Important: This chapter does not discuss the configuration of the local context. Information about the local context can be found in Command Line Reference.
Important: When configuring Mobile IP take into account the MIP timing considerations discussed in Mobile-IP and Proxy-MIP Timer Considerations appendix.
Important: A fourth context that serves as a destination context must also be configured if Reverse Tunneling is disabled in the FA service configuration. Reverse Tunneling is enabled by default.
NOTE: The name of the source context should be the same as the name of the context in which the FA-context is configured if a separate system is being used to provide GGSN/FA functionality.
• Mobile Country Code (MCC): The MCC can be configured to any integer value from 0 to 999.
• Mobile Network Code (MNC): The MNC can be configured to any integer value from 0 to 999.
• Behavior Bits: If charging characteristics will be configured on the GGSN, behavior bits for the following conditions can be configured:
• Profile Index: If the GGSN's charging characteristics will be used for subscriber PDP contexts, profile indexes can be modified/configured for one or more of the following conditions:
• IP address: The IP address of the CGF server to which the GGSN will send accounting information.
• Priority: If more than one CGF is configured, this is the server's priority. It is used to determine the rotation order of the CGFs when sending accounting information.
• Maximum number of messages: The maximum number of outstanding or unacknowledged GTPP messages allowed for the CGF.
NOTE: If a separate system is used to provide HA functionality, the AAA context name should match the name of the context in which the AAA functionality is configured on the HA machine.
NOTE: The examples discussed in this chapter assume GTPP is used.
NOTE: The profile index parameters are configured as part of the GGSN service.
• Home Agent IP Address: The IP address of an HA with which the system will tunnel subscriber Mobile IP sessions.
• Mobile IP Requirement: The APN can be configured to require Mobile IP for all sessions it facilitates. Incoming PDP contexts that do not or cannot use Mobile IP are dropped.
• IP Address: Specifies the IP address of the foreign RADIUS authentication server the system will communicate with to provide subscriber authentication functions.
• Shared Secret: The shared secret is a string between 1 and 15 characters (alpha and/or numeric) that specifies the key that is exchanged between the RADIUS authentication server and the source context.
• UDP Port Number: Specifies the port used by the source context and the RADIUS authentication server for communications. The UDP port number can be any integer value between 1 and 65535. The default value is 1812.
• IP Address: Specifies the IP address of the foreign RADIUS accounting server that the source context will communicate with to provide subscriber accounting functions.
• Shared Secret: The shared secret is a string between 1 and 15 characters (alpha and/or numeric) that specifies the key that is exchanged between the foreign RADIUS accounting server and the source context.
• UDP Port Number: Specifies the port used by the source context and the foreign RADIUS accounting server for communications. The UDP port number can be any integer value between 1 and 65535. The default value is 1813.
NOTE: For this configuration, the destination context name should not match the domain name of a specific domain. It should, however, match the name of the context in which the HA service is configured if a separate system is used to provide HA functionality.
• HA IP address: Specifies the IP address of the HAs with which the FA service communicates. The FA service allows the creation of a security profile that can be associated with a particular HA.
• Index: Specifies the shared SPI between the FA service and a particular HA. The SPI can be configured to any integer value between 256 and 4294967295. Multiple SPIs can be configured if the FA service is to communicate with multiple HAs.
• Secrets: Specifies the shared SPI secret between the FA service and the HA. The secret can be between 1 and 127 characters (alpha and/or numeric). An SPI secret is required for each SPI configured.
• Hash-algorithm: Specifies the algorithm used to hash the SPI and SPI secret. The possible algorithms that can be configured are MD5 per RFC 1321 and keyed-MD5 per RFC 2002. The default is hmac-md5. A hash-algorithm is required for each SPI configured.
NOTE: The system will only support multiple Mobile IP sessions per subscriber if the subscriber's mobile node has a static IP address.
Important: If ACLs are used, the destination context would only consist of the ACL configuration. Interface configuration would not be required.
NOTE: For this configuration, the destination context name should not match the domain name of a specific domain.
NOTE: The initial registration and de-registration will still be handled normally.
• FA IP address: The HA service allows the creation of a security profile that can be associated with a particular FA.
• Index: Specifies the shared SPI between the HA service and a particular FA. The SPI can be configured to any integer value between 256 and 4294967295.
• Secret: Specifies the shared SPI secret between the HA service and the FA. The secret can be between 1 and 127 characters (alpha and/or numeric).
• Hash-algorithm: Specifies the algorithm used to hash the SPI and SPI secret. The possible algorithms that can be configured are MD5 per RFC 1321 and keyed-MD5 per RFC 2002. The default algorithm is hmac-md5.
• Index: Specifies the shared SPI between the HA service and a particular FA. The SPI can be configured to any integer value between 256 and 4294967295.
• Secret: Specifies the shared SPI secret between the HA service and the FA. The secret can be between 1 and 127 characters (alpha and/or numeric).
• Hash-algorithm: Specifies the algorithm used to hash the SPI and SPI secret. The possible algorithms that can be configured are MD5 per RFC 1321 and keyed-MD5 per RFC 2002. The default algorithm is hmac-md5.
• Replay-protection process: Specifies how protection against replay attacks is implemented. The possible processes are nonce and timestamp. The default is timestamp with a tolerance of 60 seconds.
• IP Address: Specifies the IP address of the home RADIUS authentication server the system will communicate with to provide subscriber authentication functions.
• Shared Secret: The shared secret is a string between 1 and 15 characters (alpha and/or numeric) that specifies the key that is exchanged between the RADIUS authentication server and the source context.
• UDP Port Number: Specifies the port used by the source context and the RADIUS authentication server for communications. The UDP port number can be any integer value between 1 and 65535. The default value is 1812.
• IP Address: Specifies the IP address of the home RADIUS accounting server that the source context will communicate with to provide subscriber accounting functions.
• Shared Secret: The shared secret is a string between 1 and 15 characters (alpha and/or numeric) that specifies the key that is exchanged between the home RADIUS accounting server and the source context.
• UDP Port Number: Specifies the port used by the source context and the home RADIUS accounting server for communications. The UDP port number can be any integer value between 1 and 65535. The default value is 1813.
NOTE: For this configuration, the IP context name should be identical to the name of the destination context.
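The SPI, secret, hash-algorithm and timestamp replay-protection parameters above, as an added example that is not from the Cisco guide or from StarOS: a Python model of an HA-side check that looks up the profile by SPI, verifies the authenticator, and applies the 60-second timestamp tolerance plus the "must be greater than the last accepted identification" rule. The SpiProfile and HomeAgent names, the protected_bytes stand-in for the registration fields, and the constructed secret and timestamps are assumptions; keyed-MD5 is computed in RFC 2002 prefix+suffix mode and hmac-md5 as HMAC.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
@dataclass
class SpiProfile:
    secret: bytes                       # 1..127 characters on the HA service; constructed here
    hash_algorithm: str = "hmac-md5"    # page default; "keyed-md5" is the RFC 2002 algorithm
def protected_bytes(mn: str, spi: int, ident: int) -> bytes:
    """Stand-in for the registration fields covered by the authentication extension."""
    return f"RRQ mn={mn} spi={spi} ident={ident}".encode()
def authenticator(profile: SpiProfile, protected: bytes) -> bytes:
    """128-bit authenticator: HMAC-MD5, or keyed-MD5 in RFC 2002 prefix+suffix mode."""
    if profile.hash_algorithm == "hmac-md5":
        return hmac.new(profile.secret, protected, hashlib.md5).digest()
    if profile.hash_algorithm == "keyed-md5":
        return hashlib.md5(profile.secret + protected + profile.secret).digest()
    raise ValueError("unsupported hash-algorithm: " + profile.hash_algorithm)

@dataclass
class HomeAgent:
    profiles: Dict[int, SpiProfile]                             # SPI -> security profile
    tolerance: int = 60                                         # timestamp tolerance (seconds)
    last_ident: Dict[str, int] = field(default_factory=dict)    # highest accepted ident per MN

    def verify(self, mn: str, spi: int, ident: int, received: bytes, now: int) -> Tuple[bool, str]:
        profile = self.profiles.get(spi) if 256 <= spi <= 4294967295 else None
        if profile is None:
            return False, "unknown SPI"
        expected = authenticator(profile, protected_bytes(mn, spi, ident))
        if not hmac.compare_digest(expected, received):   # authenticate before touching replay state
            return False, "authentication failed"
        if abs(ident - now) > self.tolerance:
            return False, "identification mismatch: timestamp outside tolerance"
        if ident <= self.last_ident.get(mn, -1):
            return False, "replay: identification not greater than last accepted"
        self.last_ident[mn] = ident
        return True, "accepted"

def demo() -> List[bool]:
    ha = HomeAgent({1000: SpiProfile(b"constructed-spi-secret")})
    def auth(ident: int) -> bytes:   # what a legitimate peer would attach
        return authenticator(ha.profiles[1000], protected_bytes("mn1", 1000, ident))
    return [
        ha.verify("mn1", 1000, 1700000000, auth(1700000000), 1700000010)[0],  # True: fresh
        ha.verify("mn1", 1000, 1700000000, auth(1700000000), 1700000010)[0],  # False: replayed
        ha.verify("mn1", 1000, 1700000200, auth(1700000200), 1700000010)[0],  # False: skew > 60 s
        ha.verify("mn1", 1000, 1700000020, b"\x00" * 16, 1700000010)[0],      # False: bad authenticator
    ]
```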
NOTE: For this configuration, the destination context name should not match the domain name of a specific domain.
2. The HA service determines which context to use to provide AAA functionality for the session. This process is described in the How the System Selects Contexts section located in the Understanding the System Operation and Configuration chapter of the System Administration Guide. For this example, the result of this process is that the HA service determined that AAA functionality should be provided by the Source context.
4. Upon successful authentication, the Source context determines which egress context to use for the subscriber session. This process is described in the How the System Selects Contexts section located in the Understanding the System Operation and Configuration chapter of the System Administration Guide. For this example, the system determines that the egress context is the Destination context based on the configuration of the Default subscriber.
This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the destination context will be recognized by the system.
NOTE: For this configuration, the destination context name should not match the domain name of a specific domain.
• IP Address: Specifies the IP address of the RADIUS authentication server the system will communicate with to provide subscriber authentication functions.
• Shared Secret: The shared secret is a string between 1 and 15 characters (alpha and/or numeric) that specifies the key that is exchanged between the RADIUS authentication server and the source context.
• UDP Port Number: Specifies the port used by the source context and the RADIUS authentication server for communications. The UDP port number can be any integer value between 1 and 65535. The default value is 1812.
• IP Address: Specifies the IP address of the RADIUS accounting server that the source context will communicate with to provide subscriber accounting functions.
• Shared Secret: The shared secret is a string between 1 and 15 characters (alpha and/or numeric) that specifies the key that is exchanged between the RADIUS accounting server and the source context.
• UDP Port Number: Specifies the port used by the source context and the RADIUS accounting server for communications. The UDP port number can be any integer value between 1 and 65535. The default value is 1813.
NOTE: The default domain name can be the same as the source context.
NOTE: The last-resort context name can be the same as the source context.
• NOTE: The username string is searched from right to left for the separator character. Therefore, if there are one or more separator characters in the string, only the first one recognized in that direction is considered the actual separator. For example, if the default username format is used, then for the username string user1@enterprise@isp1 the system resolves to the username user1@enterprise with domain isp1.
• Subscriber default domain name = Domainx
• Subscriber username format = username@
3. Sessions are received by the HA service from the FA over the Gi interface for subscriber1@Domain1, subscriber2, and subscriber3@Domain37.
• For subscriber2, the HA service determines that no domain name is present.
5. The HA service determines which context to use to provide AAA functionality for the session. This process is described in the How the System Selects Contexts section located in the Understanding the System Operation and Configuration chapter of the System Administration Guide.
• For subscriber1, the HA service determines that a context was configured with a name (Domain1) that matches the domain name specified in the username string. Therefore, Domain1 is used.
• For subscriber2, the HA service determines that Domainx is configured as the default domain name. Therefore, Domainx is used.
• For subscriber3, the HA service determines that no context is configured that matches the domain name (Domain37) specified in the username string. Because no last-resort context name was configured, the Source context is used.
7. Upon successful authentication of all three subscribers, the HA service determines which destination context to use for each of the subscriber sessions. This process is described in the How the System Selects Contexts section located in the Understanding the System Operation and Configuration chapter of the System Administration Guide.
• For subscriber1, the HA service receives the SN-VPN-NAME or SN1-VPN-NAME attribute equal to Domain1 as part of the Authentication Accept message from the AAA server on Domain1’s network. Therefore, Domain1 is used as the destination context.
• For subscriber2, the HA service determines that the SN-VPN-NAME or SN1-VPN-NAME attribute was not returned with the Authentication Accept response, and determines the subscriber IP context name configured within the Domainx context. Therefore, the Domainx context is used as the destination context.
• For subscriber3, the HA service determines that the SN-VPN-NAME or SN1-VPN-NAME attribute was not returned with the Authentication Accept response, and determines the subscriber IP context name configured within the Source context. Therefore, the Source context is used as the destination context.
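The three-subscriber walk-through above, as an added example that is not from the Cisco guide: a Python model of the right-to-left separator search, the AAA-context choice (matching domain, else default domain, else last-resort context, else the source context) and the destination-context choice (SN-VPN-NAME or SN1-VPN-NAME from the authentication accept, else the subscriber IP context of the AAA context). The Context class, the function names and the RADIUS reply dictionaries are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class Context:
    name: str
    ip_context: Optional[str] = None      # "subscriber IP context" configured in this context
    default_domain: Optional[str] = None  # set on the source context only
    last_resort: Optional[str] = None     # set on the source context only
    separator: str = "@"                  # username format "username@" gives separator "@"

def split_username(username: str, separator: str = "@") -> Tuple[str, Optional[str]]:
    """Search right to left; the first separator found that way is the real one."""
    idx = username.rfind(separator)
    if idx < 0:
        return username, None
    return username[:idx], username[idx + 1:]

def select_aaa_context(source: Context, username: str, contexts: Dict[str, Context]) -> str:
    """AAA context: matching domain, else default domain, else last resort, else source."""
    _, domain = split_username(username, source.separator)
    if domain is not None and domain in contexts:
        return domain
    if domain is None and source.default_domain in contexts:
        return source.default_domain
    if source.last_resort in contexts:
        return source.last_resort
    return source.name

def select_destination_context(aaa: str, attrs: Dict[str, str], contexts: Dict[str, Context]) -> str:
    """SN-VPN-NAME / SN1-VPN-NAME from the authentication accept wins; else the AAA context's IP context."""
    vpn = attrs.get("SN-VPN-NAME") or attrs.get("SN1-VPN-NAME")
    return vpn if vpn else (contexts[aaa].ip_context or aaa)

def run_example() -> Dict[str, Tuple[str, str]]:
    """Constructed configuration for the scenario: Domainx is the default domain, no last resort."""
    source = Context("Source", ip_context="Source", default_domain="Domainx")
    contexts = {c.name: c for c in (source, Context("Domain1", ip_context="Domain1"),
                                    Context("Domainx", ip_context="Domainx"))}
    # Constructed RADIUS replies: only Domain1's AAA server returns SN-VPN-NAME.
    replies = {"subscriber1@Domain1": {"SN-VPN-NAME": "Domain1"},
               "subscriber2": {}, "subscriber3@Domain37": {}}
    result = {}
    for username, attrs in replies.items():
        aaa = select_aaa_context(source, username, contexts)
        result[username] = (aaa, select_destination_context(aaa, attrs, contexts))
    return result
```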
Cisco Systems Inc.
Tel: 408-526-4000
Fax: 408-527-0883