In the 3G DHCP Discover authentication method, the DHCP Discover message carries the subscriber's MAC address that needs to be authenticated. The iWAG cannot handle inbound raw EAP authentication messages that are not encapsulated inside the RADIUS messages. Therefore, the EAP authentication messages are signaled with the AAA server without passing through the iWAG, that is, out-of-band authentication from the
The following figures and steps describe the call flow pertaining to DHCP Discover authentication for a 3G user:
The mobile device is automatically associated to the SSID broadcast by the access points to establish and maintain wireless connectivity.
The AP or the WLC starts the EAP authentication process by sending an EAP Request ID to the mobile device.
The mobile device sends a response pertaining to the EAP Request ID back to the AP or the WLC.
The WLC sends a RADIUS Access Request to the AAA server asking it to authenticate the subscriber.
After the subscriber is authenticated, the AAA server caches its entire user profile that includes the information about IMSI, MSISDN, APN, and the Cisco AV pair having ssg-service-info set to GTP-service. The cached data also includes the client's MAC address, which is set as the calling-station-ID in the incoming EAP messages.
The AAA server sends the RADIUS Access Accept message to the AP or the WLC.
When the RADIUS Access Accept message comes back, the corresponding user profile in which the use of GTP-service is identified is obtained.
The WLC sends the successful EAP authentication message to the mobile device.
The mobile device sends a DHCP Discover message to the iWAG. In response to this DHCP Discover message, the DHCP goes into a new pending state to wait for the signaling on the MNO side to be completed, which assigns an IP address to the subscriber.
The iWAG finds a session associated with the subscriber MAC address and retrieves the subscriber IP address from the session context.
The iWAG sends a RADIUS Access Request to the AAA server asking it to authenticate the subscriber using the MAC address in it as the calling-station-ID, while also providing all other known subscriber information, IDs, and IMSI in this Access Request
When the AAA server sends back the RADIUS Access Accept message to the iWAG, the user profile in which the use of GTP-service is identified is obtained.
The iWAG sends a query to the DNS server to resolve a given Access Point Name (APN) to a GGSN IP address.
The DNS server sends the DNS-resolved GGSN address back to the iWAG.
After receiving the DNS-resolved GGSN address, the iWAG sends the Create PDP Context Request, in which the PDP context address is set to 0, in order to request the GGSN for an IP address
The GGSN sends a RADIUS Access Request to the
Based on the cached information obtained from the EAP-SIM authentication, the AAA server replies with a RADIUS Access Accept message to the GGSN.
The GGSN sends the Create PDP Context Response that carries the assigned IP address c.c.c.c for the subscriber, to the iWAG.
The iWAG sends a DHCP Offer message to the mobile device.
The mobile device sends a DHCP Request message to the iWAG, and the iWAG acknowledges this request by sending a DHCP ACK message to the mobile device.
The WiFi subscriber traffic now has a data path through which it can flow.
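The steps above imply ordering and binding checks that can be run over signaling logs. The following is an added example, not Cisco code: a simplified Python model in which the event names, field names and traces are hypothetical and constructed, and which assumes the DHCP Offer carries the GGSN-assigned address.

```python
# Added example: a simplified model of the call flow above.
# Event names and field names are hypothetical; the traces are constructed.
ORDER = ["eap_success", "dhcp_discover", "iwag_access_accept", "dns_reply",
         "create_pdp_request", "create_pdp_response", "dhcp_offer"]

def check_flow(events):
    """Return findings for one subscriber's trace; an empty list means consistent."""
    findings, seen = [], {}
    for ev in events:
        kind = ev["type"]
        if kind not in ORDER:
            findings.append(f"unexpected event: {kind}")
            continue
        # Each step requires every earlier step of the flow to have been seen.
        missing = [p for p in ORDER[:ORDER.index(kind)] if p not in seen]
        if missing:
            findings.append(f"{kind} seen before {missing[0]}")
        seen[kind] = ev
    eap, disc = seen.get("eap_success"), seen.get("dhcp_discover")
    # The MAC in the DHCP Discover must be the calling-station-ID the AAA cached.
    if eap and disc and disc["mac"].lower() != eap["calling_station_id"].lower():
        findings.append("DHCP Discover MAC does not match cached calling-station-ID")
    acc = seen.get("iwag_access_accept")
    if acc and acc.get("ssg-service-info") != "GTP-service":
        findings.append("profile does not select GTP-service")
    req = seen.get("create_pdp_request")
    if req and req["pdp_address"] != 0:
        findings.append("Create PDP Context Request address is not 0")
    resp, offer = seen.get("create_pdp_response"), seen.get("dhcp_offer")
    # Assumption: the DHCP Offer carries the address the GGSN assigned.
    if resp and offer and offer["ip"] != resp["ip"]:
        findings.append("DHCP Offer IP differs from GGSN-assigned IP")
    return findings

MAC = "00:11:22:33:44:55"  # constructed sample value
GOOD_TRACE = [
    {"type": "eap_success", "calling_station_id": MAC},
    {"type": "dhcp_discover", "mac": MAC},
    {"type": "iwag_access_accept", "ssg-service-info": "GTP-service"},
    {"type": "dns_reply", "ggsn": "192.0.2.10"},
    {"type": "create_pdp_request", "pdp_address": 0},
    {"type": "create_pdp_response", "ip": "198.51.100.7"},
    {"type": "dhcp_offer", "ip": "198.51.100.7"},
]
# Constructed bad trace: an Offer sent while DHCP should still be pending.
BAD_TRACE = GOOD_TRACE[:2] + [{"type": "dhcp_offer", "ip": "198.51.100.9"}]

if __name__ == "__main__":
    print(check_flow(GOOD_TRACE), check_flow(BAD_TRACE))
```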