Cisco IOS Software Releases 12.3 T

Mobile IP Dynamic Security Association and Key Distribution


Mobile IP Dynamic Security Association and Key Distribution


The Mobile IP Dynamic Security Association and Key Distribution feature enables a Mobile IP client (mobile node) to use the Microsoft Windows login information to generate the dynamic shared keys needed to create the security associations between it and the home agent. These security associations are used to authenticate the mobile device. In response to a successful registration, basic configuration parameters such as the DHCP server address, home address prefix length, and domain name system (DNS) address are also passed on to the mobile node in the form of extensions to the registration reply message sent by the home agent.

This feature eliminates the need for any configuration of the Mobile IP client software once it is installed. Now customers need not log in and authenticate multiple times, making the Mobile IP client software a "plug-and-play" operation.

Feature History for the Mobile IP Dynamic Security Association and Key Distribution Feature

Release      Modification
12.3(4)T     This feature was introduced.


Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

Prerequisites for Mobile IP Dynamic Security Association and Key Distribution

Restrictions for Mobile IP Dynamic Security Association and Key Distribution

Information About Mobile IP Dynamic Security Association and Key Distribution

Additional References

Command Reference

Glossary

Prerequisites for Mobile IP Dynamic Security Association and Key Distribution

Your network must be configured to run Mobile IP. The home agent must be configured with the authentication, authorization, and accounting (AAA) address of a RADIUS server that has access to the domain controller for authenticating the user in the Windows domain.

Because Mobile IP requires support on the host device, each mobile node must be appropriately configured for the desired Mobile IP service with client software.

Restrictions for Mobile IP Dynamic Security Association and Key Distribution

This feature can be used only in a Windows operating system environment.

Information About Mobile IP Dynamic Security Association and Key Distribution

This section describes the following concepts related to the Mobile IP Dynamic Security Association and Key Distribution feature:

Session Identifiers

Using the Cisco Secure ACS Server

Benefits of Mobile IP Dynamic Security Association and Key Distribution

Session Identifiers

This feature introduces the concept of a session identifier (session-id), which is available if a network access identifier (NAI) is specified in your configuration. The session identifier is optional and can be added by the mobile node in the initial registration request. A single user can have multiple sessions (for example, when logging in through different devices such as a PDA, cellular phone, or laptop) and use the same NAI for all of them; the individual sessions are distinguished by the session identifier. If the session identifier is present in the initial registration, it must be present in all subsequent registration renewals from the mobile node.

Using the Cisco Secure ACS Server

Because this feature leverages an existing authentication infrastructure, such as the Windows Domain Controller (DC) database or Active Directory (AD), you need not configure any Mobile IP client user information in a AAA server. You only need to configure the AAA server so that it can use the DC/AD to authenticate the Mobile IP client users upon receiving a RADIUS request from a home agent.

The following is a brief summary of the steps necessary to configure the Cisco Secure Access Control Server (ACS) to use a database to authenticate Mobile IP clients.

In the navigation bar, click External User Databases. Select Windows Domain Database to authenticate unknown users.

In the navigation bar, click External User Databases. Map the domain of the unknown users to an ACS group.

Click Database Group Mappings. Check the Microsoft MPPE Key attribute for the mapped ACS group.

For more information on Cisco Secure ACS configuration, refer to the "Administering External User Databases" chapter of the Cisco Secure ACS Windows Server 3.1 User Guide.

Benefits of Mobile IP Dynamic Security Association and Key Distribution

This feature eliminates the need for any configuration of the Mobile IP client software once it is installed. Now customers need not log in and authenticate multiple times, making the Mobile IP client software a "plug-and-play" operation.

For network administrators, this feature simplifies Mobile IP provisioning and increases mobility security through dynamic re-keying.

Additional References

The following sections provide references related to the Mobile IP Dynamic Security Association and Key Distribution feature.

Related Documents

Related Topic
Document Title

Mobile IP commands: complete command syntax, command mode, defaults, usage guidelines, and examples

Cisco IOS IP Command Reference, Volume 4 of 4: IP Mobility, Release 12.3 T

Information about Network Access Identifiers in Mobile IP

Mobile IP Generic NAI Support and Home Address Allocation feature document, Release 12.2(13)T

Configuration tasks for Cisco Secure ACS

Cisco Secure ACS Windows Server 3.1 User Guide


Standards

Standards
Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.


MIBs

MIBs
MIBs Link

No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFCs
Title

No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.


Technical Assistance

Description
Link

Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/public/support/tac/home.shtml


Command Reference

This section documents modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.3 T command reference publications.

clear ip mobile binding

clear ip mobile visitor

show ip mobile binding

show ip mobile visitor

clear ip mobile binding

To remove mobility bindings, use the clear ip mobile binding command in EXEC mode.

clear ip mobile binding {all [load standby-group-name] | ip-address | nai string [session-id string]}

Syntax Description

all

Clears all mobility bindings.

load standby-group-name

(Optional) Downloads mobility bindings for a standby group after clear.

ip-address

IP address of a mobile node.

nai string

Network access identifier of the mobile node.

session-id string

(Optional) Session identifier. The string value must be fewer than 25 characters.


Command Modes

EXEC

Command History

Release
Modification

12.0(1)T

This command was introduced.

12.1(3)T

The following keywords and argument were added:

all

load

standby-group-name

12.2(2)XC

The nai keyword was added.

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T.

12.3(4)T

The session-id keyword was added.


Usage Guidelines

The home agent creates a mobility binding for each roaming mobile node. Associated with the mobility binding is the tunnel to the visited network and a host route to forward packets destined for the mobile node. Typically, there should be no need to clear the binding because it expires after the lifetime is reached or when the mobile node deregisters.

When the mobility binding is removed through the use of this command, the number of users on the tunnel is decremented and the host route is removed from the routing table. The mobile node is not notified.

If the nai string session-id string option is specified, only the binding entry with that session identifier is cleared. If the session-id keyword is not specified, all binding entries (potentially more than one with different session identifiers) for that NAI are cleared. You can determine the session-id string value by using the show ip mobile binding command.

Use this command with care, because it will disrupt any sessions used by the mobile node. After you use this command, the mobile node will need to reregister to continue roaming.

Examples

The following example administratively stops mobile node 10.2.0.1 from roaming:

Router# show ip mobile binding

Mobility Binding List:
Total 1
10.2.0.1: 
    Care-of Addr 68.0.0.31, Src Addr 68.0.0.31, 
    Lifetime granted 02:46:40 (10000), remaining 02:46:32
    Flags SbdmGvt, Identification B750FAC4.C28F56A8, 
    Tunnel100 src 66.0.0.5 dest 68.0.0.31 reverse-allowed
    Routing Options - (G)GRE

Router# clear ip mobile binding 10.2.0.1

Router# show ip mobile binding

Related Commands

Command
Description

show ip mobile binding

Displays the mobility binding table.


clear ip mobile visitor

To remove visitor information, use the clear ip mobile visitor command in EXEC mode.

clear ip mobile visitor [ip-address | nai string [session-id string] [ip-address]]

Syntax Description

ip-address

(Optional) IP address. If not specified, visitor information will be removed for all addresses.

nai string

(Optional) Network access identifier of the mobile node.

session-id string

(Optional) Session identifier. The string value must be less than 25 characters.

ip-address

(Optional) IP address associated with the network access identifier (NAI).


Command Modes

EXEC

Command History

Release
Modification

12.0(1)T

This command was introduced.

12.2(2)XC

The nai keyword and associated variables were added.

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T.

12.3(4)T

The session-id keyword was added.


Usage Guidelines

The foreign agent creates a visitor entry for each accepted visitor. The visitor entry allows the mobile node to receive packets while in a visited network. Associated with the visitor entry is the ARP entry for the visitor. There should be no need to clear the entry because it expires after lifetime is reached or when the mobile node deregisters.

When a visitor entry is removed, the number of users on the tunnel is decremented and the ARP entry is removed from the ARP cache. The visitor is not notified.

If the nai string session-id string option is specified, only the visitor entry with that session identifier is cleared. If session-id is not specified, all visitor entries (potentially more than one, with different session identifiers) for that NAI are cleared. You can determine the session-id string value by using the show ip mobile visitor command.

Use this command with care because it may terminate any sessions used by the mobile node. After using this command, the visitor will need to reregister to continue roaming.

Examples

The following example administratively stops visitor 172.21.58.16 from visiting:

Router# clear ip mobile visitor 172.21.58.16

Related Commands

Command
Description

show ip mobile visitor

Displays the table containing the visitor list of the foreign agent.


show ip mobile binding

To display the mobility binding table, use the show ip mobile binding command in EXEC mode.

show ip mobile binding [home-agent ip-address | nai string [session-id string] | summary]

Syntax Description

home-agent ip-address

(Optional) IP address of mobile node.

nai string

(Optional) Network access identifier (NAI).

session-id string

(Optional) Session identifier. The string value must be less than 25 characters.

summary

(Optional) Total number of bindings in the table.


Command Modes

EXEC

Command History

Release
Modification

12.0(1)T

This command was introduced.

12.0(2)T

The home-agent keyword and ip-address argument were added.

12.1(2)T

The summary keyword was added.

12.2(2)XC

The nai keyword was added.

12.2(13)T

This command was enhanced to display the service options field and to include information about the mobile networks registered on the home agent.

12.3(4)T

The session-id keyword was added.


Usage Guidelines

The home agent updates the mobility binding table in response to registration events from mobile nodes. If the ip-address argument is specified, bindings are shown only for that mobile node. If the nai string session-id string combination is specified, only the binding entry for that session identifier is displayed.

A session identifier is used to uniquely identify a Mobile IP flow. A Mobile IP flow is the set {NAI, IP address}. The flow allows a single NAI to be associated with one or multiple IP addresses, for example, {NAI, ipaddr1}, {NAI, ipaddr2}, and so on. Thus, a single user can have multiple sessions (for example, when logging in through different devices such as a PDA, cellular phone, or laptop). If the session identifier is present in the initial registration, it must be present in all subsequent registration renewals from that mobile node.
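The usage guidelines for clear ip mobile binding (clear by NAI removes every session, clear by NAI plus session-id removes one flow) and the flow definition above can be exercised in code. The following Python is an added example written for this page, not Cisco IOS code: it models a home-agent binding table keyed by home address, enforces the rule that a session identifier sent in the initial registration must be present and unchanged in every renewal, expires bindings when the granted lifetime runs out, and implements the two clear variants. The class and method names and the integer clock are assumptions made for illustration; the NAI user01@cisco.com, the PDA session identifier and the 100.100.100.x addresses are taken from the sample output on this page.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Binding:
    """One mobility binding: a Mobile IP flow {NAI, home address}, optionally
    tagged with the session identifier the mobile node sent at registration."""
    nai: str
    home_addr: str
    session_id: Optional[str]
    lifetime: int        # seconds granted
    expires_at: int      # absolute time on a constructed integer clock


class MobilityBindingTable:
    """Home-agent binding table keyed by home address (assumed model that
    follows the usage guidelines, not Cisco's implementation)."""

    def __init__(self) -> None:
        self._bindings: Dict[str, Binding] = {}

    def register(self, nai: str, home_addr: str, session_id: Optional[str],
                 lifetime: int, now: int) -> str:
        """Process an initial registration or a renewal for one flow."""
        current = self._bindings.get(home_addr)
        if current is not None and current.session_id is not None:
            # A session identifier present in the initial registration must be
            # present, and unchanged, in every subsequent renewal.
            if session_id is None:
                return "rejected: session identifier missing"
            if session_id != current.session_id:
                return "rejected: session identifier mismatch"
        self._bindings[home_addr] = Binding(nai, home_addr, session_id,
                                            lifetime, now + lifetime)
        return "accepted"

    def expire(self, now: int) -> int:
        """Drop bindings whose granted lifetime has been reached."""
        dead = [a for a, b in self._bindings.items() if b.expires_at <= now]
        for addr in dead:
            del self._bindings[addr]
        return len(dead)

    def clear(self, nai: str, session_id: Optional[str] = None) -> int:
        """clear ip mobile binding nai <string> [session-id <string>]:
        with a session-id only that flow is removed; without it, every
        binding for the NAI (possibly several sessions) is removed."""
        dead = [a for a, b in self._bindings.items()
                if b.nai == nai and (session_id is None or b.session_id == session_id)]
        for addr in dead:
            del self._bindings[addr]
        return len(dead)

    def clear_address(self, home_addr: str) -> int:
        """clear ip mobile binding <ip-address>."""
        return 1 if self._bindings.pop(home_addr, None) is not None else 0

    def show(self, nai: Optional[str] = None,
             session_id: Optional[str] = None) -> List[Binding]:
        """show ip mobile binding [nai <string> [session-id <string>]]."""
        return [b for b in self._bindings.values()
                if (nai is None or b.nai == nai)
                and (session_id is None or b.session_id == session_id)]
```

Note that the mobile node is not told when an operator clears its binding, exactly as the guidelines say: the next renewal from a cleared flow is simply treated as an initial registration again.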

Examples

The following is sample output from the show ip mobile binding command:

Router# show ip mobile binding

Mobility Binding List:
Total 1
20.0.0.1: 
    Care-of Addr 68.0.0.31, Src Addr 68.0.0.31, 
    Lifetime granted 02:46:40 (10000), remaining 02:46:32
    Flags SbdmGvt, Identification B750FAC4.C28F56A8, 
    Tunnel100 src 66.0.0.5 dest 68.0.0.31 reverse-allowed
    Routing Options - (G)GRE
    Service Options:
      NAT detect

The following is sample output from the show ip mobile binding command when mobile networks are configured or registered on the home agent:

Router# show ip mobile binding

Mobility Binding List:
Total 1
20.0.4.1:
  Care-of Addr 45.0.0.5, Src Addr 45.0.0.5
  Lifetime granted 00:02:00 (120), remaining 00:01:56
  Flags sbDmgvT, Identification B7A262C5.DE43E6F4
  Tunnel0 src 46.0.0.3 dest 45.0.0.5 reverse-allowed
  MR Tunnel1 src 46.0.0.3 dest 20.0.4.1 reverse-allowed
  Routing Options - (D)Direct-to-MN (T)Reverse-tunnel
  Mobile Networks: 54.0.0.0/255.255.255.0(S)
                   44.0.0.0/255.255.255.0 (D)
                   46.0.0.0/255.0.0.0(D)

The following is sample output from the show ip mobile binding command with session identifier information:


Router# show ip mobile binding

Mobility Binding List:
Total 1
  100.100.100.19: 
  Care-of Addr 70.70.70.2, Src Addr 100.100.100.1.0.0.31, 
  Lifetime granted 00:33:20 (20000), remaining 00:30:56
  Flags SbdmGvt, Identification BC1C2A04.EA42659C, 
  Tunnel0 src 100.100.100.100 dest 70.70.70.2 reverse-allowed
  Routing Options 
  Session identifier
  SPI 333 (decimal 819) MD5, Prefix-suffix, Timestamp +/-255, root key
  Key 38a38987ad0a399cb80940835689da66
  SPI 334 (decimal 820) MD5, Prefix-suffix, Timestamp +/-255, session key
  Key 34c7635a313038611dec8c16681b55e0

Table 1 describes the significant fields shown in the display.

Table 1 show ip mobile binding Field Descriptions 

Field
Description

Total

Total number of mobility bindings.

20.0.4.1

Home IP address of the mobile node. The NAI is displayed if configured.

Care-of Addr

Care-of address of the mobile node.

Src Addr

IP source address of the registration request as received by the home agent. This is either the colocated care-of address of the mobile node or an address on the foreign agent.

Lifetime granted

The lifetime granted to the mobile node for this registration. Number of seconds in parentheses.

Lifetime remaining

The time (in hh:mm:ss) remaining until the registration expires. It has the same initial value as the lifetime granted and is counted down by the home agent.

Flags

Services requested by the mobile node. The mobile node requests these services by setting bits in the registration request. An uppercase character denotes that the bit is set.

Identification

Identification used in that binding by the mobile node. This field has two purposes: unique identifier for each request, and replay protection.

Tunnel

The tunnel used by the mobile node is characterized by the source and destination addresses, and reverse-allowed or reverse-off for reverse tunnel. The default encapsulation is IPIP. The mobile node can request GRE.

Routing Options

Routing options identify the services the home agent is currently providing. The mobile node must request these services in its registration request by setting the services flag (see Flags field description). For example, the V bit may have been requested by the mobile node (shown in the Flags field), but the home agent will not provide such service. Options are B (broadcast), D (direct-to-mobile node), G (GRE), and T (reverse-tunnel).

Session identifier

The ID used to uniquely identify a Mobile IP flow.

SPI

The SPI is the 4-byte opaque index within the mobility security association that selects the specific security parameters to be used to authenticate the peer.

MD5

Message Digest 5 authentication algorithm. HMAC-MD5 is displayed if configured.

Prefix-suffix

Authentication mode.

Timestamp

Replay protection method.

root key

Dynamic key based on the Windows password that is shared between the mobile node and the AAA server, Windows domain controller, or Active Directory. Once a mobile node registers, this key remains established for as long as the binding persists on the home agent. Subsequent registration requests can be authenticated using the root key.

session key

Dynamic key derived from the root key. This key can be refreshed, and each refreshed key is again derived from the root key. Subsequent registration renewal messages can be authenticated using the session key. The period or frequency of the session key refresh is determined by the mobile node. Registration requests that also request a session key refresh are authenticated using the root key.

Mobile Networks

Mobile networks configured or registered on the home agent. D denotes dynamic (registered) mobile networks and S denotes static (configured) mobile networks.

Service Options

Service options configured.

NAT detect

Network Address Translation (NAT) detect, which indicates that the mobile node is registering from behind a NAT-enabled router.
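The root key / session key split, the SPI selection and the replay window described in the Table 1 field descriptions can be illustrated end to end. The following Python is an added example, not Cisco's implementation: the mobile node signs a registration request with keyed MD5 in prefix+suffix mode (the MD5 / Prefix-suffix mode named in the sample output, as defined in RFC 2002), and the home agent checks the Identification timestamp against the +/-255 second window, selects the root or session key by SPI, requires that a key-refresh request be authenticated with the root key, and then installs a new session key. The session key derivation (HMAC-SHA256 of a refresh counter under the root key) is a stand-in assumption because this page does not specify Cisco's derivation; the byte layout in protected_bytes is likewise a simplification rather than the wire format. The SPIs 0x333/0x334 and the two key values are the ones shown in the sample output above; all other names are assumed.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

NTP_EPOCH_OFFSET = 2208988800  # NTP seconds (used by Identification) start in 1900
TIMESTAMP_TOLERANCE = 255      # the "Timestamp +/-255" replay window, in seconds
MH_AUTH_EXT_TYPE = 32          # Mobile-Home Authentication Extension (RFC 2002)
MH_AUTH_EXT_LEN = 20           # 4-byte SPI + 16-byte MD5 authenticator


def prefix_suffix_md5(key: bytes, protected: bytes) -> bytes:
    """Keyed MD5 in 'prefix+suffix' mode (RFC 2002): MD5(key || data || key)."""
    return hashlib.md5(key + protected + key).digest()


def derive_session_key(root_key: bytes, refresh_count: int) -> bytes:
    """Stand-in KDF (an assumption, not Cisco's derivation): HMAC-SHA256 of a
    refresh counter under the root key, truncated to a 16-byte MD5 key."""
    label = b"mobile-ip-session-key" + struct.pack("!I", refresh_count)
    return hmac.new(root_key, label, hashlib.sha256).digest()[:16]


@dataclass
class SecurityAssociation:
    """Dynamic mobility security association as held by the home agent."""
    root_spi: int
    root_key: bytes
    session_spi: int
    session_key: bytes
    refresh_count: int = 0


@dataclass
class RegistrationRequest:
    nai: str
    home_addr: str
    care_of_addr: str
    lifetime: int
    identification: int     # 64-bit field; the high 32 bits carry NTP seconds
    session_id: str
    key_refresh: bool       # the mobile node asks for a fresh session key
    spi: int                # SPI placed in the authentication extension
    authenticator: bytes = b""

    def protected_bytes(self) -> bytes:
        """Bytes covered by the authenticator: the request fields plus the
        extension type, length and SPI (simplified layout, not the wire format)."""
        strings = (self.nai, self.home_addr, self.care_of_addr, self.session_id)
        return (
            struct.pack("!HQ", self.lifetime, self.identification)
            + b"\0".join(s.encode() for s in strings)
            + bytes([1 if self.key_refresh else 0])
            + struct.pack("!BBI", MH_AUTH_EXT_TYPE, MH_AUTH_EXT_LEN, self.spi)
        )


def make_identification(now: int, low32: int = 0) -> int:
    """Build an Identification value whose high word is the current NTP time."""
    return ((now + NTP_EPOCH_OFFSET) << 32) | (low32 & 0xFFFFFFFF)


def sign_request(req: RegistrationRequest, key: bytes) -> RegistrationRequest:
    """Mobile-node side: compute the authenticator under the chosen key."""
    req.authenticator = prefix_suffix_md5(key, req.protected_bytes())
    return req


def verify_request(req: RegistrationRequest, sa: SecurityAssociation, now: int) -> str:
    """Home-agent side. Returns 'accepted' or the reason for rejection."""
    # Replay protection: the timestamp must lie inside the tolerance window.
    if abs((now + NTP_EPOCH_OFFSET) - (req.identification >> 32)) > TIMESTAMP_TOLERANCE:
        return "rejected: identification outside replay window"
    # The SPI selects which key of the association the mobile node used.
    if req.spi == sa.root_spi:
        key = sa.root_key
    elif req.spi == sa.session_spi:
        key = sa.session_key
    else:
        return "rejected: unknown SPI"
    # A request that asks for a session key refresh is authenticated with the
    # root key, as the root key / session key field descriptions state.
    if req.key_refresh and req.spi != sa.root_spi:
        return "rejected: key refresh must be authenticated with the root key"
    expected = prefix_suffix_md5(key, req.protected_bytes())
    if not hmac.compare_digest(expected, req.authenticator):
        return "rejected: bad authenticator"
    if req.key_refresh:
        sa.refresh_count += 1
        sa.session_key = derive_session_key(sa.root_key, sa.refresh_count)
    return "accepted"


def demo_association() -> SecurityAssociation:
    """SPIs and key values taken from the sample output above; in a real
    deployment the root key is delivered by the AAA server, not hard-coded."""
    return SecurityAssociation(
        root_spi=0x333, root_key=bytes.fromhex("38a38987ad0a399cb80940835689da66"),
        session_spi=0x334, session_key=bytes.fromhex("34c7635a313038611dec8c16681b55e0"),
    )
```

The check order matters: the timestamp window is evaluated before any MD5 work so that a replayed or far-skewed request is rejected cheaply, the SPI is then resolved to a key, and only after the authenticator verifies is the association mutated. After a successful refresh, a renewal signed with the previous session key fails the authenticator check, which is the property that makes periodic re-keying worthwhile.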


show ip mobile visitor

To display the table containing the visitor list of the foreign agent, use the show ip mobile visitor command in EXEC mode.

show ip mobile visitor [[pending] [address | summary] | nai string [session-id string]]

Syntax Description

pending

(Optional) Displays the pending registration table.

address

(Optional) IP address.

summary

(Optional) Displays all values in the table.

nai string

(Optional) Network access identifier (NAI).

session-id string

(Optional) Session identifier. The string value must be less than 25 characters.


Command Modes

EXEC

Command History

Release
Modification

12.0(1)T

This command was introduced.

12.2(2)XC

The nai keyword was added.

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T.

12.3(4)T

The session-id keyword was added.


Usage Guidelines

The foreign agent updates the table containing the visitor list of the foreign agent in response to registration events from mobile nodes.

A session identifier is used to uniquely identify a Mobile IP flow. A Mobile IP flow is the set {NAI, IP address}. The flow allows a single NAI to be associated with one or multiple IP addresses, for example, {NAI, ipaddr1}, {NAI, ipaddr2}, and so on. Thus, a single user can have multiple sessions (for example, when logging in through different devices such as a PDA, cellular phone, or laptop). If the session identifier is present in the initial registration, it must be present in all subsequent registration renewals from that mobile node.

Examples

The following is sample output from the show ip mobile visitor command:

Router# show ip mobile visitor
Mobile Visitor List:
Total 1
20.0.0.1:
    Interface Ethernet1/2, MAC addr 0060.837b.95ec
    IP src 20.0.0.1, dest 67.0.0.31, UDP src port 434
    HA addr 66.0.0.5, Identification B7510E60.64436B38
    Lifetime 08:20:00 (30000) Remaining 08:19:16
    Tunnel100 src 68.0.0.31, dest 66.0.0.5, reverse-allowed
    Routing Options - (T)Reverse-tunnel

If the mobile node has visited and is associated with a session identifier, then the visitor entry for the mobile node shows the session identifier as shown below:


Router#show ip mobile visitor 
Mobile Visitor List:
Total 1
    user01@cisco.com
    Home addr 100.100.100.17
    Interface Ethernet3/3, MAC addr 0004.6d25.b857
    IP src 0.0.0.0, dest 100.100.100.1, UDP src port 434
    HA addr 100.100.100.100, Identification BC189864.B2FE6CC4
    Lifetime 00:33:20 (2000) Remaining 00:33:06
    Tunnel0 src 70.70.70.2, dest 100.100.100.100, reverse-allowed
    Routing Options - (B)Broadcast
    Session identifier PDA

Table 2 describes the significant fields shown in the display.

Table 2 show ip mobile visitor Field Descriptions 

Field
Description

Total

Number of visitors.

IP address

Home IP address of a visitor. The NAI is displayed if configured.

Interface

Name of the interface.

MAC addr

MAC address of the visitor.

IP src

Source IP address of the registration request of a visitor.

IP dest

Destination IP address of the registration request of a visitor. When a foreign agent sends a reply to a visitor, the IP source address is set to this address, unless it is multicast or broadcast, in which case it is set to the IP address of the output interface.

UDP src port

Source UDP port of registration request of the visitor.

HA addr

Home agent IP address for that visiting mobile node.

Identification

Identification used in that registration by the mobile node.

Lifetime

The lifetime (in hh:mm:ss) granted to the mobile node for this registration.

Remaining

The number of seconds remaining until the registration expires. It has the same initial value as the Lifetime field and is counted down by the foreign agent.

Tunnel

The tunnel used by the mobile node is characterized by the source and destination addresses, and reverse-allowed or reverse-off for reverse tunnel. The default is IPIP encapsulation; otherwise GRE will be displayed in the Routing Options field.

Routing Options

Routing options list all foreign agent-accepted services, based on registration flags sent by the mobile node. Possible options are:

(S) Multi-binding (not supported by the Cisco home agent)

(B) Broadcast

(D) Direct-to-mobile node

(M) MinIP, minimal encapsulation (not supported on the home agent)

(G) GRE

(T) Reverse-tunnel

Session identifier

Session identifier can be the device name or MAC address.


Glossary

home agent—A router on the home network of the mobile node that tunnels packets to the mobile node or mobile router while it is away from home. It keeps current location information for registered mobile nodes, called a mobility binding.

mobile node—A host or router that changes its point of attachment from one network or subnet to another. A mobile node may change its location without changing its IP address; it may continue to communicate with other Internet nodes at any location using its home IP address, assuming that link-layer connectivity to a point of attachment is available.

NAI—network access identifier. The user ID submitted by the mobile node during registration to identify the user for authentication. The NAI might help route the registration request to the correct home agent.


Note Refer to Internetworking Terms and Acronyms for terms not included in this glossary.