-
Cisco IOS IP Mobility Configuration Guide, Release 12.4T
-
Part 1: Mobile IP
-
Configuring Mobile IP
-
Mobile IP MIB Support for SNMP
-
Mobile IP—NAT Detect
-
Mobile IP—Support for Foreign Agent Reverse Tunneling
-
Mobile IP—Challenge/Response Extensions
-
Mobile IP—Generic NAI Support and Home Address Allocation
-
Mobile IP Home Agent Policy Routing
-
Mobile IP—Home Agent Accounting
-
Mobile IP Dynamic Security Association and Key Distribution
-
Mobile IP—Support for RFC 3519 NAT Traversal
-
-
Part 2: Mobile Networks
-
Cisco Mobile Networks
-
Cisco Mobile Networks—Asymmetric Link
-
Cisco Mobile Networks—Static Collocated Care-of Address
-
Cisco Mobile Networks—Priority HA Assignment
-
Cisco Mobile Networks—Tunnel Templates for Multicast
-
Mobile Networks Dynamic Collocated Care-of Address
-
Mobile Networks Deployment MIB
-
Mobile IP—Foreign Agent Local Routing to Mobile Networks
-
Mobile IP—Generic Routing Encapsulation for Cisco Mobile Networks
-
Mobile IP Support for RFC 3519 NAT Traversal on the Mobile Router
-
Mobile IP— Policy and Application-Based Routing for MR Multipath
-
Mobile Router DHCP Support for Dynamic CCoA and Foreign Agent Processing
-
Mobile Ad Hoc Networks for Router-to-Radio Communications
-
-
Part 1: Mobile IP
Table Of Contents
Mobile IP—Challenge/Response Extensions
Prerequisites for Mobile IP—Challenge/Response Extensions
Restrictions for Mobile IP—Challenge/Response Extensions
Information About Foreign Agent Challenge/Response Extensions
How to Configure Foreign Agent Challenge/Response Extensions
Configuring FA Challenge/Response Extensions
Verifying Foreign Agent Service Configuration
Mobile IP—Challenge/Response Extensions
The Mobile IP—Challenge/Response Extensions feature enables a foreign agent (FA) to authenticate a mobile node (MN) by sending mobile foreign challenge extensions (MFCE) and mobile node-AAA authentication extensions (MNAE) to the home agent (HA) in registration requests.
Feature Specifications for Mobile IP—Challenge/Response Extensions
12.2(13)T
This feature was introduced.
For platforms supported in Cisco IOS Release 12.2(13)T, consult Cisco Feature Navigator.
Determining Platform Support Through Cisco Feature Navigator
Cisco IOS software is packaged in feature sets that are supported on specific platforms. To get updated information regarding platform support for this feature, access Cisco Feature Navigator. Cisco Feature Navigator dynamically updates the list of supported platforms as new platform support is added for the feature.
Cisco Feature Navigator is a web-based tool that enables you to determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image. You can search by feature or release. Under the release section, you can compare releases side by side to display both the features unique to each software release and the features in common.
To access Cisco Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
Cisco Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Cisco Feature Navigator home page at the following URL:
Availability of Cisco IOS Software Images
Platform support for particular Cisco IOS software releases is dependent on the availability of the software images for those platforms. Software images for some platforms may be deferred, delayed, or changed without prior notice. For updated information about platform support and availability of software images for each Cisco IOS software release, refer to the online release notes or, if supported, Cisco Feature Navigator.
Contents
•
Prerequisites for Mobile IP—Challenge/Response Extensions
•
•
•
Prerequisites for Mobile IP—Challenge/Response Extensions
In the Mobile IP—Challenge/Response Extensions feature, the foreign agent expects mobile node RRQs to contain the following extensions:
•
•
•
•
If unique per-user passwords are configured on the AAA and the mobile nodes, and the mobile node or home agent security association is configured on the AAA server, the HA expects mobile node RRQs received from the FA CoA to contain the following:
•
•
Restrictions for Mobile IP—Challenge/Response Extensions
The Mobile IP—Challenge/Response Extensions feature has the following restrictions:
•
Information About Foreign Agent Challenge/Response Extensions
To configure the Mobile IP—Foreign Agent Challenge/Response feature, you must understand the following concepts:
•
Challenge/Response Extensions
Mobile IP, as originally implemented, defines a Mobile-Foreign Authentication extension by which a mobile node can authenticate itself to a foreign agent. This Mobile-Foreign Authentication extension does not provide complete replay protection for the foreign agent and does not allow the foreign agent to use existing methods, such as Challenge Handshake Authentication Protocol (CHAP) to authenticate a mobile node. The Mobile IP—Foreign Agent Challenge/Response Extensions feature extends the Mobile IP agent advertisements and the registration requests that enable a foreign agent to use a challenge/response mechanism to authenticate a mobile node.
When the Mobile IP—Foreign Agent Challenge/Response Extensions feature is configured, the foreign agent expects the mobile node to include a challenge extension with a challenge value that the mobile node had previously advertised. The foreign agent also expects to receive this challenge extension within a specific time interval. The mobile node must also send an extension for authentication (MFAE or MN-AAA.)
How to Configure Foreign Agent Challenge/Response Extensions
This section includes the following procedures:
•
•
Configuring FA Challenge/Response Extensions
Perform this task to configure a foreign agent to authenticate a mobile node by sending MFCEs and MNAEs in registration requests.
Prerequisites
If unique per-user passwords are configured on the AAA and the mobile nodes, and the mobile node or home agent security association is configured on the AAA server, the HA expects mobile node RRQs received from the FA CoA to contain the following:
•
•
If the MFCE and MN-AAA extension authenticator are not forwarded to the home agent, the AAA server storing the mobile node/ home agent SAs must have identical passwords for all users to aid SA retrieval.
Note
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
DETAILED STEPS
Verifying Foreign Agent Service Configuration
Perform this task to optionally verify that the interface has been configured to provide foreign agent services.
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Additional References
The following sections provide additional references related to the Mobile IP—Challenge/Response Extensions feature:
•
•
Related Documents
Authentication
The part "Authentication, Authorization, and Accounting (AAA)" in the Cisco IOS Security Configuration Guide, Release 12.2
IKE and IPSec security protocols
The part "IP Security and Encryption" in the Cisco IOS Security Configuration Guide, Release 12.2
Mobile IP
Cisco mobile networks
Mobile wireless configuration
Cisco IOS Mobile Wireless Configuration Guide, Release 12.2
Mobile wireless commands
Cisco IOS Mobile Wireless Command Reference, Release 12.2
Standards
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
—
MIBs
•
•
To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
1 Not all supported MIBs are listed.
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
http://tools.cisco.com/ITDIT/MIBS/servlet/index
If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco MIBs page at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
RFCs
RFC 2002
IP Mobility Support
RFC 2003
IP Encapsulation within IP
RFC 2005
Applicability Statement for IP Mobility Support
RFC 2006
The Definitions of Managed Objects for IP Mobility Support
RFC 3024
Reverse Tunneling for Mobile IP, revised
1 Not all supported RFCs are listed.
Technical Assistance
Command Reference
The following commands are introduced or modified in the feature or features documented in this module. For information about these commands, see the Cisco IOS IP Mobility Command Reference at http://www.cisco.com/en/US/docs/ios/ipmobility/command/reference/imo_book.html. For information about all Cisco IOS commands, go to the Command Lookup Tool at http://tools.cisco.com/Support/CLILookup or to the Cisco IOS Master Commands List.
•
•
•
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2007 Cisco Systems, Inc. All rights reserved.
