-
Cisco IOS IP Mobility Configuration Guide, Release 12.4
-
Part 1: Mobile IP
-
Configuring Mobile IP
-
Mobile IP MIB Support for SNMP
-
Mobile IP—NAT Detect
-
Mobile IP—Support for Foreign Agent Reverse Tunneling
-
Mobile IP—Challenge/Response Extensions
-
Mobile IP—Generic NAI Support and Home Address Allocation
-
Mobile IP Home Agent Policy Routing
-
Mobile IP—Home Agent Accounting
-
Mobile IP Dynamic Security Association and Key Distribution
-
Mobile IP—Support for RFC 3519 NAT Traversal
-
-
Part 2: Mobile Networks
-
Cisco Mobile Networks
-
Cisco Mobile Networks—Asymmetric Link
-
Cisco Mobile Networks—Static Collocated Care-of Address
-
Cisco Mobile Networks—Priority HA Assignment
-
Cisco Mobile Networks—Tunnel Templates for Multicast
-
Mobile Networks Dynamic Collocated Care-of Address
-
Mobile Networks Deployment MIB
-
Mobile IP—Foreign Agent Local Routing to Mobile Networks
-
Mobile IP—Generic Routing Encapsulation for Cisco Mobile Networks
-
Mobile Router DHCP Support for Dynamic CCoA and Foreign Agent Processing
-
-
Part 1: Mobile IP
Table Of Contents
Mobile IP Dynamic Security Association and Key Distribution
Prerequisites for Mobile IP Dynamic Security Association and Key Distribution
Restrictions for Mobile IP Dynamic Security Association and Key Distribution
Information About Mobile IP Dynamic Security Association and Key Distribution
Using the Cisco Secure ACS Server
Benefits of Mobile IP Dynamic Security Association and Key Distribution
Mobile IP Dynamic Security Association and Key Distribution
The Mobile IP Dynamic Security Association and Key Distribution feature enables a Mobile IP client (mobile node) to use the Microsoft Windows login information to generate the dynamic shared keys needed to create the security associations between it and the home agent. These security associations are used to authenticate the mobile device. In response to a successful registration, basic configuration parameters such as the DHCP server address, home address prefix length, and domain name system (DNS) address are also passed on to the mobile node in the form of extensions to the registration reply message sent by the home agent.
This feature eliminates the need for any configuration of the Mobile IP client software once it is installed. Now customers need not log in and authenticate multiple times, making the Mobile IP client software a "plug-and-play" operation.
Feature History for the Mobile IP Dynamic Security Association and Key Distribution Feature
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
•
Prerequisites for Mobile IP Dynamic Security Association and Key Distribution
•
•
Prerequisites for Mobile IP Dynamic Security Association and Key Distribution
Your network must be configured to run Mobile IP. The home agent must be configured with the authentication, authorization, and accounting (AAA) address of a RADIUS server that has access to the domain controller for authenticating the user in the Windows domain.
Because Mobile IP requires support on the host device, each mobile node must be appropriately configured for the desired Mobile IP service with client software.
Restrictions for Mobile IP Dynamic Security Association and Key Distribution
This feature can be used only in a Windows operating system environment.
Information About Mobile IP Dynamic Security Association and Key Distribution
This section describes the following concepts related to the Mobile IP Dynamic Security Association and Key Distribution feature:
•
•
Session Identifiers
This feature introduces the concept of a session identifier (session-id) that is available if a network access identifier (NAI) is specified in your configuration. The session identifier is optional and can be added by the mobile node in the initial registration request. For example, a single user can have multiple sessions (for example when logging through different devices such as a PDA, cellular phone, or laptop) and use the same NAI for all sessions. These individual sessions are identified by the session identifier. If the session identifier is present in the initial registration, it must be present in all subsequent registration renewals from the mobile node.
Using the Cisco Secure ACS Server
Because this feature leverages an existing authentication infrastructure, such as the Windows Domain Controller (DC) database or Active Directory (AD), you need not configure any Mobile IP client user information in a AAA server. You only need to configure the AAA so it can use the DC/AD to authenticate the Mobile IP client users upon receiving a RADIUS request from a home agent.
The following is a brief summary of the steps necessary to configure the Cisco Secure Access Control Server (ACS) to use a database to authenticate Mobile IP clients.
•
•
•
For more information on Cisco Secure ACS configuration, refer to the "Administering External User Databases" chapter of the Cisco Secure ACS Windows Server 3.1 User Guide.
Benefits of Mobile IP Dynamic Security Association and Key Distribution
•
•
Additional References
The following sections provide references related to the Mobile IP Dynamic Security Association and Key Distribution feature.
Related Documents
Standards
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
—
MIBs
RFCs
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
—
Technical Assistance
Command Reference
The following commands are introduced or modified in the feature or features documented in this module. For information about these commands, see the Cisco IOS IP Mobility Command Reference at http://www.cisco.com/en/US/docs/ios/ipmobility/command/reference/imo_book.html. For information about all Cisco IOS commands, go to the Command Lookup Tool at http://tools.cisco.com/Support/CLILookup or to the Cisco IOS Master Commands List.
•
•
•
•
Glossary
home agent—A router on a home network of the mobile node or that tunnels packets to the mobile node or mobile router while it is away from home. It keeps current location information for registered mobile nodes called a mobility binding.
mobile node—A host or router that changes its point of attachment from one network or subnet to another. A mobile node may change its location without changing its IP address; it may continue to communicate with other Internet nodes at any location using its home IP address, assuming that link-layer connectivity to a point of attachment is available.
NAI—network access identifier. The user ID submitted by the mobile node during registration to identify the user for authentication. The NAI might help route the registration request to the correct home agent.
Note
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2007 Cisco Systems, Inc. All rights reserved.
