Important: In order for this command to function properly, AAA accounting must be enabled for the context in which the HA service is configured using the aaa accounting subscriber radius command.
disabled: Disables using AAA distributed WiMAX MIP keys for authenticating MIP RRQ.
optional: Use AAA distributed WiMAX MIP keys for authenticating RRQ with fallback option to use static/3GPP2 based MIP keys.
required: AAA distributed WiMAX MIP keys for authenticating MIP RRQ are mandatory.
allow-noauth: Specifies that the HA service does not require authentication for every mobile node registration request. However, if the mn-aaa extension is received, the HA service will authenticate it.
always: Specifies that the HA service will perform authentication each time a mobile node registers.
dereg-noauth: Disables authentication request upon de-registration.
noauth: Specifies that the HA service will not look for mn-aaa extension and will not authenticate it.
renew-reg-noauth: Specifies that the HA service will not perform authentication for mobile node re-registrations. Initial registration and de-registration will be handled normally.
renew-and-dereg-noauth: Disables authentication request upon re-registration and de-registration.
allow-noauth: Allows a request that does not contain the auth extension.
always: A request should always contain the auth extension to be accepted.
The authentication command, combined with a keyword, can be used to specify how the system will perform authentication of registration request messages.
bind address address [ max-subscribers count ]
count can be configured to any integer value between 0 and 1,000,000.
Important: The maximum number of subscribers supported is dependent on the license key installed and the number of active PACs/PSCs installed in the system. A fully loaded system with 13 active PACs/PSCs can support 1,000,000 total subscribers. Refer to the license key command for additional information.
When configuring the max-subscribers option, be sure to consider the following:
Use the no bind address command to delete a previously configured binding.
bind address 192.168.3.1 max-subscribers 600
binding-update { max-retransmission num | retransmission-timeout seconds }
default { authentication { imsi-auth | mn-aaa | mn-ha } | binding-update { max-retransmission | retransmission-timeout } | encapsulation | gre { checksum | checksum-verify | reorder-timeout | sequence-mode | sequence-numbers } | ip local-port | policy { null-username | nw-reachability-fail | overload } | private-address allow-no-reverse-tunnel | reg-lifetime | reverse-tunnel | revocation [ enable | max-retransmission | retransmission-timeout | trigger handoff ] | setup-timeout | simul-bindings }
imsi-auth: Restores imsi-authentication to its default which is disabled.
mn-aaa: Restores the Foreign Agent (FA) mobile node re-registration authentication setting to its default: always.
mn-ha: Configures the HA service to its default behavior of looking for an MN-HA authentication extension in the RRQ.
retransmission-timeout: Configures the transmission timeout for the message to 2 seconds.
checksum: Disables the introduction of the checksum field in outgoing GRE packets.
checksum-verify: Disables verification of the GRE checksum (if present) in incoming GRE packets.
reorder-timeout: Sets the maximum number of milliseconds to wait before processing reordered out-of-sequence GRE packets to the default setting: 100.
sequence-mode: Disables the reordering of incoming out-of-sequence GRE packets by setting this parameter to the default setting: none.
sequence-numbers: Disables the insertion or removal of GRE sequence numbers in GRE packets.
null-username: Reject all RRQs that do not have an NAI.
nw-reachability-fail: If the network is not reachable, reject all incoming sessions.
overload: Restores the Home Agent service session overload policy setting to its default: reject.
enable: Disables MIP Registration Revocation on the FA.
max-retransmission: Sets the maximum number of retransmissions to 3.
retransmission-timeout: Sets the retransmission timeout to 3 seconds.
trigger { handoff | idle-timeout }:
handoff: Enables inter-Access Gateway/FA handoff as a trigger for MIP Registration Revocation.
idle-timeout: Enables session idle timer expiration as a trigger for MIP Registration Revocation.
Specifies the name of the configured subscriber profile. profile_name can be between 1 and 63 alpha and/or numeric characters and is case sensitive.
Use the no default subscriber profile_name command to delete the configured default subscriber.
To configure the HA service to apply the rules configured for a subscriber named user1 to every other subscriber session it processes, enter the following command:
fa-ha-spi remote-address fa_ip_address spi-number number { encrypted secret enc_secret | secret secret } [ description string ] [ hash-algorithm { hmac-md5 | md5 | rfc2002-md5 } ] [ replay-protection { timestamp [ timestamp-tolerance tolerance ] | nonce } ]
no fa-ha-spi remote-address ha_ip_address spi-number number
remote-address fa_ip_address
Important: The system supports unlimited peer FA addresses per HA but only maintains statistics for a maximum of 8192 peer FAs. If more than 8192 FAs are attached, older statistics are identified and overwritten.
encrypted secret enc_secret | secret secret
encrypted secret enc_secret: Specifies the encrypted shared key (enc_secret) between the HA service and the FA. enc_secret must be between 1 and 254 alpha and/or numeric characters and is case sensitive.
secret secret: Specifies the shared key (secret) between the HA service and the FA. secret must be between 1 and 127 alpha and/or numeric characters and is case sensitive.
The encrypted keyword is intended only for use by the chassis while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the secret keyword is the encrypted version of the plain text secret key. Only the encrypted secret key is saved as part of the configuration file.
This is a description for the SPI. string must be an alphanumeric string of 1 through 31 characters.
hmac-md5: Configures the hash-algorithm to implement HMAC-MD5 per RFC 2002bis.
md5: Configures the hash-algorithm to implement MD5 per RFC 1321.
rfc2002-md5: Configures the hash-algorithm to implement keyed-MD5 per RFC 2002.
grp_num must be an integer from 1 through 255.
Important: The SPI configuration on the HA must match the SPI configuration for the FA service on the system in order for the two devices to communicate properly.
Use the no version of this command to delete a previously configured SPI.
fa-ha-spi remote-address 192.168.0.2 spi-number 512 secret q397F65 hash-algorithm rfc2002-md5
no fa-ha-spi remote-address 172.100.3.200 spi-number 400
gre {
checksum |
checksum-verify |
reorder-timeout timeout |
sequence-mode {
none |
reorder } |
sequence-numbers }
none: Disables reordering of incoming out-of-sequence GRE packets.
reorder: Enables reordering of incoming out-of-sequence GRE packets.
idle-timeout-mode {
aggressive |
handoff |
normal }
[ upstream-only ]
number can be any integer value between 1 and 65535.
Specifies the logical name of the IP address pool. name must be from 1 to 31 alpha and/or numeric characters.
isakmp { peer-fa fa_address | skew-lifetime time | aaa-context context_name }
peer-fa fa_address { crypto map map_name [ [ encrypted ] secret secret ] }
• fa_address: IP address of the peer FA to which this IPSEC SA will be established.
• crypto map map_name: The name of a crypto map configured in the same context that defines the IPSec tunnel properties. map_name is the name of the crypto map and can be from 1 to 127 alpha and/or numeric characters.
• encrypted: This keyword is intended only for use by the chassis while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the secret keyword is the encrypted version of the plain text secret key. Only the encrypted secret key is saved as part of the configuration file.
• secret secret: The pre-shared secret that will be used during the IKE negotiation. secret is the secret string and can be from 1 to 127 alpha and/or numeric characters.
time is the amount of time the IKE S key fetched from AAA is considered valid after the key has expired. It is measured in seconds and can be configured to any integer value from 1 to 65535.
Important: For maximum security, it is recommended that the above command be executed for every possible FA that the HA service communicates with.
mn-ha-spi spi-number number [ description string ] [ encrypted secret enc_secret | secret secret ] [ hash-algorithm { hmac-md5 | md5 | rfc2002-md5 } ] [ permit-any-hash-algorithm ] [ replay-protection { nonce | timestamp } ] [ timestamp-tolerance tolerance ]
This is a description for the SPI. string must be an alphanumeric string of 1 through 31 characters.
encrypted secret enc_secret | secret secret
encrypted secret enc_secret: Specifies the encrypted shared key (enc_secret) between the HA service and the mobile node. enc_secret must be between 1 and 254 alpha and/or numeric characters and is case sensitive.
secret secret: Specifies the shared key (secret) between the HA service and the mobile node. secret must be between 1 and 127 alpha and/or numeric characters and is case sensitive.
The encrypted keyword is intended only for use by the chassis while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the secret keyword is the encrypted version of the plain text secret key. Only the encrypted secret key is saved as part of the configuration file.
hmac-md5: Configures the hash-algorithm to implement HMAC-MD5 per RFC 2002bis.
md5: Configures the hash-algorithm to implement MD5 per RFC 1321.
rfc2002-md5: Configures the hash-algorithm to implement keyed-MD5 per RFC 2002.
nonce: Configures replay protection to be implemented using NONCE per RFC 2002.
timestamp: Configures replay protection to be implemented using timestamps per RFC 2002.
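The hash-algorithm and replay-protection keywords above map onto how the HA verifies the MN-HA authentication extension of an RRQ. The following is an added example, not code from the page or from StarOS: it models the SPI table that mn-ha-spi builds (SPI numbers and secrets are constructed), computes the authenticator under the rfc2002-md5 (keyed MD5, prefix+suffix) and hmac-md5 algorithms, verifies it with and without permit-any-hash-algorithm, and applies the timestamp replay check with a timestamp-tolerance. `protected` stands for the already serialized bytes the authenticator covers.

```python
import hashlib
import hmac


def keyed_md5_rfc2002(secret: bytes, data: bytes) -> bytes:
    """rfc2002-md5: keyed MD5 in RFC 2002 'prefix+suffix' mode, MD5(secret || data || secret)."""
    return hashlib.md5(secret + data + secret).digest()


def hmac_md5(secret: bytes, data: bytes) -> bytes:
    """hmac-md5: HMAC-MD5 (RFC 2104), the algorithm RFC 2002bis / RFC 3344 makes the default."""
    return hmac.new(secret, data, hashlib.md5).digest()


# Keyed by the page's hash-algorithm keywords. The plain "md5" keyword is left out on purpose:
# the page only says "MD5 per RFC 1321", which does not pin down how the secret is mixed in.
ALGORITHMS = {"rfc2002-md5": keyed_md5_rfc2002, "hmac-md5": hmac_md5}

# Constructed stand-in for the table that mn-ha-spi spi-number ... secret ... hash-algorithm builds.
SPI_TABLE = {
    256: {"secret": b"q397F65", "hash_algorithm": "rfc2002-md5"},
    512: {"secret": b"example-mn-secret", "hash_algorithm": "hmac-md5"},
}


def authenticator(spi: int, protected: bytes, algorithm: str) -> bytes:
    """Authenticator a mobile node places in its MN-HA authentication extension."""
    return ALGORITHMS[algorithm](SPI_TABLE[spi]["secret"], protected)


def verify_rrq(spi: int, protected: bytes, received: bytes,
               permit_any_hash_algorithm: bool = False) -> bool:
    """HA-side check of the MN-HA extension. Without permit-any-hash-algorithm only the
    algorithm configured for the SPI is tried; with it, every known algorithm is."""
    entry = SPI_TABLE.get(spi)
    if entry is None:
        return False  # no SPI configured: nothing to authenticate against, reject
    names = list(ALGORITHMS) if permit_any_hash_algorithm else [entry["hash_algorithm"]]
    # compare_digest keeps the comparison constant-time regardless of where the bytes differ
    return any(hmac.compare_digest(ALGORITHMS[n](entry["secret"], protected), received)
               for n in names)


def timestamp_valid(ts: int, now: int, last_accepted: int, tolerance: int) -> bool:
    """replay-protection timestamp (RFC 2002/3344 section 5.7): the Identification value
    must lie within timestamp-tolerance seconds of the HA clock and exceed every
    timestamp already accepted from this mobile node; otherwise the RRQ is stale or replayed."""
    return abs(ts - now) <= tolerance and ts > last_accepted
```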
Important: Cisco Systems strongly recommends that you do not use this command without first consulting Cisco Systems Technical Support. This command applies to very specific scenarios where packet reassembly is not supported at the far end of the tunnel. There are cases where the destination network may either discard the data, or be unable to reassemble the packets.
Important: This functionality works best when the HA service is communicating with an FA service running in a system. However, an HA service running in the system communicating with an FA from a different manufacturer will operate correctly even if this parameter is enabled.
Use the no version of this command to disable tunnel optimization if enabled.
code must be either 0xFFFF or 0xFFFE.
policy nw-reachability-fail { reject [ use-reject-code { admin-prohibited | insufficient-resources } ] | redirect ip_addr1 [ weight value ] [ ip_addr2 [ weight value ] ... ip_addr16 [ weight value ] ] }
no policy nw-reachability-fail [ redirect ip_addr1 ... ip_addr16 ]
use-reject-code { admin-prohibited | insufficient-resources }: When rejecting calls, send the specified reject code. If this keyword is not specified, the admin-prohibited reject code is sent by default.
use-reject-code { admin-prohibited | insufficient-resources }: Use the specified reject code when rejecting traffic.
admin-prohibited: When this keyword is specified and traffic is rejected, the error code 81H (admin-prohibited) is returned.
insufficient-resources: When this keyword is specified and traffic is rejected, the error code 82H (insufficient resources) is returned.
redirect ip_addr1 [ weight value ] [ ip_addr2 [ weight value ] ... ip_addr16 [ weight value ] ]
ip_addr1: This must be an IPv4 address specified in dotted decimal notation. Up to 16 IP addresses and optional weight values can be entered on one command line.
weight value: When multiple addresses are specified, they are selected in a weighted round-robin scheme. If a weight is not specified the entry is automatically assigned a weight of 1.
value must be an integer from 1 through 10.
Important: Refer to the context configuration mode command nw-reachability server to configure network reachability servers.
Important: Refer to the subscriber configuration mode command nw-reachability-server to bind the network reachability to a specific subscriber.
Important: Refer to the nw-reachability server server_name keyword of the context configuration mode ip pool command to bind the network reachability server to an IP pool.
policy overload { redirect address [ weight weight_num ] [ address2 [ weight weight_num ] ... address16 [ weight weight_num ] ] | reject [ use-reject-code { admin-prohibited | insufficient-resources } ] }
no policy overload [ redirect address [ address2 ... address16 ] ]
overload: This keyword without any options deletes the complete overload policy from the PDSN service.
overload redirect address [ address2 ... address16 ]: Deletes up to 16 IP addresses from the overload redirect policy. The IP addresses must be expressed in IPv4 dotted decimal notation.
redirect address [ weight weight_num ] [ address2 [ weight weight_num ] ... address16 [ weight weight_num ]
weight weight_num : When multiple addresses are specified, they are selected in a weighted round-robin scheme. Entries with higher weights are more likely to be chosen. If a weight is not specified the entry is automatically assigned a weight of 1.
weight_num must be an integer from 1 through 10.
use-reject-code { admin-prohibited | insufficient-resources }: Use the specified reject code when rejecting traffic.
admin-prohibited: When this keyword is specified and traffic is rejected, the error code 81H (admin-prohibited) is returned.
insufficient-resources: When this keyword is specified and traffic is rejected, the error code 82H (insufficient resources) is returned.
Use the no version of this command to restore the default policy.
Important: This command is customer specific and is license enabled.
Important: This command is customer specific and is license enabled.
Use the no version of this command to disable reverse tunneling. If reverse tunneling is disabled, and the mobile node does not request it, triangular routing will be performed.
Important: If reverse tunneling is disabled on the system and a mobile node requests it, the call will be rejected with a reply code of 74H (reverse-tunneling unavailable).
revocation { enable | max-retransmission number | negotiate-i-bit | retransmission-timeout secs | send-nai-ext | trigger { handoff | idle-timeout } }
no revocation { enable | negotiate-i-bit | send-nai-ext | trigger { handoff | idle-timeout } }
handoff: Default: Enabled
idle-timeout: Default: Enabled
Important: The value of retransmission-timeout doubles. HA disconnects the session forcibly in 120 seconds after sending initial MIP revocation.
threshold init-rrq-rcvd-rate high_thresh [ clear low_thresh ]
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the high threshold.
no threshold ipsec-call-req-rej
high_thresh can be configured to any integer value between 0 and 100000.
low_thresh can be configured to any integer value between 0 and 100000.
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the high threshold.
no threshold ipsec-ike-failrate
high_thresh can be configured to any integer value between 0 and 100.
low_thresh can be configured to any integer value between 0 and 100.
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the high threshold.
no threshold ipsec-ike-failures
high_thresh can be configured to any integer value between 0 and 100000.
low_thresh can be configured to any integer value between 0 and 100000.
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the high threshold.
no threshold ipsec-ike-failures
high_thresh can be configured to any integer value between 0 and 100000.
low_thresh can be configured to any integer value between 0 and 100000.
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the high threshold.
no threshold ipsec-tunnels-established
high_thresh can be configured to any integer value between 0 and 1000000.
low_thresh can be configured to any integer value between 0 and 1000000.
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the high threshold.
no threshold ipsec-tunnels-setup
high_thresh can be configured to any integer value between 0 and 1000000.
low_thresh can be configured to any integer value between 0 and 1000000.
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the high threshold.
threshold reg-reply-error high_thresh [ clear low_thresh ]
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the high threshold.
threshold rereg-reply-error high_thresh [ clear low_thresh ]
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the high threshold.
• Enter condition: Actual number of re-registration reply errors > High Threshold
• Clear condition: Actual number of re-registration reply errors ≤ Low Threshold
threshold dereg-reply-error high_thresh [ clear low_thresh ]
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the high threshold.
• Enter condition: Actual number of de-registration reply errors > High Threshold
• Clear condition: Actual number of de-registration reply errors ≤ Low Threshold
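The enter and clear conditions above give the threshold commands a hysteresis: an alarm is raised once the count exceeds high_thresh and only cleared once it drops to low_thresh or below, and an unconfigured clear value is taken to equal the high threshold. The following is an added example, not code from the page or from StarOS, that walks a constructed series of per-interval reply-error counts through that Alarm model; the Alert model branch assumes (my assumption, the page does not describe it) that an alert is re-evaluated at every polling interval and ignores the low threshold.

```python
from typing import List, Optional


class Threshold:
    """One threshold command: high_thresh plus optional clear low_thresh."""

    def __init__(self, high_thresh: int, low_thresh: Optional[int] = None, model: str = "alarm"):
        if model not in ("alarm", "alert"):
            raise ValueError("model must be 'alarm' or 'alert'")
        # Page: if the clear value is not configured for the Alarm model, it is
        # assumed to be identical to the high threshold.
        self.high = high_thresh
        self.low = high_thresh if low_thresh is None else low_thresh
        self.model = model
        self.active = False  # Alarm model only: is the alarm currently raised?

    def poll(self, count: int) -> Optional[str]:
        """Evaluate one polling interval; return 'enter', 'clear' or None."""
        if self.model == "alert":
            # Assumption: Alert model re-fires every interval the count is above high
            # and never clears, which is why the page says low_thresh is ignored for it.
            return "enter" if count > self.high else None
        if not self.active and count > self.high:
            self.active = True
            return "enter"
        if self.active and count <= self.low:
            self.active = False
            return "clear"
        return None


def run_polls(counts: List[int], high_thresh: int, low_thresh: Optional[int] = None,
              model: str = "alarm") -> List[Optional[str]]:
    """Feed a constructed series of reply-error counts through one threshold."""
    t = Threshold(high_thresh, low_thresh, model)
    return [t.poll(c) for c in counts]
```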
Important: Use this command in conjunction with the authentication aaa-distributed-mip-keys required command.