Cisco IOS Mobile IP

Mobile IP Security Associations on a CiscoSecure ACS Server

Table Of Contents

Configuring Mobile IP Security Associations on a CiscoSecure ACS server

Design Introduction

Passwords and Keys

MN-HA SPI & Key

HA-AAA Key

AAA MN Password

Summarized Setup

Mobile Node Configuration

Home Agent Configuration

CiscoSecure ACS Radius Server Configuration

Create ACS definition for the home agent

Defining the MN SA on the ACS

Enabling the Cisco IOS/PIX Radius Attributes field

Troubleshooting

Appendix 1—Software versions used in test

Mobile IP client

Home Agent

ACS version

Appendix 2—Acronyms

Appendix 3

Large Summary Diagram


White Paper

Configuring Mobile IP Security Associations on a CiscoSecure ACS server


This configuration note provides detailed instructions and background information on configuring the Mobile IP Home Agent to download Mobile Node Security Associations from a CiscoSecure ACS AAA server instead of configuring them locally on the Home Agent itself.

Design Introduction

This document details the configuration necessary for a Cisco IOS Software Home Agent (HA) to retrieve a Mobile Node's (MN) SPI and Key from a CiscoSecure ACS RADIUS server, that is, an Authentication, Authorization, and Accounting (AAA) server.

When a Mobile IP Home Agent receives a registration request from the MN, it requires the MN's SPI & Key, collectively known as a Security Association (SA), to authenticate the RRQ packet. This SA must exist between the Mobile Node (MN), identified either by a Network Access Identifier (NAI) or home IP address, and the HA. SAs between other Mobile IP entities are possible but are not mandatory.

SAs take the form of a Security Parameter Index (SPI) number and either an associated 16-byte hexadecimal key (expressed as 32 hex digits) or an ASCII key. The ASCII key authentication process is not well-defined and therefore causes interoperability issues, so Cisco recommends only the use of 32-digit hexadecimal keys.

For each MN, matching SAs are configured:

For the MN—SAs are statically configured on the MN.

For the HA—SAs can either be statically configured on the HA, or centrally configured on a AAA server and loaded into the HA as required.

There are several advantages to configuring SAs on AAA servers:

Central point of configuration: all security parameters are centrally configured and maintained.

Scalability: the HA only downloads SAs as required. It does not need to have the complete list of SAs for all MNs that may register to be permanently configured.

The MN does not authenticate to the ACS directly. The HA communicates with the ACS in order to get the correct SPI and Key for the MN that is registering with it.

Passwords and Keys

This document details the configuration necessary to have a Cisco IOS Software HA retrieve a MN's SA from a CiscoSecure ACS RADIUS server. In order to do this, three passwords or keys need to be configured:

1. MN-HA SPI & Key

2. HA-AAA Key

3. AAA MN Password

MN-HA SPI & Key

When the HA receives a registration request from the MN, it needs the MN's SPI & Key to authenticate the RRQ packet. This document describes how the MN's SPI and Key can be configured on a central AAA server and obtained by the HA as required.

HA-AAA Key

This is a shared secret that the HA and AAA server use to authenticate each other when processing access-request/access-response packets. These packets are sent between the HA and the AAA server to request the MN's SPI & Key.

AAA MN Password

This is a shared secret between a user and the AAA server. It is typically used to validate the user to a third party that has a trust relationship with the AAA server, and to supply that third party with additional information about the user. The HA uses this mechanism only to obtain the additional information about the user (the MN's SPI and Key); it does not use it to validate the MN.

This is the process that a third party goes through to validate the user:

1. Third party supplies a challenge to the user and the user uses its shared secret password (user password) with the AAA server to create a response.

2. User sends this response to the third party.

3. Third party sends the challenge and response to the AAA server in an access-request packet.

4. When the AAA server receives an access-request packet from the trusted third party, it uses its stored password for the user and the challenge in the access-request packet to create its own response to the challenge.

5. AAA Server compares the two responses. If they are identical, this validates the user and the AAA server sends back an access-accept packet to the trusted third party.

Every access-request packet sent to the AAA server requires a challenge and response in the packet. Although the HA does not use this method to validate the MN, the HA must supply a challenge and response in the access-request packet in order to retrieve the MN's SPI & Key from the AAA server.

There are two methods for the HA to get the challenge and response it sends to the AAA server:

1. HA receives the challenge and response in the MN's RRQ

The MN receives a challenge in the FA's advertisement when the FA is configured for FA-challenge [1]. The MN combines the challenge with its user password to create a response. It then adds a "challenge/response" TLV (type, length, value) [2] to the end of the RRQ that it sends to the HA via the FA [3]. The HA uses the challenge and response it receives to fill in the access-request packet that it sends to the AAA server [4].

When the AAA server receives an access-request packet, it uses its stored password for the user and the challenge in the access-request packet to create its own response to the challenge. It then compares the two responses. If the two responses are identical, it validates the user and sends back an access-accept packet. The access-accept packet contains the user's (MN's) SPI and Key as a Cisco Systems Vendor Specific Attribute (VSA) [5]. This SPI and Key are used to compute the Mobile-Home Authentication Extension (MHAE) and validate the MN to the HA.

2. HA creates the challenge and response (more common)

If the HA does not receive a "challenge/response" TLV in the RRQ, it still needs to supply a challenge and response in the access-request packet. When the "challenge/response" TLV is missing from the RRQ, the HA creates a challenge and a response using a default password (cisco).

Since the AAA server uses the challenge in the packet and the stored user password to create its own response to the challenge, for the HA and AAA server responses to match, the user password for all MNs on the AAA server must be set to cisco.

In a later release, network engineers will be able to change the default password from cisco to a different value. This will allow a different password to be used for all MNs (users) on the AAA server.

Summarized Setup

Figure 1 summarizes the necessary configuration. Appendix 3 provides the same diagram in full-page form.

Figure 1

Lab setup and configuration

Mobile Node Configuration

The following example of MN configuration is based on the Birdstep Technologies Mobile IP client software. The same configuration requirements apply to Mobile IP clients from other vendors.

The Mobile Node was configured with an IP address belonging to the virtual network configured on the HA.

The IP address of the HA on the MN was the IP address of a loopback interface on the HA. Figure 2 illustrates the IP configuration of the MN.

Figure 2

MN IP Configuration

The MN default configuration is to do MN to HA authentication. MN-HA authentication is mandatory for a Mobile IP deployment. Figure 3 illustrates the Authentication configuration.

Figure 3

Mobile Node Authentication Types configuration

The MN is also configured with the authentication mode. Figure 4 shows the keyed-MD5 authentication module selected. It also shows that SPI 0x100 is used for this MN. Clicking the Settings button shown in Figure 4 reveals the shared-secret value that corresponds to SPI 100.

Figure 4

Configuring the MN hash type and SPI

The key that acts as a shared secret between the MN and the HA is configured for SPI 100 by pressing the settings button shown in Figure 4. Figure 5 shows the setting of the key for SPI 100 in the test described in this paper.

Figure 5

Shared secret (key) associated with SPI 100


Note: The SPI (shown in Figure 4) and key (shown in Figure 5) must match the SPI and key configured for the MN on the ACS server (Figure 8). This key is used to compute the Mobile-Home Authentication Extension (MHAE) that authenticates Registration Requests and Registration Replies between the Mobile Node and the Home Agent.


Home Agent Configuration

Following is the full configuration of the HA router used in the test. Sections relevant to this test are annotated with comment lines (beginning with !) in the configuration.

This test used an FA, but there were no FA-specific requirements for this test, and the full FA configuration is not supplied. Sections of the FA configuration are shown in Figure 1 and Appendix 3. The test would also work with the MN using a Colocated Care of Address instead of an FA.

r3660#more system:running-config
Building configuration...
 
Current configuration : 1617 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
!
hostname r3660
!
boot system flash c3660-is-mz.122-8.T4.bin
! Enable AAA authentication
aaa new-model
!
! Enable AAA authorization for MIP
aaa authorization ipmobile default group radius 
aaa session-id common
enable secret 5 $1$0Vpv$vtMqxUQqUm7lrOQD7huUP/
!
ip subnet-zero
!
! Loopback interface to use as management address and for mobile nodes
! to use as an HA IP address. Also used as source IP address for all AAA
! packets.
interface Loopback0
 ip address 10.251.254.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 ip helper-address 10.1.204.10
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.2.2.2 255.255.255.0
 ip helper-address 10.1.204.10
 ip helper-address 172.26.204.67
 duplex auto
 speed auto
!
! Enable MIP
router mobile
!
router eigrp 1
! Redistribute the mobile routes
 redistribute mobile
 network 10.0.0.0
 no auto-summary
 no eigrp log-neighbor-changes
!
ip classless
!
! Enable HA Functionality
ip mobile home-agent
! Define a virtual network as MNs' home network and add it to the HA's
! forwarding table
ip mobile virtual-network 10.254.254.0 255.255.255.0 address 10.254.254.1
! Use AAA to obtain SAs for MNs with IP address between 10.254.254.10 and
! 10.254.254.20, and cache the SA on the HA once loaded
ip mobile host 10.254.254.10 10.254.254.20 virtual-network 10.254.254.0 255.255.255.0 aaa load-sa
! This command tells the HA to use the IP address assigned to Loopback0
! as the source address in "Access-Request" packets. The IP address on the
! loopback must match the AAA Client IP Address configured on the ACS in
! Figure 6.
ip radius source-interface Loopback0
! Define the radius server and shared secret. The key/password configured
! here should match the key configured on the ACS in figure 6 and figure 7.
! For this example, the radius key is secret-password-here
! Define IP Address of the radius server and the ports it is listening to
radius-server host 172.26.204.67 auth-port 1645 acct-port 1646
radius-server retransmit 3
! Shared Secret between the Home Agent and Radius Server. Used to
! authenticate the radius server.
radius-server key secret-password-here
!
line con 0
line aux 0
line vty 0 4
 password admin
!
end

CiscoSecure ACS Radius Server Configuration

Caution: If ACS 3.1 is used, the routers running the HA service must be at Cisco IOS Software Release 12.2(15)T or later. This is because of a change in the way attributes are communicated in ACS 3.1.

Create ACS definition for the home agent

Configure the ACS server with a definition for the HA that will be contacting it to download MN SAs.

A HA definition is configured by clicking the Network Configuration button on the ACS server. This button is circled in red in Figure 6.


Note: The Key field shown in Figure 6 provides the shared secret that is used to secure communications between the ACS server and the HA. The same key must be configured on the HA in the radius-server key command. In this example, it is set to secret-password-here. This is the HA-AAA key described above in the Passwords and Keys section of the document.


Figure 6

Configuring the ACS with a definition for the HA

The AAA Client IP Address is the source IP address the HA uses when requesting a MN's SA from the ACS. In our example, it is the IP address of Loopback0 on the HA. The HA is configured to use Loopback0 as the source IP address by the ip radius source-interface Loopback0 command.

The Key field shown in Figure 6 provides the ACS server with the shared secret that is configured in the HA with the radius-server key secret-password-here command.

Defining the MN SA on the ACS

The MN is configured on the ACS server as a user. User definitions are added to the ACS server by clicking the User Setup button highlighted in Figure 7.

Figure 7

Configuring the MN in ACS

The user ID is configured to match the MN's home address. In this case, the mobile node's IP address is 10.254.254.10.

The Password and Confirm Password in User Setup must be configured as cisco. The mobile node password is set to a static value of cisco because:

The mobile IP developers set a default user password of cisco for computing the response in the access requests sent by the HA to the ACS.

Communication between the home agent and the radius server is already protected by a shared secret (in this case the shared secret is secret-password-here).

It is also necessary to define the Mobile Node's Security Association on the ACS server so it can be dynamically passed to the HA when the Mobile Node registers to it.

The MN's SA can be defined by scrolling down to the bottom of the User Setup page. Near the bottom the Cisco IOS/PIX Radius Attributes field should be visible. An example of this field is shown in Figure 8.


Note: If the Cisco IOS/PIX Radius Attributes field does not appear, enable this option as described in the section—Enabling the Cisco IOS/PIX Radius Attributes field.


The MN's SA key is entered on the ACS server as shown in Figure 8.

Figure 8

Setting the MNs key

The key is entered as one string without line-feeds. In the example above the following would be entered:

Mobileip:spi#0=spi 100 key hex 12345678123456781234567812345678

This entry is displayed on the ACS as shown in Figure 8. The spi#0= field is an index used by the ACS server that allows multiple SPIs to be defined for a single MN. The spi 100 field is the actual SPI number defined on the MN that the HA will use.


Note: The SPI and Key must also be configured on the mobile node. This data is used on the Home Agent to authenticate the mobile IP Registration Request and to compute the MHAE for the Registration Reply.


Figure 9 shows an example where more than one SA is defined for a MN. The ACS server uses the spi#0 and spi#1 to index these, but passes spi 100 and spi 200 respectively to the HA. The two entries in the ACS interface are separated by a carriage-return.

Figure 9

Setting multiple SAs for a MN
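As an added example (not code from the paper or from Cisco), the following Python parses the cisco-av-pair entries of the kind shown above into SA records, checks that a hex key really is the 32 hex digits the paper calls for, rejects duplicate indexes or SPIs, and renders the ip mobile secure host form that the HA logs when it parses an Access-Accept. The grammar in AVPAIR_RE and all function names are assumptions; the sample field is constructed from the paper's example values.

```python
import re

# Constructed sample: the two entries of the multiple-SA case (Figure 9), as the
# ACS User Setup field holds them, one entry per line.
SAMPLE_ACS_FIELD = """\
mobileip:spi#0=spi 100 key hex 12345678123456781234567812345678
mobileip:spi#1=spi 200 key hex 12345678123456781234567812345678
"""

# Assumed grammar: mobileip:spi#<index>=spi <spi> key hex|ascii <key>
AVPAIR_RE = re.compile(
    r"^mobileip:spi#(?P<index>\d+)=spi\s+(?P<spi>[0-9a-f]{3,8})\s+"
    r"key\s+(?P<form>hex|ascii)\s+(?P<key>\S+)$",
    re.IGNORECASE,
)


def parse_mobileip_avpair(avpair):
    """Parse one mobileip:spi#N=... entry into a dict, or raise ValueError.

    A hex key must be exactly 32 hex digits (16 bytes): that is the only key
    form the paper recommends, and a mistyped key makes the HA compute an MHAE
    that never matches the one the MN sends, so registrations are rejected."""
    m = AVPAIR_RE.match(avpair.strip())
    if not m:
        raise ValueError(f"unrecognised av-pair: {avpair!r}")
    form, key = m.group("form").lower(), m.group("key")
    if form == "hex" and not re.fullmatch(r"[0-9a-fA-F]{32}", key):
        raise ValueError(f"hex key must be 32 hex digits, got {len(key)}: {avpair!r}")
    # The SPI is kept as the string written on the ACS and compared textually.
    return {"index": int(m.group("index")), "spi": m.group("spi").lower(),
            "key_form": form, "key": key}


def is_valid_avpair(avpair):
    """True when the entry parses and its key passes the length check."""
    try:
        parse_mobileip_avpair(avpair)
        return True
    except ValueError:
        return False


def parse_acs_field(field_text):
    """Split the ACS field (one entry per line) and parse every entry, sorted by
    spi# index. Duplicate indexes or SPIs are rejected, since the HA could
    otherwise end up with two different keys for one SPI."""
    entries = [parse_mobileip_avpair(ln) for ln in field_text.splitlines() if ln.strip()]
    indexes = [e["index"] for e in entries]
    spis = [e["spi"] for e in entries]
    if len(set(indexes)) != len(indexes) or len(set(spis)) != len(spis):
        raise ValueError("duplicate spi# index or SPI in ACS field")
    return sorted(entries, key=lambda e: e["index"])


def to_secure_host_commands(mn_addr, entries):
    """Render what the HA logs when it parses the Access-Accept (see the debug
    output in the Troubleshooting section): 'ip mobile secure host ...'."""
    return [f"ip mobile secure host {mn_addr} spi {e['spi']} key {e['key_form']} {e['key']}"
            for e in entries]


def select_sa(entries, spi_used_by_mn):
    """Pick the key for the SPI the MN used in its MHAE (debug: 'authenticating MN
    ... using SPI 100'); None means the HA holds no SA for that SPI."""
    for e in entries:
        if e["spi"] == spi_used_by_mn.lower():
            return e["key"]
    return None
```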

Enabling the Cisco IOS/PIX Radius Attributes field

The Cisco IOS/PIX Radius Attributes field does not appear as a User Setup option unless it is first enabled. To enable the Cisco IOS/PIX Radius Attributes field, click the Interface Configuration button circled in Figure 10. Select the check box to enable User cisco-av-pair option as shown in Figure 10.

Figure 10

Interface Configuration

Troubleshooting

The troubleshooting section in this document is divided into three parts:

1. Is the problem on the radius server or the home agent?

2. Troubleshooting the Home Agent

3. Troubleshooting the ACS server

1. Is the problem on the radius server or the home agent?

To determine if the problem is on the radius server or the home agent, turn on "debug radius" and "debug ip mobile host" on the home agent. Watch to see if the radius server returns an "Access-Accept" or an "Access-Reject". If the radius server returns an "Access-Reject", see why the radius server rejected the "Access-Request" packet from the home agent by Troubleshooting the ACS server.

If the radius server returns an "Access-Accept" and the home agent rejects the registration, there is most likely a mis-configuration between the SPI/Key on the radius server and the SPI/Key defined on the mobile node. Begin troubleshooting from the home agent (See Troubleshooting the Home Agent).

In this successful example below, the home agent received an "Access-Accept" from the radius server and an SPI and Key were returned so that the HA could validate the MN's RRQ packet.

05:45:04: RADIUS(00000000): sending
05:45:04: RADIUS: Send to unknown id 54 172.26.204.67:1645, Access-Request, len 65
05:45:04: RADIUS:  authenticator 93 F7 57 BD 44 3F 88 D8 - 86 4C A8 F6 1A 2F B1 D1
05:45:04: RADIUS:  User-Name           [1]   15  "10.254.254.10"
05:45:04: RADIUS:  User-Password       [2]   18  *
05:45:04: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
05:45:04: RADIUS:  NAS-IP-Address      [4]   6   10.254.254.1
05:45:04: RADIUS: Received from id 54 172.26.204.67:1645, Access-Accept, len 174
05:45:04: RADIUS:  authenticator F7 1A E5 F5 D2 39 38 28 - 1E D6 77 E1 38 07 94 DC
05:45:04: RADIUS:  Session-Timeout     [27]  6   600
05:45:04: RADIUS:  Vendor, Cisco       [26]  71
05:45:04: RADIUS:   Cisco AVpair       [1]   65  "mobileip:spi#0=spi 100 key hex 12345678123456781234567812345678"
05:45:04: RADIUS:  Vendor, Cisco       [26]  71
05:45:04: RADIUS:   Cisco AVpair       [1]   65  "mobileip:spi#1=spi 200 key hex 12345678123456781234567812345678"
05:45:04: RADIUS:  Framed-IP-Address   [8]   6   255.255.255.255
05:45:04: RADIUS(00000000): Unique id not in use

2. Troubleshooting the Home Agent

The show command that you want to use on the HA is show ip mobile binding X.Y.Z.A or just show ip mobile binding if there are not too many hosts. This will show if the mobile node registered successfully.

The command show ip mobile host X.Y.Z.A will indicate the last error for this host and tell you whether it is registered or not. If it says "never" as the last error and it is not registered then the HA never received a registration request from the FA and debugging should be done on the FA.

There is no equivalent command of show ip mobile host on the FA. If the registration is successful, you can use show ip mobile visitor on the FA.

If the registrations are not seen on the HA, debug ip mobile host will show what is happening on the FA. If there is a lot of mobile IP host traffic an ACL identifying the host can be used with the debug ip mobile host command.

Below is debug output captured when mobile node 10.254.254.10 is successfully registering with the home agent.

r3660#debug radius
Radius protocol debugging is on
Radius protocol brief debugging is off
Radius packet hex dump debugging is off
Radius packet protocol debugging is on
Radius packet retransmission debugging is off
Radius server fail-over debugging is off
r3660#debug ip mobile host
IP mobility for mobile node debugging is on
05:45:04: MobileIP: HA 120 received registration for MN 10.254.254.10 on FastEthernet0/0 using COA 172.26.204.81 HA 10.254.254.1 lifetime 180 options sbdmgvt
05:45:04: RADIUS(00000000): sending
05:45:04: RADIUS: Send to unknown id 54 172.26.204.67:1645, Access-Request, len 65
05:45:04: RADIUS:  authenticator 93 F7 57 BD 44 3F 88 D8 - 86 4C A8 F6 1A 2F B1 D1
05:45:04: RADIUS:  User-Name           [1]   15  "10.254.254.10"
05:45:04: RADIUS:  User-Password       [2]   18  *
05:45:04: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
05:45:04: RADIUS:  NAS-IP-Address      [4]   6   10.254.254.1
05:45:04: RADIUS: Received from id 54 172.26.204.67:1645, Access-Accept, len 174
05:45:04: RADIUS:  authenticator F7 1A E5 F5 D2 39 38 28 - 1E D6 77 E1 38 07 94 DC
05:45:04: RADIUS:  Session-Timeout     [27]  6   600
05:45:04: RADIUS:  Vendor, Cisco       [26]  71
05:45:04: RADIUS:   Cisco AVpair       [1]   65  "mobileip:spi#0=spi 100 key hex 12345678123456781234567812345678"
05:45:04: RADIUS:  Vendor, Cisco       [26]  71
05:45:04: RADIUS:   Cisco AVpair       [1]   65  "mobileip:spi#1=spi 200 key hex 12345678123456781234567812345678"
05:45:04: RADIUS:  Framed-IP-Address   [8]   6   255.255.255.255
05:45:04: RADIUS(00000000): Unique id not in use
05:45:04: RADIUS: Received from id 0
05:45:04: MobileIP: MN 10.254.254.10: Parse AV 'ip mobile secure host 10.254.254.10 spi 100 key hex 12345678123456781234567812345678' ok (0)
05:45:04: MobileIP: MN 10.254.254.10: Parse AV 'ip mobile secure host 10.254.254.10 spi 200 key hex 12345678123456781234567812345678' ok (0)
05:45:04: MobileIP: HA 11 received registration for MN 10.254.254.10 on  using COA 172.26.204.81 HA 10.254.254.1 lifetime 180 options sbdmgvt
05:45:04: MobileIP: MN 10.254.254.10 - authenticating MN 10.254.254.10 using SPI 100
05:45:04: MobileIP: MN 10.254.254.10 - authenticated MN 10.254.254.10 using SPI 100
05:45:04: MobileIP: Identification field has timestamp 315111592 secs greater than our current time 03/01/93 05:45:04 (> allowed 7 secs) for MN 10.254.254.10
05:45:04: %IPMOBILE-6-SECURE: Security violation on HA from MN 10.254.254.10 - errcode registration id mismatch (133), reason Bad identifier (3)
05:45:04: MobileIP: HA rejects registration for MN 10.254.254.10 - registration id mismatch (133)
05:45:04: MobileIP: MN 10.254.254.10 - MH auth ext added (SPI 100) to MN 10.254.254.10
05:45:04: MobileIP: MN 10.254.254.10 - HA sent reply to 10.1.1.1
05:45:05: MobileIP: HA 120 received registration for MN 10.254.254.10 on FastEthernet0/0 using COA 172.26.204.81 HA 10.254.254.1 lifetime 180 options sbdmgvt
05:45:05: MobileIP: MN 10.254.254.10 - authenticating MN 10.254.254.10 using SPI 100
05:45:05: MobileIP: MN 10.254.254.10 - authenticated MN 10.254.254.10 using SPI 100
05:45:05: MobileIP: Mobility binding for MN 10.254.254.10 created
05:45:05: MobileIP: Roam timer started for MN 10.254.254.10, lifetime 60
05:45:05: MobileIP: MN 10.254.254.10 is now roaming
05:45:05: MobileIP: Insert route 10.254.254.10/255.255.255.255 via gateway 172.26.204.81 on Tunnel0
05:45:05: MobileIP: HA accepts registration from MN 10.254.254.10
05:45:05: MobileIP: MN 10.254.254.10 - MH auth ext added (SPI 100) to MN 10.254.254.10
05:45:05: MobileIP: MN 10.254.254.10 - HA sent reply to 10.1.1.1
r3660#undebug all

Ignore any errors with code 133—it is just telling you that the clocks are mismatched. The MN will automatically correct that and reissue another RRQ. This problem can be avoided altogether by enabling Network Time Protocol (NTP) on the routers and MNs.

3. Troubleshooting the ACS server

Click on the reports and activity button and find out why the ACS sent an "Access-Reject" to the home agent.

Figure 11 illustrates the ACS Failed Attempts log that resulted from attempts to log in with non-matching HA/ACS keys, and from attempts to log in with a client password not equal to cisco. (The same error is logged in the ACS in both cases.) To differentiate between these two problems, you have to look at the debug output on the HA from the debug radius command.

If the problem is a mismatch between the HA-AAA key configured on the AAA server and on the HA, the debug radius output on the HA will show a failed decrypt message following the Access-Reject.

Passed authentications can only be viewed in the ACS log if first enabled via the System Configuration—Logging buttons.

Figure 11

Accessing failed authentication attempts on the ACS

Debug output from debug radius command on HA

4d02h: MobileIP: HA 157 rcv registration for MN 65.1.1.1 on FastEthernet1/1 using HomeAddr 65.1.1.1 COA 90.90.90.1 HA 200.200.200.1 lifetime 36000 options sbdmg-T-
4d02h: RADIUS(000000CE): Config NAS IP: 0.0.0.0
4d02h: RADIUS/ENCODE(000000CE): acct_session_id: 206
4d02h: RADIUS(000000CE): sending
4d02h: RADIUS/ENCODE: Best Local IP-Address 200.200.200.1 for Radius-Server 180.180.180.4
4d02h: RADIUS(000000CE): Send Access-Request to 180.180.180.4:1645 id 21645/164, len 60
4d02h: RADIUS: authenticator 9D 4F 4A 9B 9B A9 FB A0 - 72 DF ED 94 99 CF 8D BF
4d02h: RADIUS: User-Name [1] 10 "65.1.1.1"
4d02h: RADIUS: User-Password [2] 18 *
4d02h: RADIUS: Service-Type [6] 6 Outbound [5]
4d02h: RADIUS: NAS-IP-Address [4] 6 200.200.200.1
4d02h: RADIUS: Received from id 21645/164 180.180.180.4:1645, Access-Reject, len 20
4d02h: RADIUS: authenticator 29 03 82 DF D0 80 0A DB - CB 12 6D 07 6F 56 45 7D
4d02h: RADIUS: response-authenticator decrypt fail, pak len 20
4d02h: RADIUS: packet dump: 03A40014290382DFD0800ADBCB126D076F56457D
4d02h: RADIUS: expected digest: 9D02764BF4D5CA81FDB044B08C725E74
4d02h: RADIUS: response authen: 290382DFD0800ADBCB126D076F56457D
4d02h: RADIUS: request authen: 9D4F4A9B9BA9FBA072DFED9499CF8DBF
4d02h: RADIUS: Response (164) failed decrypt
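The two failure cases the troubleshooting section distinguishes (a wrong HA-AAA key versus a wrong MN password on the ACS) come down to the Response Authenticator check the HA performs, and to the User-Password hiding of the Passwords and Keys section. The following Python, added here and not part of the paper or of Cisco's software, builds the Access-Request the debug output shows (User-Name, hidden User-Password, Service-Type Outbound, NAS-IP-Address), stands in for the ACS with a constructed user database, and verifies the reply the way the HA does; the HA-AAA key and the av-pair are the paper's example values, the function names and the stand-in server are assumptions.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# The key and av-pair are the paper's example values; the user database is constructed.
HA_AAA_KEY = b"secret-password-here"   # radius-server key on the HA
MN_AAA_PASSWORD = b"cisco"             # default user password the HA assumes
SAMPLE_USER_DB = {"10.254.254.10": {"password": MN_AAA_PASSWORD, "avpairs": [
    "mobileip:spi#0=spi 100 key hex 12345678123456781234567812345678"]}}


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + Request Authenticator or previous cipher block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += prev
    return out


def unhide_password(hidden, secret, request_auth):
    """Server side of hide_password(); a wrong secret yields garbage, never an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype, value):
    return struct.pack("!BB", atype, 2 + len(value)) + value


def parse_attrs(packet):
    """Return {type: value} for the attributes of one RADIUS packet."""
    length = struct.unpack("!H", packet[2:4])[0]
    attrs, i = {}, 20
    while i < length:
        atype, alen = packet[i], packet[i + 1]
        attrs[atype] = packet[i + 2:i + alen]
        i += alen
    return attrs


def build_packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(ident, secret, mn_addr, password, nas_ip, request_auth=None):
    """Access-Request as the HA sends it: User-Name(1) = MN home address, User-Password(2)
    hidden with the HA-AAA key, Service-Type(6) = Outbound(5), NAS-IP-Address(4)."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(1, mn_addr.encode()) + attr(2, hide_password(password, secret, request_auth))
             + attr(6, struct.pack("!I", 5)) + attr(4, socket.inet_aton(nas_ip)))
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def aaa_server_handle(request, server_secret, user_db):
    """Minimal ACS stand-in: recover User-Password with its copy of the HA-AAA key, compare
    with the stored user password, then answer Access-Accept carrying the user's mobileip
    av-pairs as Cisco (vendor 9) VSAs, or Access-Reject with no attributes (len 20)."""
    ident, request_auth, attrs = request[1], request[4:20], parse_attrs(request)
    entry = user_db.get(attrs[1].decode(errors="replace"))
    code, reply_attrs = ACCESS_REJECT, b""
    if entry and unhide_password(attrs[2], server_secret, request_auth) == entry["password"]:
        code = ACCESS_ACCEPT
        for av in entry["avpairs"]:
            reply_attrs += attr(26, struct.pack("!I", 9) + attr(1, av.encode()))
    auth = response_authenticator(code, ident, reply_attrs, request_auth, server_secret)
    return build_packet(code, ident, auth, reply_attrs)


def ha_check_response(response, request, ha_secret):
    """The check behind 'response-authenticator decrypt fail': recompute the Response
    Authenticator with the HA's key. Returns (code, authenticator_ok)."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, response[20:length], request[4:20], ha_secret)
    return code, expected == response[4:20]
```

A Reject whose authenticator verifies points at the user password on the ACS; a reply whose authenticator does not verify points at the HA-AAA key, which is the failed decrypt case in the output above.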

Appendix 1—Software versions used in test

Mobile IP client

Birdstep Mobile IP client software was used for this test. Software version 1.4.8 was used, as is shown in Figure 12.

Figure 12

Birdstep software version information

Home Agent

The Home Agent used in this test was running IOS version 12.2(8)T4. Output from a show version taken on the Home Agent is shown below.

r3660#sh ver
Cisco Internetwork Operating System Software 
IOS (tm) 3600 Software (C3660-IS-M), Version 12.2(8)T4,  RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Fri 03-May-02 21:03 by ccai
Image text-base: 0x60008940, data-base: 0x615C0000
 
ROM: System Bootstrap, Version 12.0(6r)T, RELEASE SOFTWARE (fc1)
ROM: 3600 Software (C3660-JO3S56I-M), Version 12.0(7)XK2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
 
r3660 uptime is 4 days, 48 minutes
System returned to ROM by power-on
System image file is "flash:c3660-is-mz.122-8.T4.bin"
 
cisco 3660 (R527x) processor (revision 1.0) with 253952K/8192K bytes of memory.
Processor board ID JAB0446C08C
R527x CPU at 225Mhz, Implementation 40, Rev 10.0, 2048KB L2 Cache
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
 
 
3660 Chassis type: ENTERPRISE
4 Ethernet/IEEE 802.3 interface(s)
2 FastEthernet/IEEE 802.3 interface(s)
DRAM configuration is 64 bits wide with parity disabled.
125K bytes of non-volatile configuration memory.
65536K bytes of processor board System flash (Read/Write)
16384K bytes of processor board PCMCIA Slot0 flash (Read/Write)
 
Configuration register is 0x2102
 
r3660#

ACS version

ACS version 3.0(1) build 19 was used in this test. The version information is circled in Figure 13 below.

Figure 13

ACS version information

Appendix 2—Acronyms

AAA     Authentication, Authorization, Accounting
ACS     Access Control Server
CCOA    Colocated Care of Address
CN      Correspondent Node
COA     Care Of Address
FA      Foreign Agent
FHAE    Foreign-Home Authentication Extension
GRE     Generic Routing Encapsulation
HA      Home Agent
IPnIP   IP in IP Encapsulation
MAAE    MN-AAA Authentication Extension
MFAE    Mobile-Foreign Authentication Extension
MHAE    Mobile-Home Authentication Extension
MIP     Mobile IP
MN      Mobile Node
SPI     Security Parameter Index
TLV     Type, Length, Value


Appendix 3

Large Summary Diagram

Notes

[1] The MN can create its own challenge in Colocated Care of Address (CCoA) mode.
[2] This is a MN-AAA Authentication Extension (RFC 3012).
[3] The FA can use this TLV too and can strip it off the RRQ if configured to do so.
[4] The HA will use the received challenge and response to fill in the Access-Request packet unless it is configured to ignore it.
[5] The MN's SPI and Key are sent back from the AAA server to the HA in clear text.