Configuring Mobile IP Security Associations on a CiscoSecure ACS server
This configuration note provides detailed instructions and background information on configuring the Mobile IP Home Agent to download Mobile Node Security Associations from a CiscoSecure ACS AAA server instead of configuring them locally on the Home Agent itself.
This document details the configuration necessary for a Cisco IOS Software Home Agent (HA) to retrieve a Mobile Node's (MN) SPI and Key from a CiscoSecure ACS RADIUS server (an Authentication, Authorization, and Accounting (AAA) server).
When a Mobile IP Home Agent receives a registration request from the MN, it requires the MN's SPI & Key, collectively known as a Security Association (SA), to authenticate the RRQ packet. This SA must exist between the Mobile Node (MN), identified either by a Network Access Identifier (NAI) or home IP address, and the HA. SAs between other Mobile IP entities are possible but are not mandatory.
SAs take the form of a Security Parameter Index (SPI) number and either an associated 16-byte hexadecimal key (expressed as 32 digits) or an ASCII key. The ASCII key authentication process is not well defined and therefore causes interoperability issues, so Cisco only recommends the use of 32-digit hexadecimal keys.
For each MN, matching SAs are configured:
• For the MN: SAs are statically configured on the MN.
• For the HA: SAs can either be statically configured on the HA, or centrally configured on a AAA server and loaded into the HA as required.
There are several advantages to configuring SAs on AAA servers:
• Central point of configuration: all security parameters are centrally configured and maintained.
• Scalability: the HA only downloads SAs as required. It does not need to have the complete list of SAs for all MNs that may register permanently configured.
The MN does not authenticate to the ACS directly. The HA communicates with the ACS in order to get the correct SPI and Key for the MN that is registering with it.
Passwords and Keys
This document details the configuration necessary to have a Cisco IOS Software HA retrieve a MN's SA from a CiscoSecure ACS RADIUS server. In order to do this, three passwords or keys need to be configured:
1. MN-HA SPI & Key
2. HA-AAA Key
3. AAA MN Password
MN-HA SPI & Key
When the HA receives a registration request from the MN, it needs the MN's SPI & Key to authenticate the RRQ packet. This document describes how the MN's SPI and Key can be configured on a central AAA server and obtained by the HA as required.
HA-AAA Key
This is a shared secret that the HA and AAA server use to authenticate each other when processing access-request/access-response packets. These packets are sent between the HA and the AAA server to request the MN's SPI & Key.
AAA MN Password
This is a shared secret between a user and the AAA server. It is typically used to validate the user to a third party, which has a trust relationship with the AAA server and to supply the third party with additional information about the user. The HA uses this method to provide additional information about the user (MN's SPI and Key), but it does not use it to validate the MN.
This is the process that a third party goes through to validate the user:
1. Third party supplies a challenge to the user and the user uses its shared secret password (user password) with the AAA server to create a response.
2. User sends this response to the third party.
3. Third party sends the challenge and response to the AAA server in an access-request packet.
4. When the AAA server receives an access-request packet from the trusted third party, it uses its stored password for the user and the challenge in the access-request packet to create its own response to the challenge.
5. AAA Server compares the two responses. If they are identical, this validates the user and the AAA server sends back an access-accept packet to the trusted third party.
Every access-request packet sent to the AAA server requires a challenge and response in the packet. Although the HA does not use this method to validate the MN, the HA must supply a challenge and response in the access-request packet in order to retrieve the MN's SPI & Key from the AAA server.
There are two methods for the HA to get the challenge and response it sends to the AAA server:
1. HA receives the challenge and response in the MN's RRQ
The MN receives a challenge in the FA's advertisement when the FA is configured for FA-challenge [1]. The MN combines the challenge with its user password to create a response. It then adds a "challenge/response" TLV [2] (type, length, value) to the end of the RRQ that it sends to the HA via the FA [3]. The HA uses the challenge and response it receives to fill in the access-request packet that it sends to the AAA server [4].
When the AAA server receives an access-request packet, it uses its stored password for the user and the challenge in the access-request packet to create its own response to the challenge. It then compares the two responses. If the two responses are identical, it validates the user and sends back an access-accept packet. The access-accept packet contains the user's (MN's) SPI and Key as a Cisco Systems Vendor Specific Attribute (VSA) [5]. This SPI and Key are used to compute the Mobile-Home Authentication Extension (MHAE) and validate the MN to the HA.
2. HA creates the challenge and response (more common)
If the HA does not receive a "challenge/response" TLV in the RRQ, it still needs to supply a challenge and response in the access-request packet. When the "challenge/response" TLV is missing from the RRQ, the HA creates a challenge and a response using a default password (cisco).
Since the AAA server uses the challenge in the packet and the stored user password to create its own response to the challenge, the user password for all MNs on the AAA server must be set to cisco for the HA and AAA server responses to match.
In a later release, network engineers will be able to change the default password (cisco) to a different value. This will allow a different password to be used for all MNs (users) on the AAA server.
Figure 1 summarizes the necessary configuration. Appendix 3 provides the same diagram in full-page form.
Lab setup and configuration
Mobile Node Configuration
The following example of MN configuration is based on Birdstep Technologies Mobile IP client software. Equivalent configuration is required with other vendors' MN clients.
The Mobile Node was configured with an IP address belonging to the virtual network configured on the HA.
The IP address of the HA on the MN was the IP address of a loopback interface on the HA. Figure 2 illustrates the IP configuration of the MN.
MN IP Configuration
The MN default configuration is to do MN to HA authentication. MN-HA authentication is mandatory for a Mobile IP deployment. Figure 3 illustrates the Authentication configuration.
Mobile Node Authentication Types configuration
The MN is also configured with the authentication mode. Figure 4 shows the keyed-MD5 authentication module selected. It also shows that SPI 0x100 is used for this MN. By activating the settings button as depicted in Figure 4, the shared-secret value corresponding to SPI 100 will be revealed.
Configuring the MN hash type and SPI
The key that acts as a shared secret between the MN and the HA is configured for SPI 100 by pressing the settings button shown in Figure 4. Figure 5 shows the setting of the key for SPI 100 in the test described in this paper.
Shared secret (key) associated with SPI 100
Note: The SPI (shown in Figure 4) and key (shown in figure 5) must match the SPI and key on the ACS server configured for the MN (in figure 8). This key is used to compute the Mobile-Home Authentication Extension (MHAE) to authenticate Registration Request and Registration Replies between the Mobile Node and the Home Agent.
Home Agent Configuration
Following is the full configuration of the HA router used in the test. Sections relevant to this test are annotated with comment lines (beginning with !) in the configuration.
This test used a FA, but there were no specific FA requirements for this test and the full FA configuration has not been supplied. Sections of FA configuration are shown in figure 1 and appendix 3. The test would also work with the MN using a Collocated Care of Address instead of a FA.

r3660#more system:running-config
Building configuration...

Current configuration : 1617 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
!
hostname r3660
!
boot system flash c3660-is-mz.122-8.T4.bin
! Enable AAA authentication
aaa new-model
!
! Enable AAA authorization for MIP
aaa authorization ipmobile default group radius
aaa session-id common
enable secret 5 $1$0Vpv$vtMqxUQqUm7lrOQD7huUP/
!
ip subnet-zero
!
! Loopback interface to use as management address and for mobile nodes
! to use as an HA IP address. Also used as source IP address for all AAA
! packets.
interface Loopback0
 ip address 10.251.254.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 ip helper-address 10.1.204.10
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.2.2.2 255.255.255.0
 ip helper-address 10.1.204.10
 ip helper-address 172.26.204.67
 duplex auto
 speed auto
!
! Enable MIP
router mobile
!
router eigrp 1
 ! Redistribute the mobile routes
 redistribute mobile
 network 10.0.0.0
 no auto-summary
 no eigrp log-neighbor-changes
!
ip classless
!
! Enable HA Functionality
ip mobile home-agent
! Define a virtual network as MNs' home network and add it to the HA's
! forwarding table
ip mobile virtual-network 10.254.254.0 255.255.255.0 address 10.254.254.1
! Use AAA to obtain SAs for MNs with IP address between 10.254.254.10 and
! 10.254.254.20, and cache the SA on the HA once loaded
ip mobile host 10.254.254.10 10.254.254.20 virtual-network 10.254.254.0 255.255.255.0 aaa load-sa
! This command tells the HA to use the IP address assigned to Loopback0
! as the source address in "Access-Request" packets. The IP address on the
! loopback must match the IP address configured in AAA Client IP Address
! in Figure 6.
ip radius source-interface Loopback0
! Define the radius server and shared secret. The key/password configured
! here should match the key configured on the ACS in figure 6 and figure 7.
! For this example, the radius key is secret-password-here
! Define IP Address of the radius server and the ports it is listening to
radius-server host 172.26.204.67 auth-port 1645 acct-port 1646
radius-server retransmit 3
! Shared Secret between the Home Agent and Radius Server. Used to
! authenticate the radius server.
radius-server key secret-password-here
!
line con 0
line aux 0
line vty 0 4
 password admin
!
end
CiscoSecure ACS Radius Server Configuration
Caution: If ACS 3.1 is used, the routers running the HA service must be at Cisco IOS Software Release 12.2(15)T or later. This is because of a change in the way attributes are communicated in ACS 3.1.
Create ACS definition for the home agent
Configure the ACS server with a definition for the HA that will be contacting it to download MN SAs.
A HA definition is configured by clicking the Network Configuration button on the ACS server. This button is circled in red in figure 6.
Note: The Key field shown in figure 6 provides the shared secret that is used to secure communications between the ACS server and the HA. The same key must be configured on the HA in the radius-server key command. In this example, it is set to secret-password-here. This is the HA-AAA key described above in the Passwords and Keys section of the document.
Configuring the ACS with a definition for the HA
The AAA Client IP Address is the source IP address the HA will use when requesting a MN's SA from the ACS. In our example, it is Loopback0's IP address on the HA. The HA is configured to use Loopback0 as the source IP address by the ip radius source-interface Loopback0 command.
The Key field shown in figure 6 provides the ACS server with the shared secret that is configured on the HA with the radius-server key secret-password-here command.
Defining the MN SA on the ACS
The MN is configured on the ACS server as a user. User definitions are added to the ACS server by clicking the User Setup button highlighted in figure 7.
Configuring the MN in ACS
The user ID is configured to match the MN's home address. In this case, the mobile node's IP address is 10.254.254.10.
The Password and Confirm Password fields in User Setup must be set to cisco. The mobile node password is set to a static value of cisco because:
• The mobile IP developers set a default user password of cisco for computing the response in the access requests sent by the HA to the ACS.
• Communication between the home agent and the radius server is already protected by a shared secret (in this case the shared secret is secret-password-here).
It is also necessary to define the Mobile Node's Security Association on the ACS server so it can be dynamically passed to the HA when the Mobile Node registers to it.
The MN's SA can be defined by scrolling down to the bottom of the User Setup page. Near the bottom, the Cisco IOS/PIX Radius Attributes field should be visible. An example of this field is shown in figure 8.
Note: If the Cisco IOS/PIX Radius Attributes field does not appear, enable this option as described in the section—Enabling the Cisco IOS/PIX Radius Attributes field.
The MN's SA key is entered on the ACS server as shown in figure 8.
Setting the MNs key
The key is entered as one string without line-feeds. In the example above the following would be entered:
mobileip:spi#0=spi 100 key hex 12345678123456781234567812345678
This entry would be displayed on the ACS as shown in figure 8. The spi#0= field is an index used by the ACS server that allows multiple SPIs to be defined for a single MN. The spi 100 field is the actual SPI number defined on the MN that will be used by the HA.
Note: The SPI and Key must also be configured on the mobile node. This data is used on the Home Agent to authenticate the mobile IP Registration Request and to compute the MHAE for the Registration Reply.
Figure 9 shows an example where more than one SA is defined for a MN. The ACS server uses the spi#0 and spi#1 to index these, but passes spi 100 and spi 200 respectively to the HA. The two entries in the ACS interface are separated by a carriage-return.
Setting multiple SAs for a MN
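The two pieces the HA puts together once the ACS answers are the av-pair text above (turned into an SA table, one entry per SPI, exactly as the "Parse AV 'ip mobile secure host ...'" debug line shows) and the keyed-MD5 check of the MHAE that the note under Figure 5 describes. The following is an added example written for this document, not Cisco IOS code or Birdstep code: the helper names, the constructed Registration Request bytes and the fixed identification value are assumptions, while the av-pair strings, addresses and keys are the ones used in this test. It applies the 32-hex-digit rule from the Passwords and Keys section and verifies an RRQ with the default Mobile IP authenticator, MD5(key || data || key) from RFC 2002 section 3.5.1.

```python
import hashlib
import hmac
import re
import struct
from typing import Dict, NamedTuple

# Hypothetical helper names (not IOS code). The av-pair format is the one the
# document shows; the parse mirrors the HA debug line
# "Parse AV 'ip mobile secure host <addr> spi <n> key hex <key>' ok (0)".
AVPAIR_RE = re.compile(
    r"^mobileip:spi#(?P<index>\d+)=spi (?P<spi>\d+) key (?P<kind>hex|ascii) (?P<key>\S+)$"
)
MHAE_TYPE = 32  # Mobile-Home Authentication Extension type (RFC 2002)

# Constructed sample: the two entries from the document's ACS screenshot, one per line.
SAMPLE_AVPAIRS = """mobileip:spi#0=spi 100 key hex 12345678123456781234567812345678
mobileip:spi#1=spi 200 key hex 12345678123456781234567812345678"""


class SecurityAssociation(NamedTuple):
    spi: int
    key: bytes


def parse_mobileip_avpairs(text: str) -> Dict[int, SecurityAssociation]:
    """Parse cisco-av-pair values (one per line) into an SA table keyed by SPI."""
    table: Dict[int, SecurityAssociation] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = AVPAIR_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised av-pair: {line!r}")
        spi = int(m["spi"])
        if m["kind"] == "hex":
            # 16-byte key written as exactly 32 hex digits, as the document recommends
            if not re.fullmatch(r"[0-9a-fA-F]{32}", m["key"]):
                raise ValueError(f"spi {spi}: hex key must be exactly 32 hex digits")
            key = bytes.fromhex(m["key"])
        else:
            key = m["key"].encode("ascii")  # accepted, but not recommended by the document
        if spi in table:
            raise ValueError(f"duplicate SPI {spi}")
        table[spi] = SecurityAssociation(spi, key)
    return table


def keyed_md5_prefix_suffix(key: bytes, data: bytes) -> bytes:
    """Default Mobile IP authenticator (RFC 2002 3.5.1): MD5(key || data || key)."""
    return hashlib.md5(key + data + key).digest()


def build_sample_rrq() -> bytes:
    """Constructed Registration Request fixed header (RFC 2002 3.3) using the document's addresses."""
    home = bytes([10, 254, 254, 10])     # MN home address
    ha = bytes([10, 254, 254, 1])        # HA address (the virtual-network address)
    coa = bytes([172, 26, 204, 81])      # care-of address seen in the debug output
    identification = struct.pack("!Q", 0x1234567800000000)  # constructed, not a real timestamp
    return struct.pack("!BBH", 1, 0, 180) + home + ha + coa + identification


def append_mhae(message: bytes, sa: SecurityAssociation) -> bytes:
    """Append an MHAE: type, length (SPI + 16-byte authenticator = 20), SPI, authenticator."""
    ext_header = struct.pack("!BBI", MHAE_TYPE, 20, sa.spi)
    authenticator = keyed_md5_prefix_suffix(sa.key, message + ext_header)
    return message + ext_header + authenticator


def verify_mhae(packet: bytes, table: Dict[int, SecurityAssociation]) -> bool:
    """What the HA does once the SA is loaded: look up the SPI and recompute the authenticator."""
    if len(packet) < 22:
        return False
    body, ext = packet[:-22], packet[-22:]
    ext_type, ext_len, spi = struct.unpack("!BBI", ext[:6])
    if ext_type != MHAE_TYPE or ext_len != 20:
        return False
    sa = table.get(spi)
    if sa is None:
        return False  # no SA for this SPI: the HA cannot authenticate the RRQ
    expected = keyed_md5_prefix_suffix(sa.key, body + ext[:6])
    return hmac.compare_digest(expected, ext[6:])
```

A mismatch anywhere in the chain (a key entered on the ACS with 31 digits, an SPI the MN does not use, a key that differs from Figure 5) shows up here as a rejected RRQ, which is the "Access-Accept but HA rejects" case in the troubleshooting section.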
Enabling the Cisco IOS/PIX Radius Attributes field
The Cisco IOS/PIX Radius Attributes field does not appear as a User Setup option unless it is first enabled. To enable the Cisco IOS/PIX Radius Attributes field, click the Interface Configuration button circled in Figure 10, then select the check box to enable the User cisco-av-pair option, as shown in Figure 10.
Troubleshooting
The troubleshooting section in this document is divided into three parts:
1. Is the problem on the radius server or the home agent?
2. Troubleshooting the Home Agent
3. Troubleshooting the ACS server
1. Is the problem on the radius server or the home agent?
To determine if the problem is on the radius server or the home agent, turn on "debug radius" and "debug ip mobile host" on the home agent. Watch to see if the radius server returns an "Access-Accept" or an "Access-Reject". If the radius server returns an "Access-Reject", find out why the radius server rejected the "Access-Request" packet from the home agent (see Troubleshooting the ACS server).
If the radius server returns an "Access-Accept" and the home agent rejects the registration, there is most likely a misconfiguration between the SPI/Key on the radius server and the SPI/Key defined on the mobile node. Begin troubleshooting from the home agent (see Troubleshooting the Home Agent).
In the successful example below, the home agent received an "Access-Accept" from the radius server, and an SPI and Key were returned so that the HA could validate the MN's RRQ packet.

05:45:04: RADIUS(00000000): sending
05:45:04: RADIUS: Send to unknown id 54 172.26.204.67:1645, Access-Request, len 65
05:45:04: RADIUS: authenticator 93 F7 57 BD 44 3F 88 D8 - 86 4C A8 F6 1A 2F B1 D1
05:45:04: RADIUS: User-Name  15 "10.254.254.10"
05:45:04: RADIUS: User-Password  18 *
05:45:04: RADIUS: Service-Type  6 Outbound
05:45:04: RADIUS: NAS-IP-Address  6 10.254.254.1
05:45:04: RADIUS: Received from id 54 172.26.204.67:1645, Access-Accept, len 174
05:45:04: RADIUS: authenticator F7 1A E5 F5 D2 39 38 28 - 1E D6 77 E1 38 07 94 DC
05:45:04: RADIUS: Session-Timeout  6 600
05:45:04: RADIUS: Vendor, Cisco  71
05:45:04: RADIUS: Cisco AVpair  65 "mobileip:spi#0=spi 100 key hex 12345678123456781234567812345678"
05:45:04: RADIUS: Vendor, Cisco  71
05:45:04: RADIUS: Cisco AVpair  65 "mobileip:spi#1=spi 200 key hex 12345678123456781234567812345678"
05:45:04: RADIUS: Framed-IP-Address  6 255.255.255.255
05:45:04: RADIUS(00000000): Unique id not in use
2. Troubleshooting the Home Agent
The show command that you want to use on the HA is show ip mobile binding X.Y.Z.A, or just show ip mobile binding if there are not too many hosts. This will show if the mobile node registered successfully.
show ip mobile host X.Y.Z.A will indicate the last error for this host and tell you whether it is registered or not. If it says "never" as the last error and the host is not registered, then the HA never received a registration request from the FA and debugging should be done on the FA.
There is no equivalent of the show ip mobile host command on the FA. If the registration is successful, you can use show ip mobile visitor on the FA.
If the registrations are not seen on the HA, debug ip mobile host will show what is happening on the FA. If there is a lot of mobile IP host traffic, an ACL identifying the host can be used with the debug ip mobile host command.
Below is debug output captured when mobile node 10.254.254.10 is successfully registering with the home agent.

r3660#debug radius
Radius protocol debugging is on
Radius protocol brief debugging is off
Radius packet hex dump debugging is off
Radius packet protocol debugging is on
Radius packet retransmission debugging is off
Radius server fail-over debugging is off
r3660#debug ip mobile host
IP mobility for mobile node debugging is on
05:45:04: MobileIP: HA 120 received registration for MN 10.254.254.10 on FastEthernet0/0 using COA 172.26.204.81 HA 10.254.254.1 lifetime 180 options sbdmgvt
05:45:04: RADIUS(00000000): sending
05:45:04: RADIUS: Send to unknown id 54 172.26.204.67:1645, Access-Request, len 65
05:45:04: RADIUS: authenticator 93 F7 57 BD 44 3F 88 D8 - 86 4C A8 F6 1A 2F B1 D1
05:45:04: RADIUS: User-Name  15 "10.254.254.10"
05:45:04: RADIUS: User-Password  18 *
05:45:04: RADIUS: Service-Type  6 Outbound
05:45:04: RADIUS: NAS-IP-Address  6 10.254.254.1
05:45:04: RADIUS: Received from id 54 172.26.204.67:1645, Access-Accept, len 174
05:45:04: RADIUS: authenticator F7 1A E5 F5 D2 39 38 28 - 1E D6 77 E1 38 07 94 DC
05:45:04: RADIUS: Session-Timeout  6 600
05:45:04: RADIUS: Vendor, Cisco  71
05:45:04: RADIUS: Cisco AVpair  65 "mobileip:spi#0=spi 100 key hex 12345678123456781234567812345678"
05:45:04: RADIUS: Vendor, Cisco  71
05:45:04: RADIUS: Cisco AVpair  65 "mobileip:spi#1=spi 200 key hex 12345678123456781234567812345678"
05:45:04: RADIUS: Framed-IP-Address  6 255.255.255.255
05:45:04: RADIUS(00000000): Unique id not in use
05:45:04: RADIUS: Received from id 0
05:45:04: MobileIP: MN 10.254.254.10: Parse AV 'ip mobile secure host 10.254.254.10 spi 100 key hex 12345678123456781234567812345678' ok (0)
05:45:04: MobileIP: MN 10.254.254.10: Parse AV 'ip mobile secure host 10.254.254.10 spi 200 key hex 12345678123456781234567812345678' ok (0)
05:45:04: MobileIP: HA 11 received registration for MN 10.254.254.10 on using COA 172.26.204.81 HA 10.254.254.1 lifetime 180 options sbdmgvt
05:45:04: MobileIP: MN 10.254.254.10 - authenticating MN 10.254.254.10 using SPI 100
05:45:04: MobileIP: MN 10.254.254.10 - authenticated MN 10.254.254.10 using SPI 100
05:45:04: MobileIP: Identification field has timestamp 315111592 secs greater than our current time 03/01/93 05:45:04 (> allowed 7 secs) for MN 10.254.254.10
05:45:04: %IPMOBILE-6-SECURE: Security violation on HA from MN 10.254.254.10 - errcode registration id mismatch (133), reason Bad identifier (3)
05:45:04: MobileIP: HA rejects registration for MN 10.254.254.10 - registration id mismatch (133)
05:45:04: MobileIP: MN 10.254.254.10 - MH auth ext added (SPI 100) to MN 10.254.254.10
05:45:04: MobileIP: MN 10.254.254.10 - HA sent reply to 10.1.1.1
05:45:05: MobileIP: HA 120 received registration for MN 10.254.254.10 on FastEthernet0/0 using COA 172.26.204.81 HA 10.254.254.1 lifetime 180 options sbdmgvt
05:45:05: MobileIP: MN 10.254.254.10 - authenticating MN 10.254.254.10 using SPI 100
05:45:05: MobileIP: MN 10.254.254.10 - authenticated MN 10.254.254.10 using SPI 100
05:45:05: MobileIP: Mobility binding for MN 10.254.254.10 created
05:45:05: MobileIP: Roam timer started for MN 10.254.254.10, lifetime 60
05:45:05: MobileIP: MN 10.254.254.10 is now roaming
05:45:05: MobileIP: Insert route 10.254.254.10/255.255.255.255 via gateway 172.26.204.81 on Tunnel0
05:45:05: MobileIP: HA accepts registration from MN 10.254.254.10
05:45:05: MobileIP: MN 10.254.254.10 - MH auth ext added (SPI 100) to MN 10.254.254.10
05:45:05: MobileIP: MN 10.254.254.10 - HA sent reply to 10.1.1.1
r3660#undebug all
Ignore any errors with code 133—it is just telling you that the clocks are mismatched. The MN will automatically correct that and reissue another RRQ. This problem can be avoided altogether by enabling Network Time Protocol (NTP) on the routers and MNs.
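The three troubleshooting parts above amount to a decision tree over the HA's debug output: no registration seen means the FA, an Access-Reject means the ACS (with "failed decrypt" singling out the HA-AAA key), an Access-Accept followed by a rejection means the MN-HA SA, and errcode 133 alone is clock skew to be ignored. The following is an added example written for this document, not an IOS or ACS feature: the function and verdict names are assumptions, the message substrings are taken from the captures in this document, and the sample captures are constructed (the errcode 131 line is modelled on RFC 2002's "mobile node failed authentication" code and its exact IOS wording is assumed).

```python
import re
from typing import Iterable

# Hypothetical triage helper written for this document; it is not an IOS or ACS tool.
ERRCODE_RE = re.compile(r"errcode .*?\((\d+)\)")

ADVICE = {
    "ok": "Registration accepted: SA download and MN-HA authentication both worked.",
    "no-rrq": "The HA never saw a registration request; run debug ip mobile host on the FA.",
    "ha-aaa-key-mismatch": "Access-Reject followed by 'failed decrypt': the radius-server key on "
                           "the HA does not match the Key in the ACS client definition for the HA.",
    "acs-reject": "Access-Reject: read the ACS Failed Attempts report "
                  "(user missing, or user password not set to cisco).",
    "clock-skew-133": "Only errcode 133 seen: clock mismatch, the MN re-registers on its own; enable NTP.",
    "mn-ha-sa-mismatch": "Access-Accept but the HA rejected the RRQ: SPI/Key on the ACS do not match the MN.",
    "unknown": "No recognisable outcome in this capture.",
}

# Constructed captures modelled on the debug output shown in this document.
SUCCESS_WITH_133 = [
    "05:45:04: MobileIP: HA 120 received registration for MN 10.254.254.10 on FastEthernet0/0 "
    "using COA 172.26.204.81 HA 10.254.254.1 lifetime 180 options sbdmgvt",
    "05:45:04: RADIUS: Received from id 54 172.26.204.67:1645, Access-Accept, len 174",
    "05:45:04: %IPMOBILE-6-SECURE: Security violation on HA from MN 10.254.254.10 - "
    "errcode registration id mismatch (133), reason Bad identifier (3)",
    "05:45:05: MobileIP: HA accepts registration from MN 10.254.254.10",
]
KEY_MISMATCH = [
    "4d02h: MobileIP: HA 157 rcv registration for MN 10.254.254.10 on FastEthernet1/1 "
    "using COA 172.26.204.81 HA 10.254.254.1 lifetime 36000 options sbdmg-T-",
    "4d02h: RADIUS: Received from id 21645/164 172.26.204.67:1645,Access-Reject, len 20",
    "4d02h: RADIUS: Response (164)failed decrypt",
]
SA_MISMATCH = [
    SUCCESS_WITH_133[0],
    SUCCESS_WITH_133[1],
    # constructed: 131 is RFC 2002's "mobile node failed authentication"; the IOS wording is assumed
    "05:45:04: %IPMOBILE-6-SECURE: Security violation on HA from MN 10.254.254.10 - "
    "errcode mobile node failed authentication (131)",
]


def triage(lines: Iterable[str]) -> str:
    """Return the verdict key (see ADVICE) for one HA debug capture."""
    saw_rrq = saw_accept = saw_reject = failed_decrypt = accepted = False
    errcodes = []
    for line in lines:
        if "received registration for MN" in line or "rcv registration for MN" in line:
            saw_rrq = True
        if "Access-Accept" in line:
            saw_accept = True
        if "Access-Reject" in line:
            saw_reject = True
        if "failed decrypt" in line or "decrypt fail" in line:
            failed_decrypt = True
        if "HA accepts registration" in line:
            accepted = True
        m = ERRCODE_RE.search(line)
        if m:
            errcodes.append(int(m.group(1)))
    if not saw_rrq:
        return "no-rrq"            # part 2: nothing reached the HA, debug on the FA
    if saw_reject:                 # part 1/3: the ACS said no
        return "ha-aaa-key-mismatch" if failed_decrypt else "acs-reject"
    if accepted:
        return "ok"                # any earlier 133 was corrected by the MN's retry
    if saw_accept and errcodes:
        return "clock-skew-133" if all(c == 133 for c in errcodes) else "mn-ha-sa-mismatch"
    return "unknown"


def explain(lines: Iterable[str]) -> str:
    """Verdict plus the next step, in the terms used by this document."""
    verdict = triage(lines)
    return f"{verdict}: {ADVICE[verdict]}"
```

Feed it the output of debug radius and debug ip mobile host for one MN (with an ACL on the debug if the HA is busy); a capture that ends in the 133 rejection but never reaches "HA accepts registration" is reported as clock skew rather than an SA problem.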
3. Troubleshooting the ACS server
On the ACS, look at the Failed Attempts reports and find out why the ACS sent an "Access-Reject" to the home agent.
Figure 11 illustrates the ACS Failed Attempts log that resulted from attempts to log in with non-matching HA/ACS passwords, and from attempts to log in with a client password not equal to cisco. (The same error is logged in the ACS in both cases.) To differentiate between these two problems, you have to look at the debug output on the HA from the debug radius command.
If the problem is a mismatch between the HA-AAA key on the AAA server and the one on the HA, the debug radius output on the HA will show a failed decrypt message following the Access-Reject.
Passed authentications can be viewed in the ACS log only if first enabled via the System Configuration—Logging buttons.
Accessing failed authentication attempts on the ACS
Debug output from debug radius command on HA
4d02h: MobileIP: HA 157 rcv registration for MN 22.214.171.124 on FastEthernet1/1 using HomeAddr 126.96.36.199 COA 188.8.131.52 HA 184.108.40.206 lifetime 36000 options sbdmg-T-
4d02h: RADIUS(000000CE): Config NAS IP: 0.0.0.0
4d02h: RADIUS/ENCODE(000000CE): acct_session_id: 206
4d02h: RADIUS(000000CE): sending
4d02h: RADIUS/ENCODE: Best Local IP-Address 220.127.116.11 for Radius-Server 18.104.22.168
4d02h: RADIUS(000000CE): Send Access-Request to 22.214.171.124:1645 id 21645/164, len 60
4d02h: RADIUS: authenticator 9D 4F 4A 9B 9B A9 FB A0 - 72 DF ED 94 99 CF 8D BF
4d02h: RADIUS: User-Name  10 "126.96.36.199"
4d02h: RADIUS: User-Password  18 *
4d02h: RADIUS: Service-Type  6 Outbound
4d02h: RADIUS: NAS-IP-Address  6 188.8.131.52
4d02h: RADIUS: Received from id 21645/164 184.108.40.206:1645,Access-Reject, len 20
4d02h: RADIUS: authenticator 29 03 82 DF D0 80 0A DB - CB 12 6D 07 6F 56 45 7D
4d02h: RADIUS: response-authenticator decrypt fail, pak len 20
4d02h: RADIUS: packet dump: 03A40014290382DFD0800ADBCB126D076F56457D
4d02h: RADIUS: expected digest: 9D02764BF4D5CA81FDB044B08C725E74
4d02h: RADIUS: response authen: 290382DFD0800ADBCB126D076F56457D
4d02h: RADIUS: request authen: 9D4F4A9B9BA9FBA072DFED9499CF8DBF
4d02h: RADIUS: Response (164) failed decrypt
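The "failed decrypt" lines above are the HA doing the RFC 2865 Response Authenticator check with its own radius-server key: it takes the Access-Reject's code, identifier and length, the request authenticator it sent, the (here empty) attributes and the shared secret, MD5s them to get "expected digest", and compares that with "response authen" from the packet. The same key also produces the keystream that hides the User-Password attribute (the "User-Password 18 *" line, 16 hidden bytes for the 5-byte password cisco). The following is an added example written for this document, not Cisco code: the packet dump and request authenticator are copied from the capture above, while the helper names and the HA-side secret are assumptions (the capture was taken with a mismatched key, so the real value is not on the page and the check is expected to fail with any assumed secret).

```python
import hashlib
import hmac
import struct
from typing import Tuple

# Values copied from the "Debug output from debug radius command" capture in this document.
PAGE_PACKET = bytes.fromhex("03A40014290382DFD0800ADBCB126D076F56457D")   # packet dump
PAGE_REQUEST_AUTH = bytes.fromhex("9D4F4A9B9BA9FBA072DFED9499CF8DBF")       # request authen
# Assumed HA-side shared secret (hypothetical; the mismatched key in the capture is not shown).
ASSUMED_SECRET = b"secret-password-here"


def parse_radius(packet: bytes) -> Tuple[int, int, int, bytes, bytes]:
    """Split a RADIUS packet into code, identifier, length, authenticator and raw attributes."""
    if len(packet) < 20:
        raise ValueError("RADIUS packet shorter than 20 bytes")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    return code, ident, length, packet[4:20], packet[20:length]


def response_authenticator(code: int, ident: int, length: int, request_auth: bytes,
                           attributes: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The check behind the HA's 'failed decrypt' message: recompute and compare the authenticator."""
    code, ident, length, auth, attrs = parse_radius(packet)
    expected = response_authenticator(code, ident, length, request_auth, attrs, secret)
    return hmac.compare_digest(expected, auth)


def build_access_reject(ident: int, request_auth: bytes, secret: bytes) -> bytes:
    """Construct an attribute-less Access-Reject (code 3, length 20) that verifies under secret."""
    auth = response_authenticator(3, ident, 20, request_auth, b"", secret)
    return struct.pack("!BBH", 3, ident, 20) + auth


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: XOR 16-byte blocks with an MD5 keystream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        out += block
        prev = block
    return out


def reveal_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_user_password: anyone holding the shared secret recovers the password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ s for h, s in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")
```

Two points for the deployment: the HA-AAA key is the only thing protecting the exchange, since the User-Password hiding is reversible with that key and the SPI and Key in the Access-Accept VSA are not hidden at all (note 5), so the ACS and HA should be on a path you trust; and a "failed decrypt" is conclusive for a key mismatch because the check covers the whole reply.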
Appendix 1—Software versions used in test
Mobile IP client
Birdstep Mobile IP client software was used for this test. Software version 1.4.8 was used, as is shown in Figure 12.
Birdstep software version information
Home Agent
The Home Agent used in this test was running IOS version 12.2(8)T4. Output from a show version taken on the Home Agent is shown below.

r3660#sh ver
Cisco Internetwork Operating System Software
IOS (tm) 3600 Software (C3660-IS-M), Version 12.2(8)T4, RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Fri 03-May-02 21:03 by ccai
Image text-base: 0x60008940, data-base: 0x615C0000

ROM: System Bootstrap, Version 12.0(6r)T, RELEASE SOFTWARE (fc1)
ROM: 3600 Software (C3660-JO3S56I-M), Version 12.0(7)XK2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

r3660 uptime is 4 days, 48 minutes
System returned to ROM by power-on
System image file is "flash:c3660-is-mz.122-8.T4.bin"

cisco 3660 (R527x) processor (revision 1.0) with 253952K/8192K bytes of memory.
Processor board ID JAB0446C08C
R527x CPU at 225Mhz, Implementation 40, Rev 10.0, 2048KB L2 Cache
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
3660 Chassis type: ENTERPRISE
4 Ethernet/IEEE 802.3 interface(s)
2 FastEthernet/IEEE 802.3 interface(s)
DRAM configuration is 64 bits wide with parity disabled.
125K bytes of non-volatile configuration memory.
65536K bytes of processor board System flash (Read/Write)
16384K bytes of processor board PCMCIA Slot0 flash (Read/Write)

Configuration register is 0x2102
r3660#

CiscoSecure ACS server
ACS version 3.0(1) build 19 was used in this test. The version information is circled in the figure below.
ACS version information
Large Summary Diagram
Notes
[1] The MN can create its own challenge in Colocated Care of Address (CCoA) mode.
[2] This is a MN-AAA Authentication Extension (RFC 3012).
[3] The FA can use this TLV too and can strip it off the RRQ if configured to do so.
[4] The HA will use the received challenge and response to fill in the Access-Request packet unless it is configured to ignore it.
[5] The MN's SPI and Key are sent back from the AAA server to the HA in clear text.