This document describes an enterprise Layer 3 mobility solution using the standards-based Mobile IP protocol, the Cisco Dynamic Security Association and Key Distribution feature, and Dynamic Host Configuration Protocol (DHCP) option 68.
PART I: SOLUTION OVERVIEW
1.0 Background-Layer 3 Mobility and Mobile IP
Today, enterprises are deploying wireless local area networks (WLANs) to meet their employees' mobility requirements and to boost company productivity. A WLAN allows employees to stay connected while moving around their workplace. While deploying a WLAN improves company productivity, it also introduces some challenges to the user's mobility experience. For example, users' applications may be interrupted (i.e., packets are lost) every time they switch between a high-speed Ethernet connection and a WLAN connection. Users may need to re-authenticate and log in to network applications again when they roam out of a network boundary (i.e., a subnet boundary). These two scenarios raise a new question for network administrators: how to help users maintain their application connections while they switch between wired and wireless networks and across IP subnets, and thus further boost productivity?
Mobile IP is a standard technology that addresses these challenges. It provides smooth, uninterrupted application continuity to mobile users while they roam either between different network media (i.e., Ethernet and WLAN) or across IP subnets. Mobile IP achieves seamless application connectivity by giving a mobile device a fixed IP address and ensuring its routing reachability while the device moves across network media and IP networks. This ensures that application traffic always flows to the current location of the mobile device where the application is running. As a result, users get seamless IP connectivity and application continuity.
For more information on Mobile IP, please refer to the References section.
2.0 Cisco Zero Configuration Client Solution Overview
The Cisco Zero Configuration Client (ZECC) solution is a Mobile IP based solution for enterprises that require Layer 3 mobility, either across IP subnets or between media types. The solution is designed to simplify provisioning effort for network administrators and to ease the mobility experience for end users. To achieve these objectives, the ZECC solution uses the Cisco Dynamic Security Associations and Key Distribution feature and the standard DHCP option 68, together with enhancements to the Mobile IP client software to support the Cisco Dynamic Security Associations and Key Distribution feature. Currently, the Birdstep Mobile IP client software supports the Cisco feature.
Security Associations and Key Provisioning Challenge
Like many networking protocols, standards-based Mobile IP requires mobile users to be authenticated by the network before they can use the IP mobility service. The authentication requires common security associations and a secure key (a.k.a. a pre-shared key) between a supplicant (the mobile node) and an authenticator (the Home Agent router). Provisioning common security associations and a pre-shared key is a known deployment challenge. One simple approach is to generate the pre-shared key manually (or with password generator software) and to configure the security association and key information on the supplicant and its authenticator (the mobile node and Home Agent in the Mobile IP context). While this approach is simple, it is also time consuming and error-prone for medium and large scale deployments. If there are thousands of mobile devices, a network administrator would need to provision, distribute, and configure thousands of security associations and keys on the mobile devices.
Security Associations and Key Provisioning Simplified Using Cisco Dynamic Security Association and Key Distribution
To address the provisioning challenge, the ZECC solution uses the Cisco Dynamic Security Associations and Key Distribution feature. The feature defines a framework that enables the Mobile IP client and the Home Agent to use a mobile user's Windows domain login information to perform Mobile IP authentication. Once a user logs in to the Windows domain, the mobile node generates security associations and derives a secure key (session key) for Mobile IP. On the Home Agent side, the necessary security associations and the secure key are created from the user's login information obtained from a Windows Domain Controller. This effectively eliminates the need to provision a new key for a mobile user to use the Layer 3 mobility service.
Network Configurations Challenge
It is not uncommon for networking client software to require some settings to be configured before it operates properly. Similarly, Mobile IP client software needs some network settings before it can operate. The configuration can be done by the mobile user when the user installs the software. Alternatively, the configuration can be stored or preconfigured in the client software before it is delivered to the user. The former is obviously less desirable, as the user can make mistakes and delay the network deployment. The latter is better, but if the network settings change, the user would still need to be involved and make the necessary changes.
Network Configurations Simplified Using Cisco Dynamic Security Association and Key Distribution And DHCP Option 68
The ZECC solution eliminates all of the network configuration otherwise required of the mobile user, such as the Domain Name System (DNS) server (in the home network of the mobile node) and the network prefix mask (of the mobile node's home address). This is accomplished mostly by the "network parameter pushing capability" of the Cisco Dynamic Security Associations and Key Distribution feature. The capability allows a Home Agent to push network parameters to a mobile node during the mobile node's initial registration and authentication process. The network parameters are carried in Mobile IP Vendor Specific Extensions (VSEs) in the Registration Reply message (RRP). Because the network configuration is pushed from the network, changes to it do not require the end user's involvement.
The only remaining network setting that the feature cannot deliver is the Home Agent address, because the client needs to know how to reach the Home Agent router before it can send a registration request (RRQ). This "chicken and egg" problem is solved by using DHCP option 68. DHCP option 68 is a standard DHCP option that allows a DHCP server to return a Home Agent address during the normal DHCP process. Thus, when a mobile node boots up and starts the DHCP process, it acquires its DHCP IP address as well as the Home Agent address.
Furthermore, because the Mobile IP client software can be activated along with the Windows login process, the solution essentially creates a "plug and play" experience for end users. Users only need to log in one time* for both their Windows domain login and the Layer 3 mobility service. This provides good "user transparency" for mobile users enjoying the Layer 3 mobility service.
With the combination of the Cisco Dynamic Security Association and Key Distribution feature and DHCP option 68, a mobile user no longer needs any configuration or additional procedures to use the IP mobility service after installing the Mobile IP client software. At the same time, a network administrator does not need to provision an additional pre-shared key and security associations for Mobile IP. This greatly simplifies enterprise IP mobility deployment.
Figure 1 provides more details about the authentication processes using the ZECC solution. A brief description of this process follows the figure.
* Similar to the Cisco LEAP login process, where users can log in to both the Windows domain and WLAN services at the same time. Now, with this new feature, a mobile user can log in to the Windows domain, WLAN, and Mobile IP all at once.
Figure 1. ZECC Operation Overview
Note: Steps 6, 7, and 8 are optional. If the user data is stored in Access Control Server (ACS) database, those steps are not necessary.
Step 1. The mobile node sends DHCP requests to the DHCP server.
Step 2. The DHCP server responds to the requests and includes the DHCP option 68 information.
Step 3. The user logs in to the Windows domain normally. The Mobile IP client on the mobile node generates MS-CHAPv2* information based on the user's Windows login password.
Step 4. The mobile node carries the MS-CHAPv2 information in a Vendor Specific Extension (VSE) of an RRQ and sends it to the Home Agent. The RRQ also contains the Mobile-Home Authentication Extension (MHAE), which is a mandatory Mobile IP authentication extension.
Step 5. The Home Agent processes the RRQ** and relays*** the MS-CHAPv2 information to a Radius server in a Radius Access-Request message for user authentication.
Step 6. The Radius server relays the Access-Request to a selected Domain Controller or Active Directory to authenticate the user.
* MS-CHAPv2 is the method used to authenticate a mobile user in the initial registration process. Subsequent re-registrations do not use MS-CHAPv2.
** The Home Agent distinguishes this special RRQ from a normal MHAE-authenticated RRQ by checking for the presence of the key distribution VSE.
*** This assumes that the Home Agent does not yet have a Security Parameter Index (SPI) for the mobile node, and thus relays the request to a backend authentication server.
Step 7. The Domain Controller/Active Directory authenticates the user successfully.
Step 8. The DC/AD returns the authentication result and sends the secure key (a double hash of the user's password) to the Radius server.
Step 9. The Radius server, which has been configured to return the MS-CHAP-MPPE-Keys attribute, relays the secure key to the Home Agent in an Access-Accept message.
Step 10. Upon receiving the Access-Accept message, the Home Agent derives another key, known as the session key, from the secure key received from the Radius server. The Home Agent authenticates the MHAE with the derived session key and creates the Mobile IP binding. The Home Agent discards the original secure key from the Radius server and keeps only the session key.
Step 11. The Home Agent sends an RRP carrying the network configuration parameters and security associations (the DNS server IP address and the Home Agent-mobile node security parameter index (SPI)) to the mobile node.
Step 12. The mobile node authenticates the RRP.
Step 13. The mobile node completes the initial registration process and can start sending and receiving mobile data traffic.
Note: The mobile node periodically re-registers with the Home Agent. Authentication of the re-registration is based on the session key and the dynamically generated SA between the Home Agent and the mobile node; it does not involve the Radius server or the Domain Controller/Active Directory.
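The MHAE check the Home Agent performs in Step 10 and on every re-registration, as an added example that is not part of this document or of any Cisco or Birdstep code. It implements the standard RFC 3344 Mobile-Home Authentication Extension (type 32, HMAC-MD5 over the registration message, all prior extensions, and the MHAE's type, length and SPI); the 16-byte session key and the SPI are constructed stand-ins, since the page does not specify how the session key is derived from the MS-CHAP-MPPE keys.

```python
import hashlib
import hmac
import struct

# Standard Mobile IP (RFC 3344) values; nothing here is ZECC-specific.
RRQ_TYPE = 1           # Registration Request message type
MHAE_TYPE = 32         # Mobile-Home Authentication Extension
AUTH_LEN = 16          # authenticator size for the default HMAC-MD5 algorithm
FIXED = struct.Struct("!BBH4s4s4s8s")  # type, flags, lifetime, home addr, HA addr, CoA, identification

# Constructed stand-ins (assumptions): the page does not specify how the Step 10 session key
# is derived from the MS-CHAP-MPPE keys, so a fixed 16-byte value plays that role here.
SESSION_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
SPI = 0x00000100       # SPI pushed to the mobile node in the RRP (Step 11)

def ip4(dotted):
    """Dotted-quad string -> 4 network-order bytes."""
    return bytes(int(o) for o in dotted.split("."))

def build_rrq(home_addr, home_agent, coa, identification, lifetime=1800, flags=0):
    """Fixed portion of a Registration Request; identification (8 bytes) is the replay-protection field."""
    return FIXED.pack(RRQ_TYPE, flags, lifetime, ip4(home_addr), ip4(home_agent), ip4(coa), identification)

def append_mhae(msg, spi, key):
    """Mobile node side: append an MHAE whose HMAC-MD5 covers the message, every prior
    extension, and the MHAE's own type, length and SPI (RFC 3344 section 3.5.1)."""
    header = struct.pack("!BBI", MHAE_TYPE, 4 + AUTH_LEN, spi)
    return msg + header + hmac.new(key, msg + header, hashlib.md5).digest()

def verify_mhae(packet, expected_spi, key):
    """Home Agent side: walk the extensions to the MHAE, recompute the authenticator with the
    session key, and compare in constant time. Assumes only short-format extensions
    (1-byte type, 1-byte length) precede the MHAE."""
    if len(packet) < FIXED.size or packet[0] != RRQ_TYPE:
        return False
    off = FIXED.size
    while off < len(packet):
        ext_type = packet[off]
        if ext_type == 0:                  # one-byte pad extension, no length field
            off += 1
            continue
        if off + 2 > len(packet):
            return False
        length = packet[off + 1]
        if ext_type != MHAE_TYPE:          # a prior extension: skip it, the HMAC still covers it
            off += 2 + length
            continue
        if length != 4 + AUTH_LEN or off + 2 + length > len(packet):
            return False
        spi = struct.unpack("!I", packet[off + 2:off + 6])[0]
        if spi != expected_spi:            # not the SA established for this binding
            return False
        expected = hmac.new(key, packet[:off + 6], hashlib.md5).digest()
        return hmac.compare_digest(expected, packet[off + 6:off + 6 + AUTH_LEN])
    return False                           # MHAE is mandatory; reject a request without one

def demo():
    """Accept a well-formed request, then reject the same bytes after the care-of address is altered."""
    rrq = build_rrq("10.1.1.10", "10.0.0.1", "10.2.2.20", struct.pack("!II", 0xE3F5A0C0, 0))
    good = append_mhae(rrq, SPI, SESSION_KEY)
    altered = good[:12] + ip4("10.9.9.9") + good[16:]   # care-of address occupies bytes 12..15
    return verify_mhae(good, SPI, SESSION_KEY), verify_mhae(altered, SPI, SESSION_KEY)
```

Because the authenticator also covers the identification field, a replayed re-registration with a stale identification fails the same check once the Home Agent compares that field against its stored value.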
• Seamless application continuity between different media access networks, such as Ethernet and WLAN, and across IP subnet boundaries
• Plug and play mobility experience for end users: no client configuration and no mobile service login is required (the mobile service authentication is incorporated into the user's Windows domain login)
• Lightweight network provisioning for network administrators: no need to provision security associations and a pre-shared key; only one additional router is needed to enable the service
• Enhanced mobility security through dynamic re-keying
4.0 ZECC Solution System Requirements
• Mobile IP Home Agent router with the Dynamic Security Association and Key Distribution feature: any Cisco router running Cisco IOS® Software Release 12.3(7)T* with the IP Plus feature set
• Mobile node: PC running Windows OS with Mobile IP client software that supports the ZECC features.
– Currently, Birdstep provides the Cisco ZECC enabled Mobile IP client. Please contact Birdstep (www.birdstep.com) for product availability.
• Radius server: for example, Cisco ACS server 3.2
• Windows Domain Controller (or Active Directory)
• DHCP Server with option 68 support
* The feature is available in Cisco IOS Software Release 12.3(4)T. However, as there is an implementation improvement for the feature after Release 12.3(4)T, it is recommended to use Release 12.3(7).
PART II: DEPLOYMENT
5.0 Deployment Overview
Deploying the ZECC Layer 3 mobility solution can be divided into three simple tasks:
1. Network administrators provision a Home Agent router into the enterprise network and, if needed, modify the existing ACS (or equivalent Radius server) configuration.
2. IT administrators push the Mobile IP client software to mobile users.
3. Mobile users install the client software and enjoy the Layer 3 mobility service.
Only task one involves configuration of the network components in the ZECC solution. Thus, the configuration discussion that follows focuses on task one only.
6.0 Configuration Example
This section provides configuration examples for implementing the Cisco ZECC Layer 3 mobility solution. The example is based on the following components:
• 1 x Cisco 7200VXR Series Router
– Cisco IOS Software Release 12.3(7)T with IP Plus feature set
• 1 x Desktop
– Cisco ACS 3.2
– Windows 2000 Server (as a DHCP server and a Domain Controller)
– Radius server
– Domain Controller
– DHCP server
• 1 x Laptop
– Birdstep Mobile IP Client v188.8.131.5220
The Cisco 7200VXR Series Router with Cisco IOS Software Release 12.3(7)T is used as the Home Agent router. It is placed in the core layer of the network and is reachable by the mobile node. Reachability is provided by assigning a routable IP address (184.108.40.206) to the Home Agent router in the enterprise network. This IP address is used as the Home Agent address.
The desktop PC is loaded with Windows 2000 Server and Cisco ACS. It is used as the Windows Domain Controller, DHCP server, and Radius server. It is placed in the data center and is reachable by the Cisco 7200 Series Router (Home Agent). The name of the Windows domain is "MOBILEIP".
The laptop is loaded with the Birdstep Cisco ZECC Mobile IP client. It is used as the mobile node and is located in the Layer 2 access layer, where both Ethernet and WLAN network access are available. IP addressing for the (foreign) subnets in the Layer 2 access layer is served by the DHCP server in the data center.
Figure 2 below illustrates the sample topology.
Figure 2. Sample Network Topology
The configuration example assumes the following:
• Windows Domain controller or Active Directory already has Windows login information for the mobile user. This should be true for most enterprise networks.
• DHCP server is configured to provide IP addressing for the foreign subnets, where the mobile user will boot the mobile node.
• ACS server belongs to the same Windows Domain as the Windows Domain Controller.
Home Agent Configuration
No special ZECC configuration is required on the Home Agent router to enable the solution. A Home Agent with a generic Home Agent router configuration supports the solution and should not need its configuration modified. The Home Agent must be configured with the authentication, authorization, and accounting (AAA) server, and the AAA server must be reachable from the Home Agent. Below is a generic Home Agent configuration:
Figure 3. Home Agent Configurations
Foreign Agent (Optional)
Foreign Agent is an optional component in Mobile IP. It adds additional management options and improves scalability for Mobile IP networks.
Like the Home Agent, the Foreign Agent does not require any special configuration on the Foreign Agent router to enable the ZECC solution. A Foreign Agent supports this solution if it is running Cisco IOS Software Release 12.3(7)T or later with the IP Plus feature set.
Please refer to References section for the foreign agent configurations.
Cisco ACS Server Configuration
Typically, in a Mobile IP deployment the Cisco ACS server is used as the authenticator and supplies a mobile user's security associations and pre-shared key to a Home Agent (acting as a Network Access Server (NAS)) to authenticate the mobile user. This scheme requires a network administrator to provision the security associations and the key on both the ACS server's local database and the mobile user's Mobile IP client software. As discussed in Part I, this can be a deployment challenge. The Cisco ZECC L3 mobility solution addresses this challenge by using the mobile user's Windows domain login information held in either a Windows domain controller or Active Directory.
Below is an example of how to configure the Cisco ACS server to use a Windows domain controller for mobile user authentication.
Note: The ACS server does not need to be configured if it already uses a Windows domain controller to authenticate network users. In this case, make sure the user profile or the group profile of the user is configured to return the MS-CHAP-MPPE attribute. To see how to configure this, go to the "Enabling MS-CHAP-MPPE Attribute for the ACS Group" section below.
1. Configuring Unknown User Policy
If realm stripping is not configured on the Home Agent, it uses the "Domain\username" or "Domain\username.realm" format to identify a Mobile IP user. This format is used in the username attribute of the Access-Request message sent to the ACS server. The ACS server treats the user as an unknown user (assuming no identical username is configured in its local user database). Thus, the ACS server needs to be told how and where to authenticate an unknown user.
To perform this task click External User Databases>Unknown User Policy. A window similar to the following should appear.
Figure 4. Configure Unknown User Policy in ACS
In the window, move the "Windows Database" from the "External Database" section to the "Selected Database" section and select the "Check the following external user database" radio button.
2. Mapping the Unknown User to an ACS Local Group
By default, an unknown user is mapped to the default group in the ACS user database.
In this step the unknown users that belong to a MOBILEIP Windows Domain will be mapped to an ACS group named Mobile-IP.
To perform the task, click External User Databases>Database Group Mapping>Windows Database>New configuration. In the "Detected Domains" section, select the MOBILEIP domain and click Submit. Note that the ACS server belongs to the "MOBILEIP" domain and detects it automatically.
Figure 5. Adding a New Domain
The following window will pop up with MOBILEIP added in the domain configurations. Click the MOBILEIP.
Figure 6. Two External Domains-MOBILEIP and DEFAULT
The following window pops up next. To add the Windows domain group to an ACS group click on "Add mapping".
Figure 7. Windows Domain Group and ACS Group Mapping
Select an ACS group (CiscoSecure Group), Group 1, to map to the Windows groups in the MOBILEIP domain. Then click Submit.
Figure 8. Mapping ACS Group 1 to Windows MOBILEIP Group
The following window should pop up, indicating that all Windows groups in domain MOBILEIP map to ACS Group 1.
Figure 9. Group Mapping Result
3. Enabling MS-CHAP-MPPE Attribute for the ACS Group
Once the Windows domain authenticates the user, the Windows Domain Controller returns a secure key (a hash of the hash of the Windows login password) to the ACS server. The ACS server then needs to relay the secure key to the Home Agent. This secure key is carried in the MS-CHAP-MPPE-Keys attribute among the Microsoft Radius attributes. The ACS must be instructed to return the secure key for the authenticated user to the Home Agent.
To perform the task, click Group Setup and select Group 1. Find "Microsoft Radius Attributes" section and check the MS-CHAP-MPPE-Keys radio button as shown below.
Figure 10. Check MS-CHAP-MPPE Key
The mobile device does not need any configuration. After the Birdstep Mobile IP client is installed, the client software prompts the user to select the available network interfaces to be used for roaming. Select the interfaces for the Mobile IP client to use.
Settings can be confirmed from the Birdstep Configuration Tool. Below is the screen capture from the Tool.
Figure 11. Birdstep Configuration Tool
A "DefaultZECCProfile" is created automatically on the left side of the window. The "Enable Cisco Zero-Configuration" box is checked on the right side of the window.*
* Note that the client used here is an evaluation release from Birdstep with ZECC support. The final version of the client may have a different appearance and setup procedure. Contact Birdstep for setup details if you encounter a different setup procedure.
DHCP Server Configuration
Below is an example of how to configure option 68 on a Windows 2000 DHCP server. The DHCP server is configured with 220.127.116.11 as the Mobile IP Home Agent address.
To configure the Home Agent address, right click Scope Options>Configuration Options and then select option 68. Enter Home Agent address in the IP address field and click Add>OK.
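What the DHCP server emits and the mobile node consumes in Steps 1 and 2 (and the "chicken and egg" resolution described in Part I), as an added example that is not part of this document or of any Windows or Birdstep code: an encoder and a defensive parser for the RFC 2132 Mobile IP Home Agent option (code 68, a list of IPv4 addresses in preference order). The DHCPOFFER options field and its addresses are constructed for the example.

```python
import ipaddress

# DHCP option codes from RFC 2132; option 68 is the Mobile IP Home Agent option.
OPT_PAD, OPT_END = 0, 255
OPT_DHCP_MESSAGE_TYPE = 53
OPT_MOBILE_IP_HOME_AGENT = 68
MAGIC_COOKIE = bytes([99, 130, 83, 99])   # begins the options field of every DHCP message

def option(code, data):
    """Encode one option in code/length/value form (value at most 255 bytes)."""
    if len(data) > 255:
        raise ValueError("option %d value too long" % code)
    return bytes([code, len(data)]) + data

def home_agent_option(addresses):
    """Server side, option 68: zero or more IPv4 Home Agent addresses in order of preference."""
    return option(OPT_MOBILE_IP_HOME_AGENT, b"".join(ipaddress.IPv4Address(a).packed for a in addresses))

def parse_options(field):
    """Walk a DHCP options field into {code: value}. Repeated instances of one code are
    concatenated (RFC 3396), pad bytes are skipped, and the field must end with OPT_END."""
    if not field.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, len(MAGIC_COOKIE)
    while i < len(field):
        code = field[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            return opts
        if i + 2 > len(field):
            raise ValueError("truncated option header")
        length = field[i + 1]
        value = field[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    raise ValueError("options field not terminated by END")

def home_agent_addresses(opts):
    """Client side: the option 68 address list; a length that is not a multiple of 4 is malformed."""
    value = opts.get(OPT_MOBILE_IP_HOME_AGENT, b"")
    if len(value) % 4:
        raise ValueError("option 68 length %d is not a multiple of 4" % len(value))
    return [str(ipaddress.IPv4Address(value[k:k + 4])) for k in range(0, len(value), 4)]

# Constructed DHCPOFFER options field: message type, subnet mask, router, DNS, option 68, a pad, END.
SAMPLE_OFFER = (MAGIC_COOKIE
                + option(OPT_DHCP_MESSAGE_TYPE, b"\x02")                    # DHCPOFFER
                + option(1, ipaddress.IPv4Address("255.255.255.0").packed)  # subnet mask
                + option(3, ipaddress.IPv4Address("10.2.2.1").packed)       # router
                + option(6, ipaddress.IPv4Address("10.0.0.2").packed)       # DNS server
                + home_agent_option(["10.0.0.1", "10.0.0.9"])               # two Home Agents, preferred first
                + bytes([OPT_PAD, OPT_END]))

def demo():
    """Parse the sample offer as the mobile node would at boot (Steps 1 and 2)."""
    return home_agent_addresses(parse_options(SAMPLE_OFFER))
```

Option 68 arrives unauthenticated with the lease, so the mobile node's trust in the Home Agent it was pointed at still rests on authenticating the RRP in Step 12, not on the DHCP exchange.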