| 1. | An association between the UE and WLC is established. |
| 2. | The initial attach procedure starts with the authenticator sending an EAP Request/Identity message toward the supplicant. |
| 3. | The UE responds to the EAP Request/Identity message with an EAP Response/Identity message, which contains the permanent identity (IMSI) on the SIM. |
| 4. | The WLC requests authentication from the MRME using EAP over RADIUS by sending an "Access-Request" message. The WLC includes the User-Name, the EAP-Identity as part of the EAP-Message, and the Acct-Session-Id in the "Access-Request" message. |
| 5. | The MRME initiates Authentication and Authorization procedures by sending a "Diameter EAP Request" message to the 3GPP AAA Server, containing the user identity and EAP-Payload. |
| 6. | The 3GPP AAA Server fetches the user profile and authentication vectors from the HSS/HLR (if these parameters are not available in the 3GPP AAA Server). The 3GPP AAA Server looks for the IMSI of the authenticated user based on the received user identity (root NAI or Decorated NAI), and includes the EAP-AKA as the requested authentication method in the request sent to the HSS. The HSS then generates authentication vectors and sends them back to the 3GPP AAA server. The 3GPP AAA Server checks if the user's subscription is authorized for a trusted non-3GPP access. The 3GPP AAA Server initiates the authentication challenge. The user identity is not requested again. |
| 7. | The MRME responds to the WLC with a "Radius Access-Challenge" message by including EAP-AKA AKA-Challenge in the EAP-Messages. |
| 8. | The WLC sends an authentication challenge towards the UE. |
| 9. | The UE responds with a challenge response. |
| 10. | The WLC forwards the "Radius Access-Request" by including EAP-Response/AKA-Challenge in the EAP-Message to the MRME. |
| 11. | The MRME forwards the EAP-Response/AKA-Challenge message to the 3GPP AAA Server by sending a "Diameter EAP Request" message. The AAA Server checks if the authentication response is correct. |
| 12. | The 3GPP AAA Server forwards the final Authentication and Authorization answer by initiating "Diameter EAP Answer" (with a result code indicating success) including the relevant service authorization information, an EAP success and the key material to the MRME. The MRME performs P-GW Resolution (Steps 13-16) for dynamic P-GW selection by delaying the EAP-Response (Access-Accept) message to the WLC. |
| 13. | The MRME sends a "DNS Request" with S-NAPTR Query by constructing an APN FQDN to the DNS Server. |
| 14. | The MRME receives a "DNS Answer" with a list of A-Records from the DNS Server. |
| 15. | The MRME sends a "DNS Request" by including the selected A-Record to get the P-GW IPv4 address. |
| 16. | The MRME receives the resolved P-GW IPv4 address in the "DNS Response" from the DNS Server. |
| 17. | The MRME sends the "Radius Access-Accept" message to the WLC by including the Shared Secret generated in the EAP exchange, and the User-Name. |
| 18. | The WLC originates the "PMIPv6 Proxy-Binding-Update" message to the CGW. The information for the subscriber to form the PBU message is included. In addition, the WLC also allocates a GRE tunnel ID for downlink data transfer, and includes it in the PBU message. |
| 19. | The CGW originates a "GTPv2 Create Session Request" message on the S2a interface towards the PDN-GW, by including the S2a GTP-U TEID to be used for downlink data transfer, MSISDN, IMSI, APN, PAA, PDNType, Bearer-Context-List, APN-AMBR and Charging characteristic. |
| 20. | The PDN-GW allocates the requested IP address for the subscriber and responds to the CGW with a "GTPv2 Create Session Response" message by including the Cause, PAA, Bearer-Context-List, APN-AMBR and GTP-U PGW TEID for uplink data transfer. |
| 21. | The CGW responds with a "PMIPv6 PBA" to the WLC, by including the UE's IP address. |
| 22. | A GTPv2 tunnel is established between the CGW and P-GW. |
| 23. | A PMIPv6 tunnel is established between the WLC and CGW. |
| 24. | The WLC initiates a "Radius Accounting-Request" with "Acct-Status-Type" as "Start" and includes the assigned UE's address. |
| 25. | The MRME proxies the received "Radius Accounting-Request" towards the RADIUS accounting server. |
| 26. | The MRME receives the "Radius Accounting-Response" from the Radius accounting server. |
| 27. | The MRME proxies the received "Radius Accounting-Response" towards the WLC. |
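
The identity handling in steps 3 and 6 (permanent identity in EAP Response/Identity, then IMSI lookup from a root or Decorated NAI) can be sketched as follows. This is an added example, not code from the product described here: it assumes the 3GPP TS 23.003 NAI layouts (leading digit 0/1/6 for EAP-AKA/EAP-SIM/EAP-AKA', realm `nai.epc` or `wlan` under `3gppnetwork.org`), and the function name and sample identities are constructed for illustration.

```python
import re

# Leading digit of the NAI username selects the EAP method (3GPP TS 23.003).
METHODS = {"0": "EAP-AKA", "1": "EAP-SIM", "6": "EAP-AKA'"}
REALM = r"(?:nai\.epc|wlan)\.mnc(\d{3})\.mcc(\d{3})\.3gppnetwork\.org"
ROOT = re.compile(rf"([016])(\d{{6,15}})@{REALM}", re.I)
DECORATED = re.compile(rf"{REALM}!([016])(\d{{6,15}})@{REALM}", re.I)

# Constructed sample identities (test PLMN 001/01, IMSI 001010123456789).
SAMPLE_ROOT = "0001010123456789@nai.epc.mnc001.mcc001.3gppnetwork.org"
SAMPLE_DECORATED = ("nai.epc.mnc001.mcc001.3gppnetwork.org!"
                    "6001010123456789@nai.epc.mnc015.mcc234.3gppnetwork.org")


def parse_nai(identity):
    """Extract IMSI, EAP method, home and visited PLMN from a permanent-identity NAI."""
    m = DECORATED.fullmatch(identity)
    if m:
        # Decorated NAI: home realm first, then username@visited realm.
        home_mnc, home_mcc, lead, imsi, v_mnc, v_mcc = m.groups()
        visited = (v_mcc, v_mnc)
    else:
        m = ROOT.fullmatch(identity)
        if not m:
            # Pseudonyms, fast re-auth ids and malformed input end up here.
            raise ValueError("not a permanent-identity NAI")
        lead, imsi, home_mnc, home_mcc = m.groups()
        visited = None
    # Consistency check (an assumption of this sketch): the IMSI must start
    # with the home MCC+MNC. The realm pads a 2-digit MNC to 3 digits.
    prefixes = {home_mcc + home_mnc}
    if home_mnc.startswith("0"):
        prefixes.add(home_mcc + home_mnc[1:])
    if not imsi.startswith(tuple(prefixes)):
        raise ValueError("IMSI does not belong to the home realm")
    return {"imsi": imsi, "method": METHODS[lead],
            "home": (home_mcc, home_mnc), "visited": visited}


if __name__ == "__main__":
    for sample in (SAMPLE_ROOT, SAMPLE_DECORATED):
        print(parse_nai(sample))
```

Because the EAP Response/Identity in step 3 carries the IMSI itself, any point that can read that message or the RADIUS Access-Request in step 4 learns the subscriber's permanent identity; a parser like this is also where a AAA front end would reject identities whose IMSI and realm disagree.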