| Step | Description |
|---|---|
| 1 | On connecting to the WiFi network, the MS first sends a DNS query to obtain the PDIF IP address. |
| 2 | The MS receives the PDIF address from DNS. |
| 3 | The MS sets up the IKEv2/IPSec tunnel by sending an IKE_SA_INIT Request to the PDIF. The MS includes SA, KE, Ni and NAT-DETECTION Notify payloads in the IKEv2 exchange. |
| 4 | The PDIF processes the IKE_SA_INIT Request for the appropriate PDIF service (bound by the destination IP address in the IKEv2 INIT request). The PDIF responds with an IKE_SA_INIT Response containing SA, KE, Nr and NAT-Detection Notify payloads. If multiple-authentication support is enabled in the PDIF service, the PDIF includes the MULTIPLE_AUTH_SUPPORTED Notify payload in the IKE_SA_INIT Response. The PDIF starts the IKEv2 setup timer after sending the IKE_SA_INIT Response. |
| 5 | On receiving a successful IKE_SA_INIT Response from the PDIF, the MS sends an IKE_AUTH Request for the first EAP-AKA authentication. If the MS is capable of multiple authentication, it includes the MULTIPLE_AUTH_SUPPORTED Notify payload in the IKE_AUTH Request. The MS also includes the IDi payload (containing the NAI) and the SA, TSi, TSr and CP (requesting an IP address and DNS address) payloads. The MS omits the AUTH payload to indicate that it will use EAP methods. |
| 6 | On receiving the IKE_AUTH Request from the MS, the PDIF sends a DER message to the Diameter AAA server. AAA servers are selected based on the domain profile, the default subscriber template or the default domain configuration. The PDIF includes the Multiple-Auth-Support AVP and an EAP-Payload AVP carrying EAP-Response/Identity in the DER. Exact details are explained in the Diameter message sections. The PDIF starts the session setup timer on receiving the IKE_AUTH Request from the MS. |
| 7 | The PDIF receives a DEA with a Result-Code AVP indicating that EAP authentication should continue. The PDIF takes the EAP-Payload AVP contents and sends them back to the MS in the EAP payload of an IKE_AUTH Response. The PDIF service allows IDr and CERT configuration, and the PDIF optionally includes IDr and CERT payloads depending on that configuration. The PDIF optionally includes an AUTH payload in the IKE_AUTH Response if the PDIF service is configured to do so. |
| 8 | The MS receives the IKE_AUTH Response from the PDIF. The MS processes the exchange and sends a new IKE_AUTH Request with an EAP payload. The PDIF receives the new IKE_AUTH Request from the MS and sends a DER to the AAA server. This DER message contains the EAP-Payload AVP with the EAP-AKA challenge and challenge response received from the MS. |
| 9 | The AAA server sends the DEA back to the PDIF with the Result-Code AVP set to "success". The EAP-Payload AVP also carries the EAP result code "success". The DEA also contains the IMSI of the user, carried in the Callback-Id AVP. The PDIF uses this IMSI for all subsequent session management functions, such as duplicate session detection. The PDIF also receives the MSK from the AAA server, which is used for further key computation. |
| 10 | The PDIF sends the IKE_AUTH Response back to the MS with the EAP payload. |
| 11 | The MS sends the final IKE_AUTH Request of the first authentication with the AUTH payload computed from the keys. If the MS plans to do a second authentication, it also includes the ANOTHER_AUTH_FOLLOWS Notify payload. |
| 12 | The PDIF processes the AUTH request and responds with an IKE_AUTH Response whose AUTH payload is computed from the MSK. The PDIF does not assign any IP address to the MS while a second authentication is pending, nor does it include any configuration payloads. (a) If the PDIF service does not support multiple authentication and the ANOTHER_AUTH_FOLLOWS Notify payload is received, the PDIF sends an IKE_AUTH Response with the appropriate error and terminates the IKEv2 session by sending an INFORMATIONAL (Delete) Request. (b) If the ANOTHER_AUTH_FOLLOWS Notify payload is not present in the IKE_AUTH Request, the PDIF allocates the IP address from the locally configured pools. However, if proxy-mip-required is enabled, the PDIF initiates Proxy-MIP setup towards the HA by sending a P-MIP RRQ. When the PDIF receives the Proxy-MIP RRP, it takes the Home Address (and DNS addresses, if any) and sends the IKE_AUTH Response back to the MS including a CP payload with the Home Address and DNS addresses. In either case, IKEv2 setup finishes at this stage and the IPSec tunnel is established with a Tunnel Inner Address (TIA). |
| 13 | The MS performs the second authentication by sending an IKE_AUTH Request with an IDi payload carrying the NAI. This NAI may be completely different from the NAI used in the first authentication. |
| 14 | On receiving the second-authentication IKE_AUTH Request, the PDIF checks the configured second authentication methods. The second authentication may be either EAP-MD5 (default) or EAP-GTC. The EAP methods may be either EAP-Passthru or EAP-Terminated. (a) If the configured method is EAP-MD5, the PDIF sends an IKE_AUTH Response with an EAP payload including the challenge. (b) If the configured method is EAP-GTC, the PDIF sends an IKE_AUTH Response with EAP-GTC. (c) The MS processes the IKE_AUTH Response: if the MS supports EAP-MD5 and the received method is EAP-MD5, the MS takes the challenge, computes the response and sends an IKE_AUTH Request with an EAP payload including the Challenge and Response; if the MS does not support EAP-MD5 but supports EAP-GTC, and the received method is EAP-MD5, the MS sends a legacy-Nak proposing EAP-GTC. |
| 15(a) | The PDIF receives the new IKE_AUTH Request from the MS. If the original method was EAP-MD5 and an MD5 challenge and response is received, the PDIF sends a RADIUS Access Request with the corresponding attributes (Challenge, Challenge Response, NAI, IMSI etc.). |
| 15(b) | If the original method was EAP-MD5 and a legacy-Nak proposing GTC was received, the PDIF sends an IKE_AUTH Response with EAP-GTC. |
| 16 | The PDIF receives an Access Accept from RADIUS and sends an IKE_AUTH Response with EAP success. |
| 17 | The PDIF receives the final IKE_AUTH Request with the AUTH payload. |
| 18 | The PDIF checks the validity of the AUTH payload and, if proxy-mip-required is enabled, initiates a Proxy-MIP setup request to the Home Agent. The HA address may be received from the RADIUS server in the Access Accept (step 16) or may be locally configured. The PDIF may also reuse the HA address received in the final DEA message of the first authentication. |
| 19 | If proxy-mip-required is disabled, the PDIF assigns the IP address from the local pool. |
| 20 | The PDIF receives the Proxy-MIP RRP and obtains the IP address and DNS addresses. |
| 21 | The PDIF sets up the IPSec tunnel with the home address and sends the IKE_AUTH Response back to the MS including the CP payload with the IP address and optionally the DNS addresses. On receiving the IKE_AUTH Response, the MS also sets up the IPSec tunnel using the received IP address. This completes the setup. |
| 22 | The PDIF sends a RADIUS Accounting Start message. |
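The flow above has four PDIF-side decision points that are easy to get wrong when implementing or testing a gateway: whether to advertise MULTIPLE_AUTH_SUPPORTED (step 4), what to do with ANOTHER_AUTH_FOLLOWS when multiple authentication is not enabled (step 12a versus 12b), the legacy-Nak fallback from EAP-MD5 to EAP-GTC (steps 14 and 15), and whether the inner address comes from Proxy-MIP or the local pool (steps 18 and 19). The following Python model, written for this page and not part of the PDIF product or any vendor code, walks through those decisions with constructed payload names and addresses; message layouts are plain lists and dicts, not real IKEv2 or EAP encoding, and the EAP-Failure branch for an MS that supports neither method is an assumption the flow itself does not describe.

```python
"""Constructed model of the PDIF-side decision points in the IKEv2/EAP
multiple-authentication flow (steps 4, 12, 14-15, 18-19).
Payload names mirror the flow; encoding is a plain dict/list, not real IKEv2."""
from dataclasses import dataclass, field
from typing import Optional

ANOTHER_AUTH_FOLLOWS = "N(ANOTHER_AUTH_FOLLOWS)"
MULTIPLE_AUTH_SUPPORTED = "N(MULTIPLE_AUTH_SUPPORTED)"


@dataclass
class PdifConfig:
    multiple_auth: bool = False          # multiple-authentication support in the PDIF service
    second_auth_method: str = "EAP-MD5"  # EAP-MD5 is the default per the flow; or "EAP-GTC"
    proxy_mip_required: bool = False     # proxy-mip-required
    ha_address: Optional[str] = None     # locally configured HA address, if any
    # constructed local pool; addresses are handed out in order
    local_pool: list = field(default_factory=lambda: ["10.1.0.10", "10.1.0.11"])


def ike_sa_init_response(cfg: PdifConfig) -> list:
    """Step 4: payloads of the IKE_SA_INIT Response sent by the PDIF."""
    payloads = ["SA", "KE", "Nr", "N(NAT_DETECTION)"]
    if cfg.multiple_auth:
        payloads.append(MULTIPLE_AUTH_SUPPORTED)
    return payloads


def allocate_inner_address(cfg: PdifConfig, ha_from_radius: Optional[str] = None) -> dict:
    """Steps 12b, 18 and 19: Proxy-MIP to the HA if required, otherwise the local pool.
    The HA address comes from RADIUS (step 16) or from the local configuration."""
    if cfg.proxy_mip_required:
        ha = ha_from_radius or cfg.ha_address
        if ha is None:
            raise ValueError("proxy-mip-required is set but no HA address is known")
        # The Home Address would arrive in the Proxy-MIP RRP; constructed placeholder here.
        return {"source": "proxy-mip", "ha": ha, "address": "198.51.100.7"}
    if not cfg.local_pool:
        raise RuntimeError("local address pool exhausted")
    return {"source": "local-pool", "address": cfg.local_pool.pop(0)}


def final_first_auth(cfg: PdifConfig, request_payloads: list) -> dict:
    """Step 12: PDIF reply to the MS's final IKE_AUTH Request of the first authentication."""
    another_follows = ANOTHER_AUTH_FOLLOWS in request_payloads
    if another_follows and not cfg.multiple_auth:
        # 12a: error response, then tear the IKE SA down with INFORMATIONAL (Delete)
        return {"ike_auth": ["AUTH", "N(error)"], "informational": ["DELETE"], "cp": None}
    if another_follows:
        # second authentication pending: no address, no configuration payload
        return {"ike_auth": ["AUTH"], "cp": None}
    # 12b: no second authentication, so the inner address is assigned now
    return {"ike_auth": ["AUTH", "SA", "TSi", "TSr", "CP"], "cp": allocate_inner_address(cfg)}


def negotiate_second_auth(cfg: PdifConfig, ms_methods: set) -> dict:
    """Steps 14-15: EAP method selection for the second authentication.
    Returns the method finally used (None on failure) and a (sender, message) transcript."""
    transcript = []
    offered = cfg.second_auth_method
    transcript.append(("PDIF", f"IKE_AUTH Response EAP-Request/{offered}"))
    if offered not in ms_methods:
        if offered == "EAP-MD5" and "EAP-GTC" in ms_methods:
            # 14c / 15b: MS cannot do MD5, proposes GTC via legacy-Nak; PDIF re-offers GTC
            transcript.append(("MS", "IKE_AUTH Request EAP-Response/Nak (EAP-GTC)"))
            offered = "EAP-GTC"
            transcript.append(("PDIF", "IKE_AUTH Response EAP-Request/EAP-GTC"))
        else:
            # assumption: the flow does not describe this case; fail the EAP exchange
            transcript.append(("PDIF", "IKE_AUTH Response EAP-Failure"))
            return {"method": None, "transcript": transcript}
    transcript.append(("MS", f"IKE_AUTH Request EAP-Response/{offered}"))
    transcript.append(("PDIF", "RADIUS Access Request"))       # 15a, answered in step 16
    transcript.append(("PDIF", "IKE_AUTH Response EAP-Success"))
    return {"method": offered, "transcript": transcript}


if __name__ == "__main__":
    cfg = PdifConfig(multiple_auth=True)
    print(ike_sa_init_response(cfg))
    print(final_first_auth(cfg, [ANOTHER_AUTH_FOLLOWS]))
    for sender, msg in negotiate_second_auth(cfg, {"EAP-GTC"})["transcript"]:
        print(f"{sender:>4}: {msg}")
```

The interesting case to test is the mismatch one: an MS that sends ANOTHER_AUTH_FOLLOWS to a PDIF service without multiple-authentication support must get the error plus Delete (12a), not a silently allocated address, and an MS that only speaks EAP-GTC must be steered there via the legacy-Nak rather than left hanging on an MD5 challenge.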