User Authentication and Authorization
This chapter discusses User Authentication and Authorization, and how to configure this feature on the Cisco Mobile Wireless Home Agent.
This chapter includes the following sections:
• User Authentication and Authorization
• Skip HA-CHAP with MN-FA Challenge Extension (MFCE)
• Authentication and Authorization RADIUS Attributes
User Authentication and Authorization
You can configure the Home Agent to authenticate a user with either Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP). The Foreign Agent challenge/response procedures of RFC 3012 are supported, including the following extensions:
• Mobile IP Agent Advertisement Challenge Extension
• MN-FA Challenge Extension
• MN-AAA Authentication Extension
Note PAP is used if no MN-AAA Authentication Extension is present; CHAP is always used when it is present. The password sent on behalf of PAP users is set with the ip mobile home-agent aaa user-password command.
If the Home Agent is configured to authenticate the user with the Home AAA server and receives the MN-AAA Authentication Extension in the Registration Request, the contents of the extension are used for authentication. If the extension is absent, a configurable default password is used instead; this is a locally defined string, for example "vendor". Because the same default password is sent for every PAP user, it does not prove anything about the individual subscriber, who is identified only by NAI; per-user proof of possession comes from the MN-AAA Authentication Extension.
The HA accepts and maintains the MN-FA challenge extension and MN-AAA authentication extension (if present) from the original registration for use in later registration updates.
If the Home Agent does not receive a response from the AAA server within a configurable timeout, the message can be retransmitted a configurable number of times. You can configure the Home Agent to communicate with a group of AAA servers; the server is chosen in round-robin fashion from the available configured servers.
To configure authorization and authentication on the HA, perform the following tasks:
The HA supports the 3GPP2 and Cisco proprietary security extension attributes in the RADIUS Access-Accept packet. Sending the 3GPP2 MN-HA SPI in the Access-Request to the RADIUS server, and processing the MN-HA secure key returned by the RADIUS server, are both configurable on the HA.
Cisco IOS provides a mechanism to authorize subscribers based on their realm. This can be done using a feature called "Subscriber Authorization", the details of which can be found here: http://www.cisco.com/en/US/partner/products/ps6350/products_configuration_guide_chapter09186a0080455cf0.html#wp1056463.
Note The Home Agent accepts user profiles; it does not authorize a mobile subscriber based on information returned in a group profile.
Skip HA-CHAP with MN-FA Challenge Extension (MFCE)
This feature allows the HA to download a Security Association (SA) once and cache it locally, rather than performing an HA-CHAP exchange with the Home AAA server to download the SA for the user on every registration request. When a user first registers with the HA, the HA performs HA-CHAP (MN-AAA authentication), downloads the SA, and caches it locally. On subsequent re-registration requests, the HA authenticates the user with the locally cached SA and does not contact the AAA server. The SA cache entry is removed when the binding for the user is deleted. Note that a change made at the AAA server (for example, removing or rekeying the user) therefore does not affect a user who already holds a binding until that binding is cleared and the user re-registers.
You can configure this feature on the HA with the aaa load-sa keyword of the ip mobile host command.
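The following is an added Python model of the behaviour described in this section and in the User Authentication and Authorization section above; it is not Cisco code and does not reproduce the IOS implementation. It parses the extensions of a Registration Request, selects PAP or CHAP according to the presence of the MN-AAA Authentication Extension, queries a round-robin list of AAA servers with a retransmit limit, and on the CHAP path downloads the SA once and answers later re-registrations from the cache, dropping the cached SA together with the binding on deregistration. The authenticator is a simplified HMAC-MD5 stand-in (the real per-SPI computation is specified in RFC 3012 and is not reproduced here), the AAAServer class is a constructed stand-in for a Home AAA server, and the NAIs, secrets, addresses and challenges are constructed sample values.

```python
import hashlib
import hmac
import struct
from itertools import cycle

MN_AAA_AUTH_EXT = 38       # MN-AAA Authentication Extension type (RFC 3012)
MN_FA_CHALLENGE_EXT = 132  # MN-FA Challenge Extension type (RFC 3012)
CHAP_SPI = 2               # reserved SPI for CHAP-style MN-AAA authentication (RFC 3012)

def parse_extensions(ext_bytes):
    """Type/length/value extensions after the RRQ header; truncation raises."""
    exts, i = {}, 0
    while i < len(ext_bytes):
        etype, elen = struct.unpack_from("!BB", ext_bytes, i)  # struct.error if header cut
        value = ext_bytes[i + 2:i + 2 + elen]
        if len(value) != elen:
            raise ValueError("truncated extension value")
        exts[etype] = value
        i += 2 + elen
    return exts

def auth_method(exts):
    """PAP if no MN-AAA extension is present, CHAP whenever it is."""
    return "CHAP" if MN_AAA_AUTH_EXT in exts else "PAP"

def mn_aaa_authenticator(secret, header, challenge):
    """ASSUMPTION: simplified authenticator, HMAC-MD5 over header + FA challenge;
    the real per-SPI layout is defined in RFC 3012 and is not reproduced here."""
    return hmac.new(secret, header + challenge, hashlib.md5).digest()

def build_rrq(lifetime, secret=None, challenge=b""):
    """Constructed RRQ: 24-byte RFC 3344 header, plus MN-FA Challenge and MN-AAA extensions if a secret is given."""
    header = struct.pack("!BBH4s4s4sQ", 1, 0, lifetime, bytes([10, 99, 1, 1]),
                         bytes([10, 99, 0, 1]), bytes([192, 168, 0, 1]), 0x1234)
    exts = b""
    if secret is not None:
        exts += bytes([MN_FA_CHALLENGE_EXT, len(challenge)]) + challenge
        auth = struct.pack("!I", CHAP_SPI) + mn_aaa_authenticator(secret, header, challenge)
        exts += bytes([MN_AAA_AUTH_EXT, len(auth)]) + auth
    return header + exts

class AAAServer:
    """Constructed Home AAA stand-in; up=False never answers (models a timeout)."""
    def __init__(self, users, up=True):
        self.users, self.up = users, up  # users: nai -> (PAP password, MN-HA secret)

    def access_request(self, nai, pap_password=None, chap=None):
        if not self.up:
            return None
        if nai not in self.users:
            return {"result": "reject"}
        password, mn_ha_secret = self.users[nai]
        if chap is None:  # PAP: the password itself travels in the Access-Request
            return {"result": "accept" if pap_password == password else "reject"}
        header, challenge, authenticator = chap
        expected = mn_aaa_authenticator(mn_ha_secret, header, challenge)
        if not hmac.compare_digest(expected, authenticator):
            return {"result": "reject"}
        return {"result": "accept", "mn_ha_secret": mn_ha_secret}  # SA for the HA to cache

class HomeAgent:
    def __init__(self, servers, default_password=b"vendor", retries=3):
        self._servers = cycle(servers)  # round-robin over the configured servers
        self.default_password = default_password  # ip mobile home-agent aaa user-password
        self.retries = retries
        self.sa_cache, self.bindings, self.aaa_queries = {}, {}, 0

    def _query_aaa(self, **req):
        for _ in range(self.retries):  # retransmit a configurable number of times
            self.aaa_queries += 1
            reply = next(self._servers).access_request(**req)
            if reply is not None:
                return reply
        return None  # every retransmission timed out

    def register(self, nai, rrq):
        header, exts = rrq[:24], parse_extensions(rrq[24:])  # 24-byte fixed header
        if auth_method(exts) == "PAP":
            reply = self._query_aaa(nai=nai, pap_password=self.default_password)
        else:
            challenge = exts.get(MN_FA_CHALLENGE_EXT, b"")
            authenticator = exts[MN_AAA_AUTH_EXT][4:]  # skip the 4-byte SPI
            if nai in self.sa_cache:  # Skip HA-CHAP: verify locally against the cached SA
                expected = mn_aaa_authenticator(self.sa_cache[nai], header, challenge)
                reply = {"result": "accept" if hmac.compare_digest(expected, authenticator) else "reject"}
            else:  # first registration: HA-CHAP with the Home AAA, SA downloaded and cached
                reply = self._query_aaa(nai=nai, chap=(header, challenge, authenticator))
                if reply and reply["result"] == "accept":
                    self.sa_cache[nai] = reply["mn_ha_secret"]
        if reply is None:
            return "aaa-timeout"
        if reply["result"] != "accept":
            return "rejected"
        if struct.unpack("!H", header[2:4])[0] == 0:  # authenticated deregistration
            self.bindings.pop(nai, None)
            self.sa_cache.pop(nai, None)  # the cache entry goes with the binding
            return "deregistered"
        self.bindings[nai] = header[4:8]  # home address from the header
        return "accepted"
```

With two configured servers of which the first never answers, the first CHAP registration for a user costs two AAA queries (one timed-out retransmission, one Access-Accept carrying the SA), the following re-registrations cost none because they are verified against the cached SA, a re-registration with the wrong key is rejected locally, and a lifetime-0 request is authenticated before the binding and the cached SA are dropped. A request without the MN-AAA extension is sent to the AAA server as PAP with the configured default password, so it succeeds only for subscribers whose AAA password equals that shared value.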
Configuration Examples
The following example configures a mobile node group to reside on virtual network 10.99.1.0 and retrieve and cache mobile node security associations from a AAA server. The cached security association is then used for subsequent registrations.
ip mobile host 10.99.1.1 10.99.1.100 virtual-network 10.99.1.0 aaa load-sa
The following example configures a local pool of dynamic addresses to be used in assigning IP addresses to mobile nodes in the cisco.com domain. The security associations retrieved from the AAA server are cached permanently until cleared manually (the permanent keyword); the lifetime keyword sets the registration lifetime that mobile nodes in the group may request, 180 seconds here, not the lifetime of the cached SA.
ip mobile host nai @cisco.com address pool local mobilenodes virtual-network 10.2.0.0 255.255.0.0 aaa load-sa permanent lifetime 180
Authentication and Authorization RADIUS Attributes
The Home Agent and the RADIUS server support the RADIUS attributes listed in Table 1 for authentication and authorization services.
Posted: Fri Nov 17 00:42:20 PST 2006
All contents are Copyright © 1992--2006 Cisco Systems, Inc. All rights reserved.