Cisco SP Wi-Fi solution: use cases and call flows
Djordje Vulović, Consulting Systems Engineer, CCIE #16582
Cisco Presentation
Local Breakout using MAC TAL Authentication

MAC TAL Authentication (call flow)
Participants: Device, AP+WLC, DHCP, ISG, QPS, Portal, QPS SuM.
Precondition: all subscriber devices' MAC addresses are provisioned and activated on the SuM server.
1. Open Association between the device and the AP+WLC.
2. DHCP exchange, then ARP; the device obtains an IP address.
3. The ISG sees an unknown MAC and sends RADIUS Access-Request (username = MAC, Framed-IP) to QPS; QPS forwards Access-Request (username = MAC) to the SuM.
4. The SuM answers RADIUS Access-Accept (Service Name); QPS relays Access-Accept (Service Name) to the ISG.
5. The ISG checks whether the service is configured, exchanging RADIUS AR/AA (Service Name) with QPS.
6. The ISG applies the service for the authenticated user.
7. RADIUS Accounting START (Session) from the ISG to QPS, relayed to the SuM; RADIUS Accounting START (Service).
8. IP traffic flows for the device.
Presentation_ID
Cisco and/or its affiliates. All rights reserved.
Cisco Public
Local Breakout using Web Authentication

Web Authentication following failed MAC-TAL (1/2)
Participants: Device, AP+WLC, DHCP, ISG, QPS, Portal, QPS SuM.
Precondition: all subscriber authentication credentials, i.e. username, password, service-name and device MAC address, need to be provisioned on the SuM.
1. Open Association; DHCP; ARP; the device obtains an IP address.
2. Unknown MAC: the ISG sends RADIUS Access-Request (username = MAC, Framed-IP) to QPS; QPS forwards Access-Request (username = MAC) to the SuM.
3. The SuM returns RADIUS Access-Reject; QPS relays the Reject to the ISG.
4. The ISG applies the Open Garden and L4 Redirect services.
5. The device requests http://www.google.com; the ISG L4-redirects it to the Portal.
6. The Portal calls the QPS REST API and sends the branded portal page to the device.
7. The device POSTs username/password credentials to the Portal.
8. The Portal calls the REST Authenticate Subscriber API.
9. QPS sends RADIUS CoA Request: Account Logon (Username, Password) to the ISG.
10. The Portal calls the REST Session Start API (continued on the next slide).
Web Authentication following failed MAC-TAL (2/2)
Participants: Device, AP+WLC, DHCP, QPS, Portal, ISG, QPS SuM.
1. The ISG sends RADIUS Access-Request (username and password) to QPS; QPS forwards Access-Request (username, password) to the SuM.
2. The SuM returns RADIUS Access-Accept (Service Name); QPS relays Access-Accept (Service Name) to the ISG.
3. The ISG checks whether the service is configured, exchanging RADIUS AR/AA (Service Name) with QPS.
4. The ISG applies the services for the authenticated subscriber.
5. RADIUS Accounting START (Session) from the ISG to QPS, relayed to the SuM; RADIUS Accounting START (Service).
6. The ISG answers the Account Logon with RADIUS CoA Ack.
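The MAC-TAL and web-authentication flows above, as an added model of the ISG's decisions (not Cisco code); the SuM contents, MACs, credentials and service names are constructed for the example:

```python
# Added example (not Cisco code): a model of the ISG decisions in the MAC-TAL and
# web-authentication flows. The SuM data and the message labels are constructed.
from dataclasses import dataclass, field

# Constructed stand-in for what is provisioned on the QPS SuM.
SUM_MACS = {"aa:bb:cc:dd:ee:01": "premium-svc"}     # device MAC -> service name
SUM_USERS = {("alice", "s3cret"): "basic-svc"}       # (username, password) -> service
ISG_CONFIGURED_SERVICES = {"premium-svc"}            # services already defined on the ISG

@dataclass
class Session:
    mac: str
    framed_ip: str
    state: str = "unauthenticated"
    services: list = field(default_factory=list)
    radius_log: list = field(default_factory=list)   # RADIUS messages the ISG sent

def mac_tal(session):
    """First sight of an unknown MAC: Access-Request(username=MAC, Framed-IP)."""
    session.radius_log.append(f"Access-Request(username={session.mac}, framed_ip={session.framed_ip})")
    svc = SUM_MACS.get(session.mac)
    if svc is None:
        # Access-Reject: the session stays unauthenticated behind Open Garden + L4 Redirect
        session.services = ["OPEN-GARDEN", "L4-REDIRECT"]
        return "Access-Reject"
    _apply_service(session, svc)
    return "Access-Accept"

def coa_account_logon(session, username, password):
    """Portal-triggered CoA Account-Logon: re-authenticate with username/password."""
    session.radius_log.append(f"Access-Request(username={username})")
    svc = SUM_USERS.get((username, password))
    if svc is None:
        return "CoA-NAK"          # session stays in the open garden
    _apply_service(session, svc)
    return "CoA-ACK"

def _apply_service(session, svc):
    if svc not in ISG_CONFIGURED_SERVICES:
        # "Check if service configured": fetch the definition with a RADIUS AR/AA exchange
        session.radius_log.append(f"Access-Request(service={svc})")
        ISG_CONFIGURED_SERVICES.add(svc)
    session.services = [svc]      # replaces Open Garden / L4 Redirect
    session.state = "authenticated"
    session.radius_log += ["Accounting-Start(Session)", f"Accounting-Start(Service={svc})"]
```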
Web Authentication with SMS delivery (1/2)
Participants: Device, AP+WLC, ISG, QPS Portal, QPS, QPS SuM, SMS GW.
1. Association, DHCP and the failed MAC-TAL proceed as in the previous examples.
2. The ISG applies the Open Garden and L4 Redirect services.
3. The device requests http://www.google.com; the ISG L4-redirects it to the Portal.
4. The Portal calls the QPS REST API and sends the branded portal page.
5. The device POSTs its MSISDN.
6. The Portal calls the REST Authenticate MSISDN API.
7. RADIUS Access-Request (username = MSISDN) is sent to the SuM, which answers Access-Accept (SMS Code).
8. Deliver Short Message (MSISDN, SMS code and URL) is sent to the SMS GW, which delivers the SMS to the subscriber and returns Deliver Short Message Response.
Web Authentication with SMS delivery (2/2)
Participants: Device, AP+WLC, ISG, QPS, QPS Portal, QPS SuM, SMS GW.
1. REST: MSISDN validated; the Portal renews the page, asking the subscriber to enter the code.
2. The device POSTs the SMS code.
3. The Portal calls the REST Session Start API (MSISDN, SMS Code); QPS sends RADIUS CoA Request: Account Logon (MSISDN, SMS Code) to the ISG.
4. The ISG sends RADIUS Access-Request (MSISDN and SMS Code) to QPS; QPS forwards Access-Request (MSISDN, SMS Code) to the SuM.
5. The SuM returns RADIUS Access-Accept (Service Name); QPS relays Access-Accept (Service Name) to the ISG.
6. The ISG applies the services for the authenticated subscriber.
7. RADIUS Accounting START (Session) from the ISG to QPS, relayed to the SuM; RADIUS Accounting START (Service).
8. The ISG answers the Account Logon with RADIUS CoA Ack.
Local Breakout using EAP Authentication

EAP-TTLS-based authentication (1/2)
(call-flow diagram not reproduced in the text)

EAP-TTLS-based authentication (2/2)
(call-flow diagram not reproduced in the text)
EAP-SIM Call Flow (steps 1-3)
Participants: SIM-based clients, WLC, AAA, HLR/AuC.
1. Client to WLC: EAPOL Start; WLC to client: EAP Request/Identity; client: EAP Response/Identity (1IMSI@realm). The WLC forwards EAP Response/Identity to the AAA with username = 1IMSI@realm, Calling-Station-ID = MAC, Called-Station-ID = SSID.
2. AAA: EAP Request/SIM-Start, relayed by the WLC; client: EAP Response/SIM-Start (Nonce), relayed by the WLC to the AAA.
3. The AAA requests authentication vectors from the HLR/AuC for the IMSI. The HLR/AuC runs A3 and A8 on Ki and RAND to obtain SRES and Kc, and returns n triplets (SRES, RAND, Kc).
EAP-SIM Call Flow (steps 4-6)
Participants: SIM-based clients, WLC, AAA, HLR/AuC.
4. The AAA computes MAC = SHA-1(EAP Packet | Nonce) and MK = SHA-1(Identity | n*Kc | Nonce), and sends EAP Request/SIM-Challenge (n*RAND, MAC), relayed by the WLC to the client.
5. The SIM runs A3/A8 on Ki and each RAND and calculates (n*SRES, n*Kc). The client computes MAC = SHA-1(EAP Packet | n*SRES) and K = SHA-1(Identity | n*Kc | Nonce), and sends EAP Response/SIM-Challenge (MAC).
6. The AAA compares the received MAC with SHA-1(EAP Packet | n*SRES). On a match it sends EAP Success (MK) to the WLC, which sends EAP Success to the client.
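Steps 3-6 above carried through in code, as an added example that is not part of the slides: it uses the slides' simplified notation (plain SHA-1 over concatenated fields) rather than RFC 4186's keyed AT_MAC, and a constructed stand-in for A3/A8 rather than the GSM algorithms; the Ki, identity and nonce values are assumptions.

```python
# Added example (not from the slides): steps 3-6 of the EAP-SIM flow written out in
# the slides' simplified notation (plain SHA-1 over concatenated fields). RFC 4186
# actually keys AT_MAC with HMAC-SHA1-128 under K_aut and adds the version list to
# the MK input; the A3/A8 below is a constructed stand-in, not the GSM algorithms.
import hashlib, hmac, os

def a3_a8(ki: bytes, rand: bytes):
    """Constructed A3/A8 stand-in: returns (SRES, 4 bytes) and (Kc, 8 bytes)."""
    d = hashlib.sha1(ki + rand).digest()
    return d[:4], d[4:12]

def hlr_triplets(ki: bytes, n: int):
    """HLR/AuC: n GSM triplets (RAND, SRES, Kc) for the subscriber's Ki."""
    out = []
    for _ in range(n):
        rand = os.urandom(16)
        sres, kc = a3_a8(ki, rand)
        out.append((rand, sres, kc))
    return out

def master_key(identity: bytes, kcs, nonce: bytes) -> bytes:
    """MK = SHA-1(Identity | n*Kc | Nonce), as written on the slide."""
    return hashlib.sha1(identity + b"".join(kcs) + nonce).digest()

def challenge_mac(eap_packet: bytes, nonce: bytes) -> bytes:
    """AAA side: MAC = SHA-1(EAP Packet | Nonce) carried in SIM-Challenge."""
    return hashlib.sha1(eap_packet + nonce).digest()

def response_mac(eap_packet: bytes, sress) -> bytes:
    """Client side: MAC = SHA-1(EAP Packet | n*SRES) carried in the response."""
    return hashlib.sha1(eap_packet + b"".join(sress)).digest()

def run_exchange(ki: bytes, identity: bytes, nonce: bytes, n: int = 3, tamper: bool = False):
    """Runs steps 3-6; returns (aaa_accepts, client_and_aaa_keys_match)."""
    triplets = hlr_triplets(ki, n)                          # step 3
    rands = [t[0] for t in triplets]
    challenge = b"\x01\x00\x00\x12" + b"".join(rands)       # constructed EAP packet bytes
    req_mac = challenge_mac(challenge, nonce)               # step 4
    mk_aaa = master_key(identity, [t[2] for t in triplets], nonce)
    sim = [a3_a8(ki, r) for r in rands]                     # step 5: SIM recomputes n*(SRES, Kc)
    sress = [s for s, _ in sim]
    if tamper:                                              # simulate a wrong SRES (bad Ki)
        sress[0] = bytes(b ^ 0xFF for b in sress[0])
    response = b"\x02\x00\x00\x12" + req_mac
    mk_client = master_key(identity, [kc for _, kc in sim], nonce)
    resp_mac = response_mac(response, sress)
    # step 6: the AAA recomputes over its own SRES values; constant-time comparison
    ok = hmac.compare_digest(resp_mac, response_mac(response, [t[1] for t in triplets]))
    return ok, mk_aaa == mk_client
```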
Integration to Mobile Core using intelligent Wireless Access Gateway - iWAG

What is iWAG
 Intelligent Wireless Access Gateway
 A transport/switching element with ISG Subscriber Awareness
 RADIUS-based Authentication and Accounting
 Policy-based subscriber routing for the WiFi wholesale model
 Ethernet Access with PMIPv6 transport to the 4G Mobile Core and with GTP transport to the 3G Mobile Core
 Policy-based subscriber selective offload
 Provides transparent access for WLAN users to connect to the 3G or 4G Mobile Packet Core without any client application installed in the user equipment (UE)
iWAG models: Authentication and FSOL
(overview diagram not reproduced in the text; the three models are detailed on the following slides)
iWAG Deployment Model 1
Diagram elements: AP, AP, WLC, L2 connected to an ASR1K running EWAG (iWAG); GTP over Gn' to the GGSN in the 3G Core, then the Internet. Access Network Policy: HLR, AAA, DHCP, with EAP-SIM/AKA Authentication (out-of-band). Mobile Home Network Policy: OCS over Gy, PCRF over Gx, CGF over Ga. FSOL: DHCP Discover. Service IP from the GGSN.

Model # | Access Type | Authentication            | FSOL          | Service IP
1       | Layer 2     | EAP-SIM/AKA (out-of-band) | DHCP Discover | GGSN
Call Flow (Model 1)
Participants: WiFi client, AP+WLC, iWAG, AAA, GGSN @g.g.g.g; VLAN connectivity between the AP+WLC and the iWAG.
1. Out-of-band EAP authentication of the client.
2. Client: DHCP Discover [MAC = client-MAC].
3. iWAG to AAA: Access Req [client-MAC]; AAA: Access Accept [IMSI, MSISDN, APN, ssg-service=GTP-svc, etc].
4. iWAG to GGSN: Create PDP Req [IP addr = 0.0.0.0]; an Access Req / Access Accept exchange with the AAA takes place during PDP context creation; GGSN: Create PDP Resp [IP addr = c.c.c.c].
5. The iWAG regenerates a DHCP Offer to send back to the client: DHCP Offer [client IP = c.c.c.c; server = e.e.e.e].
6. Client: DHCP Req [client requested IP = c.c.c.c; server = e.e.e.e]; iWAG: DHCP ACK [client IP = c.c.c.c; server = e.e.e.e; renewal time…].
7. The iWAG activates the session on the data plane fully after finding it has a valid IP address.
8. The client's traffic is tunneled to the GGSN.
iWAG Deployment Model 2
Diagram elements: AP, AP, WLC, L2 connected to an ASR1K running EWAG (iWAG); GTP over Gn' to the GGSN in the 3G Core, then the Internet. Access Network Policy: HLR, DHCP, AAA, with EAP-SIM/AKA Authentication (in-band). Mobile Home Network Policy: OCS over Gy, PCRF over Gx, CGF over Ga. FSOL: Radius Access Request. Service IP from the GGSN.

Model # | Access Type | Authentication        | FSOL                  | Service IP
2       | Layer 2     | EAP-SIM/AKA (in-band) | Radius Access Request | GGSN
Call flow (Model 2, 1/2)
Participants: WiFi client, AP+WLC, iWAG @e.e.e.e, AAA; VLAN connectivity between the AP+WLC and the iWAG. The WLC encapsulates/decapsulates EAP into/from RADIUS messages.
1. Client: EAP Start; WLC: EAP-Req/ID; client: EAP-Resp/ID.
2. WLC to iWAG: Access Req [EAP-Resp/ID]. The iWAG detects the RADIUS proxy in L2 as FSoL and creates a new ISG session.
3. iWAG to AAA: Access Req [EAP-Resp/ID; NAS = e.e.e.e]; AAA: Access Accept [EAP-Req/SIM/Start], relayed to the WLC as Access Accept [EAP-Req/SIM/Start] and to the client as EAP-Req/SIM/Start.
4. Client: EAP-Resp/SIM/Start; WLC: Access Req [EAP-Resp/SIM/Start]; the iWAG forwards Access Req [EAP-Resp/SIM/Start]; AAA: Access Accept [EAP-Req/SIM/Challenge], relayed to the WLC and to the client as EAP-Req/SIM/Challenge.
5. Client: EAP-Resp/SIM/Challenge; WLC: Access Req [EAP-Resp/SIM/Challenge]; the iWAG forwards it; AAA: Access Accept [EAP-Success; MAC, IMSI, MSISDN, APN, ssg-service=GTP-svc, etc].
6. The iWAG caches the downloaded user info, especially client-MAC, IMSI, MSISDN and GTP-svc, and sends Access Accept [EAP-Success] to the WLC; client: EAP-Success.
7. WLC to iWAG: Accounting Start; iWAG: Accounting Accept.
Call flow (Model 2, 2/2)
Participants: WiFi client, AP+WLC, iWAG @e.e.e.e, GGSN @g.g.g.g, AAA; VLAN connectivity between the AP+WLC and the iWAG.
1. Client: DHCP Discover [client MAC = MAC]. The iWAG detects DHCP for an existing ISG session and regenerates GTP.
2. iWAG to GGSN: Create PDP Req [IP addr = 0.0.0.0]; Access Req / Access Accept and Accounting Start / Accounting Accept are exchanged with the AAA; GGSN: Create PDP Resp [IP addr = c.c.c.c].
3. The iWAG regenerates a DHCP Offer to send back to the client: DHCP Offer [client IP = c.c.c.c; server = e.e.e.e].
4. Client: DHCP Req [client requested IP = c.c.c.c; server = e.e.e.e]; iWAG: DHCP ACK [client IP = c.c.c.c; server = e.e.e.e; renewal time…].
5. The iWAG activates the session on the data plane fully after finding it has a valid IP address; the client has valid addr c.c.c.c.
6. The client's traffic is tunneled to the GGSN.
iWAG Deployment Model 3
Diagram elements: AP, AP, WLC, L2 connected to an ASR1K running iWAG; GTP over Gn' to the GGSN in the 3G Core, then the Internet. Access Network Policy: HLR, DHCP, AAA, Portal, with Web Logon Authentication (User name/Password). Mobile Home Network Policy: OCS over Gy, PCRF over Gx, CGF over Ga. FSOL: Unclassified MAC. Service IP from the GGSN.

Model # | Access Type | Authentication | FSOL             | Service IP
3       | Layer 2     | Web Logon      | Unclassified MAC | GGSN
Call flow (Model 3, 1/3)
Participants: WiFi client, AP+WLC, iWAG @e.e.e.e, DHCP @d.d.d.d; VLAN connectivity between the AP+WLC and the iWAG.
1. Client: DHCP Discover (broadcast); the WLC forwards DHCP Discover (unicast on the VLAN chosen by SSID).
2. DHCP server: DHCP Offer [client IP = c.c.c.c; server = d.d.d.d]; WLC: DHCP Offer (unicast to client).
3. Client: DHCP Req [client requested IP = c.c.c.c; server = d.d.d.d], forwarded by the WLC; DHCP server: DHCP ACK [client IP = c.c.c.c; server = d.d.d.d; renewal time…], forwarded to the client. The client has a valid IP addr and DHCP server addr.
4. Client: ARP Req (broadcast); WLC: ARP Req (broadcast on the VLAN for the SSID) [Src MAC = WLC-MAC]; iWAG: ARP Resp [Src MAC = iWAG-MAC; Dst MAC = WLC-MAC]; WLC: ARP Resp [Src MAC = iWAG-MAC; Dst MAC = Client-MAC]. The client has the iWAG's MAC addr and e.e.e.e as GW addr.
5. Client: DNS Req [Src MAC = client-MAC; Src IP = c.c.c.c; Dst MAC = iWAG-MAC; Dst IP = e.e.e.e]. The iWAG detects an unclassified MAC addr and creates an unauthenticated session.
Call flow (Model 3, 2/3)
Participants: WiFi client @c.c.c.c, EWAG/ISG @e.e.e.e, AAA, DNS, Portal @p.p.p.p.
1. EWAG/ISG to AAA: Access Req (download control policies for OG & L4Redirect); AAA: Access Accept. The ISG applies the OG (Open Garden) policy.
2. EWAG/ISG to AAA: Access Req (for MAC TAL); AAA: Access Rej. The ISG applies the unauth timer & L4Redirect.
3. EWAG/ISG forwards the DNS Req (permitted by OG) to the DNS server; DNS: DNS Resp; EWAG/ISG to client: DNS Resp [Src MAC = EWAG-MAC; Src IP = e.e.e.e; Dst MAC = client-MAC; Dst IP = c.c.c.c].
4. Client: HTTP Req [Src IP = c.c.c.c; Dst IP = public addr w.w.w.w; Dst MAC = EWAG-MAC]. w.w.w.w is not part of the OG, so the ISG L4-redirects to p.p.p.p: HTTP Req (L4Redirected) [Src IP = e.e.e.e; Dst IP = p.p.p.p].
5. Portal: HTTP Resp [Src IP = p.p.p.p; Dst IP = e.e.e.e]; EWAG/ISG to client: HTTP Resp [Src IP = p.p.p.p; Dst IP = c.c.c.c].
6. Client: HTTP Login Credential [Src IP = c.c.c.c; Dst IP = p.p.p.p]; EWAG/ISG to Portal: HTTP Login Credential [Src IP = e.e.e.e; Dst IP = p.p.p.p].
Call flow (Model 3, 3/3)
Participants: WiFi client @c.c.c.c, EWAG/ISG @e.e.e.e, Portal @p.p.p.p, AAA, GGSN @g.g.g.g.
1. Portal to EWAG/ISG: CoA Req/Acct-logon [username/pwd]. The ISG detects the acct-logon event and triggers user authentication for the username/pwd.
2. EWAG/ISG to AAA: Access Req [username/pwd]; AAA: Access Accept [IMSI, MSISDN, APN, GTP-svc, etc].
3. EWAG/ISG to Portal: CoA ACK/Acct-logon [username/pwd].
4. Portal: HTTP Login Resp [Src IP = p.p.p.p; Dst IP = e.e.e.e]; EWAG/ISG to client: HTTP Resp [Src IP = p.p.p.p; Dst IP = c.c.c.c].
5. The client is fully authenticated: the ISG removes OG & L4Redirect and regenerates the GTP PDP context & tunnel.
6. EWAG/ISG to GGSN: Create PDP Req [PDP addr = c.c.c.c]; an Access Req / Access Accept exchange with the AAA takes place; GGSN: Create PDP Resp [PDP addr = c.c.c.c].
7. The session is activated on the data plane fully; Accounting Start / Accounting Accept.
8. The client's traffic is tunneled to the GGSN.
3G / 4G Mobile user Radius profiles

3G mobile user RADIUS profile, GTP based:

subscriber-profile gtp1 {
    access-accept {
        cisco-avpair { "cisco-mn-service=ipv4" }
        cisco-avpair { "cisco-mpc-protocol-interface=gtpv1" }
        cisco-avpair { "cisco-service-selection=cisco1.com" }
        cisco-avpair { "cisco-msisdn=49123456789" }
        3gpp {
            imsi 262020000000642
        }
    }
}

4G mobile user RADIUS profile, PMIPv6 based:

subscriber-profile pmip {
    access-accept {
        reply-msg "Default profile"
        cisco-avpair { "mn-service=ipv4" }
        cisco-avpair { "home-lma=LMA1" }
        cisco-avpair { "cisco-mpc-protocol-interface=pmipv6" }
        cisco-avpair { "home-lma-ipv6-address=9::2" }
        cisco-avpair { "cisco-downlink-gre-key=100" }
        cisco-avpair { "cisco-uplink-gre-key=100" }
        3gpp {
            mn-nai {
                username mn
                domain-name cisco.com
                start-at 1
            }
        }
    }
}
Integration to Mobile Core using enhanced Wireless Access Gateway - eWAG

ReWAG: Radius triggered eWAG
Diagram elements: WiFi access (WLC, DHCP), PMIPv6, eWAG, Packet Core (AAA, HSS, GGSN over Gn/GTPv1), Home internet.
1- UE authenticated by AAA (EAP-SIM)
2- UE gets WiFi IP address from DHCP
3- UE sends Accounting start (radius)
4- Session is triggered
5- eWAG gets mobile IP address from GGSN
6- eWAG sets up tunnel
7- eWAG does NAT
Radius-based eWAG (ReWAG) w/o ISG 1/3
(call-flow diagram not reproduced in the text)

Radius-based eWAG (ReWAG) w/o ISG 2/3
(call-flow diagram not reproduced in the text)

Radius-based eWAG (ReWAG) w/o ISG 3/3
(call-flow diagram not reproduced in the text)
DeWAG: DHCP triggered eWAG
Diagram elements: WiFi access (WLC, DHCP), PMIPv6, eWAG, Packet Core (AAA, HSS, GGSN over Gn/GTPv1), Home internet.
1- UE authenticated by AAA (EAP-SIM)
2- UE comes to eWAG for DHCP (VLAN)
3- eWAG gets mobile IP address from GGSN
4- eWAG sets up tunnel
5- Accounting is started
6- (no NAT)
DHCP-based eWAG (DeWAG) 1/3
(call-flow diagram not reproduced in the text)

DHCP-based eWAG (DeWAG) 2/3
(call-flow diagram not reproduced in the text)

DHCP-based eWAG (DeWAG) 3/3
(call-flow diagram not reproduced in the text)
Integration to Mobile Core using S2a Mobility Gateway - SaMOG

EPC, Trusted WiFi & Untrusted WiFi Architecture
Diagram elements: HSS/AAA (S6a to the MME, STa to the trusted WiFi side); PGW/GGSN (S5 to the SGW, S2a to the SaMOG GW, S2b to the ePDG); MME and SGW (S1-MME and S1-U from the Radio Access (RAN)); SaMOG GW comprising TWAG and TWAP, reached from trusted WiFi over Radius and IP/GRE; ePDG for un-trusted WiFi; Aggregation/Core providing secure transport and S1 aggregation.
3GPP SaMOG Functional Architecture
Diagram elements: Trusted WiFi access connected to the TWAG over Uw (tunnel or native IP) and to the TWAP over Cw (AAA Radius); TWAP to the AAA/HSS over STa (Diameter); TWAG to the PGW over S2a (GTP or PMIP6); Internet.
Trusted WLAN AAA Proxy (TWAP)
Functions
 Relaying the AAA information between the WLAN Access Network and the 3GPP AAA Server
 Establishing the binding of the UE IMSI with the UE MAC address on the WLAN Access Network into an (IMSI, MAC) tuple by snooping on the AAA protocol messages
 Detecting L2 Attach of the UE to the WLAN Access Network by snooping on the AAA protocol for the EAP-Success message
 Detecting L2 Detach of the UE from the WLAN Access Network by snooping on the AAA protocol for the Accounting-Request STOP message
 Informing the Trusted WLAN Access Gateway of WLAN Attach and Detach events for the UE with its (MAC, IMSI) tuple
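The TWAP snooping logic listed above, as an added example that is not Cisco's code: it binds IMSI to MAC from the EAP identity in Access-Request, reports Attach on EAP-Success and Detach on Accounting-Request Stop, run over a constructed RADIUS trace; correlating request and accept by the RADIUS Identifier, and the realm and MAC used, are assumptions of the example.

```python
# Added example (not Cisco code): the TWAP snooping described above, run over a
# constructed trace of RADIUS messages modelled as dicts. Correlating an
# Access-Request with its Access-Accept by the RADIUS Identifier is this model's assumption.

def imsi_from_identity(user_name: str):
    """Permanent EAP-SIM ('1'+IMSI) / EAP-AKA ('0'+IMSI) NAI -> IMSI; pseudonyms -> None."""
    nai = user_name.split("@", 1)[0]
    if len(nai) >= 2 and nai[0] in "01" and nai[1:].isdigit():
        return nai[1:]
    return None

class Twap:
    def __init__(self):
        self.pending = {}    # RADIUS Identifier -> (MAC, IMSI) awaiting EAP-Success
        self.bindings = {}   # MAC -> IMSI for UEs currently attached
        self.events = []     # (event, MAC, IMSI) reported to the TWAG

    def snoop(self, msg: dict):
        code = msg["code"]
        if code == "Access-Request":
            imsi = imsi_from_identity(msg.get("User-Name", ""))
            if imsi:   # stale entries would need ageing out in a real proxy
                self.pending[msg["id"]] = (msg["Calling-Station-Id"], imsi)
        elif code == "Access-Accept" and msg.get("EAP-Message") == "EAP-Success":
            mac, imsi = self.pending.pop(msg["id"], (None, None))
            if imsi:                                    # L2 Attach
                self.bindings[mac] = imsi
                self.events.append(("attach", mac, imsi))
        elif code == "Accounting-Request" and msg.get("Acct-Status-Type") == "Stop":
            mac = msg.get("Calling-Station-Id")
            imsi = self.bindings.pop(mac, None)
            if imsi:                                    # L2 Detach
                self.events.append(("detach", mac, imsi))

# Constructed trace: one UE authenticates with EAP-SIM, then its session stops.
UE_MAC = "00:11:22:33:44:55"
TRACE = [
    {"code": "Access-Request", "id": 7, "User-Name": "1262020000000642@wlan.example.org",
     "Calling-Station-Id": UE_MAC},
    {"code": "Access-Challenge", "id": 7, "EAP-Message": "EAP-Request/SIM/Challenge"},
    {"code": "Access-Request", "id": 8, "User-Name": "1262020000000642@wlan.example.org",
     "Calling-Station-Id": UE_MAC},
    {"code": "Access-Accept", "id": 8, "EAP-Message": "EAP-Success"},
    {"code": "Accounting-Request", "id": 9, "Acct-Status-Type": "Start", "Calling-Station-Id": UE_MAC},
    {"code": "Accounting-Request", "id": 10, "Acct-Status-Type": "Stop", "Calling-Station-Id": UE_MAC},
]

def run_trace(trace=TRACE):
    twap = Twap()
    for m in trace:
        twap.snoop(m)
    return twap.events
```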
Trusted WLAN Access Gateway (TWAG)
 For IPv4:
    Default IPv4 router
    Allocates the IP address received from the P-GW to the UE (direct or indirect)
 For IPv6:
    Default IPv6 router
    Advertises the IPv6 prefix received from the P-GW to the UE (direct or indirect)
 WLAN Access side connectivity
 S2a connectivity towards the PGW
 Support for LBO in case of NSWO
ASR5K based SaMOG GW (TWAG/TWAP)
(architecture diagram not reproduced in the text)
Multi-Radio Management Entity (MRME)
 New StarOS service for access control and session management
 Basic Functions
    • Trusted WLAN AAA Proxy (TWAP)
    • EAP-AKA(') over Radius termination (supports EAP-SIM as well)
    • Diameter STa interface to the 3GPP AAA Server
    • UE session management (Attach, Detach, Mobility)
 Enhanced functions (roadmap)
    • GW selection (for 3G, 4G users)
    • Session continuity (anchor PGW selection)
    • Access admission control
    • Closed Subscriber Group support
Converged Access Gateway (CGW)
 New StarOS service for the Trusted WLAN Access Gateway
 3GPP TWAG
 Ingress (towards the WiFi AP)
    • IP-in-IP-GRE termination
    • Un-tunneled operation
 Egress (towards the Mobile Gateway)
    • GTPv2-C, GTP-U
SaMOG Session Establishment w/EAP-SIM 1/2
(call-flow diagram not reproduced in the text)

SaMOG Session Establishment w/EAP-SIM 2/2
(call-flow diagram not reproduced in the text)