Network Access Control Functions; Authentication and Key Agreement (AKA) - Cisco ASR 5000 Series Administration Manual

▀ Features and Functionality - Base Software
to their requirements for committed bandwidth resources, jitter and delay. In this way, each application receives the
service treatment that users expect.
The MME Operator Policy configuration allows the specification of QoS for each traffic class that can either be used as
a default or as an override to the HSS settings.
In LTE-EPC 4G architectures, QoS management is network controlled via dynamic policy interactions between the
PCRF and PDN GW. EPS bearer management is used to establish, modify or remove dedicated EPC bearers in order to
provide service treatments tied to the needs of specific applications/service data flows. The service priority is
provisioned based on QoS Class Identifiers (QCI) in the Gx policy signaling. PCRF signaling interaction may also be
used to establish or modify the APN-AMBR attribute assigned to the default EPS bearer.
When it is necessary to set up a dedicated bearer, the PDN GW initiates the Create Dedicated Bearer Request, which
includes the IMSI (permanent identity of the mobile access terminal), Traffic Flow Template (TFT - 5-tuple packet filters)
and S5 Tunnel Endpoint ID (TEID) information that is propagated downstream via the SGW over the S11 interface to
the MME. The Dedicated Bearer signaling includes requested QoS information such as QCI, Allocation and Retention
Priority (ARP), Guaranteed Bit Rate (GBR - guaranteed minimum sending rate) and Maximum Bit Rate (MBR -
maximum burst size).
The MME allocates a unique EPS bearer identity for every dedicated bearer and encodes this information in a Session
Management Request that includes the Protocol Transaction ID (PTI), TFTs and EPS bearer QoS parameters. The MME
signals the Bearer Setup Request in the S1-MME message toward the neighboring eNodeB.

Network Access Control Functions

These functions enable secure user- and device-level authentication between the authenticator component of the MME
and a 3GPP HSS / AuC, with Diameter-based S6a interface support.
This section describes the following features:

Authentication and Key Agreement (AKA)

HSS Support Over S6a Interface

Authentication and Key Agreement (AKA)

The MME provides the EPS Authentication and Key Agreement mechanism for the user authentication procedure over the
E-UTRAN. The Authentication and Key Agreement (AKA) mechanism performs authentication and session key
distribution in networks. AKA is a challenge-response based mechanism that uses symmetric cryptography. AKA is
typically run in a Services Identity Module.
AKA is the procedure that takes place between the user and the network to authenticate themselves to each other and to
provide other security features such as integrity and confidentiality protection.
In logical order, the procedure is as follows:
1. Authentication: Performs authentication by identifying the user to the network and identifying the network to
the user.
2. Key agreement: Performs key agreement by generating the cipher key and generating the integrity key.
3. Protection: Once the AKA procedure has been performed, it protects the integrity of messages, the confidentiality of
signalling data, and the confidentiality of user data.
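
The authentication and key agreement steps above, sketched as an added Python example (not code from the Cisco guide or from any 3GPP implementation). It follows the general AKA message layout from the 3GPP specifications (RAND, AUTN, RES/XRES, SQN, CK, IK), but the keyed functions f1..f5 are replaced by an HMAC-SHA256 stand-in rather than MILENAGE, the SQN freshness check is simplified to "strictly increasing", and the function names, class name, AMF value and key are constructed for illustration.

```python
import hashlib
import hmac
import os

def f(k, label, *parts):
    # Stand-in for the f1..f5 functions (assumption: HMAC-SHA256, not MILENAGE).
    return hmac.new(k, label + b"".join(parts), hashlib.sha256).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

AMF = b"\x80\x00"  # AMF field carried in AUTN (constructed sample value)

def hss_generate_vector(k, sqn):
    """Network side (HSS/AuC): build the challenge and the expected results."""
    rand = os.urandom(16)
    sqn_b = sqn.to_bytes(6, "big")
    mac = f(k, b"f1", sqn_b, rand, AMF)[:8]  # lets the user authenticate the network
    ak = f(k, b"f5", rand)[:6]               # anonymity key, conceals SQN in transit
    return {"rand": rand, "autn": xor(sqn_b, ak) + AMF + mac,
            "xres": f(k, b"f2", rand)[:8],
            "ck": f(k, b"f3", rand)[:16], "ik": f(k, b"f4", rand)[:16]}

class Usim:
    """User side: holds the same long-term key K and the last accepted SQN."""
    def __init__(self, k, sqn=0):
        self.k, self.sqn = k, sqn

    def authenticate(self, rand, autn):
        conc_sqn, amf, mac = autn[:6], autn[6:8], autn[8:]
        sqn_b = xor(conc_sqn, f(self.k, b"f5", rand)[:6])
        if not hmac.compare_digest(mac, f(self.k, b"f1", sqn_b, rand, amf)[:8]):
            raise ValueError("MAC failure: challenge not from the home network")
        sqn = int.from_bytes(sqn_b, "big")
        if sqn <= self.sqn:
            raise ValueError("SQN failure: replayed or stale challenge")
        self.sqn = sqn
        # RES answers the challenge; CK and IK are the agreed session keys.
        return (f(self.k, b"f2", rand)[:8],
                f(self.k, b"f3", rand)[:16], f(self.k, b"f4", rand)[:16])

def mme_verify(res, xres):
    """MME side: the user is authenticated when RES matches XRES."""
    return hmac.compare_digest(res, xres)

if __name__ == "__main__":
    k = bytes(range(16))                     # constructed sample key
    av = hss_generate_vector(k, sqn=1)
    res, ck, ik = Usim(k).authenticate(av["rand"], av["autn"])
    print(mme_verify(res, av["xres"]), ck == av["ck"], ik == av["ik"])
```

The two `ValueError` paths are the checks that give the user side its assurance: a challenge built without K fails the MAC comparison, and a captured challenge presented a second time fails the SQN comparison.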
▄ Cisco ASR 5000 Series Mobility Management Entity Administration Guide
24
MME in LTE/SAE Wireless Data Services
OL-22987-01
