Radius Authentication - Cisco ASR 5000 series Product Overview

▀ Features and Functionality - Licensed Enhanced Feature Support
At the beginning of the IKEv2 session setup, the PDIF and the MS exchange capability for multiple authentication.
Multiple authentication is configured in the PDIF service as part of the crypto template where it is associated with an
EAP profile. The EAP profile defines the authentication mode and method. If multiple authentication is enabled in the
crypto template, the PDIF includes a MULTIPLE_AUTH_SUPPORTED Notify payload in the initial IKEv2 setup
response.
Important: Even if the PDIF confirms MULTIPLE_AUTH_SUPPORTED capability in the initial IKEv2 setup
response, the MS may not support multiple authentication and hence may not include a
MULTIPLE_AUTH_SUPPORTED Notify payload in the subsequent IKEv2 AUTH exchange. In this case, the MS may
only go through the first phase (EAP-AKA) of device authentication.
During the initial IKEv2/IPSec security setup exchanges, the MS undergoes both device authentication and subscriber
authentication. This is because even if the device is fully authenticated, a PDIF may not be able to tell which service
profile is applicable for the MS, nor the correct IP address to assign.
Important: First-phase authentication refers to device authentication, and second-phase authentication refers to
subscriber authentication.
AAA Group Selection
A maximum of 64 AAA groups is allowed on the ASR 5000. These can be spread across multiple contexts, or all groups
can be configured within a single VPN context.
A maximum of 320 RADIUS servers is allowed on the chassis.
When the relevant command is issued, these limits become 800 AAA groups and 1600 RADIUS servers configured
within the chassis.
The PDIF service allows you to specify a different AAA group for each authentication phase. A given AAA group
supports either Diameter or RADIUS authentication, but not both. In deployments where the NAI used in the first-phase
authentication is different from the NAI used in the second-phase authentication, each NAI can point to a different
domain profile in the PDIF.

RADIUS Authentication

Please see the document AAA Interface and Administration for information on AAA, RADIUS, and Diameter groups.
The second authentication uses RADIUS for subscriber authentication. The PDIF supports EAP termination mode
during the second half of multiple authentication. In this mode, the EAP exchange takes place between the MS and the
PDIF, and the PDIF translates the information exchanged in the EAP payload over IKEv2 into RADIUS attributes to support
CHAP/PAP authentication with the RADIUS server, and vice versa.
By default, the PDIF initiates EAP-MD5 authentication and sends an EAP payload with an MD5-Challenge to the MS.
The MS returns an MD5-Challenge response in the EAP payload. Upon receipt, the PDIF sends a RADIUS Access-Request
message which includes an NAI, a CHAP-Password, a CHAP-Challenge (derived from the EAP payload), and
an IMSI number (which is the Calling-Station-Id). Once the AAA server returns an Access-Accept message, optional
attributes such as Framed-IP-Address and HA address are expected for the subsequent session setup processing. The
▄ Cisco ASR 5000 Series Product Overview
Packet Data Interworking Function Overview
OL-22938-02
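The EAP-termination step described above (EAP-MD5 over IKEv2 on the MS side, CHAP attributes in a RADIUS Access-Request on the AAA side) is easier to follow with the byte layouts in front of you. The following is an added illustration, not Cisco code and not taken from this document: it builds the EAP-Request/MD5-Challenge, the MS's EAP-Response, maps that response into User-Name, CHAP-Password, CHAP-Challenge and Calling-Station-Id attributes the way RFC 2865 defines them, and then shows the check a RADIUS server performs to decide between Access-Accept and Access-Reject. The subscriber password, NAI and IMSI are constructed sample values; the wire formats follow RFC 3748 (EAP) and RFC 2865 (RADIUS), and the functions are hypothetical names chosen for this example.

```python
import hashlib
import hmac
import os
import struct

# EAP codes and method types (RFC 3748).
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4

# RADIUS attribute types (RFC 2865).
RADIUS_USER_NAME = 1
RADIUS_CHAP_PASSWORD = 3
RADIUS_CALLING_STATION_ID = 31
RADIUS_CHAP_CHALLENGE = 60


def eap_md5_request(identifier, challenge):
    """EAP-Request/MD5-Challenge as the PDIF would send it to the MS."""
    data = bytes([len(challenge)]) + challenge            # Value-Size || Value
    length = 4 + 1 + len(data)                             # header + Type + data
    return struct.pack("!BBH", EAP_REQUEST, identifier, length) \
        + bytes([EAP_TYPE_MD5_CHALLENGE]) + data


def eap_md5_response(identifier, secret, challenge, nai):
    """EAP-Response/MD5-Challenge from the MS.

    RFC 3748 section 5.4: the response value is MD5(Identifier || secret || challenge),
    the same computation as PPP CHAP, which is what makes the RADIUS mapping possible.
    """
    value = hashlib.md5(bytes([identifier]) + secret + challenge).digest()
    data = bytes([len(value)]) + value + nai.encode()      # Value-Size || Value || Name
    length = 4 + 1 + len(data)
    return struct.pack("!BBH", EAP_RESPONSE, identifier, length) \
        + bytes([EAP_TYPE_MD5_CHALLENGE]) + data


def parse_eap_md5(packet):
    """Split an EAP MD5-Challenge packet into (code, identifier, value, name)."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or packet[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not a well-formed EAP MD5-Challenge packet")
    value_size = packet[5]
    value = packet[6:6 + value_size]
    name = packet[6 + value_size:]
    return code, identifier, value, name


def radius_avp(attr_type, value):
    """One RADIUS attribute: Type (1) || Length (1, includes header) || Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def eap_to_radius_attributes(challenge, eap_response_packet, imsi):
    """The PDIF's translation: EAP-MD5 response -> CHAP attributes for Access-Request."""
    code, identifier, value, name = parse_eap_md5(eap_response_packet)
    if code != EAP_RESPONSE:
        raise ValueError("expected an EAP Response")
    # RFC 2865 section 5.3: CHAP-Password = 1 octet CHAP Ident || 16 octet response.
    chap_password = bytes([identifier]) + value
    return b"".join([
        radius_avp(RADIUS_USER_NAME, name),                 # the NAI from the EAP Name field
        radius_avp(RADIUS_CHAP_PASSWORD, chap_password),
        radius_avp(RADIUS_CHAP_CHALLENGE, challenge),       # section 5.40
        radius_avp(RADIUS_CALLING_STATION_ID, imsi.encode()),
    ])


def parse_radius_attributes(blob):
    """Walk a TLV attribute list into a {type: value} dict."""
    attrs, i = {}, 0
    while i < len(blob):
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed RADIUS attribute")
        attrs[attr_type] = blob[i + 2:i + length]
        i += length
    return attrs


def radius_server_verify(attr_blob, subscriber_secrets):
    """AAA-side check: recompute the CHAP response from the stored password.
    True means Access-Accept, False means Access-Reject."""
    attrs = parse_radius_attributes(attr_blob)
    nai = attrs[RADIUS_USER_NAME].decode()
    chap = attrs[RADIUS_CHAP_PASSWORD]
    challenge = attrs[RADIUS_CHAP_CHALLENGE]
    secret = subscriber_secrets.get(nai)
    if secret is None or len(chap) != 17:
        return False
    expected = hashlib.md5(chap[:1] + secret + challenge).digest()
    return hmac.compare_digest(expected, chap[1:])


def demo(server_secret=b"constructed-subscriber-password"):
    """Run the whole second-phase exchange with constructed sample data."""
    ms_secret = b"constructed-subscriber-password"        # constructed, on the MS
    nai, imsi = "subscriber@example.invalid", "001010000000001"  # constructed values
    challenge, identifier = os.urandom(16), 7
    eap_md5_request(identifier, challenge)                 # PDIF -> MS (over IKEv2)
    response = eap_md5_response(identifier, ms_secret, challenge, nai)  # MS -> PDIF
    attrs = eap_to_radius_attributes(challenge, response, imsi)         # PDIF -> AAA
    return radius_server_verify(attrs, {nai: server_secret})           # AAA decision
```

Running `demo()` returns True when the AAA server holds the same password as the MS and False otherwise; the PDIF never sees the password itself, only the challenge and the MD5 response it forwards.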