Cisco ASR 5000 Series Administration Manual page 29

Femto network gateway

Femto Network Gateway Overview
How the FNG Works
Cisco ASR 5000 Series Femto Network Gateway Administration Guide, OL-24872-01, page 29

Figure 3. IPSec Tunnel Establishment with EAP-AKA Authentication

Participants: FAP, FNG, AAA

1. FAP -> FNG: IKE_SA_INIT Request
2. FNG -> FAP: IKE_SA_INIT Response
3. FAP -> FNG: IKE_AUTH Request (Idi=FAPID, Idr, SAs, Cfg payload (INTERNAL_IP4_ADDRESS))
4. FNG -> AAA: RADIUS Access-Request (EAP response identity)
5. AAA -> FNG: RADIUS Access-Challenge (EAP-Req/AKA-Chal, RAND, AUTN)
6. FNG -> FAP: IKE_AUTH Response (EAP-Req/AKA-Chal)
7. FAP -> FNG: IKE_AUTH Request (EAP-Req/AKA-Chal)
8. FNG -> AAA: RADIUS Access-Request (EAP-Req/AKA-Chal, FAP Rsp)
9. AAA -> FNG: RADIUS Access-Accept (EAP success, attributes)
10. FNG -> FAP: IKE_AUTH Response (EAP success)
11. FAP -> FNG: IKE_AUTH Request
12. FNG -> FAP: IKE_AUTH Response (Traffic selectors, Cfg payload (TIA))

At the FNG: FNG allocates TIA to FAP, installs IPSec SA for TIA

Table 3. IPSec Tunnel Establishment with EAP-AKA Authentication

Step  Description
1.    The FAP initiates an IKEv2 exchange with the FNG, known as the IKE_SA_INIT exchange, by issuing an IKE_SA_INIT Request to negotiate cryptographic algorithms, exchange nonces, establish NAT traversal, and perform a Diffie-Hellman exchange with the FNG.
2.    The FNG responds with an IKE_SA_INIT Response by choosing a cryptographic suite from the initiator's offered choices, completing the Diffie-Hellman and nonce exchanges with the FAP.
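The message order in Figure 3 can be checked mechanically against a trace of observed signalling, for example to flag a tunnel set up without the RADIUS Access-Accept step. This is an added example, not code from the Cisco guide: the event tuples, function names and sample traces are constructed for illustration, and each message's sender and receiver is taken from its request/response role in the figure.

```python
# Expected order transcribed from Figure 3: (step, sender, receiver, message).
# Sender/receiver follow request/response roles (assumption stated in the lead-in).
FIGURE_3 = [
    (1, "FAP", "FNG", "IKE_SA_INIT Request"),
    (2, "FNG", "FAP", "IKE_SA_INIT Response"),
    (3, "FAP", "FNG", "IKE_AUTH Request"),
    (4, "FNG", "AAA", "RADIUS Access-Request"),
    (5, "AAA", "FNG", "RADIUS Access-Challenge"),
    (6, "FNG", "FAP", "IKE_AUTH Response"),
    (7, "FAP", "FNG", "IKE_AUTH Request"),
    (8, "FNG", "AAA", "RADIUS Access-Request"),
    (9, "AAA", "FNG", "RADIUS Access-Accept"),
    (10, "FNG", "FAP", "IKE_AUTH Response"),
    (11, "FAP", "FNG", "IKE_AUTH Request"),
    (12, "FNG", "FAP", "IKE_AUTH Response"),
]

def check_exchange(events):
    """Walk observed (sender, receiver, message) events against Figure 3.

    Returns (last_step_reached, findings). The walk stops at the first
    deviation, because every later message depends on the earlier ones.
    """
    findings, reached = [], 0
    for event in events:
        if reached == len(FIGURE_3):
            findings.append(f"unexpected message after step 12: {tuple(event)}")
            break
        step, *expected = FIGURE_3[reached]
        if tuple(event) != tuple(expected):
            findings.append(f"step {step}: expected {tuple(expected)}, saw {tuple(event)}")
            break
        reached = step
    if not findings and reached < len(FIGURE_3):
        findings.append(f"exchange stopped after step {reached}")
    return reached, findings

def tunnel_authorized(events):
    """True only when all 12 steps, including RADIUS Access-Accept, were seen in order."""
    reached, findings = check_exchange(events)
    return reached == len(FIGURE_3) and not findings

# Constructed sample traces (not captured traffic).
GOOD = [e[1:] for e in FIGURE_3]
SKIPPED_AAA = [e[1:] for e in FIGURE_3 if e[0] not in (8, 9)]  # no second AAA round trip

if __name__ == "__main__":
    for name, trace in (("GOOD", GOOD), ("SKIPPED_AAA", SKIPPED_AAA)):
        print(name, tunnel_authorized(trace), check_exchange(trace)[1])
```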
