You can store the security associations and configuration information remotely on a RADIUS server. On the home agent, you can use the ip mobile secure host command and the ip mobile secure foreign-agent command to configure the security association (MD-5 key) for a specified user or for a group of users (also known as a domain).
Authentication is accomplished either by generating an authentication, authorization, and accounting (AAA) access-request or by querying the locally configured security parameters, depending on whether you include the aaa keyword when you issue the ip mobile host command to configure the mobile node. For AAA authentication, include the aaa keyword; for local authentication, omit it. If AAA authentication is enabled, AAA queries the security information from the RADIUS server.
When both the network access identifier (NAI) and the IP address of the mobile node are present in the registration request, the authentication request from Mobile IP to AAA carries the NAI as the user name and the IP address as the hint IP address. If only the NAI is present in the registration request, the NAI is used as the user name and no hint IP address is included in the authentication request. If only the IP address (home address) is present in the registration request, it is used as both the user name and the hint IP address in the authentication request. If both the NAI and the IP address are missing from the registration request, the registration request is rejected.
If the optional aaa keyword is present in the ip mobile host command, then the authentication parameters are obtained by querying AAA. The authentication algorithm and security key are retrieved by AAA based on its configuration, depending on the SPI provided in the registration request. If the aaa keyword is absent, then the home agent uses authentication parameters configured locally on the router to authenticate the registration request. In both cases, if security parameters are not retrieved, then the request for mobility service is rejected, a security violation error is logged, and no registration reply is generated.
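The following Python is an added illustration, not code from the JUNOSe documentation or from Juniper: it models the home agent decision described in the two paragraphs above, deriving the user name and hint IP address from the NAI and home address, looking up the security parameters either locally or by SPI through AAA, and rejecting with a logged security violation when nothing is retrieved. The HMAC-MD5 authenticator, the dictionary-based stores, and all sample values are assumptions constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass
class RegistrationRequest:
    """Fields of a Mobile IP registration request that the home agent inspects."""
    nai: Optional[str]           # network access identifier, e.g. "alice@example.net"
    home_address: Optional[str]  # mobile node's home IP address, may be absent
    spi: int                     # SPI from the MN-HA authentication extension
    covered: bytes               # bytes the authenticator is computed over
    authenticator: bytes         # value carried in the authentication extension

def compute_authenticator(key, covered):
    """Assumption: the MD-5 security association is used as HMAC-MD5 over the covered bytes."""
    return hmac.new(key, covered, hashlib.md5).digest()

def derive_identity(req):
    """User name and hint IP address for the AAA access-request, or None to reject."""
    if req.nai and req.home_address:
        return req.nai, req.home_address           # NAI is the user name, address the hint
    if req.nai:
        return req.nai, None                       # no hint when only the NAI is present
    if req.home_address:
        return req.home_address, req.home_address  # the address serves as both
    return None                                    # neither present: reject the request

def authenticate(req, use_aaa, local_sa, aaa_sa, log):
    """Home agent decision: 'accepted' or a rejection reason. local_sa {user: (alg, key)}
    and aaa_sa {(user, spi): (alg, key)} are constructed stand-ins for the two sources."""
    ident = derive_identity(req)
    if ident is None:
        return "rejected: no NAI and no home address"
    user, hint = ident
    # Assumption: AAA selects algorithm and key by SPI; the local store is keyed by user only.
    params = aaa_sa.get((user, req.spi)) if use_aaa else local_sa.get(user)
    if params is None:
        log(f"security violation: no security parameters for {user} (hint {hint})")
        return "rejected: security violation, no registration reply"
    algorithm, key = params
    if algorithm != "hmac-md5":
        return "rejected: unsupported algorithm"
    if not hmac.compare_digest(compute_authenticator(key, req.covered), req.authenticator):
        return "rejected: authenticator mismatch"
    return "accepted"
```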
When you configure the mobile host to use RADIUS authentication for home agent users by including the aaa keyword in the ip mobile host command, the Mobile IP home agent application generates a RADIUS access-request message. The RADIUS server then uses Juniper Networks vendor-specific attributes (VSAs) to provide the appropriate authentication algorithm and secure key for the authentication request.
For information about the specific Juniper Networks VSAs used for Mobile IP RADIUS-based authentication, see the JUNOSe Broadband Access Configuration Guide and RADIUS IETF Attributes.