Contents
- Mobile IP Generic NAI Support and Home Address Allocation
- Finding Feature Information
- Information About Generic NAI Support and Home Address Allocation
- NAI Overview
- Home Address Allocation
- Static IP Addresses
- Local Authorization
- AAA Authorization
- Static IP Address Configuration Priority
- Dynamic IP Addresses
- DHCP
- AAA
- Dynamic IP Address Configuration Priority
- Address Allocation for Same NAI with Multiple Static Addresses
- How Registrations Are Processed for the Same NAI
- Benefits of Generic NAI Support and Home Address Allocation
- How to Configure Generic NAI Support and Home Address Allocation
- Configuring the Home Agent
- Dynamic IP Addresses
- Configuring AAA in the Mobile IP Environment
- Configuring RADIUS in the Mobile IP Environment
- Verifying Generic NAI Support and Home Address Allocation
- Output Examples
- Sample Output for the show ip mobile binding Command
- Sample Output for the show ip mobile host Command
- Sample Output for the show ip mobile visitor Command
- Configuration Examples for Generic NAI Support and Home Address Allocation
- Static Home Addressing Using NAI Examples
- Dynamic Home Addressing Using NAI Examples
- Home Agent Using NAI AAA Server Example
- AAA and Local Configuration Example
- Additional References
- Command Reference
- Glossary
Mobile IP Generic NAI Support and Home Address Allocation
The Mobile IP--Generic NAI Support and Home Address Allocation feature allows a mobile node to be identified by a network access identifier (NAI) instead of by an IP address (home address). The NAI is a character string that can be a unique identifier (username@realm) or a group identifier (realm). Additionally, this feature allows you to configure the home agent to allocate addresses to mobile nodes either statically or dynamically. Home addresses can be allocated from address pools configured locally on the home agent, from a Dynamic Host Configuration Protocol (DHCP) server, or from the authentication, authorization, and accounting (AAA) server.
Feature Specifications for Mobile IP--Generic NAI Support and Home Address Allocation
Feature History
Release | Modification
---|---
12.2(13)T | This feature was introduced.
Supported Platforms
Refer to Feature Navigator.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About Generic NAI Support and Home Address Allocation
NAI Overview
Authentication, Authorization, and Accounting (AAA) servers are used within the Internet to provide authentication and authorization services for dial-up computers. AAA servers identify clients using the NAI. The NAI is a character string in the format of an e-mail address, either user or user@realm, but it need not be a valid e-mail address or a fully qualified domain name. The NAI can be used in either a specific or a generic form. The specific form, which must contain the user portion and may contain the @realm portion, identifies a single user. The generic form allows all users in a given realm, or all users without a realm, to be configured on a single command line. Each user still needs a unique security association, but these associations can be stored on a AAA server.
The original purpose of the NAI was to support roaming between dialup ISPs. With the NAI, each ISP need not have all the accounts for all of its roaming partners in a single RADIUS database. RADIUS servers can proxy requests to remote servers for each realm.
These services are also valuable for mobile nodes using Mobile IP when the nodes are attempting to connect to foreign domains with AAA servers. The Mobile IP--Generic NAI Support and Home Address Allocation feature introduces a method for the mobile node to identify itself by including the NAI along with the Mobile IP registration request.
RFC 2794, Mobile IP Network Access Identifier Extension for IPv4, defines a mobile node NAI extension of type 131 to the Mobile IP registration messages. This extension must appear in the registration request before the mobile-home authentication extension (MHAE) and the mobile-foreign authentication extension (MFAE), so that the NAI is covered by those authenticators. The home agent authenticates the mobile node and allocates an IP address. For static IP address allocation, the mobility binding is identified in the home agent as a flow {NAI, IP address}; for dynamic address assignment, the mobility binding is identified by the NAI only.
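As an added illustration of the message layout described above (example code, not part of the Cisco document), the following Python builds a registration request carrying the RFC 2794 NAI extension and an RFC 3220 HMAC-MD5 mobile-home authentication extension, then performs the home agent's checks: the NAI must precede the authentication extensions, the authenticator must verify, and an all-zero home address marks a request for dynamic allocation. The key, home agent address, care-of address and identification value are constructed sample values.

```python
import hashlib
import hmac
import struct

# Extension types: RFC 2794 mobile node NAI; RFC 3220 mobile-home (MHAE) and mobile-foreign (MFAE)
MN_NAI_EXT = 131
MHAE_EXT = 32
MFAE_EXT = 33
FIXED_HDR_LEN = 24   # type(1) flags(1) lifetime(2) home addr(4) home agent(4) care-of(4) identification(8)
MD5_LEN = 16


def parse_extensions(req):
    """Return (type, offset, value) for each extension following the fixed registration header."""
    exts, off = [], FIXED_HDR_LEN
    while off < len(req):
        etype, elen = req[off], req[off + 1]
        exts.append((etype, off, req[off + 2:off + 2 + elen]))
        off += 2 + elen
    return exts


def mhae_authenticator(key, req, mhae_off):
    """HMAC-MD5 over the request data, all prior extensions and the MHAE type, length and SPI."""
    return hmac.new(key, req[:mhae_off + 6], hashlib.md5).digest()


def validate_request(req, key):
    """Home-agent side checks. Returns (nai, wants_dynamic_address, spi) or raises ValueError."""
    if req[0] != 1:
        raise ValueError("not a registration request")
    home_addr = req[4:8]
    nai = None
    for etype, off, val in parse_extensions(req):
        if etype == MN_NAI_EXT:
            nai = val.decode("ascii")
        elif etype in (MHAE_EXT, MFAE_EXT):
            # RFC 2794: the NAI must precede the authentication extensions so it is authenticated too
            if nai is None:
                raise ValueError("NAI extension missing or placed after an authentication extension")
            if etype == MHAE_EXT:
                spi, auth = struct.unpack("!I", val[:4])[0], val[4:]
                if not hmac.compare_digest(auth, mhae_authenticator(key, req, off)):
                    raise ValueError("MHAE authenticator mismatch")
                # An all-zero home address asks the home agent for dynamic allocation (see text)
                return nai, home_addr == bytes(4), spi
    raise ValueError("no mobile-home authentication extension")


def build_request(nai, home_addr, key, spi=100, nai_first=True):
    """Constructed test message; home agent, care-of address and identification are sample values."""
    hdr = struct.pack("!BBH4s4s4sQ", 1, 0, 10000, home_addr,
                      bytes([1, 1, 1, 1]), bytes([68, 0, 0, 31]), 0xB750FAC4C28F56A8)
    nai_b = nai.encode("ascii")
    nai_ext = bytes([MN_NAI_EXT, len(nai_b)]) + nai_b
    body = hdr + (nai_ext if nai_first else b"")
    mhae_head = bytes([MHAE_EXT, 4 + MD5_LEN]) + struct.pack("!I", spi)
    auth = hmac.new(key, body + mhae_head, hashlib.md5).digest()
    # nai_first=False deliberately misorders the extensions to exercise the rejection path
    return body + mhae_head + auth + (b"" if nai_first else nai_ext)


if __name__ == "__main__":
    key = bytes.fromhex("12345678123456781234567812345678")   # constructed sample key
    req = build_request("jane@cisco.com", bytes(4), key)
    print(validate_request(req, key))   # ('jane@cisco.com', True, 100)
```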
Home Address Allocation
The home agent allocates a home address to the mobile node based on the NAI received during Mobile IP registration. The IP addresses can be statically or dynamically allocated to the mobile node. In addition, multiple static IP addresses can be allocated to the same NAI. The home agent will not permit simultaneous registrations for different NAIs with the same IP address, whether it is statically or dynamically allocated.
- Static IP Addresses
- Dynamic IP Addresses
- Address Allocation for Same NAI with Multiple Static Addresses
- How Registrations Are Processed for the Same NAI
Static IP Addresses
Static IP addresses must be configured on the mobile node. The home agent supports static IP addresses that might be public IP addresses, or addresses in a private domain.
Note: Use of private addresses for Mobile IP services requires reverse tunneling between the foreign agent and the home agent.
The mobile node proposes the configured or available address as a nonzero home address in the registration request message. The home agent can accept this address or return another address in the registration reply message. The home agent can authorize the IP address by accessing the AAA server or the DHCP server. The AAA server may return the name of a local pool or a single IP address. On successful Mobile IP registration, Mobile IP based services are made available to the user.
Local Authorization
A static address can be authorized on a per-mobile node or per-realm basis. Per-mobile node configurations require a specific NAI, in the form user or user@realm, to be defined on the home agent and allow up to five addresses or a pool per NAI. Per-realm configurations require a generic NAI in the form @realm and allow address allocation only from a local pool.
AAA Authorization
The number of mobile nodes that can be configured locally is limited by the NVRAM available on the router. As an alternative, you can store the authorized addresses or the local pool name in a AAA server. Each user must have either the static-addr-pool attribute or the static-pool-def attribute configured in the AAA server. Unlike the static address configuration on the command line, the static-addr-pool attribute is not limited in the number of addresses. See the Configuration Examples for Generic NAI Support and Home Address Allocation section in this document for AAA configuration examples.
Static IP Address Configuration Priority
If the configuration exists locally as well as on the AAA server, the AAA configuration takes precedence over the local pool of addresses. The priority is given in the following order:
1. AAA addresses
2. AAA pool name
3. Local mobile node static addresses
4. Local pool
In cases where the static addresses list is retrieved from the AAA server but all the addresses are already in use by other mobile nodes, the next priority addressing mechanism is used.
Dynamic IP Addresses
A mobile node can request a dynamically allocated IP address by proposing an all-zero home address in the registration request message. The home agent allocates a home address and returns it to the mobile node in the registration reply message.
A fixed address is a dynamically assigned address that is always the same.
The home address can be allocated from a AAA server, a DHCP server, or configured locally through the command line interface (CLI). You can also define a local pool for address allocation on a AAA server or through the CLI.
DHCP
Optionally, Mobile IP uses the existing Cisco IOS DHCP proxy client to allocate dynamic home addresses by a DHCP server. The NAI is sent in the DHCP client-id option and can be used to provide dynamic DNS services.
AAA
Dynamic IP addressing from a AAA server supports fixed or per-session addressing for mobile nodes without the task of maintaining addressing at the mobile node or the home agent. The AAA server can return a specific address, a local pool name, or a DHCP server address.
Dynamic IP Address Configuration Priority
If the configuration exists locally as well as on the AAA server, the AAA configuration takes precedence over the local pool of addresses. The priority is given in the following order:
1. AAA address
2. AAA pool
3. Local mobile node address
4. Local pool
5. DHCP pool
Address Allocation for Same NAI with Multiple Static Addresses
The home agent supports multiple Mobile IP registrations for the same NAI with different static addresses, through static address configuration on the command line or by configuring static IP address pools at the AAA server or DHCP server. When the home agent receives a registration request message from the mobile user, the home agent accesses the AAA server for authentication, and possibly for assignment of an IP address.
A single mobile user can use multiple static IP addresses either on the same IP device or multiple IP devices, while maintaining only one AAA record and security association. The ISP can then bill the user based on the NAI, independent of which IP device was used.
How Registrations Are Processed for the Same NAI
When the same NAI is used for registration from two different mobile IP devices, the behavior is as follows:
- If static address allocation is used in both cases, they are considered independent cases.
- If dynamic address allocation is used in both cases, the second registration replaces the first.
- If static is used for the first registration, and dynamic for the second, the dynamic address allocation replaces the static address allocation.
- If dynamic is used for the first registration, and static for the second, they are considered independent cases.
Additionally, two flows originating from the same mobile node using the same NAI, but two different home agents, are viewed as independent cases.
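The following Python is an added model (not code from the Cisco document) of the two behaviours described in the preceding sections: the address selection priority, including the fall-through to the next mechanism when every AAA address is already in use, and the rules for a second registration under the same NAI. Pool names, addresses and NAIs are constructed sample data; the configuration dictionaries and source names are assumptions of this example.

```python
# Configuration sources in the priority order the document gives for each allocation type.
STATIC_PRIORITY = ("aaa_addresses", "aaa_pool", "local_addresses", "local_pool")
DYNAMIC_PRIORITY = ("aaa_address", "aaa_pool", "local_address", "local_pool", "dhcp_pool")


class HomeAgent:
    """Toy model of the home agent's address selection and mobility binding rules."""

    def __init__(self, pools):
        self.pools = pools       # pool name -> ordered list of addresses (constructed sample data)
        self.bindings = {}       # NAI -> list of (home address, "static" | "dynamic")

    def addresses_in_use(self):
        return {addr for blist in self.bindings.values() for addr, _ in blist}

    def _candidates(self, source, aaa, local):
        cfg = aaa if source.startswith("aaa") else local
        value = cfg.get(source)
        if value is None:
            return []
        if source.endswith("pool"):
            return self.pools.get(value, [])   # a pool name resolves to its address list
        return list(value) if isinstance(value, (list, tuple)) else [value]

    def allocate(self, nai, proposed, aaa, local):
        """Return (address, source); proposed=None models an all-zero home address (dynamic request)."""
        order = DYNAMIC_PRIORITY if proposed is None else STATIC_PRIORITY
        in_use = self.addresses_in_use()
        for source in order:
            free = [a for a in self._candidates(source, aaa, local) if a not in in_use]
            if not free:
                continue        # e.g. the AAA address list is exhausted: try the next mechanism
            # For a static request the proposed address is accepted if authorized and free;
            # otherwise the home agent returns another authorized address in the reply.
            return (proposed if proposed in free else free[0]), source
        raise LookupError(f"no home address available for {nai}")

    def register(self, nai, addr, kind):
        """Apply the same-NAI rules from the text; an address is never bound to two different NAIs."""
        for other, blist in self.bindings.items():
            if other != nai and any(a == addr for a, _ in blist):
                raise ValueError(f"{addr} is already bound to {other}")
        existing = self.bindings.setdefault(nai, [])
        if kind == "dynamic":
            existing.clear()    # a dynamic registration replaces earlier static or dynamic bindings
        existing.append((addr, kind))   # a static registration is independent of existing ones
        return list(existing)
```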
Benefits of Generic NAI Support and Home Address Allocation
- Provides a mechanism to identify users based on the NAI
- Supports static and dynamic IP address allocation
- Optimizes the use of IP addresses by reusing them
How to Configure Generic NAI Support and Home Address Allocation
- Configuring the Home Agent
- Configuring AAA in the Mobile IP Environment
- Configuring RADIUS in the Mobile IP Environment
- Verifying Generic NAI Support and Home Address Allocation
Configuring the Home Agent
Perform one of the following tasks in this section, depending on whether you want to configure static IP addresses or dynamic IP addresses.
1. enable
2. configure {terminal | memory | network}
3. ip local pool {named-address-pool | default} {first-ip-address [last-ip-address]}
4. ip mobile host {lower [upper] | nai string [static-address {addr1 [addr2] [addr3] [addr4] [addr5] | local-pool name}]} {interface name | virtual-network network-address mask} [aaa [load-sa]] [care-of-access access-list] [lifetime number]
5. ip mobile secure host {lower [upper] | nai string} {inbound-spi spi-in outbound-spi spi-out | spi spi} key hex string [replay timestamp [number] algorithm {md5 | hmac-md5} mode prefix-suffix]
Dynamic IP Addresses
This section describes how to configure the home agent to allocate dynamic IP addresses to mobile nodes.
1. enable
2. configure {terminal | memory | network}
3. ip local pool {named-address-pool | default} {first-ip-address [last-ip-address]}
4. ip mobile host nai string [address {addr | pool {local name | dhcp-proxy-client [dhcp-server addr]}}] {interface name | virtual-network network-address mask} [aaa [load-sa]] [care-of-access access-list] [lifetime number]
5. ip mobile secure host {lower [upper] | nai string} {inbound-spi spi-in outbound-spi spi-out | spi spi} key hex string [replay timestamp [number] algorithm {md5 | hmac-md5} mode prefix-suffix]
Configuring AAA in the Mobile IP Environment
Access control is the way you manage who has user access to the network server and what services the users are allowed to use. AAA network security services provide the primary framework through which you set up access control on your router or access server. See the Configuration Examples for Generic NAI Support and Home Address Allocation in this document for example AAA configurations.
1. enable
2. configure {terminal | memory | network}
3. aaa new-model
4. aaa authentication login {default | list-name} method1 [method2...]
5. aaa authorization ipmobile {tacacs+ | radius}
6. aaa session-id [common | unique]
Configuring RADIUS in the Mobile IP Environment
Remote Authentication Dial-in User Service (RADIUS) is a method for defining the exchange of AAA information in the network. In the Cisco implementation, RADIUS clients run on Cisco routers and send authentication requests to a RADIUS server that contains all user authentication and network server access information.
1. enable
2. configure {terminal | memory | network}
3. radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number]
4. radius-server retransmit retries
5. radius-server key {0 string | 7 string | string}
Verifying Generic NAI Support and Home Address Allocation
To verify generic NAI support and home address allocation, use the following commands in privileged EXEC mode, as needed:
1. show ip mobile binding nai string
2. show ip mobile host nai string
3. show ip mobile visitor nai string
DETAILED STEPS
Command or Action | Purpose
---|---
Step 1: show ip mobile binding nai string (Example: Router# show ip mobile binding nai jane@cisco.com) | Displays the mobility binding table.
Step 2: show ip mobile host nai string (Example: Router# show ip mobile host nai jane@cisco.com) | Displays mobile node information.
Step 3: show ip mobile visitor nai string (Example: Router# show ip mobile visitor nai jane@cisco.com) | Displays the visitor list on the foreign agent.
Output Examples
This section provides the following output examples:
- Sample Output for the show ip mobile binding Command
- Sample Output for the show ip mobile host Command
- Sample Output for the show ip mobile visitor Command
Sample Output for the show ip mobile binding Command
In this example, information about all current mobility bindings for the NAI is displayed using the show ip mobile binding EXEC command:
Router> show ip mobile binding nai jane@cisco.com
Mobility Binding List:
jane@cisco.com (Bindings 1):
    Home Addr 25.2.2.1
    Care-of Addr 68.0.0.31, Src Addr 68.0.0.31,
    Lifetime granted 02:46:40 (10000), remaining 02:46:32
    Flags Sbdmgvt, Identification B750FAC4.C28F56A8,
    Tunnel2 src 1.1.1.1 dest 2.2.2.1 reverse-allowed
    Routing Options - (B)Broadcast
Sample Output for the show ip mobile host Command
In this example, mobile host counters and information are displayed using the show ip mobile host EXEC command:
Router> show ip mobile host nai jane@cisco.com
jane@cisco.com:
    Dynamic address from local pool dynamic-pool
    Allowed lifetime 00:03:20 (200/default)
    Roaming status -registered-, Home link on virtual network 25.0.0.0/8
    Bindings 25.2.2.1
    Accepted 2, Last time 04/13/02 19:04:28
    Overall service time 00:04:42
    Denied 0, Last time -never-
    Last code '-never- (0)'
    Total violations 0
    Tunnel to MN - pkts 0, bytes 0
    Reverse tunnel from MN - pkts 0, bytes 0
Sample Output for the show ip mobile visitor Command
In this example, the visitor list on the foreign agent is displayed using the show ip mobile visitor EXEC command:
Router> show ip mobile visitor nai jane@cisco.com
Security Associations (algorithm,mode,replay)
Mobile Visitor List:
jane@cisco.com
    Home addr 25.2.2.2
    Interface Ethernet3/2, MAC addr 0060.837b.95ec
    IP src 0.0.0.0, dest 2.2.2.1, UDP src port 434
    HA addr 1.1.1.1, Identification B7510E60.64436B38
    Lifetime 00:03:20 (200) Remaining 00:02:57
    Tunnel2 src 2.2.2.1, dest 1.1.1.1, reverse-allowed
    Routing Options - (B) Broadcast
Configuration Examples for Generic NAI Support and Home Address Allocation
- Static Home Addressing Using NAI Examples
- Dynamic Home Addressing Using NAI Examples
- Home Agent Using NAI AAA Server Example
- AAA and Local Configuration Example
Static Home Addressing Using NAI Examples
The following example configures a local pool of static addresses to be used in assigning IP addresses to mobile nodes in the cisco.com domain:
router mobile
!
ip local pool mobilenodes 172.21.58.3 172.21.58.250
ip mobile host nai @cisco.com static-address local-pool mobilenodes
ip mobile secure host nai @cisco.com spi 100 key hex 123456781234567812345678123245678
!
Dynamic Home Addressing Using NAI Examples
The following is an example of dynamic addressing using a local pool:
router mobile
!
ip local pool my-pool 10.1.2.3 10.1.2.5
ip mobile host nai jane@cisco.com address pool local my-pool virtual-network 10.0.0.0 255.255.255.0
ip mobile secure host nai jane@cisco.com spi 100 key hex 123456781234567812345678123245678
The following is an example of dynamic addressing using a DHCP server specified by the DHCP proxy client:
router mobile
!
ip mobile host nai jane@cisco.com address pool dhcp-proxy-client dhcp-server 10.1.2.3 interface FastEthernet 0/0
ip mobile secure host nai jane@cisco.com spi 100 key hex 123456781234567812345678123245678
Home Agent Using NAI AAA Server Example
In the following static configuration, the home agent can use a AAA server to store either the authorized addresses or local pool name. For the mobile node to request a static address, either the static-addr-pool attribute or the static-pool-def attribute must be configured on the AAA server.
Home Agent
The following example shows how the home agent is configured to use the AAA server:
aaa new-model
aaa authorization ipmobile radius
!
ip local pool mobilenodes 10.0.0.5 10.0.0.10
ip mobile host nai user@staticuser.com interface FastEthernet0/0 aaa
ip mobile host nai @static.com interface FastEthernet0/0 aaa
RADIUS Attributes
Cisco-AVPair = "mobileip:static-addr-pool=10.0.0.1 10.0.0.2 10.0.0.3"
Cisco-AVPair = "mobileip:static-pool-def=mobilenodes"
AAA and Local Configuration Example
You can also configure some addressing details on the home agent and some on the AAA server. In the following example, a set of authorized static addresses for a mobile node is configured on the AAA server and the dynamic addresses are configured locally on the home agent.
Home Agent
ip mobile host nai @cisco.com address pool local mobilenodes interface ethernet2/1 aaa
RADIUS Attribute
Cisco-AVPair = "mobileip:static-addr-pool=10.2.0.1 10.2.0.2 10.0.0.3"
Additional References
For additional information related to generic NAI support and home address assignment, refer to the following sections:
Related Documents
Related Topic | Document Title
---|---
Mobile IP configuration tasks | "Configuring Mobile IP" chapter in the Cisco IOS IP Configuration Guide, Release 12.2
Mobile IP commands: complete command syntax, command mode, defaults, usage guidelines, and examples | "Mobile IP Commands" chapter in the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2
AAA configuration tasks | Cisco IOS Security Configuration Guide, Release 12.2
AAA commands: complete command syntax, command mode, defaults, usage guidelines, and examples | Cisco IOS Security Command Reference, Release 12.2
Standards
Standards | Title
---|---
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. | --
MIBs
MIBs | MIBs Link
---|---
| To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://tools.cisco.com/ITDIT/MIBS/servlet/index
If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco MIBs page at the following URL: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
RFCs
RFCs | Title
---|---
RFC 2486 | The Network Access Identifier
RFC 2794 | Mobile IP Network Access Identifier Extension for IPv4
RFC 3220 | IP Mobility Support for IPv4
Technical Assistance
Description | Link
---|---
Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, tools, and lots more. Registered Cisco.com users can log in from this page to access even more content. |
Command Reference
The following commands are introduced or modified in the feature or features documented in this module. For information about these commands, see the Cisco IOS IP Mobility Command Reference at http://www.cisco.com/en/US/docs/ios/ipmobility/command/reference/imo_book.html. For information about all Cisco IOS commands, go to the Command Lookup Tool at http://tools.cisco.com/Support/CLILookup or to the Cisco IOS Master Commands List.
clear ip mobile binding
clear ip mobile host-counters
clear ip mobile secure
clear ip mobile visitor
ip mobile home-agent
ip mobile home-agent reject-static-address
ip mobile host
ip mobile secure
show ip mobile binding
show ip mobile globals
show ip mobile host
show ip mobile secure
show ip mobile violation
show ip mobile visitor
Glossary
home agent --A router on the home network of the mobile node that tunnels packets to the mobile node or mobile router while they are away from home. It keeps current location information, called a mobility binding, for each registered mobile node.
flow --In the context of this document, a flow is the set of {NAI, IP Address}. The flow allows a single NAI to be associated with one or multiple IP addresses, for example, {NAI, ipaddr1}, {NAI, ipaddr2}, and so on.
foreign agent --A router on the visited (foreign) network that provides routing services to the mobile node while it is registered. The foreign agent detunnels and delivers packets to the mobile node or mobile router that were tunneled by the home agent of the mobile node. For packets sent by a mobile node, the foreign agent may serve as a default router for registered mobile nodes.
mobility binding --The association of a home address with a care-of address and the remaining lifetime.
NAI --Network Access Identifier. The user ID submitted by the mobile node during registration to identify the user for authentication. The NAI may help route the registration request to the right home agent.
Note: Refer to the Internetworking Terms and Acronyms for terms not included in this glossary.