User Equipment Identity in IKE_AUTH Message

Feature Description

Overview

On untrusted WLAN networks that support Mobile Equipment Identity signalling, ePDG can request the International Mobile Equipment Identity (IMEI) or IMEI SV (Software Version) from the subscriber’s User Equipment (UE) when the UE does not include this information in the configuration attributes of the first IKE_AUTH_REQ message. On receiving the IMEI or IMEI SV from the UE, ePDG can share it with the AAA server in the Diameter EAP Request (DER) message over the SWm interface, and with the P-GW in the ME Identity (MEI) IE of the second Create Session Request (CSR) message over the S2b interface.

How UE Identity in IKE_AUTH Message Works

Architecture

During IKEv2 authentication and security association (SA) establishment for UICC devices, when the UE does not share the IMEI or IMEI SV information in the first IKE_AUTH_REQ message, ePDG can request it from the UE. To do so, ePDG includes a DEVICE_IDENTITY notify payload in the IKE_AUTH_RESP message to the UE. Depending on whether the IMEI or the IMEI SV is available, the UE places the value in the DEVICE_IDENTITY attribute with the Identity Type field set to IMEI or IMEI SV, and sends it to ePDG in the second IKE_AUTH_REQ message. The structure of the DEVICE_IDENTITY notify payload is as defined in 3GPP TS 24.302.

ePDG can be configured to request the IMEI or IMEI SV information from the UE using the notify-payload device-id command in the Crypto Template Configuration Mode. For more configuration information, refer to the configuration section of this chapter.

For non-UICC devices, ePDG does not request the IMEI or IMEI SV information from the UE for single-exchange authentication methods such as certificate-based authentication. For other authentication methods that use multiple IKE_AUTH exchanges, the behaviour for requesting the IMEI or IMEI SV information is the same as for UICC devices.

Standards Compliance

This feature complies with the following standards:

  • 3GPP TS 24.302: “3rd Generation Partnership Project; Technical Specification Group Core Network and Terminals; Access to the 3GPP Evolved Packet Core (EPC) via non-3GPP access networks; Stage 3”

Configuring UE Identity in IKE_AUTH Message

Use the following configuration to enable ePDG to request the UE for the IMEI or IMEI SV information using the DEVICE_IDENTITY notify payload:

config 
    context context_name 
        crypto template template_name ikev2-dynamic 
            notify-payload device-id 
            end 

Notes:

  • Use the no notify-payload device-id command to disable the configuration.

  • Use the default notify-payload device-id command to restore the configuration to its default value.

  • Default: Enabled

Monitoring and Troubleshooting

Show Command(s) and/or Outputs

show crypto statistics ikev2

The following fields are available in the output of the show crypto statistics ikev2 command in support of this feature:

Total IKEv2 Notify Statistics: 
    Device ID Req Sent:   0 
    Device ID Rsp Rcvd:   0 

Table 1. show crypto statistics ikev2 Command Output Descriptions

| Field | Description |
|---|---|
| Total IKEv2 Notify Statistics: | |
| Device ID Req Sent | Total number of IKEv2 Notify payloads sent (device id). |
| Device Identity Rsp Rcvd | Total IKEv2 Notify payloads received (device id). |
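
The two counters above can be compared across polling intervals to spot UEs that are asked for a device identity but never supply one, which means their IMEI never reaches the AAA server or P-GW. The following is an added example, not Cisco code: the thresholds, function names and sample snapshots are assumptions, and only the counter labels come from the output shown on this page.

```python
import re

# Counter labels exactly as they appear in the sample output on this page.
SENT = "Device ID Req Sent"
RCVD = "Device ID Rsp Rcvd"

def parse_counters(cli_output):
    """Extract both device-id counters from 'show crypto statistics ikev2' text."""
    counters = {}
    for label in (SENT, RCVD):
        pattern = r"^[ \t]*" + re.escape(label) + r":[ \t]*(\d+)[ \t]*$"
        m = re.search(pattern, cli_output, re.M)
        if m is None:
            raise ValueError("counter not found: " + label)
        counters[label] = int(m.group(1))
    return counters

def interval_report(prev_output, curr_output, min_ratio=0.9, min_requests=20):
    """Compare two snapshots and flag intervals where UEs ignore the request.

    min_ratio and min_requests are assumed thresholds; tune them per deployment.
    """
    prev, curr = parse_counters(prev_output), parse_counters(curr_output)
    sent = curr[SENT] - prev[SENT]
    rcvd = curr[RCVD] - prev[RCVD]
    if sent < 0 or rcvd < 0:
        # A counter went backwards (cleared, restarted or wrapped): skip interval.
        return {"status": "reset", "sent": None, "rcvd": None, "ratio": None}
    if sent < min_requests:
        return {"status": "insufficient-data", "sent": sent, "rcvd": rcvd, "ratio": None}
    ratio = rcvd / sent
    status = "ok" if ratio >= min_ratio else "low-response"
    return {"status": status, "sent": sent, "rcvd": rcvd, "ratio": ratio}

# Constructed snapshots in the layout shown above (values are invented).
SNAP_T0 = """Total IKEv2 Notify Statistics:
    Device ID Req Sent:   1000
    Device ID Rsp Rcvd:   990
"""
SNAP_T1 = """Total IKEv2 Notify Statistics:
    Device ID Req Sent:   1200
    Device ID Rsp Rcvd:   1090
"""

if __name__ == "__main__":
    print(interval_report(SNAP_T0, SNAP_T1))
```
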

show crypto template

The following field is available in the output of the show crypto template command in support of this feature:

IKEv2 Notify Payload: 
    Device Identity: Enabled [Default] 

Table 2. show crypto template Command Output Descriptions

| Field | Description |
|---|---|
| IKEv2 Notify Payload: | |
| Device Identity | Indicates whether ePDG is configured to request the device identity in the IKEv2 Notify payload message. |

Bulk Statistics

The following bulk statistics included in the system schema support this feature:

| Variable | Description | Data Type |
|---|---|---|
| ikev2-notifpaysent-deviceid | Description: Total number of IKEv2 Notify payloads sent (device id). Triggers: Increments when ePDG sends a Device Identity Notify Payload. Availability: ePDG Service. Type: Counter. | Int32 |
| ikev2-notifpayrecv-deviceid | Description: Total IKEv2 Notify payloads received (device id). Triggers: Increments when ePDG receives a Device Identity Notify Payload. Availability: ePDG Service. Type: Counter. | Int32 |