Multiple Authentication

The Oracle Communications Session Border Controller supports multiple authentication exchanges during IKEv2 negotiation. These exchanges are defined in RFC 4739, Multiple Authentication Exchanges in the Internet Key Exchange (IKEv2) Protocol. Multiple authentication enables the OCSBC to engage in an initial certificate-based or shared-secret-based authentication with a remote IKEv2 peer (for example, a femtocell), followed by a subsequent EAP-AKA or EAP-SIM authentication of the remote mobile subscriber.

Multiple authentication exchanges require the use of two specific Notify payloads, MULTIPLE_AUTH_SUPPORTED and ANOTHER_AUTH_FOLLOWS (Notify message types 16404 and 16405), defined in Sections 3.1 and 3.2 of RFC 4739.

The message exchange is as follows.

Initiator (IKEv2 peer)                                       Responder
1.  HDR, SAi1, KEi, Ni --->
2.                  <--- HDR, SAr1, KEr, Nr, CERTREQ, N (MULTIPLE_AUTH_SUPPORTED)
3.  HDR, { IDi, CERT, CERTREQ, [IDr], AUTH, SAi2, TSi, TSr,
         N (MULTIPLE_AUTH_SUPPORTED), N (ANOTHER_AUTH_FOLLOWS) } --->
4.                  <--- HDR, { IDr, CERT, AUTH }
5.  HDR, { IDi } --->
6.                  <--- HDR, { EAP (Request) }
7.  HDR, { EAP (Response) } --->
8.                  <--- HDR, { EAP (Request) }
9.  HDR, { EAP (Response) } --->
10.                 <--- HDR, { EAP (Success) }
11. HDR, { AUTH } --->
12.                 <--- HDR, { AUTH, SAr2, TSi, TSr }

In Step 2 the responder advertises support for multiple authentication via the MULTIPLE_AUTH_SUPPORTED Notification Payload.

In Step 3 the initiator advertises support for multiple authentication and, using the ANOTHER_AUTH_FOLLOWS Notification Payload, signals its readiness for such authentication.

Step 4 completes mutual certificate authentication.

In Step 5 the initiator discloses its identity.

In Step 6 the responder initiates the EAP process.

In Steps 7 and 8 the initiator and responder exchange authentication information for the remote peer.

In Steps 9 and 10 the initiator and responder exchange authentication information for the mobile subscriber.

Steps 11 and 12 report successful authentication.
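The following Python is an added illustration written for this page, not Oracle's implementation: it packs and parses the IKEv2 Notify payload header (RFC 7296, Section 3.10) carrying the two RFC 4739 message types, and shows the decision the responder makes after Step 3, accepting ANOTHER_AUTH_FOLLOWS only when both peers advertised MULTIPLE_AUTH_SUPPORTED. Function and variable names are the example's own.

```python
import struct

# Notify message types from RFC 4739, Sections 3.1 and 3.2
MULTIPLE_AUTH_SUPPORTED = 16404
ANOTHER_AUTH_FOLLOWS = 16405

# Fixed Notify payload header (RFC 7296, Section 3.10): Next Payload,
# Critical/Reserved, Payload Length, Protocol ID, SPI Size, Notify Message Type
NOTIFY_HEADER = struct.Struct("!BBHBBH")


def encode_notify(msg_type, next_payload=0):
    """Build a status Notify payload: Protocol ID 0, no SPI, no data."""
    return NOTIFY_HEADER.pack(next_payload, 0, NOTIFY_HEADER.size, 0, 0, msg_type)


def parse_notify(buf):
    """Return (next_payload, msg_type, spi, data) for one Notify payload."""
    if len(buf) < NOTIFY_HEADER.size:
        raise ValueError("truncated Notify payload")
    nxt, _crit, length, _proto, spi_size, msg_type = NOTIFY_HEADER.unpack_from(buf)
    if length < NOTIFY_HEADER.size + spi_size or length > len(buf):
        raise ValueError("bad Notify payload length")
    spi = buf[NOTIFY_HEADER.size:NOTIFY_HEADER.size + spi_size]
    data = buf[NOTIFY_HEADER.size + spi_size:length]
    return nxt, msg_type, spi, data


def second_auth_expected(responder_advertised, initiator_notifies):
    """Responder-side decision after Step 3 of the exchange above.

    responder_advertised: whether MULTIPLE_AUTH_SUPPORTED was sent in Step 2.
    initiator_notifies: raw Notify payloads received in Step 3 (constructed here).
    Returns True when an EAP exchange (Steps 5-12) must follow, False when the
    IKE SA is complete after mutual certificate authentication. Raises when the
    initiator signals ANOTHER_AUTH_FOLLOWS without both sides having advertised
    support, which RFC 4739 does not permit.
    """
    types = {parse_notify(p)[1] for p in initiator_notifies}
    if ANOTHER_AUTH_FOLLOWS not in types:
        return False
    if not (responder_advertised and MULTIPLE_AUTH_SUPPORTED in types):
        raise ValueError("ANOTHER_AUTH_FOLLOWS without negotiated multiple auth")
    return True


if __name__ == "__main__":
    step3 = [encode_notify(MULTIPLE_AUTH_SUPPORTED), encode_notify(ANOTHER_AUTH_FOLLOWS)]
    print(second_auth_expected(True, step3))  # True: EAP-AKA/EAP-SIM follows
```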