Cisco Systems 78-11741-02 Wireless Office Headset User Manual


 
Configuring Mobile IP
How Mobile IP Works
Cisco IOS IP Configuration Guide
This authentication process begins when an MN sends the registration request. The MN adds the time
stamp, computes the message digest, and appends the MHAE to the registration request. The HA
receives the request, checks that the time stamp is valid, computes the message digest using the same
key, and compares the message digest results. If the results match, the request is successfully
authenticated. For the registration reply, the HA adds the time stamp, computes the message digest, and
appends the MHAE to the registration reply. The MN authenticates the registration reply upon arrival
from the HA.
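The exchange described above, as an added example (not Cisco IOS code or configuration): a simplified Python model of the MN building a request and the HA verifying it. The HMAC-MD5 digest, the body/time stamp/digest layout, the MAX_SKEW window, the key and all function names are assumptions made for illustration; real registration messages use the Mobile IP wire format.

```python
import hashlib
import hmac
import struct

DIGEST_LEN = 16   # size of an HMAC-MD5 digest (algorithm is an assumption)
MAX_SKEW = 7      # assumed acceptance window for the time stamp, in seconds

def mn_build_request(key: bytes, body: bytes, now: int) -> bytes:
    """MN side: add the time stamp, compute the digest, append it (the MHAE)."""
    stamped = body + struct.pack("!Q", now)
    return stamped + hmac.new(key, stamped, hashlib.md5).digest()

def ha_verify_request(key: bytes, msg: bytes, now: int, last_seen: int = 0) -> bool:
    """HA side: check the time stamp, recompute the digest, compare."""
    if len(msg) < 8 + DIGEST_LEN:
        return False                      # too short to hold stamp and digest
    stamped, received = msg[:-DIGEST_LEN], msg[-DIGEST_LEN:]
    (ts,) = struct.unpack("!Q", stamped[-8:])
    # Reject stale stamps and stamps not newer than the last accepted one,
    # so a captured request cannot be replayed.
    if abs(now - ts) > MAX_SKEW or ts <= last_seen:
        return False
    expected = hmac.new(key, stamped, hashlib.md5).digest()
    # Constant-time comparison avoids leaking how many digest bytes matched.
    return hmac.compare_digest(expected, received)

def demo() -> dict:
    """Run the exchange on constructed sample data and report each outcome."""
    key = b"constructed-shared-key"           # constructed sample key
    body = b"home=10.0.0.5;coa=192.0.2.9"     # constructed sample request body
    t0 = 1_700_000_000                        # constructed clock value
    msg = mn_build_request(key, body, t0)
    tampered = bytearray(msg)
    tampered[5] ^= 0x01                       # flip one bit in the body
    return {
        "valid": ha_verify_request(key, msg, t0 + 2),
        "tampered": ha_verify_request(key, bytes(tampered), t0 + 2),
        "stale": ha_verify_request(key, msg, t0 + 60),
        "wrong_key": ha_verify_request(b"other-key", msg, t0 + 2),
    }

if __name__ == "__main__":
    print(demo())
```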
MN-FA
Mobile IP does not require that communication between an MN and an FA be authenticated. Cisco IOS
software supports the optional Mobile-Foreign Authentication Extension (MFAE). MFAE protects the
communication between the MN and FA by keeping a shared key between them.
FA-HA
Mobile IP does not require that communication between an FA and an HA be authenticated. Cisco IOS
software supports the optional Foreign-Home Authentication Extension (FHAE). FHAE protects the
communication between the FA and HA by keeping a shared key between them.
HA-HA
Communication between an active HA and a standby HA in an HA redundancy topology must be
authenticated. The authentication process works in the same manner as described in the previous
“MN-HA” section. However, HA-HA authentication is an added Cisco-proprietary authentication
extension needed to secure communication between peer HAs for HA redundancy. (Active HAs and
standby HAs are peers to each other.)
Use the ip mobile secure home-agent global configuration command to configure security associations
between all peer HAs within a standby group: each HA needs one for each of the other HAs within the
standby group. This configuration is necessary because any HA within the standby group can become the
active HA or a standby HA at any time. See the “Mobile IP HA Redundancy Configuration Task List” section
later in this chapter for more information on HA-HA authentication.
Storing Security Associations
As discussed in the “Mobile IP Security” section earlier in this chapter, authentication between the MN
and the HA involves keys. You can store the keys or security associations (SAs) in one of the following
locations:
• NVRAM of an HA
• Authentication, authorization, and accounting (AAA) server that can be accessed using either
  TACACS+ or RADIUS
Because the NVRAM of an HA is typically limited, you should store the SAs on the HA only if your
organization has a small number of MNs. If your organization has a large number of MNs, you should
store the SAs on a AAA server.