Cisco Zero Configuration Client | Mobile IP Technology and Applications

As described in Chapter 3, "Mobile IP Security," the dynamic security association and key distribution protocol, introduced in IOS Release 12.3(4)T, is designed to provide dynamic Mobile Node-Home Agent key generation by integrating with the commonly deployed Windows authentication infra-structure. This can be coupled with other protocol features to enable a Mobile IP solution to be deployed that does not require configuration of the Mobile Node client. Commonly referred to as Cisco ZeCC, or ZeCC, this solution enables the Mobile IP client to be installed through a standard operating system image that is replicated to every new mobile computer. Users need only to log in to the Windows domain to establish a Mobile IP session. This simplifies the overall deployment of a Mobile IP solution.

The goal is to not only simplify the Mobile Node deployment but also to design a Mobile IP implementation that provides optimized connectivity for all users. To this end, the Zero Configuration solution uses Collocated Care-of Address (CCoA), Dynamic Host Configuration Protocol (DHCP)-assigned Home Agent addresses, and a dynamically allocated home address for the Mobile Node. For authentication, the Zero Configuration solution integrates with existing Microsoft Windows domain authentication services and transparently generates the necessary keys when the user performs Windows authentication on the Mobile Node. A loopback interface is used as the home network because the proxy DHCP client cannot be used with virtual networks. (The proxy DHCP client requires an interface IP address to be used as the relay address, or giaddr. Because virtual networks do not have an address, they cannot be used.) The call flow for power-up registration in a zero-config environment is shown in Figure 5-4. The steps of the call flow are as follows:

1.	DHCP is used to acquire a Care-of Address (CoA).
2.	The Mobile Node learns the IP address of a local Home Agent through DHCP option 68.
3.	The Mobile Node computes the authentication tokens as described in Chapter 3.
4.	The Mobile Node sends a RRQ to the Home Agent, with the home address set to 0.0.0.0.
5.	When the Home Agent receives the RRQ, it forwards the authentication request to the RADIUS server.
6.	In turn, the RADIUS server queries the Windows domain controller or active directory.
7.	User is authenticated.
8.	Windows Domain Controller or active directory returns the authentication results and secure key to the RADIUS server.
9.	The RADIUS server relays the result and key to the Home Agent.
10.	Upon an acknowledgment from the AAA infrastructure, the Home Agent derives the session key, authenticates the Mobile Node, and allocates a home IP address for the Mobile Node.
11.	The Home Agent returns the home address, home network prefix length, DNS server, DHCP server, and DHCP client ID to the Mobile Node in the RRP.
12.	The Mobile Node authenticates the RRP.
13.	Registration is complete.

Figure 5-4. ZeCC Call Flow

ZeCC solutions are based heavily on AAA and DHCP infrastructure configuration, and as such, no specific configuration is required on the Home Agent. The Home Agent configuration, which is the same as for MN-AAA, requires the use of Point-to-Point Protocol (PPP) authentication and Mobile IP authorization. Example 5-3 shows a Home Agent configuration for Zero Client Configuration. In this example, the radius domain-stripping command removes the realm portion of the NAI from the username. Depending on the AAA architecture, this might be necessary. Finally, the configuration uses a loopback for the home network and specifies a DHCP server in the ip mobile host statement. Configuration of the Mobile Node is also simplenone is required, but then that is the point! Server configurations are not laid out because they are specific to AAA and DHCP servers, but the following steps need to be taken to configure the servers:

Step 1.	A Mobile IP Home Agent router with software supporting the Dynamic security association and Key Distribution feature should be configured. The proper image can be found using Feature Navigator on Cisco.com (http://www.cisco.com/go/fn). Access to Feature Navigator requires a valid Cisco.com account.
Step 2.	A ZeCC-compliant Mobile Node client must be installed on the end device. See http://www.cisco.com/go/mobile_ip for a list of clients.
Step 3.	A RADIUS server and Windows domain controller must be configured to return the Microsoft Challenge Handshake Authentication Protocol (MS CHAP) Microsoft Point-To-Point Encryption (MPPE) keys to the Home Agent in RADIUS authentication response. Some RADIUS servers can support this without a domain controller. Look for information on setting up MS CHAPv2 in the RADIUS server documentation.
Step 4.	A DHCP server is needed to return the Home Agent IP address in option 68.

Example 5-3. Home Agent Configuration for a ZeCC Network

[View full width]

 hostname HA ! aaa new-model ! interface Loopback1  ip address 192.168.101.1 255.255.255.0 ! router mobile ! ip mobile home-agent ip mobile host nai @example address pool dhcp-proxy-client dhcp-server 192.168.2.2  interface Loopback1 aaa ! radius-server host 172.19.192.100 auth-port 1645 acct-port 1646 radius-server domain-stripping radius-server key skeleton