As described in Chapter 3, "Mobile IP Security," the dynamic security association and key distribution protocol, introduced in IOS Release 12.3(4)T, is designed to provide dynamic Mobile Node-Home Agent key generation by integrating with the commonly deployed Windows authentication infra-structure. This can be coupled with other protocol features to enable a Mobile IP solution to be deployed that does not require configuration of the Mobile Node client. Commonly referred to as Cisco ZeCC, or ZeCC, this solution enables the Mobile IP client to be installed through a standard operating system image that is replicated to every new mobile computer. Users need only to log in to the Windows domain to establish a Mobile IP session. This simplifies the overall deployment of a Mobile IP solution.
The goal is to not only simplify the Mobile Node deployment but also to design a Mobile IP implementation that provides optimized connectivity for all users. To this end, the Zero Configuration solution uses Collocated Care-of Address (CCoA), Dynamic Host Configuration Protocol (DHCP)-assigned Home Agent addresses, and a dynamically allocated home address for the Mobile Node. For authentication, the Zero Configuration solution integrates with existing Microsoft Windows domain authentication services and transparently generates the necessary keys when the user performs Windows authentication on the Mobile Node. A loopback interface is used as the home network because the proxy DHCP client cannot be used with virtual networks. (The proxy DHCP client requires an interface IP address to be used as the relay address, or giaddr. Because virtual networks do not have an address, they cannot be used.) The call flow for power-up registration in a zero-config environment is shown in Figure 5-4. The steps of the call flow are as follows:
Figure 5-4. ZeCC Call Flow
ZeCC solutions are based heavily on AAA and DHCP infrastructure configuration, and as such, no specific configuration is required on the Home Agent. The Home Agent configuration, which is the same as for MN-AAA, requires the use of Point-to-Point Protocol (PPP) authentication and Mobile IP authorization. Example 5-3 shows a Home Agent configuration for Zero Client Configuration. In this example, the radius domain-stripping command removes the realm portion of the NAI from the username. Depending on the AAA architecture, this might be necessary. Finally, the configuration uses a loopback for the home network and specifies a DHCP server in the ip mobile host statement. Configuration of the Mobile Node is also simplenone is required, but then that is the point! Server configurations are not laid out because they are specific to AAA and DHCP servers, but the following steps need to be taken to configure the servers:
Example 5-3. Home Agent Configuration for a ZeCC Network
[View full width]
hostname HA ! aaa new-model ! interface Loopback1 ip address 192.168.101.1 255.255.255.0 ! router mobile ! ip mobile home-agent ip mobile host nai @example address pool dhcp-proxy-client dhcp-server 192.168.2.2 interface Loopback1 aaa ! radius-server host 172.19.192.100 auth-port 1645 acct-port 1646 radius-server domain-stripping radius-server key skeleton