HP-UX AAA Server A.08.00.01 Administrator's Guide
EAP-SIM Authentication Using HP-UX AAA Server
Each mobile device that is authorized to use the network has a unique identifier, the
International Mobile Subscriber Identity (IMSI), which identifies the subscriber and is
stored in the SIM. The SIM also contains an embedded (burnt-in) unique secret subscriber
key, Ki, which is pre-shared with the HP-UX AAA Server user storage (also referred to as
the Authentication Center, AuC). This pre-shared key is the basis for securing access to the network.
The authentication software on the user's mobile device that performs EAP/802.1x authentication
is referred to as the supplicant. The supplicant, which has access to the SIM card information,
communicates with the HP-UX AAA Server via the authenticator (access point) to gain
access to the network. The supplicant sends its messages to the access point using EAP over
LAN. The access point encapsulates the EAP message and uses the RADIUS
protocol to communicate with the HP-UX AAA Server. The following is the process
for a successful EAP-SIM authentication.
Figure 17-1 shows the EAP-SIM authentication using the HP-UX AAA Server.
Figure 17-1 EAP-SIM Authentication Using HP-UX AAA Server
1. The supplicant communicates with the access point.
2. The access point responds with an EAP request message asking for the supplicant's identity.
3. The supplicant sends an EAP response message with the IMSI information stored
in the SIM. The EAP response message is encapsulated in the RADIUS
Access-Request message and forwarded to the HP-UX AAA Server.
4. The HP-UX AAA Server responds to the supplicant via the access point with the
list of supported versions of the EAP-SIM key calculation algorithm.
5. The supplicant responds with the selected key algorithm version and a random
number (NONCE_MT). The NONCE_MT is used to derive the key for the HP-UX AAA
Server and the supplicant during subsequent requests, and to prevent replay
attacks.
6. The HP-UX AAA Server looks up the Ki pre-shared for that IMSI in the user's
profile storage and calculates the triplets (RAND, Signed RESponse (SRES),
Kc), or retrieves the triplets directly from the user profile storage.
The HP-UX AAA Server can use the LDAP directory server or the SQL Compliant
SQL Access to retrieve the Ki and calculate ‘n’ GSM triplets (RAND, SRES,
220 Configuring EAP-SIM and EAP-AKA Authentication Methods
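The server side of steps 5 and 6, as an added example that is not part of this guide or of the HP-UX AAA Server product: it looks up the IMSI's triplets in a constructed, in-memory stand-in for the user profile store and binds the Kc values, the NONCE_MT and the negotiated version into the EAP-SIM Master Key exactly as RFC 4186 section 7 specifies. The triplet values, the IMSI and the realm are made up; the triplets are assumed to be pre-computed (the guide's second option), so no A3/A8 algorithm is implemented here.

```python
import hashlib

# Constructed sample user-profile (AuC) store: IMSI -> precomputed GSM
# triplets (RAND, SRES, Kc). All values are made up for this example.
SAMPLE_TRIPLET_STORE = {
    "262011234567890": [
        (bytes.fromhex("00112233445566778899aabbccddeeff"),
         bytes.fromhex("d1d2d3d4"), bytes.fromhex("a0a1a2a3a4a5a6a7")),
        (bytes.fromhex("ffeeddccbbaa99887766554433221100"),
         bytes.fromhex("e1e2e3e4"), bytes.fromhex("b0b1b2b3b4b5b6b7")),
    ]
}

def imsi_from_identity(identity):
    """Permanent EAP-SIM identity is '1' + IMSI [+ '@realm'] (RFC 4186 4.2.1.6)."""
    username = identity.split("@", 1)[0]
    if not (username.startswith("1") and username[1:].isdigit()):
        raise ValueError("not a permanent EAP-SIM identity")
    return username[1:]

def lookup_triplets(store, imsi, n=2):
    """Step 6: fetch n fresh triplets for the IMSI; RFC 4186 requires 2 or 3."""
    if n not in (2, 3):
        raise ValueError("EAP-SIM uses 2 or 3 triplets")
    triplets = store.get(imsi)
    if triplets is None or len(triplets) < n:
        raise KeyError("no triplets for IMSI")  # server answers EAP-Failure
    return triplets[:n]

def mk_input(identity, kcs, nonce_mt, version_list, selected_version):
    """RFC 4186 sect. 7 input: Identity | n*Kc | NONCE_MT | Version List | Selected Version."""
    if len(nonce_mt) != 16 or any(len(kc) != 8 for kc in kcs):
        raise ValueError("NONCE_MT must be 16 bytes and each Kc 8 bytes")
    versions = b"".join(v.to_bytes(2, "big") for v in version_list)
    return (identity.encode("ascii") + b"".join(kcs) + nonce_mt
            + versions + selected_version.to_bytes(2, "big"))

def eap_sim_mk(identity, kcs, nonce_mt, version_list, selected_version):
    """MK = SHA1(Identity | n*Kc | NONCE_MT | Version List | Selected Version)."""
    return hashlib.sha1(mk_input(identity, kcs, nonce_mt, version_list,
                                 selected_version)).digest()

def server_master_key(store, identity, nonce_mt, version_list, selected_version):
    """Server side of steps 5-6: look up triplets and bind NONCE_MT into MK.
    Returns (MK, list of RANDs to send in EAP-Request/SIM/Challenge)."""
    triplets = lookup_triplets(store, imsi_from_identity(identity))
    kcs = [kc for _rand, _sres, kc in triplets]
    mk = eap_sim_mk(identity, kcs, nonce_mt, version_list, selected_version)
    return mk, [rand for rand, _sres, _kc in triplets]
```

Because NONCE_MT is hashed into MK, a replayed server challenge cannot yield the session keys of an earlier exchange; the session keys (K_encr, K_aut, MSK) are then expanded from MK with the PRF of RFC 4186 section 7, which is not shown here.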