HP-UX AAA Server A.08.00.01 Administrator's Guide

Kc). Typically, n=2 or n=3. The HP-UX AAA Server also allows a customized plug-in,
built with the Software Development Kit (SDK), to contact any AuC in the network
and retrieve the 'n' triplets directly.
After obtaining the triplets, the HP-UX AAA Server responds with an EAP request
challenge that carries the n random numbers (AT_RAND) together with a message
authentication code (AT_MAC) computed over the request, so that the supplicant can
detect a forged or altered challenge.
7. The supplicant runs the GSM algorithms on its SIM for each RAND it received,
producing a signed response (SRES) and an encryption key (Kc) per RAND. From the
Kc values it derives the keying material, and with that material it verifies the
message authentication code (AT_MAC) received from the HP-UX AAA Server before
going any further.
Multiple RAND values, and therefore multiple Kc values, are used because the key
derivation concatenates all n Kc values: the resulting keying material is stronger
than what a single 64-bit Kc would give.
The supplicant then sends an EAP response challenge that carries only a message
authentication code (AT_MAC) computed over the response and the n SRES values;
the SRES values themselves are never transmitted.
8. On receiving the response, the HP-UX AAA Server verifies the message
authentication code by computing its own over the SRES values it already holds
from the triplets, which proves that the supplicant's SIM produced the same SRES
values. After successful validation, the HP-UX AAA Server derives the keying
material (the master session key) for session encryption and sends it to the access
point in an Access-Accept message. The Access-Accept message also carries an
encapsulated EAP Success message.
9. The access point forwards the EAP Success message to the supplicant and keeps
the keying material for encrypting the subscriber's session. The supplicant has
already derived the same key, so the access point does not forward the keying
material to the supplicant.
10. With the common session key, the network traffic between the access point and
the supplicant can now be encrypted and the supplicant can securely access the
network.
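Steps 7 to 10 as a runnable simulation, added here as an example; it is not code from the HP-UX AAA Server or its SDK. The MK construction, the FIPS 186-2 PRF (SHA-1 based G function with zero padding, XSEED_j = 0) and the K_encr/K_aut/MSK/EMSK split follow RFC 4186 section 7, which is the derivation both the HP-UX AAA Server and the supplicant must perform to arrive at the same session key. Everything else is an assumption made for the example: the SIM's A3/A8 algorithm is replaced by a keyed hash (sim_a3a8, not COMP128), EAP packet framing is omitted so AT_MAC covers only the RAND or SRES payload plus the RFC's "extra data", and the identity, Ki and version values are constructed sample inputs.

```python
"""EAP-SIM challenge round with RFC 4186 key derivation (added example).

Constructed stand-ins, not from the guide or the HP-UX AAA Server:
  * sim_a3a8() replaces the SIM's A3/A8 algorithms with a keyed hash so the
    AuC and the SIM can be simulated offline from a shared Ki;
  * EAP/attribute framing is left out, so AT_MAC covers the RAND or SRES
    payload plus the RFC 4186 'extra data' rather than a full EAP packet.
The MK formula, the FIPS 186-2 PRF and the key split follow RFC 4186 section 7.
"""
import hashlib
import hmac
import os
import struct


def sim_a3a8(ki: bytes, rand: bytes):
    """Stand-in for A3/A8: (SRES 32 bits, Kc 64 bits) for one RAND. Not COMP128."""
    out = hmac.new(ki, rand, hashlib.sha1).digest()
    return out[:4], out[4:12]


def auc_triplets(ki: bytes, n: int):
    """AuC side: n GSM triplets (RAND, SRES, Kc) for subscriber key Ki."""
    trips = []
    for _ in range(n):
        rand = os.urandom(16)
        sres, kc = sim_a3a8(ki, rand)
        trips.append((rand, sres, kc))
    return trips


def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def g_sha1(xval: bytes) -> bytes:
    """FIPS 186-2 G(t, c): one SHA-1 compression of c zero-padded to 512 bits
    (no 0x80 marker, no length field), starting from the SHA-1 initial values."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    w = list(struct.unpack(">16I", xval + b"\x00" * (64 - len(xval))))
    for i in range(16, 80):
        w.append(rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = h
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (rotl(a, 5) + f + e + k + w[i]) & 0xFFFFFFFF, a, rotl(b, 30), c, d
    return struct.pack(">5I", *[(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d, e))])


def fips186_2_prf(xkey: bytes, nbytes: int) -> bytes:
    """FIPS 186-2 PRF as RFC 4186 uses it: b = 160, XSEED_j = 0, no 'mod q' step."""
    key = int.from_bytes(xkey, "big")
    out = b""
    while len(out) < nbytes:
        for _ in range(2):                   # w_0 and w_1 of iteration j
            w = g_sha1(key.to_bytes(20, "big"))
            out += w
            key = (1 + key + int.from_bytes(w, "big")) % (1 << 160)
    return out[:nbytes]


def eap_sim_keys(identity: bytes, kcs, nonce_mt: bytes,
                 version_list: bytes = b"\x00\x01", selected: bytes = b"\x00\x01"):
    """MK = SHA1(Identity | n*Kc | NONCE_MT | Version List | Selected Version);
    the PRF output is split into K_encr(16) | K_aut(16) | MSK(64) | EMSK(64)."""
    mk = hashlib.sha1(identity + b"".join(kcs) + nonce_mt + version_list + selected).digest()
    km = fips186_2_prf(mk, 160)
    return {"MK": mk, "K_encr": km[:16], "K_aut": km[16:32],
            "MSK": km[32:96], "EMSK": km[96:160]}


def at_mac(k_aut: bytes, body: bytes, extra: bytes) -> bytes:
    """AT_MAC = HMAC-SHA1-128(K_aut, message | extra data); message is the
    simplified payload here (see module docstring), not a framed EAP packet."""
    return hmac.new(k_aut, body + extra, hashlib.sha1).digest()[:16]


def eap_sim_challenge_round(identity: bytes, ki_auc: bytes, ki_sim: bytes = None, n: int = 3):
    """Steps 7-9 of the guide. ki_sim != ki_auc models a SIM holding the wrong key.
    Returns (server MSK, supplicant MSK, server verified, supplicant verified)."""
    ki_sim = ki_auc if ki_sim is None else ki_sim
    nonce_mt = os.urandom(16)                # chosen by the supplicant in SIM/Start
    # Server: n triplets from the AuC, keys from the n Kc values, challenge + AT_MAC
    trips = auc_triplets(ki_auc, n)
    rands = b"".join(t[0] for t in trips)
    srv = eap_sim_keys(identity, [t[2] for t in trips], nonce_mt)
    req_mac = at_mac(srv["K_aut"], rands, nonce_mt)   # extra data = NONCE_MT
    # Supplicant (step 7): run the SIM on each RAND, derive the same keys, verify AT_MAC
    sres_list, kc_list = [], []
    for i in range(n):
        sres, kc = sim_a3a8(ki_sim, rands[16 * i:16 * i + 16])
        sres_list.append(sres)
        kc_list.append(kc)
    peer = eap_sim_keys(identity, kc_list, nonce_mt)
    peer_ok = hmac.compare_digest(req_mac, at_mac(peer["K_aut"], rands, nonce_mt))
    if not peer_ok:
        return None, None, False, False      # challenge was not built from our triplets
    # Response carries AT_MAC over the response plus n*SRES; SRES never leaves the SIM side
    resp_mac = at_mac(peer["K_aut"], b"", b"".join(sres_list))
    # Server (step 8): recompute over the SRES values it already holds, then release MSK
    srv_ok = hmac.compare_digest(resp_mac, at_mac(srv["K_aut"], b"", b"".join(t[1] for t in trips)))
    return srv["MSK"], peer["MSK"], srv_ok, peer_ok
```

With the same Ki on both sides, eap_sim_challenge_round returns two identical 64-byte MSKs and both verifications succeed, which is the state the access point and supplicant are in at step 10. Passing a different ki_sim models a SIM with the wrong key: the supplicant's AT_MAC check in step 7 fails and the exchange stops before any SRES-derived value is sent. Because the only difference between G and standard SHA-1 is the zero padding, g_sha1 can be checked against a known SHA-1 digest by feeding it a single block that already carries the normal SHA-1 padding.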
EAP-SIM includes optional identity privacy support, wherein the supplicant can
send a temporary (pseudonym) identity instead of the clear text permanent identity
(IMSI), so that eavesdroppers cannot learn and track the IMSI. The HP-UX AAA Server
must then look up the real user name (permanent identity) when it receives the
pseudonym identity. The mapping between the permanent identity and the pseudonym,
in both directions, can be done using algorithms built into the HP-UX AAA Server or
using external storage, such as an SQL-compliant database, that holds the mapping
information.
EAP-SIM also includes optional fast re-authentication support, wherein the keys
established during the previous full authentication are used to derive a fresh
master session key, so a new set of triplets is not required. A supplicant
requesting fast re-authentication sends the fast re-authentication identity it
received during the previous full authentication. The HP-UX AAA Server internally
maps the fast re-authentication identity to the permanent identity