HP-UX AAA Server A.08.00.01 Administrator's Guide
EAP-AKA
This section discusses the EAP-AKA authentication method and its configurations.
This section addresses the following topics:
• “Overview” (page 231)
• “EAP-AKA Authentication Using HP-UX AAA Server” (page 231)
• “Features” (page 232)
• “Benefits” (page 233)
• “Configuring EAP-AKA” (page 234)
Overview
EAP-AKA is an authentication and session key distribution mechanism used in third-generation mobile networks (UMTS and CDMA2000). AKA is based on a challenge-response mechanism and symmetric cryptography.
EAP-AKA Authentication Using HP-UX AAA Server
The HP-UX AAA Server authenticates the EAP-AKA supplicant to the IP network over Wireless LAN (WLAN) access. The authentication process is as follows:
1. The supplicant associates with the access point.
2. The access point responds first with an EAP Request message asking for the supplicant's identity.
3. The supplicant sends an EAP Response message containing the subscriber's International Mobile Subscriber Identity (IMSI) held on the UMTS Subscriber Identity Module (USIM) or CDMA2000 User Identity Module. The EAP Response message is encapsulated in a RADIUS Access-Request message and forwarded to the AAA Server.
4. On receiving the EAP Response message, the HP-UX AAA Server looks up the user's identity to retrieve the pre-shared key and the per-user sequence number (SQN), and generates an authentication vector. The SQN is incremented for every authentication of the user to the network. The authentication vector is a security quintet consisting of five values: RAND (a 128-bit random number), XRES (a 32-bit signed response to RAND), CK (a 128-bit session encryption key), IK (a 128-bit integrity key) and AUTN (a 128-bit network authentication token). The AAA Server can also be configured to obtain the authentication vector from an external store such as an Authentication Centre (AuC).
5. The AAA Server then sends an EAP Request Challenge message containing the random number RAND, the network authentication token AUTN and a message authentication code for the EAP packet.
6. The supplicant runs the AKA algorithm to compare the AUTN it generates with the received AUTN. If they match, it has successfully authenticated the AAA Server. The supplicant now sends an EAP Response Challenge via the Access Point contain
EAP-AKA 231
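The challenge-response exchange of steps 4 to 6, as an added example that is not part of the HP-UX AAA Server documentation or its code. It models the server/AuC side (building the quintet RAND, XRES, CK, IK, AUTN from the pre-shared key and SQN) and the USIM side (checking AUTN and SQN freshness before answering); the 3GPP functions f1 to f5 are replaced by an HMAC-SHA256 stand-in, and the key and SQN values are constructed for the example.

```python
import hmac, hashlib, os

# Constructed test subscriber: a 128-bit pre-shared key K. Real values live on the USIM
# and in the AAA Server's user store (or the AuC); this one is made up for the example.
K_TEST = bytes.fromhex("00112233445566778899aabbccddeeff")

def f(k, name, *parts):
    # Stand-in for the 3GPP functions f1..f5 (MILENAGE on real USIMs), an assumption
    # of this example: HMAC-SHA256 keyed with K over a label plus the inputs.
    return hmac.new(k, name + b"".join(parts), hashlib.sha256).digest()

def make_auth_vector(k, sqn, amf=b"\x80\x00", rand=None):
    """Server/AuC side (step 4): build the quintet (RAND, XRES, CK, IK, AUTN) for one SQN."""
    rand = rand or os.urandom(16)                       # 128-bit random challenge
    sqn_b = sqn.to_bytes(6, "big")                      # 48-bit per-user sequence number
    mac_a = f(k, b"f1", sqn_b, amf, rand)[:8]           # 64-bit MAC-A over SQN||AMF||RAND
    ak = f(k, b"f5", rand)[:6]                          # anonymity key conceals SQN on the air
    autn = bytes(a ^ b for a, b in zip(sqn_b, ak)) + amf + mac_a   # 48+16+64 = 128 bits
    return {"RAND": rand, "XRES": f(k, b"f2", rand)[:4],          # 32-bit expected response
            "CK": f(k, b"f3", rand)[:16], "IK": f(k, b"f4", rand)[:16], "AUTN": autn}

def usim_respond(k, last_sqn, rand, autn):
    """Supplicant/USIM side (step 6): authenticate the network via AUTN, then answer RAND."""
    ak = f(k, b"f5", rand)[:6]
    sqn_b = bytes(a ^ b for a, b in zip(autn[:6], ak))  # recover SQN from AUTN
    amf, mac_a = autn[6:8], autn[8:16]
    if not hmac.compare_digest(f(k, b"f1", sqn_b, amf, rand)[:8], mac_a):
        raise ValueError("MAC failure: AUTN not produced by a holder of K")
    sqn = int.from_bytes(sqn_b, "big")
    if sqn <= last_sqn:                                 # stale SQN: reject the challenge
        raise ValueError("synchronisation failure: SQN not fresh")
    return f(k, b"f2", rand)[:4], sqn                   # RES and the SQN to store

def run_eap_aka(k, server_sqn, usim_last_sqn, tamper=False):
    """One EAP-AKA challenge round trip. Returns (accepted, server_next_sqn, usim_sqn)."""
    av = make_auth_vector(k, server_sqn)                # step 4: lookup K and SQN, build vector
    autn = av["AUTN"]
    if tamper:                                          # simulate an altered AUTN in transit
        autn = autn[:15] + bytes([autn[15] ^ 0x01])
    res, usim_sqn = usim_respond(k, usim_last_sqn, av["RAND"], autn)   # steps 5 and 6
    accepted = hmac.compare_digest(res, av["XRES"])     # server compares RES with XRES
    return accepted, server_sqn + 1, usim_sqn           # SQN incremented for the next run
```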