HP-UX AAA Server A.08.02 Administrator's Guide

The authentication software on the user's mobile device that performs EAP/802.1x authentication is
referred to as the supplicant. The supplicant accesses the SIM card information and communicates
with the HP-UX AAA Server via the authenticator (the access point) to gain access to the network.
The supplicant sends its messages to the access point using EAP over LAN (EAPOL). The access point
encapsulates the EAP message and uses the RADIUS protocol to communicate with the HP-UX AAA
Server. The following is the process for a successful EAP-SIM authentication.
Figure 52 shows the EAP-SIM authentication using the HP-UX AAA Server.
Figure 52 EAP-SIM Authentication Using HP-UX AAA Server
1. The supplicant communicates with the access point.
2. The access point responds with an EAP request message asking for the supplicant's identity.
3. The supplicant sends an EAP response message with the IMSI information stored in the SIM.
The EAP response message is encapsulated in a RADIUS Access-Request message and
forwarded to the HP-UX AAA Server.
4. The HP-UX AAA Server responds to the supplicant, via the access point, with the list of supported
versions of the EAP-SIM key calculation algorithm.
5. The supplicant responds with the selected key algorithm version and a random number
(NONCE_MT). The NONCE_MT is used by the HP-UX AAA Server and the supplicant to derive the
key during subsequent requests, and to prevent replay attacks.
6. The HP-UX AAA Server looks up the IMSI's pre-shared Ki in the user profile storage and
calculates the triplets (RAND, Signed RESponse (SRES), Kc), or retrieves the triplets directly
from the user profile storage.
The HP-UX AAA Server can use the LDAP directory server or the SQL Compliant SQL Access
to retrieve the Ki and calculate 'n' GSM triplets (RAND, SRES, Kc). Typically, n=2 or n=3.
The HP-UX AAA Server also allows adding a customized plug-in, built with the Software
Development Kit (SDK), to contact any AuC in the network and directly retrieve the 'n' triplets.
After obtaining the triplets, the HP-UX AAA Server responds with an EAP request challenge
containing each of the random numbers (RAND) and their respective message authentication
codes (AT_MAC).
7. The supplicant first verifies the message authentication code received from the HP-UX AAA
Server for each of the RAND values. After successfully validating the message authentication
code, it generates, for each RAND value it received, the encryption key (Kc) used for deriving
keying material and the signed response (SRES).
The supplicant and the HP-UX AAA Server use multiple RAND values, producing multiple
encryption keys (Kc), to derive stronger keying material.
The supplicant then sends back only the message authentication code computed over the SRES
values in its reply to the EAP request challenge message.
8. On receiving the challenge reply, the HP-UX AAA Server verifies the received message
authentication code by calculating its own message authentication code over the SRES values
it already holds and comparing the two. After the validation succeeds, the HP-UX AAA Server
derives the keying material for session encryption and sends it to the access point in an
Access-Accept message. The Access-Accept message also carries an encapsulated EAP Success message.
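The challenge and response exchange of steps 5 through 8, modelled in Python as an added example; this is not code from the HP-UX AAA Server or from this guide. It assumes an HMAC-based stand-in for the SIM's A3/A8 algorithms (real SIMs use operator-specific algorithms), a simplified key expansion in place of the FIPS 186-2 PRF that RFC 4186 specifies, and constructed sample values for the IMSI, Ki and RAND. The MK formula and the 16-byte AT_MAC follow RFC 4186; everything else (class and function names, the user store dictionary) is hypothetical.

```python
import hashlib
import hmac
import os

# Constructed sample data: an IMSI identity, its pre-shared Ki, and the EAP-SIM version negotiation.
SAMPLE_IMSI = b"1001234567890123"
SAMPLE_KI = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
VERSION_LIST = b"\x00\x01"      # server offers EAP-SIM version 1 only (step 4)
SELECTED_VERSION = b"\x00\x01"  # supplicant picks version 1 (step 5)


def gsm_a3a8(ki, rand):
    """Stand-in for the SIM's A3/A8 algorithms (assumption: real SIMs use operator-specific
    algorithms such as COMP128). Returns (SRES, Kc) derived from Ki and a 16-byte RAND."""
    d = hmac.new(ki, rand, hashlib.sha256).digest()
    return d[:4], d[4:12]


def master_key(identity, kcs, nonce_mt):
    # MK = SHA1(Identity | n*Kc | NONCE_MT | Version List | Selected Version), RFC 4186 section 7.
    return hashlib.sha1(identity + b"".join(kcs) + nonce_mt + VERSION_LIST + SELECTED_VERSION).digest()


def expand(mk, label, length):
    # Simplified key expansion (assumption): RFC 4186 derives K_aut and the MSK from MK with the
    # FIPS 186-2 PRF; an HMAC counter mode is used here to keep the example short.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(mk, label + bytes([counter]), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def at_mac(k_aut, data):
    # AT_MAC is HMAC-SHA1-128: the first 16 bytes of HMAC-SHA1 under K_aut.
    return hmac.new(k_aut, data, hashlib.sha1).digest()[:16]


class AAAServer:
    """Server side of steps 6 and 8. user_store maps IMSI to Ki (the user profile storage)."""

    def __init__(self, user_store, n=3):
        self.user_store = user_store
        self.n = n              # number of GSM triplets per authentication (typically 2 or 3)
        self.sessions = {}

    def challenge(self, imsi, nonce_mt, rands=None):
        # Step 6: look up Ki, compute n triplets, derive keys, send the RANDs with an AT_MAC.
        ki = self.user_store[imsi]
        rands = rands or [os.urandom(16) for _ in range(self.n)]
        triplets = [gsm_a3a8(ki, r) for r in rands]
        mk = master_key(imsi, [kc for _, kc in triplets], nonce_mt)
        k_aut, msk = expand(mk, b"k_aut", 16), expand(mk, b"msk", 64)
        self.sessions[imsi] = {"sres": [s for s, _ in triplets], "k_aut": k_aut, "msk": msk}
        return {"rands": rands, "mac": at_mac(k_aut, b"".join(rands) + nonce_mt)}

    def verify_response(self, imsi, response_mac):
        # Step 8: recompute the MAC over the SRES values the server already holds and compare.
        s = self.sessions.pop(imsi)
        expected = at_mac(s["k_aut"], b"".join(s["sres"]))
        if not hmac.compare_digest(expected, response_mac):
            return None         # Access-Reject
        return s["msk"]         # Access-Accept carrying the keying material and EAP Success


class Supplicant:
    """Client side of steps 5 and 7; holds the SIM's Ki and its own fresh NONCE_MT."""

    def __init__(self, imsi, ki):
        self.imsi, self.ki = imsi, ki
        self.nonce_mt = os.urandom(16)   # step 5: a new random number per authentication
        self.msk = None

    def answer(self, chal):
        # Step 7: verify the server's AT_MAC first, then derive SRES and Kc for every RAND.
        triplets = [gsm_a3a8(self.ki, r) for r in chal["rands"]]
        mk = master_key(self.imsi, [kc for _, kc in triplets], self.nonce_mt)
        k_aut = expand(mk, b"k_aut", 16)
        expected = at_mac(k_aut, b"".join(chal["rands"]) + self.nonce_mt)
        if not hmac.compare_digest(expected, chal["mac"]):
            return None         # wrong Ki on either side, or a replayed challenge: abort
        self.msk = expand(mk, b"msk", 64)
        return at_mac(k_aut, b"".join(s for s, _ in triplets))   # only the MAC, never the SRES values


def run_eap_sim(server, supplicant, rands=None):
    """Drives steps 5 to 8 and reports whether both sides agree on the session keying material."""
    chal = server.challenge(supplicant.imsi, supplicant.nonce_mt, rands)
    resp = supplicant.answer(chal)
    if resp is None:
        return {"success": False, "reason": "supplicant rejected challenge MAC"}
    msk = server.verify_response(supplicant.imsi, resp)
    if msk is None:
        return {"success": False, "reason": "server rejected response MAC"}
    return {"success": True, "keys_match": msk == supplicant.msk, "msk": msk}


if __name__ == "__main__":
    srv = AAAServer({SAMPLE_IMSI: SAMPLE_KI})
    print(run_eap_sim(srv, Supplicant(SAMPLE_IMSI, SAMPLE_KI)))
    # A SIM holding a different Ki derives a different K_aut, so it rejects the server's AT_MAC.
    print(run_eap_sim(srv, Supplicant(SAMPLE_IMSI, bytes(16))))
```

Because NONCE_MT enters the master key, a challenge captured from one session fails the supplicant's MAC check in any later session that chose a fresh nonce, which is the replay protection step 5 refers to; the supplicant also checks the server's MAC before returning anything, so it never reveals SRES values to a peer that could not prove knowledge of Ki.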