HP-UX AAA Server A.08.02 Administrator's Guide
9. The access point forwards the EAP Success message to the supplicant and keeps the keying
material for encrypting the subscriber's session. The supplicant derives the same encryption
key independently, so the access point does not need to forward the keying material to the supplicant.
10. With the common session key, the network traffic between the access point and the supplicant
can now be encrypted and the supplicant can securely access the network.
EAP-SIM includes optional identity privacy support, wherein the supplicant can send a temporary
(pseudonym) identity instead of the clear-text permanent identity (IMSI), so that eavesdroppers
cannot learn the IMSI. In such cases, the HP-UX AAA Server must look up the real user name
(permanent identity) when it receives the pseudonym identity. The mapping between the permanent
identity and the pseudonym, in both directions, can be done using algorithms built into the HP-UX AAA
Server or using external storage, such as an SQL-compliant database that holds the mapping information.
EAP-SIM also includes optional fast re-authentication support, wherein the master session key
generated during the previous full authentication is used to generate a fresh master session
key, so a new set of GSM triplets is not required. A supplicant requesting fast re-authentication
sends the fast re-authentication identity it received during the previous full authentication. The
HP-UX AAA Server internally maps the fast re-authentication identity to the permanent identity, either
using an optional internal cache or using external storage, such as an SQL-compliant database that
holds the mapping information.
Features
The EAP-SIM authentication method is fully compliant with RFC 4186. It offers the following features:
• International Mobile Subscriber Identity (IMSI) permanent identities on a per realm basis.
• Non-IMSI permanent identities on a per realm basis.
• Protected success indications on a per realm basis.
• Fast re-authentication on a per realm basis.
• Pseudonyms generated using algorithms or randomly, on a per realm basis.
• To ensure that permanent user names, pseudonyms, and fast re-authentication user names are
distinct and can be easily distinguished, the server generates pseudonyms whose leading
character is 2 and fast re-authentication user names whose leading character is 3. In
accordance with the RFC, permanent user names derived from the IMSI are prefixed with the
leading character 1.
• A user's subscriber key, Ki, along with the names of the appropriate A3 and A8 algorithms,
can be stored in an external database or a local file. The A3 and A8 algorithms are standard algorithms.
If Ki is stored in one of these locations, the server automatically generates GSM authentication
triplets using this information.
• A set of GSM authentication triplets can be stored in a local file. This is intended for use in a
lab environment, and requires no additional user-written plug-ins.
• If the customer implements an AATV, the user credentials can be retrieved from an
Authentication Center (AuC) that the AATV communicates with. The AuC function authenticates
SIM cards that attempt to connect to the GSM network by generating data known as triplets.
• 3GPP (3rd Generation Partnership Project) Milenage A3 and A8 algorithms are provided, with
parameters that can be configured.
• The Milenage A3 or A8 algorithm can be customized with a simple plug-in.
• Additional customer-supplied A3 or A8 algorithms can be plugged into the server.
• Occurrences and values of received SIM attributes are validated.
• Support for pseudonym and fast re-authentication identity mapping is built-in without the need
for an external database. Support is also provided using SQL Access and built-in AATVs.
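The triplet generation described in the Ki and Milenage items above, as an added example in Go that is not the HP-UX AAA Server's own code: it derives OPc from a configured operator constant OP and the subscriber key Ki, runs the Milenage f2/f3/f4 functions with the default rotation and constant parameters, and converts the 3G outputs to the GSM SRES and Kc with the c2/c3 conversion functions. The input vectors are the published 3GPP TS 35.208 test set 1, used here as constructed sample data.

```go
package main

import (
	"crypto/aes"
	"encoding/hex"
	"fmt"
)

// encrypt is one AES-128 block encryption under Ki, the Milenage kernel E_K.
func encrypt(ki, block []byte) []byte {
	c, _ := aes.NewCipher(ki) // cannot fail for a 16-byte Ki
	out := make([]byte, 16)
	c.Encrypt(out, block)
	return out
}
func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// GsmTriplet completes a GSM triplet (RAND, SRES, Kc) for one RAND: Milenage
// f2/f3/f4 (3GPP TS 35.206) followed by the c2/c3 conversions of TS 33.102.
func GsmTriplet(ki, op, rand []byte) (sres, kc []byte) {
	opc := xor(encrypt(ki, op), op)              // per-subscriber OPc from OP and Ki
	temp := xor(encrypt(ki, xor(rand, opc)), opc) // TEMP ^ OPc, shared by f2..f5
	// OUTn = E_K(rot(TEMP ^ OPc, rn) ^ cn) ^ OPc with the default rn (bit rotation) and cn.
	out := func(r int, c byte) []byte {
		in := make([]byte, 16)
		for i := range in {
			in[i] = temp[(i+r/8)%16] // rotate left by r bits (always a whole number of bytes)
		}
		in[15] ^= c // cn is zero except for its last byte
		return xor(encrypt(ki, in), opc)
	}
	res, ck, ik := out(0, 1)[8:], out(32, 2), out(64, 4) // f2 = OUT2[8:16], f3 = OUT3, f4 = OUT4
	sres = xor(res[:4], res[4:])                           // c2: SRES = RES[0:4] ^ RES[4:8]
	kc = xor(xor(ck[:8], ck[8:]), xor(ik[:8], ik[8:]))     // c3: Kc = CK halves ^ IK halves
	return sres, kc
}

func main() { // 3GPP TS 35.208 test set 1: published test data, not a real subscriber key
	ki, _ := hex.DecodeString("465b5ce8b199b49faa5f0a2ee238a6bc")
	op, _ := hex.DecodeString("cdc202d5123e20f62b6d676ac72cb318")
	rand, _ := hex.DecodeString("23553cbe9637a89d218ae64dae47bf35")
	sres, kc := GsmTriplet(ki, op, rand)
	fmt.Printf("RAND=%x SRES=%x Kc=%x\n", rand, sres, kc)
}
```

A server holding only pre-computed triplets (the lab-file option) skips this step entirely; a customer A3/A8 plug-in replaces the body of GsmTriplet while keeping the (RAND, SRES, Kc) contract.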
162 Configuring EAP-SIM and EAP-AKA Authentication Methods