HP-UX AAA Server A.08.02 Administrator's Guide

EAP-AKA
This section discusses the EAP-AKA authentication method and its configurations. This section
addresses the following topics:
“Overview” (page 169)
“EAP-AKA Authentication Using HP-UX AAA Server” (page 169)
“Features” (page 170)
“Benefits” (page 171)
“Configuring EAP-AKA” (page 171)
Overview
EAP-AKA is an authentication and session key distribution mechanism used in the third-generation
mobile networks UMTS and CDMA2000. AKA is based on a challenge-response mechanism and
symmetric cryptography.
EAP-AKA Authentication Using HP-UX AAA Server
The HP-UX AAA Server authenticates the EAP-AKA supplicant to the IP network using Wireless LAN
(WLAN) access. The authentication process is described as follows:
1. The supplicant associates with the access point.
2. The access point first responds with an EAP Request message asking the supplicant for its identity.
3. The supplicant sends an EAP Response message containing the subscriber's International Mobile
Subscriber Identity (IMSI) stored on the UMTS Subscriber Identity Module (USIM) or
CDMA2000 User Identity Module. The EAP Response message is encapsulated in a RADIUS
Access-Request message and forwarded to the AAA Server.
4. On receiving the EAP Response message, the HP-UX AAA Server looks up the user's identity to
retrieve the pre-shared key and the per-user sequence number (SQN), which it uses to generate an
authentication vector. The SQN is incremented for every authentication of the user to the
network. The authentication vector is a security quintet consisting of five values: RAND (a
128-bit random number), XRES (a 32-bit signed response to RAND), CK (a 128-bit session
encryption key), IK (a 128-bit integrity key) and AUTN (a 128-bit network authentication
token). The AAA Server can also be configured to connect to external storage, such as an
Authentication Centre (AuC), to provide the authentication vector.
5. The AAA Server then sends an EAP Request Challenge message containing the random number
RAND, the network authentication token AUTN and a message authentication code for the EAP packet.
6. The supplicant runs the AKA algorithm to compare the AUTN it generates with the received
AUTN. If they match, the supplicant has successfully authenticated the AAA Server. The supplicant
then sends an EAP Response Challenge via the access point containing the result parameter (RES),
generated using RAND and the pre-shared secret key. It also includes a message authentication
code for integrity protection.
7. On receiving the EAP Response message, the AAA Server compares the result parameter with the
XRES parameter in the corresponding authentication vector. On successful comparison and
validation of the message authentication code, the AAA Server sends an EAP Success message
encapsulated inside an Access-Accept message to the access point, together with the session key.
8. The access point forwards the EAP Success message to the supplicant and keeps the keying
material for encrypting the user's session. The supplicant has already derived the same encryption
key, so the access point does not forward it to the supplicant.
9. With the common session key, network traffic between the access point and the supplicant
can now be encrypted, and the supplicant can securely access the network.
EAP-AKA uses an example key generation algorithm that can be customized or replaced with an
operator-specific key generation algorithm.
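The following is an added simulation of the nine-step exchange above and of the replaceable key generation algorithm mentioned in the last paragraph; it is example code written for this guide's explanation, not HP-UX AAA Server code. The AKA functions f1 to f5 are stand-ins built from HMAC-SHA256 (the real Milenage algorithm is not implemented; that substitution, the use of IK to key the EAP packet MAC, and the subscriber key and IMSI values are all assumptions). Field widths follow the text: RAND 128 bits, RES/XRES 32 bits, CK and IK 128 bits, and a 128-bit AUTN laid out as SQN xor AK, a 16-bit AMF and a 64-bit MAC. Besides the successful path, it shows the two checks a practitioner should expect to see fail: the supplicant rejecting a replayed challenge on the SQN freshness check (step 6) and the server rejecting a corrupted RES (step 7).

```python
import hashlib
import hmac
import os


def _f(key, label, *parts):
    """Keyed PRF standing in for the AKA f1..f5 functions (assumption, not Milenage)."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class AAAServer:
    """AAA side: holds the pre-shared key K and per-user SQN for each subscriber (step 4)."""

    def __init__(self):
        self.subscribers = {}   # IMSI -> {"k": bytes, "sqn": int}
        self.pending = {}       # IMSI -> authentication vector awaiting RES

    def provision(self, imsi, k):
        self.subscribers[imsi] = {"k": k, "sqn": 0}

    def challenge(self, imsi):
        """Steps 4-5: build the quintet and send RAND, AUTN and a packet MAC."""
        sub = self.subscribers[imsi]
        sub["sqn"] += 1                              # SQN advances on every authentication
        k, sqn = sub["k"], sub["sqn"].to_bytes(6, "big")
        rand = os.urandom(16)                        # 128-bit RAND
        mac_a = _f(k, b"f1", rand, sqn)[:8]          # network authentication MAC
        xres = _f(k, b"f2", rand)[:4]                # 32-bit expected response
        ck = _f(k, b"f3", rand)[:16]                 # 128-bit cipher key
        ik = _f(k, b"f4", rand)[:16]                 # 128-bit integrity key
        ak = _f(k, b"f5", rand)[:6]                  # anonymity key masks SQN on the wire
        autn = _xor(sqn, ak) + b"\x00\x00" + mac_a   # 6 + 2 + 8 bytes = 128-bit AUTN
        self.pending[imsi] = {"xres": xres, "ck": ck, "ik": ik}
        # MAC over the challenge packet, keyed with IK (key choice is an assumption)
        return {"rand": rand, "autn": autn, "at_mac": _f(ik, b"mac", rand, autn)[:16]}

    def verify(self, imsi, res, at_mac):
        """Step 7: compare RES with XRES, check the response MAC, return the session key."""
        av = self.pending.pop(imsi, None)
        if av is None:
            return None
        if not (hmac.compare_digest(res, av["xres"])
                and hmac.compare_digest(at_mac, _f(av["ik"], b"mac", res)[:16])):
            return None
        return _f(av["ck"] + av["ik"], b"msk")[:32]  # keying material handed to the AP


class Supplicant:
    """USIM side: same K; remembers the highest SQN accepted so a replayed challenge fails."""

    def __init__(self, imsi, k):
        self.imsi, self.k, self.sqn_max, self.session_key = imsi, k, 0, None

    def respond(self, rand, autn, at_mac):
        """Step 6: authenticate the network via AUTN, then compute RES and the session key."""
        k = self.k
        sqn = _xor(autn[:6], _f(k, b"f5", rand)[:6])
        if not hmac.compare_digest(autn[8:], _f(k, b"f1", rand, sqn)[:8]):
            return None                              # AUTN MAC mismatch: network not authenticated
        if int.from_bytes(sqn, "big") <= self.sqn_max:
            return None                              # stale SQN: replayed challenge
        ik = _f(k, b"f4", rand)[:16]
        if not hmac.compare_digest(at_mac, _f(ik, b"mac", rand, autn)[:16]):
            return None                              # EAP packet was modified in transit
        self.sqn_max = int.from_bytes(sqn, "big")
        ck = _f(k, b"f3", rand)[:16]
        self.session_key = _f(ck + ik, b"msk")[:32]  # same derivation as the server (step 8)
        res = _f(k, b"f2", rand)[:4]
        return {"res": res, "at_mac": _f(ik, b"mac", res)[:16]}


def _setup():
    k = bytes(range(16))                             # constructed subscriber key
    server = AAAServer()
    server.provision("001010123456789", k)           # constructed IMSI
    return server, Supplicant("001010123456789", k)


def happy_path():
    """Full exchange: True when the server accepts and both sides hold the same session key."""
    server, usim = _setup()
    ch = server.challenge(usim.imsi)
    reply = usim.respond(**ch)
    key = server.verify(usim.imsi, **reply)
    return key is not None and key == usim.session_key


def replay_rejected():
    """Presenting an already-answered challenge to the USIM must fail the SQN check."""
    server, usim = _setup()
    ch = server.challenge(usim.imsi)
    usim.respond(**ch)
    return usim.respond(**ch) is None


def bad_res_rejected():
    """A response whose RES is corrupted must not yield a session key from the server."""
    server, usim = _setup()
    ch = server.challenge(usim.imsi)
    reply = usim.respond(**ch)
    bad = bytes([reply["res"][0] ^ 1]) + reply["res"][1:]
    return server.verify(usim.imsi, bad, reply["at_mac"]) is None
```

Calling `happy_path()`, `replay_rejected()` and `bad_res_rejected()` should each return True. Note that the server increments SQN before building the vector and the USIM only advances its stored SQN after the AUTN MAC verifies, which is what makes the replay check meaningful: an attacker who records a valid challenge cannot reuse it, and a server that lost its SQN state would be rejected until resynchronized.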
EAP-AKA 169