HP-UX AAA Server A.08.02 Administrator's Guide
Benefits
EAP-AKA offers the following benefits:
• In devices that already contain an identity module, AKA can be used as a secure Point-to-Point
Protocol (PPP) authentication method.
• Enables the use of third generation mobile network authentication infrastructure in wireless
LANs.
• Supports the co-existence of the existing infrastructure with any other EAP technology.
• Supports identity privacy.
• Supports result indications.
• Supports fast re-authentication.
Configuring EAP-AKA
The configuration files must be edited manually, because EAP-AKA cannot be configured using
the HP-UX AAA Server Manager.
This section addresses the following topics:
• “EAP-AKA Client Configuration” (page 171)
• “EAP-AKA User Credential Lookup Configuration” (page 171)
• “EAP-AKA Realm-Based Configurations” (page 172)
• “Global EAP-AKA Configuration in aaa.config” (page 177)
NOTE: After you edit the configuration files, you must restart the RADIUS Server for the
configurations to take effect.
EAP-AKA Client Configuration
You can use the HP-UX AAA Server Manager to configure the access point or the access device
so that the HP-UX AAA Server uses EAP-AKA with it. For configuration instructions, see
Chapter 7 (page 69).
EAP-AKA User Credential Lookup Configuration
The HP-UX AAA Server supports configuration of EAP-AKA user credentials as Reply Items in two
forms.
On receiving an AKA request, the HP-UX AAA Server looks up the credentials of the unique
identifier (the real username). The credentials can be the user's pre-shared Subscriber-Key (Ki),
AKA-Sequence-Number (SQN), AKA-Mode (AMF), and AKA-Algorithm. The following information
must be provided for the EAP-AKA module to continue processing the user request:
• The first form includes the configuration of the user's Subscriber-Key (Ki), AKA-Sequence-Number
(SQN), AKA-Mode (AMF), and AKA-Algorithm. For a description of the algorithm, see
“Generating Authentication Vectors Using A3, A8, and AKA Algorithms” (page 193). The
server uses these AVPs as input to generate an authentication vector.
◦ Subscriber-Key is a string attribute containing the binary encoded 128-bit user secret key,
often referred to as Ki. The encoding must be in network byte order (big-endian).
◦ AKA-Sequence-Number is a string attribute containing the binary encoded 48-bit user
sequence number, often referred to as SQN. The encoding must be in network byte order
(big-endian).
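The encoding rules above for Subscriber-Key and AKA-Sequence-Number can be checked before the values are provisioned. The following Python sketch is an added example, not part of the HP-UX AAA Server or this guide. It assumes Ki arrives as a hex string and SQN as an integer, all function names and sample values are constructed, and the all-zero key check is an extra sanity check that the guide does not require.

```python
# Added example: helper names and sample values are constructed for illustration.
KI_BITS = 128   # Subscriber-Key (Ki) width stated in the guide
SQN_BITS = 48   # AKA-Sequence-Number (SQN) width stated in the guide


def encode_subscriber_key(ki_hex: str) -> bytes:
    """Return Ki as 16 raw bytes, most significant byte first."""
    cleaned = ki_hex.replace(":", "").replace(" ", "")
    try:
        ki = bytes.fromhex(cleaned)
    except ValueError as exc:
        raise ValueError("Ki is not valid hexadecimal") from exc
    if len(ki) * 8 != KI_BITS:
        raise ValueError(f"Ki must be {KI_BITS} bits, got {len(ki) * 8}")
    if ki == bytes(len(ki)):
        # Extra sanity check (not from the guide): catch a placeholder key.
        raise ValueError("Ki is all zeros")
    return ki


def encode_sqn(sqn: int) -> bytes:
    """Return SQN as 6 raw bytes in network byte order (big-endian)."""
    if not 0 <= sqn < (1 << SQN_BITS):
        raise ValueError(f"SQN must fit in {SQN_BITS} bits")
    return sqn.to_bytes(SQN_BITS // 8, "big")


def decode_sqn(raw: bytes) -> int:
    """Interpret 6 raw bytes as a big-endian SQN, as the server side would."""
    if len(raw) != SQN_BITS // 8:
        raise ValueError(f"SQN must be {SQN_BITS // 8} bytes, got {len(raw)}")
    return int.from_bytes(raw, "big")


if __name__ == "__main__":
    ki = encode_subscriber_key("00112233445566778899aabbccddeeff")  # constructed
    sqn = 42                                                        # constructed
    print("Ki :", ki.hex())
    print("SQN:", encode_sqn(sqn).hex())
    # Byte-order pitfall: a little-endian encoding is read back as a different,
    # much larger sequence number.
    wrong = sqn.to_bytes(6, "little")
    print("little-endian bytes read as:", decode_sqn(wrong))
```
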