1 / 12

Radius Extensions for Key Management in WLAN Network

This document analyzes key management issues during STA authentication in WLAN networks and proposes a solution using RADIUS extensions. It covers scenarios, requirements, and the procedure for implementing the solution.

zalman
Télécharger la présentation

Radius Extensions for Key Management in WLAN Network

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Radius Extensions for Key Management in WLAN Network Li Xue Bo Gao

  2. Introduction • Analyze the scenario and requirement • Problem Statement for key management that have arisen so far during STA authentication process in WLAN network. • Describe the solution based on RADIUS extension.

  3. Public WLAN Network Scenarios Overview AAA Portal • AC is converged the function of SGW. • In EAP authentication architecture, AC acts as the Authenticator, AC is responsible for STA IP assignment. • It is out the scope of the document. 1 STA WTP AC SGW AAA Portal • AC and SGW is separated. • In EAP authentication framework, AC acts as the Authenticator, SGW is responsible for STA IP assignment. • It is out the scope of the document. 2 STA WTP AC SGW AAA Portal • AC and SGW is separated. • In EAP authentication framework, SGW acts as the Authenticator. • In this scenario, AC needs to acquire the PMK information. 3 WTP STA AC

  4. Illustration: Traditional Operator WLAN Network Characters • WLAN network is one access technology which is added to previous broadband network. • SGW is responsible for: • the service gateway for Broadband service, responsible for authentication. • STA IP address assignment • User management, for example, charging, etc. • Portal Authentication for WLAN. • EAP Authenticator for Mobile devices. AAA Portal RG DSLAM Switch SGW Traditional Broadband network + WLAN network AC STA WTP

  5. The reasons for SGW acting as Authenticator • User Management requirements • SGW needs to achieve user management based on user information, via EAP Authenticator or EAP authentication proxy • SGW needs to achieve charging based on user information, via EAP Authenticator or EAP authentication proxy • Network Operation & Maintenance requirements • SGW is deployed more centralized than AC to reduce the AAA overloading communications • Advantages • The operator can deploy simple AC plus SGW as uniform authentication function with low OPEX • The network and devices can be managed with low CAPEX

  6. Problem Statement Authenticator Server Supplicant Authenticator AC SGW AAA STA WTP EAP-Request EAP-Response RADIUS Access Request EAP type specific mutual authentication RADIUS Accept (PMK) EAP-Success PMK ? • If the authenticator function is deployed on SGW node, there is an issue to achieve traffic encryption/decryption between STA and WTP/AC.

  7. Solution Procedure STA WTP/AC SGW AAA • Control messages used for PMK transported from SGW to AC is defined. PMK of Announcement (KoA) Authentication KoA ACK/NAK • Radius packets , KoA, KoA ACK/NAK , are extended to support Key Management

  8. Packet Format • Code: • TBD: PMK of Announcement (KoA) • TBD: KoA ACK • TBD: KoA NAK (optional) • Attributes: • Calling-Station-Id: It is used to bind the PMK to a special STA. The call-station-id attribute may be included within KoA, KoA-ACK/NAK messages. • Keying-Material (New) • KoA Feedback (New)

  9. New Attributes • Keying-Material • This attribute is included in KoA, and KoA ACK/NAK messages • Type: TBD • Value: PMK (32 Octets) • KoA-Feedback • This attribute is included in KoA ACK/NAK messages • Type: TBD • Value: 2 Octets, containing the feedback from the AC when received the KoA message. Following values are suggested: • 0: Succeed • 1-8: Rejected

  10. Next Step • Security consideration • Clarify the security mechanism for key-management announcement • Security mechanisms • IP Sec • Radius MD5 • Other?

  11. Thank you

  12. Backup: The Procedure for AC acts as Authenticator, SGW supports Radius-Proxy

More Related