Radius Extensions for Key Management in WLAN Network

Li Xue

Bo Gao


Introduction

  • Analyze the scenarios and requirements.

  • State the key management problems that have arisen so far during the STA authentication process in a WLAN network.

  • Describe the solution based on a RADIUS extension.


Public WLAN Network Scenarios Overview

  • The SGW function is converged into the AC.

    • In the EAP authentication architecture, the AC acts as the Authenticator and is responsible for STA IP assignment.

    • It is out of the scope of the document.

  • AC and SGW are separated.

    • In the EAP authentication framework, the AC acts as the Authenticator and the SGW is responsible for STA IP assignment.

    • It is out of the scope of the document.

  • AC and SGW are separated.

    • In the EAP authentication framework, the SGW acts as the Authenticator.

    • In this scenario, the AC needs to acquire the PMK information.

[Figure: three numbered scenario diagrams (1, 2, 3) built from the nodes STA, WTP, AC, SGW, AAA and Portal]

Illustration: Traditional Operator WLAN Network Characteristics

  • WLAN is an access technology that is added to the previous broadband network.

  • The SGW is responsible for:

    • Acting as the service gateway for broadband service, responsible for authentication.

    • STA IP address assignment.

    • User management, for example charging.

    • Portal authentication for WLAN.

    • Acting as EAP Authenticator for mobile devices.

[Figure: Traditional broadband network + WLAN network, with the nodes RG, DSLAM, Switch, SGW, AAA, Portal, AC, WTP and STA]


The reasons for SGW acting as Authenticator

  • User management requirements

    • The SGW needs to perform user management based on user information, acting as EAP Authenticator or EAP authentication proxy.

    • The SGW needs to perform charging based on user information, acting as EAP Authenticator or EAP authentication proxy.

  • Network operation and maintenance requirements

    • The SGW is deployed more centrally than the AC, which reduces the communication load on the AAA.

  • Advantages

    • The operator can deploy a simple AC plus an SGW as a uniform authentication function with low OPEX.

    • The network and devices can be managed with low CAPEX.


Problem Statement

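[Figure: EAP authentication message flow. Roles: Supplicant, Authenticator, Authentication Server. Nodes: STA, WTP, AC, SGW, AAA. Messages: EAP-Request, EAP-Response, RADIUS Access Request, EAP type specific mutual authentication, RADIUS Accept (PMK), EAP-Success. The PMK is shown with a "?" marking the open question.]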

  • If the authenticator function is deployed on the SGW node, achieving traffic encryption/decryption between the STA and the WTP/AC becomes a problem.


Solution Procedure

  • Control messages for transporting the PMK from the SGW to the AC are defined.

  • RADIUS packets (KoA, KoA ACK/NAK) are extended to support key management.

[Figure: message sequence between STA, WTP/AC, SGW and AAA, with the steps Authentication, PMK of Announcement (KoA) and KoA ACK/NAK]


Packet Format

  • Code:

    • TBD: PMK of Announcement (KoA)

    • TBD: KoA ACK

    • TBD: KoA NAK (optional)

  • Attributes:

    • Calling-Station-Id: Used to bind the PMK to a specific STA. The Calling-Station-Id attribute may be included in KoA and KoA ACK/NAK messages.

    • Keying-Material (New)

    • KoA Feedback (New)


New Attributes

  • Keying-Material

    • This attribute is included in KoA, and KoA ACK/NAK messages

    • Type: TBD

    • Value: PMK (32 Octets)

  • KoA-Feedback

    • This attribute is included in KoA ACK/NAK messages

    • Type: TBD

    • Value: 2 octets, containing the feedback from the AC on receiving the KoA message. The following values are suggested:

      • 0: Succeed

      • 1-8: Rejected
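
The packet format and attributes above, as an added example that is not part of the original slides: an AC-side handler that parses a KoA, checks that Keying-Material is a 32-octet PMK bound to a Calling-Station-Id, and answers with KoA ACK or NAK. The code and attribute-type numbers are placeholders because the slides leave them TBD, the standard RADIUS header layout is assumed, and the reply here carries only Calling-Station-Id and KoA-Feedback.

```python
import struct

# Placeholder numbers: the slides leave the codes and new attribute types "TBD".
CODE_KOA, CODE_KOA_ACK, CODE_KOA_NAK = 250, 251, 252
ATTR_CALLING_STATION_ID = 31          # existing RADIUS attribute
ATTR_KEYING_MATERIAL = 192            # placeholder type
ATTR_KOA_FEEDBACK = 193               # placeholder type
PMK_LEN = 32                          # "Value: PMK (32 Octets)"

def build(code, ident, attrs):
    """Serialize code, identifier, length, 16-octet authenticator and TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    # Authenticator left as zeros: message protection is an open item on the slides.
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

def parse(pkt):
    """Return (code, ident, {type: value}); raise ValueError on malformed input."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs[t] = pkt[pos + 2:pos + l]
        pos += l
    return code, ident, attrs

def ac_handle_koa(pkt, pmk_cache):
    """AC side: validate a KoA, cache the PMK per STA, answer with KoA ACK or NAK."""
    code, ident, attrs = parse(pkt)
    if code != CODE_KOA:
        raise ValueError("not a KoA")
    sta = attrs.get(ATTR_CALLING_STATION_ID)
    pmk = attrs.get(ATTR_KEYING_MATERIAL)
    ok = bool(sta) and pmk is not None and len(pmk) == PMK_LEN
    if ok:
        pmk_cache[sta] = pmk          # bind the PMK to this STA
    feedback = struct.pack("!H", 0 if ok else 1)   # 0: succeed, 1-8: rejected
    reply = [(ATTR_KOA_FEEDBACK, feedback)]
    if sta:
        reply.insert(0, (ATTR_CALLING_STATION_ID, sta))
    return build(CODE_KOA_ACK if ok else CODE_KOA_NAK, ident, reply)
```
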


Next Step

  • Security considerations

    • Clarify the security mechanism for the key-management announcement

    • Security mechanisms

      • IPsec

      • RADIUS MD5

      • Other?


Thank you


Backup: The Procedure When AC Acts as Authenticator and SGW Supports RADIUS Proxy

