
NETMANIAS

TECH-BLOG

Please visit www.netmanias.com to view more posts

IEEE 802.1x-based user authentication in KT, SK Telecom and LG U+'s Wi-Fi networks
February 26, 2015 | By Chris Yoo (tech@netmanias.com)

This post walks through the call flow of IEEE 802.1X-based user authentication as used in Korean network operators' Wi-Fi
networks. Before we get to the call flow, let's look at what the Korean operators' current Wi-Fi authentication methods
look like.

KT provides the following SSIDs in its Wi-Fi Hotspots:

ollehWiFi (with lock icon): Users are authenticated based on the IMSI stored in the USIM of their mobile
device. The authentication method is EAP-AKA, carried over IEEE 802.1X (EAP over LAN) between the device and the AP.

ollehWifi (without lock icon): Users are authenticated based on the MAC address of their non-USIM
device, or based on username and password through a captive portal or the Connection Manager (CM).

SK Telecom provides the following SSIDs in its Wi-Fi Hotspots:

T wifi zone_secure (with lock icon): As at KT, users are authenticated based on the IMSI in their
mobile device, with EAP-AKA over 802.1X as the authentication method.

T wifi zone (without lock icon): As at KT, users are authenticated based on MAC address or
username/password.

LG U+ provides the following SSIDs in its Wi-Fi Hotspots:

U+ zone (with lock icon): MSCHAPv2 inside PEAP (Protected EAP) over 802.1X is used. Simply put, this is
username/password-based authentication carried inside a TLS tunnel, similar to EAP-TTLS.

Here SSID stands for Service Set Identifier, the name by which users identify a Wi-Fi service. An access point (AP)
can advertise more than one SSID, and each SSID may offer a different authentication/encryption method (e.g.
in SK Telecom's network an AP has two SSIDs, T wifi zone_secure and T wifi zone).
With that in mind, Figure 1 shows how EAP-AKA-based authentication and Internet access work in
KT's ollehWiFi.


[Figure 1: call flow between the SmartPhone (STA, MAC=A, IMSI stored in the SIM/USIM card), the Wi-Fi Hotspot AP (public IP 123.228.77.23; acts as DHCP server and PAT/NAT) and the AAA server]

1. Beacon: SSID=ollehWiFi, AP MAC address, Security=WPA2
2. User selects ollehWiFi
3. 802.11 Association (SSID=ollehWiFi)
4. [EAPoL] EAP-AKA Authentication (mutual authentication), STA to AP: IMSI=450041012341234
5. [RADIUS] Access Request, AP to AAA: IMSI=450041012341234
6. [RADIUS] Access Accept, AAA to AP: EAP-Success, MSK
7. [EAPoL] EAP-Success, AP to STA; both STA and AP create the PTK based on the MSK
8. WPA2 (CCMP/AES) based encryption/integrity protection of the air link using the PTK
9. IP allocation (DHCP): the STA is the DHCP client, the AP is the DHCP server and delivers a private IP address to the MS; the device gets private IP address 172.30.10.10
10. [RADIUS] Accounting Request: Start (User-Name=IMSI, Framed-IP-Address=172.30.10.10, Calling-Station-Id=A, number of UL/DL bytes, number of UL/DL packets, etc.)
11. Internet access: uplink packets leave the STA with SIP=172.30.10.10 and leave the AP after PAT (NAT) with SIP=123.228.77.23
12. [RADIUS] Accounting Request: Interim (same attributes as in step 10), repeated periodically
13. User logs off Wi-Fi access: 802.11 disassociation
14. [RADIUS] Accounting Request: Stop (same attributes as in step 10)

Figure 1. EAP-AKA-based Authentication and Internet Access Flow in KT's ollehWiFi


1. In the figure above, the AP periodically broadcasts a beacon frame to all stations in range. The beacon
carries the SSID (ollehWiFi), the AP's MAC address and the security capabilities (WPA2). So when a user
scans for wireless LANs on his device, the SSIDs appear together with a locked or unlocked indication
(networks that require authentication and encryption show a lock icon to the right of the SSID, open
networks do not).

2. The user selects ollehWiFi (with lock icon) to join.

3. The station then performs the 802.11 association procedure with the AP. This step is the wireless
equivalent of "connecting a LAN cable to a PC" on a wired network.

4. Now it is time to authenticate the user. ollehWiFi (with lock icon) uses EAP-AKA, which provides
mutual authentication: the network authenticates the station, and the station authenticates the
network. For this, the IMSI, which serves as the user identity, and the subscriber key K used in the
AKA computation are stored in the built-in USIM card of the station, and the IMSI is delivered to
the AP (EAP-AKA over EAPoL). K itself never leaves the USIM; only the challenge/response values
derived from it are exchanged.


5. The AP forwards the identity to the AAA server in an Access Request, a RADIUS protocol message
(EAP-AKA over RADIUS). The AAA server must hold the IMSI and K of each subscriber (or obtain the
corresponding authentication vectors from the HLR/HSS that holds them) in order to generate the AKA
challenge and check the response.

6. The result of the authentication (here 'Authentication succeeded') is returned in the Access Accept
message. The Master Session Key (MSK) is delivered to the AP together with this message, to be used in
Step 8. In RADIUS the MSK rides in the MS-MPPE-Recv-Key/MS-MPPE-Send-Key attributes, whose only
protection on the AP-AAA path is the RADIUS shared secret, so that secret (or an IPsec/RadSec tunnel)
is what keeps the session key confidential.

7. The AP then notifies the station of the successful authentication (EAP-Success). The station has
derived the same MSK locally as part of EAP-AKA, so no key material crosses the air link.

8. Procedures for encryption and integrity protection of the air link between the station and the AP
now begin. Once these procedures (Step 8) complete, all user data are encrypted and integrity-protected.
See Figure 2 for the detailed call flow.

9. The station sends DHCP messages (DHCP Discover/Request) asking the AP to allocate an IP address.
The AP, acting as a DHCP server, allocates an IP address to the station (DHCP Offer/Ack). Since the
address allocated by the AP is a private IP, the AP also performs PAT/NAT (translating multiple
private IP addresses into one public IP address).

10. Once IP address allocation is done, the AP sends an Accounting Request (Start) message to the AAA
server, notifying it that the user has started using the Wi-Fi network and that accounting for the user
is being initiated. This message contains the user ID (IMSI), the IP address allocated to the station,
the MAC address of the station, the number of packets and bytes transmitted to/from the station, etc.
11. Now that the station has an IP address as well, the user can start using the Internet, and the AP
performs the PAT/NAT function explained above. As seen in the figure, the AP translates the source
IP (172.30.10.10) of the packet sent by the station into 123.228.77.23, a public IP address configured
on the AP, and forwards it to the Internet.
12. The AP keeps sending Accounting Request (Interim) messages to the AAA server, either at its default
interval or at the interval the AAA server specified in the Access Accept (Acct-Interim-Interval, e.g.
300 seconds).
13. When the user disconnects from the Wi-Fi network, the disassociation procedure between the station
and the AP runs. This is the equivalent of unplugging a LAN cable from a PC on a wired network.
14. Now that the station is detached from the network, the AP notifies the AAA server by sending an
Accounting Request (Stop) message.
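Steps 10, 12 and 14 all send the same RADIUS Accounting-Request, differing only in Acct-Status-Type and the counters. The following is an added example, not code from Netmanias or from any operator's AAA; it builds the Accounting-Request (Start) the AP would send in step 10 with the attributes listed in Figure 1, and shows the AAA-side check of the Request Authenticator. Attribute type codes and the authenticator rule are taken from RFC 2865/2866; the shared secret, session id, station MAC and counter values are constructed sample data.

```python
"""RADIUS Accounting-Request as sent by the hotspot AP in steps 10, 12 and 14.

Added example, not Netmanias code.  Attribute type codes and the Request
Authenticator rule are RFC 2865/2866; the shared secret, session id and
counters are constructed sample values.
"""
import hashlib
import hmac
import socket
import struct

ACCOUNTING_REQUEST = 4           # RADIUS Code for Accounting-Request (RFC 2866)

# Attribute type codes (RFC 2865 / RFC 2866)
USER_NAME = 1                    # the IMSI in Figure 1
FRAMED_IP_ADDRESS = 8            # private IP the AP handed out by DHCP
CALLING_STATION_ID = 31          # station MAC address
ACCT_STATUS_TYPE = 40
ACCT_INPUT_OCTETS = 42           # bytes received by the NAS = station uplink
ACCT_OUTPUT_OCTETS = 43          # bytes sent by the NAS = station downlink
ACCT_SESSION_ID = 44
ACCT_INPUT_PACKETS = 47
ACCT_OUTPUT_PACKETS = 48

STATUS_START, STATUS_STOP, STATUS_INTERIM = 1, 2, 3


def attr(atype: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length includes the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value


def u32(n: int) -> bytes:
    return struct.pack("!I", n)


def build_acct_request(identifier, secret, imsi, framed_ip, sta_mac, status,
                       session_id, ul_bytes, dl_bytes, ul_pkts, dl_pkts):
    """Return the on-the-wire Accounting-Request (header + authenticator + attributes)."""
    attrs = b"".join([
        attr(USER_NAME, imsi.encode()),
        attr(FRAMED_IP_ADDRESS, socket.inet_aton(framed_ip)),
        attr(CALLING_STATION_ID, sta_mac.encode()),
        attr(ACCT_STATUS_TYPE, u32(status)),
        attr(ACCT_SESSION_ID, session_id.encode()),
        attr(ACCT_INPUT_OCTETS, u32(ul_bytes)),
        attr(ACCT_OUTPUT_OCTETS, u32(dl_bytes)),
        attr(ACCT_INPUT_PACKETS, u32(ul_pkts)),
        attr(ACCT_OUTPUT_PACKETS, u32(dl_pkts)),
    ])
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    # RFC 2866 s3: Request Authenticator =
    #   MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_acct_request(packet: bytes, secret: bytes) -> bool:
    """AAA-side check: a request whose authenticator does not recompute is silently dropped."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, received, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(received, expected)


def parse_attributes(packet: bytes) -> dict:
    """Walk the TLV list after the 20-octet header; decode text, IPv4 and 32-bit integers."""
    out, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length")
        value = packet[pos + 2:pos + alen]
        if atype in (USER_NAME, CALLING_STATION_ID, ACCT_SESSION_ID):
            out[atype] = value.decode()
        elif atype == FRAMED_IP_ADDRESS:
            out[atype] = socket.inet_ntoa(value)
        elif len(value) == 4:
            out[atype] = struct.unpack("!I", value)[0]
        else:
            out[atype] = value
        pos += alen
    return out


if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # constructed, not a real AP/AAA secret
    start = build_acct_request(7, secret, "450041012341234", "172.30.10.10",
                               "00-11-22-33-44-55", STATUS_START, "sess-0001", 0, 0, 0, 0)
    print(len(start), verify_acct_request(start, secret), parse_attributes(start))
```

Two things worth noticing when reading the packet: the counters are named from the NAS's point of view, so the station's uplink bytes appear as Acct-Input-Octets at the AAA; and the only integrity protection is the MD5-over-shared-secret authenticator, while the attributes themselves (including the IMSI in User-Name) travel in the clear, which is why the AP-to-AAA path is normally kept on a trusted network or wrapped in IPsec/RadSec.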


[Figure 2: key hierarchy and 4-way handshake between the SmartPhone (STA) and the Wi-Fi Hotspot AP after EAP-Success; the AAA delivers the MSK to the AP over RADIUS, while the STA has derived the same MSK over EAPoL]

Abbreviations: MSK: Master Session Key; PMK: Pairwise Master Key; ANonce: AP Nonce; SNonce: STA (MS) Nonce; PTK: Pairwise Transient Key; KCK: Key Confirmation Key; KEK: Key Encryption Key; TK: Temporal Key; MIC: Message Integrity Code

- On both sides the PMK is derived from the MSK (bits 0-255 of the MSK).
- The AP generates ANonce (a random number) and sends it to the STA in an EAPoL-Key frame.
- The STA generates SNonce (a random number) and computes PTK = PRF-384(PMK, AP MAC address, MS MAC address, ANonce, SNonce). The PTK is split into KCK (bits 0-127), KEK (bits 128-255) and TK (bits 256-383).
- The STA generates a MIC over the EAPoL-Key frame using the KCK and sends EAPoL-Key (SNonce, MIC) to the AP.
- The AP computes the same PTK with PRF-384 from its own ANonce and the received SNonce, recomputes the MIC over the received EAPoL-Key frame with its KCK, and declares the integrity check successful if the received MIC equals the computed one.
- User data encryption and integrity protection: using the TK and a nonce built from the packet number (PN) and the source address (SA), the payload is encrypted with AES in CTR mode and the MIC is computed with CBC-MAC (together, AES-CCM). Frame layout on the air: 802.11 header | CCMP header | encrypted user data | MIC | FCS. The receiver decrypts the user data, recomputes the MIC and checks it before the data are forwarded to the Internet.

Figure 2. WPA2 AES (CCMP) Encryption Algorithm
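The key derivation and the EAPoL-Key integrity check in Figure 2 are fully specified, so they can be shown in code. The following is an added example, not code from Netmanias or from any operator's equipment; it implements the 802.11 PRF-384 (HMAC-SHA1 based), the MSK to PMK to PTK split into KCK/KEK/TK at the bit offsets in the figure, and the HMAC-SHA1-128 MIC that Key Descriptor Version 2 (the AES/CCMP case) uses over EAPoL-Key frames, then runs messages 1 and 2 of the 4-way handshake from both sides. The MSK, MAC addresses and nonces are constructed sample values, and the EAPoL-Key frame is reduced to the fixed fields the MIC is computed over (Key Data left empty); those simplifications are assumptions of this example.

```python
"""PMK -> PTK derivation and EAPoL-Key MIC check for the WPA2 (CCMP) 4-way
handshake drawn in Figure 2.

Added example, not Netmanias code.  PRF-384 and the Key Descriptor
Version 2 MIC (HMAC-SHA1-128) follow IEEE 802.11; the MSK, MAC addresses
and nonces are constructed sample values, and the EAPoL-Key frame is
reduced to the fixed fields the MIC is computed over.
"""
import hashlib
import hmac
import os
import struct

PTK_LABEL = b"Pairwise key expansion"
# 802.1X hdr(4) + desc type(1) + key info(2) + key len(2) + replay ctr(8)
# + nonce(32) + IV(16) + RSC(8) + Key ID(8) = 81, then the 16-octet MIC
MIC_OFFSET = 4 + 1 + 2 + 2 + 8 + 32 + 16 + 8 + 8
KEY_INFO_MSG2 = 0x010A   # descriptor version 2 (HMAC-SHA1-128, AES), pairwise, MIC present


def pmk_from_msk(msk: bytes) -> bytes:
    """WPA2 takes bits 0-255 of the 512-bit EAP MSK as the PMK (Figure 2)."""
    if len(msk) < 32:
        raise ValueError("MSK must be at least 256 bits")
    return msk[:32]


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK = PRF-384(PMK, label, min(AA,SPA)||max(AA,SPA)||min(ANonce,SNonce)||max(ANonce,SNonce)).

    Returned as (KCK, KEK, TK): bits 0-127, 128-255, 256-383 as in the figure.
    Sorting the inputs is what lets AP and STA get the same key regardless of role.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, PTK_LABEL, data, 384)
    return ptk[:16], ptk[16:32], ptk[32:48]


def eapol_key_frame(replay_counter: int, nonce: bytes, mic: bytes = bytes(16)) -> bytes:
    """802.1X header (version 2, type 3 = EAPOL-Key) + EAPOL-Key body with descriptor type 2."""
    body = (struct.pack("!BHHQ", 2, KEY_INFO_MSG2, 16, replay_counter) + nonce
            + bytes(16) + bytes(8) + bytes(8) + mic + struct.pack("!H", 0))
    return struct.pack("!BBH", 2, 3, len(body)) + body


def compute_mic(kck: bytes, frame: bytes) -> bytes:
    """MIC = first 128 bits of HMAC-SHA1(KCK, EAPOL frame with the MIC field zeroed)."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_message2(kck: bytes, replay_counter: int, snonce: bytes) -> bytes:
    """STA -> AP: EAPoL-Key (SNonce, MIC) from Figure 2."""
    unsigned = eapol_key_frame(replay_counter, snonce)
    return eapol_key_frame(replay_counter, snonce, compute_mic(kck, unsigned))


def verify_mic(kck: bytes, frame: bytes) -> bool:
    """AP-side 'Integrity Check for EAPoL-Key Frame', with a constant-time compare."""
    return hmac.compare_digest(frame[MIC_OFFSET:MIC_OFFSET + 16], compute_mic(kck, frame))


def run_handshake(msk, aa, spa, anonce=None, snonce=None):
    """Messages 1 and 2 of the 4-way handshake, both sides.  Returns (mic_ok, tk_match)."""
    anonce = anonce or os.urandom(32)      # AP: ANonce (random #) generation
    snonce = snonce or os.urandom(32)      # STA: SNonce (random #) generation
    pmk = pmk_from_msk(msk)                # both sides hold the MSK after EAP-Success
    # Message 1 carries ANonce in the clear; the STA can now derive the PTK.
    kck_sta, _, tk_sta = derive_ptk(pmk, aa, spa, anonce, snonce)
    msg2 = build_message2(kck_sta, 1, snonce)
    # The AP reads SNonce out of message 2, derives its own PTK and checks the MIC.
    rx_snonce = msg2[17:49]
    kck_ap, _, tk_ap = derive_ptk(pmk, aa, spa, anonce, rx_snonce)
    return verify_mic(kck_ap, msg2), hmac.compare_digest(tk_sta, tk_ap)


if __name__ == "__main__":
    # Constructed sample values, not captured from a real network.
    msk = bytes(range(64))
    ap_mac, sta_mac = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    print(run_handshake(msk, ap_mac, sta_mac))   # (True, True)
```

Note what the MIC on message 2 proves to the AP: the peer that sent SNonce also holds the PMK, hence completed EAP-AKA, because only the PMK, the two MAC addresses and the two nonces go into the KCK. Flipping a single bit of the transmitted SNonce (or using the KEK instead of the KCK) makes the check fail, which is the "Integrity Check Success" branch in Figure 2 taking the other path.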


SK Telecom's T wifi zone_secure will have the same flow as in Figure 1. LG U+'s U+ zone will also have the
same except MSCHAPv2 over PEAP is used instead of EAP-AKA during Steps 4-7 in Figure 1.
Next time, we will talk about captive portal-based Wi-Fi authentication procedure in Korean network
operators' Wi-Fi networks.

Visit http://www.netmanias.com to view and download more technical documents.

About NMC Consulting Group (www.netmanias.com)


NMC Consulting Group is an advanced and professional network consulting company, specializing in IP network areas (e.g., FTTH, Metro Ethernet and IP/MPLS), service
areas (e.g., IPTV, IMS and CDN), and wireless network areas (e.g., Mobile WiMAX, LTE and Wi-Fi) since 2002.
Copyright 2002-2015 NMC Consulting Group. All rights reserved.
