TECH-BLOG
We will talk about the call flow of IEEE 802.1x-based user authentication as used in Korean network operators' Wi-Fi networks. Before we continue, let's first take a look at what the Korean operators' current Wi-Fi authentication methods are like.
ollehWiFi (with lock icon): Users are authenticated based on the IMSI stored in the USIM of their mobile device. EAP-AKA, as defined for 802.1x, is used as the authentication protocol.
ollehWifi (without lock icon): Users are authenticated based on the MAC address of their non-USIM device, or based on username and password through a captive portal or Connection Manager (CM).
T wifi zone_secure (with lock icon): Like KT, users are authenticated based on the IMSI in their mobile device, and EAP-AKA as defined for 802.1x is used as the authentication protocol.
T wifi zone (without lock icon): Like KT, users are authenticated based on MAC address or username/password.
U+ zone (with lock icon): MSCHAPv2 over PEAP (Protected EAP) as defined for 802.1x is used. Simply put, this is username/password-based authentication, similar to EAP-TTLS.
Here SSID stands for Service Set Identifier, and is what users use to identify Wi-Fi services. An access point (AP) can have more than one SSID, and each SSID may provide a different authentication/encryption method (e.g. in SK Telecom networks, an AP has two SSIDs: T wifi zone_secure and T wifi zone).
Now with that in mind, we will see in Figure 1 how EAP-AKA-based authentication and Internet access flow in
KT's ollehWiFi work.
Netmanias Tech-Blog: IEEE 802.1x-based user authentication in KT, SK Telecom and LG U+'s Wi-Fi
networks
Figure 1. EAP-AKA-based authentication and Internet access in KT's ollehWiFi. Entities: SmartPhone (MAC=A, IMSI=450041012341234, DHCP client), Hotspot AP (Public IP = 123.228.77.23, DHCP server with PAT/NAT), AAA server (IMSI=450041012341234 provisioned). Labelled steps recoverable from the figure: 1 Beacon (SSID=ollehWiFi, AP MAC address, Security=WPA2); 7 [EAPoL] EAP-Success to the station, EAP-Success + MSK from AAA to AP; 8 WPA2 (CCMP/AES)-based encryption/integrity protection, PTK held at the station and the AP; 9 IP allocation (DHCP): the AP acts as DHCP server and delivers a private IP address to the MS; 11 Internet access: uplink source IP 172.30.10.10 translated by PAT (NAT) to 123.228.77.23 towards the Internet; 13 802.11 disassociation.
1. In the figure above, the AP periodically broadcasts a beacon frame to all stations in range. The frame contains the SSID (ollehWiFi), the AP's MAC address and security (WPA2) information. So, when a user searches for a wireless LAN on his device, the SSID(s) appear along with a locked or unlocked indicator next to them (encrypted networks show a lock icon to the right of the SSID while open networks do not).
2.
3. Then the station goes through the 802.11 association procedure with the AP. This procedure is the equivalent of "connecting a LAN cable to a PC" in a wired network.
4. Now it is time to authenticate the user. ollehWiFi (with lock icon) uses EAP-AKA authentication, which requires mutual authentication: the network authenticates the station, and the station authenticates the network. For this step, the IMSI (used as the user ID) and K (the secret key used in authentication) are stored in the station's built-in USIM card, and the IMSI value is delivered to
5. Then the AP forwards the IMSI value to the AAA server in an Access Request, a RADIUS protocol message (EAP-AKA over RADIUS). The AAA server must have the IMSI and K values provisioned for each user.
6. The result of authentication (here, 'Authentication succeeded') is notified via the Access Accept message. A Master Session Key (MSK) is sent to the AP along with this message, to be used in Step 8.
7.
8. Procedures for encryption and integrity protection across the air link between the station and the AP begin. Once these procedures (i.e. Step 8) are completed, all user data are encrypted and integrity-protected. See Figure 2 for the detailed call flow.
9. The station sends a DHCP message (DHCP Discover/Request) to have the AP allocate an IP address to it. Upon receipt of the message, the AP, acting as a DHCP server, allocates an IP address to the station (DHCP Offer/Ack). As the address allocated by the AP is a private IP, the AP performs PAT/NAT (translating multiple private IP addresses into one public IP address).
10. Once IP address allocation is done, the AP sends an Accounting Request (Start) message to the AAA server, notifying it that the user has started using the Wi-Fi network and that accounting for the user is being initiated. This message contains the user ID (IMSI), the IP address allocated to the station, the MAC address of the station, the number of packets (and bytes) transmitted to/from the station, etc.
11. Now that the station has an IP address as well, the user can start using the Internet, and the AP
performs PAT/NAT feature as explained above. As seen in the figure, the AP accordingly translates
the source IP (172.30.10.10) of the packet sent by the station into 123.228.77.23, a public IP address
configured in the AP, and sends it to the Internet.
12. The AP periodically sends Accounting Request (Interim) messages to the AAA server, at the default interval or at the interval specified by the AAA server in the Access Accept (e.g. 300 seconds).
13. When the user disconnects from the Wi-Fi network, disassociation procedure between the station
and the AP begins. This is the same as disconnecting a LAN cable from a PC in a wired network.
14. Now that the station is detached from the network, the AP notifies the AAA server by sending
Accounting Request (Stop) message.
Figure 2. WPA2 key hierarchy and 4-way handshake between the SmartPhone, the Hotspot AP and the AAA server. Recoverable from the figure: the MSK reaches the AP over RADIUS and the station over EAPoL (bit offsets 255 and 511 shown); the PMK is taken from the MSK, and the AP additionally holds a GMK. The AP generates an ANonce (random number) and sends it in an EAPoL-Key frame; the station generates an SNonce (random number) and derives the PTK from the PMK, AP MAC address, MS MAC address, ANonce and SNonce. The PTK is split into KCK (bits 0..127), KEK (bits 128..255) and TK (bits 256..383). The station returns an EAPoL-Key frame carrying SNonce and a MIC computed over the EAPoL-Key frame under the KCK (labelled CBC-MAC in the figure); the AP derives the same PTK, recomputes the MIC, and on a successful integrity check the keys are installed. User data is then carried as 802.11 header + CCMP header + encrypted user data and MIC + FCS, with the MIC computed (CBC-MAC) under the TK; the AP decrypts and verifies the MIC before forwarding the user data to the Internet.
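To make the key hierarchy of Figure 2 concrete, the following worked example (added here; it is not Netmanias' code and not an operator's implementation) derives the PTK from a constructed PMK exactly as the figure shows: PMK taken from the MSK, PTK = PRF-384(PMK, "Pairwise key expansion", min/max of the two MAC addresses and the two nonces), then split into KCK, KEK and TK at the bit offsets 0, 128 and 256. It then builds a constructed EAPoL-Key message 2 carrying the SNonce, computes the MIC with the KCK, and shows the AP-side check accepting the genuine frame and rejecting one whose nonce was altered in transit. All MAC addresses, nonces and the MSK are constructed sample values. One assumption beyond the figure: the figure labels the EAPoL-Key MIC "CBC-MAC", while the code uses HMAC-SHA1 truncated to 128 bits, which is the 802.11i key-descriptor-version-2 MIC that accompanies CCMP; the CCMP data-frame MIC (AES-CBC-MAC inside CCM) is not implemented here.

```python
"""Worked example of the WPA2 (802.11i) key hierarchy in Figure 2.

Added example, not code from the Netmanias article. All key material, MAC
addresses and nonces below are constructed sample values.
"""
import hashlib
import hmac

# CCMP PTK is 384 bits: KCK (bits 0..127), KEK (128..255), TK (256..383), as in Figure 2.
PTK_LEN = 48
# Byte offset of the MIC field in an EAPoL-Key frame:
# EAPoL header (4) + descriptor type (1) + key info (2) + key length (2)
# + replay counter (8) + key nonce (32) + key IV (16) + key RSC (8) + key ID (8) = 81.
MIC_OFFSET = 81
NONCE_OFFSET = 4 + 1 + 2 + 2 + 8  # key nonce starts right after the replay counter


def pmk_from_msk(msk: bytes) -> bytes:
    """The PMK is the first 256 bits of the EAP MSK that AAA sends in Access Accept (Step 6)."""
    if len(msk) < 32:
        raise ValueError("MSK must be at least 256 bits")
    return msk[:32]


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK generation of Figure 2: PMK + AP MAC + MS MAC + ANonce + SNonce -> KCK, KEK, TK.

    min/max ordering makes the derivation identical no matter which side computes it.
    """
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, PTK_LEN)
    return {"kck": ptk[0:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def build_eapol_key_msg2(snonce: bytes) -> bytes:
    """Constructed EAPoL-Key message 2 (station -> AP) with the MIC field zeroed."""
    body = bytes([2])                    # descriptor type: RSN
    body += bytes.fromhex("010a")        # key info: MIC bit set, pairwise, descriptor version 2 (constructed)
    body += (16).to_bytes(2, "big")      # key length (CCMP TK = 128 bits)
    body += (1).to_bytes(8, "big")       # replay counter
    body += snonce                       # key nonce = SNonce (32 bytes)
    body += b"\x00" * 16                 # key IV
    body += b"\x00" * 8                  # key RSC
    body += b"\x00" * 8                  # key ID (reserved)
    body += b"\x00" * 16                 # MIC, zero until computed
    body += (0).to_bytes(2, "big")       # key data length
    return bytes([2, 3]) + len(body).to_bytes(2, "big") + body  # EAPoL v2, type 3 = EAPOL-Key


def eapol_key_mic(kck: bytes, frame_with_zero_mic: bytes) -> bytes:
    """Key-descriptor-version-2 MIC: HMAC-SHA1 over the whole frame, truncated to 128 bits."""
    return hmac.new(kck, frame_with_zero_mic, hashlib.sha1).digest()[:16]


def sign_eapol_key(kck: bytes, frame: bytes) -> bytes:
    """Station side: fill the MIC field using its KCK."""
    mic = eapol_key_mic(kck, frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


def verify_eapol_key(kck: bytes, frame: bytes) -> bool:
    """AP side: recompute the MIC over the frame with the MIC field zeroed and compare."""
    received = frame[MIC_OFFSET:MIC_OFFSET + 16]
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.compare_digest(received, eapol_key_mic(kck, zeroed))


def run_handshake_demo() -> dict:
    """Both sides derive the PTK; the AP accepts a genuine message 2 and rejects a tampered one."""
    msk = hashlib.sha512(b"constructed MSK delivered by AAA").digest()   # 512-bit sample MSK
    ap_mac = bytes.fromhex("001122334455")                              # constructed AP MAC
    sta_mac = bytes.fromhex("66778899aabb")                             # constructed MS MAC (MAC=A)
    anonce = hashlib.sha256(b"constructed ANonce").digest()             # AP random number
    snonce = hashlib.sha256(b"constructed SNonce").digest()             # station random number
    pmk = pmk_from_msk(msk)

    # Station: derive PTK, send message 2 = SNonce + MIC(KCK).
    ptk_sta = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)
    msg2 = sign_eapol_key(ptk_sta["kck"], build_eapol_key_msg2(snonce))

    # AP: read SNonce from the frame, derive its own PTK, check the MIC.
    snonce_rx = msg2[NONCE_OFFSET:NONCE_OFFSET + 32]
    ptk_ap = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce_rx)
    genuine_ok = verify_eapol_key(ptk_ap["kck"], msg2)

    # A frame whose nonce was altered in transit yields a different PTK at the AP, so the MIC fails.
    tampered = msg2[:NONCE_OFFSET] + bytes([msg2[NONCE_OFFSET] ^ 0xFF]) + msg2[NONCE_OFFSET + 1:]
    ptk_bad = derive_ptk(pmk, ap_mac, sta_mac, anonce, tampered[NONCE_OFFSET:NONCE_OFFSET + 32])
    tampered_ok = verify_eapol_key(ptk_bad["kck"], tampered)

    return {"pmk": pmk, "ptk_sta": ptk_sta, "ptk_ap": ptk_ap,
            "genuine_ok": genuine_ok, "tampered_ok": tampered_ok}


if __name__ == "__main__":
    r = run_handshake_demo()
    print("KCK", r["ptk_ap"]["kck"].hex())
    print("KEK", r["ptk_ap"]["kek"].hex())
    print("TK ", r["ptk_ap"]["tk"].hex())
    print("message 2 accepted:", r["genuine_ok"], "| tampered accepted:", r["tampered_ok"])
```

The point for the defender is in the two verify results: the EAPoL-Key MIC binds the nonces and MAC addresses into the session keys, so a modified handshake frame cannot be accepted, and because the PMK here descends from the AAA-delivered MSK rather than from a shared passphrase, an observer of the 4-way handshake has nothing to guess against.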