Module 216 - WiMAX Authentication

Wimax1.0 1-49
2005 - 2011 Nokia Siemens Networks
WiMAX Authentication: EAP-TTLS

Step 1: MS to BS radio link and BS to CAPC link activation.

Step 2: The MS initiates authentication with the BS by sending a PKMv2 EAP-Start. The BTS creates and
sends an Initiate Authentication message to the CAPC. The BTS includes a flag indicating whether or
not the PKMv2 EAP-Start message was signed with a valid CMAC or if the CMAC was not included.
The CAPC sends an M_SEC_EAP_REQ containing an EAP Identity Request to the BS. At this point the
CAPC does not know the EAP identity of the MS and must establish this identity before it can
contact the AAA server.
The BS forwards the EAP Identity Request to the MS via the PKMv2 EAP-Transfer message.
The MS responds with a PKMv2 EAP-Message containing the EAP Response with the identity
information from the MS. The BTS forwards this EAP Identity Response message to the CAPC within
an M_SEC_EAP_RSP message and identifies whether or not the EAP-Message was sent with a valid
CMAC digest.
Upon receiving an M_SEC_EAP_RSP with an EAP Identity Response, the CAPC sends the RADIUS
Access-Request message to the active AAA server/proxy.

Step 3: The AAA responds to the RADIUS Access-Request with a RADIUS Access-Challenge containing
an M_SEC_EAP_REQ, which in the EAP-TTLS case contains an EAP-TTLS Start. This begins the
process of establishing the EAP-TTLS tunnel.
The AAA server and the MS use TLS to establish an encrypted tunnel. TLS handshake messages are
encapsulated in EAP-TTLS request/response messages. EAP-TTLS request messages go from the
AAA server to the MS, while the MS sends EAP-TTLS response messages to the AAA server. RADIUS
Access-Challenge messages carry the EAP-TTLS request from the AAA server to the CAPC, while RADIUS
Access-Request messages carry the EAP-TTLS response from the CAPC to the AAA server.
After the handshake phase is completed, an end-to-end secure tunnel is established and the MSS and
the AAA server have negotiated the security parameters for the next phase, MS user authentication using
MS-CHAP-v2.

Step 4: Upon successful authentication of the user at the AAA server, the AAA sends a RADIUS Access-Accept
message with EAP Success to the CAPC. In case of authentication failure at the AAA server, it sends a RADIUS
Access-Reject message with EAP Failure to the CAPC.
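
The EAP exchange in Steps 2 to 4 can be checked mechanically when reviewing a capture. The following is an added example, not part of the original training material: it decodes EAP headers (RFC 3748, EAP-TTLS flags per RFC 5281), maps each packet to the RADIUS message that carries it between CAPC and AAA, and rejects an exchange that breaks the described order. The function names and the sample packets are constructed for illustration.

```python
import struct

CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
T_IDENTITY, T_TTLS, TTLS_S_BIT = 1, 21, 0x20  # EAP Types; Start bit in TTLS flags

def eap(code, ident, data=b""):  # Code, Identifier, Length, then Type + type-data
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data

def parse_eap(pkt):
    """Decode an EAP header; raise ValueError on truncated or inconsistent input."""
    if len(pkt) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code not in CODES or not 4 <= length <= len(pkt):
        raise ValueError("bad EAP code or length")
    p = {"code": CODES[code], "id": ident, "type": None, "start": False}
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response without a Type octet")
        p["type"] = pkt[4]
        p["start"] = p["type"] == T_TTLS and length >= 6 and bool(pkt[5] & TTLS_S_BIT)
    return p

def carrier(p):
    """RADIUS carrier on the CAPC-AAA leg; None for the CAPC's own Identity Request."""
    if p["code"] == "Request" and p["type"] == T_IDENTITY:
        return None  # Step 2: the CAPC asks for the identity before contacting AAA
    return {"Request": "Access-Challenge", "Response": "Access-Request",
            "Success": "Access-Accept", "Failure": "Access-Reject"}[p["code"]]

def trace(packets):
    """Label each packet with its RADIUS carrier; reject out-of-order exchanges."""
    rows, pending, seen_ttls = [], None, False
    for raw in packets:
        p = parse_eap(raw)
        if not rows and (p["code"], p["type"]) != ("Request", T_IDENTITY):
            raise ValueError("exchange must open with EAP-Request/Identity")
        if p["code"] == "Request":
            if p["type"] == T_TTLS and not seen_ttls and not p["start"]:
                raise ValueError("first EAP-TTLS request lacks the Start flag")
            seen_ttls, pending = seen_ttls or p["type"] == T_TTLS, p["id"]
        elif p["code"] == "Response" and p["id"] != pending:
            raise ValueError("Response Identifier does not match the Request")
        rows.append((p["code"], p["type"], carrier(p)))
    return rows

# Constructed sample exchange; the identity and TLS bytes are placeholders.
SAMPLE = [eap(1, 1, b"\x01"), eap(2, 1, b"\x01ms@example.invalid"),
          eap(1, 2, bytes([T_TTLS, TTLS_S_BIT])),
          eap(2, 2, bytes([T_TTLS, 0]) + b"\x16\x03\x01"), eap(3, 3)]
```

Calling trace(SAMPLE) returns one row per packet with its EAP code, EAP type and RADIUS carrier; the MS-CHAP-v2 phase runs inside the TLS tunnel and is therefore not visible at this layer.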