Access control and Authentication in wireless access networks


Access control is the process that takes place between the wireless station and the access network in order to establish a security association. The wireless station and the access network need to mutually authenticate each other and derive fresh keying material that will be used to protect the traffic over the air.


The big picture

Typical access control architectures use the Extensible Authentication Protocol (EAP) to perform authentication, and AAA (Authentication, Authorization and Accounting) protocols to transfer EAP messages and keying material between the parties involved in the authentication process.


The Extensible Authentication Protocol (EAP)

EAP is a client/server protocol that can support different authentication mechanisms (also called methods) for authenticating a client to an authentication server and deriving fresh keys.

The EAP protocol introduces three roles. First, the EAP peer, which corresponds to the client wishing to authenticate and gain service access. Second, the EAP authenticator, which corresponds to the entity that controls the service (in access networks, an access point or a switch). Finally, the EAP server, which is the entity capable of authenticating the network client or EAP peer.

The EAP server and the EAP authenticator can be integrated or separate entities. When the EAP authenticator is itself an EAP server, it processes all the EAP messages exchanged with the EAP peer locally. However, this approach is not recommended, since the EAP server has access to sensitive user data and authentication material such as user passwords, and it is best kept in a safe location at the back end of the wireless access network. If the EAP server is separate from the EAP authenticator, the EAP authenticator is said to act as an EAP pass-through authenticator, and the EAP server is referred to as the back-end EAP authentication server. The EAP pass-through authenticator forwards EAP packets between the EAP peer and the EAP server and waits for an EAP-Success or an EAP-Failure message from the EAP server, indicating respectively the success or the failure of the EAP authentication. In case of successful authentication, the EAP authenticator grants the network access service to the client; otherwise, the client is rejected.

An EAP authentication generally starts with the EAP authenticator issuing an EAP-Request Identity message. The EAP peer answers with an EAP-Response Identity message that includes its identity. The EAP-Response Identity message is forwarded to the EAP server, which selects an EAP authentication method and issues an EAP-Request message to the peer. The contents of this message depend on the EAP method selected by the EAP server. There are several methods the EAP server can choose from, provided they are configured, such as EAP-TLS, EAP-MD5 and EAP-SIM.

When the EAP peer receives the first EAP-Request from the EAP server, it can accept the method selected by the EAP server or reject it by issuing an EAP-NAK message. The EAP-NAK message includes a list of preferred methods from which the EAP server should choose.

When the EAP peer and EAP server agree on the method, the EAP exchange will continue until the EAP server and peer have achieved authentication using the selected method. The number of round trips depends on the method in use. At the end of a successful authentication, the EAP server issues an EAP-Success message. When the EAP authenticator receives this message, it grants service access to the client.
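As an added illustration of the exchange described above (example code, not from the thesis), the following Python models a peer, a back-end EAP server and a pass-through authenticator: the authenticator issues Request Identity, the server proposes EAP-TLS first, the peer rejects it with a Nak listing EAP-MD5, and the server switches to EAP-MD5 and ends with Success or Failure. The packet layout and code/type numbers are the RFC 3748 values; the user names, passwords and class design are assumptions made for the example.

```python
import hashlib, os, struct
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4     # EAP Codes (RFC 3748)
IDENTITY, NAK, MD5_CHALLENGE, EAP_TLS = 1, 3, 4, 13  # EAP Types (RFC 3748)

def encode(code, ident, mtype=None, data=b""):  # Code | Identifier | Length | Type | Type-Data
    body = (bytes([mtype]) if mtype is not None else b"") + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body  # Length covers the 4-byte header
def decode(pkt):  # the Length field is checked against the buffer rather than trusted
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or (code in (REQUEST, RESPONSE) and length < 5): raise ValueError("bad EAP length")
    return (code, ident, pkt[4], pkt[5:]) if code in (REQUEST, RESPONSE) else (code, ident, None, b"")
def md5_digest(ident, password, challenge):  # EAP-MD5 (RFC 3748 s5.4): MD5(Identifier || password || challenge)
    return hashlib.md5(bytes([ident]) + password + challenge).digest()
class Peer:  # constructed EAP peer for this example; it implements EAP-MD5 only
    def __init__(self, identity, password): self.identity, self.password = identity, password
    def handle(self, pkt):
        _, ident, mtype, data = decode(pkt)
        if mtype == IDENTITY:
            return encode(RESPONSE, ident, IDENTITY, self.identity)
        if mtype != MD5_CHALLENGE:  # unsupported method: reject with a Nak listing what the peer accepts
            return encode(RESPONSE, ident, NAK, bytes([MD5_CHALLENGE]))
        digest = md5_digest(ident, self.password, data[1:1 + data[0]])  # data = value-size | challenge
        return encode(RESPONSE, ident, MD5_CHALLENGE, bytes([16]) + digest + self.identity)
class Server:  # constructed back-end EAP server; users maps identity -> password
    def __init__(self, users, methods):  # methods: configured EAP types, most preferred first
        self.users, self.methods, self.ident, self.user, self.challenge = users, methods, 0, None, None
    def _propose(self, method):
        self.challenge = os.urandom(16)  # fresh per attempt, so a captured Response cannot be replayed
        data = bytes([16]) + self.challenge if method == MD5_CHALLENGE else b"\x20"  # 0x20 = EAP-TLS Start
        return encode(REQUEST, self.ident, method, data)
    def handle(self, pkt):
        code, ident, mtype, data = decode(pkt)
        if code != RESPONSE or ident != self.ident: return None  # stale or replayed Response: drop it
        self.ident = (ident + 1) & 0xFF
        if mtype == IDENTITY:
            self.user = bytes(data)
            return self._propose(self.methods[0])
        if mtype == NAK:  # peer refused: take the first method on its list that is also configured here
            chosen = next((m for m in data if m in self.methods), None)
            return self._propose(chosen) if chosen else encode(FAILURE, ident)
        ok = (mtype == MD5_CHALLENGE and self.user in self.users
              and data[1:17] == md5_digest(ident, self.users[self.user], self.challenge))
        return encode(SUCCESS if ok else FAILURE, ident)
def authenticator(peer, server):  # pass-through: issue Request Identity, relay, grant only on Success
    pkt = encode(REQUEST, server.ident, IDENTITY)
    while decode(pkt)[0] == REQUEST:
        pkt = server.handle(peer.handle(pkt))
    return decode(pkt)[0] == SUCCESS
```

EAP-MD5 is used here only because its single round trip fits a short example; it derives no keying material, so it cannot supply the fresh keys the introduction requires, which is why it is not used for wireless access.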


Authentication, Authorization and Accounting (AAA) protocols

In the context of network access control, Authentication, Authorization and Accounting protocols allow network access servers (access points and switches) to communicate with centralized Authentication, Authorization and Accounting servers. As previously explained, authentication using EAP involves a back-end EAP server that is capable of verifying client credentials. EAP messages between the network client and the access point are exchanged using 802.1X frames. On the other hand, EAP messages between the access point and the EAP server are carried using an AAA protocol. AAA protocols specify the encapsulation of EAP packets over UDP and/or TCP, which allows the access point to exchange EAP packets with the EAP server over an IP network. AAA protocols may natively support accounting and authorization, or specify the encapsulation of existing accounting and authorization protocols. Since this thesis focuses on authentication in wireless access networks, we only overview how AAA protocols support authentication operations.

The AAA server is a logical entity that supports several authentication, authorization and accounting services. More precisely, the AAA server is a program that accepts AAA messages, identifies the type of each AAA message and forwards the service-specific payload to the corresponding service. For example, in the case of authentication using EAP, the AAA server receives AAA messages from access points that encapsulate EAP messages. The role of the AAA server consists in extracting the EAP payload and forwarding it to the EAP server, generally a routine within the same program, for processing. The resulting EAP message returned by the EAP server is then encapsulated in an AAA message by the AAA server and sent back to the access point. In this context, access points are said to act as AAA clients. AAA clients are generally policy enforcement points, where the service is delivered. In the context of access networks, access points and switches act as AAA clients to exchange EAP messages with the EAP server.

The two AAA protocols used today are RADIUS and Diameter. Each supports the encapsulation of EAP messages. The support of EAP authentication in RADIUS is specified in RFC 3579, while the support of EAP in Diameter is specified in RFC 4072.
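Added example, not from the thesis: how an access point acting as AAA client encapsulates an EAP packet in a RADIUS Access-Request as specified in RFC 3579, and how the AAA server checks the Message-Authenticator before handing the reassembled EAP payload to the EAP server. The attribute numbers and the HMAC-MD5 construction are the RFC 2865/RFC 3579 values; the shared secret, user name and EAP packets are constructed for the example.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST = 1                                          # RADIUS Code (RFC 2865)
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80   # attribute Types (RFC 2865, RFC 3579)

def attr(atype, value):  # Type | Length (covers this 2-byte header, so value <= 253) | Value
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, 2 + len(value)) + value

def eap_attrs(eap_pkt):  # RFC 3579 s3.1: a long EAP packet spans several EAP-Message attributes, in order
    return b"".join(attr(EAP_MESSAGE, eap_pkt[i:i + 253]) for i in range(0, len(eap_pkt), 253))

def build_access_request(secret, ident, username, eap_pkt):  # AAA client (access point) side
    req_auth = os.urandom(16)  # Request Authenticator: fresh random value per request
    attrs = attr(USER_NAME, username) + eap_attrs(eap_pkt) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    # Message-Authenticator = HMAC-MD5(shared secret, packet with its own value zeroed) (RFC 3579 s3.2)
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # the zeroed placeholder is the final attribute, so overwrite it in place

def parse_attrs(pkt):  # returns [(type, value)], refusing attributes that overrun the packet
    attrs, off = [], 20
    while off < len(pkt):
        if off + 2 > len(pkt) or pkt[off + 1] < 2 or off + pkt[off + 1] > len(pkt):
            raise ValueError("malformed RADIUS attribute")
        atype, alen = pkt[off], pkt[off + 1]
        attrs.append((atype, pkt[off + 2:off + alen]))
        off += alen
    return attrs

def verify_and_extract_eap(secret, pkt):  # AAA server side, before the EAP payload reaches the EAP server
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("bad RADIUS length")
    attrs = parse_attrs(pkt)
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:  # RFC 3579: mandatory whenever EAP-Message is present
        raise ValueError("EAP-Message without exactly one Message-Authenticator")
    zeroed = pkt[:20] + b"".join(attr(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    if not hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), macs[0]):
        raise ValueError("Message-Authenticator check failed: wrong secret or altered packet")
    return b"".join(v for t, v in attrs if t == EAP_MESSAGE)  # reassembled EAP packet
```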


