
Extensible Authentication Protocol (EAP)

1. General EAP
The Extensible Authentication Protocol is a general authentication
framework that supports multiple authentication methods.
The advantages of EAP:
- EAP can support multiple authentication mechanisms without
having to pre-negotiate a particular one.
- Network Access Server (NAS) devices (e.g. a switch or access point)
do not have to understand each authentication method and may
act as a pass-through agent for a backend authentication server.
- Separation between the authenticator and the backend authentication
server simplifies credential management and policy decision
making.
The disadvantages of EAP:
- Where the authenticator is separated from the backend
authentication server, this complicates the security analysis and,
if needed, the key distribution.
An EAP implementation consists of three key components:
- Lower layer: responsible for transmitting and receiving EAP
frames between the peer and the authenticator.
- EAP layer: responsible for receiving and transmitting EAP packets
via the lower layer, and for implementing duplicate detection and
retransmission.
- EAP method: responsible for implementing the authentication
algorithm; it receives and transmits EAP messages via the EAP layer.

Figure 1 : EAP multiplexing model

Figure 2 : Pass-through Authenticator

The EAP authentication exchange proceeds as follows:

- The authenticator sends a Request to authenticate the peer. The
Request includes a Type field to indicate what is being requested
(e.g. an Identity Request).
- The peer sends a Response packet in reply to a valid Request. As
with the Request packet, the Response packet contains a Type
field corresponding to the Type field of the Request.
- The authenticator sends an additional Request packet and the
peer replies with a Response; this process continues as long as
needed.
- The conversation continues until the authenticator cannot
authenticate the peer, replying with Code 4 (indicating Failure), or the
authenticator determines that a successful authentication has
occurred, replying with Code 3 (indicating Success).
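As an added illustration (not part of the original document), the following Python script builds and parses the EAP packet header that the exchange above relies on and runs a toy authenticator/peer conversation that ends in Code 3 or Code 4. The Code and Type values follow the standard EAP layout (Code 1 Request, 2 Response, 3 Success, 4 Failure; Type 1 Identity); the challenge method with Type 255, the secret store and the sample identity are constructed for this example, and the Identifier check stands in for the EAP layer's duplicate detection.

```python
import hashlib, hmac, struct

CODE_REQUEST, CODE_RESPONSE, CODE_SUCCESS, CODE_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_TOY_CHALLENGE = 1, 255   # 255 is a hypothetical method Type for the toy

def build_eap(code, identifier, eap_type=None, type_data=b""):
    """Code(1) | Identifier(1) | Length(2) | [Type(1) | Type-Data]; Success/Failure carry no Type."""
    body = b"" if code in (CODE_SUCCESS, CODE_FAILURE) else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def parse_eap(packet):
    """Return (code, identifier, type, type_data); reject a Length field the packet cannot back."""
    if len(packet) < 4:
        raise ValueError("shorter than the EAP header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if not 4 <= length <= len(packet):
        raise ValueError("Length field inconsistent with packet")
    if code in (CODE_SUCCESS, CODE_FAILURE):
        return code, identifier, None, b""
    if length < 5:
        raise ValueError("Request/Response without a Type field")
    return code, identifier, packet[4], packet[5:length]

def peer_reply(request, identity, secret):
    """EAP peer: answer a valid Request with a Response carrying the same Identifier and Type."""
    code, identifier, eap_type, data = parse_eap(request)
    if code == CODE_REQUEST and eap_type == TYPE_IDENTITY:
        return build_eap(CODE_RESPONSE, identifier, TYPE_IDENTITY, identity.encode())
    if code == CODE_REQUEST and eap_type == TYPE_TOY_CHALLENGE:   # constructed method: MAC the challenge
        return build_eap(CODE_RESPONSE, identifier, eap_type, hmac.new(secret, data, hashlib.sha256).digest())
    return None   # not a Request, or an unknown method: silently discarded (a Nak is omitted here)

def authenticate(peer, secrets, challenge=b"constructed-challenge"):
    """EAP authenticator: Identity round, one method round, then Success (3) or Failure (4)."""
    identifier, secret = 0, None
    for eap_type, data in ((TYPE_IDENTITY, b""), (TYPE_TOY_CHALLENGE, challenge)):
        response = peer(build_eap(CODE_REQUEST, identifier, eap_type, data))
        if response is None:
            return CODE_FAILURE
        code, rid, rtype, rdata = parse_eap(response)
        # Identifier must match the outstanding Request (stale/duplicate detection) and Type must match
        if (code, rid, rtype) != (CODE_RESPONSE, identifier, eap_type):
            return CODE_FAILURE
        if eap_type == TYPE_IDENTITY:
            secret = secrets.get(rdata.decode(errors="replace"))   # unknown peer -> secret stays None
        elif secret is None or not hmac.compare_digest(rdata, hmac.new(secret, challenge, hashlib.sha256).digest()):
            return CODE_FAILURE
        identifier = (identifier + 1) % 256   # next Request gets a fresh Identifier
    return CODE_SUCCESS
```

A real NAS would only relay these packets to the backend server; here the authenticator and the method are collapsed into one function to keep the Request/Response/Success/Failure sequence visible.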
2. Specific EAP support in UICC
Why is EAP used?
The authentication methods require the use of credentials
stored in the UICC.
For security reasons, the credentials shall not be revealed in the clear
in an unprotected environment (e.g. a laptop or mobile).
To explain clearly how EAP is used with the UICC, we describe a
specific case: EAP SIM.
2.1 EAP SIM

EAP SIM is an EAP authentication protocol designed for use with the
existing GSM mobile telecommunication system and SIM
cards for mobile phones. EAP AKA allows Wireless LAN users to
authenticate access to a Wireless LAN network using a mobile phone
SIM card.

Figure 3 : An example of an EAP SIM and EAP AKA WLAN authentication system
When the user roams within range of a WLAN Access Point, the
Access Point, the Radius server and the wireless client software set
up a communication dialog in order to authenticate the user and
confirm that they are allowed to access the network. During this
process, the Radius server contacts the user's home GSM operator
directly or through a GSM/MAP/SS7 gateway and retrieves the GSM triplet
used to authenticate the user.
If the user's wireless client software and SIM card are able to
validate the GSM triplets correctly, the Radius server tells the AP to
grant access to the WLAN. The AP connects the client computer to the
WLAN and sends accounting information to the Radius server,
indicating that the connection is complete. Radiator would usually be
configured to insert this data into an SQL database to be used for billing.
The user then uses the wireless connection to send and receive
internet traffic for a period of time. During this time, the AP will typically
send an Alive message to the Radius server, indicating that the wireless
session is still connected. After the user roams out of range of the AP,
or turns off their device, the AP sends a Stop message to the Radius
server, indicating that the wireless session is completed. All this data can
be stored in the SQL database for billing.

Figure 4 : Typical message sent during an EAP SIM wireless session


The overall result of this process is that only people who have a
valid SIM card will be able to get access to the WLAN. Further,
with proof that a valid SIM card is used, the operator is able to arrange
payment for WLAN access through the user's home mobile phone
operator, using the existing mobile phone billing infrastructure.
2.2 Principles for implementing EAP methods in a UICC

The following architectural principles are applied:

- The authenticator is able to perform an EAP authentication
process (using a specific EAP method) with a UICC application
implementing this method. That means the authentication is
performed end to end between the authenticator and the UICC
application.
- The peer is composed of several components:
  - The UICC EAP framework provides the terminal with information
  about the existing UICC applications that provide UICC EAP clients.
  - A UICC application provides one or more UICC EAP clients.
  - A UICC EAP client implements one specific EAP method.

Figure 6 : EAP architecture when the supplicant is split between a UICC and a terminal
