
Security is a key feature of future wireless communication networks. To accommodate the differing requirements of network operators and use cases, the integration of individual authentication mechanisms has been separated from the implementation of the authentication framework itself. The IETF has defined the Extensible Authentication Protocol (EAP) in RFC 2284 so that authentication methods can be added and maintained easily. acticom offers EAP-related software, including support for the authentication methods needed for WLAN-3GPP integration, i.e. EAP-SIM and EAP-AKA. Non-3GPP WLAN based access systems may rely on EAP methods that do not meet the security requirements of upcoming security standards; for these, acticom has developed an implementation of Protected EAP (PEAP), an IETF draft standard that extends the well-known EAP-TLS protocol without requiring operators to manage a PKI.


EAP-SIM/AKA

Integrating Wireless LAN based access networks with 3GPP networks will require porting the GSM/3GPP authentication mechanisms to Wireless LAN access networks. SIM and USIM will be standardized for identifying and authenticating the user in 3GPP networks, and EAP derivatives of these authentication mechanisms (EAP-SIM and EAP-AKA) have been standardized.


EAP Tunneled Authentication Protocols

For authentication within Wireless LAN based access networks, an EAP authentication method must be chosen that fulfills all requirements of the future IEEE 802.11i Enhanced Security standard. The client device and the backend authentication server exchange EAP PDUs that traverse the wireless link. To prevent an eavesdropper from extracting usable information from the EAP frame exchange, an EAP method must provide data encryption and mutual authentication of network and client device. Most EAP methods used for the Point-to-Point Protocol (PPP), such as EAP-MD5 and MS-CHAPv1/v2, do not offer sufficient encryption and are vulnerable to at least brute-force dictionary attacks; network operators should not deploy them for client authentication in wireless environments. The 802.11i working group has recommended EAP-TLS as defined in RFC 2716. EAP-TLS provides sufficient encryption and the key derivation mechanisms needed for 802.11i based link encryption, but it requires the deployment of a Public Key Infrastructure to ensure secure mutual authentication.


Several proposals have been developed recently to retain traditionally deployed EAP mechanisms while guaranteeing more secure encryption on the wireless link. Protected EAP (draft-josefsson-pppext-eap-tls-eap-06.txt) is a successor of EAP-TLS that extends the basic EAP-TLS protocol by using the TLS data phase to carry an inner EAP authentication protocol inside the encrypted PEAP tunnel.
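As an added illustration (not acticom's code), the framing that the exchange above rides on: the RFC 2284 EAP header, the EAP-TLS/PEAP type-data layout with its L/M/S flag bits, and fragment reassembly. These outer fields are all an eavesdropper on the wireless link sees, because the inner EAP method travels as TLS ciphertext. Type values and flag bits are those of RFC 2284, RFC 2716 and the PEAP draft; the sample identity and TLS payload below are constructed.

```python
import struct

# EAP codes and method types (RFC 2284, RFC 2716, PEAP draft)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_EAP_TLS, TYPE_PEAP = 1, 13, 25
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # length present / more fragments / start

def eap_encode(code, ident, eap_type=None, type_data=b""):
    """Build an EAP PDU: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = bytes([eap_type]) + type_data if code in (EAP_REQUEST, EAP_RESPONSE) else b""
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def eap_decode(pdu):
    """Parse an EAP PDU, rejecting a Length field that disagrees with the frame."""
    code, ident, length = struct.unpack("!BBH", pdu[:4])
    if length < 4 or length != len(pdu):
        raise ValueError("EAP Length does not match received PDU")
    if code in (EAP_REQUEST, EAP_RESPONSE):
        return code, ident, pdu[4], pdu[5:length]
    return code, ident, None, b""          # Success / Failure carry no Type

def tls_fragments(tls_msg, mtu, version=0):
    """Split a TLS message into EAP-TLS/PEAP type-data fragments: the first carries
    L plus the total TLS length, all but the last carry M; PEAP keeps its version
    in the low three flag bits."""
    if not tls_msg:                        # empty payload = EAP-TLS/PEAP ACK
        return [bytes([version])]
    frags, off = [], 0
    while off < len(tls_msg):
        first = off == 0
        chunk = tls_msg[off: off + mtu - (5 if first else 1)]
        off += len(chunk)
        flags = version | (FLAG_L if first else 0) | (FLAG_M if off < len(tls_msg) else 0)
        length = struct.pack("!I", len(tls_msg)) if first else b""
        frags.append(bytes([flags]) + length + chunk)
    return frags

def tls_reassemble(type_datas):
    """Concatenate fragments until one without M; check the announced length."""
    total, buf = None, b""
    for td in type_datas:
        flags, rest = td[0], td[1:]
        if flags & FLAG_L:
            total, rest = struct.unpack("!I", rest[:4])[0], rest[4:]
        buf += rest
        if not flags & FLAG_M:
            break
    if total is not None and len(buf) != total:
        raise ValueError("incomplete or oversize TLS message")
    return buf
```

A server that drops fragment sets failing the length check, and an identity response that is only ever sent as an inner method, are the two defensive checks this framing makes possible.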


The PEAPv2 library fits into the acticom IEEE802.1X and WPA/802.11i software stacks, providing improved security.