Cisco Prime Access Registrar 6.0 White Paper

© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. 
The use of EAP-SIM and EAP-AKA in Hotspot 2.0 is seen as an important step in improving the experience of 
smartphone users on Wi-Fi networks, bringing them on a par with cellular networks where network selection and 
authentication are fully automated and usually hidden from the user, even in roaming scenarios. 
However, the wide-scale introduction of Passpoint-certified mobile devices and operation of EAP-SIM and EAP-
AKA brings new scalability challenges to service provider Wi-Fi networks and their MNO partner networks. As a 
consequence, the GSMA and the WBA have cooperated on an investigation into the potential for scaling issues 
associated with the adoption of WFA’s Passpoint-certified devices that make use of smart card credentials to 
authenticate themselves to service provider Wi-Fi networks. 
This white paper builds on material published by GSMA/WBA [1] and describes a comprehensive and proven set of 
tools that enable service providers to address the scalability challenges of their carrier Wi-Fi deployments. 
Adoption of Passpoint 
Legacy service provider Wi-Fi systems have conventionally made extensive use of web-based authentication. 
Such systems must be scaled to allocate an IP address to every Wi-Fi device that associates with the network, 
whether or not that device ever authenticates, because the service provider can only redirect a user's HTTP 
browser session to a "captive" portal once the device has IP connectivity. The portal presents a web page 
advertising the Wi-Fi service, on which the user subsequently enters username and password credentials. Some 
devices improve the user experience by transparently making an HTTP request to a known URL after association in 
order to determine whether the Wi-Fi network offers direct connectivity to the Internet or whether credentials 
must be entered into a captive portal. 
Compared with such legacy systems, which stress the IP address management (IPAM) functionality of the service 
provider Wi-Fi network, Passpoint devices instead trigger an EAP dialogue after associating with the Wi-Fi 
network and before requesting an IP address, so an unauthenticated device consumes no IP address at all. This 
EAP dialogue is typically transported over RADIUS signaling between the IEEE 802.1X port-based authenticator 
(the access point or wireless LAN controller) and the EAP server, with the EAP packets carried in RADIUS 
EAP-Message attributes. Furthermore, when supporting the EAP-SIM (RFC 4186) and/or EAP-AKA (RFC 4187) methods 
required by the Hotspot 2.0 Release 1.0 and 2.0 specifications, the EAP server must interface to the home 
location register (HLR) for EAP-SIM or the home subscriber server (HSS) for EAP-AKA in order to obtain 
authentication vectors (GSM triplets for EAP-SIM, UMTS quintets for EAP-AKA) computed from the subscriber's 
smart card credentials; the long-term subscriber key itself never leaves the HLR/HSS or the (U)SIM. 
Hence, compared with legacy service provider Wi-Fi architectures that required scalable IPAM infrastructure, 
mobile operators wanting to accelerate the adoption of Wi-Fi through the use of Passpoint-certified devices need to 
pay careful attention to the scalability of the end-to-end systems (RADIUS transport, EAP server and the HLR/HSS 
interfaces) that support the EAP dialogue. 
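As an added illustration of the RADIUS leg of that dialogue (example code written for this page, not code from the paper or from Cisco Prime Access Registrar), the following Python builds the Access-Request that an IEEE 802.1X authenticator sends to carry a Passpoint device's EAP-Response/Identity, and then performs the checks an EAP server should make before it spends an HLR/HSS lookup on the request: length sanity, the Message-Authenticator that RFC 3579 makes mandatory whenever EAP-Message is present, and extraction of the identity whose leading digit and realm select the method and the home operator. The shared secret, NAS identifier and IMSI-based identity are constructed values.

```python
"""Added example (not from the paper or from Cisco Prime Access Registrar):
the RADIUS Access-Request that an IEEE 802.1X authenticator sends to carry a
Passpoint device's EAP-Response/Identity, and the checks an EAP server should
make before spending an HLR/HSS lookup on it. Secret, NAS name and IMSI are
constructed values."""
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional, Tuple

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IDENTIFIER = 32
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1

SECRET = b"constructed-shared-secret"   # constructed; never reuse a value like this
NAS_ID = "ap-1.example.net"              # constructed authenticator name
# Constructed EAP-SIM permanent identity: leading "1", IMSI, 3GPP realm (RFC 4186, 3GPP TS 23.003).
IDENTITY = "1234150123456789@wlan.mnc015.mcc234.3gppnetwork.org"


def eap_response_identity(eap_id: int, identity: str) -> bytes:
    """EAP-Response/Identity (RFC 3748): Code, Identifier, Length, Type, Type-Data."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body


def attr(atype: int, value: bytes) -> bytes:
    """RADIUS attribute TLV; a value over 253 octets must be split across attributes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_access_request(secret: bytes, identity: str, nas_id: str, radius_id: int = 7,
                         eap_id: int = 1, request_auth: Optional[bytes] = None) -> bytes:
    """Authenticator side. RFC 3579 requires Message-Authenticator on every packet carrying
    EAP-Message; it is HMAC-MD5(secret, packet) computed with the attribute itself zeroed."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, identity.encode())
             + attr(ATTR_NAS_IDENTIFIER, nas_id.encode())
             + attr(ATTR_EAP_MESSAGE, eap_response_identity(eap_id, identity))
             + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))   # zero placeholder, last attribute
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, radius_id, 20 + len(attrs)) + request_auth
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def parse_attributes(packet: bytes) -> List[Tuple[int, int, bytes]]:
    """(type, offset of value, value) for each attribute, rejecting malformed lengths."""
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("bad attribute length")
        out.append((atype, pos + 2, packet[pos + 2:pos + alen]))
        pos += alen
    return out


def verify_and_extract(secret: bytes, packet: bytes) -> Dict[str, object]:
    """EAP server side: length sanity, mandatory Message-Authenticator (constant-time
    compare), then the EAP identity that selects the method and the home MNO realm."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, rid, length = struct.unpack("!BBH", packet[:4])
    if code != RADIUS_ACCESS_REQUEST or length != len(packet):
        raise ValueError("not an Access-Request or length mismatch")
    attrs = parse_attributes(packet)
    mas = [(off, val) for t, off, val in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(mas) != 1 or len(mas[0][1]) != 16:
        raise ValueError("Message-Authenticator missing; required with EAP-Message")
    off, received = mas[0]
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    if not hmac.compare_digest(received, hmac.new(secret, zeroed, hashlib.md5).digest()):
        raise ValueError("Message-Authenticator check failed")
    eap = b"".join(val for t, _, val in attrs if t == ATTR_EAP_MESSAGE)  # fragments, in order
    if len(eap) < 5:
        raise ValueError("no EAP payload")
    eap_code, eap_id, eap_len = struct.unpack("!BBH", eap[:4])
    if eap_code != EAP_RESPONSE or eap_len != len(eap) or eap[4] != EAP_TYPE_IDENTITY:
        raise ValueError("expected EAP-Response/Identity")
    identity = eap[5:].decode()
    # 3GPP TS 23.003 permanent-identity prefixes: "1" selects EAP-SIM (HLR), "0" EAP-AKA (HSS).
    method = {"1": "EAP-SIM", "0": "EAP-AKA"}.get(identity[:1], "other")
    return {"radius_id": rid, "eap_id": eap_id, "identity": identity,
            "method": method, "realm": identity.partition("@")[2]}


def demo() -> Dict[str, object]:
    return verify_and_extract(SECRET, build_access_request(SECRET, IDENTITY, NAS_ID))


def is_rejected(flip_byte: Optional[int] = None, secret: bytes = SECRET) -> bool:
    """True if the server rejects a packet that was tampered with or checked under another secret."""
    pkt = bytearray(build_access_request(SECRET, IDENTITY, NAS_ID))
    if flip_byte is not None:
        pkt[flip_byte] ^= 0x01
    try:
        verify_and_extract(secret, bytes(pkt))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
    print("tampered identity rejected:", is_rejected(flip_byte=22))   # byte 22 is the first User-Name octet
    print("wrong secret rejected:", is_rejected(secret=b"other-secret"))
```

The Message-Authenticator check is what stops a spoofed or modified Access-Request from triggering a lookup against the HLR/HSS; an EAP server that skips it turns every RADIUS client into a way to burn authentication vectors. The identity prefix and realm are also where a server routes to the right operator's HLR or HSS, which is why both are validated before any backend call.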
Overview of IEEE 802.1X-Based Authentication 
It is instructive to review the authentication process when IEEE 802.1X is used as required by the Passpoint 
architecture. 
The accompanying figure illustrates that the Wi-Fi client initiates the authentication process by sending an 
IEEE 802.11 authentication request followed by an association request. Subsequent to the association 
request/response exchange, the access point initiates the EAP sequence, typically with an EAP-Request/Identity. 
On successful authentication, the AAA server returns the EAP master session key (MSK) to the access point in the 
RADIUS Access-Accept (carried in the MS-MPPE-Recv-Key and MS-MPPE-Send-Key attributes); the first 256 bits of the 
MSK form the pairwise master key (PMK). The client, having run the same EAP method with the secret held on its 
SIM/USIM, derives the same MSK and hence the same PMK independently. The PMK is then used to derive the pairwise 
transient key (PTK), which is split into a key confirmation key (KCK), a key encryption key (KEK) and a temporal 
key (TK); the TK secures the traffic between the client and the AP over the encrypted Wi-Fi link. The PTK is 
derived and installed through the four-way handshake using EAP over LAN (EAPOL) key frames, in which the AP and 
the client exchange fresh nonces (ANonce and SNonce). The four-way handshake proves to each side that the other 
holds the same PMK without the PMK itself ever being sent, binds the PTK to the fresh nonces so that a captured 
handshake cannot be replayed, and protects each message with a MIC under the KCK so that a man-in-the-middle 
cannot tamper with the exchange; it also delivers the group temporal key (GTK) to the client.
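To make the key hierarchy concrete, the following Python (an added example written for this page, not code from the paper or from Cisco) carries the derivation through: the MSK truncated to the PMK, the IEEE 802.11 PRF-384 expansion of the PMK into KCK, KEK and TK, the EAPOL-Key MIC, and a simplified messages 1 and 2 of the four-way handshake in which the AP checks the supplicant's MIC. The MSK, the two MAC addresses and the EAPOL-Key body layout are constructed stand-ins; the real frame format is not reproduced.

```python
"""Added example (not from the paper or from Cisco): the IEEE 802.11 key hierarchy
behind the text above, MSK -> PMK -> PTK (KCK/KEK/TK), and a simplified four-way
handshake showing what the EAPOL-Key MIC buys. The MSK, MAC addresses and the
EAPOL-Key body layout are constructed stand-ins."""
import hashlib
import hmac
import os
from typing import Dict, Tuple

MSK = hashlib.sha512(b"constructed MSK from a successful EAP-SIM run").digest()  # 64 bytes, constructed
AA = bytes.fromhex("020000aa0001")    # authenticator (AP) MAC address, constructed
SPA = bytes.fromhex("020000bb0002")   # supplicant (client) MAC address, constructed


def msk_to_pmk(msk: bytes) -> bytes:
    """The AAA server returns the 64-byte EAP MSK (RFC 5247; sent as MS-MPPE-Recv-Key and
    MS-MPPE-Send-Key); IEEE 802.11 takes its first 256 bits as the PMK."""
    if len(msk) != 64:
        raise ValueError("EAP MSK must be 64 octets")
    return msk[:32]


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenation of HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> Dict[str, bytes]:
    """PTK = PRF-384(PMK, "Pairwise key expansion", Min(AA,SPA) || Max(AA,SPA) ||
    Min(ANonce,SNonce) || Max(ANonce,SNonce)) for CCMP. The Min/Max ordering lets both sides
    reach the same key from their own view. Split: KCK (MIC), KEK (wraps the GTK), TK (data)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 384)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def eapol_key_mic(kck: bytes, frame: bytes, mic_offset: int) -> bytes:
    """EAPOL-Key MIC for the IEEE 802.1X AKM with CCMP: HMAC-SHA1(KCK, frame with MIC zeroed)[:16]."""
    zeroed = frame[:mic_offset] + bytes(16) + frame[mic_offset + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


MIC_OFFSET = 2 + 32   # constructed body below: 2 header bytes, 32-byte nonce, then the 16-byte MIC


def four_way_handshake(pmk_ap: bytes, pmk_sta: bytes, aa: bytes = AA, spa: bytes = SPA) -> Tuple[bool, bytes]:
    """Messages 1 and 2, simplified. The AP sends a fresh ANonce; the supplicant answers with a
    fresh SNonce and a MIC under the KCK it derived. The AP derives the PTK from its own PMK and
    checks the MIC: success proves the supplicant holds the PMK without the PMK crossing the air,
    and the fresh nonces make a captured message 2 useless for replay. Returns (mic_ok, TK) from
    the AP's point of view."""
    anonce = os.urandom(32)                                       # message 1: AP -> STA
    snonce = os.urandom(32)
    sta_ptk = derive_ptk(pmk_sta, aa, spa, anonce, snonce)
    body = b"\x02\x03" + snonce + bytes(16)                       # constructed EAPOL-Key body
    msg2 = body[:MIC_OFFSET] + eapol_key_mic(sta_ptk["KCK"], body, MIC_OFFSET)  # message 2: STA -> AP
    ap_ptk = derive_ptk(pmk_ap, aa, spa, anonce, snonce)
    mic_ok = hmac.compare_digest(eapol_key_mic(ap_ptk["KCK"], msg2, MIC_OFFSET), msg2[MIC_OFFSET:])
    return mic_ok, ap_ptk["TK"]


if __name__ == "__main__":
    pmk = msk_to_pmk(MSK)
    ok, tk = four_way_handshake(pmk, pmk)
    print("same PMK on both sides, MIC valid:", ok, "TK:", tk.hex())
    bad, _ = four_way_handshake(pmk, os.urandom(32))
    print("peer without the PMK, MIC valid:", bad)
```

Two things are worth noticing when running it. The PTK is the same whichever side computes it, because addresses and nonces are sorted before the PRF; and every run yields a different TK from the same PMK, which is the replay protection the text refers to. An attacker who does not hold the PMK can forward frames but cannot produce a valid MIC, so the AP never installs a key for it; what the handshake does not hide is the PMK's origin, which is why the scalability and integrity of the EAP server and its HLR/HSS interface matter so much in a Passpoint deployment.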