An authentication similar to GPRS may occur within the WLAN, depending on the implementation. Where the GPRS operator owns the WLAN, it is likely that the operator will reuse SIM-based authentication or 3GPP-based USIM authentication for UMTS subscribers within the WLAN environment. Similarly, for a subscriber to access services provided by a GPRS operator over any WLAN access network, regardless of whether the WLAN is owned by a GPRS operator, (U)SIM-based authentication can be used.
To reuse the 3GPP subscription, 3GPP interworking WLAN terminals will need access to UICC smart cards with SIM/USIM applications. A WLAN equipped with a SIM/USIM smart card is called WLAN UE. Given the need for dual-mode (WLAN-cellular) UEs, SIM/USIM will be available in those UEs. The architecture of interworking WLAN access reusing 3GPP USIM/SIM and HSS is shown in Figure 22.12.
Figure 22.12 WLAN system architecture reusing the 3GPP subscription.
The authentication procedure shown in Figure 22.13 is based on the deployment of IEEE 802.1X with 802.11.
Figure 22.13 SIM-based authentication over WLAN.
The cellular access gateway provides the AAA server functionality in the cellular operator's IP core. The access gateway interworks with the home location register (HLR) to obtain the authentication parameters used to create the authentication challenge to the UE and validate the response to the challenge. The EAP is used in the WLAN to perform authentication of the UE, passing the subscriber identity, SIM-based authentication data, and encrypted session key(s) to be used for encryption for the life of the session [3,4].
The authentication process starts after the UE has associated with an AP. The UE sends an EAP-Over-WLAN (EAPOW) Start message to trigger the initiation of 802.1X authentication. In steps 2 and 3 the identity of the UE is obtained with standard EAP-Request/Response messages (see Figure 22.13).
Next, the AP initiates a RADIUS dialog with the access gateway by sending an Access-Request message that contains the identity reported by UE. In the SIM-based authentication, this identity typically includes the IMSI value stored in the SIM card. The access gateway uses IMSI and other information included in the identity (i.e., a domain name) to derive the address of the HLR/HSS that contains subscription data for that particular UE.
In steps 5 and 6, the access gateway retrieves one or more authentication vectors from the HLR/HSS. These could be either UMTS authentication vectors (if the UE is equipped with a USIM) or GSM authentication vectors. In both cases, a random challenge, RAND, and an expected response, XRES, is included in every authentication vector. In steps 7 and 8, the random challenges sent to the UE, which runs the authentication algorithm implemented in the (U)SIM card and generates a challenge response value (SRES).
In steps 9 and 10, SRES is transferred to the access gateway and compared against the corresponding XRES value received from the HSS. If these values match, a RADIUS Access-Accept is generated in step 11 (otherwise, a RADIUS Access-Reject is generated). This instructs AP to authorize the 802.1X port and allow subsequent data packets from the UE. Note that the RADIUS Access-Accept message may also include authorization attributes, such as packet filters, which are used for controlling the user's access rights in the specific WLAN environment. In step 12, the AP transmits a standard EAP-Success message and subsequently an EAPOW-Key message for confi guring the session key in the UE.
Note that the authentication and authorization in the above procedure is controlled by UE's home environment (i.e., home GPRS network). The AP in the visited WLAN implements 802.1X and RADIUS but relies on the HSS in the home environment to authenticate the user. Figure 22.14 shows the protocol architecture for the authentication process. The UE is ultimately authenticated by HSS by means of either the GSM AKA or the UMTS AKA mechanisms.
Figure 22.14 A loosely coupled WLAN control plane for authentication.
The WLAN access network is connected to a 3GPP AAA proxy via the Wr reference point. The Wr reference point is used for authentication and key agreement signaling, and the protocols in this reference point are extensible authentication protocol (EAP) over DIAMETER or RADIUS (see Figure 22.15).
Figure 22.15 3GPP-WLAN interworking, authentication, and roaming architecture.
3GPP AAA proxy forwards authentication signaling between the WLAN access network and the 3GPP AAA server over the Ws reference point. The 3GPP AAA server verifies if the subscriber is authorized to use WLAN. The authorization information and authentication vectors needed in the authentication protocols are stored by the HSS. The 3GPP AAA server retrieves this information over the Wx reference point.
After the user has been successfully authenticated and authorized for network access, the WLAN access network Grants UE access to an IP network. In the simplest case, the IP network is the public Internet, and the user data is directly routed from the WLAN access network to the Internet.