1 / 11

Pre-authentication AAA Requirements

Pre-authentication AAA Requirements. Yoshihiro Ohba ( yohba@tari.toshiba.com ) Alper Yegin ( alper01.yegin@partner.samsung.com> ). What is pre-authentication.

tfine
Download Presentation

Pre-authentication AAA Requirements

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Pre-authentication AAA Requirements Yoshihiro Ohba (yohba@tari.toshiba.com) Alper Yegin (alper01.yegin@partner.samsung.com>) IETF66 RADEXT WG

  2. What is pre-authentication • Pre-authentication is network access authentication by performing EAP authentication with a target authenticator via the serving network • Pre-authentication was originally defined in IEEE 802.11i where the usage is intra-ESS transitions • HOAKEY BOF (held in IETF65 and to be held in IETF66) is extending the notion of pre-authentication to work across multiple ESS’s and even across multiple access technologies IETF66 RADEXT WG

  3. Basic pre-auth AAA requirements • Requirements identified in IETF65 HOAKEY BOF • AAA needs to know that this is a pre-authentication not normal authentication • User may only be allowed to have a single logon at the same time • User may not be allowed pre-authentication • Can pre-auth session timeout (see below) attribute serve as an indication of pre-auth or some other attribute is needed? • AAA needs to know how long to hold the session before timing out • Session timeout for pre-auth may be different for normal session • If the mobile moves after timeout then do normal authentication • Addressed in draft-aboba-radext-wlan-03.txt • What would signal that the host has successfully connected to a target network? Another round of (non-blocking) Access-Req/Accept? Or do we rely on accounting messages? If latter, then they must be mandated for pre-auth case IETF66 RADEXT WG

  4. Other potential pre-authentication AAA requirements/issues IETF66 RADEXT WG

  5. Extending pre-auth session lifetime • Pre-authentication session lifetime may need to be extended • The MN may continue to stay in the serving network or move to some other network, while maintaining the pre-authentication session with a target authenticator • Maximum pre-auth session lifetime may need to be defined in order to avoid unlimited attempts for extending pre-auth session lifetime - Is this a AAA protocol issue or a configuration issue? IETF66 RADEXT WG

  6. Reverting to pre-auth state from full authorized state • A session with a fully authorized state may need to be changed to a pre-auth state • This can happen when MN moves from network N1 to network N2, and goes back to N1 • MN may not want to perform pre-authentication again with N1 • Is this the same as key caching issue? • Key caching lifetime management is not fully studied • A complete solution for pre-authentication may solve key caching lifetime management issue as well IETF66 RADEXT WG

  7. Maximum number of pre-auth sessions for different authenticators • How many pre-authentication sessions for different authenticators are allowed per MN? • Is this a AAA protocol issue or a configuration issue? • This may be a AAA protocol issue for indirect pre-authentication in which the serving authenticator is involved in pre-auth signaling IETF66 RADEXT WG

  8. Information on the serving network • AAA server may need information on the serving network from which a pre-authentication attempt is being made • This information may affect the authorization decision made by AAA server • This may apply to normal authentication and handover keying signaling as well IETF66 RADEXT WG

  9. Calling-Station-Id • What should Calling-Station-Id be in the case of inter-technology pre-authentication? • Should it be the MN’s address used for the serving network? • In this case, a Calling-Station-Id may dynamically change if MN handovers to a new nerving network and still maintains the pre-authentication state with the target network • Should it be the MN’s address to be used for the target network? • Should it be null? IETF66 RADEXT WG

  10. Network-initiated pre-authentication • Are new AAA attributes needed to support network-initiated pre-authentication? • E.g., list of neighboring authenticators around the serving authenticator IETF66 RADEXT WG

  11. Summary • Pre-authentication for inter-technology handover requires thorough requirements work on both AAA and EAP lower-layer signaling • Pre-authentication is one work item of HOAKEY BOF IETF66 RADEXT WG

More Related