110 likes | 124 Views
Pre-authentication AAA Requirements. Yoshihiro Ohba ( yohba@tari.toshiba.com ) Alper Yegin ( alper01.yegin@partner.samsung.com> ). What is pre-authentication.
E N D
Pre-authentication AAA Requirements Yoshihiro Ohba (yohba@tari.toshiba.com) Alper Yegin (alper01.yegin@partner.samsung.com>) IETF66 RADEXT WG
What is pre-authentication • Pre-authentication is network access authentication by performing EAP authentication with a target authenticator via the serving network • Pre-authentication was originally defined in IEEE 802.11i where the usage is intra-ESS transitions • HOAKEY BOF (held in IETF65 and to be held in IETF66) is extending the notion of pre-authentication to work across multiple ESS’s and even across multiple access technologies IETF66 RADEXT WG
Basic pre-auth AAA requirements • Requirements identified in IETF65 HOAKEY BOF • AAA needs to know that this is a pre-authentication not normal authentication • User may only be allowed to have a single logon at the same time • User may not be allowed pre-authentication • Can pre-auth session timeout (see below) attribute serve as an indication of pre-auth or some other attribute is needed? • AAA needs to know how long to hold the session before timing out • Session timeout for pre-auth may be different for normal session • If the mobile moves after timeout then do normal authentication • Addressed in draft-aboba-radext-wlan-03.txt • What would signal that the host has successfully connected to a target network? Another round of (non-blocking) Access-Req/Accept? Or do we rely on accounting messages? If latter, then they must be mandated for pre-auth case IETF66 RADEXT WG
Other potential pre-authentication AAA requirements/issues IETF66 RADEXT WG
Extending pre-auth session lifetime • Pre-authentication session lifetime may need to be extended • The MN may continue to stay in the serving network or move to some other network, while maintaining the pre-authentication session with a target authenticator • Maximum pre-auth session lifetime may need to be defined in order to avoid unlimited attempts for extending pre-auth session lifetime - Is this a AAA protocol issue or a configuration issue? IETF66 RADEXT WG
Reverting to pre-auth state from full authorized state • A session with a fully authorized state may need to be changed to a pre-auth state • This can happen when MN moves from network N1 to network N2, and goes back to N1 • MN may not want to perform pre-authentication again with N1 • Is this the same as key caching issue? • Key caching lifetime management is not fully studied • A complete solution for pre-authentication may solve key caching lifetime management issue as well IETF66 RADEXT WG
Maximum number of pre-auth sessions for different authenticators • How many pre-authentication sessions for different authenticators are allowed per MN? • Is this a AAA protocol issue or a configuration issue? • This may be a AAA protocol issue for indirect pre-authentication in which the serving authenticator is involved in pre-auth signaling IETF66 RADEXT WG
Information on the serving network • AAA server may need information on the serving network from which a pre-authentication attempt is being made • This information may affect the authorization decision made by AAA server • This may apply to normal authentication and handover keying signaling as well IETF66 RADEXT WG
Calling-Station-Id • What should Calling-Station-Id be in the case of inter-technology pre-authentication? • Should it be the MN’s address used for the serving network? • In this case, a Calling-Station-Id may dynamically change if MN handovers to a new nerving network and still maintains the pre-authentication state with the target network • Should it be the MN’s address to be used for the target network? • Should it be null? IETF66 RADEXT WG
Network-initiated pre-authentication • Are new AAA attributes needed to support network-initiated pre-authentication? • E.g., list of neighboring authenticators around the serving authenticator IETF66 RADEXT WG
Summary • Pre-authentication for inter-technology handover requires thorough requirements work on both AAA and EAP lower-layer signaling • Pre-authentication is one work item of HOAKEY BOF IETF66 RADEXT WG