Operation Overview

The optional SIM authentication module (SIMauth) enables you to provide IP-based services such as secure public WLAN access, Unlicensed Mobile Access (UMA), and Femtocell access to your subscribers, while leveraging your existing customer care and authentication infrastructure. Appropriate for Global System for Mobile Communications (GSM) infrastructures, the SIM authentication module provides AAA services for 802.1X and non-802.1X hotspots and for UMA networks, enabling several types of service offerings. You can offer secure hotspot access through 802.1X with Extensible Authentication Protocol–Subscriber Identity Module (EAP-SIM) or Extensible Authentication Protocol–Authentication and Key Agreement (EAP-AKA) user authentication. The SIM authentication module extends mobile services over IP access networks for UMA environments, providing the same mobile identity on unlicensed wireless networks as on mobile networks, and enabling roaming and handover between the two.

The SIM authentication module offers secure public WLAN access. Subscriber data is transmitted securely over the wireless link. Data security is ensured with either the Wi-Fi Protected Access (WPA) or the dynamic Wired Equivalent Privacy (WEP) encryption protocol to prevent wireless eavesdropping within the hotspot.

Figure 221 shows the typical network infrastructure for using the SIM authentication module in Steel-Belted Radius Carrier. The SIM authentication module serves as the link between the IP network and the SS7 network, verifying the SIM-based or USIM-based credentials presented by a subscriber against an existing provider Home Location Register (HLR), SQL database, or LDAP directory, to authenticate the subscriber and obtain authorization information.

Figure 221: SIM Authentication Module Support in Steel-Belted Radius Carrier

The SIM authentication module can also generate accounting data on mobile subscriber activities that can be used by Call Detail Record (CDR) accounting.

To access a public hotspot, the subscriber’s wireless laptop, smart phone, tablet, or personal digital assistant (PDA) must include an IEEE 802.1X supplicant (client application) that supports EAP-SIM or EAP-AKA. The SIM authentication module uses the service provider’s SS7 infrastructure to facilitate secure 802.1X-based subscriber authentication and billing. For SIM authentication, a service provider’s 802.1X access point directs authentication requests from user devices to the Steel-Belted Radius Carrier server.

SIMAuth verifies SIM-based or USIM-based credentials provided by a subscriber against an existing provider HLR, SQL database, or LDAP directory, to authenticate the subscriber and obtain authorization information.

Steel-Belted Radius Carrier supports EAP-SIM/EAP-AKA fast reauthentication. As a result, your server can regularly replace the encryption keys used over the wireless link to provide identity protection to subscribers. Reauthentication occurs securely without requiring interaction between Steel-Belted Radius Carrier and the HLR, thereby decreasing traffic load on the RADIUS server.

To perform an EAP-SIM or EAP-AKA authentication, the wireless access point must have an EAP-capable 802.1X supplicant. EAP-SIM can be used with HLRs that support MAP application context version 2 and EAP-AKA can be used with HLRs that support version 3.

SIM Card-Based Authentication

Figure 222 shows the SIM-based provider/subscriber solution supported by Steel-Belted Radius Carrier.

Figure 222: Authentication in Steel-Belted Radius Carrier with SIM Authentication Module

The following sequence takes place when a wireless client with a SIM card installed requests access to an IP network protected by Steel-Belted Radius Carrier:

  1. A user running an EAP-SIM-compatible 802.1X supplicant opens a wireless connection to an 802.1X access point at a WLAN hotspot.

  2. The 802.1X-configured access point challenges the supplicant for its identity.

  3. The 802.1X supplicant on the wireless client responds with an EAP-SIM-based identity.

  4. The access point forwards this information to Steel-Belted Radius Carrier (directly or through a proxy RADIUS server).

  5. Steel-Belted Radius Carrier sends an Access-Challenge request for EAP-SIM authentication to the access point, which forwards the request to the wireless client.

  6. The wireless client receives the EAP-SIM request and, through the access point, agrees to start EAP-SIM by sending an EAP-SIM response. The wireless client's response includes a nonce (a large random number) that protects against replay attacks.

  7. The Steel-Belted Radius Carrier software passes the EAP information to the SIMauth module.

  8. The SIMauth module converts the EAP information to SIM requests and passes them to the GWrelay application.

  9. The GWrelay application passes the requests to the MAP gateway instances in a round-robin method.

  10. The MAP gateway instances pass requests for information that they need to perform the authentication (called triplets) through Signalware to the HLR.

  11. The HLR does a database lookup and returns the requested triplets to the SIMauth module.

  12. If Steel-Belted Radius Carrier is configured to support user authorization, the SIMauth module sends a request for authorization information to an external (LDAP or SQL) database or through Signalware to the HLR.

  13. The external database or HLR returns the requested authorization information for the user.

  14. The SIMauth module uses subscriber data to verify authorization.

  15. The SIMauth module uses these triplets to create the message authentication code (MAC) that it sends as part of its challenge to the wireless client.

  16. Steel-Belted Radius Carrier sends an Access-Challenge containing the MAC to the access point.

  17. The access point forwards the challenge to the wireless client.

  18. The wireless client verifies that the message is authentic (by running the appropriate authentication algorithms) and responds by sending its own message authentication code to Steel-Belted Radius Carrier.

  19. The Steel-Belted Radius Carrier server verifies the client message authentication code, and sends an Access-Accept response to the wireless access point. The Access-Accept includes keying material for encrypting data sent on the wireless connection.

  20. The wireless access point uses the keying material from the Access-Accept to establish an encrypted session with the wireless client.

Authentication using a USIM card and EAP-AKA is similar, although the authentication information retrieved from the HLR is different.

EAP-SIM/EAP-AKA Authorization/Service Delivery

The Steel-Belted Radius Carrier server lets you configure subscriber connections according to authorization strings that you store in the subscriber database or HLR. You can map one or more authorization strings to a profile configured in Steel-Belted Radius Carrier; that profile is applied to the user connection.

EAP-SIM/EAP-AKA Identities

To provide identity protection and fast reauthentication, the EAP-SIM/EAP-AKA protocol includes three types of identities for the client. For any given authentication between the client and server, only one of these three is required:

  • The Permanent Identity is the identity required by the EAP-SIM/EAP-AKA server to retrieve the authentication information (triplets) and authorization information from the external database or HLR. The Permanent Identity must contain the IMSI from the SIM card being used.

  • The Pseudonym Identity is used in place of the Permanent Identity whenever it is available. The EAP-SIM/EAP-AKA server (Steel-Belted Radius Carrier server) creates the pseudonym, and sends it to the client on the first authentication. A new pseudonym is created every time that authentication occurs. Steel-Belted Radius Carrier server uses an encrypted form of the IMSI as the pseudonym so that pseudonyms can be shared among all Steel-Belted Radius Carrier servers that share the same encryption key. The Pseudonym Identity provides identity protection by hiding the Permanent Identity (the IMSI) on the second and all future authentications.

  • The Reauthentication Identity also provides identity protection. Like the pseudonym, a new Reauthentication Identity is created by the server on each authentication. However, the purpose of using the Reauthentication Identity is to begin a fast reauthentication exchange. During this exchange in EAP-SIM or EAP-AKA, new key material is generated based on the current authentication information. The device’s SIM card and the HLR do not need to participate in this exchange. This feature is used to regularly replace the encryption keys used over the wireless link.

You can disable the Pseudonym and Reauthentication identities. For more details, see the section on configuring EAP-SIM and EAP-AKA for the SIM authentication module in the SBR Carrier Reference Guide.

Any of these identities can also carry an @realm tag to form a Network Access Identifier (NAI). The wireless access point typically uses the EAP identity as the RADIUS username when communicating with the RADIUS server. In this case, the RADIUS server or RADIUS proxy server can use the realm to direct the RADIUS request to another server or use the realm in another way.

The EAP-SIM and EAP-AKA protocols enable the server to provide a realm when it creates a Reauthentication Identity. Steel-Belted Radius Carrier server typically uses the realm that was received with the last Permanent Identity or Pseudonym Identity for the realm returned with the new Reauthentication Identity. You can configure a different realm to be returned in the simauth.aut configuration file.
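The identity handling described in this section, as an added example; it is not code from Steel-Belted Radius Carrier or the SIM authentication module. It goes one step beyond the text by using the leading-character convention from RFC 4186 (section 4.2.1.7) and RFC 4187 (section 4.1.1.7) by which the username of a Permanent, Pseudonym or Reauthentication Identity announces its type for both EAP-SIM and EAP-AKA. The sample identities and the in-memory pseudonym store are constructed; the store stands in for the encrypted-IMSI pseudonyms the text describes and is an assumption of the example.

```python
import re

# Leading character of the EAP-SIM/EAP-AKA username announces the identity type
# (RFC 4186 section 4.2.1.7, RFC 4187 section 4.1.1.7). The table and the sample
# identities used with it are the example's own, not product configuration.
IDENTITY_TYPES = {
    "1": ("EAP-SIM", "permanent"), "3": ("EAP-SIM", "pseudonym"), "5": ("EAP-SIM", "fast-reauth"),
    "0": ("EAP-AKA", "permanent"), "2": ("EAP-AKA", "pseudonym"), "4": ("EAP-AKA", "fast-reauth"),
}


def parse_nai(identity):
    """Split an NAI into (username, realm); realm is None when no '@realm' tag is present."""
    user, sep, realm = identity.partition("@")
    return user, (realm if sep else None)


def classify(identity):
    """Identity type, EAP method and realm of the identity received in step 3 or 4."""
    user, realm = parse_nai(identity)
    if not user or user[0] not in IDENTITY_TYPES:
        raise ValueError("not an EAP-SIM/EAP-AKA identity: %r" % identity)
    method, kind = IDENTITY_TYPES[user[0]]
    return {"method": method, "kind": kind, "username": user, "realm": realm}


def next_exchange(identity, pseudonym_store):
    """What the server starts for a received identity: a full authentication keyed by
    IMSI, a fast reauthentication keyed by the reauth identity, or a request for the
    permanent identity when a pseudonym cannot be resolved. pseudonym_store maps
    pseudonym usernames to IMSIs; it is a constructed stand-in for the encrypted-IMSI
    pseudonyms that servers sharing one key can resolve without such a table."""
    info = classify(identity)
    if info["kind"] == "permanent":
        imsi = info["username"][1:]                       # drop the type character
        if not re.fullmatch(r"[0-9]{1,15}", imsi):        # an IMSI is at most 15 digits
            raise ValueError("permanent identity does not carry a valid IMSI")
        return "full-auth", imsi
    if info["kind"] == "pseudonym":
        imsi = pseudonym_store.get(info["username"])
        return ("full-auth", imsi) if imsi else ("request-permanent-identity", None)
    return "fast-reauth", info["username"]


def reauth_realm(last_identity, configured_realm=None):
    """Realm returned with a new Reauthentication Identity: the configured override
    when one is set, otherwise the realm that came with the last Permanent or
    Pseudonym Identity."""
    return configured_realm or parse_nai(last_identity)[1]
```

An unresolvable pseudonym is the edge case worth handling explicitly: rather than failing the session, the server asks for the Permanent Identity, which is the one exchange in which the IMSI is exposed, so a server that cannot resolve its own pseudonyms (for example because a peer in the cluster was given a different encryption key) silently loses the identity protection the pseudonym was meant to provide.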

EAP-SIM/EAP-AKA Fast Reauthentication

You can configure the SIM authentication module for fast reauthentication, so that after a customer establishes a secure 802.1X network connection through the authentication and authorization processes, the server replaces the encryption keys used over the wireless link. Because fast reauthentication does not require interaction between Steel-Belted Radius Carrier SIM authentication module and the HLR, this added security measure does not affect traffic loads on the network.
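The exchange in steps 5 through 20 of the SIM card-based sequence above, together with the fast reauthentication described in this section, as an added worked example; it is not code from Steel-Belted Radius Carrier or the SIM authentication module. The IMSI, the realm, the three triplets, the stand-in HLR table and the packet labels are constructed; the client's A3/A8 is replaced by a lookup into those same triplets because the real algorithms run on the card. The permanent-identity format ("1" followed by the IMSI), the MK derivation, the FIPS 186-2 key expansion and the AT_MAC construction follow RFC 4186.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample data, not real subscriber material: one IMSI and the three GSM
# triplets (RAND, SRES, Kc) that a stand-in HLR returns for it (steps 10 and 11).
SAMPLE_IMSI = "001010123456789"
SAMPLE_TRIPLETS = [
    (bytes.fromhex("10" * 16), bytes.fromhex("d1d2d3d4"), bytes.fromhex("a0a1a2a3a4a5a6a7")),
    (bytes.fromhex("11" * 16), bytes.fromhex("e1e2e3e4"), bytes.fromhex("b0b1b2b3b4b5b6b7")),
    (bytes.fromhex("12" * 16), bytes.fromhex("f1f2f3f4"), bytes.fromhex("c0c1c2c3c4c5c6c7")),
]
HLR = {SAMPLE_IMSI: SAMPLE_TRIPLETS}
VERSION_LIST = b"\x00\x01"      # AT_VERSION_LIST payload: only EAP-SIM version 1 offered
SELECTED_VERSION = b"\x00\x01"  # AT_SELECTED_VERSION chosen by the peer


def rol(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def sha1_g(block):
    """G(t, c) of FIPS 186-2: one SHA-1 compression of a 64-byte block from the
    standard IV, with no length padding (RFC 4186 Appendix B)."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(rol(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = h
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (rol(a, 5) + f + e + k + w[i]) & 0xFFFFFFFF, a, rol(b, 30), c, d
    return struct.pack(">5I", *[(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d, e))])


def fips186_2_prf(xkey, nbytes=160):
    """FIPS 186-2 PRF with XSEED = 0, the key expansion EAP-SIM and EAP-AKA use."""
    key, out = int.from_bytes(xkey, "big"), b""
    while len(out) < nbytes:
        w = sha1_g(key.to_bytes(20, "big") + b"\x00" * 44)       # w_i = G(t, XKEY)
        out += w
        key = (1 + key + int.from_bytes(w, "big")) % (1 << 160)  # XKEY = 1 + XKEY + w_i
    return out[:nbytes]


def derive_keys(identity, kcs, nonce_mt):
    """Full authentication: MK = SHA1(Identity | n*Kc | NONCE_MT | Version List |
    Selected Version), then K_encr, K_aut, MSK and EMSK from the PRF output."""
    mk = hashlib.sha1(identity.encode() + b"".join(kcs) + nonce_mt
                      + VERSION_LIST + SELECTED_VERSION).digest()
    ks = fips186_2_prf(mk)
    return {"mk": mk, "k_encr": ks[:16], "k_aut": ks[16:32], "msk": ks[32:96], "emsk": ks[96:]}


def at_mac(k_aut, packet, extra):
    """AT_MAC value: HMAC-SHA1-128 over the EAP packet (MAC field zeroed) followed by
    NONCE_MT for the server's challenge and by n*SRES for the client's reply."""
    return hmac.new(k_aut, packet + extra, hashlib.sha1).digest()[:16]


def fast_reauth_keys(reauth_identity, counter, nonce_s, mk):
    """Fast reauthentication: XKEY' = SHA1(Identity | counter | NONCE_S | MK) yields a
    fresh MSK/EMSK from the stored MK, so neither the SIM nor the HLR takes part."""
    xkey = hashlib.sha1(reauth_identity.encode() + struct.pack(">H", counter) + nonce_s + mk).digest()
    ks = fips186_2_prf(xkey, 128)
    return {"msk": ks[:64], "emsk": ks[64:]}


def run_exchange(identity="1" + SAMPLE_IMSI + "@example.invalid", tamper=False):
    """Steps 5 through 20: returns the MSK both sides agree on, or None on failure."""
    nonce_mt = os.urandom(16)                  # client, step 6: fresh per attempt, defeats replay
    # Server, steps 7 to 16: identity -> IMSI -> triplets -> challenge carrying AT_MAC.
    imsi = identity[1:].split("@")[0]          # RFC 4186 permanent identity: "1" + IMSI [@realm]
    triplets = HLR[imsi]                       # a KeyError here would mean an unknown subscriber
    rands = [r for r, _, _ in triplets]
    srv = derive_keys(identity, [kc for _, _, kc in triplets], nonce_mt)
    chal = b"EAP-Request/SIM/Challenge" + b"".join(rands)
    chal_mac = at_mac(srv["k_aut"], chal, nonce_mt)
    if tamper:
        chal_mac = bytes([chal_mac[0] ^ 1]) + chal_mac[1:]   # challenge MAC altered in transit
    # Client, step 18: the card answers each RAND (lookup stands in for A3/A8), the
    # supplicant derives the same keys and checks the server's MAC before replying.
    card = {r: (s, kc) for r, s, kc in SAMPLE_TRIPLETS}
    sres, kcs = zip(*(card[r] for r in rands))
    cli = derive_keys(identity, kcs, nonce_mt)
    if not hmac.compare_digest(chal_mac, at_mac(cli["k_aut"], chal, nonce_mt)):
        return None                            # server did not prove knowledge of Kc
    resp = b"EAP-Response/SIM/Challenge"
    resp_mac = at_mac(cli["k_aut"], resp, b"".join(sres))
    # Server, step 19: verify the client's MAC with its own copy of SRES from the HLR.
    if not hmac.compare_digest(resp_mac, at_mac(srv["k_aut"], resp, b"".join(s for _, s, _ in triplets))):
        return None
    return srv["msk"]                          # steps 19 and 20: keying material in the Access-Accept
```

run_exchange() hands out the 64-byte MSK only when both MACs verify, so the access point never receives keying material for a session in which either side failed to prove knowledge of Kc; the tamper flag shows the client refusing a challenge whose MAC was altered in transit. Kc and SRES never cross the wireless link: only RAND, the nonce and the two MACs do. fast_reauth_keys takes the stored MK plus a fresh NONCE_S and counter, which is why no triplets, and therefore no HLR query, are needed for the key rollover this section describes.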