EAP Settings

The Extensible Authentication Protocol (EAP) can be used to authenticate MNs when IPSec, Diameter or RADIUS is used in the test. The EAP Settings window allows you to select the authentication methods that will be supported by the MNs, the NAS nodes, or a server node depending on the test case. Click the EAP Settings... button to access the window. The settings for each method are contained on their respective sub-tabs.

WARNING: When running any EAP method, you must use an equal number of user names and sessions. Multiple sessions with the same user name will cause some EAP sessions to fail.

This topic describes the settings for EAP. The topics listed under Related Parameters include certificate settings for EAP-TLS and the protocols and test cases that support EAP.

In this topic...
Username Expanded Type	Retry Count Retry Time EAP Message Delay
Disable Identity Request Apply Parameters from Test Data File	Identity Protection
MD5 GTC EAP-SIM EAP-AKA EAP-AKA' EAP-MSCHAPv2 EAP-TLS/EAP-TTLS Expanded Types Kc	Operator Variant Secret Key SRES Use hard-coded values
Related Parameters User Credentials Digital Certificate Settings IPSec AAA Server Nodal AAA Server Node	Related Topics Testing With EAP EAP Type Using Digital Certificates EAP Measurements

General Settings

User Name

The MN's user name, NAI, or IMSI that will be sent or expected in the EAP Identity response. See User Credentials for a full definition.

NOTEs:

In AAA Node Test Case, EAP User name will not overwrite the General user name.
A leading 0 is needed if you want to use IMSI as User Name. Per chapter 4.1.1.6 of RFC 4187 - "For example, a permanent username derived from the IMSI 295023820005424 would be encoded as the ASCII string "0295023820005424" (byte values in hexadecimal notation: 30 32 39 35 30 32 33 38 32 30 30 30 35 34 32 34)".

Expanded Types

Use the checkbox to enable support for vendor-specific authentication methods. If the AAA Server requests a method that the MN does not support, the MN responds with an Expanded NAK message.

Related Measurements

Expanded NAK Response Count

Retry Count

You can define the number of times a message will be transmitted when the expected response or follow-on request has not been received. Enter 0 to disable retries.

Retry Time

You can define the elapsed time (in seconds) between each try until the configured retry count is reached. Default is 5 Seconds

EAP Message Delay

Numeric - Default is 10 (ms) - Range from 0 to 65535 - Currently only available via SGW Nodal and Wifi Offload Gateway Nodal - CAPWAP and authentication is 802.1x.

Tcl parameter: CapWapEapMsgDelayEn

WiMAX MIP Root Key

Use the WiMAX MIP Root Key to enable WiMAX MIP Root Key generation and distribution.

Range : A maximum of 64 bytes (128 hex characters excluding 0x)

Default: 0X

Combined EAP

Select the checkbox to use the EAP authentication scheme using a challenge combined with a device ID, password and hash algorithm.

Device ID

Indicates the Device ID sending the EAP challenge

Device Secret

Indicates the Device password/secret.

Disable Identity Request

The Disable Identity Request checkbox is available on the IPSec EAP dialog box in all server-side (responder) test cases. For example, Network Host, LNS Node, MIP Node, etc.

When you select the Disable Identity Request checkbox, the IPSec responder does not send the EAP Identity Request as part of the EAP message exchange.
When you do not select the Disable Identity Request checkbox, the IPSec responder sends the EAP Identity Request as part of the EAP message exchange.

Identity Protection

Implements the identity privacy clause in both the EAP-AKA and EAP-SIM methods (RFC 4186: 4.2.1.2. Identity Privacy Support).

Selects Identity Protection allows you to utilize the alternate IDs (user name) in the transport layers (RADIUS/Diameter) during re-authentication process, which protects the real identity of the mobile node.

NOTE: Selecting Identity Protection for other than EAP-AKA and EAP-SIM does not perform any additional procedure.

This option is not available in all the test cases.

Apply Authentication Parameters from Test Data File

See TDF-CSV Editor.

You can provision authentication credentials for each MN by using Test Data Files. See Applying Parameter ValuesApplying Parameter Values.

See Test Data Files for further explanation and sample files. If a sample is not found for the specific TDF, you can obtain a sample file from your Technical Support representative. You may also use the following options to select an existing TDF or create/edit TDF-CSV files (TDF-CSV Editor).

For most TDF Parameters used for Applying Parameters, each row in the file is the overridden value for a different “Session”, aka a different UE. But some TDFs are done in other dimensions, like Bearers, eNodeBs, Subscribers (2 per UE sometimes) or even Hosts, etc. Tooltips on the TDF Parameter:

Note that the “ID” is a unique ID. Please Provide the ID when reporting issues with a TDF. For TDFs that do not apply / override Parameters, but instead are just their own configuration or data or media files you won’t see TDF ID row details.

TIP: When including large files, please be aware of memory limitations, since the TDF Editor shares memory with the Client.

NOTE: The available TDF options vary. on the L3-7 | IPSec tab > IKE with RSA Settings you may only select the Certificate TDF from TAS (these are non-CSV TDFs).

In addition, where applicable, any rules for defining TDFs are included in specific Test Cases. (For example, In MME Node test case, see MME Node - Provisioning TDF.)

From the DMF Window, press Shift+Alt+A to display the Save DMF as Tcl window. Click the Save to File button to save as Tcl file. See additional details on Using the Tcl API.

Select/Create a new TDF-CSV

Allows you to create a new TDF by entering a file name that doesn’t already exist or select an existing file by entering a file name that already exists.

Click to open the Select Existing or Create window.

Navigate to the relevant library/folder,
Enter the name of the file:
If the file name already exists, the file is selected and applied in the test case.
If the file name does not exist, a message displays that says you are creating a new TDF and the embedded TDF-CSV will be launched.
- Click Yes to launch the TDF-CSV Editor and create/save the new TDF-CSV.
- Click No to select a different file

NOTE: If you do not have permission to save in the selected library, an error displays when you try to create a new file.

TIP: You may also navigate to the relevant library/folder and select file, and click OK.

Upload a New TDF to TAS

Click to import a new TDF file from your local folder and select in the test Case (instead of having to go to TDF Admin).

Navigate to the file on your local folder and select.
Then navigate to the location (library) where you want to save it on the TAS. You may rename the file, if required.

View Edit Selected TDF in TDF-CSV Editor

Available only when you have selected a TDF on TAS. Click to open the selected file in TDF-CSV Editor (in place, that is, within the Test Case).

Edit the file and save. You may also click Save As to save the edited TDF-CSV to a different library and also rename the file, if required.

NOTE: You may also select a TDF from a library to which you do not have write permissions, edit the file as required, and save (Save As) only to a different library with the same file name or a different name.

The only options available are Save As and Cancel.

Open Selected TDF in Standalone TDF-CSV Editor

Available only when you have selected a TDF on TAS. Select to retrieve the CSV file and open it in the stand alone TDF-CSV Editor.

Generate Stub TDF-CSV

TIP: Available only when a CSV specification has been defined for in the Test Case for the TDF widget ( View TDF Actions/Options Menu)

Opens an example context specific test data parametersexample context specific test data parameters, which you may save as a .CSV file or open in the TDF-CSV Editor.

Launch Standalone TDF-CSV Editor

Click to open a blank TDF-CSV Editor.

The Launch Standalone TDF-CSV editor options handles very large TDFs that may use too much Client memory if opened within the Test Case/in the embedded editor. You may set the standalone TDF-CSV Editor memory high to edit large TDFs.

^ Back to Top

MD5 Authentication

Use the MD5 checkbox to enable support for MD5 authentication, and then define the MN's Password.

Related Measurements

MD5 measurements

^ Back to Top

GTC Authentication

Use the GTC (Generic Token Card) checkbox to enable support for GTC authentication, and then define the MN's Token/Password.

During TLS authentication (EAP>TLS), when PEAP version is 1 (TLS>PEAP-GTC), authentication protocol on the TLS tunnel uses EAP-GTC with token card (for example, client certificate).

Related Measurements

MD5 measurements

^ Back to Top

EAP-SIM Authentication

Use the EAP-SIM checkbox to enable support for EAP-SIM authentication in a GSM network, and then define the Secret Key, Encryption Algorithm and the Operator Variant or Family Key.

Specify Rand

Select Use Specified RAND value to define RAND value.

Enter the RAND value used to formulate the challenge request.

Range: Up to 96 hexadecimal digits, excluding 0x.

Use hard-coded values

Select Use hard-coded values to define fixed SRES AND Kc values.

SRES — Enter the SRES value that will be used to formulate the challenge response for all MNs.

Range: Up to 24 hexadecimal digits, excluding "0x."

Default: 0x000000000000

Kc — Enter the key that will be used to derive new keying material for all MNs.

Range: Up to 32 hexadecimal digits, excluding "0x."

Default: 0x00000000000000000000000000000000

Real Sim Card SRES Calculation

Available in Security Gateway Node and Wifi Offload Gateway Node. Enable when Use Real SIM Card (One Subscriber) in Mobile Subscribers is Security Gateway Node. In Wifi Offload Gateway Node, it becomes available when S2b to PGW and SWn IPSec are selected.

NOTE: Must configure Secret key and Operator Variant in the Security Gateway Node as per required in operator SIM card for successful authentication.

Tcl Parameter: DataEapSimRealSimSresCalcEn

Reauthentication Type

Select the Initial reauthentication type.

NOTE: (RFC 4186) Fast re-authentication is implemented as the full authentication procedure is time consuming for frequent use. Fast re-authentication is optional for both the EAP-SIM and peer severs. On each EAP authentication, either one of the entities may fall back on full authentication if it does not want to use fast re-authentication.

Initial Fast Reuth ID: EAP-SIM Fast re-authentication is based on the keys derived on the preceding full authentication procedure that does not make use of the SIM algorithms and does not need new triplets (RAND, SRES, Kc) from the Authentication Centre.

Fast re-authentication is optional for both the EAP-SIM server and peer. On each EAP authentication, either one of the entities may fall back on full authentication if is does not want to use fast re-authentication.

Initial PSeudonym ID

A pseudonym identity of the peer (including an NAI realm portion in environments where a realm is used). Used on full authentication only.

Fast re-authentication identities are one-time identities. If the peer does not receive a new fast re-authentication identity, it MUST use either the permanent identity or a pseudonym identity on the next authentication to initiate full authentication.

SIM Permanent ID

Indicates the permanent identity used on full authentication only.

NOTE: The fast re-authentication procedure makes use of separate re-authentication user identities. Pseudonyms and the permanent identity are reserved for full authentication only. If a re-authentication identity is lost and the network does not recognize it, the EAP server can fall back on full authentication.

Related Measurements

EAP-SIM Measurements

^ Back to Top

EAP-AKA Authentication

Use the EAP-AKA checkbox to enable support for EAP-AKA authentication in a CDMA2000 or UMTS network, and then define the Secret Key, Encryption Algorithm and the Operator Variant or Family Key.

Secret Key	The shared key that is known to both the MN and the AAA Server. Range: Up to 32 hexadecimal digits, excluding "0x." Default: 0x0123456789ABCDEF0123456789ABCDEF
Encryption Algorithm	Method of cryptographic encryption of the data to be transmitted between the MN and the AAA Server. Options: 3GPP Milenage Crypto Algorithms 3GPP2 Enhanced Crypto Algorithms USIM Test Algorithm Default: 3GPP Milenage Crypto Algorithms
Operator Variant	The 128-bit, operator-specific MILENAGE constant (Operator Variant - OP or OPc ) provisioned for the network. Range: Up to 32 hex characters, excluding "0x." Default: 0x63BFA50EE6523365FF14C1F45F88737D
Family Key	32-bit identifier used by the 3GPP2 Enhanced Cryptographic Algorithm. Range: 0x0 - 0xFFFFFFFF Default: 0x41484147
AMF Value	Avaialble in 5G test cases. Select All 0s or All 1s.
Apply <EAP method> Parameters from Test Data File	You can provision authentication credentials for each MN by using Test Data Files for one or more EAP methods. See Parameter Features for more information on provisioning by file. You can obtain a sample file from your Technical Support representative. EAP-TLS-TTLS-PEAP-Example EAP_cfg_file EAP_config_params EAP_MD5_cfg_file EAP_SIM_cfg_file_example EAP_AKA_cfg_file

AKA Permanent ID

Provides an option to disable EAP Identity Request and Response with an AKA Permanent Identity Request message and responds with the AKA challenge following the EAP Identity Response. (Refer to RFC 4187)

The AKA-Permanent ID is the permanent identity of the peer, including an NAI realm in environments where a realm is used. The permanent identity is usually based on the IMSI and is used on full authentication only.

Starting Sequence Number

Select the Starting Sequence Number checkbox and enter the appropriate value.

Range: 0 - 281474976710655 (2^48 bits - 1)

Default: 1

Type: Integer

The Starting Sequence Number allows you to set an initiating sequence number used in the AUTN. Per 3GPP 33.102 annex C.1 and C.2 the re-synchronization procedure usually happens in UE when SQN (server) < SQN (client).

Tcl Parameters:

EapAkaSqn

PeapEapAkaSqn

Use Prefix

Available when Application = SWm Interface. The purpose of this flag is for Landslide’s AAA Nodal/Node to support encrypted IMSI for AAA diameter test on Swm interface between ePDG and AAA server using EAP-AKA Protocol. EAP-AKA uses public key cryptography to achieve the confidentiality of the permanent identity. The EAP client is configured with the public key of the authentication server so that it can encrypt the permanent identity before sending it to the server and the client allows authentication server to decrypt permanent identity using private key. The EAP-AKA protocol makes use of the International Mobile Subscriber Identity (IMSI) as the permanent identity in the authentication exchange. The IMSI is a unique identifier that can be used to track device movement. Protecting the IMSI against untrusted exposure is important to protect user privacy.

The AAA client will encrypt the permanent identity(IMSI) using RSA-OAEP algorithm in AT_IDENTITY attribute on EAP-Request / AKA-Identity message and AAA server will decrypt the permanent identity(IMSI). And optional Key Identifier AVP (attribute value pair) represents a data that helps the server to locate the private key to decrypt the permanent identity. As shown in the figure below, the client and server each require a public key and a private key, because the RSA-OAEP algorithm is used to encrypt the permanent Identity. The Permanent Identity is used as the value of “AKA Permanent ID” in GUI. If the “AKA Permanent ID” is not defined, the “username” in the form <username>@domain is used for Permanent Identity.

Per RFC 3447 - Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1

When Use Prefix is enabled of AAA Server Nodal/Node Test cases, , the following fields become available for input:

On AAA Server Nodal Test Case, select to include the Public Key File - Select either an Installed or a Test Data File.

On AAA Server Nodal Test Case, select to include the Permanent ID Encryption - Choose an Installed file or a TDF, based on input selected above.

On AAA Server Nodal Test Case, select to enable the Key Identifier AVP - Enter the Name of the AVP (Up to 64 Characters) and the Value of the AVP (Up to 64 Characters).

On AAA Server Node Test Case, select to include the Permanent ID Decryption - Choose an Installed file or a TDF, based on input selected above.

On AAA Server Node Test Case, select to include the Private Key File - Select either an Installed or a Test Data File.

NasRadEapAkaUsePrefixEn	NasRadEapAkaPermIdEncryptEn	NasRadEapAkaPublicKeyTestDataFileEn	NasRadEapAkaPublicKeyTestDataFile
NasRadEapAkaPublicKeyFile	NasRadEapAkaKeyIdAvpEn	NasRadEapAkaKeyIdAvpName	NasRadEapAkaKeyIdAvpValue
AaaNodeEapAkaUsePrefixEn	AaaNodeEapAkaPermIdDecryptEn	AaaNodeEapAkaPrivateKeyTestDataFileEn	AaaNodeEapAkaPrivateKeyTestDataFile
AaaNodeEapAkaPrivateKeyFile

Related Measurements

EAP-AKA Measurements

Reauthentication ID Type: Indicates the ID type used to perform EAP authentication again. Select the reauthentication type.

Options: Fast ReAuth , Permanent, Pseudo

Fast Reauth: EAP-AKA Fast re-authentication is based on the keys derived on the preceding full authentication procedure that does not make use of the AKA algorithms and does not need new vectors from the Authentication Centre.

Fast re-authentication is optional for both the EAP-AKA server and peer. On each EAP authentication, either one of the entities may fall back on full authentication if is does not want to use fast re-authentication.

PSeudo: A pseudonym identity of the peer (including an NAI realm portion in environments where a realm is used). Used on full authentication only.

Permanent: Indicates the permanent identity used on full authentication only.
Fast ReAuth Max Counter: The fast re-authentication exchange makes use of an unsigned 16-bit counter, included in the AT_COUNTER attribute. The counter has three goals:
- It can be used to limit the number of successive reauthentication exchanges without full-authentication
- it contributes to the keying material,
- it protects the peer and the server from replays.

On full authentication, both the server and the peer initializes the counter to one. The counter value of at least one is used on the first fast re-authentication. On subsequent fast re-authentications, the counter MUST be greater than on any of the previous fast re-authentications. For example, on the second fast re-authentication, counter value is two or greater, etc. The AT_COUNTER attribute is encrypted.

Allocate Fast ReAuth ID: Select to trigger usage of a previously generated key. Available on AAA Tab in the AAA Node Test Case.
Allocate Pseudonym Name: Select to trigger generation of a Pseudonym name. Available on AAA Tab in the AAA Node Test Case.
Send Request Identity: Select Send Request Identity to include AKA-Identity in response to a valid EAP-Request/AKA-Identity from the server.
AMF Value: With EAP-AKA authentication, in order to reduce the risk of node vulnerability, the AKA algorithm is computed with the AMF separation bit set to 1, and the peer checks to ensure that this is indeed the case.

When the server creates an AKA challenge, the Authentication Management Field (AMF) separation bit is set to 1 in the AKA algorithm. If the bit is not set to 1, the fails authentication.

Apply AKA Parameters from Test Data File

^ Back to Top

EAP-AKA' Authentication

EAP-AKA' [RFC 5448] uses a key derivation function, which binds the keys derived to the name of the access network. This assists in limiting the effects of compromised access network nodes and keys.

Click EAP Settings > EPA-AKA' tab and select EAP-AKA' to configure the following settings.

Network Name

Indicates the network name of the access network for which the authentication is being performed.

Option: Maximum of 64 Characters

AKA' Permanent ID

Starting Sequence Number

Select the Starting Sequence Number checkbox and enter the appropriate value.

Range: 0 - 281474976710655 (2^48 bits - 1)

Default: 1

Type: Integer

Full-Reauthentication

In HSGW Nodal test Case, select to perform the full re-authentication process, that is, perform full authentication again periodically instead of the fast re-authentication process.

NOTE: In HSGW Node, used for back-to-back testing, use Full-Authentication Time (s) to specifiy the time to wait before performing full-authentication process similar to the first time authentication.

Secret Key	The shared key that is known to both the MN and the AAA Server. Range: Up to 32 hexadecimal digits, excluding "0x." Default: 0x0123456789ABCDEF0123456789ABCDEF
Encryption Algorithm	Method of cryptographic encryption of the data to be transmitted between the MN and the AAA Server. Options: 3GPP Milenage Crypto Algorithms 3GPP2 Enhanced Crypto Algorithms USIM Test Algorithm Default: 3GPP Milenage Crypto Algorithms
Operator Variant	The 128-bit, operator-specific MILENAGE constant (Operator Variant - OP or OPc ) provisioned for the network. Range: Up to 32 hex characters, excluding "0x." Default: 0x63BFA50EE6523365FF14C1F45F88737D
Family Key	32-bit identifier used by the 3GPP2 Enhanced Cryptographic Algorithm. Range: 0x0 - 0xFFFFFFFF Default: 0x41484147
AMF Value	Avaialble in 5G test cases. Select All 0s or All 1s.
Apply <EAP method> Parameters from Test Data File	You can provision authentication credentials for each MN by using Test Data Files for one or more EAP methods. See Parameter Features for more information on provisioning by file. You can obtain a sample file from your Technical Support representative. EAP-TLS-TTLS-PEAP-Example EAP_cfg_file EAP_config_params EAP_MD5_cfg_file EAP_SIM_cfg_file_example EAP_AKA_cfg_file

EAP-AKA' Measurements

^ Back to Top

EAP-MSCHAPv2 Authentication

Use the MSCHAPv2 checkbox to enable support for EAP-MSCHAPv2 authentication for AAA RADIUS client and server testing, and define the MN's Password and User Name (Wifi Nodal/Node, SGW Wifi)

EAP Header: Available when PEAP V1 = 0. Select EAP Header to ensure Microsoft PEAP includes EAP header on the EAP message (for TLS tunnel).

Type: True, False

Tcl Parameter: <Prefix>EapMsChapV2EapHeaderEn

Prefix example:

AAA Node= AaaNodePeap

AAA Nodal= NasRadPeap

IP App Node= NasRadPeap

IPSec

DataPeap

DataMP

Related Measurements

EAP-MSCHAPv2 Measurements

^ Back to Top

EAP-TLS Authentication

Main and Ciphers (See additional details in topic TLS - Ciphers) tab are available for input. Ciphers tab is available when TLS Version = TLSv1.1, or TLSv1.2 or TLSv1.3.

Use the EAP-TLS checkbox to enable support for TLS authentication. Select TLS Version - Landslide supports TLSv1.0, TLSv1.1, TLSv1.2 and TLSv1.3 (TLSv1.0 is mutually exclusive with the remaining TLS versions however TLSv1.1, TLSv1.2, TLSv1.3 can all be selected concurrently). Select the methods and keys that will be used.

NOTES:

When digital certificates are used in a RADIUS test, the maximum number of MS sessions is limited to 100,000. The Activation rate in a AAA Server Nodal test is limited to 1000 sessions/second, and a AAA Server node can process authentications at 85 authentications/second. As with any other licensed capacities, the limits in reduced-capacity systems may be less than the maximum values.
When EAP-TLS is used with IPSec, the maximum number of sessions is reduced since an additional tunnel is established for TLS.

Use the Generate Pairwise Master Key to enable PMK support when a Pre-Shared Key is used. The resulting PMK is used in place of a Master Session Key (MSK) to calculate and verify authentication tokens, and it will be used by RADIUS and IPSec as well as TLS. Available when TLS Version = TLSv1.0.
Use the Generate Master Session Key to generate the MSK (Master Session Key) upon success of PEAPv1 to be used for AUTH data calculation. Available when TLS Version = TLSv1.0.
Use the Reauthentication check box to allow the AAA server (SUT) to enable EAP-TLS session to resume. Available when TLS Version = TLSv1.0.

NOTE: If you do not select this checkbox, the AAA server (SUT) disables EAP-TLS session resume and result is failure of every alternate authentication attempt, even when using the cached session id from the preceding authentication.

Select to Include Finish Message in Digest.
Select Enable Pre-Shared Key Cipher Suites and enter the secret in the Pre-Shared Key field OR select Include Certificates (See also digital certificate settings.) Available when TLS Version = TLSv1.0.
Selecting Include Certificates allows you to provision the local peers' Private Key and select the X.509 Certificate File.
- Private Key: Select Installed and use the drop-down list to select the file that will provision the local peers' private key.
- X.509 Certificate File: Select Installed and use the drop-down list to select the X.509 certificate file.

You may also select Test Data File to specify the certificate file names. This allows you to upload a certificate you want to use as a Test Data File without causing the test Server to reboot.

NOTE:

Using Test Data Files also allows you to save certificates for to different repositories and provides you with a means to use the same certificates files names from different repositories.
When Certificates are TDF, they are exportable to STE. See topic Exporting Test Suites for additional information.

Select Enable EAP-TLS MTU - to support EAP fragmentation scheme as defined in RFC5216. Default 1000 - Range from 100 to 65000. Available when TLS Version = TLSv1.0.
First Entry: The First Entry indicates a subset of the keys contained in the private key file may be used. This parameter uses a zero-based index to specify the starting key for the set.

Range: N/A

Default: 0

Number of Entries: The number of private keys that will be used in the test. If there are more local peers than keys, the keys will be distributed among the peers as evenly as possible.

Range: N/A

Default: 1

Use Generate WiMAX MSK to enable WiMAX Key generation and distribution

Use the PEAP checkbox to enable the Protected Extensible Authentication Protocol (PEAP) with a AAA Server within EAP-TLS. Select the PEAP Version from the drop-down list (0 = Microsoft PEAP, 1 = general PEAP implementation).

If you select 0 (Microsoft PEAP), only MSCHAPv2 is allowed. Enter parameters in the PEAP-MSCHAPV2 sub-tab.

If you select 1 (general PEAP implementation), you can enter parameters in the PEAP-MD5, PEAP-GTC, PEAP-SIM, PEAP-AKA, PEAP-AKA' and PEAP-MSCHAPV2 sub-tabs.

NOTE: Option 0 (Microsoft PEAP) is the only option allowed for Wifi RF Emulation.

Use the FAST checkbox to enable further authentication exchanges with a AAA Server within EAP-TLS. EAP-FAST supports the TLS extension to support fast re-establishment of the secure tunnel without having to maintain per-session state on the server (RFC 4851 . EAP-FAST makes use of the TLS to enable an optimized TLS tunnel session resume while minimizing server state. Current implementation is based on V1.

The secret key used in EAP-FAST is referred to as the Protected Access Credential key (or PAC-Key); the PAC-Key is used to mutually authenticate the peer and the server when securing a tunnel.

Enter parameters in the FAST-MD5, FAST-SIM, FAST-AKA, FAST-AKA' and FAST-MSCHAPV2 sub-tabs.

The Enable PACs check box is available in AAA Server Node test cases when you select the FAST checkbox.

Use the Enable PACs check box distribute credentials to a peer for optimized network authentication. EAP-FAST uses PACs to dynamically provision attributes.

Use the TTLS Extensions checkbox to enable an authentication method with a AAA Server within EAP-TLS. Select the authentication Method from the drop-down list (EAP, PAP, CHAP, MSCHAPV1, or MSCHAPV2). Define the AAA User Name and Password, where applicable, following the guidelines in User Credentials. Note: Maximum of 64 characters are allowed for User Name / Password.

NOTE: The PEAP and TTLS Extensions fields are mutually exclusive.

Select Apply TLS Parameters from Test Data File (TDF) check box to apply parameter values using a test data file.

Related Measurements

EAP-TLS Measurements

^ Back to Top

Common Settings

Secret Key	The shared key that is known to both the MN and the AAA Server. Range: Up to 32 hexadecimal digits, excluding "0x." Default: 0x0123456789ABCDEF0123456789ABCDEF
Encryption Algorithm	Method of cryptographic encryption of the data to be transmitted between the MN and the AAA Server. Options: 3GPP Milenage Crypto Algorithms 3GPP2 Enhanced Crypto Algorithms USIM Test Algorithm Default: 3GPP Milenage Crypto Algorithms
Operator Variant	The 128-bit, operator-specific MILENAGE constant (Operator Variant - OP or OPc ) provisioned for the network. Range: Up to 32 hex characters, excluding "0x." Default: 0x63BFA50EE6523365FF14C1F45F88737D
Family Key	32-bit identifier used by the 3GPP2 Enhanced Cryptographic Algorithm. Range: 0x0 - 0xFFFFFFFF Default: 0x41484147
AMF Value	Avaialble in 5G test cases. Select All 0s or All 1s.
Apply <EAP method> Parameters from Test Data File	You can provision authentication credentials for each MN by using Test Data Files for one or more EAP methods. See Parameter Features for more information on provisioning by file. You can obtain a sample file from your Technical Support representative. EAP-TLS-TTLS-PEAP-Example EAP_cfg_file EAP_config_params EAP_MD5_cfg_file EAP_SIM_cfg_file_example EAP_AKA_cfg_file

^ Back to Top