EAP Settings


The Extensible Authentication Protocol (EAP) can be used to authenticate MNs when IPSec, Diameter or RADIUS is used in the test. The EAP Settings window allows you to select the authentication methods that will be supported by the MNs, the NAS nodes, or a server node depending on the test case. Click the EAP Settings... button to access the window. The settings for each method are contained on their respective sub-tabs.

WARNING: When running any EAP method, you must use an equal number of user names and sessions. Multiple sessions with the same user name will cause some EAP sessions to fail.

This topic describes the settings for EAP. The topics listed under Related Parameters include certificate settings for EAP-TLS and the protocols and test cases that support EAP.


General Settings

User Name The MN's user name, NAI, or IMSI that will be sent or expected in the EAP Identity response. See User Credentials for a full definition.

NOTEs:

  • In AAA Node Test Case, EAP User name will not overwrite the General user name.
  • A leading 0 is needed if you want to use an IMSI as the User Name. Per section 4.1.1.6 of RFC 4187: "For example, a permanent username derived from the IMSI 295023820005424 would be encoded as the ASCII string "0295023820005424" (byte values in hexadecimal notation: 30 32 39 35 30 32 33 38 32 30 30 30 35 34 32 34)".
 
Expanded Types

Use the checkbox to enable support for vendor-specific authentication methods. If the AAA Server requests a method that the MN does not support, the MN responds with an Expanded NAK message.

Related Measurements

Retry Count

You can define the number of times a message will be retransmitted when the expected response or follow-on request has not been received. Enter 0 to disable retries.

Retry Time

You can define the elapsed time (in seconds) between each try until the configured retry count is reached. Default: 5 seconds.

EAP Message Delay

Numeric. Default: 10 ms. Range: 0 to 65535. Currently available only in SGW Nodal and Wifi Offload Gateway Nodal, when CAPWAP is used and authentication is 802.1X.

Tcl parameter:  CapWapEapMsgDelayEn

WiMAX MIP Root Key

Select WiMAX MIP Root Key to enable WiMAX MIP Root Key generation and distribution.

Range: A maximum of 64 bytes (128 hex characters, excluding 0x)

Default: 0x

Combined EAP

Select the checkbox to use the combined EAP authentication scheme, in which the challenge is combined with a device ID, a password and a hash algorithm.

  • Device ID

Indicates the Device ID sending the EAP challenge

  • Device Secret

Indicates the Device password/secret.

Disable Identity Request

The Disable Identity Request checkbox is available on the IPSec EAP dialog box in all server-side (responder) test cases. For example, Network Host, LNS Node, MIP Node, etc.

  • When you select the Disable Identity Request checkbox, the IPSec responder does not send the EAP Identity Request as part of the EAP message exchange.  

  • When you do not select the Disable Identity Request checkbox, the IPSec responder sends the EAP Identity Request as part of the EAP message exchange.  

Identity Protection

Implements the identity privacy clause of both the EAP-AKA and EAP-SIM methods (RFC 4186 section 4.2.1.2, Identity Privacy Support).

Selecting Identity Protection allows you to use the alternate IDs (pseudonym or fast re-authentication user names) in the transport layer (RADIUS/Diameter) during the re-authentication process, which protects the real identity of the mobile node.

NOTE: Selecting Identity Protection for other than EAP-AKA and EAP-SIM does not perform any additional procedure.

This option is not available in all the test cases.

 

Apply Authentication Parameters from Test Data File

See TDF-CSV Editor.

You can provision authentication credentials for each MN by using Test Data Files. See Applying Parameter Values.

See Test Data Files for further explanation and sample files. If a sample is not found for the specific TDF, you can obtain a sample file from your Technical Support representative. You may also use the following options to select an existing TDF or create/edit TDF-CSV files (TDF-CSV Editor). 

For most TDF Parameters used for Applying Parameters, each row in the file is the overridden value for a different “Session”, aka a different UE. But some TDFs are done in other dimensions, like Bearers, eNodeBs, Subscribers (2 per UE sometimes) or even Hosts, etc. Tooltips on the TDF Parameter: 

Note that the "ID" is a unique ID. Please provide the ID when reporting issues with a TDF. For TDFs that do not apply/override parameters, but instead are their own configuration, data or media files, you will not see TDF ID row details.

TIP: When including large files, please be aware of memory limitations, since the TDF Editor shares memory with the Client.

NOTE: The available TDF options vary. On the L3-7 | IPSec tab > IKE with RSA Settings, you may only select the Certificate TDF from TAS (these are non-CSV TDFs).

In addition, where applicable, any rules for defining TDFs are included in specific Test Cases. (For example, In MME Node test case, see MME Node - Provisioning TDF.)

From the DMF Window, press Shift+Alt+A to display the  Save DMF as Tcl window. Click the Save to File button to save as Tcl file. See additional details on Using the Tcl API.

 

Select/Create a new TDF-CSV

Allows you to create a new TDF by entering a file name that doesn’t already exist or select an existing file by entering a file name that already exists.

Click to open the Select Existing or Create window.

  • Navigate to the relevant library/folder,

  • Enter the name of the file:

  • If the file name already exists, the file is selected and applied in the test case.

  • If the file name does not exist, a message displays that says you are creating a new TDF and the embedded TDF-CSV will be launched.

    • Click Yes to launch the TDF-CSV Editor and create/save the new TDF-CSV.

    • Click No to select a different file.

NOTE: If you do not have permission to save in the selected library, an error displays when you try to create a new file.
TIP: You may also navigate to the relevant library/folder and select file, and click OK.

 

Upload a New TDF to TAS

Click to import a new TDF file from your local folder and select it in the test case (instead of having to go to TDF Admin).

  • Navigate to the file on your local folder and select.
  • Then navigate to the location (library) where you want to save it on the TAS. You may rename the file, if required.  

View Edit Selected TDF in TDF-CSV Editor

Available only when you have selected a TDF on TAS. Click to open the selected file in TDF-CSV Editor (in place, that is, within the Test Case).

Edit the file and save. You may also click Save As to save the edited TDF-CSV to a different library and also rename the file, if required.

NOTE: You may also select a TDF from a library to which you do not have write permissions, edit the file as required, and save (Save As) only to a different library with the same file name or a different name.

The only options available are Save As and Cancel.

Open Selected TDF in Standalone TDF-CSV Editor

Available only when you have selected a TDF on TAS. Select to retrieve the CSV file and open it in the stand alone TDF-CSV Editor.

Generate Stub TDF-CSV

TIP: Available only when a CSV specification has been defined in the Test Case for the TDF widget (View TDF Actions/Options Menu).

 

Opens an example of context-specific test data parameters, which you may save as a .CSV file or open in the TDF-CSV Editor.

 

Launch Standalone TDF-CSV Editor

Click to open a blank TDF-CSV Editor.

The Launch Standalone TDF-CSV Editor option handles very large TDFs that may use too much Client memory if opened within the Test Case in the embedded editor. You may set the standalone TDF-CSV Editor memory high to edit large TDFs.

 

 

^ Back to Top


MD5 Authentication

Use the MD5 checkbox to enable support for MD5 authentication, and then define the MN's Password.

Related Measurements

^ Back to Top


GTC Authentication

Use the GTC (Generic Token Card) checkbox to enable support for GTC authentication, and then define the MN's Token/Password.

During TLS authentication (EAP > TLS), when PEAP Version is 1 (TLS > PEAP-GTC), the inner authentication protocol carried inside the TLS tunnel is EAP-GTC with a token card (for example, a client certificate).

Related Measurements

^ Back to Top


EAP-SIM Authentication

Use the EAP-SIM checkbox to enable support for EAP-SIM authentication in a GSM network, and then define the Secret Key, Encryption Algorithm and the Operator Variant or Family Key.

Specify Rand

Select Use Specified RAND value to define RAND value.

Enter the RAND value used to formulate the challenge request.

Range: Up to 96 hexadecimal digits, excluding 0x.

Use hard-coded values

Select Use hard-coded values to define fixed SRES and Kc values.

  • SRES — Enter the SRES value that will be used to formulate the challenge response for all MNs.

Range: Up to 24 hexadecimal digits, excluding "0x."

Default: 0x000000000000

  • Kc — Enter the key that will be used to derive new keying material for all MNs.

Range: Up to 32 hexadecimal digits, excluding "0x."

Default: 0x00000000000000000000000000000000

Real Sim Card SRES Calculation

Available in Security Gateway Node and Wifi Offload Gateway Node. In Security Gateway Node, it becomes available when Use Real SIM Card (One Subscriber) is enabled in Mobile Subscribers. In Wifi Offload Gateway Node, it becomes available when S2b to PGW and SWn IPSec are selected.
NOTE: The Secret Key and Operator Variant in the Security Gateway Node must be configured to match the operator's SIM card for authentication to succeed.
  Tcl Parameter: DataEapSimRealSimSresCalcEn

Reauthentication Type

Select the initial reauthentication type.
NOTE: (RFC 4186) Fast re-authentication exists because the full authentication procedure is too time consuming for frequent use. Fast re-authentication is optional for both the EAP-SIM server and the peer; on each EAP authentication, either entity may fall back on full authentication if it does not want to use fast re-authentication.
  • Initial Fast Reauth ID: EAP-SIM fast re-authentication is based on the keys derived during the preceding full authentication; it does not use the SIM algorithms and does not need new triplets (RAND, SRES, Kc) from the Authentication Centre.

 

Initial Pseudonym ID

A pseudonym identity of the peer (including an NAI realm portion in environments where a realm is used).  Used on full authentication only.

Fast re-authentication identities are one-time identities. If the peer does not receive a new fast re-authentication identity, it MUST use either the permanent identity or a pseudonym identity on the next authentication to initiate full authentication.

SIM Permanent ID

Indicates the permanent identity used on full authentication only.
NOTE: The fast re-authentication procedure makes use of separate re-authentication user identities. Pseudonyms and the permanent identity are reserved for full authentication only. If a re-authentication identity is lost and the network does not recognize it, the EAP server can fall back on full authentication.
 

Related Measurements

^ Back to Top


EAP-AKA Authentication

Use the EAP-AKA checkbox to enable support for EAP-AKA authentication in a CDMA2000 or UMTS network, and then define the Secret Key, Encryption Algorithm and the Operator Variant or Family Key.

Secret Key

The shared key that is known to both the MN and the AAA Server.

Range: Up to 32 hexadecimal digits, excluding "0x."

Default: 0x0123456789ABCDEF0123456789ABCDEF

Encryption Algorithm

The authentication and key agreement algorithm set (f1 to f5) that the MN and the AAA Server use to compute the challenge response (RES) and the session keys (CK, IK); it does not encrypt user data.

Options:

  • 3GPP Milenage Crypto Algorithms

  • 3GPP2 Enhanced Crypto Algorithms

  • USIM Test Algorithm

Default: 3GPP Milenage Crypto Algorithms

Operator Variant

The 128-bit, operator-specific MILENAGE constant (Operator Variant - OP or OPc ) provisioned for the network.

Range: Up to 32 hex characters, excluding "0x."

Default: 0x63BFA50EE6523365FF14C1F45F88737D

Family Key

32-bit identifier used by the 3GPP2 Enhanced Cryptographic Algorithm.

Range: 0x0 - 0xFFFFFFFF

Default: 0x41484147

AMF Value: Available in 5G test cases. Select All 0s or All 1s.

Apply <EAP method> Parameters from Test Data File

You can provision authentication credentials for each MN by using Test Data Files for one or more EAP methods. See Parameter Features for more information on provisioning by file. You can obtain a sample file from your Technical Support representative.

AKA Permanent ID

Provides an option to skip the EAP-Request/AKA-Identity exchange (the AKA permanent identity request and its response): the server sends the AKA-Challenge directly after the EAP-Response/Identity. (Refer to RFC 4187.)

The AKA-Permanent ID is the permanent identity of the peer, including an NAI realm in environments where a realm is used.  The permanent identity is usually based on the IMSI and is used on full authentication only.

Starting Sequence Number

Select the Starting Sequence Number checkbox and enter the appropriate value.

Range: 0 - 281474976710655 (2^48 - 1; SQN is a 48-bit value)

Default: 1

Type: Integer

The Starting Sequence Number sets the initial sequence number (SQN) carried, masked by AK, in the AUTN. Per 3GPP TS 33.102 Annex C.1 and C.2, the UE triggers the re-synchronization procedure when the SQN received from the server is not fresh, that is, when SQN (server) is not higher than the SQN the UE holds.

Tcl Parameters:

EapAkaSqn

PeapEapAkaSqn

Use Prefix

Available when Application = SWm Interface. This flag lets Landslide's AAA Nodal/Node support an encrypted IMSI in AAA Diameter tests on the SWm interface between the ePDG and the AAA server when EAP-AKA is used. The feature uses public-key cryptography to keep the permanent identity confidential: the EAP client is configured with the public key of the authentication server and encrypts the permanent identity before sending it, and the authentication server decrypts it with its private key. EAP-AKA uses the International Mobile Subscriber Identity (IMSI) as the permanent identity in the authentication exchange; because the IMSI is a unique identifier that can be used to track device movement, protecting it from exposure is important for user privacy.

The AAA client encrypts the permanent identity (IMSI) with the RSA-OAEP algorithm and carries it in the AT_IDENTITY attribute of the EAP-Response/AKA-Identity message; the AAA server decrypts it. The optional Key Identifier AVP (attribute-value pair) carries data that helps the server locate the private key needed for decryption. As shown in the figure below, the client must be configured with the server's public key and the server with the matching private key, because the RSA-OAEP algorithm is used to encrypt the permanent identity. The permanent identity is the value of "AKA Permanent ID" in the GUI; if "AKA Permanent ID" is not defined, the "username" in the form <username>@domain is used as the permanent identity.

RSA-OAEP is specified in RFC 3447, Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1.
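As an added example, not Landslide code (the on-the-wire encoding of the encrypted identity, the OAEP hash function, the key-file format and the key identifier values are not described on this page and are assumptions here), the following Go program builds the permanent identity from an IMSI with the leading "0" described under User Name, encrypts it with RSA-OAEP under the server's public key, and shows the server selecting its private key by a key identifier, which is the role the optional Key Identifier AVP plays. The IMSI is the one from the RFC 4187 example and the realm is a constructed value.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// PermanentIdentity builds the EAP-AKA permanent username from an IMSI as RFC 4187
// section 4.1.1.6 specifies: a leading "0", the IMSI digits, then "@realm" if any.
func PermanentIdentity(imsi, realm string) string {
	if realm == "" {
		return "0" + imsi
	}
	return "0" + imsi + "@" + realm
}

// EncryptedIdentity is what the client carries instead of the clear IMSI: the RSA-OAEP
// ciphertext plus the key identifier that lets the server find its private key.
type EncryptedIdentity struct {
	KeyID      string
	Ciphertext string // base64 of the OAEP output; the transport encoding is an assumption
}

// EncryptIdentity is the client side: RSA-OAEP (RFC 3447 / PKCS#1 v2.1) with SHA-256
// under the server's public key. OAEP is randomised, so two encryptions of the same
// IMSI differ and the ciphertext does not itself become a trackable identifier.
func EncryptIdentity(pub *rsa.PublicKey, keyID, identity string) (EncryptedIdentity, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(identity), nil)
	if err != nil {
		return EncryptedIdentity{}, err
	}
	return EncryptedIdentity{KeyID: keyID, Ciphertext: base64.StdEncoding.EncodeToString(ct)}, nil
}

// Server keeps one private key per key identifier (the role of the Key Identifier AVP).
type Server struct {
	keys map[string]*rsa.PrivateKey
}

// NewServer generates a fresh RSA-2048 key per identifier. A real test would load the
// private/public key files selected in the GUI instead.
func NewServer(keyIDs ...string) (*Server, error) {
	s := &Server{keys: map[string]*rsa.PrivateKey{}}
	for _, id := range keyIDs {
		k, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			return nil, err
		}
		s.keys[id] = k
	}
	return s, nil
}

// PublicKey is what the client would be provisioned with for a given key identifier.
func (s *Server) PublicKey(keyID string) *rsa.PublicKey { return &s.keys[keyID].PublicKey }

// DecryptIdentity is the AAA-server side: select the key by identifier, undo OAEP and
// return the permanent identity. An unknown identifier, or a ciphertext made under a
// different public key, is rejected (OAEP decoding fails) rather than yielding garbage.
func (s *Server) DecryptIdentity(e EncryptedIdentity) (string, error) {
	priv, ok := s.keys[e.KeyID]
	if !ok {
		return "", errors.New("unknown key identifier")
	}
	ct, err := base64.StdEncoding.DecodeString(e.Ciphertext)
	if err != nil {
		return "", err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
	if err != nil {
		return "", fmt.Errorf("OAEP decryption failed: %w", err)
	}
	return string(pt), nil
}

func main() {
	srv, err := NewServer("key-2024") // key identifier is a constructed value
	if err != nil {
		panic(err)
	}
	id := PermanentIdentity("295023820005424", "example.com") // IMSI from the RFC 4187 example
	enc, err := EncryptIdentity(srv.PublicKey("key-2024"), "key-2024", id)
	if err != nil {
		panic(err)
	}
	got, err := srv.DecryptIdentity(enc)
	fmt.Println(got, err)
}
```

Because OAEP pads with fresh randomness, the same IMSI produces a different ciphertext on every attempt, so an observer on SWm cannot correlate sessions by the encrypted identity alone; with a deterministic encoding the encrypted value would simply become a new tracking identifier.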

 

When Use Prefix is enabled in the AAA Server Nodal/Node test cases, the following fields become available:

AAA Server Nodal test case:

  • Public Key File: select either an Installed file or a Test Data File.

  • Permanent ID Encryption: choose an Installed file or a TDF, based on the input selected above.

  • Key Identifier AVP: select to enable, then enter the Name of the AVP (up to 64 characters) and the Value of the AVP (up to 64 characters).

AAA Server Node test case:

  • Permanent ID Decryption: choose an Installed file or a TDF, based on the input selected above.

  • Private Key File: select either an Installed file or a Test Data File.

 

Tcl Parameters:

NasRadEapAkaUsePrefixEn

NasRadEapAkaPermIdEncryptEn

NasRadEapAkaPublicKeyTestDataFileEn

NasRadEapAkaPublicKeyTestDataFile

NasRadEapAkaPublicKeyFile

NasRadEapAkaKeyIdAvpEn

NasRadEapAkaKeyIdAvpName

NasRadEapAkaKeyIdAvpValue

AaaNodeEapAkaUsePrefixEn

AaaNodeEapAkaPermIdDecryptEn

AaaNodeEapAkaPrivateKeyTestDataFileEn

AaaNodeEapAkaPrivateKeyTestDataFile

AaaNodeEapAkaPrivateKeyFile

 

 

 

 

Related Measurements

Reauthentication ID Type: Indicates the ID type used to perform EAP authentication again. Select the reauthentication type.

Options: Fast ReAuth , Permanent, Pseudo

Fast re-authentication is optional for both the EAP-AKA server and peer. On each EAP authentication, either one of the entities may fall back on full authentication if it does not want to use fast re-authentication.

Fast re-authentication identities are one-time identities. If the peer does not receive a new fast re-authentication identity, it MUST use either the permanent identity or a pseudonym identity on the next authentication to initiate full authentication.

On full authentication, both the server and the peer initialize the counter to one. A counter value of at least one is used on the first fast re-authentication. On subsequent fast re-authentications, the counter MUST be greater than on any previous fast re-authentication; for example, on the second fast re-authentication the counter value is two or greater. The AT_COUNTER attribute is encrypted.

When the server creates an AKA challenge, the Authentication Management Field (AMF) separation bit is set to 1 in the AKA algorithm. If the bit is not set to 1, the peer fails the authentication.

^ Back to Top


EAP-AKA' Authentication

EAP-AKA' [RFC 5448] uses a key derivation function, which binds the keys derived to the name of the access network. This assists in limiting the effects of compromised access network nodes and keys.

Click EAP Settings > EAP-AKA' tab and select EAP-AKA' to configure the following settings.

 

Network Name

Indicates the network name of the access network for which the authentication is being performed.

Range: Maximum of 64 characters
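The network name entered here is an input to the CK'/IK' derivation, which is where RFC 5448 binds the keys to the access network. The Go program below is an added example written for this page (not Landslide code); it follows 3GPP TS 33.402 Annex A.2, which RFC 5448 references for this step, and shows that any change to the network name yields unrelated keys, so a compromised or mis-named access network cannot reuse keys derived for another. The CK, IK and SQN xor AK values in main are taken from the 3GPP TS 35.208 MILENAGE test set 1 and the network names are sample strings; no published CK'/IK' vector is asserted, only the binding property.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// DeriveCKIKPrime is the CK'/IK' derivation of 3GPP TS 33.402 Annex A.2, which RFC 5448
// invokes as (CK', IK') = F(CK, IK, network name, SQN xor AK). The generic 3GPP KDF
// (TS 33.220 Annex B) is HMAC-SHA-256 keyed with CK||IK over
//   S = FC || P0 || L0 || P1 || L1
// with FC = 0x20, P0 = network name, L0 = len(P0) on two bytes, P1 = SQN xor AK and
// L1 = 0x0006. CK' is the first 128 bits of the output and IK' the last 128 bits.
func DeriveCKIKPrime(ck, ik []byte, networkName string, sqnXorAK []byte) (ckPrime, ikPrime []byte) {
	if len(ck) != 16 || len(ik) != 16 || len(sqnXorAK) != 6 {
		panic("CK and IK must be 16 bytes, SQN xor AK must be 6 bytes")
	}
	name := []byte(networkName)
	s := append([]byte{0x20}, name...)
	s = append(s, byte(len(name)>>8), byte(len(name)))
	s = append(s, sqnXorAK...)
	s = append(s, 0x00, 0x06)

	kdf := hmac.New(sha256.New, append(append([]byte{}, ck...), ik...))
	kdf.Write(s)
	out := kdf.Sum(nil)
	return out[:16], out[16:]
}

// mustHex decodes a GUI-style hex field (no 0x prefix).
func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// DeriveHex wraps DeriveCKIKPrime for hex inputs. The first six bytes of the AUTN the
// peer receives are exactly SQN xor AK, so the peer has every input to hand.
func DeriveHex(ckHex, ikHex, networkName, sqnXorAKHex string) (string, string) {
	c, i := DeriveCKIKPrime(mustHex(ckHex), mustHex(ikHex), networkName, mustHex(sqnXorAKHex))
	return hex.EncodeToString(c), hex.EncodeToString(i)
}

func main() {
	// Constructed inputs: CK (f3), IK (f4) and SQN xor AK from 3GPP TS 35.208 test set 1.
	ck, ik, sa := "b40ba9a3c58b2a05bbf0d987b21bf8cf", "f769bcd751044604127672711c6d3441", "55f328b43577"
	for _, name := range []string{"WLAN", "HRPD", "WLAN "} {
		c, i := DeriveHex(ck, ik, name, sa)
		fmt.Printf("%-7q CK'=%s IK'=%s\n", name, c, i)
	}
}
```

The server and the peer must use the same network name string: with different names the derived CK'/IK' differ, and so does every key built on them, which turns a name mismatch into an authentication failure rather than a silent reuse of another network's keys. RFC 5448 specifies how the peer compares its own view of the name with the AT_KDF_INPUT value it receives from the server.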

AKA' Permanent ID

Provides an option to skip the EAP-Request/AKA-Identity exchange (the AKA permanent identity request and its response): the server sends the AKA-Challenge directly after the EAP-Response/Identity. (Refer to RFC 4187.)

The AKA-Permanent ID is the permanent identity of the peer, including an NAI realm in environments where a realm is used.  The permanent identity is usually based on the IMSI and is used on full authentication only.

Starting Sequence Number

Select the Starting Sequence Number checkbox and enter the appropriate value.

Range: 0 - 281474976710655 (2^48 - 1; SQN is a 48-bit value)

Default: 1

Type: Integer

The Starting Sequence Number sets the initial sequence number (SQN) carried, masked by AK, in the AUTN. Per 3GPP TS 33.102 Annex C.1 and C.2, the UE triggers the re-synchronization procedure when the SQN received from the server is not fresh, that is, when SQN (server) is not higher than the SQN the UE holds.

Full-Reauthentication

In the HSGW Nodal test case, select to perform the full re-authentication process, that is, to periodically perform full authentication again instead of the fast re-authentication process.

NOTE: In HSGW Node, used for back-to-back testing, use Full-Authentication Time (s) to specify the time to wait before performing the full-authentication process, similar to the first-time authentication.

Secret Key

The shared key that is known to both the MN and the AAA Server.

Range: Up to 32 hexadecimal digits, excluding "0x."

Default: 0x0123456789ABCDEF0123456789ABCDEF

Encryption Algorithm

The authentication and key agreement algorithm set (f1 to f5) that the MN and the AAA Server use to compute the challenge response (RES) and the session keys (CK, IK); it does not encrypt user data.

Options:

  • 3GPP Milenage Crypto Algorithms

  • 3GPP2 Enhanced Crypto Algorithms

  • USIM Test Algorithm

Default: 3GPP Milenage Crypto Algorithms

Operator Variant

The 128-bit, operator-specific MILENAGE constant (Operator Variant - OP or OPc ) provisioned for the network.

Range: Up to 32 hex characters, excluding "0x."

Default: 0x63BFA50EE6523365FF14C1F45F88737D

Family Key

32-bit identifier used by the 3GPP2 Enhanced Cryptographic Algorithm.

Range: 0x0 - 0xFFFFFFFF

Default: 0x41484147

AMF Value: Available in 5G test cases. Select All 0s or All 1s.

Apply <EAP method> Parameters from Test Data File

You can provision authentication credentials for each MN by using Test Data Files for one or more EAP methods. See Parameter Features for more information on provisioning by file. You can obtain a sample file from your Technical Support representative.

EAP-AKA' Measurements

^ Back to Top


EAP-MSCHAPv2 Authentication

Use the MSCHAPv2 checkbox to enable support for EAP-MSCHAPv2 authentication for AAA RADIUS client and server testing, and then define the MN's Password and User Name (Wifi Nodal/Node, SGW Wifi).

EAP Header: Available when PEAP Version = 0 (Microsoft PEAP). Select EAP Header to make Microsoft PEAP include the EAP header on the EAP message carried inside the TLS tunnel.

Type: True, False

Tcl Parameter: <Prefix>EapMsChapV2EapHeaderEn

Prefix examples:

  • AAA Node: AaaNodePeap

  • AAA Nodal: NasRadPeap

  • IP App Node: NasRadPeap

  • IPSec: DataPeap, DataMP

   

Related Measurements

^ Back to Top


EAP-TLS Authentication

The Main tab and the Ciphers tab (see TLS - Ciphers for details) are available for input. The Ciphers tab is available when TLS Version is TLSv1.1, TLSv1.2 or TLSv1.3.

Use the EAP-TLS checkbox to enable support for TLS authentication, then select the TLS Version. Landslide supports TLSv1.0, TLSv1.1, TLSv1.2 and TLSv1.3; TLSv1.0 is mutually exclusive with the other versions, whereas TLSv1.1, TLSv1.2 and TLSv1.3 can all be selected concurrently. Select the methods and keys that will be used.

NOTES:

  • When digital certificates are used in a RADIUS test, the maximum number of MS sessions is limited to 100,000. The activation rate in an AAA Server Nodal test is limited to 1000 sessions/second, and an AAA Server Node can process authentications at 85 authentications/second. As with any other licensed capacity, the limits in reduced-capacity systems may be lower than these maximums.

  • When EAP-TLS is used with IPSec, the maximum number of sessions is reduced since an additional tunnel is established for TLS.

You may also select Test Data File to specify the certificate file names. This allows you to upload a certificate you want to use as a Test Data File without causing the test Server to reboot.

NOTE:
  • Using Test Data Files also allows you to save certificates to different repositories and lets you use the same certificate file names from different repositories.
  • When Certificates are TDF, they are exportable to STE. See topic Exporting Test Suites for additional information.

 

Range: N/A

Default: 0

Range: N/A

Default: 1

If you select 0 (Microsoft PEAP), only MSCHAPv2 is allowed. Enter parameters in the PEAP-MSCHAPV2 sub-tab.  

If you select 1 (general PEAP implementation), you can enter parameters in the PEAP-MD5, PEAP-GTC, PEAP-SIM, PEAP-AKA, PEAP-AKA' and PEAP-MSCHAPV2 sub-tabs.

 

NOTE: Option 0 (Microsoft PEAP) is the only option allowed for Wifi RF Emulation.

The secret key used in EAP-FAST is referred to as the Protected Access Credential key (PAC-Key); the PAC-Key is used to mutually authenticate the peer and the server when establishing the tunnel.

Enter parameters in the FAST-MD5, FAST-SIM, FAST-AKA, FAST-AKA' and FAST-MSCHAPV2 sub-tabs.

Use the Enable PACs checkbox to distribute credentials to a peer for optimized network authentication. EAP-FAST uses PACs to dynamically provision attributes.

NOTE: The PEAP and TTLS Extensions fields are mutually exclusive.

Related Measurements

^ Back to Top


Common Settings

Secret Key

The shared key that is known to both the MN and the AAA Server.

Range: Up to 32 hexadecimal digits, excluding "0x."

Default: 0x0123456789ABCDEF0123456789ABCDEF

Encryption Algorithm

The authentication and key agreement algorithm set (f1 to f5) that the MN and the AAA Server use to compute the challenge response (RES) and the session keys (CK, IK); it does not encrypt user data.

Options:

  • 3GPP Milenage Crypto Algorithms

  • 3GPP2 Enhanced Crypto Algorithms

  • USIM Test Algorithm

Default: 3GPP Milenage Crypto Algorithms

Operator Variant

The 128-bit, operator-specific MILENAGE constant (Operator Variant - OP or OPc ) provisioned for the network.

Range: Up to 32 hex characters, excluding "0x."

Default: 0x63BFA50EE6523365FF14C1F45F88737D

Family Key

32-bit identifier used by the 3GPP2 Enhanced Cryptographic Algorithm.

Range: 0x0 - 0xFFFFFFFF

Default: 0x41484147

AMF Value: Available in 5G test cases. Select All 0s or All 1s.

Apply <EAP method> Parameters from Test Data File

You can provision authentication credentials for each MN by using Test Data Files for one or more EAP methods. See Parameter Features for more information on provisioning by file. You can obtain a sample file from your Technical Support representative.

 

^ Back to Top