The Extensible Authentication Protocol (EAP) can be used to authenticate MNs when IPSec, Diameter or RADIUS is used in the test. The EAP Settings window allows you to select the authentication methods that will be supported by the MNs, the NAS nodes, or a server node depending on the test case. Click the EAP Settings... button to access the window. The settings for each method are contained on their respective sub-tabs.
WARNING: When running any EAP method, you must use an equal number of user names and sessions. Multiple sessions with the same user name will cause some EAP sessions to fail.
This topic describes the settings for EAP. The topics listed under Related Parameters include certificate settings for EAP-TLS and the protocols and test cases that support EAP.
User Name
The MN's user name, NAI, or IMSI that will be sent or expected in the EAP Identity response. See User Credentials for a full definition.
Expanded Types
Use the checkbox to enable support for vendor-specific authentication methods. If the AAA Server requests a method that the MN does not support, the MN responds with an Expanded NAK message.
Retry Count
You can define the number of times a message will be transmitted when the expected response or follow-on request has not been received. Enter 0 to disable retries.
Retry Time
You can define the elapsed time (in seconds) between each try until the configured retry count is reached. Default is 5 seconds.
Numeric. Default is 10 (ms). Range: 0 to 65535. Currently only available via SGW Nodal and Wifi Offload Gateway Nodal when CAPWAP is used and authentication is 802.1x. Tcl parameter: CapWapEapMsgDelayEn
Use the WiMAX MIP Root Key to enable WiMAX MIP Root Key generation and distribution. Range: a maximum of 64 bytes (128 hex characters, excluding 0x). Default: 0x
Combined EAP
Select the checkbox to use the EAP authentication scheme that combines a challenge with a device ID, password and hash algorithm.
Indicates the Device ID sending the EAP challenge.
Indicates the Device password/secret.
Disable Identity Request
The Disable Identity Request checkbox is available on the IPSec EAP dialog box in all server-side (responder) test cases, for example Network Host, LNS Node, MIP Node, etc.
Identity Protection
Implements the identity privacy clause of the EAP-AKA and EAP-SIM methods (RFC 4186, section 4.2.1.2, Identity Privacy Support). Selecting Identity Protection allows you to use the alternate IDs (user names) in the transport layers (RADIUS/Diameter) during the re-authentication process, which protects the real identity of the mobile node.
Apply Authentication Parameters from Test Data File
See TDF-CSV Editor. You can provision authentication credentials for each MN by using Test Data Files. See Applying Parameter Values, and see Test Data Files for further explanation and sample files. If a sample is not found for the specific TDF, you can obtain a sample file from your Technical Support representative. You may also use the following options to select an existing TDF or create/edit TDF-CSV files (TDF-CSV Editor).
For most TDF parameters used for Applying Parameters, each row in the file is the overridden value for a different "Session", that is, a different UE. Some TDFs are organised in other dimensions, such as Bearers, eNodeBs, Subscribers (sometimes 2 per UE) or even Hosts.
Tooltips on the TDF Parameter: note that the "ID" is a unique ID. Please provide the ID when reporting issues with a TDF. For TDFs that do not apply or override parameters, but are instead their own configuration, data or media files, you will not see TDF ID row details.
Use the MD5 checkbox to enable support for MD5 authentication, and then define the MN's Password.
Use the GTC (Generic Token Card) checkbox to enable support for GTC authentication, and then define the MN's Token/Password.
During TLS authentication (EAP > TLS), when the PEAP version is 1 (TLS > PEAP-GTC), the authentication protocol inside the TLS tunnel uses EAP-GTC with a token card (for example, a client certificate).
Use the EAP-SIM checkbox to enable support for EAP-SIM authentication in a GSM network, and then define the Secret Key, Encryption Algorithm and the Operator Variant or Family Key.
Specify RAND
Select Use Specified RAND value to define the RAND value. Enter the RAND value used to formulate the challenge request. Range: up to 96 hexadecimal digits, excluding 0x.
Use hard-coded values
Select Use hard-coded values to define fixed SRES and Kc values.
Range: up to 24 hexadecimal digits, excluding "0x". Default: 0x000000000000
Range: up to 32 hexadecimal digits, excluding "0x". Default: 0x00000000000000000000000000000000
Real SIM Card SRES Calculation
Available in Security Gateway Node and Wifi Offload Gateway Node. In Security Gateway Node, enable this when Use Real SIM Card (One Subscriber) is selected in Mobile Subscribers. In Wifi Offload Gateway Node, it becomes available when S2b to PGW and SWn IPSec are selected.
Reauthentication Type
Select the initial reauthentication type.
Fast re-authentication is optional for both the EAP-SIM server and peer. On each EAP authentication, either one of the entities may fall back on full authentication if it does not want to use fast re-authentication.
Initial Pseudonym ID
A pseudonym identity of the peer (including an NAI realm portion in environments where a realm is used). Used on full authentication only. Fast re-authentication identities are one-time identities. If the peer does not receive a new fast re-authentication identity, it MUST use either the permanent identity or a pseudonym identity on the next authentication to initiate full authentication.
SIM Permanent ID
Indicates the permanent identity used on full authentication only.
Use the EAP-AKA checkbox to enable support for EAP-AKA authentication in a CDMA2000 or UMTS network, and then define the Secret Key, Encryption Algorithm and the Operator Variant or Family Key.
Secret Key
The shared key that is known to both the MN and the AAA Server. Range: up to 32 hexadecimal digits, excluding "0x". Default: 0x0123456789ABCDEF0123456789ABCDEF
Encryption Algorithm
Method of cryptographic encryption of the data to be transmitted between the MN and the AAA Server. Default: 3GPP Milenage Crypto Algorithms
Operator Variant
The 128-bit, operator-specific MILENAGE constant (Operator Variant, OP or OPc) provisioned for the network. Range: up to 32 hex characters, excluding "0x". Default: 0x63BFA50EE6523365FF14C1F45F88737D
Family Key
32-bit identifier used by the 3GPP2 Enhanced Cryptographic Algorithm. Range: 0x0 - 0xFFFFFFFF. Default: 0x41484147
AMF Value
Available in 5G test cases. Select All 0s or All 1s.
You can provision authentication credentials for each MN by using Test Data Files for one or more EAP methods. See Parameter Features for more information on provisioning by file. You can obtain a sample file from your Technical Support representative.
AKA Permanent ID
Provides an option to disable the EAP Identity Request and Response with an AKA Permanent Identity Request message, responding with the AKA challenge following the EAP Identity Response (refer to RFC 4187). The AKA Permanent ID is the permanent identity of the peer, including an NAI realm in environments where a realm is used. The permanent identity is usually based on the IMSI and is used on full authentication only.
Starting Sequence Number
Select the Starting Sequence Number checkbox and enter the appropriate value. Range: 0 - 281474976710655 (2^48 - 1). Default: 1. Type: Integer. The Starting Sequence Number allows you to set the initial sequence number used in the AUTN. Per 3GPP TS 33.102 Annex C.1 and C.2, the re-synchronization procedure usually happens in the UE when SQN (server) < SQN (client). Tcl Parameters:
Available when Application = SWm Interface. This flag lets Landslide's AAA Nodal/Node support an encrypted IMSI in AAA Diameter tests on the SWm interface between the ePDG and the AAA server using the EAP-AKA protocol. EAP-AKA uses public key cryptography to achieve confidentiality of the permanent identity: the EAP client is configured with the public key of the authentication server so that it can encrypt the permanent identity before sending it, and the authentication server decrypts the permanent identity with its private key.
The EAP-AKA protocol uses the International Mobile Subscriber Identity (IMSI) as the permanent identity in the authentication exchange. The IMSI is a unique identifier that can be used to track device movement, so protecting the IMSI against untrusted exposure is important for user privacy. The AAA client encrypts the permanent identity (IMSI) with the RSA-OAEP algorithm in the AT_IDENTITY attribute of the EAP-Request / AKA-Identity message, and the AAA server decrypts the permanent identity (IMSI). The optional Key Identifier AVP (attribute value pair) carries data that helps the server locate the private key needed to decrypt the permanent identity.
As shown in the figure below, the client and server each require a public key and a private key, because the RSA-OAEP algorithm is used to encrypt the permanent identity. The Permanent Identity is the value of "AKA Permanent ID" in the GUI. If "AKA Permanent ID" is not defined, the "username" in the form <username>@domain is used as the Permanent Identity. See RFC 3447, Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1.
When Use Prefix is enabled in AAA Server Nodal/Node test cases, the following fields become available for input:
AAA Server Nodal test case:
Public Key File: select either an Installed file or a Test Data File.
Permanent ID Encryption: choose an Installed file or a TDF, based on the input selected above.
Key Identifier AVP: select to enable, then enter the Name of the AVP (up to 64 characters) and the Value of the AVP (up to 64 characters).
AAA Server Node test case:
Permanent ID Decryption: choose an Installed file or a TDF, based on the input selected above.
Private Key File: select either an Installed file or a Test Data File.
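The following Go program is an added illustration (not Landslide's or the product's code) of the exchange described above: the client encrypts the IMSI-based permanent identity with RSA-OAEP under the server's public key, and the server uses a key identifier (the role the Key Identifier AVP plays) to locate the private key and decrypt it. The IMSI, realm and key identifier are constructed values.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// aaaServer holds private keys indexed by the key identifier the optional Key Identifier AVP carries (constructed).
type aaaServer struct{ privKeys map[string]*rsa.PrivateKey }
type aaaClient struct{ pubKeys map[string]*rsa.PublicKey } // matching public keys, configured out of band

// permanentIdentity builds the IMSI-based identity in <username>@domain form;
// the leading "0" is the EAP-AKA permanent-identity prefix (RFC 4187).
func permanentIdentity(imsi, realm string) string {
	return "0" + imsi + "@" + realm
}

// encryptPermanentID: RSA-OAEP (SHA-256) under the public key selected by keyID; the result replaces the clear IMSI in AT_IDENTITY.
func (c *aaaClient) encryptPermanentID(keyID, id string) ([]byte, error) {
	pub, ok := c.pubKeys[keyID]
	if !ok {
		return nil, fmt.Errorf("client has no public key for key identifier %q", keyID)
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(id), nil)
}

// decryptPermanentID locates the private key by key identifier and recovers the identity.
// An unknown identifier, a ciphertext under another key or a tampered ciphertext all fail closed.
func (s *aaaServer) decryptPermanentID(keyID string, ct []byte) (string, error) {
	priv, ok := s.privKeys[keyID]
	if !ok {
		return "", fmt.Errorf("server has no private key for key identifier %q", keyID)
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
	if err != nil {
		return "", fmt.Errorf("permanent identity decryption failed: %w", err)
	}
	return string(pt), nil
}

// newPair generates one 2048-bit key pair and installs it on both sides under keyID (constructed setup).
func newPair(keyID string) (*aaaServer, *aaaClient, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	s := &aaaServer{privKeys: map[string]*rsa.PrivateKey{keyID: priv}}
	c := &aaaClient{pubKeys: map[string]*rsa.PublicKey{keyID: &priv.PublicKey}}
	return s, c, nil
}

func main() {
	s, c, err := newPair("key-1") // constructed key identifier
	if err != nil {
		panic(err)
	}
	id := permanentIdentity("001010123456789", "wlan.mnc001.mcc001.3gppnetwork.org")
	ct, _ := c.encryptPermanentID("key-1", id)
	got, err := s.decryptPermanentID("key-1", ct)
	fmt.Printf("ciphertext %d bytes, recovered %q, err=%v\n", len(ct), got, err)
}
```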
Reauthentication ID Type: Indicates the ID type used to perform EAP authentication again. Select the reauthentication type.
Options: Fast ReAuth, Permanent, Pseudo
Fast ReAuth: EAP-AKA fast re-authentication is based on the keys derived during the preceding full authentication procedure; it does not make use of the AKA algorithms and does not need new vectors from the Authentication Centre.
Fast re-authentication is optional for both the EAP-AKA server and peer. On each EAP authentication, either one of the entities may fall back on full authentication if it does not want to use fast re-authentication.
Pseudo: A pseudonym identity of the peer (including an NAI realm portion in environments where a realm is used). Used on full authentication only.
Fast re-authentication identities are one-time identities. If the peer does not receive a new fast re-authentication identity, it MUST use either the permanent identity or a pseudonym identity on the next authentication to initiate full authentication.
Permanent: Indicates the permanent identity used on full authentication only.
Fast ReAuth Max Counter: The fast re-authentication exchange makes use of an unsigned 16-bit counter, included in the AT_COUNTER attribute. The counter has three goals:
It can be used to limit the number of successive re-authentication exchanges without full authentication.
It contributes to the keying material.
It protects the peer and the server from replays.
On full authentication, both the server and the peer initialize the counter to one. A counter value of at least one is used on the first fast re-authentication. On subsequent fast re-authentications, the counter MUST be greater than on any of the previous fast re-authentications. For example, on the second fast re-authentication the counter value is two or greater, and so on. The AT_COUNTER attribute is encrypted.
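Added example (Go, not Landslide code) of the AT_COUNTER rules just described: the counter restarts on full authentication, must strictly increase on each fast re-authentication, and a non-increasing value is treated as a replay. Treating a counter above the configured maximum as a forced fall-back to full authentication is an assumption of this example about how a "Fast ReAuth Max Counter" limit is applied.

```go
package main

import (
	"errors"
	"fmt"
)

// reauthState is a constructed model of the AT_COUNTER rules above, kept by
// each side: the counter restarts on full authentication and must strictly
// increase on every fast re-authentication. maxCounter plays the role of the
// "Fast ReAuth Max Counter" setting; treating an over-limit counter as a
// forced full authentication is an assumption of this example.
type reauthState struct {
	lastCounter uint16 // last AT_COUNTER accepted; 0 means none since full auth
	maxCounter  uint16 // highest counter value allowed before falling back
	fullAuths   int    // number of full authentications performed
}

var errReplay = errors.New("AT_COUNTER not greater than previous value: replay or stale request")

// fullAuthentication models a full EAP-AKA exchange: both sides start the
// counter at one again, so the next fast re-authentication may use value 1.
func (s *reauthState) fullAuthentication() {
	s.lastCounter = 0
	s.fullAuths++
}

// acceptFastReauth validates an AT_COUNTER value received in a fast
// re-authentication: true when accepted, false when the exchange falls back
// to full authentication (performed here), error for a replayed or
// non-increasing counter.
func (s *reauthState) acceptFastReauth(counter uint16) (bool, error) {
	if counter <= s.lastCounter {
		return false, errReplay
	}
	if counter > s.maxCounter {
		s.fullAuthentication()
		return false, nil
	}
	s.lastCounter = counter
	return true, nil
}

// nextCounter returns the value to send on the next fast re-authentication
// and whether a full authentication is required instead (limit reached or
// the 16-bit range exhausted).
func (s *reauthState) nextCounter() (uint16, bool) {
	if s.lastCounter == 0xFFFF || s.lastCounter >= s.maxCounter {
		return 0, true
	}
	return s.lastCounter + 1, false
}

func main() {
	s := &reauthState{maxCounter: 3}
	s.fullAuthentication()
	for _, c := range []uint16{1, 1, 3, 4} { // accepted, replay, accepted, over limit
		ok, err := s.acceptFastReauth(c)
		fmt.Printf("counter %d: accepted=%v err=%v fullAuths=%d\n", c, ok, err, s.fullAuths)
	}
}
```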
Allocate Fast ReAuth ID: Select to trigger usage of a previously generated key. Available on AAA Tab in the AAA Node Test Case.
Allocate Pseudonym Name: Select to trigger generation of a Pseudonym name. Available on AAA Tab in the AAA Node Test Case.
Send Request Identity: Select Send Request Identity to include AKA-Identity in response to a valid EAP-Request/AKA-Identity from the server.
AMF Value: With EAP-AKA authentication, in order to reduce the risk of node vulnerability, the AKA algorithm is computed with the AMF separation bit set to 1, and the peer checks to ensure that this is indeed the case.
When the server creates an AKA challenge, the Authentication Management Field (AMF) separation bit is set to 1 in the AKA algorithm. If the bit is not set to 1, the peer fails the authentication.
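Added example (Go, not Landslide code) tying together the Starting Sequence Number and AMF Value descriptions: a peer-side check of a received AUTN that unmasks SQN, rejects a challenge whose AMF separation bit is 0, and flags re-synchronisation when SQN (server) < SQN (client). The AK value is constructed, and MAC verification is omitted.

```go
package main

import (
	"errors"
	"fmt"
)

// AUTN layout per 3GPP TS 33.102: SQN xor AK (6 bytes) || AMF (2) || MAC (8).
const autnLen = 16

// The AMF separation bit is "bit 0" in 3GPP numbering, i.e. the most
// significant bit of the first AMF octet (TS 33.102 Annex F).
const amfSeparationBit = 0x80

var (
	errLength = errors.New("AUTN must be 16 bytes and AK 6 bytes")
	errAMFBit = errors.New("AMF separation bit is 0: peer fails the authentication")
)

type challengeCheck struct {
	SQN    uint64 // server sequence number recovered from AUTN
	Resync bool   // SQN (server) < SQN (client): re-synchronisation instead of acceptance
}

// checkAKAChallenge performs the peer-side checks this section describes on a
// received AUTN. The anonymity key AK is an input; deriving it from RAND with
// MILENAGE f5 and verifying the MAC are outside this example.
func checkAKAChallenge(autn, ak []byte, peerSQN uint64) (challengeCheck, error) {
	if len(autn) != autnLen || len(ak) != 6 {
		return challengeCheck{}, errLength
	}
	var sqn uint64
	for i := 0; i < 6; i++ {
		sqn = sqn<<8 | uint64(autn[i]^ak[i]) // unmask SQN with AK
	}
	if autn[6]&amfSeparationBit == 0 {
		return challengeCheck{}, errAMFBit
	}
	return challengeCheck{SQN: sqn, Resync: sqn < peerSQN}, nil
}

// buildAUTN is the server-side counterpart used to construct sample
// challenges: it masks sqn (48-bit) with ak and appends amf and mac.
func buildAUTN(sqn uint64, ak []byte, amf [2]byte, mac [8]byte) ([]byte, error) {
	if sqn > 1<<48-1 || len(ak) != 6 {
		return nil, errors.New("SQN out of 48-bit range or bad AK length")
	}
	autn := make([]byte, autnLen)
	for i := 0; i < 6; i++ {
		autn[i] = byte(sqn>>(8*uint(5-i))) ^ ak[i]
	}
	copy(autn[6:8], amf[:])
	copy(autn[8:], mac[:])
	return autn, nil
}

func main() {
	ak := []byte{0xaa, 0x68, 0x9c, 0x64, 0x83, 0x70} // constructed AK value
	autn, _ := buildAUTN(1, ak, [2]byte{0x80, 0x00}, [8]byte{}) // Starting Sequence Number default 1
	res, err := checkAKAChallenge(autn, ak, 1)
	fmt.Printf("%+v err=%v\n", res, err)
}
```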
EAP-AKA' [RFC 5448] uses a key derivation function, which binds the keys derived to the name of the access network. This assists in limiting the effects of compromised access network nodes and keys.
Click EAP Settings > EAP-AKA' tab and select EAP-AKA' to configure the following settings.
Network Name
Indicates the network name of the access network for which the authentication is being performed. Option: maximum of 64 characters.
AKA' Permanent ID
Provides an option to disable the EAP Identity Request and Response with an AKA Permanent Identity Request message, responding with the AKA challenge following the EAP Identity Response (refer to RFC 4187). The AKA Permanent ID is the permanent identity of the peer, including an NAI realm in environments where a realm is used. The permanent identity is usually based on the IMSI and is used on full authentication only.
Starting Sequence Number
Select the Starting Sequence Number checkbox and enter the appropriate value. Range: 0 - 281474976710655 (2^48 - 1). Default: 1. Type: Integer. The Starting Sequence Number allows you to set the initial sequence number used in the AUTN. Per 3GPP TS 33.102 Annex C.1 and C.2, the re-synchronization procedure usually happens in the UE when SQN (server) < SQN (client).
Full-Reauthentication
In the HSGW Nodal test case, select to perform the full re-authentication process, that is, perform full authentication again periodically instead of the fast re-authentication process.
Secret Key
The shared key that is known to both the MN and the AAA Server. Range: up to 32 hexadecimal digits, excluding "0x". Default: 0x0123456789ABCDEF0123456789ABCDEF
Encryption Algorithm
Method of cryptographic encryption of the data to be transmitted between the MN and the AAA Server. Default: 3GPP Milenage Crypto Algorithms
Operator Variant
The 128-bit, operator-specific MILENAGE constant (Operator Variant, OP or OPc) provisioned for the network. Range: up to 32 hex characters, excluding "0x". Default: 0x63BFA50EE6523365FF14C1F45F88737D
Family Key
32-bit identifier used by the 3GPP2 Enhanced Cryptographic Algorithm. Range: 0x0 - 0xFFFFFFFF. Default: 0x41484147
AMF Value
Available in 5G test cases. Select All 0s or All 1s.
You can provision authentication credentials for each MN by using Test Data Files for one or more EAP methods. See Parameter Features for more information on provisioning by file. You can obtain a sample file from your Technical Support representative.
Use the MSCHAPv2 checkbox to enable support for EAP-MSCHAPv2 authentication for AAA RADIUS client and server testing, and define the MN's Password and User Name (Wifi Nodal/Node, SGW Wifi)
EAP Header: Available when PEAP V1 = 0. Select EAP Header to ensure Microsoft PEAP includes the EAP header on the EAP message (for the TLS tunnel).
Type: True, False
Tcl Parameter: <Prefix>EapMsChapV2EapHeaderEn
Prefix example:
AAA Node = AaaNodePeap
AAA Nodal = NasRadPeap
IP App Node = NasRadPeap
DataPeap, DataMP
The Main and Ciphers tabs are available for input (see additional details in the topic TLS - Ciphers). The Ciphers tab is available when TLS Version = TLSv1.1, TLSv1.2 or TLSv1.3.
Use the EAP-TLS checkbox to enable support for TLS authentication. Select TLS Version: Landslide supports TLSv1.0, TLSv1.1, TLSv1.2 and TLSv1.3 (TLSv1.0 is mutually exclusive with the other TLS versions; TLSv1.1, TLSv1.2 and TLSv1.3 can all be selected concurrently). Select the methods and keys that will be used.
NOTES:
Use the Generate Pairwise Master Key to enable PMK support when a Pre-Shared Key is used. The resulting PMK is used in place of a Master Session Key (MSK) to calculate and verify authentication tokens, and it will be used by RADIUS and IPSec as well as TLS. Available when TLS Version = TLSv1.0.
Use the Generate Master Session Key to generate the MSK (Master Session Key) upon success of PEAPv1 to be used for AUTH data calculation. Available when TLS Version = TLSv1.0.
Use the Reauthentication check box to allow the AAA server (SUT) to enable EAP-TLS session to resume. Available when TLS Version = TLSv1.0.
NOTE: If you do not select this checkbox, the AAA server (SUT) disables EAP-TLS session resume and the result is failure of every alternate authentication attempt, even when using the cached session ID from the preceding authentication.
Select to Include Finish Message in Digest.
Select Enable Pre-Shared Key Cipher Suites and enter the secret in the Pre-Shared Key field OR select Include Certificates (See also digital certificate settings.) Available when TLS Version = TLSv1.0.
Selecting Include Certificates allows you to provision the local peers' Private Key and select the X.509 Certificate File.
Private Key: Select Installed and use the drop-down list to select the file that will provision the local peers' private key.
X.509 Certificate File: Select Installed and use the drop-down list to select the X.509 certificate file.
You may also select Test Data File to specify the certificate file names. This allows you to upload a certificate you want to use as a Test Data File without causing the test Server to reboot.
Select Enable EAP-TLS MTU to support the EAP fragmentation scheme defined in RFC 5216. Default: 1000. Range: 100 to 65000. Available when TLS Version = TLSv1.0.
First Entry: The First Entry indicates a subset of the keys contained in the private key file may be used. This parameter uses a zero-based index to specify the starting key for the set.
Range: N/A
Default: 0
Number of Entries: The number of private keys that will be used in the test. If there are more local peers than keys, the keys will be distributed among the peers as evenly as possible.
Range: N/A
Default: 1
Use Generate WiMAX MSK to enable WiMAX key generation and distribution.
Use the PEAP checkbox to enable the Protected Extensible Authentication Protocol (PEAP) with a AAA Server within EAP-TLS. Select the PEAP Version from the drop-down list (0 = Microsoft PEAP, 1 = general PEAP implementation).
If you select 0 (Microsoft PEAP), only MSCHAPv2 is allowed. Enter parameters in the PEAP-MSCHAPV2 sub-tab.
If you select 1 (general PEAP implementation), you can enter parameters in the PEAP-MD5, PEAP-GTC, PEAP-SIM, PEAP-AKA, PEAP-AKA' and PEAP-MSCHAPV2 sub-tabs.
NOTE: Option 0 (Microsoft PEAP) is the only option allowed for Wifi RF Emulation.
Use the FAST checkbox to enable further authentication exchanges with a AAA Server within EAP-TLS. EAP-FAST supports the TLS extension for fast re-establishment of the secure tunnel without having to maintain per-session state on the server (RFC 4851). EAP-FAST makes use of TLS to enable an optimized TLS tunnel session resume while minimizing server state. The current implementation is based on V1.
The secret key used in EAP-FAST is referred to as the Protected Access Credential key (or PAC-Key); the PAC-Key is used to mutually authenticate the peer and the server when securing a tunnel.
Enter parameters in the FAST-MD5, FAST-SIM, FAST-AKA, FAST-AKA' and FAST-MSCHAPV2 sub-tabs.
The Enable PACs check box is available in AAA Server Node test cases when you select the FAST checkbox.
Use the Enable PACs check box to distribute credentials to a peer for optimized network authentication. EAP-FAST uses PACs to dynamically provision attributes.
Use the TTLS Extensions checkbox to enable an authentication method with a AAA Server within EAP-TLS. Select the authentication Method from the drop-down list (EAP, PAP, CHAP, MSCHAPV1, or MSCHAPV2). Define the AAA User Name and Password, where applicable, following the guidelines in User Credentials. Note: Maximum of 64 characters are allowed for User Name / Password.
NOTE: The PEAP and TTLS Extensions fields are mutually exclusive.
Select Apply TLS Parameters from Test Data File (TDF) check box to apply parameter values using a test data file.
Secret Key
The shared key that is known to both the MN and the AAA Server. Range: up to 32 hexadecimal digits, excluding "0x". Default: 0x0123456789ABCDEF0123456789ABCDEF
Encryption Algorithm
Method of cryptographic encryption of the data to be transmitted between the MN and the AAA Server. Default: 3GPP Milenage Crypto Algorithms
Operator Variant
The 128-bit, operator-specific MILENAGE constant (Operator Variant, OP or OPc) provisioned for the network. Range: up to 32 hex characters, excluding "0x". Default: 0x63BFA50EE6523365FF14C1F45F88737D
Family Key
32-bit identifier used by the 3GPP2 Enhanced Cryptographic Algorithm. Range: 0x0 - 0xFFFFFFFF. Default: 0x41484147
AMF Value
Available in 5G test cases. Select All 0s or All 1s.
You can provision authentication credentials for each MN by using Test Data Files for one or more EAP methods. See Parameter Features for more information on provisioning by file. You can obtain a sample file from your Technical Support representative.