Interworking of PANA and 802.1X

Huawei Technologies, Huawei Industrial Base, Shenzhen 518129, China, +86-755-28973567, lihy@huawei.com
Huawei Technologies, Huawei Industrial Base, Shenzhen 518129, China, +86-755-28972317, robin@huawei.com

Internet Area
Protocol for carrying Authentication for Network Access WG
Keywords: PANA, 802.1X, Interworking

Abstract

EAP is a lower-layer-dependent protocol: 802.1X carries it over the link layer and PANA carries it over the network layer. 802.1X (EAPoL) is confined to a single link and cannot traverse intermediate nodes, whereas PANA can carry EAP across the network at the IP layer. 802.1X is widely deployed on legacy terminals, and upgrading all of those terminals to support PANA is impractical. This document introduces a PANA interworking function that lets legacy 802.1X terminals be authenticated and obtain access to a PANA network without upgrading their software or hardware.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in .

Introduction

EAP is a protocol that defines an authentication framework supporting
multiple authentication methods. EAP runs between a peer and an EAP server, typically over a link layer such as IEEE 802. Through the work of the PANA (Protocol for carrying Authentication for Network Access) working group, EAP may now also be carried over the network layer by PANA. Because EAP is a lower-layer-dependent protocol, a different carrier protocol is needed for each lower layer, e.g. EAPoL for EAP over Ethernet and PANA for EAP over IP.

Clients may use PANA to be authenticated for network access without any link-layer authentication method being involved. Legacy terminals, however, may support EAP and EAPoL but not PANA. One shortcoming of 802.1X is that it runs only over the link layer and cannot pass through any intermediate node.

The intent is to define an interworking mechanism between 802.1X and PANA that lets 802.1X terminals be authenticated and obtain access to a PANA network without updating the software or hardware of these legacy terminals.

ITU-T Q.3201 has defined the EAP-based
authentication architecture in NGN, where link-layer authentication, network-layer authentication and an interworking function between them are all required. Figure 1 depicts such an architecture for a broadband network. The PANA-IWF is the functional entity that supports interworking between 802.1X and PANA. It should be located in the device to which user terminals are directly connected. Although EAPoL runs only over the link between the user terminal and the PANA-IWF, EAP can be carried further over IP thanks to PANA.

The benefits of such an architecture include a single authentication point for various access interfaces and support for authenticating peers that are not directly connected to the authenticator.

Legacy user terminals supporting 802.1X are directly connected to
the access network. The PANA-IWF is located in the access network device to which user terminals attach, and 802.1X runs between the user terminals and that device at the edge. Such a device is generally called an Access Node; in this case it is typically an Ethernet switch or a public hot spot. See Figure 2.

Legacy user terminals supporting 802.1X are connected to the access network via gateways. The PANA-IWF is located in the gateway, and 802.1X runs between the user terminals and the gateway. This is the typical case for DSL and PON access networks, where the gateway is integrated into the DSL CPE and the ONT respectively. See Figure 3.

The PANA Interworking Function (PANA-IWF) is an intermediary between an
802.1X client and the PANA Authentication Agent (PAA) that performs interworking between EAPoL and PANA. The PANA-IWF converts EAPoL messages from the 802.1X client into PANA messages and forwards them to the PAA; it also converts PANA messages from the PAA into EAPoL messages and forwards them to the client.

Towards the PAA, the PANA-IWF acts as a PaC: it maintains the PANA state machine and
responds to the PAA's PANA-Auth-Request with a PANA-Auth-Answer. A local IP address for the PaC role and the IP address of the PAA should be configured on the PANA-IWF beforehand. The PANA-IWF relays EAP messages between the EAPoL client and the PAA by re-encapsulating the piggybacked EAP message with an Ethernet or IP header, without touching the content of the EAP message.

802.1X clients seeking authentication can thus reach the PAA and obtain authorization for network access via the PANA-IWF.

An example authentication process follows:

1. The 802.1X client sends EAPOL-Start to the PANA-IWF, triggering an EAP
authentication process.

2. On receiving the EAPOL-Start, the PANA-IWF sends a PANA-Client-Initiation (PCI) to the PAA and starts the PANA negotiation with it.

3. On receiving a PANA-Auth-Request carrying an EAP-Payload AVP, the PANA-IWF converts it into an EAPoL EAP-Packet carrying the EAP Request by extracting the EAP payload and prepending link-layer information. The EAPoL frame is then forwarded to the 802.1X client.

4. The 802.1X client replies to the EAP Request as in a normal 802.1X authentication. The PANA-IWF converts the client's EAPoL message into a PANA-Auth-Answer carrying the EAP Response and forwards it to the PAA. Through this interpretation by the PANA-IWF, the 802.1X client talks EAP to the PAA and the authentication proceeds.

5. After the client is successfully authenticated, the PAA sends the PANA-IWF a PANA-Auth-Request with EAP-Success and the 'C' (Complete) bit set. The PANA-IWF replies to the PAA with a PANA-Auth-Answer with the 'C' bit set, finishing the PANA authentication, and informs the 802.1X client that authentication succeeded with an EAP-Success in EAPoL, finishing the 802.1X authentication.

The 802.1X client may request termination of the session by sending an EAPOL-Logoff message. The PANA-IWF converts the EAPOL-Logoff into a PANA-Termination-Request and sends it to the PAA. The PAA replies with a PANA-Termination-Answer and clears the PANA session.

Security Considerations

802.1X and PANA are both EAP-based and inherit their security properties from EAP and EAP methods. Note that the PANA-IWF relays EAP without taking part in the EAP method, so any keying material exported by the method (the MSK) is held by the 802.1X client and the EAP server, not by the PANA-IWF; how the PANA-IWF obtains keys for PANA message protection is not addressed in this document.

References

IEEE 802.1X, IEEE Standard for Local and Metropolitan Area Networks—Port-Based Network Access Control, IEEE.
ITU-T Q.3201, EAP-based security signalling protocol architecture for network attachment, ITU-T.
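The relay procedure described in this document (EAPOL-Start to PCI, PANA-Auth-Request to EAPoL EAP-Packet, the client's EAP Response to PANA-Auth-Answer, the 'C'-bit completion, and EAPOL-Logoff to PANA-Termination-Request), modelled as an added example; this is illustration code, not code from the draft or from Huawei. The wire formats follow IEEE 802.1X (EAPOL) and RFC 5191 (PANA header, AVP header, flag and type values). Keying the per-client state by source MAC address, allowing one session per client, the `PanaIWF` class and its method names, and the session identifier, sequence numbers and MAC addresses used in the demo are all assumptions made for the example.

```python
"""Toy PANA-IWF relay modelling the exchange described in this document.

Added illustration, not code from the draft or from Huawei. Wire formats follow
IEEE 802.1X (EAPOL) and RFC 5191 (PANA). Keying the per-client state by source
MAC, one session per client, and the field values in the demo are assumptions.
"""
import struct

ETH_P_EAPOL, EAPOL_VERSION = 0x888E, 2
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2   # EAPOL packet types
PANA_PCI, PANA_AUTH, PANA_TERMINATION = 1, 2, 3         # PANA message types
FLAG_R, FLAG_S, FLAG_C = 0x8000, 0x4000, 0x2000         # PANA header flags
AVP_EAP_PAYLOAD, AVP_TERMINATION_CAUSE = 2, 9           # RFC 5191 AVP codes
TERM_LOGOUT = 1                                         # Termination-Cause value


def eapol_frame(dst, src, ptype, body=b""):
    """Ethernet frame (EtherType 0x888E) carrying one EAPOL packet."""
    return dst + src + struct.pack("!HBBH", ETH_P_EAPOL, EAPOL_VERSION, ptype, len(body)) + body


def parse_eapol(frame):
    """Return (dst, src, packet type, body) of an EAPOL frame."""
    dst, src, (ethertype,) = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_EAPOL:
        raise ValueError("not an EAPOL frame")
    _ver, ptype, blen = struct.unpack("!BBH", frame[14:18])
    return dst, src, ptype, frame[18:18 + blen]


def pana_avp(code, value):
    """AVP: code, flags, length of Value, reserved; Value padded to a 4-octet boundary."""
    return struct.pack("!HHHH", code, 0, len(value), 0) + value + b"\x00" * ((-len(value)) % 4)


def pana_message(mtype, flags, sid, seq, avps=b""):
    """16-octet PANA header; Message Length covers header plus AVPs."""
    return struct.pack("!HHHHII", 0, 16 + len(avps), flags, mtype, sid, seq) + avps


def parse_pana(msg):
    """Return (type, flags, session id, sequence number, {avp code: value})."""
    _res, length, flags, mtype, sid, seq = struct.unpack("!HHHHII", msg[:16])
    avps, off = {}, 16
    while off < length:
        code, aflags, alen, _res = struct.unpack("!HHHH", msg[off:off + 8])
        off += 8 + (4 if aflags & 0x8000 else 0)            # V bit: skip Vendor-Id
        avps[code] = msg[off:off + alen]
        off += alen + (-alen) % 4
    return mtype, flags, sid, seq, avps


class PanaIWF:
    """802.1X authenticator towards the client, PaC towards the PAA.
    EAP payloads are re-encapsulated, never inspected or modified."""

    def __init__(self, mac):
        self.mac, self.sessions = mac, {}   # client MAC -> session state (assumption)

    def from_client(self, frame):
        """EAPOL frame from the client -> PANA message for the PAA, or None."""
        _dst, src, ptype, body = parse_eapol(frame)
        if ptype == EAPOL_START:            # EAPOL-Start triggers a PCI (sid and seq are zero)
            self.sessions[src] = {"sid": 0, "paa_seq": 0, "ans_flags": 0, "pac_seq": 0, "pending": False}
            return pana_message(PANA_PCI, 0, 0, 0)
        s = self.sessions.get(src)
        if s is None:
            return None                     # no session: ignore stray frames
        if ptype == EAPOL_EAP_PACKET and s["pending"]:
            s["pending"] = False            # EAP Response answers the outstanding PAR with a PAN
            return pana_message(PANA_AUTH, s["ans_flags"], s["sid"], s["paa_seq"],
                                pana_avp(AVP_EAP_PAYLOAD, body))
        if ptype == EAPOL_LOGOFF:           # EAPOL-Logoff -> PTR with Termination-Cause LOGOUT
            s["pac_seq"] += 1
            return pana_message(PANA_TERMINATION, FLAG_R, s["sid"], s["pac_seq"],
                                pana_avp(AVP_TERMINATION_CAUSE, struct.pack("!I", TERM_LOGOUT)))
        return None

    def from_paa(self, msg, client):
        """PANA message from the PAA -> (EAPOL frame for the client or None, PANA answer or None)."""
        mtype, flags, sid, seq, avps = parse_pana(msg)
        s = self.sessions.get(client)
        if s is None:
            return None, None
        if mtype == PANA_AUTH and flags & FLAG_R:
            s["sid"], s["paa_seq"] = sid, seq
            s["ans_flags"] = flags & (FLAG_S | FLAG_C)      # the PAN echoes S and C of the PAR
            eap = avps.get(AVP_EAP_PAYLOAD)
            frame = eapol_frame(client, self.mac, EAPOL_EAP_PACKET, eap) if eap else None
            if flags & FLAG_C or eap is None:
                # Completion (EAP-Success/Failure) or a PAR without EAP: answer the PAA at once.
                return frame, pana_message(PANA_AUTH, s["ans_flags"], sid, seq)
            s["pending"] = True             # wait for the client's EAP Response
            return frame, None
        if mtype == PANA_TERMINATION and not flags & FLAG_R:
            self.sessions.pop(client, None)  # PTA: the PANA session is cleared
        return None, None


if __name__ == "__main__":
    # Constructed demo values (MACs, session id 0xABCD, sequence 100 are assumptions).
    iwf, client = PanaIWF(bytes.fromhex("001122334455")), bytes.fromhex("aabbccddeeff")
    print("PCI:", iwf.from_client(eapol_frame(iwf.mac, client, EAPOL_START)).hex())
    par = pana_message(PANA_AUTH, FLAG_R | FLAG_S, 0xABCD, 100, pana_avp(AVP_EAP_PAYLOAD, bytes([1, 1, 0, 5, 1])))
    frame, _ = iwf.from_paa(par, client)
    print("EAPOL to client:", frame.hex())
    resp = eapol_frame(iwf.mac, client, EAPOL_EAP_PACKET, bytes([2, 1, 0, 10, 1]) + b"alice")
    print("PAN to PAA:", iwf.from_client(resp).hex())
```

Two details worth noting: a PANA-Auth-Answer copies the session identifier and sequence number of the PANA-Auth-Request it answers, so the relay only emits one when a request is actually outstanding (an unsolicited EAP-Packet from the client produces nothing), and the EAP bytes are copied between the EAPoL body and the EAP-Payload AVP untouched, which is the property that lets the 802.1X client and the PAA run the EAP method end to end.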