IEEE 802.1X-based user authentication in KT, SK Telecom and LG U+'s Wi-Fi networks
February 26, 2015 | By Chris Yoo (tech@netmanias.com)
We will talk about the call flow of IEEE 802.1X-based user authentication as used in Korean network operators' Wi-Fi networks. Before we continue, let's first take a look at how the Korean operators currently authenticate Wi-Fi users. 
 
KT provides the following SSIDs in its Wi-Fi Hotspots: 

  • ollehWiFi (with lock icon): Users are authenticated based on the IMSI stored in USIM of their mobile device. At this time, EAP-AKA defined in 802.1X is used as an authentication protocol. 
  • ollehWifi (without lock icon): Users are authenticated based on the MAC address of their non-USIM device or based on username and password through captive portal or Connection Manager (CM). 

 
SK Telecom provides the following SSIDs in its Wi-Fi Hotspots:

  • T wifi zone_secure (with lock icon): Like KT, users are authenticated based on the IMSI in their mobile device, and EAP-AKA defined in 802.1X is used as the authentication protocol.
  • T wifi zone (without lock icon): Like KT, users are authenticated based on MAC address or username/password.

 
LG U+ provides the following SSIDs in its Wi-Fi Hotspots:

  • U+ zone (with lock icon): MSCHAPv2 over PEAP (Protected EAP) defined in 802.1X is used. Simply put, this is username/password-based authentication, similar to EAP-TTLS.

 
Here SSID stands for Service Set Identifier, and is used by users to identify Wi-Fi services. An access point (AP) can have more than one SSID, and each SSID may provide different authentication/encryption methods (e.g. in SK Telecom networks, an AP has 2 SSIDs - T wifi zone_secure and T wifi zone).
 
Now with that in mind, we will see in Figure 1 how EAP-AKA-based authentication and Internet access flow in KT's ollehWiFi work.
 

Figure 1. EAP-AKA-based Authentication and Internet Access Flow in KT's ollehWiFi
 

  1. In the figure above, an AP periodically broadcasts a beacon frame to all stations in range. The frame contains an SSID (ollehWiFi), the AP's MAC address and security (WPA2) information. So, when a user searches for a wireless LAN on his device, the SSID(s) appear along with a locked or unlocked indication next to them (encrypted networks show a lock icon to the right of the SSID while open networks do not). 
  2. The user selects ollehWiFi (with lock icon) to join.
  3. Then the station goes through 802.11 association procedure with the AP. This procedure is the same as "connecting a LAN cable to a PC" in a wired network.
  4. Now, time to authenticate the user. ollehWiFi (with lock icon) uses EAP-AKA authentication, which requires mutual authentication. So, the network authenticates the station, and the station authenticates the network. For this step, an IMSI@realm working as a user ID and K (Security Key) used in authentication are stored in the built-in USIM card of the station, and the IMSI@realm value is delivered to the AP (EAP-AKA over EAPoL).
  5. Then the AP forwards the IMSI@realm to the AAA server via Access Request, a RADIUS protocol message (EAP-AKA over RADIUS). The AAA server must have values of IMSI and K provisioned for each user.
  6. The result of authentication (i.e. 'Authentication succeeded' here) is notified via the Access Accept message. At this time, a Master Session Key (MSK) is also sent to the AP along with the message, to be used in Step 8.
  7. The AP then notifies the station of the successful authentication.
  8. Procedures for encryption and integrity protection across the airlink between the station and the AP begin. So, once these procedures (i.e. Step 8) are completed, all user data are encrypted and integrity-protected. See Figure 2 for detailed call flow.
  9. The station sends a DHCP message (DHCP Discover/Request) to have the AP allocate an IP address to it. Upon receipt of the message, the AP, acting as a DHCP server, allocates an IP address to the station (DHCP Offer/Ack). As the IP address allocated by the AP is a private IP, the AP acts as PAT/NAT (feature that translates multiple private IP addresses into one public IP address).
  10. Once IP address allocation is done, the AP sends an Accounting Request (Start) message to the AAA server, notifying it that the user has started using the Wi-Fi network and thus accounting for the user is being initiated. This message contains the user ID (IMSI), the IP address allocated to the station, the MAC address of the station, the number of packets and bytes transmitted to/from the station, etc.
  11. Now that the station has an IP address as well, the user can start using the Internet, and the AP performs PAT/NAT feature as explained above. As seen in the figure, the AP accordingly translates the source IP (172.30.10.10) of the packet sent by the station into 123.228.77.23, a public IP address configured in the AP, and sends it to the Internet.
  12. The AP periodically sends Accounting Request (Interim) messages to the AAA server, at the default interval or at the interval specified by the AAA server through Access Accept (e.g. 300 seconds).
  13. When the user disconnects from the Wi-Fi network, disassociation procedure between the station and the AP begins. This is the same as disconnecting a LAN cable from a PC in a wired network.
  14. Now that the station is detached from the network, the AP notifies the AAA server by sending Accounting Request (Stop) message.
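Step 5 carries the USIM identity from the AP to AAA inside an EAP-Message attribute of a RADIUS Access-Request. The example below is added here (it is not from the original article or any operator's equipment) and shows that message built and, on the AAA side, checked the way RFC 3579 requires: an Access-Request carrying EAP must include a Message-Authenticator (HMAC-MD5 keyed with the shared secret), or the AAA server must silently discard it. The IMSI, realm, MAC and NAS addresses are constructed sample values; RFC 4187 prefixes the EAP-AKA permanent identity with '0', which is also assumed here.

```python
import hashlib
import hmac
import os
import struct

# RADIUS code and attribute types (RFC 2865, RFC 3579), EAP codes (RFC 3748)
ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_NAS_IP, ATTR_CALLING_STATION_ID = 1, 4, 31
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1


def eap_response_identity(eap_id, identity):
    """EAP-Response/Identity: Code, Id, Length, Type, identity string (EAP-AKA over EAPoL, Step 4)."""
    data = identity.encode()
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(data), EAP_TYPE_IDENTITY) + data


def attr(atype, value):
    """RADIUS attribute TLV: Type, Length (incl. 2-byte header), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_access_request(identifier, secret, identity, station_mac, nas_ip, request_auth=None):
    """Access-Request as the AP sends it in Step 5, with a correct Message-Authenticator."""
    request_auth = request_auth or os.urandom(16)           # random Request Authenticator
    body = (attr(ATTR_USER_NAME, identity.encode())
            + attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split(".")))
            + attr(ATTR_CALLING_STATION_ID, station_mac.encode())
            + attr(ATTR_EAP_MESSAGE, eap_response_identity(1, identity)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body) + 18) + request_auth
    # HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed (RFC 3579 3.2)
    mac = hmac.new(secret, header + body + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)), hashlib.md5).digest()
    return header + body + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet, secret):
    """AAA-side check. Returns False on a bad HMAC, malformed packet, or a missing attribute."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return False                                    # truncated/overlong attribute
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)  # constant-time compare
        pos += alen
    return False  # EAP-Message without Message-Authenticator must be discarded
```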
     

Figure 2. WPA2 AES (CCMP) Encryption Algorithm 
 

SK Telecom's T wifi zone_secure will have the same flow as in Figure 1. LG U+'s U+ zone will also have the same except MSCHAPv2 over PEAP is used instead of EAP-AKA during Steps 4-7 in Figure 1. 
 
Next time, we will talk about captive portal-based Wi-Fi authentication procedure in Korean network operators' Wi-Fi networks.

 

 

rmhapankar 2015-02-27 14:45:24

Hi,

 

You mentioned about "MAC address based authentication for non-USIM devices", how that would work ?

How you address concerns like MAC cloning ?

 

Best Regards,

Rajesh

Netmanias 2015-03-02 15:06:12

Hi Rajesh,

 

'MAC address-based authentication' is performed during 802.11 association procedure. So, after Step 3 in Figure 1 above, the AP sends the MAC address of the station via Access Request message to AAA, where the MAC address is already provisioned. Then, AAA begins authentication based on the provisioned information, and then forwards the result to the AP via Access Accept/Access Reject message.

As you pointed out, it is impossible to prevent MAC cloning in this type of authentication, unfortunately. However, because AAA collects accounting information of stations that are accessing it (that is, as AAA knows whether a station at a specific MAC addresses has accessed it or not), it can at least prevent multiple stations from making a request for authentication using the same MAC address. 

 

Thanks,

Netmanias.com

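The reply above says AAA can use its accounting records to stop a second station from authenticating with a MAC address that already has an active session. The following is an added example, not the operators' or Netmanias' code, of that check run over constructed Accounting-Request records (Start/Interim/Stop as in Steps 10, 12 and 14); the field layout and all values are assumptions.

```python
# Constructed sample Accounting-Request records as AAA would receive them, in arrival order:
# (Acct-Status-Type, Acct-Session-Id, User-Name, Calling-Station-Id, Framed-IP-Address, NAS-IP-Address)
SAMPLE_RECORDS = [
    ("Start",   "s1", "a1b2c3", "a4:5e:60:11:22:33", "172.30.10.10", "10.1.1.1"),
    ("Interim", "s1", "a1b2c3", "a4:5e:60:11:22:33", "172.30.10.10", "10.1.1.1"),
    # a second station using the same MAC on another AP while s1 is still active
    ("Start",   "s2", "a1b2c3", "a4:5e:60:11:22:33", "172.30.20.7",  "10.1.2.1"),
    ("Stop",    "s1", "a1b2c3", "a4:5e:60:11:22:33", "172.30.10.10", "10.1.1.1"),
    # after the Stop, the same MAC may start a new session again
    ("Start",   "s3", "a1b2c3", "a4:5e:60:11:22:33", "172.30.10.10", "10.1.1.1"),
]


def audit_mac_sessions(records):
    """Track active sessions per MAC; flag any Start/Interim that collides with another session.

    Returns (alerts, active) where active maps MAC -> (session id, NAS IP, framed IP).
    """
    active = {}
    alerts = []
    for status, sid, user, mac, ip, nas in records:
        current = active.get(mac)
        if status == "Start":
            if current and current[0] != sid:
                alerts.append(f"MAC {mac}: session {sid} on NAS {nas} overlaps active session {current[0]} on NAS {current[1]}")
                continue  # do not register the overlapping session
            active[mac] = (sid, nas, ip)
        elif status == "Interim":
            if current is None or current[0] != sid:
                alerts.append(f"MAC {mac}: interim for unknown/overlapping session {sid}")
        elif status == "Stop":
            if current and current[0] == sid:
                del active[mac]  # MAC is free for a new session only after its Stop
    return alerts, active
```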

Harishankar 2015-03-09 15:52:58

Hi,

 

Do the Korean operators use an HS2.0-based solution for auto-login when in Wi-Fi coverage without user intervention?

Do these operators consider the Wi-Fi network a trusted or untrusted domain? Is there any dependency on the handset for such a solution?

What if a KT subscriber roams in the US, for example? Will he be able to use KT Wi-Fi roaming?

 

Regards,

Harishankar

 

David Kim 2015-03-09 18:54:49

KT provides hotspot 2.0 service with the following roaming partners:

NTT DoCoMo (Japan), CMCC (China), PCCW (China), Chunghwa Telecom (Taiwan)

- Authentication protocol: EAP-AKA

- Supported device: smartphone (Android, iOS), iPad with cellular interface


You can find the article at the link below:

http://www.kt.com/eng/pr/news_01.jsp (type 'automatic roaming' in the search box)

Harishankar 2015-03-10 16:09:22

Thanks for the reply. 

Does it work for non-SIM based devices like tablets? How does authentication work in that case?

 

 

David Kim 2015-03-12 09:29:56

According to Hotspot 2.0, devices without a SIM/USIM card can be authenticated using EAP-TLS or EAP-TTLS. But, as far as I know, KT does not support EAP-TLS/EAP-TTLS authentication, and instead features roaming that uses captive portal-based ID/PW authentication.
 
Simply put, current KT subscribers can access Wi-Fi:   

  1. in 4 different operators' networks in 3 countries by using a device with a SIM/USIM card through EAP-AKA authentication procedure, or
  2. in about 100 countries by using any device (with or without SIM/USIM card) through captive portal/WISPr.

Rajesh Desisetti 2019-09-30 18:28:55

Hi, 

Please share Dot1x and Mab authentication with AAA and dynamic ACL feature.
