EAP-AKA
=========

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What is the Expansion of EAP-AKA?**

   * **EAP-AKA** stands for **Extensible Authentication Protocol - Authentication and Key Agreement**.
   * It is an authentication protocol used for mobile devices and networks, providing secure authentication and key management for mobile network access.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What is EAP-AKA?**

   * **EAP-AKA** is an authentication protocol used in **3G** and **4G LTE** networks for **mutual authentication** and **secure key management** between devices (such as smartphones) and the network.
   * It provides secure **SIM-based authentication** using a shared secret stored in the SIM card.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Why is EAP-AKA useful?**

   * **SIM-Based Authentication**: EAP-AKA uses the **SIM card** to securely authenticate mobile devices, ensuring that only authorized devices can access the network.
   * **Secure Key Exchange**: It offers a secure way to exchange keys between the device and the network for encrypting data during communication.
   * **Mutual Authentication**: Both the mobile device and the network authenticate each other, reducing the risk of attacks like **man-in-the-middle**.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **How does it work?**

   * **Key Agreement**: EAP-AKA facilitates a process where the device and network mutually agree on a session key used for encryption.
   * **SIM-Based Authentication**: The device uses the **SIM card** to perform authentication. A secret stored in the SIM card (shared with the network) is used for authentication.
   * **Key Derivation**: After successful authentication, a key (PMK - Pairwise Master Key) is generated for securing communication between the device and the network.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Where is EAP-AKA used?**

   * **Mobile Networks**: Primarily used in **3G** and **4G LTE** cellular networks for secure mobile device authentication.
   * **Wi-Fi Networks**: EAP-AKA is also used in some Wi-Fi networks, especially when SIM card-based authentication is required.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Which OSI layer does this protocol belong to?**

   * EAP-AKA operates at the **Application Layer (Layer 7)** of the OSI model.
   * It uses lower layers for transport, commonly relying on **RADIUS** (Remote Authentication Dial-In User Service) for transport.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Is EAP-AKA Windows-specific?**

   * **No**, **EAP-AKA** is not Windows-specific.
   * It is platform-agnostic and can be implemented on any platform supporting **EAP** and **SIM-based authentication**, including **Android**, **iOS**, **Linux**, and **Windows**.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Is EAP-AKA Linux-specific?**

   * **No**, **EAP-AKA** is not Linux-specific.
   * Similar to other platforms, Linux-based devices can support **EAP-AKA** if the appropriate network infrastructure (like a **RADIUS** server) is in place.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Which transport protocol is used by EAP-AKA?**

   * **EAP-AKA** typically uses the **RADIUS protocol** for communication between the client device and the authentication server.
   * RADIUS usually operates over **UDP (User Datagram Protocol)** for transport.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Which port is used by EAP-AKA?**

   * When using **RADIUS**, **EAP-AKA** typically uses **UDP port 1812** for authentication requests and **UDP port 1813** for accounting.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does EAP-AKA use the client-server model?**

   * **Yes**, **EAP-AKA** follows the **client-server model**.
   * The **client** (e.g., mobile device) authenticates with the **server** (e.g., RADIUS or network authentication server), which processes the authentication request and issues a response.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does the EAP-AKA protocol use certificates?**

   * **Yes**, **EAP-AKA** uses **certificates** in some cases, particularly when mutual authentication requires secure server verification.
   * Server certificates are used to authenticate the server to the client.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **How many frame exchanges are seen during connection for the EAP-AKA protocol?**

   * **EAP-AKA** typically involves **four** frame exchanges:

     1. **EAP-Request/Identity**: The client sends an identity request.
     2. **EAP-Response/Identity**: The server responds with a request for the client’s identity.
     3. **EAP-Request/AKA**: A request for authentication.
     4. **EAP-Success**: The server sends an authentication success message.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does the EAP-AKA protocol use client certificates?**

   * **No**, **EAP-AKA** generally does not require **client certificates**.
   * It relies on **SIM card-based authentication**, where the client proves its identity through the SIM card shared secret.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does the EAP-AKA protocol use server certificates?**

   * **Yes**, **EAP-AKA** typically uses **server certificates** to authenticate the network during the authentication process.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does the EAP-AKA protocol depend on TCP?**

   * **No**, **EAP-AKA** does not depend on **TCP**.
   * It uses **RADIUS**, which relies on **UDP** (User Datagram Protocol) as the transport protocol.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does the EAP-AKA protocol depend on UDP?**

   * **Yes**, **EAP-AKA** depends on **UDP**.
   * **RADIUS**, which is used for transporting **EAP-AKA** messages, operates over **UDP**.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What are the roles involved when testing the EAP-AKA protocol?**

   * **Test Engineers**: Responsible for testing the **EAP-AKA** protocol, ensuring it functions correctly under various conditions.
   * **RADIUS Server Administrators**: Ensure the **RADIUS server** is correctly configured to handle **EAP-AKA** requests.
   * **Client Devices**: Mobile devices that initiate the authentication process.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does the EAP-AKA protocol work with the FreeRADIUS server on Linux?**

   * **Yes**, **EAP-AKA** can work with the **FreeRADIUS** server on **Linux** systems.
   * FreeRADIUS supports various EAP protocols, including **EAP-AKA**.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Does the EAP-AKA protocol work with the internal RADIUS server of hostapd?**

   * **Yes**, **EAP-AKA** can work with the internal **RADIUS server** of **hostapd** on **Linux** systems.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What is the RFC version used for the EAP-AKA protocol?**

   * **EAP-AKA** is specified in **RFC 4187**, which defines the use of the **Authentication and Key Agreement (AKA)** for mobile device authentication.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Which EAPoL packets are encrypted during the connection procedure?**

   * During the **EAP-AKA** authentication process, **EAP** and **key exchange** packets are encrypted for privacy.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Can you explain the different stages of the connection procedure for the EAP-AKA protocol?**

   * **Stage 1**: The client sends an **EAP-Request/Identity** message.
   * **Stage 2**: The network responds with an **EAP-Response/Identity**.
   * **Stage 3**: The client and server exchange **authentication information**, generating a **session key**.
   * **Stage 4**: An **EAP-Success** message is sent, confirming successful authentication.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What is the final output of the connection procedure?**

   * The final output is the generation of a **PMK** (Pairwise Master Key), used to encrypt data traffic between the device and the network.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What is the format of the key generated after the connection procedure?**

   * The key generated is the **PMK (Pairwise Master Key)**, used for encrypting traffic between the client device and the network.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Where is the PMK generated by the connection procedure used?**

   * The **PMK** is used to generate the **PTK** (**Pairwise Transient Key**), which is then used for **data encryption** during the communication session.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   Topics in this section:

   * :ref:`Learnings in this section <EAP_AKA_step1>`
   * :ref:`Terminology <EAP_AKA_step2>`
   * :ref:`Version Info <EAP_AKA_step3>`
   * :ref:`EAP_AKA Version&IEEE Details <EAP_AKA_step5>`
   * :ref:`EAP_AKA Basic Setup on Ubuntu <EAP_AKA_step18>`
   * :ref:`EAP_AKA Protocol Packet Details <EAP_AKA_step6>`
   * :ref:`EAP_AKA Usecases <EAP_AKA_step7>`
   * :ref:`EAP_AKA Basic Features <EAP_AKA_step8>`
   * :ref:`Reference links <EAP_AKA_step17>`

.. _EAP_AKA_step1:

.. tab-set::

   .. tab-item:: Learnings in this section

      * In this section, you are going to learn

.. _EAP_AKA_step2:

.. tab-set::

   .. tab-item:: Terminology

      * Terminology

.. _EAP_AKA_step3:

.. tab-set::

   .. tab-item:: Version Info

      * Version Info

.. _EAP_AKA_step5:

.. tab-set::

   .. tab-item:: EAP_AKA Version&RFC Details

      * rfc details

.. _EAP_AKA_step18:

.. tab-set::

   .. tab-item:: EAP_AKA Basic Setup on Ubuntu

      * setup

.. _EAP_AKA_step6:

.. tab-set::

   .. tab-item:: EAP_AKA Protocol Packet Details

      * packet details

.. _EAP_AKA_step7:

.. tab-set::

   .. tab-item:: EAP_AKA Usecases

      * usecases

.. _EAP_AKA_step8:

.. tab-set::

   .. tab-item:: EAP_AKA Basic Features

      * features

.. _EAP_AKA_step17:

.. tab-set::

   .. tab-item:: Reference links

      * Reference links
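
A parser for the EAP-AKA packet layout of RFC 4187 that also checks AT_MAC, the attribute that lets each side detect a modified frame during the exchange; this is an added example, not code from this page. The key, RAND and AUTN values and the `build_challenge` helper are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

EAP_TYPE_AKA, SUBTYPE_CHALLENGE = 23, 1
AT_RAND, AT_AUTN, AT_MAC = 1, 2, 11

def parse_eap_aka(pkt):
    """Return (code, identifier, subtype, [(attr_type, value_offset, value)])."""
    if len(pkt) < 8:
        raise ValueError("too short for an EAP-AKA header")
    code, ident, length, eap_type, subtype = struct.unpack(">BBHBB", pkt[:6])
    if length != len(pkt) or eap_type != EAP_TYPE_AKA:
        raise ValueError("length mismatch or not EAP type 23")
    attrs, pos = [], 8                       # bytes 6-7 are reserved
    while pos < length:
        if pos + 4 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = pkt[pos], pkt[pos + 1] * 4   # length is in 4-byte units
        if a_len == 0 or pos + a_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((a_type, pos + 2, pkt[pos + 2:pos + a_len]))
        pos += a_len
    return code, ident, subtype, attrs

def verify_at_mac(pkt, k_aut):
    """Recompute HMAC-SHA1-128 over the packet with the MAC field zeroed."""
    for a_type, off, value in parse_eap_aka(pkt)[3]:
        if a_type == AT_MAC and len(value) == 18:    # 2 reserved + 16 MAC bytes
            zeroed = pkt[:off + 2] + b"\x00" * 16 + pkt[off + 18:]
            want = hmac.new(k_aut, zeroed, hashlib.sha1).digest()[:16]
            return hmac.compare_digest(want, value[2:])
    return False                              # no AT_MAC: treat as unauthenticated

def build_challenge(ident, rand, autn, k_aut):
    """Constructed EAP-Request/AKA-Challenge used as sample input."""
    attrs = (bytes([AT_RAND, 5, 0, 0]) + rand + bytes([AT_AUTN, 5, 0, 0]) + autn
             + bytes([AT_MAC, 5, 0, 0]) + bytes(16))
    pkt = struct.pack(">BBHBBH", 1, ident, 8 + len(attrs),
                      EAP_TYPE_AKA, SUBTYPE_CHALLENGE, 0) + attrs
    mac = hmac.new(k_aut, pkt, hashlib.sha1).digest()[:16]
    return pkt[:-16] + mac

# Constructed sample values, not captured traffic.
K_AUT = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE = build_challenge(7, bytes(range(16)), bytes(range(16, 32)), K_AUT)

if __name__ == "__main__":
    print(parse_eap_aka(SAMPLE)[2], verify_at_mac(SAMPLE, K_AUT))
```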