Eduroam and IEEE 802.11u
Dave Stephenson, Wireless Networking Business Unit, Strategic Initiatives and CTO Office
February 27, 2012
© 2012 Cisco and/or its affiliates. All rights reserved.



Page 2

802.11u Executive Summary

• 802.11u – Interworking with External Networks

• Purpose: Interworking with External Networks is a key enabler that allows IEEE 802.11 devices to interwork with external networks, as typically found in hotspots or other public networks, irrespective of whether the service is subscription based or free.

  - The Interworking Service aids network discovery and selection, enables information transfer from external networks, and enables emergency services. It provides information to the STAs (mobile devices) about the networks prior to association.

  - The Interworking Service addresses MAC-layer enhancements that allow higher-layer functionality to provide the overall end-to-end interworking solution.

• Status: IEEE 802.11u-2011 is a fully ratified IEEE standard

Page 3

802.11u Feature Summary

• Network discovery and selection (NDS)

  - Generic Advertisement Service (GAS), together with the Access Network Query Protocol (ANQP) and the Interworking element, provides lightweight support for network selection

  - GAS provides support for other higher-layer network discovery, service advertisement and mobility management protocols

• Generalized QoS L3-to-L2 mapping

• Service Provider (aka SSPN) Interface

• Support for emergency services including Emergency Alert Service (EAS)

• Standardized SAP for higher-layer mobility management protocols (only for client devices)

Page 4

IEEE 802.11u Network Selection Overview

Page 5

Network Selection Prior to IEEE 802.11u

• SSID is the sole identifier used for Wi-Fi network selection

• If the Wi-Fi network is open (no encryption)

  - Whether or not the mobile device’s connection manager recognizes the SSID, the mobile device can join

• If the Wi-Fi network is encrypted

  - If the mobile device’s connection manager does not recognize the SSID, no further action is taken

  - To join, the mobile device must possess a pre-provisioned profile which contains the binding of {SSID, credential, EAP method(s), AAA server ID, trust anchors}

• There is no way for the hotspot to signal roaming partners—the only option is for the SP to manage long lists of roaming-partner SSIDs/profiles in the mobile device

Page 6

Network Selection with IEEE 802.11u

• All the legacy methods (i.e., pre-11u) still work and can still be used!

• The new question is whether the mobile device has credentials to successfully authenticate with the Wi-Fi access network, NOT whether the SSID is recognized

• IEEE 802.11 GAS/ANQP provides 3 types of identifiers a mobile device can use to determine whether successful authentication is possible

  - Realms, provided in the NAI Realm List

  - PLMN ID, provided in the 3GPP Cellular Information List

  - OUI, provided in the Roaming Consortium List

• This ANQP-provided information identifies the authentication domains of the hotspot operator and all of its roaming partners

• The hotspot is responsible for carrying out authentication, often using a proxy AAA service

• The home SP is no longer required to manage long SSID lists on every mobile device—this responsibility has been transferred to the network

Page 7

Network Selection with IEEE 802.11u: ANQP Messages Identifying Authentication Domains

• NAI Realm List

  - A list of realms (i.e., the realm part of username@realm) which can be successfully authenticated

  - If the mobile device finds a realm in the list matching one of its credentials, successful authentication is possible

  - Either EAP-TLS (certificate credential) or EAP-TTLS with MSCHAPv2 (username/password credential) is used, depending on the credential type provisioned by the Home SP

• 3GPP Cellular Information

  - A PLMN ID list; a PLMN ID is assigned to every cellular operator and has the form {MCC, MNC}

  - If the mobile device finds a PLMN ID in the list matching the one from its SIM credential, successful authentication is possible

  - Either EAP-SIM (2G/3G SIM credential) or EAP-AKA (4G USIM credential) is used

• Roaming Consortium List

  - A list of OUIs (organizationally unique identifiers)—essentially the OUI part of a MAC address, obtained from the IEEE (note: IEEE 802.11u also uses the term “OI”)

  - If the mobile device finds an OUI in the list matching the one it has been provisioned with, successful authentication is possible

  - This method can be used with aggregators (the hotspot operator does not necessarily know all the authenticable realms) and for other special purposes

  - For OUIs carried in the beacon, this is a very battery-efficient roaming method (no ANQP queries needed)

  - Eduroam could identify its authentication service using an OUI
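As an added example (not from the slides), the decision a connection manager can make from the three identifier types above, in Python; the ANQP data, OI value and device credentials are constructed, and the extra check that a realm also advertises the EAP method the credential needs relies on the per-realm EAP methods the NAI Realm List carries.

```python
# Added example (not from the slides): the decision a connection manager can make
# from the three ANQP identifier types on this slide. ANQP data, credentials and
# the OI value are constructed; the OI -> credential binding is stored on the device
# because ANQP never states which realm an OI covers.

# Credential type -> EAP method, following the slide's pairing.
EAP_FOR_CREDENTIAL = {
    "certificate": "EAP-TLS",
    "username_password": "EAP-TTLS/MSCHAPv2",
    "sim": "EAP-SIM",
    "usim": "EAP-AKA",
}

# Decoded ANQP response: realm -> EAP methods the hotspot will route for that realm,
# the PLMN IDs as (MCC, MNC) pairs, and the OIs from the Roaming Consortium List.
ANQP_RESPONSE = {
    "nai_realms": {
        "cisco.com": {"EAP-TLS", "EAP-TTLS/MSCHAPv2"},
        "example.edu": {"EAP-TTLS/MSCHAPv2"},
    },
    "plmn_ids": {("262", "01")},
    "roaming_consortium_ois": {"00aabb"},
}

# Credentials provisioned on the device (constructed).
DEVICE_CREDENTIALS = [
    {"name": "work-cert",  "type": "certificate",       "realm": "cisco.com"},
    {"name": "guest-cert", "type": "certificate",       "realm": "example.edu"},
    {"name": "campus",     "type": "username_password", "realm": "uni.example", "oi": "00aabb"},
    {"name": "phone-sim",  "type": "usim",              "plmn": ("262", "01")},
    {"name": "old-isp",    "type": "username_password", "realm": "isp.example"},
]

def usable_credentials(anqp, credentials):
    """Return (credential name, EAP method, identifier that matched) for every
    credential the advertised authentication domains say can authenticate here.
    Checks run cheapest first: OI (beacon-level), then PLMN ID, then NAI realm."""
    matches = []
    for cred in credentials:
        eap = EAP_FOR_CREDENTIAL[cred["type"]]
        if cred.get("oi") in anqp["roaming_consortium_ois"]:
            matches.append((cred["name"], eap, "oi"))
        elif cred.get("plmn") in anqp["plmn_ids"]:
            matches.append((cred["name"], eap, "plmn"))
        # A realm match also needs the hotspot to advertise the EAP method this
        # credential type uses; a realm listed only for EAP-TTLS cannot take EAP-TLS.
        elif eap in anqp["nai_realms"].get(cred.get("realm"), ()):
            matches.append((cred["name"], eap, "realm"))
    return matches
```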

Page 8

Sample Scenario

Legacy client, manual setup:
1. Power-on or unlock the phone
2. Select Wi-Fi network (vulnerable to rogue AP)
3. Go to Webauth
4. Browse webpage and enter the right credential, usually ID/PWD
5. Choose roaming plan
6. Start Internet

802.11u client, automatic setup:
1. Power-on or unlock the phone
2. Handset automatically validates the network and initiates connection

• Makes Wi-Fi easy-to-use and secure like 3G cellular

• An 802.11u-enabled network is compatible with non-11u devices!

Diagram, pre-association exchange between client and AP:
  Client: “Can you tell me your network info before I associate?”
  AP: “Yes! Here it is: Realm: cisco.com, EAP Method = EAP-TTLS”
  (ANQP elements shown: Domain Name (hotspot operator’s FQDN); NAI Realm / 3GPP Cellular Info)

Page 9

Packet Flow

Mobile to AP/WLC, then AP/WLC to AAA server:

1. Beacon with 802.11u Interworking IE
2. Probe Request
3. Probe Response
4. GAS Initial Request
5. GAS Initial Response
6. GAS Comeback Request (used if the response requires GAS fragmentation)
7. GAS Comeback Response
   Steps 4 to 7 are a pre-association protocol using 802.11 public action frames for GAS L2 transport. ANQP provides NAI Realm, 3GPP PLMN ID, etc. so the mobile can select a roaming candidate network; the number of queries and the query content are mobile-implementation dependent. PLMN ID and/or Realm + EAP Method are learned from the GAS exchange.
8. Authentication (null)
9. Authentication Response
10. Association Request (SSID): the 802.11u-enabled connection manager supplies the SSID to join
11. Association Response (AID)
12. 802.1X (EAPOL-Start)
13. 802.1X (EAP-Identity Request)
14. 802.1X (EAP-Identity Response)
15. 802.1X (EAP-Auth. Exchange) with the mobile, carried as RADIUS (EAP-Auth. Exchange) to the AAA server
16. RADIUS (Access-Accept) from the AAA server, 802.1X (EAP-Success) to the mobile
17. 4-Way Handshake (PTK, GTK)
   802.11u doesn’t change the authentication procedure.

Page 10

IEEE 802.11u: More ANQP Messages

• Wi-Fi networks also provide the following information for …

  - Policy-based network selection (who is the hotspot operator?): Domain Name List (i.e., the domain name(s) of the hotspot operator)

  - Aids for the connection manager (their use is implementation dependent): IP Address Type Availability (e.g., IPv4 or IPv6)

  - Aids to human network selection (aka manual selection): Venue Name (e.g., “San Francisco Airport”)

• ANQP also provides more information related to access to emergency services (including location)

Page 11

IEEE 802.11u: Interworking element

• This element is in beacons and probe responses

• Network type: one of {private | private with guest access | chargeable | free}

  - STAs can selectively scan for the desired network type

• Internet: set to 1 if the SSID provides Internet access

• ASRA: set to 1 if Web-auth/WISPr is configured on this SSID

• ESR (emergency services reachable): set to 1 if emergency services are reachable on this SSID

• UESA (unauthenticated emergency services accessible): set to 1 if emergency services are accessible for terminals not having valid security credentials on this SSID

Element format (bit positions of the options octet in brackets):

  Field:   Element ID | Length | Network Type [B0-B3], Internet [B4], ASRA [B5], ESR [B6], UESA [B7] | Venue Info (optional) | HESSID (optional)
  Octets:  1          | 1      | 1 (B0-B7)                                                          | 0 or 2                | 0 or 6

Page 12

Roaming Consortium element

• This element is in beacons and probe responses

• A client scans, receives a beacon carrying this element, and can quickly determine whether there are any Wi-Fi networks for which it has valid security credentials

• Each SP or consortium of SPs must register with the IEEE to obtain an OI

• The element gives the OIs of the top 3 SPs (or consortia of SPs) having roaming agreements with the Wi-Fi access network provider; the remainder are available via a GAS-ANQP query

• The Number of GAS-ANQP OIs field gives the number of additional OIs that will be returned on a GAS-ANQP query (see subsequent slide)
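An added example, not from the slides, that decodes both the Interworking element (previous slide) and the Roaming Consortium element from a beacon's element body in Python; element IDs 107 and 111 are the IEEE 802.11 assignments, and the beacon bytes, venue codes and OI values are constructed.

```python
# Added example (not from the slides): decode the two 802.11u elements a client
# sees in a beacon. Element IDs 107/111 are the IEEE 802.11 assignments; the
# beacon bytes below are constructed.
NETWORK_TYPES = {0: "private", 1: "private with guest access",
                 2: "chargeable public", 3: "free public"}

# SSID "eduroam", then Interworking (with Venue Info and HESSID), then a Roaming
# Consortium element carrying two OIs, with three more available over ANQP.
SAMPLE_IES = (
    bytes([0, 7]) + b"eduroam"
    + bytes([107, 9, 0x53, 0x02, 0x03]) + bytes.fromhex("0011223344aa")
    + bytes([111, 8, 3, 0x33]) + bytes.fromhex("00aabb5a03ba")
)

def iter_elements(body):
    """Yield (element ID, payload); stop at the first truncated element."""
    pos = 0
    while pos + 2 <= len(body) and pos + 2 + body[pos + 1] <= len(body):
        yield body[pos], body[pos + 2:pos + 2 + body[pos + 1]]
        pos += 2 + body[pos + 1]

def parse_interworking(payload):
    """Access Network Options octet, optional Venue Info, optional HESSID."""
    if len(payload) not in (1, 3, 7, 9):
        raise ValueError("bad Interworking element length")
    opts = payload[0]
    info = {"network_type": NETWORK_TYPES.get(opts & 0x0F, "other"),
            "internet": bool(opts & 0x10), "asra": bool(opts & 0x20),
            "esr": bool(opts & 0x40), "uesa": bool(opts & 0x80),
            "venue": None, "hessid": None}
    rest = payload[1:]
    if len(rest) in (2, 8):                 # Venue Info = (venue group, venue type)
        info["venue"], rest = (rest[0], rest[1]), rest[2:]
    if len(rest) == 6:                      # HESSID is a MAC-style 6-octet ID
        info["hessid"] = rest.hex(":")
    return info

def parse_roaming_consortium(payload):
    """OIs carried in the beacon plus the count of further OIs ANQP would return."""
    if len(payload) < 2:
        raise ValueError("bad Roaming Consortium element length")
    n_anqp, len1, len2 = payload[0], payload[1] & 0x0F, payload[1] >> 4
    ois = payload[2:]
    parts = (ois[:len1], ois[len1:len1 + len2], ois[len1 + len2:])   # OI #1, #2, #3
    return {"anqp_more": n_anqp, "ois": [o.hex() for o in parts if o]}

PARSERS = {107: parse_interworking, 111: parse_roaming_consortium}

def decode_beacon(body=SAMPLE_IES):
    """Map element ID -> decoded element for the two 802.11u elements present."""
    return {eid: PARSERS[eid](p) for eid, p in iter_elements(body) if eid in PARSERS}
```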

Page 13

NAI Realm List

NAI Realm List Query Response structure:

  Realm #1
    EAP Method #1
      EAP Type (normal or expanded): Credential Types
      Tunneled EAP Type (if used: normal, expanded or non-EAP): Credential Types
    EAP Method #2
      EAP Type (normal or expanded): Credential Types
      Tunneled EAP Type (if used: normal, expanded or non-EAP): Credential Types
    Etc.
  Realm #2
    EAP Method #1
      EAP Type (normal or expanded): Credential Types
      Tunneled EAP Type (if used: normal, expanded or non-EAP): Credential Types
    EAP Method #2
      EAP Type (normal or expanded): Credential Types
      Tunneled EAP Type (if used: normal, expanded or non-EAP): Credential Types
    Etc.
  Etc.

• Credential Type

  - Zero or more types in the list

  - SIM, USIM, Certificate, NFC Secure element, Hard token, Soft token, Username/password

Page 14

IEEE 802.11u and Eduroam

Page 15

IEEE 802.11u ANQP Roaming Consortium List

• Excerpts from IEEE 802.11u-2011:

  - “Each OI identifies an SP or group of SPs (i.e., a roaming consortium) … whose security credentials can be used to authenticate with the AP transmitting this [OI]”

  - Eduroam is a roaming consortium and could register for its own OI

  - “A terminal can have a locally stored binding between an OI and a set of security credentials with which it can authenticate to the network identified by the OI.”

• Notes on ANQP and OIs

  - ANQP does not provide the binding between OI and realm or PLMN ID

  - For each member realm of an OI, there does not have to be an entry in the 3GPP Cellular Information List or NAI Realm List—therefore, ANQP using OIs can support a very large number of realms

Page 16

ANQP and the AAA System

• For roaming partners:

  - AAA routing is based on the realm provided via EAP

  - When a realm is provided in ANQP, the hotspot infrastructure has been configured with routing information for the authentication request

  - Realms can be explicitly provided in the NAI Realm List or implicitly provided in the 3GPP Cellular Information List

  - Either the Wi-Fi infrastructure (e.g., AP or access controller) or the visited AAA server is configured with this routing information

• For aggregators:

  - AAA routing could be based on a prepended aggregator tag, e.g., iPass/[email protected]

  - Aggregator tags are not needed if the hotspot’s AAA server has routing knowledge for all the realms represented by the OIs

  - My understanding is that this is the case with Eduroam

  - The aggregator’s client realms (e.g., cisco.com) do not need to be provided in other ANQP elements
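An added example, not from the slides or any AAA product: next-hop selection in a hotspot's proxy AAA keyed on the EAP realm, or on a prepended aggregator tag as on this slide, in Python. Server names and the routing table are constructed; matching a sub-realm to its parent entry goes beyond the slide and is an assumption about how a federation proxy is commonly configured.

```python
# Added example (not from the slides): realm-based next-hop selection in a hotspot's
# proxy AAA, including the "tag/user@realm" aggregator form from this slide. Server
# names and the table are constructed; suffix matching is an assumption about how a
# federation proxy is commonly configured, not something the slide states.

ROUTES = {
    "cisco.com": "aaa.cisco.example",           # realm also advertised in the NAI Realm List
    "uni.example": "radius.uni.example",
    "example.edu": "flr.example.edu",           # also covers sub-realms such as cs.example.edu
    "iPass": "proxy.ipass.example",             # aggregator tag: "iPass/user@realm"
}

def split_nai(identity):
    """Split an outer EAP identity into (aggregator tag, user, realm)."""
    tag = None
    if "/" in identity:
        tag, identity = identity.split("/", 1)
    if "@" not in identity:
        return tag, identity, None
    user, realm = identity.rsplit("@", 1)
    return tag, user, realm.lower()

def next_hop(identity, routes=ROUTES):
    """Return the AAA server to forward to, or None when the request must be rejected.

    An aggregator tag is routed as-is and wins over the realm; otherwise the realm
    is matched exactly, then by dropping leading labels. An identity with no
    routable realm is never forwarded to some default server."""
    tag, _user, realm = split_nai(identity)
    if tag is not None:
        return routes.get(tag)              # unknown aggregator tag: reject
    if not realm:
        return None                         # nothing to route on
    labels = realm.split(".")
    for i in range(len(labels) - 1):        # stop before the bare top-level label
        hop = routes.get(".".join(labels[i:]))
        if hop:
            return hop
    return None
```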

Page 17

OI & Credential Provisioning in the Mobile Device

• Question: how does the mobile device’s connection manager know whether a particular credential can be used with a given aggregator?

  - Out of scope of IEEE 802.11u

  - Might be solved by the Wi-Fi Alliance’s Hotspot 2.0 program

Page 18

Q & A

Page 19

Thank you.

Page 20

Other IEEE 802.11u Features

Page 21

Generalized QoS Mapping

• Provides a QoS Map (DSCP to UP mapping) for consistent packet marking and queuing for all clients in the BSS

• Provides for each service to have the proper QoS over the air

  - There is no standardized mapping of end-to-end QoS (DSCP) to L2 QoS

  - Voice and video endpoints can use this information element to provide the proper mapping for each flow (e.g., voice, video, signaling) over the air

• Hotspot usage

  - Multiple service providers can share an AP at a hotspot (e.g., an airport hotspot)

  - Each SP can have its own end-to-end DSCP marking practice and network-specific QoS Map; all will have harmonized L2 QoS on the shared AP

Page 22

SSPN Interface

• Permissions received from the SP are saved in a MIB and enforced for each client

• Provides standardized support for permissions and rate limiting for each QoS level

  - Maximum data rate permitted for each access category

  - Maximum data transfer (in bytes) permitted for each access category

  - Permission to use a specific access category (e.g., voice)

• Provides for enforcement of security requirements and location requirements

  - Can force disassociation of a client if the hotspot is in a non-permitted location or the cipher is too weak

Page 23

802.11u Provides Access to Emergency Services

• Features supporting Emergency Services

  - Identification of WLANs wherein emergency services are reachable

  - Provision for access to emergency services in an RSN (802.1X network) when the client does NOT have valid security credentials

  - Expedited Bandwidth Request element: used with admission control procedures to identify a flow as an emergency call

• Support for Emergency Alert Service (EAS)

  - Uses CAP—Common Alerting Protocol

  - E.g., Amber alert, severe thunderstorm warning, etc.

Page 24

802.11u Provides Support for Mobility Management Protocols

• Applies only to client devices

• Standardized SAP having MAC primitives to support the 802.21 event service and command service (but generic enough to support other mobility management protocols), e.g.:

  - Network discovery—tells MIH when a new network is discovered (as opposed to a new AP in the same network)

  - ESS-Link-going-down—tells MIH when the device is leaving the network (as opposed to transitioning away from an AP)