In a 3GPP system, a wireless device is allowed to attach to and access a wireless communication network, if the wireless device is associated with a subscription that allows the wireless communication network to authenticate the wireless device. The 3rd Generation Partnership Project, 3GPP, wireless local area network, WLAN, interworking specifies network access authentication based on the Extensible Authentication Protocol, EAP. The EAP authentication framework provides support for different authentication methods. The protocol is carried directly over data-link layer (DDL) and is currently widely deployed especially in wired and wireless local area networks. The EAP-SIM (Subscriber Identity Module) is a method for authentication and session key distribution using the GSM SIM, and the EAP-AKA is a method similar to the EAP-SIM, with the difference that that it uses the Authentication and Key Agreement, AKA, mechanism. EAP-AKA′, also denoted EAP-AKA Prime, is a revision of the EAP-AKA method, and uses a new key derivation function that binds the derived keys to the name of the access network.
EAP-SIM, EAP-AKA and EAP-AKA′ share the same framework and hence have very similar signaling flows. In EAP terminology there are three main entities that participate in the authentication:                A Supplicant—the entity that requests the authentication. In the following, the term wireless device will be used synonymously for the supplicant.        An Authenticator—the front-end entity that communicates with an Authentication Server (as described below), normally using an authentication server protocol such as e.g. the RADIUS protocol or the DIAMETER protocol, and relays messages between the Supplicant and the Authentication server. However, other protocols than the RADIUS protocol and the DIAMETER protocol are within the scope of the following disclosure. Further, in the following disclosure, the authenticator will also be described as a network node.        The Authentication Server—the back-end entity that is responsible for carrying the authentication and key derivation, based on the Supplicant's network secret.        
Wi-Fi is considered a key candidate for small cell solutions for mobile broadband heterogeneous networks. Consequently, Wi-Fi integration to the 3GPP Radio Access Network, RAN, is emerging as an interesting study object. In order for operators to benefit from the full advantages offered by the Wi-Fi integration into the 3GPP RAN, the operators need greater control over the access selection of their subscribers compared to the current implementations, where the decision is purely device-based. Integration may involve combining both 3GPP and Wi-Fi in the small pico-base stations in order to gain access to the Wi-Fi sites with 3GPP technology and vice versa. A second level of integration that may be implemented involves integrating the Wi-Fi access tighter into the RAN by introducing enhanced network controlled traffic steering between 3GPP and Wi-Fi, based on knowledge about the combined situation in the different accesses. An object for this second level of integration is to avoid potential issues with device-controlled Wi-Fi selection, such as selecting Wi-Fi when the Wi-Fi connection is bad or when the wireless device is moving, thus giving better end user performance and better utilization of the combined Wi-Fi and cellular radio network resources.
In order to achieve good support for network-controlled Wi-Fi/3GPP access selection and service mapping, it is required to link (or connect) the wireless device context in the 3GPP RAN, which holds information e.g. about the radio performance and the device mobility on the 3GPP side, with the device context in the Wi-Fi network. This could then enable a network entity/node to take decisions whether the wireless device should access the Wi-Fi network or not depending e.g. on if the wireless device is stationary and/or has a good connection to the Wi-Fi AP (Wi-Fi Access Point). The decision may be signaled to the wireless device or executed internally in the 3GPP/Wi-Fi network, e.g. to control UE admission to the Wi-Fi network.
Different solutions have been proposed to enhance network controlled Wi-Fi/3GPP access selection. In one of the solutions, a logical entity on the network side collects information from both 3GPP and Wi-Fi systems before the access selection can be performed on a per-user basis.
In order to work properly, the logical entity must be able to correlate the information collected from both systems in order to make an access selection decision. This means that the logical entity needs to be able to identify each specific wireless device in both the Wi-Fi and 3GPP networks using proper identifiers in both networks.
This requirement can be fulfilled by probing the EAP messages, which contain the permanent identity of the wireless device. This identity contains the International Mobile Subscriber Identity (IMSI)—a 3GPP identifier unique for every wireless device. The IMSI is used during the EAP authentication and is sent by a wireless device, via a network node being the Wi-Fi access point, Wi-Fi AP, and corresponding to the Authenticator according to the EAP terminology. The network node may intercept and extract the IMSI during the EAP signaling. The network node is also aware of the Medium Access Control (MAC) address of the wireless device, which serves as a wireless device identifier in the Wi-Fi network. A mapping between the IMSI and the MAC enables the logical entity to trace the same wireless device in the two systems independently and is a key requirement for enabling network-based access selection.
Within the authentication framework of the EAP-SIM, the EAP-AKA and the EAP-AKA Prime, the Supplicant (in this case the wireless device) may be provided by the Authentication Server with a pseudonym and/or fast re-authentication identities with the intention that the wireless device uses those instead of its permanent identity. This is mainly due to security reasons. However, if the wireless device uses a pseudonym and/or fast re-authentication identity instead of its permanent identity, the aforementioned identity mapping, and the subsequent information correlation between the two systems, may be unsuccessful.
An important aspect of Wi-Fi integration into 3GPP networks is the need of a common performance monitoring (PM) system where operators are able to monitor the performance of each subscriber in both systems, e.g. for customer care purposes. In that case, the system must be able to perform a MAC/IMSI mapping for PM data correlation on per-subscriber basis. This may, however, be very cumbersome in case a pseudonym or fast re-authentication identity is used instead of the permanent identity, which contains the IMSI.
Hence, as explained above, a problem with the existing framework is related to a situation when the network node requires the permanent identity of the wireless device for different purposes, but the wireless device uses a pseudonym and/or fast re-authentication identity instead. For example, in the case of access network selection, the permanent identity may be required as an identifier used to find user-specific information from the 3GPP network. However, currently no method exists for obtaining the permanent identity of the wireless device at the network node in an authentication process, when a pseudonym is used by the wireless device, or for a fast re-authentication procedure, when the wireless device uses a fast re-authentication identity instead of its permanent identity.