Extensible Authentication Protocol (EAP) architecture generally includes a client, an authenticator, and an Authentication, Authorization and Accounting (AAA) server/EAP server. The authenticator is generally located at the edge of a network, and is either coupled with the AAA server/EAP server or stand-alone. This architecture provides the function of authenticating and authorizing client devices. An EAP method is designed to generate key material such as a Master Session Key (MSK) and an Extended Master Session Key (EMSK). The MSK is applied to the lower-layer protocol below EAP, and the EMSK is used to protect interaction between a client and the AAA server. Because a complete EAP process generally involves more than two round trips of interaction, the delay of authentication and authorization is generally long. Many schemes reduce such switching delay by reusing the key and state information generated in initial authentication and by avoiding the use of asymmetric keys. However, the extent to which the number of interactions is reduced varies depending on the EAP method in use. Regardless of the extent of improvement, an authentication and authorization process is completed only after at least two round trips of interaction are complete. Such switching delay is not acceptable to certain real-time applications.
To support quick switching, complete AAA-based authentication is generally avoided. A complete authentication process involves multiple round trips of interaction with the home AAA server of a Mobile Node (MN), which leads to long switching delay. Common EAP authentication methods used in quick switching include EAP re-authentication and EAP pre-authentication. The idea behind EAP re-authentication is that a local EAP server mechanism is introduced, and the key material used in the initial complete authentication is reused to avoid excessive EAP-based AAA messages during the switching process of the mobile terminal. The idea behind EAP pre-authentication is that an MSK is generated before the mobile terminal switches, and is used for authentication between the mobile terminal and a Candidate Authenticator (CA).
In the course of developing the present invention, the inventor found that the prior art has the following problems:
In the process of interaction between an EAP client and an AAA server, it is generally necessary to traverse two authenticators, namely a Serving Authenticator (SA) and a CA. In this case, the SA and the CA are unable to judge whether an authentication request sent by the client is an ordinary authentication request or a pre-authentication request, and are unable to judge whether they themselves need to interact with the AAA server to complete a pre-authentication process. This leads to pre-authentication failure and switching delay.