The following meanings for the abbreviations used in this specification apply:

3GPP  3rd generation partnership project
AAA  Authentication, Authorization, and Accounting
APN  Access point name
CHAP  Challenge Handshake Authentication Protocol
EAP  Extensible Authentication Protocol
EAP-GTC  EAP general token card
eNode-B  LTE base station (also referred to as eNB)
EPC  Evolved Packet Core
EPS  Evolved Packet System
ePDG  Evolved Packet Data Gateway
GGSN  Gateway GPRS Support Node
GPRS  General Packet Radio Service
GTPv2  GPRS Tunnelling Protocol version 2
IDi  Identification—initiator
IDr  Identification—responder
IETF  Internet Engineering Task Force
IKEv2  Internet Key Exchange version 2
IP  Internet protocol
IPSec  Internet Protocol Security
LCP  Link control protocol
LTE  Long term evolution
LTE-A  LTE-Advanced
MN  Mobile node
MSISDN  Mobile station integrated services data network
MT  Mobile terminal
PAP  Password Authentication Protocol
PCO  Protocol Configuration Options
PDG  Packet Data Gateway
PDN  Packet data network
PDP  Packet data protocol
PGW  PDN Gateway (PDN GW)
PMIPv6  Proxy MIPv6
PPP  Point-to-point protocol
TE  Terminal equipment
UE  User equipment
The present specification relates to the 3GPP Evolved Packet System (EPS), and more specifically to the scenario in which a UE is connected to the EPC (Evolved Packet Core) via an untrusted non-3GPP access network. In that scenario, an IPSec tunnel between the UE and the 3GPP network provides secure communication. The IPSec tunnel end-point in the 3GPP network is the ePDG (Evolved Packet Data Gateway), and IKEv2 is used between the UE and the ePDG to establish the tunnel.
In GPRS, for example as specified in 3GPP TS 23.060, and in EPS when the UE is connected to the 3GPP packet core network via a 3GPP access or a trusted non-3GPP access network, authentication with an external AAA server using PAP or CHAP is possible. The details of this external authentication are specified, for example, in 3GPP TS 29.061.
The external authentication requires the exchange of authentication information between the UE and the external AAA server.
For this purpose, Protocol Configuration Options (PCO) information elements are specified, which can be used to carry user credentials between the UE and the core network when the UE is attached to a 3GPP access network. The user credentials are, for example, a user name and user password carried within PAP or CHAP parameters (PAP: Password Authentication Protocol, CHAP: Challenge Handshake Authentication Protocol).
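To make the PCO credential carriage concrete, the following is an added example (not code from the specification or from any 3GPP implementation). It builds a PCO value with CHAP Challenge and CHAP Response containers on the UE side and parses and verifies them on the gateway/AAA side. It assumes the PCO layout of 3GPP TS 24.008 10.5.6.3 (configuration-protocol octet with the extension bit set, then protocol ID, length and contents per container), the PPP protocol IDs 0xC023 (PAP) and 0xC223 (CHAP), the CHAP packet format of RFC 1994, and that the UE supplies both the challenge and the response inside the PCO; the user name, secret and challenge bytes are constructed sample values.

```python
import hashlib
import hmac
import struct

# PPP protocol IDs carried as PCO container IDs (assumed per 3GPP TS 24.008 / TS 29.061).
PCO_PROTO_PAP = 0xC023   # PAP Authenticate-Request packet (user name and password in clear)
PCO_PROTO_CHAP = 0xC223  # CHAP Challenge / Response packets (RFC 1994)

CHAP_CHALLENGE = 1
CHAP_RESPONSE = 2


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP MD5 response value: MD5(identifier || secret || challenge), RFC 1994."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_packet(code: int, identifier: int, value: bytes, name: bytes) -> bytes:
    """Encode a CHAP Challenge or Response packet: code, id, length, value-size, value, name."""
    length = 5 + len(value) + len(name)
    return struct.pack("!BBHB", code, identifier, length, len(value)) + value + name


def parse_chap(packet: bytes):
    """Decode a CHAP packet, rejecting inconsistent length fields."""
    if len(packet) < 5:
        raise ValueError("CHAP: packet too short")
    code, identifier, length, value_size = struct.unpack_from("!BBHB", packet, 0)
    if length != len(packet) or 5 + value_size > length:
        raise ValueError("CHAP: bad length fields")
    return code, identifier, packet[5:5 + value_size], packet[5 + value_size:length]


def encode_pco(containers) -> bytes:
    """Encode the PCO value part: config-protocol octet (ext bit set, protocol 000 = PPP)
    followed by (protocol ID, one-octet length, contents) for each container."""
    out = bytearray([0x80])
    for proto_id, contents in containers:
        if len(contents) > 255:
            raise ValueError("PCO: container contents exceed 255 octets")
        out += struct.pack("!HB", proto_id, len(contents)) + contents
    return bytes(out)


def decode_pco(data: bytes):
    """Parse a PCO value part into a list of (protocol ID, contents), bounds-checked."""
    if not data or not data[0] & 0x80:
        raise ValueError("PCO: extension bit not set in first octet")
    containers, pos = [], 1
    while pos < len(data):
        if pos + 3 > len(data):
            raise ValueError("PCO: truncated container header")
        proto_id, length = struct.unpack_from("!HB", data, pos)
        pos += 3
        if pos + length > len(data):
            raise ValueError("PCO: container length overruns data")
        containers.append((proto_id, data[pos:pos + length]))
        pos += length
    return containers


def ue_build_pco(username: bytes, secret: bytes, challenge: bytes, identifier: int) -> bytes:
    """UE side: put a CHAP Challenge and the matching CHAP Response into one PCO."""
    resp = chap_response(identifier, secret, challenge)
    return encode_pco([
        (PCO_PROTO_CHAP, chap_packet(CHAP_CHALLENGE, identifier, challenge, username)),
        (PCO_PROTO_CHAP, chap_packet(CHAP_RESPONSE, identifier, resp, username)),
    ])


def aaa_verify_pco(pco: bytes, secrets: dict) -> bool:
    """Gateway/AAA side: extract the CHAP pair from the PCO and check the response
    against the secret stored for the claimed user name (constant-time compare)."""
    challenge = response = None
    for proto_id, contents in decode_pco(pco):
        if proto_id != PCO_PROTO_CHAP:
            continue
        code, ident, value, name = parse_chap(contents)
        if code == CHAP_CHALLENGE:
            challenge = (ident, value)
        elif code == CHAP_RESPONSE:
            response = (ident, value, name)
    if challenge is None or response is None or challenge[0] != response[0]:
        return False
    secret = secrets.get(response[2])
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(response[0], secret, challenge[1]), response[1])


if __name__ == "__main__":
    # Constructed sample values: one subscriber record on the AAA side.
    secrets = {b"alice": b"s3cret"}
    pco = ue_build_pco(b"alice", b"s3cret", bytes(range(16)), identifier=7)
    print("PCO hex:", pco.hex())
    print("verified:", aaa_verify_pco(pco, secrets))
```

Because the UE supplies the challenge as well as the response in this model, the gateway cannot enforce challenge freshness on its own; the example verifies correctness of the response, and freshness must come from the surrounding attach procedure. The PAP variant would carry the user name and password in clear inside the 0xC023 container, which is why the page's point about an IPSec tunnel on the untrusted leg matters.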
When a UE is connected to the EPC via an untrusted non-3GPP access network, there is an IPSec tunnel between the UE and the 3GPP network to establish secure communication. The endpoint of the IPSec tunnel on the 3GPP network side is the ePDG (Evolved Packet Data Gateway). For example, IKEv2 (Internet Key Exchange version 2) is used between the UE and the ePDG to establish the IPSec tunnel.
However, there is currently no solution for carrying user credentials between a UE using untrusted non-3GPP access and the core network, and no PCO mechanism or the like is defined between the UE and the ePDG.
In view of the above, there are no feasible mechanisms for providing the ePDG with the authentication data required when authenticating a UE's access to an external network via an untrusted access network.
Accordingly, there is a demand for mechanisms for an external authentication support over untrusted access, i.e. for supporting an authentication to an external packet data network over an untrusted access network.