The following meanings for the abbreviations used in this specification apply:
3GPP 3rd generation partnership project
AAA Authentication, Authorization, and Accounting
APN Access point name
CHAP Challenge Handshake Authentication Protocol
EAP Extensible Authentication Protocol
EAP-GTC EAP general token card
eNode-B LTE base station (also referred to as eNB)
EPC Evolved Packet Core
ePDG Evolved Packet Data Gateway
GGSN Gateway GPRS Support Node
GPRS General Packet Radio Service
GTPv2 GPRS Tunnelling Protocol version 2
IDi Identification—initiator
IDr Identification—responder
IETF Internet Engineering Task Force
IKEv2 Internet Key Exchange version 2
IP Internet protocol
IPSec Internet Protocol Security
LCP Link control protocol
LTE Long term evolution
LTE-A LTE-Advanced
MN Mobile node
MSISDN Mobile station integrated services data network
MT Mobile terminal
PAP Password Authentication Protocol
PCO Protocol Configuration Options
PDG Packet Data Gateway
PDN Packet data network
PDP Packet data protocol
PGW PDN Gateway (PDN GW)
PMIPv6 Proxy MIPv6
PPP Point-to-point protocol
TE Terminal equipment
UE User equipment
The present specification basically relates to the 3GPP Evolved Packet System (EPS), more specifically to the scenario when a UE is connected to the EPC via an untrusted Non-3GPP Access Network. When a UE is connected to the EPC (evolved packet core) via an untrusted Non-3GPP Access Network, there is an IPSec tunnel between the UE and the 3GPP network to have secure communication. The IPSec tunnel end-point in the 3GPP network is the ePDG (evolved packet data gateway). IKEv2 is used between the UE and the ePDG to establish the IPSec tunnel.
In GPRS, for example as specified in 3GPP TS 23.060, and in EPS when the UE is connected to the 3GPP Packet Core network via a 3GPP access or a trusted non-3GPP Access Network, an authentication with an external AAA server using PAP or CHAP is possible. The details of this external authentication are specified, for example, in 3GPP TS 29.061.
The external authentication requires the exchange of authentication information between the UE and the external AAA server.
For this purpose, Protocol Configuration Options (PCO) information elements are specified, which can be used to carry user credentials between the UE and the core network when the UE is attached to a 3GPP access network. The user credentials are, e.g., the user name and user password within PAP or CHAP parameters (PAP: Password Authentication Protocol, CHAP: Challenge Handshake Authentication Protocol).
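As an added illustration (not part of this specification's text), the following Python code encodes and decodes PCO contents carrying a PAP Authenticate-Request, using the protocol-unit layout of 3GPP TS 24.008 and the PAP packet layout of RFC 1334; the function names and sample credentials are constructed for the example, and the IE identifier and length octets that precede the contents are omitted. It shows that PAP places the user name and password in the PCO as cleartext, so their confidentiality depends entirely on the link that carries the PCO.

```python
import struct

PROTO_PAP = 0xC023        # PPP protocol number for PAP
PAP_AUTH_REQUEST = 1      # PAP code: Authenticate-Request

def build_pap_request(identifier, user, password):
    """PAP Authenticate-Request: code, id, length, then two length-prefixed fields."""
    body = bytes([len(user)]) + user + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQUEST, identifier, 4 + len(body)) + body

def build_pco(units):
    """PCO contents: header octet 0x80 (ext bit set, configuration protocol 0 = PPP),
    then one (protocol id, length, contents) unit per entry."""
    out = bytearray([0x80])
    for proto, contents in units:
        out += struct.pack("!HB", proto, len(contents)) + contents
    return bytes(out)

def parse_pco(pco):
    """Return [(protocol id, contents)], rejecting truncated or unknown input."""
    if not pco or (pco[0] & 0x87) != 0x80:
        raise ValueError("unsupported PCO header")
    units, pos = [], 1
    while pos < len(pco):
        if pos + 3 > len(pco):
            raise ValueError("truncated unit header")
        proto, length = struct.unpack_from("!HB", pco, pos)
        pos += 3
        if pos + length > len(pco):
            raise ValueError("truncated unit contents")
        units.append((proto, pco[pos:pos + length]))
        pos += length
    return units

def parse_pap_request(pkt):
    """Return (user, password) from a PAP Authenticate-Request, with bounds checks."""
    if len(pkt) < 6:
        raise ValueError("PAP packet too short")
    code, _ident, length = struct.unpack_from("!BBH", pkt, 0)
    if code != PAP_AUTH_REQUEST or length != len(pkt):
        raise ValueError("not a well-formed Authenticate-Request")
    ulen = pkt[4]
    if 5 + ulen >= length:
        raise ValueError("user field overruns packet")
    plen = pkt[5 + ulen]
    if 6 + ulen + plen > length:
        raise ValueError("password field overruns packet")
    return pkt[5:5 + ulen], pkt[6 + ulen:6 + ulen + plen]

# Constructed sample credentials, for illustration only.
SAMPLE_PCO = build_pco([(PROTO_PAP, build_pap_request(1, b"alice", b"s3cret"))])
```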
When a UE is connected to the EPC via an untrusted non-3GPP access network, there is an IPSec tunnel between the UE and the 3GPP network to establish a secure communication. The endpoint of the IPSec tunnel at the side of the 3GPP network is the ePDG (evolved Packet Data Gateway). For example, IKEv2 (Internet Key Exchange version 2) is used between the UE and the ePDG to establish the IPSec tunnel.
However, there is currently no solution for carrying user credentials between a UE using untrusted non-3GPP access and the core network, and there is no PCO mechanism or the like defined between the UE and the ePDG.
In view of the above, there are no feasible mechanisms for providing the ePDG with required authentication data to be used when authenticating a UE's access to an external network via an untrusted access network.
Accordingly, there is a demand for mechanisms that support external authentication over untrusted access, i.e. that support an authentication to an external packet data network over an untrusted access network.