1. Field of the Invention
The present invention relates to mobile communications, and more particularly, to authenticating and authorizing a mobile device using tunneled EAP.
2. Background of Invention
An increasingly large number of individuals use portable computing devices, such as laptop computers, personal digital assistants (PDAs), smart phones and the like, to support mobile communications. The number of computing devices, and the number of networks that these devices connect to, have increased dramatically in recent years.
In a typical wireless Internet environment, Wi-Fi based hotspots may be adjacent to, or distributed within, cellular telephone networks. When the services of wireless LAN and cellular networks are integrated, the mobile device (e.g., a laptop computer) can move across networks. There are two types of roaming: roaming between networks of the same type (e.g., wireless LAN to wireless LAN, or cellular network to cellular network) is defined as horizontal roaming; roaming between different types of networks, such as between a wireless LAN and a cellular network, is defined as vertical roaming.
The service provider allowing access to its network usually requires a mobile node and/or a mobile user to authenticate that it is entitled to access the network before it is granted network access. Authentication is the process of identifying a device or user. For example, when logging on to a computer network, user authentication is commonly achieved using a username and password. Authentication is distinct from authorization, which is the process of giving devices or individuals access to services and features based on their identity. Authentication merely ensures that an individual is who he or she claims to be, but does not address the access rights of the individual.
Accordingly, a wireless network generally includes many wireless nodes and users trying to gain access to a network. The primary means for controlling access include network access servers (“NAS”) and authentication servers, such as authentication, authorization, accounting (AAA) servers. A NAS, which is also referred to as an access point, provides access to the network. The devices and users connect through an access point via some form of wireless connection (e.g., IEEE 802.1X) to obtain access to a network (e.g., the Internet). In typical installations there is a local authentication server, which allows the user to authenticate the network, and the user's home authentication server, which authenticates the user. The authentication servers are typically RADIUS (Remote Authentication Dial-In User Service) or Diameter servers.
In this type of network access server environment, a version of the Extensible Authentication Protocol (EAP) is typically used for network authentication. For further information regarding EAP, see, e.g., “RFC 3748: Extensible Authentication Protocol,” by the Internet Engineering Task Force (IETF), the disclosure of which is hereby incorporated by reference. EAP is a general protocol for authentication, which supports multiple authentication mechanisms. The client devices and the authentication server (e.g., a RADIUS or Diameter server) exchange EAP messages by embedding them as attributes of a RADIUS packet. For further information regarding RADIUS, see, e.g., “RFC 2865: Remote Authentication Dial In User Service (RADIUS),” by the IETF, the disclosure of which is hereby incorporated by reference. See also “RFC 4072: Diameter Extensible Authentication Protocol (EAP) Application,” by the IETF, the disclosure of which is hereby incorporated by reference.
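To make the encapsulation concrete, the following is an added Python example, not code from the patent or from any product it describes. It builds an EAP Response/Identity packet, carries it inside a RADIUS Access-Request as EAP-Message attributes (splitting across several attributes when the EAP packet exceeds 253 bytes), and computes and verifies the Message-Authenticator attribute that RFC 3579 requires on RADIUS packets carrying EAP. The shared secret, identities and request authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 3579).
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80

# EAP header values (RFC 3748).
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1

ATTR_VALUE_MAX = 253  # a RADIUS attribute is at most 255 bytes including its 2-byte header


def build_eap_identity_response(eap_id, identity):
    """EAP Response/Identity: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body


def encode_attribute(atype, value):
    """One RADIUS attribute: Type(1) Length(1) Value; Length counts the header."""
    if len(value) > ATTR_VALUE_MAX:
        raise ValueError("attribute value longer than 253 bytes")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_access_request(radius_id, request_authenticator, secret, user_name, eap_packet):
    """Wrap an EAP packet in a RADIUS Access-Request.

    The EAP packet is split across consecutive EAP-Message attributes of at most 253
    bytes each (RFC 3579 section 3.1). Message-Authenticator (RFC 3579 section 3.2) is
    HMAC-MD5, keyed with the shared secret, over the whole packet with the
    Message-Authenticator value set to 16 zero bytes.
    """
    attrs = encode_attribute(ATTR_USER_NAME, user_name)
    for i in range(0, len(eap_packet), ATTR_VALUE_MAX):
        attrs += encode_attribute(ATTR_EAP_MESSAGE, eap_packet[i:i + ATTR_VALUE_MAX])
    attrs += encode_attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, radius_id, 20 + len(attrs)) + request_authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    # Message-Authenticator is the last attribute appended; overwrite its 16 zero bytes.
    return header + attrs[:-16] + mac


def parse_attributes(packet):
    """Return (code, identifier, authenticator, [(type, value), ...]) for a RADIUS packet."""
    code, radius_id, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match the packet")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, radius_id, packet[4:20], attrs


def message_authenticator_ok(packet, secret):
    """True if the packet carries exactly one Message-Authenticator that verifies under secret.

    RFC 3579 requires the attribute on any RADIUS packet carrying EAP-Message, so a
    packet without it is treated as failing verification.
    """
    _, _, _, attrs = parse_attributes(packet)
    claimed = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(claimed) != 1 or len(claimed[0]) != 16:
        return False
    zeroed, pos = bytearray(packet), 20
    while pos < len(packet):           # parse_attributes already validated the lengths
        alen = packet[pos + 1]
        if packet[pos] == ATTR_MESSAGE_AUTHENTICATOR:
            zeroed[pos + 2:pos + alen] = bytes(16)
        pos += alen
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(claimed[0], expected)


def extract_eap(packet):
    """Reassemble the EAP packet from the EAP-Message attributes and check its own length field."""
    _, _, _, attrs = parse_attributes(packet)
    eap = b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE)
    if len(eap) < 4 or struct.unpack("!H", eap[2:4])[0] != len(eap):
        raise ValueError("EAP length field does not match the reassembled packet")
    return eap


if __name__ == "__main__":
    secret = b"constructed-shared-secret"            # constructed sample value
    eap = build_eap_identity_response(1, b"anonymous@example.com")
    pkt = build_access_request(7, bytes(range(16)), secret, b"anonymous@example.com", eap)
    print(pkt.hex())
    print("verified:", message_authenticator_ok(pkt, secret), "eap:", extract_eap(pkt).hex())
```

The receiver verifies the Message-Authenticator before looking at the EAP payload; the outer User-Name is only a routing hint and the reassembled EAP packet's own length field is checked separately from the RADIUS attribute lengths.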
Certain TLS (Transport Layer Security) based Extensible Authentication Protocols optionally allow user authentication to occur within a protected tunnel. EAP-TTLS (Extensible Authentication Protocol Tunneled Transport Layer Security) and PEAP (Protected Extensible Authentication Protocol) are EAP protocols that act as authentication tunneling protocols, creating a protected channel for user authentication. These protocols use a two-phase authentication approach. In the first phase, the mobile device authenticates the foreign network; that is, the mobile device uses a digital certificate to ensure that the foreign network is legitimate. After the foreign network is authenticated, an encrypted channel between the mobile device and the mobile device's home AAA (i.e., AAA/H) is established using TLS and the information provided in the digital certificate. In the second phase, user information (e.g., the Inner-User-ID) is securely transmitted over the established TLS-encrypted channel. The foreign network can authenticate the user from this user information using an inner user authentication method (e.g., PAP (Password Authentication Protocol), CHAP (Challenge-Handshake Authentication Protocol), EAP, MSCHAPv1 (Microsoft Challenge-Handshake Authentication Protocol) or MSCHAPv2). The authentication can be carried out either by a TLS-AAA (the TLS end point of the foreign network) or by a remote AAA/H. For PEAP, this inner user authentication method typically must be another EAP authentication method. For further information about EAP-TTLS, see the Internet Draft “EAP Tunneled TLS Authentication Protocol Version 0” (draft-funk-eap-ttls-v0), which is hereby incorporated by reference. For further information about PEAP, see the Internet Draft PEAP (draft-josefsson-pppext-eap-tls-eap-06.txt), which is hereby incorporated by reference.
In two-phase authentication protocols such as those described above, the foreign network must know how to route user information to the user's home server. In prior art systems, routing is typically achieved using static routes configured from generic information transmitted between the mobile device and the foreign network during the first phase of the authentication process. In such systems, the foreign network routes the inner user authentication information using the outer identity (roaming identity) that the mobile device used to authenticate the foreign network, in some cases even before the inner user information is known. For example, the foreign network may have a list associating outer identities with home servers (e.g., the outer identity user@IPprovider is routed to the home server IPprovider). This front-end approach can be problematic because it may be desirable to route a user's inner user authentication information to a AAA server other than the general AAA server.
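The routing limitation described above, as an added Python illustration that is not the patent's own method or any vendor's code: a constructed realm-to-home-server table routes by the outer identity, as the prior-art proxy does before the inner identity is known, and a second routine shows where the same request would go once the inner identity is visible at the TLS end point (TLS-AAA locally, or a different remote AAA/H). It also applies the page's constraint that PEAP carries only EAP inner methods while EAP-TTLS also accepts PAP, CHAP, MSCHAPv1 and MSCHAPv2. The hostnames, realms and the notion of "locally served" realms are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed routing table for the foreign network's AAA proxy: realm -> home AAA server.
# The page's example (outer identity user@IPprovider routed to home server IPprovider) is
# modelled by the first entry; every hostname here is a placeholder.
ROUTES = {
    "ipprovider.example": "aaa-h.ipprovider.example",
    "corp.example": "aaa-h.corp.example",
}
DEFAULT_ROUTE = "aaa-default.example"

# Realms the foreign network's TLS end point (TLS-AAA) authenticates itself (assumption).
LOCAL_REALMS = {"visited.example"}

# Inner methods each tunnel type may carry, per the text above.
INNER_METHODS = {
    "PEAP": {"EAP"},
    "EAP-TTLS": {"PAP", "CHAP", "MSCHAPv1", "MSCHAPv2", "EAP"},
}


@dataclass
class TunneledAuth:
    tunnel: str           # "EAP-TTLS" or "PEAP"
    outer_identity: str   # phase 1: sent in the clear in EAP-Response/Identity
    inner_identity: str   # phase 2: carried only inside the TLS tunnel
    inner_method: str     # e.g. "MSCHAPv2"


def split_nai(identity: str):
    """Split a Network Access Identifier (user@realm) into (user, realm); realm is None if absent."""
    user, sep, realm = identity.rpartition("@")
    if not sep:
        return identity, None
    return user, realm.lower()


def inner_method_allowed(tunnel: str, method: str) -> bool:
    """True if the tunnel type can carry the given inner authentication method."""
    return method in INNER_METHODS.get(tunnel, set())


def route_prior_art(auth: TunneledAuth) -> str:
    """Front-end routing: choose the home AAA from the outer identity's realm alone.

    This can be decided before the inner identity exists, which is exactly why it
    cannot take the inner identity into account.
    """
    _, realm = split_nai(auth.outer_identity)
    return ROUTES.get(realm, DEFAULT_ROUTE)


def route_by_inner_identity(auth: TunneledAuth) -> str:
    """Routing decided once the inner identity is available at the TLS end point.

    A realm served locally is authenticated by the TLS-AAA itself; an inner identity
    with no realm inherits the outer-identity route; any other realm is forwarded to
    that realm's home AAA.
    """
    if not inner_method_allowed(auth.tunnel, auth.inner_method):
        raise ValueError(f"{auth.tunnel} cannot carry inner method {auth.inner_method}")
    _, realm = split_nai(auth.inner_identity)
    if realm is None:
        return route_prior_art(auth)
    if realm in LOCAL_REALMS:
        return "TLS-AAA"
    return ROUTES.get(realm, DEFAULT_ROUTE)


def routing_mismatch(auth: TunneledAuth) -> Optional[str]:
    """Describe the case where outer-identity routing would send the inner credentials to a
    server other than the one the inner identity designates; None when both agree."""
    outer, inner = route_prior_art(auth), route_by_inner_identity(auth)
    if outer == inner:
        return None
    return f"outer route {outer} differs from inner route {inner} for {auth.inner_identity}"


if __name__ == "__main__":
    sample = TunneledAuth("EAP-TTLS", "anonymous@ipprovider.example", "alice@corp.example", "MSCHAPv2")
    print("prior art:", route_prior_art(sample))
    print("by inner identity:", route_by_inner_identity(sample))
    print("mismatch:", routing_mismatch(sample))
```

The `routing_mismatch` check is the practical takeaway for an operator: when the outer and inner realms disagree, a static outer-identity route delivers the inner credentials to whichever server the roaming identity names, and only a decision taken after the tunnel is up can send them elsewhere.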
Methods are therefore needed for wireless Internet environments that provide increased flexibility in authenticating a user.