White Paper Excerpt

Wi-Fi Offloading, How? – 2.1 & 2.2

EAP and Seamless Access with SIM Authentication

EAP authentication is a prerequisite for IEEE 802.1x, which we covered in our previous post and is essential for enabling secure and encrypted Wi-Fi. Several EAP methods can be used in SIM authentication; below, we will provide an overview of the key differences among them.

White Paper: Wi-Fi Offloading, How?

This is an excerpt from our white paper, Wi-Fi Offloading, How?, a technical deep dive into deploying Wi-Fi offloading solutions. If you like what you read, download the full white paper. As a bonus, you’ll also gain access to Wi-Fi Offloading, Why?, outlining the business benefits for mobile operators.

| Consideration | EAP-SIM | EAP-AKA | EAP-AKA′ | 5G-AKA |
| --- | --- | --- | --- | --- |
| Network Generation | 2G/3G | 3G/4G | 4G/5G | For 5G SA architecture. (Note that EAP-AKA′ will be used for a long time.) |
| Use Case | Wi-Fi authentication. | Wi-Fi authentication. | Wi-Fi authentication. | Cellular and Wi-Fi authentication. |
| Key Management | K_i (shared with USIM). | The key is derived from the SIM. | The key is derived from the SIM and will be further enhanced with Perfect Forward Secrecy (PFS) (1). | The key is derived from the home network. |
| Security Features | Weak encryption. | Advanced security. | Further improved key management and security features. | Enhanced user equipment identity protection, no clear text identifiers (2) enforced by SUCI in 5G. |
| Authentication Type | Challenge-response. | Challenge-response. | Challenge-response. | Challenge-response. |
| Key Derivation | Based on GSM algorithms. | Based on 3G/4G algorithms. | Improved key derivation (SHA-256). | Enhanced key separation. |
| Identity Protection | Limited. | Improved with protection against active attacks. | Further improved with stronger encryption. | Strong protection (SUCI). |
| Mutual Authentication (3) | Yes | Yes | Yes | Yes |

1) PFS is a cryptographic property that protects past sessions against future compromises of the underlying secret keys in the SIM.

2) The Enea Aptilo SMP IMSI encryption is a non-standard extension supported by both iPhone and Android, which means that identifiers will not be communicated in cleartext for EAP-SIM/AKA/AKA′. This provides a similar protection as 5G SUCI for EAP-AKA/AKA’.

3) Both the device and cellular network are verified in the process. It is not possible to present a “fake” mobile core.

In conclusion, the most common EAP method for Wi-Fi offloading today is EAP-AKA, closely followed by EAP-AKA′. Given its weak security (see the table above), EAP-SIM is mostly used in legacy deployments, and it will take time before we see widespread adoption of 5G-AKA.
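The table's "Improved key derivation (SHA-256)" entry for EAP-AKA′ refers to the key hierarchy of RFC 5448, where the SIM's CK/IK are first re-keyed with the access network name (per 3GPP TS 33.402) and then expanded with an HMAC-SHA-256 PRF into the EAP keys, including the MSK that the AAA later hands to the access point or gateway. The following Python is an added illustration written for this excerpt, not code from Enea or from the Aptilo SMP; CK, IK, AUTN and the subscriber identity are constructed sample values.

```python
import hmac
import hashlib

# Constructed sample values (not real subscriber material). CK and IK come from
# the HSS authentication vector; SQN xor AK is the first 6 octets of AUTN.
CK = bytes.fromhex("0123456789abcdef0123456789abcdef")
IK = bytes.fromhex("fedcba9876543210fedcba9876543210")
AUTN = bytes.fromhex("6f7b4a2d33b1" + "8000" + "d4e5f60718293a4b")
IDENTITY = b"0234150999999999@nai.epc.mnc015.mcc234.3gppnetwork.org"  # constructed root NAI


def prf_prime(key: bytes, seed: bytes, out_len: int) -> bytes:
    """PRF' of RFC 5448 section 3.4.1: T_n = HMAC-SHA-256(K, T_(n-1) | S | n), n = 1, 2, ..."""
    out, prev, counter = b"", b"", 1
    while len(out) < out_len:
        prev = hmac.new(key, prev + seed + bytes([counter]), hashlib.sha256).digest()
        out += prev
        counter += 1
    return out[:out_len]


def derive_ck_ik_prime(ck: bytes, ik: bytes, network_name: bytes, sqn_xor_ak: bytes):
    """CK'/IK' per 3GPP TS 33.402 Annex A.2: the TS 33.220 KDF with FC = 0x20,
    P0 = access network identity, P1 = SQN xor AK, and CK||IK as the input key."""
    s = (b"\x20" + network_name + len(network_name).to_bytes(2, "big")
         + sqn_xor_ak + len(sqn_xor_ak).to_bytes(2, "big"))
    out = hmac.new(ck + ik, s, hashlib.sha256).digest()
    return out[:16], out[16:]  # CK' = upper 128 bits, IK' = lower 128 bits


def eap_aka_prime_keys(ck, ik, autn, identity, network_name=b"WLAN"):
    """Full EAP-AKA' key hierarchy (RFC 5448 section 3.3); "WLAN" is the name used for Wi-Fi."""
    ck_p, ik_p = derive_ck_ik_prime(ck, ik, network_name, autn[:6])
    mk = prf_prime(ik_p + ck_p, b"EAP-AKA'" + identity, 208)  # 1664 bits of master key
    return {
        "K_encr": mk[0:16],   # protects AT_ENCR_DATA (pseudonyms, re-auth ids)
        "K_aut": mk[16:48],   # authenticates EAP packets (AT_MAC)
        "K_re": mk[48:80],    # fast re-authentication key
        "MSK": mk[80:144],    # exported to the AP/ePDG; MSK[0:32] becomes the WPA PMK
        "EMSK": mk[144:208],  # never leaves the AAA server and the peer
    }


def keys_bound_to_network(ck, ik, autn, identity, name_a, name_b) -> bool:
    """True when two different access network names yield different MSKs."""
    a = eap_aka_prime_keys(ck, ik, autn, identity, name_a)["MSK"]
    b = eap_aka_prime_keys(ck, ik, autn, identity, name_b)["MSK"]
    return a != b


if __name__ == "__main__":
    for name, k in eap_aka_prime_keys(CK, IK, AUTN, IDENTITY).items():
        print(f"{name:7s} {len(k) * 8:4d} bits  {k.hex()}")
    print("MSK bound to network name:",
          keys_bound_to_network(CK, IK, AUTN, IDENTITY, b"WLAN", b"WLAN-other"))
```

The network name binding is what stops keys derived for one access network from being replayed on another, which plain EAP-AKA does not provide.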

Seamless Access with SIM Based Authentication

A key component of Wi-Fi offloading is SIM-based authentication, which provides a seamless, secure Wi-Fi experience comparable to cellular networks. This section will examine the mechanics of SIM authentication from a standards perspective. The 3GPP AAA server plays a central role in SIM authentication for 3G, 4G, and 5G networks using the 5G non-standalone architecture (5G NSA), which relies on the existing Evolved Packet Core (EPC) from 4G. However, as we will discuss later, real-world implementations often require capabilities beyond the standard 3GPP AAA function.

The 5G standalone architecture (5G SA) introduced some changes to how SIM-based authentication works for Wi-Fi access (untrusted and trusted non-3GPP Access) compared to previous generations. In 5G SA, no 3GPP AAA server is specified. Instead, the authentication process for Wi-Fi access using SIM credentials is more tightly integrated with the 5G core network and distributed across multiple core network components. Looking ahead, the 3GPP AAA may evolve into a comprehensive bridging function, providing unified management for Wi-Fi access across all generations of cellular networks.

SIM Authentication for Wi-Fi Access in 3G, 4G and 5G NSA

The 3GPP AAA server, exemplified here by the Enea Aptilo SMP, plays a crucial role in SIM authentication for 3G, 4G, and 5G NSA networks. It securely manages the authentication process by integrating with the mobile core to verify the device’s credentials.

SIM Authentication for Untrusted Wi-Fi Access in 3G, 4G and 5G NSA Networks

Untrusted non-3GPP Access is used for Wi-Fi networks that the mobile operator does not trust. This is why this is the access method of choice for Wi-Fi Calling, which must be available wherever there is a Wi-Fi network. Note that the 5G non-standalone (5G NSA) networks use the same mobile core (EPC) as 4G.

The user device is already assumed to be onboarded to the Wi-Fi network, for instance in a home, office or public hotspots. So, SIM authentication has nothing to do with security or login to the Wi-Fi network. Instead, SIM authentication is used to authenticate and authorize the user device to access the mobile core through an IPsec tunnel. The keys for setting up the IPsec tunnel are derived from the SIM authentication process.

Figure: EAP-SIM/AKA in 3G/4G/5G NSA untrusted non-3GPP access (Wi-Fi)

  1. The device initiates an Internet Key Exchange version 2 (IKEv2) connection to the evolved Packet Data Gateway (ePDG) in 4G/5G NSA or Tunnel Termination Gateway (TTG) in 3G, located in the mobile core. This creates an initial, unauthenticated tunnel.
  2. The device sends an IKE_AUTH request containing its identity through this initial tunnel. The ePDG/TTG forwards this request to the Enea Aptilo SMP (SMP) acting as a 3GPP AAA server to initiate the EAP-AKA authentication process. The SMP communicates with the Home Subscriber Server (HSS) or Home Location Register (HLR) to retrieve the user’s authentication vector. Based on the authentication vector, the SMP generates an EAP challenge (EAP-SIM/AKA/AKA’). This challenge is sent back through the ePDG/TTG to the device. The device processes the challenge using its SIM credentials and sends the response back to the SMP through the ePDG/TTG. The SMP verifies the device’s response and if successful, the SMP generates keying material for the IPsec tunnel and sends it to the ePDG/TTG. The SMP also sends an EAP Success message to the ePDG/TTG, which is forwarded to the device. The device independently derives keys for IPsec tunnel establishment based on the shared secret and parameters received in the EAP authentication process.
  3. The ePDG/TTG and device complete the IKEv2 exchange, utilizing the generated keys to establish a fully authenticated and encrypted IPsec tunnel. Optionally, additional IPsec Security Associations (SAs) may be established for different traffic types or QoS levels. The ePDG/TTG then establishes a GTP connection to the Packet Gateway (P-GW/GGSN) to provide the device with access to the mobile network services and the Internet.

SIM Authentication for Trusted Wi-Fi Access in 3G, 4G and 5G NSA Networks

In Wi-Fi networks, the 3GPP AAA serves a dual purpose for trusted non-3GPP access.

  • It authenticates users through SIM-based authentication for Wi-Fi network access.
  • It enables WPA2/WPA3 encryption of the Wi-Fi network upon successful authentication. This encryption ensures secure, over-the-air communication within the Wi-Fi network.

The user gets internet access through the local gateway, as shown in the picture below (the most common scenario). The traffic can also be backhauled to the mobile core using the 3GPP-specified trusted WAG/TWAG gateway functionality with an optional local traffic breakout.

Figure: EAP-SIM/AKA in 3G/4G/5G NSA trusted non-3GPP access (Wi-Fi)

  1. During initialization, only EAP over LAN (EAPOL) 802.1x traffic is permitted between the device and the Wi-Fi access point (AP). All other traffic, such as DHCP or HTTP, is blocked. Initially, the Wi-Fi AP sends an EAP identity request to the device (EAP-SIM/AKA/AKA’). From this point, a secure end-to-end communication channel is established between the device and the Enea Aptilo Service Management Platform (SMP), which acts as a 3GPP AAA server for SIM authentication. The Wi-Fi AP’s role is to forward EAP messages over EAPOL to the AAA by encapsulating them in RADIUS and vice versa.
  2. In this multi-round trip EAP exchange, the device sends its identity to the SMP. The SMP contacts the HSS/HLR via the SS7/MAP or Diameter D’/Gr’ interface to retrieve the 3GPP authentication vectors needed to authenticate this identity. The SMP challenges the device for authentication based on these vectors. Note that it is not only the SMP that authenticates the device. The device also authenticates the network, i.e., the SMP and its connection to the mobile core.
  3. Upon mutual successful authentication, the Enea Aptilo SMP sends the generated encryption keys to the access point over RADIUS. The encryption keys are used to secure the Wi-Fi radio network through WPA2-Enterprise or WPA3-Enterprise encryption. The client must generate the same encryption keys to gain network access and correctly validate the authentication vectors through the SIM card. The derived encryption keys are unique to the connection, ensuring the device has its own encrypted and secure Wi-Fi connection.
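Step 3 above moves the MSK from the AAA server to the access point inside a RADIUS Access-Accept. On the wire this is the MS-MPPE-Recv-Key / MS-MPPE-Send-Key wrapping of RFC 2548, which is keyed only by the RADIUS shared secret and the Request Authenticator. The Python below is an added illustration written for this excerpt, not Enea's or the SMP's code; the shared secret, authenticator and MSK are constructed sample values.

```python
import hashlib
import os

# Constructed sample values (not from any real deployment).
SHARED_SECRET = b"example-radius-secret"                       # AP <-> AAA shared secret
REQ_AUTHENTICATOR = bytes(range(16))                            # from the Access-Request
MSK = hashlib.sha256(b"constructed-msk-seed").digest() * 2      # 64-byte MSK from EAP-AKA'


def mppe_wrap(secret: bytes, req_auth: bytes, key: bytes, salt: bytes) -> bytes:
    """Encrypt a key as RFC 2548 sections 2.4.2/2.4.3 do for MS-MPPE-*-Key:
    P = len || key || zero padding to 16 octets; c_i = P_i xor MD5(secret || prev)."""
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the high bit set")
    p = bytes([len(key)]) + key
    p += b"\x00" * (-len(p) % 16)
    prev, out = req_auth + salt, b""
    for i in range(0, len(p), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(p[i:i + 16], b))
        out, prev = out + c, c
    return salt + out


def mppe_unwrap(secret: bytes, req_auth: bytes, value: bytes) -> bytes:
    """Inverse of mppe_wrap, as performed by the access point on the Access-Accept."""
    salt, ct = value[:2], value[2:]
    prev, p = req_auth + salt, b""
    for i in range(0, len(ct), 16):
        b = hashlib.md5(secret + prev).digest()
        p += bytes(x ^ y for x, y in zip(ct[i:i + 16], b))
        prev = ct[i:i + 16]
    return p[1:1 + p[0]]


def aaa_export_msk(secret, req_auth, msk, salts=None):
    """AAA side: MSK[0:32] -> MS-MPPE-Recv-Key (the PMK), MSK[32:64] -> MS-MPPE-Send-Key."""
    if salts is None:  # RFC 2548: salt unique per attribute, high bit set
        salts = [bytes([0x80 | os.urandom(1)[0], os.urandom(1)[0]]) for _ in range(2)]
    return {
        "MS-MPPE-Recv-Key": mppe_wrap(secret, req_auth, msk[:32], salts[0]),
        "MS-MPPE-Send-Key": mppe_wrap(secret, req_auth, msk[32:], salts[1]),
    }


def ap_recover_pmk(secret, req_auth, attrs) -> bytes:
    """AP side: the recovered Recv-Key is the PMK that seeds the WPA2/WPA3 4-way handshake."""
    return mppe_unwrap(secret, req_auth, attrs["MS-MPPE-Recv-Key"])


if __name__ == "__main__":
    attrs = aaa_export_msk(SHARED_SECRET, REQ_AUTHENTICATOR, MSK)
    print("PMK matches MSK[0:32]:",
          ap_recover_pmk(SHARED_SECRET, REQ_AUTHENTICATOR, attrs) == MSK[:32])
```

Because this MD5-based wrapping is the only protection the PMK has on the AP-to-AAA hop, a strong RADIUS shared secret, or carrying RADIUS over IPsec or RadSec (TLS), is what keeps the per-connection Wi-Fi keys confidential.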

SIM Authentication for Wi-Fi Access in 5G SA

Today (November 2024), relatively few 5G networks (50-60 networks) are utilizing the 5G standalone (5G SA) architecture, but this architecture will grow in importance over time. The authentication process for non-3GPP access, such as Wi-Fi, is more unified with the cellular authentication process, which introduces new technical challenges. One of these is how to carry Non-Access Stratum (NAS) signaling over Wi-Fi. The EAP-5G protocol has been introduced to encapsulate NAS messages so that they can go over Wi-Fi through an IKEv2 connection. So, EAP-5G is not an authentication protocol, which can be a bit confusing at first look.

SIM Authentication for untrusted Wi-Fi Access in 5G SA Networks

The principles are the same as for untrusted Wi-Fi access towards the Evolved Packet Core (4G/5G NSA). The user is assumed to be already onboarded to the Wi-Fi network, and security is enforced by having an IPsec tunnel between the device and the mobile core.

Figure: EAP-SIM in 5G standalone architecture for untrusted non-3GPP access (Wi-Fi)

  1. The device initiates an Internet Key Exchange version 2 (IKEv2) connection to the selected Non-3GPP Interworking Function (N3IWF) located in the mobile core. This creates an initial unauthenticated tunnel.
  2. The device sends a NAS Registration Request message encapsulated in EAP-5G to the N3IWF over this initial tunnel. The N3IWF extracts and forwards the NAS message to the Access and Mobility Management Function (AMF). The NAS signaling between the device and AMF uses the N1 interface, similar to cellular access. The AMF initiates the authentication procedure by sending an authentication request to the Authentication Server Function (AUSF). The AUSF communicates with the Unified Data Management (UDM) to retrieve authentication data and the subscriber’s profile. The UDM, together with the Authentication credential Repository and Processing Function (ARPF), generates an authentication vector. The AUSF receives the authentication vector and initiates the EAP authentication procedure (EAP-AKA’ or 5G-AKA). The authentication challenge is returned to the device through the AMF and N3IWF. The device processes the challenge using its SIM credentials and sends the response back to the AUSF through the N3IWF and AMF. The AUSF verifies the device’s response. If successful, the AUSF generates keying material for the IPsec tunnel establishment and sends it to the AMF’s security anchor function. The AMF derives further keys for NAS security and N3IWF communication. The AMF initiates the NAS Security Mode Command procedure with the device to establish NAS security. The AUSF sends an EAP-Success message to the AMF, which in turn sends the EAP-Success message to the device through the N3IWF, utilizing the NAS security mode. The AMF also sends keying material to the N3IWF for IPsec tunnel establishment. The device independently derives keys for IPsec tunnel establishment based on the shared secret and parameters received in the EAP authentication process.
  3. The N3IWF and device complete the IKEv2 exchange, utilizing the generated keys to establish a fully authenticated and encrypted IPsec tunnel. Optionally, additional IPsec Security Associations (SAs) may be established for different traffic types or QoS levels. The N3IWF then establishes a GTP tunnel to the User Plane Function (UPF) packet gateway to provide the device with access to the mobile network services and the Internet.

SIM Authentication for Trusted Wi-Fi Access in 5G SA Networks

The authentication process is very similar to the process for untrusted Wi-Fi access, with some important exceptions:

  • The device is authenticated for access to the Wi-Fi network, while with untrusted Wi-Fi access, the device is assumed to be already onboarded to the Wi-Fi network.
  • The initial unauthenticated IKEv2 connection used for untrusted Wi-Fi access is not necessary, as the underlying link layer can transfer NAS messages encapsulated in EAP-5G.
  • The IPsec tunnel is NULL encrypted to avoid duplicated encryption with the encrypted (WPA2/WPA3) Wi-Fi network connection created in the EAP authentication process.
  • The N3IWF is replaced by the Trusted Non-3GPP Gateway Function (TNGF) or the Trusted WLAN Interworking Function (TWIF) used for legacy devices that do not support 5G NAS signaling over trusted Wi-Fi access. Note that these are all functions, so all three functions could be incorporated in the same gateway.

Figure: EAP-AKA in 5G standalone architecture for trusted non-3GPP access (Wi-Fi)

  1. The device discovers a trusted Wi-Fi network (trusted non-3GPP) and initiates an EAP-based authentication procedure towards the selected public or private cellular network (PLMN/SNPN) by sending a NAS Registration Request message encapsulated in EAP-5G to the trusted Wi-Fi AP (TNAP), which forwards it to the TNGF/TWIF gateway function. The TNGF/TWIF extracts and forwards the NAS message to the Access and Mobility Management Function (AMF). The NAS signaling between the device and AMF uses the N1 interface, similar to cellular access. The AMF initiates the authentication procedure by sending an authentication request to the Authentication Server Function (AUSF). The AUSF communicates with the Unified Data Management (UDM) to retrieve authentication data and the subscriber’s profile. The UDM, with the often co-located Authentication credential Repository and Processing Function (ARPF), generates an authentication vector. The AUSF receives the authentication vector and initiates the EAP authentication procedure (EAP-AKA’ or 5G-AKA). The authentication challenge is sent back to the device through the AMF and TNGF/TWIF. The device processes the challenge using its SIM credentials and sends the response back to the AUSF through the TNGF/TWIF and AMF. The AUSF verifies the device’s response. If successful, the AUSF generates keying material for the NULL encryption IPsec tunnel establishment and sends it to the AMF’s security anchor function. The AMF derives further keys for NAS security and TNGF/TWIF communication. The AMF initiates the NAS Security Mode Command procedure with the device to establish NAS security. The AUSF sends an EAP-Success message to the AMF, which in turn sends the EAP-Success message to the device through the TNGF/TWIF, utilizing the NAS security mode. The AMF also sends keying material to the TNGF/TWIF for the (WPA2/WPA3) encryption of the Wi-Fi network connection and the IPsec tunnel establishment. The device independently derives keys for IPsec tunnel establishment and the secure Wi-Fi connection based on the shared secret and parameters received in the EAP authentication process.
  2. Upon mutual successful authentication, the TNGF/TWIF sends the generated encryption keys to the access point over RADIUS. The encryption keys are used to secure the Wi-Fi radio network through WPA2-Enterprise or WPA3-Enterprise encryption. The device must generate the same encryption keys to gain network access and correctly validate the authentication vectors through the SIM card. The derived encryption keys are unique to the connection, ensuring the device has its own encrypted and secure Wi-Fi connection.
  3. The TNGF/TWIF and the device use the generated keys to establish the NULL-encrypted IPsec tunnel using IKEv2 signaling. Optionally, additional IPsec Security Associations (SAs) may be established for different traffic types or QoS levels. The TNGF/TWIF then establishes a GTP tunnel to the User Plane Function (UPF) packet gateway to provide the device with access to the mobile network services and the Internet.

Bridging the 3GPP Standard with Real-World Solutions

While the outlined flows above reflect 3GPP standards for SIM authentication, practical network implementations often favor pragmatic, hybrid approaches due to existing network design, equipment and investments. In real-world deployments, the RADIUS protocol—widely used in Wi-Fi and various gateways—will likely continue to play a significant role alongside emerging 5G standards and protocols.

Historically, many 3GPP-specified interworking gateway functions for Wi-Fi (non-3GPP Access) have not seen widespread adoption for Wi-Fi offloading. For example, in 4G with the Evolved Packet Core (EPC), the tunnel-terminating ePDG gateway has primarily been used for Wi-Fi Calling rather than Wi-Fi offloading.

Wi-Fi Offloading

For Wi-Fi offloading in trusted Wi-Fi network environments, there has been limited demand for the WAG/TWAG to backhaul traffic to the EPC mobile core. In fact, the vast majority (around 90%) of Enea’s Wi-Fi offloading customer deployments opt to route traffic directly to the internet via a non-3GPP gateway, bypassing the mobile core. We foresee a similar trend in 5G SA, with a strong preference for local traffic breakout. Backhauling traffic through the mobile core only offloads the radio network (RAN), while local breakout delivers a more efficient solution by directly handling traffic at the edge.

In this context, the 3GPP AAA is expected to evolve and take the role of SIM-based authentication (control plane only) also in 5G SA, effectively offering a unified SIM authentication function across all generations of cellular networks. This evolution would give mobile operators a streamlined and pragmatic architecture, capable of handling SIM authentication seamlessly across both 4G and 5G core networks.

Wi-Fi Calling

For Wi-Fi Calling utilizing untrusted Wi-Fi access in 5G SA, the N3IWF function will still be required. One potential scenario is the adaptation of the 3GPP AAA function as a “bridging function” within the authentication flow for Wi-Fi Calling. Mobile Network Operators (MNOs) often prefer leveraging established, proven technologies over quickly adopting new standards when practical alternatives exist. It’s important to note that the N3IWF is only a reference in the 3GPP standard and not a specific gateway product. An adaptive authentication server (3GPP AAA), like Enea’s Aptilo SMP, could potentially evolve to integrate with the 5G SA core for control plane authentication while the existing ePDG gateways manage the N3IWF roles within the traffic plane. The same scenario could also happen for trusted access, with the existing WAG/TWAG gateways taking over the TNGF/TWIF functions in the traffic plane. These scenarios would require cooperation between the 3GPP AAA and gateway vendors.
