Access control in WiMAX technology is the security mechanism to ensure that only valid users are allowed access to the WiMAX network. In the most general terms, an access control system has three elements:
- An entity that desires to get access: the supplicant.
- An entity that controls the access gate: the authenticator.
- An entity that decides whether the supplicant should be admitted: the authentication server.
This is the typical access control architecture used by service providers. Access control systems were first developed for use with dial-up modems and were then adapted for broadband services. The basic protocols developed for dial-up services were PPP (Point-to-Point Protocol) and Remote Authentication Dial-In User Service (RADIUS). PPP is used between the supplicant and the authenticator, which in most cases is the edge router or Network Access Server (NAS), and RADIUS is used between the authenticator and the authentication server. (Michel Barbeau)
PPP originally supported only two authentication schemes: Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP), neither of which is strong enough to be used in wireless systems. Safer authentication schemes can be supported by PPP using the Extensible Authentication Protocol (EAP). (Michel Barbeau)
Extensible Authentication Protocol
Extensible Authentication Protocol (EAP), a flexible framework created by the IETF (RFC 3748), allows arbitrary and complex authentication protocols to be exchanged between the supplicant and the authentication server. EAP is a simple encapsulation that can run not only over PPP but over any link, including the WiMAX link.
EAP includes a set of negotiating messages that are exchanged between the client and the authentication server. The protocol defines a set of request and response messages, where the authenticator sends requests to the authentication server; based on the responses, access to the client may be granted or denied. The protocol assigns type codes to the various authentication methods and delegates the task of proving user or device identity to an auxiliary protocol, an EAP method, which defines the rules for authenticating a user or a device. A number of EAP methods have already been defined to support authentication using a variety of credentials, such as passwords, certificates, tokens, and smart cards. For example, Protected Extensible Authentication Protocol (PEAP) defines a password-based EAP method, EAP-Transport Layer Security (EAP-TLS) defines a certificate-based EAP method, and EAP-SIM (Subscriber Identity Module) defines a SIM card-based EAP method. EAP-TLS provides strong mutual authentication, since it relies on certificates on both the network and the subscriber terminal. (Chong Li, 2006)
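As an added illustration of the encapsulation and type-code negotiation described above (example code written for this page, not taken from any cited source), the following builds and validates RFC 3748 EAP packets and walks through a method negotiation: the authenticator issues Requests toward the supplicant, the supplicant answers with a Response of the offered type or a Nak listing the methods it does support, and the two settle on a common method or give up. The method type codes are the IANA-registered values; the identity string and the method lists are constructed sample data.

```python
import struct

# RFC 3748 header: Code(1) Identifier(1) Length(2), then Type(1) + data for Request/Response.
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
IDENTITY, NAK, EAP_TLS, EAP_SIM, PEAP = 1, 3, 13, 18, 25   # IANA EAP method type codes
_CODE_NAMES = {REQUEST: "Request", RESPONSE: "Response", SUCCESS: "Success", FAILURE: "Failure"}

def build_eap(code, identifier, eap_type=None, data=b""):
    """Encode one EAP packet; Success and Failure carry no Type field."""
    body = b"" if code in (SUCCESS, FAILURE) else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def parse_eap(pkt):
    """Decode and validate an EAP packet, rejecting malformed headers before use."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if code not in _CODE_NAMES:
        raise ValueError("unknown EAP Code %d" % code)
    if length < 4 or length > len(pkt):
        raise ValueError("EAP Length %d inconsistent with packet of %d bytes" % (length, len(pkt)))
    msg = {"code": _CODE_NAMES[code], "id": identifier, "type": None, "data": b""}
    if code in (REQUEST, RESPONSE):
        if length < 5:
            raise ValueError("Request/Response must carry a Type field")
        msg["type"], msg["data"] = pkt[4], pkt[5:length]   # bytes beyond Length are padding, ignored
    return msg

def peer_reply(request, supported):
    """Supplicant side: answer Identity, accept an offered method, or Nak with its own method list."""
    if request["type"] == IDENTITY:
        return build_eap(RESPONSE, request["id"], IDENTITY, b"user@example.net")  # constructed identity
    if request["type"] in supported:
        return build_eap(RESPONSE, request["id"], request["type"], b"")
    return build_eap(RESPONSE, request["id"], NAK, bytes(supported))  # Nak data = desired type codes

def negotiate(authenticator_allowed, peer_supported):
    """Authenticator side: offer the preferred method, re-offer on Nak, return the agreed type or None."""
    ident, offer = 1, authenticator_allowed[0]
    while True:
        req = build_eap(REQUEST, ident, offer)
        resp = parse_eap(peer_reply(parse_eap(req), peer_supported))
        if resp["code"] != "Response" or resp["id"] != ident:
            raise ValueError("reply does not match the outstanding Request Identifier")
        if resp["type"] == offer:
            return offer                      # method accepted; the method's own exchange follows
        common = [t for t in authenticator_allowed if t in resp["data"]]
        if resp["type"] != NAK or not common:
            return None                       # no common method: authenticator would send Failure
        offer, ident = common[0], ident + 1   # fresh Identifier for each new Request
```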
In WiMAX systems, EAP runs from the mobile station to the base station over the Privacy Key Management version 2 (PKMv2) security protocol defined in the IEEE 802.16e-2005 air interface. If the authenticator is not in the base station, the base station relays the authentication protocol to the authenticator in the access service network (ASN). From the authenticator to the authentication server, EAP is carried over RADIUS.