Protocol for Carrying Authentication for Network Access
PANA is an IP-based protocol that allows a device to authenticate itself with a network in order to be granted access. PANA does not define any new authentication, key distribution, key agreement or key derivation protocols. For these purposes, the Extensible Authentication Protocol (EAP) is used, and PANA carries the EAP payload. PANA allows dynamic service provider selection, supports various authentication methods, is suitable for roaming users, and is independent of the link-layer mechanisms.

PANA is an Internet Engineering Task Force (IETF) protocol and is described in RFC 5191.

PANA architecture's elements

PaC (PANA Client)
The PaC is the client part of the protocol. This element is located in the node that wants to reach the access network.

PAA (PANA Authentication Agent)
The PAA is the server part of the PANA protocol. Its main task is to exchange messages with the PaC in order to authenticate it and authorize it for network access. In addition, in some scenarios the PAA has to exchange further messages with the AAA server in order to present the PaC's credentials. This happens when EAP is configured as pass-through; in that case, the AAA server is physically located in a different place from the PAA.

AS (Authentication Server)
This element holds the information needed to check the PaC's credentials. The node receives the PaC's credentials from the PAA and sends back a packet with the result of the credential check. If the result is OK, this packet also carries information about the access parameters, such as the allowed bandwidth or the IP configuration. At that point a session has been established between the PAA and the PaC. This session has a session time; when it expires, a re-authentication process is needed for the PaC to regain network access.

EP (Enforcement Point)
The EP works as a filter for packets whose source is an authenticated PaC. Basically, an EP is a network node that drops packets according to parameters provided as results of the authentication process. Typically, this function is performed by a communication device such as an access point or a router. When an authentication process completes successfully, a key is installed in the EP and the PaC, establishing a session between them. As long as this session has not expired, the PaC can access the network services for which it has been authorised. When the session expires, this has to be indicated to the PAA so that a re-authentication can be done.
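
The enforcement behaviour described above, modelled as an added example (not code from the article, RFC 5191 or any PANA implementation). The class and method names, the address-keyed session table and the EP-to-PAA expiry callback are assumptions made for illustration; a real EP binds traffic to the installed key rather than to a source address alone.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    expires_at: float        # absolute time at which the session lapses
    services: frozenset      # services the PaC was authorised for


class EnforcementPoint:
    """Hypothetical EP model: forwards only traffic from PaCs with a live session."""

    def __init__(self, notify_paa):
        self._sessions = {}            # PaC address -> Session
        self._notify_paa = notify_paa  # assumption: EP tells the PAA about expiry

    def install(self, pac, lifetime, services, now):
        """Called once authentication succeeds (a real EP also installs a key)."""
        if lifetime <= 0:
            raise ValueError("session lifetime must be positive")
        self._sessions[pac] = Session(now + lifetime, frozenset(services))

    def verdict(self, src, service, now):
        session = self._sessions.get(src)
        if session is None:
            return "drop: not authenticated"
        if now >= session.expires_at:
            # Fail closed: remove the entry first, then ask for re-authentication.
            del self._sessions[src]
            self._notify_paa(src)
            return "drop: session expired"
        if service not in session.services:
            return "drop: not authorised"
        return "forward"


def run_demo():
    """Constructed scenario; addresses, services and times are made up."""
    reauth = []
    ep = EnforcementPoint(reauth.append)
    results = [ep.verdict("2001:db8::10", "web", now=0)]        # before authentication
    ep.install("2001:db8::10", lifetime=60, services={"web"}, now=0)
    results.append(ep.verdict("2001:db8::10", "web", now=30))   # live session
    results.append(ep.verdict("2001:db8::10", "ssh", now=30))   # outside the grant
    results.append(ep.verdict("2001:db8::10", "web", now=60))   # lifetime reached
    results.append(ep.verdict("2001:db8::10", "web", now=61))   # entry already gone
    ep.install("2001:db8::10", lifetime=60, services={"web"}, now=62)  # re-authenticated
    results.append(ep.verdict("2001:db8::10", "web", now=63))
    return results, reauth
```

The time is passed in explicitly so the expiry boundary can be checked deterministically; the session is treated as expired at the exact moment its lifetime is reached.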

External links

  • RFC 5191 - Protocol for Carrying Authentication for Network Access (PANA)
  • OpenPANA
  • CPANA
The source of this article is Wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.