EAP

Extensible Authentication Protocol

Security
Introduced in Rel-6
The Extensible Authentication Protocol (EAP) is a flexible framework defined by the IETF for network access authentication, widely adopted by 3GPP. It supports multiple authentication methods (EAP methods) and is a cornerstone for secure access in 3G, 4G, and 5G networks, especially for non-3GPP access.

Description

The Extensible Authentication Protocol (EAP) is an authentication framework, originally defined in IETF RFC 3748 and widely incorporated into 3GPP standards, that provides a flexible mechanism for securely authenticating a client (or UE) to a network. It operates as a lock-step request-response protocol carried within a lower-layer transport protocol, such as PPP, IEEE 802.1X (EAP over LAN - EAPOL), or directly within 3GPP-specific signaling like NAS (Non-Access Stratum) or DIAMETER. The core architecture involves three entities: the EAP peer (the client requesting access), the EAP authenticator (the network access point, e.g., a WLAN AP or 3GPP AAA Proxy), and the EAP server (the backend authentication server, often an AAA server like HSS/UDM or a separate RADIUS server).

EAP works by allowing the authenticator to act as a pass-through. The authenticator receives an EAP-Start or EAP-Response/Identity from the peer, encapsulates it, and forwards it to the EAP server. The EAP server then selects an appropriate EAP method (e.g., EAP-AKA, EAP-AKA', EAP-TLS, EAP-SIM) based on policy and the peer's identity. The subsequent EAP conversation—a series of method-specific request/response messages—occurs directly between the peer and the server, transparently relayed by the authenticator. This conversation performs the mutual authentication and derives session keys. Upon successful authentication, the EAP server sends an EAP-Success message to the authenticator, along with the derived Master Session Key (MSK) and Extended MSK (EMSK). The authenticator uses the MSK to derive necessary link-layer encryption keys.
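The pass-through exchange described above, as an added illustration that is not part of the original page: a minimal RFC 3748 packet codec, plus an authenticator that validates the Length field, enforces the lock-step Identifier rule, and is handed only the MSK on EAP-Success. The EAP method itself is a constructed toy (Experimental type 255 with a fixed challenge/answer) standing in for a real method such as EAP-AKA'.

```python
import struct

REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_TOY = 1, 255   # 255 is the Experimental type; used for the constructed method

def encode(code, ident, eap_type=None, data=b""):
    """Build an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]; Success/Failure carry no Type."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def decode(pkt):
    """Parse and validate a packet; returns (code, ident, type_or_None, type_data)."""
    if len(pkt) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("Length field inconsistent with received bytes")
    body = pkt[4:length]        # bytes beyond Length are lower-layer padding and are ignored
    if code in (SUCCESS, FAILURE):
        return code, ident, None, b""
    if code not in (REQUEST, RESPONSE) or not body:
        raise ValueError("unknown Code, or Request/Response without Type")
    return code, ident, body[0], body[1:]

def toy_server(pkt):
    """Constructed stand-in for the EAP server: Identity -> one method round -> Success + MSK."""
    _, ident, eap_type, data = decode(pkt)
    if eap_type == TYPE_IDENTITY:
        return encode(REQUEST, ident + 1, TYPE_TOY, b"challenge"), None
    if eap_type == TYPE_TOY and data == b"answer":
        return encode(SUCCESS, ident + 1), b"\x11" * 64   # MSK is at least 64 octets
    return encode(FAILURE, ident + 1), None

class PassThroughAuthenticator:
    """Relays EAP between peer and server; is handed only the MSK, never the EMSK."""
    def __init__(self, server):
        self.server, self.outstanding, self.msk = server, None, None
    def to_peer(self, pkt):                 # server -> peer direction
        code, ident, _, _ = decode(pkt)
        if code == REQUEST:
            self.outstanding = ident        # Identifier of the Request awaiting a Response
        return pkt
    def from_peer(self, pkt):               # peer -> server direction
        code, ident, _, _ = decode(pkt)
        if code != RESPONSE or ident != self.outstanding:
            return None                     # lock-step rule: stray/replayed packets are discarded
        self.outstanding = None
        reply, msk = self.server(pkt)
        if decode(reply)[0] == SUCCESS:
            self.msk = msk                  # MSK is delivered alongside EAP-Success (e.g. over AAA)
        return self.to_peer(reply)
```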

In 3GPP networks, EAP's role is pivotal, especially for integrating non-3GPP access networks (like WLAN, Wi-Fi, and fixed access) with the 3GPP core. It forms the basis for authentication in trusted and untrusted non-3GPP access to the EPS and 5GC, as defined in S2a, S2b, and N3IWF interfaces. Within the core, the Authentication Server Function (AUSF) in 5GC often acts as the EAP server, interacting with the UDM for credential verification. EAP methods like EAP-AKA and EAP-AKA' are used for authentication leveraging USIM credentials, providing seamless mobility and security consistency across different access technologies. EAP thus provides a unified, extensible security layer that is independent of the underlying link technology.

Purpose & Motivation

EAP was created to solve the problem of having multiple, incompatible authentication mechanisms for different network access technologies. Prior to its adoption, each link-layer technology (e.g., dial-up PPP, wired Ethernet, wireless LAN) often had its own proprietary or limited authentication scheme. This fragmentation hindered seamless roaming and consistent security policy enforcement across heterogeneous networks. The IETF developed EAP as a general framework to decouple the authentication method from the specific physical and link-layer protocols, enabling a single, flexible authentication process to run over any link layer capable of carrying EAP frames.

3GPP adopted EAP to address the critical need for secure, unified authentication mechanisms, particularly for interworking with non-3GPP access networks (e.g., WLAN hotspots). As cellular operators began offering seamless access across cellular and Wi-Fi networks, they required an authentication method that could leverage the strong credentials stored in the USIM/SIM card. EAP-AKA (and later EAP-AKA') was developed within the IETF/3GPP collaboration to meet this need, allowing a UE to authenticate to a non-3GPP network using its 3GPP subscription identity and keys. This solved the problem of secure credential reuse and provided a standardized, extensible foundation for future authentication methods, supporting the evolution towards converged access in 4G and 5G.

Key Features

  • Framework supporting multiple authentication methods (EAP methods)
  • Transport independence, operable over PPP, IEEE 802, RADIUS, DIAMETER, and 3GPP NAS
  • Supports mutual authentication between peer and server
  • Derives keying material (MSK, EMSK) for subsequent secure communication
  • Critical for interworking between 3GPP and non-3GPP access (e.g., WLAN, wireline)
  • Enables USIM-based authentication via EAP-AKA/EAP-AKA' methods

Evolution Across Releases

Rel-6 Initial

Introduced EAP-AKA for WLAN interworking (I-WLAN) to enable USIM-based authentication over untrusted WLAN access. Defined the framework for carrying EAP within 3GPP protocols, establishing EAP as the key authentication mechanism for non-3GPP access integration into the 3GPP core network.

Defining Specifications

Specification    Title
TS 21.905        3GPP TS 21.905
TS 22.937        3GPP TS 22.937
TS 23.234        3GPP TS 23.234
TS 23.402        3GPP TS 23.402
TS 24.161        3GPP TS 24.161
TS 24.234        3GPP TS 24.234
TS 24.244        3GPP TS 24.244
TS 24.302        3GPP TS 24.302
TS 24.484        3GPP TS 24.484
TS 24.890        3GPP TS 24.890
TS 28.204        3GPP TS 28.204
TS 29.234        3GPP TS 29.234
TS 29.826        3GPP TS 29.826
TS 31.105        3GPP TR 31.105
TS 31.826        3GPP TR 31.826
TS 33.127        3GPP TR 33.127
TS 33.234        3GPP TR 33.234
TS 33.320        3GPP TR 33.320
TS 33.402        3GPP TR 33.402
TS 33.501        3GPP TR 33.501
TS 33.514        3GPP TR 33.514
TS 33.545        3GPP TR 33.545
TS 33.820        3GPP TR 33.820
TS 33.835        3GPP TR 33.835
TS 33.841        3GPP TR 33.841
TS 33.882        3GPP TR 33.882
TS 43.318        3GPP TR 43.318
TS 43.902        3GPP TR 43.902
TS 44.318        3GPP TR 44.318