EAP

Extensible Authentication Protocol

Introduced in Rel-6. Also in: Security, Services, Radio Access Network.

EAP is a flexible IETF framework for network access authentication that supports multiple methods and is a cornerstone for secure 3G, 4G, and 5G network access, especially for non-3GPP access.

Category: Security
Introduced: Rel-6
Where: Core Network › Evolved Packet Core
Also touches: 3 segments
Specifications: 29 specs

Description

The Extensible Authentication Protocol (EAP) is an authentication framework, defined in IETF RFC 3748 and widely incorporated into 3GPP standards, that provides a flexible mechanism for authenticating a client (in 3GPP terms, the UE) to a network. It is a lock-step request/response protocol: exactly one request is outstanding at any time, and each response must echo the Identifier of that request. EAP has no transport of its own; it is carried by a lower layer such as PPP, IEEE 802.1X (EAP over LAN, EAPOL), IKEv2 (untrusted non-3GPP access via the ePDG or N3IWF), 5G NAS signalling between UE and AMF, or an AAA protocol (RADIUS or Diameter) between the authenticator and the server. The core architecture involves three entities: the EAP peer (the client requesting access), the EAP authenticator (the network element at the edge of the access, e.g., a WLAN AP, an ePDG or N3IWF, or the SEAF in the AMF), and the EAP server (the backend authentication server, typically the 3GPP AAA server in EPS or the AUSF in 5GC, which obtains authentication vectors from the HSS or the UDM/ARPF rather than being replaced by them).

EAP is designed so that the authenticator can act as a pass-through. The authenticator (or the server, through the authenticator) issues an EAP-Request/Identity; the peer answers with an EAP-Response/Identity, which the authenticator encapsulates in the AAA protocol and forwards to the EAP server. The server selects an EAP method (e.g., EAP-AKA, EAP-AKA', EAP-TLS, EAP-SIM) based on policy and the claimed identity; if the peer does not support the proposed method it replies with a Nak listing the methods it does support. The subsequent method-specific request/response exchange runs end to end between peer and server and is relayed transparently by the authenticator, which needs no knowledge of the method. This exchange performs the (ideally mutual) authentication and derives keying material. On success the server sends EAP-Success to the authenticator and exports the Master Session Key (MSK) to it over the AAA protocol; the Extended MSK (EMSK) is never exported to the authenticator and stays with the server and the peer (RFC 5247). The authenticator uses the MSK to derive the link-layer keys, for example the IEEE 802.11 PMK, or the shared secret for the IKEv2 AUTH payloads on ePDG/N3IWF access.
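The framing, lock-step rule, method negotiation and pass-through key export described above, as an added example that is not part of the original page or of any 3GPP or IETF code. It implements the RFC 3748 packet format exactly, but the authentication method itself is a constructed toy (an HMAC challenge/response under an unassigned Type number, one-way only, not EAP-AKA'), and the identity, credential store and key derivation are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# EAP Code values (RFC 3748 section 4) and the Type values used below.
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_NAK = 1, 3
TYPE_AKA_PRIME = 50   # IANA-assigned Type for EAP-AKA' (RFC 5448)
TYPE_TOY = 200        # ASSUMPTION: unassigned Type used for the toy method below


@dataclass
class EapPacket:
    """Wire format: Code(1) | Identifier(1) | Length(2) | [Type(1) | Type-Data]."""
    code: int
    identifier: int
    type: Optional[int] = None
    data: bytes = b""

    def encode(self) -> bytes:
        body = b"" if self.type is None else bytes([self.type]) + self.data
        return struct.pack("!BBH", self.code, self.identifier, 4 + len(body)) + body

    @classmethod
    def decode(cls, raw: bytes) -> "EapPacket":
        if len(raw) < 4:
            raise ValueError("truncated EAP header")
        code, ident, length = struct.unpack("!BBH", raw[:4])
        if code not in (REQUEST, RESPONSE, SUCCESS, FAILURE):
            raise ValueError(f"unknown EAP Code {code}")
        if length < 4 or length > len(raw):
            raise ValueError("Length field inconsistent with frame")
        body = raw[4:length]  # octets beyond Length are lower-layer padding: ignore them
        if code in (SUCCESS, FAILURE):
            if body:
                raise ValueError("Success/Failure carry no Type")
            return cls(code, ident)
        if not body:
            raise ValueError("Request/Response must carry a Type")
        return cls(code, ident, body[0], body[1:])


def toy_kdf(key: bytes, label: bytes, nonce: bytes) -> bytes:
    """64-byte key for the toy method (two HMAC-SHA-256 blocks); not a real EAP method KDF."""
    return b"".join(hmac.new(key, label + nonce + bytes([i]), hashlib.sha256).digest()
                    for i in (1, 2))


class EapServer:
    """Backend EAP server: owns the credential store and the method policy."""

    def __init__(self, creds: Dict[bytes, bytes]):
        self.creds = creds                  # identity -> shared key (constructed toy store)
        self.ident = 0                      # Identifier of the outstanding Request
        self.identity: Optional[bytes] = None
        self.nonce = b""
        self.msk: Optional[bytes] = None
        self.emsk: Optional[bytes] = None

    def initial_request(self) -> EapPacket:
        return EapPacket(REQUEST, self.ident, TYPE_IDENTITY)

    def handle(self, pkt: EapPacket) -> EapPacket:
        if pkt.code != RESPONSE or pkt.identifier != self.ident:
            raise ValueError("lock-step violation: Response does not match outstanding Request")
        if pkt.type == TYPE_IDENTITY:
            self.identity = pkt.data
            if self.identity not in self.creds:
                return EapPacket(FAILURE, pkt.identifier)
            self.nonce = os.urandom(16)
            self.ident = (self.ident + 1) & 0xFF
            return EapPacket(REQUEST, self.ident, TYPE_TOY, self.nonce)  # policy: offer the toy method
        if pkt.type == TYPE_TOY and self.identity is not None:
            key = self.creds[self.identity]
            expected = hmac.new(key, b"resp" + self.nonce, hashlib.sha256).digest()
            if hmac.compare_digest(expected, pkt.data):
                self.msk = toy_kdf(key, b"MSK", self.nonce)
                self.emsk = toy_kdf(key, b"EMSK", self.nonce)
                return EapPacket(SUCCESS, pkt.identifier)
        # A Nak (peer rejects the offered method) or a bad MAC both end in Failure.
        return EapPacket(FAILURE, pkt.identifier)


class EapPeer:
    def __init__(self, identity: bytes, key: bytes, supported: Tuple[int, ...] = (TYPE_TOY,)):
        self.identity, self.key, self.supported = identity, key, supported
        self.msk: Optional[bytes] = None
        self.emsk: Optional[bytes] = None

    def handle(self, pkt: EapPacket) -> Optional[EapPacket]:
        if pkt.code != REQUEST:
            return None                     # Success or Failure: nothing more to send
        if pkt.type == TYPE_IDENTITY:
            return EapPacket(RESPONSE, pkt.identifier, TYPE_IDENTITY, self.identity)
        if pkt.type not in self.supported:  # method negotiation: Nak lists what we do support
            return EapPacket(RESPONSE, pkt.identifier, TYPE_NAK, bytes(self.supported))
        mac = hmac.new(self.key, b"resp" + pkt.data, hashlib.sha256).digest()  # toy: one-way only
        self.msk = toy_kdf(self.key, b"MSK", pkt.data)
        self.emsk = toy_kdf(self.key, b"EMSK", pkt.data)
        return EapPacket(RESPONSE, pkt.identifier, TYPE_TOY, mac)


def run_exchange(peer: EapPeer, server: EapServer):
    """Pass-through authenticator: relays frames, parses only the EAP header, and on
    Success receives the MSK. Returns (final Code, transcript of (Code, Type), MSK)."""
    transcript = []
    frame = server.initial_request().encode()
    while True:
        pkt = EapPacket.decode(frame)
        transcript.append((pkt.code, pkt.type))
        resp = peer.handle(pkt)
        if resp is None:
            msk = server.msk if pkt.code == SUCCESS else None  # EMSK is never exported
            return pkt.code, transcript, msk
        transcript.append((resp.code, resp.type))
        frame = server.handle(EapPacket.decode(resp.encode())).encode()
```

The authenticator in `run_exchange` never inspects Type-Data and never learns the EMSK, which is the property that lets operators change EAP methods without touching access points or gateways. A peer whose `supported` tuple is `(TYPE_AKA_PRIME,)` Naks the toy offer and the server, having no other method in its policy, returns Failure.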

In 3GPP networks, EAP's role is pivotal, especially for integrating non-3GPP access networks (WLAN and fixed access) with the 3GPP core. It forms the basis for authentication in trusted and untrusted non-3GPP access to the EPS (the S2a and S2b reference points, with the TWAN or the ePDG acting as authenticator) and to the 5GC (N3IWF, TNGF and W-AGF). In 5GC the AUSF acts as the EAP server for EAP-AKA' (and for EAP-TLS where that is used, e.g. in private networks), obtaining authentication vectors from the UDM/ARPF, while the SEAF in the AMF is the pass-through authenticator; the same primary authentication therefore runs over NR and over non-3GPP access. EAP-AKA and EAP-AKA' authenticate with USIM credentials; EAP-AKA' additionally binds the derived keys to the name of the access or serving network, which is why 3GPP mandates it rather than EAP-AKA for 5G and for the access types introduced since Rel-8. EAP thus provides a unified, extensible security layer that is independent of the underlying link technology.
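The EAP-AKA' key hierarchy that the AUSF and UE compute in the 5G case, as an added example that is not code from the page or from 3GPP: CK'/IK' derived from the authentication vector's CK/IK and bound to the serving network name (TS 33.402 Annex A.2, with the serving network name as the access network identity per TS 33.501 clause 6.1.3.1), the RFC 5448 PRF' and MK split, and KAUSF taken as the 256 most significant bits of the EMSK. The CK, IK, SQN xor AK, serving network name and identity values in the test are constructed; whether a deployment uses exactly this identity string in the MK derivation depends on the profile in force, so treat the identity argument as an input, not as a claim about a specific network.

```python
import hashlib
import hmac
from typing import Dict, Tuple


def derive_ck_ik_prime(ck: bytes, ik: bytes, network_name: bytes,
                       sqn_xor_ak: bytes) -> Tuple[bytes, bytes]:
    """CK'/IK' per TS 33.402 Annex A.2: HMAC-SHA-256(CK||IK, FC||P0||L0||P1||L1) with
    FC = 0x20, P0 = access network identity (serving network name in 5G), P1 = SQN xor AK."""
    if len(ck) != 16 or len(ik) != 16 or len(sqn_xor_ak) != 6:
        raise ValueError("CK and IK are 128 bits, SQN xor AK is 48 bits")
    s = (b"\x20" + network_name + len(network_name).to_bytes(2, "big")
         + sqn_xor_ak + len(sqn_xor_ak).to_bytes(2, "big"))
    out = hmac.new(ck + ik, s, hashlib.sha256).digest()
    return out[:16], out[16:]   # CK' = 128 most significant bits, IK' = 128 least significant


def prf_prime(key: bytes, s: bytes, n_bytes: int) -> bytes:
    """PRF' of RFC 5448 section 3.3: T1 = HMAC(K, S|0x01), Tn = HMAC(K, T(n-1)|S|n)."""
    out, t, i = b"", b"", 1
    while len(out) < n_bytes:
        t = hmac.new(key, t + s + bytes([i]), hashlib.sha256).digest()
        out += t
        i += 1
    return out[:n_bytes]


def eap_aka_prime_keys(ck_p: bytes, ik_p: bytes, identity: bytes) -> Dict[str, bytes]:
    """MK = PRF'(IK'|CK', "EAP-AKA'"|Identity); split into K_encr, K_aut, K_re, MSK, EMSK
    (128, 256, 256, 512 and 512 bits) as in RFC 5448 section 3.3."""
    mk = prf_prime(ik_p + ck_p, b"EAP-AKA'" + identity, 208)
    return {"K_encr": mk[0:16], "K_aut": mk[16:48], "K_re": mk[48:80],
            "MSK": mk[80:144], "EMSK": mk[144:208]}


def k_ausf_from_emsk(emsk: bytes) -> bytes:
    """5G: KAUSF is the 256 most significant bits of the EMSK (TS 33.501 clause 6.1.3.1).
    The MSK, by contrast, is what a non-5G authenticator would receive from the server."""
    return emsk[:32]


def five_g_eap_aka_prime_hierarchy(ck: bytes, ik: bytes, sqn_xor_ak: bytes,
                                   serving_network_name: bytes,
                                   identity: bytes) -> Dict[str, bytes]:
    """End to end: AV (CK, IK) -> CK'/IK' bound to the serving network -> MK split -> KAUSF."""
    ck_p, ik_p = derive_ck_ik_prime(ck, ik, serving_network_name, sqn_xor_ak)
    keys = eap_aka_prime_keys(ck_p, ik_p, identity)
    keys["K_AUSF"] = k_ausf_from_emsk(keys["EMSK"])
    return keys


if __name__ == "__main__":
    # Constructed sample values; a real AV comes from the UDM/ARPF via Milenage or TUAK.
    keys = five_g_eap_aka_prime_hierarchy(
        ck=bytes(range(16)), ik=bytes(range(16, 32)), sqn_xor_ak=b"\x00\x01\x02\x03\x04\x05",
        serving_network_name=b"5G:mnc015.mcc234.3gppnetwork.org",
        identity=b"0234150123456789@nai.5gc.mnc015.mcc234.3gppnetwork.org")
    for name, value in keys.items():
        print(f"{name:7s} {len(value) * 8:4d} bits  {value.hex()}")
```

Running the hierarchy twice with different serving network names from the same CK/IK gives unrelated MSK, EMSK and KAUSF values: that binding is what stops keys obtained on one access network from being replayed on another, and it is absent in plain EAP-AKA.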

Purpose & Motivation

EAP was created to solve the problem of having multiple, incompatible authentication mechanisms for different network access technologies. Prior to its adoption, each link-layer technology (e.g., dial-up PPP, wired Ethernet, wireless LAN) often had its own proprietary or limited authentication scheme. This fragmentation hindered seamless roaming and consistent security policy enforcement across heterogeneous networks. The IETF developed EAP as a general framework to decouple the authentication method from the specific physical and link-layer protocols, enabling a single, flexible authentication process to run over any link layer capable of carrying EAP frames.

3GPP adopted EAP to address the critical need for secure, unified authentication mechanisms, particularly for interworking with non-3GPP access networks (e.g., WLAN hotspots). As cellular operators began offering seamless access across cellular and Wi-Fi networks, they required an authentication method that could leverage the strong credentials stored in the USIM/SIM card. EAP-SIM (RFC 4186), EAP-AKA (RFC 4187) and later EAP-AKA' (RFC 5448, updated by RFC 9048) were developed in the IETF with 3GPP participation to meet this need, allowing a UE to authenticate to a non-3GPP network using its 3GPP subscription identity and keys. This solved the problem of secure credential reuse and provided a standardized, extensible foundation for future authentication methods, supporting the evolution towards converged access in 4G and 5G.

Classification

Part of: AAA
Specific types: ER, ERP

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the "Change history" tables of 3GPP specifications (85 CRs across 5 releases). Complements the description and motivation above with the evidence-based evolution of this function.

Studied in Rel-6, normative work from Rel-15.

Rel-15 32 changes

In Release 15, key clarifications and additions were made to the Extensible Authentication Protocol (EAP) function, including the introduction of a specific **EAP-5G method ID**. The release provided clarifications on using additional EAP methods for primary authentication and detailed rules on the concurrent running of authentication and NAS security mode control procedures. Furthermore, it included corrections and updates to the authentication framework, specifically for the **3GPP 5G profile for EAP-AKA'**, and clarified parameters such as ngKSI and ABBA for that method.

  • Stage 2 solution of Steering Of Roaming (SOR) based on Authentication procedure during Registration (Alternative 3) TS 24.890 CR0013
  • Addition of EAP-5G method ID TS 33.402 CR0144
  • Rules on concurrent running of authentication and NAS SMC procedure TS 33.501 CR0004
  • Clarifications to: Protection at the network or transport layer, Authorization and authentication between network functions and the NRF TS 33.501 CR0147
  • MCPTT UE subscribing to and downloading documents after MCPTT user authentication Flow TS 24.484 CR0053
  • Clarifying the condition when the ePDG sends its certificate to the UE during untrusted non 3gpp access authentication (8.2.2) TS 33.402 CR0145

+ 26 more changes

Rel-16 19 changes

In Release 16, the EAP function was enhanced to support authentication and authorization between Service Communication Proxies (SeCoPs, later renamed SCPs) and other network functions, and to enable authentication in indirect communication scenarios. It also introduced support for network slice specific authentication and authorization, and for authentication in Public Network Integrated Non-Public Networks (PNI-NPN). Furthermore, the release provided clarifications on authentication method selection, key derivation, and the use of EAP-TLS with TLS 1.3.

  • Authentication and authorization between SeCoP and network functions TS 33.501 CR0693
  • Authentication and authorization between SeCoPs TS 33.501 CR0694
  • Using EAP-TLS with TLS 1.3 TS 33.501 CR0757
  • Authentication in indirect communication scenarios TS 33.501 CR0808
  • Network slice specific authentication and authorization clauses TS 33.501 CR0853
  • Correction of IKEV2 protocol RFC number from old 7296 to new 7296 TS 24.302 CR0720

+ 13 more changes

Rel-17 16 changes

In Release 17, the EAP function was enhanced with new procedures and clarifications, including support for authentication in user plane procedures for Multicast/Broadcast Services (MBS) and specific authentication method selection for Non-5G-Capable over WLAN (N5CW) devices. The release also provided clarifications on secondary authentication during UE onboarding, authentication for UEs behind a 5G-RG or FN-RG, and the support for authentication methods in a Standalone Non-Public Network (SNPN).

  • Connectivity for NSWO authentication TS 24.302 CR0731
  • Change the procedure of network slice re-authentication and revocation by AAA-S TS 33.501 CR1091
  • Removing Editor's note on Credentials Holder using AUSF and UDM for primary authentication TS 33.501 CR1307
  • Usage of AN ID for NSWO authentication TS 33.501 CR1317
  • Resolution of editor notes related to protocol between NSSAAF and AAA TS 33.501 CR1350
  • Corrections and clarifications to secondary authentication during UE onboarding TS 33.501 CR1388

+ 10 more changes

Rel-18 16 changes

In Release 18, key enhancements for EAP included the introduction of a Home Network triggered primary authentication procedure and clarifications for it, along with the specific capability for the AUSF to send the MSK to the W-AGF after a successful EAP authentication. Furthermore, the release added authentication procedures for devices behind a Residential Gateway (RG), such as NSWO and AUN3 devices, and updated normative references by replacing an IETF draft with RFC 9190 (EAP-TLS 1.3).

  • Authentication for UE behind 5G-RG and FN-RG using NSWO TS 33.501 CR1593
  • Authentication of AUN3 devices behind RG TS 33.501 CR1614
  • Introducing Home Trigger primary authentication procedure TS 33.501 CR1670
  • Use of NF Instance ID in the mutual authentication between the NF Consumer and NRF TS 33.501 CR1761
  • Robustness interfaces and protocols defined for UDM TS 33.514 CR0006
  • Clarification on authentication using ePDG certificate TS 24.302 CR0777

+ 10 more changes

Rel-19 2 changes

In Release 19, the EAP function was updated to correct the requirement for mutual authentication and to refine the associated test case concerning the authentication status of the UE as verified by the UDM. These changes ensure the authentication procedures between the user equipment and the core network are more precisely defined and tested. The updates specifically relate to the non-access stratum protocols and the baseline UE capability for network registration with authentication.

  • Correct mutual authentication requirement TS 33.501 CR2163
  • Updating test case about authentication status of UE by UDM TS 33.514 CR0032


Defining Specifications

3GPP specifications that define or reference EAP, with the latest known release. Sourced from the 3GPP document catalog.

Specification | Title | Release
TR 21.905 vj00 3GPP Technical Terms and Definitions Rel-19
TR 22.937 vd00 FMC requirements for 3GPP-WLAN service continuity Rel-13
TS 23.234 vd10 3GPP-WLAN Interworking Index Rel-13
TS 23.402 vj00 EPC for Non-3GPP Access (PMIP) Rel-19
TS 24.161 vj00 Network-Based IP Flow Mobility (NBIFOM) Rel-19
TS 24.234 vc20 3GPP-WLAN Interworking Network Selection Rel-12
TS 24.244 vj00 Wireless LAN Control Plane Protocol Rel-19
TS 24.302 vj00 Access to EPC via non-3GPP networks; Stage 3 Rel-19
TS 24.484 vj30 MCS Configuration Management Rel-19
TS 24.890 vg00 5G NAS Protocol for 5GS Stage 3 Rel-16
TS 28.204 vi11 Charging management Rel-18
TS 29.234 vb20 WLAN-3GPP Interworking Stage-3 Protocol Rel-11
TS 29.826 vd10 P-CSCF Restoration Enhancements for WLAN Rel-13
TS 31.105 vj10 Slice Subscriber Identity Module (SSIM) Application Rel-19
TR 31.826 vi00 Technical Report Rel-18
TS 33.127 vj50 Lawful Interception Architecture and Functions Rel-19
TS 33.234 vj00 3GPP-WLAN Interworking Security Rel-19
TS 33.320 vj00 H(e)NB Subsystem Security Architecture Rel-19
TS 33.402 vj00 Security for non-3GPP access to EPS Rel-19
TS 33.501 vk00 5G Security Architecture and Procedures Rel-20
TS 33.514 vk00 5G Security Assurance for UDM Rel-20
TS 33.545 vj20 Security for NR Femto Subsystem Rel-19
TS 33.820 v1830 Home NodeB/eNodeB Security Architecture Rel-8
TS 33.835 vg10 Study on authentication and key management for apps Rel-16
TR 33.841 vg10 Security aspects; Study on 256-bit algorithms for 5G Rel-16
TR 33.882 vi01 Technical Report on 5G Security for Personal IoT Networks Rel-18
TS 43.318 vj00 Generic Access Network (GAN) Stage 2 Rel-19
TR 43.902 vj00 GAN Enhancements Feasibility Study Rel-19
TS 44.318 vj00 Generic Access Network (GAN) Interface Procedures Rel-19