Jump to content

Protocol for Carrying Authentication for Network Access

Edit links
From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Gaius Cornelius (talk | contribs) at 22:09, 6 October 2011 (PANA architecture's elements: Fix indefinite article using AWB). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

PANA (Protocol for Carrying Authentication for Network Access) is an IP-based protocol that allows a device to authenticate itself with a network to be granted access. PANA will not define any new authentication protocol, key distribution, key agreement or key derivation protocols. For these purposes, the Extensible Authentication Protocol (EAP) will be used, and PANA will carry the EAP payload. PANA allows dynamic service provider selection, supports various authentication methods, is suitable for roaming users, and is independent from the link layer mechanisms.

PANA is an Internet Engineering Task Force (IETF) protocol and described in RFC 5191.

PANA architecture's elements

PaC (PANA Client) The PaC is the client part of the protocol. Obviously, this element is located in the node that wants reach the access network.

PAA (PANA Authentication Agent) In this entity we can find the server part of the PANA protocol. Its main task is the message exchange with the PaC for authenticating it and authorizing it for network access. In addition, in some scenarios, the PAA entity has to do other message exchange with the AAA server in order to present its the PaC credentials. When it occurs, it is due to EAP is configured as passthrough. In that case, the AAA server is placed fisically in a different place that the PAA.

AS (Authentication Server) In this element is contained the information needed to check the PaC’s credentials. So, this node receives the PaC’s credentias by the PAA and send a packet with the result of credential checking process. Moreover, if the result is OK, in this packet we can find some information about the access parameters as bandwith allowed or IP configuration. In that moment, it has established a session between PAA and PaC. This session has a session time. When it expires, it needed a re-authentication process in order to get the network access again by the PaC.

EP (Enforcement Point) It works as a filter of the packets which source is an authenticated PaC. Basically, an EP is a network node which drops packets according some parameters provided as results of the au thentication processes. Typically, this function is done by a communication device as an access point or a router. When an authentication process is done successfully, a key is installed in EP and PaC establishing a session between EP and PaC. While this session doesn’t expires, the PaC can access to network services for which it has been authorised. When the session expires, it will have to indicate this situation to the PAA in order to do a re-authentication.

See also

  • RFC 5191 - Protocol for Carrying Authentication for Network Access (PANA)
  • OpenPANA .
  • CPANA
Retrieved from "https://en.wikipedia.org/w/index.php?title=Protocol_for_Carrying_Authentication_for_Network_Access&oldid=454299642"