IEEE 802.21: Media Independent Handover Services

Background: Wireless Internet Roaming
Today's Internet is built from communication equipment of many different systems whose specifications cannot interoperate with one another, so other equipment has to be used to bridge between them. How can effective roaming support be provided in such an environment?

Background
Source: https://mentor.ieee.org/802.11/file/07/11-07-0453-00-0000-802-21-midweek-plenary-update.ppt
[Figure: handover phases and the scope of 802.21. Handover Initiation (search new link): network discovery, network selection, handover negotiation. Handover Preparation (set up new link): layer 2 connectivity, IP connectivity. Handover Execution (transfer connection): handover signaling, context transfer, packet reception.]
IEEE 802.21 helps with handover initiation, network selection and interface activation.

Background: IEEE 802.21
• Goals
 – To enable handover between heterogeneous technologies
 – Service continuity during and after handover
• IEEE 802.21 provides a framework
 – Allows higher layers to interact with lower layers to provide session continuity without dealing with the specifics of each technology
 – Service continuity
 – Quality of service
 – Network discovery
 – Network selection assistance
 – Power management

Background: IEEE 802.21
Source: https://mentor.ieee.org/802.11/file/07/11-07-0453-00-0000-802-21-midweek-plenary-update.ppt
[Figure: the 802.21 MIH Function sits between the applications (VoIP/RTP), the IETF mobility management protocols (handover management, connection management, policy, state change, predictive and smart triggers) and the link layers (WLAN, Cellular, WMAN). It provides L2 triggers and events, handover commands and the information service (available networks, neighbor maps, network services), and supports client-initiated and network-initiated vertical handovers.]
802.21 is meant to operate across different media.

Outline
• IEEE 802.21
• Example Schemes
• Appendix

Handover types
• Horizontal handover
 – Roaming within homogeneous technologies over the same access network
• Vertical handover
 – Roaming across heterogeneous technologies over different access networks
• Hard handover (break-before-make)
 – Break the original connection before setting up the new one
• Soft handover (make-before-break)
 – Make the new connection before breaking the old one

IEEE 802.21
• Functionality
 – Reduce power consumption by avoiding unnecessary scanning and by using information
  • e.g., turn on the IEEE 802.16 module only if 802.16 is available
 – Reduce power consumption by using backend (core) networks
 – Reduce handover delay by passing security/QoS information to the next point of service
 – Allow service providers to enforce their policies and roaming agreements

IEEE 802.21 Features*
• Network selection
 – Allows users to select between IEEE 802.3, 802.11, 802.16, 3GPP, and 3GPP2 networks
 – MS (mobile stations) can automatically connect to the right network by observing user selections or by user policies
 – MS can notify the user when available networks change or a switch occurs
• Session continuity
 – Allows make-before-break handover
• Provides interfaces for:
 – Link state event reporting
 – Intersystem information service
 – Handover control (command) service

Media Independent Handover (MIH) Concept

General Architecture
To handle and hide the particularities of each technology, 802.21 maps generic interfaces to a set of media-dependent service access points (SAPs) through the MIH Function (MIHF).

General Architecture
• MIHF user
 – An entity that uses the MIH SAPs to access MIHF services, and which is responsible for initiating and terminating MIH signaling
• MIH_SAP
 – An interface that allows communication between the MIHF layer and higher-layer MIHF users
• MIH_LINK_SAP
 – An interface between the MIHF layer and the lower layers of the protocol stack
 – All communication between the MIHF and the lower layers goes through the MIH_LINK_SAP
• MIH_NET_SAP
 – An interface that supports the exchange of information between remote MIHF entities

MIH Services (1/2)
• Event Service
 – Delivers triggers on events
 – e.g., link up, link down, new link available
• Command Service
 – Set of standard commands for handover control
 – e.g., switch link, configure link, initiate handover, etc.
• Information Service
 – Defines a service that provides information for faster handovers
 – e.g., list of available networks, IP version, network operator, etc.
MIH users access these services using well-defined service access points (SAPs).

MIH Services (2/2)
• MIH Function
 – An intermediate layer between upper and lower layers whose main function is to coordinate the exchange of information and commands between the different devices involved in making the handover decision and executing the handover
 – Media Independent Event Services: link up/down/going down, transmission status
 – Media Independent Command Services: switch links, get status
 – Media Independent Information Services: information elements (IEs), neighbor reports

Reference Model
[Figure: Multiple Access Network Reference Model]

Reference Model: A Scenario
PoA: point of attachment; PoS: point of service; MN: mobile node

Reference Model: A Scenario*
• Network entities
 – MIH point of service (MIH PoS): network-side MIHF instance that exchanges MIH messages with the MN-based MIHF. An MN may have different PoSs, as it may exchange messages with more than one network entity.
 – MIH non-PoS: does not exchange MIH messages with the mobile node. A given network node may be a PoS for an MN with which it exchanges MIH messages and a non-PoS for a network node with which it does not.
 – MIH point of attachment (PoA): endpoint of a layer 2 link that includes the MN as the other endpoint
• Communication reference points
 – R1 (MN ←→ Serving PoA (PoS)): used by the MN to communicate with its PoA. It may be used by the MN to gather information about the current status of its connection.

Reference Model: A Scenario*
• Communication reference points (continued)
 – R2 (MN ←→ Candidate PoA (PoS)): used by the MN to communicate with a candidate PoA. It may be used to gather information about candidate PoAs before making a handover decision.
 – R3 (MN ←→ non-PoA (PoS)): used by the MN to communicate with an MIH PoS located on a non-PoA network entity. It may be used by a network node to inform the MN about the different IP configuration methods in the network.
 – R4 (PoS ←→ non-PoS): used for communication between an MIH PoS and an MIH non-PoS. It is typically used when an MIH server that is serving an MN (the PoS) needs to ask for information from another MIH server (the non-PoS).
 – R5 (PoS ←→ PoS): used between two different MIH PoSs located at different network entities

Event Service
• Event Service
 – Events related to handover can originate at the MAC or MIHF layer located in the node or at the point of attachment to the network
 – Local (terminal side) and remote (network side) events
 – Events may trigger user actions

Event Service
• Event Service (continued)
 – Provides event classification, event filtering and event reporting corresponding to dynamic changes in link characteristics, link status, and link quality
 – Event types: administrative, state change, link parameter, predictive, link synchronous, and link transmission

Event Service
[Figure: Event flow model for link events and MIH events]

Event Service: L2 Triggers (Link Events)
• State Change Events
 – Link Up
 – Link Down
 – Link Parameters Change
• Predictive Events
 – Link Going Down
• Network Initiated Events
 – Load Balancing
 – Operator Preferences
[Figure: timeline of a make-before-break link switch. The WLAN link moves from Connected to Disconnected; a Link Going Down trigger on the WLAN causes a Link Switch to the WWAN (Link Up) before the WLAN Link Down occurs.]
Triggers minimize connectivity disruption during link switching.

Event Service: Link Events (description)

Event Service: MIH Events (description)

Command Service
• Command Service
 – Enables MIH users to manage and control link behavior relevant to handovers and mobility
 – Commands flow from the user to the MIH and then to the link layer
 – Commands allow users to switch links
 – The user communicates separately with each technology (commands do not flow from one technology to another)

Command Service
• Command service flow [figure]

Information Service
• Information Service
 – Provides information about networks in a particular geographical area
 – Information delivery via queries or by broadcast/multicast
 – Generally static information
 – 802.21 defines what information is required
 – Does not define how the service is accessed
[Figure: an 802.21 Information Server serving 802.16, 802.11 and 802.3 access networks]

Information Service
• Information Service (continued)
 – Provides the capability for obtaining the information necessary for handovers, including neighbor maps, link layer information, and availability of services
 – Access neighbor maps for networks in a geographic area from any network entity
  • A Wi-Fi hotspot knows about cellular towers and vice versa
 – Static link layer informational parameters
  • QoS support and restricted networks
 – Use reports to allow efficiency
  • Knowing the channel range removes the need for scanning
 – Vendor-specific features: prioritize networks, network labels

Example Message Flow
[Figure: Mobile-initiated handover from 3G to WLAN]

MIH Protocol Frame Format
[Figure]

Information Elements
• Information elements
 – Contain general information (operators), access network (roaming, cost, security, QoS), PoA (location, data rate, channel range), higher layer, and other information (vendor specified)
 – Information elements are delivered as Type-Length-Value (TLV) messages: Type (1 byte), Length (variable), Value (variable)

Network Initiated Handover
• Network initiated handover
 – MIH Handover Initiate: suggested PoA
 – MIH Handover Prepare: current to target network
 – MIH Handover Commit: client commits to do the handover
 – MIH Handover Complete: new network to old network; send all buffered packets

Network Initiated Network Selection (Example)*
Source: www.ietf.org/proceedings/05nov/slides/mipshop-6/mipshop-6.ppt
[Figure: message sequence between the UE (MAC layers, MIHF_UE), the network operator (MME, MIHF_NW with IS) and the 802.16-AN / 802.11-AN access networks: UE discovery and registration; MIH-Register-Event.Req() / MIH-Register-Event.Resp(); DL-Burst → Link-Detect → Link-Event.Detect(link_info) → MIH-Info.Req / MIH-Info.Resp → unfavorable network; Beacon → Link-Detect → Link-Event.Detect(link_info) → MIH-Info.Req / MIH-Info.Resp → favorable network ⇒ selection.]

Network Controlled Handover (Example)*
Source: www.ietf.org/proceedings/05nov/slides/mipshop-6/mipshop-6.ppt
[Figure: message sequence between the operator network (MME, 802.11-AN, New-FA, HA) and the UE (Mobile IP, MIHF_UE, 802.11 MAC): after network selection, MIH-Remote-Link-Switch.Req(802.11 nwk) → L3-switch.Ind; Proxy Router Solicitation / Proxy Router Advertisement; Link-Associate and L2 procedures (security, re-association, QoS negotiation); Link-Event-Up(802.11 nwk) → MIH-Link-Event-Up; FBU and the Mobile IP update procedure over the new link; Release; MIH-Remote-Link-Switch.Resp. Legend: Mobile-IP signaling; MIH signaling over the new link.]

MIHF Protocol
• The MIHF protocol allows peer MIHF entities to interact with each other
 – MIH communication may use unacknowledged connection-less transport services to reduce transport overhead and to ensure efficiency and reduced latency in the delivery of MIH messages

MIHF Protocol*
• MIHF protocol
 – Container for MIH messages for 802.11 is defined in IEEE 802.11u
 – Container for MIH messages for 802.16 is defined in IEEE 802.16g
 – Transport for the MIH protocol is defined in the IETF MIPSHOP working group
• IEEE 802.21 transport
 – CS, ES and IS messages are transported over L2 or L3
 – 802.11u is defining transport of 802.21 messages over 802.11
 – MIPSHOP is defining transport over IP

MIHF Protocol: Usage Models*
Source: www.ietf.org/proceedings/05nov/slides/mipshop-6/mipshop-6.ppt
• Direct model: MIHF_UE ←→ MIHF_MME (remote ES/CS)
• Proxy model: MIHF_UE ←→ MIHF_proxy ←→ MIHF (remote ES/CS)

802.21 Amendments for MIH*
• 802.21 amendments for MIH
 – MIH capability indication in the beacon
 – MAC Layer Management Entity (MLME) Service Access Point (SAP): link up indication, scan confirm
 – Information service for generic network selection: IS query frame
 – Transport of the MIHF protocol over 802.11

Summary
• 802.21 is a standard protocol for handover initiation, network selection and handover
• 802.21 provides a common interface to L3 and higher mobility protocols
 – Has triggers that allow higher layers to take action
 – Has commands that allow higher layers to request actions
 – Has an information service that spares all layers from having to discover the static information

Remarks
• Similar technologies
 – Unlicensed Mobile Access (UMA) technology is basically a mobile-centric version of 802.21
 – UMA is regarded as providing roaming and handover between GSM, UMTS, Bluetooth and 802.11 networks
 – http://www.umatoday.com/
 – Since June 19, 2005, UMA has been part of the ETSI 3GPP standardization process under the GAN (Generic Access Network) group

Remarks
• Similar technologies
 – WiOptiMo technology enables any application running on a device to use the best Internet connection among all the wired/wireless access providers available, guaranteeing persistence in case of weak or no signal and managing the switch among them (when needed/convenient) in a transparent way, without interrupting the active application/session.
 – http://hal.inria.fr/inria-00001015/en/ or "WiSwitch: Seamless Handover between Multi-Provider Networks"

Outline
• IEEE 802.21
• Example Schemes
 – F. Cacace and L. Vollero, "Managing Mobility and Adaptation in Upcoming 802.21-Enabled Devices", Proc. 4th Int'l Wksp. Wireless Mobile Applications and Services on WLAN Hotspots, pp. 1–10, Sep. 2006
 – A. Dutta, S. Das, D. Famolari, Y. Ohba, K. Taniuchi, V. Fajardo, R. M. Lopez, T. Kodama, and H. Schulzrinne, "Seamless Proactive Handover Across Heterogeneous Access Networks", Wireless Personal Communications, 43(3): 837–855, November 2007
• Appendix

Abstract*
• One emerging characteristic of electronic devices is the increasing number of connectivity interfaces (aka NICs) towards the outside world. That obviously translates into a set of technical issues related to their management in order to provide seamless connectivity when the connections move from one interface to another. The IEEE 802.21 is a recent effort of IEEE that aims at providing a general interface for the management of NICs. In this paper we discuss how the upcoming standard may be effectively exploited in a mobile context in order to hide network heterogeneity from end users. To accomplish this task, we propose a centralized element called Mobility Manager interfacing with the 802.21 sublayer and responsible for the application of connectivity policies. Based on a real testbed, we showed that the new standard and the MM can be used to improve the network performance experienced by the end user. Moreover we showed how the MM can interact with adaptive applications in order to further improve the range of usability of real-time applications.

IEEE 802.21 Architecture
• Three primary services
 – Media Independent Event Service (MIES)
 – Media Independent Command Service (MICS)
 – Media Independent Information Service (MIIS)

Media Independent Event Service*
• Support for both local and remote event notification to the upper layers of an MS
• Common events provided through the MIHF
 – Link up
 – Link down
 – Link parameters change
 – Link going down
 – L2 handover imminent

Media Independent Command Service*
• Used to gather information about the status of connected links and to execute mobility and connectivity decisions
 – Commands can be either local, if issued by an upper layer entity, or remote, if sent by an entity of the access network
• Typical commands
 – "MIH poll" and "MIH configure", to poll connected links for their status and to configure new links, respectively

Media Independent Information Service*
• Provides information to mobile nodes about available networks and services
 – Uses a standard, platform-independent description language to represent that information: static and dynamic
 – Static: names and providers of the mobile terminal's neighboring networks
 – Dynamic: channel, security and MAC addresses
• Advantages
 – Helps significantly in the definition of high level handover decisions and policies
 – Avoids any specific, access-dependent discovery method for the automatic detection of neighbor networks

Media Independent Information Service
• Example of stack element interaction under IEEE 802.21
[Figure: Applications ↔ Mobility Manager ↔ 802.21 MIH Function]

Mobility Manager
• Mobility Manager
 – A centralized system entity running onboard mobile devices and directly interfacing the services provided by 802.21-compliant network interfaces
 – Delivers higher level services to applications in order to enable active content adaptation, e.g. adaptation coordinated with the underlying network services

Why Mobility Manager?
[Figure: Applications ↔ Mobility Manager ↔ 802.21 MIH Function]
• Although user applications can directly interface to the MIH Function, there are reasons to support the design of a system-level centralized entity
 – Handoff decisions are system-wide and need a centralized point of decision
 – Applications need a view of network resources at a higher abstraction level than the one provided by the MIH Function
 – Shared network resources can be granted more efficiently to requesting applications through a common service
 – A common interface for mobility events allows easier design of adaptive applications

Mobility Manager: Internals
• Link quality module
 – In charge of storing the information related to the available links and dispatching notifications about changes in link quality
 – Also subscribes to Link Parameters Change to update its internal information about the status of links
 – Periodically uses the "MIH Poll" command to check the status of a link (signal strength, link speed, etc.)
 – When changes exceed thresholds, notifications are sent to the application level and to the handoff decision module

Mobility Manager: Internals
• Handoff decision module
 – Interested in Link Up, Link Down and Link Handoff Imminent events, since they can trigger immediate handoff decisions
• Power management module
 – Issues the "MIH Configure" command to bring network interfaces up or down

Benefits of the Network-Layer Mobility Manager
1. Vertical handoff can be executed before connectivity is lost
 • If there is more than one available wireless interface, service continuity is possible
2. When there is a change of access router, handoffs are faster because there is no need to execute the Neighbor Unreachability Detection procedure of IPv6
3. No need to waste bandwidth by setting a high Router Advertisement (RA) frequency on access networks in order to lower handoff delay
4. The handoff decision module can avoid the ping-pong effect that is common when the handoff decision is triggered at the network level (due to the intermittent arrival of RAs from access routers)
5. The handoff decision module can minimize the degradation of data flows due to the presence of zones with intermittent connectivity

Outline
• IEEE 802.21
• Example Schemes
 – F. Cacace and L. Vollero, "Managing Mobility and Adaptation in Upcoming 802.21-Enabled Devices", Proc. 4th Int'l Wksp. Wireless Mobile Applications and Services on WLAN Hotspots, pp. 1–10, Sep. 2006
 – A. Dutta, S. Das, D. Famolari, Y. Ohba, K. Taniuchi, V. Fajardo, R. M. Lopez, T. Kodama, and H. Schulzrinne, "Seamless Proactive Handover Across Heterogeneous Access Networks", Wireless Personal Communications, 43(3): 837–855, Nov. 2007
• Appendix

Wireless Internet Roaming Scenario
[Figure]

Abstract*
• Dual-mode handsets and multimode terminals are generating demand for solutions that enable convergence and seamless handover across heterogeneous access networks. The IEEE 802.21 working group is creating a framework that defines a Media Independent Handover Function (MIHF), facilitates handover across heterogeneous access networks and helps mobile users experience better performance during mobility events. In this paper, we describe this 802.21 framework and also summarize a Media-independent Pre-Authentication (MPA) mechanism currently under discussion within the IRTF that can further optimize handover performance. We discuss how the 802.21 framework and the MPA technique can be integrated to improve handover performance. Finally, we describe a test-bed implementation and validate experimental performance results of the combined mobility technique.

Recall: IEEE 802.21*
• IEEE 802.21 provides
 – Media Independent Event Service
 – Media Independent Command Service
 – Media Independent Information Service

Recall: IEEE 802.21*
• Media Independent Event Service
 – Provides services to the upper layers by reporting both local and remote events

Recall: IEEE 802.21*
• Media Independent Command Service
 – Gathers information about the status of the connected links, and passes higher layer mobility and connectivity decisions down to the lower layers for execution

Recall: IEEE 802.21*
• Media Independent Information Service
 – Provides access information, including network type, roaming partners, channel information, MAC address, security information, and other information about higher layer services that is helpful to the handover decision

Media Independent Pre-authentication (MPA)
• Media Independent Pre-authentication
 – A mobile-assisted, secure handover optimization scheme
 – A mobile node is not only able to securely obtain an IP address and other configuration parameters from a candidate target network (CTN), but is also able to send and receive IP packets using the obtained CTN IP address before it physically attaches to the CTN
 – MPA does not perform network discovery

How MPA Works
• Operations
 – Establishes a security association with a CTN via its existing network using the Protocol for Carrying Authentication for Network Access (PANA) to obtain configuration information
 – A bi-directional tunnel is established between the device and the Access Router (AR) of the CTN
  • IP packets are sent over this tunnel
 – When layer 2 connects to the CTN, this tunnel can be removed and the handover is complete

MPA and 802.21 Assisted Handoff
[Figure: 802.11 and CDMA]

MPA vs. FMIPv6: Security
• MPA and FMIPv6 are both make-before-break, proactive handover methods
• MPA
 – With the IEEE 802.21 Information Service, it helps to bootstrap L2 security such as 802.11i and thus optimizes the L2 delay
• FMIPv6 (RFC 4068)
 – R. Koodli (Ed.), Fast handovers for mobile IPv6, IETF RFC 4068, July 2005
 – With IEEE 802.21, information discovery can help reduce the handover delay to the L2 delay, but without any security optimization
• MPA includes security authentication; FMIPv6, although it also works with 802.21, has no security authentication

MPA vs. FMIPv6: Pre-configuration and Binding Update
• MPA
 – Information exchanges take place between the mobile node and the authentication agent (AA), access router (AR) and configuration agent (CA) of the target network
 – MPA performs pre-configuration and binding update through the AA, AR and CA of the target network (the network about to be used next)
• FMIPv6
 – Information exchanges take place between the previous access router (PAR) and the next access router (NAR)
 – FMIPv6 performs pre-configuration and binding update mainly through the PAR and the NAR

Experimental Setup for MPA and 802.21 Assisted Handovers
[Figure]

Experimental Setup: Intra-Technology, Inter-Domain
[Figure]

Experimental Setup: Inter-Technology, Inter-Domain
[Figure]

MPA Assisted L2 Handoff Delay
• Layer 2 handoff delay
 – 802.11 layer-2 handoff delay consists of scanning, association, and authentication
 – 802.11 layer-2 delay is mainly made up of scanning, association, authentication and EAP-TLS
  • The appendix describes the EAP-TLS authentication method
 – Scanning takes the largest share of the time during layer 2 handover

Message Flow: MPA-Assisted Optimized L2 Handoff
[Figure: message flow; the delays shown are 570 ms and 15 ms]

Summary
• A mobility optimization framework exploiting IEEE 802.21 and a media independent pre-authentication (MPA) framework to provide secured and seamless convergence and to support heterogeneous handover
• Discussed several functional components of the IEEE 802.21 framework and their respective roles in providing the optimization
 – Demonstrated the network discovery, network selection, pre-configuration, pre-authentication, and proactive handover operations that are part of a mobility event
• Presented two types of heterogeneous handover scenarios: intra-technology, inter-domain; and inter-technology, inter-domain

Outline
• IEEE 802.21
• Example Schemes
• Appendix
 – Public Key Infrastructure
 – EAP-TLS Authentication Method

Public Key Infrastructure (for Key Administration)
• Public Key Infrastructure (PKI)
 – Combination of software/hardware products, encryption technologies and services that enable enterprises to protect their communications on the Internet or other types of networks
 – Integrates digital certificates, public-key cryptography, and certificate authorities into a total network security architecture
 – Encompasses
  • Issuing digital certificates to individual users and servers
  • End-user enrollment software; integration with corporate certificate directories
  • Tools for managing/renewing/revoking certificates

Public Key Infrastructure
• Public keys are stored in publicly available directories
• On the Internet, public key directories are maintained by Certification Authorities (CAs) such as VeriSign
 – PKI as a system of digital certificates, Certificate Authorities, and other registration authorities that verify and authenticate the validity of each party involved in an Internet transaction
 – CAs are trusted (impartial) third parties that issue digital certificates (aka digital IDs) to individuals and organizations that register with them
 – Certificate Authorities are the digital world's equivalent of passport offices

Public Key Infrastructure
• A public key and a private key are allocated when a digital certificate is issued
 – PGP (Pretty Good Privacy) and RSA are examples of public key encryption systems
• Public-key certificates (issued by a trusted third party)
 – A digital certificate is a small computer file consisting mainly of two parts
  • "data" part: issuer, owner, public key, validity period, etc.
  • "signature" part: digital signature over the data part

Public Key Infrastructure
• X.509 format (ITU Recommendation & ISO/IEC Standard), with example values
 – VERSION: 0
 – SERIAL NUMBER: 1234567891011121314
 – SIGNATURE ALGORITHM: RSA+MD5, 512
 – ISSUER: C=US, S=VA, O=GMU, OU=ISE
 – VALIDITY: 9/9/99-1/1/1
 – SUBJECT: C=US, S=VA, O=GMU, OU=ISSE, CN=Ravi Sandhu
 – SUBJECT PUBLIC KEY INFO: RSA, 1024, xxxxxxxxxxxxxxxxxxxxxxxxx
 – SIGNATURE

Public Key Infrastructure: X.509 Certificate
[Figure]

Public Key Infrastructure
• CA (Certificate Authority): certification center
 – A reputable organization that issues digital certificates
• DS (Directory Service): where electronic certificates are stored
• RA (Registry Agent): an agent program that registers with the CA on behalf of the user
• Procedure (registration)
 1. The user sends their public key and data to the RA
 2. The RA forwards the public key to the CA
 3. The CA signs the public key, producing a digital certificate
 4. The CA sends the certificate to the RA
 5. The user obtains the certificate from the RA
 6. The CA sends the certificate to the DS
 7. The user can confirm their certificate with the DS

Generation and use of digital certificates
• Generation and use of digital certificates
[Figure: Alice, Bob and the Certificate Authority. 1. Alice requests a certificate (personal identity data and public key); 2. the CA generates the certificate: Certificate = [H(identity data and public key)]d; 3. the CA returns the certificate; 4. Alice verifies and stores the certificate; 5. Alice presents the certificate to Bob to prove her identity; 6. Bob verifies the certificate.]

Relationship between digital certificates and the encryption/decryption mechanism
[Figure]

EAP-TLS Message Flow (1/3)
[Figure]

EAP-TLS Message Flow (2/3)
(AP-RADIUS Key: shared key between the AP and the RADIUS server)
 – 802.1X/EAP-Request Identity
 – 802.1X/EAP-Response Identity (My ID) → RADIUS Access Request/EAP-Response Identity
 – 802.1X/EAP-Request(TLS) ← RADIUS Access Challenge/EAP-Request
 – 802.1X/EAP-Response(TLS ClientHello(random1)) → RADIUS Access Request/EAP-Response TLS ClientHello
 – 802.1X/EAP-Request(TLS ServerHello(random2) || TLS Certificate || TLS CertificateRequest || TLS server_key_exchange || TLS server_done) ← RADIUS Access Challenge/EAP-Request

EAP-TLS Message Flow (3/3)
(AP-RADIUS Key)
 MasterKey = TLS-PRF(PreMasterKey, "master secret" || random1 || random2)
 – 802.1X/EAP-Response(TLS client_key_exchange || TLS certificate || TLS certificateVerify || TLS change_cipher_suite || TLS finished) → RADIUS Access Request/EAP-Response
 – 802.1X/EAP-Request(TLS change_cipher_suite || TLS finished) ← RADIUS Access Challenge/EAP-Request
 – 802.1X/EAP-Response → RADIUS Access Request/EAP-Response Identity
 PMK = TLS-PRF(MasterKey, "client EAP encryption" || random1 || random2)
 – 802.1X/EAP-Success ← RADIUS Accept/EAP-Success, PMK
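The Mobility Manager of the Cacace and Vollero scheme above (link quality module with notification thresholds, handoff decision module reacting to Link Up / Link Down / Link Going Down, and ping-pong avoidance) as an added, constructed Python model; it is not code from the paper or from any 802.21 implementation. The event names, the `MIH_Switch_Link` command string, the quality scale (0–100) and the threshold values are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class LinkEvent:
    """Constructed MIH link event: kind is one of Link_Up, Link_Down,
    Link_Going_Down, Link_Parameters_Change; quality is an assumed 0-100 scale."""
    kind: str
    link: str
    quality: int = 0


class MobilityManager:
    """Hypothetical MIHF user combining the link quality module and the
    handoff decision module described in the slides."""

    def __init__(self, notify_threshold: int = 10, hysteresis: int = 15):
        self.quality: Dict[str, int] = {}        # last quality reported to apps, per Up link
        self.active: Optional[str] = None        # link currently carrying the sessions
        self.notify_threshold = notify_threshold  # minimum change before apps are notified
        self.hysteresis = hysteresis              # margin a candidate must win by (anti ping-pong)
        self.commands: List[str] = []             # MIH commands handed to the MIHF
        self.notifications: List[str] = []        # notifications delivered to applications

    def handle(self, ev: LinkEvent) -> Optional[str]:
        """Dispatch one MIH event; returns the active link afterwards."""
        if ev.kind == "Link_Up":
            self.quality[ev.link] = ev.quality
            if self.active is None:
                self._switch(ev.link, "initial attach")
            else:
                self._decide()
        elif ev.kind == "Link_Down":
            self.quality.pop(ev.link, None)
            if ev.link == self.active:          # reactive fallback: link already lost
                self.active = None
                best = self._best()
                if best:
                    self._switch(best, "active link lost")
        elif ev.kind == "Link_Going_Down":
            if ev.link == self.active:          # predictive: leave before the loss happens
                best = self._best(exclude=ev.link)
                if best:
                    self._switch(best, "predictive handoff before link loss")
        elif ev.kind == "Link_Parameters_Change":
            self._on_quality_change(ev.link, ev.quality)
        return self.active

    def _on_quality_change(self, link: str, quality: int) -> None:
        """Link quality module: report only changes that exceed the threshold,
        then let the handoff decision module re-evaluate."""
        last = self.quality.get(link)
        if last is None:                         # ignore parameters of links that are not Up
            return
        if abs(quality - last) >= self.notify_threshold:
            self.notifications.append(f"{link}:{last}->{quality}")
            self.quality[link] = quality
            self._decide()

    def _decide(self) -> None:
        """Handoff decision: switch only if a candidate beats the active link by the
        hysteresis margin, so a fluctuating link does not cause ping-pong."""
        if self.active is None:
            return
        best = self._best(exclude=self.active)
        if best and self.quality[best] >= self.quality[self.active] + self.hysteresis:
            self._switch(best, "candidate better by hysteresis margin")

    def _best(self, exclude: Optional[str] = None) -> Optional[str]:
        cands = {l: q for l, q in self.quality.items() if l != exclude}
        return max(cands, key=cands.get) if cands else None

    def _switch(self, link: str, reason: str) -> None:
        self.commands.append(f"MIH_Switch_Link({link})")   # assumed command name
        self.active = link


def run_scenario() -> MobilityManager:
    """Constructed scenario: WWAN up, WLAN appears and is preferred, WLAN quality
    fluctuates without triggering a switch, then a Link Going Down on the WLAN
    triggers a make-before-break handoff back to the WWAN."""
    mm = MobilityManager()
    for ev in [LinkEvent("Link_Up", "wwan0", 40), LinkEvent("Link_Up", "wlan0", 80),
               LinkEvent("Link_Parameters_Change", "wlan0", 72),   # below threshold
               LinkEvent("Link_Parameters_Change", "wlan0", 50),   # reported, still best
               LinkEvent("Link_Parameters_Change", "wlan0", 60),   # reported, no ping-pong
               LinkEvent("Link_Going_Down", "wlan0"),
               LinkEvent("Link_Down", "wlan0")]:
        mm.handle(ev)
    return mm
```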
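The two key derivations in the EAP-TLS message flow above (MasterKey from the PreMasterKey, then the PMK handed to the AP from the MasterKey and the two randoms) as an added Python example; it is not code from the slides or from any EAP-TLS implementation. It assumes the TLS 1.2 PRF (P_SHA256 from RFC 5246) as the TLS-PRF, takes random1 as the ClientHello random and random2 as the ServerHello random as in the flow, and exports the PMK as the first 32 octets of the 64-octet MSK as RFC 5216 does.

```python
import hashlib
import hmac
from typing import Dict, Tuple


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash of RFC 5246 section 5:
    A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) || seed) || HMAC(secret, A(2) || seed) || ...
    truncated to the requested length."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac_sha256(secret, a)
        out += hmac_sha256(secret, a + seed)
    return out[:length]


def tls_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS-PRF(secret, label || seed) as written in the message flow (TLS 1.2 form)."""
    return p_sha256(secret, label + seed, length)


def derive_master_key(pre_master_key: bytes, random1: bytes, random2: bytes) -> bytes:
    """MasterKey = TLS-PRF(PreMasterKey, "master secret" || random1 || random2); 48 octets."""
    return tls_prf(pre_master_key, b"master secret", random1 + random2, 48)


def derive_eap_keys(master_key: bytes, random1: bytes, random2: bytes) -> Tuple[bytes, bytes]:
    """MSK = TLS-PRF(MasterKey, "client EAP encryption" || random1 || random2); 64 octets.
    The PMK delivered to the AP in RADIUS Accept is the first 32 octets (RFC 5216)."""
    msk = tls_prf(master_key, b"client EAP encryption", random1 + random2, 64)
    return msk, msk[:32]


def supplicant_and_server_agree(pre_master_key: bytes, random1: bytes, random2: bytes) -> Dict[str, bytes]:
    """Both ends of the EAP-TLS exchange derive independently from the same three inputs;
    the AP never sees the PreMasterKey or MasterKey, only the PMK from the RADIUS server."""
    supp_pmk = derive_eap_keys(derive_master_key(pre_master_key, random1, random2), random1, random2)[1]
    srv_pmk = derive_eap_keys(derive_master_key(pre_master_key, random1, random2), random1, random2)[1]
    assert hmac.compare_digest(supp_pmk, srv_pmk)
    return {"pmk": srv_pmk}


if __name__ == "__main__":
    # Constructed sample inputs (not real session values).
    pmk = supplicant_and_server_agree(b"\x11" * 48, b"\xaa" * 32, b"\xbb" * 32)["pmk"]
    print("PMK:", pmk.hex())
```

Because the randoms enter both derivations, a replayed ServerHello or a reused PreMasterKey still yields a different PMK for every session, which is the property the assertions below check.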