Protocol for Carrying Authentication for Network Access
PANA (Protocol for Carrying Authentication for Network Access) is an IP-based protocol that allows a device to authenticate itself with a network to be granted access. PANA will not define any new authentication protocol, key distribution, key agreement or key derivation protocols. For these purposes, the Extensible Authentication Protocol (EAP) will be used, and PANA will carry the EAP payload. PANA allows dynamic service provider selection, supports various authentication methods, is suitable for roaming users, and is independent from the link layer mechanisms.
PANA is an Internet Engineering Task Force (IETF) protocol and described in RFC 5191.
Architecture's elements
PaC (PANA Client) The PaC is the client part of the protocol. This element is located in the node that wants to reach the access network.
PAA (PANA Authentication Agent) This entity represents the server part of the PANA protocol. Its main task is the message exchange with the PaC for authenticating and authorizing it for network access. In addition, in some scenarios, the PAA entity has to do other message exchange with the AAA server in order to offer the PaC credentials to it. In this case, EAP is configured as pass-through and the AAA server is placed physically in a different place than the PAA.
AS (Authentication Server) This element contains the information needed to check the PaC’s credentials. So, this node receives the PaC’s credentials by the PAA and sends a packet with the result of credential checking process. Moreover, if the result is OK, this packet contains some information about the access parameters as bandwidth allowed or IP configuration. Now, a session between PAA and PaC has been established. This session has a session time. When it expires, it needs a re-authentication process in order to get the network access again by the PaC.
EP (Enforcement Point) It works as a filter of the packets which source is an authenticated PaC. Basically, an EP is a network node which drops packets according to some parameters provided as results of the authentication processes. Typically, this function is applied by a communication device as an access point or a router. When an authentication process is done successfully, a key is installed in EP and PaC, establishing a session between EP and PaC. While this session doesn’t expire, the PaC can access to network services for which it has been authorised. When the session expires, it will have to indicate this situation to the PAA in order to do a re-authentication.