Access control is the security mechanism to ensure that only valid users are allowed access to the network.

In the most general terms, an access control system has three elements: (1) an entity that desires to get access: the supplicant, (2) an entity that controls the access gate: the authenticator, and (3) an entity that decides whether the supplicant should be admitted: the authentication server. Figure shows a typical access control architecture used by service providers. Access control systems were first developed for use with dial-up modems and were then adapted for broadband services. The basic protocols developed for dial-up services were PPP (point-to-point protocol) and remote dial-in user service (RADIUS) .

PPP is used between the supplicant and the authenticator, which in most cases is the edge router or network access server (NAS),and RADIUS is used between the authenticator and the authentication server. PPP originally supported only two types of authentication schemes: PAP (password authentication protocol) and CHAP (challenge handshake authentication protocol), both of which are not robust enough to be used in wireless systems. More secure authentication schemes can be supported by PPP using EAP (extensible authentication protocol) .

Extensible Authentication Protocol

EAP, a flexible framework created by the IETF (RFC 3748), allows arbitrary and complicated authentication protocols to be exchanged between the supplicant and the authentication server. EAP is a simple encapsulation that can run over not only PPP but also any link, including the WiMAX link. Figure illustrates the EAP framework. EAP includes a set of negotiating messages that are exchanged between the client and the authentication server. The protocol defines a set of request and response messages, where the authenticator sends requests to the authentication server; based on the responses, access to the client may be granted or denied. The protocol assigns type codes to various authentication methods and delegates the task of proving user or device identity to an auxiliary protocol, an EAP method, which defines the rules for authenticating a user or a device.

A number of EAP methods have already been defined to support authentication, using a variety of credentials, such as passwords, certificates, tokens, and smart cards. For example, protected EAP (PEAP) defines a password based EAP method, EAP-transport-layer security (EAP-TLS) defines a certificate-based EAP method, and EAP-SIM (subscriber identity module) defines a SIM card–based EAP method. EAP-TLS provides strong mutual authentication, since it relies on certificates on both the network and the subscriber terminal.

In WiMAX systems, EAP runs from the MS to the BS over the PKMv2 (Privacy Key Management) security protocol defined in the IEEE 802.16e-2005 air-interface. If the authenticator is not in the BS, the BS relays the authentication protocol to the authenticator in the access service network (ASN). From the authenticator to the authentication server, EAP is carried over RADIUS.