To access Internet services supported in a home network, a mobile node must obtain the right to use an access network, and it must be able to contact a home network gateway to access the Internet in the home network. This means that the device must be authenticated by an AP to use the access network, and it must additionally be authenticated by the home network gateway to access its home network. EAP-PEAP is currently the most commonly used authentication protocol in access networks, and IKEv2 is common security protocol for mutual authentication on the Internet. As the procedures in EAP-PEAP and IKEv2 are quite similar, EAP-PEAP can be replaced by IKEv2. If the access network authentication uses IKEv2-based protocols and the home network authentication also uses IKEv2, the IKEv2 messages exchanged in each authentication become duplicated. However, it should be noted that EAP-IKEv2 is not able to carry EAP exchanges. We propose a hybrid authentication mechanism that can be used to authenticate a mobile node for both networks simultaneously. The proposed mechanism is based on the IKEv2-EAP exchanges instead of the EAP exchanges currently used to authenticate the access network, but our scheme adopts the encapsulation method defined by EAP-IKEv2 to transport the IKEv2 message over IEEE 802.11 so as not to change the current access network authentication architecture and the message format used by the authentication protocols. The scheme authenticates both networks through a single IKEv2 authentication, rather than two authentication procedures - one for the access network and one for the home network. This reduces the number of exchanged messages and authentication time.

The Extensible Authentication Protocol (EAP) is an authentication framework that supports multiple authentication mechanisms [38] between a peer and an authentication server in a data communication network. EAP is used as a useful tool for enabling user authentication and distribution of session keys. There are numerous EAP methods that have been developed by global SDOs such as IETF, IEEE, ITU-T, and 3GPP. In this paper, we analyze the most widely deployed EAP methods ranging from the EAP-TLS [27] to the EAP-PSK [25]. In addition, we derive the security requirements of EAP methods meet, evaluate the typical EAP methods in terms of the security requirements, and discuss the features of the existing widely-deployed EAP methods. In addition, we identify two typical use cases for the EAP methods. Finally, recent global standardization activities in this area are reviewed.

This paper describes the IKEv2 protocol and presents how an open-source IKEv2 implementation, in particular OpenIKEv2 has been designed and implemented. All the issues found during this process and how they were solved are also described. Finally, a comparison between existing open-source implementations is presented.