There is a lot of confusion about this contribution, and I understand that 
email is NOT the best way to understand a contribution.  I would request urgent 
group meeting opportunity to present this contribution and answer all the 
questions. 

This contribution is certainly NOT for just guests / contractors.  This 
contribution is achieving a lot of objectives. In a way, this contribution is 
making MNO-traffic visible in WIFI which is anonymous today. 

I will try to explain in this email all the requirements / pinpoints this 
contribution is trying to solve - 

─── The Credential Question ───────────────────────────────────────────

To directly answer Michael's question: EAP-WSIM does NOT require a new 
credential. The credential is the SIM card the MNO device already carries — the 
same credential used for 4G/5G cellular authentication. EAP-WSIM reuses the 
existing MNO-provisioned SIM credential at the Wi-Fi layer. No new enrollment, 
no certificates, no passwords. Zero-touch onboarding is a direct consequence of 
this design.


─── The Real Problem: MNO Traffic is Anonymous on Enterprise Wi-Fi ────

Today, when an MNO device connects to enterprise Wi-Fi — whether employee, 
visitor, or contractor — the enterprise network has no visibility into the fact 
that it is an MNO device at all. The device connects via a guest SSID or 
captive portal and becomes completely anonymous. All MNO application traffic — 
VoWiFi calls, MNO data flows — travels inside an IPsec tunnel that the 
enterprise Wi-Fi layer cannot inspect, classify, or prioritize. The enterprise 
cannot apply QoS, cannot enforce per-subscriber policy, and cannot distinguish 
VoWiFi flows from any other traffic.

EAP-WSIM surfaces MNO subscriber identity at the 802.11 association layer. For 
the first time, the enterprise Wi-Fi network knows which MNO subscriber is 
connected, enabling per-device QoS (WMM AC_VO for VoWiFi), policy enforcement, 
VLAN assignment, and charging correlation — all anchored to a verified MNO 
identity, not a self-asserted DSCP marking.


─── The Scope: Every MNO Device in Every Enterprise ──────────────────

This is not a guest or contractor use case. It is the universal case. Every 
enterprise campus today has employees, contractors, and visitors carrying 
MNO-issued SIM devices. Every one of those devices — when it connects to 
enterprise Wi-Fi — loses its MNO identity at the Wi-Fi layer and becomes an 
anonymous IP endpoint. EAP-WSIM closes that gap for all of them, not by 
requiring any device changes, but by deploying a WSIM hardware authenticator 
(MEA) at the enterprise edge.


─── The Fast Handoff Problem ──────────────────────────────────────────

On a guest SSID there is no PMK, no PMK-R0, and no 802.11r fast transition — 
regardless of device capability. Every AP crossing requires a full 802.1X 
re-exchange costing 1,800–2,900 ms — enough to drop any active VoWiFi call. 
EAP-WSIM derives PMK-R0/R1 locally at the MEA, enabling sub-50ms transitions 
with no MNO backend involvement.

A natural question is whether deploying 802.11r with enterprise credentials 
(EAP-TLS) would be sufficient. It solves handoff latency but requires full 
enterprise PKI enrollment for every MNO device including unmanaged visitors — 
significant operational cost for devices the enterprise does not own. More 
importantly, it solves only the handoff problem while leaving the MNO identity 
gap completely intact. Fast handoff without application layer integration is a 
partial solution that justifies neither the deployment cost nor the protocol 
complexity.


─── The Device Compliance Gap ─────────────────────────────────────────

Today MNOs enforce strict compliance on 4G/5G stack implementations across 
device vendors. They do not enforce equivalent compliance on Wi-Fi 
implementations. This is why 802.11r support is inconsistent across chipsets, 
OEMs, and OS versions — carrier-locked firmware, driver bugs, and OS-level 
suppression mean that a device may advertise FT capability but fail to 
negotiate it correctly. EAP-WSIM changes this: because authentication uses 
MNO-provisioned SIM credentials, MNOs gain a mechanism to enforce 802.11r 
compliance as part of device certification — the same way they enforce cellular 
stack compliance today.


─── Why an Enhancement, Not a New Protocol ──────────────────────────

EAP-WSIM is best understood as an evolutionary enhancement of EAP-AKA — not a 
clean-sheet design. The evolution follows the same pattern as 4G to 5G 
authentication: 4G provided device-only authentication; 5G added mutual 
authentication without replacing the underlying MILENAGE framework. EAP-WSIM 
makes the analogous step for the enterprise Wi-Fi layer: it retains MILENAGE at 
its core but removes the MNO backend from the active authentication loop, 
replacing the live HSS/HLR/UDM query with a venue-hosted WSIM card acting as a 
self-contained Authentication Centre.

Two enhancements are added in the same spirit:

Forward secrecy via ephemeral ECDH — absent in EAP-AKA and EAP-AKA', addressed 
partially in RFC 9678 for MNO-connected deployments, now brought to the offline 
enterprise case.

Post-quantum cryptography — EAP-WSIM introduces ML-KEM (FIPS 203) as a 
replacement for ECDH P-256, making it the first SIM-based EAP method with 
quantum-resistant key agreement. This directly addresses the post-quantum 
authentication migration deadline established by recent US federal policy and 
applies to MNO devices for the first time.

─── Summary ───────────────────────────────────────────────────────────

EAP-WSIM is the missing integration layer between the MNO application layer and 
enterprise Wi-Fi. It delivers: (1) reuse of existing SIM credentials with 
zero-touch onboarding, (2) MNO subscriber identity visible at 802.11 
association enabling QoS and policy, (3) fast handoff via locally derived 
PMK-R0/R1 without MNO backend involvement, and (4) a path for MNOs to enforce 
Wi-Fi implementation compliance across device vendors. No existing solution 
addresses all four simultaneously.

Regards,
Praveen Gupta
[email protected]
https://datatracker.ietf.org/doc/draft-gupta-emu-eap-wsim/


-----Original Message-----
From: Michael Richardson <[email protected]> 
Sent: Friday, July 3, 2026 10:15 AM
To: [email protected]; [email protected]
Subject: [Emu] Re: New Individual Draft: draft-gupta-emu-eap-wsim-00 (EAP-WSIM)


<[email protected]> wrote:
    > Yes, I would expect most enterprise users to have enterprise Wi-Fi
    > credentials, not MNO-provided credentials.

My understanding is that this is about guests and/or contractors.
I would understand if the idea is to use existing MNO deployed credentials, but 
if one needs a new new credential, what's the point?


--
Michael Richardson <[email protected]>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

**       My working hours and your working hours may be different.         **
** Please do not feel obligated to reply outside your normal working hours **




_______________________________________________
Emu mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to