There is a lot of confusion about this contribution, and I understand that email is NOT the best way to understand a contribution. I would request urgent group meeting opportunity to present this contribution and answer all the questions.
This contribution is certainly NOT for just guests / contractors. This contribution is achieving a lot of objectives. In a way, this contribution is making MNO-traffic visible in WIFI which is anonymous today. I will try to explain in this email all the requirements / pinpoints this contribution is trying to solve - ─── The Credential Question ─────────────────────────────────────────── To directly answer Michael's question: EAP-WSIM does NOT require a new credential. The credential is the SIM card the MNO device already carries — the same credential used for 4G/5G cellular authentication. EAP-WSIM reuses the existing MNO-provisioned SIM credential at the Wi-Fi layer. No new enrollment, no certificates, no passwords. Zero-touch onboarding is a direct consequence of this design. ─── The Real Problem: MNO Traffic is Anonymous on Enterprise Wi-Fi ──── Today, when an MNO device connects to enterprise Wi-Fi — whether employee, visitor, or contractor — the enterprise network has no visibility into the fact that it is an MNO device at all. The device connects via a guest SSID or captive portal and becomes completely anonymous. All MNO application traffic — VoWiFi calls, MNO data flows — travels inside an IPsec tunnel that the enterprise Wi-Fi layer cannot inspect, classify, or prioritize. The enterprise cannot apply QoS, cannot enforce per-subscriber policy, and cannot distinguish VoWiFi flows from any other traffic. EAP-WSIM surfaces MNO subscriber identity at the 802.11 association layer. For the first time, the enterprise Wi-Fi network knows which MNO subscriber is connected, enabling per-device QoS (WMM AC_VO for VoWiFi), policy enforcement, VLAN assignment, and charging correlation — all anchored to a verified MNO identity, not a self-asserted DSCP marking. ─── The Scope: Every MNO Device in Every Enterprise ────────────────── This is not a guest or contractor use case. It is the universal case. Every enterprise campus today has employees, contractors, and visitors carrying MNO-issued SIM devices. Every one of those devices — when it connects to enterprise Wi-Fi — loses its MNO identity at the Wi-Fi layer and becomes an anonymous IP endpoint. EAP-WSIM closes that gap for all of them, not by requiring any device changes, but by deploying a WSIM hardware authenticator (MEA) at the enterprise edge. ─── The Fast Handoff Problem ────────────────────────────────────────── On a guest SSID there is no PMK, no PMK-R0, and no 802.11r fast transition — regardless of device capability. Every AP crossing requires a full 802.1X re-exchange costing 1,800–2,900 ms — enough to drop any active VoWiFi call. EAP-WSIM derives PMK-R0/R1 locally at the MEA, enabling sub-50ms transitions with no MNO backend involvement. A natural question is whether deploying 802.11r with enterprise credentials (EAP-TLS) would be sufficient. It solves handoff latency but requires full enterprise PKI enrollment for every MNO device including unmanaged visitors — significant operational cost for devices the enterprise does not own. More importantly, it solves only the handoff problem while leaving the MNO identity gap completely intact. Fast handoff without application layer integration is a partial solution that justifies neither the deployment cost nor the protocol complexity. ─── The Device Compliance Gap ───────────────────────────────────────── Today MNOs enforce strict compliance on 4G/5G stack implementations across device vendors. They do not enforce equivalent compliance on Wi-Fi implementations. This is why 802.11r support is inconsistent across chipsets, OEMs, and OS versions — carrier-locked firmware, driver bugs, and OS-level suppression mean that a device may advertise FT capability but fail to negotiate it correctly. EAP-WSIM changes this: because authentication uses MNO-provisioned SIM credentials, MNOs gain a mechanism to enforce 802.11r compliance as part of device certification — the same way they enforce cellular stack compliance today. ─── Why an Enhancement, Not a New Protocol ────────────────────────── EAP-WSIM is best understood as an evolutionary enhancement of EAP-AKA — not a clean-sheet design. The evolution follows the same pattern as 4G to 5G authentication: 4G provided device-only authentication; 5G added mutual authentication without replacing the underlying MILENAGE framework. EAP-WSIM makes the analogous step for the enterprise Wi-Fi layer: it retains MILENAGE at its core but removes the MNO backend from the active authentication loop, replacing the live HSS/HLR/UDM query with a venue-hosted WSIM card acting as a self-contained Authentication Centre. Two enhancements are added in the same spirit: Forward secrecy via ephemeral ECDH — absent in EAP-AKA and EAP-AKA', addressed partially in RFC 9678 for MNO-connected deployments, now brought to the offline enterprise case. Post-quantum cryptography — EAP-WSIM introduces ML-KEM (FIPS 203) as a replacement for ECDH P-256, making it the first SIM-based EAP method with quantum-resistant key agreement. This directly addresses the post-quantum authentication migration deadline established by recent US federal policy and applies to MNO devices for the first time. ─── Summary ─────────────────────────────────────────────────────────── EAP-WSIM is the missing integration layer between the MNO application layer and enterprise Wi-Fi. It delivers: (1) reuse of existing SIM credentials with zero-touch onboarding, (2) MNO subscriber identity visible at 802.11 association enabling QoS and policy, (3) fast handoff via locally derived PMK-R0/R1 without MNO backend involvement, and (4) a path for MNOs to enforce Wi-Fi implementation compliance across device vendors. No existing solution addresses all four simultaneously. Regards, Praveen Gupta [email protected] https://datatracker.ietf.org/doc/draft-gupta-emu-eap-wsim/ -----Original Message----- From: Michael Richardson <[email protected]> Sent: Friday, July 3, 2026 10:15 AM To: [email protected]; [email protected] Subject: [Emu] Re: New Individual Draft: draft-gupta-emu-eap-wsim-00 (EAP-WSIM) <[email protected]> wrote: > Yes, I would expect most enterprise users to have enterprise Wi-Fi > credentials, not MNO-provided credentials. My understanding is that this is about guests and/or contractors. I would understand if the idea is to use existing MNO deployed credentials, but if one needs a new new credential, what's the point? -- Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide ** My working hours and your working hours may be different. ** ** Please do not feel obligated to reply outside your normal working hours ** _______________________________________________ Emu mailing list -- [email protected] To unsubscribe send an email to [email protected]
