PANA (Protocol for Carrying Authentication for Network Access) is an IP-based protocol that allows a device to authenticate itself with a network to be granted access. PANA will not define any new authentication protocol, key distribution, key agreement or key derivation protocols. For these purposes, the Extensible Authentication Protocol (EAP) will be used, and PANA will carry the EAP payload. PANA allows dynamic service provider selection, supports various authentication methods, is suitable for roaming users, and is independent from the link layer mechanisms.
PANA is an Internet Engineering Task Force (IETF) protocol and described in RFC 5191.
Architecture's elements
editPaC (PANA Client) The PaC is the client part of the protocol. This element is located in the node that wants to reach the access network.
PAA (PANA Authentication Agent) This entity represents the server part of the PANA protocol. Its main task is the message exchange with the PaC for authenticating and authorizing it for network access. In addition, in some scenarios, the PAA entity has to do other message exchange with the AAA server in order to offer the PaC credentials to it. In this case, EAP is configured as pass-through and the AAA server is placed physically in a different place than the PAA.
AS (Authentication Server) This element contains the information needed to check the PaC's credentials. To this end this node receives the PaC's credentials from the PAA, performs a credential check, and sends a packet with the result of the credential check. If the credential check was successful, that packet contains access parameters, such as allowed bandwidth or IP configuration. At this point, a session between PAA and PaC has been established. This session has a session lifetime. When the session expires, a re-authentication process is required for the PaC to regain network access.
EP (Enforcement Point) It works as a filter of the packets which source is an authenticated PaC. Basically, an EP is a network node which drops packets according to some parameters provided as results of the authentication processes. Typically, this function is applied by a communication device as an access point or a router. When an authentication process is done successfully, a key is installed in EP and PaC, establishing a session between EP and PaC. While this session is active (hasn't expired), the PaC can access network services for which it has been authorised. When the session expires, the PaC will have to indicate this situation to the PAA in order to perform re-authentication.