Summary EAP-based network access authentication already generates an SA (SA2) between the MN and the access network (NAS) Now generate derivative SAs (SA3)between the MN and the mobility servers (MAP, FMIP AR) MN (EAP peer) NAS (EAP authenticator) HAAA (EAP authentication server) Home network Visited network MAP or AR SA1 SA2 SA3 |