When a LTE UE moves from LTE network to trusted WLAN (handover), it should be authenticated. EAP (Extensible Authentication Protcol)-AKA is used for authentication. EAP-AKA is used for LTE subscribers whose devices have SIM card.
During authentication procedure, authentication messages are exchanged among UE, WiFi-AP (WiFi-access point), TWAG (Trusted Wireless Access Gateway), AAA and HSS.
TWAG is a WLAN core network node which has interfaces with AAA and PGW of LTE network. Interface "STa" is used to exchange authentication and authorization related messages with TWAG and AAA while interface "S2a" is used for establishing data tunnels by using GTPv2 protocol.
In case of un-trusted WLAN, LTE UEs are authenticated with ePDG node by using IPsec tunnel. ePDG node sits in home network while TWAG can be in visited network as well.
One more think, for EAP-AKA based authentication, UE should have support of 802.1x and 802.11i protocol.
For devices which do not have SIM, EAP-TLS and EAP-TTLS based authentication method is used.
Hope it will help you to understand up to some extent.
