PANA allows dynamic service provider selection, supports various authentication methods, is suitable for roaming users, and is independent from the link layer mechanisms.
In addition, in some scenarios, the PAA entity has to do other message exchange with the AAA server in order to offer the PaC credentials to it.
If the credential check was successful, that packet contains access parameters, such as allowed bandwidth or IP configuration.
EP (Enforcement Point) It works as a filter of the packets which source is an authenticated PaC.
Basically, an EP is a network node which drops packets according to some parameters provided as results of the authentication processes.