Canonical URL: ; File formats: Plain Text PDF Discuss this RFC: Send questions or comments to [email protected] This document defines the Extensible Authentication Protocol (EAP), an authentication framework which supports multiple authentication methods. EAP typically. Network Working Group B. Aboba Request for Comments: Microsoft Obsoletes: L. Blunk Category: Standards Track Merit Network, Inc J. Vollbrecht.
|Published (Last):||26 January 2016|
|PDF File Size:||20.7 Mb|
|ePub File Size:||10.3 Mb|
|Price:||Free* [*Free Regsitration Required]|
Where EAP runs over a lower layer in which significant packet loss is experienced, or where the connection between the authenticator and authentication server experiences significant packet loss, EAP methods requiring many round-trips ietc experience difficulties. Use of cleartext passwords would allow the password to be captured by an attacker with access to a link over which EAP packets are transmitted.
RFC – Extensible Authentication Protocol (EAP) –
EAP-GTC carries a text challenge from the iettf server, and a reply generated by a security token. Clarifications have been made in the description of most of the existing Types. Method-specific MICs may be used to provide protection. If an authentication algorithm is used that is known to be vulnerable to dictionary attacks, then the conversation may be tunneled within a protected channel in order to provide additional protection.
EAP Types – Extensible Authentication Protocol Types information
However, it is also possible to develop EAP methods that support per-packet MICs, and respond to verification failures by silently discarding the offending packet.
The term authenticator rff used in [ IEEE EAP is a ‘lock step’ protocol, so that other than the initial Request, a new Request cannot be sent prior to receiving a valid Response. Channel binding The rfx within an EAP gfc of integrity-protected channel properties such as endpoint identifiers which can be compared to values communicated via out of band mechanisms such as via a AAA or lower layer protocol. This terminology is also used in [ IEEE However, where roaming is supported as described in [RFC], it may be necessary to locate the appropriate backend authentication server before the authentication conversation can proceed.
It provides a protected communication channel, when mutual authentication iett successful, for both parties to communicate and is designed for authentication over insecure networks such as IEEE Some of the same risks apply to EAP methods without dictionary attack resistance, as defined in Section 7. The implementation notes in this section have been substantially expanded.
Applicability EAP was designed for use in network access authentication, where IP layer connectivity may not be available. This is a statement of the claimed security properties of the method, using terms defined in Section 7. One of the advantages of the EAP architecture is its flexibility.
In the case where no backend authentication server is used, the EAP server is part of the authenticator.
Additionally a number of vendor-specific methods and new proposals exist. A host receiving an EAP packet may only do one of three things with it: The sequence of Requests and Responses continues as long as needed. It is recommended that any ffc used for authentication failure not be reset until after successful authentication, or subsequent termination of the failed link.
In these situations, use of EAP methods with fewer roundtrips is advisable. In this document, descriptions of EAP message handling assume that per-packet MIC validation, where it occurs, is effectively performed as though it occurs before sending any responses or changing the state itef the host which received the packet.
This attack may be mitigated by the following measures: Where supported by the lower layer, an authenticator sensing the absence of the peer can free resources. GSM cellular networks use a subscriber identity module card to carry out user authentication. Success indications may be explicit or implicit.
RFC – Extensible Authentication Protocol (EAP) Method Requirements for Wireless LANs
374 EAP method protocol exchange is done in a minimum of four messages. Since EAP supports retransmission, it is robust against transient connectivity losses. Similarly, switch or access point implementations need to support [ IEEE Per-packet authentication, integrity, and replay protection of result indications protects against spoofing.
Where EAP is used over the Internet, attacks may be carried out at an even greater distance. Pass-Through Behavior When operating as a “pass-through authenticator”, an authenticator performs checks on the Code, Identifier, and Length fields as described in Section 4. For example, in IEEE Typically, the authenticator will send an initial Identity Request; however, an initial Identity Request is not required, and MAY be bypassed.
The authenticator’s decision typically involves both authentication and authorization aspects; the peer may successfully authenticate to the authenticator, but access may be denied by the authenticator due to policy reasons. In this mode, the server authenticates the peer and is aware of whether the peer has authenticated it.