This document defines the Extensible Authentication Protocol (EAP), an authentication framework which supports multiple authentication methods. EAP typically. Network Working Group B. Aboba Request for Comments: Microsoft Obsoletes: L. Blunk Category: Standards Track Merit Network, Inc J. Vollbrecht.
Published (last): 7 April 2005
The standard also describes the conditions under which the AAA key management requirements described in RFC can be satisfied.
Man-in-the-Middle Attacks Where EAP is tunneled within another protocol that omits peer authentication, there exists a potential vulnerability to a man-in-the-middle attack. Within this document, authenticator requirements apply regardless of whether the authenticator is operating as a pass-through or not. A subsection giving requirements on processing of success and failure packets has been added.
Fragmentation This refers to whether an EAP method supports fragmentation and reassembly. The highest security available is when the “private keys” of a client-side certificate are housed in smart cards. However, as noted in Section 7. This could cause packets to be inappropriately discarded or misinterpreted.
EAP Types – Extensible Authentication Protocol Types
When used, this server typically executes EAP methods for the authenticator. Pass-Through Behavior When operating as a “pass-through authenticator”, an authenticator performs checks on the Code, Identifier, and Length fields as described in Section 4.
EAP may be used on dedicated links, as well as switched circuits, and wired as well as wireless links.
The notes in this section have been substantially expanded. As noted in [RFC] Section 2. EAP is not a wire protocol; instead it only defines message formats. This may enable an authenticator to impersonate another authenticator or communicate incorrect information via out-of-band mechanisms such as via a AAA or lower layer protocol. Specification of Requirements In this document, several words are used to signify the requirements of the specification. It is also possible that result indications may not be supported in both directions or that synchronization may not be achieved in all modes of operation.
RFC – Extensible Authentication Protocol (EAP)
Alternatively, the authentication conversation can continue until the authenticator determines that successful authentication has occurred, in which case the authenticator MUST transmit an EAP Success (Code 3). Success indications may be explicit or implicit. However, in PPP the LCP state machine can renegotiate the authentication protocol at any time, thus allowing a new attempt.
While EAP provides support for retransmission, it assumes ordering guarantees provided by the lower layer, so out of order reception is not supported.
This may be intentional in the case of identity privacy. However, in the case where the authenticator and authentication server reside on different machines, there are several implications for security. Therefore, unless a host implements an EAP authenticator layer, these packets will be silently discarded.
Multiple authentication methods within an EAP conversation are not supported due to their vulnerability to man-in-the-middle attacks (see Section 7). Clarifications have been made in the description of most of the existing Types. Note that there is no requirement that an implementation conform to this model, as long as the on-the-wire behavior is consistent with it.
Extensible Authentication Protocol
It cannot be assumed that the contents of the Notification Request or Response are available to another method. In particular, this definition allows that the adversary has the knowledge of all nonces sent in cleartext, as well as all predictable counter values used in the protocol.
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. For example, the identity may not be required where it is determined by the port to which the peer has connected (leased lines). EAP provides its own support for duplicate elimination and retransmission, but is reliant on lower layer ordering guarantees.
This list of security claims is not exhaustive. Where EAP is used over the Internet, attacks may be carried out at an even greater distance. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http: Where the requirement is meant to apply to either the authenticator or backend authentication server, depending on where the EAP authentication is terminated, the term “EAP server” will be used.