This document defines the Extensible Authentication Protocol (EAP), an authentication framework which supports multiple authentication methods. EAP typically. Network Working Group; Request for Comments (number missing); Category: Standards Track. Authors: B. Aboba (Microsoft), L. Blunk (Merit Network, Inc), J. Vollbrecht.


Where EAP runs over a lower layer in which significant packet loss is experienced, or where the connection between the authenticator and authentication server experiences significant packet loss, EAP methods requiring many round-trips can experience difficulties.

However, it is possible that the EAP peer's access policy was not satisfied during the initial EAP exchange, even though mutual authentication occurred. Introduction. This document defines the Extensible Authentication Protocol (EAP), an authentication framework which supports multiple authentication methods. Multiple authentication methods within an EAP conversation are not supported due to their vulnerability to man-in-the-middle attacks (see Section 7).

EAP is an authentication framework, not a specific authentication mechanism.


It supports authentication techniques that are based on the following types of credentials: Minor changes, including style, grammar, spelling, and editorial changes, are not mentioned here.

As with the Request packet, the Response packet contains a Type field, which corresponds to the Type field of the Request. The client can, but does not have to be, authenticated to the server via a CA-signed PKI certificate. Since protected result indications require use of a key for per-packet authentication and integrity protection, methods supporting protected result indications MUST also support the "key derivation", "mutual authentication", "integrity protection", and "replay protection" claims.

As a result, the peer may require an additional authentication in the reverse direction, even if the peer provided an indication that the EAP server had successfully authenticated to it.


The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Extensible Authentication Protocol, or EAP, is an authentication framework frequently used in wireless networks and point-to-point connections.

However, in the case where the authenticator and authentication server reside on different machines, there are several implications for security. However, in PPP the LCP state machine can renegotiate the authentication protocol at any time, thus allowing a new attempt. Negotiation Attacks. In a negotiation attack, the attacker attempts to convince the peer and authenticator to negotiate a less secure EAP method. One of the advantages of the EAP architecture is its flexibility.

Where EAP is used over the Internet, attacks may be carried out at an even greater distance. Protected result indications are not required to protect against rogue authenticators.

EAP Types – Extensible Authentication Protocol Types

The MSK is at least 64 octets in length. Protocol for Carrying Authentication for Network Access. For example, the group-key handshake defined in [IEEE ...]. GSM cellular networks use a subscriber identity module (SIM) card to carry out user authentication. This creates a potential security vulnerability.

Pass-Through Behavior When operating as a “pass-through authenticator”, an authenticator performs checks on the Code, Identifier, and Length fields as described in Section 4. Connection to an Untrusted Network With EAP methods supporting one-way authentication, such as EAP-MD5, the peer does not authenticate the authenticator, making the peer vulnerable to attack by a rogue authenticator.

This may be intentional in the case of identity privacy. It cannot be assumed that the contents of the Nak Response(s) are available to another method.



Weak Ciphersuites. If, after the initial EAP authentication, data packets are sent without per-packet authentication, integrity, or replay protection, an attacker with access to the media can inject packets, "flip bits" within existing packets, replay packets, or even hijack the session completely.

When used, this server typically executes EAP methods for the authenticator.

A Notification Response is only used as confirmation that the peer received the Notification Request, not that it has processed it, or displayed the message to the user.

There have also been proposals to use IEEE Unless the authenticator implements one or more authentication methods locally which support the authenticator role, the EAP method layer header fields (Type, Type-Data) are not examined as part of the forwarding decision.

Cryptographic Separation Two keys x and y are “cryptographically separate” if an adversary that knows all messages exchanged in the protocol cannot compute x from y or y from x without “breaking” some cryptographic assumption.

Typically, an EAP implementation on a given host will support either peer or authenticator functionality, but it is possible for a host to act as both an EAP peer and authenticator.

The EMSK is reserved for future uses that are not defined yet. In order to address this vulnerability, EAP methods may support a protected exchange of channel properties such as endpoint identifiers, including but not limited to:
