Network Working Group                                           B. Aboba
Request for Comments:                                          Microsoft
Obsoletes:                                                      L. Blunk
Category: Standards Track                             Merit Network, Inc
                                                           J. Vollbrecht

This document defines the Extensible Authentication Protocol (EAP), an authentication framework which supports multiple authentication methods. EAP typically.
Published (last): 4 June 2018
EAP-GTC carries a text challenge from the authentication server, and a reply generated by a security token.
Since fragmentation support is not provided by EAP itself, this is the responsibility of EAP methods, which are discussed in Section 5.
This means that it is not possible for the peer to validate the identity of the authenticator that it is speaking to, using EAP alone. As noted in Section 3.
The client can, but does not have to, be authenticated to the server via a CA-signed PKI certificate.

Protected ciphersuite negotiation
   This refers to the ability of an EAP method to negotiate the ciphersuite used to protect the EAP conversation, as well as to integrity protect the negotiation.
Result indications
   A method provides result indications if after the method's last message is sent and received:

As noted in Section 2. If a peer needs to make use of different authentication methods under different circumstances, then distinct identities SHOULD be employed, each of which identifies exactly one authentication method. If the method derives keys, then the effective key strength MUST be estimated.
There have also been proposals to use IEEE Protected Extensible Authentication Protocol.
Fragmentation
   This refers to whether an EAP method supports fragmentation and reassembly.

The MSK is used only for further key derivation, not directly for protection of the EAP conversation or subsequent data.
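As an added example (not code from the RFC or from the Wikipedia article), the Python below shows the 4-octet EAP header (Code, Identifier, Length) the page refers to, and a method-layer fragmentation scheme layered on top of it, since EAP itself provides none. The flag octet (L = total length present, M = more fragments) and the use of the Experimental Type 255 as a stand-in method are assumptions chosen for the demonstration, modelled on the style EAP-TLS uses rather than copied from any defined method; the 1024-octet payload, the 100-octet MTU and the 64 KiB reassembly cap are constructed inputs.

```python
import struct

# EAP Code values for the 4-octet header Code | Identifier | Length (RFC 3748, Section 4)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_EXPERIMENTAL = 255          # Type 255 is reserved for experimental use; stands in for a real method
FLAG_L, FLAG_M = 0x80, 0x40      # assumed method-layer flags: L = total length present, M = more fragments
MAX_REASSEMBLY = 64 * 1024       # assumed cap so a bogus declared length cannot exhaust memory


def encode_eap(code, identifier, type_data=b""):
    """Build an EAP packet; Length covers the header and all type-data octets."""
    length = 4 + len(type_data)
    if length > 0xFFFF:
        raise ValueError("EAP Length is 16 bits; the method must fragment")
    return struct.pack("!BBH", code, identifier, length) + type_data


def decode_eap(packet):
    """Return (code, identifier, type, type_data); octets past Length are padding and dropped."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than its 4-octet header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("EAP Length field inconsistent with packet")
    body = packet[4:length]
    if code in (EAP_SUCCESS, EAP_FAILURE):
        if body:
            raise ValueError("Success/Failure carry no data")
        return code, identifier, None, b""
    if not body:
        raise ValueError("Request/Response need a Type octet")
    return code, identifier, body[0], body[1:]


def fragment_method_data(data, mtu):
    """Split a method payload into type-data units so each EAP packet fits in `mtu` octets.
    First fragment: flags | 4-octet total length | chunk; later ones: flags | chunk."""
    frags, offset, first = [], 0, True
    while True:
        overhead = 4 + 1 + 1 + (4 if first else 0)     # header + Type + flags (+ total length)
        room = mtu - overhead
        if room <= 0:
            raise ValueError("MTU too small for one fragment")
        chunk = data[offset:offset + room]
        offset += len(chunk)
        more = offset < len(data)
        flags = (FLAG_L if first else 0) | (FLAG_M if more else 0)
        prefix = struct.pack("!I", len(data)) if first else b""
        frags.append(bytes([flags]) + prefix + chunk)
        first = False
        if not more:
            return frags


class Reassembler:
    """Peer-side reassembly with the checks a receiver needs: declared length bounded,
    no data beyond it, no short delivery when the last fragment arrives."""
    def __init__(self, limit=MAX_REASSEMBLY):
        self.limit, self.expected, self.buf = limit, None, bytearray()

    def feed(self, type_data):
        if not type_data:
            raise ValueError("empty method type-data")
        flags, rest = type_data[0], type_data[1:]
        if flags & FLAG_L:
            if self.expected is not None or len(rest) < 4:
                raise ValueError("unexpected or truncated length field")
            self.expected, rest = struct.unpack("!I", rest[:4])[0], rest[4:]
            if self.expected > self.limit:
                raise ValueError("declared length exceeds reassembly limit")
        elif self.expected is None:
            raise ValueError("fragment received before a length-bearing first fragment")
        self.buf += rest
        if len(self.buf) > self.expected:
            raise ValueError("fragments exceed declared length")
        if flags & FLAG_M:
            return None                               # wait for more
        if len(self.buf) != self.expected:
            raise ValueError("final fragment leaves reassembly short")
        out, self.expected, self.buf = bytes(self.buf), None, bytearray()
        return out


def exchange(method_data, mtu):
    """Authenticator sends each fragment as a Request with a fresh Identifier; the peer
    acknowledges with a zero-flag Response carrying the same Identifier until the payload
    is reassembled. Returns (packets on the wire, reassembled payload)."""
    peer, packets, identifier, result = Reassembler(), 0, 1, None
    for frag in fragment_method_data(method_data, mtu):
        req = encode_eap(EAP_REQUEST, identifier, bytes([TYPE_EXPERIMENTAL]) + frag)
        assert len(req) <= mtu
        packets += 1
        _code, ident, _typ, type_data = decode_eap(req)
        result = peer.feed(type_data)
        encode_eap(EAP_RESPONSE, ident, bytes([TYPE_EXPERIMENTAL, 0]))   # peer's acknowledgement
        packets += 1
        identifier = (identifier + 1) % 256
    return packets, result


if __name__ == "__main__":
    payload = bytes(range(256)) * 4        # constructed 1024-octet method payload
    count, got = exchange(payload, 100)
    print(count, got == payload)
```

The cap on the declared total length is the check to keep in any real method: the 16-bit EAP Length bounds a single packet, but nothing in EAP bounds what a method's own length field claims, so an unauthenticated peer or authenticator could otherwise make the other side allocate arbitrarily.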
The specification of the AAA-key derivation, transport, and wrapping mechanisms is outside the scope of this document.
EAP is not a wire protocol; instead it only defines message formats. For instance, if keys are derived from a shared secret such as a password or a long-term secret, and possibly some public information such as nonces, the effective key strength is limited by the strength of the long-term secret, assuming that the derivation procedure is computationally simple. For example, within EAP-TLS [RFC], in the client authentication handshake, the server authenticates the peer, but does not receive a protected indication of whether the peer has authenticated it.
Replay protection
   This refers to protection against replay of an EAP method or its messages, including success and failure result indications.

For example, the identity may not be required where it is determined by the port to which the peer has connected (leased lines). EAP is used to select a specific authentication mechanism, typically after the authenticator requests more information in order to determine the specific authentication method to be used.
Extensible Authentication Protocol
Per-packet authentication, integrity, and replay protection of result indications protects against spoofing. However, it is possible for a pass-through authenticator acting as a AAA client to provide correct information to the AAA server while communicating misleading information to the EAP peer via a lower layer protocol. Success indications may be explicit or implicit. An authenticated peer may be denied access due to lack of authorization. The underlying key exchange is resistant to active attack, passive attack, and dictionary attack.
Where supported by the lower layer, an authenticator sensing the absence of the peer can free resources. This list of security claims is not exhaustive. In EAP there is no requirement that authentication be full duplex or that the same protocol be used in both directions. To protect against data modification, spoofing, or snooping, it is recommended that EAP methods supporting mutual authentication and key derivation as defined by Section 7.
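As an added example (not text or code from the RFC or from the Wikipedia article), the Python below implements the peer-side checks the two preceding paragraphs imply: a Success or Failure packet is honoured only when its Identifier matches the peer's last Response (the rule for result packets in RFC 3748, Section 4.2), only after the method has completed, and, for Success, only when the method's own integrity-protected result indication agrees. The `PeerResultFilter` class, its method names and the constructed Identifier 0x2a are assumptions for the demonstration; the method's protected result indication is modelled as a boolean the method hands over, since the bare Success and Failure packets carry no authentication of their own.

```python
import struct

# EAP Code values (RFC 3748, Section 4); Success/Failure packets have Length 4 and no data
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4


class PeerResultFilter:
    """Peer-side acceptance of EAP Success/Failure (constructed example).
    The method's protected result indication is a flag handed over by the method;
    EAP alone cannot authenticate the result packets, so state decides, not bytes."""

    def __init__(self):
        self.last_response_id = None        # Identifier of the last Response we sent
        self.method_done = False            # method's last message sent and received
        self.method_success = False         # method's own, integrity-protected success indication
        self.msk = None                     # keys exported by the method, if any

    def sent_response(self, identifier):
        self.last_response_id = identifier

    def method_finished(self, success, msk=None):
        self.method_done = True
        self.method_success = success
        self.msk = msk if success else None

    def receive(self, packet):
        """Return a verdict string; 'discard' verdicts are silently dropped on the wire."""
        if len(packet) < 4:
            return "discard: truncated header"
        code, identifier, length = struct.unpack("!BBH", packet[:4])
        if code not in (EAP_SUCCESS, EAP_FAILURE):
            return "not a result indication"
        if length != 4:
            return "discard: Success/Failure must have Length 4"
        if identifier != self.last_response_id:
            return "discard: Identifier does not match our last Response"   # replayed or spoofed
        if not self.method_done:
            return "discard: result before the method completed"
        if code == EAP_SUCCESS:
            if not self.method_success:
                self.msk = None
                return "discard: unprotected Success contradicts the method's own result"
            return "accept: authenticated, keys available"
        # Failure after the method said success is either a genuine authorization denial
        # (the page notes an authenticated peer may still be refused) or a spoofed Failure;
        # EAP alone cannot tell them apart, so record it rather than treat it as a crypto failure
        self.msk = None
        if self.method_success:
            return "accept: authenticated but not authorized (or Failure spoofed)"
        return "accept: authentication failed"


def scenario():
    """Inject a Success before the method finishes, replay one with a stale Identifier,
    then deliver the genuine one; the first and last are byte-identical, only state differs."""
    peer = PeerResultFilter()
    peer.sent_response(0x2A)                                      # constructed Identifier
    early = struct.pack("!BBH", EAP_SUCCESS, 0x2A, 4)             # attacker-injected Success
    v1 = peer.receive(early)
    peer.method_finished(True, msk=bytes(64))                     # method's protected success, 64-octet MSK
    stale = struct.pack("!BBH", EAP_SUCCESS, 0x29, 4)             # replayed with an old Identifier
    v2 = peer.receive(stale)
    v3 = peer.receive(early)                                      # the legitimate Success
    return [v1, v2, v3]


if __name__ == "__main__":
    for verdict in scenario():
        print(verdict)
```

Note what the filter does not do: it cannot make an unprotected Success trustworthy. It only refuses to let a Success or Failure override what the method itself established, which is the practical consequence of the peer being unable to validate the authenticator's identity using EAP alone.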
This phase is independent of other phases; hence, any other scheme, in-band or out-of-band, can be used in the future. Due to limitations of the design, this also implies the need for unicast key derivations and EAP method exchanges to occur in each direction.