CSE 8343: State Machines for Extensible Authentication Protocol Peer and Authenticator
IETF RFC 4137
Extensible Authentication Protocol (EAP) Working Group
RFC 4137: State Machines for EAP Peer and Authenticator
RFC 4137 Overview
• RFC 4137 describes a set of state machines for:
  • EAP Peer
  • EAP Stand-Alone Authenticator (Non-Pass-Through)
  • EAP Backend Authenticator
  • EAP Full Authenticator
• Describes sample EAP implementations:
  • Peer / Authenticator
  • Peer / Authenticator / AAA
RFC 4137 Overview
• Illustrative of the authoritative RFCs:
  • Peer and Stand-Alone Authenticator for EAP, from RFC 3748
  • Backend and Full/Pass-Through Authenticator for EAP/AAA, from RFC 3748 and RFC 3579
• Based on the EAP "Switch" model
EAP Switch Model
• An EAP authentication is a sequence of EAP methods
• The result is sent from the Authenticator to the Peer:
  • If successful, EAP Success
  • If unsuccessful, EAP Failure
• EAP switches control the negotiation sequence:
  • Select which methods each side will use
  • Negotiate methods or a sequence of methods

[Diagram: Peer side with a Peer EAP Switch and a Peer Method; Authenticator side with an Auth EAP Switch and an Auth Method]
EAP Pass-Through Model
• Authentication is resident on a backend server
• Allows the edge device to pass EAP Responses through to the backend

[Diagram: Peer (Peer EAP Switch, Peer Method); Authenticator (Auth EAP Switch, Local Method, Pass-Through); Backend (Backend EAP Server)]
State Machine Notation (IEEE 802.1X-2004)
• State diagrams represent the operation of a protocol
• A group of connected, mutually exclusive states
• Only one state of each machine can be active at a time
• Upon entry to a state, the defined procedures are executed exactly once
  • Executed in the given order
  • Atomic actions

[Diagram: a state box labelled STATE IDENTIFIER containing Procedure 1 … Procedure N, with an outgoing transition labelled Condition]
EAP Peer
Global transitions: DISABLED, INITIALIZE

EAP Peer: DISABLED
Reached whenever service from the transport layer is interrupted or unavailable.
Transitions: INITIALIZE

EAP Peer: INITIALIZE
Initializes the state machine variables.
Transitions: IDLE

EAP Peer: IDLE
The state machine is waiting for something to happen.
Transitions: RECEIVED, SUCCESS, FAILURE

EAP Peer: RECEIVED
Entered when an EAP packet is received.
Transitions: METHOD, GET_METHOD, IDENTITY, NOTIFICATION, RETRANSMIT, SUCCESS, FAILURE, DISCARD

EAP Peer: METHOD
Performs the method processing. The request from the Authenticator is processed, and the appropriate response packet is built.
Transitions: DISCARD, FAILURE, SEND_RESPONSE

EAP Peer: GET_METHOD
Entered when a request for a new type comes in. This results in either starting the appropriate method or responding with a Nak.
Transitions: METHOD, SEND_RESPONSE

EAP Peer: IDENTITY
Separate handling for the Identity method, including building the response packet.
Transitions: SEND_RESPONSE

EAP Peer: NOTIFICATION
Separate handling for the Notification method, including building the response packet.
Transitions: SEND_RESPONSE

EAP Peer: RETRANSMIT
Resends the previous response packet.
Transitions: SEND_RESPONSE

EAP Peer: DISCARD
Signals the transport layer that the request has been ignored and that no response will be sent.
Transitions: IDLE

EAP Peer: SEND_RESPONSE
Signals the transport layer that a response packet is ready to be sent.
Transitions: IDLE

EAP Peer: SUCCESS
Terminal state indicating a successful authentication.
Transitions: None

EAP Peer: FAILURE
Terminal state indicating a failed authentication.
Transitions: None
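The peer states listed above, driven by real EAP packets, as an added example written for these notes (it is not code from the slides or from RFC 4137). It parses the RFC 3748 header (Code, Identifier, Length, Type) and walks the same state names, recording every state entered in a trail. Two simplifications are assumptions of this example, not the RFC's text: the only "method" is a constructed toy handler on the experimental type 255 that echoes the request data reversed, and the Success/Failure acceptance rule is reduced to "identifier matches the last answered request, and for Success a method must have decided". That reduced rule is still enough to show the point that matters for security: a Success arriving before any method has run is discarded, not trusted.

```python
import struct

REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4        # RFC 3748 codes
T_IDENTITY, T_NOTIFICATION, T_NAK = 1, 2, 3             # RFC 3748 types
T_TOY = 255   # RFC 3748 "experimental" type, used here for a constructed toy method


def parse_eap(pkt):
    """Parse an EAP packet; returns (code, id, type, type_data) or None if malformed."""
    if len(pkt) < 4:
        return None
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or code not in (REQUEST, RESPONSE, SUCCESS, FAILURE):
        return None
    if code in (REQUEST, RESPONSE):
        return (code, ident, pkt[4], pkt[5:]) if length >= 5 else None
    return code, ident, None, b""


def build_eap(code, ident, eap_type=None, data=b""):
    """Serialize an EAP packet with a correct Length field."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


class EapPeer:
    def __init__(self, identity):
        self.identity = identity
        self.state = "DISABLED"
        self.trail = []          # every state entered, in order

    def _enter(self, *states):
        for s in states:
            self.state = s
            self.trail.append(s)

    def enable(self):
        """Transport layer enables the port: INITIALIZE sets the variables, then IDLE."""
        self._enter("INITIALIZE")
        self.last_id = None      # identifier of the last request we answered
        self.last_resp = None    # last response sent, replayed by RETRANSMIT
        self.decision = "FAIL"   # RFC 4137 peer starts with decision = FAIL
        self._enter("IDLE")

    def receive(self, pkt):
        """Run the machine for one incoming packet; returns response bytes or None."""
        if self.state != "IDLE":
            return None          # DISABLED or a terminal state: nothing to do
        self._enter("RECEIVED")
        parsed = parse_eap(pkt)
        if parsed is None:
            return self._discard()
        code, ident, eap_type, data = parsed
        if code in (SUCCESS, FAILURE):
            # Honoured only for the last answered id; Success additionally needs a method
            # to have decided, so an unsolicited Success right after Identity is dropped.
            if ident == self.last_id and (code == FAILURE or self.decision != "FAIL"):
                self._enter("SUCCESS" if code == SUCCESS else "FAILURE")
                return None
            return self._discard()
        if code != REQUEST:
            return self._discard()   # a peer never processes Responses
        if ident == self.last_id:
            self._enter("RETRANSMIT")    # duplicate request: resend the previous response
            return self._send(self.last_resp)
        if eap_type == T_IDENTITY:
            self._enter("IDENTITY")
            resp = build_eap(RESPONSE, ident, T_IDENTITY, self.identity.encode())
        elif eap_type == T_NOTIFICATION:
            self._enter("NOTIFICATION")
            resp = build_eap(RESPONSE, ident, T_NOTIFICATION)
        elif eap_type == T_TOY:
            self._enter("GET_METHOD", "METHOD")
            resp = build_eap(RESPONSE, ident, T_TOY, data[::-1])  # toy method: echo reversed
            self.decision = "COND_SUCC"  # method finished; a matching Success is now accepted
        else:
            self._enter("GET_METHOD")    # unsupported type: Nak listing what we do support
            resp = build_eap(RESPONSE, ident, T_NAK, bytes([T_TOY]))
        self.last_id = ident
        return self._send(resp)

    def _send(self, resp):
        self.last_resp = resp
        self._enter("SEND_RESPONSE", "IDLE")
        return resp

    def _discard(self):
        self._enter("DISCARD", "IDLE")
        return None


def run_demo():
    """Constructed exchange: Identity, premature Success, toy method, duplicate, Success."""
    peer = EapPeer("alice@example.net")
    peer.enable()
    out = [peer.receive(build_eap(REQUEST, 1, T_IDENTITY)),
           peer.receive(build_eap(SUCCESS, 1)),                 # too early: discarded
           peer.receive(build_eap(REQUEST, 2, T_TOY, b"abc")),
           peer.receive(build_eap(REQUEST, 2, T_TOY, b"abc")),  # duplicate: RETRANSMIT
           peer.receive(build_eap(SUCCESS, 2))]
    return peer, out
```

Calling `run_demo()` returns the peer and the five results; the trail reads INITIALIZE, IDLE, RECEIVED, IDENTITY, SEND_RESPONSE, IDLE, RECEIVED, DISCARD, IDLE, and so on through RETRANSMIT to SUCCESS, which is exactly the transition list on the slides. The retransmit branch relies on `last_id`, so a request whose identifier matches the one already answered is never re-processed by a method; it is answered from the cached response.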
EAP Stand-Alone Authenticator
Global transitions: DISABLED, INITIALIZE

EAP Stand-Alone Authenticator: DISABLED
The Authenticator is disabled until the port is enabled by the transport layer.
Transitions: INITIALIZE

EAP Stand-Alone Authenticator: INITIALIZE
Initializes all state machine variables.
Transitions: SELECT_ACTION

EAP Stand-Alone Authenticator: IDLE
The state machine is waiting for something to happen.
Transitions: RETRANSMIT, RECEIVED

EAP Stand-Alone Authenticator: RETRANSMIT
Retransmits the previous request packet.
Transitions: TIMEOUT_FAILURE, IDLE

EAP Stand-Alone Authenticator: RECEIVED
Entered when an EAP packet is received; parses the packet header.
Transitions: NAK, INTEGRITY_CHECK, DISCARD

EAP Stand-Alone Authenticator: NAK
Processes a Nak request.
Transitions: SELECT_ACTION

EAP Stand-Alone Authenticator: SELECT_ACTION
Re-evaluates whether or not the authenticator policy has been satisfied (implying success), has been unsatisfied (implying failure), or is still undecided.
Transitions: FAILURE, SUCCESS, PROPOSE_METHOD

EAP Stand-Alone Authenticator: INTEGRITY_CHECK
Checks and verifies the integrity of the incoming packet from the Peer.
Transitions: DISCARD, METHOD_RESPONSE

EAP Stand-Alone Authenticator: METHOD_RESPONSE
Processes the incoming packet.
Transitions: SELECT_ACTION, METHOD_REQUEST

EAP Stand-Alone Authenticator: PROPOSE_METHOD
Decides which authentication method to try next.
Transitions: METHOD_REQUEST

EAP Stand-Alone Authenticator: METHOD_REQUEST
Formulates a new request for the Peer.
Transitions: SEND_REQUEST

EAP Stand-Alone Authenticator: DISCARD
Signals the transport layer that the response has been discarded, and that no new request will be sent.
Transitions: IDLE

EAP Stand-Alone Authenticator: SEND_REQUEST
Signals the transport layer that a new request is ready to be sent.
Transitions: IDLE

EAP Stand-Alone Authenticator: TIMEOUT_FAILURE
Terminal state indicating a failure because no response has been received from the Peer.
Transitions: None

EAP Stand-Alone Authenticator: FAILURE
Terminal state indicating that the authentication has failed.
Transitions: None

EAP Stand-Alone Authenticator: SUCCESS
Terminal state indicating that the authentication has successfully completed.
Transitions: None
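The stand-alone authenticator side, as an added example for these notes (not code from the slides or from RFC 4137). It covers the parts the peer example does not: the retransmit budget that ends in TIMEOUT_FAILURE, the Nak path back through SELECT_ACTION and PROPOSE_METHOD, and a minimal INTEGRITY_CHECK (the response must carry the outstanding identifier and the type that was requested). Assumptions of this example: packets arrive as already-parsed (code, identifier, type, data) tuples from the transport layer, the method types 250 and 251 are constructed placeholders rather than real assignments, and the "method" itself is a toy check in which the peer must echo the challenge reversed; `MAX_RETRANS` plays the role of RFC 4137's `maxRetrans` counter.

```python
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4   # RFC 3748 codes
T_IDENTITY, T_NAK = 1, 3                          # RFC 3748 types
T_TOY_A, T_TOY_B = 250, 251   # constructed placeholder method types, not real assignments
MAX_RETRANS = 3               # RFC 4137 maxRetrans: resends allowed before TIMEOUT_FAILURE


class StandAloneAuthenticator:
    """Authenticator switch over parsed (code, id, type, data) tuples."""

    def __init__(self, policy):
        self.policy = list(policy)   # ordered method types the local policy accepts
        self.state = "DISABLED"
        self.trail = []              # every state entered, in order

    def _enter(self, *states):
        for s in states:
            self.state = s
            self.trail.append(s)

    def enable(self):
        """INITIALIZE the variables, then let SELECT_ACTION issue the first request."""
        self._enter("INITIALIZE")
        self.current_id, self.retrans, self.last_req = 0, 0, None
        self.identity = None
        self.method = None           # type of the outstanding request
        self.method_ok = False       # set once a policy method has verified the peer
        return self._select_action()

    def _select_action(self):
        """SELECT_ACTION: policy satisfied -> SUCCESS, exhausted -> FAILURE, else propose."""
        self._enter("SELECT_ACTION")
        if self.method_ok:
            self._enter("SUCCESS")
            return (SUCCESS, self.current_id, None, b"")
        if self.identity is not None and not self.policy:
            self._enter("FAILURE")
            return (FAILURE, self.current_id, None, b"")
        self._enter("PROPOSE_METHOD")
        if self.identity is None:
            self.method = T_IDENTITY          # Identity is always requested first
            return self._send(T_IDENTITY, b"")
        self.method = self.policy.pop(0)
        return self._send(self.method, b"challenge")

    def _send(self, eap_type, data):
        """METHOD_REQUEST builds the packet, SEND_REQUEST hands it to the transport."""
        self._enter("METHOD_REQUEST")
        self.current_id = (self.current_id + 1) % 256   # fresh identifier per request
        self.retrans = 0
        self.last_req = (REQUEST, self.current_id, eap_type, data)
        self._enter("SEND_REQUEST", "IDLE")
        return self.last_req

    def timeout(self):
        """Retransmit timer expired while IDLE; give up after MAX_RETRANS resends."""
        if self.state != "IDLE":
            return None
        self._enter("RETRANSMIT")
        if self.retrans >= MAX_RETRANS:
            self._enter("TIMEOUT_FAILURE")
            return None
        self.retrans += 1
        self._enter("IDLE")
        return self.last_req

    def receive(self, pkt):
        """RECEIVED -> NAK | INTEGRITY_CHECK | DISCARD, then back through SELECT_ACTION."""
        if self.state != "IDLE":
            return None
        self._enter("RECEIVED")
        code, ident, eap_type, data = pkt
        if code != RESPONSE or ident != self.current_id:
            return self._discard()            # not a response to the outstanding request
        if eap_type == T_NAK and self.method != T_IDENTITY:
            self._enter("NAK")                # peer rejected the proposed method: keep only
            self.policy = [m for m in self.policy if m in data]   # the types it listed
            return self._select_action()
        self._enter("INTEGRITY_CHECK")
        if eap_type != self.method:
            return self._discard()            # response type must match the request type
        self._enter("METHOD_RESPONSE")
        if eap_type == T_IDENTITY:
            self.identity = data.decode("utf-8", "replace")
        else:
            # toy check standing in for a real method: peer echoes the challenge reversed
            self.method_ok = data == self.last_req[3][::-1]
            if not self.method_ok:
                self.policy = []              # a failed method ends the conversation
        return self._select_action()

    def _discard(self):
        self._enter("DISCARD", "IDLE")
        return None


def run_demo():
    """Constructed exchange: Identity (after a resend), Nak of our first choice, second method."""
    auth = StandAloneAuthenticator(policy=[T_TOY_A, T_TOY_B])
    out = [auth.enable(),                                          # Request/Identity, id 1
           auth.timeout(),                                         # no answer yet: resend
           auth.receive((RESPONSE, 1, T_IDENTITY, b"alice")),      # -> proposes T_TOY_A, id 2
           auth.receive((RESPONSE, 2, T_NAK, bytes([T_TOY_B]))),   # Nak -> proposes T_TOY_B, id 3
           auth.receive((RESPONSE, 3, T_TOY_B, b"egnellahc"))]     # verified -> EAP Success
    return auth, out
```

Two details are worth noticing when reading the trail. A Nak is honoured only as the answer to a proposed method (RFC 4137 expresses this as `methodState == PROPOSED`), so a Nak sent in reply to the Identity request falls through to INTEGRITY_CHECK and is discarded. And because the method list is filtered by the peer's Nak rather than replaced by it, the authenticator's own policy order is preserved; an empty Nak leaves nothing to try and SELECT_ACTION ends in FAILURE.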
EAP Backend Authenticator
The Backend Authenticator is functionally equivalent to a Stand-Alone Authenticator, with the addition of the ability to "pick up" a conversation which had previously been started by a Pass-Through.
The only difference between the state machines is the addition of the PICK_UP_METHOD state and the removal of the TIMEOUT_FAILURE state.

EAP Backend Authenticator: PICK_UP_METHOD
Sets the initial state for a method being continued which was started elsewhere (e.g. in the Pass-Through).
Transitions: SELECT_ACTION, METHOD_RESPONSE
EAP Full Authenticator
The first part of a Full Authenticator is functionally identical to the Stand-Alone Authenticator, with the addition of a transition from the SELECT_ACTION state to INITIALIZE_PASSTHROUGH.

EAP Full Authenticator: SELECT_ACTION
Re-evaluates whether or not the authenticator policy has been satisfied (implying success), has been unsatisfied (implying failure), or is still undecided.
Transitions: FAILURE, SUCCESS, INITIALIZE_PASSTHROUGH, PROPOSE_METHOD

EAP Full Authenticator
The second part of a Full Authenticator supports the operation of Pass-Through mode.

EAP Full Authenticator: INITIALIZE_PASSTHROUGH
Initializes the variables used by the pass-through portion of the state machine.
Transitions: AAA_REQUEST, AAA_IDLE

EAP Full Authenticator: IDLE2
The state machine is awaiting a response from the Peer.
Transitions: RETRANSMIT2, RECEIVED2

EAP Full Authenticator: RETRANSMIT2
Retransmits the previous request packet.
Transitions: TIMEOUT_FAILURE2, IDLE2

EAP Full Authenticator: RECEIVED2
Entered when an EAP packet is received and the authenticator is in PASSTHROUGH mode.
Transitions: AAA_REQUEST, DISCARD2

EAP Full Authenticator: AAA_REQUEST
Parses the incoming EAP packet for submission to the AAA server.
Transitions: AAA_IDLE

EAP Full Authenticator: AAA_IDLE
Idle state indicating to the AAA server that there is a response. The state machine is awaiting a new request, a no-request signal, or a success / failure determination.
Transitions: DISCARD2, AAA_RESPONSE, TIMEOUT_FAILURE2, FAILURE2, SUCCESS2

EAP Full Authenticator: AAA_RESPONSE
Processes the request from the AAA interface into an EAP request.
Transitions: SEND_REQUEST2

EAP Full Authenticator: DISCARD2
Signals the transport layer that the response has been discarded. No new request packet will be sent.
Transitions: IDLE2

EAP Full Authenticator: SEND_REQUEST2
Signals the transport layer that a request packet is ready to be sent.
Transitions: IDLE2

EAP Full Authenticator: TIMEOUT_FAILURE2
Terminal state indicating failure because no response has been received.
Transitions: None

EAP Full Authenticator: FAILURE2
Terminal state indicating authentication failure.
Transitions: None

EAP Full Authenticator: SUCCESS2
Terminal state indicating authentication success.
Transitions: None
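The pass-through half of the Full Authenticator, as an added example for these notes (not code from the slides or from RFC 4137). It starts in INITIALIZE_PASSTHROUGH holding the Identity response the local half already collected, relays it through AAA_REQUEST / AAA_IDLE, and from then on only does three things: relay whatever EAP request the backend returns (AAA_RESPONSE, SEND_REQUEST2), retransmit it while waiting (RETRANSMIT2), and enter SUCCESS2 or FAILURE2 when the backend says so. The edge device never chooses a method and never issues a Success on its own; it only forwards Responses whose identifier matches the outstanding request. Assumptions of this example: the AAA server is an in-process stub (a real deployment carries these messages in RADIUS EAP-Message attributes per RFC 3579), packets are already-parsed (code, identifier, type, data) tuples, and method type 250 is a constructed placeholder whose check is again "echo the challenge reversed".

```python
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4   # RFC 3748 codes
T_IDENTITY, T_TOY = 1, 250   # 250: constructed placeholder method type, not a real assignment
MAX_RETRANS = 3              # resends allowed before TIMEOUT_FAILURE2


class StubAaaServer:
    """Constructed backend EAP server: one toy challenge after Identity, then a verdict."""

    def __init__(self, expected_identity):
        self.expected = expected_identity
        self.identity = None

    def handle(self, resp):
        """Return ("request", next_request) | ("success", None) | ("failure", None)."""
        _, ident, eap_type, data = resp
        if eap_type == T_IDENTITY:
            self.identity = data.decode("utf-8", "replace")
            # the backend picks the next method; in pass-through the edge device never does
            return "request", (REQUEST, (ident + 1) % 256, T_TOY, b"challenge")
        if eap_type == T_TOY and self.identity == self.expected and data == b"egnellahc":
            return "success", None
        return "failure", None


class PassThroughAuthenticator:
    """Pass-through half of a Full Authenticator over parsed (code, id, type, data) tuples."""

    def __init__(self, aaa):
        self.aaa = aaa
        self.state = "DISABLED"
        self.trail = []              # every state entered, in order

    def _enter(self, *states):
        for s in states:
            self.state = s
            self.trail.append(s)

    def start(self, identity_response):
        """INITIALIZE_PASSTHROUGH with the Identity response the local half already holds."""
        self._enter("INITIALIZE_PASSTHROUGH")
        self.retrans, self.last_req = 0, None
        self.current_id = identity_response[1]
        return self._forward(identity_response)     # -> AAA_REQUEST

    def timeout(self):
        """RETRANSMIT2 while awaiting the peer; TIMEOUT_FAILURE2 once the budget is spent."""
        if self.state != "IDLE2":
            return None
        self._enter("RETRANSMIT2")
        if self.retrans >= MAX_RETRANS:
            self._enter("TIMEOUT_FAILURE2")
            return None
        self.retrans += 1
        self._enter("IDLE2")
        return self.last_req

    def receive(self, pkt):
        """RECEIVED2: forward a matching Response to the AAA server, drop anything else."""
        if self.state != "IDLE2":
            return None
        self._enter("RECEIVED2")
        code, ident, _, _ = pkt
        if code != RESPONSE or ident != self.current_id:
            self._enter("DISCARD2", "IDLE2")   # stale identifier or a non-Response packet
            return None
        return self._forward(pkt)

    def _forward(self, resp):
        """AAA_REQUEST -> AAA_IDLE, then act on whatever the AAA server returns."""
        self._enter("AAA_REQUEST", "AAA_IDLE")
        verdict, req = self.aaa.handle(resp)
        if verdict == "success":
            self._enter("SUCCESS2")
            return (SUCCESS, self.current_id, None, b"")
        if verdict == "failure":
            self._enter("FAILURE2")
            return (FAILURE, self.current_id, None, b"")
        self._enter("AAA_RESPONSE")      # AAA supplied the next EAP request to relay
        self.current_id, self.last_req, self.retrans = req[1], req, 0
        self._enter("SEND_REQUEST2", "IDLE2")
        return req


def run_demo(expected_identity="alice"):
    """Constructed exchange: Identity handed over, a stale duplicate, the toy method answer."""
    auth = PassThroughAuthenticator(StubAaaServer(expected_identity))
    out = [auth.start((RESPONSE, 1, T_IDENTITY, b"alice")),    # -> relays Request id 2
           auth.receive((RESPONSE, 1, T_IDENTITY, b"alice")),  # stale id 1 -> DISCARD2
           auth.receive((RESPONSE, 2, T_TOY, b"egnellahc"))]   # backend decides
    return auth, out
```

`run_demo()` walks INITIALIZE_PASSTHROUGH, AAA_REQUEST, AAA_IDLE, AAA_RESPONSE, SEND_REQUEST2, IDLE2, then RECEIVED2, DISCARD2, IDLE2 for the stale duplicate, and finally RECEIVED2, AAA_REQUEST, AAA_IDLE, SUCCESS2. Running it with `expected_identity="bob"` ends the same conversation in FAILURE2 with an EAP Failure carrying the last request's identifier, which is the backend's decision being relayed rather than anything the edge device decided itself.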
Other Considerations
• Robustness
  • Certain states will block, possibly for extended periods:
    • IDENTITY
    • METHOD
  • Can be resolved via implementation considerations, e.g. multithreading
• Security
  • Certain EAP packets are not encrypted (RFC 3748)
  • Known DoS vulnerabilities:
    • EAP Peer
    • EAP Stand-Alone Authenticator
  • Need to weigh additional security against peer support
Review
• EAP Peer State Machine: implementation of an EAP Peer
• EAP Stand-Alone Authenticator: implementation of a self-contained authenticator
• EAP Backend Authenticator: implementation of a backend authenticator when using an AAA server
• EAP Full Authenticator: implementation of a complete authenticator
References
• Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)", RFC 3579, September 2003.
• Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H. Levkowetz, Ed., "Extensible Authentication Protocol (EAP)", RFC 3748, June 2004.
• Aboba, B., Simon, D., Arkko, J., Eronen, P., and H. Levkowetz, "Extensible Authentication Protocol (EAP) Key Management Framework", Work in Progress, July 2005.
• Institute of Electrical and Electronics Engineers, "Standard for Local and Metropolitan Area Networks: Port-Based Network Access Control", IEEE 802.1X-2004, December 2004.
• Vollbrecht, J., Eronen, P., Petroni, N., and Y. Ohba, "State Machines for Extensible Authentication Protocol (EAP) Peer and Authenticator", RFC 4137, August 2005.