doc.: ieee 802.11-01/252 submission may 2001 bernard aboba, microsoftslide 1 issues with the 802.1x...
TRANSCRIPT
May 2001
Bernard Aboba, MicrosoftSlide 1
doc.: IEEE 802.11-01/252
Submission
Issues with the 802.1X State Machine
IEEE 802.1X Revision PARBernard Aboba
Microsoft(excerpted from IEEE 802.11-01/252)
May 2001
Bernard Aboba, MicrosoftSlide 2
doc.: IEEE 802.11-01/252
Submission
Goals
• To describe issues with IEEE 802.1X state machine and 802.11 roaming
• To recommend a solution
May 2001
Bernard Aboba, MicrosoftSlide 3
doc.: IEEE 802.11-01/252
Submission
Roaming Requirements• Enterprise
– User is identified by user-name (NAI), not IP or MAC address– Security is not compromised– Roaming needs to be available for all potential 802.1X authentication
methods– Desirable for user to be able to keep the same IP address when roaming, if
possible– MUST be able to roam without reauthentication if desired– MUST be able to roam without dropping traffic in case of reauthentication
• “Hot Spot”– User is identified by user-name (NAI), not IP or MAC address– Security is not compromised– Roaming should be fast
• Going back to the home authentication server may cause substantial delays (~ seconds)
May 2001
Bernard Aboba, MicrosoftSlide 4
doc.: IEEE 802.11-01/252
Submission
Context Transfer & IEEE 802.1X State Machine
• Goal– User context can move to new AP without reauthentication, if desired
• May wish to enable delayed reauthentication on roam
• Process– Client reassociates to new AP– New AP validates reassociate, attempts context transfer from old AP
• Context transfer succeeds: AP sends EAP-Success to client• Context transfer fails: re-associate treated as an associate
• Requirements– Successful reassociate has same result as if new AP authenticated successfully to
backend authentication server– Unsuccessful reassociate has same result as an associate– Authentication for reassociate, disassociate, beacon messages
• Issues– No 802.1X event or state corresponding to associate or successful re-associate!
May 2001
Bernard Aboba, MicrosoftSlide 5
doc.: IEEE 802.11-01/252
Submission
Additions to Backend Authentication State Machine (Figure 8-12)
• Goal– Successful re-associate has same result as if new AP authenticated to
backend authentication server
• Successful reassociate equivalent to: – Setting aSuccess=TRUE; aWhile=serverTimeout; reqCount=0;
currentId=0; rxResp=aFail=FALSE; authTimeout=FALSE; aReq=FALSE
– Transition to SUCCESS state• Causes canned Success message to be sent
• Unsuccessful reassociate equivalent to associate:– Set authAbort=TRUE
– Transition to INITIALIZE state• Authentication starts again
May 2001
Bernard Aboba, MicrosoftSlide 6
doc.: IEEE 802.11-01/252
Submission
Additions to Authenticator PAE State Machine (Figure 8-8)• Goal
– Successful re-associate has same result as if new AP authenticated to backend authentication server
• Unsuccessful reassociate equivalent to:– Set portEnabled=TRUE; currentId=1; portMode=Auto; portStatus=Unauthorized;
eapLogff=FALSE; reAuthCount=0; – Transition to CONNECTING state
• Successful reassociate with no-reauth == TRUE equivalent to: – Set portMode=Auto; eapLogoff=FALSE; reAuthCount=1; currentId=1;
portStatus=Unauthorized; eapStart=FALSE; reAuthenticate=FALSE; authSuccess=TRUE; authFail=FALSE; authTimeout=FALSE; portEnabled=TRUE;
– Transition to AUTHENTICATED
• Successful reassociate with no-reauth == FALSE equivalent to:– Set portMode=Auto; currentId = 2; eapLogoff=FALSE; reAuthCount=0;
portStatus=Authorized; portEnabled=TRUE; reAuthenticate=TRUE;– Transition to CONNECTING
May 2001
Bernard Aboba, MicrosoftSlide 7
doc.: IEEE 802.11-01/252
Submission
Additions to Supplicant PAE State Machine (Figure 8-14)
• Goal– Successful reassociate has same result as if supplicant successfully authenticated
to authenticator
• Sequence of events for successful reassociate– Supplicant in AUTHENTICATED state– Reassociate request sent by Supplicant– Success sent by Authenticator– Supplicant remains in AUTHENTICATED state
• Sequence of events for unsuccessful reassociate– Supplicant in AUTHENTICATED state– Reassociate request sent by Supplicant– EAP-Request/Identity sent by Authenticator– On EAP-Request/Identity, supplicant transitions to ACQUIRED state