Presentation is loading. Please wait.

Presentation is loading. Please wait.

Doc.: IEEE 802.11-01/252 Submission May 2001 Bernard Aboba, MicrosoftSlide 1 Issues with the 802.1X State Machine IEEE 802.1X Revision PAR Bernard Aboba.

Similar presentations


Presentation on theme: "Doc.: IEEE 802.11-01/252 Submission May 2001 Bernard Aboba, MicrosoftSlide 1 Issues with the 802.1X State Machine IEEE 802.1X Revision PAR Bernard Aboba."— Presentation transcript:

1 doc.: IEEE /252 Submission May 2001 Bernard Aboba, MicrosoftSlide 1 Issues with the 802.1X State Machine IEEE 802.1X Revision PAR Bernard Aboba Microsoft (excerpted from IEEE /252)

2 doc.: IEEE /252 Submission May 2001 Bernard Aboba, MicrosoftSlide 2 Goals To describe issues with IEEE 802.1X state machine and roaming To recommend a solution

3 doc.: IEEE /252 Submission May 2001 Bernard Aboba, MicrosoftSlide 3 Roaming Requirements Enterprise –User is identified by user-name (NAI), not IP or MAC address –Security is not compromised –Roaming needs to be available for all potential 802.1X authentication methods –Desirable for user to be able to keep the same IP address when roaming, if possible –MUST be able to roam without reauthentication if desired –MUST be able to roam without dropping traffic in case of reauthentication Hot Spot –User is identified by user-name (NAI), not IP or MAC address –Security is not compromised –Roaming should be fast Going back to the home authentication server may cause substantial delays (~ seconds)

4 doc.: IEEE /252 Submission May 2001 Bernard Aboba, MicrosoftSlide 4 Context Transfer & IEEE 802.1X State Machine Goal –User context can move to new AP without reauthentication, if desired May wish to enable delayed reauthentication on roam Process –Client reassociates to new AP –New AP validates reassociate, attempts context transfer from old AP Context transfer succeeds: AP sends EAP-Success to client Context transfer fails: re-associate treated as an associate Requirements –Successful reassociate has same result as if new AP authenticated successfully to backend authentication server –Unsuccessful reassociate has same result as an associate –Authentication for reassociate, disassociate, beacon messages Issues –No 802.1X event or state corresponding to associate or successful re-associate!

5 doc.: IEEE /252 Submission May 2001 Bernard Aboba, MicrosoftSlide 5 Additions to Backend Authentication State Machine (Figure 8-12) Goal –Successful re-associate has same result as if new AP authenticated to backend authentication server Successful reassociate equivalent to: –Setting aSuccess=TRUE; aWhile=serverTimeout; reqCount=0; currentId=0; rxResp=aFail=FALSE; authTimeout=FALSE; aReq=FALSE –Transition to SUCCESS state Causes canned Success message to be sent Unsuccessful reassociate equivalent to associate: –Set authAbort=TRUE –Transition to INITIALIZE state Authentication starts again

6 doc.: IEEE /252 Submission May 2001 Bernard Aboba, MicrosoftSlide 6 Additions to Authenticator PAE State Machine (Figure 8-8) Goal –Successful re-associate has same result as if new AP authenticated to backend authentication server Unsuccessful reassociate equivalent to: –Set portEnabled=TRUE; currentId=1; portMode=Auto; portStatus=Unauthorized; eapLogff=FALSE; reAuthCount=0; –Transition to CONNECTING state Successful reassociate with no-reauth == TRUE equivalent to: –Set portMode=Auto; eapLogoff=FALSE; reAuthCount=1; currentId=1; portStatus=Unauthorized; eapStart=FALSE; reAuthenticate=FALSE; authSuccess=TRUE; authFail=FALSE; authTimeout=FALSE; portEnabled=TRUE; –Transition to AUTHENTICATED Successful reassociate with no-reauth == FALSE equivalent to: –Set portMode=Auto; currentId = 2; eapLogoff=FALSE; reAuthCount=0; portStatus=Authorized; portEnabled=TRUE; reAuthenticate=TRUE; –Transition to CONNECTING

7 doc.: IEEE /252 Submission May 2001 Bernard Aboba, MicrosoftSlide 7 Additions to Supplicant PAE State Machine (Figure 8-14) Goal –Successful reassociate has same result as if supplicant successfully authenticated to authenticator Sequence of events for successful reassociate –Supplicant in AUTHENTICATED state –Reassociate request sent by Supplicant –Success sent by Authenticator –Supplicant remains in AUTHENTICATED state Sequence of events for unsuccessful reassociate –Supplicant in AUTHENTICATED state –Reassociate request sent by Supplicant –EAP-Request/Identity sent by Authenticator –On EAP-Request/Identity, supplicant transitions to ACQUIRED state


Download ppt "Doc.: IEEE 802.11-01/252 Submission May 2001 Bernard Aboba, MicrosoftSlide 1 Issues with the 802.1X State Machine IEEE 802.1X Revision PAR Bernard Aboba."

Similar presentations


Ads by Google