802.1X & EAP State Machines (found at: Jim Burns Paul Congdon Nick Petroni John Vollbrecht.

Slides:



Advertisements
Similar presentations
Authentication.
Advertisements

Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
Discussion of KaY Key Exchange and Management Interface to SecY
Doc.: IEEE /252 Submission May 2001 Bernard Aboba, MicrosoftSlide 1 Issues with the 802.1X State Machine IEEE 802.1X Revision PAR Bernard Aboba.
802.1AF - directions define requirements to find and create connections in terms of Discovery - Authentication - Enable 1.Discover of what can be done.
EAP STATE Machine Proposal
EAP State Machines IETF 56 - March 19, 2003 John Vollbrecht Nick Petroni
Doc.: IEEE /0018r0 Submission January 2010 Alexander Tolpin, Intel CorporationSlide 1 4 –Way Handshake Synchronization Issue Date:
S4C4 PPP. Protocols Point to Point Protocol Link Control Protocol Network Control Program Password Authentication Protocol Challenge Handshake Authentication.
Doc.: IEEE /0780r1 Submission NameAffiliationsAddressPhone Ping Fang Zhiming Ding Phillip Barber Rob Sun Huawei Technologies Co., Ltd. Bldg.
Analysis and Improvements over DoS Attacks against IEEE i Standard Networks Security, Wireless Communications and Trusted Computing(NSWCTC), 2010.
Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference Slide: 1 Lesson 4 Point to Point Protocol (PPP)
What is EAP EAP stands for Extensible Authentication Protocol. Offers a basic framework for authentication. Many different authentication protocols can.
IETF 58 PANA WG PANA Update and Open Issues (draft-ietf-pana-pana-02.txt) Dan Forsberg, Yoshihiro Ohba, Basavaraj Patil, Hannes Tschofenig, Alper Yegin.
1 Data Communications Point-to-Point Protocol (PPP)
WLAN Security Examining EAP and 802.1x x works at Layer 2 to authentication and authorize devices on wireless access points.
802.1x EAP Authentication Protocols
An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.
The Transport Layer Chapter 6. The Transport Service Services Provided to the Upper Layers Transport Service Primitives Berkeley Sockets An Example of.
Authentication Center for SDP Federation
Chapter 5 Secure LAN Switching.  MAC Address Flooding Causing CAM Overflow and Subsequent DOS and Traffic Analysis Attacks.
802.1x Port Authentication via RADIUS By Oswaldo Perdomo cs580 Network Security.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
Point-to-Point Access: PPP. In a network, two devices can be connected by a dedicated link or a shared link. In the first case, the link can be used by.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 1 ver.2 Module 7 City College.
Method of identifying mobile devices Srinivas Tenneti.
Doc.: IEEE /1066r2 Submission July 2011 Robert Moskowitz, VerizonSlide 1 Link Setup Flow Date: Authors: NameCompanyAddressPhone .
Network Security1 – Chapter 5 (B) – Using IEEE 802.1x Purpose: (a) port authentication (b) access control An IEEE standard
Introduction to Networking. Key Terms packet  envelope of data sent between computers server  provides services to the network client  requests actions.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
Shambhu Upadhyaya Security –Upper Layer Authentication Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 10)
November 10, 2003EAP WG, IETF 581 EAP State Machines (draft-ietf-eap-statemachine-01) John Vollbrecht, Pasi Eronen, Nick Petroni, Yoshihiro Ohba.
Csci388 Wireless and Mobile Security – Access Control: 802
Submission doc.: IEEE /1003r2 July 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Upper Layer Data on Management frames Date:
12. Point-to-Point Access: PPP
Doc.: IEEE /562r1 Submission November 2001 Tim Moore, Bernard Aboba/Microsoft Authenticated Fast Handoff IEEE Tgi Tim Moore Bernard Aboba.
3/20/2007IETF68 PANA WG1 PANA Issues and Resolutions Yoshihiro Ohba Alper Yegin.
Doc.: IEEE /610r0 Submission November 2001 Tim Moore, Microsoft 802.1X and key interactions Tim Moore.
CSE 8343 State Machines for Extensible Authentication Protocol Peer and Authenticator.
Doc.: IEEE /1281r1 Submission NameAffiliationsAddressPhone Robert Sun;Huawei Technologies Co., Ltd. Suite 400, 303 Terry Fox Drive, Kanata,
Network Access Control
Doc.: IEEE /0873r0 Submission July 2010 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Effectiveness of Reduction of Message Exchanges Date:
Doc.: IEEE /610r0 Submission November 2001 Tim Moore, Microsoft 802.1X and key interactions Tim Moore.
NSIS QoS NSLP Authorzation Issues Hannes Tschofenig.
Doc.: IEEE r1 Submission March 2008 Charles Fan,Amy Zhang, HuaweiSlide 1 Authentication and Key Management of MP with multiple radios Date:
Doc.: IEEE /1426r02 Submission NameAffiliationsAddressPhone ChengYan FengZTE Corporation No.800, Middle Tianfu Avenue, Hi-tech District,
Communication Networks NETW 501 Tutorial 2
Introduction to Port-Based Network Access Control EAP, 802.1X, and RADIUS Anthony Critelli Introduction to Port-Based Network Access Control.
Eap STate machinE dEsign teaM (ESTEEM) Draft Team members Bernard Aboba, Jari Arkko, Paul.
Port Based Network Access Control
EAP Applicability IETF-86 Joe Salowey. Open Issues Open Issues with Retransmission and re- authentication Remove text about lack of differentiation in.
Wireless Security - Encryption Joel Jaeggli For AIT Wireless and Security Workshop.
Relationship between peer link and physical link
Open issues with PANA Protocol
EAP State Machines (draft-vollbrecht-eap-state-04.txt,ps)
802.1x/EAP state machine status Work in Progress
802.1X and key interactions Tim Moore November 2001
Chapter 2 Network Models.
– Chapter 5 (B) – Using IEEE 802.1x
TDLS Setup Date: Authors: Mar 2008 September 2007
PaC State Machine States
Chapter 2 Network Models.
EAP State Machines IETF 56 - March 19, 2003
Integrity Check for Disassociate/Associate/Re-associate
Chapter 2 Network Models.
802.1X/ Issues Nancy Cam-Winget, Cisco Systems
Chapter 2 Network Models.
Relationship between peer link and physical link
Overview of Improvements to Key Holder Protocols
Overview of Improvements to Key Holder Protocols
Presentation transcript:

802.1X & EAP State Machines (found at: Jim Burns Paul Congdon Nick Petroni John Vollbrecht

New Significant 802.1aa/D5 Changes Specification of interface between EAP/802.1X No more EAP packet processing in 802.1X Addition of controlled port in Supplicant Initial Authenticator request comes from EAP Ability for EAP to silently discard frames Proposed inclusion of EAP machines in 802.1X Annex EAPOL-Key exchange sequenced before EAP-Success Propose to include generic 4-way handshake within 802.1X

Issues to Discuss How to best incorporate into the 802.1X/EAP interface diagrams? What is the proper sequence for key exchange and sending final EAP-Success? What is the interface to generic 4-way handshake machine? Where to define the specification of EAPOL-Key message processing?

802.1x EAP Layer EAP Method port enabled/disabled eapResp eapReq eapFail eapSuccess eapNoReq eapRestart eapResp eapNoResp eapRcvd eapSuccess eapFail EAP / 802.1X Interface (excluding key exchange) port enabled/disabled Supplicant/PeerAuthenticator

802.1x EAP Layer EAP Method Link Secure (physical or crypto) keyAvailable portValid Key Interface with EAP 802.1X &

802.1x EAP Layer EAP Method rxMethodReq intCheck !intCheck Method-state Startmethod rcvRsp/NAK Method-state intCheck !intCheck EAP / EAP Method Interface

Supplicant Front-End LOGOFF txLogoff; logoffSent = TRUE; portStatus = Unauthorized; (userLogoff && !logoffSent) && !(initialize || !portEnabled) DISCONNECTED startCount = 0; logoffSent = FALSE; portStatus = Unauthorized; suppAbort = TRUE; HELD heldWhile = heldPeriod; portStatus = Unauthorized; CONNECTING startWhen = startPeriod; startCount = startCount + 1; eapRcvd = FALSE; txStart; AUTHENTICATED portStatus = Authorized; AUTHENTICATING startCount = 0; eapSuccess = FALSE; easFail = FALSE; suppTimeout = FALSE; suppStart = TRUE; eapRcvd = FALSE; Initialize || !portEnabled eapFail !userLogoff heldWhile == 0eapRcvd UTC eapRcvd && portValid !portValid (((startWhen == 0) && (startCount >= maxStart)) !! eapSuccess) && portValid eapRcvd (startWhen == 0) && (startCount < maxStart) suppTimeout eapSuccess && portValid

Supplicant Back-End INITIALIZE previousId = 256; abortSupp; suppAbort = FALSE; REQUEST authWhile = 0; getSuppRsp; RESPONSE txsuppRsp(receivedId, previousId); previousId = receivedId; eapResp = FALSE; RECEIVE authWhile = authPeriod; eapRcvd = FALSE; eapNoResp = FALSE; TIMEOUT suppTimeout = TRUE IDLE suppStart = FALSE; UTC eapNoResp eapResp UTC eapRcvd authWhile == 0 UTC suppStart eapSucess || eapFail (portControl! = Auto) || Initialize || suppAbort

EAP Peer

INITIALIZE portMode=auto; eapRestart=TRUE; DISCONNECTED portStatus=Unauthorized eapolLogoff=FALSE; HELD portSatus=Unauthorized quietWhile=quietPeriod; eapolLogoff=FALSE; CONNECTING eapolStart=FALSE; reAuthenticate=FALSE AUTHENTICATED portStatus=Authorized AUTHENTICATING authSuccess=FALSE; authFail=FALSE; authTimeout=FALSE; authStart=TRUE; ABORTING authAbort=TRUE; eapRestart=TRUE; ((portControl==auto) && (portMode != portControl)) || Initialize || !portEnabled eapolLogoff || !portValid eapolStart || reAuthenticate eapolLogoff UCT authSuccess && portValid UCT (eapReq || eapSuccess || eapFail) && (eapRestart == FALSE) (quietWhile == 0) !eapolLogoff && !authAbort eapolLogoff && !authAbort authFail reAuthenticate || eapolStart || eapolLogoff || authTimeout Authenticator Front-End

INITIALIZE abortAuth; eapNoRequest=FALSE; authAbort=FALSE; IGNORE eapNoReques t = FALSE; TIMEOUT authTimeout=TRUE; SUCCESS txReq(); authSuccess=TRUE; REQUEST txReq(); aWhileReq=suppTimeout; inc(reqCount); RESPONSE eapRequest=eapSuccess=FALSE; authTimeout=FALSE; eapResp=eapFail=FALSE; eapNoRequest=FALSE; aWhile=serverTimeout; reqCount=0; sendRespToServer(); FAIL txReq(); authFail=TRUE; IDLE authStart=FALSE; reqCount=0; UCT AuthStart && eapSuccess AuthStart && eapFail AuthStart && eapRequest eapSuccess && ((keyTxEnabled && !keyAvailable) || !keyTxEnabled) eapRequest (aWhileReq == 0) && (reqCount != maxReq) eapResp eapFail aWhile==0 eapNoRequest (aWhileReq==0) && (reqCount>=maxReq) UCT (aWhileReq==0) && (reqCount>=maxReq) eapResp (aWhileReq==0) && (reqCount != maxReq) UCT (portControl!=Auto)|| Initialize || authAbort Authenticator Backend

EAP Authenticator

Authenticator Key Tx Machine NO_KEY_TRANSMIT KEY_TRANSMIT txKey; keyAvailable = FALSE Initialize || (portControl != Auto) keyTxEnable && keyAvailable && eapSuccess keyAvailable !keyTxEnable || authFail || eapolLogoff

Supplicant Key Tx Machine NO_SUPP_KEY_TRANSMIT SUPP_KEY_TRANSMIT txSuppKey; suppKeyAvailable = FALSE Initialize keyTxEnable && suppkeyAvailable && eapSuccess suppKeyAvailable !keyTxEnable || eapFail || userlLogoff

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.