802.1x/EAP state machine status Work in Progress


1 802.1x/EAP state machine status (Work in Progress)
January 2003, doc.: IEEE /079r0
Robert Moskowitz, ICSAlabs

2 Driving Events
- 802.1aa Draft 4.1 balloting
  - Ballot resolution Jan 7 - 9
- EAPbis Design Team progress
  - EAP state machinery
- 802.11i Draft 3 balloting

3 802.1aa change goals
- To provide a packet handshake interface to the EAP layer that supports the actions of the EAP layer
- To remove interpretation of, and action upon, EAP packets within 802.1X (for the most part)
- To do so without completely re-writing the rest of the supplicant machines
- To give the EAP layer complete decision power over the authentication state of the supplicant

4 Developments in EAPbis
- EAP 'switch' state machine
  - Still evolving
- Chaining of methods standardized
- Identity Request/Response is a method

5 Developments in 802.1aa
- Eliminate indeterminate end condition in machine
  - Key exchange after authenticator is notified by AS of success, before it sends EAP-Success
  - Sending of EAP-Success is the deterministic end of 802.1x
- Linking of Supplicant backend to EAP switch machine

6 802.1x Supplicant Back End
This might be rolled into the front end at this point

7 BEM Global Variables
- SuppStart
- SuppSuccess
  - from EAP switch
- SuppFail
- SuppTimeout
- SuppRsp
- SuppNoRsp
- EapRcvd

8 EAP Switch Machine (Changes Pending)
States and their actions, as shown on the slide:
- DISABLED
- INITIALIZE: methodState = SUCC; discCount = 0
- IDLE: eapRcvd = FALSE; timeout = FALSE; suppResp = FALSE; suppNoResp = FALSE
- ACTIVE DIALOG: rxNotify = FALSE; rxMethodReq = FALSE; rxSuccess = FALSE; rxFailure = FALSE; parseReceivedMessage()
- METHOD INIT: allowMethod = Policy.allow(currentMethod); if (allowMethod) { methodState = INIT }
- METHOD: intCheck = doIntegrityCheck(); if (intCheck) { methodState = {CONT | CON_SUCC | SUCC | FAIL} }; buildMethodResp(currentId)
- NAK: buildNak(currentMethod); suppResp = TRUE
- DISCARD: increment(discCount); suppNoResp = TRUE
- SUCCESS: suppSuccess = TRUE
- FAILURE: suppFail = TRUE
Transition conditions appearing on the diagram:
- linkEnabled / !linkEnabled
- UCT
- eapRcvd / else
- intCheck / !intCheck
- allowMethod / !allowMethod
- rxMethodReq && methodState == CONT
- methodState == SUCC || methodState == CON_SUCC
- timeout && methodState != CON_SUCC
- timeout && Policy.isSatisfied() && methodState == CON_SUCC
- successCondition = Policy.isSatisfied() && ((rxSuccess && methodState == CON_SUCC) || (rxSuccess && methodState == SUCC))
- failureCondition = (rxFailure && methodState == FAIL) || (rxFailure && methodState == SUCC)
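The successCondition, failureCondition and IDLE-timeout rules from the slide above, worked through as runnable Python. This is an added illustration, not code from the presentation or from any 802.1aa/EAPbis draft; MethodState, success_condition, failure_condition and next_state are my own names, and sending every unmatched frame to DISCARD is a simplifying assumption about the diagram.

```python
from enum import Enum, auto

class MethodState(Enum):
    """methodState values named on the EAP switch slide (constructed enum)."""
    INIT = auto()      # method selected, no result yet
    CONT = auto()      # method wants another round trip
    CON_SUCC = auto()  # conditionally successful: may finish on a timeout
    SUCC = auto()      # method reports success
    FAIL = auto()      # method reports failure

def success_condition(policy_satisfied, rx_success, method_state):
    """successCondition: an EAP-Success counts only when policy is satisfied
    and the method already ended in SUCC or CON_SUCC."""
    return (policy_satisfied and rx_success
            and method_state in (MethodState.SUCC, MethodState.CON_SUCC))

def failure_condition(rx_failure, method_state):
    """failureCondition: an EAP-Failure is honoured only when the method
    ended in FAIL or SUCC, never while a round trip is still pending."""
    return rx_failure and method_state in (MethodState.FAIL, MethodState.SUCC)

def next_state(policy_satisfied, method_state, rx_success=False,
               rx_failure=False, rx_method_req=False, timeout=False):
    """Resolve one received EAP frame (ACTIVE DIALOG) or an IDLE timeout and
    return the name of the state the switch moves to. Simplified reading of
    the slide: anything matching no transition falls through to DISCARD."""
    if timeout:
        # IDLE timeout: only a conditionally successful method with a
        # satisfied policy may finish on silence; everything else fails.
        if method_state is MethodState.CON_SUCC and policy_satisfied:
            return "SUCCESS"
        return "FAILURE"
    if success_condition(policy_satisfied, rx_success, method_state):
        return "SUCCESS"
    if failure_condition(rx_failure, method_state):
        return "FAILURE"
    if rx_method_req and method_state is MethodState.CONT:
        return "METHOD"
    # e.g. an EAP-Success arriving while the method still wants a round trip
    # (methodState == CONT), or with policy unsatisfied: not a valid end of
    # the conversation, so it is discarded (discCount++, suppNoResp = TRUE)
    # rather than accepted as success.
    return "DISCARD"
```

The last rule is the slide's "complete decision power" point in practice: an EAP-Success that the method layer has not earned, whether premature or with policy unsatisfied, is discarded rather than ending the exchange.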

9 EAP Global variables
- SuppSuccess
- SuppFail
  - Also set if keying is required but no key is available
- KeyAvail
  - Used to initiate the Key Transmit machine
- SuppRsp
- SuppNoRsp
  - EAP must acknowledge each frame to 802.1x

10 Authenticator Key Transmit state machine changes
- EAPOL-Key message definition and delivery mechanism is indeterminate
  - Has caused issues that have impacted, and continue to impact, the synchronization of external components such as the DHCP client
  - Requires better coordination with the EAPOL-Success message
- Key transmit happens before EAP Success

11 More on Key Transmit
- If it uses aSuccess and KeyAvail, key transmit only occurs after the end of the EAP exchanges
- If it only uses KeyAvail, the key exchange can happen in the middle of a chained EAP exchange
  - Design team leaning toward this approach
  - Keying material in Access-Challenge
  - Implies a signal that the link is protected

12 Impact on 802.11i
- Is key derivation part of authentication or a separate machine?
- The 4-way handshake occurs in at least 4 places outside of 802.1x authentication
  - Shared Key, Rekey, Michael recovery, Pre-auth
- RADIUS Accept WILL set KeyAvail
- Either way, changes in 802.1aa result in changes in 802.11i

