CSE 8343: State Machines for Extensible Authentication Protocol Peer and Authenticator

Post on 19-Jan-2016


CSE 8343: State Machines for Extensible Authentication Protocol Peer and Authenticator

IETF RFC 4137

Extensible Authentication Protocol (EAP) Working Group

RFC 4137: State Machines for EAP Peer and Authenticator

RFC 4137 Overview
• RFC 4137 describes a set of state machines for:
  • EAP Peer
  • EAP Stand-Alone Authenticator (Non-Pass-Through)
  • EAP Backend Authenticator
  • EAP Full Authenticator
• Describes sample EAP implementations
  • Peer / Authenticator
  • Peer / Authenticator / AAA

RFC 4137 Overview
• Illustrative of authoritative RFCs
  • Peer and Stand-Alone Authenticator for EAP from RFC 3748
  • Backend and Full/Pass-Through for EAP/AAA from RFC 3748 and RFC 3579
• Based on the EAP “Switch” model

EAP Switch Model
• An EAP authentication is a sequence of EAP methods
• Result sent from Authenticator to Peer
  • If successful, EAP Success
  • If unsuccessful, EAP Failure
• EAP Switches control the negotiation sequence
  • Select which methods each will use
  • Negotiate methods or sequence of methods

[Diagram: Peer (Peer EAP Switch, Peer Method) exchanging EAP with Authenticator (Auth EAP Switch, Auth Method)]

EAP Pass-Through Model
• Authentication resident on backend server
• Allows the edge device to pass EAP Responses through to the backend server

[Diagram: Peer (Peer EAP Switch, Peer Method); Authenticator (Auth EAP Switch, Local Method, Pass-Through); Backend (Backend EAP Server)]

State Machine Notation (IEEE 802.1X-2004)
• State diagrams represent the operation of a protocol
• Group of connected, mutually exclusive states
• Only one state of each machine can be active at a time
• Upon entry to a state, the defined procedures are executed exactly once
  • Executed in the given order
  • Atomic actions

[Diagram: a state box labelled STATE IDENTIFIER containing Procedure 1 … Procedure N, with an outgoing arrow labelled Condition]

EAP Peer
Global Transitions: DISABLED, INITIALIZE

EAP Peer: DISABLED
Reached whenever service from the transport layer is interrupted or unavailable.
Transitions: INITIALIZE

EAP Peer: INITIALIZE
Initializes the state machine variables.
Transitions: IDLE

EAP Peer: IDLE
The state machine is waiting for something to happen.
Transitions: RECEIVED, SUCCESS, FAILURE

EAP Peer: RECEIVED
Entered when an EAP packet is received.
Transitions: METHOD, GET_METHOD, IDENTITY, NOTIFICATION, RETRANSMIT, SUCCESS, FAILURE, DISCARD

EAP Peer: METHOD
Performs the method processing. The request from the Authenticator is processed, and the appropriate response packet built.
Transitions: DISCARD, FAILURE, SEND_RESPONSE

EAP Peer: GET_METHOD
Entered when a request for a new type comes in. This will result in either starting the appropriate method, or responding with a Nak.
Transitions: METHOD, SEND_RESPONSE

EAP Peer: IDENTITY
Separate handling for the Identity method, including building the response packet.
Transitions: SEND_RESPONSE

EAP Peer: NOTIFICATION
Separate handling for the Notification method, including building the response packet.
Transitions: SEND_RESPONSE

EAP Peer: RETRANSMIT
Resends the previous response packet.
Transitions: SEND_RESPONSE

EAP Peer: DISCARD
Signals the transport layer that the request has been ignored and that no response will be sent.
Transitions: IDLE

EAP Peer: SEND_RESPONSE
Signals the transport layer that a response packet is ready to be sent.
Transitions: IDLE

EAP Peer: SUCCESS
Terminal state indicating a successful authentication.
Transitions: None

EAP Peer: FAILURE
Terminal state indicating a failed authentication.
Transitions: None
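An added example, not code from the slides or from RFC 4137: the Peer transition lists above as a table, plus a checker that replays a state trace and reports the first step the slides do not allow, which is a cheap conformance test for a Peer implementation's own state log. The state names and per-state transitions are the ones on the slides; `legal()`, `walk()` and the sample traces are my own assumptions.

```python
# Added example (not from the slides or RFC 4137): EAP Peer transitions as a
# table, with a checker that replays a state trace.  State names and transitions
# follow the slides; legal(), walk() and the traces below are assumptions.

# Per-state transitions as listed on the Peer slides.
PEER_TRANSITIONS = {
    "DISABLED": {"INITIALIZE"},
    "INITIALIZE": {"IDLE"},
    "IDLE": {"RECEIVED", "SUCCESS", "FAILURE"},
    "RECEIVED": {"METHOD", "GET_METHOD", "IDENTITY", "NOTIFICATION",
                 "RETRANSMIT", "SUCCESS", "FAILURE", "DISCARD"},
    "METHOD": {"DISCARD", "FAILURE", "SEND_RESPONSE"},
    "GET_METHOD": {"METHOD", "SEND_RESPONSE"},
    "IDENTITY": {"SEND_RESPONSE"},
    "NOTIFICATION": {"SEND_RESPONSE"},
    "RETRANSMIT": {"SEND_RESPONSE"},
    "DISCARD": {"IDLE"},
    "SEND_RESPONSE": {"IDLE"},
    "SUCCESS": set(),  # terminal: only a global transition leaves it
    "FAILURE": set(),  # terminal
}
# Global transitions: reachable from every state (transport down / restart).
GLOBAL_TARGETS = {"DISABLED", "INITIALIZE"}

def legal(src, dst):
    """True if src -> dst is listed on the slides or is a global transition."""
    if src not in PEER_TRANSITIONS or dst not in PEER_TRANSITIONS:
        return False
    return dst in GLOBAL_TARGETS or dst in PEER_TRANSITIONS[src]

def walk(trace, start="DISABLED"):
    """Replay a state trace; return (True, None) or (False, bad_index)."""
    state = start
    for i, nxt in enumerate(trace):
        if not legal(state, nxt):
            return False, i
        state = nxt
    return True, None

# Constructed trace: Identity exchange, one method, then EAP Success.
GOOD_TRACE = ["INITIALIZE", "IDLE", "RECEIVED", "IDENTITY", "SEND_RESPONSE",
              "IDLE", "RECEIVED", "GET_METHOD", "METHOD", "SEND_RESPONSE",
              "IDLE", "RECEIVED", "SUCCESS"]
# Constructed trace: method processing entered without a packet being received.
BAD_TRACE = ["INITIALIZE", "IDLE", "METHOD"]

if __name__ == "__main__":
    print(walk(GOOD_TRACE), walk(BAD_TRACE))  # (True, None) (False, 2)
```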

EAP Stand-Alone Authenticator
Global Transitions: DISABLED, INITIALIZE

EAP Stand-Alone Authenticator: DISABLED
The Authenticator is disabled until the port is enabled by the transport layer.
Transitions: INITIALIZE

EAP Stand-Alone Authenticator: INITIALIZE
Initializes all state machine variables.
Transitions: SELECT_ACTION

EAP Stand-Alone Authenticator: IDLE
The state machine is waiting for something to happen.
Transitions: RETRANSMIT, RECEIVED

EAP Stand-Alone Authenticator: RETRANSMIT
Retransmits the previous request packet.
Transitions: TIMEOUT_FAILURE, IDLE

EAP Stand-Alone Authenticator: RECEIVED
Entered when an EAP packet is received; parses the packet header.
Transitions: NAK, INTEGRITY_CHECK, DISCARD

EAP Stand-Alone Authenticator: NAK
Processes a Nak request.
Transitions: SELECT_ACTION

EAP Stand-Alone Authenticator: SELECT_ACTION
Re-evaluates whether the authenticator policy has been satisfied (implying success), has been unsatisfied (implying failure), or is still undecided.
Transitions: FAILURE, SUCCESS, PROPOSE_METHOD

EAP Stand-Alone Authenticator: INTEGRITY_CHECK
Checks and verifies the integrity of the incoming packet from the Peer.
Transitions: DISCARD, METHOD_RESPONSE

EAP Stand-Alone Authenticator: METHOD_RESPONSE
Processes the incoming packet.
Transitions: SELECT_ACTION, METHOD_REQUEST

EAP Stand-Alone Authenticator: PROPOSE_METHOD
Decides which authentication method to try next.
Transitions: METHOD_REQUEST

EAP Stand-Alone Authenticator: METHOD_REQUEST
Formulates a new request for the Peer.
Transitions: SEND_REQUEST

EAP Stand-Alone Authenticator: DISCARD
Signals the transport layer that the response has been discarded, and no new request will be sent.
Transitions: IDLE

EAP Stand-Alone Authenticator: SEND_REQUEST
Signals the transport layer that a new request is ready to be sent.
Transitions: IDLE

EAP Stand-Alone Authenticator: TIMEOUT_FAILURE
Terminal state indicating a failure because no response has been received from the Peer.
Transitions: None

EAP Stand-Alone Authenticator: FAILURE
Terminal state indicating that the authentication has failed.
Transitions: None

EAP Stand-Alone Authenticator: SUCCESS
Terminal state indicating that the authentication has successfully completed.
Transitions: None

EAP Backend Authenticator
The Backend Authenticator is functionally equivalent to a Stand-Alone Authenticator, with the addition of the ability to “pick up” a conversation which had previously been started by a Pass-Through.

The only difference between the state machines is the addition of the PICK_UP_METHOD state and the removal of the TIMEOUT_FAILURE state.

EAP Backend Authenticator: PICK_UP_METHOD
Sets the initial state for a method being continued which was started elsewhere (e.g. in the Pass-Through).
Transitions: SELECT_ACTION, METHOD_RESPONSE

EAP Full Authenticator
The first part of a Full Authenticator is functionally identical to the Stand-Alone Authenticator, with the addition of a transition from the SELECT_ACTION state to PASSTHROUGH.

EAP Full Authenticator: SELECT_ACTION
Re-evaluates whether the authenticator policy has been satisfied (implying success), has been unsatisfied (implying failure), or is still undecided.
Transitions: FAILURE, SUCCESS, INITIALIZE_PASSTHROUGH, PROPOSE_METHOD

EAP Full Authenticator
The second part of a Full Authenticator supports the operation of Pass-Through mode.

EAP Full Authenticator: INITIALIZE_PASSTHROUGH
Initializes the variables used by the pass-through portion of the state machine.
Transitions: AAA_REQUEST, AAA_IDLE

EAP Full Authenticator: IDLE2
The state machine is awaiting a response from the Peer.
Transitions: RETRANSMIT2, RECEIVED2

EAP Full Authenticator: RETRANSMIT2
Retransmits the previous request packet.
Transitions: TIMEOUT_FAILURE2, IDLE2

EAP Full Authenticator: RECEIVED2
Entered when an EAP packet is received and the authenticator is in PASSTHROUGH mode.
Transitions: AAA_REQUEST, DISCARD2

EAP Full Authenticator: AAA_REQUEST
Parses the incoming EAP packet for submission to the AAA server.
Transitions: AAA_IDLE

EAP Full Authenticator: AAA_IDLE
Idle state indicating to the AAA server that there is a response. The state machine is awaiting a new request, a no-request signal, or a success / failure determination.
Transitions: DISCARD2, AAA_RESPONSE, TIMEOUT_FAILURE2, FAILURE2, SUCCESS

EAP Full Authenticator: AAA_RESPONSE
Processes the request from the AAA interface into an EAP request.
Transitions: SEND_REQUEST2

EAP Full Authenticator: DISCARD2
Signals the transport layer that the response has been discarded. No new request packet will be sent.
Transitions: IDLE2

EAP Full Authenticator: SEND_REQUEST2
Signals the transport layer that a request packet is ready to be sent.
Transitions: IDLE2

EAP Full Authenticator: TIMEOUT_FAILURE2
Terminal state indicating failure because no response has been received.
Transitions: None

EAP Full Authenticator: FAILURE2
Terminal state indicating authentication failure.
Transitions: None

EAP Full Authenticator: SUCCESS2
Terminal state indicating authentication success.
Transitions: None

Other Considerations
• Robustness
  • Certain states will block, possibly for extended periods
    • IDENTITY
    • METHOD
  • Can be resolved via implementation considerations
    • Multithreading
• Security
  • Certain EAP packets are not encrypted (RFC 3748)
  • Known DoS vulnerabilities
    • EAP Peer
    • EAP Stand-Alone
  • Need to weigh additional security vs. peer support

Review
• EAP Peer State Machine
  • Implementation of EAP Peer
• EAP Stand-Alone Authenticator
  • Implementation of a self-contained authenticator
• EAP Backend Authenticator
  • Implementation of a backend authenticator when using an AAA server
• EAP Full Authenticator
  • Implementation of a complete authenticator

References
• Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)", RFC 3579, September 2003.
• Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H. Levkowetz, Ed., "Extensible Authentication Protocol (EAP)", RFC 3748, June 2004.
• Aboba, B., Simon, D., Arkko, J., Eronen, P., and H. Levkowetz, "Extensible Authentication Protocol (EAP) Key Management Framework", Work in Progress, July 2005.
• Institute of Electrical and Electronics Engineers, "Standard for Local and Metropolitan Area Networks: Port-Based Network Access Control", IEEE 802.1X-2004, December 2004.
• Vollbrecht, J., Eronen, P., Petroni, N., and Y. Ohba, "State Machines for Extensible Authentication Protocol (EAP) Peer and Authenticator", RFC 4137, August 2005.
