CSE 8343 State Machines for Extensible Authentication Protocol Peer and Authenticator.


IETF RFC 4137
Extensible Authentication Protocol (EAP) Working Group
RFC 4137: State Machines for EAP Peer and Authenticator

RFC 4137 Overview
RFC 4137 describes a set of state machines for:
- EAP Peer
- EAP Stand-Alone Authenticator (Non-Pass-Through)
- EAP Backend Authenticator
- EAP Full Authenticator
It also describes sample EAP implementations:
- Peer / Authenticator
- Peer / Authenticator / AAA

RFC 4137 Overview
- Illustrative of the authoritative RFCs
- Peer and Stand-Alone Authenticator for EAP, from RFC 3748
- Backend and Full/Pass-Through for EAP/AAA, from RFC 3748 and RFC 3579
- Based on the EAP “Switch” model

EAP Switch Model
- An EAP authentication is a sequence of EAP methods
- The result is sent from the Authenticator to the Peer: EAP Success if successful, EAP Failure if unsuccessful
- EAP switches control the negotiation sequence: each selects which methods it will use, and the two negotiate the methods or the sequence of methods
[Figure: Peer side (Peer EAP Switch, Peer Method) facing Authenticator side (Auth EAP Switch, Auth Method)]

EAP Pass-Through Model
- Authentication is resident on a backend server
- Allows the edge device to pass EAP Responses through to it
[Figure: Peer (Peer EAP Switch, Peer Method), Authenticator (Auth EAP Switch, Local Method, Pass-Through), Backend EAP Server]

State Machine Notation (IEEE 802.1X-2004)
- State diagrams represent the operation of a protocol
- A group of connected, mutually exclusive states: only one state of each machine can be active at a time
- Upon entry to a state, the defined procedures are executed exactly once, in the given order, as atomic actions
[Figure: a state box labelled STATE IDENTIFIER listing Procedure 1 … Procedure N, with an outgoing transition labelled Condition]

EAP Peer Global Transitions: DISABLED, INITIALIZE

EAP Peer: DISABLED
Reached whenever service from the transport layer is interrupted or unavailable.
Transitions to: INITIALIZE

EAP Peer: INITIALIZE
Initializes the state machine variables.
Transitions to: IDLE

EAP Peer: IDLE
The state machine is waiting for something to happen.
Transitions to: RECEIVED, SUCCESS, FAILURE

EAP Peer: RECEIVED
Entered when an EAP packet is received.
Transitions to: METHOD, GET_METHOD, IDENTITY, NOTIFICATION, RETRANSMIT, SUCCESS, FAILURE, DISCARD

EAP Peer: METHOD
Performs the method processing. The request from the Authenticator is processed, and the appropriate response packet is built.
Transitions to: DISCARD, FAILURE, SEND_RESPONSE

EAP Peer: GET_METHOD
Entered when a request for a new type comes in. This results in either starting the appropriate method or responding with a Nak.
Transitions to: METHOD, SEND_RESPONSE

EAP Peer: IDENTITY
Separate handling for the Identity method, including building the response packet.
Transitions to: SEND_RESPONSE

EAP Peer: NOTIFICATION
Separate handling for the Notification method, including building the response packet.
Transitions to: SEND_RESPONSE

EAP Peer: RETRANSMIT
Resends the previous response packet.
Transitions to: SEND_RESPONSE

EAP Peer: DISCARD
Signals the transport layer that the request has been ignored and that no response will be sent.
Transitions to: IDLE

EAP Peer: SEND_RESPONSE
Signals the transport layer that a response packet is ready to be sent.
Transitions to: IDLE

EAP Peer: SUCCESS
Terminal state indicating a successful authentication.
Transitions to: none

EAP Peer: FAILURE
Terminal state indicating a failed authentication.
Transitions to: none
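The peer states above can be walked through with a small simulation. The following Python is an added example, not code from the slides or from RFC 4137; it follows the slide's state names, uses the RFC 3748 packet layout (Code, Identifier, Length, Type) and RFC 3748 MD5-Challenge response computation, and assumes a constructed identity and shared secret. The trace list records every state entered so the path RECEIVED → GET_METHOD → METHOD → SEND_RESPONSE → IDLE (or RETRANSMIT on a duplicate request) can be inspected.

```python
import hashlib
import struct

# EAP codes and method types from RFC 3748.
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
IDENTITY, NOTIFICATION, NAK, MD5_CHALLENGE = 1, 2, 3, 4


def build_eap(code, identifier, type_=None, data=b""):
    """Serialise an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if type_ is None else bytes([type_]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(pkt):
    """Return (code, identifier, type, data), or None if the header is malformed."""
    if len(pkt) < 4:
        return None
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or code not in (REQUEST, RESPONSE, SUCCESS, FAILURE):
        return None
    if length == 4:
        return code, ident, None, b""
    return code, ident, pkt[4], pkt[5:]


def md5_response_value(ident, secret, challenge):
    """MD5-Challenge response value (RFC 3748 section 5.4): MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class EapPeer:
    """EAP peer switch following the RFC 4137 state names used on the slides."""

    def __init__(self, identity, secret, supported=(MD5_CHALLENGE,)):
        self.identity, self.secret, self.supported = identity, secret, set(supported)
        self.state, self.trace = "DISABLED", []
        self.port_enabled()

    def _go(self, state):
        self.state = state
        self.trace.append(state)

    def port_enabled(self):
        """DISABLED -> INITIALIZE -> IDLE: reset the state machine variables."""
        self._go("INITIALIZE")
        self.selected_method, self.last_id, self.last_resp = None, None, None
        self._go("IDLE")

    def _method(self, ident, data):
        """METHOD: answer an MD5-Challenge request (Value-Size, Value, Name)."""
        size = data[0] if data else 0
        value = md5_response_value(ident, self.secret, data[1:1 + size])
        return build_eap(RESPONSE, ident, MD5_CHALLENGE, bytes([len(value)]) + value + self.identity)

    def receive(self, pkt):
        """Feed one packet from the lower layer; return the response to send, or None."""
        if self.state != "IDLE":
            return None  # DISABLED or a terminal state: nothing is processed
        self._go("RECEIVED")
        parsed = parse_eap(pkt)
        if parsed is None or parsed[0] == RESPONSE:
            self._go("DISCARD")
            self._go("IDLE")
            return None
        code, ident, type_, data = parsed
        if code in (SUCCESS, FAILURE):
            # RFC 4137 only accepts a result whose Identifier matches the last Request;
            # an unsolicited Success or Failure is discarded rather than acted on.
            if ident != self.last_id:
                self._go("DISCARD")
                self._go("IDLE")
                return None
            self._go("SUCCESS" if code == SUCCESS else "FAILURE")
            return None
        if ident == self.last_id:
            self._go("RETRANSMIT")  # duplicate Request: resend the previous Response
            resp = self.last_resp
        elif type_ == IDENTITY:
            self._go("IDENTITY")
            resp = build_eap(RESPONSE, ident, IDENTITY, self.identity)
        elif type_ == NOTIFICATION:
            self._go("NOTIFICATION")
            resp = build_eap(RESPONSE, ident, NOTIFICATION)
        elif type_ == self.selected_method:
            self._go("METHOD")
            resp = self._method(ident, data)
        else:
            self._go("GET_METHOD")  # Request for a new type: start it or Nak it
            if type_ in self.supported:
                self.selected_method = type_
                self._go("METHOD")
                resp = self._method(ident, data)
            else:
                resp = build_eap(RESPONSE, ident, NAK, bytes(sorted(self.supported)))
        self._go("SEND_RESPONSE")
        self.last_id, self.last_resp = ident, resp
        self._go("IDLE")
        return resp
```

Feeding `EapPeer(b"alice", b"s3cret")` a Request/Identity, then a Request for an unsupported type, then a Request/MD5-Challenge produces a Response/Identity, a Nak listing type 4, and the MD5 Response; repeating the last Request returns the cached Response via RETRANSMIT, and a Success carrying a stale Identifier is discarded instead of ending the conversation.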

EAP Stand-Alone Authenticator Global Transitions: DISABLED, INITIALIZE

EAP Stand-Alone Authenticator: DISABLED
The Authenticator is disabled until the port is enabled by the transport layer.
Transitions to: INITIALIZE

EAP Stand-Alone Authenticator: INITIALIZE
Initializes all state machine variables.
Transitions to: SELECT_ACTION

EAP Stand-Alone Authenticator: IDLE
The state machine is waiting for something to happen.
Transitions to: RETRANSMIT, RECEIVED

EAP Stand-Alone Authenticator: RETRANSMIT
Retransmits the previous request packet.
Transitions to: TIMEOUT_FAILURE, IDLE

EAP Stand-Alone Authenticator: RECEIVED
Entered when an EAP packet is received; parses the packet header.
Transitions to: NAK, INTEGRITY_CHECK, DISCARD

EAP Stand-Alone Authenticator: NAK
Processes a Nak response.
Transitions to: SELECT_ACTION

EAP Stand-Alone Authenticator: SELECT_ACTION
Re-evaluates whether the authenticator policy has been satisfied (implying success), has been unsatisfied (implying failure), or is still undecided.
Transitions to: FAILURE, SUCCESS, PROPOSE_METHOD

EAP Stand-Alone Authenticator: INTEGRITY_CHECK
Checks and verifies the integrity of the incoming packet from the Peer.
Transitions to: DISCARD, METHOD_RESPONSE

EAP Stand-Alone Authenticator: METHOD_RESPONSE
Processes the incoming packet.
Transitions to: SELECT_ACTION, METHOD_REQUEST

EAP Stand-Alone Authenticator: PROPOSE_METHOD
Decides which authentication method to try next.
Transitions to: METHOD_REQUEST

EAP Stand-Alone Authenticator: METHOD_REQUEST
Formulates a new request for the Peer.
Transitions to: SEND_REQUEST

EAP Stand-Alone Authenticator: DISCARD
Signals the transport layer that the response has been discarded, and that no new request will be sent.
Transitions to: IDLE

EAP Stand-Alone Authenticator: SEND_REQUEST
Signals the transport layer that a new request is ready to be sent.
Transitions to: IDLE

EAP Stand-Alone Authenticator: TIMEOUT_FAILURE
Terminal state indicating failure because no response has been received from the Peer.
Transitions to: none

EAP Stand-Alone Authenticator: FAILURE
Terminal state indicating that the authentication has failed.
Transitions to: none

EAP Stand-Alone Authenticator: SUCCESS
Terminal state indicating that the authentication has completed successfully.
Transitions to: none
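The authenticator side of the same exchange, as an added example that is not part of the slides or of RFC 4137: it models the Stand-Alone Authenticator states listed above, including the INTEGRITY_CHECK that drops any Response whose Identifier does not match the outstanding Request, the NAK path back through SELECT_ACTION and PROPOSE_METHOD, and the RETRANSMIT counter that ends in TIMEOUT_FAILURE. The challenge is passed in by the caller so the example is deterministic (a real authenticator would draw it from a CSPRNG); the secret, the MAX_RETRANS value of 3 and the server name are constructed assumptions, and only the RFC 3748 Identity and MD5-Challenge methods are implemented.

```python
import hashlib
import hmac
import struct

# EAP codes and method types from RFC 3748.
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
IDENTITY, NAK, MD5_CHALLENGE = 1, 3, 4
MAX_RETRANS = 3  # assumed limit before TIMEOUT_FAILURE (RFC 3748 suggests 3 to 5)


def md5_response_value(ident, secret, challenge):
    """MD5-Challenge response value (RFC 3748 section 5.4): MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class EapStandAloneAuthenticator:
    """Stand-alone authenticator: Identity exchange, then one MD5-Challenge method."""

    def __init__(self, secret, challenge, methods=(MD5_CHALLENGE,)):
        self.secret, self.challenge, self.methods = secret, challenge, list(methods)
        self.state, self.trace = "DISABLED", []

    def _go(self, state):
        self.state = state
        self.trace.append(state)

    def port_enabled(self):
        """DISABLED -> INITIALIZE: reset the variables, then choose the first action."""
        self._go("INITIALIZE")
        self.current_id, self.retrans, self.last_req = 0, 0, None
        self.peer_identity, self.current_method, self.decision = None, None, None
        return self._select_action()

    def _select_action(self):
        """SELECT_ACTION: policy satisfied -> SUCCESS, unsatisfied -> FAILURE, else PROPOSE_METHOD."""
        self._go("SELECT_ACTION")
        if self.decision is not None:
            self._go(self.decision)
            code = SUCCESS if self.decision == "SUCCESS" else FAILURE
            return struct.pack("!BBH", code, self.current_id, 4)  # Identifier of the last Response
        self._go("PROPOSE_METHOD")
        if self.peer_identity is None:
            self.current_method, data = IDENTITY, b""
        elif self.methods:
            self.current_method = self.methods.pop(0)
            data = bytes([len(self.challenge)]) + self.challenge + b"server"
        else:
            self.decision = "FAILURE"  # no method left that both sides accept
            return self._select_action()
        return self._method_request(self.current_method, data)

    def _method_request(self, type_, data):
        """METHOD_REQUEST -> SEND_REQUEST -> IDLE: fresh Identifier, retransmit counter reset."""
        self._go("METHOD_REQUEST")
        self.current_id = (self.current_id + 1) % 256
        body = bytes([type_]) + data
        self.last_req = struct.pack("!BBH", REQUEST, self.current_id, 4 + len(body)) + body
        self.retrans = 0
        self._go("SEND_REQUEST")
        self._go("IDLE")
        return self.last_req

    def timeout(self):
        """IDLE -> RETRANSMIT: resend the same Request, or give up with TIMEOUT_FAILURE."""
        if self.state != "IDLE":
            return None
        self._go("RETRANSMIT")
        if self.retrans >= MAX_RETRANS:
            self._go("TIMEOUT_FAILURE")
            return None
        self.retrans += 1
        self._go("IDLE")
        return self.last_req

    def receive(self, pkt):
        """IDLE -> RECEIVED -> INTEGRITY_CHECK -> NAK or METHOD_RESPONSE -> SELECT_ACTION."""
        if self.state != "IDLE":
            return None
        self._go("RECEIVED")
        ok = len(pkt) >= 5 and struct.unpack("!BBH", pkt[:4])[2] == len(pkt)
        if ok:
            self._go("INTEGRITY_CHECK")
            # Only a Response whose Identifier matches the outstanding Request is accepted;
            # a stale, replayed or unsolicited packet is dropped without issuing a new Request.
            ok = pkt[0] == RESPONSE and pkt[1] == self.current_id
        if not ok:
            self._go("DISCARD")
            self._go("IDLE")
            return None
        type_, data = pkt[4], pkt[5:]
        if type_ == NAK:
            self._go("NAK")
            self.methods = [m for m in self.methods if m in data]  # keep what the peer accepts
            return self._select_action()
        self._go("METHOD_RESPONSE")
        if type_ != self.current_method:
            self._go("DISCARD")
            self._go("IDLE")
            return None
        if type_ == IDENTITY:
            self.peer_identity = data
        elif type_ == MD5_CHALLENGE:
            expected = md5_response_value(self.current_id, self.secret, self.challenge)
            got = data[1:1 + data[0]] if data else b""
            self.decision = "SUCCESS" if hmac.compare_digest(got, expected) else "FAILURE"
        return self._select_action()
```

`port_enabled()` returns the first Request/Identity; each later `receive()` or `timeout()` returns the next packet to put on the wire, or None when the machine discarded the input or reached a terminal state. The hash comparison uses `hmac.compare_digest` so that a wrong Response is rejected in constant time.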

EAP Backend Authenticator
The Backend Authenticator is functionally equivalent to a Stand-Alone Authenticator, with the added ability to “pick up” a conversation that was previously started by a Pass-Through. The only differences between the state machines are the addition of the PICK_UP_METHOD state and the removal of the TIMEOUT_FAILURE state.

EAP Backend Authenticator: PICK_UP_METHOD
Sets the initial state for a method being continued that was started elsewhere (e.g. in the Pass-Through).
Transitions to: SELECT_ACTION, METHOD_RESPONSE

EAP Full Authenticator
The first part of a Full Authenticator is functionally identical to the Stand-Alone Authenticator, with the addition of a transition from the SELECT_ACTION state to PASSTHROUGH.

EAP Full Authenticator: SELECT_ACTION
Re-evaluates whether the authenticator policy has been satisfied (implying success), has been unsatisfied (implying failure), or is still undecided.
Transitions to: FAILURE, SUCCESS, INITIALIZE_PASSTHROUGH, PROPOSE_METHOD

EAP Full Authenticator
The second part of a Full Authenticator supports the operation of Pass-Through Mode.

EAP Full Authenticator: INITIALIZE_PASSTHROUGH
Initializes the variables used by the pass-through portion of the state machine.
Transitions to: AAA_REQUEST, AAA_IDLE

EAP Full Authenticator: IDLE2
The state machine is awaiting a response from the Peer.
Transitions to: RETRANSMIT2, RECEIVED2

EAP Full Authenticator: RETRANSMIT2
Retransmits the previous request packet.
Transitions to: TIMEOUT_FAILURE2, IDLE2

EAP Full Authenticator: RECEIVED2
Entered when an EAP packet is received and the authenticator is in PASSTHROUGH mode.
Transitions to: AAA_REQUEST, DISCARD2

EAP Full Authenticator: AAA_REQUEST
Parses the incoming EAP packet for submission to the AAA server.
Transitions to: AAA_IDLE

EAP Full Authenticator: AAA_IDLE
Idle state indicating to the AAA server that there is a response. The state machine is awaiting a new request, a no-request signal, or a success / failure determination.
Transitions to: DISCARD2, AAA_RESPONSE, TIMEOUT_FAILURE2, FAILURE2, SUCCESS2

EAP Full Authenticator: AAA_RESPONSE
Processes the request from the AAA interface into an EAP request.
Transitions to: SEND_REQUEST2

EAP Full Authenticator: DISCARD2
Signals the transport layer that the response has been discarded. No new request packet will be sent.
Transitions to: IDLE2

EAP Full Authenticator: SEND_REQUEST2
Signals the transport layer that a request packet is ready to be sent.
Transitions to: IDLE2

EAP Full Authenticator: TIMEOUT_FAILURE2
Terminal state indicating failure because no response has been received.
Transitions to: none

EAP Full Authenticator: FAILURE2
Terminal state indicating authentication failure.
Transitions to: none

EAP Full Authenticator: SUCCESS2
Terminal state indicating authentication success.
Transitions to: none
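The pass-through half of the Full Authenticator can be exercised on its own. The Python below is an added example, not code from the slides or from RFC 4137: it implements the "2"-suffixed states listed above, relaying each matching Response from the peer to an AAA interface and turning whatever comes back into the next Request, a Success or a Failure. The AAA interface is a constructed in-memory function (`constructed_backend`) standing in for the backend EAP server; it asks for one round of the RFC 3748 Experimental method (type 255) and then answers with Success, which is an assumption made only so the exchange can run offline. MAX_RETRANS is likewise an assumed value.

```python
import struct

# EAP codes from RFC 3748.
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
MAX_RETRANS = 3  # assumed retransmission limit before TIMEOUT_FAILURE2


def constructed_backend(resp):
    """Constructed stand-in for the backend EAP server reached over AAA: after the
    peer's Response/Identity it requests one round of the Experimental method
    (type 255), and answers that Response with Success carrying the same Identifier."""
    ident, type_ = resp[1], resp[4]
    if type_ == 1:
        return struct.pack("!BBH", REQUEST, (ident + 1) % 256, 5) + bytes([255])
    return struct.pack("!BBH", SUCCESS, ident, 4)


class EapPassThrough:
    """Pass-through part of the Full Authenticator (the states with the '2' suffix)."""

    def __init__(self, aaa_send):
        self.aaa_send = aaa_send  # hands a Response to AAA and returns its reply, or None
        self.state, self.trace = "SELECT_ACTION", []

    def _go(self, state):
        self.state = state
        self.trace.append(state)

    def initialize_passthrough(self, pending_response=None):
        """SELECT_ACTION -> INITIALIZE_PASSTHROUGH; forward a Response already collected locally."""
        self._go("INITIALIZE_PASSTHROUGH")
        self.current_id, self.retrans, self.last_req = None, 0, None
        if pending_response is None:
            self._go("AAA_IDLE")
            return None
        return self._aaa_request(pending_response)

    def _aaa_request(self, resp):
        """AAA_REQUEST -> AAA_IDLE, then act on what the AAA interface hands back."""
        self._go("AAA_REQUEST")
        reply = self.aaa_send(resp)
        self._go("AAA_IDLE")
        if reply is None:  # no-request signal from AAA
            self._go("DISCARD2")
            self._go("IDLE2")
            return None
        if reply[0] == SUCCESS:
            self._go("SUCCESS2")
            return reply
        if reply[0] == FAILURE:
            self._go("FAILURE2")
            return reply
        self._go("AAA_RESPONSE")  # the AAA-supplied request becomes the next EAP Request
        self.current_id, self.last_req, self.retrans = reply[1], reply, 0
        self._go("SEND_REQUEST2")
        self._go("IDLE2")
        return reply

    def receive(self, pkt):
        """IDLE2 -> RECEIVED2: a matching Response goes to AAA, anything else is DISCARD2."""
        if self.state != "IDLE2":
            return None
        self._go("RECEIVED2")
        well_formed = len(pkt) >= 5 and struct.unpack("!BBH", pkt[:4])[2] == len(pkt)
        if not well_formed or pkt[0] != RESPONSE or pkt[1] != self.current_id:
            self._go("DISCARD2")
            self._go("IDLE2")
            return None
        return self._aaa_request(pkt)

    def timeout(self):
        """IDLE2 -> RETRANSMIT2 -> IDLE2, or TIMEOUT_FAILURE2 once MAX_RETRANS is reached."""
        if self.state != "IDLE2":
            return None
        self._go("RETRANSMIT2")
        if self.retrans >= MAX_RETRANS:
            self._go("TIMEOUT_FAILURE2")
            return None
        self.retrans += 1
        self._go("IDLE2")
        return self.last_req
```

Starting with the peer's Response/Identity that the local Identity exchange produced, `initialize_passthrough()` forwards it and returns the backend's Request; a peer Response with the wrong Identifier is dropped in RECEIVED2 without touching AAA, and the matching Response is relayed and ends in SUCCESS2.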

Other Considerations
Robustness
- Certain states will block, possibly for extended periods: IDENTITY, METHOD
- Can be resolved via implementation considerations, e.g. multithreading
Security
- Certain EAP packets are not encrypted (RFC 3748)
- Known DoS vulnerabilities: EAP Peer, EAP Stand-Alone
- Need to weigh additional security vs. peer support

Review
- EAP Peer State Machine: implementation of an EAP Peer
- EAP Stand-Alone Authenticator: implementation of a self-contained authenticator
- EAP Backend Authenticator: implementation of a backend authenticator when using an AAA server
- EAP Full Authenticator: implementation of a complete authenticator

References
- Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)", RFC 3579, September.
- Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H. Levkowetz, Ed., "Extensible Authentication Protocol (EAP)", RFC 3748, June.
- Aboba, B., Simon, D., Arkko, J., Eronen, P., and H. Levkowetz, "Extensible Authentication Protocol (EAP) Key Management Framework", Work in Progress, July.
- Institute of Electrical and Electronics Engineers, "Standard for Local and Metropolitan Area Networks: Port-Based Network Access Control", IEEE 802.1X-2004, December.
- Vollbrecht, J., Eronen, P., Petroni, N., and Y. Ohba, "State Machines for Extensible Authentication Protocol (EAP) Peer and Authenticator", RFC 4137, August 2005.