Presentation is loading. Please wait.

Presentation is loading. Please wait.

Doc.: IEEE 802.11-01/252 Submission May 2001 Bernard Aboba, MicrosoftSlide 1 Issues with the 802.1X State Machine IEEE 802.1X Revision PAR Bernard Aboba.

Published byVictoria Houston Modified over 10 years ago

Similar presentations

Presentation on theme: "Doc.: IEEE 802.11-01/252 Submission May 2001 Bernard Aboba, MicrosoftSlide 1 Issues with the 802.1X State Machine IEEE 802.1X Revision PAR Bernard Aboba."— Presentation transcript:

1 doc.: IEEE 802.11-01/252 Submission May 2001 Bernard Aboba, MicrosoftSlide 1 Issues with the 802.1X State Machine IEEE 802.1X Revision PAR Bernard Aboba Microsoft (excerpted from IEEE 802.11-01/252)

2 doc.: IEEE 802.11-01/252 Submission May 2001 Bernard Aboba, MicrosoftSlide 2 Goals To describe issues with IEEE 802.1X state machine and 802.11 roaming To recommend a solution

3 doc.: IEEE 802.11-01/252 Submission May 2001 Bernard Aboba, MicrosoftSlide 3 Roaming Requirements Enterprise –User is identified by user-name (NAI), not IP or MAC address –Security is not compromised –Roaming needs to be available for all potential 802.1X authentication methods –Desirable for user to be able to keep the same IP address when roaming, if possible –MUST be able to roam without reauthentication if desired –MUST be able to roam without dropping traffic in case of reauthentication Hot Spot –User is identified by user-name (NAI), not IP or MAC address –Security is not compromised –Roaming should be fast Going back to the home authentication server may cause substantial delays (~ seconds)

4 doc.: IEEE 802.11-01/252 Submission May 2001 Bernard Aboba, MicrosoftSlide 4 Context Transfer & IEEE 802.1X State Machine Goal –User context can move to new AP without reauthentication, if desired May wish to enable delayed reauthentication on roam Process –Client reassociates to new AP –New AP validates reassociate, attempts context transfer from old AP Context transfer succeeds: AP sends EAP-Success to client Context transfer fails: re-associate treated as an associate Requirements –Successful reassociate has same result as if new AP authenticated successfully to backend authentication server –Unsuccessful reassociate has same result as an associate –Authentication for reassociate, disassociate, beacon messages Issues –No 802.1X event or state corresponding to associate or successful re-associate!

5 doc.: IEEE 802.11-01/252 Submission May 2001 Bernard Aboba, MicrosoftSlide 5 Additions to Backend Authentication State Machine (Figure 8-12) Goal –Successful re-associate has same result as if new AP authenticated to backend authentication server Successful reassociate equivalent to: –Setting aSuccess=TRUE; aWhile=serverTimeout; reqCount=0; currentId=0; rxResp=aFail=FALSE; authTimeout=FALSE; aReq=FALSE –Transition to SUCCESS state Causes canned Success message to be sent Unsuccessful reassociate equivalent to associate: –Set authAbort=TRUE –Transition to INITIALIZE state Authentication starts again

6 doc.: IEEE 802.11-01/252 Submission May 2001 Bernard Aboba, MicrosoftSlide 6 Additions to Authenticator PAE State Machine (Figure 8-8) Goal –Successful re-associate has same result as if new AP authenticated to backend authentication server Unsuccessful reassociate equivalent to: –Set portEnabled=TRUE; currentId=1; portMode=Auto; portStatus=Unauthorized; eapLogff=FALSE; reAuthCount=0; –Transition to CONNECTING state Successful reassociate with no-reauth == TRUE equivalent to: –Set portMode=Auto; eapLogoff=FALSE; reAuthCount=1; currentId=1; portStatus=Unauthorized; eapStart=FALSE; reAuthenticate=FALSE; authSuccess=TRUE; authFail=FALSE; authTimeout=FALSE; portEnabled=TRUE; –Transition to AUTHENTICATED Successful reassociate with no-reauth == FALSE equivalent to: –Set portMode=Auto; currentId = 2; eapLogoff=FALSE; reAuthCount=0; portStatus=Authorized; portEnabled=TRUE; reAuthenticate=TRUE; –Transition to CONNECTING

7 doc.: IEEE 802.11-01/252 Submission May 2001 Bernard Aboba, MicrosoftSlide 7 Additions to Supplicant PAE State Machine (Figure 8-14) Goal –Successful reassociate has same result as if supplicant successfully authenticated to authenticator Sequence of events for successful reassociate –Supplicant in AUTHENTICATED state –Reassociate request sent by Supplicant –Success sent by Authenticator –Supplicant remains in AUTHENTICATED state Sequence of events for unsuccessful reassociate –Supplicant in AUTHENTICATED state –Reassociate request sent by Supplicant –EAP-Request/Identity sent by Authenticator –On EAP-Request/Identity, supplicant transitions to ACQUIRED state

Download ppt "Doc.: IEEE 802.11-01/252 Submission May 2001 Bernard Aboba, MicrosoftSlide 1 Issues with the 802.1X State Machine IEEE 802.1X Revision PAR Bernard Aboba."

Similar presentations

Doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,

Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
Doc.: IEEE 802.11-01/553r0 Submission September 2001 Tim Moore, Bernard Aboba/Microsoft Authenticated Fast Handoff IEEE 802.11 Tgi Tim Moore Bernard Aboba.

Doc.: IEEE /553r0 Submission September 2001 Tim Moore, Bernard Aboba/Microsoft Authenticated Fast Handoff IEEE Tgi Tim Moore Bernard Aboba.
Doc.:IEEE 802.11-01/540ar0 Submission November 2001 Albert Young, Bob OHara Slide 1 A Re-Key Proposal Albert Young 3Com Corporation Santa Clara, CA

Doc.:IEEE /540ar0 Submission November 2001 Albert Young, Bob OHara Slide 1 A Re-Key Proposal Albert Young 3Com Corporation Santa Clara, CA
Doc.: IEEE 802.11-08/1263r0 Submission November 2008 Dan Harkins, Aruba NetworksSlide 1 A Modest Proposal…. Date: 2008-11-10 Authors:

Doc.: IEEE /1263r0 Submission November 2008 Dan Harkins, Aruba NetworksSlide 1 A Modest Proposal…. Date: Authors:
Doc.: IEEE 802.11-00/087 Submission May, 2000 Steven Gray, NOKIA Jyri Rinnemaa, Jouni Mikkonen Nokia Slide 1.

Doc.: IEEE /087 Submission May, 2000 Steven Gray, NOKIA Jyri Rinnemaa, Jouni Mikkonen Nokia Slide 1.
IEEE 802.11i: A Retrospective Bernard Aboba Microsoft March 2004.

IEEE i: A Retrospective Bernard Aboba Microsoft March 2004.
802.1AF - directions define requirements to find and create connections in terms of Discovery - Authentication - Enable 1.Discover of what can be done.

802.1AF - directions define requirements to find and create connections in terms of Discovery - Authentication - Enable 1.Discover of what can be done.
Doc.: IEEE 802.11-04-614-01-frfh Submission July 2004 Jon Edney, NokiaSlide 1 What is an ESS? Jon Edney, Nokia.

Doc.: IEEE frfh Submission July 2004 Jon Edney, NokiaSlide 1 What is an ESS? Jon Edney, Nokia.
IEEE P802 Handoff ECSG Submission July 2003 Bernard Aboba, Microsoft Detection of Network Attachment (DNA) and Handoff ECSG Bernard Aboba Microsoft July.

IEEE P802 Handoff ECSG Submission July 2003 Bernard Aboba, Microsoft Detection of Network Attachment (DNA) and Handoff ECSG Bernard Aboba Microsoft July.
Doc.:IEEE 802.11-11/1523r4 Submission November 2011 Access Delay Reduction for FILS: Network Discovery & Access congestion Improvements Slide 1 Authors:

Doc.:IEEE /1523r4 Submission November 2011 Access Delay Reduction for FILS: Network Discovery & Access congestion Improvements Slide 1 Authors:
Submission doc.: IEEE 802.11-11/1326r1 August 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Early Key Generation by ECDH and PKC Date: 2011-09-22.

Submission doc.: IEEE /1326r1 August 2011 Hiroki Nakano, Trans New Technology, Inc.Slide 1 Early Key Generation by ECDH and PKC Date:
Doc.: IEEE 802.11-01/039 Submission January 2001 Haverinen/Edney, NokiaSlide 1 Use of GSM SIM Authentication in IEEE802.11 System Submitted to IEEE802.11.

Doc.: IEEE /039 Submission January 2001 Haverinen/Edney, NokiaSlide 1 Use of GSM SIM Authentication in IEEE System Submitted to IEEE
Doc.: IEEE 802.11-08/0836r2 Submission July 2008 Dan Harkins, Aruba NetworksSlide 1 Changes to SAE State Machine Date: 2008-07-13 Authors:

Doc.: IEEE /0836r2 Submission July 2008 Dan Harkins, Aruba NetworksSlide 1 Changes to SAE State Machine Date: Authors:
Unlicensed Mobile Access (UMA) Dasun Weerasinghe School of Engineering and Mathematical Sciences City University London.

Unlicensed Mobile Access (UMA) Dasun Weerasinghe School of Engineering and Mathematical Sciences City University London.
Submission doc.: IEEE 802.11-12/0789r3 NameAffiliationsAddressPhoneemail George Cherian Santosh Abraham Jouni Malinen Qualcomm 5775 Morehouse Dr, San Diego,

Submission doc.: IEEE /0789r3 NameAffiliationsAddressPhone George Cherian Santosh Abraham Jouni Malinen Qualcomm 5775 Morehouse Dr, San Diego,
Doc.: IEEE 802.11-14/0093r2 Submission NameAffiliationsAddressPhoneemail Hitoshi MORIOKAAllied Telesis R&D Center 2-14-38 Tenjin, Chuo-ku, Fukuoka 810-0001.

Doc.: IEEE /0093r2 Submission NameAffiliationsAddressPhone Hitoshi MORIOKAAllied Telesis R&D Center Tenjin, Chuo-ku, Fukuoka
Doc.: IEEE 802.11-03/095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 1 Fast Re-authentication Dan Harkins.

Doc.: IEEE /095r0 Submission January 2003 Dan Harkins, Trapeze Networks.Slide 1 Fast Re-authentication Dan Harkins.
Doc.: IEEE 802.11-02/689r0 Submission November 2002 Dan Harkins, Trapeze Networks.Slide 1 Re-authentication when Roaming Dan Harkins.

Doc.: IEEE /689r0 Submission November 2002 Dan Harkins, Trapeze Networks.Slide 1 Re-authentication when Roaming Dan Harkins.
Doc.: IEEE 802.11-11/1160 Submission NameAffiliationsAddressPhone George CherianQualcomm 5775 Morehouse Dr, San Diego, CA, USA

Doc.: IEEE /1160 Submission NameAffiliationsAddressPhone George CherianQualcomm 5775 Morehouse Dr, San Diego, CA, USA
Doc.: IEEE 802.11-11/1160r1 Submission NameAffiliationsAddressPhone George CherianQualcomm 5775 Morehouse Dr, San Diego, CA, USA +1

Doc.: IEEE /1160r1 Submission NameAffiliationsAddressPhone George CherianQualcomm 5775 Morehouse Dr, San Diego, CA, USA +1

Similar presentations

Ads by Google