Network Working Group B. Aboba
Request for Comments: Microsoft
Obsoletes: L. Blunk
Category: Standards Track Merit Network, Inc
J. Vollbrecht

This document defines the Extensible Authentication Protocol (EAP), an authentication framework which supports multiple authentication methods. EAP typically.


A method is said to provide protected result indications if it supports result indications, as well as the “integrity protection” and “replay protection” claims. One of the advantages of the EAP architecture is its flexibility.

RFC – part 1 of 3

EAP is used to select a specific authentication mechanism, typically after the authenticator requests more information in order to determine the specific authentication method to be used.

It cannot be assumed that the contents of the Notification Request or Response are available to another method.

In this mode, the server authenticates the peer and is aware of whether the peer has authenticated it. EAP-TLS is still considered one of the most secure EAP standards available, although TLS provides strong security only as long as the user understands potential warnings about false credentials, and is universally supported by all manufacturers of wireless LAN hardware and software.

Both ends of the link may act as authenticators and peers at the same time. This is discussed in more detail in Section 7. Hosts supporting peer-to-peer operation with such a method would need to be provisioned with both types of credentials.

How this may be used and how it may not be used is specified in detail in Section 2.


EAP Types – Extensible Authentication Protocol Types information

Where EAP is used over the Internet, attacks may be carried out at an even greater distance. This document obsoletes RFC

Displayable Message: This is interpreted to be a human readable string of characters.

The lack of mutual authentication in GSM has also been overcome.

Integrity protection: This refers to providing data origin authentication and protection against unauthorized modification of information for EAP packets including EAP Requests and Responses.

Similarly, while an authentication failure will result in denied access to the controlled port in [IEEE

GSM cellular networks use a subscriber identity module card to carry out user authentication. To address security vulnerabilities, “tunneled” methods MUST support protection against man-in-the-middle attacks.

This creates a potential security vulnerability. For example, in IEEE

However, where roaming is supported as described in [RFC], it may be necessary to locate the appropriate backend authentication server before the authentication conversation can proceed.

Extensible Authentication Protocol – Wikipedia

This would allow for situations much like HTTPS, where a wireless hotspot allows free access and does not authenticate station clients, but station clients wish to use encryption IEEE

Instead, for each named peer, there SHOULD be an indication of exactly one method used to authenticate that peer name.

EAP is not a wire protocol; instead it only defines message formats. Breaking a cryptographic assumption would typically require inverting a one-way function or predicting the outcome of a cryptographic pseudo-random number generator without knowledge of the secret state. Success and Failure are discussed in Section 4. Although it is difficult to define what “comparable effort” and “typical block cipher” exactly mean, reasonable approximations are sufficient here.



After such an attack, if the lower layer supports failure indications, the authenticator can synchronize state with the peer by providing a lower layer failure indication. As noted in Section 3. In these situations, use of EAP methods with fewer roundtrips is advisable.

Changes from RFC

In EAP there is no provision for retries of failed authentication. A method may be said to provide protection against dictionary attacks if, when it uses a password as a secret, the method does not allow an offline attack that has a work factor based on the number of passwords in an attacker’s dictionary.

In order to protect against dictionary attacks, authentication methods resistant to dictionary attacks as defined in Section 7. PEAPv1 was defined in draft-josefsson-pppext-eap-tls-eap through draft-josefsson-pppext-eap-tls-eap[36] and PEAPv2 was defined in versions beginning with draft-josefsson-pppext-eap-tls-eap

Silently Discard: This means the implementation discards the packet without further processing.

The implementation notes in this section have been substantially expanded. Since protected result indications require use of a key for per-packet authentication and integrity protection, methods supporting protected result indications MUST also support the “key derivation”, “mutual authentication”, “integrity protection”, and “replay protection” claims.

The underlying key exchange is resistant to active attack, passive attack, and dictionary attack. Note that the user’s name is never transmitted in unencrypted clear text, improving privacy.