1 / 14

802.1X & EAP State Machines (found at: www-personal.umich/~jrv/eap.htm)

802.1X & EAP State Machines (found at: http://www-personal.umich.edu/~jrv/eap.htm). Jim Burns Paul Congdon Nick Petroni John Vollbrecht. New Significant 802.1aa/D5 Changes. Specification of interface between EAP/802.1X No more EAP packet processing in 802.1X

bryant
Télécharger la présentation

802.1X & EAP State Machines (found at: www-personal.umich/~jrv/eap.htm)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. 802.1X & EAPState Machines(found at: http://www-personal.umich.edu/~jrv/eap.htm) Jim Burns Paul Congdon Nick Petroni John Vollbrecht

  2. New Significant 802.1aa/D5 Changes • Specification of interface between EAP/802.1X • No more EAP packet processing in 802.1X • Addition of controlled port in Supplicant • Initial Authenticator request comes from EAP • Ability for EAP to silently discard frames • Proposed inclusion of EAP machines in 802.1X Annex • EAPOL-Key exchange sequenced before EAP-Success • Propose to include generic 4-way handshake within 802.1X

  3. Issues to Discuss • How to best incorporate 802.11 into the 802.1X/EAP interface diagrams? • What is the proper sequence for key exchange and sending final EAP-Success? • What is the interface to generic 4-way handshake machine? • Where to define the specification of EAPOL-Key message processing?

  4. EAP / 802.1X Interface(excluding key exchange) Supplicant/Peer Authenticator EAP Method EAP Method EAP Layer EAP Layer eapReq eapFail eapSuccess eapNoReq eapResp eapNoResp eapSuccess eapFail eapRcvd eapResp eapRestart 802.1x 802.1x port enabled/disabled port enabled/disabled

  5. Key Interface with EAP802.1X & 802.11 EAP Method EAP Method EAP Layer EAP Layer keyAvailable keyAvailable 802.1x 802.1x portValid portValid Link Secure (physical or crypto) Link Secure (physical or crypto)

  6. EAP / EAP Method Interface EAP Method EAP Method Method-state Method-state Startmethod rcvRsp/NAK intCheck !intCheck intCheck !intCheck rxMethodReq EAP Layer EAP Layer 802.1x 802.1x

  7. Supplicant Front-End (userLogoff && !logoffSent) && !(initialize || !portEnabled) Initialize || !portEnabled DISCONNECTED startCount = 0; logoffSent = FALSE; portStatus = Unauthorized; suppAbort = TRUE; HELD heldWhile = heldPeriod; portStatus = Unauthorized; LOGOFF txLogoff; logoffSent = TRUE; portStatus = Unauthorized; heldWhile == 0 eapRcvd eapSuccess && portValid !userLogoff UTC AUTHENTICATED portStatus = Authorized; CONNECTING startWhen = startPeriod; startCount = startCount + 1; eapRcvd = FALSE; txStart; (startWhen == 0) && (startCount < maxStart) !portValid eapRcvd eapFail eapRcvd && portValid (((startWhen == 0) && (startCount >= maxStart)) !! eapSuccess) && portValid AUTHENTICATING startCount = 0; eapSuccess = FALSE; easFail = FALSE; suppTimeout = FALSE; suppStart = TRUE; eapRcvd = FALSE; suppTimeout eapFail

  8. Supplicant Back-End (portControl! = Auto) || Initialize || suppAbort REQUEST authWhile = 0; getSuppRsp; INITIALIZE previousId = 256; abortSupp; suppAbort = FALSE; eapResp RESPONSE txsuppRsp(receivedId, previousId); previousId = receivedId; eapResp = FALSE; eapNoResp UTC UTC RECEIVE authWhile = authPeriod; eapRcvd = FALSE; eapNoResp = FALSE; authWhile == 0 eapRcvd eapSucess || eapFail TIMEOUT suppTimeout = TRUE UTC IDLE suppStart = FALSE; suppStart

  9. EAP Peer

  10. Authenticator Front-End ((portControl==auto) && (portMode != portControl)) || Initialize || !portEnabled INITIALIZE portMode=auto; eapRestart=TRUE; UCT eapolLogoff && !authAbort DISCONNECTED portStatus=Unauthorized eapolLogoff=FALSE; HELD portSatus=Unauthorized quietWhile=quietPeriod; eapolLogoff=FALSE; eapolLogoff || !portValid UCT (quietWhile == 0) eapolLogoff CONNECTING eapolStart=FALSE; reAuthenticate=FALSE !eapolLogoff && !authAbort eapolStart || reAuthenticate (eapReq || eapSuccess || eapFail) && (eapRestart == FALSE) authFail AUTHENTICATED portStatus=Authorized ABORTING authAbort=TRUE; eapRestart=TRUE; authSuccess && portValid AUTHENTICATING authSuccess=FALSE; authFail=FALSE; authTimeout=FALSE; authStart=TRUE; reAuthenticate || eapolStart || eapolLogoff || authTimeout

  11. (portControl!=Auto)|| Initialize || authAbort (aWhileReq==0) && (reqCount != maxReq) REQUEST txReq(); aWhileReq=suppTimeout; inc(reqCount); INITIALIZE abortAuth; eapNoRequest=FALSE; authAbort=FALSE; (aWhileReq == 0) && (reqCount != maxReq) eapResp eapRequest eapResp RESPONSE eapRequest=eapSuccess=FALSE; authTimeout=FALSE; eapResp=eapFail=FALSE; eapNoRequest=FALSE; aWhile=serverTimeout; reqCount=0; sendRespToServer(); IGNORE eapNoRequest = FALSE; (aWhileReq==0) && (reqCount>=maxReq) AuthStart && eapRequest (aWhileReq==0) && (reqCount>=maxReq) eapNoRequest eapSuccess && ((keyTxEnabled && !keyAvailable) || !keyTxEnabled) eapFail aWhile==0 TIMEOUT authTimeout=TRUE; FAIL txReq(); authFail=TRUE; SUCCESS txReq(); authSuccess=TRUE; AuthStart && eapFail UCT UCT UCT IDLE authStart=FALSE; reqCount=0; AuthStart && eapSuccess Authenticator Backend

  12. EAP Authenticator

  13. Authenticator Key Tx Machine Initialize || (portControl != Auto) NO_KEY_TRANSMIT keyTxEnable && keyAvailable && eapSuccess KEY_TRANSMIT txKey; keyAvailable = FALSE !keyTxEnable || authFail || eapolLogoff keyAvailable

  14. Supplicant Key Tx Machine Initialize NO_SUPP_KEY_TRANSMIT keyTxEnable && suppkeyAvailable && eapSuccess SUPP_KEY_TRANSMIT txSuppKey; suppKeyAvailable = FALSE !keyTxEnable || eapFail || userlLogoff suppKeyAvailable

More Related