CSE 8343
State Machines for Extensible Authentication Protocol Peer and Authenticator
IETF RFC 4137, Extensible Authentication Protocol (EAP) Working Group
RFC 4137: State Machines for EAP Peer and Authenticator

RFC 4137 Overview
- RFC 4137 describes a set of state machines for:
  - EAP Peer
  - EAP Stand-Alone Authenticator (non-pass-through)
  - EAP Backend Authenticator
  - EAP Full Authenticator
- Describes sample EAP implementations:
  - Peer <-> Authenticator
  - Peer <-> Authenticator <-> AAA
- Illustrative of the authoritative RFCs:
  - Peer and Stand-Alone Authenticator: EAP, from RFC 3748
  - Backend and Full (Pass-Through): EAP over AAA, from RFC 3748 and RFC 3579
- Based on the EAP Switch model

EAP Switch Model
- An EAP authentication is a sequence of EAP methods
- The result is sent from Authenticator to Peer: EAP Success if successful, EAP Failure if unsuccessful
- EAP Switches control the negotiation sequence:
  - Select which methods each side will use
  - Negotiate methods or a sequence of methods
- Figure: Peer (Peer Method, Peer EAP Switch) and Authenticator (Auth EAP Switch, Auth Method)

EAP Pass-Through Model
- Authentication is resident on a backend server
- Allows the edge device to pass EAP Responses through to the backend
- Figure: Peer (Peer EAP Switch, Peer Method); Authenticator (Local Method, Auth EAP Switch, Pass-Through); Backend EAP Server (Backend Method)

State Machine Notation (IEEE 802.1X-2004)
- State diagrams represent the operation of a protocol as a group of connected, mutually exclusive states
- Only one state of each machine can be active at a time
- Upon entry to a state, the defined procedures are executed exactly once, in the given order, as atomic actions
- Diagram convention: a box labelled STATE_IDENTIFIER listing Procedure 1 ... Procedure N, with arrows labelled by the Condition that triggers each transition

EAP Peer
Global transitions: DISABLED, INITIALIZE
- DISABLED: Reached whenever service from the transport layer is interrupted or unavailable. Transitions: INITIALIZE
- INITIALIZE: Initializes the state machine variables. Transitions: IDLE
- IDLE: The state machine is waiting for something to happen. Transitions: RECEIVED, SUCCESS, FAILURE
- RECEIVED: Entered when an EAP packet is received. Transitions: METHOD, GET_METHOD, IDENTITY, NOTIFICATION, RETRANSMIT, SUCCESS, FAILURE, DISCARD
- METHOD: Performs the method processing; the request from the Authenticator is processed and the appropriate response packet built. Transitions: DISCARD, FAILURE, SEND_RESPONSE
- GET_METHOD: Entered when a request for a new type comes in; results in either starting the appropriate method or responding with a Nak. Transitions: METHOD, SEND_RESPONSE
- IDENTITY: Separate handling for the Identity method, including building the response packet. Transitions: SEND_RESPONSE
- NOTIFICATION: Separate handling for the Notification method, including building the response packet. Transitions: SEND_RESPONSE
- RETRANSMIT: Resends the previous response packet. Transitions: SEND_RESPONSE
- DISCARD: Signals the transport layer that the request has been ignored and that no response will be sent. Transitions: IDLE
- SEND_RESPONSE: Signals the transport layer that a response packet is ready to be sent. Transitions: IDLE
- SUCCESS: Terminal state indicating a successful authentication. Transitions: none
- FAILURE: Terminal state indicating a failed authentication. Transitions: none

EAP Stand-Alone Authenticator
Global transitions: DISABLED, INITIALIZE
- DISABLED: The Authenticator is disabled until the port is enabled by the transport layer. Transitions: INITIALIZE
- INITIALIZE: Initializes all state machine variables. Transitions: SELECT_ACTION
- IDLE: The state machine is waiting for something to happen. Transitions: RETRANSMIT, RECEIVED
- RETRANSMIT: Retransmits the previous request packet. Transitions: TIMEOUT_FAILURE, IDLE
- RECEIVED: Entered when an EAP packet is received; parses the packet header. Transitions: NAK, INTEGRITY_CHECK, DISCARD
- NAK: Processes a Nak response. Transitions: SELECT_ACTION
- SELECT_ACTION: Re-evaluates whether the authenticator policy has been satisfied (implying success), has been unsatisfied (implying failure), or is still undecided. Transitions: FAILURE, SUCCESS, PROPOSE_METHOD
- INTEGRITY_CHECK: Checks and verifies the integrity of the incoming packet from the Peer. Transitions: DISCARD, METHOD_RESPONSE
- METHOD_RESPONSE: Processes the incoming packet. Transitions: SELECT_ACTION, METHOD_REQUEST
- PROPOSE_METHOD: Decides which authentication method to try next. Transitions: METHOD_REQUEST
- METHOD_REQUEST: Formulates a new request for the Peer. Transitions: SEND_REQUEST
- DISCARD: Signals the transport layer that the response has been discarded and no new request will be sent. Transitions: IDLE
- SEND_REQUEST: Signals the transport layer that a new request is ready to be sent. Transitions: IDLE
- TIMEOUT_FAILURE: Terminal state indicating a failure because no response has been received from the Peer. Transitions: none
- FAILURE: Terminal state indicating that the authentication has failed. Transitions: none
- SUCCESS: Terminal state indicating that the authentication has successfully completed. Transitions: none

EAP Backend Authenticator
- The Backend Authenticator is functionally equivalent to a Stand-Alone Authenticator, with the added ability to pick up a conversation that was previously started by a Pass-Through
- The only difference between the state machines is the addition of the PICK_UP_METHOD state and the removal of the TIMEOUT_FAILURE state
- PICK_UP_METHOD: Sets the initial state for a method being continued that was started elsewhere (e.g. in the Pass-Through). Transitions: SELECT_ACTION, METHOD_RESPONSE

EAP Full Authenticator
- The first part of a Full Authenticator is functionally identical to the Stand-Alone Authenticator, with the addition of a transition from the SELECT_ACTION state to PASSTHROUGH
- SELECT_ACTION: Re-evaluates whether the authenticator policy has been satisfied (implying success), has been unsatisfied (implying failure), or is still undecided. Transitions: FAILURE, SUCCESS, INITIALIZE_PASSTHROUGH, PROPOSE_METHOD
- The second part of a Full Authenticator supports the operation of Pass
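The EAP Peer state machine described above, as an added example that is not code from RFC 4137 or from any real supplicant: a simplified Python model that records every state entered, replays the cached Response for a duplicate Request, answers an unacceptable method type with a Nak, and, as an assumption that goes slightly beyond the slides, discards an EAP-Success that arrives before any method has run. The EAP Code and Type values are the RFC 3748 constants; packets are constructed (Code, Identifier, Type) tuples.

```python
# Added example: a simplified model of the RFC 4137 EAP Peer state machine above.
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4   # EAP Code field (RFC 3748)
IDENTITY, NOTIFICATION, NAK = 1, 2, 3              # EAP Type field (RFC 3748)

class EapPeer:
    def __init__(self, allowed_types):
        self.allowed = set(allowed_types)  # method types this peer will run
        self.trace = ["DISABLED"]          # every state entered, in order
        self.enter("INITIALIZE")           # port enabled: reset the variables
        self.last_id = self.last_resp = self.method = None
        self.enter("IDLE")

    def enter(self, state):                # entry actions run exactly once
        self.state = state
        self.trace.append(state)
    def receive(self, code, ident, eap_type=None):
        if self.state != "IDLE":           # terminal states accept nothing more
            return None
        self.enter("RECEIVED")
        # Assumption beyond the slides: Success counts only after a method ran,
        # so an unsolicited EAP-Success is discarded rather than trusted.
        if code == SUCCESS and self.method is not None:
            self.enter("SUCCESS")
            return None
        if code == FAILURE:
            self.enter("FAILURE")
            return None
        if code != REQUEST:
            self.enter("DISCARD")
            self.enter("IDLE")
            return None
        if ident == self.last_id:          # duplicate Request: replay cached Response
            self.enter("RETRANSMIT")
            resp = self.last_resp
        elif eap_type in (IDENTITY, NOTIFICATION):
            self.enter("IDENTITY" if eap_type == IDENTITY else "NOTIFICATION")
            resp = (RESPONSE, ident, eap_type)
        elif eap_type == self.method:      # next round of the running method
            self.enter("METHOD")
            resp = (RESPONSE, ident, eap_type)
        else:                              # a new method type is proposed
            self.enter("GET_METHOD")
            if eap_type in self.allowed:
                self.method = eap_type
                self.enter("METHOD")
            resp = (RESPONSE, ident, eap_type if self.method == eap_type else NAK)
        self.last_id, self.last_resp = ident, resp
        self.enter("SEND_RESPONSE")
        self.enter("IDLE")
        return resp
```

Feeding the model a Request sequence and inspecting `trace` reproduces the RECEIVED -> IDENTITY/GET_METHOD/METHOD/RETRANSMIT -> SEND_RESPONSE -> IDLE paths of the Peer diagram.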