CSE 8343
State Machines for Extensible Authentication Protocol: Peer and Authenticator
IETF RFC 4137

Extensible Authentication Protocol (EAP) Working Group
RFC 4137: State Machines for EAP Peer and Authenticator

RFC 4137 Overview
• RFC 4137 describes a set of State Machines for:
• EAP Peer
• EAP Stand-Alone Authenticator (Non-Pass-Through)
• EAP Backend Authenticator
• EAP Full Authenticator
• Describes sample EAP implementations
• Peer / Authenticator
• Peer / Authenticator / AAA

RFC 4137 Overview
• Informative: illustrates the behaviour specified by the authoritative RFCs
• Peer and Stand-Alone Authenticator for EAP from RFC 3748
• Backend and Full/Pass-Through Authenticator for EAP over AAA from RFC 3748 and RFC 3579
• Based on the EAP "Switch" model

EAP Switch Model
• An EAP authentication is a sequence of EAP methods
• Result sent from Authenticator to Peer
• If successful, EAP Success
• If unsuccessful, EAP Failure
• EAP Switches control the negotiation sequence
• Select which methods each side will use
• Negotiate methods or the sequence of methods
[Figure: Peer (Peer EAP Switch over Peer Method) exchanging EAP packets with Authenticator (Auth EAP Switch over Auth Method)]

EAP Pass-Through Model
• Authentication resident on a backend server
• Allows the edge device to pass EAP Responses through to the backend
[Figure: Peer (Peer EAP Switch over Peer Method); Authenticator (Auth EAP Switch over Local Method and Pass-Through); Backend (Backend EAP Server)]

State Machine Notation (IEEE 802.1X-2004)
• State diagrams represent the operation of a protocol
• Group of connected, mutually exclusive states
• Only one state of each machine can be active at a time
• Upon entry to a state the defined procedures are executed exactly once
• Executed in the given order
• Atomic actions
[Figure: state box labelled STATE IDENTIFIER containing Procedure 1 … Procedure N, with a transition arrow labelled by its Condition]

EAP Peer
Global Transitions:
• DISABLED
• INITIALIZE

EAP Peer
DISABLED: Reached whenever service from the transport layer is interrupted or unavailable.
Transitions:
• INITIALIZE

EAP Peer
INITIALIZE: Initializes the state machine variables.
Transitions:
• IDLE

EAP Peer
IDLE: The state machine is waiting for something to happen.
Transitions:
• RECEIVED
• SUCCESS
• FAILURE

EAP Peer
RECEIVED: Entered when an EAP packet is received.
Transitions:
• METHOD
• GET_METHOD
• IDENTITY
• NOTIFICATION
• RETRANSMIT
• SUCCESS
• FAILURE
• DISCARD

EAP Peer
METHOD: Performs the method processing. The request from the Authenticator is processed, and the appropriate response packet built.
Transitions:
• DISCARD
• FAILURE
• SEND_RESPONSE

EAP Peer
GET_METHOD: Entered when a request for a new type comes in. This will result in either starting the appropriate method, or responding with a Nak.
Transitions:
• METHOD
• SEND_RESPONSE

EAP Peer
IDENTITY: Separate handling for the Identity method, including building the response packet.
Transitions:
• SEND_RESPONSE

EAP Peer
NOTIFICATION: Separate handling for the Notification method, including building the response packet.
Transitions:
• SEND_RESPONSE

EAP Peer
RETRANSMIT: Resends the previous response packet.
Transitions:
• SEND_RESPONSE

EAP Peer
DISCARD: Signals the transport layer that the request has been ignored and that no response will be sent.
Transitions:
• IDLE

EAP Peer
SEND_RESPONSE: Signals the transport layer that a response packet is ready to be sent.
Transitions:
• IDLE

EAP Peer
SUCCESS: Terminal state indicating a successful authentication.
Transitions:
• None

EAP Peer
FAILURE: Terminal state indicating a failed authentication.
Transitions:
• None

EAP Stand-Alone Authenticator
Global Transitions:
• DISABLED
• INITIALIZE

EAP Stand-Alone Authenticator
DISABLED: The Authenticator is disabled until the port is enabled by the transport layer.
Transitions:
• INITIALIZE

EAP Stand-Alone Authenticator
INITIALIZE: Initializes all state machine variables.
Transitions:
• SELECT_ACTION

EAP Stand-Alone Authenticator
IDLE: The state machine is waiting for something to happen.
Transitions:
• RETRANSMIT
• RECEIVED

EAP Stand-Alone Authenticator
RETRANSMIT: Retransmits the previous request packet.
Transitions:
• TIMEOUT_FAILURE
• IDLE

EAP Stand-Alone Authenticator
RECEIVED: Entered when an EAP packet is received; parses the packet header.
Transitions:
• NAK
• INTEGRITY_CHECK
• DISCARD

EAP Stand-Alone Authenticator
NAK: Processes a Nak response from the Peer.
Transitions:
• SELECT_ACTION

EAP Stand-Alone Authenticator
SELECT_ACTION: Re-evaluates whether the authenticator policy has been satisfied (implying success), cannot be satisfied (implying failure), or is still undecided.
Transitions:
• FAILURE
• SUCCESS
• PROPOSE_METHOD

EAP Stand-Alone Authenticator
INTEGRITY_CHECK: Checks and verifies the integrity of the incoming packet from the Peer.
Transitions:
• DISCARD
• METHOD_RESPONSE

EAP Stand-Alone Authenticator
METHOD_RESPONSE: Processes the incoming packet.
Transitions:
• SELECT_ACTION
• METHOD_REQUEST

EAP Stand-Alone Authenticator
PROPOSE_METHOD: Decides which authentication method to try next.
Transitions:
• METHOD_REQUEST

EAP Stand-Alone Authenticator
METHOD_REQUEST: Formulates a new request for the Peer.
Transitions:
• SEND_REQUEST

EAP Stand-Alone Authenticator
DISCARD: Signals the transport layer that the response has been discarded, and no new request will be sent.
Transitions:
• IDLE

EAP Stand-Alone Authenticator
SEND_REQUEST: Signals the transport layer that a new request is ready to be sent.
Transitions:
• IDLE

EAP Stand-Alone Authenticator
TIMEOUT_FAILURE: Terminal state indicating a failure because no response has been received from the Peer.
Transitions:
• None

EAP Stand-Alone Authenticator
FAILURE: Terminal state indicating that the authentication has failed.
Transitions:
• None

EAP Stand-Alone Authenticator
SUCCESS: Terminal state indicating that the authentication has successfully completed.
Transitions:
• None

EAP Backend Authenticator
The Backend Authenticator is functionally equivalent to a Stand-Alone Authenticator, with the addition of the ability to "pick up" a conversation which had previously been started by a Pass-Through Authenticator.
The only difference between the state machines is the addition of the PICK_UP_METHOD state and the removal of the TIMEOUT_FAILURE state.

EAP Backend
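The Peer and Stand-Alone Authenticator machines above, driven against each other through the EAP switch model, as an added example written for this page (it is not code from RFC 4137 or from the lecture). Assumptions: the state names follow the slides, but each machine is collapsed to a synchronous receive() call that returns the packet to send next; the two "methods" (types 250 and 251) are constructed toy HMAC challenge-response methods, not real EAP methods, and the shared secrets and identities are made up; the peer's decision variable is a simplified form of the RFC's, starting at FAIL so that an EAP Success arriving before any method has run is discarded instead of accepted; and Notification, pick-up and retransmit timers are left out.

```python
import hmac, hashlib, os, struct

CODE_REQUEST, CODE_RESPONSE, CODE_SUCCESS, CODE_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_NAK = 1, 3
TYPE_A, TYPE_B = 250, 251      # constructed toy method types for this example, not IANA-assigned

def build(code, ident, type_=None, data=b""):
    body = b"" if type_ is None else bytes([type_]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse(pkt):
    """RFC 3748 header (Code, Identifier, Length), then Type+Data for Request/Response. None = discard."""
    if len(pkt) < 4: return None
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt): return None      # Length field disagrees with what arrived
    body = pkt[4:length]
    if code in (CODE_REQUEST, CODE_RESPONSE):
        return (code, ident, body[0], body[1:]) if body else None   # Type octet is mandatory
    return (code, ident, None, b"") if code in (CODE_SUCCESS, CODE_FAILURE) else None

def mac(secret, nonce):        # toy method: peer proves the shared secret with an HMAC over the nonce
    return hmac.new(secret, nonce, hashlib.sha256).digest()

class Machine:
    def __init__(self): self.trace = []
    def go(self, state): self.state = state; self.trace.append(state)

class Peer(Machine):
    def __init__(self, identity, methods):     # methods: {type: shared secret}
        super().__init__(); self.identity, self.methods = identity, methods
        self.go("INITIALIZE"); self.last_id = self.last_resp = None
        self.decision = "FAIL"                  # simplified RFC 4137 'decision': no method yet, so no Success accepted
        self.go("IDLE")
    def receive(self, pkt):
        """Feed one EAP packet to the peer; returns the response to send, or None."""
        if self.state in ("SUCCESS", "FAILURE"): return None
        self.go("RECEIVED"); p = parse(pkt)
        if p is None: return self._discard()
        code, ident, type_, data = p
        if code in (CODE_SUCCESS, CODE_FAILURE):
            # a result must answer our last request id, and Success only counts once a method has run
            if ident != self.last_id or (code == CODE_SUCCESS and self.decision == "FAIL"):
                return self._discard()
            self.go("SUCCESS" if code == CODE_SUCCESS else "FAILURE"); return None
        if code != CODE_REQUEST: return self._discard()
        if ident == self.last_id:               # same Identifier again: the authenticator retransmitted
            self.go("RETRANSMIT"); return self._send(self.last_resp)
        self.last_id = ident
        if type_ == TYPE_IDENTITY:
            self.go("IDENTITY"); return self._send(build(CODE_RESPONSE, ident, TYPE_IDENTITY, self.identity.encode()))
        if type_ in self.methods:
            self.go("METHOD"); self.decision = "COND_SUCC"   # toy method: accept if the authenticator then says Success
            return self._send(build(CODE_RESPONSE, ident, type_, mac(self.methods[type_], data)))
        self.go("GET_METHOD")                   # unsupported type: Nak carrying the types we do support
        return self._send(build(CODE_RESPONSE, ident, TYPE_NAK, bytes(sorted(self.methods))))
    def _send(self, pkt): self.go("SEND_RESPONSE"); self.last_resp = pkt; self.go("IDLE"); return pkt
    def _discard(self): self.go("DISCARD"); self.go("IDLE"); return None

class Authenticator(Machine):
    def __init__(self, policy, secrets):       # policy: ordered method types; secrets: {identity: {type: secret}}
        super().__init__(); self.policy, self.secrets = list(policy), secrets
        self.go("INITIALIZE"); self.ident = 0; self.peer_id = self.method = self.nonce = None
    def start(self):
        self.go("SELECT_ACTION"); self.go("PROPOSE_METHOD"); return self._request(TYPE_IDENTITY)
    def _request(self, type_, data=b""):
        self.go("METHOD_REQUEST"); self.ident = (self.ident + 1) % 256; self.method = type_
        self.go("SEND_REQUEST"); self.go("IDLE"); return build(CODE_REQUEST, self.ident, type_, data)
    def _propose(self):
        self.go("SELECT_ACTION")
        if not self.policy: return self._finish("FAILURE")    # nothing left that policy allows
        self.go("PROPOSE_METHOD"); self.nonce = os.urandom(16)
        return self._request(self.policy.pop(0), self.nonce)
    def _finish(self, state):                   # Success/Failure carry the Identifier of the last exchange
        self.go(state); return build(CODE_SUCCESS if state == "SUCCESS" else CODE_FAILURE, self.ident)
    def receive(self, pkt):
        """Feed one EAP packet to the authenticator; returns the next packet to send, or None."""
        if self.state in ("SUCCESS", "FAILURE"): return None
        self.go("RECEIVED"); p = parse(pkt); self.go("INTEGRITY_CHECK")
        if p is None or p[0] != CODE_RESPONSE or p[1] != self.ident:   # not a reply to the outstanding request
            self.go("DISCARD"); self.go("IDLE"); return None
        _, _, type_, data = p
        if type_ == TYPE_NAK:                   # keep only methods the peer offered, in our policy order
            self.go("NAK"); self.policy = [t for t in self.policy if t in data]; return self._propose()
        if type_ != self.method: self.go("DISCARD"); self.go("IDLE"); return None
        self.go("METHOD_RESPONSE")
        if type_ == TYPE_IDENTITY:
            self.peer_id = data.decode(errors="replace"); return self._propose()
        secret = self.secrets.get(self.peer_id, {}).get(type_)
        ok = secret is not None and hmac.compare_digest(mac(secret, self.nonce), data)
        self.go("SELECT_ACTION"); return self._finish("SUCCESS" if ok else "FAILURE")

def run(peer, auth, max_rounds=8):
    """Drive one conversation to completion; returns (peer.state, auth.state)."""
    pkt = auth.start()
    for _ in range(max_rounds):
        resp = peer.receive(pkt)
        if resp is None: break
        pkt = auth.receive(resp)
        if pkt is None: break
    return peer.state, auth.state
```

Running `run(Peer("alice", {TYPE_A: key}), Authenticator([TYPE_B, TYPE_A], secrets))` walks the switch model end to end: the authenticator proposes type 251, the peer answers with a Nak listing 250, the authenticator's NAK state narrows its policy and proposes 250, and both traces end in SUCCESS. The checks worth noticing are the ones the slides leave implicit: a Success or Failure whose Identifier does not match the last request, or a Success that arrives before any method has run, goes through DISCARD back to IDLE rather than terminating the peer, and the authenticator's INTEGRITY_CHECK drops any response whose Identifier is not the outstanding one.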