Network Working Group                                          B. Aboba
Request for Comments:                                         Microsoft
Obsoletes:                                                     L. Blunk
Category: Standards Track                           Merit Network, Inc.
                                                          J. Vollbrecht

This document defines the Extensible Authentication Protocol (EAP), an authentication framework which supports multiple authentication methods. EAP typically.


However, it is possible that the EAP peer’s access policy was not satisfied during the initial EAP exchange, even though mutual authentication occurred. There is therefore no support for “pass-through peer” operation. Therefore, unless a host implements an EAP authenticator layer, these packets MUST be silently discarded. If an authentication algorithm is used that is known to be vulnerable to dictionary attacks, then the conversation may be tunneled within a protected channel in order to provide additional protection.

In this document, this end of the link is called the peer.

EAP Types – Extensible Authentication Protocol Types

In general, a fragmented EAP packet will require as many round-trips to send as there are fragments. This may not always be the case. The Notification Type is discussed in Section 5. The protocol only specifies chaining multiple EAP mechanisms and not any specific method.

As a result, it may be necessary for an authentication algorithm to add one or two additional messages (at most one roundtrip) in order to run over EAP. Where a single EAP authentication method is utilized, but other methods are run within it (a “tunneled” method), the prohibition against multiple authentication methods does not apply.


In the case where the authenticator operates in pass-through mode, the EAP server is located on the backend authentication server. Connection to an Untrusted Network. Pass-Through Behavior: when operating as a “pass-through authenticator”, an authenticator performs checks on the Code, Identifier, and Length fields as described in Section 4.


The Identity Type is discussed in Section 5. In particular, the following combinations are expected to be used in practice: Applicability EAP was designed for use in network access authentication, where IP layer connectivity may not be available. The omission is intentional.

EAP is a lock-step protocol which only supports a single packet in flight. This can be accomplished by including a proof in an Appendix, or including a reference to a proof. It does not refer to the ability to negotiate the ciphersuite used to protect data. In-band provisioning: provide the peer with a shared secret to be used in the secure phase 1 conversation.

It was co-developed by Funk Software and Certicom and is widely supported across platforms. Multiple authentication methods within an EAP conversation are not supported due to their vulnerability to man-in-the-middle attacks (see Section 7).


Therefore, a mechanism needs to be provided to transmit the AAA-Key from the authentication server to the authenticator that needs it. The client can, but does not have to, be authenticated via a CA-signed PKI certificate to the server.

Alternatively, the authentication conversation can continue until the authenticator determines that successful authentication has occurred, in which case the authenticator MUST transmit an EAP Success (Code 3). The MSK is at least 64 octets in length.

Extensible Authentication Protocol

For example, the EAP authenticator may not have demonstrated authorization to act in both peer and authenticator roles. It cannot be assumed that the contents of the Notification Request or Response are available to another method.

As described in Section 4. In this case, it is necessary for both ends to implement EAP authenticator and peer layers.

In EAP there is no provision for retries after failed authentication. For example, the identity may not be required where it is determined by the port to which the peer has connected (leased lines).