GENWiki

Premier IT Outsourcing and Support Services within the UK

User Tools

Site Tools


rfc:rfc3579

Network Working Group B. Aboba Request for Comments: 3579 Microsoft Updates: 2869 P. Calhoun Category: Informational Airespace

                                                        September 2003
        RADIUS (Remote Authentication Dial In User Service)
        Support For Extensible Authentication Protocol (EAP)

Status of this Memo

 This memo provides information for the Internet community.  It does
 not specify an Internet standard of any kind.  Distribution of this
 memo is unlimited.

Copyright Notice

 Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

 This document defines Remote Authentication Dial In User Service
 (RADIUS) support for the Extensible Authentication Protocol (EAP), an
 authentication framework which supports multiple authentication
 mechanisms.  In the proposed scheme, the Network Access Server (NAS)
 forwards EAP packets to and from the RADIUS server, encapsulated
 within EAP-Message attributes.  This has the advantage of allowing
 the NAS to support any EAP authentication method, without the need
 for method-specific code, which resides on the RADIUS server.  While
 EAP was originally developed for use with PPP, it is now also in use
 with IEEE 802.
 This document updates RFC 2869.

Aboba & Calhoun Informational [Page 1] RFC 3579 RADIUS & EAP September 2003

Table of Contents

 1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  2
     1.1.  Specification of Requirements. . . . . . . . . . . . . .  3
     1.2.  Terminology. . . . . . . . . . . . . . . . . . . . . . .  3
 2.  RADIUS Support for EAP . . . . . . . . . . . . . . . . . . . .  4
     2.1.  Protocol Overview. . . . . . . . . . . . . . . . . . . .  5
     2.2.  Invalid Packets. . . . . . . . . . . . . . . . . . . . .  9
     2.3.  Retransmission . . . . . . . . . . . . . . . . . . . . . 10
     2.4.  Fragmentation. . . . . . . . . . . . . . . . . . . . . . 10
     2.5.  Alternative uses . . . . . . . . . . . . . . . . . . . . 11
     2.6.  Usage Guidelines . . . . . . . . . . . . . . . . . . . . 11
 3.  Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . 14
     3.1.  EAP-Message. . . . . . . . . . . . . . . . . . . . . . . 15
     3.2.  Message-Authenticator. . . . . . . . . . . . . . . . . . 16
     3.3.  Table of Attributes. . . . . . . . . . . . . . . . . . . 18
 4.  Security Considerations. . . . . . . . . . . . . . . . . . . . 19
     4.1.  Security Requirements. . . . . . . . . . . . . . . . . . 19
     4.2.  Security Protocol. . . . . . . . . . . . . . . . . . . . 20
     4.3.  Security Issues. . . . . . . . . . . . . . . . . . . . . 22
 5.  IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 30
 6.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 30
     6.1.  Normative References . . . . . . . . . . . . . . . . . . 30
     6.2.  Informative References . . . . . . . . . . . . . . . . . 32
 Appendix A - Examples. . . . . . . . . . . . . . . . . . . . . . . 34
 Appendix B - Change Log. . . . . . . . . . . . . . . . . . . . . . 43
 Intellectual Property Statement. . . . . . . . . . . . . . . . . . 44
 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . . 44
 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 45
 Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 46

1. Introduction

 The Remote Authentication Dial In User Service (RADIUS) is an
 authentication, authorization and accounting protocol used to control
 network access.  RADIUS authentication and authorization is specified
 in [RFC2865], and RADIUS accounting is specified in [RFC2866]; RADIUS
 over IPv6 is specified in [RFC3162].
 The Extensible Authentication Protocol (EAP), defined in [RFC2284],
 is an authentication framework which supports multiple authentication
 mechanisms.  EAP may be used on dedicated links, switched circuits,
 and wired as well as wireless links.
 To date, EAP has been implemented with hosts and routers that connect
 via switched circuits or dial-up lines using PPP [RFC1661].  It has
 also been implemented with bridges supporting [IEEE802].  EAP
 encapsulation on IEEE 802 wired media is described in [IEEE8021X].

Aboba & Calhoun Informational [Page 2] RFC 3579 RADIUS & EAP September 2003

 RADIUS attributes are comprised of variable length Type-Length-Value
 3-tuples.  New attribute values can be added without disturbing
 existing implementations of the protocol.  This specification
 describes RADIUS attributes supporting the Extensible Authentication
 Protocol (EAP): EAP-Message and Message-Authenticator.  These
 attributes now have extensive field experience.  The purpose of this
 document is to provide clarification and resolve interoperability
 issues.
 As noted in [RFC2865], a Network Access Server (NAS) that does not
 implement a given service MUST NOT implement the RADIUS attributes
 for that service.  This implies that a NAS that is unable to offer
 EAP service MUST NOT implement the RADIUS attributes for EAP.  A NAS
 MUST treat a RADIUS Access-Accept requesting an unavailable service
 as an Access-Reject instead.

1.1. Specification of Requirements

 In this document, several words are used to signify the requirements
 of the specification.  These words are often capitalized.  The key
 words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
 "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in this document
 are to be interpreted as described in [RFC2119].

1.2. Terminology

 This document frequently uses the following terms:
 authenticator
           The end of the link requiring the authentication.  Also
           known as the Network Access Server (NAS) or RADIUS client.
           Within IEEE 802.1X terminology, the term Authenticator is
           used.
 peer      The other end of the point-to-point link (PPP),
           point-to-point LAN segment (IEEE 802.1X) or wireless link,
           which is being authenticated by the authenticator.  In IEEE
           802.1X, this end is known as the Supplicant.
 authentication server
           An authentication server is an entity that provides an
           authentication service to an authenticator (NAS).  This
           service verifies from the credentials provided by the peer,
           the claim of identity made by the peer; it also may provide
           credentials allowing the peer to verify the identity of the
           authentication server.  Within this document it is assumed
           that the NAS operates as a pass-through, forwarding EAP
           packets between the RADIUS server and the EAP peer.

Aboba & Calhoun Informational [Page 3] RFC 3579 RADIUS & EAP September 2003

           Therefore the RADIUS server operates as an authentication
           server.
 silently discard
           This means the implementation discards the packet without
           further processing.  The implementation SHOULD provide the
           capability of logging the error, including the contents of
           the silently discarded packet, and SHOULD record the event
           in a statistics counter.
 displayable message
           This is interpreted to be a human readable string of
           characters, and MUST NOT affect operation of the protocol.
           The message encoding MUST follow the UTF-8 transformation
           format [RFC2279].
 Network Access Server (NAS)
           The device providing access to the network.  Also known as
           the Authenticator (IEEE 802.1X or EAP terminology) or
           RADIUS client.
 service   The NAS provides a service to the user, such as IEEE 802 or
           PPP.
 session   Each service provided by the NAS to a peer constitutes a
           session, with the beginning of the session defined as the
           point where service is first provided and the end of the
           session defined as the point where service is ended.  A
           peer may have multiple sessions in parallel or series if
           the NAS supports that, with each session generating a
           separate start and stop accounting record.

2. RADIUS Support for EAP

 The Extensible Authentication Protocol (EAP), described in [RFC2284],
 provides a standard mechanism for support of additional
 authentication methods without the NAS to be upgraded to support each
 new method.  Through the use of EAP, support for a number of
 authentication schemes may be added, including smart cards, Kerberos
 [RFC1510], Public Key [RFC2716], One Time Passwords [RFC2284], and
 others.
 One of the advantages of the EAP architecture is its flexibility.
 EAP is used to select a specific authentication mechanism.  Rather
 than requiring the NAS to be updated to support each new
 authentication method, EAP permits the use of an authentication
 server implementing authentication methods, with the NAS acting as a
 pass-through for some or all methods and peers.

Aboba & Calhoun Informational [Page 4] RFC 3579 RADIUS & EAP September 2003

 A NAS MAY authenticate local peers while at the same time acting as a
 pass-through for non-local peers and authentication methods it does
 not implement locally.  A NAS implementing this specification is not
 required to use RADIUS to authenticate every peer.  However, once the
 NAS begins acting as a pass-through for a particular session, it can
 no longer perform local authentication for that session.
 In order to support EAP within RADIUS, two new attributes,
 EAP-Message and Message-Authenticator, are introduced in this
 document.  This section describes how these new attributes may be
 used for providing EAP support within RADIUS.

2.1. Protocol Overview

 In RADIUS/EAP, RADIUS is used to shuttle RADIUS-encapsulated EAP
 Packets between the NAS and an authentication server.
 The authenticating peer and the NAS begin the EAP conversation by
 negotiating use of EAP.  Once EAP has been negotiated, the NAS SHOULD
 send an initial EAP-Request message to the authenticating peer.  This
 will typically be an EAP-Request/Identity, although it could be an
 EAP-Request for an authentication method (Types 4 and greater).  A
 NAS MAY be configured to initiate with a default authentication
 method.  This is useful in cases where the identity is determined by
 another means (such as Called-Station-Id, Calling-Station-Id and/or
 Originating-Line-Info); where a single authentication method is
 required, which includes its own identity exchange; where identity
 hiding is desired, so that the identity is not requested until after
 a protected channel has been set up.
 The peer replies with an EAP-Response.  The NAS MAY determine from
 the Response that it should proceed with local authentication.
 Alternatively, the NAS MAY act as a pass-through, encapsulating the
 EAP-Response within EAP-Message attribute(s) sent to the RADIUS
 server within a RADIUS Access-Request packet.  If the NAS sends an
 EAP-Request/Identity message as the initial packet, the peer responds
 with an EAP-Response/Identity.  The NAS may determine that the peer
 is local and proceed with local authentication.  If no match is found
 against the list of local users, the NAS encapsulates the
 EAP-Response/Identity message within an EAP-Message attribute,
 enclosed within an Access-Request packet.
 On receiving a valid Access-Request packet containing EAP-Message
 attribute(s), a RADIUS server compliant with this specification and
 wishing to authenticate with EAP MUST respond with an
 Access-Challenge packet containing EAP-Message attribute(s).  If the
 RADIUS server does not support EAP or does not wish to authenticate
 with EAP, it MUST respond with an Access-Reject.

Aboba & Calhoun Informational [Page 5] RFC 3579 RADIUS & EAP September 2003

 EAP-Message attribute(s) encapsulate a single EAP packet which the
 NAS decapsulates and passes on to the authenticating peer.  The peer
 then responds with an EAP-Response packet, which the NAS encapsulates
 within an Access-Request containing EAP-Message attribute(s).  EAP is
 a 'lock step' protocol, so that other than the initial Request, a new
 Request cannot be sent prior to receiving a valid Response.
 The conversation continues until either a RADIUS Access-Reject or
 Access-Accept packet is received from the RADIUS server.  Reception
 of a RADIUS Access-Reject packet MUST result in the NAS denying
 access to the authenticating peer.  A RADIUS Access-Accept packet
 successfully ends the authentication phase.  The NAS MUST NOT
 "manufacture" a Success or Failure packet as the result of a timeout.
 After a suitable number of timeouts have elapsed, the NAS SHOULD
 instead end the EAP conversation.
 Using RADIUS, the NAS can act as a pass-through for an EAP
 conversation between the peer and authentication server, without
 needing to implement the EAP method used between them.  Where the NAS
 initiates the conversation by sending an EAP-Request for an
 authentication method, it may not be required that the NAS fully
 implement the EAP method reflected in the initial EAP-Request.
 Depending on the initial method, it may be sufficient for the NAS to
 be configured with the initial packet to be sent to the peer, and for
 the NAS to act as a pass-through for subsequent messages.  Note that
 since the NAS only encapsulates the EAP-Response in its initial
 Access-Request, the initial EAP-Request within the authentication
 method is not available to the RADIUS server.  For the RADIUS server
 to be able to continue the conversation, either the initial
 EAP-Request is vestigial, so that the RADIUS server need not be aware
 of it, or the relevant information from the initial EAP-Request (such
 as a nonce) is reflected in the initial EAP-Response, so that the
 RADIUS server can obtain it without having received the initial
 EAP-Request.
 Where the initial EAP-Request sent by the NAS is for an
 authentication Type (4 or greater), the peer MAY respond with a Nak
 indicating that it would prefer another authentication method that is
 not implemented locally.  In this case, the NAS SHOULD send
 Access-Request encapsulating the received EAP-Response/Nak.  This
 provides the RADIUS server with a hint about the authentication
 method(s) preferred by the peer, although it does not provide
 information on the Type of the original Request.  It also provides
 the server with the Identifier used in the initial EAP-Request, so
 that Identifier conflicts can be avoided.

Aboba & Calhoun Informational [Page 6] RFC 3579 RADIUS & EAP September 2003

 In order to evaluate whether the alternatives preferred by the
 authenticating peer are allowed, the RADIUS server will typically
 respond with an Access-Challenge containing EAP-Message attribute(s)
 encapsulating an EAP-Request/Identity (Type 1).  This allows the
 RADIUS server to determine the peer identity, so as to be able to
 retrieve the associated authentication policy.  Alternatively, an
 EAP-Request for an authentication method (Type 4 or greater) could be
 sent.  Since the RADIUS server may not be aware of the Type of the
 initial EAP-Request, it is possible for the RADIUS server to choose
 an unacceptable method, and for the peer to respond with another Nak.
 In order to permit non-EAP aware RADIUS proxies to forward the
 Access-Request packet, if the NAS initially sends an
 EAP-Request/Identity message to the peer, the NAS MUST copy the
 contents of the Type-Data field of the EAP-Response/Identity received
 from the peer into the User-Name attribute and MUST include the
 Type-Data field of the EAP-Response/Identity in the User-Name
 attribute in every subsequent Access-Request.  Since RADIUS proxies
 are assumed to act as a pass-through, they cannot be expected to
 parse an EAP-Response/Identity encapsulated within EAP-Message
 attribute(s).  If the NAS initially sends an EAP-Request for an
 authentication method, and the peer identity cannot be determined
 from the EAP-Response, then the User-Name attribute SHOULD be
 determined by another means.  As noted in [RFC2865] Section 5.6, it
 is recommended that Access-Requests use the value of the
 Calling-Station-Id as the value of the User-Name attribute.
 Having the NAS send the initial EAP-Request packet has a number of
 advantages:
 [1]  It saves a round trip between the NAS and RADIUS server.
 [2]  An Access-Request is only sent to the RADIUS server if the
      authenticating peer sends an EAP-Response, confirming that it
      supports EAP.  In situations where peers may be EAP unaware,
      initiating a RADIUS Access-Request on a "carrier sense" or
      "media up" indication may result in many authentication
      exchanges that cannot complete successfully.  For example, on
      wired networks [IEEE8021X] Supplicants typically do not initiate
      the 802.1X conversation with an EAPOL-Start.  Therefore an IEEE
      802.1X-enabled bridge may not be able to determine whether the
      peer supports EAP until it receives a Response to the initial
      EAP-Request.
 [3]  It allows some peers to be authenticated locally.

Aboba & Calhoun Informational [Page 7] RFC 3579 RADIUS & EAP September 2003

 Although having the NAS send the initial EAP-Request packet has
 substantial advantages, this technique cannot be universally
 employed.  There are circumstances in which the peer identity is
 already known (such as when authentication and accounting is handled
 based on Called-Station-Id, Calling-Station-Id and/or
 Originating-Line-Info), but where the appropriate EAP method may vary
 based on that identity.
 Rather than sending an initial EAP-Request packet to the
 authenticating peer, on detecting the presence of the peer, the NAS
 MAY send an Access-Request packet to the RADIUS server containing an
 EAP-Message attribute signifying EAP-Start.  The RADIUS server will
 typically respond with an Access-Challenge containing EAP-Message
 attribute(s) encapsulating an EAP-Request/Identity (Type 1).
 However, an EAP-Request for an authentication method (Type 4 or
 greater) can also be sent by the server.
 EAP-Start is indicated by sending an EAP-Message attribute with a
 length of 2 (no data).  The Calling-Station-Id SHOULD be included in
 the User-Name attribute.  This may result in a RADIUS Access-Request
 being sent by the NAS to the RADIUS server without first confirming
 that the peer supports EAP.  Since this technique can result in a
 large number of uncompleted RADIUS conversations, in situations where
 EAP unaware peers are common, or where peer support for EAP cannot be
 determined on initial contact (e.g. [IEEE8021X] Supplicants not
 initiating the conversation with an EAPOL-Start) it SHOULD NOT be
 employed by default.
 For proxied RADIUS requests, there are two methods of processing.  If
 the domain is determined based on the Calling-Station-Id,
 Called-Station-Id and/or Originating-Line-Info, the RADIUS server may
 proxy the initial RADIUS Access-Request/EAP-Start.  If the realm is
 determined based on the peer identity, the local RADIUS server MUST
 respond with a RADIUS Access-Challenge including an EAP-Message
 attribute encapsulating an EAP-Request/Identity packet.  The response
 from the authenticating peer SHOULD be proxied to the final
 authentication server.
 If an Access-Request is sent to a RADIUS server which does not
 support the EAP-Message attribute, then an Access-Reject MUST be sent
 in response.  On receiving an Access-Reject, the NAS MUST deny access
 to the authenticating peer.

Aboba & Calhoun Informational [Page 8] RFC 3579 RADIUS & EAP September 2003

2.2. Invalid Packets

 While acting as a pass-through, the NAS MUST validate the EAP header
 fields (Code, Identifier, Length) prior to forwarding an EAP packet
 to or from the RADIUS server.  On receiving an EAP packet from the
 peer, the NAS checks the Code (2) and Length fields, and matches the
 Identifier value against the current Identifier, supplied by the
 RADIUS server in the most recently validated EAP-Request.  On
 receiving an EAP packet from the RADIUS server (encapsulated within
 an Access-Challenge), the NAS checks the Code (1) and Length fields,
 then updates the current Identifier value.  Pending EAP Responses
 that do not match the current Identifier value are silently discarded
 by the NAS.
 Since EAP method fields (Type, Type-Data) are typically not validated
 by a NAS operating as a pass-through, despite these checks it is
 possible for a NAS to forward an invalid EAP packet to or from the
 RADIUS server.  A RADIUS server receiving EAP-Message attribute(s) it
 does not understand SHOULD make the determination of whether the
 error is fatal or non-fatal based on the EAP Type.  A RADIUS server
 determining that a fatal error has occurred MUST send an
 Access-Reject containing an EAP-Message attribute encapsulating
 EAP-Failure.
 A RADIUS server determining that a non-fatal error has occurred MAY
 send an Access-Challenge to the NAS including EAP-Message
 attribute(s) as well as an Error-Cause attribute [RFC3576] with value
 202 (decimal), "Invalid EAP Packet (Ignored)".  The Access-Challenge
 SHOULD encapsulate within EAP-Message attribute(s) the most recently
 sent EAP-Request packet (including the same Identifier value).  On
 receiving such an Access-Challenge, a NAS implementing previous
 versions of this specification will decapsulate the EAP-Request and
 send it to the peer, which will retransmit the EAP-Response.
 A NAS compliant with this specification, on receiving an
 Access-Challenge with an Error-Cause attribute of value 202 (decimal)
 SHOULD discard the EAP-Response packet most recently transmitted to
 the RADIUS server and check whether additional EAP-Response packets
 have been received matching the current Identifier value.  If so, a
 new EAP-Response packet, if available, MUST be sent to the RADIUS
 server within an Access-Request, and the EAP-Message attribute(s)
 included within the Access-Challenge are silently discarded.  If no
 EAP-Response packet is available, then the EAP-Request encapsulated
 within the Access-Challenge is sent to the peer, and the
 retransmission timer is reset.

Aboba & Calhoun Informational [Page 9] RFC 3579 RADIUS & EAP September 2003

 In order to provide protection against Denial of Service (DoS)
 attacks, it is advisable for the NAS to allocate a finite buffer for
 EAP packets received from the peer, and to discard packets according
 to an appropriate policy once that buffer has been exceeded.  Also,
 the RADIUS server is advised to permit only a modest number of
 invalid EAP packets within a single session, prior to terminating the
 session with an Access-Reject.  By default a value of 5 invalid EAP
 packets is recommended.

2.3. Retransmission

 As noted in [RFC2284], if an EAP packet is lost in transit between
 the authenticating peer and the NAS (or vice versa), the NAS will
 retransmit.
 It may be necessary to adjust retransmission strategies and
 authentication timeouts in certain cases.  For example, when a token
 card is used additional time may be required to allow the user to
 find the card and enter the token.  Since the NAS will typically not
 have knowledge of the required parameters, these need to be provided
 by the RADIUS server.  This can be accomplished by inclusion of
 Session-Timeout attribute within the Access-Challenge packet.
 If Session-Timeout is present in an Access-Challenge packet that also
 contains an EAP-Message, the value of the Session-Timeout is used to
 set the EAP retransmission timer for that EAP Request, and that
 Request alone.  Once the EAP-Request has been sent, the NAS sets the
 retransmission timer, and if it expires without having received an
 EAP-Response corresponding to the Request, then the EAP-Request is
 retransmitted.

2.4. Fragmentation

 Using the EAP-Message attribute, it is possible for the RADIUS server
 to encapsulate an EAP packet that is larger than the MTU on the link
 between the NAS and the peer.  Since it is not possible for the
 RADIUS server to use MTU discovery to ascertain the link MTU, the
 Framed-MTU attribute may be included in an Access-Request packet
 containing an EAP-Message attribute so as to provide the RADIUS
 server with this information.  A RADIUS server having received a
 Framed-MTU attribute in an Access-Request packet MUST NOT send any
 subsequent packet in this EAP conversation containing EAP-Message
 attributes whose values, when concatenated, exceed the length
 specified by the Framed-MTU value, taking the link type (specified by
 the NAS-Port-Type attribute) into account.  For example, as noted in
 [RFC3580] Section 3.10, for a NAS-Port-Type value of IEEE 802.11, the

Aboba & Calhoun Informational [Page 10] RFC 3579 RADIUS & EAP September 2003

 RADIUS server may send an EAP packet as large as Framed-MTU minus
 four (4) octets, taking into account the additional overhead for the
 IEEE 802.1X Version (1), Type (1) and Body Length (2) fields.

2.5. Alternative Uses

 Currently the conversation between security servers and the RADIUS
 server is often proprietary because of lack of standardization.  In
 order to increase standardization and provide interoperability
 between RADIUS vendors and  security vendors, it is recommended that
 RADIUS- encapsulated EAP be used for this conversation.
 This has the advantage of allowing the RADIUS server to support EAP
 without the need for authentication-specific code within the RADIUS
 server.  Authentication-specific code can then reside on a security
 server instead.
 In the case where RADIUS-encapsulated EAP is used in a conversation
 between a RADIUS server and a security server, the security server
 will typically return an Access-Accept message without inclusion of
 the expected attributes currently returned in an Access-Accept.  This
 means that the RADIUS server MUST add these attributes prior to
 sending an Access-Accept message to the NAS.

2.6. Usage Guidelines

2.6.1. Identifier Space

 In EAP, each session has its own unique Identifier space.  RADIUS
 server implementations MUST be able to distinguish between EAP
 packets with the same Identifier existing within distinct sessions,
 originating on the same NAS.  For this purpose, sessions can be
 distinguished based on NAS and session identification attributes.
 NAS identification attributes include NAS-Identifier,
 NAS-IPv6-Address and NAS-IPv4-Address.  Session identification
 attributes include User-Name, NAS-Port, NAS-Port-Type, NAS-Port-Id,
 Called-Station-Id, Calling-Station-Id and Originating-Line-Info.

2.6.2. Role Reversal

 Since EAP is a peer-to-peer protocol, an independent and simultaneous
 authentication may take place in the reverse direction.  Both peers
 may act as authenticators and authenticatees at the same time.
 However, role reversal is not supported by this specification.  A
 RADIUS server MUST respond to an Access-Request encapsulating an
 EAP-Request with an Access-Reject.  In order to avoid retransmissions

Aboba & Calhoun Informational [Page 11] RFC 3579 RADIUS & EAP September 2003

 by the peer, the Access-Reject SHOULD include an EAP-Response/Nak
 packet indicating no preferred method, encapsulated within
 EAP-Message attribute(s).

2.6.3. Conflicting Messages

 The NAS MUST make its access control decision based solely on the
 RADIUS Packet Type (Access-Accept/Access-Reject).  The access control
 decision MUST NOT be based on the contents of the EAP packet
 encapsulated in one or more EAP-Message attributes, if present.
 Access-Accept packets SHOULD have only one EAP-Message attribute in
 them, containing EAP Success; similarly, Access-Reject packets SHOULD
 have only one EAP-Message attribute in them, containing EAP Failure.
 Where the encapsulated EAP packet does not match the result implied
 by the RADIUS Packet Type, the combination is likely to cause
 confusion, because the NAS and peer will arrive at different
 conclusions as to the outcome of the authentication.
 For example, if the NAS receives an Access-Reject with an
 encapsulated EAP Success, it will not grant access to the peer.
 However, on receiving the EAP Success, the peer will be lead to
 believe that it authenticated successfully.
 If the NAS receives an Access-Accept with an encapsulated EAP
 Failure, it will grant access to the peer.  However, on receiving an
 EAP Failure, the peer will be lead to believe that it failed
 authentication.  If no EAP-Message attribute is included within an
 Access-Accept or Access-Reject, then the peer may not be informed as
 to the outcome of the authentication, while the NAS will take action
 to allow or deny access.
 As described in [RFC2284], the EAP Success and Failure packets are
 not acknowledged, and these packets terminate the EAP conversation.
 As a result, if these packets are encapsulated within an
 Access-Challenge, no response will be received, and therefore the NAS
 will send no further Access-Requests to the RADIUS server for the
 session.  As a result, the RADIUS server will not indicate to the NAS
 whether to allow or deny access, while the peer will be informed as
 to the outcome of the authentication.

Aboba & Calhoun Informational [Page 12] RFC 3579 RADIUS & EAP September 2003

 To avoid these conflicts, the following combinations SHOULD NOT be
 sent by a RADIUS server:
    Access-Accept/EAP-Message/EAP Failure
    Access-Accept/no EAP-Message attribute
    Access-Accept/EAP-Start
    Access-Reject/EAP-Message/EAP Success
    Access-Reject/no EAP-Message attribute
    Access-Reject/EAP-Start
    Access-Challenge/EAP-Message/EAP Success
    Access-Challenge/EAP-Message/EAP Failure
    Access-Challenge/no EAP-Message attribute
    Access-Challenge/EAP-Start
 Since the responsibility for avoiding conflicts lies with the RADIUS
 server, the NAS MUST NOT "manufacture" EAP packets in order to
 correct contradictory messages that it receives.  This behavior,
 originally mandated within [IEEE8021X], will be deprecated in the
 future.

2.6.4. Priority

 A RADIUS Access-Accept or Access-Reject packet may contain EAP-
 Message attribute(s). In order to ensure the correct processing of
 RADIUS packets, the NAS MUST first process the attributes, including
 the EAP-Message attribute(s), prior to processing the Accept/Reject
 indication.

2.6.5. Displayable Messages

 The Reply-Message attribute, defined in [RFC2865], Section 5.18,
 indicates text which may be displayed to the peer.  This is similar
 in concept to EAP Notification, defined in [RFC2284].  When sending a
 displayable message to a NAS during an EAP conversation, the RADIUS
 server MUST encapsulate displayable messages within
 EAP-Message/EAP-Request/Notification attribute(s).  Reply-Message
 attribute(s) MUST NOT be included in any RADIUS message containing an
 EAP-Message attribute.  An EAP-Message/EAP-Request/Notification
 SHOULD NOT be included within an Access-Accept or Access-Reject
 packet.
 In some existing implementations, a NAS receiving Reply-Message
 attribute(s) copies the Text field(s) into the Type-Data field of an
 EAP-Request/Notification packet, fills in the Identifier field, and
 sends this to the peer.  However, several issues arise from this:

Aboba & Calhoun Informational [Page 13] RFC 3579 RADIUS & EAP September 2003

 [1]  Unexpected Responses.  On receiving an EAP-Request/Notification,
      the peer will send an EAP-Response/Notification, and the NAS
      will pass this on to the RADIUS server, encapsulated within
      EAP-Message attribute(s).  However, the RADIUS server may not be
      expecting an Access-Request containing an
      EAP-Message/EAP-Response/Notification attribute.
      For example, consider what happens when a Reply-Message is
      included within an Access-Accept or Access-Reject packet with no
      EAP-Message attribute(s) present.  If the value of the
      Reply-Message attribute is copied into the Type-Data of an
      EAP-Request/Notification and sent to the peer, this will result
      in an Access-Request containing an
      EAP-Message/EAP-Response/Notification attribute being sent by
      the NAS to the RADIUS server.  Since an Access-Accept or
      Access-Reject packet terminates the RADIUS conversation, such an
      Access-Request would not be expected, and could be interpreted
      as the start of another conversation.
 [2]  Identifier conflicts.  While the EAP-Request/Notification is an
      EAP packet containing an Identifier field, the Reply-Message
      attribute does not contain an Identifier field.  As a result, a
      NAS receiving a Reply-Message attribute and wishing to translate
      this to an EAP-Request/Notification will need to choose an
      Identifier value.  It is possible that the chosen Identifier
      value will conflict with a value chosen by the RADIUS server for
      another packet within the EAP conversation, potentially causing
      confusion between a new packet and a retransmission.
 To avoid these problems, a NAS receiving a Reply-Message attribute
 from the RADIUS server SHOULD silently discard the attribute, rather
 than attempting to translate it to an EAP Notification Request.

3. Attributes

 The NAS-Port or NAS-Port-Id attributes SHOULD be included by the NAS
 in Access-Request packets, and either NAS-Identifier, NAS-IP-Address
 or NAS-IPv6-Address attributes MUST be included.  In order to permit
 forwarding of the Access-Reply by EAP-unaware proxies, if a User-Name
 attribute was included in an Access-Request, the RADIUS server MUST
 include the User-Name attribute in subsequent Access-Accept packets.
 Without the User-Name attribute, accounting and billing becomes
 difficult to manage.  The User-Name attribute within the Access-
 Accept packet need not be the same as the User-Name attribute in the
 Access-Request.

Aboba & Calhoun Informational [Page 14] RFC 3579 RADIUS & EAP September 2003

3.1. EAP-Message

 Description
    This attribute encapsulates EAP [RFC2284] packets so as to allow
    the NAS to authenticate peers via EAP without having to understand
    the EAP method it is passing through.
    The NAS places EAP messages received from the authenticating peer
    into one or more EAP-Message attributes and forwards them to the
    RADIUS server within an Access-Request message.  If multiple
    EAP-Message attributes are contained within an Access-Request or
    Access-Challenge packet, they MUST be in order and they MUST be
    consecutive attributes in the Access-Request or Access-Challenge
    packet.  The RADIUS server can return EAP-Message attributes in
    Access-Challenge, Access-Accept and Access-Reject packets.
    When RADIUS is used to enable EAP authentication, Access-Request,
    Access-Challenge, Access-Accept, and Access-Reject packets SHOULD
    contain one or more EAP-Message attributes.  Where more than one
    EAP-Message attribute is included, it is assumed that the
    attributes are to be concatenated to form a single EAP packet.
    Multiple EAP packets MUST NOT be encoded within EAP-Message
    attributes contained within a single Access-Challenge,
    Access-Accept, Access-Reject or Access-Request packet.
    It is expected that EAP will be used to implement a variety of
    authentication methods, including methods involving strong
    cryptography.  In order to prevent attackers from subverting EAP
    by attacking RADIUS/EAP, (for example, by modifying EAP Success or
    EAP Failure packets) it is necessary that RADIUS provide
    per-packet authentication and integrity protection.
    Therefore the Message-Authenticator attribute MUST be used to
    protect all Access-Request, Access-Challenge, Access-Accept, and
    Access-Reject packets containing an EAP-Message attribute.
    Access-Request packets including EAP-Message attribute(s) without
    a Message-Authenticator attribute SHOULD be silently discarded by
    the RADIUS server.  A RADIUS server supporting the EAP-Message
    attribute MUST calculate the correct value of the
    Message-Authenticator and MUST silently discard the packet if it
    does not match the value sent.  A RADIUS server not supporting the
    EAP-Message attribute MUST return an Access-Reject if it receives
    an Access-Request containing an EAP-Message attribute.

Aboba & Calhoun Informational [Page 15] RFC 3579 RADIUS & EAP September 2003

    Access-Challenge, Access-Accept, or Access-Reject packets
    including EAP-Message attribute(s) without a Message-Authenticator
    attribute SHOULD be silently discarded by the NAS.  A NAS
    supporting the EAP-Message attribute MUST calculate the correct
    value of the Message-Authenticator and MUST silently discard the
    packet if it does not match the value sent.
    A summary of the EAP-Message attribute format is shown below.  The
    fields are transmitted from left to right.
     0                   1                   2
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Type      |    Length     |     String...
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type
    79 for EAP-Message
 Length
    >= 3
 String
    The String field contains an EAP packet, as defined in [RFC2284].
    If multiple EAP-Message attributes are present in a packet their
    values should be concatenated; this allows EAP packets longer than
    253 octets to be transported by RADIUS.

3.2. Message-Authenticator

 Description
    This attribute MAY be used to authenticate and integrity-protect
    Access-Requests in order to prevent spoofing.  It MAY be used in
    any Access-Request.  It MUST be used in any Access-Request,
    Access-Accept, Access-Reject or Access-Challenge that includes an
    EAP-Message attribute.
    A RADIUS server receiving an Access-Request with a
    Message-Authenticator attribute present MUST calculate the correct
    value of the Message-Authenticator and silently discard the packet
    if it does not match the value sent.

Aboba & Calhoun Informational [Page 16] RFC 3579 RADIUS & EAP September 2003

    A RADIUS client receiving an Access-Accept, Access-Reject or
    Access-Challenge with a Message-Authenticator attribute present
    MUST calculate the correct value of the Message-Authenticator and
    silently discard the packet if it does not match the value sent.
    This attribute is not required in Access-Requests which include
    the User-Password attribute, but is useful for preventing attacks
    on other types of authentication.  This attribute is intended to
    thwart attempts by an attacker to setup a "rogue" NAS, and perform
    online dictionary attacks against the RADIUS server.  It does not
    afford protection against "offline" attacks where the attacker
    intercepts packets containing (for example) CHAP challenge and
    response, and performs a dictionary attack against those packets
    offline.
    A summary of the Message-Authenticator attribute format is shown
    below.  The fields are transmitted from left to right.
     0                   1                   2
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Type      |    Length     |     String...
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Type
    80 for Message-Authenticator
 Length
    18
 String
    When present in an Access-Request packet, Message-Authenticator is
    an HMAC-MD5 [RFC2104] hash of the entire Access-Request packet,
    including Type, ID, Length and Authenticator, using the shared
    secret as the key, as follows.
    Message-Authenticator = HMAC-MD5 (Type, Identifier, Length,
    Request Authenticator, Attributes)
    When the message integrity check is calculated the signature
    string should be considered to be sixteen octets of zero.

Aboba & Calhoun Informational [Page 17] RFC 3579 RADIUS & EAP September 2003

    For Access-Challenge, Access-Accept, and Access-Reject packets,
    the Message-Authenticator is calculated as follows, using the
    Request-Authenticator from the Access-Request this packet is in
    reply to:
    Message-Authenticator = HMAC-MD5 (Type, Identifier, Length,
    Request Authenticator, Attributes)
    When the message integrity check is calculated the signature
    string should be considered to be sixteen octets of zero.  The
    shared secret is used as the key for the HMAC-MD5 message
    integrity check.  The Message-Authenticator is calculated and
    inserted in the packet before the Response Authenticator is
    calculated.

3.3. Table of Attributes

 The following table provides a guide to which attributes may be found
 in packets including EAP-Message attribute(s), and in what quantity.
 The EAP-Message and Message-Authenticator attributes specified in
 this document MUST NOT be present in an Accounting-Request.  If a
 table entry is omitted, the values found in [RFC2548], [RFC2865],
 [RFC2868], [RFC2869] and [RFC3162] should be assumed.

Request Accept Reject Challenge # Attribute 0-1 0-1 0 0 1 User-Name 0 0 0 0 2 User-Password [Note 1] 0 0 0 0 3 CHAP-Password [Note 1] 0 0 0 0 18 Reply-Message 0 0 0 0 60 CHAP-Challenge 0 0 0 0 70 ARAP-Password [Note 1] 0 0 0 0 75 Password-Retry 1+ 1+ 1+ 1+ 79 EAP-Message [Note 1] 1 1 1 1 80 Message-Authenticator [Note 1] 0-1 0 0 0 94 Originating-Line-Info [Note 3] 0 0 0-1 0-1 101 Error-Cause [Note 2] Request Accept Reject Challenge # Attribute

 [Note 1] An Access-Request that contains either a User-Password or
 CHAP-Password or ARAP-Password or one or more EAP-Message attributes
 MUST NOT contain more than one type of those four attributes.  If it
 does not contain any of those four attributes, it SHOULD contain a
 Message-Authenticator.  If any packet type contains an EAP-Message
 attribute it MUST also contain a Message-Authenticator.  A RADIUS
 server receiving an Access-Request not containing any of those four
 attributes and also not containing a Message-Authenticator attribute
 SHOULD silently discard it.

Aboba & Calhoun Informational [Page 18] RFC 3579 RADIUS & EAP September 2003

 [Note 2] The Error-Cause attribute is defined in [RFC3576].
 [Note 3] The Originating-Line-Info attribute is defined in [NASREQ].
 The following table defines the meaning of the above table entries.
 0     This attribute MUST NOT be present.
 0+    Zero or more instances of this attribute MAY be present.
 0-1   Zero or one instance of this attribute MAY be present.
 1     Exactly one instance of this attribute MUST be present.
 1+    One or more of these attributes MUST be present.

4. Security Considerations

4.1. Security Requirements

 RADIUS/EAP is used in order to provide authentication and
 authorization for network access.  As a result, both the RADIUS and
 EAP portions of the conversation are potential targets of an attack.
 Threats are discussed in [RFC2607], [RFC2865], and [RFC3162].
 Examples include:
 [1]  An adversary may attempt to acquire confidential data and
      identities by snooping RADIUS packets.
 [2]  An adversary may attempt to modify packets containing RADIUS
      messages.
 [3]  An adversary may attempt to inject packets into a RADIUS
      conversation.
 [4]  An adversary may launch a dictionary attack against the RADIUS
      shared secret.
 [5]  An adversary may launch a known plaintext attack, hoping to
      recover the key stream corresponding to a Request Authenticator.
 [6]  An adversary may attempt to replay a RADIUS exchange.
 [7]  An adversary may attempt to disrupt the EAP negotiation, in
      order to weaken the authentication, or gain access to peer
      passwords.
 [8]  An authenticated NAS may attempt to forge NAS or session
      identification attributes,
 [9]  A rogue (unauthenticated) NAS may attempt to impersonate a
      legitimate NAS.

Aboba & Calhoun Informational [Page 19] RFC 3579 RADIUS & EAP September 2003

 [10] An attacker may attempt to act as a man-in-the-middle.
 To address these threats, it is necessary to support confidentiality,
 data origin authentication, integrity, and replay protection on a
 per-packet basis.  Bi-directional authentication between the RADIUS
 client and server also needs to be provided.  There is no requirement
 that the identities of RADIUS clients and servers be kept
 confidential (e.g., from a passive eavesdropper).

4.2. Security Protocol

 To address the security vulnerabilities of RADIUS/EAP,
 implementations of this specification SHOULD support IPsec [RFC2401]
 along with IKE [RFC2409] for key management.  IPsec ESP [RFC2406]
 with non-null transform SHOULD be supported, and IPsec ESP with a
 non-null encryption transform and authentication support SHOULD be
 used to provide per-packet confidentiality, authentication, integrity
 and replay protection.  IKE SHOULD be used for key management.
 Within RADIUS [RFC2865], a shared secret is used for hiding of
 attributes such as User-Password, as well as in computation of the
 Response Authenticator.  In RADIUS accounting [RFC2866], the shared
 secret is used in computation of both the Request Authenticator and
 the Response Authenticator.
 Since in RADIUS a shared secret is used to provide confidentiality as
 well as integrity protection and authentication, only use of IPsec
 ESP with a non-null transform can provide security services
 sufficient to substitute for RADIUS application-layer security.
 Therefore, where IPSEC AH or ESP null is used, it will typically
 still be necessary to configure a RADIUS shared secret.
 Where RADIUS is run over IPsec ESP with a non-null transform, the
 secret shared between the NAS and the RADIUS server MAY NOT be
 configured.  In this case, a shared secret of zero length MUST be
 assumed.  However, a RADIUS server that cannot know whether incoming
 traffic is IPsec-protected MUST be configured with a non-null RADIUS
 shared secret.
 When IPsec ESP is used with RADIUS, per-packet authentication,
 integrity and replay protection MUST be used.  3DES-CBC MUST be
 supported as an encryption transform and AES-CBC SHOULD be supported.
 AES-CBC SHOULD be offered as a preferred encryption transform if
 supported.  HMAC-SHA1-96 MUST be supported as an authentication
 transform.  DES-CBC SHOULD NOT be used as the encryption transform.

Aboba & Calhoun Informational [Page 20] RFC 3579 RADIUS & EAP September 2003

 A typical IPsec policy for an IPsec-capable RADIUS client is
 "Initiate IPsec, from me to any destination port UDP 1812".  This
 causes an IPsec SA to be set up by the RADIUS client prior to sending
 RADIUS traffic.  If some RADIUS servers contacted by the client do
 not support IPsec, then a more granular policy will be required:
 "Initiate IPsec, from me to IPsec-Capable-RADIUS-Server, destination
 port UDP 1812".
 For an IPsec-capable RADIUS server, a typical IPsec policy is "Accept
 IPsec, from any to me, destination port 1812".  This causes the
 RADIUS server to accept (but not require) use of IPsec.  It may not
 be appropriate to require IPsec for all RADIUS clients connecting to
 an IPsec-enabled RADIUS server, since some RADIUS clients may not
 support IPsec.
 Where IPsec is used for security, and no RADIUS shared secret is
 configured, it is important that the RADIUS client and server perform
 an authorization check.  Before enabling a host to act as a RADIUS
 client, the RADIUS server SHOULD check whether the host is authorized
 to provide network access.  Similarly, before enabling a host to act
 as a RADIUS server, the RADIUS client SHOULD check whether the host
 is authorized for that role.
 RADIUS servers can be configured with the IP addresses (for IKE
 Aggressive Mode with pre-shared keys) or FQDNs (for certificate
 authentication) of RADIUS clients.  Alternatively, if a separate
 Certification Authority (CA) exists for RADIUS clients, then the
 RADIUS server can configure this CA as a trust anchor [RFC3280] for
 use with IPsec.
 Similarly, RADIUS clients can be configured with the IP addresses
 (for IKE Aggressive Mode with pre-shared keys) or FQDNs (for
 certificate authentication) of RADIUS servers.  Alternatively, if a
 separate CA exists for RADIUS servers, then the RADIUS client can
 configure this CA as a trust anchor for use with IPsec.
 Since unlike SSL/TLS, IKE does not permit certificate policies to be
 set on a per-port basis, certificate policies need to apply to all
 uses of IPsec on RADIUS clients and servers.  In IPsec deployments
 supporting only certificate authentication, a management station
 initiating an IPsec-protected telnet session to the RADIUS server
 would need to obtain a certificate chaining to the RADIUS client CA.
 Issuing such a certificate might not be appropriate if the management
 station was not authorized as a RADIUS client.
 Where RADIUS clients may obtain their IP address dynamically (such as
 an Access Point supporting DHCP), IKE Main Mode with pre-shared keys
 [RFC2409] SHOULD NOT be used, since this requires use of a group

Aboba & Calhoun Informational [Page 21] RFC 3579 RADIUS & EAP September 2003

 pre-shared key; instead, Aggressive Mode SHOULD be used.  IKEv2, a
 work in progress, may address this issue in the future.  Where RADIUS
 client addresses are statically assigned, either Aggressive Mode or
 Main Mode MAY be used.  With certificate authentication, Main Mode
 SHOULD be used.
 Care needs to be taken with IKE Phase 1 Identity Payload selection in
 order to enable mapping of identities to pre-shared keys even with
 Aggressive Mode.  Where the ID_IPV4_ADDR or ID_IPV6_ADDR Identity
 Payloads are used and addresses are dynamically assigned, mapping of
 identities to keys is not possible, so that group pre-shared keys are
 still a practical necessity.  As a result, the ID_FQDN identity
 payload SHOULD be employed in situations where Aggressive mode is
 utilized along with pre-shared keys and IP addresses are dynamically
 assigned.  This approach also has other advantages, since it allows
 the RADIUS server and client to configure themselves based on the
 fully qualified domain name of their peers.
 Note that with IPsec, security services are negotiated at the
 granularity of an IPsec SA, so that RADIUS exchanges requiring a set
 of security services different from those negotiated with existing
 IPsec SAs will need to negotiate a new IPsec SA.  Separate IPsec SAs
 are also advisable where quality of service considerations dictate
 different handling RADIUS conversations.  Attempting to apply
 different quality of service to connections handled by the same IPsec
 SA can result in reordering, and falling outside the replay window.
 For a discussion of the issues, see [RFC2983].

4.3. Security Issues

 This section provides more detail on the vulnerabilities identified
 in Section 4.1., and how they may be mitigated.  Vulnerabilities
 include:
 Privacy issues
 Spoofing and hijacking
 Dictionary attacks
 Known plaintext attacks
 Replay attacks
 Negotiation attacks
 Impersonation
 Man in the middle attacks
 Separation of authenticator and authentication server
 Multiple databases

Aboba & Calhoun Informational [Page 22] RFC 3579 RADIUS & EAP September 2003

4.3.1. Privacy Issues

 Since RADIUS messages may contain the User-Name attribute as well as
 NAS-IP-Address or NAS-Identifier attributes, an attacker snooping on
 RADIUS traffic may be able to determine the geographic location of
 peers in real time.  In wireless networks, it is often assumed that
 RADIUS traffic is physically secure, since it typically travels over
 the wired network and that this limits the release of location
 information.
 However, it is possible for an authenticated attacker to spoof ARP
 packets [RFC826] so as to cause diversion of RADIUS traffic onto the
 wireless network.  In this way an attacker may obtain RADIUS packets
 from which it can glean peer location information, or which it can
 subject to a known plaintext or offline dictionary attack.  To
 address these vulnerabilities, implementations of this specification
 SHOULD use IPsec ESP with non-null transform and per-packet
 encryption, authentication, integrity and replay protection to
 protect both RADIUS authentication [RFC2865] and accounting [RFC2866]
 traffic, as described in Section 4.2.

4.3.2. Spoofing and Hijacking

 Access-Request packets with a User-Password attribute establish the
 identity of both the user and the NAS sending the Access-Request,
 because of the way the shared secret between the NAS and RADIUS
 server is used.  Access-Request packets with CHAP-Password or
 EAP-Message attributes do not have a User-Password attribute.  As a
 result, the Message-Authenticator attribute SHOULD be used in
 Access-Request packets that do not have a User-Password attribute, in
 order to establish the identity of the NAS sending the request.
 An attacker may attempt to inject packets into the conversation
 between the NAS and the RADIUS server, or between the RADIUS server
 and the security server.  RADIUS [RFC2865] does not support
 encryption other than attribute hiding.  As described in [RFC2865],
 only Access-Reply and Access-Challenge packets are integrity
 protected.  Moreover, the per-packet authentication and integrity
 protection mechanism described in [RFC2865] has known weaknesses
 [MD5Attack], making it a tempting target for attackers looking to
 subvert RADIUS/EAP.
 To provide stronger security, the Message-Authenticator attribute
 MUST be used in all RADIUS packets containing an EAP-Message
 attribute.  Implementations of this specification SHOULD use IPsec
 ESP with non-null transform and per-packet encryption,
 authentication, integrity and replay protection, as described in
 Section 4.2.

Aboba & Calhoun Informational [Page 23] RFC 3579 RADIUS & EAP September 2003

4.3.3. Dictionary Attacks

 The RADIUS shared secret is vulnerable to offline dictionary attack,
 based on capture of the Response Authenticator or
 Message-Authenticator attribute.  In order to decrease the level of
 vulnerability, [RFC2865] recommends:
    The secret (password shared between the client and the RADIUS
    server) SHOULD be at least as large and unguessable as a
    well-chosen password.  It is preferred that the secret be at least
    16 octets.
 The risk of an offline dictionary attack can be further reduced by
 employing IPsec ESP with non-null transform in order to encrypt the
 RADIUS conversation, as described in Section 4.2.

4.3.4. Known Plaintext Attacks

 Since EAP [RFC2284] does not support PAP, the RADIUS User-Password
 attribute is not used to carry hidden user passwords within
 RADIUS/EAP conversations.  The User-Password hiding mechanism,
 defined in [RFC2865] utilizes MD5, defined in [RFC1321], in order to
 generate a key stream based on the RADIUS shared secret and the
 Request  Authenticator.  Where PAP is in use, it is possible to
 collect key streams corresponding to a given Request Authenticator
 value, by capturing RADIUS conversations corresponding to a PAP
 authentication attempt, using a known password.  Since the
 User-Password is known, the key stream corresponding to a given
 Request Authenticator can be determined and stored.
 Since the key stream may have been determined previously from a known
 plaintext attack, if the Request Authenticator repeats, attributes
 encrypted using the RADIUS attribute hiding mechanism should be
 considered compromised.  In addition to the User-Password attribute,
 which is not used with EAP, this includes attributes such as
 Tunnel-Password [RFC2868, section 3.5] and MS-MPPE-Send-Key and
 MS-MPPE-Recv-Key attributes [RFC2548, section 2.4], which include a
 Salt field as part of the hiding algorithm.
 To avoid this, [RFC2865], Section 3 advises:
    Since it is expected that the same secret MAY be used to
    authenticate with servers in disparate geographic regions, the
    Request Authenticator field SHOULD exhibit global and temporal
    uniqueness.

Aboba & Calhoun Informational [Page 24] RFC 3579 RADIUS & EAP September 2003

 Where the Request Authenticator repeats, the Salt field defined in
 [RFC2548], Section 2.4 does not provide protection against
 compromise.  This is because MD5 [RFC1321], rather than HMAC-MD5
 [RFC2104], is used to generate the key stream, which is calculated
 from the 128-bit RADIUS shared secret (S), the  128-bit Request
 Authenticator (R), and the Salt field (A), using the formula b(1) =
 MD5(S + R + A).  Since the Salt field is placed at the end, if the
 Request Authenticator were to repeat on a network where PAP is in
 use, then the salted keystream could be calculated from the
 User-Password keystream by continuing the MD5 calculation based on
 the Salt field (A), which is sent in the clear.
 Even though EAP does not support PAP authentication, a security
 vulnerability can still exist where the same RADIUS shared secret is
 used for hiding User-Password as well as other attributes.  This can
 occur, for example, if the same RADIUS proxy handles authentication
 requests for both EAP and PAP.
 The threat can be mitigated by protecting RADIUS with IPsec ESP with
 non-null transform, as described in Section 4.2.  Where RADIUS shared
 secrets are configured, the RADIUS shared secret used by a NAS
 supporting EAP MUST NOT be reused by a NAS utilizing the
 User-Password attribute, since improper shared secret hygiene could
 lead to compromise of hidden attributes.

4.3.5. Replay Attacks

 The RADIUS protocol provides only limited support for replay
 protection.  RADIUS Access-Requests include liveness via the 128-bit
 Request Authenticator.  However, the Request Authenticator is not a
 replay counter.  Since RADIUS servers may not maintain a cache of
 previous Request Authenticators, the Request Authenticator does not
 provide replay protection.
 RADIUS accounting [RFC2866] does not support replay protection at the
 protocol level.  Due to the need to support failover between RADIUS
 accounting servers, protocol-based replay protection is not
 sufficient to prevent duplicate accounting records.  However, once
 accepted by the accounting server, duplicate accounting records can
 be detected by use of the the Acct-Session-Id [RFC2866, section 5.5]
 and Event-Timestamp [RFC2869, section 5.3] attributes.
 Unlike RADIUS authentication, RADIUS accounting does not use the
 Request Authenticator as a nonce.  Instead, the Request Authenticator
 contains an MD5 hash calculated over the Code, Identifier, Length,
 and request attributes of the Accounting Request packet, plus the
 shared secret.  The Response Authenticator also contains an MD5 hash
 calculated over the Code, Identifier and Length, the Request

Aboba & Calhoun Informational [Page 25] RFC 3579 RADIUS & EAP September 2003

 Authenticator field from the Accounting-Request packet being replied
 to, the response attributes and the shared secret.
 Since the Accounting Response Authenticator depends in part on the
 Accounting Request Authenticator, it is not possible to replay an
 Accounting-Response unless the Request Authenticator repeats.  While
 it is possible to utilize EAP methods such as EAP TLS [RFC2716] which
 include liveness checks on both sides, not all EAP messages will
 include liveness so that this provides incomplete protection.
 Strong replay protection for RADIUS authentication and accounting can
 be provided by enabling IPsec replay protection with RADIUS, as
 described in Section 4.2.

4.3.6. Negotiation Attacks

 In a negotiation attack a rogue NAS, tunnel server, RADIUS proxy or
 RADIUS server attempts to cause the authenticating peer to choose a
 less secure authentication method.  For example, a session that would
 normally be authenticated with EAP would instead be authenticated via
 CHAP or PAP; alternatively, a connection that would normally be
 authenticated via a more secure EAP method such as EAP-TLS [RFC2716]
 might be made to occur via a less secure EAP method, such as
 MD5-Challenge.  The threat posed by rogue devices, once thought to be
 remote, has gained currency given compromises of telephone company
 switching systems, such as those described in [Masters].
 Protection against negotiation attacks requires the elimination of
 downward negotiations.  The RADIUS exchange may be further protected
 by use of IPsec, as described in Section 4.2.  Alternatively, where
 IPsec is not used, the vulnerability can be mitigated via
 implementation of per-connection policy on the part of the
 authenticating peer, and per-peer policy on the part of the RADIUS
 server.  For the authenticating peer, authentication policy should be
 set on a per-connection basis.  Per-connection policy allows an
 authenticating peer to negotiate a strong EAP method when connecting
 to one service, while negotiating a weaker EAP method for another
 service.
 With per-connection policy, an authenticating peer will only attempt
 to negotiate EAP for a session in which EAP support is expected.  As
 a result, there is a presumption that an authenticating peer
 selecting EAP requires that level of security.  If it cannot be
 provided, it is likely that there is some kind of misconfiguration,
 or even that the authenticating peer is contacting the wrong server.
 Should the NAS not be able to negotiate EAP, or should the
 EAP-Request sent by the NAS be of a different EAP type than what is
 expected, the authenticating peer MUST disconnect.  An authenticating

Aboba & Calhoun Informational [Page 26] RFC 3579 RADIUS & EAP September 2003

 peer expecting EAP to be negotiated for a session MUST NOT negotiate
 a weaker method, such as CHAP or PAP.  In wireless networks, the
 service advertisement itself may be spoof-able, so that an attacker
 could fool the peer into negotiating an authentication method
 suitable for a less secure network.
 For a NAS, it may not be possible to determine whether a peer is
 required to authenticate with EAP until the peer's identity is known.
 For example, for shared-uses NASes it is possible for one reseller to
 implement EAP while another does not.  Alternatively, some peer might
 be authenticated locally by the NAS while other peers are
 authenticated via RADIUS.  In such cases, if any peers of the NAS
 MUST do EAP, then the NAS MUST attempt to negotiate EAP for every
 session.  This avoids forcing a peer to support more than one
 authentication type, which could weaken security.
 If CHAP is negotiated, the NAS will pass the User-Name and
 CHAP-Password attributes to the RADIUS server in an Access-Request
 packet.  If the peer is not required to use EAP, then the RADIUS
 server will respond with an Access-Accept or Access-Reject packet as
 appropriate.  However, if CHAP has been negotiated but EAP is
 required, the RADIUS server MUST respond with an Access-Reject,
 rather than an Access-Challenge/EAP-Message/EAP-Request packet.  The
 authenticating peer MUST refuse to renegotiate authentication, even
 if the renegotiation is from CHAP to EAP.
 If EAP is negotiated but is not supported by the RADIUS proxy or
 server, then the server or proxy MUST respond with an Access-Reject.
 In these cases, a PPP NAS MUST send an LCP-Terminate and disconnect
 the peer.  This is the correct behavior since the authenticating peer
 is expecting EAP to be negotiated, and that expectation cannot be
 fulfilled.  An EAP-capable authenticating peer MUST refuse to
 renegotiate the authentication protocol if EAP had initially been
 negotiated.  Note that problems with a non-EAP capable RADIUS proxy
 could prove difficult to diagnose, since a peer connecting from one
 location (with an EAP-capable proxy) might be able to successfully
 authenticate via EAP, while the same peer connecting at another
 location (and encountering an EAP-incapable proxy) might be
 consistently disconnected.

4.3.7. Impersonation

 [RFC2865] Section 3 states:
    A RADIUS server MUST use the source IP address of the RADIUS UDP
    packet to decide which shared secret to use, so that RADIUS
    requests can be proxied.

Aboba & Calhoun Informational [Page 27] RFC 3579 RADIUS & EAP September 2003

 When RADIUS requests are forwarded by a proxy, the NAS-IP-Address or
 NAS-IPv6-Address attributes may not match the source address.  Since
 the NAS-Identifier attribute need not contain an FQDN, this attribute
 also may not correspond to the source address, even indirectly, with
 or without a proxy present.
 As a result, the authenticity check performed by a RADIUS server or
 proxy does not verify the correctness of NAS identification
 attributes.  This makes it possible for a rogue NAS to forge
 NAS-IP-Address, NAS-IPv6-Address or NAS-Identifier attributes within
 a RADIUS Access-Request in order to impersonate another NAS.  It is
 also possible for a rogue NAS to forge session identification
 attributes such as Called-Station-Id, Calling-Station-Id, and
 Originating-Line-Info.
 This could fool the RADIUS server into subsequently sending
 Disconnect or CoA-Request messages [RFC3576] containing forged
 session identification attributes to a NAS targeted by an attacker.
 To address these vulnerabilities RADIUS proxies SHOULD check whether
 NAS identification attributes (NAS-IP-Address, NAS-IPv6-Address,
 NAS-Identifier) match the source address of packets originating from
 the NAS.  Where a match is not found, an Access-Reject SHOULD be
 sent, and an error SHOULD be logged.
 However, such a check may not always be possible.  Since the
 NAS-Identifier attribute need not correspond to an FQDN, it may not
 be resolvable to an IP address to be matched against the source
 address.  Also, where a NAT exists between the RADIUS client and
 proxy, checking the NAS-IP-Address or NAS-IPv6-Address attributes may
 not be feasible.
 To allow verification of NAS and session identification parameters,
 EAP methods can support the secure exchange of these parameters
 between the EAP peer and EAP server.  NAS identification attributes
 include NAS-IP-Address, NAS-IPv6-Address and Called-Station-Id;
 session identification attributes include User-Name and
 Calling-Station-Id.  The secure exchange of these parameters between
 the EAP peer and server enables the RADIUS server to check whether
 the attributes provided by the NAS match those provided by the peer;
 similarly, the peer can check the parameters provided by the NAS
 against those provided by the EAP server.  This enables detection of
 a rogue NAS.

Aboba & Calhoun Informational [Page 28] RFC 3579 RADIUS & EAP September 2003

4.3.8. Man in the Middle Attacks

 RADIUS only provides security on a hop-by-hop basis, even where IPsec
 is used.  As a result, an attacker gaining control of a RADIUS proxy
 could attempt to modify EAP packets in transit.  To protect against
 this, EAP methods SHOULD incorporate their own per-packet integrity
 protection and authentication mechanisms.

4.3.9. Separation of Authenticator and Authentication Server

 As noted in [RFC2716], it is possible for the EAP peer and
 authenticator to mutually authenticate, and derive a Master Session
 Key (MSK) for a ciphersuite used to protect subsequent data traffic.
 This does not present an issue on the peer, since the peer and EAP
 client reside on the same machine; all that is required is for the
 EAP client module to derive and pass a Transient Session Key (TSK) to
 the ciphersuite module.
 The situation is more complex when EAP is used with RADIUS, since the
 authenticator and authentication server may not reside on the same
 host.
 In the case where the authenticator and authentication server reside
 on different machines, there are several implications for security.
 First, mutual authentication will occur between the peer and the
 authentication server, not between the peer and the authenticator.
 This means that it is not possible for the peer to validate the
 identity of the NAS or tunnel server that it is speaking to, using
 EAP alone.
 As described in Section 4.2, when RADIUS/EAP is used to encapsulate
 EAP packets, IPsec SHOULD be used to provide per-packet
 authentication, integrity, replay protection and confidentiality.
 The Message-Authenticator attribute is also required in RADIUS
 Access-Requests containing an EAP-Message attribute sent from the NAS
 or tunnel server to the RADIUS server.  Since the
 Message-Authenticator attribute involves an HMAC-MD5 message
 integrity check, it is possible for the RADIUS server to verify the
 integrity of the Access-Request as well as the NAS or tunnel server's
 identity, even where IPsec is not used.  Similarly, Access-Challenge
 packets containing an EAP-Message attribute sent from the RADIUS
 server to the NAS are also authenticated and integrity protected
 using an HMAC-MD5 message integrity check, enabling the NAS or tunnel
 server to determine the integrity of the packet and verify the
 identity of the RADIUS server, even where IPsec is not used.
 Moreover, EAP packets sent using methods that contain their own
 integrity protection cannot be successfully modified by a rogue NAS
 or tunnel server.

Aboba & Calhoun Informational [Page 29] RFC 3579 RADIUS & EAP September 2003

 The second issue that arises where the authenticator and
 authentication server reside on separate hosts is that the EAP Master
 Session Key (MSK) negotiated between the peer and authentication
 server will need to be transmitted to the authenticator.  Therefore a
 mechanism needs to be provided to transmit the MSK from the
 authentication server to the NAS or tunnel server that needs it.  The
 specification of the key transport and wrapping mechanism is outside
 the scope of this document.  However, it is expected that the
 wrapping mechanism will provide confidentiality, integrity and replay
 protection, and data origin authentication.

4.3.10. Multiple Databases

 In many cases a security server will be deployed along with a RADIUS
 server in order to provide EAP services.  Unless the security server
 also functions as a RADIUS server, two separate user databases will
 exist, each containing information about the security requirements
 for the user.  This represents a weakness, since security may be
 compromised by a successful attack on either of the servers, or their
 databases.  With multiple user databases, adding a new user may
 require multiple operations, increasing the chances for error.  The
 problems are further magnified in the case where user information is
 also being kept in an LDAP server.  In this case, three stores of
 user information may exist.
 In order to address these threats, consolidation of databases is
 recommended.  This can be achieved by having both the RADIUS server
 and security server store information in the same database; by having
 the security server provide a full RADIUS implementation; or by
 consolidating both the  security server and the RADIUS server onto
 the same machine.

5. IANA Considerations

 This specification does not create any new registries, or define any
 new RADIUS attributes or values.

6. References

6.1. Normative References

 [RFC1321]      Rivest, R., "The MD5 Message-Digest Algorithm", RFC
                1321, April 1992.
 [RFC2104]      Krawczyk, H., Bellare, M. and R. Canetti, "HMAC:
                Keyed-Hashing for Message Authentication", RFC 2104,
                February 1997.

Aboba & Calhoun Informational [Page 30] RFC 3579 RADIUS & EAP September 2003

 [RFC2119]      Bradner, S., "Key words for use in RFCs to Indicate
                Requirement Levels", BCP 14, RFC 2119, March 1997.
 [RFC2279]      Yergeau, F., "UTF-8, a transformation format of ISO
                10646", RFC 2279, January 1998.
 [RFC2284]      Blunk, L. and J. Vollbrecht, "PPP Extensible
                Authentication Protocol (EAP)", RFC 2284, March 1998.
 [RFC2401]      Atkinson, R. and S. Kent, "Security Architecture for
                the Internet Protocol", RFC 2401, November 1998.
 [RFC2406]      Kent, S. and R. Atkinson, "IP Encapsulating Security
                Payload (ESP)", RFC 2406, November 1998.
 [RFC2409]      Harkins, D. and D. Carrel, "The Internet Key Exchange
                (IKE)", RFC 2409, November 1998.
 [RFC2486]      Aboba, B. and M. Beadles, "The Network Access
                Identifier", RFC 2486, January 1999.
 [RFC2865]      Rigney, C., Willens, S., Rubens, A. and W. Simpson,
                "Remote Authentication Dial In User Service (RADIUS)",
                RFC 2865, June 2000.
 [RFC2988]      Paxson, V. and M. Allman, "Computing TCP's
                Retransmission Timer", RFC 2988, November 2000.
 [RFC3162]      Aboba, B., Zorn, G. and D. Mitton, "RADIUS and IP6",
                RFC 3162, August 2001.
 [RFC3280]      Housley, R., Polk, W., Ford, W. and D. Solo, "Internet
                X.509 Public Key Infrastructure Certificate and
                Certificate Revocation List (CRL) Profile", RFC 3280,
                April 2002.
 [RFC3576]      Chiba, M., Dommety, G., Eklund, M., Mitton, D. and B.
                Aboba, "Dynamic Authorization Extensions to Remote
                Authentication Dial In User Service (RADIUS)", RFC
                3576, July 2003.

Aboba & Calhoun Informational [Page 31] RFC 3579 RADIUS & EAP September 2003

6.2. Informative References

 [RFC826]       Plummer, D., "An Ethernet Address Resolution
                Protocol", STD 37, RFC 826, November 1982.
 [RFC1510]      Kohl, J. and C. Neuman, "The Kerberos Network
                Authentication Service (V5)", RFC 1510, September
                1993.
 [RFC1661]      Simpson, W., "The Point-to-Point Protocol (PPP)", STD
                51, RFC 1661, July 1994.
 [RFC2548]      Zorn, G., "Microsoft Vendor-specific RADIUS
                Attributes", RFC 2548, March 1999.
 [RFC2607]      Aboba, B. and J. Vollbrecht, "Proxy Chaining and
                Policy Implementation in Roaming", RFC 2607, June
                1999.
 [RFC2716]      Aboba, B. and D. Simon,"PPP EAP TLS Authentication
                Protocol", RFC 2716, October 1999.
 [RFC2866]      Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
 [RFC2867]      Zorn, G., Aboba, B. and D. Mitton, "RADIUS Accounting
                Modifications for Tunnel Protocol Support", RFC 2867,
                June 2000.
 [RFC2868]      Zorn, G., Leifer, D., Rubens, A., Shriver, J.,
                Holdrege, M. and I. Goyret, "RADIUS Attributes for
                Tunnel Protocol Support", RFC 2868, June 2000.
 [RFC2869]      Rigney, C., Willats, W. and P. Calhoun, "RADIUS
                Extensions", RFC 2869, June 2000.
 [RFC2983]      Black, D. "Differentiated Services and Tunnels", RFC
                2983, October 2000.
 [RFC3580]      Congdon, P., Aboba, B., Smith, A., Zorn, G. and J.
                Roese, "IEEE 802.1X Remote Authentication Dial In User
                Service (RADIUS) Usage Guidelines", RFC 3580,
                September 2003.
 [IEEE802]      IEEE Standards for Local and Metropolitan Area
                Networks:  Overview and Architecture, ANSI/IEEE Std
                802, 1990.

Aboba & Calhoun Informational [Page 32] RFC 3579 RADIUS & EAP September 2003

 [IEEE8021X]    IEEE Standards for Local and Metropolitan Area
                Networks:  Port based Network Access Control, IEEE Std
                802.1X-2001, June 2001.
 [MD5Attack]    Dobbertin, H., "The Status of MD5 After a Recent
                Attack", CryptoBytes Vol.2 No.2, Summer 1996.
 [Masters]      Slatalla, M. and  J. Quittner, "Masters of Deception."
                HarperCollins, New York, 1995.
 [NASREQ]       Calhoun, P., et al., "Diameter Network Access Server
                Application", Work in Progress.

Aboba & Calhoun Informational [Page 33] RFC 3579 RADIUS & EAP September 2003

Appendix A - Examples

 The examples below illustrate conversations between an authenticating
 peer, NAS, and RADIUS server.  The OTP and EAP-TLS protocols are used
 only for illustrative purposes; other authentication protocols could
 also have been used, although they might show somewhat different
 behavior.
 Where the NAS sends an EAP-Request/Identity as the initial packet,
 the exchange appears as follows:

Authenticating peer NAS RADIUS server ——————- — ————-

                      <- EAP-Request/
                      Identity

EAP-Response/ Identity (MyID) →

                      RADIUS Access-Request/
                      EAP-Message/EAP-Response/
                      (MyID) ->
                                             <- RADIUS
                                             Access-Challenge/
                                             EAP-Message/EAP-Request
                                             OTP/OTP Challenge
                      <- EAP-Request/
                      OTP/OTP Challenge

EAP-Response/ OTP, OTPpw →

                      RADIUS Access-Request/
                      EAP-Message/EAP-Response/
                      OTP, OTPpw ->
                                              <- RADIUS
                                              Access-Accept/
                                              EAP-Message/EAP-Success
                                              (other attributes)
                      <- EAP-Success

Aboba & Calhoun Informational [Page 34] RFC 3579 RADIUS & EAP September 2003

 In the case where the NAS initiates with an EAP-Request for EAP TLS
 [RFC2716], and the identity is determined based on the contents of
 the client certificate, the exchange will appear as follows:

Authenticating peer NAS RADIUS server ——————- — ————-

                      <- EAP-Request/
                      EAP-Type=EAP-TLS
                      (TLS Start, S bit set)

EAP-Response/ EAP-Type=EAP-TLS (TLS client_hello)→

                      RADIUS Access-Request/
                      EAP-Message/EAP-Response/
                      EAP-Type=EAP-TLS->
                                            <-RADIUS Access-Challenge/
                                            EAP-Message/
                                            EAP-Request/
                                            EAP-Type=EAP-TLS
                       <- EAP-Request/
                       EAP-Type=EAP-TLS
                       (TLS server_hello,
                       TLS certificate,
                 [TLS server_key_exchange,]
                 [TLS certificate_request,]
                     TLS server_hello_done)

EAP-Response/ EAP-Type=EAP-TLS (TLS certificate, TLS client_key_exchange, [TLS certificate_verify,] TLS change_cipher_spec, TLS finished)→

                      RADIUS Access-Request/
                      EAP-Message/EAP-Response/
                      EAP-Type=EAP-TLS->
                                            <-RADIUS Access-Challenge/
                                            EAP-Message/
                                            EAP-Request/
                                            EAP-Type=EAP-TLS
                      <- EAP-Request/
                      EAP-Type=EAP-TLS
                      (TLS change_cipher_spec,
                      TLS finished)

Aboba & Calhoun Informational [Page 35] RFC 3579 RADIUS & EAP September 2003

EAP-Response/ EAP-Type=EAP-TLS →

                      RADIUS Access-Request/
                      EAP-Message/EAP-Response/
                      EAP-Type=EAP-TLS->
                                            <-RADIUS Access-Accept/
                                            EAP-Message/EAP-Success
                                            (other attributes)
                      <- EAP-Success
 In the case where the NAS first sends an EAP-Start packet to the
 RADIUS server,  the conversation would appear as follows:

Authenticating peer NAS RADIUS server ——————- — ————-

                      RADIUS Access-Request/
                      EAP-Message/Start ->
                                             <- RADIUS
                                             Access-Challenge/
                                             EAP-Message/EAP-Request/
                                             Identity
                      <- EAP-Request/
                      Identity

EAP-Response/ Identity (MyID) →

                      RADIUS Access-Request/
                      EAP-Message/EAP-Response/
                      Identity (MyID) ->
                                              <- RADIUS
                                              Access-Challenge/
                                              EAP-Message/EAP-Request/
                                              OTP/OTP Challenge
                      <- EAP-Request/
                      OTP/OTP Challenge

EAP-Response/ OTP, OTPpw →

                      RADIUS Access-Request/
                      EAP-Message/EAP-Response/
                      OTP, OTPpw ->
                                              <- RADIUS
                                              Access-Accept/
                                              EAP-Message/EAP-Success
                                              (other attributes)
                      <- EAP-Success

Aboba & Calhoun Informational [Page 36] RFC 3579 RADIUS & EAP September 2003

 In the case where the NAS initiates with an EAP-Request for EAP TLS
 [RFC2716], but the peer responds with a Nak, indicating that it would
 prefer another method not implemented locally on the NAS, the
 exchange will appear as follows:

Authenticating peer NAS RADIUS server ——————- — ————-

                      <- EAP-Request/
                      EAP-Type=EAP-TLS
                      (TLS Start, S bit set)

EAP-Response/ EAP-Type=Nak (Alternative(s))→

                      RADIUS Access-Request/
                      EAP-Message/EAP-Response/
                      Nak ->
                                             <- RADIUS
                                             Access-Challenge/
                                             EAP-Message/EAP-Request/
                                             Identity
                      <- EAP-Request/
                      Identity

EAP-Response/ Identity (MyID) →

                      RADIUS Access-Request/
                      EAP-Message/EAP-Response/
                      (MyID) ->
                                             <- RADIUS
                                             Access-Challenge/
                                             EAP-Message/EAP-Request
                                             OTP/OTP Challenge
                      <- EAP-Request/
                      OTP/OTP Challenge

EAP-Response/ OTP, OTPpw →

                      RADIUS Access-Request/
                      EAP-Message/EAP-Response/
                      OTP, OTPpw ->
                                              <- RADIUS
                                              Access-Accept/
                                              EAP-Message/EAP-Success
                                              (other attributes)
                      <- EAP-Success

Aboba & Calhoun Informational [Page 37] RFC 3579 RADIUS & EAP September 2003

 In the case where the authenticating peer attempts to authenticate
 the NAS, the conversation would appear as follows:

Authenticating peer NAS RADIUS Server ——————- — ————- EAP-Request/ Challenge, MD5 →

                      RADIUS Access-Request/
                      EAP-Message/EAP-Request/
                      Challenge, MD5 ->
                                              <- RADIUS
                                              Access-Reject/
                                              EAP-Message/
                                              EAP-Response/
                                              Nak (no alternative)
                      <- EAP-Response/Nak
                       (no alternative)

EAP-Failure →

Aboba & Calhoun Informational [Page 38] RFC 3579 RADIUS & EAP September 2003

 In the case where an invalid EAP Response is inserted by an attacker,
 the conversation would appear as follows:

Authenticating peer NAS RADIUS server ——————- — ————-

                      <- EAP-Request/
                      EAP-Type=Foo

EAP-Response/ EAP-Type=Foo →

                      RADIUS Access-Request/
                      EAP-Message/EAP-Response/
                      EAP-Type=Foo ->
                                             <- RADIUS
                                             Access-Challenge/
                                             EAP-Message/EAP-Request/
                                             EAP-Type=Foo
                      <- EAP-Request/
                      EAP-Type=Foo

Attacker spoof: EAP-Response/ EAP-Type=Bar →

Good guy: EAP-Response/ EAP-Type=Foo →

                      RADIUS Access-Request/
                      EAP-Message/EAP-Response/
                      EAP-Type=Bar ->
                                             <- RADIUS
                                             Access-Challenge/
                                             EAP-Message/EAP-Request/
                                             EAP-Type=Foo,
                                             Error-Cause="Invalid EAP
                                              Packet (Ignored)"
                      RADIUS Access-Request/
                      EAP-Message/EAP-Response/
                      EAP-Type=Foo ->
                                             <- Access-Accept/
                                             EAP-Message/Success
                      <- EAP Success

Aboba & Calhoun Informational [Page 39] RFC 3579 RADIUS & EAP September 2003

 In the case where the client fails EAP authentication, and an error
 message is sent prior to disconnection, the conversation would appear
 as follows:

Authenticating peer NAS RADIUS server ——————- — ————-

                      RADIUS Access-Request/
                      EAP-Message/Start ->
                                             <- RADIUS
                                             Access-Challenge/
                                             EAP-Message/EAP-Response/
                                             Identity
                      <- EAP-Request/
                      Identity

EAP-Response/ Identity (MyID) →

                      RADIUS Access-Request/
                      EAP-Message/EAP-Response/
                      (MyID) ->
                                              <- RADIUS
                                              Access-Challenge/
                                              EAP-Message/EAP-Request
                                              OTP/OTP Challenge
                      <- EAP-Request/
                      OTP/OTP Challenge

EAP-Response/ OTP, OTPpw →

                      RADIUS Access-Request/
                      EAP-Message/EAP-Response/
                      OTP, OTPpw ->
                                              <- RADIUS
                                              Access-Challenge/
                                              EAP-Message/EAP-Request/
                                              Notification
                      <- EAP-Request/
                         Notification

EAP-Response/ Notification →

                      RADIUS Access-Request/
                      EAP-Message/EAP-Response/
                      Notification ->
                                               <- RADIUS
                                               Access-Reject/
                                               EAP-Message/EAP-Failure
                      <- EAP-Failure
                      (client disconnected)

Aboba & Calhoun Informational [Page 40] RFC 3579 RADIUS & EAP September 2003

 In the case that the RADIUS server or proxy does not support EAP-
 Message, but no error message is sent, the conversation would appear
 as follows:

Authenticating peer NAS RADIUS server ——————- — ————-

                      RADIUS Access-Request/
                      EAP-Message/Start ->
                                                <- RADIUS
                                                Access-Reject
                      (User Disconnected)

In the case where the local RADIUS server does support EAP-Message, but the remote RADIUS server does not, the conversation would appear as follows:

Authenticating peer NAS RADIUS server ——————- — ————-

                      RADIUS Access-Request/
                      EAP-Message/Start ->
                                                <- RADIUS
                                                Access-Challenge/
                                                EAP-Message/
                                                EAP-Response/
                                                Identity
                      <- EAP-Request/
                      Identity

EAP-Response/ Identity (MyID) →

                      RADIUS Access-Request/
                      EAP-Message/EAP-Response/
                      (MyID) ->
                                                <- RADIUS
                                                Access-Reject
                                                (proxied from remote
                                                 RADIUS server)
                      (User Disconnected)

Aboba & Calhoun Informational [Page 41] RFC 3579 RADIUS & EAP September 2003

 In the case where PPP is the link and the authenticating peer does
 not support EAP, but where EAP is required for that user, the
 conversation would appear as follows:

Authenticating peer NAS RADIUS server ——————- — ————-

                      <- PPP LCP Request-EAP
                      auth

PPP LCP NAK-EAP auth →

                      <- PPP LCP Request-CHAP
                      auth

PPP LCP ACK-CHAP auth →

                      <- PPP CHAP Challenge

PPP CHAP Response →

                      RADIUS Access-Request/
                      User-Name,
                      CHAP-Password ->
                                                <- RADIUS
                                                Access-Reject
                      <-  PPP LCP Terminate
                      (User Disconnected)

In the case where PPP is the link, the NAS does not support EAP, but where EAP is required for that user, the conversation would appear as follows:

Authenticating peer NAS RADIUS server ——————- — ————-

                      <- PPP LCP Request-CHAP
                      auth

PP LCP ACK-CHAP auth →

                      <- PPP CHAP Challenge

PPP CHAP Response →

                      RADIUS Access-Request/
                      User-Name,
                      CHAP-Password ->
                                               <- RADIUS
                                               Access-Reject
                      <-  PPP LCP Terminate
                      (User Disconnected)

Aboba & Calhoun Informational [Page 42] RFC 3579 RADIUS & EAP September 2003

Appendix B - Change Log

 The following changes have been made from RFC 2869:
 A NAS may simultaneously support both local authentication and
 pass-through; once the NAS enters pass-through mode within a session,
 it cannot revert back to local authentication.  Also EAP is
 explicitly described as a 'lock step' protocol. (Section 2).
 The NAS may initiate with an EAP-Request for an authentication Type.
 If the Request is NAK'd, the NAS should send an initial
 Access-Request with an EAP-Message attribute containing an
 EAP-Response/Nak.
 The RADIUS server may treat an invalid EAP Response as a non-fatal
 error (Section 2.2)
 For use with RADIUS/EAP, the Password-Retry (Section 2.3) and
 Reply-Message (2.6.5) attributes are deprecated.
 Each EAP session has a unique Identifier space (Section 2.6.1).
 Role reversal is not supported (Section 2.6.2).
 Message combinations (e.g. Access-Accept/EAP-Failure) that conflict
 are discouraged (Section 2.6.3).
 Only a single EAP packet may be encapsulated within a RADIUS message
 (Section 3.1).
 An Access-Request lacking explicit authentication as well as a
 Message- Authenticator attribute SHOULD be silently discarded
 (Section 3.3).
 The Originating-Line-Info attribute is supported (Section 3.3).
 IPsec ESP with non-null transform SHOULD be used and the usage model
 is described in detail (Section 4.2).
 Additional discussion of security vulnerabilities (Section 4.1) and
 potential fixes (Section 4.3).
 Separated normative (Section 6.1) and informative (Section 6.2)
 references.

Aboba & Calhoun Informational [Page 43] RFC 3579 RADIUS & EAP September 2003

 Added additional examples (Appendix A): a NAS initiating with an
 EAP-Request for an authentication Type; attempted role reversal.

Intellectual Property Statement

 The IETF takes no position regarding the validity or scope of any
 intellectual property or other rights that might be claimed to
 pertain to the implementation or use of the technology described in
 this document or the extent to which any license under such rights
 might or might not be available; neither does it represent that it
 has made any effort to identify any such rights.  Information on the
 IETF's procedures with respect to rights in standards-track and
 standards-related documentation can be found in BCP-11.  Copies of
 claims of rights made available for publication and any assurances of
 licenses to be made available, or the result of an attempt made to
 obtain a general license or permission for the use of such
 proprietary rights by implementors or users of this specification can
 be obtained from the IETF Secretariat.
 The IETF invites any interested party to bring to its attention any
 copyrights, patents or patent applications, or other proprietary
 rights which may cover technology that may be required to practice
 this standard.  Please address the information to the IETF Executive
 Director.

Acknowledgments

 Thanks to Dave Dawson and Karl Fox of Ascend, Glen Zorn of Cisco
 Systems, Jari Arkko of Ericsson and Ashwin Palekar, Tim Moore and
 Narendra Gidwani of Microsoft for useful discussions of this problem
 space.  The authors would also like to acknowledge Tony Jeffree,
 Chair of IEEE 802.1 for his assistance in resolving RADIUS/EAP issues
 in IEEE 802.1X-2001.

Aboba & Calhoun Informational [Page 44] RFC 3579 RADIUS & EAP September 2003

Authors' Addresses

 Bernard Aboba
 Microsoft Corporation
 One Microsoft Way
 Redmond, WA 98052
 Phone:  +1 425 706 6605
 Fax:    +1 425 936 7329
 EMail:   bernarda@microsoft.com
 Pat R. Calhoun
 Airespace
 110 Nortech Parkway
 San Jose, California, 95134
 USA
 Phone:  +1 408 635 2023
 Fax:    +1 408 635 2020
 EMail:  pcalhoun@airespace.com

Aboba & Calhoun Informational [Page 45] RFC 3579 RADIUS & EAP September 2003

Full Copyright Statement

 Copyright (C) The Internet Society (2003).  All Rights Reserved.
 This document and translations of it may be copied and furnished to
 others, and derivative works that comment on or otherwise explain it
 or assist in its implementation may be prepared, copied, published
 and distributed, in whole or in part, without restriction of any
 kind, provided that the above copyright notice and this paragraph are
 included on all such copies and derivative works.  However, this
 document itself may not be modified in any way, such as by removing
 the copyright notice or references to the Internet Society or other
 Internet organizations, except as needed for the purpose of
 developing Internet standards in which case the procedures for
 copyrights defined in the Internet Standards process must be
 followed, or as required to translate it into languages other than
 English.
 The limited permissions granted above are perpetual and will not be
 revoked by the Internet Society or its successors or assignees.
 This document and the information contained herein is provided on an
 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

 Funding for the RFC Editor function is currently provided by the
 Internet Society.

Aboba & Calhoun Informational [Page 46]

/data/webs/external/dokuwiki/data/pages/rfc/rfc3579.txt · Last modified: 2003/09/02 20:35 by 127.0.0.1

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki