
EAP Scenarios and 802.1af



Presentation Transcript


  1. EAP Scenarios and 802.1af Joseph Salowey jsalowey@cisco.com 1/12/2006

  2. Basic EAP Model
     [Figure: EAP Peer, EAP Authenticator, EAP Server; arrows labelled "Authentication" and "Keys"]

  3. AAA Model
     [Figure: EAP Peer, EAP Authenticator, AAA Server / EAP Server; arrows labelled "Authentication" and "Keys (Authorization)"]

  4. AAA Model Notes
     • Peer authenticates AAA server
     • AAA server provides authenticator with key
     • Possession indicates to peer that authenticator is authorized
     • Peer does not know the identity of the authenticator; by default it can't differentiate between authenticators
     • Authenticator receives authorizations from AAA server

  5. 3rd Party Authentication Model
     [Figure: EAP Peer, EAP Authenticator, EAP Server, Authentication Services (Online or Offline); arrow labelled "Authentication"]

  6. 3rd Party Authentication Model Notes
     • Peer authenticates the authenticator
     • Peer knows the authenticator's identity
     • Peer must be able to authorize based on identity information
     • Authenticator does not get authorization based on authentication exchange
     • Authentication service may be offline, as in a PKI CA
     • Authentication service may be online, as in Kerberos

  7. Approaches to modifying the AAA model ("channel bindings")
     • Bind authenticator/service identity into the EAP exchange
       – EAP methods do not interpret the data, they only transport it
       – draft-arkko-eap-service-identity-auth-04
     • Specify the target authenticator/service
       – Mechanism-dependent implementation (Kerberos, channel binding, credential selection)
     • Bind authenticator/service identity to the key material
       – draft-ohba-aaa-key-binding-01

  8. 3rd Party authentication case
     [Figure: SW1 and SW2 with Mutual Authentication between them, both relying on Authentication Services (offline)]

  9. Unilateral AAA case
     [Figure: SW1 and SW2 with Mutual Authentication between them, one AAA server]

  10. Bilateral AAA case
     [Figure: SW1 and SW2 with Mutual Authentication x 2, each switch with its own AAA server and authorization (AZ)]

  11. EAP and keys
     • EAP methods can derive key material
     • MSK is made available to the authenticator
     • EMSK is reserved (for derivation of other keys, TBD)
     • MSK may be used to derive session keys for data encryption (802.11i)
     • MSK may be used to derive a KEK that encrypts the key descriptor used to distribute keys (group keys)
     • Either or both approaches may be useful for CAK establishment
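The following is an added worked example, not code from the slides or from any of the drafts they cite. It shows the two uses of the MSK listed on slide 11 and the "bind identity to key material" idea from slide 7 in one runnable piece: the PMK is the first 256 bits of the EAP MSK and the PTK (KCK, KEK, TK) comes from the 802.11i pairwise key expansion PRF, both as 802.11i specifies; the `bound_msk` step that mixes the authenticator's identity into the key before the PMK is taken is a hypothetical construction written for this example and is not the KDF of draft-ohba-aaa-key-binding. Because the peer derives its copy from the identity the authenticator advertised while the AAA server derives the authenticator's copy from the identity it has on record, an authenticator that claims a false identity fails key confirmation, which addresses the slide 4 point that by default the peer cannot tell authenticators apart. MAC addresses, nonces, identities and the MSK seed are constructed sample values.

```python
import hashlib
import hmac


def prf_80211i(key: bytes, label: bytes, data: bytes, out_len: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... and truncate to out_len bytes."""
    out = b""
    counter = 0
    while len(out) < out_len:
        block_input = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block_input, hashlib.sha1).digest()
        counter += 1
    return out[:out_len]


def pmk_from_msk(msk: bytes) -> bytes:
    """802.11i takes the PMK as the first 256 bits of the EAP MSK."""
    if len(msk) < 32:
        raise ValueError("EAP MSK must be at least 32 bytes")
    return msk[:32]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """802.11i pairwise key expansion for CCMP: a 384-bit PTK split into KCK, KEK, TK.
    The min/max ordering makes the result the same whichever side computes it."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf_80211i(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def key_confirmation(kck: bytes, message: bytes) -> bytes:
    """EAPOL-Key style MIC (HMAC-SHA1-128) over a handshake message. A valid MIC is the
    peer's evidence that the authenticator holds the key the AAA server handed out."""
    return hmac.new(kck, message, hashlib.sha1).digest()[:16]


def bound_msk(msk: bytes, authenticator_id: bytes) -> bytes:
    """HYPOTHETICAL key-binding step for this example (not draft-ohba-aaa-key-binding):
    mix the authenticator identity a party believes in into the MSK before use."""
    return hmac.new(msk, b"bound-msk\x00" + authenticator_id, hashlib.sha256).digest()


def peer_detects_false_identity(msk: bytes, advertised_id: bytes, id_known_to_aaa: bytes,
                                aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bool:
    """Simulate one handshake: the AAA server gives the authenticator a key bound to the
    identity it has on record; the peer binds the identity it was shown. Returns True when
    the two MICs disagree, i.e. the peer would reject the authenticator."""
    peer_ptk = derive_ptk(pmk_from_msk(bound_msk(msk, advertised_id)), aa, spa, anonce, snonce)
    auth_ptk = derive_ptk(pmk_from_msk(bound_msk(msk, id_known_to_aaa)), aa, spa, anonce, snonce)
    message = b"EAPOL-Key message 3 (constructed sample)"
    expected = key_confirmation(peer_ptk["KCK"], message)
    received = key_confirmation(auth_ptk["KCK"], message)
    return not hmac.compare_digest(expected, received)


def demo() -> dict:
    """Constructed sample inputs: an honest switch and a rogue one claiming sw1's identity."""
    msk = hashlib.sha512(b"constructed sample MSK seed").digest()  # 64-byte MSK, constructed
    aa = bytes.fromhex("001122334455")   # authenticator MAC, constructed
    spa = bytes.fromhex("66778899aabb")  # peer MAC, constructed
    anonce = bytes(range(32))            # constructed nonces
    snonce = bytes(range(32, 64))
    honest = peer_detects_false_identity(msk, b"sw1.example", b"sw1.example", aa, spa, anonce, snonce)
    rogue = peer_detects_false_identity(msk, b"sw1.example", b"rogue.example", aa, spa, anonce, snonce)
    return {"honest_rejected": honest, "rogue_rejected": rogue}


if __name__ == "__main__":
    print(demo())
```

The KEK slot of the PTK is the key the slide's second bullet refers to: it would wrap the group key carried in the key descriptor, while the KCK protects the descriptor's integrity. The binding step only helps if the AAA server learns the authenticator's identity over an authenticated path (the RADIUS shared secret or TLS) and the identity the peer binds is the one it will later authorize against; otherwise both sides bind the same wrong value and the check passes.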
