
Issues with the 802.1X State Machine


Presentation Transcript


  1. Issues with the 802.1X State Machine
     IEEE 802.1X Revision PAR
     Bernard Aboba, Microsoft (excerpted from IEEE 802.11-01/252)

  2. Goals
     • To describe issues with the IEEE 802.1X state machine and 802.11 roaming
     • To recommend a solution

  3. Roaming Requirements
     • Enterprise
       • User is identified by user-name (NAI), not IP or MAC address
       • Security is not compromised
       • Roaming needs to be available for all potential 802.1X authentication methods
       • Desirable for user to be able to keep the same IP address when roaming, if possible
       • MUST be able to roam without reauthentication if desired
       • MUST be able to roam without dropping traffic in case of reauthentication
     • “Hot Spot”
       • User is identified by user-name (NAI), not IP or MAC address
       • Security is not compromised
       • Roaming should be fast
       • Going back to the home authentication server may cause substantial delays (~ seconds)

  4. Context Transfer & IEEE 802.1X State Machine
     • Goal
       • User context can move to new AP without reauthentication, if desired
       • May wish to enable delayed reauthentication on roam
     • Process
       • Client reassociates to new AP
       • New AP validates reassociate, attempts context transfer from old AP
       • Context transfer succeeds: AP sends EAP-Success to client
       • Context transfer fails: re-associate treated as an associate
     • Requirements
       • Successful reassociate has same result as if new AP authenticated successfully to backend authentication server
       • Unsuccessful reassociate has same result as an associate
       • Authentication for reassociate, disassociate, beacon messages
     • Issues
       • No 802.1X event or state corresponds to associate or successful re-associate!

  5. Additions to Backend Authentication State Machine (Figure 8-12)
     • Goal
       • Successful re-associate has same result as if new AP authenticated to backend authentication server
     • Successful reassociate equivalent to:
       • Setting aSuccess=TRUE; aWhile=serverTimeout; reqCount=0; currentId=0; rxResp=aFail=FALSE; authTimeout=FALSE; aReq=FALSE
       • Transition to SUCCESS state
       • Causes canned Success message to be sent
     • Unsuccessful reassociate equivalent to associate:
       • Set authAbort=TRUE
       • Transition to INITIALIZE state
       • Authentication starts again

  6. Additions to Authenticator PAE State Machine (Figure 8-8)
     • Goal
       • Successful re-associate has same result as if new AP authenticated to backend authentication server
     • Unsuccessful reassociate equivalent to:
       • Set portEnabled=TRUE; currentId=1; portMode=Auto; portStatus=Unauthorized; eapLogoff=FALSE; reAuthCount=0;
       • Transition to CONNECTING state
     • Successful reassociate with no-reauth == TRUE equivalent to:
       • Set portMode=Auto; eapLogoff=FALSE; reAuthCount=1; currentId=1; portStatus=Unauthorized; eapStart=FALSE; reAuthenticate=FALSE; authSuccess=TRUE; authFail=FALSE; authTimeout=FALSE; portEnabled=TRUE;
       • Transition to AUTHENTICATED
     • Successful reassociate with no-reauth == FALSE equivalent to:
       • Set portMode=Auto; currentId=2; eapLogoff=FALSE; reAuthCount=0; portStatus=Authorized; portEnabled=TRUE; reAuthenticate=TRUE;
       • Transition to CONNECTING
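As an added example (not part of the slides), the variable assignments proposed in slides 5 and 6 modelled as Python functions, so the three reassociate outcomes can be compared side by side; the function names are this example's own and the value of serverTimeout is an assumption.

```python
"""Model of the state-variable settings proposed in slides 5 and 6 for a
station reassociating to a new AP. Added illustration only, not text from
the draft; the function names are this example's own and the value of
serverTimeout is an assumption."""

SERVER_TIMEOUT = 30  # assumed serverTimeout value, in seconds


def backend_on_reassociate(context_ok: bool) -> dict:
    """Backend Authentication machine (Figure 8-12) after the new AP's
    context-transfer attempt: the slide-5 variable settings and target state."""
    if not context_ok:
        # Context transfer failed: treat as a fresh associate and restart EAP.
        return {"authAbort": True, "state": "INITIALIZE"}
    # Context transfer succeeded: act as if the server returned Success,
    # which makes the machine emit the canned EAP-Success to the client.
    return {"aSuccess": True, "aWhile": SERVER_TIMEOUT, "reqCount": 0,
            "currentId": 0, "rxResp": False, "aFail": False,
            "authTimeout": False, "aReq": False, "state": "SUCCESS"}


def pae_on_reassociate(context_ok: bool, no_reauth: bool) -> dict:
    """Authenticator PAE machine (Figure 8-8): the slide-6 settings."""
    common = {"portMode": "Auto", "eapLogoff": False, "portEnabled": True}
    if not context_ok:
        # Same as an associate: port stays unauthorized, EAP starts over.
        return {**common, "currentId": 1, "portStatus": "Unauthorized",
                "reAuthCount": 0, "state": "CONNECTING"}
    if no_reauth:
        # Context carried over and no reauthentication wanted: go straight
        # to AUTHENTICATED, with authSuccess set as if EAP had just finished.
        return {**common, "reAuthCount": 1, "currentId": 1,
                "portStatus": "Unauthorized", "eapStart": False,
                "reAuthenticate": False, "authSuccess": True,
                "authFail": False, "authTimeout": False,
                "state": "AUTHENTICATED"}
    # Delayed reauthentication: open the port now so traffic is not dropped,
    # and set reAuthenticate so CONNECTING starts a new EAP exchange.
    return {**common, "currentId": 2, "reAuthCount": 0,
            "portStatus": "Authorized", "reAuthenticate": True,
            "state": "CONNECTING"}


def full_eap_before_traffic(context_ok: bool, no_reauth: bool) -> bool:
    """True when the station must complete a full EAP exchange before any
    traffic flows (port Unauthorized in CONNECTING), i.e. the associate path."""
    pae = pae_on_reassociate(context_ok, no_reauth)
    return pae["portStatus"] == "Unauthorized" and pae["state"] == "CONNECTING"
```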

  7. Additions to Supplicant PAE State Machine (Figure 8-14)
     • Goal
       • Successful reassociate has same result as if supplicant successfully authenticated to authenticator
     • Sequence of events for successful reassociate
       • Supplicant in AUTHENTICATED state
       • Reassociate request sent by Supplicant
       • Success sent by Authenticator
       • Supplicant remains in AUTHENTICATED state
     • Sequence of events for unsuccessful reassociate
       • Supplicant in AUTHENTICATED state
       • Reassociate request sent by Supplicant
       • EAP-Request/Identity sent by Authenticator
       • On EAP-Request/Identity, supplicant transitions to ACQUIRED state
