130 likes | 384 Views
EAP-FAST RFC 4851. Eugene Chang (genchang@cisco.com) EMU WG, IETF 70. EAP-FAST Adoption Success. Stable implementation since 2003 Gartner Dataquest, May 2006* EAP-FAST ~20%, LEAP ~17%, EAP-TTLS <15% Already shipping in 41 product lines* Client Implementations
E N D
EAP-FASTRFC 4851 Eugene Chang (genchang@cisco.com) EMU WG, IETF 70
EAP-FAST Adoption Success • Stable implementation since 2003 • Gartner Dataquest, May 2006* • EAP-FAST ~20%, LEAP ~17%, EAP-TTLS <15% • Already shipping in 41 product lines* • Client Implementations • Acer, Apple, Arcadyan Technology, Ascom, Atheros Communications, Azimuth Systems, Broadcom, Cisco Systems, Cisco-Linksys, Conexant Systems, Datalogic Mobile, Dell, Devicescape Software, Fujitsu Access, Fujitsu, Fujitsu Media Devices, Fujitsu Software Technologies, Fujitsu-Siemens Computers, Gateway, Hewlett-Packard, Integrated System Solution Corp., Intel, Intermec Technologies, Juniper Networks, Lenovo, LXE, Marvell, NEC, Philips, Psion Teklogix, Quanta Computer, Research In Motion, Sony, Summit Data Communications, Texas Instruments, Toshiba, VeriWave • Server Implementations • Avenda Systems, Cisco, Juniper, PeriodikLabs * The Secret Life of EAP-FAST: Adoption under the Radar (Cisco) EAP-FAST for IETF EMU WG
EAP-FAST for Authentication • TLS-based tunneled EAP method • Supports use cases for LEAP, PEAP, and EAP-TTLS • Supports end-point integrity (NAC) • Flexibility to support a wide range of password systems • MS-CHAP, LDAP, OTP • User Identity Protection • Mutual Authentication • Immunity to active and passive dictionary attacks • Immunity to man-in-the-middle attacks • Cryptographic binding and compound key generation for inner key methods • Protected conversation for intermediate and termination results indication EAP-FAST for IETF EMU WG
EAP-FAST Beyond Authentication • Cryptographic binding and compound key generation for inner key methods • Protected conversation for intermediate and termination results indication • Extensive TLV framework for defining new data exchanges • Flexibility to support multiple inner EAP protocols • Inner EAP protocol sequencing EAP-FAST for IETF EMU WG
EAP-FAST Other Features • Protected Access Credential (PAC) • RFC 4507 Transport Layer Security (TLS) Session Resumption without Server Side State • Flexibility to balance security and ease of deployment • Support use of server root certificates • Option of other server credentials, e.g. PAC • Key to migrating users from LEAP • Reduced cryptographic workload for small wireless devices • Better scaling by reducing AAA server workload EAP-FAST for IETF EMU WG
Main Options for EAP-FAST Authentication EAP-FAST for IETF EMU WG
EAP-FAST Authentication Details RADIUS Server Supplicant EAP-Request/Identity EAP-Response/Identity (MyID1) EAP-Request/EAP-FAST (S=1, A-ID) EAP-Response/EAP-FAST (TLS client_hello w/PAC-Opaque in SessionTicket ext) EAP-Request/EAP-FAST (TLS server_hello, TLS change_cipher_spec, TLS Finished) EAP-Response/EAP-FAST (TLS change_cipher_spec, TLS finished) TLS Tunnel Established (subsequent messages sent inside tunnel) Details in Slide 6 Tunnel Teardown EAP Success EAP-FAST for IETF EMU WG
EAP-FAST Password Authentication Details RADIUS Server Supplicant TLS Tunnel Established (subsequent messages sent inside tunnel) EAP Payload TLV (EAP-Request/EAP-GTC (Challenge) EAP Payload TLV (EAP-Response/EAP-GTC(response with userID & password)) Optional additional exchanges (new pin mode, password change, etc.) Intermediate-Result TLV (Success) Crypto-Binding TLV (Request) Intermediate-Result TLV (Success) Crypto-Binding TLV (Response) Result TLV (Success) [Optional PAC TLV] Result TLV (Success) [PAC TLV Acknowledgement] Tunnel Teardown EAP-FAST for IETF EMU WG
Documentation Status • RFC 4851 The Flexible Authentication via Secure Tunneling Extensible Authentication Protocol Method (EAP-FAST) • EAP-FAST Framework • draft-cam-winget-eap-fast-provisioning-05.txt • draft-zhou-emu-fast-gtc-00.txt • Passwords, OTC, password/PIN maintenance • RFC 4507 Transport Layer Security (TLS) Session Resumption without Server Side State • PAC Opaque EAP-FAST for IETF EMU WG
Evaluation Against Current Requirements EAP-FAST for IETF EMU WG
Summary • EAP-FAST • Well-established EAP method • Stable design since 2003 • Widely implemented, shipping in 41 product lines • Well recognized and adopted by enterprise deployments • Seems to meet existing requirements • Support for many other features • Many authentication methods • Endpoint integrity checks (for NEA) • Simplify migration to 802.1X and EAP methods • Reduce computation load on small format devices • Improve scaling of AAA servers • Why have users start over with yet another EAP method? EAP-FAST for IETF EMU WG