110 likes | 125 Views
Learn about the challenges faced during the implementation and deployment of a new wireless EAP method and discover suggested testing requirements for open and interoperable EAP products.
E N D
Implementation Experience with a New Wireless EAP Method David Mitton RSA Security, Inc. IETF 66, Montreal
New EAP Method 32, SecurID Token Authentication • Uses Protected-OTP EAP Frameworkdraft-nystrom-eap-potp-04.txt • EAP Method 32 - profile of POTP for RSA SecurID • Applications: • Dial PPP • VPN (PPTP) • Wired 802.1x • 802.11i Wireless 802.1x IETF 66, Montreal
Problems with Wireless Deployment • Development and testing on single vendor access point worked flawlessly • When deployed to the field, began getting problem reports • Three different vendors; three different types of problems IETF 66, Montreal
Typical Components Diagram IETF 66, Montreal
Typical Message Flow IETF 66, Montreal
Case 1: Response Not Accepted • EAP 32 Request message is forwarded from AP to STA, but AP returns EAP Failure upon receiving response. • AP decides to block EAP based on method value. IETF 66, Montreal
Case 2: Fumbled Forwarding • EAP32 Request passes from RADIUS to EAPOL but not the Response • Method dependencies in the code that packs and unpacks EAP messages from RADIUS messages • Causes the AP to retransmit Request every 30 seconds. STA responds each time, but Response is lost • Session-Timeout value (120) ignored by AP IETF 66, Montreal
Case 3: Session Interference • Re-sync condition causes a long authentication, AP decides to send new Identity Request to STA in midst of exchange. (2.5 seconds after previous exchange) • AP has bad policy on length of authentication process. Not tied to message exchange. • Did not honor Session-Timeout attribute in Access-Challenge. IETF 66, Montreal
Bad Assumptions • Method type #s should all be passed, or be management configurable • Avoid method dependent processing for EAP forwarding – why? • Session timeout should: • use Session-Timeout attribute, • sensitive to message ID change, and message to message timing, not overall elapsed time IETF 66, Montreal
Suggested Testing Requirements • Allow all method values • Retransmission of individual messages should be manageable (Session-Timeout) • Timeout of authentication session should be tied to session inactivity not arbitrary or inaccessible numbers • Anything that returns keys should work (e.g. meets RFC 3748) IETF 66, Montreal
How do we get Open and Interoperable EAP products? • Products that only support a short list of protocols are preventing new security! • Who is responsible? • Vendors? • Wi-Fi Alliance? • IEEE 802.11? • What can we do here? IETF 66, Montreal