Title: 802.1X
1 802.1X EAP State Machines (found at http://www-personal.umich.edu/jrv/eap.htm)
- Jim Burns
- Paul Congdon
- Nick Petroni
- John Vollbrecht
2 New Significant 802.1aa/D5 Changes
- Specification of interface between EAP/802.1X
- No more EAP packet processing in 802.1X
- Addition of controlled port in Supplicant
- Initial Authenticator request comes from EAP
- Ability for EAP to silently discard frames
- Proposed inclusion of EAP machines in 802.1X Annex
- EAPOL-Key exchange sequenced before EAP-Success
- Propose to include generic 4-way handshake within 802.1X
3 Issues to Discuss
- How to best incorporate 802.11 into the 802.1X/EAP interface diagrams?
- What is the proper sequence for key exchange and sending the final EAP-Success?
- What is the interface to the generic 4-way handshake machine?
- Where to define the specification of EAPOL-Key message processing?
4 EAP / 802.1X Interface (excluding key exchange)
[Diagram: Supplicant/Peer and Authenticator stacks, each consisting of EAP Method, EAP Layer and 802.1X. Signals between the EAP Layer and 802.1X: eapReq, eapFail, eapSuccess, eapNoReq, eapResp, eapNoResp, eapRcvd, eapRestart. The 802.1X layer on both sides carries the port enabled/disabled indication.]
5 Key Interface with EAP (802.1X, 802.11)
[Diagram: EAP Method, EAP Layer and 802.1X on both sides. keyAvailable is signalled between the EAP Layer and 802.1X, portValid between 802.1X and the link below it, which is labelled "Link Secure (physical or crypto)".]
6 EAP / EAP Method Interface
[Diagram: EAP Method (holding Method-state) above the EAP Layer above 802.1X, on both sides. Signals shown between EAP Method and EAP Layer: Startmethod, rcvRsp/NAK, intCheck / !intCheck, rxMethodReq.]
7 Supplicant Front-End
[State diagram. Global transitions: (userLogoff && !logoffSent) && !(initialize || !portEnabled) -> LOGOFF; initialize || !portEnabled -> DISCONNECTED.]
- DISCONNECTED: startCount = 0; logoffSent = FALSE; portStatus = Unauthorized; suppAbort = TRUE
- LOGOFF: txLogoff; logoffSent = TRUE; portStatus = Unauthorized
- HELD: heldWhile = heldPeriod; portStatus = Unauthorized
- CONNECTING: startWhen = startPeriod; startCount = startCount + 1; eapRcvd = FALSE; txStart
- AUTHENTICATING: startCount = 0; eapSuccess = FALSE; eapFail = FALSE; suppTimeout = FALSE; suppStart = TRUE; eapRcvd = FALSE
- AUTHENTICATED: portStatus = Authorized
Transition conditions shown on the arcs: UCT; !userLogoff; heldWhile == 0; eapRcvd; eapSuccess && portValid; (startWhen == 0) && (startCount < maxStart); !portValid; eapFail; eapRcvd && portValid; (((startWhen == 0) && (startCount > maxStart)) || eapSuccess) && portValid; suppTimeout.
8 Supplicant Back-End
[State diagram. Global transition: (portControl != Auto) || initialize || suppAbort -> INITIALIZE.]
- INITIALIZE: previousId = 256; abortSupp; suppAbort = FALSE
- IDLE: suppStart = FALSE
- REQUEST: authWhile = 0; getSuppRsp
- RESPONSE: txSuppRsp(receivedId, previousId); previousId = receivedId; eapResp = FALSE
- RECEIVE: authWhile = authPeriod; eapRcvd = FALSE; eapNoResp = FALSE
- TIMEOUT: suppTimeout = TRUE
Transition conditions shown on the arcs: UCT; suppStart; eapResp; eapNoResp; authWhile == 0; eapRcvd; eapSuccess || eapFail.
9 EAP Peer
10 Authenticator Front-End
[State diagram. Global transition: ((portControl == Auto) && (portMode != portControl)) || initialize || !portEnabled -> INITIALIZE.]
- INITIALIZE: portMode = Auto; eapRestart = TRUE
- DISCONNECTED: portStatus = Unauthorized; eapolLogoff = FALSE
- HELD: portStatus = Unauthorized; quietWhile = quietPeriod; eapolLogoff = FALSE
- CONNECTING: eapolStart = FALSE; reAuthenticate = FALSE
- AUTHENTICATING: authSuccess = FALSE; authFail = FALSE; authTimeout = FALSE; authStart = TRUE
- AUTHENTICATED: portStatus = Authorized
- ABORTING: authAbort = TRUE; eapRestart = TRUE
Transition conditions shown on the arcs: UCT; eapolLogoff && !authAbort; !eapolLogoff && !authAbort; eapolLogoff || !portValid; quietWhile == 0; eapolLogoff; eapolStart || reAuthenticate; (eapReq || eapSuccess || eapFail) && (eapRestart == FALSE); authFail; authSuccess && portValid; reAuthenticate || eapolStart || eapolLogoff; authTimeout.
11 Authenticator Backend
12 EAP Authenticator
13 Authenticator Key Tx Machine
[State diagram. Global transition: initialize || (portControl != Auto) -> NO_KEY_TRANSMIT.]
- NO_KEY_TRANSMIT: (no actions)
- KEY_TRANSMIT: txKey; keyAvailable = FALSE
Transitions: NO_KEY_TRANSMIT -> KEY_TRANSMIT on keyTxEnable && keyAvailable && eapSuccess; KEY_TRANSMIT -> NO_KEY_TRANSMIT on !keyTxEnable || authFail || eapolLogoff; KEY_TRANSMIT -> KEY_TRANSMIT on keyAvailable.
14 Supplicant Key Tx Machine
[State diagram. Global transition: initialize -> NO_SUPP_KEY_TRANSMIT.]
- NO_SUPP_KEY_TRANSMIT: (no actions)
- SUPP_KEY_TRANSMIT: txSuppKey; suppKeyAvailable = FALSE
Transitions: NO_SUPP_KEY_TRANSMIT -> SUPP_KEY_TRANSMIT on keyTxEnable && suppKeyAvailable && eapSuccess; SUPP_KEY_TRANSMIT -> NO_SUPP_KEY_TRANSMIT on !keyTxEnable || eapFail || userLogoff; SUPP_KEY_TRANSMIT -> SUPP_KEY_TRANSMIT on suppKeyAvailable.
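An executable model of the two-state Key Tx machines on slides 13 and 14, added here as an example (it is not code from the slides or from the 802.1aa draft). State and variable names follow slide 13; the supplicant machine on slide 14 has the same shape with suppKeyAvailable, txSuppKey, eapFail and userLogoff substituted. The logical operators on the transition arcs (&&, ||, !=) are assumed, and keysSent is a constructed counter standing in for the txKey action.

```python
from dataclasses import dataclass

NO_KEY_TRANSMIT = "NO_KEY_TRANSMIT"
KEY_TRANSMIT = "KEY_TRANSMIT"


@dataclass
class KeyTxMachine:
    """Authenticator Key Tx Machine of slide 13 (variable names as on the slide)."""
    # Global conditions that force the machine back to its initial state.
    initialize: bool = False
    portControl: str = "Auto"
    # Inputs from the other 802.1X/EAP machines.
    keyTxEnable: bool = False
    keyAvailable: bool = False
    eapSuccess: bool = False
    authFail: bool = False
    eapolLogoff: bool = False
    # Current state and a constructed count of txKey actions.
    state: str = NO_KEY_TRANSMIT
    keysSent: int = 0

    def txKey(self) -> None:
        # Stand-in for the real EAPOL-Key transmit action.
        self.keysSent += 1

    def _enter_key_transmit(self) -> None:
        # Entry actions of KEY_TRANSMIT: txKey; keyAvailable = FALSE.
        self.state = KEY_TRANSMIT
        self.txKey()
        self.keyAvailable = False

    def step(self) -> str:
        """Evaluate the transitions once and return the resulting state."""
        # Assumed reading of the global arc: initialize || (portControl != Auto).
        if self.initialize or self.portControl != "Auto":
            self.state = NO_KEY_TRANSMIT
        elif self.state == NO_KEY_TRANSMIT:
            # Assumed conjunction: keyTxEnable && keyAvailable && eapSuccess,
            # so no key leaves the port until EAP has reported success.
            if self.keyTxEnable and self.keyAvailable and self.eapSuccess:
                self._enter_key_transmit()
        else:  # KEY_TRANSMIT
            # Assumed disjunction: !keyTxEnable || authFail || eapolLogoff.
            if not self.keyTxEnable or self.authFail or self.eapolLogoff:
                self.state = NO_KEY_TRANSMIT
            elif self.keyAvailable:
                # A fresh key re-enters KEY_TRANSMIT and is sent at once.
                self._enter_key_transmit()
        return self.state
```

Calling step() once per changed input is enough to trace the sequencing question from slide 3: with eapSuccess still FALSE the machine stays in NO_KEY_TRANSMIT however many keys are available.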