RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)
RFC 3579
| Field | Value |
|---|---|
| Type | RFC - Informational (September 2003; No errata); updated by RFC 5080; updates RFC 2869 |
| Last updated | 2015-10-14 |
| Stream | ISE |
| Formats | plain text, pdf, html, bibtex |
| ISE state | (None) |
| Consensus Boilerplate | Unknown |
| Document shepherd | No shepherd assigned |
| IESG state | RFC 3579 (Informational) |
| Telechat date | |
| Responsible AD | Randy Bush |
| Send notices to | (None) |

Network Working Group                                           B. Aboba
Request for Comments: 3579                                     Microsoft
Updates: 2869                                                 P. Calhoun
Category: Informational                                        Airespace
                                                          September 2003

RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)

Status of this Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2003). All Rights Reserved.

Abstract

This document defines Remote Authentication Dial In User Service (RADIUS) support for the Extensible Authentication Protocol (EAP), an authentication framework which supports multiple authentication mechanisms. In the proposed scheme, the Network Access Server (NAS) forwards EAP packets to and from the RADIUS server, encapsulated within EAP-Message attributes. This has the advantage of allowing the NAS to support any EAP authentication method, without the need for method-specific code, which resides on the RADIUS server. While EAP was originally developed for use with PPP, it is now also in use with IEEE 802.

This document updates RFC 2869.

Aboba & Calhoun Informational [Page 1]
RFC 3579 RADIUS & EAP September 2003

Table of Contents

1. Introduction
   1.1. Specification of Requirements
   1.2. Terminology
2. RADIUS Support for EAP
   2.1. Protocol Overview
   2.2. Invalid Packets
   2.3. Retransmission
   2.4. Fragmentation
   2.5. Alternative uses
   2.6. Usage Guidelines
3. Attributes
   3.1. EAP-Message
   3.2. Message-Authenticator
   3.3. Table of Attributes
4. Security Considerations
   4.1. Security Requirements
   4.2. Security Protocol
   4.3. Security Issues
5. IANA Considerations
6. References
   6.1. Normative References
   6.2. Informative References
Appendix A - Examples
Appendix B - Change Log
Intellectual Property Statement
Acknowledgements
Authors' Addresses
Full Copyright Statement

1. Introduction

The Remote Authentication Dial In User Service (RADIUS) is an authentication, authorization and accounting protocol used to control network access. RADIUS authentication and authorization is specified in [RFC2865], and RADIUS accounting is specified in [RFC2866]; RADIUS over IPv6 is specified in [RFC3162].

The Extensible Authentication Protocol (EAP), defined in [RFC2284], is an authentication framework which supports multiple authentication mechanisms. EAP may be used on dedicated links, switched circuits, and wired as well as wireless links. To date, EAP has been implemented with hosts and routers that connect via switched circuits or dial-up lines using PPP [RFC1661]. It has also been implemented with bridges supporting [IEEE802]. EAP encapsulation on IEEE 802 wired media is described in [IEEE8021X].

RADIUS attributes are comprised of variable length Type-Length-Value 3-tuples. New attribute values can be added without disturbing existing implementations of the protocol. This specification describes RADIUS attributes supporting the Extensible Authentication
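
The encapsulation described in the abstract and the Type-Length-Value layout described above, as an added example that is not part of RFC 3579 or any RADIUS implementation: a server-side check that walks the attributes of an Access-Request, reassembles the EAP packet from its EAP-Message attributes, and rejects the request unless a valid Message-Authenticator is present. The attribute type codes (79 and 80) and the HMAC-MD5 rule come from sections 3.1 and 3.2 of the RFC, which this excerpt lists but does not show; the function names, shared secret and sample packet are constructed for illustration.

```python
import hashlib, hmac, struct

EAP_MESSAGE = 79            # attribute type, RFC 3579 section 3.1
MESSAGE_AUTHENTICATOR = 80  # attribute type, RFC 3579 section 3.2

def parse_attributes(packet):
    """Yield (type, value_offset, value) for each TLV after the 20-octet header."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS Length field")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:   # Length covers Type and Length too
            raise ValueError("bad attribute Length")
        yield a_type, pos + 2, packet[pos + 2:pos + a_len]
        pos += a_len

def extract_eap(packet, secret):
    """Return the EAP packet carried by an Access-Request, or raise ValueError."""
    eap, ma_off, ma_val = b"", None, None
    for a_type, off, value in parse_attributes(packet):
        if a_type == EAP_MESSAGE:
            eap += value                        # fragments join in order of appearance
        elif a_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            ma_off, ma_val = off, value
    if not eap:
        raise ValueError("no EAP-Message attribute")
    if ma_off is None:
        raise ValueError("EAP-Message without Message-Authenticator")
    length = struct.unpack("!H", packet[2:4])[0]
    # HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed
    zeroed = packet[:ma_off] + bytes(16) + packet[ma_off + 16:length]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, ma_val):
        raise ValueError("Message-Authenticator mismatch")
    return eap

def build_sample(secret, eap):
    """Constructed Access-Request: `eap` split into 253-octet EAP-Message values."""
    chunks = [eap[i:i + 253] for i in range(0, len(eap), 253)]
    attrs = b"".join(bytes([EAP_MESSAGE, len(c) + 2]) + c for c in chunks)
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    header = bytes([1, 7]) + struct.pack("!H", 20 + len(attrs)) + bytes(range(16))
    pkt = header + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
```

A 300-octet EAP packet does not fit in one attribute value (at most 253 octets), so `build_sample` produces two EAP-Message attributes and `extract_eap` joins them before the EAP packet is handed to the method code on the server.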