RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)
RFC 3579
| Document | Type |
RFC - Informational
(September 2003; No errata)
Updated by RFC 5080
Updates RFC 2869
|
|
|---|---|---|---|
| Last updated | 2015-10-14 | ||
| Stream | ISE | ||
| Formats | plain text pdf html bibtex | ||
| Stream | ISE state | (None) | |
| Consensus Boilerplate | Unknown | ||
| Document shepherd | No shepherd assigned | ||
| IESG | IESG state | RFC 3579 (Informational) | |
| Telechat date | |||
| Responsible AD | Randy Bush | ||
| Send notices to | (None) | ||
Network Working Group B. Aboba
Request for Comments: 3579 Microsoft
Updates: 2869 P. Calhoun
Category: Informational Airespace
September 2003
RADIUS (Remote Authentication Dial In User Service)
Support For Extensible Authentication Protocol (EAP)
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2003). All Rights Reserved.
Abstract
This document defines Remote Authentication Dial In User Service
(RADIUS) support for the Extensible Authentication Protocol (EAP), an
authentication framework which supports multiple authentication
mechanisms. In the proposed scheme, the Network Access Server (NAS)
forwards EAP packets to and from the RADIUS server, encapsulated
within EAP-Message attributes. This has the advantage of allowing
the NAS to support any EAP authentication method, without the need
for method-specific code, which resides on the RADIUS server. While
EAP was originally developed for use with PPP, it is now also in use
with IEEE 802.
This document updates RFC 2869.
Aboba & Calhoun Informational [Page 1]
RFC 3579 RADIUS & EAP September 2003
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Specification of Requirements. . . . . . . . . . . . . . 3
1.2. Terminology. . . . . . . . . . . . . . . . . . . . . . . 3
2. RADIUS Support for EAP . . . . . . . . . . . . . . . . . . . . 4
2.1. Protocol Overview. . . . . . . . . . . . . . . . . . . . 5
2.2. Invalid Packets. . . . . . . . . . . . . . . . . . . . . 9
2.3. Retransmission . . . . . . . . . . . . . . . . . . . . . 10
2.4. Fragmentation. . . . . . . . . . . . . . . . . . . . . . 10
2.5. Alternative uses . . . . . . . . . . . . . . . . . . . . 11
2.6. Usage Guidelines . . . . . . . . . . . . . . . . . . . . 11
3. Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . 14
3.1. EAP-Message. . . . . . . . . . . . . . . . . . . . . . . 15
3.2. Message-Authenticator. . . . . . . . . . . . . . . . . . 16
3.3. Table of Attributes. . . . . . . . . . . . . . . . . . . 18
4. Security Considerations. . . . . . . . . . . . . . . . . . . . 19
4.1. Security Requirements. . . . . . . . . . . . . . . . . . 19
4.2. Security Protocol. . . . . . . . . . . . . . . . . . . . 20
4.3. Security Issues. . . . . . . . . . . . . . . . . . . . . 22
5. IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 30
6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 30
6.1. Normative References . . . . . . . . . . . . . . . . . . 30
6.2. Informative References . . . . . . . . . . . . . . . . . 32
Appendix A - Examples. . . . . . . . . . . . . . . . . . . . . . . 34
Appendix B - Change Log. . . . . . . . . . . . . . . . . . . . . . 43
Intellectual Property Statement. . . . . . . . . . . . . . . . . . 44
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . . 44
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 45
Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 46
1. Introduction
The Remote Authentication Dial In User Service (RADIUS) is an
authentication, authorization and accounting protocol used to control
network access. RADIUS authentication and authorization is specified
in [RFC2865], and RADIUS accounting is specified in [RFC2866]; RADIUS
over IPv6 is specified in [RFC3162].
The Extensible Authentication Protocol (EAP), defined in [RFC2284],
is an authentication framework which supports multiple authentication
mechanisms. EAP may be used on dedicated links, switched circuits,
and wired as well as wireless links.
To date, EAP has been implemented with hosts and routers that connect
via switched circuits or dial-up lines using PPP [RFC1661]. It has
also been implemented with bridges supporting [IEEE802]. EAP
encapsulation on IEEE 802 wired media is described in [IEEE8021X].
Aboba & Calhoun Informational [Page 2]
RFC 3579 RADIUS & EAP September 2003
RADIUS attributes are comprised of variable length Type-Length-Value
3-tuples. New attribute values can be added without disturbing
existing implementations of the protocol. This specification
describes RADIUS attributes supporting the Extensible Authentication
Show full document text