Extensible Authentication Protocol (EAP)
RFC 3748
Document Type RFC - Proposed Standard (June 2004; Errata)
Updated by RFC 5247, RFC 7057
Obsoletes RFC 2284
Last updated 2017-10-05
Stream IETF
Formats plain text html pdf htmlized with errata bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 3748 (Proposed Standard)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Margaret Cullen
Send notices to (None)
Email authors Email WG IPR References Referenced by Nits 
Network Working Group                                           B. Aboba
Request for Comments: 3748                                     Microsoft
Obsoletes: 2284                                                 L. Blunk
Category: Standards Track                             Merit Network, Inc
                                                           J. Vollbrecht
                                               Vollbrecht Consulting LLC
                                                              J. Carlson
                                                                     Sun
                                                       H. Levkowetz, Ed.
                                                             ipUnplugged
                                                               June 2004

                Extensible Authentication Protocol (EAP)

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2004).

Abstract

   This document defines the Extensible Authentication Protocol (EAP),
   an authentication framework which supports multiple authentication
   methods.  EAP typically runs directly over data link layers such as
   Point-to-Point Protocol (PPP) or IEEE 802, without requiring IP.  EAP
   provides its own support for duplicate elimination and
   retransmission, but is reliant on lower layer ordering guarantees.
   Fragmentation is not supported within EAP itself; however, individual
   EAP methods may support this.

   This document obsoletes RFC 2284.  A summary of the changes between
   this document and RFC 2284 is available in Appendix A.

Aboba, et al.               Standards Track                     [Page 1]
RFC 3748                          EAP                          June 2004

Table of Contents

   1.   Introduction. . . . . . . . . . . . . . . . . . . . . . . . .  3
        1.1.  Specification of Requirements . . . . . . . . . . . . .  4
        1.2.  Terminology . . . . . . . . . . . . . . . . . . . . . .  4
        1.3.  Applicability . . . . . . . . . . . . . . . . . . . . .  6
   2.   Extensible Authentication Protocol (EAP). . . . . . . . . . .  7
        2.1.  Support for Sequences . . . . . . . . . . . . . . . . .  9
        2.2.  EAP Multiplexing Model. . . . . . . . . . . . . . . . . 10
        2.3.  Pass-Through Behavior . . . . . . . . . . . . . . . . . 12
        2.4.  Peer-to-Peer Operation. . . . . . . . . . . . . . . . . 14
   3.   Lower Layer Behavior. . . . . . . . . . . . . . . . . . . . . 15
        3.1.  Lower Layer Requirements. . . . . . . . . . . . . . . . 15
        3.2.  EAP Usage Within PPP. . . . . . . . . . . . . . . . . . 18
              3.2.1. PPP Configuration Option Format. . . . . . . . . 18
        3.3.  EAP Usage Within IEEE 802 . . . . . . . . . . . . . . . 19
        3.4.  Lower Layer Indications . . . . . . . . . . . . . . . . 19
   4.   EAP Packet Format . . . . . . . . . . . . . . . . . . . . . . 20
        4.1.  Request and Response. . . . . . . . . . . . . . . . . . 21
        4.2.  Success and Failure . . . . . . . . . . . . . . . . . . 23
        4.3.  Retransmission Behavior . . . . . . . . . . . . . . . . 26
   5.   Initial EAP Request/Response Types. . . . . . . . . . . . . . 27
        5.1.  Identity. . . . . . . . . . . . . . . . . . . . . . . . 28
        5.2.  Notification. . . . . . . . . . . . . . . . . . . . . . 29
        5.3.  Nak . . . . . . . . . . . . . . . . . . . . . . . . . . 31
              5.3.1. Legacy Nak . . . . . . . . . . . . . . . . . . . 31
              5.3.2. Expanded Nak . . . . . . . . . . . . . . . . . . 32
        5.4.  MD5-Challenge . . . . . . . . . . . . . . . . . . . . . 35
        5.5.  One-Time Password (OTP) . . . . . . . . . . . . . . . . 36
        5.6.  Generic Token Card (GTC). . . . . . . . . . . . . . . . 37
        5.7.  Expanded Types. . . . . . . . . . . . . . . . . . . . . 38
        5.8.  Experimental. . . . . . . . . . . . . . . . . . . . . . 40
   6.   IANA Considerations . . . . . . . . . . . . . . . . . . . . . 40
        6.1.  Packet Codes. . . . . . . . . . . . . . . . . . . . . . 41
        6.2.  Method Types. . . . . . . . . . . . . . . . . . . . . . 41
   7.   Security Considerations . . . . . . . . . . . . . . . . . . . 42
        7.1.  Threat Model. . . . . . . . . . . . . . . . . . . . . . 42
        7.2.  Security Claims . . . . . . . . . . . . . . . . . . . . 43
              7.2.1. Security Claims Terminology for EAP Methods. . . 44
        7.3.  Identity Protection . . . . . . . . . . . . . . . . . . 46
        7.4.  Man-in-the-Middle Attacks . . . . . . . . . . . . . . . 47
        7.5.  Packet Modification Attacks . . . . . . . . . . . . . . 48
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools