Last Update: Jul 15, 2008

Color legend (document status): RFC Editor Queue / Processed by IESG / ID Exists / Recently Expired

Each I-D name is a link to an I-D description, which points to a text version, a two-page and fit-in-window PDF version, as well as the IETF Tools' HTML version.
Excerpts from an IESG message on June 2, 2008:

    The Extensible Authentication Protocol working group (EAP) in the Internet
    Area has concluded.
    ...
    The EAP WG has been closed after it has successfully completed its
    chartered work items. The mailing list will be closed soon, but its
    archives will continue to exist. Given that the EMU WG has an active
    discussion list, any EAP layer related matters can be taken up there. If
    there are major future discussions or extensions, new lists or working
    groups can be created to address those.
RFC3748  06/2004 (67 p.)  [html] [pdf(2)]
Authors: B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson, H. Levkowetz
Title: Extensible Authentication Protocol (EAP)
Status: Proposed Standard

This document defines the Extensible Authentication Protocol (EAP),
an authentication framework which supports multiple authentication
methods. EAP typically runs directly over data link layers such as
Point-to-Point Protocol (PPP) or IEEE 802, without requiring IP. EAP
provides its own support for duplicate elimination and
retransmission, but is reliant on lower layer ordering guarantees.
Fragmentation is not supported within EAP itself; however, individual
EAP methods may support this.
RFC4137  08/2005 (51 p.)  [html] [pdf(2)]
Authors: J. Vollbrecht, P. Eronen, N. Petroni, Y. Ohba
Title: State Machines for Extensible Authentication Protocol (EAP) Peer and Authenticator

This document describes a set of state machines for Extensible
Authentication Protocol (EAP) peer, EAP stand-alone authenticator
(non-pass-through), EAP backend authenticator (for use on
Authentication, Authorization, and Accounting (AAA) servers), and EAP
full authenticator (for both local and pass-through). This set of
state machines shows how EAP can be implemented to support deployment
in either a peer/authenticator or peer/authenticator/AAA Server
environment. The peer and stand-alone authenticator machines are
illustrative of how the EAP protocol defined in RFC3748 may be
implemented. The backend and full/pass-through authenticators
illustrate how EAP/AAA protocol support defined in RFC3579 may be
implemented. Where there are differences, RFC3748 and RFC3579 are
authoritative.

The state machines are based on the EAP "Switch" model. This model
includes events and actions for the interaction between the EAP
Switch and EAP methods. A brief description of the EAP "Switch"
model is given in the Introduction section.

The state machine and associated model are informative only.
Implementations may achieve the same results using different methods.
RFC4284  01/2006 (14 p.)  [html] [pdf(2)]
Authors: F. Adrangi, V. Lortz, F. Bari, P. Eronen
Title: Identity Selection Hints for the Extensible Authentication Protocol (EAP)

The Extensible Authentication Protocol (EAP) is defined in RFC 3748.
This document defines a mechanism that allows an access network to
provide identity selection hints to an EAP peer -- the end of the
link that responds to the authenticator. The purpose is to assist
the EAP peer in selecting an appropriate Network Access Identifier
(NAI). This is useful in situations where the peer does not receive
a lower-layer indication of what network it is connecting to, or when
there is no direct roaming relationship between the access network
and the peer's home network. In the latter case, authentication is
typically accomplished via a mediating network such as a roaming
consortium or broker.

The mechanism defined in this document is limited in its scalability.
It is intended for access networks that have a small to moderate
number of direct roaming partners.
RFC4764  01/2007 (64 p.)  [html] [pdf(2)]
Authors: F. Bersani, H. Tschofenig
Title: The EAP-PSK Protocol: A Pre-Shared Key Extensible Authentication Protocol (EAP) Method

This document specifies EAP-PSK, an Extensible Authentication
Protocol (EAP) method for mutual authentication and session key
derivation using a Pre-Shared Key (PSK). EAP-PSK provides a
protected communication channel when mutual authentication is
successful for both parties to communicate over. This document
describes the use of this channel only for protected exchange of
result indications, but future EAP-PSK extensions may use the channel
for other purposes. EAP-PSK is designed for authentication over
insecure networks such as IEEE 802.11.
RFC4793  01/2007 (82 p.)  [html] [pdf(2)]
Authors: M. Nystroem
Title: The EAP Protected One-Time Password Protocol (EAP-POTP)

This document describes a general Extensible Authentication Protocol
(EAP) method suitable for use with One-Time Password (OTP) tokens,
and offers particular advantages for tokens with direct electronic
interfaces to their associated clients. The method can be used to
provide unilateral or mutual authentication, and key material, in
protocols utilizing EAP, such as PPP, IEEE 802.1X, and Internet Key
Exchange Protocol Version 2 (IKEv2).
RFC4851  05/2007 (64 p.)  [html] [pdf(2)]
Authors: N. Cam-Winget, D. McGrew, J. Salowey, H. Zhou
Title: The Flexible Authentication via Secure Tunneling Extensible Authentication Protocol Method (EAP-FAST)

This document defines the Extensible Authentication Protocol (EAP)
based Flexible Authentication via Secure Tunneling (EAP-FAST)
protocol. EAP-FAST is an EAP method that enables secure
communication between a peer and a server by using the Transport
Layer Security (TLS) to establish a mutually authenticated tunnel.
Within the tunnel, Type-Length-Value (TLV) objects are used to convey
authentication related data between the peer and the EAP server.
RFC5106  01/2008 (33 p.)  [html] [pdf(2)]
Authors: H. Tschofenig, D. Kroeselberg, A. Pashalidis, Y. Ohba, F. Bersani
Title: The Extensible Authentication Protocol-Internet Key Exchange Protocol version 2 (EAP-IKEv2) Method

This document specifies EAP-IKEv2, an Extensible Authentication
Protocol (EAP) method that is based on the Internet Key Exchange
(IKEv2) protocol. EAP-IKEv2 provides mutual authentication and
session key establishment between an EAP peer and an EAP server. It
supports authentication techniques that are based on passwords,
high-entropy shared keys, and public key certificates. EAP-IKEv2
further provides support for cryptographic ciphersuite negotiation,
hash function agility, identity confidentiality (in certain modes of
operation), fragmentation, and an optional "fast reconnect" mode.
RFC5113  01/2008 (39 p.)  [html] [pdf(2)]
Authors: J. Arkko, B. Aboba, J. Korhonen, F. Bari
Title: Network Discovery and Selection Problem

When multiple access networks are available, users may have
difficulty in selecting which network to connect to and how to
authenticate with that network. This document defines the network
discovery and selection problem, dividing it into multiple sub-
problems. Some constraints on potential solutions are outlined, and
the limitations of several solutions (including existing ones) are
discussed.
eap-keying-22  RFC Ed Queue (05/08)  Nov 11, 2007 (74 p.)  [pdf(2)] [html]
Authors: B. Aboba, D. Simon, P. Eronen
Title: Extensible Authentication Protocol (EAP) Key Management Framework
Intended Status: Proposed Standard

The Extensible Authentication Protocol (EAP), defined in RFC 3748,
enables extensible network access authentication. This document
specifies the EAP key hierarchy and provides a framework for the
transport and usage of keying material and parameters generated by
EAP authentication algorithms, known as "methods". It also provides
a detailed system-level security analysis, describing the conditions
under which the key management guidelines described in RFC 4962 can
be satisfied.
funk-eap-ttls-v0-05  RFC Ed Queue (05/08)  Apr 30, 2008 (48 p.)  [pdf(2)] [html]
Authors: P. Funk, S. Blake-Wilson
Title: EAP Tunneled TLS Authentication Protocol Version 0
Intended Status: Informational

EAP-TTLS is an EAP method that provides additional functionality
beyond what is available in EAP-TLS [RFC 5216]. In EAP-TLS, a TLS
handshake is used to mutually authenticate a client and server. EAP-TTLS
extends this authentication negotiation by using the secure
connection established by the TLS handshake to exchange additional
information between client and server. In EAP-TTLS, the TLS
handshake may be mutual; or it may be one-way, in which only the
server is authenticated to the client. The secure connection
established by the handshake may then be used to allow the server to
authenticate the client using existing, widely-deployed
authentication mechanisms. The authentication of the client may
itself be EAP, or it may be another authentication protocol such as
PAP, CHAP, MS-CHAP or MS-CHAP-V2.

Thus, EAP-TTLS allows legacy password-based authentication protocols
to be used against existing authentication databases, while
protecting the security of these legacy protocols against
eavesdropping, man-in-the-middle and other attacks.

EAP-TTLS also allows client and server to establish keying material
for use in the data connection between the client and access point.
The keying material is established implicitly between client and
server based on the TLS handshake.

This document describes EAP-TTLSv0; that is, the original version 0
of the EAP-TTLS protocol, which has been widely deployed.
vidya-eap-usrk-ip-mobility-01  Publication Requested  Nov 16, 2007 (17 p.)  [pdf(2)] [html]
Authors: V. Narayanan, G. Giaretta
Title: EAP-Based Keying for IP Mobility Protocols
Intended Status: Informational

EAP [RFC 3748] is increasingly used for network access authentication in
various networks. Also, key generating EAP methods are being adopted
in various systems for the purposes of cryptographic protection
between an EAP peer and an enforcement point in the network. Key
generating EAP methods produce an MSK and an EMSK in accordance with
[RFC 3748]. The MSK is meant for use by the EAP lower layer at the peer and
the authenticator and is used differently by various lower layers.
The EMSK hierarchy is defined in [2]. The EMSK hierarchy is meant to
be extensible to derive keys for various usages. This document
defines the key hierarchy and key derivations for using the EMSK
hierarchy for keying in IP mobility protocols.
abhi-eap-radius-00  ID Exists  Feb 13, 2008 (5 p.)  [pdf(2)] [html]
Authors: A. Singh
Title: Secure Communication of EAP - Radius messages
Intended Status: Informational

EAP is used to establish secure communication channel in
IKEv2 and in Wireless Security. EAP-TLS, EAP-TTLS, EAP-MD5,
EAP-SIM use radius protocol for communication between
radius server and the client. These protocols are used in
both Wireless network authentication and in IKEV2 authentication
to establish VPN tunnel.

This draft presents the security protocol which can be used
to establish the secure communication channel between the
radius server and pass through server. Pass through server
is access point in the case of wireless communication and
it is gateway in case of IKEV2 authentication.
urien-eap-smartcard-14  ID Exists  Feb 21, 2008 (64 p.)  [pdf(2)] [html]
Authors: P. Urien, G. Pujolle
Title: EAP-Support in Smartcard
Intended Status: Standards Track

This document describes the functional interface, based on the ISO7816
standard, to EAP methods, fully and securely executed in smart cards.
This class of tamper resistant device may deliver client or server
services; it can compute Root Keys from an Extended Master Session Key
(EMSK).
zrelli-eap-frap-04  ID Exists  Jun 3, 2008 (30 p.)  [pdf(2)] [html]
Authors: S. Zrelli, Y. Shinoda
Title: EAP Fast Re-Authentication Protocol (EAP-FRAP)

This document specifies an extension to the AAA/EAP authentication
and key management framework that allows an EAP peer to perform fast
re-authentications with the local EAP server after an initial full
EAP authentication using a legacy EAP method with the same or another
EAP server. EAP-FRAP eliminates the need for exchanges between the
local EAP server and the home EAP server each time the EAP peer is
authenticated. In wireless networks, this allows the mobile device
to reduce hand-off delays. The EAP-FRAP extension does not require
changes in underlying layer protocols, which makes it backward
compatible with existing infrastructures and easily deployable with
minimal costs.