tech-invite   World Map     

3GPP     Specs     Glossaries     Architecture     IMS     UICC       IETF     RFCs     Groups     SIP     ABNFs       Search

RFC 4851

 Errata 
Informational
Pages: 64
Top     in Index     Prev     Next
in Group Index     Prev in Group     Next in Group     Group: ~sec-eap

The Flexible Authentication via Secure Tunneling Extensible Authentication Protocol Method (EAP-FAST)

Part 1 of 3, p. 1 to 17
None       Next RFC Part

 


Top       ToC       Page 1 
Network Working Group                                      N. Cam-Winget
Request for Comments: 4851                                     D. McGrew
Category: Informational                                       J. Salowey
                                                                 H. Zhou
                                                           Cisco Systems
                                                                May 2007


           The Flexible Authentication via Secure Tunneling
          Extensible Authentication Protocol Method (EAP-FAST)

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The IETF Trust (2007).

Abstract

   This document defines the Extensible Authentication Protocol (EAP)
   based Flexible Authentication via Secure Tunneling (EAP-FAST)
   protocol.  EAP-FAST is an EAP method that enables secure
   communication between a peer and a server by using the Transport
   Layer Security (TLS) to establish a mutually authenticated tunnel.
   Within the tunnel, Type-Length-Value (TLV) objects are used to convey
   authentication related data between the peer and the EAP server.

Top       Page 2 
Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
     1.1.  Specification Requirements . . . . . . . . . . . . . . . .  5
     1.2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . .  5
   2.  Protocol Overview  . . . . . . . . . . . . . . . . . . . . . .  6
     2.1.  Architectural Model  . . . . . . . . . . . . . . . . . . .  6
     2.2.  Protocol Layering Model  . . . . . . . . . . . . . . . . .  7
   3.  EAP-FAST Protocol  . . . . . . . . . . . . . . . . . . . . . .  8
     3.1.  Version Negotiation  . . . . . . . . . . . . . . . . . . .  8
     3.2.  EAP-FAST Authentication Phase 1: Tunnel Establishment  . .  9
       3.2.1.  TLS Session Resume Using Server State  . . . . . . . . 10
       3.2.2.  TLS Session Resume Using a PAC . . . . . . . . . . . . 10
       3.2.3.  Transition between Abbreviated and Full TLS
               Handshake  . . . . . . . . . . . . . . . . . . . . . . 12
     3.3.  EAP-FAST Authentication Phase 2: Tunneled
           Authentication . . . . . . . . . . . . . . . . . . . . . . 12
       3.3.1.  EAP Sequences  . . . . . . . . . . . . . . . . . . . . 13
       3.3.2.  Protected Termination and Acknowledged Result
               Indication . . . . . . . . . . . . . . . . . . . . . . 13
     3.4.  Determining Peer-Id and Server-Id  . . . . . . . . . . . . 14
     3.5.  EAP-FAST Session Identifier  . . . . . . . . . . . . . . . 15
     3.6.  Error Handling . . . . . . . . . . . . . . . . . . . . . . 15
       3.6.1.  TLS Layer Errors . . . . . . . . . . . . . . . . . . . 15
       3.6.2.  Phase 2 Errors . . . . . . . . . . . . . . . . . . . . 16
     3.7.  Fragmentation  . . . . . . . . . . . . . . . . . . . . . . 16
   4.  Message Formats  . . . . . . . . . . . . . . . . . . . . . . . 18
     4.1.  EAP-FAST Message Format  . . . . . . . . . . . . . . . . . 18
       4.1.1.  Authority ID Data  . . . . . . . . . . . . . . . . . . 20
     4.2.  EAP-FAST TLV Format and Support  . . . . . . . . . . . . . 20
       4.2.1.  General TLV Format . . . . . . . . . . . . . . . . . . 21
       4.2.2.  Result TLV . . . . . . . . . . . . . . . . . . . . . . 22
       4.2.3.  NAK TLV  . . . . . . . . . . . . . . . . . . . . . . . 23
       4.2.4.  Error TLV  . . . . . . . . . . . . . . . . . . . . . . 24
       4.2.5.  Vendor-Specific TLV  . . . . . . . . . . . . . . . . . 25
       4.2.6.  EAP-Payload TLV  . . . . . . . . . . . . . . . . . . . 26
       4.2.7.  Intermediate-Result TLV  . . . . . . . . . . . . . . . 28
       4.2.8.  Crypto-Binding TLV . . . . . . . . . . . . . . . . . . 29
       4.2.9.  Request-Action TLV . . . . . . . . . . . . . . . . . . 31
     4.3.  Table of TLVs  . . . . . . . . . . . . . . . . . . . . . . 32
   5.  Cryptographic Calculations . . . . . . . . . . . . . . . . . . 32
     5.1.  EAP-FAST Authentication Phase 1: Key Derivations . . . . . 32
     5.2.  Intermediate Compound Key Derivations  . . . . . . . . . . 33
     5.3.  Computing the Compound MAC . . . . . . . . . . . . . . . . 34
     5.4.  EAP Master Session Key Generation  . . . . . . . . . . . . 35
     5.5.  T-PRF  . . . . . . . . . . . . . . . . . . . . . . . . . . 35
   6.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 36

Top      ToC       Page 3 
   7.  Security Considerations  . . . . . . . . . . . . . . . . . . . 37
     7.1.  Mutual Authentication and Integrity Protection . . . . . . 37
     7.2.  Method Negotiation . . . . . . . . . . . . . . . . . . . . 38
     7.3.  Separation of Phase 1 and Phase 2 Servers  . . . . . . . . 38
     7.4.  Mitigation of Known Vulnerabilities and Protocol
           Deficiencies . . . . . . . . . . . . . . . . . . . . . . . 39
       7.4.1.  User Identity Protection and Verification  . . . . . . 39
       7.4.2.  Dictionary Attack Resistance . . . . . . . . . . . . . 40
       7.4.3.  Protection against Man-in-the-Middle Attacks . . . . . 40
       7.4.4.  PAC Binding to User Identity . . . . . . . . . . . . . 41
     7.5.  Protecting against Forged Clear Text EAP Packets . . . . . 41
     7.6.  Server Certificate Validation  . . . . . . . . . . . . . . 42
     7.7.  Tunnel PAC Considerations  . . . . . . . . . . . . . . . . 42
     7.8.  Security Claims  . . . . . . . . . . . . . . . . . . . . . 43
   8.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 44
   9.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 44
     9.1.  Normative References . . . . . . . . . . . . . . . . . . . 44
     9.2.  Informative References . . . . . . . . . . . . . . . . . . 45
   Appendix A.  Examples  . . . . . . . . . . . . . . . . . . . . . . 46
     A.1.  Successful Authentication  . . . . . . . . . . . . . . . . 46
     A.2.  Failed Authentication  . . . . . . . . . . . . . . . . . . 47
     A.3.  Full TLS Handshake using Certificate-based Ciphersuite . . 48
     A.4.  Client Authentication during Phase 1 with Identity
           Privacy  . . . . . . . . . . . . . . . . . . . . . . . . . 50
     A.5.  Fragmentation and Reassembly . . . . . . . . . . . . . . . 52
     A.6.  Sequence of EAP Methods  . . . . . . . . . . . . . . . . . 53
     A.7.  Failed Crypto-Binding  . . . . . . . . . . . . . . . . . . 56
     A.8.  Sequence of EAP Method with Vendor-Specific TLV
           Exchange . . . . . . . . . . . . . . . . . . . . . . . . . 57
   Appendix B.  Test Vectors  . . . . . . . . . . . . . . . . . . . . 60
     B.1.  Key Derivation . . . . . . . . . . . . . . . . . . . . . . 60
     B.2.  Crypto-Binding MIC . . . . . . . . . . . . . . . . . . . . 62

Top      ToC       Page 4 
1.  Introduction

   Network access solutions requiring user friendly and easily
   deployable secure authentication mechanisms highlight the need for
   strong mutual authentication protocols that enable the use of weaker
   user credentials.  This document defines an Extensible Authentication
   Protocol (EAP), which consists of establishing a Transport Layer
   Security (TLS) tunnel using TLS 1.0 [RFC2246], TLS 1.1 [RFC4346], or
   a successor version of TLS, using the latest version supported by
   both parties.  Once the tunnel is established, the protocol further
   exchanges data in the form of type, length, and value objects (TLV)
   to perform further authentication.  EAP-FAST supports the TLS
   extension defined in [RFC4507] to support fast re-establishment of
   the secure tunnel without having to maintain per-session state on the
   server.  [EAP-PROV] defines EAP-FAST-based mechanisms to provision
   the credential for this extension which is called a Protected Access
   Credential (PAC).

   EAP-FAST's design motivations included:

   o  Mutual authentication: an EAP server must be able to verify the
      identity and authenticity of the peer, and the peer must be able
      to verify the authenticity of the EAP server.

   o  Immunity to passive dictionary attacks: many authentication
      protocols require a password to be explicitly provided (either as
      cleartext or hashed) by the peer to the EAP server; at minimum,
      the communication of the weak credential (e.g., password) must be
      immune from eavesdropping.

   o  Immunity to man-in-the-middle (MitM) attacks: in establishing a
      mutually authenticated protected tunnel, the protocol must prevent
      adversaries from successfully interjecting information into the
      conversation between the peer and the EAP server.

   o  Flexibility to enable support for most password authentication
      interfaces: as many different password interfaces (e.g., Microsoft
      Challenge Handshake Authentication Protocol (MS-CHAP), Lightweight
      Directory Access Protocol (LDAP), One-Time Password (OTP), etc.)
      exist to authenticate a peer, the protocol must provide this
      support seamlessly.

   o  Efficiency: specifically when using wireless media, peers will be
      limited in computational and power resources.  The protocol must
      enable the network access communication to be computationally
      lightweight.

Top      ToC       Page 5 
   With these motivational goals defined, further secondary design
   criteria are imposed:

   o  Flexibility to extend the communications inside the tunnel: with
      the growing complexity in network infrastructures, the need to
      gain authentication, authorization, and accounting is also
      evolving.  For instance, there may be instances in which multiple
      existing authentication protocols are required to achieve mutual
      authentication.  Similarly, different protected conversations may
      be required to achieve the proper authorization once a peer has
      successfully authenticated.

   o  Minimize the authentication server's per user authentication state
      requirements: with large deployments, it is typical to have many
      servers acting as the authentication servers for many peers.  It
      is also highly desirable for a peer to use the same shared secret
      to secure a tunnel much the same way it uses the username and
      password to gain access to the network.  The protocol must
      facilitate the use of a single strong shared secret by the peer
      while enabling the servers to minimize the per user and device
      state it must cache and manage.

1.1.  Specification Requirements

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119] .

1.2.  Terminology

   Much of the terminology in this document comes from [RFC3748].
   Additional terms are defined below:

   Protected Access Credential (PAC)

      Credentials distributed to a peer for future optimized network
      authentication.  The PAC consists of, at most, three components: a
      shared secret, an opaque element, and optionally other
      information.  The shared secret component contains the pre-shared
      key between the peer and the authentication server.  The opaque
      part is provided to the peer and is presented to the
      authentication server when the peer wishes to obtain access to
      network resources.  Finally, a PAC may optionally include other
      information that may be useful to the peer.  The opaque part of
      the PAC is the same type of data as the ticket in [RFC4507] and
      the shared secret is used to derive the TLS master secret.

Top      ToC       Page 6 
2.  Protocol Overview

   EAP-FAST is an authentication protocol similar to EAP-TLS [RFC2716]
   that enables mutual authentication and cryptographic context
   establishment by using the TLS handshake protocol.  EAP-FAST allows
   for the established TLS tunnel to be used for further authentication
   exchanges.  EAP-FAST makes use of TLVs to carry out the inner
   authentication exchanges.  The tunnel is then used to protect weaker
   inner authentication methods, which may be based on passwords, and to
   communicate the results of the authentication.

   EAP-FAST makes use of the TLS enhancements in [RFC4507] to enable an
   optimized TLS tunnel session resume while minimizing server state.
   The secret key used in EAP-FAST is referred to as the Protected
   Access Credential key (or PAC-Key); the PAC-Key is used to mutually
   authenticate the peer and the server when securing a tunnel.  The
   ticket is referred to as the Protected Access Credential opaque data
   (or PAC-Opaque).  The secret key and ticket used to establish the
   tunnel may be provisioned through mechanisms that do not involve the
   TLS handshake.  It is RECOMMENDED that implementations support the
   capability to distribute the ticket and secret key within the EAP-
   FAST tunnel as specified in [EAP-PROV].

   The EAP-FAST conversation is used to establish or resume an existing
   session to typically establish network connectivity between a peer
   and the network.  Upon successful execution of EAP-FAST, both EAP
   peer and EAP server derive strong session key material that can then
   be communicated to the network access server (NAS) for use in
   establishing a link layer security association.

2.1.  Architectural Model

   The network architectural model for EAP-FAST usage is shown below:

    +----------+      +----------+      +----------+      +----------+
    |          |      |          |      |          |      |  Inner   |
    |   Peer   |<---->|  Authen- |<---->| EAP-FAST |<---->|  Method  |
    |          |      |  ticator |      |  server  |      |  server  |
    |          |      |          |      |          |      |          |
    +----------+      +----------+      +----------+      +----------+

                       EAP-FAST Architectural Model

   The entities depicted above are logical entities and may or may not
   correspond to separate network components.  For example, the EAP-FAST
   server and inner method server might be a single entity; the
   authenticator and EAP-FAST server might be a single entity; or the
   functions of the authenticator, EAP-FAST server, and inner method

Top      ToC       Page 7 
   server might be combined into a single physical device.  For example,
   typical 802.11 deployments place the Authenticator in an access point
   (AP) while a Radius server may provide the EAP-FAST and inner method
   server components.  The above diagram illustrates the division of
   labor among entities in a general manner and shows how a distributed
   system might be constructed; however, actual systems might be
   realized more simply.  The security considerations Section 7.3
   provides an additional discussion of the implications of separating
   the EAP-FAST server from the inner method server.

2.2.  Protocol Layering Model

   EAP-FAST packets are encapsulated within EAP; EAP in turn requires a
   carrier protocol for transport.  EAP-FAST packets encapsulate TLS,
   which is then used to encapsulate user authentication information.
   Thus, EAP-FAST messaging can be described using a layered model,
   where each layer encapsulates the layer above it.  The following
   diagram clarifies the relationship between protocols:

    +---------------------------------------------------------------+
    |       Inner EAP Method     |     Other TLV information        |
    |---------------------------------------------------------------|
    |                 TLV Encapsulation (TLVs)                      |
    |---------------------------------------------------------------|
    |                         TLS                                   |
    |---------------------------------------------------------------|
    |                       EAP-FAST                                |
    |---------------------------------------------------------------|
    |                         EAP                                   |
    |---------------------------------------------------------------|
    |   Carrier Protocol (EAP over LAN, RADIUS, Diameter, etc.)     |
    +---------------------------------------------------------------+

                          Protocol Layering Model

   The TLV layer is a payload with Type-Length-Value (TLV) Objects
   defined in Section 4.2.  The TLV objects are used to carry arbitrary
   parameters between an EAP peer and an EAP server.  All conversations
   in the EAP-FAST protected tunnel must be encapsulated in a TLV layer.

   Methods for encapsulating EAP within carrier protocols are already
   defined.  For example, IEEE 802.1X [IEEE.802-1X.2004] may be used to
   transport EAP between the peer and the authenticator; RADIUS
   [RFC3579] or Diameter [RFC4072] may be used to transport EAP between
   the authenticator and the EAP-FAST server.

Top      ToC       Page 8 
3.  EAP-FAST Protocol

   EAP-FAST authentication occurs in two phases.  In the first phase,
   EAP-FAST employs the TLS handshake to provide an authenticated key
   exchange and to establish a protected tunnel.  Once the tunnel is
   established the second phase begins with the peer and server engaging
   in further conversations to establish the required authentication and
   authorization policies.  The operation of the protocol, including
   Phase 1 and Phase 2, are the topic of this section.  The format of
   EAP-FAST messages is given in Section 4 and the cryptographic
   calculations are given in Section 5.

3.1.  Version Negotiation

   EAP-FAST packets contain a 3-bit version field, following the TLS
   Flags field, which enables EAP-FAST implementations to be backward
   compatible with previous versions of the protocol.  This
   specification documents the EAP-FAST version 1 protocol;
   implementations of this specification MUST use a version field set to
   1.

   Version negotiation proceeds as follows:

      In the first EAP-Request sent with EAP type=EAP-FAST, the EAP
      server must set the version field to the highest supported version
      number.

      If the EAP peer supports this version of the protocol, it MUST
      respond with an EAP-Response of EAP type=EAP-FAST, and the version
      number proposed by the EAP-FAST server.

      If the EAP-FAST peer does not support this version, it responds
      with an EAP-Response of EAP type=EAP-FAST and the highest
      supported version number.

      If the EAP-FAST server does not support the version number
      proposed by the EAP-FAST peer, it terminates the conversation.
      Otherwise the EAP-FAST conversation continues.

   The version negotiation procedure guarantees that the EAP-FAST peer
   and server will agree to the latest version supported by both
   parties.  If version negotiation fails, then use of EAP-FAST will not
   be possible, and another mutually acceptable EAP method will need to
   be negotiated if authentication is to proceed.

   The EAP-FAST version is not protected by TLS; and hence can be
   modified in transit.  In order to detect a modification of the EAP-
   FAST version, the peers MUST exchange the EAP-FAST version number

Top      ToC       Page 9 
   received during version negotiation using the Crypto-Binding TLV
   described in Section 4.2.8.  The receiver of the Crypto-Binding TLV
   MUST verify that the version received in the Crypto-Binding TLV
   matches the version sent by the receiver in the EAP-FAST version
   negotiation.

3.2.  EAP-FAST Authentication Phase 1: Tunnel Establishment

   EAP-FAST is based on the TLS handshake [RFC2246] to establish an
   authenticated and protected tunnel.  The TLS version offered by the
   peer and server MUST be TLS v1.0 or later.  This version of the EAP-
   FAST implementation MUST support the following TLS ciphersuites:

      TLS_RSA_WITH_RC4_128_SHA

      TLS_RSA_WITH_AES_128_CBC_SHA [RFC3268]

      TLS_DHE_RSA_WITH_AES_128_CBC_SHA [RFC3268]

   Other ciphersuites MAY be supported.  It is RECOMMENDED that
   anonymous ciphersuites such as TLS_DH_anon_WITH_AES_128_CBC_SHA only
   be used in the context of the provisioning described in [EAP-PROV].
   Care must be taken to address potential man-in-the-middle attacks
   when ciphersuites that do not provide authenticated tunnel
   establishment are used.  During the EAP-FAST Phase 1 conversation the
   EAP-FAST endpoints MAY negotiate TLS compression.

   The EAP server initiates the EAP-FAST conversation with an EAP
   request containing an EAP-FAST/Start packet.  This packet includes a
   set Start (S) bit, the EAP-FAST version as specified in Section 3.1,
   and an authority identity.  The TLS payload in the initial packet is
   empty.  The authority identity (A-ID) is used to provide the peer a
   hint of the server's identity that may be useful in helping the peer
   select the appropriate credential to use.  Assuming that the peer
   supports EAP-FAST the conversation continues with the peer sending an
   EAP-Response packet with EAP type of EAP-FAST with the Start (S) bit
   clear and the version as specified in Section 3.1.  This message
   encapsulates one or more TLS records containing the TLS handshake
   messages.  If the EAP-FAST version negotiation is successful then the
   EAP-FAST conversation continues until the EAP server and EAP peer are
   ready to enter Phase 2.  When the full TLS handshake is performed,
   then the first payload of EAP-FAST Phase 2 MAY be sent along with
   server-finished handshake message to reduce the number of round
   trips.

   After the TLS session is established, another EAP exchange MAY occur
   within the tunnel to authenticate the EAP peer.  EAP-FAST
   implementations MUST support client authentication during tunnel

Top      ToC       Page 10 
   establishment using the TLS ciphersuites specified in Section 3.2.
   EAP-FAST implementations SHOULD also support the immediate
   renegotiation of a TLS session to initiate a new handshake message
   exchange under the protection of the current ciphersuite.  This
   allows support for protection of the peer's identity.  Note that the
   EAP peer does not need to authenticate as part of the TLS exchange,
   but can alternatively be authenticated through additional EAP
   exchanges carried out in Phase 2.

   The EAP-FAST tunnel protects peer identity information from
   disclosure outside the tunnel.  Implementations that wish to provide
   identity privacy for the peer identity must carefully consider what
   information is disclosed outside the tunnel.

   The following sections describe resuming a TLS session based on
   server-side or client-side state.

3.2.1.  TLS Session Resume Using Server State

   EAP-FAST session resumption is achieved in the same manner TLS
   achieves session resume.  To support session resumption, the server
   and peer must minimally cache the SessionID, master secret, and
   ciphersuite.  The peer attempts to resume a session by including a
   valid SessionID from a previous handshake in its ClientHello message.
   If the server finds a match for the SessionID and is willing to
   establish a new connection using the specified session state, the
   server will respond with the same SessionID and proceed with the EAP-
   FAST Authentication Phase 1 tunnel establishment based on a TLS
   abbreviated handshake.  After a successful conclusion of the EAP-FAST
   Authentication Phase 1 conversation, the conversation then continues
   on to Phase 2.

3.2.2.  TLS Session Resume Using a PAC

   EAP-FAST supports the resumption of sessions based on client-side
   state using techniques described in [RFC4507].  This version of EAP-
   FAST does not support the provisioning of a ticket through the use of
   the SessionTicket handshake message.  Instead it supports the
   provisioning of a ticket called a Protected Access Credential (PAC)
   as described in [EAP-PROV].  Implementations may provide additional
   ways to provision the PAC, such as manual configuration.  Since the
   PAC mentioned here is used for establishing the TLS Tunnel, it is
   more specifically referred to as the Tunnel PAC.  The Tunnel PAC is a
   security credential provided by the EAP server to a peer and
   comprised of:

Top      ToC       Page 11 
   1.  PAC-Key: this is a 32-octet key used by the peer to establish the
       EAP-FAST Phase 1 tunnel.  This key is used to derive the TLS
       premaster secret as described in Section 5.1.  The PAC-Key is
       randomly generated by the EAP server to produce a strong entropy
       32-octet key.  The PAC-Key is a secret and MUST be treated
       accordingly.  For example, as the PAC-Key is a separate component
       provisioned by the server to establish a secure tunnel, the
       server may deliver this component protected by a secure channel,
       and it must be stored securely by the peer.

   2.  PAC-Opaque: this is a variable length field that is sent to the
       EAP server during the EAP-FAST Phase 1 tunnel establishment.  The
       PAC-Opaque can only be interpreted by the EAP server to recover
       the required information for the server to validate the peer's
       identity and authentication.  For example, the PAC-Opaque
       includes the PAC-Key and may contain the PAC's peer identity.
       The PAC-Opaque format and contents are specific to the PAC
       issuing server.  The PAC-Opaque may be presented in the clear, so
       an attacker MUST NOT be able to gain useful information from the
       PAC-Opaque itself.  The server issuing the PAC-Opaque must ensure
       it is protected with strong cryptographic keys and algorithms.

   3.  PAC-Info: this is a variable length field used to provide, at a
       minimum, the authority identity of the PAC issuer.  Other useful
       but not mandatory information, such as the PAC-Key lifetime, may
       also be conveyed by the PAC issuing server to the peer during PAC
       provisioning or refreshment.

   The use of the PAC is based on the SessionTicket extension defined in
   [RFC4507].  The EAP server initiates the EAP-FAST conversation as
   normal.  Upon receiving the A-ID from the server, the peer checks to
   see if it has an existing valid PAC-Key and PAC-Opaque for the
   server.  If it does, then it obtains the PAC-Opaque and puts it in
   the SessionTicket extension in the ClientHello.  It is RECOMMENDED in
   EAP-FAST that the peer include an empty Session ID in a ClientHello
   containing a PAC-Opaque.  EAP-FAST does not currently support the
   SessionTicket Handshake message so an empty SessionTicket extension
   MUST NOT be included in the ClientHello.  If the PAC-Opaque included
   in the SessionTicket extension is valid and the EAP server permits
   the abbreviated TLS handshake, it will select the ciphersuite allowed
   to be used from information within the PAC and finish with the
   abbreviated TLS handshake.  If the server receives a Session ID and a
   PAC-Opaque in the SessionTicket extension in a ClientHello, it should
   place the same Session ID in the ServerHello if it is resuming a
   session based on the PAC-Opaque.  The conversation then proceeds as
   described in [RFC4507] until the handshake completes or a fatal error
   occurs.  After the abbreviated handshake completes, the peer and
   server are ready to commence Phase 2.  Note that when a PAC is used,

Top      ToC       Page 12 
   the TLS master secret is calculated from the PAC-Key, client random,
   and server random as described in Section 5.1.

   Specific details for the Tunnel PAC format, provisioning and security
   considerations are best described in [EAP-PROV]

3.2.3.  Transition between Abbreviated and Full TLS Handshake

   If session resumption based on server-side or client-side state
   fails, the server can gracefully fall back to a full TLS handshake.
   If the ServerHello received by the peer contains a empty Session ID
   or a Session ID that is different than in the ClientHello, the server
   may be falling back to a full handshake.  The peer can distinguish
   the server's intent of negotiating full or abbreviated TLS handshake
   by checking the next TLS handshake messages in the server response to
   the ClientHello.  If ChangeCipherSpec follows the ServerHello in
   response to the ClientHello, then the server has accepted the session
   resumption and intends to negotiate the abbreviated handshake.
   Otherwise, the server intends to negotiate the full TLS handshake.  A
   peer can request for a new PAC to be provisioned after the full TLS
   handshake and mutual authentication of the peer and the server.  In
   order to facilitate the fallback to a full handshake, the peer SHOULD
   include ciphersuites that allow for a full handshake and possibly PAC
   provisioning so the server can select one of these in case session
   resumption fails.  An example of the transition is shown in
   Appendix A.

3.3.  EAP-FAST Authentication Phase 2: Tunneled Authentication

   The second portion of the EAP-FAST Authentication occurs immediately
   after successful completion of Phase 1.  Phase 2 occurs even if both
   peer and authenticator are authenticated in the Phase 1 TLS
   negotiation.  Phase 2 MUST NOT occur if the Phase 1 TLS handshake
   fails.  Phase 2 consists of a series of requests and responses
   encapsulated in TLV objects defined in Section 4.2.  Phase 2 MUST
   always end with a protected termination exchange described in
   Section 3.3.2.  The TLV exchange may include the execution of zero or
   more EAP methods within the protected tunnel as described in
   Section 3.3.1.  A server MAY proceed directly to the protected
   termination exchange if it does not wish to request further
   authentication from the peer.  However, the peer and server must not
   assume that either will skip inner EAP methods or other TLV
   exchanges.  The peer may have roamed to a network that requires
   conformance with a different authentication policy or the peer may
   request the server take additional action through the use of the
   Request-Action TLV.

Top      ToC       Page 13 
3.3.1.  EAP Sequences

   EAP [RFC3748] prohibits use of multiple authentication methods within
   a single EAP conversation in order to limit vulnerabilities to man-
   in-the-middle attacks.  EAP-FAST addresses man-in-the-middle attacks
   through support for cryptographic protection of the inner EAP
   exchange and cryptographic binding of the inner authentication
   method(s) to the protected tunnel.  EAP methods are executed serially
   in a sequence.  This version of EAP-FAST does not support initiating
   multiple EAP methods simultaneously in parallel.  The methods need
   not be distinct.  For example, EAP-TLS could be run twice as an inner
   method, first using machine credentials followed by a second instance
   using user credentials.

   EAP method messages are carried within EAP-Payload TLVs defined in
   Section 4.2.6.  If more than one method is going to be executed in
   the tunnel then, upon completion of a method, a server MUST send an
   Intermediate-Result TLV indicating the result.  The peer MUST respond
   to the Intermediate-Result TLV indicating its result.  If the result
   indicates success, the Intermediate-Result TLV MUST be accompanied by
   a Crypto-Binding TLV.  The Crypto-Binding TLV is further discussed in
   Section 4.2.8 and Section 5.3.  The Intermediate-Result TLVs can be
   included with other TLVs such as EAP-Payload TLVs starting a new EAP
   conversation or with the Result TLV used in the protected termination
   exchange.  In the case where only one EAP method is executed in the
   tunnel, the Intermediate-Result TLV MUST NOT be sent with the Result
   TLV.  In this case, the status of the inner EAP method is represented
   by the final Result TLV, which also represents the result of the
   whole EAP-FAST conversation.  This is to maintain backward
   compatibility with existing implementations.

   If both peer and server indicate success, then the method is
   considered complete.  If either indicates failure. then the method is
   considered failed.  The result of failure of an EAP method does not
   always imply a failure of the overall authentication.  If one
   authentication method fails, the server may attempt to authenticate
   the peer with a different method.

3.3.2.  Protected Termination and Acknowledged Result Indication

   A successful EAP-FAST Phase 2 conversation MUST always end in a
   successful Result TLV exchange.  An EAP-FAST server may initiate the
   Result TLV exchange without initiating any EAP conversation in EAP-
   FAST Phase 2.  After the final Result TLV exchange, the TLS tunnel is
   terminated and a clear text EAP-Success or EAP-Failure is sent by the
   server.  The format of the Result TLV is described in Section 4.2.2.

Top      ToC       Page 14 
   A server initiates a successful protected termination exchange by
   sending a Result TLV indicating success.  The server may send the
   Result TLV along with an Intermediate-Result TLV and a Crypto-Binding
   TLV.  If the peer requires nothing more from the server it will
   respond with a Result TLV indicating success accompanied by an
   Intermediate-Result TLV and Crypto-Binding TLV if necessary.  The
   server then tears down the tunnel and sends a clear text EAP-Success.

   If the peer receives a Result TLV indicating success from the server,
   but its authentication policies are not satisfied (for example it
   requires a particular authentication mechanism be run or it wants to
   request a PAC), it may request further action from the server using
   the Request-Action TLV.  The Request-Action TLV is sent along with
   the Result TLV indicating what EAP Success/Failure result the peer
   would expect if the requested action is not granted.  The value of
   the Request-Action TLV indicates what the peer would like to do next.
   The format and values for the Request-Action TLV are defined in
   Section 4.2.9.

   Upon receiving the Request-Action TLV the server may process the
   request or ignore it, based on its policy.  If the server ignores the
   request, it proceeds with termination of the tunnel and send the
   clear text EAP Success or Failure message based on the value of the
   peer's result TLV.  If the server honors and processes the request,
   it continues with the requested action.  The conversation completes
   with a Result TLV exchange.  The Result TLV may be included with the
   TLV that completes the requested action.

   Error handling for Phase 2 is discussed in Section 3.6.2.

3.4.  Determining Peer-Id and Server-Id

   The Peer-Id and Server-Id may be determined based on the types of
   credentials used during either the EAP-FAST tunnel creation or
   authentication.

   When X.509 certificates are used for peer authentication, the Peer-Id
   is determined by the subject or subjectAltName fields in the peer
   certificate.  As noted in [RFC3280] (updated by [RFC4630]):

      The subject field identifies the entity associated with the public
      key stored in the subject public key field.  The subject name MAY
      be carried in the subject field and/or the subjectAltName
      extension....  If subject naming information is present only in
      the subjectAltName extension (e.g., a key bound only to an email
      address or URI), then the subject name MUST be an empty sequence
      and the subjectAltName extension MUST be critical.

Top      ToC       Page 15 
      Where it is non-empty, the subject field MUST contain an X.500
      distinguished name (DN).

   If an inner EAP method is run, then the Peer-Id is obtained from the
   inner method.

   When the server uses an X.509 certificate to establish the TLS
   tunnel, the Server-Id is determined in a similar fashion as stated
   above for the Peer-Id; e.g., the subject or subjectAltName field in
   the server certificate defines the Server-Id.

3.5.  EAP-FAST Session Identifier

   The EAP session identifier is constructed using the random values
   provided by the peer and server during the TLS tunnel establishment.
   The Session-Id is defined as follows:

      Session-Id  = 0x2B || client_random || server_random)
     client_random = 32 byte nonce generated by the peer
     server_random = 32 byte nonce generated by the server

3.6.  Error Handling

   EAP-FAST uses the following error handling rules summarized below:

   1.  Errors in the TLS layer are communicated via TLS alert messages
       in all phases of EAP-FAST.

   2.  The Intermediate-Result TLVs carry success or failure indications
       of the individual EAP methods in EAP-FAST Phase 2.  Errors within
       the EAP conversation in Phase 2 are expected to be handled by
       individual EAP methods.

   3.  Violations of the TLV rules are handled using Result TLVs
       together with Error TLVs.

   4.  Tunnel compromised errors (errors caused by Crypto-Binding failed
       or missing) are handled using Result TLVs and Error TLVs.

3.6.1.  TLS Layer Errors

   If the EAP-FAST server detects an error at any point in the TLS
   Handshake or the TLS layer, the server SHOULD send an EAP-FAST
   request encapsulating a TLS record containing the appropriate TLS
   alert message rather than immediately terminating the conversation so
   as to allow the peer to inform the user of the cause of the failure
   and possibly allow for a restart of the conversation.  The peer MUST
   send an EAP-FAST response to an alert message.  The EAP-Response

Top      ToC       Page 16 
   packet sent by the peer may encapsulate a TLS ClientHello handshake
   message, in which case the EAP-FAST server MAY allow the EAP-FAST
   conversation to be restarted, or it MAY contain an EAP-FAST response
   with a zero-length message, in which case the server MUST terminate
   the conversation with an EAP-Failure packet.  It is up to the EAP-
   FAST server whether to allow restarts, and if so, how many times the
   conversation can be restarted.  An EAP-FAST Server implementing
   restart capability SHOULD impose a limit on the number of restarts,
   so as to protect against denial-of-service attacks.

   If the EAP-FAST peer detects an error at any point in the TLS layer,
   the EAP-FAST peer should send an EAP-FAST response encapsulating a
   TLS record containing the appropriate TLS alert message.  The server
   may restart the conversation by sending an EAP-FAST request packet
   encapsulating the TLS HelloRequest handshake message.  The peer may
   allow the EAP-FAST conversation to be restarted or it may terminate
   the conversation by sending an EAP-FAST response with an zero-length
   message.

3.6.2.  Phase 2 Errors

   Any time the peer or the server finds a fatal error outside of the
   TLS layer during Phase 2 TLV processing, it MUST send a Result TLV of
   failure and an Error TLV with the appropriate error code.  For errors
   involving the processing of the sequence of exchanges, such as a
   violation of TLV rules (e.g., multiple EAP-Payload TLVs), the error
   code is Unexpected_TLVs_Exchanged.  For errors involving a tunnel
   compromise, the error-code is Tunnel_Compromise_Error.  Upon sending
   a Result TLV with a fatal Error TLV the sender terminates the TLS
   tunnel.  Note that a server will still wait for a message from the
   peer after it sends a failure, however the server does not need to
   process the contents of the response message.

   If a server receives a Result TLV of failure with a fatal Error TLV,
   it SHOULD send a clear text EAP-Failure.  If a peer receives a Result
   TLV of failure, it MUST respond with a Result TLV indicating failure.
   If the server has sent a Result TLV of failure, it ignores the peer
   response, and it SHOULD send a clear text EAP-Failure.

3.7.  Fragmentation

   A single TLS record may be up to 16384 octets in length, but a TLS
   message may span multiple TLS records, and a TLS certificate message
   may in principle be as long as 16 MB.  This is larger than the
   maximum size for a message on most media types, therefore it is
   desirable to support fragmentation.  Note that in order to protect
   against reassembly lockup and denial-of-service attacks, it may be
   desirable for an implementation to set a maximum size for one such

Top      ToC       Page 17 
   group of TLS messages.  Since a typical certificate chain is rarely
   longer than a few thousand octets, and no other field is likely to be
   anywhere near as long, a reasonable choice of maximum acceptable
   message length might be 64 KB.  This is still a fairly large message
   packet size so an EAP-FAST implementation MUST provide its own
   support for fragmentation and reassembly.

   Since EAP is an lock-step protocol, fragmentation support can be
   added in a simple manner.  In EAP, fragments that are lost or damaged
   in transit will be retransmitted, and since sequencing information is
   provided by the Identifier field in EAP, there is no need for a
   fragment offset field.

   EAP-FAST fragmentation support is provided through the addition of
   flag bits within the EAP-Response and EAP-Request packets, as well as
   a TLS Message Length field of four octets.  Flags include the Length
   included (L), More fragments (M), and EAP-FAST Start (S) bits.  The L
   flag is set to indicate the presence of the four-octet TLS Message
   Length field, and MUST be set for the first fragment of a fragmented
   TLS message or set of messages.  The M flag is set on all but the
   last fragment.  The S flag is set only within the EAP-FAST start
   message sent from the EAP server to the peer.  The TLS Message Length
   field is four octets, and provides the total length of the TLS
   message or set of messages that is being fragmented; this simplifies
   buffer allocation.

   When an EAP-FAST peer receives an EAP-Request packet with the M bit
   set, it MUST respond with an EAP-Response with EAP-Type of EAP-FAST
   and no data.  This serves as a fragment ACK.  The EAP server must
   wait until it receives the EAP-Response before sending another
   fragment.  In order to prevent errors in processing of fragments, the
   EAP server MUST increment the Identifier field for each fragment
   contained within an EAP-Request, and the peer must include this
   Identifier value in the fragment ACK contained within the EAP-
   Response.  Retransmitted fragments will contain the same Identifier
   value.

   Similarly, when the EAP-FAST server receives an EAP-Response with the
   M bit set, it must respond with an EAP-Request with EAP-Type of EAP-
   FAST and no data.  This serves as a fragment ACK.  The EAP peer MUST
   wait until it receives the EAP-Request before sending another
   fragment.  In order to prevent errors in the processing of fragments,
   the EAP server MUST increment the Identifier value for each fragment
   ACK contained within an EAP-Request, and the peer MUST include this
   Identifier value in the subsequent fragment contained within an EAP-
   Response.


Next RFC Part