Access Control and Authentication Mechanisms

Before allowing entities to access a network and its associated resources, the general mechanism is to authenticate the entity (a device and/or user) and then authorize it based on that identity. The most common access control is binary: it either allows or denies access based on membership in a group.

Note

Extending access control, especially to the wireless world, means more finely grained authorization; for example, you can allow access to the network and its resources for internal employees and allow only Internet access for guests. Employees are also working on federations, so access can be allowed based on the entity's membership in identity federations, for example, intercollege access for researchers, interorganization access based on collaboration on certain projects, and other similar groups and roles.


The different layers, standards, and conceptual entities in the EAP/802.1x world are seen in Figure 7-1.

Figure 7-1. Layered Authentication Framework


The Three-Party Model

The authentication is based on a three-party model: the supplicant, which requires access; the authenticator, which grants access; and the authentication server, which gives permission.

The supplicant has an identity and some credentials to prove that it is who it claims to be. The supplicant is connected to the network through an authenticator's port that is access controlled. The port concept is important because it acts as the choke point for the supplicant's access to the network resources. The access to the network can be controlled at a single point. The supplicant is called a peer in the IETF RFCs and drafts.

Note

In the wireless world, the most common supplicant is the STA (station), such as a laptop or PDA, and the authenticator is the access point (AP). The STA-to-AP cardinality is 1:1. (That is, one STA can, at one time, connect to the network through only one AP.) This restriction is tailor-made for the EAP/802.1x concept of an access-controlled port.


The authenticator itself does not know whether an entity can be allowed access; that is the function of the authentication server. In the IETF world, the authenticator is referred to as the network access server (NAS) or Remote Authentication Dial-In User Service (RADIUS) client.

Note

In many cases, the authenticator and the authentication server roles can be performed by one device, such as the 802.11 AP.


Let's look at the big picture before discussing the details. The supplicant initiates an access request, and the authenticator starts an EAP message exchange. (In the stricter sense of the standards, such as 802.1x, the supplicant does not necessarily always initiate the access request; the authenticator can initiate an authentication request when it senses a disabled-to-enabled state transition of a port.) At some point, the authenticator communicates with the authentication server, which decides on an authentication protocol. A set of exchanges then occurs between the supplicant, the authenticator, and the server; at the end of this exchange, a success or failure state is reached. If the authentication succeeds, the authenticator allows network access to the supplicant through the port. The authenticator also keeps a security context for the supplicant-port pair. This context can trigger many things, including a timeout if the authentication is valid only for a period of time (for example, billed access in a public WLAN scenario).

Layered Framework for Authentication

As shown in Figure 7-1, the authentication model is a layered one, with well-defined functionalities and protocols defining each layer and the interfaces between them. The access media (Step 1 in Figure 7-1) can be any of the 802 media: Ethernet, Token Ring, WLAN, or the original medium, the serial Point-to-Point Protocol (PPP) link. The EAP specifications provide a framework for exchanging authentication information (Step 2 in Figure 7-1) after the link layer is established. The exchange does not even need IP. It is the function of the transport protocol layer (Step 3 in Figure 7-1) to specify how EAP messages are exchanged over a LAN, which is what 802.1x (and to some extent some parts of 802.11i) does. The actual authentication process (Step 4 in Figure 7-1) is the one that defines how and what credentials should be exchanged. Bear in mind that this framework still does not say how the authorization should be done, such as what decisions are made and when. That functionality is left entirely to the domain.
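As an added example that is not part of the chapter, the following Python sketch models the three-party exchange and the controlled port described in the preceding sections: the supplicant's traffic is gated by the authenticator, the accept/reject decision is made only by the authentication server, and a timeout in the supplicant-port security context closes the port again. The class names, the single challenge/response standing in for a full EAP method, and the credential store are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class AuthServer:
    """Authentication server role (RADIUS/Diameter): it decides, it never forwards frames."""
    users: dict                    # identity -> secret (constructed sample data)
    session_timeout: int = 3600    # seconds of access granted per successful authentication

    def handle(self, identity, response):
        # A real server selects an EAP method and runs several round trips;
        # one challenge/response stands in for that exchange here (assumption).
        if self.users.get(identity) == response:
            return "Access-Accept", self.session_timeout
        return "Access-Reject", 0


@dataclass
class Authenticator:
    """Authenticator role (NAS / AP): owns the controlled port and the security context."""
    server: AuthServer
    port_authorized: bool = False
    context: dict = field(default_factory=dict)   # supplicant-port security context

    def authenticate(self, identity, response, now):
        # 802.1x: the port starts (and on re-authentication returns to) unauthorized.
        self.port_authorized = False
        result, timeout = self.server.handle(identity, response)   # relay to the server
        if result == "Access-Accept":
            self.port_authorized = True
            self.context = {"identity": identity, "expires": now + timeout}
        return result

    def forward(self, frame, now):
        """Port filter: EAP always passes; other traffic needs an authorized, unexpired port."""
        if frame == "EAP":
            return True
        if not self.port_authorized:
            return False
        if now >= self.context["expires"]:    # timed-out context closes the port
            self.port_authorized = False
            self.context = {}
            return False
        return True


def demo():
    """Run the exchange with constructed credentials; returns the outcome of each step."""
    ap = Authenticator(AuthServer(users={"alice": "s3cret"}))
    return {
        "eap_before_auth": ap.forward("EAP", now=0),                   # EAP passes the closed port
        "ip_before_auth": ap.forward("IP", now=0),                     # data traffic is blocked
        "bad_password": ap.authenticate("alice", "wrong", now=0),      # server rejects
        "ip_after_reject": ap.forward("IP", now=1),                    # port still closed
        "good_password": ap.authenticate("alice", "s3cret", now=2),    # server accepts
        "ip_after_accept": ap.forward("IP", now=3),                    # port open
        "ip_after_timeout": ap.forward("IP", now=2 + 3600),            # context expired
    }
```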

Table 7-1 lists the major standards and efforts in the authentication framework domain. This chapter covers the different flavors of EAP. Hopefully, this table will enable you to dig deeper into the areas in which you are interested.

Table 7-1. Specifications and Standards in the Authentication Framework Domain

Mechanism                                  | Specification                                                                            | Description
-------------------------------------------|------------------------------------------------------------------------------------------|------------------------------------------------------------
Domain: Access Method                      |                                                                                          |
PPP                                        | RFC 1661: The Point-to-Point Protocol (PPP)                                              |
802.3, 802.5, 802.11 and other standards   | Various                                                                                  | IEEE access media standards
Transport Layer Security (TLS)             | RFC 2246: Transport Layer Security Version 1.0                                           |
                                           | RFC 3268: AES Cipher Suites for TLS                                                      |
                                           | RFC 3546: TLS Extensions                                                                 |
Domain: Authentication Exchange            |                                                                                          |
EAP                                        | RFC 2284: PPP Extensible Authentication Protocol (EAP)                                   | Original 1998 EAP standard
                                           | RFC 3579: RADIUS Support for EAP                                                         | Was RFC 2284bis; will supersede RFC 2284
                                           | draft-urien-eap-smartcard-03.txt                                                         | EAP support in smart cards
                                           | draft-funk-eap-md5-tunneled-00.txt                                                       | EAP MD5-tunneled authentication protocol
                                           | draft-mancini-pppext-eap-ldap-00.txt                                                     | EAP-LDAP protocol
                                           | draft-haverinen-pppext-eap-sim-12.txt                                                    | EAP SIM authentication
                                           | draft-arkko-pppext-eap-aka-11.txt                                                        | EAP AKA authentication
                                           | draft-tschofenig-eap-ikev2-02.txt                                                        | EAP IKEv2 method
                                           | draft-salki-pppext-eap-gprs-01.txt                                                       | EAP GPRS protocol
                                           | draft-aboba-pppext-key-problem-07.txt                                                    | EAP key management framework
                                           | draft-jwalker-eap-archie-01.txt                                                          | EAP Archie protocol
                                           | draft-ietf-eap-statemachine-01                                                           | State machines for EAP peer and authenticator
802.1x                                     | IEEE Std. 802.1X-2001                                                                    | Port-based network access control
                                           | 802.1aa                                                                                  | Revision of 802.1x, work in progress
Domain: Authentication Process             |                                                                                          |
RADIUS                                     | RFC 2865: RADIUS                                                                         | Current RADIUS specification; supersedes RFC 2138, which in turn supersedes RFC 2058
                                           | RFC 2866: RADIUS Accounting                                                              | Defines the protocol for carrying accounting information between authenticator and authentication server; supersedes RFC 2139, which in turn supersedes RFC 2059
                                           | RFC 2867: RADIUS Accounting Modifications for Tunnel Protocol Support                    | Updates RFC 2866
                                           | RFC 2868: RADIUS Attributes for Tunnel Protocol Support                                  | Updates RFC 2865
                                           | RFC 2809: Implementation of L2TP Compulsory Tunneling via RADIUS                         |
                                           | RFC 2869: RADIUS Extensions                                                              | Adds attributes for carrying AAA information between the authenticator (NAS) and authentication server (shared accounting server)
                                           | RFC 3576: Dynamic Authorization Extensions to RADIUS                                     |
                                           | RFC 2548: Microsoft Vendor-Specific RADIUS Attributes                                    |
                                           | RFC 3575: IANA Considerations for RADIUS                                                 | Describes best practices for registering RADIUS packet types; updates Section 6 of RFC 2865
                                           | RFC 3580: IEEE 802.1x Remote Authentication Dial-In User Service (RADIUS) Usage Guidelines |
                                           | RFC 3162: RADIUS and IPv6                                                                |
                                           | RFC 2881: Network Access Server Requirements Next Generation (NASREQNG) NAS Model        | Proposes a model for the NAS, the authenticator
                                           | RFC 2882: Extended RADIUS Practices                                                      |
                                           | RFC 2618, 2619, 2620, and 2621                                                           | Various RADIUS MIBs
                                           | RFC 2607: Proxy Chaining and Policy Implementation in Roaming                            |
One-Time Password (OTP)                    | RFC 2289: A One-Time Password System                                                     |
                                           | RFC 2243: OTP Extended Responses                                                         |
EAP TLS (EAP Transport Layer Security)     | RFC 2716: PPP EAP TLS Authentication Protocol                                            |
EAP TTLS (EAP Tunneled TLS)                | draft-ietf-pppext-eap-ttls-03.txt                                                        | EAP tunneled TLS authentication protocol
Kerberos                                   | RFC 1510: Kerberos V5                                                                    |
                                           | RFC 2712: Addition of Kerberos Cipher Suites to Transport Layer Security (TLS)           |
                                           | RFC 3244: Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols     |
                                           | RFC 3546: TLS Extensions                                                                 | Updates RFC 2246
                                           | RFC 3268: AES for TLS                                                                    |
CHAP                                       | RFC 1994: PPP Challenge Handshake Authentication Protocol (CHAP)                         |
                                           | RFC 2433: Microsoft PPP CHAP Extensions                                                  |
                                           | RFC 2759: Microsoft PPP CHAP Extensions, Version 2                                       |
Protected EAP (PEAP)                       | draft-josefsson-pppext-eap-tls-eap-07.txt                                                | PEAP V2
                                           | draft-kamath-pppext-peapv0-00.txt                                                        | Microsoft PEAP version 0 (implementation in Windows XP SP1)
                                           | draft-puthenkulam-eap-binding-04.txt                                                     | The compound authentication binding problem
Diameter                                   | RFC 3588: Diameter Base Protocol                                                         |
                                           | draft-ietf-aaa-diameter-nasreq-13.txt: Diameter Network Access Server Application        | Diameter application in the AAA domain
                                           | draft-ietf-aaa-diameter-cms-sec-04.txt                                                   | Diameter CMS security application