Extensible Authentication Protocol (EAP) 3. Lower Layer Behavior

Source: Internet
Author: User
3. Lower Layer Behavior

3.1. Lower Layer Requirements

EAP requires the lower layer to satisfy the following requirements:

[1] Unreliable transport. In EAP, the authenticator retransmits Requests that receive no Response, so EAP does not require the lower layer to be reliable. Because EAP defines its own retransmission behavior, running it over a reliable lower layer means that both the lower layer and the EAP layer may retransmit. Note that EAP Success and Failure packets are not retransmitted: without a reliable lower layer, and with a high error rate, these packets will be lost and the exchange will eventually time out. This is why the reliability of EAP Success and Failure packets needs to be improved, as described in section 4.2.

[2] Lower layer error detection. EAP relies on error detection provided by the lower layer. Some EAP methods have no MIC at all, and even where one exists it may not cover every field, such as Code, Identifier, Length or Type. Without lower layer error detection, corrupted packets may therefore be passed up to the EAP layer or the EAP method layer and cause authentication to fail.

For example, EAP-TLS computes its MIC only over the Type-Data field and treats a MIC validation failure as a fatal error. Without lower layer error detection, such methods cannot operate reliably.

[3] Lower layer security. EAP does not require the lower layer to provide per-packet security services such as confidentiality, authentication, integrity or replay protection, although these services may be present. Where an EAP method supports key derivation, it can supply dynamic keying material, which allows the EAP authentication to be bound to the data that follows and protects that data against modification, spoofing and replay. See section 7.1 for details.

[4] Minimum MTU. The lower layer must support an EAP MTU of at least 1020 bytes.

EAP does not support path MTU discovery, fragmentation or reassembly, and neither do the methods defined in this document (Identity, Notification, Nak Response, MD5-Challenge, One-Time Password, Generic Token Card, Expanded Nak Response, and so on).

Typically, the EAP peer obtains the EAP MTU from the lower layer and sets its EAP frame size accordingly. When the authenticator operates in pass-through mode, the authentication server does not directly control the EAP MTU and therefore relies on the authenticator to provide this information, for example through the Framed-MTU attribute described in section 2.4.

Some methods, such as EAP-TLS, support fragmentation and reassembly. EAP methods were originally designed to work with PPP, which guarantees an MTU of at least 1500 bytes for control frames, so EAP methods generally do not support fragmentation and reassembly.

In the absence of other information, an EAP method can assume an EAP MTU of at least 1020 bytes. Methods whose payloads may exceed the minimum EAP MTU should support fragmentation and reassembly.

EAP is a lock-step protocol, so it handles fragmentation and reassembly inefficiently. Where the lower layer supports fragmentation and reassembly, it is therefore better to perform them in the lower layer than in EAP. This is achieved by presenting EAP with a larger EAP MTU and letting the lower layer fragment and reassemble the data.

[5] Possible duplication. A reliable lower layer delivers a non-duplicated packet stream to the EAP layer. Although the lower layer is expected to provide such a stream, this is not a strict requirement: the Identifier field allows both the peer and the authenticator to detect duplicates.

[6] Ordering guarantees. EAP does not require Identifiers to increase monotonically, so it relies on the lower layer for ordering guarantees. EAP was originally designed to run over PPP, whose specification states the ordering requirement in section 1:

"The Point-to-Point Protocol is designed for simple links that transmit data packets between two peers. These links support full-duplex, bi-directional operation."

The lower layer must therefore deliver packets between a given source and destination in order.

Reordering typically causes the EAP authentication to fail, which forces the authentication to be rerun. In environments where reordering is frequent, EAP authentication can be expected to fail frequently. EAP should therefore run only over lower layers that provide ordering guarantees; running it directly over raw IP or UDP transport is not recommended. EAP encapsulated in RADIUS satisfies the ordering requirement, because RADIUS is itself a lock-step protocol and delivers packets in order.
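The following is an added example, not code from the original page or from any EAP implementation: it checks an EAP header's Length against the bytes the lower layer actually delivered and against the 1020-byte minimum EAP MTU (requirements [2] and [4]), and shows peer-side duplicate detection keyed on the Identifier field (requirement [5]). The Code values and header layout are those of the EAP packet format; the `build_response` callback and the sample Identity exchange in the test are constructed for illustration.

```python
import struct
from typing import Callable, Optional, Tuple

# EAP Code values; the header is Code (1), Identifier (1), Length (2), then Data
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
MIN_EAP_MTU = 1020  # smallest EAP MTU a lower layer is required to support

def validate_eap_frame(frame: bytes, eap_mtu: int = MIN_EAP_MTU) -> Optional[str]:
    """Return None if the header agrees with what was delivered, else a defect
    description. A Length that disagrees with the delivered byte count is the
    kind of corruption EAP expects lower layer error detection to catch."""
    if len(frame) < 4:
        return "header truncated"
    code, _ident, length = struct.unpack("!BBH", frame[:4])
    if length < 4 or length > len(frame):
        return f"Length {length} inconsistent with {len(frame)} bytes delivered"
    if length > eap_mtu:
        return f"packet of {length} bytes exceeds EAP MTU {eap_mtu}"
    if code in (EAP_SUCCESS, EAP_FAILURE) and length != 4:
        return "Success/Failure must be exactly 4 bytes"
    return None

def build_eap_packet(code: int, identifier: int, data: bytes = b"") -> bytes:
    """Encode an EAP packet; Length covers the 4-byte header plus Data."""
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data

class PeerState:
    """Peer-side duplicate detection keyed on the Identifier field. The lower
    layer need not suppress duplicates (requirement [5]), so a Request whose
    Identifier equals the one just answered is treated as an authenticator
    retransmission: the cached Response is resent and the method logic is not
    run a second time."""

    def __init__(self) -> None:
        self.last_id: Optional[int] = None
        self.last_response: Optional[bytes] = None

    def handle_request(self, frame: bytes,
                       build_response: Callable[[bytes], bytes]) -> Tuple[bytes, bool]:
        problem = validate_eap_frame(frame)
        if problem is not None:
            raise ValueError(problem)
        code, identifier, length = struct.unpack("!BBH", frame[:4])
        if code != EAP_REQUEST:
            raise ValueError("expected an EAP Request")
        if identifier == self.last_id and self.last_response is not None:
            return self.last_response, True  # duplicate: resend, do not reprocess
        response = build_eap_packet(EAP_RESPONSE, identifier, build_response(frame[4:length]))
        self.last_id, self.last_response = identifier, response
        return response, False
```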

3.2. Use of EAP in PPP

To establish communication over a point-to-point link, each end of the PPP link first sends LCP packets to configure the data link during the Link Establishment phase. After the link has been established, PPP provides an optional Authentication phase before proceeding to the network-layer negotiation phase.

By default, authentication is not mandatory. If authentication of the link is required, an authentication protocol Configuration Option must be specified during the Link Establishment phase.

If the peer's identity has been established during the Authentication phase, the server can use that identity to select the options for the subsequent network-layer negotiation.

When used with PPP, EAP does not select a specific authentication mechanism during the PPP Link Control phase. This allows the authenticator to request more information before a particular mechanism is chosen. It also permits the use of a backend server that actually implements the various mechanisms, while the PPP authenticator merely passes the authentication exchange through. The PPP Link Establishment and Authentication phases, and the Authentication-Protocol Configuration Option, are defined in the Point-to-Point Protocol (PPP) specification.

3.2.1. PPP Configuration Option Format

The PPP Authentication-Protocol Configuration Option for EAP is summarized below. Fields are transmitted from left to right.

Exactly one EAP packet is carried in the Information field of a PPP data link layer frame, with the Protocol field set to hexadecimal C227.

Type: 3

Length: 4

Authentication-Protocol: C227 (hexadecimal) for the Extensible Authentication Protocol (EAP)
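Added example, not code from the original page or from the PPP or EAP specifications: it encodes and decodes the Authentication-Protocol Configuration Option shown above and extracts the EAP packet from a PPP frame by the C227 Protocol value. The assumption that a frame begins at the 2-byte Protocol field (HDLC Address/Control and FCS already handled by the lower layer) and the constructed MRU option in the test are mine.

```python
import struct
from typing import Optional

PPP_PROTOCOL_EAP = 0xC227       # PPP Protocol field value that carries an EAP packet
LCP_OPT_AUTH_PROTOCOL = 3       # LCP Configuration Option Type: Authentication-Protocol

def build_auth_protocol_option(protocol: int = PPP_PROTOCOL_EAP) -> bytes:
    """Encode the Authentication-Protocol option: Type 3, Length 4, protocol number."""
    return struct.pack("!BBH", LCP_OPT_AUTH_PROTOCOL, 4, protocol)

def requested_auth_protocol(options: bytes) -> Optional[int]:
    """Walk an LCP option list (Type, Length, Data triples) and return the
    Authentication-Protocol value, or None if the option is absent, meaning the
    link was configured without authentication."""
    pos = 0
    found = None
    while pos < len(options):
        if pos + 2 > len(options):
            raise ValueError("truncated option header")
        opt_type, opt_len = options[pos], options[pos + 1]
        if opt_len < 2 or pos + opt_len > len(options):
            raise ValueError(f"option {opt_type} has bad Length {opt_len}")
        if opt_type == LCP_OPT_AUTH_PROTOCOL:
            if opt_len < 4:
                raise ValueError("Authentication-Protocol option too short")
            found = struct.unpack("!H", options[pos + 2:pos + 4])[0]
        pos += opt_len
    return found

def eap_packet_from_ppp(frame: bytes) -> Optional[bytes]:
    """Return the EAP packet carried in a PPP frame's Information field, or None
    when the Protocol field is not C227. Assumed for this example: the frame
    starts at the 2-byte Protocol field (HDLC Address/Control already removed)
    and the FCS has been verified and stripped by the lower layer."""
    if len(frame) < 2:
        return None
    (protocol,) = struct.unpack("!H", frame[:2])
    if protocol != PPP_PROTOCOL_EAP:
        return None
    return frame[2:]
```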

3.3. Use of EAP in IEEE 802

EAP encapsulation in IEEE 802 is described in IEEE 802.1X. IEEE 802 EAP encapsulation does not involve PPP, and IEEE 802.1X provides no link or network layer negotiation. As a result, IEEE 802.1X cannot negotiate non-EAP authentication mechanisms such as PAP and CHAP.

3.4. Lower Layer Indications

The reliability and security of lower layer indications depend on the lower layer. Because EAP is media independent, the presence or absence of lower layer security has little impact on how EAP messages are processed.

To improve reliability, if the peer receives a lower layer success indication (defined in section 7.2), it may behave as though it had received a Success packet even if that packet was lost. This includes the cases where the peer chooses to ignore the Success (described in section 4.2).

The security considerations in section 7.12 discuss the reliability and security of PPP, IEEE 802 wired networks and IEEE 802.11 wireless LANs.

Once EAP authentication completes, the peer typically sends and receives data through the authenticator. It is generally desirable that the entity carrying the data be the same one that completed the authentication. To achieve this, the lower layer must provide per-packet integrity, authentication and replay protection, and bind each data packet to the keys derived during EAP authentication. Otherwise, subsequent data traffic may be modified, spoofed or replayed.

Where EAP supplies the keying material for lower layer encryption, key negotiation and key activation are controlled entirely by the lower layer. In PPP, keys are negotiated with ECP, so keys derived from EAP authentication cannot be used until ECP has completed. The PPP keys therefore cannot protect the initial EAP exchange, but they can protect EAP re-authentication.

On IEEE 802 media, initial key activation likewise takes place after EAP authentication completes. The lower layer therefore cannot protect the initial EAP exchange, but it can protect re-authentication and pre-authentication.
