1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
2357
2358
2359
2360
2361
2362
2363
2364
2365
2366
2367
2368
2369
2370
2371
2372
2373
2374
2375
2376
2377
2378
2379
2380
2381
2382
2383
2384
2385
2386
2387
2388
2389
2390
2391
2392
2393
2394
2395
2396
2397
2398
2399
2400
2401
2402
2403
2404
2405
2406
2407
2408
2409
2410
2411
2412
2413
2414
2415
2416
2417
2418
2419
2420
2421
2422
2423
2424
2425
2426
2427
2428
2429
2430
2431
2432
2433
2434
2435
2436
2437
2438
2439
2440
2441
2442
2443
2444
2445
2446
2447
2448
2449
2450
2451
2452
2453
2454
2455
2456
2457
2458
2459
2460
2461
2462
2463
2464
2465
2466
2467
2468
2469
2470
2471
2472
2473
2474
2475
2476
2477
2478
2479
2480
2481
2482
2483
2484
2485
2486
2487
2488
2489
2490
2491
2492
2493
2494
2495
2496
2497
2498
2499
2500
2501
2502
2503
2504
2505
2506
2507
2508
2509
2510
2511
2512
2513
2514
2515
2516
2517
2518
2519
2520
2521
2522
2523
2524
2525
2526
2527
2528
2529
2530
2531
2532
2533
2534
2535
2536
2537
2538
2539
2540
2541
2542
2543
2544
2545
2546
2547
2548
2549
2550
2551
2552
2553
2554
2555
2556
2557
2558
2559
2560
2561
2562
2563
2564
2565
2566
2567
2568
2569
2570
2571
2572
2573
|
<pre>Network Working Group B. Aboba
Request for Comments: 3579 Microsoft
Updates: <a href="./rfc2869">2869</a> P. Calhoun
Category: Informational Airespace
September 2003
<span class="h1">RADIUS (Remote Authentication Dial In User Service)</span>
<span class="h1">Support For Extensible Authentication Protocol (EAP)</span>
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2003). All Rights Reserved.
Abstract
This document defines Remote Authentication Dial In User Service
(RADIUS) support for the Extensible Authentication Protocol (EAP), an
authentication framework which supports multiple authentication
mechanisms. In the proposed scheme, the Network Access Server (NAS)
forwards EAP packets to and from the RADIUS server, encapsulated
within EAP-Message attributes. This has the advantage of allowing
the NAS to support any EAP authentication method, without the need
for method-specific code, which resides on the RADIUS server. While
EAP was originally developed for use with PPP, it is now also in use
with IEEE 802.
This document updates <a href="./rfc2869">RFC 2869</a>.
<span class="grey">Aboba & Calhoun Informational [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
Table of Contents
<a href="#section-1">1</a>. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-2">2</a>
<a href="#section-1.1">1.1</a>. Specification of Requirements. . . . . . . . . . . . . . <a href="#page-3">3</a>
<a href="#section-1.2">1.2</a>. Terminology. . . . . . . . . . . . . . . . . . . . . . . <a href="#page-3">3</a>
<a href="#section-2">2</a>. RADIUS Support for EAP . . . . . . . . . . . . . . . . . . . . <a href="#page-4">4</a>
<a href="#section-2.1">2.1</a>. Protocol Overview. . . . . . . . . . . . . . . . . . . . <a href="#page-5">5</a>
<a href="#section-2.2">2.2</a>. Invalid Packets. . . . . . . . . . . . . . . . . . . . . <a href="#page-9">9</a>
<a href="#section-2.3">2.3</a>. Retransmission . . . . . . . . . . . . . . . . . . . . . <a href="#page-10">10</a>
<a href="#section-2.4">2.4</a>. Fragmentation. . . . . . . . . . . . . . . . . . . . . . <a href="#page-10">10</a>
<a href="#section-2.5">2.5</a>. Alternative uses . . . . . . . . . . . . . . . . . . . . <a href="#page-11">11</a>
<a href="#section-2.6">2.6</a>. Usage Guidelines . . . . . . . . . . . . . . . . . . . . <a href="#page-11">11</a>
<a href="#section-3">3</a>. Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-14">14</a>
<a href="#section-3.1">3.1</a>. EAP-Message. . . . . . . . . . . . . . . . . . . . . . . <a href="#page-15">15</a>
<a href="#section-3.2">3.2</a>. Message-Authenticator. . . . . . . . . . . . . . . . . . <a href="#page-16">16</a>
<a href="#section-3.3">3.3</a>. Table of Attributes. . . . . . . . . . . . . . . . . . . <a href="#page-18">18</a>
<a href="#section-4">4</a>. Security Considerations. . . . . . . . . . . . . . . . . . . . <a href="#page-19">19</a>
<a href="#section-4.1">4.1</a>. Security Requirements. . . . . . . . . . . . . . . . . . <a href="#page-19">19</a>
<a href="#section-4.2">4.2</a>. Security Protocol. . . . . . . . . . . . . . . . . . . . <a href="#page-20">20</a>
<a href="#section-4.3">4.3</a>. Security Issues. . . . . . . . . . . . . . . . . . . . . <a href="#page-22">22</a>
<a href="#section-5">5</a>. IANA Considerations. . . . . . . . . . . . . . . . . . . . . . <a href="#page-30">30</a>
<a href="#section-6">6</a>. References . . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-30">30</a>
<a href="#section-6.1">6.1</a>. Normative References . . . . . . . . . . . . . . . . . . <a href="#page-30">30</a>
<a href="#section-6.2">6.2</a>. Informative References . . . . . . . . . . . . . . . . . <a href="#page-32">32</a>
<a href="#appendix-A">Appendix A</a> - Examples. . . . . . . . . . . . . . . . . . . . . . . <a href="#page-34">34</a>
<a href="#appendix-B">Appendix B</a> - Change Log. . . . . . . . . . . . . . . . . . . . . . <a href="#page-43">43</a>
Intellectual Property Statement. . . . . . . . . . . . . . . . . . <a href="#page-44">44</a>
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-44">44</a>
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-45">45</a>
Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . <a href="#page-46">46</a>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
The Remote Authentication Dial In User Service (RADIUS) is an
authentication, authorization and accounting protocol used to control
network access. RADIUS authentication and authorization is specified
in [<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>], and RADIUS accounting is specified in [<a href="./rfc2866" title=""RADIUS Accounting"">RFC2866</a>]; RADIUS
over IPv6 is specified in [<a href="./rfc3162" title=""RADIUS and IP6"">RFC3162</a>].
The Extensible Authentication Protocol (EAP), defined in [<a href="./rfc2284" title=""PPP Extensible Authentication Protocol (EAP)"">RFC2284</a>],
is an authentication framework which supports multiple authentication
mechanisms. EAP may be used on dedicated links, switched circuits,
and wired as well as wireless links.
To date, EAP has been implemented with hosts and routers that connect
via switched circuits or dial-up lines using PPP [<a href="./rfc1661" title=""The Point-to-Point Protocol (PPP)"">RFC1661</a>]. It has
also been implemented with bridges supporting [<a href="#ref-IEEE802" title="ANSI/IEEE Std 802">IEEE802</a>]. EAP
encapsulation on IEEE 802 wired media is described in [<a href="#ref-IEEE8021X" title="IEEE Std 802.1X-2001">IEEE8021X</a>].
<span class="grey">Aboba & Calhoun Informational [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
RADIUS attributes are comprised of variable length Type-Length-Value
3-tuples. New attribute values can be added without disturbing
existing implementations of the protocol. This specification
describes RADIUS attributes supporting the Extensible Authentication
Protocol (EAP): EAP-Message and Message-Authenticator. These
attributes now have extensive field experience. The purpose of this
document is to provide clarification and resolve interoperability
issues.
As noted in [<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>], a Network Access Server (NAS) that does not
implement a given service MUST NOT implement the RADIUS attributes
for that service. This implies that a NAS that is unable to offer
EAP service MUST NOT implement the RADIUS attributes for EAP. A NAS
MUST treat a RADIUS Access-Accept requesting an unavailable service
as an Access-Reject instead.
<span class="h3"><a class="selflink" id="section-1.1" href="#section-1.1">1.1</a>. Specification of Requirements</span>
In this document, several words are used to signify the requirements
of the specification. These words are often capitalized. The key
words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
"SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document
are to be interpreted as described in [<a href="./rfc2119" title=""Key words for use in RFCs to Indicate Requirement Levels"">RFC2119</a>].
<span class="h3"><a class="selflink" id="section-1.2" href="#section-1.2">1.2</a>. Terminology</span>
This document frequently uses the following terms:
authenticator
The end of the link requiring the authentication. Also
known as the Network Access Server (NAS) or RADIUS client.
Within IEEE 802.1X terminology, the term Authenticator is
used.
peer The other end of the point-to-point link (PPP),
point-to-point LAN segment (IEEE 802.1X) or wireless link,
which is being authenticated by the authenticator. In IEEE
802.1X, this end is known as the Supplicant.
authentication server
An authentication server is an entity that provides an
authentication service to an authenticator (NAS). This
service verifies from the credentials provided by the peer,
the claim of identity made by the peer; it also may provide
credentials allowing the peer to verify the identity of the
authentication server. Within this document it is assumed
that the NAS operates as a pass-through, forwarding EAP
packets between the RADIUS server and the EAP peer.
<span class="grey">Aboba & Calhoun Informational [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
Therefore the RADIUS server operates as an authentication
server.
silently discard
This means the implementation discards the packet without
further processing. The implementation SHOULD provide the
capability of logging the error, including the contents of
the silently discarded packet, and SHOULD record the event
in a statistics counter.
displayable message
This is interpreted to be a human readable string of
characters, and MUST NOT affect operation of the protocol.
The message encoding MUST follow the UTF-8 transformation
format [<a href="./rfc2279" title=""UTF-8, a transformation format of ISO 10646"">RFC2279</a>].
Network Access Server (NAS)
The device providing access to the network. Also known as
the Authenticator (IEEE 802.1X or EAP terminology) or
RADIUS client.
service The NAS provides a service to the user, such as IEEE 802 or
PPP.
session Each service provided by the NAS to a peer constitutes a
session, with the beginning of the session defined as the
point where service is first provided and the end of the
session defined as the point where service is ended. A
peer may have multiple sessions in parallel or series if
the NAS supports that, with each session generating a
separate start and stop accounting record.
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. RADIUS Support for EAP</span>
The Extensible Authentication Protocol (EAP), described in [<a href="./rfc2284" title=""PPP Extensible Authentication Protocol (EAP)"">RFC2284</a>],
provides a standard mechanism for support of additional
authentication methods without the NAS to be upgraded to support each
new method. Through the use of EAP, support for a number of
authentication schemes may be added, including smart cards, Kerberos
[<a href="./rfc1510" title=""The Kerberos Network Authentication Service (V5)"">RFC1510</a>], Public Key [<a href="./rfc2716" title=""PPP EAP TLS Authentication Protocol"">RFC2716</a>], One Time Passwords [<a href="./rfc2284" title=""PPP Extensible Authentication Protocol (EAP)"">RFC2284</a>], and
others.
One of the advantages of the EAP architecture is its flexibility.
EAP is used to select a specific authentication mechanism. Rather
than requiring the NAS to be updated to support each new
authentication method, EAP permits the use of an authentication
server implementing authentication methods, with the NAS acting as a
pass-through for some or all methods and peers.
<span class="grey">Aboba & Calhoun Informational [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
A NAS MAY authenticate local peers while at the same time acting as a
pass-through for non-local peers and authentication methods it does
not implement locally. A NAS implementing this specification is not
required to use RADIUS to authenticate every peer. However, once the
NAS begins acting as a pass-through for a particular session, it can
no longer perform local authentication for that session.
In order to support EAP within RADIUS, two new attributes,
EAP-Message and Message-Authenticator, are introduced in this
document. This section describes how these new attributes may be
used for providing EAP support within RADIUS.
<span class="h3"><a class="selflink" id="section-2.1" href="#section-2.1">2.1</a>. Protocol Overview</span>
In RADIUS/EAP, RADIUS is used to shuttle RADIUS-encapsulated EAP
Packets between the NAS and an authentication server.
The authenticating peer and the NAS begin the EAP conversation by
negotiating use of EAP. Once EAP has been negotiated, the NAS SHOULD
send an initial EAP-Request message to the authenticating peer. This
will typically be an EAP-Request/Identity, although it could be an
EAP-Request for an authentication method (Types 4 and greater). A
NAS MAY be configured to initiate with a default authentication
method. This is useful in cases where the identity is determined by
another means (such as Called-Station-Id, Calling-Station-Id and/or
Originating-Line-Info); where a single authentication method is
required, which includes its own identity exchange; where identity
hiding is desired, so that the identity is not requested until after
a protected channel has been set up.
The peer replies with an EAP-Response. The NAS MAY determine from
the Response that it should proceed with local authentication.
Alternatively, the NAS MAY act as a pass-through, encapsulating the
EAP-Response within EAP-Message attribute(s) sent to the RADIUS
server within a RADIUS Access-Request packet. If the NAS sends an
EAP-Request/Identity message as the initial packet, the peer responds
with an EAP-Response/Identity. The NAS may determine that the peer
is local and proceed with local authentication. If no match is found
against the list of local users, the NAS encapsulates the
EAP-Response/Identity message within an EAP-Message attribute,
enclosed within an Access-Request packet.
On receiving a valid Access-Request packet containing EAP-Message
attribute(s), a RADIUS server compliant with this specification and
wishing to authenticate with EAP MUST respond with an
Access-Challenge packet containing EAP-Message attribute(s). If the
RADIUS server does not support EAP or does not wish to authenticate
with EAP, it MUST respond with an Access-Reject.
<span class="grey">Aboba & Calhoun Informational [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
EAP-Message attribute(s) encapsulate a single EAP packet which the
NAS decapsulates and passes on to the authenticating peer. The peer
then responds with an EAP-Response packet, which the NAS encapsulates
within an Access-Request containing EAP-Message attribute(s). EAP is
a 'lock step' protocol, so that other than the initial Request, a new
Request cannot be sent prior to receiving a valid Response.
The conversation continues until either a RADIUS Access-Reject or
Access-Accept packet is received from the RADIUS server. Reception
of a RADIUS Access-Reject packet MUST result in the NAS denying
access to the authenticating peer. A RADIUS Access-Accept packet
successfully ends the authentication phase. The NAS MUST NOT
"manufacture" a Success or Failure packet as the result of a timeout.
After a suitable number of timeouts have elapsed, the NAS SHOULD
instead end the EAP conversation.
Using RADIUS, the NAS can act as a pass-through for an EAP
conversation between the peer and authentication server, without
needing to implement the EAP method used between them. Where the NAS
initiates the conversation by sending an EAP-Request for an
authentication method, it may not be required that the NAS fully
implement the EAP method reflected in the initial EAP-Request.
Depending on the initial method, it may be sufficient for the NAS to
be configured with the initial packet to be sent to the peer, and for
the NAS to act as a pass-through for subsequent messages. Note that
since the NAS only encapsulates the EAP-Response in its initial
Access-Request, the initial EAP-Request within the authentication
method is not available to the RADIUS server. For the RADIUS server
to be able to continue the conversation, either the initial
EAP-Request is vestigial, so that the RADIUS server need not be aware
of it, or the relevant information from the initial EAP-Request (such
as a nonce) is reflected in the initial EAP-Response, so that the
RADIUS server can obtain it without having received the initial
EAP-Request.
Where the initial EAP-Request sent by the NAS is for an
authentication Type (4 or greater), the peer MAY respond with a Nak
indicating that it would prefer another authentication method that is
not implemented locally. In this case, the NAS SHOULD send
Access-Request encapsulating the received EAP-Response/Nak. This
provides the RADIUS server with a hint about the authentication
method(s) preferred by the peer, although it does not provide
information on the Type of the original Request. It also provides
the server with the Identifier used in the initial EAP-Request, so
that Identifier conflicts can be avoided.
<span class="grey">Aboba & Calhoun Informational [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
In order to evaluate whether the alternatives preferred by the
authenticating peer are allowed, the RADIUS server will typically
respond with an Access-Challenge containing EAP-Message attribute(s)
encapsulating an EAP-Request/Identity (Type 1). This allows the
RADIUS server to determine the peer identity, so as to be able to
retrieve the associated authentication policy. Alternatively, an
EAP-Request for an authentication method (Type 4 or greater) could be
sent. Since the RADIUS server may not be aware of the Type of the
initial EAP-Request, it is possible for the RADIUS server to choose
an unacceptable method, and for the peer to respond with another Nak.
In order to permit non-EAP aware RADIUS proxies to forward the
Access-Request packet, if the NAS initially sends an
EAP-Request/Identity message to the peer, the NAS MUST copy the
contents of the Type-Data field of the EAP-Response/Identity received
from the peer into the User-Name attribute and MUST include the
Type-Data field of the EAP-Response/Identity in the User-Name
attribute in every subsequent Access-Request. Since RADIUS proxies
are assumed to act as a pass-through, they cannot be expected to
parse an EAP-Response/Identity encapsulated within EAP-Message
attribute(s). If the NAS initially sends an EAP-Request for an
authentication method, and the peer identity cannot be determined
from the EAP-Response, then the User-Name attribute SHOULD be
determined by another means. As noted in <a href="./rfc2865#section-5.6">[RFC2865] Section 5.6</a>, it
is recommended that Access-Requests use the value of the
Calling-Station-Id as the value of the User-Name attribute.
Having the NAS send the initial EAP-Request packet has a number of
advantages:
[<a id="ref-1">1</a>] It saves a round trip between the NAS and RADIUS server.
[<a id="ref-2">2</a>] An Access-Request is only sent to the RADIUS server if the
authenticating peer sends an EAP-Response, confirming that it
supports EAP. In situations where peers may be EAP unaware,
initiating a RADIUS Access-Request on a "carrier sense" or
"media up" indication may result in many authentication
exchanges that cannot complete successfully. For example, on
wired networks [<a href="#ref-IEEE8021X" title="IEEE Std 802.1X-2001">IEEE8021X</a>] Supplicants typically do not initiate
the 802.1X conversation with an EAPOL-Start. Therefore an IEEE
802.1X-enabled bridge may not be able to determine whether the
peer supports EAP until it receives a Response to the initial
EAP-Request.
[<a id="ref-3">3</a>] It allows some peers to be authenticated locally.
<span class="grey">Aboba & Calhoun Informational [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
Although having the NAS send the initial EAP-Request packet has
substantial advantages, this technique cannot be universally
employed. There are circumstances in which the peer identity is
already known (such as when authentication and accounting is handled
based on Called-Station-Id, Calling-Station-Id and/or
Originating-Line-Info), but where the appropriate EAP method may vary
based on that identity.
Rather than sending an initial EAP-Request packet to the
authenticating peer, on detecting the presence of the peer, the NAS
MAY send an Access-Request packet to the RADIUS server containing an
EAP-Message attribute signifying EAP-Start. The RADIUS server will
typically respond with an Access-Challenge containing EAP-Message
attribute(s) encapsulating an EAP-Request/Identity (Type 1).
However, an EAP-Request for an authentication method (Type 4 or
greater) can also be sent by the server.
EAP-Start is indicated by sending an EAP-Message attribute with a
length of 2 (no data). The Calling-Station-Id SHOULD be included in
the User-Name attribute. This may result in a RADIUS Access-Request
being sent by the NAS to the RADIUS server without first confirming
that the peer supports EAP. Since this technique can result in a
large number of uncompleted RADIUS conversations, in situations where
EAP unaware peers are common, or where peer support for EAP cannot be
determined on initial contact (e.g. [<a href="#ref-IEEE8021X" title="IEEE Std 802.1X-2001">IEEE8021X</a>] Supplicants not
initiating the conversation with an EAPOL-Start) it SHOULD NOT be
employed by default.
For proxied RADIUS requests, there are two methods of processing. If
the domain is determined based on the Calling-Station-Id,
Called-Station-Id and/or Originating-Line-Info, the RADIUS server may
proxy the initial RADIUS Access-Request/EAP-Start. If the realm is
determined based on the peer identity, the local RADIUS server MUST
respond with a RADIUS Access-Challenge including an EAP-Message
attribute encapsulating an EAP-Request/Identity packet. The response
from the authenticating peer SHOULD be proxied to the final
authentication server.
If an Access-Request is sent to a RADIUS server which does not
support the EAP-Message attribute, then an Access-Reject MUST be sent
in response. On receiving an Access-Reject, the NAS MUST deny access
to the authenticating peer.
<span class="grey">Aboba & Calhoun Informational [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
<span class="h3"><a class="selflink" id="section-2.2" href="#section-2.2">2.2</a>. Invalid Packets</span>
While acting as a pass-through, the NAS MUST validate the EAP header
fields (Code, Identifier, Length) prior to forwarding an EAP packet
to or from the RADIUS server. On receiving an EAP packet from the
peer, the NAS checks the Code (2) and Length fields, and matches the
Identifier value against the current Identifier, supplied by the
RADIUS server in the most recently validated EAP-Request. On
receiving an EAP packet from the RADIUS server (encapsulated within
an Access-Challenge), the NAS checks the Code (1) and Length fields,
then updates the current Identifier value. Pending EAP Responses
that do not match the current Identifier value are silently discarded
by the NAS.
Since EAP method fields (Type, Type-Data) are typically not validated
by a NAS operating as a pass-through, despite these checks it is
possible for a NAS to forward an invalid EAP packet to or from the
RADIUS server. A RADIUS server receiving EAP-Message attribute(s) it
does not understand SHOULD make the determination of whether the
error is fatal or non-fatal based on the EAP Type. A RADIUS server
determining that a fatal error has occurred MUST send an
Access-Reject containing an EAP-Message attribute encapsulating
EAP-Failure.
A RADIUS server determining that a non-fatal error has occurred MAY
send an Access-Challenge to the NAS including EAP-Message
attribute(s) as well as an Error-Cause attribute [<a href="./rfc3576" title=""Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)"">RFC3576</a>] with value
202 (decimal), "Invalid EAP Packet (Ignored)". The Access-Challenge
SHOULD encapsulate within EAP-Message attribute(s) the most recently
sent EAP-Request packet (including the same Identifier value). On
receiving such an Access-Challenge, a NAS implementing previous
versions of this specification will decapsulate the EAP-Request and
send it to the peer, which will retransmit the EAP-Response.
A NAS compliant with this specification, on receiving an
Access-Challenge with an Error-Cause attribute of value 202 (decimal)
SHOULD discard the EAP-Response packet most recently transmitted to
the RADIUS server and check whether additional EAP-Response packets
have been received matching the current Identifier value. If so, a
new EAP-Response packet, if available, MUST be sent to the RADIUS
server within an Access-Request, and the EAP-Message attribute(s)
included within the Access-Challenge are silently discarded. If no
EAP-Response packet is available, then the EAP-Request encapsulated
within the Access-Challenge is sent to the peer, and the
retransmission timer is reset.
<span class="grey">Aboba & Calhoun Informational [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
In order to provide protection against Denial of Service (DoS)
attacks, it is advisable for the NAS to allocate a finite buffer for
EAP packets received from the peer, and to discard packets according
to an appropriate policy once that buffer has been exceeded. Also,
the RADIUS server is advised to permit only a modest number of
invalid EAP packets within a single session, prior to terminating the
session with an Access-Reject. By default a value of 5 invalid EAP
packets is recommended.
<span class="h3"><a class="selflink" id="section-2.3" href="#section-2.3">2.3</a>. Retransmission</span>
As noted in [<a href="./rfc2284" title=""PPP Extensible Authentication Protocol (EAP)"">RFC2284</a>], if an EAP packet is lost in transit between
the authenticating peer and the NAS (or vice versa), the NAS will
retransmit.
It may be necessary to adjust retransmission strategies and
authentication timeouts in certain cases. For example, when a token
card is used additional time may be required to allow the user to
find the card and enter the token. Since the NAS will typically not
have knowledge of the required parameters, these need to be provided
by the RADIUS server. This can be accomplished by inclusion of
Session-Timeout attribute within the Access-Challenge packet.
If Session-Timeout is present in an Access-Challenge packet that also
contains an EAP-Message, the value of the Session-Timeout is used to
set the EAP retransmission timer for that EAP Request, and that
Request alone. Once the EAP-Request has been sent, the NAS sets the
retransmission timer, and if it expires without having received an
EAP-Response corresponding to the Request, then the EAP-Request is
retransmitted.
<span class="h3"><a class="selflink" id="section-2.4" href="#section-2.4">2.4</a>. Fragmentation</span>
Using the EAP-Message attribute, it is possible for the RADIUS server
to encapsulate an EAP packet that is larger than the MTU on the link
between the NAS and the peer. Since it is not possible for the
RADIUS server to use MTU discovery to ascertain the link MTU, the
Framed-MTU attribute may be included in an Access-Request packet
containing an EAP-Message attribute so as to provide the RADIUS
server with this information. A RADIUS server having received a
Framed-MTU attribute in an Access-Request packet MUST NOT send any
subsequent packet in this EAP conversation containing EAP-Message
attributes whose values, when concatenated, exceed the length
specified by the Framed-MTU value, taking the link type (specified by
the NAS-Port-Type attribute) into account. For example, as noted in
<a href="./rfc3580#section-3.10">[RFC3580] Section 3.10</a>, for a NAS-Port-Type value of IEEE 802.11, the
<span class="grey">Aboba & Calhoun Informational [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
RADIUS server may send an EAP packet as large as Framed-MTU minus
four (4) octets, taking into account the additional overhead for the
IEEE 802.1X Version (1), Type (1) and Body Length (2) fields.
<span class="h3"><a class="selflink" id="section-2.5" href="#section-2.5">2.5</a>. Alternative Uses</span>
Currently the conversation between security servers and the RADIUS
server is often proprietary because of lack of standardization. In
order to increase standardization and provide interoperability
between RADIUS vendors and security vendors, it is recommended that
RADIUS- encapsulated EAP be used for this conversation.
This has the advantage of allowing the RADIUS server to support EAP
without the need for authentication-specific code within the RADIUS
server. Authentication-specific code can then reside on a security
server instead.
In the case where RADIUS-encapsulated EAP is used in a conversation
between a RADIUS server and a security server, the security server
will typically return an Access-Accept message without inclusion of
the expected attributes currently returned in an Access-Accept. This
means that the RADIUS server MUST add these attributes prior to
sending an Access-Accept message to the NAS.
<span class="h3"><a class="selflink" id="section-2.6" href="#section-2.6">2.6</a>. Usage Guidelines</span>
<span class="h4"><a class="selflink" id="section-2.6.1" href="#section-2.6.1">2.6.1</a>. Identifier Space</span>
In EAP, each session has its own unique Identifier space. RADIUS
server implementations MUST be able to distinguish between EAP
packets with the same Identifier existing within distinct sessions,
originating on the same NAS. For this purpose, sessions can be
distinguished based on NAS and session identification attributes.
NAS identification attributes include NAS-Identifier,
NAS-IPv6-Address and NAS-IPv4-Address. Session identification
attributes include User-Name, NAS-Port, NAS-Port-Type, NAS-Port-Id,
Called-Station-Id, Calling-Station-Id and Originating-Line-Info.
<span class="h4"><a class="selflink" id="section-2.6.2" href="#section-2.6.2">2.6.2</a>. Role Reversal</span>
Since EAP is a peer-to-peer protocol, an independent and simultaneous
authentication may take place in the reverse direction. Both peers
may act as authenticators and authenticatees at the same time.
However, role reversal is not supported by this specification. A
RADIUS server MUST respond to an Access-Request encapsulating an
EAP-Request with an Access-Reject. In order to avoid retransmissions
<span class="grey">Aboba & Calhoun Informational [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
by the peer, the Access-Reject SHOULD include an EAP-Response/Nak
packet indicating no preferred method, encapsulated within
EAP-Message attribute(s).
<span class="h4"><a class="selflink" id="section-2.6.3" href="#section-2.6.3">2.6.3</a>. Conflicting Messages</span>
The NAS MUST make its access control decision based solely on the
RADIUS Packet Type (Access-Accept/Access-Reject). The access control
decision MUST NOT be based on the contents of the EAP packet
encapsulated in one or more EAP-Message attributes, if present.
Access-Accept packets SHOULD have only one EAP-Message attribute in
them, containing EAP Success; similarly, Access-Reject packets SHOULD
have only one EAP-Message attribute in them, containing EAP Failure.
Where the encapsulated EAP packet does not match the result implied
by the RADIUS Packet Type, the combination is likely to cause
confusion, because the NAS and peer will arrive at different
conclusions as to the outcome of the authentication.
For example, if the NAS receives an Access-Reject with an
encapsulated EAP Success, it will not grant access to the peer.
However, on receiving the EAP Success, the peer will be lead to
believe that it authenticated successfully.
If the NAS receives an Access-Accept with an encapsulated EAP
Failure, it will grant access to the peer. However, on receiving an
EAP Failure, the peer will be lead to believe that it failed
authentication. If no EAP-Message attribute is included within an
Access-Accept or Access-Reject, then the peer may not be informed as
to the outcome of the authentication, while the NAS will take action
to allow or deny access.
As described in [<a href="./rfc2284" title=""PPP Extensible Authentication Protocol (EAP)"">RFC2284</a>], the EAP Success and Failure packets are
not acknowledged, and these packets terminate the EAP conversation.
As a result, if these packets are encapsulated within an
Access-Challenge, no response will be received, and therefore the NAS
will send no further Access-Requests to the RADIUS server for the
session. As a result, the RADIUS server will not indicate to the NAS
whether to allow or deny access, while the peer will be informed as
to the outcome of the authentication.
<span class="grey">Aboba & Calhoun Informational [Page 12]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
To avoid these conflicts, the following combinations SHOULD NOT be
sent by a RADIUS server:
Access-Accept/EAP-Message/EAP Failure
Access-Accept/no EAP-Message attribute
Access-Accept/EAP-Start
Access-Reject/EAP-Message/EAP Success
Access-Reject/no EAP-Message attribute
Access-Reject/EAP-Start
Access-Challenge/EAP-Message/EAP Success
Access-Challenge/EAP-Message/EAP Failure
Access-Challenge/no EAP-Message attribute
Access-Challenge/EAP-Start
Since the responsibility for avoiding conflicts lies with the RADIUS
server, the NAS MUST NOT "manufacture" EAP packets in order to
correct contradictory messages that it receives. This behavior,
originally mandated within [<a href="#ref-IEEE8021X" title="IEEE Std 802.1X-2001">IEEE8021X</a>], will be deprecated in the
future.
<span class="h4"><a class="selflink" id="section-2.6.4" href="#section-2.6.4">2.6.4</a>. Priority</span>
A RADIUS Access-Accept or Access-Reject packet may contain EAP-
Message attribute(s). In order to ensure the correct processing of
RADIUS packets, the NAS MUST first process the attributes, including
the EAP-Message attribute(s), prior to processing the Accept/Reject
indication.
<span class="h4"><a class="selflink" id="section-2.6.5" href="#section-2.6.5">2.6.5</a>. Displayable Messages</span>
The Reply-Message attribute, defined in <a href="./rfc2865#section-5.18">[RFC2865], Section 5.18</a>,
indicates text which may be displayed to the peer. This is similar
in concept to EAP Notification, defined in [<a href="./rfc2284" title=""PPP Extensible Authentication Protocol (EAP)"">RFC2284</a>]. When sending a
displayable message to a NAS during an EAP conversation, the RADIUS
server MUST encapsulate displayable messages within
EAP-Message/EAP-Request/Notification attribute(s). Reply-Message
attribute(s) MUST NOT be included in any RADIUS message containing an
EAP-Message attribute. An EAP-Message/EAP-Request/Notification
SHOULD NOT be included within an Access-Accept or Access-Reject
packet.
In some existing implementations, a NAS receiving Reply-Message
attribute(s) copies the Text field(s) into the Type-Data field of an
EAP-Request/Notification packet, fills in the Identifier field, and
sends this to the peer. However, several issues arise from this:
<span class="grey">Aboba & Calhoun Informational [Page 13]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-14" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
[<a id="ref-1">1</a>] Unexpected Responses. On receiving an EAP-Request/Notification,
the peer will send an EAP-Response/Notification, and the NAS
will pass this on to the RADIUS server, encapsulated within
EAP-Message attribute(s). However, the RADIUS server may not be
expecting an Access-Request containing an
EAP-Message/EAP-Response/Notification attribute.
For example, consider what happens when a Reply-Message is
included within an Access-Accept or Access-Reject packet with no
EAP-Message attribute(s) present. If the value of the
Reply-Message attribute is copied into the Type-Data of an
EAP-Request/Notification and sent to the peer, this will result
in an Access-Request containing an
EAP-Message/EAP-Response/Notification attribute being sent by
the NAS to the RADIUS server. Since an Access-Accept or
Access-Reject packet terminates the RADIUS conversation, such an
Access-Request would not be expected, and could be interpreted
as the start of another conversation.
[<a id="ref-2">2</a>] Identifier conflicts. While the EAP-Request/Notification is an
EAP packet containing an Identifier field, the Reply-Message
attribute does not contain an Identifier field. As a result, a
NAS receiving a Reply-Message attribute and wishing to translate
this to an EAP-Request/Notification will need to choose an
Identifier value. It is possible that the chosen Identifier
value will conflict with a value chosen by the RADIUS server for
another packet within the EAP conversation, potentially causing
confusion between a new packet and a retransmission.
To avoid these problems, a NAS receiving a Reply-Message attribute
from the RADIUS server SHOULD silently discard the attribute, rather
than attempting to translate it to an EAP Notification Request.
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Attributes</span>
The NAS-Port or NAS-Port-Id attributes SHOULD be included by the NAS
in Access-Request packets, and either NAS-Identifier, NAS-IP-Address
or NAS-IPv6-Address attributes MUST be included. In order to permit
forwarding of the Access-Reply by EAP-unaware proxies, if a User-Name
attribute was included in an Access-Request, the RADIUS server MUST
include the User-Name attribute in subsequent Access-Accept packets.
Without the User-Name attribute, accounting and billing becomes
difficult to manage. The User-Name attribute within the Access-
Accept packet need not be the same as the User-Name attribute in the
Access-Request.
<span class="grey">Aboba & Calhoun Informational [Page 14]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-15" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
<span class="h3"><a class="selflink" id="section-3.1" href="#section-3.1">3.1</a>. EAP-Message</span>
Description
This attribute encapsulates EAP [<a href="./rfc2284" title=""PPP Extensible Authentication Protocol (EAP)"">RFC2284</a>] packets so as to allow
the NAS to authenticate peers via EAP without having to understand
the EAP method it is passing through.
The NAS places EAP messages received from the authenticating peer
into one or more EAP-Message attributes and forwards them to the
RADIUS server within an Access-Request message. If multiple
EAP-Message attributes are contained within an Access-Request or
Access-Challenge packet, they MUST be in order and they MUST be
consecutive attributes in the Access-Request or Access-Challenge
packet. The RADIUS server can return EAP-Message attributes in
Access-Challenge, Access-Accept and Access-Reject packets.
When RADIUS is used to enable EAP authentication, Access-Request,
Access-Challenge, Access-Accept, and Access-Reject packets SHOULD
contain one or more EAP-Message attributes. Where more than one
EAP-Message attribute is included, it is assumed that the
attributes are to be concatenated to form a single EAP packet.
Multiple EAP packets MUST NOT be encoded within EAP-Message
attributes contained within a single Access-Challenge,
Access-Accept, Access-Reject or Access-Request packet.
It is expected that EAP will be used to implement a variety of
authentication methods, including methods involving strong
cryptography. In order to prevent attackers from subverting EAP
by attacking RADIUS/EAP, (for example, by modifying EAP Success or
EAP Failure packets) it is necessary that RADIUS provide
per-packet authentication and integrity protection.
Therefore the Message-Authenticator attribute MUST be used to
protect all Access-Request, Access-Challenge, Access-Accept, and
Access-Reject packets containing an EAP-Message attribute.
Access-Request packets including EAP-Message attribute(s) without
a Message-Authenticator attribute SHOULD be silently discarded by
the RADIUS server. A RADIUS server supporting the EAP-Message
attribute MUST calculate the correct value of the
Message-Authenticator and MUST silently discard the packet if it
does not match the value sent. A RADIUS server not supporting the
EAP-Message attribute MUST return an Access-Reject if it receives
an Access-Request containing an EAP-Message attribute.
<span class="grey">Aboba & Calhoun Informational [Page 15]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-16" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
Access-Challenge, Access-Accept, or Access-Reject packets
including EAP-Message attribute(s) without a Message-Authenticator
attribute SHOULD be silently discarded by the NAS. A NAS
supporting the EAP-Message attribute MUST calculate the correct
value of the Message-Authenticator and MUST silently discard the
packet if it does not match the value sent.
A summary of the EAP-Message attribute format is shown below. The
fields are transmitted from left to right.
0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | String...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
79 for EAP-Message
Length
>= 3
String
The String field contains an EAP packet, as defined in [<a href="./rfc2284" title=""PPP Extensible Authentication Protocol (EAP)"">RFC2284</a>].
If multiple EAP-Message attributes are present in a packet their
values should be concatenated; this allows EAP packets longer than
253 octets to be transported by RADIUS.
<span class="h3"><a class="selflink" id="section-3.2" href="#section-3.2">3.2</a>. Message-Authenticator</span>
Description
This attribute MAY be used to authenticate and integrity-protect
Access-Requests in order to prevent spoofing. It MAY be used in
any Access-Request. It MUST be used in any Access-Request,
Access-Accept, Access-Reject or Access-Challenge that includes an
EAP-Message attribute.
A RADIUS server receiving an Access-Request with a
Message-Authenticator attribute present MUST calculate the correct
value of the Message-Authenticator and silently discard the packet
if it does not match the value sent.
<span class="grey">Aboba & Calhoun Informational [Page 16]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-17" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
A RADIUS client receiving an Access-Accept, Access-Reject or
Access-Challenge with a Message-Authenticator attribute present
MUST calculate the correct value of the Message-Authenticator and
silently discard the packet if it does not match the value sent.
This attribute is not required in Access-Requests which include
the User-Password attribute, but is useful for preventing attacks
on other types of authentication. This attribute is intended to
thwart attempts by an attacker to setup a "rogue" NAS, and perform
online dictionary attacks against the RADIUS server. It does not
afford protection against "offline" attacks where the attacker
intercepts packets containing (for example) CHAP challenge and
response, and performs a dictionary attack against those packets
offline.
A summary of the Message-Authenticator attribute format is shown
below. The fields are transmitted from left to right.
0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | String...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
80 for Message-Authenticator
Length
18
String
When present in an Access-Request packet, Message-Authenticator is
an HMAC-MD5 [<a href="./rfc2104" title=""HMAC: Keyed-Hashing for Message Authentication"">RFC2104</a>] hash of the entire Access-Request packet,
including Type, ID, Length and Authenticator, using the shared
secret as the key, as follows.
Message-Authenticator = HMAC-MD5 (Type, Identifier, Length,
Request Authenticator, Attributes)
When the message integrity check is calculated the signature
string should be considered to be sixteen octets of zero.
<span class="grey">Aboba & Calhoun Informational [Page 17]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-18" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
For Access-Challenge, Access-Accept, and Access-Reject packets,
the Message-Authenticator is calculated as follows, using the
Request-Authenticator from the Access-Request this packet is in
reply to:
Message-Authenticator = HMAC-MD5 (Type, Identifier, Length,
Request Authenticator, Attributes)
When the message integrity check is calculated the signature
string should be considered to be sixteen octets of zero. The
shared secret is used as the key for the HMAC-MD5 message
integrity check. The Message-Authenticator is calculated and
inserted in the packet before the Response Authenticator is
calculated.
<span class="h3"><a class="selflink" id="section-3.3" href="#section-3.3">3.3</a>. Table of Attributes</span>
The following table provides a guide to which attributes may be found
in packets including EAP-Message attribute(s), and in what quantity.
The EAP-Message and Message-Authenticator attributes specified in
this document MUST NOT be present in an Accounting-Request. If a
table entry is omitted, the values found in [<a href="./rfc2548" title=""Microsoft Vendor-specific RADIUS Attributes"">RFC2548</a>], [<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>],
[<a href="./rfc2868" title=""RADIUS Attributes for Tunnel Protocol Support"">RFC2868</a>], [<a href="./rfc2869" title=""RADIUS Extensions"">RFC2869</a>] and [<a href="./rfc3162" title=""RADIUS and IP6"">RFC3162</a>] should be assumed.
Request Accept Reject Challenge # Attribute
0-1 0-1 0 0 1 User-Name
<span class="h2"><a class="selflink" id="section-0" href="#section-0">0</a> 0 </span> 0 0 2 User-Password [Note 1]
<span class="h2"><a class="selflink" id="section-0" href="#section-0">0</a> 0 </span> 0 0 3 CHAP-Password [Note 1]
<span class="h2"><a class="selflink" id="section-0" href="#section-0">0</a> 0 </span> 0 0 18 Reply-Message
<span class="h2"><a class="selflink" id="section-0" href="#section-0">0</a> 0 </span> 0 0 60 CHAP-Challenge
<span class="h2"><a class="selflink" id="section-0" href="#section-0">0</a> 0 </span> 0 0 70 ARAP-Password [Note 1]
<span class="h2"><a class="selflink" id="section-0" href="#section-0">0</a> 0 </span> 0 0 75 Password-Retry
1+ 1+ 1+ 1+ 79 EAP-Message [Note 1]
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a> 1 </span> 1 1 80 Message-Authenticator [Note 1]
0-1 0 0 0 94 Originating-Line-Info [Note 3]
<span class="h2"><a class="selflink" id="section-0" href="#section-0">0</a> 0 </span> 0-1 0-1 101 Error-Cause [Note 2]
Request Accept Reject Challenge # Attribute
[Note 1] An Access-Request that contains either a User-Password or
CHAP-Password or ARAP-Password or one or more EAP-Message attributes
MUST NOT contain more than one type of those four attributes. If it
does not contain any of those four attributes, it SHOULD contain a
Message-Authenticator. If any packet type contains an EAP-Message
attribute it MUST also contain a Message-Authenticator. A RADIUS
server receiving an Access-Request not containing any of those four
attributes and also not containing a Message-Authenticator attribute
SHOULD silently discard it.
<span class="grey">Aboba & Calhoun Informational [Page 18]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-19" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
[Note 2] The Error-Cause attribute is defined in [<a href="./rfc3576" title=""Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)"">RFC3576</a>].
[Note 3] The Originating-Line-Info attribute is defined in [<a href="#ref-NASREQ" title=""Diameter Network Access Server Application"">NASREQ</a>].
The following table defines the meaning of the above table entries.
0 This attribute MUST NOT be present.
0+ Zero or more instances of this attribute MAY be present.
0-1 Zero or one instance of this attribute MAY be present.
1 Exactly one instance of this attribute MUST be present.
1+ One or more of these attributes MUST be present.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Security Considerations</span>
<span class="h3"><a class="selflink" id="section-4.1" href="#section-4.1">4.1</a>. Security Requirements</span>
RADIUS/EAP is used in order to provide authentication and
authorization for network access. As a result, both the RADIUS and
EAP portions of the conversation are potential targets of an attack.
Threats are discussed in [<a href="./rfc2607" title=""Proxy Chaining and Policy Implementation in Roaming"">RFC2607</a>], [<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>], and [<a href="./rfc3162" title=""RADIUS and IP6"">RFC3162</a>].
Examples include:
[<a id="ref-1">1</a>] An adversary may attempt to acquire confidential data and
identities by snooping RADIUS packets.
[<a id="ref-2">2</a>] An adversary may attempt to modify packets containing RADIUS
messages.
[<a id="ref-3">3</a>] An adversary may attempt to inject packets into a RADIUS
conversation.
[<a id="ref-4">4</a>] An adversary may launch a dictionary attack against the RADIUS
shared secret.
[<a id="ref-5">5</a>] An adversary may launch a known plaintext attack, hoping to
recover the key stream corresponding to a Request Authenticator.
[<a id="ref-6">6</a>] An adversary may attempt to replay a RADIUS exchange.
[<a id="ref-7">7</a>] An adversary may attempt to disrupt the EAP negotiation, in
order to weaken the authentication, or gain access to peer
passwords.
[<a id="ref-8">8</a>] An authenticated NAS may attempt to forge NAS or session
identification attributes,
[<a id="ref-9">9</a>] A rogue (unauthenticated) NAS may attempt to impersonate a
legitimate NAS.
<span class="grey">Aboba & Calhoun Informational [Page 19]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-20" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
[<a id="ref-10">10</a>] An attacker may attempt to act as a man-in-the-middle.
To address these threats, it is necessary to support confidentiality,
data origin authentication, integrity, and replay protection on a
per-packet basis. Bi-directional authentication between the RADIUS
client and server also needs to be provided. There is no requirement
that the identities of RADIUS clients and servers be kept
confidential (e.g., from a passive eavesdropper).
<span class="h3"><a class="selflink" id="section-4.2" href="#section-4.2">4.2</a>. Security Protocol</span>
To address the security vulnerabilities of RADIUS/EAP,
implementations of this specification SHOULD support IPsec [<a href="./rfc2401" title=""Security Architecture for the Internet Protocol"">RFC2401</a>]
along with IKE [<a href="./rfc2409" title=""The Internet Key Exchange (IKE)"">RFC2409</a>] for key management. IPsec ESP [<a href="./rfc2406" title=""IP Encapsulating Security Payload (ESP)"">RFC2406</a>]
with non-null transform SHOULD be supported, and IPsec ESP with a
non-null encryption transform and authentication support SHOULD be
used to provide per-packet confidentiality, authentication, integrity
and replay protection. IKE SHOULD be used for key management.
Within RADIUS [<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>], a shared secret is used for hiding of
attributes such as User-Password, as well as in computation of the
Response Authenticator. In RADIUS accounting [<a href="./rfc2866" title=""RADIUS Accounting"">RFC2866</a>], the shared
secret is used in computation of both the Request Authenticator and
the Response Authenticator.
Since in RADIUS a shared secret is used to provide confidentiality as
well as integrity protection and authentication, only use of IPsec
ESP with a non-null transform can provide security services
sufficient to substitute for RADIUS application-layer security.
Therefore, where IPSEC AH or ESP null is used, it will typically
still be necessary to configure a RADIUS shared secret.
Where RADIUS is run over IPsec ESP with a non-null transform, the
secret shared between the NAS and the RADIUS server MAY NOT be
configured. In this case, a shared secret of zero length MUST be
assumed. However, a RADIUS server that cannot know whether incoming
traffic is IPsec-protected MUST be configured with a non-null RADIUS
shared secret.
When IPsec ESP is used with RADIUS, per-packet authentication,
integrity and replay protection MUST be used. 3DES-CBC MUST be
supported as an encryption transform and AES-CBC SHOULD be supported.
AES-CBC SHOULD be offered as a preferred encryption transform if
supported. HMAC-SHA1-96 MUST be supported as an authentication
transform. DES-CBC SHOULD NOT be used as the encryption transform.
<span class="grey">Aboba & Calhoun Informational [Page 20]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-21" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
A typical IPsec policy for an IPsec-capable RADIUS client is
"Initiate IPsec, from me to any destination port UDP 1812". This
causes an IPsec SA to be set up by the RADIUS client prior to sending
RADIUS traffic. If some RADIUS servers contacted by the client do
not support IPsec, then a more granular policy will be required:
"Initiate IPsec, from me to IPsec-Capable-RADIUS-Server, destination
port UDP 1812".
For an IPsec-capable RADIUS server, a typical IPsec policy is "Accept
IPsec, from any to me, destination port 1812". This causes the
RADIUS server to accept (but not require) use of IPsec. It may not
be appropriate to require IPsec for all RADIUS clients connecting to
an IPsec-enabled RADIUS server, since some RADIUS clients may not
support IPsec.
Where IPsec is used for security, and no RADIUS shared secret is
configured, it is important that the RADIUS client and server perform
an authorization check. Before enabling a host to act as a RADIUS
client, the RADIUS server SHOULD check whether the host is authorized
to provide network access. Similarly, before enabling a host to act
as a RADIUS server, the RADIUS client SHOULD check whether the host
is authorized for that role.
RADIUS servers can be configured with the IP addresses (for IKE
Aggressive Mode with pre-shared keys) or FQDNs (for certificate
authentication) of RADIUS clients. Alternatively, if a separate
Certification Authority (CA) exists for RADIUS clients, then the
RADIUS server can configure this CA as a trust anchor [<a href="./rfc3280" title=""Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"">RFC3280</a>] for
use with IPsec.
Similarly, RADIUS clients can be configured with the IP addresses
(for IKE Aggressive Mode with pre-shared keys) or FQDNs (for
certificate authentication) of RADIUS servers. Alternatively, if a
separate CA exists for RADIUS servers, then the RADIUS client can
configure this CA as a trust anchor for use with IPsec.
Since unlike SSL/TLS, IKE does not permit certificate policies to be
set on a per-port basis, certificate policies need to apply to all
uses of IPsec on RADIUS clients and servers. In IPsec deployments
supporting only certificate authentication, a management station
initiating an IPsec-protected telnet session to the RADIUS server
would need to obtain a certificate chaining to the RADIUS client CA.
Issuing such a certificate might not be appropriate if the management
station was not authorized as a RADIUS client.
Where RADIUS clients may obtain their IP address dynamically (such as
an Access Point supporting DHCP), IKE Main Mode with pre-shared keys
[<a href="./rfc2409" title=""The Internet Key Exchange (IKE)"">RFC2409</a>] SHOULD NOT be used, since this requires use of a group
<span class="grey">Aboba & Calhoun Informational [Page 21]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-22" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
pre-shared key; instead, Aggressive Mode SHOULD be used. IKEv2, a
work in progress, may address this issue in the future. Where RADIUS
client addresses are statically assigned, either Aggressive Mode or
Main Mode MAY be used. With certificate authentication, Main Mode
SHOULD be used.
Care needs to be taken with IKE Phase 1 Identity Payload selection in
order to enable mapping of identities to pre-shared keys even with
Aggressive Mode. Where the ID_IPV4_ADDR or ID_IPV6_ADDR Identity
Payloads are used and addresses are dynamically assigned, mapping of
identities to keys is not possible, so that group pre-shared keys are
still a practical necessity. As a result, the ID_FQDN identity
payload SHOULD be employed in situations where Aggressive mode is
utilized along with pre-shared keys and IP addresses are dynamically
assigned. This approach also has other advantages, since it allows
the RADIUS server and client to configure themselves based on the
fully qualified domain name of their peers.
Note that with IPsec, security services are negotiated at the
granularity of an IPsec SA, so that RADIUS exchanges requiring a set
of security services different from those negotiated with existing
IPsec SAs will need to negotiate a new IPsec SA. Separate IPsec SAs
are also advisable where quality of service considerations dictate
different handling RADIUS conversations. Attempting to apply
different quality of service to connections handled by the same IPsec
SA can result in reordering, and falling outside the replay window.
For a discussion of the issues, see [<a href="./rfc2983" title=""Differentiated Services and Tunnels"">RFC2983</a>].
<span class="h3"><a class="selflink" id="section-4.3" href="#section-4.3">4.3</a>. Security Issues</span>
This section provides more detail on the vulnerabilities identified
in <a href="#section-4.1">Section 4.1</a>., and how they may be mitigated. Vulnerabilities
include:
Privacy issues
Spoofing and hijacking
Dictionary attacks
Known plaintext attacks
Replay attacks
Negotiation attacks
Impersonation
Man in the middle attacks
Separation of authenticator and authentication server
Multiple databases
<span class="grey">Aboba & Calhoun Informational [Page 22]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-23" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
<span class="h4"><a class="selflink" id="section-4.3.1" href="#section-4.3.1">4.3.1</a>. Privacy Issues</span>
Since RADIUS messages may contain the User-Name attribute as well as
NAS-IP-Address or NAS-Identifier attributes, an attacker snooping on
RADIUS traffic may be able to determine the geographic location of
peers in real time. In wireless networks, it is often assumed that
RADIUS traffic is physically secure, since it typically travels over
the wired network and that this limits the release of location
information.
However, it is possible for an authenticated attacker to spoof ARP
packets [<a href="./rfc826" title=""An Ethernet Address Resolution Protocol"">RFC826</a>] so as to cause diversion of RADIUS traffic onto the
wireless network. In this way an attacker may obtain RADIUS packets
from which it can glean peer location information, or which it can
subject to a known plaintext or offline dictionary attack. To
address these vulnerabilities, implementations of this specification
SHOULD use IPsec ESP with non-null transform and per-packet
encryption, authentication, integrity and replay protection to
protect both RADIUS authentication [<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>] and accounting [<a href="./rfc2866" title=""RADIUS Accounting"">RFC2866</a>]
traffic, as described in <a href="#section-4.2">Section 4.2</a>.
<span class="h4"><a class="selflink" id="section-4.3.2" href="#section-4.3.2">4.3.2</a>. Spoofing and Hijacking</span>
Access-Request packets with a User-Password attribute establish the
identity of both the user and the NAS sending the Access-Request,
because of the way the shared secret between the NAS and RADIUS
server is used. Access-Request packets with CHAP-Password or
EAP-Message attributes do not have a User-Password attribute. As a
result, the Message-Authenticator attribute SHOULD be used in
Access-Request packets that do not have a User-Password attribute, in
order to establish the identity of the NAS sending the request.
An attacker may attempt to inject packets into the conversation
between the NAS and the RADIUS server, or between the RADIUS server
and the security server. RADIUS [<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>] does not support
encryption other than attribute hiding. As described in [<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>],
only Access-Reply and Access-Challenge packets are integrity
protected. Moreover, the per-packet authentication and integrity
protection mechanism described in [<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>] has known weaknesses
[<a href="#ref-MD5Attack" title=""The Status of MD5 After a Recent Attack"">MD5Attack</a>], making it a tempting target for attackers looking to
subvert RADIUS/EAP.
To provide stronger security, the Message-Authenticator attribute
MUST be used in all RADIUS packets containing an EAP-Message
attribute. Implementations of this specification SHOULD use IPsec
ESP with non-null transform and per-packet encryption,
authentication, integrity and replay protection, as described in
<a href="#section-4.2">Section 4.2</a>.
<span class="grey">Aboba & Calhoun Informational [Page 23]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-24" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
<span class="h4"><a class="selflink" id="section-4.3.3" href="#section-4.3.3">4.3.3</a>. Dictionary Attacks</span>
The RADIUS shared secret is vulnerable to offline dictionary attack,
based on capture of the Response Authenticator or
Message-Authenticator attribute. In order to decrease the level of
vulnerability, [<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>] recommends:
The secret (password shared between the client and the RADIUS
server) SHOULD be at least as large and unguessable as a
well-chosen password. It is preferred that the secret be at least
16 octets.
The risk of an offline dictionary attack can be further reduced by
employing IPsec ESP with non-null transform in order to encrypt the
RADIUS conversation, as described in <a href="#section-4.2">Section 4.2</a>.
<span class="h4"><a class="selflink" id="section-4.3.4" href="#section-4.3.4">4.3.4</a>. Known Plaintext Attacks</span>
Since EAP [<a href="./rfc2284" title=""PPP Extensible Authentication Protocol (EAP)"">RFC2284</a>] does not support PAP, the RADIUS User-Password
attribute is not used to carry hidden user passwords within
RADIUS/EAP conversations. The User-Password hiding mechanism,
defined in [<a href="./rfc2865" title=""Remote Authentication Dial In User Service (RADIUS)"">RFC2865</a>] utilizes MD5, defined in [<a href="./rfc1321" title=""The MD5 Message-Digest Algorithm"">RFC1321</a>], in order to
generate a key stream based on the RADIUS shared secret and the
Request Authenticator. Where PAP is in use, it is possible to
collect key streams corresponding to a given Request Authenticator
value, by capturing RADIUS conversations corresponding to a PAP
authentication attempt, using a known password. Since the
User-Password is known, the key stream corresponding to a given
Request Authenticator can be determined and stored.
Since the key stream may have been determined previously from a known
plaintext attack, if the Request Authenticator repeats, attributes
encrypted using the RADIUS attribute hiding mechanism should be
considered compromised. In addition to the User-Password attribute,
which is not used with EAP, this includes attributes such as
Tunnel-Password [RFC2868, <a href="#section-3.5">section 3.5</a>] and MS-MPPE-Send-Key and
MS-MPPE-Recv-Key attributes [RFC2548, <a href="#section-2.4">section 2.4</a>], which include a
Salt field as part of the hiding algorithm.
To avoid this, <a href="./rfc2865#section-3">[RFC2865], Section 3</a> advises:
Since it is expected that the same secret MAY be used to
authenticate with servers in disparate geographic regions, the
Request Authenticator field SHOULD exhibit global and temporal
uniqueness.
<span class="grey">Aboba & Calhoun Informational [Page 24]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-25" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
Where the Request Authenticator repeats, the Salt field defined in
<a href="./rfc2548#section-2.4">[RFC2548], Section 2.4</a> does not provide protection against
compromise. This is because MD5 [<a href="./rfc1321" title=""The MD5 Message-Digest Algorithm"">RFC1321</a>], rather than HMAC-MD5
[<a href="./rfc2104" title=""HMAC: Keyed-Hashing for Message Authentication"">RFC2104</a>], is used to generate the key stream, which is calculated
from the 128-bit RADIUS shared secret (S), the 128-bit Request
Authenticator (R), and the Salt field (A), using the formula b(1) =
MD5(S + R + A). Since the Salt field is placed at the end, if the
Request Authenticator were to repeat on a network where PAP is in
use, then the salted keystream could be calculated from the
User-Password keystream by continuing the MD5 calculation based on
the Salt field (A), which is sent in the clear.
Even though EAP does not support PAP authentication, a security
vulnerability can still exist where the same RADIUS shared secret is
used for hiding User-Password as well as other attributes. This can
occur, for example, if the same RADIUS proxy handles authentication
requests for both EAP and PAP.
The threat can be mitigated by protecting RADIUS with IPsec ESP with
non-null transform, as described in <a href="#section-4.2">Section 4.2</a>. Where RADIUS shared
secrets are configured, the RADIUS shared secret used by a NAS
supporting EAP MUST NOT be reused by a NAS utilizing the
User-Password attribute, since improper shared secret hygiene could
lead to compromise of hidden attributes.
<span class="h4"><a class="selflink" id="section-4.3.5" href="#section-4.3.5">4.3.5</a>. Replay Attacks</span>
The RADIUS protocol provides only limited support for replay
protection. RADIUS Access-Requests include liveness via the 128-bit
Request Authenticator. However, the Request Authenticator is not a
replay counter. Since RADIUS servers may not maintain a cache of
previous Request Authenticators, the Request Authenticator does not
provide replay protection.
RADIUS accounting [<a href="./rfc2866" title=""RADIUS Accounting"">RFC2866</a>] does not support replay protection at the
protocol level. Due to the need to support failover between RADIUS
accounting servers, protocol-based replay protection is not
sufficient to prevent duplicate accounting records. However, once
accepted by the accounting server, duplicate accounting records can
be detected by use of the the Acct-Session-Id [RFC2866, <a href="#section-5.5">section 5.5</a>]
and Event-Timestamp [RFC2869, <a href="#section-5.3">section 5.3</a>] attributes.
Unlike RADIUS authentication, RADIUS accounting does not use the
Request Authenticator as a nonce. Instead, the Request Authenticator
contains an MD5 hash calculated over the Code, Identifier, Length,
and request attributes of the Accounting Request packet, plus the
shared secret. The Response Authenticator also contains an MD5 hash
calculated over the Code, Identifier and Length, the Request
<span class="grey">Aboba & Calhoun Informational [Page 25]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-26" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
Authenticator field from the Accounting-Request packet being replied
to, the response attributes and the shared secret.
Since the Accounting Response Authenticator depends in part on the
Accounting Request Authenticator, it is not possible to replay an
Accounting-Response unless the Request Authenticator repeats. While
it is possible to utilize EAP methods such as EAP TLS [<a href="./rfc2716" title=""PPP EAP TLS Authentication Protocol"">RFC2716</a>] which
include liveness checks on both sides, not all EAP messages will
include liveness so that this provides incomplete protection.
Strong replay protection for RADIUS authentication and accounting can
be provided by enabling IPsec replay protection with RADIUS, as
described in <a href="#section-4.2">Section 4.2</a>.
<span class="h4"><a class="selflink" id="section-4.3.6" href="#section-4.3.6">4.3.6</a>. Negotiation Attacks</span>
In a negotiation attack a rogue NAS, tunnel server, RADIUS proxy or
RADIUS server attempts to cause the authenticating peer to choose a
less secure authentication method. For example, a session that would
normally be authenticated with EAP would instead be authenticated via
CHAP or PAP; alternatively, a connection that would normally be
authenticated via a more secure EAP method such as EAP-TLS [<a href="./rfc2716" title=""PPP EAP TLS Authentication Protocol"">RFC2716</a>]
might be made to occur via a less secure EAP method, such as
MD5-Challenge. The threat posed by rogue devices, once thought to be
remote, has gained currency given compromises of telephone company
switching systems, such as those described in [<a href="#ref-Masters" title=""Masters of Deception."">Masters</a>].
Protection against negotiation attacks requires the elimination of
downward negotiations. The RADIUS exchange may be further protected
by use of IPsec, as described in <a href="#section-4.2">Section 4.2</a>. Alternatively, where
IPsec is not used, the vulnerability can be mitigated via
implementation of per-connection policy on the part of the
authenticating peer, and per-peer policy on the part of the RADIUS
server. For the authenticating peer, authentication policy should be
set on a per-connection basis. Per-connection policy allows an
authenticating peer to negotiate a strong EAP method when connecting
to one service, while negotiating a weaker EAP method for another
service.
With per-connection policy, an authenticating peer will only attempt
to negotiate EAP for a session in which EAP support is expected. As
a result, there is a presumption that an authenticating peer
selecting EAP requires that level of security. If it cannot be
provided, it is likely that there is some kind of misconfiguration,
or even that the authenticating peer is contacting the wrong server.
Should the NAS not be able to negotiate EAP, or should the
EAP-Request sent by the NAS be of a different EAP type than what is
expected, the authenticating peer MUST disconnect. An authenticating
<span class="grey">Aboba & Calhoun Informational [Page 26]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-27" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
peer expecting EAP to be negotiated for a session MUST NOT negotiate
a weaker method, such as CHAP or PAP. In wireless networks, the
service advertisement itself may be spoof-able, so that an attacker
could fool the peer into negotiating an authentication method
suitable for a less secure network.
For a NAS, it may not be possible to determine whether a peer is
required to authenticate with EAP until the peer's identity is known.
For example, for shared-uses NASes it is possible for one reseller to
implement EAP while another does not. Alternatively, some peer might
be authenticated locally by the NAS while other peers are
authenticated via RADIUS. In such cases, if any peers of the NAS
MUST do EAP, then the NAS MUST attempt to negotiate EAP for every
session. This avoids forcing a peer to support more than one
authentication type, which could weaken security.
If CHAP is negotiated, the NAS will pass the User-Name and
CHAP-Password attributes to the RADIUS server in an Access-Request
packet. If the peer is not required to use EAP, then the RADIUS
server will respond with an Access-Accept or Access-Reject packet as
appropriate. However, if CHAP has been negotiated but EAP is
required, the RADIUS server MUST respond with an Access-Reject,
rather than an Access-Challenge/EAP-Message/EAP-Request packet. The
authenticating peer MUST refuse to renegotiate authentication, even
if the renegotiation is from CHAP to EAP.
If EAP is negotiated but is not supported by the RADIUS proxy or
server, then the server or proxy MUST respond with an Access-Reject.
In these cases, a PPP NAS MUST send an LCP-Terminate and disconnect
the peer. This is the correct behavior since the authenticating peer
is expecting EAP to be negotiated, and that expectation cannot be
fulfilled. An EAP-capable authenticating peer MUST refuse to
renegotiate the authentication protocol if EAP had initially been
negotiated. Note that problems with a non-EAP capable RADIUS proxy
could prove difficult to diagnose, since a peer connecting from one
location (with an EAP-capable proxy) might be able to successfully
authenticate via EAP, while the same peer connecting at another
location (and encountering an EAP-incapable proxy) might be
consistently disconnected.
<span class="h4"><a class="selflink" id="section-4.3.7" href="#section-4.3.7">4.3.7</a>. Impersonation</span>
[<a id="ref-RFC2865">RFC2865</a>] <a href="#section-3">Section 3</a> states:
A RADIUS server MUST use the source IP address of the RADIUS UDP
packet to decide which shared secret to use, so that RADIUS
requests can be proxied.
<span class="grey">Aboba & Calhoun Informational [Page 27]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-28" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
When RADIUS requests are forwarded by a proxy, the NAS-IP-Address or
NAS-IPv6-Address attributes may not match the source address. Since
the NAS-Identifier attribute need not contain an FQDN, this attribute
also may not correspond to the source address, even indirectly, with
or without a proxy present.
As a result, the authenticity check performed by a RADIUS server or
proxy does not verify the correctness of NAS identification
attributes. This makes it possible for a rogue NAS to forge
NAS-IP-Address, NAS-IPv6-Address or NAS-Identifier attributes within
a RADIUS Access-Request in order to impersonate another NAS. It is
also possible for a rogue NAS to forge session identification
attributes such as Called-Station-Id, Calling-Station-Id, and
Originating-Line-Info.
This could fool the RADIUS server into subsequently sending
Disconnect or CoA-Request messages [<a href="./rfc3576" title=""Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)"">RFC3576</a>] containing forged
session identification attributes to a NAS targeted by an attacker.
To address these vulnerabilities RADIUS proxies SHOULD check whether
NAS identification attributes (NAS-IP-Address, NAS-IPv6-Address,
NAS-Identifier) match the source address of packets originating from
the NAS. Where a match is not found, an Access-Reject SHOULD be
sent, and an error SHOULD be logged.
However, such a check may not always be possible. Since the
NAS-Identifier attribute need not correspond to an FQDN, it may not
be resolvable to an IP address to be matched against the source
address. Also, where a NAT exists between the RADIUS client and
proxy, checking the NAS-IP-Address or NAS-IPv6-Address attributes may
not be feasible.
To allow verification of NAS and session identification parameters,
EAP methods can support the secure exchange of these parameters
between the EAP peer and EAP server. NAS identification attributes
include NAS-IP-Address, NAS-IPv6-Address and Called-Station-Id;
session identification attributes include User-Name and
Calling-Station-Id. The secure exchange of these parameters between
the EAP peer and server enables the RADIUS server to check whether
the attributes provided by the NAS match those provided by the peer;
similarly, the peer can check the parameters provided by the NAS
against those provided by the EAP server. This enables detection of
a rogue NAS.
<span class="grey">Aboba & Calhoun Informational [Page 28]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-29" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
<span class="h4"><a class="selflink" id="section-4.3.8" href="#section-4.3.8">4.3.8</a>. Man in the Middle Attacks</span>
RADIUS only provides security on a hop-by-hop basis, even where IPsec
is used. As a result, an attacker gaining control of a RADIUS proxy
could attempt to modify EAP packets in transit. To protect against
this, EAP methods SHOULD incorporate their own per-packet integrity
protection and authentication mechanisms.
<span class="h4"><a class="selflink" id="section-4.3.9" href="#section-4.3.9">4.3.9</a>. Separation of Authenticator and Authentication Server</span>
As noted in [<a href="./rfc2716" title=""PPP EAP TLS Authentication Protocol"">RFC2716</a>], it is possible for the EAP peer and
authenticator to mutually authenticate, and derive a Master Session
Key (MSK) for a ciphersuite used to protect subsequent data traffic.
This does not present an issue on the peer, since the peer and EAP
client reside on the same machine; all that is required is for the
EAP client module to derive and pass a Transient Session Key (TSK) to
the ciphersuite module.
The situation is more complex when EAP is used with RADIUS, since the
authenticator and authentication server may not reside on the same
host.
In the case where the authenticator and authentication server reside
on different machines, there are several implications for security.
First, mutual authentication will occur between the peer and the
authentication server, not between the peer and the authenticator.
This means that it is not possible for the peer to validate the
identity of the NAS or tunnel server that it is speaking to, using
EAP alone.
As described in <a href="#section-4.2">Section 4.2</a>, when RADIUS/EAP is used to encapsulate
EAP packets, IPsec SHOULD be used to provide per-packet
authentication, integrity, replay protection and confidentiality.
The Message-Authenticator attribute is also required in RADIUS
Access-Requests containing an EAP-Message attribute sent from the NAS
or tunnel server to the RADIUS server. Since the
Message-Authenticator attribute involves an HMAC-MD5 message
integrity check, it is possible for the RADIUS server to verify the
integrity of the Access-Request as well as the NAS or tunnel server's
identity, even where IPsec is not used. Similarly, Access-Challenge
packets containing an EAP-Message attribute sent from the RADIUS
server to the NAS are also authenticated and integrity protected
using an HMAC-MD5 message integrity check, enabling the NAS or tunnel
server to determine the integrity of the packet and verify the
identity of the RADIUS server, even where IPsec is not used.
Moreover, EAP packets sent using methods that contain their own
integrity protection cannot be successfully modified by a rogue NAS
or tunnel server.
<span class="grey">Aboba & Calhoun Informational [Page 29]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-30" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
The second issue that arises where the authenticator and
authentication server reside on separate hosts is that the EAP Master
Session Key (MSK) negotiated between the peer and authentication
server will need to be transmitted to the authenticator. Therefore a
mechanism needs to be provided to transmit the MSK from the
authentication server to the NAS or tunnel server that needs it. The
specification of the key transport and wrapping mechanism is outside
the scope of this document. However, it is expected that the
wrapping mechanism will provide confidentiality, integrity and replay
protection, and data origin authentication.
<span class="h4"><a class="selflink" id="section-4.3.10" href="#section-4.3.10">4.3.10</a>. Multiple Databases</span>
In many cases a security server will be deployed along with a RADIUS
server in order to provide EAP services. Unless the security server
also functions as a RADIUS server, two separate user databases will
exist, each containing information about the security requirements
for the user. This represents a weakness, since security may be
compromised by a successful attack on either of the servers, or their
databases. With multiple user databases, adding a new user may
require multiple operations, increasing the chances for error. The
problems are further magnified in the case where user information is
also being kept in an LDAP server. In this case, three stores of
user information may exist.
In order to address these threats, consolidation of databases is
recommended. This can be achieved by having both the RADIUS server
and security server store information in the same database; by having
the security server provide a full RADIUS implementation; or by
consolidating both the security server and the RADIUS server onto
the same machine.
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. IANA Considerations</span>
This specification does not create any new registries, or define any
new RADIUS attributes or values.
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. References</span>
<span class="h3"><a class="selflink" id="section-6.1" href="#section-6.1">6.1</a>. Normative References</span>
[<a id="ref-RFC1321">RFC1321</a>] Rivest, R., "The MD5 Message-Digest Algorithm", <a href="./rfc1321">RFC</a>
<a href="./rfc1321">1321</a>, April 1992.
[<a id="ref-RFC2104">RFC2104</a>] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC:
Keyed-Hashing for Message Authentication", <a href="./rfc2104">RFC 2104</a>,
February 1997.
<span class="grey">Aboba & Calhoun Informational [Page 30]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-31" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
[<a id="ref-RFC2119">RFC2119</a>] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>, <a href="./rfc2119">RFC 2119</a>, March 1997.
[<a id="ref-RFC2279">RFC2279</a>] Yergeau, F., "UTF-8, a transformation format of ISO
10646", <a href="./rfc2279">RFC 2279</a>, January 1998.
[<a id="ref-RFC2284">RFC2284</a>] Blunk, L. and J. Vollbrecht, "PPP Extensible
Authentication Protocol (EAP)", <a href="./rfc2284">RFC 2284</a>, March 1998.
[<a id="ref-RFC2401">RFC2401</a>] Atkinson, R. and S. Kent, "Security Architecture for
the Internet Protocol", <a href="./rfc2401">RFC 2401</a>, November 1998.
[<a id="ref-RFC2406">RFC2406</a>] Kent, S. and R. Atkinson, "IP Encapsulating Security
Payload (ESP)", <a href="./rfc2406">RFC 2406</a>, November 1998.
[<a id="ref-RFC2409">RFC2409</a>] Harkins, D. and D. Carrel, "The Internet Key Exchange
(IKE)", <a href="./rfc2409">RFC 2409</a>, November 1998.
[<a id="ref-RFC2486">RFC2486</a>] Aboba, B. and M. Beadles, "The Network Access
Identifier", <a href="./rfc2486">RFC 2486</a>, January 1999.
[<a id="ref-RFC2865">RFC2865</a>] Rigney, C., Willens, S., Rubens, A. and W. Simpson,
"Remote Authentication Dial In User Service (RADIUS)",
<a href="./rfc2865">RFC 2865</a>, June 2000.
[<a id="ref-RFC2988">RFC2988</a>] Paxson, V. and M. Allman, "Computing TCP's
Retransmission Timer", <a href="./rfc2988">RFC 2988</a>, November 2000.
[<a id="ref-RFC3162">RFC3162</a>] Aboba, B., Zorn, G. and D. Mitton, "RADIUS and IP6",
<a href="./rfc3162">RFC 3162</a>, August 2001.
[<a id="ref-RFC3280">RFC3280</a>] Housley, R., Polk, W., Ford, W. and D. Solo, "Internet
X.509 Public Key Infrastructure Certificate and
Certificate Revocation List (CRL) Profile", <a href="./rfc3280">RFC 3280</a>,
April 2002.
[<a id="ref-RFC3576">RFC3576</a>] Chiba, M., Dommety, G., Eklund, M., Mitton, D. and B.
Aboba, "Dynamic Authorization Extensions to Remote
Authentication Dial In User Service (RADIUS)", <a href="./rfc3576">RFC</a>
<a href="./rfc3576">3576</a>, July 2003.
<span class="grey">Aboba & Calhoun Informational [Page 31]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-32" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
<span class="h3"><a class="selflink" id="section-6.2" href="#section-6.2">6.2</a>. Informative References</span>
[<a id="ref-RFC826">RFC826</a>] Plummer, D., "An Ethernet Address Resolution
Protocol", STD 37, <a href="./rfc826">RFC 826</a>, November 1982.
[<a id="ref-RFC1510">RFC1510</a>] Kohl, J. and C. Neuman, "The Kerberos Network
Authentication Service (V5)", <a href="./rfc1510">RFC 1510</a>, September
1993.
[<a id="ref-RFC1661">RFC1661</a>] Simpson, W., "The Point-to-Point Protocol (PPP)", STD
51, <a href="./rfc1661">RFC 1661</a>, July 1994.
[<a id="ref-RFC2548">RFC2548</a>] Zorn, G., "Microsoft Vendor-specific RADIUS
Attributes", <a href="./rfc2548">RFC 2548</a>, March 1999.
[<a id="ref-RFC2607">RFC2607</a>] Aboba, B. and J. Vollbrecht, "Proxy Chaining and
Policy Implementation in Roaming", <a href="./rfc2607">RFC 2607</a>, June
1999.
[<a id="ref-RFC2716">RFC2716</a>] Aboba, B. and D. Simon,"PPP EAP TLS Authentication
Protocol", <a href="./rfc2716">RFC 2716</a>, October 1999.
[<a id="ref-RFC2866">RFC2866</a>] Rigney, C., "RADIUS Accounting", <a href="./rfc2866">RFC 2866</a>, June 2000.
[<a id="ref-RFC2867">RFC2867</a>] Zorn, G., Aboba, B. and D. Mitton, "RADIUS Accounting
Modifications for Tunnel Protocol Support", <a href="./rfc2867">RFC 2867</a>,
June 2000.
[<a id="ref-RFC2868">RFC2868</a>] Zorn, G., Leifer, D., Rubens, A., Shriver, J.,
Holdrege, M. and I. Goyret, "RADIUS Attributes for
Tunnel Protocol Support", <a href="./rfc2868">RFC 2868</a>, June 2000.
[<a id="ref-RFC2869">RFC2869</a>] Rigney, C., Willats, W. and P. Calhoun, "RADIUS
Extensions", <a href="./rfc2869">RFC 2869</a>, June 2000.
[<a id="ref-RFC2983">RFC2983</a>] Black, D. "Differentiated Services and Tunnels", <a href="./rfc2983">RFC</a>
<a href="./rfc2983">2983</a>, October 2000.
[<a id="ref-RFC3580">RFC3580</a>] Congdon, P., Aboba, B., Smith, A., Zorn, G. and J.
Roese, "IEEE 802.1X Remote Authentication Dial In User
Service (RADIUS) Usage Guidelines", <a href="./rfc3580">RFC 3580</a>,
September 2003.
[<a id="ref-IEEE802">IEEE802</a>] IEEE Standards for Local and Metropolitan Area
Networks: Overview and Architecture, ANSI/IEEE Std
802, 1990.
<span class="grey">Aboba & Calhoun Informational [Page 32]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-33" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
[<a id="ref-IEEE8021X">IEEE8021X</a>] IEEE Standards for Local and Metropolitan Area
Networks: Port based Network Access Control, IEEE Std
802.1X-2001, June 2001.
[<a id="ref-MD5Attack">MD5Attack</a>] Dobbertin, H., "The Status of MD5 After a Recent
Attack", CryptoBytes Vol.2 No.2, Summer 1996.
[<a id="ref-Masters">Masters</a>] Slatalla, M. and J. Quittner, "Masters of Deception."
HarperCollins, New York, 1995.
[<a id="ref-NASREQ">NASREQ</a>] Calhoun, P., et al., "Diameter Network Access Server
Application", Work in Progress.
<span class="grey">Aboba & Calhoun Informational [Page 33]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-34" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
Appendix A - Examples
The examples below illustrate conversations between an authenticating
peer, NAS, and RADIUS server. The OTP and EAP-TLS protocols are used
only for illustrative purposes; other authentication protocols could
also have been used, although they might show somewhat different
behavior.
Where the NAS sends an EAP-Request/Identity as the initial packet,
the exchange appears as follows:
Authenticating peer NAS RADIUS server
------------------- --- -------------
<- EAP-Request/
Identity
EAP-Response/
Identity (MyID) ->
RADIUS Access-Request/
EAP-Message/EAP-Response/
(MyID) ->
<- RADIUS
Access-Challenge/
EAP-Message/EAP-Request
OTP/OTP Challenge
<- EAP-Request/
OTP/OTP Challenge
EAP-Response/
OTP, OTPpw ->
RADIUS Access-Request/
EAP-Message/EAP-Response/
OTP, OTPpw ->
<- RADIUS
Access-Accept/
EAP-Message/EAP-Success
(other attributes)
<- EAP-Success
<span class="grey">Aboba & Calhoun Informational [Page 34]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-35" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
In the case where the NAS initiates with an EAP-Request for EAP TLS
[<a href="./rfc2716" title=""PPP EAP TLS Authentication Protocol"">RFC2716</a>], and the identity is determined based on the contents of
the client certificate, the exchange will appear as follows:
Authenticating peer NAS RADIUS server
------------------- --- -------------
<- EAP-Request/
EAP-Type=EAP-TLS
(TLS Start, S bit set)
EAP-Response/
EAP-Type=EAP-TLS
(TLS client_hello)->
RADIUS Access-Request/
EAP-Message/EAP-Response/
EAP-Type=EAP-TLS->
<-RADIUS Access-Challenge/
EAP-Message/
EAP-Request/
EAP-Type=EAP-TLS
<- EAP-Request/
EAP-Type=EAP-TLS
(TLS server_hello,
TLS certificate,
[TLS server_key_exchange,]
[TLS certificate_request,]
TLS server_hello_done)
EAP-Response/
EAP-Type=EAP-TLS
(TLS certificate,
TLS client_key_exchange,
[TLS certificate_verify,]
TLS change_cipher_spec,
TLS finished)->
RADIUS Access-Request/
EAP-Message/EAP-Response/
EAP-Type=EAP-TLS->
<-RADIUS Access-Challenge/
EAP-Message/
EAP-Request/
EAP-Type=EAP-TLS
<- EAP-Request/
EAP-Type=EAP-TLS
(TLS change_cipher_spec,
TLS finished)
<span class="grey">Aboba & Calhoun Informational [Page 35]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-36" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
EAP-Response/
EAP-Type=EAP-TLS ->
RADIUS Access-Request/
EAP-Message/EAP-Response/
EAP-Type=EAP-TLS->
<-RADIUS Access-Accept/
EAP-Message/EAP-Success
(other attributes)
<- EAP-Success
In the case where the NAS first sends an EAP-Start packet to the
RADIUS server, the conversation would appear as follows:
Authenticating peer NAS RADIUS server
------------------- --- -------------
RADIUS Access-Request/
EAP-Message/Start ->
<- RADIUS
Access-Challenge/
EAP-Message/EAP-Request/
Identity
<- EAP-Request/
Identity
EAP-Response/
Identity (MyID) ->
RADIUS Access-Request/
EAP-Message/EAP-Response/
Identity (MyID) ->
<- RADIUS
Access-Challenge/
EAP-Message/EAP-Request/
OTP/OTP Challenge
<- EAP-Request/
OTP/OTP Challenge
EAP-Response/
OTP, OTPpw ->
RADIUS Access-Request/
EAP-Message/EAP-Response/
OTP, OTPpw ->
<- RADIUS
Access-Accept/
EAP-Message/EAP-Success
(other attributes)
<- EAP-Success
<span class="grey">Aboba & Calhoun Informational [Page 36]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-37" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
In the case where the NAS initiates with an EAP-Request for EAP TLS
[<a href="./rfc2716" title=""PPP EAP TLS Authentication Protocol"">RFC2716</a>], but the peer responds with a Nak, indicating that it would
prefer another method not implemented locally on the NAS, the
exchange will appear as follows:
Authenticating peer NAS RADIUS server
------------------- --- -------------
<- EAP-Request/
EAP-Type=EAP-TLS
(TLS Start, S bit set)
EAP-Response/
EAP-Type=Nak
(Alternative(s))->
RADIUS Access-Request/
EAP-Message/EAP-Response/
Nak ->
<- RADIUS
Access-Challenge/
EAP-Message/EAP-Request/
Identity
<- EAP-Request/
Identity
EAP-Response/
Identity (MyID) ->
RADIUS Access-Request/
EAP-Message/EAP-Response/
(MyID) ->
<- RADIUS
Access-Challenge/
EAP-Message/EAP-Request
OTP/OTP Challenge
<- EAP-Request/
OTP/OTP Challenge
EAP-Response/
OTP, OTPpw ->
RADIUS Access-Request/
EAP-Message/EAP-Response/
OTP, OTPpw ->
<- RADIUS
Access-Accept/
EAP-Message/EAP-Success
(other attributes)
<- EAP-Success
<span class="grey">Aboba & Calhoun Informational [Page 37]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-38" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
In the case where the authenticating peer attempts to authenticate
the NAS, the conversation would appear as follows:
Authenticating peer NAS RADIUS Server
------------------- --- -------------
EAP-Request/
Challenge, MD5 ->
RADIUS Access-Request/
EAP-Message/EAP-Request/
Challenge, MD5 ->
<- RADIUS
Access-Reject/
EAP-Message/
EAP-Response/
Nak (no alternative)
<- EAP-Response/Nak
(no alternative)
EAP-Failure ->
<span class="grey">Aboba & Calhoun Informational [Page 38]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-39" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
In the case where an invalid EAP Response is inserted by an attacker,
the conversation would appear as follows:
Authenticating peer NAS RADIUS server
------------------- --- -------------
<- EAP-Request/
EAP-Type=Foo
EAP-Response/
EAP-Type=Foo ->
RADIUS Access-Request/
EAP-Message/EAP-Response/
EAP-Type=Foo ->
<- RADIUS
Access-Challenge/
EAP-Message/EAP-Request/
EAP-Type=Foo
<- EAP-Request/
EAP-Type=Foo
Attacker spoof:
EAP-Response/
EAP-Type=Bar ->
Good guy:
EAP-Response/
EAP-Type=Foo ->
RADIUS Access-Request/
EAP-Message/EAP-Response/
EAP-Type=Bar ->
<- RADIUS
Access-Challenge/
EAP-Message/EAP-Request/
EAP-Type=Foo,
Error-Cause="Invalid EAP
Packet (Ignored)"
RADIUS Access-Request/
EAP-Message/EAP-Response/
EAP-Type=Foo ->
<- Access-Accept/
EAP-Message/Success
<- EAP Success
<span class="grey">Aboba & Calhoun Informational [Page 39]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-40" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
In the case where the client fails EAP authentication, and an error
message is sent prior to disconnection, the conversation would appear
as follows:
Authenticating peer NAS RADIUS server
------------------- --- -------------
RADIUS Access-Request/
EAP-Message/Start ->
<- RADIUS
Access-Challenge/
EAP-Message/EAP-Response/
Identity
<- EAP-Request/
Identity
EAP-Response/
Identity (MyID) ->
RADIUS Access-Request/
EAP-Message/EAP-Response/
(MyID) ->
<- RADIUS
Access-Challenge/
EAP-Message/EAP-Request
OTP/OTP Challenge
<- EAP-Request/
OTP/OTP Challenge
EAP-Response/
OTP, OTPpw ->
RADIUS Access-Request/
EAP-Message/EAP-Response/
OTP, OTPpw ->
<- RADIUS
Access-Challenge/
EAP-Message/EAP-Request/
Notification
<- EAP-Request/
Notification
EAP-Response/
Notification ->
RADIUS Access-Request/
EAP-Message/EAP-Response/
Notification ->
<- RADIUS
Access-Reject/
EAP-Message/EAP-Failure
<- EAP-Failure
(client disconnected)
<span class="grey">Aboba & Calhoun Informational [Page 40]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-41" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
In the case that the RADIUS server or proxy does not support EAP-
Message, but no error message is sent, the conversation would appear
as follows:
Authenticating peer NAS RADIUS server
------------------- --- -------------
RADIUS Access-Request/
EAP-Message/Start ->
<- RADIUS
Access-Reject
(User Disconnected)
In the case where the local RADIUS server does support EAP-Message, but
the remote RADIUS server does not, the conversation would appear as
follows:
Authenticating peer NAS RADIUS server
------------------- --- -------------
RADIUS Access-Request/
EAP-Message/Start ->
<- RADIUS
Access-Challenge/
EAP-Message/
EAP-Response/
Identity
<- EAP-Request/
Identity
EAP-Response/
Identity
(MyID) ->
RADIUS Access-Request/
EAP-Message/EAP-Response/
(MyID) ->
<- RADIUS
Access-Reject
(proxied from remote
RADIUS server)
(User Disconnected)
<span class="grey">Aboba & Calhoun Informational [Page 41]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-42" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
In the case where PPP is the link and the authenticating peer does
not support EAP, but where EAP is required for that user, the
conversation would appear as follows:
Authenticating peer NAS RADIUS server
------------------- --- -------------
<- PPP LCP Request-EAP
auth
PPP LCP NAK-EAP
auth ->
<- PPP LCP Request-CHAP
auth
PPP LCP ACK-CHAP
auth ->
<- PPP CHAP Challenge
PPP CHAP Response ->
RADIUS Access-Request/
User-Name,
CHAP-Password ->
<- RADIUS
Access-Reject
<- PPP LCP Terminate
(User Disconnected)
In the case where PPP is the link, the NAS does not support EAP, but
where EAP is required for that user, the conversation would appear as
follows:
Authenticating peer NAS RADIUS server
------------------- --- -------------
<- PPP LCP Request-CHAP
auth
PP LCP ACK-CHAP
auth ->
<- PPP CHAP Challenge
PPP CHAP Response ->
RADIUS Access-Request/
User-Name,
CHAP-Password ->
<- RADIUS
Access-Reject
<- PPP LCP Terminate
(User Disconnected)
<span class="grey">Aboba & Calhoun Informational [Page 42]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-43" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
Appendix B - Change Log
The following changes have been made from <a href="./rfc2869">RFC 2869</a>:
A NAS may simultaneously support both local authentication and
pass-through; once the NAS enters pass-through mode within a session,
it cannot revert back to local authentication. Also EAP is
explicitly described as a 'lock step' protocol. (<a href="#section-2">Section 2</a>).
The NAS may initiate with an EAP-Request for an authentication Type.
If the Request is NAK'd, the NAS should send an initial
Access-Request with an EAP-Message attribute containing an
EAP-Response/Nak.
The RADIUS server may treat an invalid EAP Response as a non-fatal
error (<a href="#section-2.2">Section 2.2</a>)
For use with RADIUS/EAP, the Password-Retry (<a href="#section-2.3">Section 2.3</a>) and
Reply-Message (2.6.5) attributes are deprecated.
Each EAP session has a unique Identifier space (<a href="#section-2.6.1">Section 2.6.1</a>).
Role reversal is not supported (<a href="#section-2.6.2">Section 2.6.2</a>).
Message combinations (e.g. Access-Accept/EAP-Failure) that conflict
are discouraged (<a href="#section-2.6.3">Section 2.6.3</a>).
Only a single EAP packet may be encapsulated within a RADIUS message
(<a href="#section-3.1">Section 3.1</a>).
An Access-Request lacking explicit authentication as well as a
Message- Authenticator attribute SHOULD be silently discarded
(<a href="#section-3.3">Section 3.3</a>).
The Originating-Line-Info attribute is supported (<a href="#section-3.3">Section 3.3</a>).
IPsec ESP with non-null transform SHOULD be used and the usage model
is described in detail (<a href="#section-4.2">Section 4.2</a>).
Additional discussion of security vulnerabilities (<a href="#section-4.1">Section 4.1</a>) and
potential fixes (<a href="#section-4.3">Section 4.3</a>).
Separated normative (<a href="#section-6.1">Section 6.1</a>) and informative (<a href="#section-6.2">Section 6.2</a>)
references.
<span class="grey">Aboba & Calhoun Informational [Page 43]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-44" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
Added additional examples (Appendix A): a NAS initiating with an
EAP-Request for an authentication Type; attempted role reversal.
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in <a href="https://www.rfc-editor.org/bcp/bcp11">BCP-11</a>. Copies of
claims of rights made available for publication and any assurances of
licenses to be made available, or the result of an attempt made to
obtain a general license or permission for the use of such
proprietary rights by implementors or users of this specification can
be obtained from the IETF Secretariat.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive
Director.
Acknowledgments
Thanks to Dave Dawson and Karl Fox of Ascend, Glen Zorn of Cisco
Systems, Jari Arkko of Ericsson and Ashwin Palekar, Tim Moore and
Narendra Gidwani of Microsoft for useful discussions of this problem
space. The authors would also like to acknowledge Tony Jeffree,
Chair of IEEE 802.1 for his assistance in resolving RADIUS/EAP issues
in IEEE 802.1X-2001.
<span class="grey">Aboba & Calhoun Informational [Page 44]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-45" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
Authors' Addresses
Bernard Aboba
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
Phone: +1 425 706 6605
Fax: +1 425 936 7329
EMail: bernarda@microsoft.com
Pat R. Calhoun
Airespace
110 Nortech Parkway
San Jose, California, 95134
USA
Phone: +1 408 635 2023
Fax: +1 408 635 2020
EMail: pcalhoun@airespace.com
<span class="grey">Aboba & Calhoun Informational [Page 45]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-46" ></span>
<span class="grey"><a href="./rfc3579">RFC 3579</a> RADIUS & EAP September 2003</span>
Full Copyright Statement
Copyright (C) The Internet Society (2003). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assignees.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Aboba & Calhoun Informational [Page 46]
</pre>
|
