RE: Re: method identification
From: Suresh (sureshvvintotoinc.com)
Date: Fri, 27 Aug 2004 03:26:48 -0400 (EDT)
[BA]server acts as the EAP server and the NAS is just a pass-through.
Here is what RFC 3748 says:

   Within or associated with each authenticator, it is not anticipated
   that a particular named peer will support a choice of methods.  This
   would make the peer vulnerable to attacks that negotiate the least
   secure method from among a set.  Instead, for each named peer, there
   SHOULD be an indication of exactly one method used to authenticate
   that peer name.  If a peer needs to make use of different
   authentication methods under different circumstances, then distinct
   identities SHOULD be employed, each of which identifies exactly one
   authentication method.


Kindly tell me if my understanding is correct.

The NAS need not, rather should not, know what EAP method
is being used, but the NAS will know whether an EAP
negotiation has to be started at all, i.e. whether to send
EAP-Request/Identity. The NAS can send a RADIUS Access-Request
with the EAP-Start attribute to the RADIUS server.
But this is not the default, as there are cases where
clients may not have EAP support, and it may
result in unnecessary traffic to the AAA server.

> Without knowing what authentication to be
> used, I am unable to visualize how NAS starts that
> particular method negotiation.

[BA]Unless the NAS is acting as the EAP server, it doesn't start the method
negotiation -- the RADIUS server does.

Sending EAP-Request/Identity doesn't mean a start of method negotiation.


> Yes, it is true that EAP-Request/Identity is independent of the EAP method.
> Is the identity received in the EAP-Response/Identity specific to a
> method? Based on the identity received, does the RADIUS server identify
> that a particular EAP method has to be used?

[BA]The EAP-Response/Identity is not specific to a method, because when the
peer sends this packet it doesn't know what method will be requested yet.
The RADIUS server may select the identity based on some or all of the
contents of the EAP-Request/Identity, or it may use the same method for
all users.  This is purely an implementation issue.

Assume that my client supports an EAP method M1. It has an EAP identity
I1.
case 1. My client software has been upgraded from EAP method M1 to EAP method M2.
I1 is independent of the EAP method, as the same I1 can be used for EAP method
M2.
case 2. My client software has been upgraded to support both EAP methods M1 and
M2.
In this case you should require one more identity, I2. This is to negate
attacks which force the client to get itself authenticated with the simplest of the
EAP methods M1, M2. This is with reference to RFC 3748:

   This would make the peer vulnerable to attacks that negotiate the least
   secure method from among a set.  Instead, for each named peer, there
   SHOULD be an indication of exactly one method used to authenticate
   that peer name.  If a peer needs to make use of different
   authentication methods under different circumstances, then distinct
   identities SHOULD be employed, each of which identifies exactly one
   authentication method.

case 3. My client software has been upgraded to support both EAP methods M1 and
M2.
Assume that M2 is a stronger authentication method than M1. Can the RADIUS
server force M2 to be used? The client can send I1 and not I2
in response to EAP-Request/Identity.

My question:
1) The identity is independent of the EAP method that is used, but the client needs to
have different identities to uniquely identify the EAP method to be used, to negate
the attacks mentioned above. So how is case 3 mentioned above generally handled?
Kindly clarify.

Thanks
Suresh
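As an added illustration, not part of this thread or of any project's code, the following toy Python models the server side of the RFC 3748 guidance quoted above: each named identity is bound to exactly one EAP method, so a strict server answers a Nak with EAP-Failure instead of falling back, while a naive server that takes its next method from the peer's Nak can be talked down to the weaker one (by the peer itself or by anything on the path rewriting the Nak). Under the same policy, case 3 comes out as the quoted text describes: a peer presenting I1 gets the one method bound to I1, and the stronger method is reached by presenting the identity bound to it. The identities, policy table, `Peer` class and `run` driver are constructed for the example; the thread's M1 and M2 are stood in for by MD5-Challenge (type 4) and EAP-TLS (type 13), and the method conversation itself is elided.

```python
"""Toy EAP server policy model (added example; identities and policy constructed).

Packet layout follows RFC 3748: Code(1) Identifier(1) Length(2) [Type(1) Type-Data].
"""
import struct

REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
IDENTITY, NAK = 1, 3              # method types defined by RFC 3748 itself
MD5_CHALLENGE, EAP_TLS = 4, 13    # stand-ins for the thread's M1 (weaker) and M2 (stronger)


def eap_pack(code, ident, type_=None, data=b""):
    """Build an EAP packet; Success/Failure carry no Type field."""
    body = b"" if type_ is None else bytes([type_]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def eap_unpack(pkt):
    """Return (code, identifier, type_or_None, type_data), checking Length."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("bad EAP length")
    if code in (SUCCESS, FAILURE):
        return code, ident, None, b""
    return code, ident, pkt[4], pkt[5:]


# Constructed policy table: exactly one method per named identity (RFC 3748 SHOULD).
POLICY = {
    b"suresh-m1@example.net": MD5_CHALLENGE,   # the thread's I1 -> M1
    b"suresh-m2@example.net": EAP_TLS,         # the thread's I2 -> M2
}


class Peer:
    """Constructed peer: answers Identity, accepts supported methods, Naks the rest."""

    def __init__(self, identity, supported):
        self.identity, self.supported = identity, supported

    def respond(self, pkt):
        _, ident, type_, _ = eap_unpack(pkt)
        if type_ == IDENTITY:
            return eap_pack(RESPONSE, ident, IDENTITY, self.identity)
        if type_ in self.supported:
            return eap_pack(RESPONSE, ident, type_, b"ok")   # method exchange elided
        # RFC 3748 Nak: Type-Data lists the methods the peer would accept instead.
        return eap_pack(RESPONSE, ident, NAK, bytes(sorted(self.supported)))


def run(peer, strict):
    """Drive one conversation from the EAP-server side; return (final_code, method).

    strict=True : identity is bound to one method, any Nak ends in EAP-Failure.
    strict=False: naive server that switches to the first method named in the
                  Nak, i.e. lets whoever wrote the Nak choose the method.
    """
    ident = 1
    _, _, _, identity = eap_unpack(peer.respond(eap_pack(REQUEST, ident, IDENTITY)))
    method = POLICY.get(bytes(identity))
    if method is None:                      # unknown peer name: nothing to negotiate
        return FAILURE, None
    ident += 1
    _, _, type_, data = eap_unpack(peer.respond(eap_pack(REQUEST, ident, method)))
    if type_ == NAK:
        if strict:
            return FAILURE, None            # no downgrade: one identity, one method
        method = data[0]                    # naive fallback to the peer's choice
        ident += 1
        _, _, type_, data = eap_unpack(peer.respond(eap_pack(REQUEST, ident, method)))
        if type_ == NAK:
            return FAILURE, None
    return SUCCESS, method


if __name__ == "__main__":
    print("I2, strict, peer supports M2 :", run(Peer(b"suresh-m2@example.net", {EAP_TLS}), True))
    print("I2, strict, peer only M1     :", run(Peer(b"suresh-m2@example.net", {MD5_CHALLENGE}), True))
    print("I2, naive,  peer only M1     :", run(Peer(b"suresh-m2@example.net", {MD5_CHALLENGE}), False))
    print("I1, strict, peer supports both:", run(Peer(b"suresh-m1@example.net", {MD5_CHALLENGE, EAP_TLS}), True))
```

The third run is the downgrade the quoted RFC text warns about: the naive server ends with EAP-Success over MD5-Challenge for an identity that was supposed to use EAP-TLS, whereas the strict server fails. The last run shows the flip side for case 3: with I1 the strict server will only ever use M1, so under this policy the stronger method is obtained through the identity bound to it rather than by the server overriding the presented identity.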