Re: method identification
From: Thomas Otto (t.ottosharevolution.de)
Date: Sat, 28 Aug 2004 08:15:25 -0400 (EDT)
> case 3. My client software has upgraded to support both EAP methods
> M1 and M2. Assume that M2 is a stronger authentication method than M1.
> Can the RADIUS server force M2 to be used? This is because the client can
> send I1 and not I2 in response to EAP-ID/Request.

> My question:
> 1) Identity is independent of the EAP method that is used, but the client needs to
> have different identities to uniquely identify an EAP method to be used, to
> negate attacks as mentioned above. So how is case 3 mentioned above
> generally handled?

Scenario: 
Peer and EAP server support several EAP methods. Let the common set 
of EAP methods contain two or more methods. 

According to RFC 3748, each EAP method is assigned a different Identifier:
M1 <--> ID1
M2 <--> ID2
Now, the peer chooses some (following Suresh, the weakest) EAP method, M1, 
by sending EAP-Response/Identity (ID1). The question arises how the EAP
server can force the execution of a stronger EAP method?

We can generalize the problem above saying
"After sending the EAP-Request/Identity, the peer responds with an Identifier ID 
within EAP-Response/Identity(ID) of an arbitrarily chosen supported EAP 
method."

Arbitrary, because ID may correspond to the
- preferred EAP method
- weakest EAP method (downgrade attack)
- EAP method with heavy computational cost on server side (DoS attack)
... 

However, the chosen method is not the one the EAP server wanted to perform.

Now my (immature) first idea: 
Isn't it possible for the EAP server to include in the EAP-Request/Identity
appropriate information about the preferred EAP method? Similar to the I-D
"Network Discovery and Selection" of F. Adrangi et al., where this message has
also been extended. 


Thomas
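Thomas proposes signalling the server's preference inside EAP-Request/Identity; the mechanism RFC 3748 already defines is that the server sends an EAP-Request of the Type it prefers and the peer answers with a Nak (Type 3) listing the Types it will accept. The Python below is an added example, not code from this thread, modelling a server that handles that Nak with a minimum-strength policy so the peer's choice of the weakest method (the downgrade case above) is refused rather than followed. The strength ranking and minimum are constructed policy values, and only MD5-Challenge and EAP-TLS are ranked.

```python
import struct

# EAP codes and Types from RFC 3748 (Nak is Type 3, "Legacy Nak").
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_NAK, TYPE_MD5, TYPE_TLS = 1, 3, 4, 13

# Constructed server policy: rank of known methods and the weakest rank
# the server is willing to run. Unknown Types rank 0 and are never chosen.
STRENGTH = {TYPE_MD5: 1, TYPE_TLS: 3}
MIN_STRENGTH = 3

def build_eap(code, ident, eap_type=None, data=b""):
    """Serialize an EAP packet: Code | Identifier | Length | [Type | Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap(pkt):
    """Return (code, identifier, type, type_data); Success/Failure carry no Type."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or (code in (EAP_REQUEST, EAP_RESPONSE) and length < 5):
        raise ValueError("bad EAP length")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return code, ident, None, b""
    return code, ident, pkt[4], pkt[5:]

def server_select(peer_response, ident, proposed):
    """Decide the server's next step after it proposed method `proposed`.
    Returns ('continue', method) or ('fail', None)."""
    code, rid, etype, data = parse_eap(peer_response)
    if code != EAP_RESPONSE or rid != ident:
        return "fail", None          # wrong Code or Identifier mismatch
    if etype == proposed:
        return "continue", proposed  # peer accepted the proposed method
    if etype == TYPE_NAK:
        # Type-Data lists the Types the peer wants, one octet each (0 = none).
        # Keep only those meeting policy; never fall back to a weaker one.
        acceptable = [t for t in data if STRENGTH.get(t, 0) >= MIN_STRENGTH]
        if acceptable:
            return "continue", max(acceptable, key=STRENGTH.get)
    return "fail", None              # downgrade attempt or unknown reply
```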
