RE: Question on EAP statemachine
From: Pasi.Eronen (Pasi.Eronennokia.com)
Date: Wed, 29 Jun 2005 05:16:35 -0400 (EDT)
Hi,

There is no such thing as an "EAP-start" packet in EAP.
802.1X does have an EAPOL-Start packet, but it is sent 
by the 802.1X supplicant (peer); RADIUS (RFC3579) has
an EAP-Start message, but it is sent by the RADIUS client.

How multiple EAP conversations are handled depends a lot
on the lower layer in question. For instance, PANA has 
explicit support for two separate EAP conversations.

Best regards,
Pasi

> -----Original Message-----
> From: ext Mahesh Kelkar [mailto:mkelkar [at] rocketmail.com]
> Sent: Tuesday, June 28, 2005 6:05 PM
> To: npetroni [at] cs.umd.edu; Eronen Pasi (Nokia-NRC/Helsinki);
> jrv [at] umich.edu; yohba [at] tari.toshiba.com; eap [at] frascone.com
> Subject: Question on EAP statemachine
> 
> 
> 
> EAP conversation starts when the EAP-server sends the
> EAP-start packet to the peer and it ends when the
> EAP-server sends the EAP-success or EAP-failure packet to
> the peer. As per RFC 3748, only one authentication method
> is allowed to be negotiated within this conversation.
> 
> Consider a case, where 
> 1. EAP-server (E1) authenticates the peer by negotiating
> the EAP authentication method (say, A1) and sends the
> EAP-success (with an identifier value, say 10). 
> 2. Another EAP-server (E2) is in the network
> 3. Let's assume that E1 can communicate some EAP negotiated
> information to the E2
> 
> Question 1:
> 
> Can EAP-server (E2) start a new EAP negotiation with the
> peer by sending an Identity request packet or an EAP-start
> packet? 
> 
> Thus, the peer would receive an EAP-success packet followed
> by an EAP Identity request or an EAP-start packet.
> 
> Question 2:
> What should the EAP-server (E2) send to the peer in order
> to rekindle the negotiation? an EAP identity request or
> EAP-start packet? 
> 
> If E1 has already conveyed the user-identity (or contents
> of Type-Data field in the EAP Identity response) to E2 then
> E2 can skip the identity exchange and proceed with the
> EAP-start packet. It can help us save the user interaction.
> 
> Question 3:
> What should be the identifier value of the EAP identity
> request or the EAP-start packet? (11?, if identifier value
> of the earlier EAP-success was 10) or (any value, say 1)
> 
> Question 4:
> Can EAP-server (E2) negotiate a different EAP
> authentication method (say, A2) with the peer?
> 
> I could not discern this information from the peer
> state machine and wanted to touch base with you since a lot of
> peer implementations would be based on it.
> 
> Your responses are appreciated.
> 
> Thanks
> Mahesh
> 
> 
> +++++++++++++++++++++++++++++
>  M a h e s h  V  K e l k a r
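
The distinction drawn in the reply at the top of this message, as an added example that is not part of the original thread: EAP itself (RFC 3748) defines only the codes Request, Response, Success and Failure, while "start" exists only in the lower layers, as an 802.1X EAPOL-Start frame or as a RADIUS EAP-Message attribute with no data (RFC 3579). Function names and sample bytes are constructed for illustration.

```python
import struct

# Code points from RFC 3748 (EAP), IEEE 802.1X (EAPOL) and RFC 3579 (RADIUS).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
RADIUS_EAP_MESSAGE = 79  # RADIUS attribute type carrying EAP packets

# Constructed sample bytes (not captured traffic).
SUCCESS_ID10 = bytes([3, 10, 0, 4])     # EAP Success, identifier 10
IDENTITY_REQ = bytes([1, 11, 0, 5, 1])  # EAP Request, identifier 11, Type 1 (Identity)
EAPOL_START = bytes([1, 1, 0, 0])       # EAPOL version 1, type 1, empty body


def parse_eap(pkt: bytes) -> str:
    """Decode an EAP header: Code(1) Identifier(1) Length(2) [Type(1)]."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than 4-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code not in EAP_CODES:
        # There is no "Start" code: anything outside 1..4 is not RFC 3748 EAP.
        raise ValueError(f"code {code} is not an RFC 3748 EAP code")
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length field")
    desc = f"EAP-{EAP_CODES[code]} id={ident}"
    if code in (1, 2):  # only Request/Response carry a Type octet
        if length < 5:
            raise ValueError("Request/Response without Type")
        desc += f" type={pkt[4]}"
    return desc


def parse_eapol(frame: bytes) -> str:
    """Decode an EAPOL PDU: Version(1) Type(1) BodyLength(2) Body."""
    if len(frame) < 4:
        raise ValueError("EAPOL frame shorter than 4-byte header")
    _version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    if ptype == 0:  # EAP-Packet: the body is an EAP packet
        return "EAPOL carrying " + parse_eap(frame[4:4 + body_len])
    return EAPOL_TYPES.get(ptype, f"EAPOL type {ptype}")


def is_radius_eap_start(attr: bytes) -> bool:
    """RFC 3579 EAP-Start: an EAP-Message attribute of length 2 (no data)."""
    return len(attr) >= 2 and attr[0] == RADIUS_EAP_MESSAGE and attr[1] == 2
```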
