RE: Question on EAP statemachine
From: Mahesh Kelkar (mkelkar [at] rocketmail.com)
Date: Wed, 29 Jun 2005 09:39:01 -0400 (EDT)
Pasi,

Sorry about that; by EAP-start I meant the first EAP
request packet originating from the backend authentication
server (assuming that authenticator & backend
authentication servers are different & EAP-server resides
on the backend authentication server). Ex. EAP-TLS sets the
start bit of the first EAP-TLS packet and hence I used the
name EAP-start packet.

I was trying to elaborate the definition of EAP conversation
and wanted to get some feedback on it. 

I wanted to find out if we can negotiate EAP twice (or
multiple times, one after the other and not
simultaneously). Does peer statemachine support that? Can we
use different authentication methods for each EAP
negotiation? etc. 

Thanks
Mahesh

--- Pasi.Eronen [at] nokia.com wrote:

> Hi,
> 
> There is no such thing as an "EAP-start" packet in EAP.
> 802.1X does have an EAPOL-Start packet, but it is sent 
> by the 802.1X supplicant (peer); RADIUS (RFC3579) has
> an EAP-Start message, but it is sent by the RADIUS
> client.
> 
> How multiple EAP conversations are handled depends a lot
> on the lower layer in question. For instance, PANA has 
> explicit support for two separate EAP conversations.
> 
> Best regards,
> Pasi
> 
> > -----Original Message-----
> > From: ext Mahesh Kelkar [mailto:mkelkar [at] rocketmail.com]
> > Sent: Tuesday, June 28, 2005 6:05 PM
> > To: npetroni [at] cs.umd.edu; Eronen Pasi (Nokia-NRC/Helsinki);
> > jrv [at] umich.edu; yohba [at] tari.toshiba.com; eap [at] frascone.com
> > Subject: Question on EAP statemachine
> > 
> > EAP conversation starts when the EAP-server sends the
> > EAP-start packet to the peer and it ends when the
> > EAP-server sends the EAP-success or EAP-failure packet to
> > the peer. As per RFC 3748, only one authentication method
> > is allowed to be negotiated within this conversation.
> > 
> > Consider a case, where 
> > 1. EAP-server (E1) authenticates the peer by negotiating
> > the EAP authentication method (say, A1) and sends the
> > EAP-success (with an identifier value, say 10). 
> > 2. Another EAP-server (E2) is in the network
> > 3. Let's assume that E1 can communicate some EAP negotiated
> > information to the E2
> > 
> > Question 1:
> > 
> > Can EAP-server (E2) start a new EAP negotiation with the
> > peer by sending an Identity request packet or an EAP-start
> > packet? 
> > 
> > Thus, the peer would receive an EAP-success packet followed
> > by an EAP Identity request or an EAP-start packet.
> > 
> > Question 2:
> > What should the EAP-server (E2) send to the peer in order
> > to rekindle the negotiation? an EAP identity request or
> > EAP-start packet? 
> > 
> > If E1 has already conveyed the user-identity (or contents
> > of Type-Data field in the EAP Identity response) to E2 then
> > E2 can skip the identity exchange and proceed with the
> > EAP-start packet. It can help us save the user interaction.
> > 
> > Question 3:
> > What should be the identifier value of the EAP identity
> > request or the EAP-start packet? (11?, if identifier value
> > of the earlier EAP-success was 10) or (any value, say 1)
> > 
> > Question 4:
> > Can EAP-server (E2) negotiate a different EAP
> > authentication method (say, A2) with the peer?
> > 
> > I could not discern this information from the peer
> > statemachine and wanted to touch base with you since a lot of
> > peer implementations would be based on it.
> > 
> > Your responses are appreciated.
> > 
> > Thanks
> > Mahesh
> > 
> > +++++++++++++++++++++++++++++
> >  M a h e s h  V  K e l k a r
> 


+++++++++++++++++++++++++++++
 M a h e s h  V  K e l k a r
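The thread turns on where an EAP conversation begins and ends on the peer side, and on what the peer sees when a further Request arrives after an EAP-Success. The following is an added example, not code from any participant in the thread or from any EAP implementation: a small parser for the RFC 3748 packet header (Code, Identifier, Length, Type, Type-Data), a check for the EAP-TLS start bit that Mahesh refers to as the "EAP-start" packet (Type 13, S flag 0x20 in the first Type-Data byte), and a tracker that records conversation boundaries exactly as the original message defines them. It does not decide how a peer should answer a post-Success Request, which the thread leaves open; it only surfaces that event with both identifiers so a peer implementation or a monitor can apply whatever policy the lower layer prescribes. All packets in `demo()` are constructed samples.

```python
"""EAP (RFC 3748) header parser plus a conversation-boundary tracker.

Added example for this thread; not code from any participant or EAP stack.
Layout per RFC 3748 section 4: Code(1) Identifier(1) Length(2) and, for
Request/Response, Type(1) Type-Data. EAP-TLS (Type 13) carries a Flags byte
first in Type-Data; 0x20 is the S (start) bit. Sample packets are constructed.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

CODE_REQUEST, CODE_RESPONSE, CODE_SUCCESS, CODE_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY = 1
TYPE_EAP_TLS = 13
EAP_TLS_FLAG_START = 0x20


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    type: Optional[int]   # None for Success/Failure, which carry no Type
    type_data: bytes


def build_eap(code: int, identifier: int, type_: Optional[int] = None,
              type_data: bytes = b"") -> bytes:
    """Serialise one EAP packet (used here only to construct sample input)."""
    body = b"" if type_ is None else bytes([type_]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(buf: bytes) -> EapPacket:
    """Parse one EAP packet; reject Length values the received bytes cannot back."""
    if len(buf) < 4:
        raise ValueError("short EAP header")
    code, ident, length = struct.unpack("!BBH", buf[:4])
    if length < 4 or length > len(buf):
        raise ValueError("EAP Length field inconsistent with received data")
    body = buf[4:length]
    if code in (CODE_REQUEST, CODE_RESPONSE):
        if not body:
            raise ValueError("Request/Response must carry a Type byte")
        return EapPacket(code, ident, length, body[0], body[1:])
    if code in (CODE_SUCCESS, CODE_FAILURE):
        if length != 4:
            raise ValueError("Success/Failure must be exactly 4 bytes")
        return EapPacket(code, ident, length, None, b"")
    raise ValueError(f"unknown EAP Code {code}")


def is_eap_tls_start(pkt: EapPacket) -> bool:
    """True for an EAP-TLS Request whose Flags byte has the S bit set."""
    return (pkt.code == CODE_REQUEST and pkt.type == TYPE_EAP_TLS
            and len(pkt.type_data) >= 1
            and bool(pkt.type_data[0] & EAP_TLS_FLAG_START))


class ConversationTracker:
    """Conversation opens at the first server Request and closes at
    Success/Failure, as the thread defines it. A Request arriving after a
    result is reported as its own event; the policy for it is left to the caller."""

    def __init__(self) -> None:
        self.open = False
        self.last_result_id: Optional[int] = None
        self.events: List[str] = []

    def observe(self, buf: bytes) -> str:
        pkt = parse_eap(buf)
        if pkt.code == CODE_REQUEST:
            if self.open:
                ev = "request"
            elif self.last_result_id is None:
                ev = "conversation-open"
            else:
                ev = f"request-after-result(prev_id={self.last_result_id}, id={pkt.identifier})"
            self.open = True
            if is_eap_tls_start(pkt):
                ev += "+eap-tls-start"
        elif pkt.code == CODE_RESPONSE:
            ev = "response"
        else:
            ev = "success" if pkt.code == CODE_SUCCESS else "failure"
            self.open = False
            self.last_result_id = pkt.identifier
        self.events.append(ev)
        return ev


def demo() -> List[str]:
    """Constructed exchange: Identity, EAP-TLS start, Success (id 10),
    then a further Identity Request (id 11) as in the thread's scenario."""
    tracker = ConversationTracker()
    for buf in (
        build_eap(CODE_REQUEST, 1, TYPE_IDENTITY),
        build_eap(CODE_RESPONSE, 1, TYPE_IDENTITY, b"alice@example.org"),
        build_eap(CODE_REQUEST, 2, TYPE_EAP_TLS, bytes([EAP_TLS_FLAG_START])),
        build_eap(CODE_RESPONSE, 2, TYPE_EAP_TLS, bytes([0x00])),
        build_eap(CODE_SUCCESS, 10),
        build_eap(CODE_REQUEST, 11, TYPE_IDENTITY),
    ):
        tracker.observe(buf)
    return tracker.events


if __name__ == "__main__":
    for ev in demo():
        print(ev)
```

Running the script prints one event per packet; the last line, `request-after-result(prev_id=10, id=11)`, is the exact situation Question 1 and Question 3 ask about, carried with both identifier values so that whichever rule the lower layer adopts can be applied at that point. The Length checks in `parse_eap` are the part a peer must not skip, since a Length field larger than the received datagram is the classic way a malformed packet reaches the method-specific parser.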
