Re: Issue 391: Peer-Ids
From: Bernard Aboba (bernard_abobahotmail.com)
Date: Tue, 6 Feb 2007 10:07:31 -0800 (PST)
While the methods defined in RFC 3748 do authenticate the peer identity, that identity is not necessarily the EAP-Response/Identity.

For example, a user might enclose a decorated NAI within the EAP-Response/Identity: example.com!user [at] example2.com.

AAA proxies will strip the 'decoration' from the User-Name attribute, so that by the time the Request arrives at the AAA server, it will contain user [at] example.com.

The identity in the User-Name attribute should be utilized by EAP methods that do not create their own user-specific identities, *not* the EAP-Response/Identity, which RFC 3748 states is only to be used for routing.

Therefore the text should not suggest that the EAP-Response/Identity be exported as the Peer-Id by any method, even the Identity method.

Revised versions of Appendix A and Section 1.4 relating to Peer-Id and Server-Id are enclosed below:

Section 1.4:

  Peer-Id

     As described in [RFC3748] Section 7.3, the identity provided in
     the EAP-Response/Identity may be different from the peer identity
     authenticated by the EAP method.  For example, the identity
     provided in the EAP-Response/Identity may be a privacy identifier
     as described in "The Network Access Identifier" [RFC4282] Section
     2.3, or may be decorated as described in [RFC4282] Section 2.7.
     Where the EAP method authenticates the peer identity, that
     identity is exported by the method as the Peer-Id.  A suitable EAP
     peer name may not always be available.  Where an EAP method does
     not define a method-specific peer identity, the Peer-Id is the
     null string.

  Server-Id

     Where the EAP method authenticates the server identity, that
     identity is exported by the method as the Server-Id.  A suitable
     EAP server name may not always be available.  Where an EAP method
     does not define a method-specific server identity, the Server-Id
     is the null string.

Appendix A:

Appendix A - Exported Parameters in Existing Methods

  This Appendix specifies Session-Id, Peer-Id, Server-Id and Key-
  Lifetime for EAP methods that have been published prior to this
  specification.  Future EAP method specifications MUST include a
  definition of the Session-Id,  Peer-Id and Server-Id (could be the
  empty string).

EAP-Identity

  The EAP-Identity method is defined in [RFC3748].  It does not derive
  keys, and therefore does not define the Session-Id.  The Peer-Id and
  Server-Id are the empty string (zero length).

EAP-Notification

  The EAP-Notification method is defined in [RFC3748].  It does not
  derive keys and therefore does not define the Session-Id.  The Peer-
  Id and Server-Id are the empty string (zero length).

EAP-MD5-Challenge

  The EAP-MD5-Challenge method is defined in [RFC3748].  It does not
  derive keys and therefore does not define the Session-Id.  The Peer-
  Id and Server-Id are the empty string (zero length).

EAP-GTC

  The EAP-GTC method is defined in [RFC3748].  It does not derive keys
  and therefore does not define the Session-Id.  The Peer-Id and
  Server-Id are the empty string (zero length).

EAP-OTP

  The EAP-OTP method is defined in [RFC3748].  It does not derive keys
  and therefore does not define the Session-Id.  The Peer-Id and
  Server-Id are the empty string (zero length).

EAP-AKA

  EAP-AKA is defined in [RFC4187].  The EAP-AKA Session-Id is the
  concatenation of the EAP Type Code (0x17) with the contents of the
  RAND field from the AT_RAND attribute, followed by the contents of
  the AUTN field in the AT_AUTN attribute.

  The Peer-Id is the contents of the Identity field from the
  AT_IDENTITY attribute, using only the Actual Identity Length octets
  from the beginning, however.  Note that the contents are used as they
  are transmitted, regardless of whether the transmitted identity was a
  permanent, pseudonym, or fast EAP re-authentication identity.  The
  Server-Id is the empty string (zero length).

EAP-SIM

  EAP-SIM is defined in [RFC4186].  The EAP-SIM Session-Id is the
  concatenation of the EAP Type Code (0x12) with the contents of the
  RAND field from the AT_RAND attribute, followed by the contents of
  the NONCE_MT field in the AT_NONCE_MT attribute.

  The Peer-Id is the contents of the Identity field from the
  AT_IDENTITY attribute, using only the Actual Identity Length octets
  from the beginning, however.  Note that the contents are used as they
  are transmitted, regardless of whether the transmitted identity was a
  permanent, pseudonym, or fast EAP re-authentication identity.  The
  Server-Id is the empty string (zero length).

EAP-PSK

  EAP-PSK is defined in [RFC4764].  The EAP-PSK Session-Id is the
  concatenation of the EAP Type Code (0x2F) with the peer (RAND_P) and
  server (RAND_S) nonces.  The Peer-Id is the contents of the ID_P
  field and the Server-Id is the contents of the ID_S field.

EAP-SAKE

  EAP-SAKE is defined in [RFC4763].  The EAP-SAKE Session-Id is the
  concatenation of the EAP Type Code (0x30) with the contents of the
  RAND_S field from the AT_RAND_S attribute, followed by the contents
  of the RAND_P field in the AT_RAND_P attribute.  Note that the EAP-
  SAKE Session-Id is not the same as the "Session ID" parameter chosen
  by the Server, which is sent in the first message, and replicated in
  subsequent messages.  The Peer-Id is contained within the value field
  of the AT_PEERID attribute and the Server-Id, if available, is
  contained in the value field of the AT_SERVERID attribute.

EAP-TLS

  For EAP-TLS, the Peer-Id, Server-Id and Session-Id are defined in
  [I-D.simon-emu-rfc2716bis].
