📄 rfc2284.txt
字号:
Network Working Group L. Blunk
Request for Comments: 2284 J. Vollbrecht
Category: Standards Track Merit Network, Inc.
March 1998
PPP Extensible Authentication Protocol (EAP)
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1998). All Rights Reserved.
Abstract
The Point-to-Point Protocol (PPP) [1] provides a standard method for
transporting multi-protocol datagrams over point-to-point links.
PPP also defines an extensible Link Control Protocol, which allows
negotiation of an Authentication Protocol for authenticating its peer
before allowing Network Layer protocols to transmit over the link.
This document defines the PPP Extensible Authentication Protocol.
Table of Contents
1. Introduction .......................................... 2
1.1 Specification of Requirements ................... 2
1.2 Terminology ..................................... 2
2. PPP Extensible Authentication Protocol (EAP) .......... 3
2.1 Configuration Option Format ..................... 4
2.2 Packet Format ................................... 6
2.2.1 Request and Response ............................ 6
2.2.2 Success and Failure ............................. 7
3. Initial EAP Request/Response Types .................... 8
3.1 Identity ........................................ 9
3.2 Notification .................................... 10
3.3 Nak ............................................. 10
Blunk & Vollbrecht Standards Track [Page 1]
RFC 2284 EAP March 1998
3.4 MD5-Challenge ................................... 11
3.5 One-Time Password (OTP) ......................... 11
3.6 Generic Token Card .............................. 12
REFERENCES ................................................... 13
ACKNOWLEDGEMENTS ............................................. 14
CHAIR'S ADDRESS .............................................. 14
AUTHORS' ADDRESSES ........................................... 14
Full Copyright Statement ..................................... 15
1. Introduction
In order to establish communications over a point-to-point link, each
end of the PPP link must first send LCP packets to configure the data
link during Link Establishment phase. After the link has been
established, PPP provides for an optional Authentication phase before
proceeding to the Network-Layer Protocol phase.
By default, authentication is not mandatory. If authentication of
the link is desired, an implementation MUST specify the
Authentication-Protocol Configuration Option during Link
Establishment phase.
These authentication protocols are intended for use primarily by
hosts and routers that connect to a PPP network server via switched
circuits or dial-up lines, but might be applied to dedicated links as
well. The server can use the identification of the connecting host
or router in the selection of options for network layer negotiations.
This document defines the PPP Extensible Authentication Protocol
(EAP). The Link Establishment and Authentication phases, and the
Authentication-Protocol Configuration Option, are defined in The
Point-to-Point Protocol (PPP) [1].
1.1. Specification of Requirements
In this document, several words are used to signify the requirements
of the specification. These words are often capitalized. The key
words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
"SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document
are to be interpreted as described in RFC 2119 [6].
1.2. Terminology
This document frequently uses the following terms:
Blunk & Vollbrecht Standards Track [Page 2]
RFC 2284 EAP March 1998
authenticator
The end of the link requiring the authentication. The
authenticator specifies the authentication protocol to be
used in the Configure-Request during Link Establishment
phase.
peer
The other end of the point-to-point link; the end which is
being authenticated by the authenticator.
silently discard
This means the implementation discards the packet without
further processing. The implementation SHOULD provide the
capability of logging the error, including the contents of
the silently discarded packet, and SHOULD record the event
in a statistics counter.
displayable message
This is interpreted to be a human readable string of
characters, and MUST NOT affect operation of the protocol.
The message encoding MUST follow the UTF-8 transformation
format [5].
2. PPP Extensible Authentication Protocol (EAP)
The PPP Extensible Authentication Protocol (EAP) is a general
protocol for PPP authentication which supports multiple
authentication mechanisms. EAP does not select a specific
authentication mechanism at Link Control Phase, but rather postpones
this until the Authentication Phase. This allows the authenticator
to request more information before determining the specific
authentication mechanism. This also permits the use of a "back-end"
server which actually implements the various mechanisms while the PPP
authenticator merely passes through the authentication exchange.
1. After the Link Establishment phase is complete, the authenticator
sends one or more Requests to authenticate the peer. The Request
has a type field to indicate what is being requested. Examples of
Request types include Identity, MD5-challenge, One-Time
Passwords, Generic Token Card, etc. The MD5-challenge type
corresponds closely to the CHAP authentication protocol.
Typically, the authenticator will send an initial Identity Request
followed by one or more Requests for authentication information.
However, an initial Identity Request is not required, and MAY be
bypassed in cases where the identity is presumed (leased lines,
dedicated dial-ups, etc.).
Blunk & Vollbrecht Standards Track [Page 3]
RFC 2284 EAP March 1998
2. The peer sends a Response packet in reply to each Request. As
with the Request packet, the Response packet contains a type field
which corresponds to the type field of the Request.
3. The authenticator ends the authentication phase with a Success or
Failure packet.
Advantages
The EAP protocol can support multiple authentication mechanisms
without having to pre-negotiate a particular one during LCP Phase.
Certain devices (e.g. a NAS) do not necessarily have to understand
each request type and may be able to simply act as a passthrough
agent for a "back-end" server on a host. The device only need look
for the success/failure code to terminate the authentication phase.
Disadvantages
EAP does require the addition of a new authentication type to LCP and
thus PPP implementations will need to be modified to use it. It also
strays from the previous PPP authentication model of negotiating a
specific authentication mechanism during LCP.
2.1. Configuration Option Format
A summary of the Authentication-Protocol Configuration Option format
to negotiate the EAP Authentication Protocol is shown below. The
fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Authentication-Protocol |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
3
Length
4
Authentication-Protocol
C227 (Hex) for PPP Extensible Authentication Protocol (EAP)
Blunk & Vollbrecht Standards Track [Page 4]
RFC 2284 EAP March 1998
2.2. Packet Format
Exactly one PPP EAP packet is encapsulated in the Information field
of a PPP Data Link Layer frame where the protocol field indicates
type hex C227 (PPP EAP). A summary of the EAP packet format is shown
below. The fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Data ...
+-+-+-+-+
Code
The Code field is one octet and identifies the type of EAP packet.
EAP Codes are assigned as follows:
1 Request
2 Response
3 Success
4 Failure
Identifier
The Identifier field is one octet and aids in matching
responses with requests.
Length
The Length field is two octets and indicates the length of the
EAP packet including the Code, Identifier, Length and Data
fields. Octets outside the range of the Length field should
be treated as Data Link Layer padding and should be ignored on
reception.
Data
The Data field is zero or more octets. The format of the Data
field is determined by the Code field.
Blunk & Vollbrecht Standards Track [Page 5]
RFC 2284 EAP March 1998
2.2.1. Request and Response
Description
The Request packet is sent by the authenticator to the peer. Each
Request has a type field which serves to indicate what is being
requested. The authenticator MUST transmit an EAP packet with the
Code field set to 1 (Request). Additional Request packets MUST be
sent until a valid Response packet is received, or an optional
retry counter expires. Retransmitted Requests MUST be sent with
the same Identifier value in order to distinguish them from new
Requests. The contents of the data field is dependent on the
Request type. The peer MUST send a Response packet in reply to a
Request packet. Responses MUST only be sent in reply to a
received Request and never retransmitted on a timer. The
Identifier field of the Response MUST match that of the Request.
Implementation Note: Because the authentication process will
often involve user input, some care must be taken when deciding
upon retransmission strategies and authentication timeouts. It
is suggested a retransmission timer of 6 seconds with a maximum
of 10 retransmissions be used as default. One may wish to make
these timeouts longer in certain cases (e.g. where Token Cards
are involved). Additionally, the peer must be prepared to
silently discard received retransmissions while waiting for
user input.
A summary of the Request and Response packet format is shown below.
The fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Type-Data ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Code
1 for Request;
2 for Response.
Blunk & Vollbrecht Standards Track [Page 6]
RFC 2284 EAP March 1998
Identifier
The Identifier field is one octet. The Identifier field MUST be
the same if a Request packet is retransmitted due to a timeout
while waiting for a Response. Any new (non-retransmission)
Requests MUST modify the Identifier field. If a peer recieves a
duplicate Request for which it has already sent a Response, it
MUST resend it's Response. If a peer receives a duplicate Request
before it has sent a Response to the initial Request (i.e. it's
waiting for user input), it MUST silently discard the duplicate
Request.
Length
The Length field is two octets and indicates the length of the EAP
packet including the Code, Identifier, Length, Type, and Type-Data
fields. Octets outside the range of the Length field should be
treated as Data Link Layer padding and should be ignored on
reception.
Type
The Type field is one octet. This field indicates the Type of
Request or Response. Only one Type MUST be specified per EAP
Request or Response. Normally, the Type field of the Response
will be the same as the Type of the Request. However, there is
also a Nak Response Type for indicating that a Request type is
unacceptable to the peer. When sending a Nak in response to a
Request, the peer MAY indicate an alternative desired
authentication Type which it supports. An initial specification of
Types follows in a later section of this document.
Type-Data
The Type-Data field varies with the Type of Request and the
associated Response.
2.2.2. Success and Failure
Description
The Success packet is sent by the authenticator to the peer to
acknowledge successful authentication. The authenticator MUST
transmit an EAP packet with the Code field set to 3 (Success).
If the authenticator cannot authenticate the peer (unacceptable
Responses to one or more Requests) then the implementation MUST
transmit an EAP packet with the Code field set to 4 (Failure). An
Blunk & Vollbrecht Standards Track [Page 7]
RFC 2284 EAP March 1998
authenticator MAY wish to issue multiple Requests before sending a
Failure response in order to allow for human typing mistakes.
Implementation Note: Because the Success and Failure packets
are not acknowledged, they may be potentially lost. A peer
MUST allow for this circumstance. The peer can use a Network
Protocol packet as an alternative indication of Success.
Likewise, the receipt of a LCP Terminate-Request can be taken
as a Failure.
A summary of the Success and Failure packet format is shown below.
The fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Code
3 for Success;
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -