rfc3579.txt
Network Working Group                                           B. Aboba
Request for Comments: 3579                                     Microsoft
Updates: 2869                                                 P. Calhoun
Category: Informational                                        Airespace
                                                          September 2003

          RADIUS (Remote Authentication Dial In User Service)
          Support For Extensible Authentication Protocol (EAP)

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

   This document defines Remote Authentication Dial In User Service
   (RADIUS) support for the Extensible Authentication Protocol (EAP), an
   authentication framework which supports multiple authentication
   mechanisms.  In the proposed scheme, the Network Access Server (NAS)
   forwards EAP packets to and from the RADIUS server, encapsulated
   within EAP-Message attributes.  This has the advantage of allowing
   the NAS to support any EAP authentication method, without the need
   for method-specific code, which resides on the RADIUS server.  While
   EAP was originally developed for use with PPP, it is now also in use
   with IEEE 802.

   This document updates RFC 2869.

Aboba & Calhoun              Informational                      [Page 1]

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  2
       1.1.  Specification of Requirements. . . . . . . . . . . . . .  3
       1.2.  Terminology. . . . . . . . . . . . . . . . . . . . . . .  3
   2.  RADIUS Support for EAP . . . . . . . . . . . . . . . . . . . .  4
       2.1.  Protocol Overview. . . . . . . . . . . . . . . . . . . .  5
       2.2.  Invalid Packets. . . . . . . . . . . . . . . . . . . . .  9
       2.3.  Retransmission . . . . . . . . . . . . . . . . . . . . . 10
       2.4.  Fragmentation. . . . . . . . . . . . . . . . . . . . . . 10
       2.5.  Alternative uses . . . . . . . . . . . . . . . . . . . . 11
       2.6.  Usage Guidelines . . . . . . . . . . . . . . . . . . . . 11
   3.  Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . 14
       3.1.  EAP-Message. . . . . . . . . . . . . . . . . . . . . . . 15
       3.2.  Message-Authenticator. . . . . . . . . . . . . . . . . . 16
       3.3.  Table of Attributes. . . . . . . . . . . . . . . . . . . 18
   4.  Security Considerations. . . . . . . . . . . . . . . . . . . . 19
       4.1.  Security Requirements. . . . . . . . . . . . . . . . . . 19
       4.2.  Security Protocol. . . . . . . . . . . . . . . . . . . . 20
       4.3.  Security Issues. . . . . . . . . . . . . . . . . . . . . 22
   5.  IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 30
   6.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 30
       6.1.  Normative References . . . . . . . . . . . . . . . . . . 30
       6.2.  Informative References . . . . . . . . . . . . . . . . . 32
   Appendix A - Examples. . . . . . . . . . . . . . . . . . . . . . . 34
   Appendix B - Change Log. . . . . . . . . . . . . . . . . . . . . . 43
   Intellectual Property Statement. . . . . . . . . . . . . . . . . . 44
   Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . . 44
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 45
   Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 46

1.  Introduction

   The Remote Authentication Dial In User Service (RADIUS) is an
   authentication, authorization and accounting protocol used to control
   network access.  RADIUS authentication and authorization is specified
   in [RFC2865], and RADIUS accounting is specified in [RFC2866]; RADIUS
   over IPv6 is specified in [RFC3162].

   The Extensible Authentication Protocol (EAP), defined in [RFC2284],
   is an authentication framework which supports multiple authentication
   mechanisms.  EAP may be used on dedicated links, switched circuits,
   and wired as well as wireless links.

   To date, EAP has been implemented with hosts and routers that connect
   via switched circuits or dial-up lines using PPP [RFC1661].  It has
   also been implemented with bridges supporting [IEEE802].  EAP
   encapsulation on IEEE 802 wired media is described in [IEEE8021X].

   RADIUS attributes are comprised of variable length Type-Length-Value
   3-tuples.  New attribute values can be added without disturbing
   existing implementations of the protocol.  This specification
   describes RADIUS attributes supporting the Extensible Authentication
   Protocol (EAP): EAP-Message and Message-Authenticator.  These
   attributes now have extensive field experience.  The purpose of this
   document is to provide clarification and resolve interoperability
   issues.

   As noted in [RFC2865], a Network Access Server (NAS) that does not
   implement a given service MUST NOT implement the RADIUS attributes
   for that service.  This implies that a NAS that is unable to offer
   EAP service MUST NOT implement the RADIUS attributes for EAP.  A NAS
   MUST treat a RADIUS Access-Accept requesting an unavailable service
   as an Access-Reject instead.

1.1.  Specification of Requirements

   In this document, several words are used to signify the requirements
   of the specification.  These words are often capitalized.  The key
   words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
   "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document
   are to be interpreted as described in [RFC2119].

1.2.  Terminology

   This document frequently uses the following terms:

   authenticator
             The end of the link requiring the authentication.  Also
             known as the Network Access Server (NAS) or RADIUS client.
             Within IEEE 802.1X terminology, the term Authenticator is
             used.

   peer      The other end of the point-to-point link (PPP),
             point-to-point LAN segment (IEEE 802.1X) or wireless link,
             which is being authenticated by the authenticator.  In IEEE
             802.1X, this end is known as the Supplicant.

   authentication server
             An authentication server is an entity that provides an
             authentication service to an authenticator (NAS).  This
             service verifies from the credentials provided by the peer,
             the claim of identity made by the peer; it also may provide
             credentials allowing the peer to verify the identity of the
             authentication server.  Within this document it is assumed
             that the NAS operates as a pass-through, forwarding EAP
             packets between the RADIUS server and the EAP peer.
             Therefore the RADIUS server operates as an authentication
             server.

   silently discard
             This means the implementation discards the packet without
             further processing.  The implementation SHOULD provide the
             capability of logging the error, including the contents of
             the silently discarded packet, and SHOULD record the event
             in a statistics counter.

   displayable message
             This is interpreted to be a human readable string of
             characters, and MUST NOT affect operation of the protocol.
             The message encoding MUST follow the UTF-8 transformation
             format [RFC2279].

   Network Access Server (NAS)
             The device providing access to the network.  Also known as
             the Authenticator (IEEE 802.1X or EAP terminology) or
             RADIUS client.

   service   The NAS provides a service to the user, such as IEEE 802 or
             PPP.

   session   Each service provided by the NAS to a peer constitutes a
             session, with the beginning of the session defined as the
             point where service is first provided and the end of the
             session defined as the point where service is ended.  A
             peer may have multiple sessions in parallel or series if
             the NAS supports that, with each session generating a
             separate start and stop accounting record.

2.  RADIUS Support for EAP

   The Extensible Authentication Protocol (EAP), described in [RFC2284],
   provides a standard mechanism for support of additional
   authentication methods without requiring the NAS to be upgraded to
   support each new method.  Through the use of EAP, support for a
   number of authentication schemes may be added, including smart cards,
   Kerberos [RFC1510], Public Key [RFC2716], One Time Passwords
   [RFC2284], and others.

   One of the advantages of the EAP architecture is its flexibility.
   EAP is used to select a specific authentication mechanism.  Rather
   than requiring the NAS to be updated to support each new
   authentication method, EAP permits the use of an authentication
   server implementing authentication methods, with the NAS acting as a
   pass-through for some or all methods and peers.

   A NAS MAY authenticate local peers while at the same time acting as a
   pass-through for non-local peers and authentication methods it does
   not implement locally.  A NAS implementing this specification is not
   required to use RADIUS to authenticate every peer.  However, once the
   NAS begins acting as a pass-through for a particular session, it can
   no longer perform local authentication for that session.

   In order to support EAP within RADIUS, two new attributes,
   EAP-Message and Message-Authenticator, are introduced in this
   document.  This section describes how these new attributes may be
   used for providing EAP support within RADIUS.

2.1.  Protocol Overview

   In RADIUS/EAP, RADIUS is used to shuttle RADIUS-encapsulated EAP
   Packets between the NAS and an authentication server.

   The authenticating peer and the NAS begin the EAP conversation by
   negotiating use of EAP.  Once EAP has been negotiated, the NAS SHOULD
   send an initial EAP-Request message to the authenticating peer.  This
   will typically be an EAP-Request/Identity, although it could be an
   EAP-Request for an authentication method (Types 4 and greater).  A
   NAS MAY be configured to initiate with a default authentication
   method.  This is useful in cases where the identity is determined by
   another means (such as Called-Station-Id, Calling-Station-Id and/or
   Originating-Line-Info); where a single authentication method is
   required, which includes its own identity exchange; or where identity
   hiding is desired, so that the identity is not requested until after
   a protected channel has been set up.

   The peer replies with an EAP-Response.  The NAS MAY determine from
   the Response that it should proceed with local authentication.
   Alternatively, the NAS MAY act as a pass-through, encapsulating the
   EAP-Response within EAP-Message attribute(s) sent to the RADIUS
   server within a RADIUS Access-Request packet.  If the NAS sends an
   EAP-Request/Identity message as the initial packet, the peer responds
   with an EAP-Response/Identity.  The NAS may determine that the peer
   is local and proceed with local authentication.  If no match is found
   against the list of local users, the NAS encapsulates the
   EAP-Response/Identity message within an EAP-Message attribute,
   enclosed within an Access-Request packet.

   On receiving a valid Access-Request packet containing EAP-Message
   attribute(s), a RADIUS server compliant with this specification and
   wishing to authenticate with EAP MUST respond with an
   Access-Challenge packet containing EAP-Message attribute(s).  If the
   RADIUS server does not support EAP or does not wish to authenticate
   with EAP, it MUST respond with an Access-Reject.

   EAP-Message attribute(s) encapsulate a single EAP packet which the
   NAS decapsulates and passes on to the authenticating peer.  The peer
   then responds with an EAP-Response packet, which the NAS encapsulates
   within an Access-Request containing EAP-Message attribute(s).  EAP is
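The pass-through exchange described in section 2.1, worked through in code as an added example (this is not code from the RFC or from any RADIUS implementation). A NAS wraps the peer's EAP-Response/Identity in EAP-Message attributes inside an Access-Request; the server checks the Message-Authenticator before it looks at the EAP payload, reassembles the EAP packet, and answers with an Access-Challenge whose EAP-Request is long enough to be split across two EAP-Message attributes, which the NAS then verifies and decapsulates. Attribute numbers (EAP-Message 79, Message-Authenticator 80), the HMAC-MD5 construction of Message-Authenticator and the 253-octet per-attribute limit are from RFC 3579 and RFC 2865; the shared secret, identity, NAS address and challenge payload are constructed sample values.

```python
"""RADIUS/EAP pass-through round trip (RFC 3579 section 2.1), added example.
Attribute and code numbers come from RFC 2865/2284/3579; the shared secret,
identity, NAS address and challenge contents are constructed sample values."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11                 # RADIUS codes (RFC 2865)
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS = 1, 4
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80    # RFC 3579 section 3
EAP_REQUEST, EAP_RESPONSE = 1, 2                         # EAP codes (RFC 2284)
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4
ATTR_MAX_DATA = 253   # one-octet Length also counts the 2-octet attribute header


def eap_packet(code, identifier, eap_type, type_data):
    """EAP header: Code(1) Identifier(1) Length(2) Type(1), then Type-Data."""
    return struct.pack("!BBHB", code, identifier, 5 + len(type_data), eap_type) + type_data


def tlv(attr_type, value):
    """One RADIUS attribute: Type(1) Length(1) Value, Length including the header."""
    if not 1 <= len(value) <= ATTR_MAX_DATA:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def eap_message_attrs(eap):
    """Section 3.1: an EAP packet over 253 octets is split, in order, across
    consecutive EAP-Message attributes; the receiver concatenates them."""
    return b"".join(tlv(ATTR_EAP_MESSAGE, eap[i:i + ATTR_MAX_DATA])
                    for i in range(0, len(eap), ATTR_MAX_DATA))


def build_packet(code, identifier, request_authenticator, attrs, secret):
    """Assemble the packet, then set Message-Authenticator = HMAC-MD5(secret,
    whole packet with that value zeroed).  For a response the Authenticator
    field holds the Request Authenticator of the Access-Request answered."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs) + 18) + request_authenticator
    zeroed = header + attrs + tlv(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return header + attrs + tlv(ATTR_MESSAGE_AUTHENTICATOR, mac)


def finish_response(packet, request_authenticator, secret):
    """Swap in the RFC 2865 Response Authenticator:
    MD5(Code + ID + Length + Request Authenticator + Attributes + secret)."""
    resp_auth = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return packet[:4] + resp_auth + packet[20:]


def parse_attrs(packet):
    """Return [(type, value), ...]; a bad Length means the packet is discarded."""
    pos, out = 20, []
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 3 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        out.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return out


def verify_message_authenticator(packet, secret, request_authenticator=None):
    """Recompute the HMAC with the received value zeroed (and, for a response,
    the Request Authenticator restored); constant-time compare.  A packet
    carrying EAP-Message without Message-Authenticator fails (section 3.2)."""
    pos = 20
    for attr_type, value in parse_attrs(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = bytearray(packet)
            zeroed[pos + 2:pos + 18] = bytes(16)
            if request_authenticator is not None:
                zeroed[4:20] = request_authenticator
            expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
        pos += 2 + len(value)
    return False


def extract_eap(packet):
    """Reassemble the single EAP packet carried by the EAP-Message attribute(s)."""
    return b"".join(v for t, v in parse_attrs(packet) if t == ATTR_EAP_MESSAGE)


def nas_server_exchange(secret=b"constructed-shared-secret", identity=b"alice@example.com"):
    """NAS -> Access-Request(EAP-Response/Identity) -> server ->
    Access-Challenge(EAP-Request/MD5-Challenge) -> NAS, with integrity checks."""
    req_auth = os.urandom(16)                                # random Request Authenticator
    eap_identity = eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, identity)
    attrs = (tlv(ATTR_USER_NAME, identity)
             + tlv(ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 1]))  # constructed NAS address
             + eap_message_attrs(eap_identity))
    access_request = build_packet(ACCESS_REQUEST, 7, req_auth, attrs, secret)

    # Server: verify first, only then decapsulate the EAP packet.
    server_ok = verify_message_authenticator(access_request, secret)
    eap_at_server = extract_eap(access_request) if server_ok else b""
    # Constructed 262-octet EAP-Request/MD5-Challenge (value-size, value, name);
    # it needs two EAP-Message attributes (253 + 9 octets).
    eap_request = eap_packet(EAP_REQUEST, 2, EAP_TYPE_MD5_CHALLENGE,
                             bytes([16]) + os.urandom(16) + b"n" * 240)
    challenge = build_packet(ACCESS_CHALLENGE, 7, req_auth, eap_message_attrs(eap_request), secret)
    challenge = finish_response(challenge, req_auth, secret)

    # NAS: verify against the Request Authenticator it sent, then decapsulate.
    nas_ok = verify_message_authenticator(challenge, secret, request_authenticator=req_auth)
    tampered = bytearray(access_request)
    tampered[22] ^= 0x01                                     # flip one bit of User-Name
    return {
        "server_verified": server_ok,
        "eap_at_server": eap_at_server,
        "challenge_fragments": sum(1 for t, _ in parse_attrs(challenge) if t == ATTR_EAP_MESSAGE),
        "nas_verified": nas_ok,
        "eap_at_nas": extract_eap(challenge) if nas_ok else b"",
        "expected_eap_request": eap_request,
        "tampered_verified": verify_message_authenticator(bytes(tampered), secret),
        "wrong_secret_verified": verify_message_authenticator(access_request, b"other-secret"),
    }


if __name__ == "__main__":
    r = nas_server_exchange()
    print("server verified:", r["server_verified"], "| NAS verified:", r["nas_verified"],
          "| challenge fragments:", r["challenge_fragments"])
```

Two design points worth noting. The Message-Authenticator is computed while the Authenticator field still holds the Request Authenticator, and only afterwards is that field replaced by the Response Authenticator, so the NAS must put the Request Authenticator it sent back into the packet before recomputing the HMAC. And the order of operations on the server matters: `verify_message_authenticator` runs on the raw packet before `extract_eap`, so a forged or bit-flipped Access-Request (the `tampered` and `wrong_secret` cases) is dropped before any EAP method code sees its payload.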
