draft-beaulieu-ike-xauth-02.txt
or assist in its implementation may be prepared, copied, published and
distributed, in whole or in part, without restriction of any kind,
provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into

Beaulieu, Pereira 16 Extended Authentication with ISAKMP/Oakley October 2001

Appendix A

This appendix gives more useful examples of Extended Authentication.

SDI through RADIUS
==================

The following three examples show SDI running through RADIUS. Since
the edge device does not necessarily know that SDI is in use, it will
typically send everything in terms of Username and Password. This
results in the user being prompted with a password dialog when it
isn't really a password that is required. This tends to be a little
confusing, but it is really a limitation of RADIUS.

NOTE: The edge device may choose to try and detect these situations
and send better suited XAUTH attributes (such as XAUTH ANSWER or XAUTH
NEXT PIN). The Client is typically protocol agnostic and will prompt
the user for whatever attributes the edge device requests.

Example A-1:
============
Secure ID Next PIN mode via RADIUS (Scenario 1 - SDI generated next pin)

   IPsec Client                              IPsec Gateway
   ------------                              -------------
                          <-- REQUEST(Username = '', Password = '')
   REPLY(Username = 'joe', Password = '1637364856') -->
                          <-- REQUEST(Username = '', Password = '',
                                      XAUTH_MESSAGE = 'The system has
                                      assigned you a new PIN of '1234',
                                      please re-enter your username and
                                      password')
   REPLY(Username = 'joe', Password = '1234764456') -->
                          <-- SET(XAUTH_STATUS = OK)
   ACK(XAUTH_STATUS) -->

Example A-2:
============
Secure ID Next PIN mode via RADIUS (Scenario 2 - User generated next pin)

   IPsec Client                              IPsec Gateway
   ------------                              -------------
                          <-- REQUEST(Username = '', Password = '')
   REPLY(Username = 'joe', Password = '1637364856') -->
                          <-- REQUEST(Username = '', Password = '',
                                      XAUTH_MESSAGE = 'Enter your new
                                      PIN containing 4-6 digits')
   REPLY(Username = 'joe', Password = '1234') -->
                          <-- REQUEST(Username = '', Password = '')
   REPLY(Username = 'joe', Password = '1234764456') -->
                          <-- SET(XAUTH_STATUS = OK)
   ACK(XAUTH_STATUS) -->

Example A-3:
============
Secure ID Next PIN mode via RADIUS (Scenario 3 - RADIUS server offers
choice of generating new PIN)

   IPsec Client                              IPsec Gateway
   ------------                              -------------
                          <-- REQUEST(Username = '', Password = '')
   REPLY(Username = 'joe', Password = '1637364856') -->
                          <-- REQUEST(Username = '', Password = '',
                                      XAUTH_MESSAGE = 'You must start
                                      using a new PIN. Would you like
                                      to generate your own PIN (y/n)?')
   REPLY(Username = 'joe', Password = 'y') -->
                          <-- REQUEST(Username = '', Password = '',
                                      XAUTH_MESSAGE = 'Enter your new
                                      PIN containing 4-6 digits')
   REPLY(Username = 'joe', Password = '1234') -->
                          <-- REQUEST(Username = '', Password = '')
   REPLY(Username = 'joe', Password = '1234764456') -->
                          <-- SET(XAUTH_STATUS = OK)
   ACK(XAUTH_STATUS) -->

Native SDI
==========

When doing native SDI between the edge device and the SDI server, the
edge device has more information about what type of information is
required from the user. The edge device can therefore use more
intuitive attributes in certain situations as compared with the RADIUS
examples above.

Example A-4:
============
Secure ID Next PIN mode (Scenario 1 - SDI generated next pin)

   IPsec Client                              IPsec Gateway
   ------------                              -------------
                          <-- REQUEST(Username = '', Passcode = '')
   REPLY(Username = 'joe', Passcode = '1637364856') -->
                          <-- REQUEST(Username = '', Passcode = '',
                                      XAUTH_MESSAGE = 'The system has
                                      assigned you a new PIN of '1234',
                                      please re-enter your username and
                                      passcode')
   REPLY(Username = 'joe', Passcode = '1234764456') -->
                          <-- SET(STATUS = OK)
   ACK(STATUS) -->

Example A-5:
============
Secure ID Next PIN mode (Scenario 2 - User generated next pin)

   IPsec Client                              IPsec Gateway
   ------------                              -------------
                          <-- REQUEST(Username = '', Passcode = '')
   REPLY(Username = 'joe', Passcode = '1637364856') -->
                          <-- REQUEST(NEXT_PIN = '',
                                      XAUTH_MESSAGE = 'Enter your new
                                      PIN containing 4-6 digits')
   REPLY(NEXT_PIN = '1234') -->
                          <-- REQUEST(Username = '', Passcode = '')
   REPLY(Username = 'joe', Passcode = '1234764456') -->
                          <-- SET(STATUS = OK)
   ACK(STATUS) -->

Example A-6:
============
Secure ID Next PIN mode (Scenario 3 - SDI server offers choice of
generating new PIN)

   IPsec Client                              IPsec Gateway
   ------------                              -------------
                          <-- REQUEST(Username = '', Passcode = '')
   REPLY(Username = 'joe', Passcode = '1637364856') -->
                          <-- REQUEST(ANSWER = '',
                                      XAUTH_MESSAGE = 'You must start
                                      using a new PIN. Would you like
                                      to generate your own PIN (y/n)?')
   REPLY(ANSWER = 'y') -->
                          <-- REQUEST(NEXT_PIN = '',
                                      XAUTH_MESSAGE = 'Enter your new
                                      PIN containing 4-6 digits')
   REPLY(NEXT_PIN = '1234') -->
                          <-- REQUEST(Username = '', Passcode = '')
   REPLY(Username = 'joe', Passcode = '1234764456') -->
                          <-- SET(STATUS = OK)
   ACK(STATUS) -->

Example A-7:
============
SDI next cardcode

   IPsec Client                              IPsec Gateway
   ------------                              -------------
                          <-- REQUEST(Username = '', Passcode = '')
   REPLY(Username = 'joe', Passcode = '1637364856') -->
                          <-- REQUEST(Username = '', Passcode = '',
                                      XAUTH_MESSAGE = 'Your token is
                                      out of sync with the server,
                                      please enter a new passcode.')
   REPLY(Username = 'joe', Passcode = '1637904324') -->
                          <-- SET(STATUS = OK)
   ACK(STATUS) -->

RADIUS Chap Challenge
=====================

Example A-8:
============

   IPsec Client                              IPsec Gateway
   ------------                              -------------
                          <-- REQUEST(TYPE = RADIUS-CHAP,
                                      Username = '',
                                      Password = '',
                                      Challenge =
                                      0x01020304050607080910111213141516)
   REPLY(TYPE = RADIUS-CHAP,
         Username = 'joe',
         Password = '0xaa11121314151617181920212223242526') -->
                          <-- SET(STATUS = OK)
   ACK(STATUS) -->

where the Challenge in the REQUEST is the random number generated by
the edge device, and the Password in the reply contains the ID used to
calculate the hash ('aa') concatenated with the hash of
(ID + secret + challenge).
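The protocol-agnostic client behaviour described in the NOTE above, as an added example that is not part of the draft: a client turn that fills in whatever empty attributes the gateway asks for, shows XAUTH_MESSAGE as the prompt without echoing it, and acknowledges a STATUS SET by attribute name. It is driven through Example A-6 (native SDI, scenario 3); attribute names follow the appendix shorthand, and the gateway messages and user inputs are constructed test data.

```python
# Added example (not the draft's code): one client turn of the Appendix A dialogs.
MESSAGE_ATTR = "XAUTH_MESSAGE"
STATUS_ATTRS = ("STATUS", "XAUTH_STATUS")


def client_turn(msg_type, attrs, prompt):
    """Build the client's answer to a single gateway message.

    The client never interprets the dialog: each attribute that arrives with an
    empty value is asked of the user via prompt(name, message), where message is
    the gateway's XAUTH_MESSAGE (or ''); XAUTH_MESSAGE itself is never returned.
    A SET of the status attribute is acknowledged by attribute name only.
    Attributes that arrive pre-filled do not occur in Examples A-1 to A-7 and
    are passed over here.
    """
    if msg_type == "SET":
        return "ACK", [name for name in attrs if name in STATUS_ATTRS]
    if msg_type != "REQUEST":
        raise ValueError("unexpected gateway message type: %s" % msg_type)
    message = attrs.get(MESSAGE_ATTR, "")
    reply = {}
    for name, value in attrs.items():
        if name != MESSAGE_ATTR and value == "":
            reply[name] = prompt(name, message)
    return "REPLY", reply


def run_exchange(gateway_msgs, answers):
    """Replay a scripted gateway conversation; `answers` maps an attribute
    name to the user's successive inputs for it, consumed in order."""
    queues = {name: list(inputs) for name, inputs in answers.items()}

    def prompt(name, message):
        return queues[name].pop(0)

    return [client_turn(kind, attrs, prompt) for kind, attrs in gateway_msgs]


# Example A-6 transcribed as constructed data: the gateway's messages in order.
EXAMPLE_A6 = [
    ("REQUEST", {"Username": "", "Passcode": ""}),
    ("REQUEST", {"ANSWER": "", MESSAGE_ATTR: "You must start using a new PIN. "
                 "Would you like to generate your own PIN (y/n)?"}),
    ("REQUEST", {"NEXT_PIN": "", MESSAGE_ATTR: "Enter your new PIN containing 4-6 digits"}),
    ("REQUEST", {"Username": "", "Passcode": ""}),
    ("SET", {"STATUS": "OK"}),
]
# joe's inputs: current passcode, 'y', the new PIN, then new PIN + fresh tokencode.
A6_ANSWERS = {"Username": ["joe", "joe"], "Passcode": ["1637364856", "1234764456"],
              "ANSWER": ["y"], "NEXT_PIN": ["1234"]}
```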
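The Password attribute of Example A-8, as an added worked example that is not part of the draft: the client encodes the one-byte CHAP ID ('aa') followed by MD5(ID || secret || challenge), the CHAP computation of RFC 1994 that RADIUS CHAP carries, and the RADIUS server, which holds the cleartext secret and issued the challenge, recomputes it and compares in constant time. The edge device itself only relays the values; the ID, challenge and secret below are constructed sample data.

```python
import hashlib
import hmac

# Constructed sample values modelled on Example A-8 (not from a real deployment).
CHAP_ID = 0xAA  # one-byte CHAP Identifier; the 'aa' prefix in the appendix's reply
CHALLENGE = bytes.fromhex("01020304050607080910111213141516")  # 16-byte edge-device challenge
SECRET = b"joe-password"  # joe's cleartext password, known to client and RADIUS server


def chap_response(chap_id, secret, challenge):
    """CHAP response as specified by RFC 1994: MD5(ID || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def build_xauth_password(chap_id, secret, challenge):
    """Encode the Password attribute of the XAUTH REPLY in Example A-8:
    '0x' + one-byte ID + 16-byte MD5 response, as a hex string."""
    return "0x" + bytes([chap_id]).hex() + chap_response(chap_id, secret, challenge).hex()


def parse_xauth_password(value):
    """Split the Password attribute back into (ID, 16-byte response).
    Anything that is not exactly 17 bytes is rejected before any comparison."""
    body = value[2:] if value[:2].lower() == "0x" else value
    raw = bytes.fromhex(body)  # raises ValueError on non-hex input
    if len(raw) != 1 + hashlib.md5().digest_size:
        raise ValueError("expected ID (1 byte) + MD5 digest (16 bytes)")
    return raw[0], raw[1:]


def verify_xauth_password(value, secret, challenge):
    """Check a REPLY Password the way the authenticating server does: recompute
    MD5(ID || secret || challenge) from the stored secret and the challenge it
    issued, then compare in constant time. Malformed input simply fails."""
    try:
        chap_id, received = parse_xauth_password(value)
    except ValueError:
        return False
    expected = chap_response(chap_id, secret, challenge)
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    reply = build_xauth_password(CHAP_ID, SECRET, CHALLENGE)
    print("REPLY Password =", reply)
    print("server verifies:", verify_xauth_password(reply, SECRET, CHALLENGE))
```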