draft-haverinen-pppext-eap-sim-11.txt
pseudonym received in AT_NEXT_PSEUDONYM. For example, the client
MUST NOT prepend any leading characters in the pseudonym.
On re-authentication, the client uses the re-authentication identity
received as part of the previous authentication sequence as the NAI.
A new re-authentication identity may be delivered as part of both
full authentication and re-authentication. The client MUST NOT
modify the re-authentication identity received in AT_NEXT_REAUTH_ID.
For example, the client MUST NOT prepend any leading characters in
the re-authentication identity.
If no configured realm name is available, the client MAY derive the
realm name from the MCC and MNC portions of the IMSI. A recommended
way to derive the realm from the IMSI will be specified in [6].
Haverinen and Salowey Expires in six months [Page 9]
Internet Draft EAP SIM Authentication June 2003
Alternatively, the realm name may be obtained by concatenating
"mnc", the MNC digits of IMSI, ".mcc", the MCC digits of IMSI and
".owlan.org". For example, if the IMSI is 123456789098765, and the
MNC is three digits long, then the derived realm name is
"mnc456.mcc123.owlan.org".
If the client is not able to determine whether the MNC is two or
three digits long, the client MAY use a 3-digit MNC. If the correct
length of the MNC is two, then the MNC used in the realm name will
include the first digit of MSIN. Hence, when configuring AAA
networks for operators that have 2-digit MNC's, the network SHOULD
also be prepared for realm names with incorrect 3-digit MNC's.
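The realm derivation above, as an added worked example (not part of the draft): it builds the "mnc<MNC>.mcc<MCC>.owlan.org" realm from an IMSI and lists both realm names a network for a 2-digit-MNC operator should be prepared to accept. The function and helper names are this example's own.

```python
# Added example (not from the draft): derive the EAP/SIM realm from an IMSI
# as described above, and list the realm names an AAA network should accept
# when an operator's MNC is two digits but a client guessed three.

def derive_realm(imsi: str, mnc_len: int) -> str:
    """Return "mnc<MNC>.mcc<MCC>.owlan.org" for the given IMSI.

    The MCC is always the first three digits; the MNC is the next
    mnc_len (2 or 3) digits, and the remainder is the MSIN.
    """
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15:
        raise ValueError("IMSI must be 6 to 15 decimal digits")
    if mnc_len not in (2, 3):
        raise ValueError("MNC is 2 or 3 digits long")
    mcc, mnc = imsi[:3], imsi[3:3 + mnc_len]
    return f"mnc{mnc}.mcc{mcc}.owlan.org"


def acceptable_realms(imsi: str, true_mnc_len: int) -> set:
    """Realm names a network serving this subscriber should be prepared for.

    A client that cannot tell the MNC length MAY use three digits. When the
    real MNC is two digits, the third "MNC" digit is then the first digit
    of the MSIN, so both forms must be accepted (the SHOULD above).
    """
    realms = {derive_realm(imsi, true_mnc_len)}
    if true_mnc_len == 2:
        realms.add(derive_realm(imsi, 3))
    return realms
```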
5.2. Obtaining Subscriber Identity via EAP/SIM Messages
It may be useful to obtain the identity of the subscriber through
means other than EAP Request/Identity. This can eliminate the need
for an identity request when using EAP method negotiation. Without
this, it might not be possible to negotiate EAP/SIM as the second
method, since it is not specified how a new EAP Request/Identity
would be handled.
If the EAP server has not received any identity (permanent identity,
pseudonym or re-authentication identity) from the client when
sending the first EAP/SIM request, then the EAP server SHOULD issue
the EAP-Request/SIM/Start packet and include the AT_ANY_ID_REQ
attribute (specified in Section 9). This attribute does not contain
any data.
If the EAP server has received an EAP-Response/Identity packet but
the contents do not appear to be a valid permanent identity,
pseudonym or a re-authentication identity, the EAP server SHOULD
issue an EAP-Request/SIM/Start packet with the AT_ANY_ID_REQ
attribute.
In some environments the intermediate entities or software layers in
the client may modify the identity string in the EAP-
Response/Identity packet. For example, some EAP layer
implementations may cache the identity string from the first
authentication and do not obtain a new identity string from the EAP
method implementation on subsequent authentication exchanges.
Because the identity string is used in key derivation, such
modifications will result in failed authentication unless the EAP
server uses the AT_ANY_ID_REQ attribute to obtain an unmodified copy
of the identity string. Therefore, in cases when there is a
possibility that an intermediate element or software layer may
modify the EAP-Response/Identity packet, the EAP server SHOULD
always use the AT_ANY_ID_REQ attribute, even if the identity
received in EAP-Response/Identity was valid.
The AT_ANY_ID_REQ attribute requests the client to include the
AT_IDENTITY attribute (specified in Section 10) in the EAP-
Response/SIM/Start packet. The identity format in the AT_IDENTITY
attribute is the same as in the EAP-Response/Identity packet. The
AT_IDENTITY attribute contains a permanent identity, a pseudonym
identity or a re-authentication identity. If the server does not
support re-authentication, it uses the AT_FULLAUTH_ID_REQ attribute
instead of the AT_ANY_ID_REQ attribute to directly request a
full authentication identity (either the permanent identity or a
pseudonym identity). If the server uses the AT_FULLAUTH_ID_REQ
attribute, the client MUST NOT use a re-authentication identity in
the AT_IDENTITY attribute.
The use of pseudonyms for anonymity is specified in Section 5.3. The
use of re-authentication identities is specified in Section 6.
This case for full authentication is illustrated in the figure
below. In this case, AT_IDENTITY contains either the permanent
identity or a pseudonym identity. The same sequence is also used in
case the server uses the AT_FULLAUTH_ID_REQ in EAP-
Request/SIM/Start.
Client                                                Authenticator
   |                                                      |
   |                            +------------------------------+
   |                            | Server does not have any     |
   |                            | Subscriber identity available|
   |                            | When starting EAP/SIM        |
   |                            +------------------------------+
   |                                                      |
   |                      EAP-Request/SIM/Start           |
   |                 (AT_ANY_ID_REQ, AT_VERSION_LIST)     |
   |<------------------------------------------------------|
   |                                                      |
   |                                                      |
   |                      EAP-Response/SIM/Start          |
   |                     (AT_IDENTITY, AT_NONCE_MT,       |
   |                        AT_SELECTED_VERSION)          |
   |------------------------------------------------------>|
   |                                                      |
If the client wants to perform full authentication, it includes the
permanent identity or a pseudonym identity in the AT_IDENTITY
attribute. The client may use these identities in response to either
AT_ANY_ID_REQ or AT_FULLAUTH_ID_REQ. In this case, the client MUST
include AT_NONCE_MT and AT_SELECTED_VERSION attributes in EAP-
Response/SIM/Start message, as required on full authentication.
If the server uses the AT_ANY_ID_REQ and the client wants to perform
re-authentication, then the client includes a re-authentication
identity in the AT_IDENTITY attribute. On re-authentication, the
client MUST NOT include AT_NONCE_MT or AT_SELECTED_VERSION
attributes. This case is illustrated below.
Client                                                Authenticator
   |                                                      |
   |                            +------------------------------+
   |                            | Server does not have any     |
   |                            | Subscriber identity available|
   |                            | When starting EAP/SIM        |
   |                            +------------------------------+
   |                                                      |
   |                      EAP-Request/SIM/Start           |
   |                 (AT_ANY_ID_REQ, AT_VERSION_LIST)     |
   |<------------------------------------------------------|
   |                                                      |
   |                                                      |
   |                      EAP-Response/SIM/Start          |
   | (AT_IDENTITY containing a re-authentication identity)|
   |------------------------------------------------------>|
   |                                                      |
If the client uses its full authentication identity and the
AT_IDENTITY attribute contains a valid permanent identity or a valid
pseudonym identity that the EAP server is able to decode to the
permanent identity, then the full authentication sequence proceeds
as usual with the EAP Server issuing the EAP-Request/SIM/Challenge
message.
On re-authentication, if the AT_IDENTITY attribute contains a valid
re-authentication identity and the server agrees on using re-
authentication, then the server proceeds with the re-authentication
sequence and issues the EAP-Request/SIM/Re-authentication packet, as
specified in Section 6. If the server does not recognize the re-
authentication identity, then the server issues a second EAP-
Request/SIM/Start message and includes the AT_FULLAUTH_ID_REQ
attribute. In this case, a second EAP/SIM/Start round trip is
required. The messages used on the first round trip are ignored.
(However, all EAP/SIM/Start messages are taken into account when
calculating the checkcode for AT_CHECKCODE. AT_CHECKCODE is
specified in Section 8.2.) This is illustrated below.
Client                                                Authenticator
   |                                                      |
   |                            +------------------------------+
   |                            | Server does not have any     |
   |                            | Subscriber identity available|
   |                            | When starting EAP/SIM        |
   |                            +------------------------------+
   |                                                      |
   |                      EAP-Request/SIM/Start           |
   |                 (AT_ANY_ID_REQ, AT_VERSION_LIST)     |
   |<------------------------------------------------------|
   |                                                      |
   |                                                      |
   |                      EAP-Response/SIM/Start          |
   | (AT_IDENTITY containing a re-authentication identity)|
   |------------------------------------------------------>|
   |                                                      |
   |                            +------------------------------+
   |                            | Server does not recognize    |
   |                            | The re-authentication        |
   |                            | Identity                     |
   |                            +------------------------------+
   |                                                      |
   |                      EAP-Request/SIM/Start           |
   |            (AT_FULLAUTH_ID_REQ, AT_VERSION_LIST)     |
   |<------------------------------------------------------|
   |                                                      |
   |                                                      |
   |                      EAP-Response/SIM/Start          |
   | (AT_IDENTITY with a full-auth. identity, AT_NONCE_MT,|
   |                        AT_SELECTED_VERSION)          |
   |------------------------------------------------------>|
   |                                                      |
If the server recognizes the re-authentication identity, but still
wants to fall back on full authentication, the server may issue the
EAP-Request/SIM/Start packet without any identity request attributes
(AT_FULLAUTH_ID_REQ or AT_PERMANENT_ID_REQ). In this case, the
server only includes the AT_VERSION_LIST attribute, and full
authentication proceeds as usual. The client does not include any
identity attributes in the EAP-Response/SIM/Start packet.
An extra EAP/SIM/Start round trip is also required in cases when the
AT_IDENTITY attribute contains a pseudonym identity that the EAP
server fails to decode. The operation in this case is specified in
Section 5.3.
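The server-side decisions of Section 5.2 (which identity request attribute to send, and what to do with the identity and attributes returned in EAP-Response/SIM/Start), as an added model that is not the draft's or any implementation's code. It assumes a constructed "R:"/"P:" prefix convention to tell identity kinds apart, treats client behaviour the draft forbids as an EAP-Failure (this example's choice), and fills the undecodable-pseudonym branch from Section 5.3 as in RFC 4186, which this page does not show.

```python
# Added example (not part of the draft): a compact model of the server-side
# identity handling in Section 5.2. Attribute and message names are the
# draft's; the "R:"/"P:" identity prefixes are a constructed convention for
# this example only, and EAP-Failure is this example's choice for client
# behaviour the draft forbids with MUST NOT.

FULL_AUTH_ATTRS = {"AT_NONCE_MT", "AT_SELECTED_VERSION"}

def identity_kind(identity):
    """Constructed convention: 'R:' re-auth identity, 'P:' pseudonym, else permanent."""
    if identity.startswith("R:"):
        return "reauth"
    return "pseudonym" if identity.startswith("P:") else "permanent"

class SimServer:
    def __init__(self, pseudonyms, reauth_ids, supports_reauth=True):
        self.pseudonyms = pseudonyms        # pseudonym -> permanent identity
        self.reauth_ids = set(reauth_ids)   # re-auth identities this server issued
        self.supports_reauth = supports_reauth

    def first_start(self, eap_identity, may_be_modified=False):
        """Attributes of the first EAP-Request/SIM/Start; an identity is
        requested if none was received or a lower layer may have altered it."""
        req = "AT_ANY_ID_REQ" if self.supports_reauth else "AT_FULLAUTH_ID_REQ"
        if eap_identity is None or may_be_modified:
            return ["AT_VERSION_LIST", req]
        return ["AT_VERSION_LIST"]

    def on_start_response(self, requested, attrs):
        """Next server message after an EAP-Response/SIM/Start; `requested`
        is the identity request attribute sent in the preceding Start."""
        identity = attrs["AT_IDENTITY"]
        if identity_kind(identity) == "reauth":
            # Re-auth identities may not answer AT_FULLAUTH_ID_REQ and must
            # come without AT_NONCE_MT / AT_SELECTED_VERSION.
            if requested == "AT_FULLAUTH_ID_REQ" or FULL_AUTH_ATTRS.intersection(attrs):
                return "EAP-Failure"
            if identity in self.reauth_ids:
                return "EAP-Request/SIM/Re-authentication"
            # Unknown re-auth identity: second Start round trip requesting a
            # full-authentication identity (the first round trip is ignored).
            return ("EAP-Request/SIM/Start", ["AT_FULLAUTH_ID_REQ", "AT_VERSION_LIST"])
        if not FULL_AUTH_ATTRS.issubset(attrs):
            return "EAP-Failure"   # full authentication needs both attributes
        if identity_kind(identity) == "pseudonym" and identity not in self.pseudonyms:
            # Undecodable pseudonym: extra round trip per Section 5.3 (assumed
            # here to request the permanent identity, as RFC 4186 specifies).
            return ("EAP-Request/SIM/Start", ["AT_PERMANENT_ID_REQ", "AT_VERSION_LIST"])
        return "EAP-Request/SIM/Challenge"
```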
5.3. Identity Privacy Support
EAP/SIM includes optional identity privacy (anonymity) support that
can be used to hide the cleartext permanent identity and to make the
subscriber's connections unlinkable to eavesdroppers. Identity