HTTP/1.1 200 OK Date: Tue, 09 Apr 2002 06:56:18 GMT Server: Apache/1.3.20 (Unix) Last-Modified: Mon, 03 Mar 1997 11:33:00 GMT ETag: "304eb0-7bd6-331ab6ec" Accept-Ranges: bytes Content-Length: 31702 Connection: close Content-Type: text/plain RADIUS Working Group Pat Calhoun INTERNET-DRAFT US Robotics Access Corp. Allan C. Rubens 28 February 1997 Merit Network, Inc. Bernard Aboba Microsoft Extensible Authentication Protocol Support in RADIUS 1. Status of this Memo This document is an Internet-Draft. Internet-Drafts are working docu- ments of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute work- ing documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference mate- rial or to cite them other than as ``work in progress.'' To learn the current status of any Internet-Draft, please check the ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow Directories on ds.internic.net (US East Coast), nic.nordu.net (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim). The distribution of this memo is unlimited. It is filed as , and expires September 1, 1997. Please send comments to the authors. 2. Abstract The Extensible Authentication Protocol (EAP) is a PPP extension that provides support for additional authentication methods within PPP. This document describes how the EAP-Message and Signature attributes may be used for providing EAP support within RADIUS. 3. Introduction The Extensible Authentication Protocol (EAP), described in [1], pro- vides a standard mechanism for support of additional authentication methods within PPP. Through the use of EAP, support for a number of authentication schemes may be added, including token cards, Kerberos, Public Key, One Time Passwords, and others. In order to provide for support of EAP within RADIUS, two new attributes, EAP-Message and Sig- nature, were introduced as RADIUS extensions in [5]. This document describes how these new attributes may be used for providing EAP sup- port within RADIUS. Calhoun, Rubens & Aboba [Page 1] INTERNET-DRAFT 28 February 1997 The scheme described here is similar to that proposed in [2], in that the RADIUS server is used to shuttle RADIUS-encapsulated EAP Packets between the NAS and a backend security server. While the conversation between the RADIUS server and the backend security server will typi- cally occur using a proprietary protocol developed by the backend security server vendor, it is also possible to use RADIUS-encapsulated EAP via the EAP-Message attribute. This has the advantage of allowing the RADIUS server to support EAP without the need for authentication- specific code, which can instead reside on a backend security server. 3.1. Requirements language This specification uses the same words as [7] for defining the signif- icance of each particular requirement. These words are: MUST This word, or the adjectives "REQUIRED" or "SHALL", means that the definition is an absolute requirement of the speci- fication. MUST NOT This phrase, or the phrase "SHALL NOT", means that the defi- nition is an absolute prohibition of the specification. SHOULD This word, or the adjective "RECOMMENDED", means that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course. SHOULD NOT This phrase means that there may exist valid reasons in par- ticular circumstances when the particular behavior is acceptable or even useful, but the full implications should be understood and the case carefully weighed before imple- menting any behavior described with this label. MAY This word, or the adjective "OPTIONAL", means that an item is truly optional. One vendor may choose to include the item because a particular marketplace requires it or because the vendor feels that it enhances the product while another vendor may omit the same item. An implementation which does not include a particular option MUST be prepared to interop- erate with another implementation which does include the option, though perhaps with reduced functionality. In the same vein an implementation which does include a particular option MUST be prepared to interoperate with another imple- mentation which does not include the option.(except, of course, for the feature the option provides) An implementation is not compliant if it fails to satisfy one or more of the must or must not requirements for the protocols it implements. An implementation that satisfies all the must, must not, should and should not requirements for its protocols is said to be Calhoun, Rubens & Aboba [Page 2] INTERNET-DRAFT 28 February 1997 "unconditionally compliant"; one that satisfies all the must and must not requirements but not all the should or should not requirements for its protocols is said to be "conditionally compliant." 4. Protocol overview The EAP conversation between the authenticating peer and the NAS begins with the negotiation of EAP within LCP. Once EAP has been nego- tiated, the NAS will typically send to the RADIUS server a RADIUS Access-Request packet containing an EAP-Message attribute signifying EAP-Start. EAP-Start is indicated by sending an EAP-Message attribute with a length of 2 (no data). The Port number and NAS Identifier MUST be included in the attributes issued by the NAS in the Access-Request packet. If the RADIUS server supports EAP, it MUST respond with an Access- Challenge packet containing an EAP-Message attribute. The EAP-Message attribute includes an encapsulated EAP packet which is then passed on to the authenticating peer. The Access-Challenge typically will con- tain an EAP-Message attribute encapsulating an EAP-Request/Identity message, requesting the authenticating peer to identify itself. The NAS will then respond with a RADIUS Access-Request packet containing an EAP-Message attribute encapsulating an EAP-Response, etc. The con- versation continues until either a RADIUS Access-Reject packet is received (with an EAP-Message attribute encapsulating EAP-Failure) which results in the NAS disconnecting the user, or a RADIUS Access- Accept packet is received (with an EAP-Message attribute encapsulating EAP-Success) successfully ending the authentication phase. Note that if a RADIUS Access-Reject packet with an EAP-Message attribute encap- sulating EAP-Failure is received from the RADIUS Server, the NAS SHOULD issue an LCP Terminate Request to the authenticating peer. The above scenario creates a situation in which the NAS never needs to manipulate an EAP packet. An alternative may be used in situations where an EAP-Request/Identity message will always be sent by the NAS to the authenticating peer. This involves having the NAS send an EAP- Request/Identity message to the authenticating peer, and forwarding the EAP-Response/Identity packet to the RADIUS server in the EAP-Mes- sage attribute of a RADIUS Access-Request packet. While this approach will save a round-trip, it cannot be universally employed. There are circumstances in which the user's identity may not be needed (such as when authentication and accounting is handled based on the calling or called phone number), and therefore an EAP-Request/Identity packet may not necessarily be issued by the NAS to the authenticating peer. Unless the NAS interprets the EAP-Response/Identity packet returned by the authenticating peer, it will not have access to the user's iden- tity. Therefore, the RADIUS Server SHOULD return the user's identity by inserting it in the User-Name attribute of subsequent Access-Chal- lenge and Access-Accept packets. Without the user's identity, account- ing and billing becomes very difficult to manage. Calhoun, Rubens & Aboba [Page 3] INTERNET-DRAFT 28 February 1997 In cases where a backup RADIUS servers is available, were the primary server to fail at any time during the EAP conversation, it would be desirable for the NAS to be able to redirect the conversation to an alternate RADIUS server. However, for the backup server to be able to pick up the conversation, it must be provided with the state of the EAP conversation prior to the interruption. This can be accomplished by having the RADIUS Access-Request include the series of EAP-Message attributes representing the previous history of the EAP conversation. Similarly, the RADIUS Challenge returned by the RADIUS server must also include all previous EAP-Message attributes. The sequence number field in the EAP-Message attribute MUST be used in order to determine which attribute is to be processed. The attribute with the highest sequence number is the most recent attribute. The RADIUS Access-Accept/EAP-Message/EAP-Success packet MUST contain all of the expected attributes which are currently returned in an Access-Accept packet. For proxied RADIUS requests there are two methods of processing. If the domain is determined based on the DNIS the RADIUS Server may proxy the initial RADIUS Access-Request/EAP-Start. If the domain is deter- mined based on the user's identity, the local RADIUS Server MUST respond with a RADIUS Access-Challenge/EAP-Identity packet. The response from the authenticating peer MUST be proxied to the final authentication server. For proxied RADIUS requests, the NAS may receive an Access-Reject packet in response to its Access-Request/EAP-Identity packet. This would occur if the message was proxied to a RADIUS Server which does not support the EAP-Message extension. At this point, the NAS MUST re-open LCP with the authenticating peer and request either CHAP or PAP as the authentication protocol. Again, such an Access-Reject packet indicating lack of EAP capability will not contain an EAP-Mes- sage attribute. If the NAS is unable to negotiate EAP with the authenticating peer, what happens next is a matter of policy. In circumstances where EAP is required of all users accessing the NAS, the NAS MUST disconnect the user. However, in circumstances where EAP is mandatory for some users, and optional or not required for others, the decision cannot be made until the user's identity is ascertained. In this case, the NAS will negotiate another authentication method, such as CHAP, and will pass the User-Name and CHAP-Password attributes to the RADIUS Server in an Access-Request packet. If the user is not required to use EAP, then the RADIUS Server will respond with an Access-Accept or Access-Reject packet as appropriate. However, should the user require EAP, then the RADIUS Server will respond with an Access-Challenge packet containing an EAP-Message attribute. The EAP-Message attribute will either encap- sulate an EAP-Request/Identity packet, or if the RADIUS Server makes use of the User-Name attribute in the Access-Request, it may encapsu- late an EAP challenge. On receiving the EAP-Message attribute, the NAS will either attempt to negotiate EAP if it had not done so previously, Calhoun, Rubens & Aboba [Page 4] INTERNET-DRAFT 28 February 1997 or if negotiation had previously been attempted and failed, it MUST disconnect the user. The NAS is not responsible for the retransmission of any EAP messages. The authenticating peer and the RADIUS Server are responsible for any retransmissions. The example below shows the conversation between the authenticating peer, NAS, and RADIUS server, for the case of a One Time Password (OTP) authentication. OTP is used only for illustrative purposes; other authentication protocols could also have been used, although they would show somewhat different behavior. For brevity, the history of previous EAP messages (which will be transmitted in each Access- Request and Access-Challenge packet) has been left out. Authenticating Peer NAS RADIUS Server ------------------- --- ------------- <- PPP LCP Request-EAP auth PPP LCP ACK-EAP auth -> RADIUS Access-Request/ EAP-Message/Start -> <- RADIUS Access-Challenge/ EAP-Message/Identity <- PPP EAP-Request/ Identity PPP EAP-Response/ Identity (MyID) -> RADIUS Access-Request/ EAP-Message/ EAP-Response/ (MyID) -> <- RADIUS Access-Challenge/ EAP-Message/EAP-Request OTP/OTP Challenge <- PPP EAP-Request/ OTP/OTP Challenge PPP EAP-Response/ OTP, OTPpw -> RADIUS Access-Request/ EAP-Message/ EAP-Response/ OTP, OTPpw -> <- RADIUS Access-Accept/ EAP-Message/EAP-Success Calhoun, Rubens & Aboba [Page 5] INTERNET-DRAFT 28 February 1997 (other attributes) <- PPP EAP-Success PPP Authentication Phase complete, NCP Phase starts In the case where the NAS sends the authenticating peer an EAP- Request/Identity packet without first sending an EAP-Start packet to the RADIUS server, the conversation would appear as follows: Authenticating Peer NAS RADIUS Server ------------------- --- ------------- <- PPP LCP Request-EAP auth PPP LCP ACK-EAP auth -> <- PPP EAP-Request/ Identity PPP EAP-Response/ Identity (MyID) -> RADIUS Access-Request/ EAP-Message/ EAP-Response/ (MyID) -> <- RADIUS Access-Challenge/ EAP-Message/EAP-Request OTP/OTP Challenge <- PPP EAP-Request/ OTP/OTP Challenge PPP EAP-Response/ OTP, OTPpw -> RADIUS Access-Request/ EAP-Message/ EAP-Response/ OTP, OTPpw -> <- RADIUS Access-Accept/ EAP-Message/EAP-Success (other attributes) <- PPP EAP-Success PPP Authentication Phase complete, NCP Phase starts In the case where the client fails EAP authentication, the conversa- tion would appear as follows: Authenticating Peer NAS RADIUS Server ------------------- --- ------------- Calhoun, Rubens & Aboba [Page 6] INTERNET-DRAFT 28 February 1997 <- PPP LCP Request-EAP auth PPP LCP ACK-EAP auth -> Access-Request/ EAP-Message/Start -> <- RADIUS Access-Challenge/ EAP-Message/Identity <- PPP EAP-Request/ Identity PPP EAP-Response/ Identity (MyID) -> RADIUS Access-Request/ EAP-Message/ EAP-Response/ (MyID) -> <- RADIUS Access-Challenge/ EAP-Message/EAP-Request OTP/OTP Challenge <- PPP EAP-Request/ OTP/OTP Challenge PPP EAP-Response/ OTP, OTPpw -> RADIUS Access-Request/ EAP-Message/ EAP-Response/ OTP, OTPpw -> <- RADIUS Access-Reject/ EAP-Message/EAP-Failure <- PPP EAP-Failure (client disconnected) In the case that the RADIUS server or proxy does not support EAP-Mes- sage, the conversation would appear as follows: Authenticating Peer NAS RADIUS Server ------------------- --- ------------- <- PPP LCP Request-EAP auth PPP LCP ACK-EAP auth -> RADIUS Access-Request/ EAP-Message/Start -> <- RADIUS Access-Reject <- PPP LCP Request-CHAP auth Calhoun, Rubens & Aboba [Page 7] INTERNET-DRAFT 28 February 1997 PPP LCP ACK-CHAP auth -> <- PPP CHAP Challenge PPP CHAP Response -> RADIUS Access-Request-> <- RADIUS Access-Accept <- PPP LCP CHAP-Success PPP Authentication Phase complete, NCP Phase starts In the case where the local RADIUS Server does support EAP-Message, but the remote RADIUS Server does not, the conversation would appear as follows: Authenticating Peer NAS RADIUS Server ------------------- --- ------------- <- PPP LCP Request-EAP auth PPP LCP ACK-EAP auth -> RADIUS Access-Request/ EAP-Message/Start -> <- RADIUS Access-Challenge/ EAP-Message/Identity <- PPP EAP-Request/ Identity PPP EAP-Response/ Identity (MyID) -> RADIUS Access-Request/ EAP-Message/EAP-Response/ (MyID) -> <- RADIUS Access-Reject (proxied from remote RADIUS Server) <- PPP LCP Request-CHAP auth PPP LCP ACK-CHAP auth -> <- PPP CHAP Challenge PPP CHAP Response -> RADIUS Access-Request-> <- RADIUS Access-Accept Calhoun, Rubens & Aboba [Page 8] INTERNET-DRAFT 28 February 1997 (proxied from remote RADIUS Server) <- PPP LCP CHAP-Success PPP Authentication Phase complete, NCP Phase starts In the case where the authenticating peer does not support EAP, but where EAP is required for that user, the conversation would appear as follows: Authenticating Peer NAS RADIUS Server ------------------- --- ------------- <- PPP LCP Request-EAP auth PPP LCP NAK-EAP auth -> <- PPP LCP Request-CHAP auth PPP LCP ACK-CHAP auth -> <- PPP CHAP Challenge PPP CHAP Response -> RADIUS Access-Request/ User-Name, CHAP-Password -> <- RADIUS Access-Challenge/ EAP-Message (User Disconnected) 5. Alternative uses Currently the conversation between the backend security server and the RADIUS server is proprietary because of lack of standardization. In order to increase standardization and provide interoperability between Radius vendors and backend security vendors, it is recommended that RADIUS-encapsulated EAP be used for this conversation. This has the advantage of allowing the RADIUS server to support EAP without the need for authentication-specific code within the RADIUS server. Authentication-specific code can then reside on a backend security server instead. In the case where RADIUS-encapsulated EAP is used in a conversation between a RADIUS server and a backend security server, the Security Server will typically return an Access-Accept/EAP-Success message without inclusion of the expected attributes currently returned in an Access-Accept. This means that the RADIUS server MUST add these attributes prior to sending an Access-Accept/EAP-Success message to Calhoun, Rubens & Aboba [Page 9] INTERNET-DRAFT 28 February 1997 the NAS. 6. Attributes 6.1. EAP-Message Description This attribute encapsulates Extensible Authentication Protocol [1] packets so as to allow the NAS to authenticate dial-in users via EAP without having to understand the protocol. The NAS places EAP messages received from the authenticating peer into one or more EAP-Message attributes and forwards them to the RADIUS Server within an Access-Request message. The RADIUS Server may then return EAP message in Access-Challenge, Access-Accept and Access-Reject packets. Access-Request packets including one or more EAP-Message attributes MUST also contain a Signature attribute, described in [5], in order to provide for authentication of the shuttled EAP packets. Access- Requests including an EAP-Message attribute without a Signature attribute SHOULD be silently discarded by the RADIUS server. A RADIUS Server supporting EAP-Message MUST calculate the correct value of the Signature and silently discard the packet if it does not match the value sent. A RADIUS Server not supporting EAP-Mes- sage MUST return an Access-Reject. A RADIUS Server receiving EAP messages that it does not understand SHOULD return an Access- Reject. A summary of the EAP-Message attribute format is shown below. The fields are transmitted from left to right. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Sequence No. | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | String... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type 67 for EAP-Message Length >=5 (EAP packet enclosed) =2 (EAP start message) Sequence Number Calhoun, Rubens & Aboba [Page 10] INTERNET-DRAFT 28 February 1997 The Sequence Number field, which is two octets in length, is used in order to build a "history" of the transaction. The EAP-Message attribute with the highest identifier represents the current packet to process. The history is passed along in each Access- request/Access-Challenge in order to support the concept of RADIUS backup servers, as described earlier. EAP-Message attributes with the same sequence number are to be con- catenated, in order to allow an EAP packet to be larger than the 253 octet limit for a RADIUS attribute. String The String field includes EAP packets, as defined in [1]: +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Code | Identifier | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | / / / Data / | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 7. Acknowledgments Thanks to Dave Dawson and Karl Fox of Ascend, and Glen Zorn and Naren- dra Gidwani of Microsoft for useful discussions of this problem space. 8. References [1] L. J. Blunk, J. R. Vollbrecht. "PPP Extensible Authentication Protocol (EAP)." draft-ietf-pppext-eap-auth-02.txt, Merit Network, Inc., June, 1996. [2] A. Rubens, P.R. Calhoun. "DIAMETER Extensible Authentication Pro- tocol Support." draft-calhoun-diameter-eap-00.txt, Merit Network, Inc., US Robotics Access Corp., February, 1997. [3] C. Rigney, A. Rubens, W. Simpson, S. Willens. "Remote Authenti- cation Dial In User Service (RADIUS)." RFC 2058, Livingston, Merit, Daydreamer, January, 1997. [4] C. Rigney. "RADIUS Accounting." RFC 2059, Livingston, January, 1997. [5] C. Rigney, W. Willats. "RADIUS Extensions." draft-ietf-radius- ext-00.txt, Livingston, January, 1997. [6] R. Rivest, S. Dusse. "The MD5 Message-Digest Algorithm", RFC 1321, MIT Laboratory for Computer Science, RSA Data Security Inc., Calhoun, Rubens & Aboba [Page 11] INTERNET-DRAFT 28 February 1997 April 1992. [7] S. Bradner. "Key words for use in RFCs to Indicate Requirement Levels." draft-bradner-key-words-02.txt, Harvard University, August, 1996. 9. Authors' Addresses Pat R. Calhoun US Robotics Access Corp. 8100 N. McCormick Blvd. Skokie, IL 60076-2999 Phone: 847-342-6898 EMail: pcalhoun@usr.com Allan C. Rubens Merit Network, Inc. 4251 Plymouth Rd. Ann Arbor, MI 48105-2785 Phone: 313-647-0417 EMail: acr@merit.edu Bernard Aboba Microsoft Corporation One Microsoft Way Redmond, WA 98052 Phone: 206-936-6605 EMail: bernarda@microsoft.com Calhoun, Rubens & Aboba [Page 12]