AAA Working Group                                          Renjie Zhang
Internet Draft                                               Zhilei Sun
October, 2002                                                  Wenbo Lu
                                                Fiberhome Networks, WRI


     Extended IEEE 802.1X To Support Authentication of Users Sharing
                         a Single Ethernet Port


Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC 2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Copyright Notice

   Copyright (C) The Internet Society (2002).  All Rights Reserved.

Abstract

   The IEEE 802.1X standard provides a method to authenticate users on a
   per-port basis and does not support authentication of multiple users
   sharing a single port.  This document extends IEEE 802.1X to support
   authentication of users sharing a single Ethernet port.  It also
   modifies the EAP (Extensible Authentication Protocol, defined in
   [RFC2284]) message format.

Renjie Zhang              Extended IEEE 802.1X                 [Page 1]

Internet Draft            Extended IEEE 802.1X             October 2002

Table of Contents

   Status of this Memo.........................................1
   Abstract....................................................1
   Table of Contents...........................................2
   1. Introduction.............................................2
   2. Method Description.......................................2
   3. Normative references.....................................5
   4. Security Considerations..................................5

1. Introduction

   For the purpose of providing compatible authentication and
   authorization mechanisms for devices interconnected by IEEE 802 LANs,
   IEEE 802.1X specifies a general method for the provision of
   port-based network access control.  This method is not well suited to
   multiple users sharing a single port.  Here we define a method to
   extend the standard.

1.1. Specification of Requirements

   In this document, several words are used to signify the requirements
   of the specification.  These words are often capitalized.  The key
   words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
   "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document
   are to be interpreted as described in [RFC2119].

2. Method Description

   A summary of the Ethernet form of the EAPOL frame is shown below.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       PAE Ethernet Type       | Protocol Ver  |  Packet Type  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      Packet Body Length       |       Packet Body ....        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             ....                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 1

   The Packet Body field is present if the Packet Type contains the
   value EAP-Packet, EAPOL-Key, or EAPOL-Encapsulated-ASF-Alert; for all
   other values of Packet Type, this field is not present.

   A summary of the EAP packet format is shown below.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |  Identifier   |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Data ....                                                  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 2

   The Code field is one octet in length and identifies the type of EAP
   packet.  EAP Codes are assigned as follows: 1 Request, 2 Response,
   3 Success, 4 Failure.

   Here we extend the EAP packet format as below.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Session ID           |     Code      |  Identifier   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Identifier   |            Length             |   Data ....   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           Data ....                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 3

   The former Identifier field is one octet in length and allows
   matching of responses with requests.  Thus, the use of a single-octet
   Identifier field results in a restriction of 256 authentications per
   System Port.  We extend the Identifier field to 2 octets to support
   more authentications per System Port.

   When many users share a single port, we can only identify a user
   through the MAC address, so we must inspect every EAP packet to see
   who sent it.  We add a Session ID field to identify the packets sent
   by a user.  Before the Authenticator sends an EAP-Request packet, it
   must select a unique Session ID and associate it with the destination
   MAC address.  When the Supplicant receives such a packet and responds
   to it, it must insert the Session ID into the EAP-Response packet.
   The Authenticator can then easily identify the user according to the
   Session ID field.

   To realise the authentication, we must establish a MAC address Access
   Control List.  If the Supplicant passes the authentication, the
   Authenticator adds its MAC address to the MAC address Access Control
   List.  The Supplicant can then access network resources without
   restriction.  We can also record the traffic of the Supplicant.
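   The following is an added worked example and is not part of this
   draft: a Python encoder/decoder for the extended EAP packet of
   Figure 3, plus an Authenticator-side session table that binds each
   Session ID to the destination MAC address, discards responses whose
   Session ID, Identifier or source MAC do not match what was issued,
   and admits the MAC into the ACL on success.  It assumes network byte
   order, a 2-octet Session ID, and that the Authentication Server's
   decision is handed in as a boolean; the names build, parse and
   Authenticator are the example's own.

```python
import struct
# Extended EAP header of Figure 3 (assumed network byte order, 2-octet Session ID):
# Session ID (2) | Code (1) | Identifier (2) | Length (2) | Data ...
HDR = struct.Struct("!HBHH")
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4

def build(session_id, code, identifier, data=b""):
    # Length covers the whole packet, as in RFC 2284
    return HDR.pack(session_id, code, identifier, HDR.size + len(data)) + data

def parse(pkt):
    # Never trust Length: it must lie within what was actually received
    if len(pkt) < HDR.size:
        raise ValueError("truncated header")
    sid, code, ident, length = HDR.unpack_from(pkt)
    if not HDR.size <= length <= len(pkt):
        raise ValueError("bad Length")
    return sid, code, ident, pkt[HDR.size:length]

class Authenticator:
    """Session table keyed by Session ID plus the MAC ACL of Figure 4 (counters omitted)."""
    def __init__(self):
        self.sessions = {}  # session_id -> (supplicant MAC, Identifier awaiting a response)
        self.acl = set()    # MACs authorised to access the network
        self.next_sid, self.next_ident = 1, 0

    def request(self, mac, data=b""):
        """EAP-Request to one supplicant: reuse its session or allocate an unused Session ID."""
        sid = next((s for s, (m, _) in self.sessions.items() if m == mac), None)
        if sid is None:
            while self.next_sid in self.sessions:  # skip IDs still in use
                self.next_sid = self.next_sid % 0xFFFF + 1
            sid, self.next_sid = self.next_sid, self.next_sid % 0xFFFF + 1
        ident, self.next_ident = self.next_ident, (self.next_ident + 1) & 0xFFFF
        self.sessions[sid] = (mac, ident)
        return build(sid, REQUEST, ident, data)

    def response(self, src_mac, pkt):
        """Accept a response only if Session ID, Identifier and source MAC all match; else discard."""
        sid, code, ident, data = parse(pkt)
        ok = code == RESPONSE and self.sessions.get(sid) == (src_mac, ident)
        return data if ok else None

    def finish(self, mac, success):
        """Backend decision (stubbed as a boolean): on success the MAC enters the ACL (Figure 5)."""
        sid = next(s for s, (m, _) in self.sessions.items() if m == mac)
        ident = self.sessions.pop(sid)[1]
        if success:
            self.acl.add(mac)
        return build(sid, SUCCESS if success else FAILURE, ident)
```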
   A summary of the MAC address Access Control List format is shown
   below.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Supplicant MAC Address                     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Supplicant MAC Address     |         Output Octets         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        Output Packets         |         Input Octets          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Input Packets         |          Session ID           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                                 Figure 4

   The figure below shows a successful Authenticator-initiated
   conversation for the case of a One Time Password (OTP)
   authentication.

   Supplicant                  Authenticator         Authentication Server
       |                            |                            |
       |  EAP-Request/Identity (insert unique Session ID)        |
       |<--------------------------------------------------------|
       |                            |                            |
       |  EAP-Response/Identity (with the Session ID)            |
       |-------------------------------------------------------->|
       |                            |                            |
       |  EAP-Request/OTP, OTP Challenge (with the Session ID)   |
       |<--------------------------------------------------------|
       |                            |                            |
       |  EAP-Response/OTP, OTP Challenge (with the Session ID)  |
       |-------------------------------------------------------->|
       |                            |                            |
       |                            | Add the supplicant MAC     |
       |                            | address into the MAC ACL.  |
       |                            | The supplicant is          |
       |                            | authorised to access the   |
       |                            | network.                   |
       |  EAP-Success (with the Session ID)                      |
       |<--------------------------------------------------------|
       |                            |                            |

                                 Figure 5

3. Normative references

   [RFC1661]   Simpson, W., "The Point-to-Point Protocol (PPP)", STD 51,
               RFC 1661, July 1994.

   [RFC2284]   Blunk, L. and J. Vollbrecht, "PPP Extensible
               Authentication Protocol (EAP)", RFC 2284, March 1998.

   [IEEE802]   IEEE Standards for Local and Metropolitan Area Networks:
               Overview and Architecture, ANSI/IEEE Std 802, 1990.

   [IEEE8021X] IEEE Standards for Local and Metropolitan Area Networks:
               Port based Network Access Control, IEEE Std 802.1X-2001,
               June 2001.

4. Security Considerations

   Adding a Session ID field can increase the security level of
   IEEE 802.1X in a shared-media LAN.

Authors' Addresses

   Renjie Zhang
   Fiberhome Networks, WRI
   Wuhan, China
   Post Code: 430074
   Phone: 86-27-87693402 (ext) 8992
   Mobile: 13808653517
   E-mail: rjzhang@wri.com.cn, renjie@fhn.com.cn, zrj@sina.com

   Zhilei Sun
   Fiberhome Networks, WRI
   Wuhan, China
   E-mail: sunxiaohou@sina.com

   Wenbo Lu
   Fiberhome Networks, WRI
   Wuhan, China
   E-mail: lwb97@163.com