EAP Scenarios and 802.1af

Joseph Salowey

jsalowey@cisco.com

1/12/2006

Basic EAP Model

[Diagram: EAP Peer, EAP Authenticator, EAP Server; labels: Authentication, Keys]

AAA Model

[Diagram: EAP Peer, EAP Authenticator, AAA Server, EAP Server; labels: Authentication, Keys, (Authorization)]

AAA Model Notes
  • Peer authenticates AAA server
  • AAA server provides authenticator with key
  • Possession of the key indicates to the peer that the authenticator is authorized
  • Peer does not know the identity of the authenticator; by default it can’t differentiate between authenticators
  • Authenticator receives authorizations from AAA server

3rd Party Authentication Model

[Diagram: EAP Peer, EAP Authenticator, EAP Server, (Online or Offline) Authentication Services; label: Authentication]


3rd Party Authentication Model Notes
  • Peer authenticates the authenticator
  • Peer knows the authenticator’s identity
  • Peer must be able to authorize based on identity information
  • Authenticator does not get authorization based on authentication exchange
  • Authentication service may be offline as in PKI CA
  • Authentication service may be online as in Kerberos

Approaches to modifying the AAA model (“channel bindings”)
  • Bind authenticator/service identity into EAP exchange
    • EAP methods do not interpret the data, instead transport data
    • Draft-arkko-eap-service-identity-auth-04
  • Specify target authenticator/service
    • Mechanism-dependent implementation (Kerberos, channel binding, credential selection)
  • Bind authenticator/service identity to key material
    • Draft-obha-aaa-key-binding-01
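
The "bind authenticator/service identity to key material" approach, and the AAA Model Notes point that a peer cannot tell authenticators apart, are illustrated by the following added example (not from the presentation or from the cited drafts). The HMAC-SHA256 construction, the label, and the switch names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

LABEL = b"example authenticator key binding"  # constructed label (assumption)


def bind_key(msk: bytes, authenticator_id: str) -> bytes:
    """Derive a key usable only under one authenticator identity."""
    ident = authenticator_id.encode("utf-8")
    # Length-prefix the identity so the MAC input is unambiguous.
    info = LABEL + b"\x00" + len(ident).to_bytes(2, "big") + ident
    return hmac.new(msk, info, hashlib.sha256).digest()


def confirm(key: bytes, nonce: bytes) -> bytes:
    """Tag the authenticator returns to prove possession of its key."""
    return hmac.new(key, b"confirm" + nonce, hashlib.sha256).digest()


def peer_accepts_bound(msk, claimed_id, nonce, tag) -> bool:
    """Peer rederives the key from the identity the authenticator claimed."""
    expected = confirm(bind_key(msk, claimed_id), nonce)
    return hmac.compare_digest(expected, tag)


def peer_accepts_unbound(msk, claimed_id, nonce, tag) -> bool:
    """Plain AAA model: claimed_id is unused because nothing ties it to the key."""
    return hmac.compare_digest(confirm(msk, nonce), tag)


def run_scenarios() -> dict:
    msk = os.urandom(64)    # stands in for the MSK exported by the EAP method
    nonce = os.urandom(16)  # peer-chosen challenge
    sw1, sw2 = "sw1.example.net", "sw2.example.net"  # hypothetical identities
    # AAA server keys SW1 under the identity it authenticated over AAA.
    key_sw1 = bind_key(msk, sw1)
    return {
        # SW1 advertises its real identity: accepted.
        "bound_honest": peer_accepts_bound(msk, sw1, nonce, confirm(key_sw1, nonce)),
        # SW1 claims to be SW2: the peer derives a different key and rejects.
        "bound_lying": peer_accepts_bound(msk, sw2, nonce, confirm(key_sw1, nonce)),
        # Without binding, the same false claim goes unnoticed.
        "unbound_lying": peer_accepts_unbound(msk, sw2, nonce, confirm(msk, nonce)),
    }


if __name__ == "__main__":
    print(run_scenarios())
```

With the bound key, the identity the authenticator advertises to the peer must match the identity the AAA server used when it issued the key; with the raw MSK, any holder of the key passes regardless of the name it presents.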

3rd Party authentication case

[Diagram: SW1, SW2, Authentication Services (offline); label: Mutual Authentication]

Unilateral AAA case

[Diagram: SW1, SW2, AAA; label: Mutual Authentication]

Bilateral AAA case

[Diagram: SW1, SW2, AAA (twice), AZ (twice); label: Mutual Authentication x 2]

EAP and keys
  • EAP methods can derive key material
    • MSK available to the authenticator
    • EMSK reserved (for derivation of other keys TBD)
  • MSK may be used to derive session keys for data encryption (802.11i)
  • MSK may be used to derive a KEK that encrypts a key descriptor used to distribute keys (group keys)
  • Either or both approaches may be useful for CAK establishment