
Issues with the 802.1X State Machine

IEEE 802.1X Revision PAR

Bernard Aboba

Microsoft

(excerpted from IEEE 802.11-01/252)

Bernard Aboba, Microsoft

Goals
  • To describe issues with IEEE 802.1X state machine and 802.11 roaming
  • To recommend a solution

Roaming Requirements
  • Enterprise
    • User is identified by user-name (NAI), not IP or MAC address
    • Security is not compromised
    • Roaming needs to be available for all potential 802.1X authentication methods
    • Desirable for user to be able to keep the same IP address when roaming, if possible
    • MUST be able to roam without reauthentication if desired
    • MUST be able to roam without dropping traffic in case of reauthentication
  • “Hot Spot”
    • User is identified by user-name (NAI), not IP or MAC address
    • Security is not compromised
    • Roaming should be fast
      • Going back to the home authentication server may cause substantial delays (~ seconds)

Context Transfer & IEEE 802.1X State Machine
  • Goal
    • User context can move to new AP without reauthentication, if desired
      • May wish to enable delayed reauthentication on roam
  • Process
    • Client reassociates to new AP
    • New AP validates reassociate, attempts context transfer from old AP
      • Context transfer succeeds: AP sends EAP-Success to client
      • Context transfer fails: re-associate treated as an associate
  • Requirements
    • Successful reassociate has same result as if new AP authenticated successfully to backend authentication server
    • Unsuccessful reassociate has same result as an associate
    • Authentication for reassociate, disassociate, beacon messages
  • Issues
    • No 802.1X event or state corresponding to associate or successful re-associate!

Additions to Backend Authentication State Machine (Figure 8-12)
  • Goal
    • Successful re-associate has same result as if new AP authenticated to backend authentication server
  • Successful reassociate equivalent to:
    • Setting aSuccess=TRUE; aWhile=serverTimeout; reqCount=0; currentId=0; rxResp=aFail=FALSE; authTimeout=FALSE; aReq=FALSE
    • Transition to SUCCESS state
      • Causes canned Success message to be sent
  • Unsuccessful reassociate equivalent to associate:
    • Set authAbort=TRUE
    • Transition to INITIALIZE state
      • Authentication starts again

Additions to Authenticator PAE State Machine (Figure 8-8)
  • Goal
    • Successful re-associate has same result as if new AP authenticated to backend authentication server
  • Unsuccessful reassociate equivalent to:
    • Set portEnabled=TRUE; currentId=1; portMode=Auto; portStatus=Unauthorized; eapLogoff=FALSE; reAuthCount=0;
    • Transition to CONNECTING state
  • Successful reassociate with no-reauth == TRUE equivalent to:
    • Set portMode=Auto; eapLogoff=FALSE; reAuthCount=1; currentId=1; portStatus=Unauthorized; eapStart=FALSE; reAuthenticate=FALSE; authSuccess=TRUE; authFail=FALSE; authTimeout=FALSE; portEnabled=TRUE;
    • Transition to AUTHENTICATED
  • Successful reassociate with no-reauth == FALSE equivalent to:
    • Set portMode=Auto; currentId = 2; eapLogoff=FALSE; reAuthCount=0; portStatus=Authorized; portEnabled=TRUE; reAuthenticate=TRUE;
    • Transition to CONNECTING

Additions to Supplicant PAE State Machine (Figure 8-14)
  • Goal
    • Successful reassociate has same result as if supplicant successfully authenticated to authenticator
  • Sequence of events for successful reassociate
    • Supplicant in AUTHENTICATED state
    • Reassociate request sent by Supplicant
    • Success sent by Authenticator
    • Supplicant remains in AUTHENTICATED state
  • Sequence of events for unsuccessful reassociate
    • Supplicant in AUTHENTICATED state
    • Reassociate request sent by Supplicant
    • EAP-Request/Identity sent by Authenticator
    • On EAP-Request/Identity, supplicant transitions to ACQUIRED state
