Issues with the 802.1X State Machine - PowerPoint PPT Presentation

Mia_John
issues with the 802 1x state machine n.
Skip this Video
Loading SlideShow in 5 Seconds..
Issues with the 802.1X State Machine PowerPoint Presentation
Download Presentation
Issues with the 802.1X State Machine

play fullscreen
1 / 7
Download Presentation
Issues with the 802.1X State Machine
323 Views
Download Presentation

Issues with the 802.1X State Machine

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Issues with the 802.1X State Machine IEEE 802.1X Revision PAR Bernard Aboba Microsoft (excerpted from IEEE 802.11-01/252) Bernard Aboba, Microsoft

  2. Goals • To describe issues with IEEE 802.1X state machine and 802.11 roaming • To recommend a solution Bernard Aboba, Microsoft

  3. Roaming Requirements • Enterprise • User is identified by user-name (NAI), not IP or MAC address • Security is not compromised • Roaming needs to be available for all potential 802.1X authentication methods • Desirable for user to be able to keep the same IP address when roaming, if possible • MUST be able to roam without reauthentication if desired • MUST be able to roam without dropping traffic in case of reauthentication • “Hot Spot” • User is identified by user-name (NAI), not IP or MAC address • Security is not compromised • Roaming should be fast • Going back to the home authentication server may cause substantial delays (~ seconds) Bernard Aboba, Microsoft

  4. Context Transfer & IEEE 802.1X State Machine • Goal • User context can move to new AP without reauthentication, if desired • May wish to enable delayed reauthentication on roam • Process • Client reassociates to new AP • New AP validates reassociate, attempts context transfer from old AP • Context transfer succeeds: AP sends EAP-Success to client • Context transfer fails: re-associate treated as an associate • Requirements • Successful reassociate has same result as if new AP authenticated successfully to backend authentication server • Unsuccessful reassociate has same result as an associate • Authentication for reassociate, disassociate, beacon messages • Issues • No 802.1X event or state corresponding to associate or successful re-associate! Bernard Aboba, Microsoft

  5. Additions to Backend Authentication State Machine (Figure 8-12) • Goal • Successful re-associate has same result as if new AP authenticated to backend authentication server • Successful reassociate equivalent to: • Setting aSuccess=TRUE; aWhile=serverTimeout; reqCount=0; currentId=0; rxResp=aFail=FALSE; authTimeout=FALSE; aReq=FALSE • Transition to SUCCESS state • Causes canned Success message to be sent • Unsuccessful reassociate equivalent to associate: • Set authAbort=TRUE • Transition to INITIALIZE state • Authentication starts again Bernard Aboba, Microsoft

  6. Additions to Authenticator PAE State Machine (Figure 8-8) • Goal • Successful re-associate has same result as if new AP authenticated to backend authentication server • Unsuccessful reassociate equivalent to: • Set portEnabled=TRUE; currentId=1; portMode=Auto; portStatus=Unauthorized; eapLogff=FALSE; reAuthCount=0; • Transition to CONNECTING state • Successful reassociate with no-reauth == TRUE equivalent to: • Set portMode=Auto; eapLogoff=FALSE; reAuthCount=1; currentId=1; portStatus=Unauthorized; eapStart=FALSE; reAuthenticate=FALSE; authSuccess=TRUE; authFail=FALSE; authTimeout=FALSE; portEnabled=TRUE; • Transition to AUTHENTICATED • Successful reassociate with no-reauth == FALSE equivalent to: • Set portMode=Auto; currentId = 2; eapLogoff=FALSE; reAuthCount=0; portStatus=Authorized; portEnabled=TRUE; reAuthenticate=TRUE; • Transition to CONNECTING Bernard Aboba, Microsoft

  7. Additions to Supplicant PAE State Machine (Figure 8-14) • Goal • Successful reassociate has same result as if supplicant successfully authenticated to authenticator • Sequence of events for successful reassociate • Supplicant in AUTHENTICATED state • Reassociate request sent by Supplicant • Success sent by Authenticator • Supplicant remains in AUTHENTICATED state • Sequence of events for unsuccessful reassociate • Supplicant in AUTHENTICATED state • Reassociate request sent by Supplicant • EAP-Request/Identity sent by Authenticator • On EAP-Request/Identity, supplicant transitions to ACQUIRED state Bernard Aboba, Microsoft