ERP IMPLEMENTATION - Kedar Gaonkar - PowerPoint PPT Presentation



SLIDE 1

ERP IMPLEMENTATION

Kedar Gaonkar
IETF-69, Chicago, July 23rd, 2007

SLIDE 2

Deployment Scenario

[Figure: deployment topology with the station (STA), two access points (AP1, AP2), a Local AAA server and a Home AAA server.]

SLIDE 3

Implementation

  • Setup consists of 4 machines: Supplicant (STA), Access Point (AP), Local AAA Server, and Home AAA Server
    – ‘wpa_supplicant – 0.5.7’ at Supplicant
    – ‘HostAP – 0.5.7’ at Access Point
    – RADIUS implemented at AS by using ‘freeRADIUS – 1.1.6’
  • EAP-TLS selected as the EAP method
  • OpenSSL used to generate certificates
  • STA associates with AP wirelessly through DWL-G650 network cards (Atheros Chipset)
  • AP is connected to Local AAA by a CAT5 cross-cable
  • Local AAA and Home AAA exist on common LAN.

SLIDE 4

EAP Peer State Machine

[Figure: EAP peer state machine diagram.
States: INITIALIZE, IDLE, RECEIVED, GET_METHOD, METHOD, SEND_RESPONSE, DISCARD, IDENTITY, NOTIFICATION, RETRANSMIT, SUCCESS, FAILURE.
Transition guards shown: eapReq; rxReq && reqId == lastId; rxReq && reqId != lastId && reqMethod == IDENTITY; rxReq && reqId != lastId && reqMethod == NOTIFICATION; rxReq && reqId != lastId && (reqMethod == selectedMethod) && (methodState != DONE); rxReq && reqId != lastId && reqMethod != IDENTITY && reqMethod != NOTIFICATION; selectedMethod == reqMethod; ignore; rxSuccess && decision != FAIL; rxSuccess && decision == FAIL; (altAccept && decision != FAIL) || (idleWhile == 0 && decision == UNCOND_SUCC); altReject || (idleWhile == 0 && decision != UNCOND_SUCC) || (altAccept && methodState != CONT && decision == FAIL); else.]

SLIDE 5

Peer ERP State Machine

[Figure: peer ERP state machine diagram.
States: INITIALIZE, IDLE, ER_INITIATE, SEND_ER_INITIATE, RECEIVED, RETRANSMIT, SUCCESS, FAILURE.
Actions shown: erAuthCount = 0; eapRespData = buildERauth(reqId); portValid = FALSE; eapSuccess = FALSE; eapResp = TRUE; erAuthenticate = FALSE; erValidReceive = FALSE.
Transition guards shown: Connect to new AP (EMSK valid); eapReq; erFinish; rxReq && reqId != lastId && reqMethod != IDENTITY; Timer Expires; erAuthenticate; erAuthCount > 2; !erValidReceive; rxSuccess && decision == FAIL; rxSuccess && decision != FAIL.]

SLIDE 6

Peer EAPOL Backend State Machine

[Figure: peer EAPOL backend state machine diagram.
States: INITIALIZE, IDLE, REQUEST, RECEIVE, RESPONSE, SUCCESS, TIMEOUT, FAIL.
Transition guards shown: eapolEap && suppStart; eapResp; eapSuccess; eapFail; erTimeoutWhen == 0.
Actions shown: erTimeoutWhen = erTimeoutPeriod; if (!erValidReceive) { erAuthenticate = TRUE; erAuthCount++ }.]
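The peer-side retry logic spread over the ERP state machine and the EAPOL backend state machine (the two figures above) is easier to follow as running code. The following is an added example, not code from the presentation or from wpa_supplicant: the variable names (erAuthCount, erAuthenticate, erValidReceive, erTimeoutWhen, erTimeoutPeriod) and the guards "erAuthCount > 2", "erTimeoutWhen == 0" and "Connect to new AP (EMSK valid)" are taken from the slides, while the order in which the transitions fire, the timer period of three ticks and the contents of buildERauth() are this example's assumptions.

```python
"""Peer-side ERP re-authentication driver (constructed example, not the
presentation's code). Names and guards come from the peer ERP and EAPOL backend
state machine figures; the transition ordering is an assumption."""
from dataclasses import dataclass, field
from typing import List

MAX_ER_AUTH = 2   # figure: "erAuthCount > 2" ends re-authentication with FAILURE


@dataclass
class PeerErp:
    emsk_valid: bool                 # "Connect to new AP (EMSK valid)": ERP keys exist
    er_timeout_period: int = 3       # erTimeoutPeriod in timer ticks (assumed value)
    state: str = "INITIALIZE"
    er_auth_count: int = 0           # erAuthCount
    er_authenticate: bool = False    # erAuthenticate
    er_valid_receive: bool = False   # erValidReceive
    er_timeout_when: int = 0         # erTimeoutWhen
    eap_resp: bool = False
    eap_success: bool = False
    port_valid: bool = False
    req_id: int = 0
    sent: List[bytes] = field(default_factory=list)  # EAP Initiate/Reauth messages handed down

    def build_er_auth(self, req_id: int) -> bytes:
        # Stands in for buildERauth(reqId); the real fields are listed on the reauth slide.
        return b"EAP-Initiate/Reauth id=%d attempt=%d" % (req_id, self.er_auth_count)

    def connect_new_ap(self) -> str:
        """INITIALIZE: erAuthCount = 0, then ER_INITIATE if the EMSK is valid."""
        self.er_auth_count = 0
        if not self.emsk_valid:
            self.state = "FAILURE"   # nothing to re-authenticate with: full EAP is needed
            return self.state
        return self._er_initiate()

    def _er_initiate(self) -> str:
        # ER_INITIATE actions
        self.port_valid = False
        self.eap_success = False
        self.sent.append(self.build_er_auth(self.req_id))
        # SEND_ER_INITIATE actions
        self.eap_resp = True
        self.er_authenticate = False
        self.er_valid_receive = False
        # EAPOL backend arms the timer: erTimeoutWhen = erTimeoutPeriod
        self.er_timeout_when = self.er_timeout_period
        self.state = "IDLE"
        return self.state

    def tick(self) -> str:
        """One timer tick of the EAPOL backend."""
        if self.state != "IDLE":
            return self.state
        self.er_timeout_when -= 1
        if self.er_timeout_when == 0 and not self.er_valid_receive:
            # TIMEOUT: if (!erValidReceive) { erAuthenticate = TRUE; erAuthCount++ }
            self.er_authenticate = True
            self.er_auth_count += 1
            # erAuthenticate -> RETRANSMIT, unless the retry budget is exhausted
            if self.er_auth_count > MAX_ER_AUTH:
                self.state = "FAILURE"
            else:
                self.state = "RETRANSMIT"
                self._er_initiate()
        return self.state

    def receive_finish(self, valid: bool, success: bool) -> str:
        """erFinish -> RECEIVED. `valid` is the outcome of the peer's message checks,
        `success` means Flags == 000. rxSuccess && decision != FAIL -> SUCCESS, else FAILURE."""
        if self.state != "IDLE":
            return self.state
        if not valid:
            return self.state        # a message that fails validation is discarded; keep waiting
        self.er_valid_receive = True
        self.eap_success = success
        self.state = "SUCCESS" if success else "FAILURE"
        return self.state
```

The bounded counter is the point: every timeout re-sends one EAP Initiate/Reauth and increments erAuthCount, and the third expiry lands in FAILURE instead of retransmitting forever, so a lost or dropped Finish cannot keep the peer flooding the AP indefinitely.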

SLIDE 7

Authenticator EAPOL State Machine

[Figure: authenticator EAPOL state machine diagram.
States: INITIALIZE, IDLE, REQUEST, ER_INITIATE, RESPONSE, IGNORE, FAIL, TIMEOUT, SUCCESS.
Actions shown: eapSuccess = FALSE; eapolERP = FALSE; eapResp = TRUE; eapNoReq = FALSE; aWhile = serverTimeout; sendRespToServer().
Transition guards shown: eapolERP; eapolEap; eapReq && authStart; eapReq; eapFail && authStart; eapReq && !eapolERP; eapSuccess; eapFail; eapTimeout; aWhile == 0; eapNoReq.]

SLIDE 8

Message Validation and Key Derivation at AS

  • EAP_INITIATE: Decapsulate EAP Message
  • Check SEQ (else: DISCARD)
  • Lookup rIKname (else: DISCARD)
  • Compare Integrity Checksum (else: DISCARD)
  • Generate rMSK: rMSK = TLS-PRF-64(rRK, SEQ)

SLIDE 9

Send EAP_FINISH to AP

  • Validation Successful?
    – Yes: Build EAP-Finish Packet, Flags=000; Encapsulate into ACCESS ACCEPT
    – No: Build EAP-Finish Packet, Flags=100; Encapsulate into ACCESS REJECT
  • Add RADIUS Attributes
  • Send RADIUS packet to AP

SLIDE 10

Message Validation and Key Derivation at Peer

  • EAP_FINISH: Decapsulate EAP Message
  • Check SEQ (else: DISCARD)
  • Lookup rIKname (else: DISCARD)
  • Compare Integrity Checksum (else: DISCARD)
  • Flags == 000: Generate rMSK: rMSK = TLS-PRF-64(rRK, SEQ); erValidReceive = TRUE; 4-way key exchange
  • Flags == 100: FAIL
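The validation pipelines for EAP_INITIATE at the AS and EAP_FINISH at the peer share the same four checks, so one worked example covers both, together with the Flags=000 / Flags=100 split on the Finish side. The following is an added example and not code from the presentation, freeRADIUS or wpa_supplicant: the wire layout, HMAC-SHA256 as the integrity checksum, the use of the TLS 1.2 P_SHA256 PRF with an invented label as the "TLS-PRF-64" instance, and the function names are all assumptions (the slides give only "rMSK = TLS-PRF-64(rRK, SEQ)"). Two details are worth noting: rIKname is looked up before SEQ is checked because the replay state lives in the per-name key record, and that state is advanced only after the authentication tag verifies, so an unauthenticated message cannot burn sequence numbers.

```python
"""EAP_INITIATE validation at the AS and EAP_FINISH validation at the peer
(constructed example; wire format, HMAC-SHA256 tag and PRF label are assumptions)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TAG_LEN = 32
FLAGS_OK = 0b000    # Flags=000: re-authentication succeeded
FLAGS_FAIL = 0b100  # Flags=100: re-authentication rejected


def tls_prf_sha256(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 from RFC 5246 section 5 (assumed instantiation of the slide's TLS-PRF)."""
    out, a = b"", label + seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()                  # A(i)
        out += hmac.new(secret, a + label + seed, hashlib.sha256).digest()
    return out[:length]


def derive_rmsk(rRK: bytes, seq: int) -> bytes:
    """rMSK = TLS-PRF-64(rRK, SEQ); 64-byte output, the label is an assumption."""
    return tls_prf_sha256(rRK, b"erp rmsk", struct.pack(">H", seq), 64)


@dataclass
class KeyRecord:
    rIK: bytes          # re-authentication integrity key: keys the checksum
    rRK: bytes          # re-authentication root key: input to rMSK derivation
    last_seq: int = -1  # highest SEQ accepted so far (replay state, kept per rIKname)


def encode(flags: int, seq: int, rikname: bytes, rIK: bytes) -> bytes:
    """Toy encoding: flags(1) | SEQ(2) | len(1) | rIKname | HMAC-SHA256 over the preceding bytes."""
    body = struct.pack(">BHB", flags & 0x7, seq, len(rikname)) + rikname
    return body + hmac.new(rIK, body, hashlib.sha256).digest()


def validate(msg: bytes, keys: Dict[bytes, KeyRecord], expected_seq: Optional[int] = None):
    """The four checks. Returns ("DISCARD", reason) or ("PASS", flags, seq, rMSK).
    The peer passes expected_seq: it only accepts the SEQ it put into its own Initiate."""
    # Decapsulate EAP message
    if len(msg) < 4 + TAG_LEN:
        return ("DISCARD", "truncated")
    flags, seq, nlen = struct.unpack(">BHB", msg[:4])
    if len(msg) != 4 + nlen + TAG_LEN:
        return ("DISCARD", "bad length")
    body, tag = msg[:4 + nlen], msg[4 + nlen:]
    rikname = msg[4:4 + nlen]
    # Lookup rIKname (first, because the SEQ replay state is stored per name)
    rec = keys.get(rikname)
    if rec is None:
        return ("DISCARD", "unknown rIKname")
    # Check SEQ
    if expected_seq is not None:
        if seq != expected_seq:
            return ("DISCARD", "SEQ does not match our Initiate")
    elif seq <= rec.last_seq:
        return ("DISCARD", "replayed SEQ")
    # Compare integrity checksum, in constant time
    if not hmac.compare_digest(tag, hmac.new(rec.rIK, body, hashlib.sha256).digest()):
        return ("DISCARD", "bad authentication tag")
    # Advance replay state only now: a forged SEQ must never move the window
    rec.last_seq = max(rec.last_seq, seq)
    # Generate rMSK
    return ("PASS", flags, seq, derive_rmsk(rec.rRK, seq))


def as_handle_initiate(msg: bytes, keys: Dict[bytes, KeyRecord]) -> Tuple[str, int, Optional[bytes]]:
    """AS side: PASS -> EAP-Finish Flags=000 in ACCESS ACCEPT (rMSK leaves as the MS-MPPE keys);
    anything else -> Flags=100 in ACCESS REJECT."""
    res = validate(msg, keys)
    if res[0] != "PASS":
        return ("ACCESS REJECT", FLAGS_FAIL, None)
    return ("ACCESS ACCEPT", FLAGS_OK, res[3])


def peer_handle_finish(msg: bytes, keys: Dict[bytes, KeyRecord], sent_seq: int) -> Tuple[str, Optional[bytes]]:
    """Peer side: Flags == 000 -> rMSK, erValidReceive = TRUE, on to the 4-way key exchange;
    Flags == 100 -> FAIL; anything else -> DISCARD."""
    res = validate(msg, keys, expected_seq=sent_seq)
    if res[0] != "PASS":
        return ("DISCARD", None)
    flags, rmsk = res[1], res[3]
    if flags == FLAGS_OK:
        return ("SUCCESS", rmsk)
    if flags == FLAGS_FAIL:
        return ("FAIL", None)
    return ("DISCARD", None)
```

Run against a constructed key pair, the AS accepts SEQ 7 once and rejects its replay, a message with a bad tag does not move last_seq, and the peer derives the same 64-byte rMSK from its copy of rRK, which is what the subsequent 4-way key exchange relies on.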

SLIDE 11

New RADIUS attributes proposed

  • Local AAA server requests key from Home AAA server
  • Two new RADIUS Attributes:
    – Key-Request Attribute
    – Key-Response Attribute

SLIDE 12

Initial EAP exchange

[Sequence diagram with participants Peer, AP2, Local AAA and Home AAA. Messages, in order:]
  • AP2 → Peer: EAP Request/Identity
  • Peer → AP2: EAP Response/Identity
  • AP2 → Local AAA: RADIUS Access-Req [Username, NAS-IP-Addr, NAS-Port, Called-StationID, Calling-StationID, Framed MTU, NAS-Port-Type, Connect-Info, EAP-Message, Message-Authenticator]
  • Local AAA → Home AAA: RADIUS Access-Req [Username, NAS-IP-Addr, NAS-Port, Called-StationID, Calling-StationID, Framed MTU, NAS-Port-Type, Connect-Info, EAP-Message, Message-Authenticator, Key-Request]
  • Peer ↔ Home AAA: EAP Method Exchange
  • Home AAA → Local AAA: RADIUS Access-Accept [MS-MPPE-Recv-Key, MS-MPPE-Send-Key, EAP-Finish/Reauth-Message, Message-Authenticator, Username, Session-Timeout, Key-Response]
  • Local AAA → AP2: RADIUS Access-Accept [MS-MPPE-Recv-Key, MS-MPPE-Send-Key, EAP-Finish/Reauth-Message, Message-Authenticator, Username, Session-Timeout]
  • AP2 → Peer: EAP Success

SLIDE 13

During ERP Reauthentication

[Sequence diagram with participants Peer, AP2, Local AAA and Home AAA; no need to contact the Home AAA Server. Messages, in order:]
  • Peer → AP2: EAP Initiate/Reauth [SEQ, rIK name, rIKname as NAI, Crypto Suite, Authentication Tag]
  • AP2 → Local AAA: RADIUS Access-Req [Username, NAS-IP-Addr, NAS-Port, Called-StationID, Calling-StationID, Framed MTU, NAS-Port-Type, Connect-Info, EAP-Message, Message-Authenticator]
  • Local AAA → AP2: RADIUS Access-Accept [MS-MPPE-Recv-Key, MS-MPPE-Send-Key, EAP-Finish/Reauth-Message, Message-Authenticator, Username, Session-Timeout]
  • AP2 → Peer: EAP Finish/Reauth [SEQ, rIK name, rIKname as NAI, Crypto Suite, Authentication Tag]

SLIDE 14

Acknowledgments

  • freeRADIUS Team
  • Host AP and wpa_supplicant: Jouni Malinen

SLIDE 15

Thank You!

Questions?