
ERP Implementation - Kedar Gaonkar - PowerPoint PPT Presentation



  1. ERP Implementation. Kedar Gaonkar. IETF-69, Chicago, July 23rd, 2007

  2. Deployment Scenario (diagram). Elements shown: STA, AP1, AP2, Local AAA, Home AAA.

  3. Implementation
     • Setup consists of 4 machines: Supplicant (STA), Access Point (AP), Local AAA Server, and Home AAA Server
       – ‘wpa_supplicant 0.5.7’ at Supplicant
       – ‘HostAP 0.5.7’ at Access Point
       – RADIUS implemented at AS by using ‘freeRADIUS 1.1.6’
     • EAP-TLS selected as the EAP method
     • OpenSSL used to generate certificates
     • STA associates with AP wirelessly through DWL-G650 network cards (Atheros chipset)
     • AP is connected to Local AAA by a CAT5 cross-cable
     • Local AAA and Home AAA exist on a common LAN.

  4. EAP Peer State Machine (diagram)
     States: INITIALIZE, IDLE, RECEIVED, DISCARD, SEND_RESPONSE, METHOD, GET_METHOD, IDENTITY, NOTIFICATION, RETRANSMIT, SUCCESS, FAILURE
     Transition guards shown in the diagram:
       – (altAccept && decision != FAIL) || (idleWhile == 0 && decision == UNCOND_SUCC)
       – eapReq
       – rxReq && reqId != lastId && (reqMethod == selectedMethod) && (methodState != DONE)
       – selectedMethod == reqMethod
       – rxReq && reqId != lastId && reqMethod != IDENTITY && reqMethod != NOTIFICATION
       – rxReq && reqId != lastId && reqMethod == IDENTITY
       – rxReq && reqId != lastId && reqMethod == NOTIFICATION
       – rxReq && reqId == lastId
       – rxSuccess && decision != FAIL
       – rxSuccess && decision == FAIL
       – altReject || (idleWhile == 0 && decision != UNCOND_SUCC) || (altAccept && methodState != CONT && decision == FAIL)
       – else / ignore

  5. Peer ERP State Machine (diagram)
     States: INITIALIZE, IDLE, ER_INITIATE, SEND_ER_INITIATE, RECEIVED, RETRANSMIT, SUCCESS, FAILURE
     Transition guards and actions shown in the diagram:
       – eapReq
       – Connect to new AP (EMSK valid)
       – rxReq && reqId != lastId && reqMethod != IDENTITY
       – eapRespData = buildERauth(reqId)
       – Timer expires; erAuthCount > 2
       – portValid = FALSE; eapSuccess = FALSE
       – eapResp = TRUE, erAuthenticate = FALSE
       – erAuthCount = 0; erValidReceive = FALSE
       – eapRespData; erFinish
       – rxSuccess && erAuthenticate && decision != FAIL
       – !erValidReceive
       – rxSuccess && decision == FAIL

  6. Peer EAPOL Backend State Machine (diagram)
     States: INITIALIZE, IDLE, REQUEST, RESPONSE, RECEIVE, TIMEOUT, FAIL, SUCCESS
     Transition guards and actions shown in the diagram:
       – eapolEap && suppStart
       – eapResp; eapSuccess; eapFail
       – erTimeoutWhen = erTimeoutPeriod
       – erTimeoutWhen == 0
       – On TIMEOUT: if (!erValidReceive) { erAuthenticate = TRUE; erAuthCount++ }

  7. Authenticator EAPOL State Machine (diagram)
     States: INITIALIZE, ER_INITIATE, IDLE, REQUEST, RESPONSE, IGNORE, SUCCESS, TIMEOUT, FAIL
     Transition guards and actions shown in the diagram:
       – eapFail && authStart; eapReq && authStart
       – eapolERP; eapolERP = FALSE
       – eapSuccess = FALSE; eapResp = TRUE; eapNoReq = FALSE
       – aWhile = serverTimeout; aWhile == 0
       – eapolEap; sendRespToServer()
       – eapReq; eapReq && !eapolERP; eapNoReq
       – eapSuccess; eapFail; eapTimeout

  8. Message Validation and Key Derivation at AS (flowchart)
     Decapsulate EAP Message → EAP_INITIATE? (else DISCARD)
     → Lookup rIKname: pass (else DISCARD)
     → Check SEQ: pass (else DISCARD)
     → Compare Integrity Checksum: pass (else DISCARD)
     → Generate rMSK: rMSK = TLS-PRF-64(rRK, SEQ)

  9. Send EAP_FINISH to AP (flowchart)
     Validation Successful?
       – No: Build EAP-Finish Packet with Flags=000 → Encapsulate into ACCESS REJECT
       – Yes: Build EAP-Finish Packet with Flags=100 → Encapsulate into ACCESS ACCEPT
     → Add RADIUS Attributes → Send RADIUS packet to AP

  10. Message Validation and Key Derivation at Peer (flowchart)
     Decapsulate EAP Message → EAP_FINISH? (else DISCARD)
     → Lookup rIKname: pass (else DISCARD)
     → Check SEQ: pass (else DISCARD)
     → Compare Integrity Checksum: pass (else DISCARD)
     → Flags == 000: FAIL
     → Flags == 100: Generate rMSK, rMSK = TLS-PRF-64(rRK, SEQ); erValidReceive = TRUE; 4-way key exchange
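The AS-side checks of slides 8 and 9 (and, symmetrically, the peer-side checks of slide 10) as an added, constructed Python model; this is not the presenter's code. The integrity checksum as HMAC-SHA256 keyed with rIK, the SEQ rule "must exceed the last accepted value for that keyname", and a TLS-style P_hash over HMAC-SHA256 standing in for the deck's TLS-PRF-64 are all assumptions.

```python
import hmac
import hashlib
import struct

# Constructed model of slides 8-9 (not the presenter's code):
# lookup rIKname -> check SEQ -> compare integrity checksum -> derive rMSK,
# then pick the EAP-Finish Flags value the AS sends back.
# Assumptions: HMAC-SHA256 checksum keyed with rIK over the message body,
# SEQ strictly increasing per keyname, P_hash/HMAC-SHA256 as the PRF.

FLAGS_REJECT = 0b000   # slide 9: validation failed -> ACCESS REJECT
FLAGS_ACCEPT = 0b100   # slide 9: validation passed -> ACCESS ACCEPT


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS-style P_hash expansion (stand-in PRF, assumption)."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def derive_rmsk(rrk: bytes, seq: int) -> bytes:
    """rMSK = TLS-PRF-64(rRK, SEQ) from slides 8 and 10: 64 output bytes."""
    return p_hash(rrk, struct.pack(">H", seq), 64)


def checksum(rik: bytes, body: bytes) -> bytes:
    """Integrity checksum carried in EAP-Initiate (assumed HMAC over body)."""
    return hmac.new(rik, body, hashlib.sha256).digest()


def validate_initiate(keytable, last_seq, rikname, seq, body, mac):
    """Run the AS checks in slide order; return (flags, rMSK or None)."""
    entry = keytable.get(rikname)                # Lookup rIKname
    if entry is None:
        return FLAGS_REJECT, None
    if seq <= last_seq.get(rikname, -1):         # Check SEQ: drop replays
        return FLAGS_REJECT, None
    expected = checksum(entry["rIK"], body)      # Compare Integrity Checksum
    if not hmac.compare_digest(expected, mac):   # constant-time compare
        return FLAGS_REJECT, None
    last_seq[rikname] = seq                      # advance only after all checks pass
    return FLAGS_ACCEPT, derive_rmsk(entry["rRK"], seq)
```

Note that SEQ is recorded only after the checksum passes, so a forged message cannot burn a sequence number that a legitimate peer still needs.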

  11. New RADIUS attributes proposed
     • Local AAA server requests key from Home AAA server
     • Two new RADIUS Attributes:
       – Key-Request Attribute
       – Key-Response Attribute

  12. Initial EAP exchange (message sequence between Peer, AP2, Local AAA, Home AAA)
     – EAP Request/Identity (AP2 → Peer)
     – EAP Response/Identity (Peer → AP2)
     – RADIUS Access-Request (AP2 → Local AAA) [Username, NAS-IP-Addr, NAS-Port, Called-StationID, Calling-StationID, Framed-MTU, NAS-Port-Type, Connect-Info, EAP-Message, Message-Authenticator]
     – RADIUS Access-Request (Local AAA → Home AAA) [Username, NAS-IP-Addr, NAS-Port, Called-StationID, Calling-StationID, Framed-MTU, NAS-Port-Type, Connect-Info, EAP-Message, Message-Authenticator, Key-Request]
     – EAP Method Exchange
     – RADIUS Access-Accept (Home AAA → Local AAA) [MS-MPPE-Recv-Key, MS-MPPE-Send-Key, EAP-Finish/Reauth-Message, Message-Authenticator, Username, Session-Timeout, Key-Response]
     – RADIUS Access-Accept (Local AAA → AP2) [MS-MPPE-Recv-Key, MS-MPPE-Send-Key, EAP-Finish/Reauth-Message, Message-Authenticator, Username, Session-Timeout]
     – EAP Success (AP2 → Peer)
