PROTOCOL: IEEE 802.1X - EAPOL: EAP over LAN authentication
(IEEE 802.1X RADIUS: Remote Authentication Dial In User Service)
PURPOSE:
The 802.1X (EAPOL) protocol provides effective authentication regardless of
whether one implements 802.11 WEP keys or no encryption at all.
If configured to implement dynamic key exchange, the 802.1X authentication
server can return session keys to the access point along with the accept
message. The access point uses the session keys to build, sign and encrypt
an EAP key message that is sent to the client immediately after sending
the success message. The client can then use the contents of the key
message to define applicable encryption keys.
REFERENCE:
MODELER:
- Vishal Sankhla, University of Southern California, August 2004
ALICE_BOB:
Client -> Auth   : EAPOL_Start
Auth   -> Client : EAPOL_Request_Identity
Client -> Auth   : EAPOL_Response (= NAS_ID, NAS_PORT, {Secret_Key}MD5)
Auth   -> Server : Access-Request (= NAS_ID, NAS_PORT, {Secret_Key}MD5)
Server -> Auth   : Access-Challenge
Auth   -> Client : Access-Challenge
    where Access-Challenge = Message
Client -> Auth   : Access-Chall-Response
    where Access-Chall-Response = {Message}Secret_Key
Auth   -> Server : Access-Chall-Response
Server -> Auth   : Access-Accept
Auth   -> Client : EAPOL_Success
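The exchange above as an added Python example (not part of the original protocol model): the server issues a fresh Message for each Access-Challenge and accepts each response once, so a response recorded from an earlier run is not accepted again. HMAC-SHA256 stands in for {Message}Secret_Key, and the class names, the NAS_ID value and the reject path are assumptions.

```python
import hashlib
import hmac
import secrets

class Server:
    """RADIUS server role: holds each client's Secret_Key (assumed layout)."""
    def __init__(self, keys):
        self.keys = keys        # NAS_ID -> Secret_Key
        self.pending = {}       # NAS_ID -> outstanding challenge Message

    def access_request(self, nas_id, nas_port, key_md5):
        key = self.keys.get(nas_id)
        if key is None or not hmac.compare_digest(hashlib.md5(key).digest(), key_md5):
            return None         # reject path; not shown in the trace above
        self.pending[nas_id] = secrets.token_bytes(16)   # fresh Message
        return self.pending[nas_id]                      # Access-Challenge

    def access_chall_response(self, nas_id, response):
        message = self.pending.pop(nas_id, None)   # one-shot: a challenge is used once
        if message is None:
            return False
        expected = hmac.new(self.keys[nas_id], message, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)   # True = accept

class Client:
    def __init__(self, nas_id, nas_port, key):
        self.nas_id, self.nas_port, self.key = nas_id, nas_port, key

    def eapol_response(self):
        return self.nas_id, self.nas_port, hashlib.md5(self.key).digest()

    def chall_response(self, message):
        # Stand-in for {Message}Secret_Key (assumption: keyed MAC, not encryption)
        return hmac.new(self.key, message, hashlib.sha256).digest()

def run_exchange(client, server):
    """Authenticator role: relays messages between client and server unchanged."""
    trace = ["EAPOL_Start", "EAPOL_Request_Identity"]
    nas_id, nas_port, key_md5 = client.eapol_response()
    trace.append("EAPOL_Response")
    message = server.access_request(nas_id, nas_port, key_md5)
    trace.append("Access-Request")
    if message is None:
        return trace, False, None
    trace.append("Access-Challenge")
    response = client.chall_response(message)
    trace.append("Access-Chall-Response")
    ok = server.access_chall_response(nas_id, response)
    trace.append("EAPOL_Success" if ok else "rejected")
    return trace, ok, (nas_id, response)
```
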
PROBLEMS: 2
- secrecy of sec_c_Kcs, sec_s_Kcs
- strong authentication on kcs
ATTACKS: None
NOTES:
Agents involved: Client, Authenticator, Radius Serv