Network Working Group                                          B. Aboba
Request for Comments: 3748                                    Microsoft
Obsoletes: 2284                                                L. Blunk
Category: Standards Track                            Merit Network, Inc
                                                          J. Vollbrecht
                                                Vollbrecht Consulting LLC
                                                             J. Carlson
                                                                    Sun
                                                       H. Levkowetz, Ed.
                                                            ipUnplugged
                                                              June 2004

                 Extensible Authentication Protocol (EAP)

Status of this Memo

This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2004).

Abstract

This document defines the Extensible Authentication Protocol (EAP),
an authentication framework which supports multiple authentication
methods. EAP typically runs directly over data link layers such as
Point-to-Point Protocol (PPP) or IEEE 802, without requiring IP. EAP
provides its own support for duplicate elimination and
retransmission, but is reliant on lower layer ordering guarantees.
Fragmentation is not supported within EAP itself; however, individual
EAP methods may support this.
This document obsoletes RFC 2284. A summary of the changes between
this document and RFC 2284 is available in Appendix A.

Aboba, et al.               Standards Track                     [Page 1]

RFC 3748                          EAP                          June 2004

Table of Contents

   1.  Introduction. . . . . . . . . . . . . . . . . . . . . . . . . 3
       1.1.  Specification of Requirements . . . . . . . . . . . . . 4
       1.2.  Terminology . . . . . . . . . . . . . . . . . . . . . . 4
       1.3.  Applicability . . . . . . . . . . . . . . . . . . . . . 6
   2.  Extensible Authentication Protocol (EAP). . . . . . . . . . . 7
       2.1.  Support for Sequences . . . . . . . . . . . . . . . . . 9
       2.2.  EAP Multiplexing Model. . . . . . . . . . . . . . . . . 10
       2.3.  Pass-Through Behavior . . . . . . . . . . . . . . . . . 12
       2.4.  Peer-to-Peer Operation. . . . . . . . . . . . . . . . . 14
   3.  Lower Layer Behavior. . . . . . . . . . . . . . . . . . . . . 15
       3.1.  Lower Layer Requirements. . . . . . . . . . . . . . . . 15
       3.2.  EAP Usage Within PPP. . . . . . . . . . . . . . . . . . 18
             3.2.1.  PPP Configuration Option Format. . . . . . . . . 18
       3.3.  EAP Usage Within IEEE 802 . . . . . . . . . . . . . . . 19
       3.4.  Lower Layer Indications . . . . . . . . . . . . . . . . 19
   4.  EAP Packet Format . . . . . . . . . . . . . . . . . . . . . . 20
       4.1.  Request and Response. . . . . . . . . . . . . . . . . . 21
       4.2.  Success and Failure . . . . . . . . . . . . . . . . . . 23
       4.3.  Retransmission Behavior . . . . . . . . . . . . . . . . 26
   5.  Initial EAP Request/Response Types. . . . . . . . . . . . . . 27
       5.1.  Identity. . . . . . . . . . . . . . . . . . . . . . . . 28
       5.2.  Notification. . . . . . . . . . . . . . . . . . . . . . 29
       5.3.  Nak . . . . . . . . . . . . . . . . . . . . . . . . . . 31
             5.3.1.  Legacy Nak . . . . . . . . . . . . . . . . . . . 31
             5.3.2.  Expanded Nak . . . . . . . . . . . . . . . . . . 32
       5.4.  MD5-Challenge . . . . . . . . . . . . . . . . . . . . . 35
       5.5.  One-Time Password (OTP) . . . . . . . . . . . . . . . . 36
       5.6.  Generic Token Card (GTC). . . . . . . . . . . . . . . . 37
       5.7.  Expanded Types. . . . . . . . . . . . . . . . . . . . . 38
       5.8.  Experimental. . . . . . . . . . . . . . . . . . . . . . 40
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . 40
       6.1.  Packet Codes. . . . . . . . . . . . . . . . . . . . . . 41
       6.2.  Method Types. . . . . . . . . . . . . . . . . . . . . . 41
   7.  Security Considerations . . . . . . . . . . . . . . . . . . . 42
       7.1.  Threat Model. . . . . . . . . . . . . . . . . . . . . . 42
       7.2.  Security Claims . . . . . . . . . . . . . . . . . . . . 43
             7.2.1.  Security Claims Terminology for EAP Methods. . . 44
       7.3.  Identity Protection . . . . . . . . . . . . . . . . . . 46