Network Working Group D. Simon
Request for Comments: 5216 B. Aboba
Obsoletes: 2716 R. Hurst
Category: Standards Track Microsoft Corporation
March 2008
The EAP-TLS Authentication Protocol
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Abstract
The Extensible Authentication Protocol (EAP), defined in RFC 3748,
provides support for multiple authentication methods. Transport
Layer Security (TLS) provides for mutual authentication, integrity-
protected ciphersuite negotiation, and key exchange between two
endpoints. This document defines EAP-TLS, which includes support for
certificate-based mutual authentication and key derivation.
This document obsoletes RFC 2716. A summary of the changes between
this document and RFC 2716 is available in Appendix A.
Simon, et al. Standards Track [Page 1]
RFC 5216 EAP-TLS Authentication Protocol March 2008
Table of Contents
1. Introduction ....................................................2
1.1. Requirements ...............................................3
1.2. Terminology ................................................3
2. Protocol Overview ...............................................4
2.1. Overview of the EAP-TLS Conversation .......................4
2.1.1. Base Case ...........................................4
2.1.2. Session Resumption ..................................7
2.1.3. Termination .........................................8
2.1.4. Privacy ............................................11
2.1.5. Fragmentation ......................................14
2.2. Identity Verification .....................................16
2.3. Key Hierarchy .............................................17
2.4. Ciphersuite and Compression Negotiation ...................19
3. Detailed Description of the EAP-TLS Protocol ...................20
3.1. EAP-TLS Request Packet ....................................20
3.2. EAP-TLS Response Packet ...................................22
4. IANA Considerations ............................................23
5. Security Considerations ........................................24
5.1. Security Claims ...........................................24
5.2. Peer and Server Identities ................................25
5.3. Certificate Validation ....................................26
5.4. Certificate Revocation ....................................27
5.5. Packet Modification Attacks ...............................28
6. References .....................................................29
6.1. Normative References ......................................29
6.2. Informative References ....................................29
Acknowledgments ...................................................31
Appendix A -- Changes from RFC 2716 ...............................32
1. Introduction
The Extensible Authentication Protocol (EAP), described in [RFC3748],
provides a standard mechanism for support of multiple authentication
methods. Through the use of EAP, support for a number of
authentication schemes may be added, including smart cards, Kerberos,
Public Key, One Time Passwords, and others. EAP has been defined for
use with a variety of lower layers, including the Point-to-Point
Protocol (PPP) [RFC1661], Layer 2 tunneling protocols such as the
Point-to-Point Tunneling Protocol (PPTP) [RFC2637] or Layer 2
Tunneling Protocol (L2TP) [RFC2661], IEEE 802 wired networks
[IEEE-802.1X], and wireless technologies such as IEEE 802.11
[IEEE-802.11] and IEEE 802.16 [IEEE-802.16e].
While the EAP methods defined in [RFC3748] did not support mutual
authentication, the use of EAP with wireless technologies such as
[IEEE-802.11] has resulted in development of a new set of
requirements. As described in "Extensible Authentication Protocol
(EAP) Method Requirements for Wireless LANs" [RFC4017], it is