RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)
RFC 3579

 
Document Type RFC - Informational (September 2003; No errata)
Updated by RFC 5080
Updates RFC 2869
Last updated 2013-03-02
Stream ISE
Stream ISE state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 3579 (Informational)
Responsible AD Randy Bush
Send notices to <aboba@internaut.com>, <pcalhoun@bstormnetworks.com>
Network Working Group                                           B. Aboba
Request for Comments: 3579                                     Microsoft
Updates: 2869                                                 P. Calhoun
Category: Informational                                        Airespace
                                                          September 2003

          RADIUS (Remote Authentication Dial In User Service)
          Support For Extensible Authentication Protocol (EAP)

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

   This document defines Remote Authentication Dial In User Service
   (RADIUS) support for the Extensible Authentication Protocol (EAP), an
   authentication framework which supports multiple authentication
   mechanisms.  In the proposed scheme, the Network Access Server (NAS)
   forwards EAP packets to and from the RADIUS server, encapsulated
   within EAP-Message attributes.  This has the advantage of allowing
   the NAS to support any EAP authentication method, without the need
   for method-specific code, which resides on the RADIUS server.  While
   EAP was originally developed for use with PPP, it is now also in use
   with IEEE 802.

   This document updates RFC 2869.
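
   The encapsulation described in the Abstract, as an added example that
   is not part of the RFC text: a NAS-side builder that splits one EAP
   packet across EAP-Message attributes (type 79) and protects the
   Access-Request with a Message-Authenticator (type 80, HMAC-MD5 with the
   value zeroed during computation), and a server-side check that rejects
   a packet whose Message-Authenticator is missing or wrong.  The function
   names, the shared secret and the sample identity are constructed.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80
MAX_VALUE = 253  # one-octet attribute Length (max 255) minus Type and Length octets

def eap_response_identity(eap_id, identity):
    """Constructed sample input: EAP-Response (code 2), Type 1 (Identity)."""
    return struct.pack("!BBHB", 2, eap_id, 5 + len(identity), 1) + identity

def eap_message_attrs(eap_packet):
    """Split one EAP packet across consecutive EAP-Message attributes."""
    out = b""
    for i in range(0, len(eap_packet), MAX_VALUE):
        chunk = eap_packet[i:i + MAX_VALUE]
        out += bytes([EAP_MESSAGE, len(chunk) + 2]) + chunk
    return out

def build_access_request(ident, eap_packet, secret):
    """Access-Request carrying the EAP packet plus a Message-Authenticator."""
    attrs = eap_message_attrs(eap_packet) + bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + os.urandom(16)
    # HMAC-MD5 over the entire packet while the Message-Authenticator value is 16 zeros.
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

def verify_and_reassemble(packet, secret):
    """Validate Message-Authenticator, then return the reassembled EAP packet."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad RADIUS length")
    eap, mac, zeroed, pos = b"", None, bytearray(packet), 20
    while pos < len(packet):
        alen = packet[pos + 1] if pos + 1 < len(packet) else 0
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        if packet[pos] == EAP_MESSAGE:
            eap += value                      # fragments are concatenated in order
        elif packet[pos] == MESSAGE_AUTHENTICATOR:
            if alen != 18 or mac is not None:
                raise ValueError("bad Message-Authenticator attribute")
            mac = value
            zeroed[pos + 2:pos + alen] = bytes(16)
        pos += alen
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    if mac is None or not hmac.compare_digest(mac, expected):
        raise ValueError("Message-Authenticator missing or invalid: discard")
    return eap
```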

Aboba & Calhoun              Informational                      [Page 1]
RFC 3579                      RADIUS & EAP                September 2003

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  2
       1.1.  Specification of Requirements. . . . . . . . . . . . . .  3
       1.2.  Terminology. . . . . . . . . . . . . . . . . . . . . . .  3
   2.  RADIUS Support for EAP . . . . . . . . . . . . . . . . . . . .  4
       2.1.  Protocol Overview. . . . . . . . . . . . . . . . . . . .  5
       2.2.  Invalid Packets. . . . . . . . . . . . . . . . . . . . .  9
       2.3.  Retransmission . . . . . . . . . . . . . . . . . . . . . 10
       2.4.  Fragmentation. . . . . . . . . . . . . . . . . . . . . . 10
       2.5.  Alternative uses . . . . . . . . . . . . . . . . . . . . 11
       2.6.  Usage Guidelines . . . . . . . . . . . . . . . . . . . . 11
   3.  Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . 14
       3.1.  EAP-Message. . . . . . . . . . . . . . . . . . . . . . . 15
       3.2.  Message-Authenticator. . . . . . . . . . . . . . . . . . 16
       3.3.  Table of Attributes. . . . . . . . . . . . . . . . . . . 18
   4.  Security Considerations. . . . . . . . . . . . . . . . . . . . 19
       4.1.  Security Requirements. . . . . . . . . . . . . . . . . . 19
       4.2.  Security Protocol. . . . . . . . . . . . . . . . . . . . 20
       4.3.  Security Issues. . . . . . . . . . . . . . . . . . . . . 22
   5.  IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 30
   6.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 30
       6.1.  Normative References . . . . . . . . . . . . . . . . . . 30
       6.2.  Informative References . . . . . . . . . . . . . . . . . 32
   Appendix A - Examples. . . . . . . . . . . . . . . . . . . . . . . 34
   Appendix B - Change Log. . . . . . . . . . . . . . . . . . . . . . 43
   Intellectual Property Statement. . . . . . . . . . . . . . . . . . 44
   Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . . 44
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 45
   Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 46

1.  Introduction

   The Remote Authentication Dial In User Service (RADIUS) is an
   authentication, authorization and accounting protocol used to control
   network access.  RADIUS authentication and authorization is specified
   in [RFC2865], and RADIUS accounting is specified in [RFC2866]; RADIUS
   over IPv6 is specified in [RFC3162].

   The Extensible Authentication Protocol (EAP), defined in [RFC2284],
   is an authentication framework which supports multiple authentication
   mechanisms.  EAP may be used on dedicated links, switched circuits,
   and wired as well as wireless links.

   To date, EAP has been implemented with hosts and routers that connect
   via switched circuits or dial-up lines using PPP [RFC1661].  It has
   also been implemented with bridges supporting [IEEE802].  EAP
   encapsulation on IEEE 802 wired media is described in [IEEE8021X].

   RADIUS attributes are comprised of variable length Type-Length-Value