Tunnel Extensible Authentication Protocol (TEAP) Version 1
RFC 7170

 
Document Type RFC - Proposed Standard (May 2014; No errata)
Last updated 2014-05-07
Replaces draft-zhou-emu-eap-fastv2
Stream IETF
Formats plain text pdf html
Stream WG state WG Document
Consensus Unknown
Document shepherd Alan DeKok
Shepherd write-up Show (last changed 2013-06-18)
IESG IESG state RFC 7170 (Proposed Standard)
Telechat date
Responsible AD Sean Turner
Send notices to emu-chairs@ietf.org, draft-ietf-emu-eap-tunnel-method@ietf.org
IANA IANA review state Version Changed - Review Needed
IANA action state RFC-Ed-Ack

Email authors IPR 2 References Referenced by Nits Search lists

Internet Engineering Task Force (IETF)                           H. Zhou
Request for Comments: 7170                                 N. Cam-Winget
Category: Standards Track                                     J. Salowey
ISSN: 2070-1721                                            Cisco Systems
                                                                S. Hanna
                                                   Infineon Technologies
                                                                May 2014

       Tunnel Extensible Authentication Protocol (TEAP) Version 1

Abstract

   This document defines the Tunnel Extensible Authentication Protocol
   (TEAP) version 1.  TEAP is a tunnel-based EAP method that enables
   secure communication between a peer and a server by using the
   Transport Layer Security (TLS) protocol to establish a mutually
   authenticated tunnel.  Within the tunnel, TLV objects are used to
   convey authentication-related data between the EAP peer and the EAP
   server.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc7170.

Zhou, et al.                 Standards Track                    [Page 1]
RFC 7170                          TEAP                          May 2014

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   5
     1.1.  Specification Requirements  . . . . . . . . . . . . . . .   5
     1.2.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   6
   2.  Protocol Overview . . . . . . . . . . . . . . . . . . . . . .   6
     2.1.  Architectural Model . . . . . . . . . . . . . . . . . . .   7
     2.2.  Protocol-Layering Model . . . . . . . . . . . . . . . . .   8
   3.  TEAP Protocol . . . . . . . . . . . . . . . . . . . . . . . .   9
     3.1.  Version Negotiation . . . . . . . . . . . . . . . . . . .   9
     3.2.  TEAP Authentication Phase 1: Tunnel Establishment . . . .  10
       3.2.1.  TLS Session Resume Using Server State . . . . . . . .  11
       3.2.2.  TLS Session Resume Using a PAC  . . . . . . . . . . .  12
       3.2.3.  Transition between Abbreviated and Full TLS Handshake  13
     3.3.  TEAP Authentication Phase 2: Tunneled Authentication  . .  14
       3.3.1.  EAP Sequences . . . . . . . . . . . . . . . . . . . .  14
       3.3.2.  Optional Password Authentication  . . . . . . . . . .  15
       3.3.3.  Protected Termination and Acknowledged Result
               Indication  . . . . . . . . . . . . . . . . . . . . .  15
     3.4.  Determining Peer-Id and Server-Id . . . . . . . . . . . .  16
     3.5.  TEAP Session Identifier . . . . . . . . . . . . . . . . .  17
     3.6.  Error Handling  . . . . . . . . . . . . . . . . . . . . .  17
       3.6.1.  Outer-Layer Errors  . . . . . . . . . . . . . . . . .  18
       3.6.2.  TLS Layer Errors  . . . . . . . . . . . . . . . . . .  18
       3.6.3.  Phase 2 Errors  . . . . . . . . . . . . . . . . . . .  19
     3.7.  Fragmentation . . . . . . . . . . . . . . . . . . . . . .  19
     3.8.  Peer Services . . . . . . . . . . . . . . . . . . . . . .  20
       3.8.1.  PAC Provisioning  . . . . . . . . . . . . . . . . . .  21
       3.8.2.  Certificate Provisioning within the Tunnel  . . . . .  22
       3.8.3.  Server Unauthenticated Provisioning Mode  . . . . . .  23
       3.8.4.  Channel Binding . . . . . . . . . . . . . . . . . . .  23

Zhou, et al.                 Standards Track                    [Page 2]
RFC 7170                          TEAP                          May 2014

   4.  Message Formats . . . . . . . . . . . . . . . . . . . . . . .  24
     4.1.  TEAP Message Format . . . . . . . . . . . . . . . . . . .  24
Show full document text