ERP IMPLEMENTATION
Kedar Gaonkar
IETF
Deployment Scenario
[Diagram: STA roams between AP1 and AP2; the APs reach the Local AAA server, which in turn reaches the Home AAA server]
Implementation
• Setup consists of 4 machines: Supplicant (STA), Access Point (AP), Local AAA Server, and Home AAA Server
  – ‘wpa_supplicant – 0.5.7’ at Supplicant
  – ‘HostAP – 0.5.7’ at Access Point
  – RADIUS implemented at AS by using ‘freeRADIUS – 1.1.6’
• EAP-TLS selected as the EAP method
• OpenSSL used to generate certificates
• STA associates with AP wirelessly through DWL-G650 network cards (Atheros Chipset)
• AP is connected to Local AAA by a CAT5 cross-cable
EAP Peer State Machine
[State-machine diagram (the RFC 4137 peer state machine). States: INITIALIZE, IDLE, RECEIVED, DISCARD, GET_METHOD, IDENTITY, NOTIFICATION, METHOD, SEND_RESPONSE, RETRANSMIT, SUCCESS, FAILURE. Transition guards shown: eapReq; rxReq && reqId != lastId && reqMethod != IDENTITY && reqMethod != NOTIFICATION; rxReq && reqId != lastId && reqMethod == IDENTITY; rxReq && reqId != lastId && reqMethod == NOTIFICATION; rxReq && reqId != lastId && reqMethod == selectedMethod && methodState != DONE; rxReq && reqId == lastId; selectedMethod == reqMethod; ignore; rxSuccess && decision != FAIL; rxSuccess && decision == FAIL; (altAccept && decision != FAIL) || (idleWhile == 0 && decision == UNCOND_SUCC); altReject || (idleWhile == 0 && decision != UNCOND_SUCC) || (altAccept && methodState != CONT && decision == FAIL); else.]
Peer ERP State Machine
[State-machine diagram. States: INITIALIZE, IDLE, RECEIVED, ER_INITIATE, SEND_ER_INITIATE, RETRANSMIT, SUCCESS, FAILURE. Actions: erAuthCount = 0; erValidReceive = FALSE; eapRespData = buildERauth(reqId); portValid = FALSE; eapSuccess = FALSE; eapResp = TRUE; erAuthenticate = FALSE. Transition guards shown: Connect to new AP (EMSK valid); erAuthenticate; erAuthCount > 2; Timer Expires; eapReq; erFinish; rxReq && reqId != lastId && reqMethod != IDENTITY; !erValidReceive; rxSuccess && decision != FAIL; rxSuccess && decision == FAIL.]
Peer EAPOL Backend State Machine
[State-machine diagram. States: INITIALIZE, IDLE, REQUEST, RESPONSE, RECEIVE, SUCCESS, FAIL, TIMEOUT. Transition guards shown: eapolEap && suppStart; eapResp; eapSuccess; eapFail; erTimeoutWhen == 0. Actions: erTimeoutWhen = erTimeoutPeriod; if (!erValidReceive) { erAuthenticate = TRUE; erAuthCount++ }.]
Authenticator EAPOL State Machine
[State-machine diagram. States: INITIALIZE, IDLE, REQUEST, RESPONSE, ER_INITIATE, IGNORE, SUCCESS, FAIL, TIMEOUT. Actions in ER_INITIATE: eapSuccess = FALSE; eapolERP = FALSE; eapResp = TRUE; eapNoReq = FALSE; aWhile = serverTimeout; sendRespToServer(). Transition guards shown: eapolERP; eapolEap; eapReq && authStart; eapFail && authStart; eapReq; eapReq && !eapolERP; eapSuccess; eapFail; eapTimeout; eapNoReq; aWhile == 0.]
Message Validation and Key Derivation at AS
[Flowchart:]
1. Decapsulate EAP message
2. Check SEQ: pass → continue; else → DISCARD
3. Lookup rIKname: pass → continue; else → DISCARD
4. EAP_INITIATE? pass → continue; else → DISCARD
5. Compare Integrity Checksum: pass → continue; else → DISCARD
6. Generate rMSK: rMSK = TLS-PRF-64(rRK, SEQ)
7. Validation Successful?
   Yes → Build EAP-Finish packet, Flags=000 → Encapsulate into ACCESS ACCEPT
   No → Build EAP-Finish packet, Flags=100 → Encapsulate into ACCESS REJECT
8. Add RADIUS attributes
9. Send RADIUS packet to AP (EAP_FINISH delivered to the AP)
Message Validation and Key Derivation at Peer
[Flowchart:]
1. Decapsulate EAP message
2. Check SEQ: pass → continue; else → DISCARD
3. Lookup rIKname: pass → continue; else → DISCARD
4. EAP_FINISH? pass → continue; else → DISCARD
5. Compare Integrity Checksum: pass → continue; else → DISCARD
6. Generate rMSK: rMSK = TLS-PRF-64(rRK, SEQ)
7. erValidReceive = TRUE
8. Flags == 000? Yes → 4-way key exchange; else → FAIL
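The two flowcharts above (validation at the AS and at the peer) run the same checks in the same order, so one piece of code can illustrate both. The following is an added example, not code from the slides, hostapd or freeRADIUS: it models a simplified EAP-Initiate/Re-auth and EAP-Finish/Re-auth with a constructed wire layout (code, flags, SEQ, rIKname, HMAC-SHA256 tag), reads "TLS-PRF-64(rRK, SEQ)" as the TLS 1.2 PRF with an assumed label, and adds an assumed per-rIKname "authorized" flag so that the Flags=100 / Access-Reject branch can be exercised. The RFC 5296 TLV encoding, its KDF labels and its crypto-suite negotiation are not reproduced.

```python
import hashlib
import hmac
import struct

# Message type codes and the result flag; the numeric values are assumed for this example.
EAP_INITIATE = 5
EAP_FINISH = 6
FLAG_FAIL = 0b100      # "Flags=100" on the slide: result flag set means failure
HDR = ">BBHB"          # constructed header: code, flags, SEQ, rIKname length
HDR_LEN = struct.calcsize(HDR)


def tls_prf_sha256(secret, label, seed, length):
    """TLS 1.2 PRF (RFC 5246 section 5) built from P_SHA256, expanded to `length` bytes."""
    out, a = b"", label + seed           # A(0) = label + seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()                    # A(i)
        out += hmac.new(secret, a + label + seed, hashlib.sha256).digest()  # P_hash block
    return out[:length]


def derive_rmsk(rrk, seq):
    """rMSK = TLS-PRF-64(rRK, SEQ) as written on the slide; the label string is an assumption."""
    return tls_prf_sha256(rrk, b"rMSK", struct.pack(">H", seq), 64)


def build_message(code, flags, seq, rikname, rik):
    """Constructed layout: header, rIKname, then an HMAC-SHA256 authentication tag keyed with rIK."""
    body = struct.pack(HDR, code, flags, seq, len(rikname)) + rikname
    return body + hmac.new(rik, body, hashlib.sha256).digest()


class ErpEndpoint:
    """Key state per rIKname; the same flowchart runs at the AS (expects EAP_INITIATE)
    and at the peer (expects EAP_FINISH)."""

    def __init__(self, expected_code, keys):
        self.expected_code = expected_code
        self.keys = keys   # rIKname -> {"rIK": bytes, "rRK": bytes, "seq": int, ...}

    def validate(self, msg):
        """Walk the slide's checks. Returns (verdict, rMSK or None, rIKname or None)."""
        if len(msg) < HDR_LEN:
            return "DISCARD", None, None
        code, flags, seq, name_len = struct.unpack(HDR, msg[:HDR_LEN])
        body, tag = msg[:HDR_LEN + name_len], msg[HDR_LEN + name_len:]
        ctx = self.keys.get(body[HDR_LEN:])
        if ctx is None:                       # Lookup rIKname (needed before SEQ can be compared)
            return "DISCARD", None, None
        name = body[HDR_LEN:]
        if seq <= ctx["seq"]:                 # Check SEQ: replayed or stale counter
            return "DISCARD", None, name
        if code != self.expected_code:        # EAP_INITIATE at the AS, EAP_FINISH at the peer
            return "DISCARD", None, name
        expected = hmac.new(ctx["rIK"], body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # Compare Integrity Checksum, constant time
            return "DISCARD", None, name
        ctx["seq"] = seq                      # advance the replay window only after the tag verified
        if flags & FLAG_FAIL:
            return "FAIL", None, name
        return "ACCEPT", derive_rmsk(ctx["rRK"], seq), name   # Generate rMSK


def as_handle_initiate(server, msg):
    """AS side: validate, then wrap an EAP-Finish into ACCESS ACCEPT or ACCESS REJECT."""
    verdict, rmsk, name = server.validate(msg)
    if verdict != "ACCEPT":
        return "DISCARD", None, None          # the slide's "else" edges: no response is sent
    ctx = server.keys[name]
    seq = struct.unpack(HDR, msg[:HDR_LEN])[2]
    if ctx.get("authorized", True):           # "Validation Successful? Yes": Flags=000 (assumed policy flag)
        return "ACCESS-ACCEPT", build_message(EAP_FINISH, 0b000, seq, name, ctx["rIK"]), rmsk
    return "ACCESS-REJECT", build_message(EAP_FINISH, FLAG_FAIL, seq, name, ctx["rIK"]), None


def peer_handle_finish(peer, msg):
    """Peer side: a verified EAP-Finish with Flags == 000 leads to the 4-way key exchange."""
    verdict, rmsk, _ = peer.validate(msg)
    if verdict == "ACCEPT":
        return "4-WAY-HANDSHAKE", rmsk
    if verdict == "FAIL":
        return "FAIL", None
    return "DISCARD", None


def run_reauth(authorized=True, tamper=False):
    """Constructed round trip peer -> AS -> peer; returns what each side decided."""
    rik, rrk = b"\x11" * 32, b"\x22" * 32    # constructed keys; real ones are derived from the EMSK
    name = b"peer1@example.net"
    server = ErpEndpoint(EAP_INITIATE, {name: {"rIK": rik, "rRK": rrk, "seq": 0, "authorized": authorized}})
    peer = ErpEndpoint(EAP_FINISH, {name: {"rIK": rik, "rRK": rrk, "seq": 0}})
    initiate = build_message(EAP_INITIATE, 0b000, 1, name, rik)
    if tamper:                                # flip one bit of the authentication tag
        initiate = initiate[:-1] + bytes([initiate[-1] ^ 0x01])
    radius, finish, as_rmsk = as_handle_initiate(server, initiate)
    if finish is None:
        return radius, None, False, as_handle_initiate(server, initiate)[0]
    outcome, peer_rmsk = peer_handle_finish(peer, finish)
    replay = as_handle_initiate(server, initiate)[0]   # same SEQ again must be discarded
    return radius, outcome, as_rmsk is not None and as_rmsk == peer_rmsk, replay
```

Two details matter for a real implementation as much as for this model: the rIKname lookup has to precede the SEQ check because the stored counter is per rIK, and the counter is only advanced after the integrity tag verifies, so an unauthenticated packet cannot burn sequence numbers for the legitimate peer.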
New RADIUS attributes proposed
• Local AAA server requests key from Home AAA server
• Two new RADIUS Attributes:
  – Key-Request Attribute
  – Key-Response Attribute
Initial EAP exchange
[Message sequence chart. Participants: Peer, AP2, Local AAA, Home AAA]
1. AP2 → Peer: EAP Request/Identity
2. Peer → AP2: EAP Response/Identity
3. AP2 → Local AAA: RADIUS Access-Req [Username, NAS-IP-Addr, NAS-Port, Called-StationID, Calling-StationID, Framed MTU, NAS-Port-Type, Connect-Info, EAP-Message, Message-Authenticator]
4. Local AAA → Home AAA: RADIUS Access-Req [Username, NAS-IP-Addr, NAS-Port, Called-StationID, Calling-StationID, Framed MTU, NAS-Port-Type, Connect-Info, EAP-Message, Message-Authenticator, Key-Request]
5. Peer ↔ Home AAA: EAP Method Exchange
6. Home AAA → Local AAA: RADIUS Access-Accept [MS-MPPE-Recv-Key, MS-MPPE-Send-Key, EAP-Finish/Reauth-Message, Message-Authenticator, Username, Session-Timeout, Key-Response]
7. Local AAA → AP2: RADIUS Access-Accept [MS-MPPE-Recv-Key, MS-MPPE-Send-Key, EAP-Finish/Reauth-Message, Message-Authenticator, Username, Session-Timeout]
8. AP2 → Peer: EAP Success
During ERP Reauthentication
[Message sequence chart. Participants: Peer, AP2, Local AAA, Home AAA]
1. Peer → AP2: EAP Initiate/Reauth [SEQ, rIK name, rIKname as NAI, Crypto Suite, Authentication Tag]
2. AP2 → Local AAA: RADIUS Access-Req [Username, NAS-IP-Addr, NAS-Port, Called-StationID, Calling-StationID, Framed MTU, NAS-Port-Type, Connect-Info, EAP-Message, Message-Authenticator]
3. Local AAA → AP2: RADIUS Access-Accept [MS-MPPE-Recv-Key, MS-MPPE-Send-Key, EAP-Finish/Reauth-Message, Message-Authenticator, Username, Session-Timeout]
4. AP2 → Peer: EAP Finish/Reauth [SEQ, rIK name, rIKname as NAI, Crypto Suite, Authentication Tag]
No need to contact Home AAA Server
Acknowledgments
• freeRADIUS Team
• Host AP and wpa_supplicant: Jouni Malinen
Thank You!
Questions?