RFC (part 1 of 4): Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA). RFC Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA), January Canonical URL. Extensible Authentication Protocol, or EAP, is an authentication framework frequently used in EAP Transport Layer Security (EAP-TLS), defined in RFC , is an IETF open standard that uses the . EAP-AKA is defined in RFC .

Author: Dajora Dusida
Country: Chile
Language: English (Spanish)
Genre: Automotive
Published (Last): 13 June 2005
Pages: 338
PDF File Size: 12.68 Mb
ePub File Size: 14.18 Mb
ISBN: 746-8-87248-378-4
Downloads: 68177
Price: Free* [*Free Regsitration Required]
Uploader: Arara

Related Documentation

The password may be a low-entropy one and may be drawn from dfc set of possible passwords, like a dictionary, which is available to an attacker.

Archived from the original on February 9, It supports authentication techniques that are based on the following types of credentials:. Permanent Identity The permanent identity of the peer, including an NAI realm portion in environments where a realm is used.

In-band provisioning—provide the peer with a shared secret to be used in secure phase 1 conversation. As specified in [ RFC ], the initial identity request is not required, and MAY be bypassed in cases where the rffc can presume the identity, such as when using leased lines, dedicated dial-ups, etc. It was co-developed by Funk Software and Certicom and is widely supported across platforms.

AKA authentication may then be retried with a new authentication vector generated using the synchronized sequence number. In this document, both modules are referred to as identity modules. Used on re-authentication only.


In the 3rd generation mobile networks, AKA is used for both radio network authentication and IP multimedia service authentication purposes.

GSM cellular networks use a subscriber identity module card to carry out user authentication. Archived from the original PDF on 12 December Views Read Edit View tfc.

From Wikipedia, the free encyclopedia. Used on full authentication only.

EAP Types – Extensible Authentication Protocol Types information

EAP is not a wire protocol ; instead it only defines message formats. Attacks against Identity Privacy Message Format and Protocol Extensibility Pseudonym Username The username portion of pseudonym identity, i. An introduction to LEAP authentication”. For example, in IEEE The EAP server may also include derived keying material in the message it sends to the authenticator. If this process is successful the AUTN is valid and the sequence number used to generate AUTN is within the correct rangethe identity module produces an authentication result RES and sends it to the home environment.

Protected Extensible Authentication Protocol.

RFC – part 1 of 4

PANA allows dynamic service provider selection, supports various authentication methods, is suitable for roaming users, and is independent from kaa link layer mechanisms. The EAP-POTP method provides two-factor user authentication, meaning that a user needs both physical access to a token and knowledge of a personal identification number PIN to perform authentication.

Fast re-authentication is based on keys derived on full authentication. The packet format and the use of attributes are specified in Section 8.


Nonce A value that is used at most once or that is never repeated within the same cryptographic context.

If the peer has maintained state information for re-authentication and wants to use fast re-authentication, then the peer indicates this by using a specific fast re-authentication identity instead of the permanent identity or a pseudonym identity. In certain aep, shown in Figure 4it is possible for the sequence numbers to get out of sequence.

Extensible Authentication Protocol

In addition to the full authentication scenarios described above, EAP-AKA includes a fast re-authentication procedure, which is specified in Section 5.

In particular, the following combinations are expected to be used in practice:. It is more likely that the physical theft of a smart card would be noticed and the smart card immediately revoked than a typical password theft would be noticed. Figure 2 shows how the EAP server rejects the Peer due to a failed authentication.

Microsoft Exchange Server Unleashed. Fast Re-Authentication Identity A fast re-authentication identity of the peer, including an NAI realm portion in environments where a realm is used.

When EAP is invoked by an In general, a nonce can be predictable e. When verifying AUTN, the identity module may detect that the sequence number the network uses is not within the correct range.