RFC (part 1 of 4): Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA), January

Extensible Authentication Protocol, or EAP, is an authentication framework frequently used in wireless networks and point-to-point connections. EAP Transport Layer Security (EAP-TLS), defined in RFC , is an IETF open standard that uses the . EAP-AKA is defined in RFC .

Because protected success indications are not used in this example, the EAP server sends the EAP-Success packet, indicating that the authentication was successful. PANA allows dynamic service provider selection, supports various authentication methods, is suitable for roaming users, and is independent from the link layer mechanisms. As specified in [ RFC ], the initial identity request is not required, and MAY be bypassed in cases where the network can presume the identity, such as when using leased lines, dedicated dial-ups, etc.

The authenticator typically communicates with an EAP server that is located on a backend authentication server using an AAA protocol.

RFC – part 1 of 4

It provides a protected communication channel, when mutual authentication is successful, for both parties to communicate, and it is designed for authentication over insecure networks such as IEEE . Vectors may be stored in the EAP server for use at a later time, but they may not be reused. The standard also describes the conditions under which the AAA key management requirements described in RFC can be satisfied.

In certain circumstances, shown in Figure 4, it is possible for the sequence numbers to get out of sequence.

Pseudonym Identity: A pseudonym identity of the peer, including an NAI realm portion in environments where a realm is used. The AKA uses shared secrets between the Peer and the Peer's home operator, together with a sequence number, to actually perform an authentication.


AKA is based on challenge-response mechanisms and symmetric cryptography. GSM cellular networks use a subscriber identity module card to carry out user authentication.

Extensible Authentication Protocol

The EAP method protocol exchange is done in a minimum of four messages. In particular, the following combinations are expected to be used in practice:

EAP-TLS is still considered one of the most secure EAP standards available, although TLS provides strong security only as long as the user understands potential warnings about false credentials, and it is universally supported by all manufacturers of wireless LAN hardware and software.

The password may be a low-entropy one and may be drawn from some set of possible passwords, like a dictionary, which is available to an attacker.

It can use an existing and widely deployed authentication protocol and infrastructure, incorporating legacy password mechanisms and authentication databases, while the secure tunnel provides protection from eavesdropping and man-in-the-middle attacks.

AKA works in the following manner: Distribution of this memo is unlimited. EAP is not a wire protocol; instead, it only defines message formats. In this document, the term nonce is only used to denote random nonces, and it is not used to denote counters. For example, in IEEE . Please see Section 4. The identity module may be an integral part of the mobile device, or it may be an application on a smart card distributed by a mobile operator.

It supports authentication techniques that are based on the following types of credentials: This would allow for situations much like HTTPS, where a wireless hotspot allows free access and does not authenticate station clients, but station clients wish to use encryption (IEEE ). On full authentication, the peer's identity response includes either the user's International Mobile Subscriber Identity (IMSI) or a temporary identity (pseudonym) if identity privacy is in effect, as specified in Section 4.


This phase is independent of other phases; hence, any other scheme, in-band or out-of-band, can be used in the future. Fast Re-Authentication Identity: A fast re-authentication identity of the peer, including an NAI realm portion in environments where a realm is used. EAP-AKA includes optional identity privacy support, optional result indications, and an optional fast re-authentication procedure.

PEAPv1 was defined in draft-josefsson-pppext-eap-tls-eap through draft-josefsson-pppext-eap-tls-eap[36], and PEAPv2 was defined in versions beginning with draft-josefsson-pppext-eap-tls-eap. The vector may be obtained by contacting an Authentication Centre (AuC) on the mobile network; for example, per UMTS specifications, several vectors may be obtained at a time. Arkko, Request for Comments: Extensible Authentication Protocol, or EAP, is an authentication framework frequently used in wireless networks and point-to-point connections.

The lack of mutual authentication in GSM has also been overcome.