RFC (part 1 of 4): Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA), January. The Extensible Authentication Protocol (EAP) is an authentication framework. EAP Transport Layer Security (EAP-TLS), defined in RFC , is an IETF open standard that uses the Transport Layer Security (TLS) protocol. EAP-AKA is defined in RFC .

Author: Meztitaxe Juhn
Country: Central African Republic
Language: English (Spanish)
Genre: Life
Published (Last): 1 December 2018
Pages: 358
PDF File Size: 8.86 Mb
ePub File Size: 11.4 Mb
ISBN: 478-8-98989-384-3
Downloads: 39736
Price: Free* [*Free Registration Required]
Uploader: Tek

Protection, Replay Protection, and Confidentiality. R-UIM is an application that is resident on devices such as smart cards, which may be fixed in the terminal or distributed by CDMA operators when removable.

Network authentication fails

AKA uses shared secrets between the Peer and the Peer's home operator, together with a sequence number, to actually perform an authentication. Figure 2 shows how the EAP server rejects the Peer due to a failed authentication.

If this process is successful (the AUTN is valid and the sequence number used to generate AUTN is within the correct range), the identity module produces an authentication result RES and sends it to the terminal. The packet format and the use of attributes are specified in Section 8.


EAP is an authentication framework, not a specific authentication mechanism. A tunneled EAP method can reuse an existing and widely deployed authentication protocol and infrastructure, including legacy password mechanisms and authentication databases, while the secure tunnel protects against eavesdropping and man-in-the-middle attacks.

EAP-AKA includes optional identity privacy support, optional result indications, and an optional fast re-authentication procedure. The client can, but does not have to, be authenticated to the server via a CA-signed PKI certificate.

From the vector, the EAP server derives the keying material, as specified in Section 6.


If the peer has maintained state information for re-authentication and wants to use fast re-authentication, then the peer indicates this by using a specific fast re-authentication identity instead of the permanent identity or a pseudonym identity. As specified in [ RFC ], the initial identity request is not required, and MAY be bypassed in cases where the network can presume the identity, such as when using leased lines, dedicated dial-ups, etc.

AKA works in the following manner:

Once the sequence numbers have been resynchronized, AKA authentication may be retried with a new authentication vector generated using the synchronized sequence number.

The alternative is to use device passwords instead, but then it is the device, not the user, that is validated on the network. Fast re-authentication is based on keys derived during full authentication.

There are currently about 40 different methods defined.

Extensible Authentication Protocol

This phase is independent of other phases; hence, any other scheme, in-band or out-of-band, can be used in the future. Distribution of this memo is unlimited. It is worth noting that the PAC file is issued on a per-user basis. There have also been proposals to use IEEE

Permanent Username: The username portion of the permanent identity, i.e.

After the server is securely authenticated to the client via its CA certificate, and optionally the client to the server, the server can then use the established secure connection ("tunnel") to authenticate the client.


Message Sequence Examples (Informative)

Nonce: A value that is used at most once or that is never repeated within the same cryptographic context.

Attacks against Identity Privacy

It is possible to use a different authentication credential, and thereby a different technique, in each direction. The EAP-POTP method provides two-factor user authentication, meaning that a user needs both physical access to a token and knowledge of a personal identification number (PIN) to perform authentication. The peer has derived the same keying material, so the authenticator does not forward the keying material to the peer along with EAP-Success.

Used on re-authentication only. In certain circumstances, shown in Figure 4, it is possible for the sequence numbers to get out of sequence.
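The following is an added example, not code from the RFC or from any EAP-AKA implementation, that models the AKA exchange described on this page: the home operator builds an authentication vector from the shared secret and a sequence number, the identity module checks AUTN, and depending on the outcome returns RES (success), rejects the network (Figure 2), or reports a synchronization failure with AUTS so the server can resynchronize and retry with a fresh vector (Figure 4). The master key MK = SHA1(Identity|IK|CK) follows RFC 4187 Section 7; the PRF step that derives K_encr, K_aut, MSK and EMSK from MK is left out. Everything else is an assumption of the model: the 3GPP f1..f5 functions are replaced by HMAC-SHA256 stand-ins, the AMF and the acceptance window for SQN are fixed constants, EAP attribute framing is represented by Python tuples and dicts, and the identity string is made up.

```python
"""Toy model of EAP-AKA full authentication with SQN resynchronization.
ASSUMPTIONS: f1..f5 are HMAC-SHA256 stand-ins (not MILENAGE), AMF and the SQN
acceptance window are constants, and EAP attributes (AT_RAND, AT_AUTN, AT_RES,
AT_AUTS) are modelled as Python values rather than wire-format TLVs."""
import hashlib
import hmac
import secrets

SQN_WINDOW = 32      # assumption: peer accepts SQN in (last_sqn, last_sqn + 32]
AMF = b"\x80\x00"    # Authentication Management Field, held constant here


def _f(k, label, *parts):
    """Keyed PRF standing in for the 3GPP f-functions."""
    h = hmac.new(k, label, hashlib.sha256)
    for p in parts:
        h.update(p)
    return h.digest()


def f1(k, rand, sqn, amf):  return _f(k, b"f1", rand, sqn, amf)[:8]   # MAC-A
def f1s(k, rand, sqn, amf): return _f(k, b"f1*", rand, sqn, amf)[:8]  # MAC-S (resync)
def f2(k, rand):            return _f(k, b"f2", rand)[:8]             # RES / XRES
def f3(k, rand):            return _f(k, b"f3", rand)[:16]            # CK
def f4(k, rand):            return _f(k, b"f4", rand)[:16]            # IK
def f5(k, rand):            return _f(k, b"f5", rand)[:6]             # AK (masks SQN)
def f5s(k, rand):           return _f(k, b"f5*", rand)[:6]            # AK* (resync)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class HomeOperator:
    """Network side: the subscriber's K and the network's view of SQN."""
    def __init__(self, k, sqn=0):
        self.k, self.sqn = k, sqn

    def vector(self):
        """One authentication vector: RAND, AUTN = (SQN xor AK)|AMF|MAC-A, XRES, CK, IK."""
        self.sqn += 1
        sqn = self.sqn.to_bytes(6, "big")
        rand = secrets.token_bytes(16)
        autn = xor(sqn, f5(self.k, rand)) + AMF + f1(self.k, rand, sqn, AMF)
        return {"RAND": rand, "AUTN": autn, "XRES": f2(self.k, rand),
                "CK": f3(self.k, rand), "IK": f4(self.k, rand)}

    def resync(self, rand, auts):
        """AT_AUTS handling: unmask the peer's SQN, verify MAC-S, adopt that SQN."""
        sqn_ms = xor(auts[:6], f5s(self.k, rand))
        if not hmac.compare_digest(f1s(self.k, rand, sqn_ms, AMF), auts[6:]):
            return False
        self.sqn = int.from_bytes(sqn_ms, "big")
        return True


class IdentityModule:
    """Peer side (USIM): same K, its own highest accepted SQN."""
    def __init__(self, k, sqn=0):
        self.k, self.sqn = k, sqn

    def challenge(self, rand, autn):
        """Returns ("OK", {RES, CK, IK}), ("REJECT", None) or ("SYNC_FAILURE", AUTS)."""
        sqn_b = xor(autn[:6], f5(self.k, rand))
        amf, mac = autn[6:8], autn[8:]
        if not hmac.compare_digest(f1(self.k, rand, sqn_b, amf), mac):
            return "REJECT", None                  # network not authentic (Figure 2)
        sqn = int.from_bytes(sqn_b, "big")
        if not (self.sqn < sqn <= self.sqn + SQN_WINDOW):
            sqn_ms = self.sqn.to_bytes(6, "big")   # report our SQN to the network
            auts = xor(sqn_ms, f5s(self.k, rand)) + f1s(self.k, rand, sqn_ms, AMF)
            return "SYNC_FAILURE", auts            # out of sequence (Figure 4)
        self.sqn = sqn
        return "OK", {"RES": f2(self.k, rand), "CK": f3(self.k, rand), "IK": f4(self.k, rand)}


def master_key(identity, ik, ck):
    """MK = SHA1(Identity|IK|CK), RFC 4187 Section 7; PRF expansion omitted."""
    return hashlib.sha1(identity + ik + ck).digest()


def eap_server_authenticate(operator, peer, identity=b"0123456789012345@example.org"):
    """Full authentication with at most one resynchronization retry."""
    for attempt in (1, 2):
        av = operator.vector()
        outcome, data = peer.challenge(av["RAND"], av["AUTN"])
        if outcome == "OK":
            ok = hmac.compare_digest(data["RES"], av["XRES"])
            mk = master_key(identity, av["IK"], av["CK"]) if ok else None
            return {"authenticated": ok, "attempts": attempt, "MK": mk}
        if outcome == "SYNC_FAILURE" and operator.resync(av["RAND"], data):
            continue                               # retry with an in-sync vector
        break
    return {"authenticated": False, "attempts": attempt, "MK": None}
```

Running `eap_server_authenticate(HomeOperator(K), IdentityModule(K, sqn=500))` shows the resynchronization path: the first vector carries SQN 1, which the peer refuses because it is not above its stored 500, so it answers with AUTS; the operator verifies MAC-S, jumps its counter to 500, and the second vector (SQN 501) is accepted. Replaying a vector that the peer has already accepted also fails the window check, which is what gives AKA its replay protection.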