RFC 3748 - Extensible Authentication Protocol (EAP)
Status of this Memo: Standards Track
Published: June 2004
Obsoletes: RFC 2284
Abstract
This document defines the Extensible Authentication Protocol (EAP), an authentication framework which supports multiple authentication methods. EAP typically runs directly over data link layers such as Point-to-Point Protocol (PPP) or IEEE 802, without requiring IP. EAP provides its own support for duplicate elimination and retransmission, but is reliant on lower layer ordering guarantees. Fragmentation is not supported within EAP itself; however, individual EAP methods may support this.
This document obsoletes RFC 2284. A summary of the changes between this document and RFC 2284 is available in Appendix A.
Contents
- 1. Introduction
- 2. Extensible Authentication Protocol (EAP)
- 3. Lower Layer Behavior
- 4. EAP Packet Format
- 5. Initial EAP Request/Response Types
- 6. IANA Considerations
- 7. Security Considerations
  - 7.1. Threat Model
  - 7.2. Security Claims
  - 7.3. Identity Protection
  - 7.4. Man-in-the-Middle Attacks
  - 7.5. Packet Modification Attacks
  - 7.6. Dictionary Attacks
  - 7.7. Connection to an Untrusted Network
  - 7.8. Negotiation Attacks
  - 7.9. Implementation Idiosyncrasies
  - 7.10. Key Derivation
  - 7.11. Weak Ciphersuites
  - 7.12. Link Layer
  - 7.13. Separation of Authenticator and Backend Authentication Server
  - 7.14. Cleartext Passwords
  - 7.15. Channel Binding
  - 7.16. Protected Result Indications
- 8. Acknowledgements
- 9. References
- Appendix A. Changes from RFC 2284
- Authors' Addresses