EAP-TLS

Hi all

I am trying to get to the bottom of EAP-TLS, specifically the step-by-step process explained here:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39068

Based on that, can somebody tell me at which point the client gets an IP address if it's DHCP-based?

For me it should have an IP before the TLS tunnel is established, but at the same time the initial dot1x conversation before the port is authenticated wouldn't allow any non-dot1x traffic?

Comments

  • When a supplicant talks to an authenticator after an 802.1 association and EAPOL request, the authenticator replies with a request/identity. Isn't the IP address given then?

    In EAP-TLS, the Peer-Id and Server-Id are determined from the subject or subjectAltName fields in the peer and server certificates.
    As per the RFC, the subjectAltName fields within each contain the IP.
    In the case where the EAP-TLS mutual authentication is successful, the conversation will appear as follows:

        Authenticating Peer          Authenticator
        -------------------          -------------
                                     <- EAP-Request/
                                        Identity
        EAP-Response/
        Identity (MyID) ->
                                     <- EAP-Request/
                                        EAP-Type=EAP-TLS
                                        (TLS Start)
        EAP-Response/
        EAP-Type=EAP-TLS
        (TLS client_hello) ->
                                     <- EAP-Request/
                                        EAP-Type=EAP-TLS
                                        (TLS server_hello,
                                         TLS certificate,
                                         [TLS server_key_exchange,]
                                         TLS certificate_request,
                                         TLS server_hello_done)
        EAP-Response/
        EAP-Type=EAP-TLS
        (TLS certificate,
         TLS client_key_exchange,
         TLS certificate_verify,
         TLS change_cipher_spec,
         TLS finished) ->
                                     <- EAP-Request/
                                        EAP-Type=EAP-TLS
                                        (TLS change_cipher_spec,
                                         TLS finished)
        EAP-Response/
        EAP-Type=EAP-TLS ->
                                     <- EAP-Success
  • The IP address would potentially be given at the stage you mention, but I can't be sure because I haven't got any packet capture.

    For me, the DHCP request must happen before the reply is given, and also before the TLS stage.

    At the same time, TLS is there to authenticate, and I am told the IP is given after authentication, which makes no sense to me.

    On 1 Jun 2013, at 00:30, pandom_ <[email protected]> wrote:

    INE - The Industry Leader in CCIE Preparation

    http://www.INE.com



    Subscription information may be found at:

    http://www.ieoc.com/forums/ForumSubscriptions.aspx
  • The way I've come to understand it, the port (or wireless session) does not accept non-dot1x traffic until after the authentication process has succeeded, failed to the un-auth VLAN, or failed open due to RADIUS unreachability. So the DHCP broadcast will not hit the network until after the port has been authorized.
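As an added example (not from this thread, the RFC, or Cisco's white paper), here is a small Python model of the exchange quoted above, driven from both the supplicant and authenticator side, together with an 802.1X controlled port that passes only EAPOL frames (ethertype 0x888E) until EAP-Success arrives. The EAP/TLS message names follow the RFC 5216 diagram; the `Peer`, `Authenticator`, `ControlledPort` and `Frame` classes, the certificate strings and the identity "MyID" are constructed for the model and are not real encodings. It demonstrates the point made in the last comment: a DHCP Discover from the supplicant is dropped before the port is authorized and passes afterwards, and nothing in the EAP-TLS sequence itself assigns the client an address.

```python
"""Toy model of an 802.1X controlled port during the EAP-TLS exchange of RFC 5216.

Constructed example: message names follow the RFC diagram, but the frames,
certificates and identities are plain Python objects, not real EAPOL/TLS bytes.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

ETHERTYPE_EAPOL = 0x888E  # uncontrolled port: always forwarded
ETHERTYPE_IPV4 = 0x0800   # DHCP is IPv4/UDP, so it depends on the controlled port


class PortState(Enum):
    UNAUTHORIZED = "unauthorized"
    AUTHORIZED = "authorized"


@dataclass
class EapMessage:
    code: str                 # e.g. "Request/Identity", "Response/EAP-TLS", "Success"
    tls: tuple = ()           # TLS handshake records bundled in this EAP packet
    identity: str = ""        # set on EAP-Response/Identity
    cert: str = ""            # stand-in for the peer certificate (constructed label)


@dataclass
class Frame:
    ethertype: int
    payload: object           # an EapMessage for EAPOL frames, a string otherwise


@dataclass
class ControlledPort:
    """Authenticator-side port: drops everything except EAPOL until authorized."""
    state: PortState = PortState.UNAUTHORIZED
    log: list = field(default_factory=list)

    def forward(self, frame: Frame) -> bool:
        allowed = frame.ethertype == ETHERTYPE_EAPOL or self.state == PortState.AUTHORIZED
        self.log.append(("pass" if allowed else "drop", frame.ethertype))
        return allowed


class Peer:
    """Supplicant side of the RFC 5216 exchange."""

    def __init__(self, identity: str, cert: str):
        self.identity, self.cert = identity, cert

    def handle(self, msg: EapMessage) -> Optional[EapMessage]:
        if msg.code == "Request/Identity":
            return EapMessage("Response/Identity", identity=self.identity)
        if msg.tls == ("TLS Start",):
            return EapMessage("Response/EAP-TLS", ("TLS client_hello",))
        if "TLS certificate_request" in msg.tls:
            return EapMessage("Response/EAP-TLS", ("TLS certificate", "TLS client_key_exchange",
                              "TLS certificate_verify", "TLS change_cipher_spec", "TLS finished"),
                              cert=self.cert)
        if msg.tls == ("TLS change_cipher_spec", "TLS finished"):
            return EapMessage("Response/EAP-TLS")   # empty ack closes the handshake
        return None                                 # Success / Failure: nothing more to send


class Authenticator:
    """Drives the sequence; authorizes the port only when it sends EAP-Success."""

    def __init__(self, port: ControlledPort, trusted_peers):
        self.port, self.trusted_peers = port, trusted_peers

    def handle(self, msg: EapMessage) -> EapMessage:
        if msg.code == "Response/Identity":
            return EapMessage("Request/EAP-TLS", ("TLS Start",))
        if msg.tls == ("TLS client_hello",):
            return EapMessage("Request/EAP-TLS", ("TLS server_hello", "TLS certificate",
                              "TLS certificate_request", "TLS server_hello_done"))
        if "TLS certificate_verify" in msg.tls:
            # Peer certificate plus proof of possession: the actual authentication step.
            if msg.cert not in self.trusted_peers:
                return EapMessage("Failure")        # port stays unauthorized
            return EapMessage("Request/EAP-TLS", ("TLS change_cipher_spec", "TLS finished"))
        if msg.code == "Response/EAP-TLS" and msg.tls == ():
            self.port.state = PortState.AUTHORIZED  # controlled port opens here
            return EapMessage("Success")
        return EapMessage("Failure")


def run_eap_tls(port: ControlledPort, peer: Peer, auth: Authenticator) -> list:
    """Run the exchange until Success/Failure; supplicant frames cross the port as EAPOL."""
    transcript = []
    msg = EapMessage("Request/Identity")            # the authenticator speaks first
    while msg is not None:
        transcript.append(("<-", msg.code, msg.tls))
        reply = peer.handle(msg)
        if reply is None:
            break
        transcript.append(("->", reply.code, reply.tls))
        port.forward(Frame(ETHERTYPE_EAPOL, reply))  # EAPOL passes even while unauthorized
        msg = auth.handle(reply)
    return transcript


def dhcp_discover_passes(port: ControlledPort) -> bool:
    """Would a DHCP Discover broadcast from the supplicant reach the network?"""
    return port.forward(Frame(ETHERTYPE_IPV4, "DHCP Discover (UDP 68 -> 67, broadcast)"))


def demo(peer_cert: str = "cert:alice", trusted=frozenset({"cert:alice"})):
    """Return (transcript, dhcp_before, dhcp_after, final port state) for one supplicant."""
    port = ControlledPort()
    before = dhcp_discover_passes(port)
    transcript = run_eap_tls(port, Peer("MyID", peer_cert), Authenticator(port, trusted))
    after = dhcp_discover_passes(port)
    return transcript, before, after, port.state


if __name__ == "__main__":
    for direction, code, tls in demo()[0]:
        print(direction, code, " ".join(tls))
```

Running `demo()` with the trusted certificate yields the nine-message sequence from the diagram, `before` is False and `after` is True; with an untrusted certificate (`demo("cert:mallory")`) the authenticator answers the peer's certificate message with EAP-Failure and the DHCP Discover is still dropped. The model deliberately leaves out what the last comment mentions for the failure cases (dropping into an un-auth VLAN or failing open when RADIUS is unreachable), since those are deployment policy rather than part of the EAP-TLS exchange.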