view Side-By-Side changes
Extensible Authentication Protocol F. AdrangiNetwork Working Group F. Adrangi Internet-Draft V. LortzInternet-Draft Intel CorporationExpires:December 16, 2004February 6, 2005 Intel F. Bari AT&T Wireless P. Eronen NokiaResearch CenterM. Watson NortelJune 17,August 8, 2004Mediating Network Discovery in theIdentity selection hints for Extensible Authentication Protocol (EAP)draft-adrangi-eap-network-discovery-01draft-adrangi-eap-network-discovery-02 Status of this Memo This document is an Internet-Draft and is subject to all provisions of section 3 of RFC 3667. By submitting this Internet-Draft,I certifyeach author represents that any applicable patent or other IPR claims of whichI amhe or she is aware have been or will be disclosed, and any of whichIhe or she become aware will be disclosed, in accordance with RFC 3668. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed athttp://www.ietf.org/ietf/1id-abstracts.txt.http:// www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire onDecember 16, 2004.February 6, 2005. Copyright Notice Copyright (C) The Internet Society (2004). All Rights Reserved. Abstract This document defines a mechanismto enable a wireless client to discover roaming partners ofthat allows an access networkover EAP. The purposeto Adrangi, et al. ExpiresDecember 16, 2004February 6, 2005 [Page 1] Internet-Draft Identity selection hints for EAPNetwork Discovery JuneAugust 2004 provide identity selection hints to an EAP client. The purpose is to helpa wirelessthe clientselectin selecting the most appropriateroaming partner as a next hop for routing of AAA packets.identity and NAI decoration to use. This solution is especially useful in roaming scenarios where the access network does not have a direct relationship with thewirelessclient's homenetwork - i.e., when AAA packets can not be directly routed from access network to the home network. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1 Applicability . . . . . . . . . . . . . . . . . . . . . . 4 1.2 Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 2. Data Model . . . . . . . . . . . . . . . . . . . . . . . . . . 5 3. Delivery Mechanism . . . . . . . . . . . . . . . . . . . . . . 6 4. Implementation Considerations . . . . . . . . . . . . . . . . 6 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 6. Security Considerations . . . . . . . . . . . . . . . . . . . 7 7. Appendix . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 8. Acknowledgement . . . . . . . . . . . . . . . . . . . . . . . 13 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13 9.1 Normative References . . . . . . . . . . . . . . . . . . . . 13 9.2 Informative References . . . . . . . . . . . . . . . . . . . 13 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 14 Intellectual Property and Copyright Statements . . . . . . . . 15 Adrangi, et al. Expires December 16, 2004 [Page 2] Internet-Draft EAP Network Discovery June 2004network, but instead a mediating network, such as a roaming consortium or broker, is used. 1. Introduction Inwireless network access, the high level network topology is comprised ofmany roaming situations, an access network can have several roaming relationship, either with several home networks, or mediatingnetworks, and homenetworks such asdepicted in Figure 1. RADIUS [2] protocol has been assumed for AAA mediation betweenroaming consortiums and brokers, or both. A client can also have several sets of credentials, and its home network may have roaming relationships with several mediating networks. This document defines a mechanism that allows the access network to provide identity selection hints, and more specifically information about its roaming relationships, to an EAP client. This information is sent to thehome network although Diameter [3] could also be used instead of RADIUS without introducing significant architectural differences. Access Network Mediating Network 1 +-------------------+ +-----------+ Home | | | | Network A | +------+ | |AAA server;| +---------------+ | +-----+ |Access| | | Other |=====|Home AAA server| | |APs | |Router| | ||====|Components | | | | |1..n | +------+ | || +------------ | and | | +-----+ | || | Other | | +------+ | || Mediating Network 2 | Components | | +-----+ |local | | || +------------+ | | | |Users| |AAA | | || |AAA Server; |====| | | |1..n | |Server|============| Other | +---------------+ | +-----+ +------+ | || | Components | | | || +------------+ +-------------------+ || || Mediating Network 3 || +------------+ Home || | | Network B || |AAA Server; | +---------------+ ||====| Other |===|Home AAA Server| || | Components | | | || +------------+ | and | || | Other | || | Components | ||=====================| | | | +---------------+ Figure 1. Network Access Arrangement. In roaming situations, EAP authentication exchanges [5] will be carried out between the wirelessclient in an EAP Identity Request message by appending it after theaccess networkdisplayable message andan AAA server ina NUL character. Exactly how thehome network directly whenidentity hint information is used by thetwo networks have a direct roaming relationship. However when a wirelessclientroams to an access network that it does not recognizedepends largely on the client's local policy andwhich does not have a direct roaming relationship with its home network,configuration, and is outside theAAA packets havescope of this document. One possible application for this mechanism is to help in selecting what kind of NAI decoration [1] must berouted through a mediatingapplied to allow proper routing of AAAnetworkmessages to the homenetwork. For inter operator settlement reasons, it is necessary to select the bestAAA server. If there are several possible mediatingnetwork. For instance, in Figure 2, access Adrangi, et al. Expires December 16, 2004 [Page 3] Internet-Draft EAP Network Discovery June 2004 throughnetworks, theMediating Network 1 may be cheaper for isp1 user, than if Mediating Network 2 is used. However this decisionclient cannot bechoose which one to use. However, exactly how the selection is madebyis beyond theaccess network as it would be unawarescope of this document. See [6] for more detailed discussion about this problem space. 1.1 Applicability Although theroaming agreements of mediating networks 1 and 2 withproposed solution here is discussed in theisp1. For this reason,context of public IEEE 802.11 access networks, it isdesirable for the wireless clientapplicable toknow which mediatingother access networksare available through an access network,that use EAP [2] for authentication andinfluenceuse thedecision of usingNAI format [1] for identifying users. This document assumes that thedesired mediating network. +---------+ | |---------> "isp1.com" | Roaming | +---------+ | Group 1 | | |-------->| |---------> "isp2.com" User "joe | Access | +---------+ @isp1.com"--->| Network | | | +---------+ | |-------->| |---------> "isp1.com" +---------+ | Roaming | | Group 2 | | |---------> "isp3.com" +---------+ Figure 2: AmbiguousAAArouting Influencing the mediating network selection problem can be divided into three sub-problems as follows: 1. A syntax by which mediating network information can be represented. 2. A delivery mechanism by which mediating network informationprotocol in use isconveyed to a wireless client. 3. A general mechanism by which a wireless client's selection can be conveyed to the access network. Section 2.7 of [6] discusses the conditions upon which NAIs canRADIUS [8]. Diameter [7] could also be usedto affect AAA routing, i.e., problem 3 above. Problems 1 and 2 are discussed in this document. 1.1 Applicability Although the proposed solution here is discussed in the contextinstead ofpublic 802.11 access network deployment, it is applicable to other public wireless access networks where the wireless clients use the EAP specification framework [5] for authentication,RADIUS without introducing significant architectural differences. 1.2 Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", andthey present their identity to the network"OPTIONAL" inNAI [6] format.this Adrangi, et al. ExpiresDecember 16, 2004February 6, 2005 [Page4]2] Internet-Draft Identity selection hints for EAPNetwork Discovery JuneAugust 20041.2 Terminologydocument are to be interpreted as described in [3]. Network Access Identifier (NAI) An identifier that represents awirelessclient or user identity. The basic structure of a NAI is user@realm, where the realm part of the NAI indicates the domain responsible for interpretation and resolution of the user name.PleaseSee[6][1] for more details on NAI format.Access Point (AP) A station that provides access to the distribution services via the wireless medium for associated Stations. RADIUS server This is a server which provides for authentication/ authorization via the protocol described in [2].2.Data Model Mediating network information needs to be structured in a generalPacket formatand syntax so that the EAP client software can interpret it and behave accordingly. The syntax should have minimum overhead because the proposed delivery mechanism (i.e., EAP-Identity Request) doesn't support fragmentation and therefore size of the data is limited by the link layer MTU. Mediating networkIdentity hint information is placed after the displayable string andNULLa NUL character in theEAP-IdentityEAP Identity Request.It is structured asThe following ABNF [4] defines a "NAIRealms" attribute for presenting the identity hint information. The attribute's value consists of a set ofcomma-separated attributerealm namesand values according to the following ABNF [1]:separated by a semicolon. identity-request-data = [ displayable-string ] [%d0 network-info%x00 "NAIRealms=" realm-list ] displayable-string =*CHAR network-info = attribute "=" value attribute = 1*( ALPHA / "-" / "_" / DIGIT) value*OCTET realm-list =1*( %x01-2Brealm /%x2D-FF( realm-list ";" realm ); any non-null UTF-8 char except ","TheCHAR, DIGIT, ALPHA terminals are"OCTET" rule is defined in[1]. Only one attribute[4] and the "realm" rule is definedhere, the NAIRealms attribute. The usein [1]. A sample hex dump ofthis facility for other purposesan EAP Identity Request packet isdiscouraged due toshown below. 01 ; Code: Request 00 ; Identifier: 0 00 43 ; Length: 67 octets 01 ; Type: Identity 48 65 6c 6c 6f 21 00 4e ; "Hello\0NAIRealms=example.com;mnc014. 41 49 52 65 61 6c 6d 73 ; mcc310.3gppnetwork.org" 3d 69 73 70 2e 65 78 61 6d 70 6c 65 2e 63 6f 6d 3b 6d 6e 63 30 31 34 2e 6d 63 63 33 31 30 2e 33 67 70 70 6e 65 74 77 6f 72 6b 2e 6f 72 67 EAP does not support fragmentation for Identity Request messages, so thelimited amountsize ofspace availableidentity hint information is limited by the link MTU. The exact limit depends on the lower layer inEAP packets.question, but it is at least 1020 octets. Some existing systems are known to use Identity Request messages to Adrangi, et al. ExpiresDecember 16, 2004February 6, 2005 [Page5]3] Internet-Draft Identity selection hints for EAPNetwork Discovery JuneAugust 2004The format and semantics of the NAIRealms attribute value are as follows: value = Realm [ ";" Realm ] Wheresend proprietary information to theRealmclient. This proprietary information isdefinedconsidered to be part of the displayable-string in[6]. An example "NAIRealms" attribute isthe ABNF shownbelow: NAIRealms=anyisp.com;mnc123.mcc334.3gppnetwork.orgabove. In other words, the NUL character followed by the NAIRealms list MUST be placed at the end. 3. DeliveryMechanism There aremechanisms This section describes threepossibledifferent optionsoffor deliveringmediating networkthe identity hint information toa wireless client by using an EAP-Identity Request. These options are: Option 1 - Use the Initial EAP-Identity Request issued bytheaccess network NAS Mediating network informationclient. The main difference ispushed to a wireless clientwhich entity in theinitial EAP-Identity Request issued by the AP. Option 2 - Use the initial EAP-Identity Request issued by theaccess networkRADIUS server This is similar to Option 1, butcreates theinitial EAP-Identity Request is issued byEAP Identity Request: this could be either the accessnetwork RADIUS Server instead. Oncepoint or awireless client associates with an accessRADIUS server. Access networkAP using native IEEE 802.11 procedures, the AP sends an EAP-Start message [4] within a RADIUS Access-Request to trigger an EAP conversation initiated by the access network RADIUS server. Option 3 - Use a subsequent EAP-Identity Request issued by the access network RADIUS server Mediating network information is delivered to a wireless client in a subsequent EAP-Identity request, after the initial EAP-Identity Request/Response exchange, issued by by the access network RADIUS server. 4. Implementation Considerations - In general, an option that requires changes only to a central AAA server is much preferred than a one that impacts a distributed set of Adrangi, et al. Expires December 16, 2004 [Page 6] Internet-Draft EAP Network Discovery June 2004 APs. The reasons for this preference include ease of operation and deployment, update costs, backwards compatibility and possible impact on current standards. Option 3 is therefore preferred as it does not require any changes to the AP. Option 2 is also equally desirable if the AP supports the EAP-Start message [4]. - In order for a wireless client software implementation to work with all options transparently,operators can choose to deploy any of the options. Client implementation MUSTnot require the arrival of mediating network information on a particular EAP-Identity Request (i.e., the initial or a subsequent Request). Access network operators therefore MAY choose to deploy any of the above delivery mechanism options in their network without losing interoperability. However, delivery mechanism options 2 and 3 are recommended as they are backward-compatible with the currently-deployed APs. - Whensupport all three options. 3.1 Option3 is used, upon receipt of a RADIUS Access-Request packet containing the initial EAP-Identity Response, the1: Initial request from accessnetwork RADIUS proxy/server MAY send an EAP-Identity Request containing mediating network information to thepoint In typical IEEE 802.11 wirelessclient if it cannot route the RADIUS packet to the next AAA hop based on the realm portion (i.e., string after the @ sign) of the NAI in the RADIUS User-Name attribute. When a RADIUS Access-Request containing a subsequent EAP-Identity Response is received, if the RADIUS proxy/ server still cannot route the RADIUS packet to the next AAA hop based on the realm portion of the NAI, then it MUST discard the packet. - The use of the mechanism described in this document SHOULD be reserved for situations where the WLAN client can not identify a direct route to its home network based on the available SSIDs in the hotspot. 5. IANA Considerations This document does not define a new name space, therefore, there are no considerations for IANA. 6. Security Considerations Mediating network information delivered inside an EAP-Identity Request before the user authenticates to the network. Therefore, it is considered as a hint in guiding the wireless client to select the desired mediating network through which the AAA packets should be routed. It should also be noted that at least with some EAP methods, there is no way for the home network RADIUS server to verify that the mediating network used was actually the same one that the wireless client had requested. Adrangi, et al. Expires December 16, 2004 [Page 7] Internet-Draft EAP Network Discovery June 2004 7. Appendix The railroad diagrams below illustrate conversations between a wireless client, AP, Access Network (AN) RADIUS proxy/server, Mediating Network (MN) RADIUS proxy/server, and Home Network (HN) RADIUS server for the three options described above. Option 1 - Use the Initial EAP-Identity Request issued by the access network AP Wireless AP AN RADIUS MN RADIUS HN RADIUS Client server server Server | (1) | | | | | EAP Id. Req. | | | | |(Network Info) | | | | |< -------------| | | | | | | | | | (2a) | | | | | EAP Id. Resp. | | | | |(Decorated NAI)| | | | | *OR* | | | | | (2b) | | | | | EAP Id. Resp. | | | | |(normal NAI) | | | | |------------- >| (3) | | | | |Access Request | | | | |(EAP Id. Resp.)| | | | |------------- >| (4) | | | | |Access Request | | | | |(EAP Id. Resp.)| | | | |------------- >| | | | | | | | | | |Access Request | | | | |(EAP Id. Resp.)| | | | (5) |------------- >| | ... | ... | ... | ... | | < EAP Authentication Methods > | | ... | | ... | ... | | | | | | | | | | | | EAP Success | | | | |< ------------ | | | | | | | | | The following describes each message flow in details. 1. The AP sends the initial EAP-Identity Request containing mediating network information to the wireless client. Adrangi, et al. Expires December 16, 2004 [Page 8] Internet-Draft EAP Network Discovery June 2004 2. The wireless client sends an EAP-Identity Response containing a Decorated NAI indicating the selected MN to the AP. OR, 3. The wireless client sends an EAP-Identity Response containing a normal NAI (i.e., non-decorated)to the AP. 4. The AP sends a RADIUS Access Request packet containing the EAP-Identity Response to the access network RADIUS proxy/server as described in [4]. Please note that NAI in the EAP-Identity Response is copied to the RADIUS User-Name attribute in the Access-Request packet as per [4]. 5. The access network RADIUS proxy/server forwards the received Access-Request packet to the next AAA hop based on the realm portion of the NAI in the RADIUS User-Name attribute. 6. The MN RADIUS proxy/server forwards the received Access-Request packet based on the NAI in the RADIUS User-Name attribute to the next AAA hop (i.e., HN RADIUS Server). 7. The EAP Authentication continues as described in [4]. Option 2 - UseLANs, the initialEAP-Identity Request issued by the access network RADIUS server. Wireless AP AN RADIUS MN RADIUS HN RADIUS Client server server Server | (1) | | | | | Association | | | | |------------ >| (2) | | | | |Access Request | | | | |(EAP-Start) | | | | |-------------- >| | | | | | | | | | (3) | | | | |Access Challenge| | | | |(EAP Id. Req. + | | | | | (Network Info) | | | | (4) |< --------------| | | | EAP Id. Req. | | | | |(Network Info)| | | | |< ------------| | | | | | | | | | (5a) | | | | |EAP Id. Resp. | | | | | | | | | Adrangi, et al. Expires December 16, 2004 [Page 9] Internet-Draft EAP Network Discovery June 2004 | (5b) | | | | |EAP Id. Resp. | | | | |------------ >| (6) | | | | |AccessEAP Identity Request is sent by the access point. In the simplest case, the identity hint information is simply included in this request, as shown below. Wireless AP AN RADIUS next RADIUS client server server | | | ||(EAP Id. Resp.) | || 1. Association ||-------------- >| (7)| | |------------------->| | ||Access Req. (| 2. EAP Id.Req. | | ||EAP Id. Resp.)|| (NAIRealms) | ||------------ >|| |<-------------------| | | ||Access Request3. EAP Id.Resp. | | | |------------------->| ||(EAP Id. Resp.)|| | ||------------- >|4. Access-Request |...|... |..|...| (EAP Id.Resp.) |< EAP Authentication Methods >| |...|------------------->| ||...|...| | 5. Access-Request | | | | (EAP Id.Resp.) |EAP Success| | |------------------->| | ||< ------------|| | |The following describes each message flow in details. 1. The wireless client associates with the AP. 2. An EAP-Start message encapsulated within a RADIUS Access-Request sent to the access network RADIUS server. 3. The access network RADIUS server processes the received Access-Request message and initiates an<-- EAP conversationby sending an EAP-Identity Request containing mediating network information encapsulated within a RADIUS Access-Challenge. 4. The AP extracts the EAP-Identity Request from the received Access-Challenge and sends it to the wireless client. 5. The wireless client sends an EAP-Identity Response containing its decorated NAI indicating the selected MN to the AP. OR, 6. The wireless client sends an EAP-Identity Response containing a normal NAI (i.e., non-decorated) to the AP. 7. The AP sends a RADIUS Access-Request packet containing the EAP-Identity Response to the--> | Current accessnetwork RADIUS server as described in [4]. Please note that NAI in the EAP-Identity Response is copied topoints do not support this mechanism, so other options may be preferable. This option can also require configuring theRADIUS User-Name attributeidentity hint information inthe Access-Request packet as per [4]. 8. Thea potentially large number of accessnetwork RADIUS proxy/server forwardspoints, which may be problematic if thereceivedinformation changes often. Adrangi, et al. ExpiresDecember 16, 2004February 6, 2005 [Page10]4] Internet-Draft Identity selection hints for EAPNetwork Discovery JuneAugust 2004Access-Request packet3.2 Option 2: Initial request from access network RADIUS server This is similar to Option 1, but thenext AAA hop based on the realm portion of the NAI ininitial EAP Identity Request is created by the access network RADIUSUser-Name attribute. 9. The MN RADIUS proxy/server forwards the received Access-Request packet based on the NAI inserver instead of theRADIUS User-Name attribute toaccess point. Once a client associates with an access network AP using IEEE 802.11 procedures, thenext AAA hop (i.e., HNAP sends an EAP-Start message [5] within a RADIUSServer). 10.Access-Request. TheEAP Authentication continues as described in [4]. Option 3 - Use a subsequent EAP-Identity Request issued by theaccess network RADIUS server can then send the EAP Identity Request containing the identity hint information. Wireless AP AN RADIUSMN RADIUS HNnext RADIUSClientclient server serverServer|(1)| | | | 1. Association |EAP Id. Req.| | |------------------->| | ||< ------------|| | 2. Access-Request | | | | (EAP-Start) | | |(2)|------------------->| | | | 3.Access-Challenge | | |EAP Id. Resp.|| (EAP Id.Req. with | ||------------ >| (3)| | NAIRealms) | ||Access Request| |<-------------------| | | 4. EAP Id.Req. | ||(EAP Id. Resp.)| | (NAIRealms) | ||-------------- >|| |<-------------------| | | | 5. EAP Id.Resp. | | | |------------------->| | |(4)| | 6. Access-Request | ||Access Challenge|| | (EAP Id.Resp.) ||(EAP Id. Req. +| | |------------------->| | | |(Network Info)| 7. Access-Request | | |(5) |< --------------|| (EAP Id.Resp.) | |EAP Id. Req.| |------------------->| | | ||(Network Info)|| | <-- EAP conversation --> | This option can work with current access points if they support the EAP-Start message. 3.3 Option 3: Subsequent request from access network RADIUS server In the third option, the access point sends the initial EAP Idntity Request without any hint information. The client then responds with an Identity Response, which is forwarded to the local RADIUS server. If the RADIUS server cannot route the message based on the identity provided by the client, it sends a second EAP Identity Request containing the identity hint information. Adrangi, et al. Expires February 6, 2005 [Page 5] Internet-Draft Identity selection hints for EAP August 2004 Wireless AP AN RADIUS next RADIUS client server server ||< ------------|| | | | 1. Association | | | |------------------->| | |(6)| 2. EAP Id.Req. | | ||EAP Id. Resp.| (w/o NAIRealms) | | | |<-------------------| | | | 3. EAP Id.Resp. | ||------------ >| (7)| |------------------->| | | ||Access Request| 4. Access-Request | | ||(EAP Id. Resp.)| (EAP Id.Resp.) | | ||-------------- >| (8)|------------------->| | | | 5.Access-Challenge ||Access Req.(| | | (EAP Id.Req. with ||EAP Id. Resp.)|| | ||------------ >|NAIRealms) | | | |<-------------------| ||Access Request| 6. EAP Id.Req. | | ||(EAP Id. Resp.)|| (NAIRealms) | ||------------- >||...|<-------------------| |... |..|...|Adrangi, et al. Expires December 16, 2004 [Page 11] Internet-Draft7. EAPNetwork Discovery June 2004Id.Resp. |< EAP Authentication Methods >| |...|------------------->| |... |...|...| | 8. Access-Request | | | |EAP Success(EAP Id.Resp.) | | | |------------------->| ||< ------------|| | |The following describes each message flow in details. 1. The access network AP issues an EAP-Identity Request to a wireless client 2. The wireless client replies with an EAP-Identity Response containing a normal NAI (i.e., non-decorated), or perhaps a Decorated NAI [6] based on the mediating network information cached from the most recent authentication session to the access network. 3. The AP creates a RADIUS9. Access-Requestpacket encapsulating the EAP-Identity Response and sends it to| | | | (EAP Id.Resp.) | | | |------------------->| | | | | | <-- EAP conversation --> | When theaccess network RADIUS server. 4. The access network RADIUS proxy/server sends ainitial RADIUSAccess-Challenge packet encapsulating an EAP-Identity Request containing mediating network information. Or, the step 8Access-Request isexecutedreceived, if the access networkproxy/server canRADIUS proxy cannot route thepacket based on the realm portion of the NAI in theRADIUSUser-Name attributepacket to the next AAAhop. 5. The access network AP forwards the EAP-Identity Request containing the mediating networkhop, it SHOULD send identity hint information to thewireless client. 6. The wirelessclientreplies with(via Access-Challenge encapsulating anEAP-Identity Response containingEAP Identity Request). When aDecorated NAI indicating the preferred MN. Wireless client can still send an undecorated NAI to thesubsequent RADIUSproxy/ server, if itAccess-Request isa legacy client. It should also be noted that the wireless client may also decide not to connect toreceived, if the access networkin the absence ofRADIUS proxy still cannot route thedesired MN inRADIUS packet to thereceived MN information in step (4). 7. The access network AP forwardsnext AAA hop, then it SHOULD discard theEAP-Identity Response topacket. Optionally, the access network RADIUS serverover RADIUS protocol. 8. The access network RADIUS proxy/server forwards the received Access Request to thecan also send an error notification (via Access-Challenge encapsulating an EAP Notification) with an appropriateMN RADIUS server based on the realm portion of the NAIerror message. This option does not require changes to existing NASes, so it may be preferable inthe RADIUS User-Name attribute. 9. The MN RADIUS proxy/server forwards the received Access-Requestmany environments. 4. IANA Considerations This document does not define any new namespaces to be managed by Adrangi, et al. ExpiresDecember 16, 2004February 6, 2005 [Page12]6] Internet-Draft Identity selection hints for EAPNetwork Discovery JuneAugust 2004packet based onIANA, and does not require any assignments in existing namespaces. 5. Security considerations Identity hint information is delivered inside an EAP Identity Request before the user authenticates to the network, and before the network is authenticated to the user. This information can be modified by an attacker. Therefore, is MUST be considered just an unauthenticated hint that does not override any local policies at the client. In case the identity hint information is used to select a mediating network for NAIindecoration, it should be noted that at least with some EAP methods, there is no way for the home network RADIUSUser-Name attributeserver to verify that thenext AAA hop (i.e., HN RADIUS Server). The EAP Authentication continues as described in [4]. 8. Acknowledgementmediating network used was actually the same one that the client had requested. 6. Acknowledgements The authors would specially like to thank Jari Arkko(of Ericsson)and Bernard Aboba forhistheir help in scoping the problem, for reviewing the draft work in progress and for suggesting improvements to it. The authors would also like to acknowledge and thankJari Arkko (of Ericson), Bernard Aboba (of Microsoft),AdrianBuckley (of RIM),Buckley, BlairBullock (of iPass) ,Bullock, JosePuthenkulam (of Intel),Puthenkulam, JohannaWild (of Motorola),Wild, JoeSalowey (of Cisco),Salowey, MarcoSpini (of Telecom Italia),Spini, SimoneRuffino (of Telecom Italia) andRuffino, MarkGrayson (of Cisco)forGrayson, and Avi Lior for their support, feedback and guidance during the various stages of this work.9.7. References9.17.1 NormativeReferencesreferences [1] Aboba, B., Beadles, M., Arkko, J. and P. Eronen, "The Network Access Identifier", draft-arkko-roamops-rfc2486bis-02 (work in progress), July 2004. [2] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J. and H. Levkowetz, "Extensible Authentication Protocol (EAP)", RFC 3748, June 2004. [3] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [4] Crocker, D. and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", RFC 2234, November 1997.[2] Rigney, C., Willens, S., Rubens, A.7.2 Informative references [5] Aboba, B. andW. Simpson, "RemoteP. Calhoun, "RADIUS (Remote Authentication Dial In Adrangi, et al. Expires February 6, 2005 [Page 7] Internet-Draft Identity selection hints for EAP August 2004 UserService (RADIUS)",Service) Support For Extensible Authentication Protocol (EAP)", RFC2865, June 2000. [3]3579, September 2003. [6] Arkko, J. and B. Aboba, "Network Discovery and Selection Problem", draft-ietf-eap-netsel-problem-01 (work in progress), July 2004. [7] Calhoun, P., Loughney, J., Guttman, E., Zorn, G. and J. Arkko, "Diameter Base Protocol", RFC 3588, September 2003.[4] Aboba, B.[8] Rigney, C., Willens, S., Rubens, A. andP. Calhoun, "RADIUS (RemoteW. Simpson, "Remote Authentication Dial In UserService) Support For Extensible Authentication Protocol (EAP)",Service (RADIUS)", RFC3579, September 2003. [5] Blunk, L., "Extensible Authentication Protocol (EAP)", draft-ietf-eap-rfc2284bis-09 (work in progress), February 2004. [6] Aboba, B., "The Network Access Identifier", draft-arkko-roamops-rfc2486bis-00 (work in progress), February 2004. 9.2 Informative References Adrangi, et al. Expires December 16, 2004 [Page 13] Internet-Draft EAP Network Discovery2865, June20042000. Authors' Addresses Farid Adrangi Intel Corporation 2111 N.E. 25th AvenueHillsboroHillsboro, OR 97124 USA Phone: +1 503-712-1791 EMail: farid.adrangi@intel.com Victor Lortz Intel Corporation 2111 N.E. 25th AvenueHillsboroHillsboro, OR 97124 USA Phone: +1 503-264-3253 EMail: victor.lortz@intel.com Farooq Bari AT&T Wireless 7277 164th Avenue N.E.RedmondRedmond, WA 98052 USA Phone: +1 425-580-5526 EMail:Farooq.bari@attws.comfarooq.bari@attws.com Adrangi, et al. Expires February 6, 2005 [Page 8] Internet-Draft Identity selection hints for EAP August 2004 Pasi Eronen Nokia Research Center P.O. Box 407FIN-0005FIN-00045 Nokia Group Finland EMail: pasi.eronen@nokia.com Mark Watson Nortel2221,Networks 2221 Lakeside BlvdRichardsonRichardson, TX 75082 USA EMail: mwatson@nortel.com Adrangi, et al. ExpiresDecember 16, 2004February 6, 2005 [Page14]9] Internet-Draft Identity selection hints for EAPNetwork Discovery JuneAugust 2004 Intellectual Property Statement The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Disclaimer of Validity This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Copyright Statement Copyright (C) The Internet Society (2004). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society. Adrangi, et al. ExpiresDecember 16, 2004February 6, 2005 [Page15]10] ----