EAP NAK

By CWNP On 09/04/2007 - 13 Comments

While it's often not a topic of discussion because EAP types are usually manually configured on both ends, supplicants and authentication servers can "negotiate" an EAP authentication protocol type.

In EAP, the initial portion of the frame exchange works like this (only EAPoL-Start is a pure EAPoL frame; everything after it is an EAP packet carried inside an EAPoL EAP-Packet frame):

EAPoL-Start (an optional frame that's almost always present) ..... Supplicant > Authenticator
EAP-Request/Identity (the Authenticator requests the ID of the Supplicant) ..... Authenticator > Supplicant
EAP-Response/Identity (the Supplicant sends either its real username or a bogus/anonymous outer identity) ..... Supplicant > Authenticator

Now this is where it gets interesting. The above 3 steps are generic to every EAP type used in wireless.  The next EAP frame is unique per EAP type. Before this frame, you don't know which type of EAP you're going to be dealing with.

EAP-Request (PEAP, EAP-TTLS, LEAP, TLS, etc.) ..... Authentication Server (AS) > Authenticator > Supplicant

This frame tells the supplicant which EAP type the AS wants to use for this authentication session. The AS picks the type to start with from its priority list (if it supports more than one). If the station doesn't support that type, it answers with a NAK (EAP Type 3) whose Type-Data field carries the type number(s) it would accept instead. The NAK and the type numbers were originally defined in RFC 2284, which has since been replaced by RFC 3748; the authoritative list of assigned EAP method type numbers is the IANA EAP registry, and a nice list of these authentication types can also be found on page 165 of this document.

If the AS supports the suggested EAP type, it will then start that EAP type with the supplicant. If not, it moves to the next highest-priority type it supports and starts the process over at the "4th" frame, the EAP-Request that proposes a method. For example:

EAPoL-Start
EAP-Request/Identity
EAP-Response/Identity
EAP-Request (PEAP Start)
EAP-Response (NAK + Suggested EAP type = LEAP)
EAP-Request (LEAP)
EAP-Response (LEAP)
EAP-Success

or

EAPoL-Start
EAP-Request/Identity
EAP-Response/Identity
EAP-Request (PEAP)
EAP-Response (NAK + Auth Type = LEAP)
EAP-Request (TTLS)
EAP-Response (NAK + Auth Type = LEAP)
EAP-Request (TLS)
EAP-Response (NAK + Auth Type = LEAP)
EAP-Failure

In the second case the AS has run out of supported types that the supplicant will accept, so it ends the conversation with an EAP-Failure. The method the two sides end up on is therefore the intersection of the AS's priority list and what the supplicant is willing to accept. Keep in mind that a supplicant configured to accept whatever it is offered can be steered by a rogue AP/AS toward the weakest method it supports, which is one reason client profiles normally pin a single EAP type and NAK everything else.
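
As an added example (not code from the original post or from CWNP), the following Python simulates both sides of the negotiation described above: it encodes and decodes real EAP packets (Code, Identifier, Length, Type, Type-Data per RFC 3748), has the supplicant answer Request/Identity, accept a proposed method it allows, or send a Nak (Type 3) listing the method types it would accept, and has the AS jump to a suggested type it supports, fall through its own priority list otherwise, and send Failure when the list is exhausted. The function names (`negotiate`, `supplicant_reply`, `build_eap`, `parse_eap`) and the four-method type table are this example's own choices; the type numbers (TLS 13, LEAP 17, TTLS 21, PEAP 25) are the IANA assignments. Unlike the post's examples, the supplicant here may suggest more than one type in a single Nak, which RFC 3748 permits.

```python
import struct

# EAP Codes and the fixed Types from RFC 3748
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_NAK = 1, 3

# IANA-assigned EAP method Type numbers for the methods named in the post
# (table limited to these four; an assumption of this example)
METHOD = {"TLS": 13, "LEAP": 17, "TTLS": 21, "PEAP": 25}
NAME = {num: name for name, num in METHOD.items()}


def build_eap(code, identifier, eap_type=None, type_data=b""):
    """Encode an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(pkt):
    """Decode an EAP packet into (code, identifier, type_or_None, type_data)."""
    if len(pkt) < 4:
        raise ValueError("short EAP header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP Length")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return code, identifier, None, b""
    if length < 5:
        raise ValueError("Request/Response without a Type octet")
    return code, identifier, pkt[4], pkt[5:length]


def supplicant_reply(request, allowed, identity=b"anonymous"):
    """Supplicant side. Answers Request/Identity, accepts a Request for an
    allowed method, and otherwise sends a Nak (Type 3) whose Type-Data lists
    every acceptable method, one octet per Type (RFC 3748 section 5.3.1)."""
    code, identifier, eap_type, _ = parse_eap(request)
    if code != EAP_REQUEST:
        raise ValueError("supplicant only answers Requests")
    if eap_type == TYPE_IDENTITY:
        return build_eap(EAP_RESPONSE, identifier, TYPE_IDENTITY, identity)
    if eap_type in allowed:
        # The method's own first payload would follow here; out of scope.
        return build_eap(EAP_RESPONSE, identifier, eap_type)
    return build_eap(EAP_RESPONSE, identifier, TYPE_NAK, bytes(allowed))


def negotiate(as_priority, supplicant_allowed):
    """AS side of the exchange: propose methods from the priority list, jump
    to a Nak'd suggestion the AS supports, fall through the list otherwise,
    and give up with Failure when the list is exhausted.
    Returns (transcript, chosen method name or None)."""
    untried = [METHOD[m] for m in as_priority]
    allowed = [METHOD[m] for m in supplicant_allowed]
    transcript = ["Supplicant>Authenticator  EAPoL-Start"]
    identifier = 0

    def step(eap_type, request_line):
        nonlocal identifier
        identifier += 1                      # each new Request gets a fresh Identifier
        transcript.append(request_line)
        response = supplicant_reply(build_eap(EAP_REQUEST, identifier, eap_type), allowed)
        _, rid, rtype, rdata = parse_eap(response)
        if rid != identifier:
            raise ValueError("Response Identifier does not match the Request")
        return rtype, rdata

    step(TYPE_IDENTITY, "Authenticator>Supplicant  Request (Identity)")
    transcript.append("Supplicant>Authenticator  Response (Identity)")
    next_type = untried[0]
    while True:
        untried.remove(next_type)
        rtype, rdata = step(next_type, f"AS>Supplicant  Request ({NAME[next_type]})")
        if rtype != TYPE_NAK:
            transcript.append(f"Supplicant>AS  Response ({NAME[rtype]})")
            transcript.append("AS>Supplicant  Success")
            return transcript, NAME[rtype]
        transcript.append("Supplicant>AS  Response (Nak: "
                          + ", ".join(NAME.get(t, str(t)) for t in rdata) + ")")
        wanted = [t for t in rdata if t in untried]
        if wanted:
            next_type = wanted[0]        # AS supports a suggested type: start it
        elif untried:
            next_type = untried[0]       # otherwise fall through its own list
        else:
            transcript.append("AS>Supplicant  Failure")
            return transcript, None


if __name__ == "__main__":
    for line in negotiate(["PEAP", "TTLS", "TLS", "LEAP"], ["LEAP"])[0]:
        print(line)
```

Running it with the AS priority list PEAP, TTLS, TLS, LEAP and a supplicant pinned to LEAP reproduces the post's first exchange; dropping LEAP from the AS list reproduces the second, ending in Failure. Pinning the supplicant to a single type is what makes the `allowed` check the deciding factor, which is the security point: an `allowed` list containing every method the client can do would let any AS pick the weakest one.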


Blog Disclaimer: The opinions expressed within these blog posts are solely the author’s and do not reflect the opinions and beliefs of the Certitrek, CWNP or its affiliates.

