EAP AVPs
EAP (application id: 5)
The Extensible Authentication Protocol (EAP) is an authentication framework that supports multiple authentication mechanisms. EAP can be used on dedicated links, switched circuits, and both wired and wireless links. The Diameter EAP application is based on the Diameter Network Access Server Application (NASREQ) and is intended for environments similar to NASREQ.
In the Diameter EAP application, authentication occurs between the EAP client and its home Diameter server. This end-to-end authentication reduces the possibility of fraudulent authentication, such as replay and man-in-the-middle attacks. End-to-end authentication also provides the possibility for mutual authentication, which is not feasible with PAP and CHAP in a roaming PPP environment.
EAP interface workflow
EAP Initiation
- The EAP conversation begins when the user initiates EAP within a link layer protocol such as PPP (Point-to-Point Protocol) or IEEE 802.11.
- The NAS receives this initiation and sends a Diameter-EAP-Request message to the Diameter server, containing an empty EAP-Payload AVP to signify EAP-Start.
Response to EAP-Start
- The Diameter server responds with a Diameter-EAP-Answer message, including an EAP-Payload AVP that encapsulates an EAP packet.
- The NAS forwards the EAP payload to the EAP client (User).
Multi-Round EAP Exchange
- Identity Request and Response: The initial Diameter-EAP-Answer typically includes an EAP-Request/Identity, requesting the user to identify themselves.
- The user responds with an EAP-Response/Identity, which the NAS forwards as another Diameter-EAP-Request to the Diameter server.
Processing Identity
- The Diameter server processes the EAP-Response/Identity and may issue further EAP requests for authentication methods like EAP-TLS.
- These EAP messages are encapsulated within Diameter-EAP-Request and Diameter-EAP-Answer messages, continuing the exchange until authentication is complete.
Final Authentication Result
- The conversation ends with a final Diameter-EAP-Answer whose EAP-Payload carries the EAP-Success or EAP-Failure packet for the client.
- The Result-Code AVP reports the outcome: DIAMETER_MULTI_ROUND_AUTH (1001) while further EAP rounds are required, DIAMETER_SUCCESS (2001) when authentication succeeded, or DIAMETER_AUTHENTICATION_REJECTED (4001) when it failed. A successful answer also carries the authorization AVPs the NAS needs and, if the EAP method exported keys, the EAP-Master-Session-Key AVP.
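The conversation described above, as an added example in Python (not code from the Mobius library or from RFC 4072): an EAP peer, a pass-through NAS and the home Diameter server exchange Diameter-EAP-Request/Answer messages reduced to their Result-Code and EAP-Payload AVPs, from the empty EAP-Payload that signals EAP-Start through Identity and one method round to the final answer. The method is MD5-Challenge (RFC 3748 type 4), which exports no keys, so the successful answer carries no EAP-Master-Session-Key. The identities, secret and user database are constructed. The NAS checks the EAP Code and Length in both directions and silently drops any response whose Identifier does not match the outstanding request, which is the pass-through validation RFC 4072 requires and the part that defends the NAS against replayed or stray responses.

```python
"""Diameter EAP (RFC 4072) conversation: EAP peer <-> pass-through NAS <-> home server.
Added illustration, not code from the Mobius Diameter library: messages are reduced to
the Result-Code and EAP-Payload AVPs, the method is MD5-Challenge (RFC 3748 type 4),
and the user database below is constructed."""
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4
DIAMETER_MULTI_ROUND_AUTH, DIAMETER_SUCCESS, DIAMETER_AUTHENTICATION_REJECTED = 1001, 2001, 4001
AVP_RESULT_CODE, AVP_EAP_PAYLOAD = 268, 462       # Unsigned32 (RFC 6733), OctetString (RFC 4072)
USERS = {b"alice@example.net": b"s3cret"}          # constructed: identity -> MD5-Challenge secret

def eap_packet(code, identifier, type_=None, data=b""):
    """Code | Identifier | Length (whole packet) | [Type | Type-Data]."""
    body = b"" if type_ is None else bytes([type_]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def avp(code, data):
    """One AVP without Vendor-Id: code, M flag, 24-bit length, data padded to 4 octets."""
    header = struct.pack("!IB", code, 0x40) + (8 + len(data)).to_bytes(3, "big")
    return header + data + b"\x00" * (-len(data) % 4)

def get_avp(message, code):
    """Data of the first AVP with this code in a run of AVPs (V flag not modelled), else None."""
    pos = 0
    while pos + 8 <= len(message):
        avp_code = struct.unpack_from("!I", message, pos)[0]
        length = int.from_bytes(message[pos + 5:pos + 8], "big")
        if avp_code == code:
            return message[pos + 8:pos + length]
        pos += max(length, 8) + (-length % 4)
    return None

class NAS:
    """Pass-through authenticator: checks EAP headers both ways, never runs the method."""
    def __init__(self):
        self.current_id = None                 # Identifier of the outstanding EAP-Request

    def from_server(self, dea):
        """Validate the EAP packet in a DEA before handing it to the client."""
        pkt = get_avp(dea, AVP_EAP_PAYLOAD)
        if pkt is None or len(pkt) < 4:
            raise ValueError("DEA without a usable EAP-Payload")
        code, ident, length = struct.unpack_from("!BBH", pkt)
        if code not in (EAP_REQUEST, EAP_SUCCESS, EAP_FAILURE) or length != len(pkt):
            raise ValueError("invalid EAP packet from Diameter server")
        self.current_id = ident
        return pkt

    def from_client(self, pkt):
        """Wrap a client EAP-Response in a DER, or return None to silently drop it."""
        code, ident, length = struct.unpack_from("!BBH", pkt) if len(pkt) >= 4 else (0, 0, 0)
        if code != EAP_RESPONSE or length != len(pkt) or ident != self.current_id:
            return None                        # malformed, stale or replayed response
        return avp(AVP_EAP_PAYLOAD, pkt)

class HomeServer:
    """Home Diameter server: runs the EAP method end to end with the peer."""
    def __init__(self):
        self.ident, self.identity, self.challenge = 0, None, None

    def handle_der(self, der):
        """Return (Result-Code, EAP packet) for the DEA that answers this DER."""
        pkt = get_avp(der, AVP_EAP_PAYLOAD)
        if pkt == b"":                                           # empty payload = EAP-Start
            self.ident = 1
            return DIAMETER_MULTI_ROUND_AUTH, eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)
        code, ident, _, type_ = struct.unpack_from("!BBHB", pkt) if len(pkt) >= 5 else (0, 0, 0, 0)
        if code != EAP_RESPONSE or ident != self.ident:
            return DIAMETER_AUTHENTICATION_REJECTED, eap_packet(EAP_FAILURE, self.ident)
        if type_ == EAP_TYPE_IDENTITY:
            self.identity, self.challenge, self.ident = pkt[5:], os.urandom(16), ident + 1
            return DIAMETER_MULTI_ROUND_AUTH, eap_packet(
                EAP_REQUEST, self.ident, EAP_TYPE_MD5, bytes([16]) + self.challenge)
        secret = USERS.get(self.identity)
        if type_ == EAP_TYPE_MD5 and secret is not None and len(pkt) > 5:
            expected = hashlib.md5(bytes([ident]) + secret + self.challenge).digest()
            if hmac.compare_digest(pkt[6:6 + pkt[5]], expected):  # Type-Data: Value-Size | Value | Name
                return DIAMETER_SUCCESS, eap_packet(EAP_SUCCESS, ident)
        return DIAMETER_AUTHENTICATION_REJECTED, eap_packet(EAP_FAILURE, ident)

def peer_respond(pkt, identity, secret):
    """EAP peer: answer Identity and MD5-Challenge requests (RFC 3748 sections 5.1 and 5.4)."""
    ident, type_ = pkt[1], pkt[4]
    if type_ == EAP_TYPE_IDENTITY:
        return eap_packet(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, identity)
    digest = hashlib.md5(bytes([ident]) + secret + pkt[6:6 + pkt[5]]).digest()
    return eap_packet(EAP_RESPONSE, ident, EAP_TYPE_MD5, bytes([16]) + digest + identity)

def run_eap(identity, secret):
    """Drive the whole conversation; return (final Result-Code, final EAP Code)."""
    nas, server = NAS(), HomeServer()
    der = avp(AVP_EAP_PAYLOAD, b"")                              # EAP-Start
    while der is not None:
        result, pkt = server.handle_der(der)
        dea = avp(AVP_RESULT_CODE, struct.pack("!I", result)) + avp(AVP_EAP_PAYLOAD, pkt)
        forwarded = nas.from_server(dea)
        if result != DIAMETER_MULTI_ROUND_AUTH:
            return result, forwarded[0]
        der = nas.from_client(peer_respond(forwarded, identity, secret))
    raise RuntimeError("NAS discarded the peer's response")
```

`run_eap(b"alice@example.net", b"s3cret")` returns `(2001, 3)` (DIAMETER_SUCCESS with EAP-Success), while a wrong secret or an unknown identity returns `(4001, 4)` (DIAMETER_AUTHENTICATION_REJECTED with EAP-Failure). Session-Id, Auth-Application-Id and the other mandatory AVPs of a real DER/DEA are left out so that the Result-Code and EAP-Payload handling stays visible.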
For the complete technical specification of the EAP interface in the Diameter protocol, refer to [RFC 4072].
package com.mobius.software.telco.protocols.diameter.primitives.eap
| Name | AVP Code | Data Type | Vendor | Description |
|---|---|---|---|---|
| Accounting-EAP-Auth-Method | 465 | Unsigned64 | IETF | Identifies the EAP method that was run, for inclusion in accounting records; it may appear more than once when several methods were run in sequence. The value packs the method's Vendor-ID into the upper 32 bits and its Vendor-Type into the lower 32 bits: Value = (Vendor-ID × 2^32) + Vendor-Type. For standard (non-expanded) EAP types the Vendor-ID is 0, so the value is simply the EAP Type. |
| EAP-Key-Name | 102 | OctetString | IETF | An opaque key identifier (name) exported by the EAP method, intended for link-layer protocols that refer to keys by name. Code 102 is the RADIUS attribute number, reused as the Diameter AVP code. How the name is used depends on the link layer and is outside the scope of the Diameter and EAP specifications; not every EAP method exports one. |
| EAP-Master-Session-Key | 464 | OctetString | IETF | The Master Session Key exported by the EAP method, sent by the home Diameter server to the NAS in the successful final Diameter-EAP-Answer so that the NAS and the user can protect the link between them. Diameter secures messages hop by hop (TLS or IPsec between adjacent peers), so every Diameter agent on the path between the NAS and the home server can read this AVP; those agents must be trusted, or the key must be protected end to end. |
| EAP-Payload | 462 | OctetString | IETF | Carries one complete EAP packet between the EAP client and the home Diameter server, with the NAS acting as a pass-through. A zero-length EAP-Payload in a Diameter-EAP-Request signals EAP-Start. |
| EAP-Reissued-Payload | 463 | OctetString | IETF | Carries a previously issued EAP packet that the Diameter server is reissuing instead of advancing the conversation, for example after receiving an EAP-Response it cannot accept. The NAS delivers the reissued packet to the client in the same way as an EAP-Payload. |
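The Accounting-EAP-Auth-Method packing from the table above, as an added example in Python (not code from the Mobius library): it derives the Unsigned64 value from the Type field of an EAP packet, covering both standard types and RFC 3748 expanded types (Type 254 followed by a 3-octet Vendor-Id and a 4-octet Vendor-Type), inverts it, and produces the 8-octet AVP data. The sample packets and the vendor identifier in them are constructed, not real IANA assignments.

```python
"""Accounting-EAP-Auth-Method (RFC 4072 AVP 465): packing the EAP method identifier.
Added illustration, not Mobius library code. Sample packets and the vendor
identifier 0xABCDE are constructed, not looked up in the IANA registry."""
import struct

EAP_TYPE_EXPANDED = 254   # RFC 3748 section 5.7: Type 254 | Vendor-Id (3 octets) | Vendor-Type (4 octets)

def auth_method_value(vendor_id, vendor_type):
    """Value = (Vendor-ID * 2**32) + Vendor-Type; standard types use Vendor-ID 0."""
    if not 0 <= vendor_id < 2**24 or not 0 <= vendor_type < 2**32:
        raise ValueError("Vendor-Id is 24 bits and Vendor-Type 32 bits on the wire")
    return (vendor_id << 32) | vendor_type

def split_auth_method(value):
    """Inverse of auth_method_value: (Vendor-ID, Vendor-Type) from the Unsigned64."""
    return value >> 32, value & 0xFFFFFFFF

def auth_method_from_eap(pkt):
    """Derive the AVP value from the Type field of an EAP-Request/Response packet."""
    if len(pkt) < 5:
        raise ValueError("EAP packet carries no Type field")
    type_ = pkt[4]
    if type_ != EAP_TYPE_EXPANDED:
        return auth_method_value(0, type_)
    if len(pkt) < 12:
        raise ValueError("truncated expanded EAP type")
    vendor_id = int.from_bytes(pkt[5:8], "big")
    vendor_type = struct.unpack_from("!I", pkt, 8)[0]
    return auth_method_value(vendor_id, vendor_type)

def unsigned64_data(value):
    """AVP data octets for an Unsigned64: 8 octets in network byte order."""
    return struct.pack("!Q", value)

# Constructed EAP-Response packets: Code 2, Identifier, Length, Type, Type-Data.
EAP_TLS_RESPONSE = bytes([2, 3, 0, 6, 13, 0x00])                       # Type 13 (EAP-TLS), flags 0
VENDOR_RESPONSE = (bytes([2, 4, 0, 12, EAP_TYPE_EXPANDED])
                   + (0xABCDE).to_bytes(3, "big") + (0x2A).to_bytes(4, "big"))
```

For the EAP-TLS response the value is 13 and the AVP data is seven zero octets followed by 0x0D; for the expanded type it is `(0xABCDE << 32) | 0x2A`, from which `split_auth_method` recovers the pair. The range checks matter because a value built from out-of-range fields would still fit in 64 bits but could no longer be mapped back to a valid EAP Type.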