]> FreeRADIUS

aland@freeradius.org

Sandelman Software Works

mcr+ietf@sandelman.ca

Internet anima Working Group Internet-Draft This document describes a method by which an unconfigured device can use EAP-TLS to join a network on which further device onboarding, network attestation or other remediation can be done. While RFC 5216 supports EAP-TLS without a client certificate, that document defines no method by which unauthenticated EAP-TLS can be used. This draft addresses that issue. About This Document Status information for this document may be found at . Discussion of this document takes place on the emu Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .

Introduction There are a multitude of situations where a network device needs to join a new (wireless) network but where the device does not yet have the right credentials for that network. As the device does not have credentials, it cannot access networks which typically require authentication. However, since the device does not have network access, it cannot download a new configuration which contains updated credentials. The process by which a device acquires these credentials has become known as onboarding . There are many onboarding protocols, including , , , CSA MATTER, and OPC UA Part 21. Some of these protocols use WiFi Public frames, or provide for provisioning as part of EAP, such as . Other systems require pre-existing IP connectivity in order to configure credentials for a device, which causes a circular dependancy. This document defines a method where devices can use unauthenticated EAP-TLS in order to obtain some network access, often in a captive portal . Once the device is on that basic network, it has access to the full suite of Internet Protocol (IP) technologies, and can proceed with onboarding. This method is clearer, safer, and easier to implement and deploy than alternatives as it does not attempt to replicate the IP layers or TCP transports over an EAP layer. This method also allows for multiple onboarding technologies to co-exist, and for the technologies to evolve without requiring invasive upgrades to the layer-2 infrastructure. The method detailed in this document uses the unauthenticated client mode of EAP-TLS. While defines EAP-TLS without a client certificate, that document defines no method by which unauthenticated EAP-TLS can be used. This draft addresses that issue. has defined the @eap.arpa domain, and this document builds upon it by showing how it can be used to provid network access for onboarding unauthenticated devices. Note that this specification does not specify the exact method used for onboarding devices! There are many possibilities, and some new methods may come along in the future. Not all of them are enumerated here. This document explains how to get the wireless equivalent of a plugged in wire, but without any promises of further connectivity.

Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. The term supplicant is used to refer to the network device which is attempting to do EAP-TLS. The term pledge (from ) is used to refer to the network device which has successfully performed unauthenticated client mode EAP-TLS, and now has access to a network on which is may perform onboarding.

Protocol Details The onboarding is divided into the following phases:

• Discovery - the supplicant determines that a network can do onboarding,
• Authentication - the supplicant connects to the network as an unauthenticated device,
• Authorization - the network provides limited connectivity to the device/pledge,
• Onboarding - the device/pledge uses standard IP protocols to perform onboarding,
• Full network access - the device has provisioned credentials, and can proceed with normal network access.

Discovery The network should use 802.11u to signal that it can potentially perform onboarding, by using 802.11u and indicating that it supports the realm "eap.arpa". When a supplicant which requires onboarding sees this realm, it knows that the network may be suitable for onboarding. Note that not all such networks are suitable for onboarding using the technologies that a supplicant has. Some networks might have only a captive portal, intended for a human attended device (such a laptop or smartphone). This is the "coffee shop" case. There may be multiple such networks available, and only one (or none) may be willing to onboard this particular device. Further, the device does not necessarily trust any such network. There are situations where there may be many hundreds of networks which offer onboarding, and a supplicant device may need to try all of them until it finds a network to which it can successfully onboard. An example of such a situation is in a large (dozens to hundreds of floors) apartment building in a downtown core, where radio signals may leak from adjacent units, reflect off glass windows, come from other floors, and even cross the street from adjacent buildings. This document does not address this issue, but anticipates future work in 802.11u, perhaps involving some filtering mechanism using Bloom Filters. There is also work such as that may allow the network to more clearly match. However, these are all optimizations, allowing the pledge to find a compatible network faster. Supplicants MUST limit their actions in the onboarding network to the action of onboarding. If this process cannot be completed, the device MUST disconnect from the onboarding network, and try again, usually by selecting a different network. As soon as the device has been onboarded, the device MUST disconnect from the onboarding network, and use the provided configuration to authenticate and connect to a fully-capable network.

Authentication The supplicant presents itself as an unauthenticated peer, which is allowed by EAP-TLS Section 2.1.1. TLS 1.2 or TLS 1.3 may be used, but TLS 1.3 or higher is RECOMMENDED. The supplicant uses an identity of onboarding@eap.arpa, and provides no TLS client certificate. The use of the "eap.arpa" domain signals to the network that the device wishes to use unauthenticated EAP-TLS.

Authorization Upon receipt of a supplicant without any authentication, the AAA server returns instructions to the authenticator to place the new client into the quarantined or captive portal network. The exact method is network-dependent, but it is usually done with a dedicated VLAN which has limited network access.

Characteristics of the Onboarding/Quarantine Network The quarantine network SHOULD be segregated at layer-two (ethernet), and should not permit ethernet frames to any destination other than a small set of specified routers. Specifically, the layer infrastructure should prevent one pledge from attempting to connect to another pledge on the same quarantine network. For some onboarding protocols such as , only IPv6 Link-Local frames are needed. Such a network MUST provide a Join Proxy as specified in . For other onboarding protocols more capabilities may be needed, in particular there need for a DHCPv4 server may be critical for the device to believe it has connected correctly. This is particularly the case where a normal "smartphone" or laptop system will onboard via a captive portal. Once on the quarantine network, device uses other protocols to perform the onboarding action. Note that the Pledge could also wind up in this qurantine network when using client credentials which are expired, or if the Pledge is unable to provide Evidence that it is trustworthy. It is common for enterprises to force desktop/laptop Pledge systems into a quarantine network when it has been determined that the Pledge contains malware, or is might be considered vulnerable to current attacks. Such quarantine networks usually provide very limited access, but do include access to apply system patches, which would remedy the vulnerability.

Captive Portal While this document imposes no requirements on the rest of the network, captive portals have been used for almost two decades. The administration and operation of captive portals is typically within the authority of administrators who are responsible for network access. As such, this document defines additional behavior on, and requirements for, captive portals, so long as those changes materially benefit the network access administrator.

Privacy Considerations Devices should take care to hide all identifying information from the onboarding network. Any identifying information MUST be sent encrypted via a method such as TLS.

Security Considerations Devices using an onboarding network MUST assume that the network is untrusted. All network traffic SHOULD be encrypted in order to prevent attackers from both eavesdropping, and from modifying any provisioning information. Similarly onboarding networks MUST assume that devices are untrusted, and could be malicious. Networks MUST make provisions to prevent Denial of Service (DoS) attacks, such as when many devices attempt to connect at the same time. Networks MUST limit network access to onboarding protocols and captive portal access only. Networks SHOULD also limit the bandwidth used by any device which is being onboarded. Any returned configuration information from onboarding is likely to be small (megabytes at most), and it is reasonable to require a second or two for this process to take place. Any device which cannot be onboarded within approximately 30 seconds SHOULD be disconnected from the quarantine network if there is no obvious activity. (A device with an active download of a software patch should be allowed to finish before disconnecting) An idle device should not remain connected. Such a delay signals either a malicious device / network, or a misconfigured device / network. If onboarding cannot be finished within a short timer, the device should choose another network.

Use of eap.arpa Supplicants MUST use the "eap.arpa" domain only for onboarding and related activities. Supplicant MUST use unauthenticated EAP-TLS. Networks which support onboarding via the "eap.arpa" domain MUST require that supplicants use unauthenticated EAP-TLS. The use of other EAP types MUST result in rejection, and a denial of all network access.

IANA Considerations A new entry in the "EAP Provisioning Identifiers" is required. It is unclear what this entry should be. Perhaps it should be @nobody.eap.arpa. Perhaps it should be nobody@eap.arpa.

Acknowledgements TBD.

Changelog 05: document refresh, some minor edits. 04: document updated to be in sync with draft-ietf-emu-eap-arpa. 03: refreshed so it does not expire 01 to 02: minor edits.

References Normative References The Extensible Authentication Protocol (EAP), defined in RFC 3748, provides support for multiple authentication methods. Transport Layer Security (TLS) provides for mutual authentication, integrity-protected ciphersuite negotiation, and key exchange between two endpoints. This document defines EAP-TLS, which includes support for certificate-based mutual authentication and key derivation. This document obsoletes RFC 2716. A summary of the changes between this document and RFC 2716 is available in Appendix A. [STANDARDS-TRACK] The Extensible Authentication Protocol (EAP), defined in RFC 3748, provides a standard mechanism for support of multiple authentication methods. This document specifies the use of EAP-TLS with TLS 1.3 while remaining backwards compatible with existing implementations of EAP-TLS. TLS 1.3 provides significantly improved security and privacy, and reduced latency when compared to earlier versions of TLS. EAP-TLS with TLS 1.3 (EAP-TLS 1.3) further improves security and privacy by always providing forward secrecy, never disclosing the peer identity, and by mandating use of revocation checking when compared to EAP-TLS with earlier versions of TLS. This document also provides guidance on authentication, authorization, and resumption for EAP-TLS in general (regardless of the underlying TLS version used). This document updates RFC 5216. InkBridge Networks This document defines the eap.arpa. domain for use only in Network Access Identifiers (NAIs) as a way for Extensible Authentication Protocol (EAP) peers to signal to EAP servers that they wish to obtain limited, and unauthenticated, network access. EAP peers signal which kind of access is required via certain predefined identifiers which use the Network Access Identifier (NAI) format of RFC 7542. A table of identifiers and meanings is defined, which includes entries for RFC 9140. This document updates RFC5216 and RFC9190 to define an unauthenticated provisioning method. Those specifications suggested that such a method has possible, but they did not define how it would be done. This document also updates RFC9140 to deprecate "eap- noob.arpa", and replace it with "@noob.eap.arpa" In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References This document specifies PT-TLS, a TLS-based Posture Transport (PT) protocol. The PT-TLS protocol carries the Network Endpoint Assessment (NEA) message exchange under the protection of a Transport Layer Security (TLS) secured tunnel. This document defines the Tunnel Extensible Authentication Protocol (TEAP) version 1. TEAP is a tunnel-based EAP method that enables secure communication between a peer and a server by using the Transport Layer Security (TLS) protocol to establish a mutually authenticated tunnel. Within the tunnel, TLV objects are used to convey authentication-related data between the EAP peer and the EAP server. This document describes a captive portal architecture. Network provisioning protocols such as DHCP or Router Advertisements (RAs), an optional signaling protocol, and an HTTP API are used to provide the solution. This document specifies automated bootstrapping of an Autonomic Control Plane. To do this, a Secure Key Infrastructure is bootstrapped. This is done using manufacturer-installed X.509 certificates, in combination with a manufacturer's authorizing service, both online and offline. We call this process the Bootstrapping Remote Secure Key Infrastructure (BRSKI) protocol. Bootstrapping a new device can occur when using a routable address and a cloud service, only link-local connectivity, or limited/disconnected networks. Support for deployment models with less stringent security requirements is included. Bootstrapping is complete when the cryptographic identity of the new key infrastructure is successfully deployed to the device. The established secure connection can be used to deploy a locally issued certificate to the device as well. The Extensible Authentication Protocol (EAP) provides support for multiple authentication methods. This document defines the EAP-NOOB authentication method for nimble out-of-band (OOB) authentication and key derivation. The EAP method is intended for bootstrapping all kinds of Internet-of-Things (IoT) devices that have no preconfigured authentication credentials. The method makes use of a user-assisted, one-directional, out-of-band (OOB) message between the peer device and authentication server to authenticate the in-band key exchange. The device must have a nonnetwork input or output interface, such as a display, microphone, speaker, or blinking light, that can send or receive dynamically generated messages of tens of bytes in length. North Carolina State University North Carolina State University Cisco Systems The initial core schema for SCIM (System for Cross-domain Identity Management) was designed for provisioning users. This memo specifies schema extensions that enables provisioning of devices, using various underlying bootstrapping systems, such as Wi-fi Easy Connect, FIDO device onboarding vouchers, BLE passcodes, and MAC authenticated bypass. Aalto University Denpel Informatique University of Oviedo This document provides an overview of terms that are commonly used when discussing the initial security setup of Internet of Things (IoT) devices. This document also presents a brief but illustrative survey of protocols and standards available for initial security setup of IoT devices. For each protocol, we identify the terminology used, the entities involved, the initial assumptions, the processes necessary for completetion, and the knowledge imparted to the IoT devices after the setup is complete. n.d. In network protocol exchanges, it is often useful for one end of a communication to know whether the other end is in an intended operating state. This document provides an architectural overview of the entities involved that make such tests possible through the process of generating, conveying, and evaluating evidentiary Claims. It provides a model that is neutral toward processor architectures, the content of Claims, and protocols.