Mocana delivers and open standards based, full featured, RFC compliant embedded Extensible Authentication Protocol (EAP) solution. The Mocana NanoEAP solution offers a complete peer (supplicant) as well as an authenticator that can support pass-through mode and stand-alone mode. Both the supplicant and the authenticator(s) are available individually or as a bundle. The Mocana NanoEAP solution can prevent unauthorized access to your network devices, easily update your security handling, and independently manage multiple users who require unique security configurations. Separate VLANs can be served by separate EAP instances. Upper-layer APIs enable session creation, initialization, statistics collection and provides several callback functions and APIs to configure and monitor a particular EAP session. Lower-layer APIs enable EAP communication over Ethernet, PPP, UDP, or any other protocol.

The NanoEAP model contains the following elements:

• The peer (supplicant) is the device that needs to connect to the network.
• The network access server, NAS (also known as the edge device) controls access to the network.
  
• The authenticator acts in either stand-alone mode to authenticate the peer (in two-tier authentication models) or in pass-through mode to transmit messages between the peer and an authentication server (in three-tier authentication models).
  
• The authentication server contains the data and logic, such as user names, passwords, and access rights, to make decisions about what services a peer is authorized to use.

Currently, there are approximately 40 different EAP methods. Methods defined in IETF RFCs include:

LEAP:The Lightweight Extensible Authentication Protocol (LEAP) is a proprietary EAP method developed by Cisco Systems prior to the IEEE ratification of the 802.11i security standard.

EAP-TLS:EAP-Transport Layer Security or EAP-TLS, defined in RFC 5216, is an IETF open standard, and is well-supported among wireless vendors.

EAP-MD5: defined in RFC 3748, is the only IETF Standards Track based EAP method.

EAP-PSK: defined in RFC 4764, is an EAP method for mutual authentication and session key derivation using a Pre-Shared Key (PSK).

EAP-TTLS: EAP-Tunneled Transport Layer Security, or EAP-TTLS is an EAP protocol that extends TLS. It was co-developed by Funk Software and Certicom. It is widely supported across platforms.

EAP-IKEv2: is an EAP method based on the Internet Key Exchange Protocol version 2 (IKEv2). It provides mutual authentication and session key establishment between an EAP peer and an EAP server.

PEAP: is a joint proposal by Cisco Systems, Microsoft and RSA Security as an open standard. It is already widely available in products, and provides very good security. It is similar in design to EAP-TTLS, requiring only a server-side PKI certificate to create a secure TLS tunnel to protect user authentication.

EAP-FAST: (Flexible Authentication via Secure Tunneling) is a protocol proposal by Cisco Systems as a replacement for LEAP.[7] The protocol was designed to address the weaknesses of LEAP while preserving the "lightweight" implementation.

EAP for GSM: Subscriber Identity is used for authentication and session key distribution using the Global System for Mobile Communications (GSM) Subscriber Identity Module (SIM). EAP-SIM is defined in RFC 4186.

EAP for UMTS: Authentication and Key Agreement is used for authentication and session key distribution using the Universal Mobile Telecommunications System (UMTS) Universal Subscriber Identity Module (USIM). EAP AKA is defined in RFC 4187.

Supported processor platforms: Awards and Certifications Nominations

Sales | Support | Contact | Privacy Policy | FAQs | Site Map | Referral Program

Copyright © 2010 Mocana Corporation

NanoEAP™ Features

Ease of Control
Mocana NanoEAP provides system administrators complete control of authentication configuration — deciding when supplicants should be authenticated, how to handle connectivity loss, adding new authentication methods, and more. This flexibility is easily achieved using common configuration templates as models for customization.

Platform Independent
NanoEAP, like all of Mocana’s device security toolkits, is CPU-architecture and platform independent, working with any TCP/IP stack. It works seamlessly out of the box. Platforms supported out-of-the-box include Linux, Monta Vista Linux, VxWorks, OSE, Nucleus, Solaris, ThreadX, Windows, MacOS X, (ARC) MQX, pSOS, and Cygwin. NanoEAP is endian-neutral, and can be used without an RTOS if required.

IETF Compliant Implementations

• RFC-2284, PPP Extensible Authentication Protocol (EAP)
• RFC-2716, PPP EAP TLS Authentication Protocol
• RFC-2759, Microsoft PPP CHAP Extensions, Version 2
• RFC-2945, The SRP Authentication and Key Exchange System
• RFC-3268, AES Ciphersuites for Transport Layer Security
• RFC-3546, Transport Layer Security Extensions (partially supported)
• RFC-3579, RADIUS (Remote Authentication Dial In User Service) Support for Extensible Authentication Protocol (EAP)
• RFC-3580, IEEE 802.1x Remote Authentication Dial In User Service (RADIUS) Usage Guidelines
• RFC-3748, Extensible Authentication Protocol (EAP)
• RFC-4137, State Machines for Extensible Authentication Protocol (EAP) Peer and Authenticator
• RFC-4186, Extensible Authentication Protocol Method for Global System for Mobile Communications (GSM) Subscriber Identity Modules (EAP-SIM)
• RFC-4187, Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA)
• RFC-4279, Pre-Shared Key Ciphersuites for Transport Layer Security
• EAP-PEAP (v0, v1, v2), all drafts-draft-josefsson-pppext-eap-tls-eap-07.txt and draft-josefsson-pppext-eap-tla-eap-10.txt
• EAP-TTLS (v0,v1), all drafts-draft-ietf-pppext-eap-ttls-02.txt
• EAS PSK draft-draft-bersani-eap_psk-11.txt
• EAP FAST draft-draft-cam-winget-eap-fast-03.txt

Authentication Support

• OTP (one time password)
• GTC (generic token card)
• MS-CHAP-V2 (Microsoft version of the Challengehandshake authentication protocol)
• TLS (transport layer security)
• TTLS v0 and v1 SIM (subscriber identity module)
• AKA (authentication and key agreement)
• SRP (secure remote password)
• LEAP (lightweight extensible authentication protocol, developed by Cisco Systems)
• PEAP v0/v1/v2 (protected extensible authentication protocol)
• FAST (flexible authentication via secure tunneling)
• RADIUS (remote authentication dial in user service)
• MD5

EAP-TLS and EAP-TTLS Cipher Support

• TLS-RSA-WITH-AES-256-CBC-SHA
• TLS-RSA-WITH-AES-128-CBC-SHA
• TLS-RSA-WITH-ARCFOUR-128-MD5
• TLS-RSA-WITH-ARCFOUR-128-SHA
• TLS-RSA-WITH-3DES-EDE-CBC-SHA
• TLS-RSA-WITH-DES-CBC-SHA
• TLS-DHE-RSA-WITH-AES-256-CBC-SHA
• TLS-DHE-RSA-WITH-AES-128-CBC-SHA
• TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
• TLS-DHE-RSA-WITH-DES-CBC-SHA
• TLS-DH-ANON-WITH-AES-256-CBC-SHA
• TLS-DH-ANON-WITH-AES-128-CBC-SHA
• SSL-DH-ANON-WITH-ARCFOUR-128-MD5
• SSL-DH-ANON-WITH-3DES-EDE-CBC-SHA
• SSL-DH-ANON-WITH-DES-CBC-SHA
• TLS-PSK-WITH-AES-256-CBC-SHA
• TLS-PSK-WITH-AES-128-CBC-SHA
• TLS-PSK-WITH-ARCFOUR-128-SHA
• TLS-PSK-WITH-3DES-EDE-CBC-SHA
• TLS-RSA-PSK-WITH-AES-256-CBC-SHA
• TLS-RSA-PSK-WITH-AES-128-CBC-SHA
• TLS-RSA-PSK-WITH-ARCFOUR-128-SHA
• TLS-RSA-PSK-WITH-3DES-EDE-CBC-SHA
• TLS-DHE-PSK-WITH-AES-256-CBC-SHA
• TLS-DHE-PSK-WITH-AES-128-CBC-SHA
• SSL-DHE-PSK-WITH-ARCFOUR-CBC-SHA
• SSL-DHE-PSK-WITH-3DES-EDE-CBC-SHA
• TLS-RSA-WITH-NULL-SHA
• TLS-RSA-WITH-NULL-MD5

Additional Cryptography Support

• MD2
• MD4
• MD5
• PKCS #1, Version 1.5
• PKCS #5
• PKCS #7
• PKCS #8
• PKCS #10
  
• PKCS #12
  
• SHA1
  
• SHA-224
  
• SHA-256
  
• SHA-384
  
• SHA-512

NanoEAP Features

• Transport agnostic with no dependacy on link layer (EAP packets can be transported over 802.1x, PPP, TCP, UDP and IKEv2).
• Highly customized for various timeouts, retransmission intervals and MTU configurations
• EAP session can be configured as supplicant, stand-alone authenticator or Pass-through Authenticator.
• Each EAP session can be configured to use different EAP method.
• APIs to gather statistics and logs.
• Support for multiple virtual instances of EAP authenticator.
• Easy to integrate as a library in the existing task or a process.

Supported processor platforms: Awards and Certifications Nominations

Sales | Support | Contact | Privacy Policy | FAQs | Site Map | Referral Program

Copyright © 2010 Mocana Corporation

NanoEAP™ Benefits

Speed
NanoEAP consistently outperforms. NanoEAP’s assembly language optimization and support for hardware acceleration make it the fastest embedded EAP implementation on the market. Benchmark testing on a 700 MHz Pentium III CPU with Embedded EAP-SIM, Embedded EAP peer running on Linux, and Mocana NanoEAP authenticator in RADIUS pass-through mode with 100 sessions/sec yielded only a two percent CPU utilization rate. It includes strong code reuse for a smaller memory footprint.

Flexibility
Mocana NanoEAP delivers incredible flexibility, as it is able to support multiple authentication schemes, including generic token cards, one-time passwords, AKA, TLS, RADIUS, LEAP and many others. You get to determine where supplicants should be authenticated as well as easily add new authentication methods. It’s a snap to independently manage multiple users who require unique security configurations.

Dramatically Speeds Your Development Cycle NanoEAP is a ready-made, pre-optimized and exhaustively tested EAP solution that frees your in-house development resources to focus on what’s really important: the functionality of your project. As well, NanoEap is cleared for export. As always, Mocana’s developer support team is available 24/7/365 to help you anytime.

Supported processor platforms: Awards and Certifications Nominations

Sales | Support | Contact | Privacy Policy | FAQs | Site Map | Referral Program

Copyright © 2010 Mocana Corporation

NanoEAP™ Architecture

Mocana’s products, together, make up what we call the Device Security FrameworkTM.
The DSF is designed to secure all aspects of any connected device. All components of the Device Security Framework are built on a common architecture and share a common API and cryptographic code base. As a device designer, you can choose only the components you need for your particular project... or standardize company-wide on the DSF’s common code base, future-proofing your investment with this broad, flexible and extensible security architecture.

Supported processor platforms: Awards and Certifications Nominations

Sales | Support | Contact | Privacy Policy | FAQs | Site Map | Referral Program

Copyright © 2010 Mocana Corporation