ONOS AAA app: Authentication and Authorization logic.

Change-Id: I36eb889eeab38edf12377c13e780a147551459a4
diff --git a/app.xml b/app.xml
new file mode 100644
index 0000000..167a419
--- /dev/null
+++ b/app.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2015 Open Networking Laboratory
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<app name="org.onosproject.aaa" origin="ATT" version="${project.version}"
+     featuresRepo="mvn:${project.groupId}/${project.artifactId}/${project.version}/xml/features"
+     features="${project.artifactId}">
+    <description>${project.description}</description>
+    <artifact>mvn:${project.groupId}/${project.artifactId}/${project.version}</artifact>
+    <artifact>mvn:${project.groupId}/onos-app-xos-integration/${project.version}</artifact>
+    <bundle>mvn:com.sun.jersey/jersey-client/1.19</bundle>
+</app>
diff --git a/features.xml b/features.xml
new file mode 100644
index 0000000..3825ec5
--- /dev/null
+++ b/features.xml
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<!--
+  ~ Copyright 2015 Open Networking Laboratory
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<features xmlns="http://karaf.apache.org/xmlns/features/v1.2.0" name="${project.artifactId}-${project.version}">
+    <repository>mvn:${project.groupId}/${project.artifactId}/${project.version}/xml/features</repository>
+    <feature name="${project.artifactId}" version="${project.version}"
+             description="${project.description}">
+        <feature>onos-api</feature>
+        <bundle>mvn:com.sun.jersey/jersey-client/1.19</bundle>
+        <bundle>mvn:${project.groupId}/${project.artifactId}/${project.version}</bundle>
+        <bundle>mvn:${project.groupId}/onos-app-xos-integration/${project.version}</bundle>
+    </feature>
+</features>
diff --git a/pom.xml b/pom.xml
new file mode 100644
index 0000000..6f85075
--- /dev/null
+++ b/pom.xml
@@ -0,0 +1,93 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2014 Open Networking Laboratory
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+
+    <parent>
+        <groupId>org.onosproject</groupId>
+        <artifactId>onos-apps</artifactId>
+        <version>1.3.0-SNAPSHOT</version>
+        <relativePath>../pom.xml</relativePath>
+    </parent>
+
+    <artifactId>onos-app-aaa</artifactId>
+    <packaging>bundle</packaging>
+
+    <description>ONOS authentication application</description>
+
+    <properties>
+        <onos.app.name>org.onosproject.aaa</onos.app.name>
+    </properties>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.osgi</groupId>
+            <artifactId>org.osgi.compendium</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>org.onosproject</groupId>
+            <artifactId>onlab-junit</artifactId>
+            <scope>test</scope>
+        </dependency>
+
+        <dependency>
+            <groupId>org.onosproject</groupId>
+            <artifactId>onos-api</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+
+         <dependency>
+            <groupId>org.onosproject</groupId>
+            <artifactId>onlab-osgi</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.apache.felix</groupId>
+            <artifactId>org.apache.felix.scr.annotations</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>org.onosproject</groupId>
+            <artifactId>onos-app-xos-integration</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+    </dependencies>
+
+
+        <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.felix</groupId>
+                <artifactId>maven-bundle-plugin</artifactId>
+            </plugin>
+
+            <plugin>
+                <groupId>org.apache.felix</groupId>
+                <artifactId>maven-scr-plugin</artifactId>
+            </plugin>
+            <plugin>
+                <groupId>org.onosproject</groupId>
+                <artifactId>onos-maven-plugin</artifactId>
+            </plugin>
+        </plugins>
+    </build>
+</project>
diff --git a/src/main/java/org/onosproject/aaa/AAA.java b/src/main/java/org/onosproject/aaa/AAA.java
new file mode 100644
index 0000000..9168017
--- /dev/null
+++ b/src/main/java/org/onosproject/aaa/AAA.java
@@ -0,0 +1,556 @@
+/*
+ * Copyright 2015 AT&T Foundry
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.onosproject.aaa;
+
+import com.google.common.base.Strings;
+import org.apache.felix.scr.annotations.Activate;
+import org.apache.felix.scr.annotations.Component;
+import org.apache.felix.scr.annotations.Deactivate;
+import org.apache.felix.scr.annotations.Modified;
+import org.apache.felix.scr.annotations.Property;
+import org.apache.felix.scr.annotations.Reference;
+import org.apache.felix.scr.annotations.ReferenceCardinality;
+import org.onlab.packet.Ethernet;
+import org.onlab.packet.IPv4;
+import org.onlab.packet.Ip4Address;
+import org.onlab.packet.IpAddress;
+import org.onlab.packet.MacAddress;
+import org.onlab.packet.UDP;
+import org.onlab.packet.VlanId;
+import org.onlab.util.Tools;
+import org.onosproject.aaa.packet.EAP;
+import org.onosproject.aaa.packet.EAPEthernet;
+import org.onosproject.aaa.packet.EAPOL;
+import org.onosproject.aaa.packet.RADIUS;
+import org.onosproject.aaa.packet.RADIUSAttribute;
+import org.onosproject.cfg.ComponentConfigService;
+import org.onosproject.core.ApplicationId;
+import org.onosproject.core.CoreService;
+import org.onosproject.net.ConnectPoint;
+import org.onosproject.net.DeviceId;
+import org.onosproject.net.Host;
+import org.onosproject.net.PortNumber;
+import org.onosproject.net.flow.DefaultTrafficSelector;
+import org.onosproject.net.flow.DefaultTrafficTreatment;
+import org.onosproject.net.flow.FlowRuleService;
+import org.onosproject.net.flow.TrafficSelector;
+import org.onosproject.net.flow.TrafficTreatment;
+import org.onosproject.net.host.HostService;
+import org.onosproject.net.intent.IntentService;
+import org.onosproject.net.packet.DefaultOutboundPacket;
+import org.onosproject.net.packet.InboundPacket;
+import org.onosproject.net.packet.OutboundPacket;
+import org.onosproject.net.packet.PacketContext;
+import org.onosproject.net.packet.PacketPriority;
+import org.onosproject.net.packet.PacketProcessor;
+import org.onosproject.net.packet.PacketService;
+import org.onosproject.net.topology.TopologyService;
+import org.onosproject.xosintegration.VoltTenantService;
+import org.osgi.service.component.ComponentContext;
+import org.slf4j.Logger;
+
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.nio.ByteBuffer;
+import java.util.Collections;
+import java.util.Dictionary;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.Map;
+import java.util.Optional;
+import java.util.Set;
+
+import static org.slf4j.LoggerFactory.getLogger;
+
+
+/**
+ * AAA application for Onos.
+ */
+@Component(immediate = true)
+public class AAA {
+    // a list of our dependencies :
+    // to register with ONOS as an application - described next
+    @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
+    protected CoreService coreService;
+
+    // topology information
+    @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
+    protected TopologyService topologyService;
+
+    // to receive Packet-in events that we'll respond to
+    @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
+    protected PacketService packetService;
+
+    @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
+    protected FlowRuleService flowService;
+
+    // to submit/withdraw intents for traffic manipulation
+    @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
+    protected IntentService intentService;
+
+    // end host information
+    @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
+    protected HostService hostService;
+
+    @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
+    protected VoltTenantService voltTenantService;
+
+
+    // for verbose output
+    private final Logger log = getLogger(getClass());
+
+    // our application-specific event handler
+    private ReactivePacketProcessor processor = new ReactivePacketProcessor();
+
+    // our unique identifier
+    private ApplicationId appId;
+
+    // Map of state machines. Each state machine is represented by an
+    // unique identifier on the switch: dpid + port number
+    Map stateMachineMap = null;
+
+    // RADIUS server IP address
+    private static final String DEFAULT_RADIUS_IP = "192.168.1.10";
+    // NAS IP address
+    private static final String DEFAULT_NAS_IP = "192.168.1.11";
+    // RADIUS uplink port
+    private static final int DEFAULT_RADIUS_UPLINK = 2;
+    // RADIUS server shared secret
+    private static final String DEFAULT_RADIUS_SECRET = "ONOSecret";
+    //RADIUS MAC address
+    private static final String RADIUS_MAC_ADDRESS =  "00:00:00:00:01:10";
+    //NAS MAC address
+    private static final String NAS_MAC_ADDRESS = "00:00:00:00:10:01";
+    //Radius Switch Id
+    private static final String DEFAULT_RADIUS_SWITCH = "of:5e3e486e73000187";
+    //Radius Port Number
+    private static final String DEFAULT_RADIUS_PORT = "5";
+
+    @Property(name = "radiusIpAddress", value = DEFAULT_RADIUS_IP,
+            label = "RADIUS IP Address")
+    private String radiusIpAddress = DEFAULT_RADIUS_IP;
+
+    @Property(name = "nasIpAddress", value = DEFAULT_NAS_IP,
+            label = "NAP IP Address")
+    private String nasIpAddress = DEFAULT_NAS_IP;
+
+    @Property(name = "radiusMacAddress", value = RADIUS_MAC_ADDRESS,
+            label = "RADIUS MAC Address")
+    private String radiusMacAddress = RADIUS_MAC_ADDRESS;
+
+    @Property(name = "nasMacAddress", value = NAS_MAC_ADDRESS,
+            label = "NAP MAC Address")
+    private String nasMacAddress = NAS_MAC_ADDRESS;
+
+    @Property(name = "radiusSecret", value = DEFAULT_RADIUS_SECRET,
+            label = "RADIUS shared secret")
+    private String radiusSecret = DEFAULT_RADIUS_SECRET;
+
+    @Property(name = "radiusSwitchId", value = DEFAULT_RADIUS_SWITCH,
+            label = "Radius switch")
+    private String radiusSwitch = DEFAULT_RADIUS_SWITCH;
+
+    @Property(name = "radiusPortNumber", value = DEFAULT_RADIUS_PORT,
+            label = "Radius port")
+    private String radiusPort = DEFAULT_RADIUS_PORT;
+
+    // Parsed RADIUS server IP address
+    protected InetAddress parsedRadiusIpAddress;
+
+    // Parsed NAS IP address
+    protected InetAddress parsedNasIpAddress;
+
+    @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
+    protected ComponentConfigService cfgService;
+
+    @Modified
+    public void modified(ComponentContext context) {
+        Dictionary<?, ?> properties = context.getProperties();
+
+        String s = Tools.get(properties, "radiusIpAddress");
+        try {
+            parsedRadiusIpAddress = InetAddress.getByName(s);
+            radiusIpAddress = Strings.isNullOrEmpty(s) ? DEFAULT_RADIUS_IP : s;
+        } catch (UnknownHostException e) {
+            log.error("Invalid RADIUS IP address specification: {}", s);
+        }
+        try {
+            s = Tools.get(properties, "nasIpAddress");
+            parsedNasIpAddress = InetAddress.getByName(s);
+            nasIpAddress = Strings.isNullOrEmpty(s) ? DEFAULT_NAS_IP : s;
+        } catch (UnknownHostException e) {
+            log.error("Invalid NAS IP address specification: {}", s);
+        }
+
+        s = Tools.get(properties, "radiusMacAddress");
+        radiusMacAddress = Strings.isNullOrEmpty(s) ? RADIUS_MAC_ADDRESS : s;
+
+        s = Tools.get(properties, "nasMacAddress");
+        nasMacAddress = Strings.isNullOrEmpty(s) ? NAS_MAC_ADDRESS : s;
+
+        s = Tools.get(properties, "radiusSecret");
+        radiusSecret = Strings.isNullOrEmpty(s) ? DEFAULT_RADIUS_SECRET : s;
+
+        s = Tools.get(properties, "radiusSwitchId");
+        radiusSwitch = Strings.isNullOrEmpty(s) ? DEFAULT_RADIUS_SWITCH : s;
+
+        s = Tools.get(properties, "radiusPortNumber");
+        radiusPort = Strings.isNullOrEmpty(s) ? DEFAULT_RADIUS_PORT : s;
+    }
+
+    @Activate
+    public void activate(ComponentContext context) {
+        cfgService.registerProperties(getClass());
+        modified(context);
+        // "org.onosproject.aaa" is the FQDN of our app
+        appId = coreService.registerApplication("org.onosproject.aaa");
+        // register our event handler
+        packetService.addProcessor(processor, PacketProcessor.ADVISOR_MAX + 2);
+        TrafficSelector.Builder selector = DefaultTrafficSelector.builder();
+
+        selector.matchEthType(EAPEthernet.TYPE_PAE);
+        packetService.requestPackets(selector.build(),
+                PacketPriority.CONTROL, appId);
+
+        // Instantiate the map of the state machines
+        Map<String, StateMachine> stateMachines = new HashMap<String, StateMachine>();
+        stateMachineMap = Collections.synchronizedMap(stateMachines);
+
+        hostService.startMonitoringIp(IpAddress.valueOf(radiusIpAddress));
+
+    }
+
+    @Deactivate
+    public void deactivate() {
+        cfgService.unregisterProperties(getClass(), false);
+        // de-register and null our handler
+        packetService.removeProcessor(processor);
+        processor = null;
+    }
+
+    // our handler defined as a private inner class
+
+    /**
+     * Packet processor responsible for forwarding packets along their paths.
+     */
+    private class ReactivePacketProcessor implements PacketProcessor {
+        @Override
+        public void process(PacketContext context) {
+
+            // Extract the original Ethernet frame from the packet information
+            InboundPacket pkt = context.inPacket();
+            Ethernet ethPkt = pkt.parsed();
+            if (ethPkt == null) {
+                return;
+            }
+            //identify if incoming packet comes from supplicant (EAP) or RADIUS
+            switch (ethPkt.getEtherType()) {
+                case (short) 0x888e:
+                    handleSupplicantPacket(ethPkt, context);
+                    break;
+                case 0x800:
+                    IPv4 ipv4Packet = (IPv4) ethPkt.getPayload();
+                    Ip4Address srcIp = Ip4Address.valueOf(ipv4Packet.getSourceAddress());
+                    Ip4Address radiusIp4Address = Ip4Address.valueOf(parsedRadiusIpAddress);
+                    if (srcIp.equals(radiusIp4Address) && ipv4Packet.getProtocol() == IPv4.PROTOCOL_UDP) {
+                        // TODO: check for port as well when it's configurable
+                        UDP udpPacket = (UDP) ipv4Packet.getPayload();
+                        // RADIUS radiusPacket = (RADIUS) udpPacket.getPayload();
+                        byte[] datagram = udpPacket.getPayload().serialize();
+                        RADIUS radiusPacket = new RADIUS();
+                        radiusPacket = (RADIUS) radiusPacket.deserialize(datagram, 0, datagram.length);
+                        handleRadiusPacket(radiusPacket);
+                    }
+                    break;
+                default:
+                    return;
+            }
+        }
+
+
+        /**
+         * Handle PAE packets (supplicant).
+         * @param ethPkt Ethernet packet coming from the supplicant.
+         */
+        private void handleSupplicantPacket(Ethernet ethPkt, PacketContext context) {
+            // Where does it come from?
+            MacAddress srcMAC = ethPkt.getSourceMAC();
+
+            DeviceId deviceId = context.inPacket().receivedFrom().deviceId();
+            PortNumber portNumber = context.inPacket().receivedFrom().port();
+            String sessionId = deviceId.toString() + portNumber.toString();
+            StateMachine stateMachine = getStateMachine(sessionId);
+            //Reserialize the data of the eth packet into our EAPOL format
+            // this code will go once it is in the onos repository.
+            byte[] bullshit = ethPkt.getPayload().serialize();
+            EAPOL eapol = (EAPOL) new EAPOL().deserialize(bullshit, 0, bullshit.length);
+
+            switch (eapol.getEapolType()) {
+                case EAPOL.EAPOL_START:
+                    try {
+                        stateMachine.start();
+                        stateMachine.supplicantConnectpoint = context.inPacket().receivedFrom();
+
+                        //send an EAP Request/Identify to the supplicant
+                        EAP eapPayload = new EAP(EAP.REQUEST, stateMachine.getIdentifier(), EAP.ATTR_IDENTITY, null);
+                        Ethernet eth =  EAPOL.buildEapolResponse(srcMAC, MacAddress.valueOf(1L),
+                                                                 ethPkt.getVlanID(), EAPOL.EAPOL_PACKET,
+                                                                 eapPayload);
+                        stateMachine.supplicantAddress = srcMAC;
+                        stateMachine.vlanId = ethPkt.getVlanID();
+
+                        this.sendPacketToSupplicant(eth, stateMachine.supplicantConnectpoint);
+                    } catch (StateMachineException e) {
+                        e.printStackTrace();
+                    }
+
+                    break;
+                case EAPOL.EAPOL_PACKET:
+                    //check if this is a Response/Idenfity or  a Response/TLS
+                    EAP eapPacket = (EAP) eapol.getPayload();
+
+                    byte dataType = eapPacket.getDataType();
+                    switch (dataType) {
+                        case EAP.ATTR_IDENTITY:
+                            try {
+                                //request id access to RADIUS
+                                RADIUS radiusPayload = new RADIUS(RADIUS.RADIUS_CODE_ACCESS_REQUEST,
+                                        eapPacket.getIdentifier());
+                                radiusPayload.setIdentifier(stateMachine.getIdentifier());
+                                radiusPayload.setAttribute(RADIUSAttribute.RADIUS_ATTR_USERNAME,
+                                        eapPacket.getData());
+                                stateMachine.setUsername(eapPacket.getData());
+                                radiusPayload.setAttribute(RADIUSAttribute.RADIUS_ATTR_NAS_IP,
+                                        AAA.this.parsedNasIpAddress.getAddress());
+
+                                radiusPayload.encapsulateMessage(eapPacket);
+
+                                // set Request Authenticator in StateMachine
+                                stateMachine.setRequestAuthenticator(radiusPayload.generateAuthCode());
+                                radiusPayload.addMessageAuthenticator(AAA.this.radiusSecret);
+                                sendRadiusMessage(radiusPayload);
+
+                                //change the state to "PENDING"
+                                stateMachine.requestAccess();
+                            } catch (StateMachineException e) {
+                                e.printStackTrace();
+                            }
+                            break;
+                        case EAP.ATTR_MD5:
+                            //verify if the EAP identifier corresponds to the challenge identifier from the client state
+                            //machine.
+                            if (eapPacket.getIdentifier() == stateMachine.getChallengeIdentifier()) {
+                                //send the RADIUS challenge response
+                                RADIUS radiusPayload = new RADIUS(RADIUS.RADIUS_CODE_ACCESS_REQUEST,
+                                        eapPacket.getIdentifier());
+                                radiusPayload.setIdentifier(stateMachine.getChallengeIdentifier());
+                                radiusPayload.setAttribute(RADIUSAttribute.RADIUS_ATTR_USERNAME,
+                                        stateMachine.getUsername());
+                                radiusPayload.setAttribute(RADIUSAttribute.RADIUS_ATTR_NAS_IP,
+                                        AAA.this.parsedNasIpAddress.getAddress());
+
+                                radiusPayload.encapsulateMessage(eapPacket);
+
+                                radiusPayload.setAttribute(RADIUSAttribute.RADIUS_ATTR_STATE,
+                                        stateMachine.getChallengeState());
+                                radiusPayload.addMessageAuthenticator(AAA.this.radiusSecret);
+                                sendRadiusMessage(radiusPayload);
+                            }
+                            break;
+                        case EAP.ATTR_TLS:
+                            try {
+                                //request id access to RADIUS
+                                RADIUS radiusPayload = new RADIUS(RADIUS.RADIUS_CODE_ACCESS_REQUEST,
+                                        eapPacket.getIdentifier());
+                                radiusPayload.setIdentifier(stateMachine.getIdentifier());
+                                radiusPayload.setAttribute(RADIUSAttribute.RADIUS_ATTR_USERNAME,
+                                        stateMachine.getUsername());
+                                radiusPayload.setAttribute(RADIUSAttribute.RADIUS_ATTR_NAS_IP,
+                                        AAA.this.parsedNasIpAddress.getAddress());
+
+                                radiusPayload.encapsulateMessage(eapPacket);
+
+                                radiusPayload.setAttribute(RADIUSAttribute.RADIUS_ATTR_STATE,
+                                        stateMachine.getChallengeState());
+                                stateMachine.setRequestAuthenticator(radiusPayload.generateAuthCode());
+
+                                radiusPayload.addMessageAuthenticator(AAA.this.radiusSecret);
+
+                                sendRadiusMessage(radiusPayload);
+                                // TODO: this gets called on every fragment, should only be called at TLS-Start
+                                stateMachine.requestAccess();
+                            } catch (StateMachineException e) {
+                                e.printStackTrace();
+                            }
+                            break;
+                        default:
+                            return;
+                    }
+                    break;
+                default:
+                    return;
+            }
+        }
+
+        /**
+         * Handle RADIUS packets.
+         * @param radiusPacket RADIUS packet coming from the RADIUS server.
+         */
+        private void handleRadiusPacket(RADIUS radiusPacket) {
+            StateMachine stateMachine = getStateMachineById(radiusPacket.getIdentifier());
+            if (stateMachine == null) {
+                log.error("Invalid session identifier, exiting...");
+                return;
+            }
+
+            byte[] eapMessage = null;
+            EAP eapPayload = new EAP();
+            Ethernet eth = null;
+            switch (radiusPacket.getCode()) {
+                case RADIUS.RADIUS_CODE_ACCESS_CHALLENGE:
+                    byte[] challengeState = radiusPacket.getAttribute(RADIUSAttribute.RADIUS_ATTR_STATE).getValue();
+                    eapPayload = radiusPacket.decapsulateMessage();
+                    stateMachine.setChallengeInfo(eapPayload.getIdentifier(), challengeState);
+                    eth = EAPOL.buildEapolResponse(stateMachine.supplicantAddress,
+                            MacAddress.valueOf(1L), stateMachine.vlanId, EAPOL.EAPOL_PACKET, eapPayload);
+                    this.sendPacketToSupplicant(eth, stateMachine.supplicantConnectpoint);
+                    break;
+                case RADIUS.RADIUS_CODE_ACCESS_ACCEPT:
+                    try {
+                        //send an EAPOL - Success to the supplicant.
+                        eapMessage =
+                                radiusPacket.getAttribute(RADIUSAttribute.RADIUS_ATTR_EAP_MESSAGE).getValue();
+                        eapPayload = new EAP();
+                        eapPayload = (EAP) eapPayload.deserialize(eapMessage, 0, eapMessage.length);
+                        eth = EAPOL.buildEapolResponse(stateMachine.supplicantAddress,
+                                MacAddress.valueOf(1L), stateMachine.vlanId, EAPOL.EAPOL_PACKET, eapPayload);
+                        this.sendPacketToSupplicant(eth, stateMachine.supplicantConnectpoint);
+
+                        stateMachine.authorizeAccess();
+                    } catch (StateMachineException e) {
+                        e.printStackTrace();
+                    }
+                    break;
+                case RADIUS.RADIUS_CODE_ACCESS_REJECT:
+                    try {
+                        stateMachine.denyAccess();
+                    } catch (StateMachineException e) {
+                        e.printStackTrace();
+                    }
+                    break;
+                default:
+                    log.warn("Unknown RADIUS message received with code: {}", radiusPacket.getCode());
+            }
+        }
+
+        private StateMachine getStateMachineById(byte identifier) {
+            StateMachine stateMachine = null;
+            Set stateMachineSet = stateMachineMap.entrySet();
+
+            synchronized (stateMachineMap) {
+                Iterator itr = stateMachineSet.iterator();
+                while (itr.hasNext()) {
+                    Map.Entry entry = (Map.Entry) itr.next();
+                    stateMachine = (StateMachine) entry.getValue();
+                    if (identifier == stateMachine.getIdentifier()) {
+                        //the state machine has already been created for this session session
+                        stateMachine = (StateMachine) entry.getValue();
+                        break;
+                    }
+                }
+            }
+
+            return stateMachine;
+        }
+
+        private StateMachine getStateMachine(String sessionId) {
+            StateMachine stateMachine = null;
+            Set stateMachineSet = stateMachineMap.entrySet();
+
+            synchronized (stateMachineMap) {
+                Iterator itr = stateMachineSet.iterator();
+                while (itr.hasNext()) {
+
+                    Map.Entry entry = (Map.Entry) itr.next();
+                    if (sessionId.equals(entry.getKey())) {
+                        //the state machine has already been created for this session session
+                        stateMachine = (StateMachine) entry.getValue();
+                        break;
+                    }
+                }
+            }
+
+            if (stateMachine == null) {
+                stateMachine = new StateMachine(sessionId, voltTenantService);
+                stateMachineMap.put(sessionId, stateMachine);
+            }
+
+            return stateMachine;
+        }
+
+        private void sendRadiusMessage(RADIUS radiusMessage) {
+            Set<Host> hosts = hostService.getHostsByIp(IpAddress.valueOf(radiusIpAddress));
+            Optional<Host> odst = hosts.stream().filter(h -> h.vlan().toShort() == VlanId.UNTAGGED).findFirst();
+
+            Host dst;
+            if (!odst.isPresent()) {
+                log.info("Radius server {} is not present", radiusIpAddress);
+                return;
+            } else {
+                dst = odst.get();
+            }
+
+            UDP udp = new UDP();
+            IPv4 ip4Packet = new IPv4();
+            Ethernet ethPkt = new Ethernet();
+            radiusMessage.setParent(udp);
+            udp.setDestinationPort((short) 1812);
+            udp.setSourcePort((short) 1812); // TODO: make this configurable
+            udp.setPayload(radiusMessage);
+            udp.setParent(ip4Packet);
+            ip4Packet.setSourceAddress(AAA.this.nasIpAddress);
+            ip4Packet.setDestinationAddress(AAA.this.radiusIpAddress);
+            ip4Packet.setProtocol(IPv4.PROTOCOL_UDP);
+            ip4Packet.setPayload(udp);
+            ip4Packet.setParent(ethPkt);
+            ethPkt.setDestinationMACAddress(radiusMacAddress);
+            ethPkt.setSourceMACAddress(nasMacAddress);
+            ethPkt.setEtherType(Ethernet.TYPE_IPV4);
+            ethPkt.setPayload(ip4Packet);
+
+            TrafficTreatment treatment = DefaultTrafficTreatment.builder()
+                    .setOutput(PortNumber.portNumber(Integer.parseInt(radiusPort))).build();
+            OutboundPacket packet = new DefaultOutboundPacket(DeviceId.deviceId(radiusSwitch),
+                    treatment, ByteBuffer.wrap(ethPkt.serialize()));
+            packetService.emit(packet);
+
+        }
+
+
+        /**
+         * Send the ethernet packet to the supplicant.
+         * @param ethernetPkt the ethernet packet
+         */
+        private void sendPacketToSupplicant(Ethernet ethernetPkt, ConnectPoint connectPoint) {
+            TrafficTreatment treatment = DefaultTrafficTreatment.builder().setOutput(connectPoint.port()).build();
+            OutboundPacket packet = new DefaultOutboundPacket(connectPoint.deviceId(),
+                    treatment, ByteBuffer.wrap(ethernetPkt.serialize()));
+            packetService.emit(packet);
+        }
+
+    }
+
+}
diff --git a/src/main/java/org/onosproject/aaa/StateMachine.java b/src/main/java/org/onosproject/aaa/StateMachine.java
new file mode 100644
index 0000000..4c595ed
--- /dev/null
+++ b/src/main/java/org/onosproject/aaa/StateMachine.java
@@ -0,0 +1,467 @@
+/*
+ *
+ * Copyright 2015 AT&T Foundry
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package org.onosproject.aaa;
+
+import org.onlab.packet.MacAddress;
+import org.onosproject.net.ConnectPoint;
+import org.onosproject.xosintegration.VoltTenant;
+import org.onosproject.xosintegration.VoltTenantService;
+import org.slf4j.Logger;
+import java.util.BitSet;
+
+import static org.slf4j.LoggerFactory.getLogger;
+
+/**
+ * AAA Finite State Machine.
+ */
+
+class StateMachine {
+    //INDEX to identify the state in the transition table
+    static final int STATE_IDLE = 0;
+    static final int STATE_STARTED = 1;
+    static final int STATE_PENDING = 2;
+    static final int STATE_AUTHORIZED = 3;
+    static final int STATE_UNAUTHORIZED = 4;
+
+    //INDEX to identify the transition in the transition table
+    static final int TRANSITION_START = 0; // --> started
+    static final int TRANSITION_REQUEST_ACCESS = 1;
+    static final int TRANSITION_AUTHORIZE_ACCESS = 2;
+    static final int TRANSITION_DENY_ACCESS = 3;
+    static final int TRANSITION_LOGOFF = 4;
+
+    //map of access identifiers (issued at EAPOL START)
+    static BitSet bitSet = new BitSet();
+    private final VoltTenantService voltService;
+
+    private int identifier = -1;
+    private byte challengeIdentifier;
+    private byte[] challengeState;
+    private byte[] username;
+    private byte[] requestAuthenticator;
+
+    // Supplicant connectivity info
+    protected ConnectPoint supplicantConnectpoint;
+    protected MacAddress supplicantAddress;
+    protected short vlanId;
+
+    private String sessionId = null;
+
+    private final Logger log = getLogger(getClass());
+
+
+    private State[] states = {
+            new Idle(), new Started(), new Pending(), new Authorized(), new Unauthorized()
+    };
+
+
+    //State transition table
+    /*
+
+                state       IDLE    |   STARTED         |   PENDING         |   AUTHORIZED  |   UNAUTHORIZED
+             ////
+       input
+       ----------------------------------------------------------------------------------------------------
+
+       START                STARTED |   _               |   _               |   _           |   _
+
+       REQUEST_ACCESS       _       |   PENDING         |   _               |   _           |   _
+
+       AUTHORIZE_ACCESS     _       |   _               |   AUTHORIZED      |   _           |   _
+
+       DENY_ACCESS          _       |   -               |   UNAUTHORIZED    |   _           |   _
+
+       LOGOFF               _       |   _               |   _               |   IDLE        |   IDLE
+     */
+
+    private int[] idleTransition =
+            {STATE_STARTED, STATE_IDLE, STATE_IDLE, STATE_IDLE, STATE_IDLE};
+    private int[] startedTransition =
+            {STATE_STARTED, STATE_PENDING, STATE_STARTED, STATE_STARTED, STATE_STARTED};
+    private int[] pendingTransition =
+            {STATE_PENDING, STATE_PENDING, STATE_AUTHORIZED, STATE_UNAUTHORIZED, STATE_PENDING};
+    private int[] authorizedTransition =
+            {STATE_AUTHORIZED, STATE_AUTHORIZED, STATE_AUTHORIZED, STATE_AUTHORIZED, STATE_IDLE};
+    private int[] unauthorizedTransition =
+            {STATE_UNAUTHORIZED, STATE_UNAUTHORIZED, STATE_UNAUTHORIZED, STATE_UNAUTHORIZED, STATE_IDLE};
+
+    //THE TRANSITION TABLE
+    private int[][] transition =
+            {idleTransition, startedTransition, pendingTransition, authorizedTransition,
+                    unauthorizedTransition};
+
+    private int currentState = STATE_IDLE;
+
+
+    /**
+     * State Machine Constructor.
+     * @param sessionId Session Id represented by the switch dpid +  port number
+     */
+    public StateMachine(String sessionId, VoltTenantService voltService) {
+        log.info("Creating a new state machine for {}", sessionId);
+        this.sessionId = sessionId;
+        this.voltService = voltService;
+
+    }
+
+    /**
+     * Get the client id that is requesting for access.
+     * @return The client id.
+     */
+    public String getSessionId() {
+        return this.sessionId;
+    }
+
+    /**
+     * Create the identifier for the state machine (happens when goes to STARTED state).
+     */
+    private void createIdentifier() throws StateMachineException {
+        log.debug("Creating Identifier.");
+        int index = -1;
+
+        try {
+            //find the first available spot for identifier assignment
+            index = StateMachine.bitSet.nextClearBit(0);
+
+            //there is a limit of 256 identifiers
+            if (index == 256) {
+                throw new StateMachineException("Cannot handle any new identifier. Limit is 256.");
+            }
+        } catch (IndexOutOfBoundsException e) {
+            throw new StateMachineException(e.getMessage());
+        }
+
+        log.info("Assigning identifier {}", index);
+        StateMachine.bitSet.set(index);
+        this.identifier = index;
+    }
+
+    /**
+     * Set the challenge identifier and the state issued by the RADIUS.
+     * @param challengeIdentifier The challenge identifier set into the EAP packet from the RADIUS message.
+     * @param challengeState The challenge state from the RADIUS.
+     */
+    protected void setChallengeInfo(byte challengeIdentifier, byte[] challengeState) {
+        this.challengeIdentifier = challengeIdentifier;
+        this.challengeState = challengeState;
+    }
+    /**
+     * Set the challenge identifier issued by the RADIUS on the access challenge request.
+     * @param challengeIdentifier The challenge identifier set into the EAP packet from the RADIUS message.
+     */
+    protected void setChallengeIdentifier(byte challengeIdentifier) {
+        log.info("Set Challenge Identifier to {}", challengeIdentifier);
+        this.challengeIdentifier = challengeIdentifier;
+    }
+
+    /**
+     * Get the challenge EAP identifier set by the RADIUS.
+     * @return The challenge EAP identifier.
+     */
+    protected byte getChallengeIdentifier() {
+        return this.challengeIdentifier;
+    }
+
+
+    /**
+     * Set the challenge state info issued by the RADIUS.
+     * @param challengeState The challenge state from the RADIUS.
+     */
+    protected void setChallengeState(byte[] challengeState) {
+        log.info("Set Challenge State");
+        this.challengeState = challengeState;
+    }
+
+    /**
+     * Get the challenge state set by the RADIUS.
+     * @return The challenge state.
+     */
+    protected byte[] getChallengeState() {
+        return this.challengeState;
+    }
+
+    /**
+     * Set the username.
+     * @param username The username sent to the RADIUS upon access request.
+     */
+    protected void setUsername(byte[] username) {
+        this.username = username;
+    }
+
+
+    /**
+     * Get the username.
+     * @return The requestAuthenticator.
+     */
+    protected byte[] getReqeustAuthenticator() {
+        return this.requestAuthenticator;
+    }
+
+    /**
+     * Set the username.
+     * @param authenticator The username sent to the RADIUS upon access request.
+     */
+    protected void setRequestAuthenticator(byte[] authenticator) {
+        this.requestAuthenticator = authenticator;
+    }
+
+
+    /**
+     * Get the username.
+     * @return The username.
+     */
+    protected byte[] getUsername() {
+        return this.username;
+    }
+
+    /**
+     * Return the identifier of the state machine.
+     * @return The state machine identifier.
+     */
+    public byte getIdentifier() {
+        return (byte) this.identifier;
+    }
+
+
+    protected void deleteIdentifier() {
+        if (this.identifier != -1) {
+            log.info("Freeing up " + this.identifier);
+            //this state machine should be deleted and free up the identifier
+            StateMachine.bitSet.clear(this.identifier);
+            this.identifier = -1;
+        }
+    }
+
+
+    /**
+     * Move to the next state.
+     * @param msg
+     */
+    private void next(int msg)  {
+        currentState = transition[currentState][msg];
+        log.info("Current State " + currentState);
+    }
+
+    /**
+     * Client has requested the start action to allow network access.
+     */
+    public void start() throws StateMachineException {
+        try {
+            states[currentState].start();
+            //move to the next state
+            next(TRANSITION_START);
+            createIdentifier();
+        } catch (StateMachineInvalidTransitionException e) {
+            e.printStackTrace();
+        }
+    }
+
+    /**
+     * An Identification information has been sent by the supplicant.
+     * Move to the next state if possible.
+     */
+    public void requestAccess() throws StateMachineException {
+        try {
+            states[currentState].requestAccess();
+            //move to the next state
+            next(TRANSITION_REQUEST_ACCESS);
+        } catch (StateMachineInvalidTransitionException e) {
+            e.printStackTrace();
+        }
+    }
+
+    /**
+     * RADIUS has accepted the identification.
+     * Move to the next state if possible.
+     */
+    public void authorizeAccess() throws StateMachineException {
+        try {
+            states[currentState].radiusAccepted();
+            //move to the next state
+            next(TRANSITION_AUTHORIZE_ACCESS);
+
+            if (voltService != null) {
+                voltService.addTenant(
+                        VoltTenant.builder()
+                                .withHumanReadableName("VCPE-" + this.identifier)
+                                .withId(this.identifier)
+                                .withProviderService(1)
+                                .withServiceSpecificId(String.valueOf(this.identifier))
+                                .withPort(this.supplicantConnectpoint)
+                                .withVlanId(String.valueOf(this.vlanId)).build());
+            }
+
+            deleteIdentifier();
+        } catch (StateMachineInvalidTransitionException e) {
+            e.printStackTrace();
+        }
+
+    }
+
+    /**
+     * RADIUS has denied the identification.
+     * Move to the next state if possible.
+     */
+    public void denyAccess() throws StateMachineException {
+        try {
+            states[currentState].radiusDenied();
+            //move to the next state
+            next(TRANSITION_DENY_ACCESS);
+            deleteIdentifier();
+        } catch (StateMachineInvalidTransitionException e) {
+            e.printStackTrace();
+        }
+    }
+
+    /**
+     * Logoff request has been requested.
+     * Move to the next state if possible.
+     */
+    public void logoff() throws StateMachineException {
+        try {
+            states[currentState].logoff();
+            //move to the next state
+            next(TRANSITION_LOGOFF);
+        } catch (StateMachineInvalidTransitionException e) {
+            e.printStackTrace();
+        }
+    }
+
+    /**
+     * Get the current state.
+     * @return The current state. Could be STATE_IDLE, STATE_STARTED, STATE_PENDING, STATE_AUTHORIZED,
+     * STATE_UNAUTHORIZED.
+     */
+    public int getState() {
+        return currentState;
+    }
+
+
+
+    public String toString() {
+        return ("sessionId: " + this.sessionId) + "\t" + ("identifier: " + this.identifier) + "\t" +
+                ("state: " + this.currentState);
+    }
+}
+
+abstract class State {
+    private final Logger log = getLogger(getClass());
+
+    private String name = "State";
+
+    public void start() throws StateMachineInvalidTransitionException {
+        log.warn("START transition from this state is not allowed.");
+    }
+    public void requestAccess() throws StateMachineInvalidTransitionException {
+        log.warn("REQUEST ACCESS transition from this state is not allowed.");
+    }
+    public void radiusAccepted() throws StateMachineInvalidTransitionException {
+        log.warn("AUTHORIZE ACCESS transition from this state is not allowed.");
+    }
+    public void radiusDenied() throws StateMachineInvalidTransitionException {
+        log.warn("DENY ACCESS transition from this state is not allowed.");
+    }
+    public void logoff() throws StateMachineInvalidTransitionException {
+        log.warn("LOGOFF transition from this state is not allowed.");
+    }
+}
+
+/**
+ * Idle state: supplicant is logged of from the network.
+ */
+class Idle extends State {
+    private final Logger log = getLogger(getClass());
+    private String name = "IDLE_STATE";
+
+    public void start() {
+        log.info("Moving from IDLE state to STARTED state.");
+    }
+}
+
+/**
+ * Started state: supplicant has entered the network and informed the authenticator.
+ */
+class Started extends State {
+    private final Logger log = getLogger(getClass());
+    private String name = "STARTED_STATE";
+
+    public void requestAccess() {
+        log.info("Moving from STARTED state to PENDING state.");
+    }
+}
+
+/**
+ * Pending state: supplicant has been identified by the authenticator but has not access yet.
+ */
+class Pending extends State {
+    private final Logger log = getLogger(getClass());
+    private String name = "PENDING_STATE";
+
+    public void radiusAccepted() {
+        log.info("Moving from PENDING state to AUTHORIZED state.");
+    }
+
+    public void radiusDenied() {
+        log.info("Moving from PENDING state to UNAUTHORIZED state.");
+    }
+}
+
+/**
+ * Authorized state: supplicant port has been accepted, access is granted.
+ */
+class Authorized extends State {
+    private final Logger log = getLogger(getClass());
+    private String name = "AUTHORIZED_STATE";
+
+    public void logoff() {
+
+        log.info("Moving from AUTHORIZED state to IDLE state.");
+    }
+}
+
+/**
+ * Unauthorized state: supplicant port has been rejected, access is denied.
+ */
+class Unauthorized extends State {
+    private final Logger log = getLogger(getClass());
+    private String name = "UNAUTHORIZED_STATE";
+
+    public void logoff() {
+        log.info("Moving from UNAUTHORIZED state to IDLE state.");
+    }
+}
+
+
+/**
+ * Exception for the State Machine.
+ */
+class StateMachineException extends Exception {
+    public StateMachineException(String message) {
+        super(message);
+
+    }
+}
+/**
+ * Exception raised when the transition from one state to another is invalid.
+ */
+class StateMachineInvalidTransitionException extends StateMachineException {
+    public StateMachineInvalidTransitionException(String message) {
+        super(message);
+    }
+}
diff --git a/src/main/java/org/onosproject/aaa/package-info.java b/src/main/java/org/onosproject/aaa/package-info.java
new file mode 100644
index 0000000..19c5a5d
--- /dev/null
+++ b/src/main/java/org/onosproject/aaa/package-info.java
@@ -0,0 +1,20 @@
+/*
+ * Copyright 2014 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * AAA implmentation.
+ */
+package org.onosproject.aaa;
diff --git a/src/main/java/org/onosproject/aaa/packet/EAP.java b/src/main/java/org/onosproject/aaa/packet/EAP.java
new file mode 100644
index 0000000..ed2718e
--- /dev/null
+++ b/src/main/java/org/onosproject/aaa/packet/EAP.java
@@ -0,0 +1,226 @@
+/*
+ *
+ *  * Copyright 2015 AT&T Foundry
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *     http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+
+package org.onosproject.aaa.packet;
+
+import org.onlab.packet.BasePacket;
+import org.onlab.packet.IPacket;
+
+import java.nio.ByteBuffer;
+
+
+/**
+ *
+ */
+public class EAP extends BasePacket {
+    public static final short MIN_LEN = 0x4;
+    public static final short EAP_HDR_LEN_REQ_RESP = 5;
+    public static final short EAP_HDR_LEN_SUC_FAIL = 4;
+
+    /* EAP Code */
+    public static final byte REQUEST  = 0x1;
+    public static final byte RESPONSE = 0x2;
+    public static final byte SUCCESS  = 0x3;
+    public static final byte FAILURE  = 0x4;
+
+    /* EAP Attribute Type */
+    public static final byte ATTR_IDENTITY = 0x1;
+    public static final byte ATTR_NOTIFICATION = 0x2;
+    public static final byte ATTR_NAK = 0x3;
+    public static final byte ATTR_MD5 = 0x4;
+    public static final byte ATTR_OTP = 0x5;
+    public static final byte ATTR_GTC = 0x6;
+    public static final byte ATTR_TLS = 0xd;
+
+    protected byte code;
+    protected byte identifier;
+    protected short length;
+    protected byte type;
+    protected byte[] data;
+
+
+    /**
+     * Get the EAP code.
+     * @return EAP code
+     */
+    public byte getCode() {
+        return this.code;
+    }
+
+
+    /**
+     * Set the EAP code.
+     * @param code EAP code
+     * @return this
+     */
+    public EAP setCode(final byte code) {
+        this.code = code;
+        return this;
+    }
+
+    /**
+     * Get the EAP identifier.
+     * @return EAP identifier
+     */
+    public byte getIdentifier() {
+        return this.identifier;
+    }
+
+    /**
+     * Set the EAP identifier.
+     * @param identifier
+     * @return this
+     */
+    public EAP setIdentifier(final byte identifier) {
+        this.identifier = identifier;
+        return this;
+    }
+
+    /**
+     * Get the get packet length.
+     * @return packet length
+     */
+    public short getLength() {
+        return this.length;
+    }
+
+    /**
+     * Set the packet length.
+     * @param length packet length
+     * @return this
+     */
+    public EAP setLength(final short length) {
+        this.length = length;
+        return this;
+    }
+
+    /**
+     * Get the data type.
+     * @return data type
+     */
+    public byte getDataType() {
+        return this.type;
+    }
+
+    /**
+     * Set the data type.
+     * @param type data type
+     * @return this
+     */
+    public EAP setDataType(final byte type) {
+        this.type = type;
+        return this;
+    }
+
+    /**
+     * Get the EAP data.
+     * @return EAP data
+     */
+    public byte[] getData() {
+        return this.data;
+    }
+
+    /**
+     * Set the EAP data.
+     * @param data EAP data to be set
+     * @return this
+     */
+    public EAP setData(final byte[] data) {
+        this.data = data;
+        return this;
+    }
+
+    /**
+     * Default EAP constructor that set the EAP code to 0.
+     */
+    public EAP() {
+        this.code = 0;
+    }
+
+    /**
+     * EAP constructor that initially sets all fields.
+     * @param code EAP code
+     * @param identifier EAP identifier
+     * @param type packet type
+     * @param data EAP data
+     */
+    public EAP(byte code, byte identifier, byte type, byte[] data) {
+        this.code = code;
+        this.identifier = identifier;
+        if (this.code == REQUEST || this.code == RESPONSE) {
+            this.length = (short) (5 + (data == null ? 0 : data.length));
+            this.type = type;
+        } else {
+            this.length = (short) (4 + (data == null ? 0 : data.length));
+        }
+        this.data = data;
+    }
+
+    /**
+     * Serializes the packet, based on the code/type using the payload
+     * to compute its length.
+     * @return the serialized payload
+     */
+    @Override
+    public byte[] serialize() {
+        final byte[] data = new byte[this.length];
+
+        final ByteBuffer bb = ByteBuffer.wrap(data);
+        bb.put(this.code);
+        bb.put(this.identifier);
+        bb.putShort(this.length);
+        if (this.code == REQUEST || this.code == RESPONSE) {
+            bb.put(this.type);
+        }
+        if (this.data != null) {
+            bb.put(this.data);
+        }
+        return data;
+    }
+
+    @Override
+    public IPacket deserialize(final byte[] data, final int offset,
+                               final int length) {
+        final ByteBuffer bb = ByteBuffer.wrap(data, offset, length);
+        this.code = bb.get();
+        this.identifier = bb.get();
+        this.length = bb.getShort();
+
+        int dataLength;
+        if (this.code == REQUEST || this.code == RESPONSE) {
+            this.type = bb.get();
+            dataLength = this.length - 5;
+        } else {
+            dataLength = this.length - 4;
+        }
+        this.data = new byte[dataLength];
+        bb.get(this.data);
+        return this;
+    }
+
+    @Override
+    public int hashCode() {
+        final int prime = 3889;
+        int result = super.hashCode();
+        result = prime * result + this.code;
+        result = prime * result + this.identifier;
+        result = prime * result + this.length;
+        result = prime * result + this.type;
+        return result;
+    }
+}
diff --git a/src/main/java/org/onosproject/aaa/packet/EAPEthernet.java b/src/main/java/org/onosproject/aaa/packet/EAPEthernet.java
new file mode 100644
index 0000000..be2dae4
--- /dev/null
+++ b/src/main/java/org/onosproject/aaa/packet/EAPEthernet.java
@@ -0,0 +1,45 @@
+/*
+ * Copyright 2015 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onosproject.aaa.packet;
+
+import org.onlab.packet.ARP;
+import org.onlab.packet.Ethernet;
+import org.onlab.packet.IPv4;
+import org.onlab.packet.IPv6;
+import org.onlab.packet.LLDP;
+
+/**
+ * Created by jono on 5/19/15.
+ */
+public final class EAPEthernet extends Ethernet {
+
+    public static final short TYPE_PAE = (short) 0x888e;
+
+    private EAPEthernet() {
+
+    }
+
+    static {
+        Ethernet.ETHER_TYPE_CLASS_MAP.put(org.onlab.packet.Ethernet.TYPE_ARP, ARP.class);
+        org.onlab.packet.Ethernet.ETHER_TYPE_CLASS_MAP.put(org.onlab.packet.Ethernet.TYPE_RARP, ARP.class);
+        org.onlab.packet.Ethernet.ETHER_TYPE_CLASS_MAP.put(org.onlab.packet.Ethernet.TYPE_IPV4, IPv4.class);
+        org.onlab.packet.Ethernet.ETHER_TYPE_CLASS_MAP.put(org.onlab.packet.Ethernet.TYPE_IPV6, IPv6.class);
+        org.onlab.packet.Ethernet.ETHER_TYPE_CLASS_MAP.put(org.onlab.packet.Ethernet.TYPE_LLDP, LLDP.class);
+        org.onlab.packet.Ethernet.ETHER_TYPE_CLASS_MAP.put(org.onlab.packet.Ethernet.TYPE_BSN, LLDP.class);
+        org.onlab.packet.Ethernet.ETHER_TYPE_CLASS_MAP.put(TYPE_PAE, EAPOL.class);
+    }
+}
diff --git a/src/main/java/org/onosproject/aaa/packet/EAPOL.java b/src/main/java/org/onosproject/aaa/packet/EAPOL.java
new file mode 100644
index 0000000..3179e28
--- /dev/null
+++ b/src/main/java/org/onosproject/aaa/packet/EAPOL.java
@@ -0,0 +1,200 @@
+/*
+ *
+ *  * Copyright 2015 AT&T Foundry
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *     http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+
+package org.onosproject.aaa.packet;
+
+import org.onlab.packet.BasePacket;
+import org.onlab.packet.Ethernet;
+import org.onlab.packet.IPacket;
+import org.onlab.packet.MacAddress;
+
+import java.nio.ByteBuffer;
+
+/**
+ *
+ */
+public class EAPOL extends BasePacket {
+
+    private byte version = 0x01;
+    private byte eapolType;
+    private short packetLength;
+
+    /* EAPOL Packet Type */
+    public static final byte EAPOL_PACKET = 0x0;
+    public static final byte EAPOL_START  = 0x1;
+    public static final byte EAPOL_LOGOFF = 0x2;
+    public static final byte EAPOL_KEY    = 0x3;
+    public static final byte EAPOL_ASF    = 0x4;
+
+    public static final MacAddress PAE_GROUP_ADDR = MacAddress.valueOf(new byte[] {
+            (byte) 0x01, (byte) 0x80, (byte) 0xc2, (byte) 0x00, (byte) 0x00, (byte) 0x03
+    });
+
+
+    /**
+     * Get version.
+     * @return version
+     */
+    public byte getVersion() {
+        return this.version;
+    }
+
+    /**
+     * Set version.
+     * @param version EAPOL version
+     * @return this
+     */
+    public EAPOL setVersion(final byte version) {
+        this.version = version;
+        return this;
+    }
+
+    /**
+     * Get type.
+     * @return EAPOL type
+     */
+    public byte getEapolType() {
+        return this.eapolType;
+    }
+
+    /**
+     * Set EAPOL type.
+     * @param eapolType EAPOL type
+     * @return this
+     */
+    public EAPOL setEapolType(final byte eapolType) {
+        this.eapolType = eapolType;
+        return this;
+    }
+
+    /**
+     * Get packet length.
+     * @return packet length
+     */
+    public short getPacketLength() {
+        return this.packetLength;
+    }
+
+    /**
+     * Set packet length.
+     * @param packetLen packet length
+     * @return this
+     */
+    public EAPOL setPacketLength(final short packetLen) {
+        this.packetLength = packetLen;
+        return this;
+    }
+
+
+
+    /**
+     * Serializes the packet, based on the code/type using the payload
+     * to compute its length.
+     * @return this
+     */
+    @Override
+    public byte[] serialize() {
+
+        byte[] payloadData = null;
+
+        if (this.payload != null) {
+            this.payload.setParent(this);
+            payloadData = this.payload.serialize();
+        }
+
+        //prepare the buffer to hold the version (1), packet type (1), packet length (2) and the eap payload.
+        //if there is no payload, packet length is 0
+        byte[] data = new byte[4 + this.packetLength];
+        final ByteBuffer bb = ByteBuffer.wrap(data);
+        bb.put(this.version);
+        bb.put(this.eapolType);
+        bb.putShort(this.packetLength);
+
+        //put the EAP payload
+        if (payloadData != null) {
+            bb.put(payloadData);
+        }
+
+        return data;
+    }
+
+    @Override
+    public IPacket deserialize(final byte[] data, final int offset,
+                               final int length) {
+        final ByteBuffer bb = ByteBuffer.wrap(data, offset, length);
+
+
+        //deserialize the EAPOL header
+        this.version = bb.get();
+        this.eapolType = bb.get();
+        this.packetLength = bb.getShort();
+
+        if (this.packetLength > 0) {
+            //deserialize the EAP Payload
+            this.payload = new EAP();
+
+            this.payload = this.payload.deserialize(data, bb.position(), length - 4);
+            this.payload.setParent(this);
+        }
+
+
+        return this;
+    }
+
+    @Override
+    public int hashCode() {
+        final int prime = 3889;
+        int result = super.hashCode();
+        result = prime * result + this.version;
+        result = prime * result + this.eapolType;
+        result = prime * result + this.packetLength;
+        return result;
+    }
+
+    /**
+     *
+     * @param dstMac
+     * @param srcMac
+     * @param eapolType
+     * @param eap
+     * @return Ethernet frame
+     */
+    public static Ethernet buildEapolResponse(MacAddress dstMac, MacAddress srcMac,
+                                              short vlan, byte eapolType, EAP eap) {
+
+        Ethernet eth = new Ethernet();
+        eth.setDestinationMACAddress(dstMac.toBytes());
+        eth.setSourceMACAddress(srcMac.toBytes());
+        eth.setEtherType(EAPEthernet.TYPE_PAE);
+        if (vlan != Ethernet.VLAN_UNTAGGED) {
+            eth.setVlanID(vlan);
+        }
+        //eapol header
+        EAPOL eapol = new EAPOL();
+        eapol.setEapolType(eapolType);
+        eapol.setPacketLength(eap.getLength());
+
+        //eap part
+        eapol.setPayload(eap);
+
+        eth.setPayload(eapol);
+        eth.setPad(true);
+        return eth;
+    }
+}
+
diff --git a/src/main/java/org/onosproject/aaa/packet/RADIUS.java b/src/main/java/org/onosproject/aaa/packet/RADIUS.java
new file mode 100644
index 0000000..753490b
--- /dev/null
+++ b/src/main/java/org/onosproject/aaa/packet/RADIUS.java
@@ -0,0 +1,313 @@
+/*
+ *
+ *  * Copyright 2015 AT&T Foundry
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *     http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+
+package org.onosproject.aaa.packet;
+
+import org.onlab.packet.BasePacket;
+import org.onlab.packet.IPacket;
+import org.slf4j.Logger;
+
+import javax.crypto.Mac;
+import javax.crypto.spec.SecretKeySpec;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.security.SecureRandom;
+import java.util.ArrayList;
+import java.util.Arrays;
+
+import static org.slf4j.LoggerFactory.getLogger;
+
+/**
+ *
+ */
+public class RADIUS extends BasePacket {
+    protected byte code;
+    protected byte identifier;
+    protected short length = RADIUS_MIN_LENGTH;
+    protected byte[] authenticator = new byte[16];
+    protected ArrayList<RADIUSAttribute> attributes = new ArrayList<>();
+
+    /* RADIUS parameters */
+    public static final short RADIUS_MIN_LENGTH = 20;
+    public static final short MAX_ATTR_VALUE_LENGTH = 253;
+    public static final short RADIUS_MAX_LENGTH = 4096;
+
+    /* RADIUS packet types */
+    public static final byte RADIUS_CODE_ACCESS_REQUEST = 0x01;
+    public static final byte RADIUS_CODE_ACCESS_ACCEPT = 0x02;
+    public static final byte RADIUS_CODE_ACCESS_REJECT = 0x03;
+    public static final byte RADIUS_CODE_ACCOUNTING_REQUEST = 0x04;
+    public static final byte RADIUS_CODE_ACCOUNTING_RESPONSE = 0x05;
+    public static final byte RADIUS_CODE_ACCESS_CHALLENGE = 0x0b;
+
+    private final Logger log = getLogger(getClass());
+
+    public RADIUS() {
+    }
+
+    public RADIUS(byte code, byte identifier) {
+        this.code = code;
+        this.identifier = identifier;
+    }
+
+    public byte getCode() {
+        return this.code;
+    }
+
+    public void setCode(byte code) {
+        this.code = code;
+    }
+
+    public byte getIdentifier() {
+        return this.identifier;
+    }
+
+    public void setIdentifier(byte identifier) {
+        this.identifier = identifier;
+    }
+
+    public byte[] getAuthenticator() {
+        return this.authenticator;
+    }
+
+    public void setAuthenticator(byte[] a) {
+        this.authenticator = a;
+    }
+
+    public byte[] generateAuthCode() {
+        new SecureRandom().nextBytes(this.authenticator);
+        return this.authenticator;
+    }
+
+    public boolean isValidCode() {
+        return this.code == RADIUS_CODE_ACCESS_REQUEST ||
+                this.code == RADIUS_CODE_ACCESS_ACCEPT ||
+                this.code == RADIUS_CODE_ACCESS_REJECT ||
+                this.code == RADIUS_CODE_ACCOUNTING_REQUEST ||
+                this.code == RADIUS_CODE_ACCOUNTING_RESPONSE ||
+                this.code == RADIUS_CODE_ACCESS_CHALLENGE;
+    }
+
+    public RADIUSAttribute addMessageAuthenticator(String key) {
+        /* Message-Authenticator = HMAC-MD5 (Type, Identifier, Length, Request Authenticator, Attributes)
+           When the message integrity check is calculated the signature string should be considered to be
+           sixteen octets of zero.
+         */
+        byte[] hashOutput = new byte[16];
+        Arrays.fill(hashOutput, (byte) 0);
+
+        RADIUSAttribute authAttribute = this.getAttribute(RADIUSAttribute.RADIUS_ATTR_MESSAGE_AUTH);
+        if (authAttribute != null) {
+            // If Message-Authenticator was already present, override it
+            this.log.warn("Attempted to add duplicate Message-Authenticator");
+            authAttribute = this.updateAttribute(RADIUSAttribute.RADIUS_ATTR_MESSAGE_AUTH, hashOutput);
+        } else {
+            // Else generate a new attribute padded with zeroes
+            authAttribute = this.setAttribute(RADIUSAttribute.RADIUS_ATTR_MESSAGE_AUTH, hashOutput);
+        }
+        // Calculate the MD5 HMAC based on the message
+        try {
+            SecretKeySpec keySpec = new SecretKeySpec(key.getBytes(), "HmacMD5");
+            Mac mac = Mac.getInstance("HmacMD5");
+            mac.init(keySpec);
+            hashOutput = mac.doFinal(this.serialize());
+            // Update HMAC in Message-Authenticator
+            authAttribute = this.updateAttribute(RADIUSAttribute.RADIUS_ATTR_MESSAGE_AUTH, hashOutput);
+        } catch (Exception e) {
+            this.log.error("Failed to generate message authenticator: {}", e.getMessage());
+        }
+
+        return authAttribute;
+    }
+
+    public boolean checkMessageAuthenticator(String key) {
+        byte[] newHash = new byte[16];
+        Arrays.fill(newHash, (byte) 0);
+        byte[] messageAuthenticator = this.getAttribute(RADIUSAttribute.RADIUS_ATTR_MESSAGE_AUTH).getValue();
+        this.updateAttribute(RADIUSAttribute.RADIUS_ATTR_MESSAGE_AUTH, newHash);
+        // Calculate the MD5 HMAC based on the message
+        try {
+            SecretKeySpec keySpec = new SecretKeySpec(key.getBytes(), "HmacMD5");
+            Mac mac = Mac.getInstance("HmacMD5");
+            mac.init(keySpec);
+            newHash = mac.doFinal(this.serialize());
+        } catch (Exception e) {
+            log.error("Failed to generate message authenticator: {}", e.getMessage());
+        }
+        this.updateAttribute(RADIUSAttribute.RADIUS_ATTR_MESSAGE_AUTH, messageAuthenticator);
+        // Compare the calculated Message-Authenticator with the one in the message
+        return Arrays.equals(newHash, messageAuthenticator);
+    }
+
+    /**
+     * @param message
+     *            EAP message object to be embedded in the RADIUS EAP-Message attributed
+     */
+    public void encapsulateMessage(EAP message) {
+        if (message.length <= MAX_ATTR_VALUE_LENGTH) {
+            // Use the regular serialization method as it fits into one EAP-Message attribute
+            this.setAttribute(RADIUSAttribute.RADIUS_ATTR_EAP_MESSAGE,
+                    message.serialize());
+        } else {
+            // Segment the message into chucks and embed them in several EAP-Message attributes
+            short remainingLength = message.length;
+            byte[] messageBuffer = message.serialize();
+            final ByteBuffer bb = ByteBuffer.wrap(messageBuffer);
+            while (bb.hasRemaining()) {
+                byte[] messageAttributeData;
+                if (remainingLength > MAX_ATTR_VALUE_LENGTH) {
+                    // The remaining data is still too long to fit into one attribute, keep going
+                    messageAttributeData = new byte[MAX_ATTR_VALUE_LENGTH];
+                    bb.get(messageAttributeData, 0, MAX_ATTR_VALUE_LENGTH);
+                    remainingLength -= MAX_ATTR_VALUE_LENGTH;
+                } else {
+                    // The remaining data fits, this will be the last chunk
+                    messageAttributeData = new byte[remainingLength];
+                    bb.get(messageAttributeData, 0, remainingLength);
+                }
+                this.attributes.add(new RADIUSAttribute(RADIUSAttribute.RADIUS_ATTR_EAP_MESSAGE,
+                        (byte) (messageAttributeData.length + 2), messageAttributeData));
+
+                // Adding the size of the data to the total RADIUS length
+                this.length += (short) (messageAttributeData.length & 0xFF);
+                // Adding the size of the overhead attribute type and length
+                this.length += 2;
+            }
+        }
+    }
+
+    /**
+     * @return An EAP object containing the reassembled EAP message
+     */
+    public EAP decapsulateMessage() {
+        EAP message = new EAP();
+        ByteArrayOutputStream messageStream = new ByteArrayOutputStream();
+        // Iterating through EAP-Message attributes to concatenate their value
+        for (RADIUSAttribute ra : this.getAttributeList(RADIUSAttribute.RADIUS_ATTR_EAP_MESSAGE)) {
+            try {
+                messageStream.write(ra.getValue());
+            } catch (IOException e) {
+                log.error("Error while reassembling EAP message: {}", e.getMessage());
+            }
+        }
+        // Assembling EAP object from the concatenated stream
+        message.deserialize(messageStream.toByteArray(), 0, messageStream.size());
+        return message;
+    }
+
+    /**
+     * @param attrType
+     *            the type field of the required attributes
+     * @return List of the attributes that matches the type or an empty list if there is none
+     */
+    public ArrayList<RADIUSAttribute> getAttributeList(byte attrType) {
+        ArrayList<RADIUSAttribute> attrList = new ArrayList<>();
+        for (int i = 0; i < this.attributes.size(); i++) {
+            if (this.attributes.get(i).getType() == attrType) {
+                attrList.add(this.attributes.get(i));
+            }
+        }
+        return attrList;
+    }
+
+    /**
+     * @param attrType
+     *            the type field of the required attribute
+     * @return the first attribute that matches the type or null if does not exist
+     */
+    public RADIUSAttribute getAttribute(byte attrType) {
+        for (int i = 0; i < this.attributes.size(); i++) {
+            if (this.attributes.get(i).getType() == attrType) {
+                return this.attributes.get(i);
+            }
+        }
+        return null;
+    }
+
+    /**
+     * @param attrType
+     *            the type field of the attribute to set
+     * @param value
+     *            value to be set
+     * @return reference to the attribute object
+     */
+    public RADIUSAttribute setAttribute(byte attrType, byte[] value) {
+        byte attrLength = (byte) (value.length + 2);
+        RADIUSAttribute newAttribute = new RADIUSAttribute(attrType, attrLength, value);
+        this.attributes.add(newAttribute);
+        this.length += (short) (attrLength & 0xFF);
+        return newAttribute;
+    }
+
+    public RADIUSAttribute updateAttribute(byte attrType, byte[] value) {
+        for (int i = 0; i < this.attributes.size(); i++) {
+            if (this.attributes.get(i).getType() == attrType) {
+                this.length -= (short) (this.attributes.get(i).getLength() & 0xFF);
+                RADIUSAttribute newAttr = new RADIUSAttribute(attrType, (byte) (value.length + 2), value);
+                this.attributes.set(i, newAttr);
+                this.length += (short) (newAttr.getLength() & 0xFF);
+                return newAttr;
+            }
+        }
+        return null;
+    }
+
+    @Override
+    public byte[] serialize() {
+        final byte[] data = new byte[this.length];
+        final ByteBuffer bb = ByteBuffer.wrap(data);
+
+        bb.put(this.code);
+        bb.put(this.identifier);
+        bb.putShort(this.length);
+        bb.put(this.authenticator);
+        for (int i = 0; i < this.attributes.size(); i++) {
+            RADIUSAttribute attr = this.attributes.get(i);
+            bb.put(attr.getType());
+            bb.put(attr.getLength());
+            bb.put(attr.getValue());
+        }
+
+        return data;
+    }
+
+    @Override
+    public IPacket deserialize(final byte[] data, final int offset,
+                               final int length) {
+        final ByteBuffer bb = ByteBuffer.wrap(data, offset, length);
+        this.code = bb.get();
+        this.identifier = bb.get();
+        this.length = bb.getShort();
+        bb.get(this.authenticator, 0, 16);
+
+        int remainingLength = this.length - RADIUS_MIN_LENGTH;
+        while (remainingLength > 0 && bb.hasRemaining()) {
+            RADIUSAttribute attr = new RADIUSAttribute();
+            attr.setType(bb.get());
+            attr.setLength(bb.get());
+            short attrLength = (short) (attr.length & 0xff);
+            attr.value = new byte[attrLength - 2];
+            bb.get(attr.value, 0, attrLength - 2);
+            this.attributes.add(attr);
+            remainingLength -= attr.length;
+        }
+        return this;
+    }
+
+}
diff --git a/src/main/java/org/onosproject/aaa/packet/RADIUSAttribute.java b/src/main/java/org/onosproject/aaa/packet/RADIUSAttribute.java
new file mode 100644
index 0000000..5b0fe45
--- /dev/null
+++ b/src/main/java/org/onosproject/aaa/packet/RADIUSAttribute.java
@@ -0,0 +1,125 @@
+/*
+ *
+ *  * Copyright 2015 AT&T Foundry
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *     http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+
+package org.onosproject.aaa.packet;
+
+import java.nio.ByteBuffer;
+
+public class RADIUSAttribute {
+    protected byte type;
+    protected byte length;
+    protected byte[] value;
+
+    /* RADIUS attribute types */
+    public static final byte RADIUS_ATTR_USERNAME = 1;
+    public static final byte RADIUS_ATTR_NAS_IP = 4;
+    public static final byte RADIUS_ATTR_NAS_PORT = 5;
+    public static final byte RADIUS_ATTR_FRAMED_MTU = 12;
+    public static final byte RADIUS_ATTR_STATE = 24;
+    public static final byte RADIUS_ATTR_VENDOR_SPECIFIC = 26;
+    public static final byte RADIUS_ATTR_CALLING_STATION_ID = 31;
+    public static final byte RADIUS_ATTR_NAS_ID = 32;
+    public static final byte RADIUS_ATTR_ACCT_SESSION_ID = 44;
+    public static final byte RADIUS_ATTR_NAS_PORT_TYPE = 61;
+    public static final byte RADIUS_ATTR_EAP_MESSAGE = 79;
+    public static final byte RADIUS_ATTR_MESSAGE_AUTH = 80;
+    public static final byte RADIUS_ATTR_NAS_PORT_ID = 87;
+
+    public RADIUSAttribute() {
+    }
+
+    public RADIUSAttribute(final byte type, final byte length, final byte[] value) {
+        this.type = type;
+        this.length = length;
+        this.value = value;
+    }
+
+    public boolean isValidType() {
+        return this.type == RADIUS_ATTR_USERNAME ||
+                this.type == RADIUS_ATTR_NAS_IP ||
+                this.type == RADIUS_ATTR_NAS_PORT ||
+                this.type == RADIUS_ATTR_VENDOR_SPECIFIC ||
+                this.type == RADIUS_ATTR_CALLING_STATION_ID ||
+                this.type == RADIUS_ATTR_NAS_ID ||
+                this.type == RADIUS_ATTR_ACCT_SESSION_ID ||
+                this.type == RADIUS_ATTR_NAS_PORT_TYPE ||
+                this.type == RADIUS_ATTR_EAP_MESSAGE ||
+                this.type == RADIUS_ATTR_MESSAGE_AUTH ||
+                this.type == RADIUS_ATTR_NAS_PORT_ID;
+    }
+
+    /**
+     * @return the type
+     */
+    public byte getType() {
+        return this.type;
+    }
+
+    /**
+     * @param type
+     *            the code to set
+     * @return this
+     */
+    public RADIUSAttribute setType(final byte type) {
+        this.type = type;
+        return this;
+    }
+
+    /**
+     * @return the length
+     */
+    public byte getLength() {
+        return this.length;
+    }
+
+    /**
+     * @param length
+     *            the length to set
+     * @return this
+     */
+    public RADIUSAttribute setLength(final byte length) {
+        this.length = length;
+        return this;
+    }
+
+    /**
+     * @return the value
+     */
+    public byte[] getValue() {
+        return this.value;
+    }
+
+    /**
+     * @param value
+     *            the data to set
+     * @return this
+     */
+    public RADIUSAttribute setValue(final byte[] value) {
+        this.value = value;
+        return this;
+    }
+
+    public byte[] serialize() {
+        final byte[] data = new byte[this.length];
+        final ByteBuffer bb = ByteBuffer.wrap(data);
+        bb.put(this.type);
+        bb.put(this.length);
+        bb.put(this.value);
+        return data;
+    }
+}
diff --git a/src/test/java/org/onosproject/aaa/AAATest.java b/src/test/java/org/onosproject/aaa/AAATest.java
new file mode 100644
index 0000000..1b581ab
--- /dev/null
+++ b/src/test/java/org/onosproject/aaa/AAATest.java
@@ -0,0 +1,43 @@
+/*
+ * Copyright 2014 Open Networking Laboratory
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.onosproject.aaa;
+
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+/**
+ * Set of tests of the ONOS application component.
+ */
+public class AAATest {
+
+    private AAA aaa;
+
+    @Before
+    public void setUp() {
+
+    }
+
+    @After
+    public void tearDown() {
+    }
+
+    @Test
+    public void basics() {
+
+    }
+
+}
diff --git a/src/test/java/org/onosproject/aaa/StateMachineTest.java b/src/test/java/org/onosproject/aaa/StateMachineTest.java
new file mode 100644
index 0000000..2fe44ab
--- /dev/null
+++ b/src/test/java/org/onosproject/aaa/StateMachineTest.java
@@ -0,0 +1,270 @@
+/*
+ *
+ * Copyright 2015 AT&T Foundry
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.onosproject.aaa;
+
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+
+
+public class StateMachineTest {
+    StateMachine stateMachine = null;
+
+    @Before
+    public void setUp() {
+        System.out.println("Set Up.");
+        StateMachine.bitSet.clear();
+        stateMachine = new StateMachine("session0", null);
+    }
+
+    @After
+    public void tearDown() {
+        System.out.println("Tear Down.");
+        StateMachine.bitSet.clear();
+        stateMachine = null;
+    }
+
+    @Test
+    /**
+     * Test all the basic inputs from state to state: IDLE -> STARTED -> PENDING -> AUTHORIZED -> IDLE
+     */
+    public void basic() throws StateMachineException {
+        System.out.println("======= BASIC =======.");
+        Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_IDLE);
+
+        stateMachine.start();
+        Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_STARTED);
+
+        stateMachine.requestAccess();
+        Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_PENDING);
+
+        stateMachine.authorizeAccess();
+        Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_AUTHORIZED);
+
+        stateMachine.logoff();
+        Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_IDLE);
+    }
+
+    @Test
+    /**
+     * Test all inputs from an IDLE state (starting with the ones that are not impacting the current state)
+     */
+    public void testIdleState() throws StateMachineException {
+        System.out.println("======= IDLE STATE TEST =======.");
+        stateMachine.requestAccess();
+        Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_IDLE);
+
+        stateMachine.authorizeAccess();
+        Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_IDLE);
+
+        stateMachine.denyAccess();
+        Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_IDLE);
+
+        stateMachine.logoff();
+        Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_IDLE);
+
+        stateMachine.start();
+        Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_STARTED);
+    }
+
+    @Test
+    /**
+     * Test all inputs from an STARTED state (starting with the ones that are not impacting the current state)
+     */
+    public void testStartedState() throws StateMachineException {
+        System.out.println("======= STARTED STATE TEST =======.");
+        stateMachine.start();
+
+        stateMachine.authorizeAccess();
+        Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_STARTED);
+
+        stateMachine.denyAccess();
+        Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_STARTED);
+
+        stateMachine.logoff();
+        Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_STARTED);
+
+        stateMachine.start();
+        Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_STARTED);
+
+        stateMachine.requestAccess();
+        Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_PENDING);
+    }
+
+    @Test
+    /**
+     * Test all inputs from a PENDING state (starting with the ones that are not impacting the current state).
+     * The next valid state for this test is AUTHORIZED
+     */
+    public void testPendingStateToAuthorized() throws StateMachineException {
+        System.out.println("======= PENDING STATE TEST (AUTHORIZED) =======.");
+        stateMachine.start();
+        stateMachine.requestAccess();
+
+        stateMachine.logoff();
+        Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_PENDING);
+
+        stateMachine.start();
+        Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_PENDING);
+
+        stateMachine.requestAccess();
+        Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_PENDING);
+
+        stateMachine.authorizeAccess();
+        Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_AUTHORIZED);
+
+        stateMachine.denyAccess();
+        Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_AUTHORIZED);
+    }
+
+    @Test
+    /**
+     * Test all inputs from an PENDING state (starting with the ones that are not impacting the current state).
+     * The next valid state for this test is UNAUTHORIZED
+     */
+    public void testPendingStateToUnauthorized() throws StateMachineException {
+        System.out.println("======= PENDING STATE TEST (DENIED) =======.");
+        stateMachine.start();
+        stateMachine.requestAccess();
+
+        stateMachine.logoff();
+        Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_PENDING);
+
+        stateMachine.start();
+        Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_PENDING);
+
+        stateMachine.requestAccess();
+        Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_PENDING);
+
+        stateMachine.denyAccess();
+        Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_UNAUTHORIZED);
+
+        stateMachine.authorizeAccess();
+        Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_UNAUTHORIZED);
+    }
+
+    @Test
+    /**
+     * Test all inputs from an AUTHORIZED state (starting with the ones that are not impacting the current state).
+     */
+    public void testAuthorizedState() throws StateMachineException {
+        System.out.println("======= AUTHORIZED STATE TEST =======.");
+        stateMachine.start();
+        stateMachine.requestAccess();
+        stateMachine.authorizeAccess();
+
+        stateMachine.start();
+        Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_AUTHORIZED);
+
+        stateMachine.requestAccess();
+        Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_AUTHORIZED);
+
+        stateMachine.authorizeAccess();
+        Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_AUTHORIZED);
+
+        stateMachine.denyAccess();
+        Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_AUTHORIZED);
+
+        stateMachine.logoff();
+        Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_IDLE);
+    }
+
+    @Test
+    /**
+     * Test all inputs from an UNAUTHORIZED state (starting with the ones that are not impacting the current state).
+     */
+    public void testUnauthorizedState() throws StateMachineException {
+        System.out.println("======= UNAUTHORIZED STATE TEST =======.");
+        stateMachine.start();
+        stateMachine.requestAccess();
+        stateMachine.denyAccess();
+
+        stateMachine.start();
+        Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_UNAUTHORIZED);
+
+        stateMachine.requestAccess();
+        Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_UNAUTHORIZED);
+
+        stateMachine.authorizeAccess();
+        Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_UNAUTHORIZED);
+
+        stateMachine.denyAccess();
+        Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_UNAUTHORIZED);
+
+        stateMachine.logoff();
+        Assert.assertEquals(stateMachine.getState(), StateMachine.STATE_IDLE);
+    }
+
+
+    @Test
+    public void testIdentifierAvailability() throws StateMachineException {
+        System.out.println("======= IDENTIFIER TEST =======.");
+        byte identifier = stateMachine.getIdentifier();
+        System.out.println("State: " + stateMachine.getState());
+        System.out.println("Identifier: " + Byte.toUnsignedInt(identifier));
+        Assert.assertEquals(-1, identifier);
+        stateMachine.start();
+
+
+        StateMachine sm247 = null;
+        StateMachine sm3 = null;
+
+
+        //create 255 others state machines
+        for (int i = 1; i <= 255; i++) {
+                StateMachine sm = new StateMachine("session" + i, null);
+                sm.start();
+                byte id = sm.getIdentifier();
+                Assert.assertEquals(i, Byte.toUnsignedInt(id));
+                if (i == 3) {
+                    sm3 = sm;
+                    System.out.println("SM3: " + sm3.toString());
+                }
+                if (i == 247) {
+                    sm247 = sm;
+                    System.out.println("SM247: " + sm247.toString());
+                }
+        }
+
+        //simulate the state machine for a specific session and logoff so we can free up a spot for an identifier
+        //let's choose identifier 247 then we free up 3
+        sm247.requestAccess();
+        sm247.authorizeAccess();
+        sm247.logoff();
+        sm247 = null;
+
+        sm3.requestAccess();
+        sm3.authorizeAccess();
+        sm3.logoff();
+        sm3 = null;
+
+        StateMachine otherSM3 = new StateMachine("session3b", null);
+        otherSM3.start();
+        otherSM3.requestAccess();
+        byte id3 = otherSM3.getIdentifier();
+        Assert.assertEquals(3, Byte.toUnsignedInt(id3));
+
+        StateMachine otherSM247 = new StateMachine("session247b", null);
+        otherSM247.start();
+        otherSM247.requestAccess();
+        byte id247 = otherSM247.getIdentifier();
+        Assert.assertEquals(247, Byte.toUnsignedInt(id247));
+
+    }
+}