Re: Radius authentication and client configuration

[Gabriel Montenegro <gab@Eng.Sun.Com>]

> By placing policy/configuration setup in ISAKMP (between Phases 1 and 2)
> under protection of the ISAKMP SA, Roy's proposal for an ISAKMP Configuration
> Method addresses the security needs quite nicely.  That's not to say that
> one couldn't base the payload/exchange format on DIAMETER or whatever else
> is already out there.  But the ISAKMP SA only protects ISAKMP, and until the
> IPSEC SAs are set up, ISAKMP may very well be all you can trust.

Agree.

It seems like the *cfg* and *xauth* drafts  may just take existing payloads
defined elsewhere to achieve their purposes. For example, xauth
could just say: let's use EAP payloads (as I suggested
in LA). EAP did start in ppp land, but has since been applied to
(that is, its payloads have been reused in) SOCKS, RADIUS, DIAMETER.

So yes, if a good payload exists, reuse it.

-gabriel

---

Follow-Ups:

• Re: Radius authentication and client configuration
• From: Robert Moskowitz <rgm-sec@htt-consult.com>
• Re: Radius authentication and client configuration
• From: "pcalhoun@eng.sun.com" <Patrice.Calhoun@Eng.Sun.Com>

References:

• Re: Radius authentication and client configuration
• From: Shawn Mamros <smamros@BayNetworks.COM>

---

• Prev by Date: RE: Radius authentication and client configuration
• Next by Date: Re: Radius authentication and client configuration
• Prev by thread: Re: Radius authentication and client configuration
• Next by thread: Re: Radius authentication and client configuration
• Index(es):
  • Main
  • Thread