Re: Radius authentication and client configuration
> By placing policy/configuration setup in ISAKMP (between Phases 1 and 2)
> under protection of the ISAKMP SA, Roy's proposal for an ISAKMP Configuration
> Method addresses the security needs quite nicely. That's not to say that
> one couldn't base the payload/exchange format on DIAMETER or whatever else
> is already out there. But the ISAKMP SA only protects ISAKMP, and until the
> IPSEC SAs are set up, ISAKMP may very well be all you can trust.
Agree.
It seems like the *cfg* and *xauth* drafts may just take existing payloads
defined elsewhere to achieve their purposes. For example, xauth
could just say: let's use EAP payloads (as I suggested
in LA). EAP did start in PPP land, but has since been applied to
(that is, its payloads have been reused in) SOCKS, RADIUS, DIAMETER.
So yes, if a good payload exists, reuse it.
-gabriel