[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Radius authentication and client configuration

To: Vipul Gupta <vgupta@nobel.Eng.Sun.COM>
Subject: Re: Radius authentication and client configuration
From: "pcalhoun@eng.sun.com" <Patrice.Calhoun@Eng.Sun.Com>
Date: Thu, 16 Apr 1998 15:07:16 -0700 (PDT)
Cc: Patrice.Calhoun@Eng.Sun.Com, smamros@BayNetworks.COM, gab@Eng.Sun.Com, ipsec@tis.com, periera@TimeStep.com, rgm-sec@htt-consult.com
In-Reply-To: "Your message with ID" <libSDtMail.9804161434.2238.vgupta@nobel>
Reply-To: "pcalhoun@eng.sun.com" <Patrice.Calhoun@Eng.Sun.Com>
Sender: owner-ipsec@ex.tis.com

> 
> 
> > > It seems like the *cfg* and *xauth* drafts  may just take existing
> payloads > > defined elsewhere to achieve their purposes. For example, xauth
> > > could just say: let's use EAP payloads (as I suggested
> > > in LA). EAP did start in ppp land, but has since been applied to
> > > (that is, its payloads have been reused in) SOCKS, RADIUS, DIAMETER.
> > > 
> > > So yes, if a good payload exists, reuse it.
> > > 
> > > -gabriel
> > > 
> > I would like to second Gabriel's statement here. I also would strongly favor
> > the use of EAP as opposed to another mechanism. If you take a look at
> > draft-calhoun-diameter-eap-01.txt and draft-ietf-radius-eap-02.txt you will
> > see how EAP fits into the Policy infrastructure.
> > 
> > In addition, my draft draft-ietf-aft-socks-eap-00.txt proves that EAP is not a
> > PPP-only protocol and can be re-used in a variety of services. I would hope
> > that IPSEC would be a good candidate. (btw, there already exists an ISAKMP
> > extension to EAP that you may want to take a look at -
> > draft-ietf-pppext-eapisakmp-00.txt).
> > 
> > PatC
> > 
> 
>   IMO, draft-ietf-pppext-eapisakmp-00.txt solves a different problem
>   than what Roy's *xauth* draft is addressing. With most other
>   EAP methods (e.g. token cards), only one of the parties is authenticated
>   (client to the server but not mutual authentication) and
> *pppext-eapisakmp-* 
>   and *pppext-eaptls-02.txt are attempts to fix that.
> 
>   Roy's draft, on the other hand, is trying to tie in existing
>   *user authentication* mechanisms (like OTPs and Token cards) with
>   IPSec.
> 
>   vipul

Agreed. I threw out the eap-isakmp draft in order to make the list aware of
it. As for Roy's intent to tie it in with existing token/smart cards I would
not recommend this. The problem that we are currently faced with is that it
requires vendors to include proprietary code from token/smart card vendors and
ties them into a single solution. EAP will provide vendors with the ability to
support ANY token/smart cards that support EAP.

PatC

Follow-Ups:

Re: Radius authentication and client configuration

From: Shawn Mamros <smamros@BayNetworks.COM>

References:

Re: Radius authentication and client configuration

From: Vipul Gupta <vgupta@nobel.Eng.Sun.COM>

Prev by Date: Re: Radius authentication and client configuration
Next by Date: RE: Radius authentication and client configuration
Prev by thread: Re: Radius authentication and client configuration
Next by thread: Re: Radius authentication and client configuration
Index(es):
- Main
- Thread