
Re: Hybrid Authentication and Remote Access



Tero,

>Because the signatures only authenticate the machine, not the user.
>For example we might have several general use machines around, with
>each one having a separate private key, and when someone logs in from
>that, it only says that ok, this is this pc-55.xxx.com, but it doesn't
>say anything about who he is and does he have permission to create
>ipsec SA.

That's not necessarily true.  IPsec supports individual authentication,
e.g., a DN or an RFC 822 address, not just device authentication.  For
laptops or single-user hosts, this is just as valid a form of individual
authentication as one might provide via Radius, and it is of higher quality
than one would get from a password.  When user auth is proxied by a
security gateway one might argue for separate user auth from the end
system, but since the SA terminates at the SG, it would not seem
appropriate to make such authentication a function of IPsec or ISAKMP.

Steve
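The distinction the two messages above turn on, whether the authenticated IKE identity names a host or a person, is visible in the Identification payload itself. The following Python is an added illustration, not code from the thread or from any IPsec implementation: it parses the body of an IKEv2 Identification payload (ID type values from RFC 7296, section 3.5) and applies a constructed policy in which only identities that name a user (an RFC 822 address or an explicitly enrolled DN) are sufficient on their own to authorize an SA, while a host identity such as an FQDN is recorded but not treated as user authorization. The host name, e-mail addresses, the DER-encoded name and the policy table are all constructed for the example.

```python
"""Classify an IKEv2 identity as 'machine' or 'user' and decide whether it
alone authorizes SA creation.  Added example; ID type numbers come from
RFC 7296 section 3.5, everything else here is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Tuple, Union

# IKEv2 Identification payload ID types (RFC 7296, section 3.5).
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_RFC822_ADDR = 3
ID_IPV6_ADDR = 5
ID_DER_ASN1_DN = 9
ID_KEY_ID = 11

# These ID types can only ever name a host or address, never a person.
MACHINE_ID_TYPES = {ID_IPV4_ADDR, ID_IPV6_ADDR, ID_FQDN}

Identity = Union[str, bytes]


def parse_id_payload(body: bytes) -> Tuple[int, Identity]:
    """Parse an ID payload body (after the generic payload header):
    1 byte ID type, 3 reserved bytes, then the identification data."""
    if len(body) < 4:
        raise ValueError("ID payload body shorter than 4 bytes")
    id_type = body[0]
    data = body[4:]
    if id_type == ID_IPV4_ADDR:
        return id_type, str(ipaddress.IPv4Address(bytes(data)))  # needs 4 bytes
    if id_type == ID_IPV6_ADDR:
        return id_type, str(ipaddress.IPv6Address(bytes(data)))  # needs 16 bytes
    if id_type in (ID_FQDN, ID_RFC822_ADDR):
        text = data.decode("ascii")
        if not text or any(c.isspace() for c in text):
            raise ValueError("malformed FQDN / RFC 822 identity")
        return id_type, text.lower()  # names compare case-insensitively
    if id_type in (ID_DER_ASN1_DN, ID_KEY_ID):
        return id_type, bytes(data)  # opaque; DNs are matched on exact DER bytes
    raise ValueError(f"unsupported ID type {id_type}")


@dataclass(frozen=True)
class Decision:
    kind: str        # "machine", "user" or "unknown"
    allowed: bool    # whether this identity alone authorizes an SA
    reason: str


# Constructed DER for the single-RDN name CN=alice:
#   SEQUENCE { SET { SEQUENCE { OID 2.5.4.3 (commonName), UTF8String "alice" } } }
DN_ALICE_DER = bytes.fromhex("3010310e300c06035504030c05616c696365")

# Constructed policy: which user identities are enrolled, and their role.
# Keys are (ID type, identity) so that the same string under a different
# ID type (e.g. an FQDN that looks like an address) never matches.
USER_POLICY: Dict[Tuple[int, Identity], str] = {
    (ID_RFC822_ADDR, "alice@xxx.com"): "staff",
    (ID_DER_ASN1_DN, DN_ALICE_DER): "staff",
}


def authorize_sa(id_type: int, ident: Identity,
                 policy: Dict[Tuple[int, Identity], str]) -> Decision:
    """Decide whether an authenticated IKE identity is, by itself, a
    sufficient basis to create an IPsec SA under `policy`."""
    if id_type in MACHINE_ID_TYPES:
        # A host certificate says which machine spoke, not who is logged in.
        return Decision("machine", False, f"{ident!r} names a host, not a user")
    role = policy.get((id_type, ident))
    if role is None:
        kind = "user" if id_type == ID_RFC822_ADDR else "unknown"
        return Decision(kind, False, "identity is not an enrolled user")
    return Decision("user", True, f"enrolled user with role {role}")


def demo() -> Dict[str, Decision]:
    """Run the three cases from the discussion above on constructed payloads."""
    payloads = {
        "shared pc": bytes([ID_FQDN, 0, 0, 0]) + b"pc-55.xxx.com",
        "alice by e-mail": bytes([ID_RFC822_ADDR, 0, 0, 0]) + b"Alice@xxx.com",
        "alice by DN": bytes([ID_DER_ASN1_DN, 0, 0, 0]) + DN_ALICE_DER,
    }
    return {name: authorize_sa(*parse_id_payload(p), USER_POLICY)
            for name, p in payloads.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:16} -> {decision.kind:8} allowed={decision.allowed}  ({decision.reason})")
```

The point of keying the policy on the ID type as well as the value is that an FQDN of `pc-55.xxx.com` and an RFC 822 address are different assertions even when both are carried in certificates: the former can only justify a host-level policy, the latter can justify a per-user one, which is what lets a single-user laptop's certificate serve as individual authentication.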



