
ISAKMP Extended Authentication



Is anyone aware of an accepted method of having a server/gateway
authenticate both a host, and the user on that host, using ISAKMP/Oakley?
X.509 certificates will be used for all users and systems.

The user certificate is stored within a smart card and will only be
available for signing after the user has entered the correct security PIN.
It is desirable to have the server/gateway authenticate both the host, which
accepts the smart card, as well as the user.

It is my understanding that ISAKMP/Oakley Phase 1 can only mutually
authenticate based upon a single certificate for both the initiator and
responder.  It would appear that the methods specified in the IPSEC Draft
"Extended Authentication Within ISAKMP/Oakley",
<draft-ietf-ipsec-isakmp-xauth-03.txt>, could be extended to facilitate a
public key challenge/response authentication mechanism, permitting the user
to be authenticated after the Phase 1 negotiation was complete.  The current
draft does not address the use of a public key signature for authenticating
a user.  In the absence of a certificate distribution mechanism, the
authentication mechanism would need to permit the user's certificate to be
passed with the response.

This would allow the user's host and server/gateway to mutually
authenticate each other during the Phase 1 negotiation, and the user to be
authenticated to the server/gateway prior to a Phase 2 negotiation.  If the
extended authentication of the user failed, the SA resulting from the Phase
1 negotiation would be removed.

Any suggestions on this topic would be appreciated.

John Irish
RABA Technologies
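As an added example (not part of the post, nor code from the XAUTH draft), the following Go sketch models the post-Phase 1 exchange the message proposes: the gateway issues a fresh challenge, the host signs it with the user's key and returns the user's certificate together with the signature, and the gateway chains the certificate to a trusted CA, checks the signature, and drops the Phase 1 SA on any failure. Everything here is constructed and assumed: the CA, the Ed25519 keys standing in for the smart-card key, and all function names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// XAuthResponse: the user's certificate rides with the response (no distribution mechanism assumed).
type XAuthResponse struct{ CertDER, Sig []byte }

func template(cn string, serial int64, ca bool) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: ca,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
}

// Setup builds a constructed PKI: a self-signed CA the gateway trusts plus a CA-issued user cert.
func Setup() (*x509.CertPool, ed25519.PrivateKey, []byte) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	userPub, userKey, _ := ed25519.GenerateKey(rand.Reader) // stands in for the smart-card key
	caTmpl := template("Constructed Root CA", 1, true)
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	caCert, _ := x509.ParseCertificate(caDER)
	userDER, _ := x509.CreateCertificate(rand.Reader, template("user", 2, false), caCert, userPub, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return roots, userKey, userDER
}

// NewChallenge is the gateway's per-exchange nonce, so a captured response cannot be replayed.
func NewChallenge() []byte { c := make([]byte, 32); rand.Read(c); return c }

// UserRespond is the host side: the card's key signs the challenge (the PIN gate is not modelled).
func UserRespond(userKey ed25519.PrivateKey, userDER, challenge []byte) XAuthResponse {
	return XAuthResponse{CertDER: userDER, Sig: ed25519.Sign(userKey, challenge)}
}

// GatewayVerify chains the presented certificate to the trusted CA and checks the signature over
// the challenge it issued; any failure clears saActive, i.e. the Phase 1 SA is removed.
func GatewayVerify(roots *x509.CertPool, challenge []byte, r XAuthResponse, saActive *bool) bool {
	ok := false
	if cert, err := x509.ParseCertificate(r.CertDER); err == nil {
		if _, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err == nil {
			pub, isEd := cert.PublicKey.(ed25519.PublicKey)
			ok = isEd && ed25519.Verify(pub, challenge, r.Sig)
		}
	}
	if !ok {
		*saActive = false
	}
	return ok
}
```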


