
Question about Extended Authentication in IKE



An extract from the draft:
"This protocol can therefore be used in conjunction with any existing basic
ISAKMP authentication method as defined in [IKE]. If mutual authentication
is not required, then the phase 1 negotiation SHOULD use an authentication
method of shared-secret and have that shared-secret be null. This, is
however, NOT suggested since the edge-device is NOT authenticated. 
This authentication MUST be used after a phase 1 exchange has completed and
before a phase 2 exchange. The Transaction exchange is therefore attached
(appended) to the phase 1 exchanges (MainMode, AggressiveMode). If the
extended authentication fails, then the phase 1 SA MUST be deleted."

Hi,
If I want to use RADIUS to scale my IPSEC remote access, I could use IKECFG
messages to do that.  Since the draft suggests that NULL Phase-1
authentication is "NOT suggested",  then the problem is how to scale the
Phase-1 authentication?
Assuming I still use pre-shared secret, then I would HAVE to use
Aggressive-mode, AND have a way of finding the appropriate pre-shared secret
for each client.  Can I use this same mechanism to retrieve pre-shared
secret information (which I may cache I guess)?
If I went for signature authentication (certificates), why should I consider
using any other form of authentication?
Cheers, Steve.


Stephen Waters
Cabletron Systems Ltd. - R&D
Unit 1, Heron Industrial Estate
Basingstoke Road, Spencers Wood
Reading, Berkshire, RG7 1PJ

External number:  +44 118 988 0024
Internal extension:  12024
External fax: +44 118 988 0001

Stephen.Waters@ctron.com
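The "why Aggressive Mode" part of the question above comes down to when the responder learns the initiator's identity relative to when it needs the pre-shared key. The following is an added illustration, not code from the post, the XAUTH draft, or any product: it models the responder side of IKE Phase 1 pre-shared-key authentication using the RFC 2409 formulas (SKEYID = prf(PSK, Ni_b | Nr_b), HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)) with HMAC-SHA1 as the prf. In Main Mode the identity payload arrives encrypted in message 5, so the PSK must already have been chosen, which in practice means a lookup by source address; in Aggressive Mode the identity is in the clear in message 1, so the PSK can be fetched per client (the dictionary standing in for a RADIUS lookup, the addresses, identities and key material are all constructed for the example).

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed per-identity PSK table: a stand-in for a RADIUS/backend lookup.
PSK_BY_IDENTITY = {
    b"alice@example.com": b"correct horse battery staple",
    b"bob@example.com": b"a-different-long-passphrase",
}

# Constructed static-address table: the only key a Main Mode responder can use,
# because IDii is not readable until message 5 has been decrypted.
PSK_BY_ADDRESS = {
    "192.0.2.10": b"correct horse battery staple",  # alice's fixed-IP gateway
}


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf: HMAC keyed with `key` over `data` (SHA-1 negotiated here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """SKEYID for pre-shared-key authentication = prf(PSK, Ni_b | Nr_b)."""
    return prf(psk, ni_b + nr_b)


def hash_i(skeyid: bytes, gxi: bytes, gxr: bytes, cky_i: bytes, cky_r: bytes,
           sai_b: bytes, idii_b: bytes) -> bytes:
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def select_psk(mode: str, src_ip: str, idii_b: Optional[bytes]) -> Optional[bytes]:
    """Choose the PSK the responder can use at the point it must derive SKEYID.

    Main Mode: IDii is still encrypted when SKEYID is needed, so the lookup is
    by source address and fails for a roaming client on an unknown address.
    Aggressive Mode: IDii came in the clear in message 1, so the responder can
    look the secret up per identity (here: the RADIUS stand-in table).
    """
    if mode == "main":
        return PSK_BY_ADDRESS.get(src_ip)
    if mode == "aggressive":
        return PSK_BY_IDENTITY.get(idii_b) if idii_b is not None else None
    raise ValueError("unknown mode: %r" % mode)


def responder_authenticate(mode: str, src_ip: str, idii_b: bytes, ni_b: bytes,
                           nr_b: bytes, gxi: bytes, gxr: bytes, cky_i: bytes,
                           cky_r: bytes, sai_b: bytes, received_hash_i: bytes) -> bool:
    """Responder check of HASH_I; False if no PSK can be selected or it mismatches."""
    psk = select_psk(mode, src_ip, idii_b)
    if psk is None:
        return False
    expected = hash_i(skeyid_psk(psk, ni_b, nr_b), gxi, gxr, cky_i, cky_r, sai_b, idii_b)
    return hmac.compare_digest(expected, received_hash_i)


def simulate(mode: str, src_ip: str, identity: bytes, initiator_psk: bytes) -> bool:
    """Run one Phase 1 PSK authentication and return the responder's verdict."""
    # Constructed exchange material; real values come from the DH exchange and
    # the SA proposal. Their content does not matter for the lookup question.
    ni_b, nr_b = os.urandom(16), os.urandom(16)
    gxi, gxr = os.urandom(128), os.urandom(128)
    cky_i, cky_r = os.urandom(8), os.urandom(8)
    sai_b = b"\x00\x00\x00\x01\x80\x01\x00\x05"  # stand-in SA payload body
    # The initiator always knows its own secret and identity.
    initiator_hash = hash_i(skeyid_psk(initiator_psk, ni_b, nr_b),
                            gxi, gxr, cky_i, cky_r, sai_b, identity)
    return responder_authenticate(mode, src_ip, identity, ni_b, nr_b,
                                  gxi, gxr, cky_i, cky_r, sai_b, initiator_hash)


if __name__ == "__main__":
    # alice from a dynamic address: Main Mode cannot pick a PSK, Aggressive Mode can.
    print("main, roaming   :", simulate("main", "198.51.100.7", b"alice@example.com", b"correct horse battery staple"))
    print("aggressive, roam:", simulate("aggressive", "198.51.100.7", b"alice@example.com", b"correct horse battery staple"))
    print("main, fixed IP  :", simulate("main", "192.0.2.10", b"alice@example.com", b"correct horse battery staple"))
```

The caveat a practitioner would add: in Aggressive Mode the identity and the responder's hash travel without Phase 1 encryption, so a per-client secret fetched this way must be long and random rather than a user-chosen password, and whatever caches the fetched secrets on the gateway needs the same protection as the RADIUS shared secret itself.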