Question about Extended Authentication in IKE
An extract from the draft:
"This protocol can therefore be used in conjunction with any existing basic
ISAKMP authentication method as defined in [IKE]. If mutual authentication
is not required, then the phase 1 negotiation SHOULD use an authentication
method of shared-secret and have that shared-secret be null. This is,
however, NOT suggested since the edge-device is NOT authenticated.
This authentication MUST be used after a phase 1 exchange has completed and
before a phase 2 exchange. The Transaction exchange is therefore attached
(appended) to the phase 1 exchanges (MainMode, AggressiveMode). If the
extended authentication fails, then the phase 1 SA MUST be deleted."
Hi,
If I want to use RADIUS to scale my IPSEC remote access, I could use IKECFG
messages to do that. Since the draft suggests that NULL Phase-1
authentication is "NOT suggested", then the problem is how to scale the
Phase-1 authentication?
Assuming I still use pre-shared secrets, then I would HAVE to use
Aggressive-mode, AND have a way of finding the appropriate pre-shared secret
for each client. Can I use this same mechanism to retrieve pre-shared
secret information (which I may cache, I guess)?
If I went for signature authentication (certificates), why should I consider
using any other form of authentication?
Cheers, Steve.
* Stephen Waters
Cabletron Systems Ltd. - R&D
Unit 1, Heron Industrial Estate
Basingstoke Road, Spencers Wood
Reading, Berkshire, RG7 1PJ
* External number: +44 118 988 0024
Internal extension: 12024
External fax: +44 118 988 0001
* Stephen.Waters@ctron.com
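The ordering the quoted draft imposes (XAUTH only after a completed phase 1, before phase 2, and the phase 1 SA deleted when XAUTH fails) and the pre-shared-secret lookup problem raised in the message are modelled below. This is an added example, not code from the original post, from the draft, or from any vendor implementation. The PSK tables, the XAUTH user table (a local dict standing in for a RADIUS lookup), and the message and responder classes are all constructed here for illustration; real IKEv1 verifies HASH_I rather than comparing a "proof" value, which is simplified away. The point it shows: with Aggressive Mode the initiator's ID payload is in the clear in message 1, so the responder can pick a per-client PSK by identity, while with Main Mode the ID is only sent encrypted after the PSK has already been used to derive SKEYID, so the responder is left keying the PSK on the peer's address.

```python
"""Added example (not part of the original post): a minimal model of an IKEv1
responder that selects a pre-shared secret per client and then runs the
XAUTH transaction exchange after phase 1 and before phase 2, deleting the
phase 1 SA on XAUTH failure as the quoted draft requires.

All tables and classes here are constructed for illustration; the "RADIUS"
lookup is a local dict, not a RADIUS client.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: one PSK per remote-access client identity.
# Aggressive Mode carries the initiator ID in the clear in message 1, so
# the responder can key the PSK lookup on it. Main Mode with PSK sends the
# ID encrypted (message 5) under keys derived from the PSK itself, so the
# only key available for the lookup is the peer's source address.
PSK_BY_ID = {
    "alice@example.test": b"alice-psk",
    "bob@example.test": b"bob-psk",
}
PSK_BY_ADDR = {"192.0.2.10": b"site-psk"}   # Main Mode fallback, by address

# Constructed stand-in for the RADIUS user database consulted by XAUTH.
XAUTH_USERS = {"alice": "correct horse", "bob": "battery staple"}


@dataclass
class Phase1Request:
    mode: str                 # "aggressive" or "main"
    src_addr: str
    ike_id: Optional[str]     # visible in the clear only for Aggressive Mode
    psk_proof: bytes          # simplified stand-in for the HASH_I check


@dataclass
class Responder:
    phase1_sas: dict = field(default_factory=dict)   # src_addr -> identity
    log: list = field(default_factory=list)

    def lookup_psk(self, req: Phase1Request) -> Optional[bytes]:
        if req.mode == "aggressive" and req.ike_id is not None:
            return PSK_BY_ID.get(req.ike_id)
        # Main Mode: identity is still encrypted when the PSK is needed,
        # so the responder can only choose it by peer address.
        return PSK_BY_ADDR.get(req.src_addr)

    def phase1(self, req: Phase1Request) -> bool:
        psk = self.lookup_psk(req)
        if psk is None or psk != req.psk_proof:
            self.log.append(f"phase1 {req.src_addr}: PSK auth failed")
            return False
        self.phase1_sas[req.src_addr] = req.ike_id or req.src_addr
        self.log.append(f"phase1 {req.src_addr}: SA established")
        return True

    def xauth(self, src_addr: str, username: str, password: str) -> bool:
        # Draft: XAUTH MUST run after phase 1 completes and before phase 2.
        if src_addr not in self.phase1_sas:
            raise RuntimeError("XAUTH attempted without a phase 1 SA")
        ok = XAUTH_USERS.get(username) == password
        if not ok:
            # Draft: if extended authentication fails, delete the phase 1 SA.
            del self.phase1_sas[src_addr]
            self.log.append(f"xauth {src_addr}: failed, phase 1 SA deleted")
        else:
            self.log.append(f"xauth {src_addr}: {username} authenticated")
        return ok

    def phase2_allowed(self, src_addr: str) -> bool:
        # Phase 2 may only proceed over a phase 1 SA that survived XAUTH.
        return src_addr in self.phase1_sas


def remote_access_session(mode, src_addr, ike_id, psk_proof, user, pw):
    """Run one client through phase 1 and XAUTH.

    Returns (phase1_ok, xauth_ok, phase2_allowed).
    """
    r = Responder()
    p1 = r.phase1(Phase1Request(mode, src_addr, ike_id, psk_proof))
    x = r.xauth(src_addr, user, pw) if p1 else False
    return p1, x, r.phase2_allowed(src_addr)


if __name__ == "__main__":
    # Aggressive Mode, per-identity PSK, good XAUTH credentials.
    print(remote_access_session("aggressive", "198.51.100.7",
                                "alice@example.test", b"alice-psk",
                                "alice", "correct horse"))
    # Same client, wrong XAUTH password: phase 1 SA is torn down.
    print(remote_access_session("aggressive", "198.51.100.7",
                                "alice@example.test", b"alice-psk",
                                "alice", "wrong"))
    # Main Mode from an address with no configured PSK: phase 1 fails.
    print(remote_access_session("main", "203.0.113.5", None,
                                b"alice-psk", "alice", "correct horse"))
```

The `lookup_psk` branch is the part that answers the scaling question in the message: with Main Mode the responder never sees the identity before it needs the secret, so a per-user PSK fetched from a back-end is only workable with Aggressive Mode (or with a single shared PSK plus XAUTH, which the draft discourages for the reason quoted).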