RE: New XAUTH draft
On Tue, 18 May 1999, Waters, Stephen wrote:
>
> Yes, I have a comment [on ISAKMP XAUTH]. A number of the authentication
> methods expressed here require the edge device to understand which
> authentication method is needed in advance of receiving the 'user name' from
> the remote peer.
>
> This seems limiting to me. Since it is likely that these 'legacy'
> authentication methods are being used with RADIUS, wouldn't it be simple to
> re-use EAP and EAP extensions to RADIUS?

EAP is only defined over PPP. I tried (in Orlando) to form a WG to
generalize the EAP specification to allow its use over other protocols but
was shot down by the Security ADs.

>
> This would allow the 'edge device' to be ignorant of the authentication
> required, or the process needed to enact it. This saves complication in the
> 'edge' device, allows central control of authentication policy and higher
> granularity on user/authentication mapping.
>
> A quote from EAP spec:
>
> "The PPP Extensible Authentication Protocol (EAP) is a general
> protocol for PPP authentication which supports multiple
> authentication mechanisms. EAP does not select a specific
> authentication mechanism at Link Control Phase, but rather postpones
> this until the Authentication Phase. This allows the authenticator
> to request more information before determining the specific
> authentication mechanism. This also permits the use of a "back-end"
> server which actually implements the various mechanisms while the PPP
> authenticator merely passes through the authentication exchange."
>
> regards, Steve.
>
> -----Original Message-----
> From: Stephane Beaulieu [mailto:sbeaulieu@TimeStep.com]
> Sent: Tuesday, May 18, 1999 4:34 PM
> To: ipsec; ipsra; internet-drafts@ietf.org
> Subject: New XAUTH draft
>
>
> Greetings,
>
> An updated revision of the Extended Authentication within
> ISAKMP/Oakley draft is now available.
>
> The URL is <ftp://206.191.59.148/draft-ietf-ipsec-isakmp-xauth-04.txt>
>
> Comments are welcome.
>
>
> Stephane Beaulieu TimeStep Corporation
> sbeaulieu@timestep.com http://www.timestep.com
> (613) 599-3610 x4709 Fax: (613) 599-3617
>
>