
RE: New XAUTH draft



On Tue, 18 May 1999, Waters, Stephen wrote:

> 
> Yes, I have a comment [on ISAKMP XAUTH].  A number of the authentication
> methods expressed here require the edge device to understand which
> authentication method is needed in advance of receiving the 'user name' from
> the remote peer.
> 
> This seems limiting to me.  Since it is likely that these 'legacy'
> authentication methods are being used with RADIUS, wouldn't it be simple to
> re-use EAP and EAP extensions to RADIUS?

EAP is only defined over PPP.  I tried (in Orlando) to form a WG to
generalize the EAP specification to allow its use over other protocols but
was shot down by the Security ADs.

> 
> This would allow the 'edge device' to be ignorant of the authentication
> required, or the process needed to enact it. This saves complication in the
> 'edge' device, allows central control of authentication policy and higher
> granularity on user/authentication mapping.
> 
> A quote from EAP spec:
> 
>    "The PPP Extensible Authentication Protocol (EAP)  is a general
>    protocol for PPP authentication which supports multiple
>    authentication mechanisms.  EAP does not select a specific
>    authentication mechanism at Link Control Phase, but rather postpones
>    this until the Authentication Phase.  This allows the authenticator
>    to request more information before determining the specific
>    authentication mechanism.  This also permits the use of a "back-end"
>    server which actually implements the various mechanisms while the PPP
>    authenticator merely passes through the authentication exchange."
> 
> regards, Steve.
> 
> -----Original Message-----
> From: Stephane Beaulieu [mailto:sbeaulieu@TimeStep.com]
> Sent: Tuesday, May 18, 1999 4:34 PM
> To: ipsec; ipsra; internet-drafts@ietf.org
> Subject: New XAUTH draft
> 
> 
> Greetings,
> 
> 	An updated revision of the Extended Authentication within
> ISAKMP/Oakley draft is now available.  
> 
> The URL is <ftp://206.191.59.148/draft-ietf-ipsec-isakmp-xauth-04.txt>
> 
> Comments are welcome.
> 
> 
> Stephane Beaulieu     		TimeStep Corporation
> sbeaulieu@timestep.com		http://www.timestep.com
> (613) 599-3610 x4709 		Fax: (613) 599-3617
> 
> 


