Re: New XAUTH draft
On Tue, 18 May 1999, Scott G. Kelly wrote:
> "Waters, Stephen" wrote:
> >
> > Yes, I have a comment [on ISAKMP XAUTH]. A number of the authentication
> > methods expressed here require the edge device to understand which
> > authentication method is needed in advance of receiving the 'user name' from
> > the remote peer.
>
> I would add that *all* of the authentication methods require the edge
> device to understand their respective protocols. Translation? Oodles of
> added complexity to our (secure?) key exchange protocol. Godzillakmp.
An observation that many others have made, as well. IKE is just not the
place to do user authentication.
>
> > This seems limiting to me. Since it is likely that these 'legacy'
> > authentication methods are being used with RADIUS, wouldn't it be simple to
> > re-use EAP and EAP extensions to RADIUS?
> >
> > This would allow the 'edge device' to be ignorant of the authentication
> > required, or the process needed to enact it. This saves complication in the
> > 'edge' device, allows central control of authentication policy and higher
> > granularity on user/authentication mapping.
> >
>
> <trimmed...>
>
> Perhaps this gets to the heart of it. What is the compelling argument
> for adding such complexity to the security device in order to support
> these legacy authentication methods?
> Shouldn't we instead be trying to
> move people toward PKI and other such mechanisms, rather than
> encouraging the continued use of text passwords/phrases?
>
> Scott
>
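The design point Stephen Waters raises above (let the edge device relay EAP to a RADIUS server so it need not implement any individual authentication method) is easy to see in code. The following is an added example written for this archive page, not code from the thread or from any XAUTH or RADIUS implementation. It models three hypothetical parties: a `Peer`, a pass-through `EdgeDevice` that only parses the four-byte EAP header, and an `AaaServer` standing in for the RADIUS side, which alone chooses the method (here EAP MD5-Challenge, whose packet layout and response computation follow RFC 2284/3748 and RFC 1994) and holds the user database. User names, passwords and the session label are constructed sample data.

```python
import hashlib
import hmac
import os
import struct

# EAP codes and method types (RFC 2284 / RFC 3748)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_NAK, EAP_TYPE_MD5 = 1, 3, 4


def eap_pack(code, ident, data=b""):
    """Build an EAP packet: Code(1) Identifier(1) Length(2) Data."""
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data


def eap_unpack(pkt):
    """Parse the EAP header; the only parsing the edge device ever does."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length != len(pkt):
        raise ValueError("bad EAP length field")
    return code, ident, pkt[4:]


def md5_response(ident, password, challenge):
    """MD5-Challenge value = MD5(Identifier || secret || challenge) (RFC 1994)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


class AaaServer:
    """Hypothetical RADIUS-side authenticator: knows users and picks the method."""

    def __init__(self, users):
        self.users = users   # name -> password bytes (constructed sample data)
        self.state = {}      # session -> (name, expected identifier, challenge)

    def handle(self, session, eap):
        code, ident, data = eap_unpack(eap)
        if code != EAP_RESPONSE or not data:
            return "Reject", eap_pack(EAP_FAILURE, ident)
        etype, tdata = data[0], data[1:]
        if etype == EAP_TYPE_IDENTITY:
            nxt = (ident + 1) & 0xFF
            challenge = os.urandom(16)
            self.state[session] = (tdata.decode(), nxt, challenge)
            # The server alone decides that MD5-Challenge is used.
            req = bytes([EAP_TYPE_MD5, len(challenge)]) + challenge + b"aaa"
            return "Challenge", eap_pack(EAP_REQUEST, nxt, req)
        if etype == EAP_TYPE_MD5 and session in self.state:
            name, expected, challenge = self.state.pop(session)
            value = tdata[1:1 + tdata[0]]
            password = self.users.get(name)
            if (password is not None and ident == expected and
                    hmac.compare_digest(value, md5_response(ident, password, challenge))):
                return "Accept", eap_pack(EAP_SUCCESS, ident)
        return "Reject", eap_pack(EAP_FAILURE, ident)


class Peer:
    """Hypothetical remote user; the only other party that implements the method."""

    def __init__(self, name, password):
        self.name, self.password = name.encode(), password.encode()

    def respond(self, pkt):
        _, ident, data = eap_unpack(pkt)
        etype, tdata = data[0], data[1:]
        if etype == EAP_TYPE_IDENTITY:
            return eap_pack(EAP_RESPONSE, ident, bytes([EAP_TYPE_IDENTITY]) + self.name)
        if etype == EAP_TYPE_MD5:
            value = md5_response(ident, self.password, tdata[1:1 + tdata[0]])
            return eap_pack(EAP_RESPONSE, ident, bytes([EAP_TYPE_MD5, len(value)]) + value + self.name)
        return eap_pack(EAP_RESPONSE, ident, bytes([EAP_TYPE_NAK, 0]))  # method not supported


class EdgeDevice:
    """Pass-through authenticator: never looks past the EAP header."""

    def __init__(self, aaa):
        self.aaa = aaa

    def authenticate(self, session, peer):
        pkt = eap_pack(EAP_REQUEST, 1, bytes([EAP_TYPE_IDENTITY]))  # ask who is there
        while True:
            resp = peer.respond(pkt)
            code, _, _ = eap_unpack(resp)            # header sanity check only
            if code != EAP_RESPONSE:
                return False
            verdict, pkt = self.aaa.handle(session, resp)  # relay in RADIUS EAP-Message
            if verdict == "Accept":
                return True
            if verdict == "Reject":
                return False
            # "Challenge": relay the server's next EAP request to the peer unchanged


def run_exchange(name, password):
    """Run one authentication; returns True only on EAP Success. Users are constructed."""
    aaa = AaaServer({"alice": b"correct horse"})
    return EdgeDevice(aaa).authenticate("session-1", Peer(name, password))


if __name__ == "__main__":
    print(run_exchange("alice", "correct horse"), run_exchange("alice", "wrong"))
```

Note that `EdgeDevice` contains no reference to `EAP_TYPE_MD5` at all: swapping the server's method for another EAP type changes `AaaServer` and `Peer` only, which is the point being made in the thread about keeping the key-exchange device out of the authentication business.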