
RE: New XAUTH draft



Or, you could put a certificate on a kiosk PC and make the (multiple) users
use extended authentication for the system to figure out who they are.

In the long run, yes, those users will have their certs on a token.

But for now, XAUTH solves real problems that customers are having today, so
XAUTH is not pointless.

Finally, just because XAUTH with pre-shared keys is possible, it doesn't
mean you have to implement it. Have your system do only certificates with
XAUTH if you like.

---
Tim Jenkins                       TimeStep Corporation
tjenkins@timestep.com          http://www.timestep.com
(613) 599-3610 x4304               Fax: (613) 599-3617



> -----Original Message-----
> From: Dan Harkins [mailto:dharkins@network-alchemy.com]
> Sent: May 20, 1999 3:05 PM
> To: Tim Jenkins
> Cc: Scott G. Kelly; Stephane Beaulieu; Glen Zorn; Waters, Stephen;
> ipsec@lists.tislabs.com
> Subject: Re: New XAUTH draft 
> 
> 
> On Thu, 20 May 1999 12:45:41 EDT you wrote
> > 
> > The only way XAUTH reduces the existing authentication of IKE is if
> > the sysadmin uses pre-shared key authentication and shares it
> > everywhere or sets it to null (if that's even possible).
> 
> But this is precisely the way it's used. If you had a pre-shared key
> bound to a specific user (as opposed to a group) or if you had a
> certificate binding a specific user to a public key then there would
> be no need for XAUTH. Any subsequent radius/tacacs/whatever method of
> authentication would be pointless.
> 
>   Dan.
> 

