
Re: New XAUTH draft



Pat,

Irrespective of whether the private key associated with the cert is stored
on a laptop and protected by a password, or whether it is kept in a smart
card, if the cert asserts a user identity, then it is a user authentication
mechanism.

If one employs a separate protocol for user auth, outside of IPsec, then
the SPD cannot be used to provide the same granularity of access control as
if the user auth is done as part of IPsec.  Your observation is correct,
based on existing deployed Radius systems, but if one always insists on
sticking with existing deployed databases, migration to newer technologies
is impeded.

Steve

