
RE: New XAUTH draft



>For example, a user might need to talk to a DHCP server, a RADIUS accounting
>server, and an SDI server.

The RADIUS protocol (RFC 2138 and 2139) does not involve users interacting
with RADIUS authentication or accounting servers. Rather, the peer speaks
PPP to a NAS device, which then uses RADIUS to communicate with a central
server.

Rather than including RADIUS as an authentication method in XAUTH, the draft
should be revised to include EAP as the authentication method. EAP supports
extended authentication methods, including SDI and CHAP (EAP-MD5), so that
the draft could be simplified by doing this. I would also argue that the
draft needs to include GSS_API as a method.

I would agree that a user might need to "talk" to a DHCP server, for
example, via DHCP INFORM. This is the right architecture, since doing
otherwise (as IKECFG does) would eventually lead you down the road of
duplicating the existing DHCP options.






