XAUTH is broken
About XAUTH:
Doing multiple cfg-exchanges with the same message-id is just
not possible. There are several ways out of the mess:
1) Do two or three cfg-exchanges. message-id changes.
The exchanges have the same ISAKMP cookies, thus the state
information can be kept with the phase-1 data.
2) Invent a new exchange. xauth would not use cfg-mode.
3) Cut down XAUTH. Only one cfg-exchange is done:
IPSec Host                                        Edge Device
----------                                        -----------
                 <-- REQUEST(TYPE=RADIUS NAME="" PASSWORD="")
REPLY(TYPE=RADIUS NAME="joe" PASSWORD="foobar") -->
And that's it. If the password is wrong, the phase-1 is killed with
an informational exchange carrying a notify payload AUTHENTICATION_FAILED.
I'd vote for 1).
Jörn Sierwald
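The single cfg-exchange of option 3, as an added model that is not part of the message above nor of any IKE implementation: the edge device sends one REQUEST with empty NAME and PASSWORD, the host fills them in, and a wrong password tears down the phase-1 state and answers with an informational carrying AUTHENTICATION_FAILED. State is keyed by the ISAKMP cookie pair, and a message-id is consumed once its exchange completes, so a reply that reuses it is dropped (the problem the message opens with). The attribute numbers (XAUTH_TYPE 16520, USER_NAME 16521, USER_PASSWORD 16522, RADIUS-CHAP type 1) are taken from the later IETF xauth draft and are assumptions relative to this message; the cfg-mode payload types and the notify value 24 follow the mode-cfg draft and RFC 2408. The credential store is constructed for the example.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field
from typing import Optional

# ISAKMP cfg-mode attribute payload types (draft-ietf-ipsec-isakmp-mode-cfg).
CFG_REQUEST = 1
CFG_REPLY = 2
# XAUTH attribute numbers and the RADIUS-CHAP type value: taken from the later
# xauth draft, an assumption relative to the message (which only says TYPE/NAME/PASSWORD).
XAUTH_TYPE = 16520
XAUTH_USER_NAME = 16521
XAUTH_USER_PASSWORD = 16522
XAUTH_TYPE_RADIUS_CHAP = 1
# Notify message type carried in the informational exchange (RFC 2408).
AUTHENTICATION_FAILED = 24


def encode_attrs(attrs):
    """ISAKMP data attributes (RFC 2408 3.3): AF bit set means a 2-byte value,
    AF bit clear means a 2-byte length followed by the value bytes."""
    out = bytearray()
    for atype, value in attrs:
        if isinstance(value, int):
            out += struct.pack("!HH", atype | 0x8000, value)
        else:
            out += struct.pack("!HH", atype & 0x7FFF, len(value)) + value
    return bytes(out)


def decode_attrs(buf):
    attrs, i = [], 0
    while i + 4 <= len(buf):
        atype, second = struct.unpack_from("!HH", buf, i)
        i += 4
        if atype & 0x8000:
            attrs.append((atype & 0x7FFF, second))
        else:
            attrs.append((atype & 0x7FFF, bytes(buf[i:i + second])))
            i += second
    return attrs


@dataclass
class CfgMessage:
    cookies: bytes     # initiator+responder ISAKMP cookies: select the phase-1 SA
    message_id: int    # per exchange; a REPLY must match the outstanding REQUEST
    cfg_type: int      # CFG_REQUEST or CFG_REPLY
    payload: bytes     # encoded attributes


@dataclass
class Phase1State:
    pending: Optional[int] = None          # message-id of the outstanding REQUEST
    used_ids: set = field(default_factory=set)
    authenticated: bool = False


class EdgeDevice:
    def __init__(self, users):
        self.users = users      # name -> sha256(password); constructed for the example
        self.phase1 = {}        # cookies -> Phase1State: XAUTH state lives with phase 1

    def start_phase1(self):
        cookies = os.urandom(16)
        self.phase1[cookies] = Phase1State()
        return cookies

    def request_xauth(self, cookies):
        st = self.phase1[cookies]
        mid = 0
        while mid == 0 or mid in st.used_ids:      # never reuse a message-id
            mid = struct.unpack("!I", os.urandom(4))[0]
        st.used_ids.add(mid)
        st.pending = mid
        payload = encode_attrs([(XAUTH_TYPE, XAUTH_TYPE_RADIUS_CHAP),
                                (XAUTH_USER_NAME, b""), (XAUTH_USER_PASSWORD, b"")])
        return CfgMessage(cookies, mid, CFG_REQUEST, payload)

    def handle_reply(self, msg):
        """Returns (status, notify): 'authenticated', 'dropped', or
        'informational' with the notify type the informational exchange carries."""
        st = self.phase1.get(msg.cookies)
        if st is None:
            return "dropped", None
        if msg.cfg_type != CFG_REPLY or msg.message_id != st.pending:
            return "dropped", None           # stale or replayed message-id
        st.pending = None                    # this exchange is over; id is consumed
        attrs = dict(decode_attrs(msg.payload))
        name = attrs.get(XAUTH_USER_NAME, b"").decode("utf-8", "replace")
        digest = hashlib.sha256(attrs.get(XAUTH_USER_PASSWORD, b"")).digest()
        stored = self.users.get(name)
        if stored is not None and hmac.compare_digest(digest, stored):
            st.authenticated = True
            return "authenticated", None
        del self.phase1[msg.cookies]         # wrong password: the phase 1 is killed
        return "informational", AUTHENTICATION_FAILED


def host_reply(request, name, password):
    """IPSec host side: fill in the empty NAME and PASSWORD of the REQUEST."""
    values = {XAUTH_USER_NAME: name.encode(), XAUTH_USER_PASSWORD: password.encode()}
    filled = [(t, values.get(t, v)) for t, v in decode_attrs(request.payload)]
    return CfgMessage(request.cookies, request.message_id, CFG_REPLY, encode_attrs(filled))


def run_xauth(edge, name, password):
    """One phase 1, one cfg-exchange; returns (status, notify, phase1_still_alive)."""
    cookies = edge.start_phase1()
    reply = host_reply(edge.request_xauth(cookies), name, password)
    status, notify = edge.handle_reply(reply)
    return status, notify, cookies in edge.phase1


def demo_users():
    return {"joe": hashlib.sha256(b"foobar").digest()}


if __name__ == "__main__":
    edge = EdgeDevice(demo_users())
    print(run_xauth(edge, "joe", "foobar"))
    print(run_xauth(edge, "joe", "wrong"))
```

Replaying a completed REPLY is dropped rather than starting a second exchange on the same message-id, which is what option 1 (fresh message-ids, same cookies) would need if more than one REQUEST/REPLY round were required.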