RE: Question about EAP payload
Hello Radia,

IANA holds a list of all EAP types here:

http://www.iana.org/assignments/ppp-numbers

You can scroll down to the section "PPP EAP REQUEST/RESPONSE TYPES".

None of these types is a simple passing of username and password akin to,
say, PAP authentication.  This IMO is a limitation of EAP, because it makes
it very difficult to integrate it with various user/password schemes such as
Operating System password, RADIUS authentication and others.

"Generic token card" was intended for those beeper-sized devices that have a
little display with a number that changes every minute or so.  The user would
copy the number from the device to the input field, and this would
authenticate him.  Since nothing enforces the use of such a device, you
could use this to have generic passwords that would be authenticated by
whatever method the gateway uses.  It just seems like a subversion of the
original intent.  I am sure other implementations will also use this in a
similar way, which is not so bad as long as the so-called clear password is
encrypted by IKE.

Yoav Nir

-----Original Message-----
Subject: Question about EAP payload

I've been reading the new draft of IKEv2, which
has not yet been announced, but has been submitted.

Anyway, under EAP payload, there seems to be
"OTP", "MD5-challenge", and "generic token card".
But there doesn't seem to be anything there
for just plain sending a name and password.

Is this intentional, perhaps because MD5-challenge
is considered better? (though it requires the
server to store a password-equivalent, whereas
sending password in-the-clear allows the
server to store hashes of passwords)

Or is name/password really covered under "generic
token card", because EAP just passes text back
and forth, and the server could ask for name
and password, and the client could send it?

Radia
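An added example, not part of either message above, illustrating the two EAP methods the thread discusses: a minimal RFC 3748 packet encoder/decoder, a Generic Token Card (type 6) exchange in which the type-data is simply the prompt and the user's typed text (so whatever the user types, a password included, sits in the EAP payload exactly as typed and is protected only by the surrounding IKE encryption), and an MD5-Challenge (type 4) exchange in which the response is MD5(Identifier || secret || challenge) as in CHAP, so the server must hold the secret itself rather than a one-way hash of it. The type numbers come from the IANA registry cited above; the prompt, token text, secret and challenge bytes are constructed sample values.

```python
import hashlib
import hmac
import struct

# EAP Code and Type numbers (RFC 3748 / IANA PPP EAP REQUEST/RESPONSE TYPES)
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE, EAP_TYPE_OTP, EAP_TYPE_GTC = 1, 4, 5, 6

def build_eap(code: int, identifier: int, eap_type: int, type_data: bytes) -> bytes:
    """Encode an EAP packet: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    length = 5 + len(type_data)
    return struct.pack("!BBHB", code, identifier, length, eap_type) + type_data

def parse_eap(pkt: bytes) -> dict:
    """Decode an EAP packet, rejecting truncated or length-inconsistent input."""
    if len(pkt) < 5:
        raise ValueError("EAP packet shorter than 5-byte header")
    code, identifier, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if length < 5 or length != len(pkt):
        raise ValueError("EAP Length field does not match packet size")
    return {"code": code, "identifier": identifier, "type": eap_type,
            "type_data": pkt[5:length]}

# --- Generic Token Card: type-data is free text in both directions ---------

def gtc_response(request: bytes, user_input: str) -> bytes:
    """Answer a GTC request; the user's text goes into the payload unchanged."""
    req = parse_eap(request)
    if req["code"] != EAP_REQUEST or req["type"] != EAP_TYPE_GTC:
        raise ValueError("not an EAP-Request/GTC")
    return build_eap(EAP_RESPONSE, req["identifier"], EAP_TYPE_GTC,
                     user_input.encode("utf-8"))

def gtc_verify_against_hash(response: bytes, salt: bytes, stored_hash: bytes) -> bool:
    """Because the response carries the cleartext, the server can check it
    against a stored one-way hash (here PBKDF2) instead of the secret itself."""
    resp = parse_eap(response)
    candidate = hashlib.pbkdf2_hmac("sha256", resp["type_data"], salt, 100_000)
    return hmac.compare_digest(candidate, stored_hash)

# --- MD5-Challenge: CHAP-style, server needs the secret itself -------------

def md5_challenge_response(request: bytes, secret: bytes) -> bytes:
    """Type-data: Value-Size(1) Value(Value-Size) Name; Value = MD5(id||secret||challenge)."""
    req = parse_eap(request)
    if req["code"] != EAP_REQUEST or req["type"] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an EAP-Request/MD5-Challenge")
    value_size = req["type_data"][0]
    challenge = req["type_data"][1:1 + value_size]
    digest = hashlib.md5(bytes([req["identifier"]]) + secret + challenge).digest()
    return build_eap(EAP_RESPONSE, req["identifier"], EAP_TYPE_MD5_CHALLENGE,
                     bytes([len(digest)]) + digest)

def md5_challenge_verify(request: bytes, response: bytes, secret: bytes) -> bool:
    """The verifier recomputes the digest, so it must store the secret (a
    password-equivalent), which is the point Radia raises."""
    req, resp = parse_eap(request), parse_eap(response)
    if resp["identifier"] != req["identifier"]:
        return False
    value_size = req["type_data"][0]
    challenge = req["type_data"][1:1 + value_size]
    expected = hashlib.md5(bytes([req["identifier"]]) + secret + challenge).digest()
    got = resp["type_data"][1:1 + resp["type_data"][0]]
    return hmac.compare_digest(expected, got)

def demo() -> dict:
    """Run both exchanges on constructed sample data and return the outcomes."""
    # Constructed sample: a GTC prompt, the text the user types, and a hash of it
    gtc_req = build_eap(EAP_REQUEST, 7, EAP_TYPE_GTC, b"Enter token code:")
    gtc_resp = gtc_response(gtc_req, "123456")
    salt = b"constructed-salt"
    stored = hashlib.pbkdf2_hmac("sha256", b"123456", salt, 100_000)
    # Constructed sample: a 16-byte challenge and a shared secret
    secret = b"constructed-secret"
    md5_req = build_eap(EAP_REQUEST, 8, EAP_TYPE_MD5_CHALLENGE,
                        bytes([16]) + b"\x01" * 16 + b"server-name")
    md5_resp = md5_challenge_response(md5_req, secret)
    return {
        "gtc_payload": parse_eap(gtc_resp)["type_data"],
        "gtc_ok": gtc_verify_against_hash(gtc_resp, salt, stored),
        "md5_ok": md5_challenge_verify(md5_req, md5_resp, secret),
        "md5_wrong_secret": md5_challenge_verify(md5_req, md5_resp, b"other"),
    }

if __name__ == "__main__":
    print(demo())
```

The GTC path shows why the server can keep only a hash: the cleartext arrives in the payload. The MD5-Challenge path shows the opposite trade-off: nothing in cleartext, but the verifier holds the secret.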