RE: CALL FOR DISCUSSION: DHCP over IKE vs Configuration Payload
> -----Original Message-----
> From: Darren Dukes [mailto:ddukes@cisco.com]
> Sent: Tuesday, April 15, 2003 11:38 AM
> To: Derek Atkins; Michael Richardson
> Cc: ipsec@lists.tislabs.com
> Subject: RE: CALL FOR DISCUSSION: DHCP over IKE vs Configuration Payload
>
--SNIP--
> >
> > On another note, can you even start the configuration process before
> > EAP finishes? I'm not convinced you can run it concurrently with EAP,
> > which implies that the extra messages from EAP and then DHCP would
> > have to be serialized, making the exchange even longer! I say this
> > because I don't see how a server can respond with a DHCPOFFER until
> > the client has authenticated (e.g. EAP finished).
> >
> > Am I missing something?
>
> Nope, you are correct. DHCP should be done after EAP, the same as CP is
> done after/with the last EAP message. I think implementations could get
> clever and block DHCPREQUESTs until after the client authenticates, but it
> seems simpler to require the client side to start the DHCP-over-IKE exchange
> after EAP completes and the client is authenticated.
>
In the case of a RADIUS back-end, the EAP is absolutely required, because it
is the only way to get the credentials by which to look up/validate the user,
by which to know which configuration parameters to offer them.
This is all detailed out in the draft Darren and I wrote. (We never got to
submitting it... sorry). It's at VPNC:
<http://www.vpnc.org/temp-draft-lebovitz-ipsec-scalable-ikev2cp-00.txt>