
Re: EAP Handling in IKEv2



> It seems that the main interest is *not* supporting legacy
> authentication methods. I believe that the issue is rather
> supporting legacy credentials, such as passwords or token cards.

Exactly. Since virtually every RADIUS server (including FreeRADIUS)
already supports EAP, the issue is support for legacy credentials
rather than legacy algorithms -- since EAP support allows
algorithms to be easily changed.

I'd also note that in both the "password" and "token card" categories, key
generating methods exist -- although there are some token cards that do
not support key generation.

> If so, it may be possible to keep the credentials as they are but
> replace the existing method with a modified one when running inside IKEv2.
> When running outside IKEv2 or other sort of "EAP tunnels", use the existing
> method as-is.

Yes, this "modified method" approach is one of the proposals for dealing
with non-key generating methods.