
RE: EAP Handling in IKEv2

Several legacy authentication schemes involve some secret (or password)
shared between the user and a backend authentication server, such as RADIUS.
The "authenticator" or PPP server or access concentrator or LNS or whatever
it's called acts as a passthrough for the authentication, and does not ever
see the password.
While this is very attractive from a security POV, this has the limitation
that the authentication algorithm must be shared between the client and the
backend.  This is not always practical, because we're talking about old
authentication backends that may not support EAP.  In fact, there are plenty
of RADIUS servers out there that do not support EAP.

IMO there are two EAP algorithms that should be recommended:
  6 - Generic Token Card
 29 - EAP-MSCHAP-V2

The former simply passes to the user a string such as "What is your
password?" and receives the password in the "clear".  This allows the AC to
support any legacy backend server that we wish, since the AC has the real
password and can do whatever hashing is required.
The latter also works for user/password schemes and has the advantage of
generating a session key.  It does require the backend server to support
EAP-MSCHAP-V2, but I suppose this support is coming.

-----Original Message-----
From: Charlie_Kaufman@notesdev.ibm.com
Sent: Sunday, May 11, 2003 12:41 AM
Subject: Re: EAP Handling in IKEv2

> For interoperability, it would be good to specify recommended EAP
> algorithms, probably in the algorithms document. Do people know what
> algorithms we're expecting to see?
>
>       --Charlie Kaufman
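As an added illustration, not part of the original email, here is a small Python model of the EAP-GTC exchange described above, using the RFC 3748 EAP packet layout (Code, Identifier, Length, Type, Type-Data); the prompt and password strings are constructed sample values. It shows why a passthrough access concentrator can read the GTC password, which is the reason IKEv2 only ever carries EAP inside the protected IKE_AUTH messages.

```python
import struct

# EAP codes and the two method type numbers named in the message (RFC 3748)
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_GTC = 6          # Generic Token Card
EAP_TYPE_MSCHAPV2 = 29    # EAP-MSCHAP-V2


def build_eap(code, identifier, eap_type, type_data):
    """Encode an EAP Request or Response: Code(1) Id(1) Length(2) Type(1) Type-Data."""
    length = 5 + len(type_data)            # Length covers the whole packet
    return struct.pack("!BBHB", code, identifier, length, eap_type) + type_data


def parse_eap(packet):
    """Decode a Request/Response packet; reject truncated or inconsistent frames.

    Success/Failure packets carry no Type field and are deliberately out of scope.
    """
    if len(packet) < 5:
        raise ValueError("EAP packet shorter than header plus Type")
    code, identifier, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if length != len(packet):
        raise ValueError("EAP Length field does not match packet size")
    if code not in (EAP_REQUEST, EAP_RESPONSE):
        raise ValueError("only Request/Response packets carry a Type")
    return {"code": code, "id": identifier, "type": eap_type, "data": packet[5:]}


def gtc_exchange(prompt, password, identifier=1):
    """Simulate the GTC round trip and return what a passthrough AC can observe.

    The Request carries the prompt string; the Response carries the password
    in the clear, so the node relaying it to the backend holds the real secret.
    """
    request = build_eap(EAP_REQUEST, identifier, EAP_TYPE_GTC, prompt.encode())
    response = build_eap(EAP_RESPONSE, identifier, EAP_TYPE_GTC, password.encode())
    req, resp = parse_eap(request), parse_eap(response)
    if resp["id"] != req["id"] or resp["type"] != EAP_TYPE_GTC:
        raise ValueError("response does not match the GTC request")
    return {"prompt": req["data"].decode(),
            "password_seen_by_ac": resp["data"].decode()}
```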