
Re: EAP requestor for Initiator



Yoav,

Thank you for your reply.

I do not think my case is a client-server model.
It is rather a peer-to-peer model.

The application is, for example, the initiator (untrusted peer) wants to
join the secured cloud; it has to pass the authZ first.

To pass the authZ, the initiator has to talk to the Authorization server
through the proxy (the responder is a proxy server).

In this case, we want the initiator to start the EAP negotiation, not the
responder.

It looks like EAP in the IKEv2 draft is only applicable to the client-server
model.

Tom Hu

Yoav Nir wrote:
> 
> In the remote-access scenario, the client is always the initiator.  In
> EAP, the gateway (or "authenticator") is always the initiator.  How can
> it be that the IKE initiator will also initiate the EAP?  Which is the
> client, and which is the gateway?
> 
> On Wednesday, October 22, 2003, at 03:14 AM, Tom Hu wrote:
> 
> > Hi all,
> >
> > The IKEv2 draft explicitly describes the EAP request as initiated from
> > the Responder. Is it legit to have the EAP request initiated from the
> > Initiator? Please see the exchange below. Is this against the IKEv2 protocol?
> >
> > Note: when I said EAP requestor, it means that the node sends the first
> > EAP packet.
> >
> >
> >   Initiator                          Responder
> >  -----------                        -----------
> >   HDR, SAi1, KEi, Ni         -->
> >                               <--    HDR, SAr1, KEr, Nr, [CERTREQ]
> >
> >   HDR, SK {IDi, [CERTREQ,] [IDr,]
> >            SAi2, TSi, TSr}   -->
> >                               <--    HDR, SK {IDr, [CERT,] AUTH}
> >   HDR, SK {EAP, [AUTH]}      -->
> >                               <--    HDR, SK {EAP, [AUTH]}
> >
> >   HDR, SK {EAP, [AUTH] }     -->
> >                               <--    HDR, SK {[AUTH], SAr2, TSi, TSr }
> >
> > Thanks,
> >
> > Tom Hu
> >