
Re: EAP requestor for Initiator



It is true that EAP was added to IKEv2 with the roaming user in mind.  
However, I think your case is very similar:
- The initiator (or "peer") wants to join the cloud, so it begins the 
responder (or "authenticator" or "proxy server")
- The proxy server wants to verify the initiator's identity.  For 
verifying identities, it relies on the services of an external server, 
called the "authentication server".  This could be LDAP, or RADIUS or 
SecurID or whatever.
- The authentication server starts an EAP conversation with the "peer", 
tunneled through the authenticator (the responder)
- When it is satisfied, it sends a notification to the responder, which 
sends the client an EAP success.

This is how EAP works.  It always looks like the authenticator 
(responder) is starting the conversation.  See section 2 of RFC 2284.

On Wednesday, October 22, 2003, at 08:06 PM, Tom Hu wrote:

> Yoav,
>
> Thanks for your reply.
>
> I do not think my case is a client-server model.
> It is rather a peer-to-peer model.
>
> The application is, for example, the initiator (untrusted peer) wants to
> join the secured cloud; it has to pass the authZ first.
>
> To pass the authZ, the initiator has to talk to the Authorization server
> through the proxy (responder is a proxy server).
>
> In this case, we want the initiator to start EAP negotiation, not
> responder.
>
> It looks like EAP in the ikev2 draft is only applicable to the client-server
> model.
>
> Tom Hu
> Yoav Nir wrote:
>>
>> In the remote-access scenario, the client is always the initiator.  In
>> EAP, the gateway (or "authenticator") is always the initiator.  How can
>> it be that the IKE initiator will also initiate the EAP?  Which is the
>> client, and which is the gateway?
>>
>> On Wednesday, October 22, 2003, at 03:14 AM, Tom Hu wrote:
>>
>>> Hi all,
>>>
>>> The ikev2 draft explicitly describes EAP requests initiated from the
>>> Responder. Is it legit to have an EAP request initiated from the Initiator?
>>> Please see the below exchange. Is this against IKEv2 protocol?
>>>
>>> Note: when I said EAP requestor, I mean the node that sends the first
>>> EAP packet.
>>>
>>>
>>>   Initiator                          Responder
>>>  -----------                        -----------
>>>   HDR, SAi1, KEi, Ni         -->
>>>                               <--    HDR, SAr1, KEr, Nr, [CERTREQ]
>>>
>>>   HDR, SK {IDi, [CERTREQ,] [IDr,]
>>>            SAi2, TSi, TSr}   -->
>>>                               <--    HDR, SK {IDr, [CERT,] AUTH}
>>>   HDR, SK {EAP, [AUTH]}      -->
>>>                               <--    HDR, SK {EAP, [AUTH]}
>>>
>>>   HDR, SK {EAP, [AUTH] }     -->
>>>                               <--    HDR, SK {[AUTH], SAr2, TSi, TSr 
>>> }
>>>
>>> Thanks,
>>>
>>> Tom Hu
>>>
>
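As an added illustration (not part of the thread), the following Python checker models the IKE_AUTH + EAP flow the way the IKEv2 draft describes it: the initiator omits AUTH from its first IKE_AUTH message to request EAP, the responder sends the first EAP request together with its own AUTH, and after EAP completes both sides exchange AUTH. Both sample exchanges are constructed from the diagrams above; the payload sets and checks are assumptions for this example.

```python
# Added example (not from the mailing-list thread): conformance checker for the
# responder-initiated EAP flow described in the IKEv2 draft.  Messages are
# modelled as (sender, set of payload names); HDR/SK wrapping is omitted.

DRAFT_FLOW = [  # constructed from the draft's diagram: responder sends first EAP
    ("I", {"IDi", "SAi2", "TSi", "TSr"}),    # no AUTH => initiator asks for EAP
    ("R", {"IDr", "CERT", "AUTH", "EAP"}),    # responder authenticates + first EAP
    ("I", {"EAP"}),
    ("R", {"EAP"}),
    ("I", {"EAP"}),
    ("R", {"EAP"}),                           # EAP success
    ("I", {"AUTH"}),                          # initiator's AUTH after EAP
    ("R", {"AUTH", "SAr2", "TSi", "TSr"}),
]

TOM_FLOW = [  # constructed from the question's diagram: initiator sends first EAP
    ("I", {"IDi", "SAi2", "TSi", "TSr"}),
    ("R", {"IDr", "AUTH"}),
    ("I", {"EAP"}),
    ("R", {"EAP"}),
    ("I", {"EAP", "AUTH"}),
    ("R", {"AUTH", "SAr2", "TSi", "TSr"}),
]


def check_ike_auth_eap(flow):
    """Return a list of conformance problems; an empty list means it conforms."""
    problems = []
    if not flow or flow[0][0] != "I" or "AUTH" in flow[0][1]:
        problems.append("initiator must open IKE_AUTH without AUTH to request EAP")
    # IKE_AUTH messages strictly alternate: I, R, I, R, ...
    for n, (sender, _) in enumerate(flow):
        expected = "I" if n % 2 == 0 else "R"
        if sender != expected:
            problems.append(f"message {n + 1}: expected {expected} to send")
    eap_msgs = [(s, p) for s, p in flow if "EAP" in p]
    if not eap_msgs:
        problems.append("no EAP payload in exchange")
    elif eap_msgs[0][0] != "R":
        problems.append("first EAP payload must come from the responder (authenticator)")
    elif "AUTH" not in eap_msgs[0][1]:
        problems.append("responder must send AUTH with its first EAP request")
    # after EAP finishes, the initiator sends AUTH and the responder answers with AUTH
    if len(flow) < 2 or flow[-2][0] != "I" or "AUTH" not in flow[-2][1]:
        problems.append("initiator must send AUTH after EAP completes")
    if not flow or flow[-1][0] != "R" or "AUTH" not in flow[-1][1]:
        problems.append("responder must finish with AUTH, SAr2, TSi, TSr")
    return problems
```

Running the checker on both flows reports no problems for the draft's sequence and flags the question's sequence only because its first EAP payload is sent by the initiator rather than the responder.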