RE: Certificates, Discovery Request/Reply, and validation.
From: Pat R. Calhoun (pcalhounairespace.com)
Date: 22 Jul 2003 18:39:47 -0000
>>         For phase2:
>>               PANA seems to be defining a physical/link layer independent
>> authentication mechanism.
>>               That might be suitable here. Comments?
>
>In the current deployments the security between the AP and AR relies on
>physical measures. As I understand, we don't want to make this assumption in
>here. In that case, yes, PANA can be used for authentication and
>authorization between the APs and ARs. By using an appropriate EAP method
>(e.g., EAP-TLS) cryptographic keys can be produced that are used to
>establish a protected channel between AP and AR. This ensures all the
>signaling and data traffic is secured.

So how does the AP know that 802.1x will be required for a given mobile? How 
does the AP get the 802.1x keys that it must use with the mobile? How does the 
AR handle load balancing? How does the AR handle 802.11e and 802.11i, or should 
the AP do it? What about 802.11h? What about 802.11k?

You see, the PANA architecture really only touches the tip of the iceberg. 
Moving towards a LWAPP architecture solves these issues, and significantly 
reduces the amount of protocol work required between the AP and the AR (because 
802.11 terminates in the AR, so 802.11 *is* the protocol).

We seem to be focused on EAP only, but again, I think the problem is much 
greater in scope - hence CAPWAP.

PatC
