RE: interpretation of the identity response
From: Joseph Salowey (jsaloweycisco.com)
Date: Wed, 29 Oct 2003 20:19:39 -0600 (CST)
I think the processing of the identity response is up to the mechanism. If the NAI is decorated by non-standard means that are not known to the home AAA, this can be a problem (it is also not within the NAI specification). Many mechanisms have a way to request or determine identity independent of the EAP identity response (EAP-SIM, EAP-AKA, EAP-TLS, EAP-MSCHAPv2). If I had my preference I would use the identity response for routing only and ignore the user identity in the identity response. It should be a recommendation that mechanisms provide a way to obtain identity outside of the identity response.
 
Joe
-----Original Message-----
From: eap-admin [at] frascone.com [mailto:eap-admin [at] frascone.com] On Behalf Of Adrangi, Farid
Sent: Wednesday, October 29, 2003 5:53 PM
To: Bernard Aboba; jarkko [at] piuha.net
Cc: Lortz, Victor; Puthenkulam, Jose P; eap [at] frascone.com
Subject: [eap] interpretation of the identity response

Hello Bernard/Jari:

 

I have a quick question regarding the 2284bis-06 draft. Currently, the draft does not specify any rules on how the EAP server should interpret an identity response (in particular where it is indicated in NAI format) to extract the identity to be authenticated. For example, given the following NAI, Eng%nancy [at] bigu.edu, does the EAP server use the nancy [at] bigu.edu portion or the whole string as the ID for authenticating the user? Or, as another NAI example, say you have ipass/nancy [at] bigu.edu (where the ipass prefix is used to indicate to the RADIUS AAA server in an Access Network how to route the RADIUS packets): will the EAP server use the nancy [at] bigu.edu portion or the whole string?

 

Thanks for your time.

 

BR,

Farid
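
The ambiguity discussed in this thread, as an added example that is not part of either message: the same Identity Response yields a different user name depending on whether the server knows the decoration convention, while the routing realm stays stable. The `prefix/` and `prefix%` separators are assumed from the two NAIs in the question, all function names are hypothetical, and the archive's ` [at] ` is written as `@`.

```python
from typing import NamedTuple, Optional

class ParsedIdentity(NamedTuple):
    decoration: Optional[str]  # routing hint in front of the user name, if any
    username: str              # candidate user name (untrusted peer input)
    realm: Optional[str]       # text after the last "@", lowercased

def parse_identity(identity: str, known_separators: str = "/%") -> ParsedIdentity:
    """Split an Identity Response into decoration, user name and realm.

    known_separators models what this server understands; pass "" for a
    home AAA that has never heard of the decoration convention.
    """
    user_part, at, realm = identity.rpartition("@")
    if not at:                      # no "@" at all: bare user name, no realm
        user_part, realm = identity, ""
    decoration = None
    for sep in known_separators:    # first listed separator that matches wins
        head, found, tail = user_part.partition(sep)
        if found and head and tail:
            decoration, user_part = head, tail
            break
    return ParsedIdentity(decoration, user_part, realm.lower() or None)

def route_and_subject(identity_response: str, method_identity: str):
    """Routing-only policy: realm from the Identity Response, subject from the method.

    Returns (realm, subject, mismatch). mismatch is informational (for
    logging); the subject never comes from the Identity Response.
    """
    parsed = parse_identity(identity_response)
    claimed = parsed.username + ("@" + parsed.realm if parsed.realm else "")
    mismatch = claimed.lower() != method_identity.lower()
    return parsed.realm, method_identity, mismatch

if __name__ == "__main__":
    # Constructed inputs: the two NAIs from the question above.
    for nai in ("Eng%nancy@bigu.edu", "ipass/nancy@bigu.edu"):
        print(nai)
        print("  decoration-aware  :", parse_identity(nai))
        print("  decoration-unaware:", parse_identity(nai, known_separators=""))
        print("  routing-only      :", route_and_subject(nai, "nancy@bigu.edu"))
```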

 
