RE: interpretation of the identity response

From: John Vollbrecht (jrv
Date: Wed, 29 Oct 2003 21:24:15 -0600 (CST)
--On Wednesday, October 29, 2003 6:19 PM -0800 Joseph Salowey <jsalowey [at] cisco.com> wrote:
I agree with your suggestion about independent identity in a method. I am wondering if the question about format is not also valid for routing. If the identity response is used for routing, then it must be understood by all routers. If a NAS or Proxy gets something it doesn't understand how to route, it presumably throws it away or sends a Failure. The implication is that the Client and NAS and any intermediate servers need to have the same routing expectations.
I think the processing of the identity response is up to the mechanism. If the NAI is decorated by non-standard means that are not known to the home AAA, this can be a problem (it is also not within the NAI specification). Many mechanisms have a way to request or determine identity independent of the EAP identity response (EAP-SIM, EAP-AKA, EAP-TLS, EAP-MSCHAPv2). If I had my preference I would use the identity response for routing only and ignore the user identity in the identity response. It should be a recommendation that mechanisms provide a way to obtain identity outside of the identity response.
Joe
The spec does not say anything about how to break up the NAI for routing.
I think it is pretty complicated to come up with an agreement about what such a standard would be, and I personally don't think it is necessary at this point.
-- John
-----Original Message-----
From: eap-admin [at] frascone.com [mailto:eap-admin [at] frascone.com] On Behalf Of Adrangi, Farid
Sent: Wednesday, October 29, 2003 5:53 PM
To: Bernard Aboba; jarkko [at] piuha.net
Cc: Lortz, Victor; Puthenkulam, Jose P; eap [at] frascone.com
Subject: [eap] interpretation of the identity response
Hello Bernard/Jari:
I have a quick question regarding the 2284bis-06 draft. Currently, the draft does not specify any rules on how the EAP server should interpret an identity response (in particular where it is indicated in NAI format) to extract the identity to be authenticated. For example, given the following NAI, Eng%nancy [at] bigu.edu, does the EAP server use the nancy [at] bigu.edu portion or the whole string as the ID for authenticating the user? Or, as another NAI example, say you have ipass/nancy [at] bigu.edu (where the ipass prefix is used to indicate to the RADIUS AAA server in an Access Network how to route the RADIUS packets): will the EAP server use the nancy [at] bigu.edu portion or the whole string?
Thanks for your time.
BR,
Farid
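
One way to express the preference stated above (identity response for routing only, identity taken from the EAP method), as an added example that is not part of the thread or of the draft. The handling of the `%` and `/` decorations is an assumption taken from the two NAIs in Farid's question, and the names `parse_identity_response`, `resolve` and `method_identity` are hypothetical.

```python
from typing import NamedTuple, Optional

# Assumption: only the two decoration shapes quoted in the thread are handled
# ("Eng%nancy@bigu.edu", "ipass/nancy@bigu.edu"). Neither is standardized.
# The archive writes "@" as " [at] "; real NAIs carry "@".
DECORATION_SEPARATORS = ("/", "%")


class IdentityResponse(NamedTuple):
    decoration: Optional[str]  # routing hint, e.g. "ipass" or "Eng"
    user: str
    realm: Optional[str]       # realm used for AAA routing


def parse_identity_response(raw: str) -> IdentityResponse:
    """Split an identity response into routing hint, user part and realm."""
    local, at, realm = raw.rpartition("@")
    if not at:                 # no realm present: whole string is the local part
        local, realm = raw, ""
    decoration = None
    for sep in DECORATION_SEPARATORS:
        if sep in local:
            decoration, _, local = local.partition(sep)
            break
    return IdentityResponse(decoration, local, realm.lower() or None)


def resolve(raw: str, method_identity: Optional[str] = None) -> dict:
    """Route on the identity response; authenticate the method's identity.

    method_identity is whatever the EAP method itself established (hypothetical
    parameter). Only when the method supplies none does the stripped identity
    response become the identity, which is a local policy choice, not a rule
    from the draft.
    """
    resp = parse_identity_response(raw)
    stripped = f"{resp.user}@{resp.realm}" if resp.realm else resp.user
    from_method = method_identity is not None
    auth_identity = method_identity if from_method else stripped
    return {
        "route_realm": resp.realm,
        "route_hint": resp.decoration,
        "auth_identity": auth_identity,
        "source": "method" if from_method else "identity-response",
        # Worth logging: the routed identity and the authenticated one differ.
        "differs": auth_identity.lower() != stripped.lower(),
    }


if __name__ == "__main__":
    for nai in ("Eng%nancy@bigu.edu", "ipass/nancy@bigu.edu"):  # from the thread
        print(nai, "->", resolve(nai, method_identity="nancy@bigu.edu"))
```
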