RE: Issue 189: Handling of the identity response

From: John Vollbrecht (jrv

Date: Fri, 31 Oct 2003 14:51:15 -0600 (CST)
--On Friday, October 31, 2003 12:32 PM -0800 Joseph Salowey <jsalowey [at] cisco.com> wrote:
[John] I think the Identity may be used by some methods (actually I am not sure this is true) which are capable of doing whatever treating of the method to get its meaning. However, some methods may also use the identity from the RADIUS User-ID to get the identity. These are not the same, as the NAS may modify the EAP Identity data to support RADIUS proxy routing.

> > > how about
> > >
> > > When an EAP Identity Method is used, Data in the EAP-Identity
> > > Response is typically provided to subsequent EAP Methods. The
> > > subsequent Method MAY use this in processing its algorithm. Note
> > > that the information in the Identity Response is primarily used
> > > for routing following EAP requests and for selecting a method to
> > > process the request. A method SHOULD NOT use information in the
> > > Identity response as the actual Identity to be authenticated.
> > >
> > [Joe] I'm not sure about the last sentence. The SHOULD NOT may
> > conflict with the previous MAY. How about: "A method SHOULD provide a
> > method specific means for obtaining identity so it does not have to
> > rely upon the information in identity response."
> >
> [John] I understand your point. I was trying to say that the
> algorithm MAY use the information, otherwise why would we give it to
> him? However, it should not use it as the method's identity. Note that
> it may use the identity or identity as modified by the NAS to select
> which EAP method to use. That is different than using it in the method.
>
> [Joe] Isn't the method selection done before the method gets the
> identity? Some existing methods may require the identity; that is why
> it should be provided to the method. I think we want to discourage
> reliance on the identity response in methods moving forward.
I am thinking the second case [routing] is governed by a set of rules agreed to by the organization of clients and NASs, not covered in this spec. This is ok.

The first case - where the method uses the Identity Response data from the previous request as an identity - does not seem right. In thinking about it, I am not sure it actually happens in any implementations [as opposed to selecting the method instance based on the Response Data]. I think this is what you are saying should be discouraged, and I am wondering if it is SHOULD NOT or MUST NOT.
_______________________________________________
eap mailing list
eap [at] frascone.com
http://mail.frascone.com/mailman/listinfo/eap
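The identity handling John and Joe are debating, as an added Python example that is not part of the thread and not code from any EAP implementation: it encodes and decodes an EAP-Response/Identity per RFC 3748, splits the NAI (RFC 4282) to choose a RADIUS next hop by realm, and applies the decorated-NAI rewrite a proxy performs under RFC 4282 section 2.7, which is the kind of NAS/proxy modification that makes the outer identity unsuitable as the identity a method actually authenticates. The function names, the routing table and the sample identities are constructed for this example.

```python
import struct
from typing import Dict, Optional, Tuple

# EAP constants from RFC 3748 sections 4 and 5.1
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def build_eap_identity_response(identifier: int, identity: str) -> bytes:
    """Encode an EAP-Response/Identity: Code, Identifier, Length, Type, Type-Data."""
    type_data = identity.encode("utf-8")
    header = struct.pack("!BBHB", EAP_CODE_RESPONSE, identifier & 0xFF,
                         5 + len(type_data), EAP_TYPE_IDENTITY)
    return header + type_data


def parse_eap_identity_response(pkt: bytes) -> Tuple[int, str]:
    """Decode an EAP-Response/Identity, rejecting malformed input.

    Type-Data extends to the Length field, not to the end of the buffer;
    bytes beyond Length are link-layer padding and are ignored.
    """
    if len(pkt) < 5:
        raise ValueError("EAP packet shorter than Code/Identifier/Length/Type")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 5 or length > len(pkt):
        raise ValueError("EAP Length field inconsistent with packet size")
    if code != EAP_CODE_RESPONSE or pkt[4] != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity")
    return identifier, pkt[5:length].decode("utf-8")


def split_nai(identity: str) -> Tuple[str, Optional[str]]:
    """Split an NAI (RFC 4282) into (username, realm); realm is None if absent."""
    username, at, realm = identity.rpartition("@")
    if not at:
        return identity, None
    return username, realm


def select_route(identity: str, routes: Dict[str, str], default: str) -> str:
    """Pick the RADIUS next hop from the realm part of the Identity Response."""
    _, realm = split_nai(identity)
    if realm is None:
        return default
    return routes.get(realm.lower(), default)


def strip_decoration(identity: str) -> str:
    """Proxy-side rewrite of a decorated NAI (RFC 4282 section 2.7).

    'home.example!alice@visited.example' becomes 'alice@home.example' when the
    visited realm forwards it; the peer's original bytes no longer arrive.
    """
    username, realm = split_nai(identity)
    if realm is None or "!" not in username:
        return identity
    next_realm, _, remaining_user = username.partition("!")
    return f"{remaining_user}@{next_realm}"


def outer_identity_at_home_server(pkt: bytes) -> str:
    """Identity the home server sees after the visited-realm proxy rewrote it.

    Constructed illustration of why a method should not bind the identity it
    authenticates to the outer Identity Response: that value is a routing and
    method-selection hint that intermediaries may change in transit.
    """
    _, outer = parse_eap_identity_response(pkt)
    return strip_decoration(outer)


if __name__ == "__main__":
    routes = {"visited.example": "radius.visited.example"}  # constructed table
    pkt = build_eap_identity_response(1, "home.example!alice@visited.example")
    _, outer = parse_eap_identity_response(pkt)
    print("NAS routes by realm to:", select_route(outer, routes, "local-server"))
    print("home server sees:", outer_identity_at_home_server(pkt))
```

Run as a script, the peer's outer identity `home.example!alice@visited.example` is routed by the visited realm and arrives at the home server as `alice@home.example`; a method that took the outer string as the identity to authenticate would bind to whichever form happened to reach it, which is the reason for obtaining the identity through a method-specific means instead.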