RE: Issue 204: Peer-to-peer operation

From: Joseph Salowey (jsalowey
Date: Wed, 26 Nov 2003 12:00:53 -0600 (CST)

> -----Original Message-----
> From: Bernard Aboba [mailto:aboba [at] internaut.com]
> Sent: Wednesday, November 26, 2003 9:56 AM
> To: Joseph Salowey
> Cc: eap [at] frascone.com
> Subject: RE: [eap] Issue 204: Peer-to-peer operation
>
> > [Joe] OK, sorry to be playing catch up, so the possibility is that the
> > Peer has not had its policy satisfied so it will not open its port,
> > but the authenticator may not have any way to know this since it may
> > have considered its policy complete. It would seem that in this case
> > the peer would then want to reverse roles and authenticate the
> > previous authenticator. Can't this be signaled in 802.1x?
>
> The authenticator originates EAP authentication and then it
> offers access to the peer, or it doesn't. It might like to
> send some packets to the peer, in which case it is interested
> in whether the peer has accepted the access it offered, but
> it may not know that.

[Joe] So the protected result is not just signaling that the authentication was successful, but also that the peer has authorized the opening of its port. If the Peer actually wanted to do bi-direction authentication, perhaps using a different EAP method, then it wouldn't send a protected result indication of success even if the first method succeeded?

> If so, then it could send an EAP-Start
> to the peer, to signal the peer that it would like to start
> an authentication in the other direction. So it's not a big
> deal, really.

[Joe] Couldn't the peer signal to the authenticator to start authentication in the other direction, since it is the peer that knows if it has opened? If it can't then this seems like a .1x problem. If it can then I don't think it is a big deal.

> The point (for RFC 2284bis at least) is just to describe the
> situation in Section 2.4, Peer-to-peer operation. I think
> that some changes may be required in the EAP SM to allow the
> signals to be passed to the lower layer though.

[Joe] Yes, I think we need to revisit the method interfaces in the state machines (for issue 203 as well).