Re: Re: [802.1] Re: 802.1X interface variable
From: John Vollbrecht (jrvumich.edu)
Date: Mon, 12 Jan 2004 20:29:49 -0500 (EST)

--On Sunday, January 11, 2004 10:04 PM -0800 Yoshihiro Ohba <yohba [at] tari.toshiba.com> wrote:


On Sat, Jan 10, 2004 at 01:40:21PM -0500, John Vollbrecht wrote:

I try to clarify the question below --


--On Friday, January 9, 2004 1:32 PM -0800 Yoshihiro Ohba
<yohba [at] tari.toshiba.com> wrote:

> On Wed, Jan 07, 2004 at 04:01:09PM -0500, John Vollbrecht wrote:
>>
>> I have some question about the cases.  See below -
>>
>> --On Friday, January 2, 2004 2:44 PM -0800 Yoshihiro Ohba
>> <yohba [at] tari.toshiba.com> wrote:
>>
>>> (A) One-way authentication without key derivation (e.g.,
>>> MD5-Challenge) (B) One-way authentication with key derivation
>>> (C) Mutual authentication without key derivation
>>> (D) Mutual authentication with key derivation
>>>
>>> Case A) does not provide protected method indication and thus the
>>> authentication server cannot securely know whether the peer is
>>> satisfied.  So, defining a new AAA attribute does not provide useful
>>> information to the pass-through authenticator.
>>
>> Is the assumption then that if there is no key there is no mutual
>> authentication?  Does this overload the key to mean that mutual
>> authentication occurred?  Or can I only make a decision about whether
>> I have a key?
>
> I am not sure I understand the question, but there is certainly a case
> where there is mutual authentication but there is no key (derivation),
> which is Case C).
>
The question is that suppose one uses TLS host only authentication (not
mutual).  Is it possible for (master) keys to be derived at
authenticator and peer?  I think this is possible and desirable for
allowing access to a walled garden environment.  Am I wrong?


That case is another form of Case C). I think host only authentication is as vulnerable to rogue NAS attack as server only authentication. How can the host know whether it is connected to the walled garden instead of the attacker's network without authenticating the server?

I think a standard case would be to have the user authenticate the server using TLS, then authenticate some other way over the protected connection into the walled garden. For example, one might set up a VPN from the client to an edge device leaving the walled garden. In this case I don't think it is necessary to do mutual authentication initially.


John
Yoshihiro Ohba