Subject: Re: Re: [802.1] Re: 802.1X interface variable
From: John Vollbrecht (jrv
Date: Tue, 13 Jan 2004 11:20:46 -0500 (EST)
--On Monday, January 12, 2004 6:24 PM -0800 Yoshihiro Ohba <yohba [at] tari.toshiba.com> wrote:

> On Mon, Jan 12, 2004 at 08:40:37PM -0500, John Vollbrecht wrote:
>> The question is that suppose one uses TLS host only authentication
>> (not mutual). Is it possible for (master) keys to be derived at
>> authenticator and peer? I think this is possible and desirable for
>> allowing access to a walled garden environment. Am I wrong?
>>
>
> That case is another form of Case C). I think host only
> authentication is as vulnerable to rogue NAS attack as server only
> authentication. How the host can know whether it is connected to the
> walled garden instead of the attacker's network without authenticating
> the server?
>
>> I think a standard case would be to have the user authenticate the
>> server using TLS, then authenticate some other way over the protected
>> connection into the walled garden. For example one might set up a VPN
>> from the client to an edge device leaving the walled garden. In this
>> case I don't think it is necessary to do mutual authentication
>> initially.
>
> As long as two one-way authentications in different directions are
> cryptographically bound, it is ok. But it actually forms a mutual
> authentication if we view the combined authentications as a unified
> mechanism (e.g., the EAP usage in IKEv2).

I am not sure of your meaning. Are you agreeing that the EAP authentication does not have to be mutual? Or are you thinking the second authentication would be in the same method? My thinking is that if the second authentication is done after the first has allowed attaching to the network at the walled garden, then (in this example) the first (EAP) method is not mutual.

In fact, if the user does not want to leave the walled garden, then the second authentication may never be done. The walled garden provider does not care who the user is, and the user knows who the walled garden is.

I think this is ok - do you agree?
-- John
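The "cryptographically bound" condition raised in the quoted reply, shown as an added sketch for this archive page (not code from either author, nor the IKEv2 or any EAP tunnel method's actual construction): the HMAC-based key derivation, the key names and the two-scenario simulation are all assumptions made for illustration. It models the outer one-way exchange (peer authenticates the server, both get a tunnel key) and an inner one-way exchange (peer proves its identity, both get an inner key), and compares a session key that mixes both keys with one derived from the inner key alone.

```python
import hmac
import hashlib
import os

# Illustrative compound-key binding (added example, not from the thread or any
# standard). The outer exchange yields a tunnel key known to whoever terminates
# the tunnel; the inner exchange yields an inner key shared by peer and server.

def kdf(key: bytes, label: bytes, length: int = 32) -> bytes:
    """Single-block HMAC-SHA256 expansion; stands in for a real KDF (assumption)."""
    return hmac.new(key, label + b"\x01", hashlib.sha256).digest()[:length]

def bound_session_key(tunnel_key: bytes, inner_key: bytes) -> bytes:
    """Compound key: depends on BOTH one-way authentications."""
    return kdf(tunnel_key + inner_key, b"compound-binding")

def unbound_session_key(tunnel_key: bytes, inner_key: bytes) -> bytes:
    """Unbound variant: only the inner authentication contributes."""
    return kdf(inner_key, b"inner-only")

def honest_scenario(derive) -> bool:
    """Peer talks directly to the real server: one tunnel key, one inner key.
    Returns True when both ends derive the same session key."""
    tunnel_key = os.urandom(32)  # constructed
    inner_key = os.urandom(32)   # constructed
    return hmac.compare_digest(derive(tunnel_key, inner_key),
                               derive(tunnel_key, inner_key))

def relay_scenario(derive) -> bool:
    """Model of the rogue-NAS case from the thread: the peer's tunnel ends at a
    rogue NAS (tunnel key A), which opens its own tunnel to the real server
    (tunnel key B) and forwards the inner exchange untouched, so the inner key
    is still shared by peer and server. Returns True if the two ends still
    agree on the session key, i.e. the binding does NOT detect the relay."""
    tunnel_key_peer_rogue = os.urandom(32)    # constructed: peer <-> rogue NAS
    tunnel_key_rogue_server = os.urandom(32)  # constructed: rogue NAS <-> server
    inner_key = os.urandom(32)                # constructed: same on both ends
    peer_key = derive(tunnel_key_peer_rogue, inner_key)
    server_key = derive(tunnel_key_rogue_server, inner_key)
    return hmac.compare_digest(peer_key, server_key)
```

With the unbound derivation the relay goes unnoticed (both ends agree on the key); with the bound derivation the keys diverge, so a confirmation of the session key exposes the mismatch, which is what makes the two one-way authentications behave as one mutual one.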