Re: use of EAP over IKEv2

From: Bernard Aboba (aboba
Date: Tue, 6 Apr 2004 11:20:01 -0400 (EDT)

While the AAA server could be informed that IKEv2 is being used (e.g. NAS-Port-Type), it cannot generate different keys based on that information. This would be a violation of the "media independence" property of EAP. So the bottom line is that

On Tue, 6 Apr 2004, David Mariblanca (ML/EEM) wrote:

>
> Hi,
> I have found a problem when EAP is used over IKEv2 and I would appreciate
> some help on the issue.
> When EAP is carried over IKEv2, a common situation is that the host where EAP
> terminates is not the same as for IKEv2. In that case, the IKEv2 termination
> point unpacks the IKEv2 messages, takes the EAP messages and forwards them to
> the EAP termination point over RADIUS or Diameter.
> The problem I see is that the EAP server has no way to know that these EAP
> messages are being carried over IKEv2. This knowledge is important for the
> EAP server, for example to derive keys that will be used to generate AUTH
> payloads in IKEv2.
> The service type AVP does not have a reserved value for this, and I don't
> find any other suitable parameter to convey this information. How could this
> be done?
>
> Thanks a lot and best regards,
> David.
>