Re: method identification
From: Bernard Aboba (abobainternaut.com)
Date: Wed, 25 Aug 2004 14:23:40 -0400 (EDT)
> I have the following two questions. Kindly clarify.
>
> Question 1
> This is regarding EAP behaving as a relay. RFC 3579 (RADIUS support for EAP)
> states that the NAS can send a RADIUS Access-Request with an EAP-Start attribute
> to the RADIUS server.

[BA] This is not the typical mode because it implies that the NAS will be
sending an Access-Request every time a user connects, even if they cannot
respond to an Identity Request.  So if there are hosts that don't support
EAP, this generates a high RADIUS server load.

> How does the NAS inform the RADIUS server to frame a particular
> method-specific start request for the above-sent Access-Request? i.e. how
> does the NAS inform the RADIUS server that a particular method
> functionality is required?

In RADIUS/EAP, the NAS acts as a passthrough so it lets the RADIUS server
make that determination.

> What I understood from the RFC is that the RADIUS server may frame an EAP-ID
> request, to which the client responds. Based on the ID received, the RADIUS
> server identifies an EAP method, i.e. an ID very specific to the method. Is
> there any specific reason that there is no attribute in the RADIUS
> Access-Request to identify an EAP method to be used by the RADIUS server, so
> that identity will be independent of method? Kindly clarify.

The EAP-Request/Identity is independent of the EAP method.  There is no
attribute to request an EAP method because the NAS acts as a passthrough
in RADIUS/EAP.

> Question 2
> How does the RADIUS server keep track of each EAP authentication context?
> Is there any concept of re-authentication in Client-NAS mutual
> authentication using EAP? i.e. Can the RADIUS server identify that a particular
> connection has already authenticated and is going for re-authentication?

Typically the RADIUS server keeps track of the context via a State
attribute.  Reauthentication is supported via the Session-Timeout
attribute in RADIUS, as explained in RFC 3580.  Since a re-authentication
looks exactly like a regular authentication, there is typically no need
for the RADIUS server to distinguish between them.
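The passthrough and State-tracking behaviour discussed in this thread, as an added illustration that is not part of the original message or of any RFC text. It models the RADIUS server side only: the NAS is assumed to forward EAP packets untouched inside EAP-Message attributes, RADIUS attributes are represented as a plain Python dict rather than wire format, and the realm-to-method policy table is a constructed assumption. EAP packet layout and type numbers follow RFC 3748 and the IANA EAP registry; EAP-Start (an EAP-Message attribute with no data) follows RFC 3579.

```python
import secrets
import struct

# EAP codes and types (RFC 3748 section 4 and the IANA EAP type registry)
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY = 1
EAP_TYPE_MD5 = 4
EAP_TYPE_TLS = 13
EAP_TYPE_PEAP = 25

# Constructed policy for this example: the server, not the NAS, picks the
# method once it has seen the identity (here: from the realm after '@').
REALM_METHODS = {"corp.example": EAP_TYPE_TLS, "guest.example": EAP_TYPE_PEAP}


def eap_encode(code, ident, eap_type, data=b""):
    """Build an EAP packet: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data


def eap_decode(pkt):
    """Parse an EAP packet, rejecting truncated or mis-sized input."""
    if len(pkt) < 5:
        raise ValueError("EAP packet too short")
    code, ident, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt):
        raise ValueError("EAP Length field does not match packet size")
    return code, ident, eap_type, pkt[5:]


def select_method(identity):
    """Method choice is a server-side decision driven by the identity (constructed policy)."""
    realm = identity.rpartition("@")[2] if "@" in identity else ""
    return REALM_METHODS.get(realm, EAP_TYPE_MD5)


class EapRadiusServer:
    """RADIUS/EAP server that tracks each EAP conversation by its State attribute."""

    def __init__(self):
        self.sessions = {}  # State value (bytes) -> per-conversation context

    def handle(self, attrs):
        """Handle one Access-Request (dict of attributes); return (code, reply attrs)."""
        eap = attrs.get("EAP-Message")
        if eap is None:
            return "Access-Reject", {}  # not an EAP conversation
        state = attrs.get("State")
        if state is None:
            # No State: a brand-new conversation. A re-authentication also
            # arrives this way and is indistinguishable from a first login.
            # State must be unpredictable so one peer cannot guess another's.
            state = secrets.token_bytes(16)
            ctx = self.sessions[state] = {"last_id": 0}
            if eap == b"":  # EAP-Start (RFC 3579 2.1): server asks for the identity
                return self._challenge(state, ctx, EAP_TYPE_IDENTITY)
        else:
            ctx = self.sessions.get(state)
            if ctx is None:
                return "Access-Reject", {}  # unknown or expired State
        try:
            code, ident, eap_type, data = eap_decode(eap)
        except ValueError:
            return self._reject(state)
        # The NAS is a passthrough: only the peer's EAP Responses reach us, and
        # a Response must echo the Identifier of the Request we last sent.
        if code != EAP_RESPONSE or (ctx["last_id"] and ident != ctx["last_id"]):
            return self._reject(state)
        if eap_type == EAP_TYPE_IDENTITY and "identity" not in ctx:
            ctx["identity"] = data.decode("utf-8", "replace")
            ctx["method"] = select_method(ctx["identity"])
            return self._challenge(state, ctx, ctx["method"])
        return self._reject(state)  # method-specific exchanges are out of scope here

    def _challenge(self, state, ctx, eap_type):
        ctx["last_id"] = (ctx["last_id"] + 1) % 256
        eap = eap_encode(EAP_REQUEST, ctx["last_id"], eap_type)
        return "Access-Challenge", {"State": state, "EAP-Message": eap}

    def _reject(self, state):
        self.sessions.pop(state, None)  # drop context so a bad State cannot linger
        return "Access-Reject", {}


if __name__ == "__main__":
    srv = EapRadiusServer()
    code, reply = srv.handle({"EAP-Message": b""})  # NAS sends EAP-Start
    _, req_id, _, _ = eap_decode(reply["EAP-Message"])
    identity = eap_encode(EAP_RESPONSE, req_id, EAP_TYPE_IDENTITY, b"alice@corp.example")
    code, reply = srv.handle({"State": reply["State"], "EAP-Message": identity})
    print(code, "method type", eap_decode(reply["EAP-Message"])[2])
```

The second call in the usage block carries the State returned by the first, which is what lets the server find the context; a request carrying a State it never issued is rejected and no method is ever named by the NAS.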