eap Mailing List: RE: Re: method identification

[Suresh (sureshvv]

-----Original Message-----
From: eap-admin [at] frascone.com [mailto:eap-admin [at] frascone.com]On Behalf 
Of
Bernard Aboba
Sent: Thursday, August 26, 2004 12:03 AM
To: eap [at] frascone.com
Subject: [eap] Re: method identification


> I have the following two questions? Kindly clarify.
>
> Question 1
> This is regarding EAP behaving as a relay. RFC-3579 (RADIUS support for
EAP)
> states, that NAS can send a RADIUS access request with EAP-Start attribute
> to the RADIUS server.

[BA] This is not the typical mode because it implies that the NAS will be
sending an Access-Request every time a user connects, even if they cannot
respond to an Identity Request.  So if there are hosts that don't support
EAP, this generates a high RADIUS server load.

I think, NAS and client will know what type of authetication method
that they want to go for. Without knowing what authentication to be
used, I am unable to visualize how NAS starts that
particular method negotiation. And for each user that connects to the
NAS, I think there is no need to send a RADIUS access request
with EAP-Start attribute. If the NAS and the client negotiates
to go for EAP, then only NAS sends a RADIUS access request with
EAP-Start attribute to the RADIUS server. This is what I have seen
in IKEv2 using EAP as mutual authentication. The initiator in IKEv2
desires to go for EAP authentication by sending third message
without AUTH payload. I think it is similar in case of PPP.
Is there any exception?


> How does the NAS inform the RADIUS server, to frame a particular
> method specific start request for the above sent Access request? i.e. how
> does the NAS informs the RADIUS server that a particular method
> functionality is required?

[BA]In RADIUS/EAP, the NAS acts as a passthrough so it lets the RADIUS
server
make that determination.

Does it means that there exists a policy in RADIUS which will specify
what method has to be selected for the particular ID received in
EAP-Response/Identity.

> What I understood from the RFC is that, RADIUS server may frame EAP-ID
> request and to that client responds. Based on the ID received, the RADIUS
> server identifies an EAP-Method i.e. ID very specific to the method. Is
> there any specific reason that, there is no attribute in the RADIUS Access
> Request to identify an EAP-method to be used by the RADIUS server, so that
> identity will be independant of method? Kindly clarify.

[BA]The EAP-Request/Identity is independent of the EAP method.  There is no
attribute to request an EAP method because the NAS acts as a passthrough
in RADIUS/EAP.

Yes, it is true that EAP-Request/Identity is independant of EAP method.
Is the identity received in the EAP-Response/Identity is specific to a
method? Based on the identity received, does the RADIUS server identify
that a particular EAP method has to be used?


> Question 2
> How does the RADIUS server keeps track of each EAP authentication context?
> Is there any concept of re-authentication, in Client-NAS mutual
> authentication using EAP? i.e. Can RADIUS server identify a particular
> connection has already authenticated, and it is going for
re-uthentication.

Typically the RADIUS server keeps track of the context via a State
attribute.  Reauthentication is supported via the Session-Timeout
attribute in RADIUS, as explained in RFC 3580.  Since a re-authentication
looks exactly like a regular authentication, there is typically no need
for the RADIUS to distinguish between them.

Thank you very much for the clarification.

_______________________________________________
eap mailing list
eap [at] frascone.com
http://mail.frascone.com/mailman/listinfo/eap