Subject: RE: Re: method identification
From: Bernard Aboba (aboba
Date: Thu, 26 Aug 2004 09:03:27 -0400 (EDT)
> I think, NAS and client will know what type of authentication method
> that they want to go for.

The NAS only acts as the EAP server if it implements one or more EAP methods and is authenticating the user locally. Otherwise, the AAA server acts as the EAP server and the NAS is just a pass-through. Here is what RFC 3748 says:

   Within or associated with each authenticator, it is not anticipated
   that a particular named peer will support a choice of methods. This
   would make the peer vulnerable to attacks that negotiate the least
   secure method from among a set. Instead, for each named peer, there
   SHOULD be an indication of exactly one method used to authenticate
   that peer name. If a peer needs to make use of different
   authentication methods under different circumstances, then distinct
   identities SHOULD be employed, each of which identifies exactly one
   authentication method.

> Without knowing what authentication to be
> used, I am unable to visualize how NAS starts that
> particular method negotiation.

Unless the NAS is acting as the EAP server, it doesn't start the method negotiation -- the RADIUS server does.

> Does it mean that there exists a policy in RADIUS which will specify
> what method has to be selected for the particular ID received in
> EAP-Response/Identity?

The RADIUS server needs to be able to select an EAP method for use with a particular authentication. It could require the User-Name in order to do that, or it might have the same policy for all users within a particular realm.

> Yes, it is true that EAP-Request/Identity is independent of EAP method.
> Is the identity received in the EAP-Response/Identity specific to a
> method? Based on the identity received, does the RADIUS server identify
> that a particular EAP method has to be used?

The EAP-Response/Identity is not specific to a method, because when the peer sends this packet it doesn't know what method will be requested yet. The RADIUS server may select the identity based on some or all of the contents of the EAP-Request/Identity, or it may use the same method for all users. This is purely an implementation issue.
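As an added illustration (not code from this thread or from any implementation it mentions), a small Python sketch of the arrangement described above: the NAS relays the EAP-Response/Identity untouched, and the RADIUS side maps each named peer, or failing that its realm, to exactly one EAP method, as RFC 3748 recommends. The policy table, identities and realms are constructed for the example; only the EAP header and Type byte are built, not any method-specific Type-Data.

```python
import struct

# EAP Code and method Type numbers from RFC 3748 and the IANA registry.
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY = 1
EAP_TYPE_TLS, EAP_TYPE_TTLS, EAP_TYPE_PEAP = 13, 21, 25

# Constructed policy (hypothetical): a per-peer entry wins over its realm
# entry, and every entry names exactly one method, never a choice.
POLICY = {
    "peer": {"alice@example.net": EAP_TYPE_TLS},
    "realm": {"example.net": EAP_TYPE_PEAP, "example.org": EAP_TYPE_TTLS},
}


def validate_policy(policy):
    """Refuse a policy that would let a named peer negotiate among methods."""
    for scope in ("peer", "realm"):
        for name, method in policy[scope].items():
            if not isinstance(method, int):
                raise ValueError(f"{scope} {name!r} must map to exactly one EAP Type")
    return True


def identity_response(ident, identity):
    """EAP-Response/Identity as the peer sends it and the NAS forwards it."""
    data = identity.encode("utf-8")
    return struct.pack("!BBHB", EAP_RESPONSE, ident, 5 + len(data), EAP_TYPE_IDENTITY) + data


def parse_identity_response(pkt):
    """Parse Code/Identifier/Length/Type and return (Identifier, identity string)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != EAP_RESPONSE or length != len(pkt) or pkt[4] != EAP_TYPE_IDENTITY:
        raise ValueError("not a well-formed EAP-Response/Identity")
    return ident, pkt[5:length].decode("utf-8")


def select_method(identity, policy=POLICY):
    """The one EAP Type the server will run for this identity, or None if unknown."""
    if identity in policy["peer"]:
        return policy["peer"][identity]
    realm = identity.rsplit("@", 1)[1] if "@" in identity else None
    return policy["realm"].get(realm)


def first_request(pkt, policy=POLICY):
    """Header + Type of the first EAP-Request the server returns via Access-Challenge."""
    ident, identity = parse_identity_response(pkt)
    method = select_method(identity, policy)
    if method is None:
        return None  # unknown peer and realm: Access-Reject, no method is offered
    return struct.pack("!BBHB", EAP_REQUEST, (ident + 1) & 0xFF, 5, method)
```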