eap identity request and radius user-name attribute

From: Jari Arkko (jari.arkko
Date: Thu, 9 Sep 2004 07:33:41 -0400 (EDT)

While discussing the use of IKEv2 in 3G networks with my colleagues, a question relating to EAP Identity Responses and RADIUS/Diameter EAP came up.
As background, the IKEv2 specification says that the EAP identity request/response exchange should not be used. The identity of the client is transported in the IKEv2 payloads instead.
The question is how this identifier is carried to the AAA server. Presumably, the identifier should go to the User-Name attribute in RADIUS.
According to RFC 3579, it is possible to set the EAP-Payload attribute to an empty string, representing EAP-Start. But what do typical AAA servers do in this case: will they rely on the username from the User-Name attribute, or issue an EAP Identity Request? The latter would seem to be a violation of the IKEv2 specifications. I think our EAP state machines allow both behaviors, but I'm curious what the current behaviour is in existing implementations.
Secondly, it was suggested that the IKEv2 node could synthesise an EAP Identity Response packet and send that along in the EAP-Payload attribute. That doesn't seem quite right either, but would this break something? Are there EAP methods that integrity-protect EAP messages exchanged earlier in the process?
--Jari
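
As an added illustration (not part of the original message and not any AAA server's own code), the Python sketch below builds the two Access-Request variants the message contrasts: an empty EAP attribute as EAP-Start, and a NAS-synthesised EAP-Response/Identity, each sent alongside User-Name. It assumes the RFC 3579 RADIUS encoding, where EAP is carried in the EAP-Message attribute (type 79) and protected by Message-Authenticator (type 80); the shared secret, identity and authenticator values are constructed samples.

```python
import hashlib
import hmac
import struct

# RADIUS attribute types (RFC 2865 / RFC 3579) and EAP constants (RFC 3748)
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80
ACCESS_REQUEST, EAP_RESPONSE, EAP_TYPE_IDENTITY = 1, 2, 1

def attr(attr_type, value):
    """Encode one attribute; the length octet counts the 2-octet header."""
    if len(value) > 253:
        raise ValueError("value too long for a single attribute")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def eap_identity_response(eap_id, identity):
    """EAP-Response/Identity as a NAS would synthesise it from the IKEv2 ID."""
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(identity),
                       EAP_TYPE_IDENTITY) + identity

def access_request(pkt_id, authenticator, secret, identity, eap=b""):
    """Access-Request with User-Name and EAP-Message; eap=b"" is EAP-Start."""
    attrs = attr(USER_NAME, identity) + attr(EAP_MESSAGE, eap)
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed while computing HMAC
    header = struct.pack("!BBH", ACCESS_REQUEST, pkt_id, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac  # Message-Authenticator is the last attribute

def parse_attrs(packet):
    """Return {type: value} for the attributes, as the AAA server would see them."""
    out, pos = {}, 20
    while pos < len(packet):
        length = packet[pos + 1] if pos + 1 < len(packet) else 0
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        out[packet[pos]] = packet[pos + 2:pos + length]
        pos += length
    return out

def authenticator_ok(packet, secret):
    """Recompute HMAC-MD5 with the Message-Authenticator value zeroed."""
    zeroed = packet[:-16] + bytes(16)
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), packet[-16:])

# Constructed sample values, not taken from any real deployment
SECRET, IDENTITY, REQ_AUTH = b"sample-secret", b"user@example.org", bytes(range(16))
eap_start = access_request(1, REQ_AUTH, SECRET, IDENTITY)
synthesised = access_request(2, REQ_AUTH, SECRET, IDENTITY, eap_identity_response(0, IDENTITY))
for name, pkt in (("EAP-Start", eap_start), ("synthesised identity", synthesised)):
    print(name, parse_attrs(pkt), authenticator_ok(pkt, SECRET))
```

In the EAP-Start packet the server has only User-Name to go on, while in the synthesised variant the same identity appears twice and a server can compare the two values.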