Re: eap identity request and radius user-name attribute
From: Srinivasa Rao Addepalli (srao
Date: Thu, 9 Sep 2004 12:28:33 -0400 (EDT)
We were doing similar brainstorming recently among us internally.

In wireless scenario (802.1x), Identity is not known to the authenticator (Access Point, in this case) and in this case, EAP-Start message can be sent to the RADIUS Server, which starts with EAP-Identity phase. In case of IKEv2, identity is already known and we were also not sure whether EAP-Identity request would be honored by IKEv2 clients. So, we finally decided to frame EAP-Identity Response (fake it) within Authenticator (Node running IKEv2 server) and send it via RADIUS Access request to the RADIUS Server.

Our understanding is that, RADIUS Servers don't start with EAP-Identity phase, if it knows the Identity of the peer. It is also our understanding that, EAP-Identity response is accepted by the RADIUS Servers, even if it did not initiate it. We are yet to convince ourselves that this is the behaviour of all RADIUS Servers.

Srini
Intoto Inc.
www.intoto.com

----- Original Message ----- From: "Jari Arkko" <jari.arkko [at] piuha.net>
To: <eap [at] frascone.com>
Sent: Thursday, September 09, 2004 4:32 AM
Subject: [eap] eap identity request and radius user-name attribute
While discussing the use of IKEv2 in 3G networks with my colleagues, a question relating to EAP Identity Responses and RADIUS/Diameter EAP came up.
As background, IKEv2 specification says that the EAP identity request/response exchange should not be used. The identity of the client is transported in the IKEv2 payloads instead.
The question is how this identifier is carried to the AAA server. Presumably, the identifier should go to the User-Name attribute in RADIUS.
According to RFC 3579, it is possible to set the EAP-Payload attribute to an empty string, representing EAP-Start. But what do typical AAA servers do in this case, will they rely on the username from the User-Name attribute, or issue an EAP Identity Request? The latter would seem to be a violation of the IKEv2 specifications. I think our EAP state machines allow both behaviors, but I'm curious what the current behaviour is in existing implementations.
Secondly, it was suggested that the IKEv2 node could synthesise an EAP Identity Response packet and send that along in the EAP-Payload attribute. That doesn't seem quite right either, but would this break something? Are there EAP methods that integrity protect EAP messages exchanged earlier in the process?
--Jari
_______________________________________________ eap mailing list eap [at] frascone.com http://mail.frascone.com/mailman/listinfo/eap
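The two encodings the thread compares, as an added example that is not code from either poster: access_request builds the RADIUS Access-Request with User-Name plus either an empty EAP-Message (EAP-Start, as Jari cites from RFC 3579) or the EAP Response/Identity that Srini's authenticator synthesizes from the IKEv2 identity, and verify_message_authenticator is the check a AAA server applies before it trusts any EAP-Message. Attribute numbers and the HMAC-MD5 construction are those of RFC 2865 and RFC 3579; the shared secret and identity used in the test are constructed values.

```python
import hashlib
import hmac
import os
import struct

# Constants from RFC 2865 (RADIUS), RFC 3579 (RADIUS/EAP) and RFC 3748 (EAP)
ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1
EAP_START = b""  # an EAP-Message attribute with no data (length 2) signals EAP-Start (RFC 3579)

def eap_identity_response(eap_id: int, identity: bytes) -> bytes:
    """Synthesize an EAP Response/Identity (Code 2, Type 1) from an identity learned via IKEv2."""
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(identity), EAP_TYPE_IDENTITY) + identity

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute; Length counts the 2-byte Type/Length header."""
    if len(value) > 253:
        raise ValueError("value does not fit a single RADIUS attribute")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def access_request(secret: bytes, radius_id: int, user_name: bytes, eap_payload: bytes) -> bytes:
    """Access-Request carrying User-Name and EAP-Message. RFC 3579 requires Message-Authenticator
    on any packet with EAP-Message: HMAC-MD5 over the packet with that value set to 16 zero bytes."""
    attrs = attr(ATTR_USER_NAME, user_name) + attr(ATTR_EAP_MESSAGE, eap_payload)
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, radius_id, 20 + len(attrs)) + os.urandom(16)
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

def find_attr(pkt: bytes, attr_type: int):
    """Walk the attribute list; return (value_offset, value) of the first match, else None."""
    pos = 20
    while pos + 2 <= len(pkt):
        t, length = pkt[pos], pkt[pos + 1]
        if length < 2 or pos + length > len(pkt):
            raise ValueError("malformed attribute")
        if t == attr_type:
            return pos + 2, pkt[pos + 2:pos + length]
        pos += length
    return None

def verify_message_authenticator(secret: bytes, pkt: bytes) -> bool:
    """Receiver-side check: recompute the HMAC with the attribute zeroed; constant-time compare."""
    hit = find_attr(pkt, ATTR_MESSAGE_AUTHENTICATOR)
    if hit is None or len(hit[1]) != 16:
        return False  # RFC 3579: EAP-Message without a valid Message-Authenticator is discarded
    off, mac = hit
    zeroed = pkt[:off] + bytes(16) + pkt[off + 16:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), mac)
```

Whether a given server then answers the EAP-Start form with an EAP Identity Request or proceeds from User-Name is exactly the implementation question the thread leaves open; the synthesized form removes that ambiguity at the cost Jari raises.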