RE: Issue 290: State Tracking

From: Adrangi, Farid (farid.adrangi
Date: Sat, 19 Feb 2005 15:23:58 -0500 (EST)

Hi Bernard,

Good catch! Thanks! We explain this in the appendix -- but now since we changed the language in section 2 we need to mention this in the normative part. We can revise the text as below

" The EAP authenticator MAY send an identity hint to the peer in the initial EAP-Request/Identity. If the identity hint is not sent initially (such as when the authenticator does not support this specification), then if the local AAA proxy implementing this specification receives an EAP-Response/Identity with an unknown realm, it SHOULD reply with an EAP-Request/Identity containing an identity hint.

When an Identity hint is sent by a RADIUS proxy, a RADIUS State (24) attribute can be used to help the RADIUS proxy determine if an identity hint had previously been sent by it to the EAP peer.

If after the local AAA proxy sends an EAP-Request/Identity containing an identity hint, the peer responds with an EAP-Response/Identity containing an unknown realm, then the local AAA proxy MAY respond immediately with an EAP Failure packet, or it MAY first send an EAP-Notification providing the reason for the failure. "

The second paragraph above will be removed from the appendix.

Will this work for you?

BR,
Farid

> -----Original Message-----
> From: eap-admin [at] frascone.com [mailto:eap-admin [at] frascone.com]
> On Behalf Of Bernard Aboba
> Sent: Saturday, February 19, 2005 11:59 AM
> To: eap [at] frascone.com
> Subject: [eap] Issue 290: State Tracking
>
>
> Issue 290: State Tracking
> Submitter name: Bernard Aboba
> Submitter email address: aboba [at] internaut.com
> Date first submitted: 2/18/2005
> Reference:
> Document: IDSEL-08
> Comment type: T
> Priority: S
> Section: 2
> Rationale/Explanation of issue
>
> There are paragraphs in the latest version of the draft which change the
> behavior of AAA proxies:
>
> " The EAP authenticator MAY send an identity hint to the peer in the
> initial EAP-Request/Identity. If the identity hint is not sent
> initially (such as when the authenticator does not support this
> specification), then if the local AAA proxy implementing this
> specification receives an EAP-Response/Identity with an unknown
> realm, it SHOULD reply with an EAP-Request/Identity containing an
> identity hint.
>
> If after the local AAA proxy sends an EAP-Request/Identity containing
> an identity hint, the peer responds with an EAP-Response/Identity
> containing an unknown realm, then the local AAA proxy MAY respond
> immediately with an EAP Failure packet, or it MAY first send an
> EAP-Notification providing the reason for the failure."
>
> I think the document needs to suggest how the above changes can be
> implemented without requiring RADIUS proxies to keep state. For example,
> use of the State attribute might be mentioned.
> _______________________________________________
> eap mailing list
> eap [at] frascone.com
> http://mail.frascone.com/mailman/listinfo/eap
>
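
The following sketch is an added example, not part of the original message or of the draft: one way a proxy could carry "hint already sent" in the RADIUS State (24) attribute instead of a per-session table. The marker layout (timestamp, nonce, truncated HMAC), the `MAX_AGE` policy, the function names and the action labels are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct
import time

MAX_AGE = 30   # seconds a marker stays valid (assumed policy, not from the draft)
TAG_LEN = 16   # truncated HMAC-SHA256 tag length in bytes (assumed)

def _tag(key, ts, nonce):
    return hmac.new(key, b"hint-sent" + ts + nonce, hashlib.sha256).digest()[:TAG_LEN]

def make_state(key, now=None):
    """Build the opaque State value sent along with the identity hint."""
    ts = struct.pack("!I", int(time.time() if now is None else now))
    nonce = os.urandom(8)
    return ts + nonce + _tag(key, ts, nonce)

def hint_was_sent(key, state, now=None):
    """True only for a fresh, authentic marker minted with this proxy's key."""
    if state is None or len(state) != 4 + 8 + TAG_LEN:
        return False
    ts, nonce, tag = state[:4], state[4:12], state[12:]
    if not hmac.compare_digest(tag, _tag(key, ts, nonce)):
        return False   # forged or corrupted State is treated as "no hint sent"
    age = int(time.time() if now is None else now) - struct.unpack("!I", ts)[0]
    return 0 <= age <= MAX_AGE

def on_identity_response(key, realm, known_realms, state=None, now=None):
    """Choose the reply to an EAP-Response/Identity; returns (action, new_state)."""
    if realm in known_realms:
        return ("FORWARD", None)
    if hint_was_sent(key, state, now):
        # Hint was already offered: the text allows EAP Failure, optionally
        # preceded by an EAP-Notification giving the reason.
        return ("EAP_FAILURE", None)
    # First unknown realm seen: send the hint and attach State so the
    # echoed attribute identifies the follow-up request.
    return ("EAP_REQUEST_IDENTITY_WITH_HINT", make_state(key, now))
```

A request that arrives without State is handled as a first attempt, so this bounds hint repetition only when the NAS echoes State back as RFC 2865 requires.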