eap Mailing List: Re: Issue 290: State Tracking

[Jari Arkko (jari.arkko]

Works for me.

Adrangi, Farid wrote:
> Actually, I would revise my proposal slightly, as below
>
> "
>    The EAP authenticator MAY send an identity hint to the peer in the
>    initial EAP-Request/Identity.  If the identity hint is not sent
>    initially (such as when the authenticator does not support this
>    specification), then if the local AAA proxy implementing this
>    specification receives an EAP-Response/Identity with an unknown
>    realm, it SHOULD reply with an EAP-Request/Identity containing an
>    identity hint.
>
>    If after the local AAA proxy sends an EAP-Request/Identity containing
>    an identity hint, the peer responds with an EAP-Response/Identity
>    containing an unknown realm, then the local AAA proxy MAY respond
>    immediately with an EAP Failure packet, or it MAY first send an
>    EAP-Notification providing the reason for the failure.
>
>    When an Identity hint is sent by a AAA proxy, the AAA proxy MUST be
>    able to determine if an identity hint had previously been sent by it 
>    to the EAP peer.  For example, when RADIUS is used, State(24)
> attribute
>    can be used to achieve this.
> "
>
> BR,
> Farid
>
>
>
> > -----Original Message-----
> > From: eap-admin [at] frascone.com [mailto:eap-admin [at] frascone.com] 
> > On Behalf Of Adrangi, Farid
> > Sent: Saturday, February 19, 2005 12:24 PM
> > To: Bernard Aboba; eap [at] frascone.com
> > Subject: RE: [eap] Issue 290: State Tracking
> >
> >
> > Hi Bernard,
> >
> > Good catch!  Thanks! We explain this in the appendix -- but 
> > now since we
> > changed the language in section 2 we need to mention this in the
> > normative part.  We can revise the text as below
> >
> > "
> >   The EAP authenticator MAY send an identity hint to the peer in the
> >   initial EAP-Request/Identity.  If the identity hint is not sent
> >   initially (such as when the authenticator does not support this
> >   specification), then if the local AAA proxy implementing this
> >   specification receives an EAP-Response/Identity with an unknown
> >   realm, it SHOULD reply with an EAP-Request/Identity containing an
> >   identity hint.
> >
> >   When an Identity hint is sent by a RADIUS proxy, a RADIUS
> >   State (24) attribute can be used to help the RADIUS proxy
> >   determine if an identity hint had previously been sent by it to the
> >   EAP peer.
> >
> >   If after the local AAA proxy sends an EAP-Request/Identity 
> > containing
> >   an identity hint, the peer responds with an EAP-Response/Identity
> >   containing an unknown realm, then the local AAA proxy MAY respond
> >   immediately with an EAP Failure packet, or it MAY first send an
> >   EAP-Notification providing the reason for the failure.
> > "  
> >
> > The second paragraph above will be removed from the appendix. 
> > Will this
> > work for you?
> >
> > BR,
> > Farid
> >
> >
> > > -----Original Message-----
> > > From: eap-admin [at] frascone.com [mailto:eap-admin [at] frascone.com] 
> > > On Behalf Of Bernard Aboba
> > > Sent: Saturday, February 19, 2005 11:59 AM
> > > To: eap [at] frascone.com
> > > Subject: [eap] Issue 290: State Tracking
> > >
> > >
> > > Issue 290: State Tracking
> > > Submitter name: Bernard Aboba
> > > Submitter email address: aboba [at] internaut.com
> > > Date first submitted: 2/18/2005
> > > Reference:
> > > Document: IDSEL-08
> > > Comment type: T
> > > Priority: S
> > > Section: 2
> > > Rationale/Explanation of issue
> > >
> > > There are paragraphs in the latest version of the draft which 
> > > change the
> > > behavior of AAA proxies:
> > >
> > > "  The EAP authenticator MAY send an identity hint to the 
> >
> > peer in the
> >
> > >   initial EAP-Request/Identity.  If the identity hint is not sent
> > >   initially (such as when the authenticator does not support this
> > >   specification), then if the local AAA proxy implementing this
> > >   specification receives an EAP-Response/Identity with an unknown
> > >   realm, it SHOULD reply with an EAP-Request/Identity containing an
> > >   identity hint.
> > >
> > >   If after the local AAA proxy sends an EAP-Request/Identity 
> > > containing
> > >   an identity hint, the peer responds with an EAP-Response/Identity
> > >   containing an unknown realm, then the local AAA proxy MAY respond
> > >   immediately with an EAP Failure packet, or it MAY first send an
> > >   EAP-Notification providing the reason for the failure."
> > >
> > > I think the document needs to suggest how the above changes can be
> > > implemented without requiring RADIUS proxies to keep state.  
> > > For example,
> > > use of the State attribute might be mentioned.
> > > _______________________________________________
> > > eap mailing list
> > > eap [at] frascone.com
> > > http://mail.frascone.com/mailman/listinfo/eap
> >
> > _______________________________________________
> > eap mailing list
> > eap [at] frascone.com
> > http://mail.frascone.com/mailman/listinfo/eap
>
> _______________________________________________
> eap mailing list
> eap [at] frascone.com
> http://mail.frascone.com/mailman/listinfo/eap