| RE: [Isms] RADIUS is not a trusted third party | <– Date –> <– Thread –> |
From: Glen Zorn (gwz) (gwz cisco.com)
|
|
| Date: Sun, 17 Apr 2005 14:10:09 -0400 (EDT) | |
Tschofenig Hannes <> supposedly scribbled: > hi sam, > > you have intentionally chosen a provocative title for your mail. > > you write: > > " >> Remember that RADIUS is a callout service; it is not a trusted third >> party. In other words, in a particular SNMP authentication, only one >> of the parties will know that RADIUS is being used. " > > what is a "callout service"? > what is radius for you? (you write that it is not a trusted third > party.) It's not. From the point of view of authentication protocols (PAP, CHAP, EAP, etc.), both RADIUS and Diameter are just "wires": the operation of the auth protocols should be exactly the same as if they terminated in the AAA client, instead of elsewhere. Basically, the purpose of AAA (again, from the POV of an authentication protocol) is simply scaling. BTW, a lot of misery has been caused by the erroneous belief that EAP is (or can be) a three-party authentication protocol: it isn't, and can't be. It could _carry_ a three-party protocol (like Kerberos), but EAP in itself is a two-party protocol. > why do you care that only one party knows that radius is > used? it could also be diameter. > > i would like to better understand why some people dislike the aaa > architecture (radius, diameter). I think that the misunderstanding mentioned above might have something to do with it... > > ciao > hannes > > >> -----Ursprüngliche Nachricht----- >> Von: isms-bounces [at] lists.ietf.org >> [mailto:isms-bounces [at] lists.ietf.org] Im Auftrag von Sam Hartman >> Gesendet: Freitag, 15. April 2005 19:34 >> An: Martin Soukup >> Cc: isms [at] ietf.org >> Betreff: [Isms] RADIUS is not a trusted third party >> >> >>>>>>> "Martin" == Martin Soukup <msoukup [at] nortel.com> writes: >> >> Martin> RADIUS "Access-Accept" indicates a successful >> Martin> authenthentication response for a user. >> >> Martin> The Access-Accept already returns a "Session-Timeout", >> Martin> defined as "Sets the maximum number of seconds of service >> Martin> to be provided to the user before the session >> Martin> terminates. This attribute value becomes the per-user >> Martin> "absolute timeout."". >> >> This only tells the SNMP engine talking to the RADIUS server the >> timeout. You need to tell the other side of the exchange the >> timeout too. >> >> Remember that RADIUS is a callout service; it is not a trusted third >> party. In other words, in a particular SNMP authentication, only one >> of the parties will know that RADIUS is being used. >> >> >> _______________________________________________ >> Isms mailing list >> Isms [at] lists.ietf.org >> https://www1.ietf.org/mailman/listinfo/isms >> > > _______________________________________________ > Isms mailing list > Isms [at] lists.ietf.org > https://www1.ietf.org/mailman/listinfo/isms Hope this helps, ~gwz Why is it that most of the world's problems can't be solved by simply listening to John Coltrane? -- Henry Gabriel
-
RE: [Isms] RADIUS is not a trusted third party Glen Zorn (gwz), April 17 2005
-
RE: RE: [Isms] RADIUS is not a trusted third party Alper Yegin, April 19 2005
-
RE: RE: [Isms] RADIUS is not a trusted third party Glen Zorn (gwz), April 19 2005
- RE: RE: [Isms] RADIUS is not a trusted third party Alper Yegin, April 20 2005
-
RE: RE: [Isms] RADIUS is not a trusted third party Glen Zorn (gwz), April 19 2005
- RE: RE: [Isms] RADIUS is not a trusted third party Glen Zorn (gwz), April 19 2005
-
RE: RE: [Isms] RADIUS is not a trusted third party Alper Yegin, April 19 2005
Results generated by Tiger Technologies using MHonArc.