| RE: RE: [Isms] RADIUS is not a trusted third party | <– Date –> <– Thread –> |
From: Alper Yegin (alper.yegin samsung.com)
|
|
| Date: Tue, 19 Apr 2005 20:29:22 -0400 (EDT) | |
Glen, > > what is radius for you? (you write that it is not a trusted third > > party.) > > It's not. From the point of view of authentication protocols (PAP, > CHAP, EAP, etc.), both RADIUS and Diameter are just "wires": What happens when we look at this picture from the "authorization" perspective? "Host-to-NAS authorization for the network access service" is dynamically generated from "host-to-AAA server" authorization and "AAA server to client (NAS)" authorization. Wouldn't this constitute a 3-party model? Alper > the > operation of the auth protocols should be exactly the same as if > they terminated in the AAA client, instead of elsewhere. Basically, > the purpose of AAA (again, from the POV of an authentication > protocol) is simply scaling. BTW, a lot of misery has been caused > by the erroneous belief that EAP is (or can be) a three-party > authentication protocol: it isn't, and can't be. It could _carry_ a > three-party protocol (like Kerberos), but EAP in itself is a > two-party protocol. > > > why do you care that only one party knows that radius is > > used? it could also be diameter. > > > > i would like to better understand why some people dislike the aaa > > architecture (radius, diameter). > > I think that the misunderstanding mentioned above might have > something to do with it... > > > > > ciao > > hannes > > > > > >> -----Ursprüngliche Nachricht----- > >> Von: isms-bounces [at] lists.ietf.org > >> [mailto:isms-bounces [at] lists.ietf.org] Im Auftrag von Sam Hartman > >> Gesendet: Freitag, 15. April 2005 19:34 > >> An: Martin Soukup > >> Cc: isms [at] ietf.org > >> Betreff: [Isms] RADIUS is not a trusted third party > >> > >> > >>>>>>> "Martin" == Martin Soukup <msoukup [at] nortel.com> writes: > >> > >> Martin> RADIUS "Access-Accept" indicates a successful > >> Martin> authenthentication response for a user. > >> > >> Martin> The Access-Accept already returns a > "Session-Timeout", > >> Martin> defined as "Sets the maximum number of seconds of > service > >> Martin> to be provided to the user before the session > >> Martin> terminates. This attribute value becomes the per-user > >> Martin> "absolute timeout."". > >> > >> This only tells the SNMP engine talking to the RADIUS server the > >> timeout. You need to tell the other side of the exchange the > >> timeout too. > >> > >> Remember that RADIUS is a callout service; it is not a trusted > third > >> party. In other words, in a particular SNMP authentication, only > one > >> of the parties will know that RADIUS is being used. > >> > >> > >> _______________________________________________ > >> Isms mailing list > >> Isms [at] lists.ietf.org > >> https://www1.ietf.org/mailman/listinfo/isms > >> > > > > _______________________________________________ > > Isms mailing list > > Isms [at] lists.ietf.org > > https://www1.ietf.org/mailman/listinfo/isms > > Hope this helps, > > ~gwz > > Why is it that most of the world's problems can't be solved by > simply > listening to John Coltrane? -- Henry Gabriel > _______________________________________________ > eap mailing list > eap [at] frascone.com > http://mail.frascone.com/mailman/listinfo/eap
-
RE: [Isms] RADIUS is not a trusted third party Glen Zorn (gwz), April 17 2005
- RE: RE: [Isms] RADIUS is not a trusted third party Alper Yegin, April 19 2005
-
RE: RE: [Isms] RADIUS is not a trusted third party Glen Zorn (gwz), April 19 2005
- RE: RE: [Isms] RADIUS is not a trusted third party Alper Yegin, April 20 2005
- RE: RE: [Isms] RADIUS is not a trusted third party Glen Zorn (gwz), April 19 2005
- Re: RE: [Isms] RADIUS is not a trusted third party Jeff Mandin, April 20 2005
Results generated by Tiger Technologies using MHonArc.