RE: RE: [Isms] RADIUS is not a trusted third party
From: Alper Yegin (alper.yeginsamsung.com)
Date: Wed, 20 Apr 2005 14:20:46 -0400 (EDT)
> >>> what is radius for you? (you write that it is not a trusted third
> >>> party.)
> >>
> >> It's not.  From the point of view of authentication protocols (PAP,
> >> CHAP, EAP, etc.), both RADIUS and Diameter are just "wires":
> >
> > What happens when we look at this picture from the "authorization"
> > perspective? "Host-to-NAS authorization for the network access service"
> > is dynamically generated from "host-to-AAA server" authorization and
> > "AAA server to client (NAS)" authorization. Wouldn't this constitute
> > a 3-party model?
> 
> I'm pretty sure that both Sam & I were just talking about
> authentication.

I understand that.


> In any case, could you expound a bit?  I don't
> actually know what you're talking about.  What do "Host-to-NAS
> authorization for the network access service", "host-to-AAA server
> authorization" and "AAA server to client (NAS) authorization" mean?
> Are you saying that somehow the host authorizes the NAS to provide
> it network access?

The host (or the user on the host) is authorized to access the Internet
by relying on its subscription with an operator that runs the AAA
server. SLAs and credentials are used to encode this relation. [1]

A bunch of NASes are also authorized by the same AAA server to provide
access service to subscribers of that operator. This comes in the form
of roaming agreements (list of NAS identifiers, credentials, etc.). [2]

Now, if host1 wants to access the Internet via NAS1, the required
dynamic authorization (that host1 is allowed to access the Internet, and
NAS1 is allowed to provide this service) can be generated by relying on
[1] and [2].

I guess the AAA protocol that runs between the NAS and AAA server is a
"wire" as you said, but the AAA server is the trusted third party. Does
this make sense?

Alper

> >
> > Alper
> >
> >> the operation of the auth protocols should be exactly the same as if
> >> they terminated in the AAA client, instead of elsewhere.  Basically,
> >> the purpose of AAA (again, from the POV of an authentication
> >> protocol) is simply scaling.  BTW, a lot of misery has been caused by
> >> the erroneous belief that EAP is (or can be) a three-party
> >> authentication protocol: it isn't, and can't be.  It could _carry_ a
> >> three-party protocol (like Kerberos), but EAP in itself is a
> >> two-party protocol.
> >>
> >>> why do you care that only one party knows that radius is used?
> >>> it could also be diameter.
> >>>
> >>> i would like to better understand why some people dislike the
> >>> aaa architecture (radius, diameter).
> >>
> >> I think that the misunderstanding mentioned above might have
> >> something to do with it...
> >>
> >>> ciao
> >>> hannes
> >>>
> >>>> -----Original Message-----
> >>>> From: isms-bounces [at] lists.ietf.org
> >>>> [mailto:isms-bounces [at] lists.ietf.org] On Behalf Of Sam Hartman
> >>>> Sent: Friday, 15 April 2005 19:34
> >>>> To: Martin Soukup
> >>>> Cc: isms [at] ietf.org
> >>>> Subject: [Isms] RADIUS is not a trusted third party
> >>>>
> >>>>>>>>> "Martin" == Martin Soukup <msoukup [at] nortel.com> writes:
> >>>>
> >>>>     Martin> RADIUS "Access-Accept" indicates a successful
> >>>>     Martin> authentication response for a user.
> >>>>
> >>>>     Martin> The Access-Accept already returns a "Session-Timeout",
> >>>>     Martin> defined as "Sets the maximum number of seconds of
> >>>>     Martin> service to be provided to the user before the session
> >>>>     Martin> terminates. This attribute value becomes the per-user
> >>>>     Martin> "absolute timeout."".
> >>>>
> >>>> This only tells the SNMP engine talking to the RADIUS server the
> >>>> timeout.  You need to tell the other side of the exchange the
> >>>> timeout too.
> >>>>
> >>>> Remember that RADIUS is a callout service; it is not a trusted
> >>>> third party.  In other words, in a particular SNMP authentication,
> >>>> only one of the parties will know that RADIUS is being used.
> >>>>
> >>>> _______________________________________________
> >>>> Isms mailing list
> >>>> Isms [at] lists.ietf.org
> >>>> https://www1.ietf.org/mailman/listinfo/isms
> >>
> >> Hope this helps,
> >>
> >> ~gwz
> >>
> >> Why is it that most of the world's problems can't be solved by simply
> >>   listening to John Coltrane? -- Henry Gabriel
> >> _______________________________________________
> >> eap mailing list
> >> eap [at] frascone.com
> >> http://mail.frascone.com/mailman/listinfo/eap


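An added model (not code from any message in this thread) of the authorization derivation Alper describes and of Sam's point about Session-Timeout: the AAA server holds both the subscription relation [1] and the roaming agreement [2], grants a session only when both hold, and returns Session-Timeout to the NAS alone, so the host learns nothing about it unless the NAS relays it. The host and NAS names, the secrets, and the HMAC-over-nonce check that stands in for the RADIUS shared-secret mechanism are all constructed for this example.

```python
"""Three-party authorization model (added example, not from the thread).
Relation [1]: host <-> operator subscription.  Relation [2]: NAS <-> operator
roaming agreement.  Both live at the AAA server; the per-session decision for
host1 via NAS1 is derived from them.  All names and secrets are constructed."""
import hashlib
import hmac
import secrets

# Relation [1]: subscriber -> credential the AAA server can verify (constructed).
SUBSCRIBERS = {"host1": b"host1-password"}
# Relation [2]: roaming agreement, NAS identifier -> shared secret (constructed).
ROAMING_NASES = {"NAS1": b"nas1-shared-secret"}


def aaa_access_request(nas_id, nonce, nas_mac, user, password):
    """AAA server side.  Access is granted only when BOTH relations hold:
    the request comes from a NAS under a roaming agreement (proved by an HMAC
    over the nonce with the shared secret, a stand-in for RADIUS's shared-secret
    authentication) and the user is a subscriber presenting a matching
    credential.  Returns (code, attributes) like Access-Accept/Access-Reject."""
    nas_secret = ROAMING_NASES.get(nas_id)
    if nas_secret is None:
        return "Access-Reject", {}
    expected = hmac.new(nas_secret, nonce, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, nas_mac):
        return "Access-Reject", {}
    cred = SUBSCRIBERS.get(user)
    if cred is None or not hmac.compare_digest(cred, password):
        return "Access-Reject", {}
    # Session-Timeout is addressed to the AAA client (the NAS), not the host.
    return "Access-Accept", {"Session-Timeout": 3600}


def nas_serve(nas_id, nas_secret, user, password):
    """NAS (AAA client) side: forwards the host's credential to the AAA server
    and enforces the answer.  The host only learns the outcome; it never sees
    that RADIUS was consulted, and the timeout stays with the NAS unless the
    NAS chooses to relay it over the host-to-NAS protocol."""
    nonce = secrets.token_bytes(16)
    mac = hmac.new(nas_secret, nonce, hashlib.sha256).digest()
    code, attrs = aaa_access_request(nas_id, nonce, mac, user, password)
    if code != "Access-Accept":
        return {"host_sees": "denied", "nas_timeout": None}
    return {"host_sees": "granted", "nas_timeout": attrs["Session-Timeout"]}


if __name__ == "__main__":
    print(nas_serve("NAS1", b"nas1-shared-secret", "host1", b"host1-password"))
    print(nas_serve("NAS2", b"nas2-secret", "host1", b"host1-password"))  # no [2]
    print(nas_serve("NAS1", b"nas1-shared-secret", "host9", b"guess"))    # no [1]
```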
