| RE: RE: [Isms] RADIUS is not a trusted third party | <– Date –> <– Thread –> |
From: Glen Zorn (gwz) (gwz cisco.com)
|
|
| Date: Tue, 26 Apr 2005 11:13:18 -0400 (EDT) | |
Blumenthal, Uri <mailto:uri.blumenthal [at] intel.com> supposedly scribbled: > It was my understanding that while EAP is between the client > (supplicant) and NAS, and RADIUS is between NAS and AAA, *EAP method* > that runs on top of EAP is between the client and RADIUS server. No. Can we just _get it_ once and for all? AAA & EAP are _different_ and _separate_ things: there is no part of EAP that is "between" the EAP peer and any AAA entity. > > This tunnel created by EAP method can be considered as "trust between > the client and AAA", See above. > and RADIUS between NAS and AAA (however it is > accomplished) is "trust between NAS and AAA". > > And yes, many find convenient to connect authorization decision to > some extra information about the supplicant - such as its posture > evaluation (Cisco NAC, Microsoft NAP, etc). Such information would > naturally be carried in TLVs as part of EAP inner method exchange. Or more rationally (gasp!) in a subsequent _authorization_ protocol exchange. > Yes it seems to go way beyond the original purpose of EAP, but then > it does seem to address the today's need. If one has a sore toe, shooting oneself in the foot may seem to satisfy "today's need"; in the long run, however, it will probably turn out to be counterproductive. > > -----Original Message----- > From: isms-bounces [at] lists.ietf.org [mailto:isms-bounces [at] lists.ietf.org] > On Behalf Of Bernard Aboba > Sent: Monday, April 25, 2005 10:02 PM > To: Glen Zorn (gwz) > Cc: radiusext [at] ops.ietf.org; eap [at] frascone.com; isms [at] ietf.org > Subject: RE: [eap] RE: [Isms] RADIUS is not a trusted third party > > Martin Soukup said: > >> The use of RADIUS itself without a defined extension such as EAP-TLS >> or EAP-PEAP over RADIUS cannot securely pass attributes between >> entities. Note that the defined EAP-TLS (or other EAP mechanisms) >> over RADIUS provides for secure attribute passing between entities >> even through proxies. > > In response to which, Glen Zorn spake thusly: > >> I thought that I was passing familiar w/EAP-TLS (and even more so >> w/PEAP), but I am completely unaware of such capabilities. Would you >> mind explaining how this is achieved, given that RADIUS & EAP are >> completely different protocols? > > I also was unaware of the ability of EAP-TLS to transmit RADIUS > attributes between the EAP peer and server. I had always thought > RADIUS was a protocol only spoken between a NAS and a RADIUS server, > and that EAP-TLS didn't support transmission of TLVs. But I guess > this is a somewhat old fashioned point of view. > > Perhaps this is referring to EAP-TLS "extended" via the following? > http://www.ietf.org/internet-drafts/draft-funk-tls-inner-application -ext > ension-01.txt > > > > _______________________________________________ > Isms mailing list > Isms [at] lists.ietf.org > https://www1.ietf.org/mailman/listinfo/isms Hope this helps, ~gwz Why is it that most of the world's problems can't be solved by simply listening to John Coltrane? -- Henry Gabriel
- RE: RE: [Isms] RADIUS is not a trusted third party, (continued)
- RE: RE: [Isms] RADIUS is not a trusted third party Nelson, David, April 22 2005
- RE: RE: [Isms] RADIUS is not a trusted third party Bernard Aboba, April 25 2005
-
RE: RE: [Isms] RADIUS is not a trusted third party Glen Zorn (gwz), April 25 2005
- RE: RE: [Isms] RADIUS is not a trusted third party Bernard Aboba, April 25 2005
- RE: RE: [Isms] RADIUS is not a trusted third party Glen Zorn (gwz), April 26 2005
- RE: RE: [Isms] RADIUS is not a trusted third party Bernard Aboba, April 26 2005
- RE: RE: [Isms] RADIUS is not a trusted third party Nelson, David, April 26 2005
- RE: RE: [Isms] RADIUS is not a trusted third party Nelson, David, April 26 2005
- RE: RE: [Isms] RADIUS is not a trusted third party Bernard Aboba, April 26 2005
Results generated by Tiger Technologies using MHonArc.