EAP and roaming

From: Julien Bournelle (julien.bournelle
Date: Fri, 13 May 2005 06:12:41 -0400 (EDT)

Hi all,

In the roaming case, the EAP authenticator and EAP server do not belong to the same administrative entity. Let's say that the authenticator belongs to company A and the EAP server to company B.

In draft-ietf-eap-keying-06.txt, it is assumed that the AAA-Key is provided in an AAA-Token. From the security requirements on p. 51:

"To ensure against compromise, the AAA-Token MUST be integrity protected, authenticated, replay protected and encrypted in transit, using well-established cryptographic algorithms"

To follow this requirement, it implies that A's EAP authenticator has a direct SA with B's EAP server. So if company B does not allow SA establishment between its EAP server and an EAP authenticator from another company, EAP shouldn't be used.

Am I missing something?

--
julien.bournelle at int-evry.fr