RE: Separation of EAP authenticator and AAA client
From: Bernard Aboba (abobainternaut.com)
Date: Wed, 29 Jun 2005 00:22:52 -0400 (EDT)
> I guess an explicit NAS-ID needs to be carried by the EAP lower layer
> unless we assume an implicit value (e.g., the MAC address of the 802.11
> AP).

I think the authenticator identity needs to be explicitly defined.  It
could just be the MAC address but without defining it you get
interoperability problems.

> As we have discussed in EAP WG, the EAP peer and server are the
> principals in an EAP conversation, and they do not utilize the
> authenticator identity except as an opaque blob for channel bindings.
>
> They do not utilize peer and AAA server identities either.

EAP methods do export the Peer-ID and the Server-ID, so I'm not sure what
you mean.

> Unless the NAS ports can convey the NAS-ID to the peer before secure
> associations, NAS should also explicitly convey the port IDs in order to
> provide the key cache boundary. What do you think?

The lower layer spec needs to explicitly define the key
scope/authenticator identity.  Typically this is either an address of some
kind (e.g. MAC address) or an identifier (NAS-ID).  A port-ID is neither
here nor there -- it doesn't tell the peer if the key derived on port X is
also usable when connecting to port Y.
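As an added illustration, not part of this thread or of any EAP implementation, the key-scope point above modelled in Python: the key cache boundary is the authenticator identity the lower layer defines (MAC address or NAS-ID), a port only maps onto that identity, and the peer's channel-binding check compares the identity it saw with the AAA server's view of who received the key. All identities, port numbers and key material are constructed.

```python
import os
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class KeyScope:
    """Key cache boundary: the EAP principals plus the authenticator identity
    the lower layer defines. A port number is not part of the scope; it only
    maps to an authenticator."""
    peer_id: str           # Peer-ID exported by the EAP method
    server_id: str         # Server-ID exported by the EAP method
    authenticator_id: str  # MAC address or NAS-ID, per the lower-layer spec

@dataclass
class KeyCache:
    ports: dict                                 # port_id -> authenticator identity
    entries: dict = field(default_factory=dict) # KeyScope -> key material

    def install(self, scope: KeyScope, msk: bytes) -> None:
        self.entries[scope] = msk

    def key_for_port(self, peer_id: str, server_id: str, port_id: int) -> Optional[bytes]:
        """Reuse is decided by the authenticator identity behind the port."""
        auth_id = self.ports.get(port_id)
        if auth_id is None:  # lower layer never defined the identity: no safe reuse
            return None
        return self.entries.get(KeyScope(peer_id, server_id, auth_id))

def channel_binding_ok(peer_seen: str, aaa_delivered_to: str) -> bool:
    """The peer treats the identity as an opaque blob and only checks that what
    it saw on the lower layer matches what the AAA server says got the key."""
    return peer_seen == aaa_delivered_to

def run_scenario() -> dict:
    """Constructed scenario (hypothetical identities): ports 1 and 2 sit on one
    AP, port 3 on another AP, and port 4 advertises no identity at all."""
    cache = KeyCache(ports={1: "00:11:22:33:44:55", 2: "00:11:22:33:44:55",
                            3: "66:77:88:99:aa:bb"})
    msk = os.urandom(64)  # stands in for the EAP MSK derived on port 1
    cache.install(KeyScope("alice@example.org", "aaa.example.org",
                           "00:11:22:33:44:55"), msk)
    k = lambda p: cache.key_for_port("alice@example.org", "aaa.example.org", p)
    return {
        "port1": k(1) == msk,    # key derived here
        "port2": k(2) == msk,    # same authenticator identity: reusable
        "port3": k(3) is None,   # different authenticator: no reuse
        "port4": k(4) is None,   # identity undefined: cannot decide, refuse
        "binding_ok": channel_binding_ok("00:11:22:33:44:55", "00:11:22:33:44:55"),
        "binding_mismatch": channel_binding_ok("00:11:22:33:44:55", "66:77:88:99:aa:bb"),
    }
```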
