RE: Question on EAP statemachine
From: Mahesh Kelkar (mkelkar [at] rocketmail.com)
Date: Wed, 29 Jun 2005 10:26:41 -0400 (EDT)
Pasi,

This particular example refers to the L2TP setup as
described below:

 Peer         LAC               LNS
  |---- PPP----|                  |             
  |            |                  |
  |            |---- PPP/L2TP ----|
  |            |                  |
  |            |<--L2TP Tunnel--->|
  |                               |
  |<---------PPP Session--------->|
  |                               |

The peer first negotiates PPP-LCP with the LAC; then the LAC
negotiates EAP with the peer (or acts as a pass-through).
As an outcome of the successful authentication, the LAC
tunnels the PPP session to the LNS, and now the LNS starts
negotiating EAP with the peer.

Thus, in this case, the peer negotiates EAP/EAP method with
the LAC; receives the EAP-success followed by the EAP
request/Identity (or EAP request/auth method) from the LNS.

I don't think the lower layer would initiate the multiple
conversations. The peer has a point-to-point lower layer,
hence it would not be able to distinguish whether the incoming
EAP packets are coming from the LAC or the LNS. Hence I was
wondering if the state machine is equipped to handle such
back-to-back EAP/EAP method negotiations?

Thanks
Mahesh

--- Pasi.Eronen [at] nokia.com wrote:

> 
> Mahesh,
> 
> Negotiating the use of EAP and triggering the start of an EAP
> conversation happens in the lower layer outside EAP, so it's
> really beyond the scope of the peer state machine.
> 
> But I don't think there's anything in draft-ietf-eap-statemachine
> that would prevent a lower layer from having several separate EAP
> conversations, either in sequence (like in PANA), or in parallel
> (in which case you need multiple "instances" of the state machine).
> 
> Best regards,
> Pasi
> 
> > -----Original Message-----
> > From: ext Mahesh Kelkar [mailto:mkelkar [at] rocketmail.com]
> > Sent: Wednesday, June 29, 2005 4:39 PM
> > To: Eronen Pasi (Nokia-NRC/Helsinki); eap [at] frascone.com
> > Subject: RE: Question on EAP statemachine
> > 
> > 
> > Pasi,
> > 
> > Sorry about that; by EAP-start I meant the first EAP
> > request packet originating from the backend authentication
> > server (assuming that the authenticator & backend
> > authentication servers are different & the EAP server resides
> > on the backend authentication server). E.g. EAP-TLS sets the
> > start bit of the first EAP-TLS packet and hence I used the
> > name EAP-start packet.
> > 
> > I was trying to elaborate the definition of EAP conversation
> > and wanted to get some feedback on it.
> > 
> > I wanted to find out if we can negotiate EAP twice (or
> > multiple times, one after the other and not
> > simultaneously). Does the peer state machine support that? Can we
> > use different authentication methods for each EAP
> > negotiation? etc.
> > 
> > Thanks
> > Mahesh
> > 
> > --- Pasi.Eronen [at] nokia.com wrote:
> > 
> > > Hi,
> > > 
> > > There is no such thing as an "EAP-start" packet in EAP.
> > > 802.1X does have an EAPOL-Start packet, but it is sent
> > > by the 802.1X supplicant (peer); RADIUS (RFC3579) has
> > > an EAP-Start message, but it is sent by the RADIUS
> > > client.
> > > 
> > > How multiple EAP conversations are handled depends a lot
> > > on the lower layer in question. For instance, PANA has
> > > explicit support for two separate EAP conversations.
> > > 
> > > Best regards,
> > > Pasi
> <snip>
> 


+++++++++++++++++++++++++++++
 M a h e s h  V  K e l k a r


                