Re: RE: Question on EAP statemachine
From: Yoshihiro Ohba (yohbatari.toshiba.com)
Date: Wed, 29 Jun 2005 12:05:34 -0400 (EDT)
On Wed, Jun 29, 2005 at 06:38:56AM -0700, Mahesh Kelkar wrote:
> Pasi,
> 
> Sorry about that; by EAP-start I meant the first EAP
> request packet originating from the backend authentication
> server (assuming that authenticator & backend
> authentication servers are different & EAP-server resides
> on the backend authentication server). Ex. EAP-TLS sets the
> start bit of the first EAP-TLS packet and hence I used the
> name EAP-start packet.
> 
> I was trying to elaborate the definition of EAP conversation
> and wanted to get some feedback on it. 
> 
> I wanted to find out if we can negotiate EAP twice (or
> multiple times, one after the other and not the
> simultaneous). Does the peer state machine support that? Can we
> use different authentication methods for each EAP
> negotiation? etc. 

Yes, you can do that.  Please see draft-ietf-pana-statemachine-00.txt
for an example of how to do it using the EAP state machine.

Yoshihiro Ohba
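As an added illustration of the answer above (example code, not from the thread or from the PANA state-machine draft): a peer-side tracker that parses RFC 3748 packets and follows two consecutive EAP conversations, the first running EAP-TLS (the start bit Mahesh mentions), the second a different method whose Identifier does not continue from the earlier Success, while discarding a Success that arrives with no method in progress. The packet bytes are constructed; the choice of MD5-Challenge as the second method and the simplified acceptance rule are assumptions for this example.

```python
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_MD5, TYPE_TLS = 1, 4, 13
TLS_FLAG_START = 0x20  # the EAP-TLS "S" (start) bit the thread refers to

def parse_eap(pkt: bytes) -> dict:
    """Parse one RFC 3748 packet (Code, Identifier, Length, then Type for Request/Response); reject bad Length."""
    if len(pkt) < 4:
        raise ValueError("short EAP header")
    code, ident, length = pkt[0], pkt[1], int.from_bytes(pkt[2:4], "big")
    has_type = code in (REQUEST, RESPONSE)
    if length < (5 if has_type else 4) or length > len(pkt):
        raise ValueError("bad EAP Length field")
    return {"code": code, "id": ident, "type": pkt[4] if has_type else None, "data": pkt[5:length]}

class PeerConversationTracker:  # peer-side bookkeeping, simplified from the RFC 4137 peer machine
    def __init__(self):
        self.method = None  # Type of the method running in the current conversation, if any
        self.history = []   # (method Type, outcome, Identifier of the Success/Failure) per conversation

    def receive(self, pkt: bytes) -> str:
        m = parse_eap(pkt)
        if m["code"] == REQUEST and m["type"] == TYPE_IDENTITY:
            self.method = None  # Identity exchange opens a new conversation
            return "identity-request"
        if m["code"] == REQUEST:
            self.method = m["type"]  # first method Request fixes the method for this conversation
            tls_start = m["type"] == TYPE_TLS and m["data"] and m["data"][0] & TLS_FLAG_START
            return "tls-start" if tls_start else "method-request"
        if m["code"] in (SUCCESS, FAILURE):
            if self.method is None:  # no method has run: a bare Success must not be accepted
                return "discarded"
            self.history.append((self.method, "success" if m["code"] == SUCCESS else "failure", m["id"]))
            self.method = None  # conversation closed; the next Request starts a new one
            return "conversation-closed"
        return "ignored"

def run_constructed_exchange():
    """Constructed server->peer packets: E1 runs EAP-TLS, then E2 runs MD5-Challenge on a fresh Identifier space."""
    pkts = [
        bytes([REQUEST, 1, 0, 5, TYPE_IDENTITY]),
        bytes([REQUEST, 2, 0, 6, TYPE_TLS, TLS_FLAG_START]),
        bytes([SUCCESS, 10, 0, 4]),                # E1 closes conversation 1 with Identifier 10
        bytes([SUCCESS, 11, 0, 4]),                # stray Success with no method in progress
        bytes([REQUEST, 1, 0, 5, TYPE_IDENTITY]),  # E2 starts over; Identifier need not continue from 10
        bytes([REQUEST, 2, 0, 22, TYPE_MD5, 16]) + bytes(16),  # MD5-Challenge: Value-Size 16 + value
        bytes([SUCCESS, 3, 0, 4]),
    ]
    tracker = PeerConversationTracker()
    return [tracker.receive(p) for p in pkts], tracker.history
```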


> 
> Thanks
> Mahesh
> 
> --- Pasi.Eronen [at] nokia.com wrote:
> 
> > Hi,
> > 
> > There is no such thing as an "EAP-start" packet in EAP.
> > 802.1X does have an EAPOL-Start packet, but it is sent 
> > by the 802.1X supplicant (peer); RADIUS (RFC3579) has
> > an EAP-Start message, but it is sent by the RADIUS
> > client.
> > 
> > How multiple EAP conversations are handled depends a lot
> > on the lower layer in question. For instance, PANA has 
> > explicit support for two separate EAP conversations.
> > 
> > Best regards,
> > Pasi
> > 
> > > -----Original Message-----
> > > From: ext Mahesh Kelkar [mailto:mkelkar [at] rocketmail.com]
> > > Sent: Tuesday, June 28, 2005 6:05 PM
> > > To: npetroni [at] cs.umd.edu; Eronen Pasi (Nokia-NRC/Helsinki);
> > > jrv [at] umich.edu; yohba [at] tari.toshiba.com; eap [at] frascone.com
> > > Subject: Question on EAP statemachine
> > > 
> > > 
> > > 
> > > EAP conversation starts when the EAP-server sends the
> > > EAP-start packet to the peer and it ends when the
> > > EAP-server sends the EAP-success or EAP-failure packet to
> > > the peer. As per RFC 3748, only one authentication method
> > > is allowed to be negotiated within this conversation.
> > > 
> > > Consider a case, where 
> > > 1. EAP-server (E1) authenticates the peer by negotiating
> > > the EAP authentication method (say, A1) and sends the
> > > EAP-success (with an identifier value, say 10). 
> > > 2. Another EAP-server (E2) is in the network
> > > 3. Let's assume that E1 can communicate some EAP negotiated
> > > information to the E2
> > > 
> > > Question 1:
> > > 
> > > Can EAP-server (E2) start a new EAP negotiation with the
> > > peer by sending an Identity request packet or an EAP-start
> > > packet? 
> > > 
> > > Thus, the peer would receive an EAP-success packet followed
> > > by an EAP Identity request or an EAP-start packet.
> > > 
> > > Question 2:
> > > What should the EAP-server (E2) send to the peer in order
> > > to rekindle the negotiation? an EAP identity request or
> > > EAP-start packet? 
> > > 
> > > If E1 has already conveyed the user-identity (or contents
> > > of Type-Data field in the EAP Identity response) to E2 then
> > > E2 can skip the identity exchange and proceed with the
> > > EAP-start packet. It can help us save the user interaction.
> > > 
> > > Question 3:
> > > What should be the identifier value of the EAP identity
> > > request or the EAP-start packet? (11?, if identifier value
> > > of the earlier EAP-success was 10) or (any value, say 1)
> > > 
> > > Question 4:
> > > Can EAP-server (E2) negotiate a different EAP
> > > authentication method (say, A2) with the peer?
> > > 
> > > I could not discern this information from the peer
> > > state machine and wanted to touch base with you since a lot of
> > > peer implementations would be based on it.
> > > 
> > > Your responses are appreciated.
> > > 
> > > Thanks
> > > Mahesh
> > > 
> > > 
> > > +++++++++++++++++++++++++++++
> > >  M a h e s h  V  K e l k a r
> > 
> 
> 
> +++++++++++++++++++++++++++++
>  M a h e s h  V  K e l k a r
> 
