| RE: Separation of EAP authenticator and AAA client | <– Date –> <– Thread –> |
From: Alper Yegin (alper.yegin samsung.com)
|
|
| Date: Wed, 29 Jun 2005 16:57:17 -0400 (EDT) | |
> > I guess an explicit NAS-ID needs to be carried by the EAP lower layer > > unless we assume an implicit value (e.g., the MAC address of the 802.11 > > AP). > > I think the authenticator identity needs to be explicitly defined. It > could just be the MAC address but without defining it you get > interoperability problems. I agree. > > As we have discussed in EAP WG, the EAP peer and server are the > > principals in an EAP conversation, and they do not utilize the > > authenticator identity except as an opaque blob for channel bindings. > > > > They do not utilize peer and AAA server identities either. > > EAP methods do export the Peer-ID and the Server-ID, so I'm not sure what > you mean. I was thinking that none of these identities are explicitly carried in EAP headers. Yes, the EAP methods can export the peer and server IDs, much like the EAP lower layer can export the NAS ID. Btw, the former ones are used for key scoping. Isn't this related to where we need to use the NAS ID as well? > > Unless the NAS ports can convey the NAS-ID to the peer before secure > > associations, NAS should also explicitly convey the port IDs in order to > > provide the key cache boundary. What do you think? > > The lower layer spec needs to explicitly define the key > scope/authenticator identity. Typically this is either an address of some > kind (e.g. MAC address) or an identifier (NAS-ID). A port-ID is neither > here nor there -- it doesn't tell the peer if the key derived on port X is > also usable when connecting to port Y. If the NAS has multiple ports (like a CAPWAP AC controlling multiple APs), key cache boundary is the set of all these ports. For that I think the EAP peer should know the identity of these ports. I think there is one alternative approach. Even if the NAS does not convey the list of ports to the EAP peer, the peer may discover them as it encounters each port. For example, when the peer moves to port Y (from port X where it had performed the EAP authentication), if the port Y can convey the associated NAS ID, then the peer can dynamically discover that it is still within the same key cache boundary. I prefer the first approach where the NAS explicitly conveys the list of ports to the EAP peer. Alper > >
-
Separation of EAP authenticator and AAA client Bernard Aboba, June 27 2005
-
RE: Separation of EAP authenticator and AAA client Alper Yegin, June 28 2005
-
RE: Separation of EAP authenticator and AAA client Bernard Aboba, June 28 2005
- RE: Separation of EAP authenticator and AAA client Alper Yegin, June 29 2005
-
RE: Separation of EAP authenticator and AAA client Bernard Aboba, June 28 2005
- Message not available
- Re: RE: Separation of EAP authenticator and AAA client Bernard Aboba, June 28 2005
-
RE: Separation of EAP authenticator and AAA client Alper Yegin, June 28 2005
-
RE: Separation of EAP authenticator and AAA client Sood, Kapil, June 28 2005
- RE: Separation of EAP authenticator and AAA client Bernard Aboba, June 28 2005
- RE: RE: Separation of EAP authenticator and AAA client Narayanan Vidya-CVN065, June 29 2005
Results generated by Tiger Technologies using MHonArc.