Re: Authenticator versus AAA client
From: Yoshihiro Ohba (yohbatari.toshiba.com)
Date: Mon, 5 Dec 2005 12:58:59 -0800 (PST)

On Wed, Nov 30, 2005 at 05:47:49PM -0500, Nakhjiri Madjid-MNAKHJI1 wrote:
>  
> Hi folks,
> 
> We are struggling to understand the true definition of EAP pass-through
> authenticator and how it differs from a AAA client. So here are some
> functions that we have in mind, we are trying to understand what
> function fits where:
> 
> 
> AAA client functionality:
> Run AAA protocol with AAA server.
> Receive authorization info  from AAA server
> 
> EAP pass-through Authenticator
> Understand EAP success/ failure, but not EAP request/ responses.

EAP pass-through authenticator does understand EAP Requests and
Responses for matching the Requests with Responses.  But EAP
pass-through authenticator does not need to understand the content of
the Data field of the Requests and Responses.

> 
> 
> Things we need but not sure where to fit? Authenticator or AAA client?
> Converting EAP/link layer to EAP/AAA? I would say this is AAA client.
> Receiving master keys from AAA server? Yes, EAP keying defines this as
> authenticator, but it would seem that this is AAA client, since keys are
> sent over AAA protocol.

AAA client receives the master keys from AAA server, but it just
passes the received keys to the EAP pass-through authenticator and
never caches the keys.  So I think the pass-through authenticator 
is the final receiver of the master keys.

Yoshihiro Ohba

> 
> Any guidance?
> 
> Thanks,
> 
> Madjid Nakhjiri

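The Request/Response matching described in the reply above, as an added example that is not part of the original thread: a relay that checks only the Code, Identifier and Length fields of the EAP header (layout per RFC 3748) and treats everything after them as opaque bytes. The `PassThrough` class, the peer key and the sample packets are constructed for illustration.

```python
import struct

REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4  # EAP Code values, RFC 3748

def parse_header(packet: bytes):
    """Return (code, identifier, opaque_data), or None if the header is invalid."""
    if len(packet) < 4:
        return None
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code not in (REQUEST, RESPONSE, SUCCESS, FAILURE):
        return None
    if length < 4 or length > len(packet):
        return None  # Length disagrees with the octets received
    return code, identifier, packet[4:length]  # octets past Length are padding

class PassThrough:
    """Hypothetical relay between a peer and the AAA client side."""

    def __init__(self):
        self.pending = {}  # peer key -> Identifier of the Request in flight

    def from_server(self, peer, packet):
        """Packet from the EAP server; returns what is sent to the peer."""
        header = parse_header(packet)
        if header is None or header[0] == RESPONSE:
            return None
        code, identifier, _ = header  # Data is never inspected
        if code == REQUEST:
            self.pending[peer] = identifier
        else:
            self.pending.pop(peer, None)  # Success/Failure ends the exchange
        return packet

    def from_peer(self, peer, packet):
        """Packet from the peer; returns what is handed on toward the server."""
        header = parse_header(packet)
        if header is None or header[0] != RESPONSE:
            return None
        if self.pending.get(peer) != header[1]:
            return None  # no outstanding Request with this Identifier
        del self.pending[peer]
        return packet

if __name__ == "__main__":
    relay = PassThrough()
    request = bytes([REQUEST, 7, 0, 5, 1])  # constructed: Identifier 7
    relay.from_server("peer-1", request)
    stale = bytes([RESPONSE, 8, 0, 10, 1]) + b"alice"    # wrong Identifier
    answer = bytes([RESPONSE, 7, 0, 10, 1]) + b"alice"   # matches Request 7
    print(relay.from_peer("peer-1", stale), relay.from_peer("peer-1", answer))
```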