Re: Authenticator versus AAA client
From: Jari Arkko (jari.arkko@piuha.net)
Date: Tue, 13 Dec 2005 05:43:11 -0800 (PST)
Nakhjiri Madjid-MNAKHJI1 wrote:


Hi folks,


We are struggling to understand the true definition of an EAP pass-through
authenticator and how it differs from a AAA client. So here are some
functions that we have in mind; we are trying to understand which
function fits where:


AAA client functionality: Run AAA protocol with AAA server. Receive authorization info from AAA server.

EAP pass-through Authenticator:
Understand EAP Success/Failure, but not EAP Request/Responses.


Things we need but are not sure where to fit: Authenticator or AAA client?
Converting EAP/link layer to EAP/AAA? Receiving master keys from AAA server? Yes, EAP keying defines this as
the authenticator, but it would seem that this is the AAA client, since keys are
sent over the AAA protocol.


This is what the EAP keying framework says:

... On EAP
server, keying material requested by and passed down to the AAA layer
may be replicated to the AAA layer on the authenticator. On the
authenticator, the AAA layer may provide the replicated keying
material to the lower layer over which the EAP authentication
conversation took place. This enables "mode independence" to be
maintained.

As illustrated in Figure 4, a AAA client receiving transported EAP
keying material and parameters passes them to the EAP authenticator
and EAP layers, which then provide them to the authenticator lower
layer using the same mechanisms that would be used if the EAP peer
and authenticator were conducting a stand-alone conversation. The
resulting key state in the lower layer is indistinguishable between
the standalone and pass-through cases, as required by the principle
of mode independence. In order to prevent the compromise of
transported EAP keying material and parameters, the AAA client and
EAP authenticator MUST be co-resident.

Hope this helps -- let us know if you want some specific clarification
to the text.

--Jari
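The following is an added example, not code from the thread, from the EAP keying framework draft, or from any real EAP or RADIUS implementation. It models the two arrangements the quoted text contrasts: a stand-alone authenticator that hosts the EAP server itself, and a pass-through authenticator whose AAA client forwards EAP packets to a backend and receives the MSK over the AAA protocol. Everything below the EAP header layout is an assumption made for illustration: the EAP method is a toy HMAC challenge-response at a placeholder type code, the MSK derivation is invented, the AAA exchange is a function call returning a dict in place of RADIUS/Diameter attributes, the nonce is fixed rather than random, and the lower-layer key schedule only imitates the 802.11i habit of taking the PMK from the first 32 bytes of the MSK. What the model does show is the point Jari's quote makes: the pass-through authenticator only ever reads the EAP Code field, it obtains the MSK from the AAA client rather than from an EAP method, and the resulting lower-layer key state is byte-for-byte the same as in the stand-alone case (and absent on EAP Failure).

```python
"""Toy model of "mode independence": stand-alone vs. pass-through EAP authenticator (added example)."""
import hashlib
import hmac
import struct

# EAP Code values, RFC 3748 section 4.1.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
EAP_TYPE_TOY = 254               # Expanded-type code point, standing in for a toy method (assumption)
FIXED_NONCE = bytes(range(16))   # constructed for determinism; a real server uses a fresh random nonce


def eap_pack(code, ident, payload=b""):
    """Build an EAP packet: Code(1) Identifier(1) Length(2) Data."""
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def eap_unpack(pkt):
    """Parse the 4-byte EAP header. This is all a pass-through authenticator needs to read."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or code not in (EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE):
        raise ValueError("malformed EAP packet")
    return code, ident, pkt[4:]


def derive_msk(psk, nonce):
    """Toy MSK export, 64 bytes as RFC 3748 requires; the derivation itself is an assumption."""
    return hmac.new(psk, b"MSK" + nonce, hashlib.sha512).digest()


class EapServer:
    """EAP method logic. Stand-alone: lives on the authenticator. Pass-through: sits behind AAA."""
    def __init__(self, psk, nonce=FIXED_NONCE):
        self.psk, self.nonce, self.state = psk, nonce, "start"

    def step(self, eap_in):
        """Consume a Response (None starts the conversation); return (eap_out, msk or None)."""
        if eap_in is None:
            self.state = "identity"
            return eap_pack(EAP_REQUEST, 1, bytes([EAP_TYPE_IDENTITY])), None
        code, ident, data = eap_unpack(eap_in)
        if code == EAP_RESPONSE and self.state == "identity" and data[:1] == bytes([EAP_TYPE_IDENTITY]):
            self.state = "challenge"
            return eap_pack(EAP_REQUEST, 2, bytes([EAP_TYPE_TOY]) + self.nonce), None
        expected = hmac.new(self.psk, self.nonce, hashlib.sha256).digest()
        self.state = "done"
        if code == EAP_RESPONSE and hmac.compare_digest(data[1:], expected):
            return eap_pack(EAP_SUCCESS, ident), derive_msk(self.psk, self.nonce)
        return eap_pack(EAP_FAILURE, ident), None


class EapPeer:
    def __init__(self, psk, identity=b"user@example.net"):
        self.psk, self.identity, self.msk = psk, identity, None

    def step(self, eap_in):
        """Answer a Request; return None on Success/Failure, which ends the conversation."""
        code, ident, data = eap_unpack(eap_in)
        if code != EAP_REQUEST:
            self.msk = None if code == EAP_FAILURE else self.msk
            return None
        if data[0] == EAP_TYPE_IDENTITY:
            return eap_pack(EAP_RESPONSE, ident, bytes([EAP_TYPE_IDENTITY]) + self.identity)
        nonce = data[1:]
        self.msk = derive_msk(self.psk, nonce)   # the peer's copy of the exported key
        proof = hmac.new(self.psk, nonce, hashlib.sha256).digest()
        return eap_pack(EAP_RESPONSE, ident, bytes([EAP_TYPE_TOY]) + proof)


def lower_layer_key_state(msk):
    """What the link layer does with an exported MSK (modelled on 802.11i: PMK = MSK[0:32])."""
    pmk = msk[:32]
    return {"pmk": pmk, "ptk": hmac.new(pmk, b"pairwise key expansion", hashlib.sha256).digest()}


class AaaServer:
    """AAA server hosting the EAP server. Its reply carries the EAP packet and, on Accept, the MSK."""
    def __init__(self, eap_server):
        self.eap = eap_server

    def access_request(self, eap_msg):
        eap_out, msk = self.eap.step(eap_msg)
        code = eap_unpack(eap_out)[0]
        kind = {EAP_SUCCESS: "Access-Accept", EAP_FAILURE: "Access-Reject"}.get(code, "Access-Challenge")
        return {"type": kind, "EAP-Message": eap_out, "MSK": msk}


class StandaloneAuthenticator:
    """EAP server co-located: the MSK goes straight from the EAP layer to the lower layer."""
    def __init__(self, eap_server):
        self.eap, self.msk = eap_server, None

    def start(self):
        return self.eap.step(None)[0]

    def receive(self, eap_resp):
        eap_out, self.msk = self.eap.step(eap_resp)
        return eap_out

    def key_state(self):
        return lower_layer_key_state(self.msk) if self.msk else None


class PassThroughAuthenticator:
    """AAA client plus EAP authenticator layer, co-resident as the framework requires."""
    def __init__(self, aaa_server):
        self.aaa, self.msk, self.codes_seen = aaa_server, None, []

    def start(self):
        return self._forward(None)

    def receive(self, eap_resp):
        eap_unpack(eap_resp)                        # checks Code/Identifier/Length only; Type and data stay opaque
        return self._forward(eap_resp)

    def _forward(self, eap_msg):
        reply = self.aaa.access_request(eap_msg)    # AAA client: run the AAA protocol with the server
        code = eap_unpack(reply["EAP-Message"])[0]  # authenticator: understands only the Code field
        self.codes_seen.append(code)
        if code == EAP_SUCCESS:
            self.msk = reply["MSK"]                 # AAA client hands the transported MSK to the EAP layer
        return reply["EAP-Message"]

    def key_state(self):
        return lower_layer_key_state(self.msk) if self.msk else None


def run_eap(peer, authenticator):
    """Drive the conversation over the lower layer; return the authenticator's resulting key state."""
    eap_out = authenticator.start()
    while (resp := peer.step(eap_out)) is not None:
        eap_out = authenticator.receive(resp)
    return authenticator.key_state()


def demo(psk=b"constructed-psk", peer_psk=None):
    """Run both modes against the same peer secret; returns (standalone_state, pass_through_state)."""
    peer_psk = psk if peer_psk is None else peer_psk
    standalone = run_eap(EapPeer(peer_psk), StandaloneAuthenticator(EapServer(psk)))
    pass_through = run_eap(EapPeer(peer_psk), PassThroughAuthenticator(AaaServer(EapServer(psk))))
    return standalone, pass_through


if __name__ == "__main__":
    sa, pt = demo()
    print("lower-layer state identical:", sa == pt, "| failure yields no key:", demo(peer_psk=b"wrong") == (None, None))
```

The `codes_seen` list on the pass-through authenticator is the observable version of "understands EAP Success/Failure but not Request/Response": it records that the authenticator classified every server-originated packet by Code alone and never parsed a Type. The co-residency requirement in the quoted text is the reason `_forward` can move the MSK from the AAA reply into `self.msk` by local assignment; if the AAA client and the EAP authenticator were separate boxes, that assignment would become a second key-transport hop with its own protection requirements.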

