RE: Proposed Resolution to Issue 314: AAA-Key Confusion
From: Nakhjiri Madjid-MNAKHJI1 (Madjid.Nakhjirimotorola.com)
Date: Wed, 11 Jan 2006 08:43:09 -0800 (PST)
I am struggling to understand the minimum logical functionality of
a pass-through authenticator, does it include receiving keys from EAP
server? If AAA protocol is the only mechanism, then it is the AAA client
that receives the keys, not the authenticator. 
I look at both EAP RFC 3748 and EAP keying and I only find: 
"authenticator
      The end of the link initiating EAP authentication.  The term
      authenticator is used in [IEEE-802.1X], and has the same meaning
      in this document."
Which does not include receiving keys.
If a keying architecture has a KDC that needs to receive a key such as
MSK from the EAP server (and later act as a key holder), would it have
to be colocated with the authenticator? Or it only needs to have AAA
client functionality? I would think the latter. 
 
-----Original Message-----
From: Bernard Aboba [mailto:bernard_aboba [at] hotmail.com] 
Sent: Tuesday, January 10, 2006 4:02 PM
To: Nakhjiri Madjid-MNAKHJI1; eap [at] frascone.com
Subject: RE: [eap] Proposed Resolution to Issue 314: AAA-Key Confusion

>Other parts of text seem to rightfully imply that the keys are
>transported at the AAA layer, i.e. from AAA server through possibly AAA
>proxies to AAA client, so why are we saying "transported from the EAP
>server to the authenticator"??

Transport from the EAP server to the EAP authenticator is required for
mode independence.  In this instance the AAA protocol is only a
mechanism to enable that transport.


