Re: [dhcwg] draft-ietf-dhc-agentopt-radius-00.txt
John Schnizlein <jschnizl@cisco.com> Tue, 05 March 2002 12:52 UTC
Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id HAA26798 for <dhcwg-archive@odin.ietf.org>; Tue, 5 Mar 2002 07:52:52 -0500 (EST)
Received: (from daemon@localhost) by optimus.ietf.org (8.9.1a/8.9.1) id HAA00714 for dhcwg-archive@odin.ietf.org; Tue, 5 Mar 2002 07:52:54 -0500 (EST)
Received: from optimus.ietf.org (localhost [127.0.0.1]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id HAA00578; Tue, 5 Mar 2002 07:51:22 -0500 (EST)
Received: from ietf.org (odin [132.151.1.176]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id HAA00557 for <dhcwg@optimus.ietf.org>; Tue, 5 Mar 2002 07:51:20 -0500 (EST)
Received: from wells.cisco.com (wells.cisco.com [171.71.177.223]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id HAA26701 for <dhcwg@ietf.org>; Tue, 5 Mar 2002 07:51:18 -0500 (EST)
Received: from JSCHNIZL-W2K1.cisco.com (rtp-vpn1-18.cisco.com [10.82.224.18]) by wells.cisco.com (8.8.6 (PHNE_14041)/CISCO.SERVER.1.2) with ESMTP id EAA19570; Tue, 5 Mar 2002 04:50:47 -0800 (PST)
Message-Id: <4.3.2.7.2.20020305071458.01ed6cc8@diablo.cisco.com>
X-Sender: jschnizl@diablo.cisco.com
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Tue, 05 Mar 2002 07:50:13 -0500
To: Thomas Narten <narten@us.ibm.com>
From: John Schnizlein <jschnizl@cisco.com>
Subject: Re: [dhcwg] draft-ietf-dhc-agentopt-radius-00.txt
Cc: Ralph Droms <rdroms@cisco.com>, dhcwg@ietf.org
In-Reply-To: <200203050736.g257akm02046@cichlid.adsl.duke.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: dhcwg-admin@ietf.org
Errors-To: dhcwg-admin@ietf.org
X-Mailman-Version: 1.0
Precedence: bulk
List-Id: <dhcwg.ietf.org>
X-BeenThere: dhcwg@ietf.org
At 02:36 AM 3/5/2002, Thomas Narten wrote: >I'd like to better understand the need for this document and what >problem it solves. This draft specifies the particular use of the already accepted relay agent information option to convey the user's identity from a RADIUS authentication (as used with 802.1X) to the DHC server. This enables the DHC server to allocate parameters, including addresses, based on the user's identity without requiring an additional (repetitive) demand for credentials from the user. >The model here seems to be: Correct summary deleted. >What I'd like to understand better: > >1) is this used to (say) assign an address from the correct VLAN? If > so, can't this be done without using the radius AVPs? I.e., say > with a generic agent options sub-options that identifies the vlan This option is not necessary for selecting the VLAN. An 802.1X authenticator can get a VLAN ID as a AVP from the (RADIUS) AAA and put the port in that VLAN. The DCH server would learn the subnet from which to assign an address through the GIADDR field. If different address pools within the VLAN were to be used for different users, the radius agentopt could provide the additional information about the user's identity. >2) Seems like it might be dangerous to cache the radius stuff and then > later (how much later? hours?) include it in messages to the DHC > server. Could you identify a specific danger due to the 802.1X switch holding the identity of the user associated with the port, please? > How does the server know the information is accurate or relevant? The DHC server is assumed to trust the administration of the switch and the RADIUS server. The only way for the information to get associated with the port is a valid user authentication because it is sent by the AAA (RADIUS) server with an Accept message. The switch and RADIUS server are all part of the trusted network infrastructure, not necessarily the host. We anticipate further discussion of the security considerations in Minneapolis because forgery and replay of the identity in the option may not be blocked in sufficient depth. Perimeter protection may be insufficient. > Moreover, should the DHC server trust those radius AVPs > without itself checking with the radius server? I would think not, > in which case what is the benefit of even including that info in > the DHCP messages, when the DHC server can presumably just get the > info directly from the radius server itself? In most cases the host's next requirement, after enabling forwarding through the switch port, is an IP address to enable communication beyond the local (layer-2) link. Why add another AAA transaction by the DHC server when the user's identity has just been authenticated at the same access point for 802.1X? In order to check with the RADIUS server, the DHC server would need to provide user's credentials. But since the user in not actually involved in this check, any use of the user's credentials would be a replay, which some authentication methods (e.g. one-time passwords) effectively prevent. >3) Seems like a more general (and less radius specific) approach would > be for the relay agent to include the information that the client > provided, and then let the DHC server query the radius server > itself (just like the access device does). Or, in fact, maybe it > will query a diameter server. Why wire the RADIUS stuff into the > DHCP protocol? As answered above, the DHC server should not (cannot where one-time passwords are used) replay the user authentication. The DCHP traffic cannot pass the 802.1X switch until the original authentication is done. If the 802.1X switch is configured to use Diameter authentication, it would need an agentopt very similar to this one for that method. Since we have the Congdon et. al draft specifying RADIUS back-end authentication, we specified that. John _______________________________________________ dhcwg mailing list dhcwg@ietf.org https://www1.ietf.org/mailman/listinfo/dhcwg
- [dhcwg] draft-ietf-dhc-agentopt-radius-00.txt Thomas Narten
- Re: [dhcwg] draft-ietf-dhc-agentopt-radius-00.txt Ralph Droms
- Re: [dhcwg] draft-ietf-dhc-agentopt-radius-00.txt John Schnizlein