Re: [IPsec] Clarification on identities involved in IKEv2EAPauthentication

Frederic Detienne <fd@cisco.com> Mon, 16 November 2009 13:32 UTC

Return-Path: <fd@cisco.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 62CEE3A6AAF for <ipsec@core3.amsl.com>; Mon, 16 Nov 2009 05:32:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_63=0.6, J_CHICKENPOX_82=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TFLZfIfm+zYP for <ipsec@core3.amsl.com>; Mon, 16 Nov 2009 05:32:38 -0800 (PST)
Received: from av-tac-bru.cisco.com (weird-brew.cisco.com [144.254.15.118]) by core3.amsl.com (Postfix) with ESMTP id 087653A689E for <ipsec@ietf.org>; Mon, 16 Nov 2009 05:32:37 -0800 (PST)
X-TACSUNS: Virus Scanned
Received: from strange-brew.cisco.com (localhost.cisco.com [127.0.0.1]) by av-tac-bru.cisco.com (8.13.8+Sun/8.13.8) with ESMTP id nAGDP1FV023345; Mon, 16 Nov 2009 14:25:02 +0100 (CET)
Received: from ams-fdetienn-8715.cisco.com (ams-fdetienn-8715.cisco.com [10.55.136.230]) by strange-brew.cisco.com (8.13.8+Sun/8.13.8) with ESMTP id nAGDP0g0019490; Mon, 16 Nov 2009 14:25:00 +0100 (CET)
Mime-Version: 1.0 (Apple Message framework v1077)
Content-Type: text/plain; charset=us-ascii
From: Frederic Detienne <fd@cisco.com>
In-Reply-To: <2E13B90533934A499FD727F9B353613C5156CB@zin33exm29.fsl.freescale.net>
Date: Mon, 16 Nov 2009 14:24:59 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <0B1ECA1C-056C-4F2F-9C33-BF5BA4741558@cisco.com>
References: <1CFAB1B15A6C1142BD1FC07D1CA82AB2015F102B@XMB-BGL-417.cisco.com><4C814C81-70C3-4597-B279-FED18230331C@checkpoint.com><3A8C969225424C4D8E6BEE65ED8552DA4C446E@XMB-BGL-41C.cisco.com><39008D85-3D9B-4B8B-A9FA-C4C91658630E@checkpoint.com><3A8C969225424C4D8E6BEE65ED8552DA4C4472@XMB-BGL-41C.cisco.com><4A5E60B4-E903-441F-A839-09FE9198B468@checkpoint.com> <19195.18766.767555.230392@fireball.kivinen.iki.fi> <2E13B90533934A499FD727F9B353613C5155A7@zin33exm29.fsl.freescale.net> <1CFAB1B15A6C1142BD1FC07D1CA82AB2016E66F5@XMB-BGL-417.cisco.com> <2E13B90533934A499FD727F9B353613C51563E@zin33exm29.fsl.freescale.net> <1CFAB1B15A6C1142BD1FC07D1CA82AB2016E687F@XMB-BGL-417.cisco.com> <2E13B90533934A499FD727F9B353613C5156CB@zin33exm29.fsl.freescale.net>
To: Murthy N Srinivas-B22237 <B22237@freescale.com>
X-Mailer: Apple Mail (2.1077)
Cc: ipsec@ietf.org, Yoav Nir <ynir@checkpoint.com>, Tero Kivinen <kivinen@iki.fi>, "Amjad Inamdar \(amjads\)" <amjads@cisco.com>
Subject: Re: [IPsec] Clarification on identities involved in IKEv2EAPauthentication
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Nov 2009 13:32:39 -0000

On 13 Nov 2009, at 10:10, Murthy N Srinivas-B22237 wrote:

> Amjad,
> 
> AAA Server (Radius server) is configured with
> 1.domain/realm part of the EAP Identity as the "user name".
> 2.Along with this we can configure a radius attribue with a unique
> identifier.This identifier is sent by AAA server to Authenticator along
> with Authention success packet.
> 3.This identifier is known to the Authenticator which controls
> policies.Multiple users can be configured at AAA server with the same
> identifier.
> 4.This way,Authenticator is not required to know the EAP-identity.

the problem is that the RADIUS ACCESS-ACCEPT and the ID would be sent at the end of the EAP exchange -- at this point, it is too late for some operations.

Some characteristics like for instance allowing the use of EAP for a given identity have to be known BEFORE EAP is complete. We do not want to waste time failing the EAP exchange if we can know from the beginning that EAP can't be used for a given identity. An other example is if the domain portion of an RFC822 ID should be used to pick a AAA server from a list of possible servers.

It is reasonable to recommend passing "a sensible" identity from the beginning.

thanks,

	fred

> Thanks
> -nsmurthy
> 
> 
> -----Original Message-----
> From: Amjad Inamdar (amjads) [mailto:amjads@cisco.com] 
> Sent: Friday, November 13, 2009 12:31 PM
> To: Murthy N Srinivas-B22237; Tero Kivinen; Yoav Nir
> Cc: ipsec@ietf.org
> Subject: RE: [IPsec] Clarification on identities involved in
> IKEv2EAPauthentication
> 
> Hi Murthy,
> 
> IKEv2 gatway even when acting as a pass-through would need the
> authenticated EAP identity for local policy decisions. For instance,
> gateway can group remote users based on the authenticated EAP-id (e.g.
> based on the domain/realm part of the ID). Further, with PSK and PKI
> auth methods, it is the authenticated ID that is used for policy
> decisions and that should be same even with EAP auth.
> 
> Thanks,
> -Amjad 
> 
> -----Original Message-----
> From: Murthy N Srinivas-B22237 [mailto:B22237@freescale.com]
> Sent: Thursday, November 12, 2009 6:35 PM
> To: Amjad Inamdar (amjads); Tero Kivinen; Yoav Nir
> Cc: ipsec@ietf.org
> Subject: RE: [IPsec] Clarification on identities involved in
> IKEv2EAPauthentication
> 
> 
> Amjad,
> 
> If the Authenticator includes the AAA server implementation,it should no
> the EAP identity to enforce policies.If AAA server is separate,we can
> add an attribute to AAA server for this purpose and in which case
> Authenticator does not have to know the EAP identity.It will use the
> attribute to select the policies.
> 
> Thanks
> -ns murthy 
> 
> -----Original Message-----
> From: Amjad Inamdar (amjads) [mailto:amjads@cisco.com]
> Sent: Thursday, November 12, 2009 4:09 PM
> To: Murthy N Srinivas-B22237; Tero Kivinen; Yoav Nir
> Cc: ipsec@ietf.org
> Subject: RE: [IPsec] Clarification on identities involved in
> IKEv2EAPauthentication
> 
> Hi Murthy,
> 
> As per the RFC, with EAP authentication, policy lookups and access
> control decisions should be based on EAP identity, so the gatway needs
> to know the EAP identity.
> 
> The source of EAP identity for gateway is either IDi (when IDi is same
> as EAP identity) or AAA server providing authenticated EAP identity
> neither of which is mandated by RFC, and in case client(via IDi) and AAA
> server do not provide EAP identity, the only way gateway can get EAP
> identity is via EAP identity request to the client.
> 
> ----- Ikev2-bis-05 section 2.16, last paragraph -----
>   When the initiator authentication uses EAP, it is possible that the
>   contents of the IDi payload is used only for AAA routing purposes and
>   selecting which EAP method to use.  This value may be different from
>   the identity authenticated by the EAP method.  It is important that
>   policy lookups and access control decisions use the actual
>   authenticated identity.  Often the EAP server is implemented in a
>   separate AAA server that communicates with the IKEv2 responder.  In
>   this case, the authenticated identity has to be sent from the AAA
>   server to the IKEv2 responder.
> ----------------------------------------------------------
> 
> Thanks,
> -Amjad
> 
> 
> 
> -----Original Message-----
> From: Murthy N Srinivas-B22237 [mailto:B22237@freescale.com]
> Sent: Thursday, November 12, 2009 7:30 AM
> To: Tero Kivinen; Yoav Nir
> Cc: ipsec@ietf.org; Amjad Inamdar (amjads)
> Subject: RE: [IPsec] Clarification on identities involved in
> IKEv2EAPauthentication
> 
> 
> Policy lookups are selected by Authenticator based on Authorization
> information received from AAA server after successful Authentication.
> The AAA sever uses an attribute(radius) to send a reference to the
> Authorization information specific for the specific client.The
> Authenticator need not know the EAP identitity of the client, if it is
> different from IKE identity.  
> 
> The Authenticator requires to know the EAP identity only if it
> implements the AAA server functionality.
> 
> ns murthy
> 
> -----Original Message-----
> From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] On Behalf
> Of Tero Kivinen
> Sent: Thursday, November 12, 2009 5:01 AM
> To: Yoav Nir
> Cc: ipsec@ietf.org; Amjad Inamdar (amjads)
> Subject: Re: [IPsec] Clarification on identities involved in
> IKEv2EAPauthentication
> 
> Yoav Nir writes:
>> Since the gateway acts as a pass-through, the requirement here is more
> 
>> for the client, which is typically more integrated. The client should 
>> be prepared to give an identity hint both in IKE and later in the EAP 
>> session.
> 
> And in that case the identities should really be same, and if they
> differ then the authenticated identity needs to be used for policy
> lookups, meaning that the EAP identity needs to be used. So the gateway
> needs to get that authenticated identity from the AAA server so it can
> do policy lookups based on it. 
> --
> kivinen@iki.fi
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
> 
> 
> 
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec