Re: Radius authentication and client configuration
"pcalhoun@eng.sun.com" <Patrice.Calhoun@Eng.Sun.Com> Thu, 16 April 1998 20:15 UTC
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id QAA14291 for ipsec-outgoing; Thu, 16 Apr 1998 16:15:39 -0400 (EDT)
Date: Thu, 16 Apr 1998 13:28:41 -0700
From: "pcalhoun@eng.sun.com" <Patrice.Calhoun@Eng.Sun.Com>
Reply-To: "pcalhoun@eng.sun.com" <Patrice.Calhoun@Eng.Sun.Com>
Subject: Re: Radius authentication and client configuration
To: Gabriel Montenegro <gab@Eng.Sun.Com>
Cc: Shawn Mamros <smamros@BayNetworks.COM>, "pcalhoun@eng.sun.com" <Patrice.Calhoun@Eng.Sun.Com>, "'ipsec@tis.com'" <ipsec@tis.com>
In-Reply-To: "Your message with ID" <Roam.SIMC.2.0.6.892741806.31348.gab@eng.sun.com>
Message-ID: <Roam.SIMCSD.2.0.4.892758521.30379.pcalhoun@hsmpka>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET="US-ASCII"
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
> > By placing policy/configuration setup in ISAKMP (between Phases 1 and 2) > > under protection of the ISAKMP SA, Roy's proposal for an ISAKMP Configuration > > Method addresses the security needs quite nicely. That's not to say that > > one couldn't base the payload/exchange format on DIAMETER or whatever else > > is already out there. But the ISAKMP SA only protects ISAKMP, and until the > > IPSEC SAs are set up, ISAKMP may very well be all you can trust. > > Agree. > > It seems like the *cfg* and *xauth* drafts may just take existing payloads > defined elsewhere to achieve their purposes. For example, xauth > could just say: let's use EAP payloads (as I suggested > in LA). EAP did start in ppp land, but has since been applied to > (that is, its payloads have been reused in) SOCKS, RADIUS, DIAMETER. > > So yes, if a good payload exists, reuse it. > > -gabriel > I would like to second Gabriel's statement here. I also would strongly favor the use of EAP as opposed to another mechanism. If you take a look at draft-calhoun-diameter-eap-01.txt and draft-ietf-radius-eap-02.txt you will see how EAP fits into the Policy infrastructure. In addition, my draft draft-ietf-aft-socks-eap-00.txt proves that EAP is not a PPP-only protocol and can be re-used in a variety of services. I would hope that IPSEC would be a good candidate. (btw, there already exists an ISAKMP extension to EAP that you may want to take a look at - draft-ietf-pppext-eapisakmp-00.txt). PatC
- Radius authentication and client configuration Leonard Schwartz
- Re: Radius authentication and client configuration Robert Moskowitz
- Re: Radius authentication and client configuration pcalhoun@eng.sun.com
- Re: Radius authentication and client configuration Robert Moskowitz
- Re: Radius authentication and client configuration pcalhoun@eng.sun.com
- RE: Radius authentication and client configuration Roy Pereira
- RE: Radius authentication and client configuration pcalhoun@eng.sun.com
- Re: Radius authentication and client configuration Shawn Mamros
- Re: Radius authentication and client configuration Gabriel Montenegro
- Re: Radius authentication and client configuration Robert Moskowitz
- Re: Radius authentication and client configuration Robert Moskowitz
- Re: Radius authentication and client configuration pcalhoun@eng.sun.com
- RE: Radius authentication and client configuration Roy Pereira
- Re: Radius authentication and client configuration pcalhoun@eng.sun.com
- RE: Radius authentication and client configuration pcalhoun@eng.sun.com
- RE: Radius authentication and client configuration Roy Pereira
- RE: Radius authentication and client configuration Roy Pereira
- RE: Radius authentication and client configuration Roy Pereira
- Re: Radius authentication and client configuration Shawn Mamros
- Re: Radius authentication and client configuration Vipul Gupta
- RE: Radius authentication and client configuration pcalhoun@eng.sun.com
- RE: Radius authentication and client configuration pcalhoun@eng.sun.com
- RE: Radius authentication and client configuration pcalhoun@eng.sun.com