Re: [IPsec] Clarification on identities involved in IKEv2 EAP authentication
Tero Kivinen <kivinen@iki.fi> Wed, 11 November 2009 23:31 UTC

Yoav Nir writes:
> Since the gateway acts as a pass-through, the requirement here is
> more for the client, which is typically more integrated. The client
> should be prepared to give an identity hint both in IKE and later in
> the EAP session.

And in that case the identities should really be the same, and if they
differ then the authenticated identity needs to be used for policy
lookups, meaning that the EAP identity needs to be used. So the gateway
needs to get that authenticated identity from the AAA server so it can
do policy lookups based on it.
-- 
kivinen@iki.fi
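
The lookup rule described in the message above, sketched as gateway-side logic. This is an added example, not part of the original message or of any IKEv2 implementation. The function name, the policy table and the fail-closed behaviour when the AAA server reports no identity are assumptions made for illustration.

```python
# Added illustration: all names and the policy table are hypothetical.
from dataclasses import dataclass
from typing import List, Optional


class PolicyError(Exception):
    """Raised when no policy may be selected for the peer."""


@dataclass(frozen=True)
class Policy:
    name: str
    traffic_selectors: tuple


# Constructed sample policy database, keyed by authenticated identity.
POLICIES = {
    "alice@example.com": Policy("admins", ("10.0.0.0/8",)),
    "bob@example.com": Policy("staff", ("10.20.0.0/16",)),
}


def select_policy(ike_idi: str, aaa_identity: Optional[str],
                  audit_log: List[str]) -> Policy:
    """Select the policy for a peer that authenticated with EAP.

    ike_idi      -- identity hint from the IKE IDi payload; EAP did not verify it
    aaa_identity -- identity the AAA server reports as authenticated, or None
    audit_log    -- list that collects audit messages
    """
    if not aaa_identity:
        # Assumption: fail closed instead of falling back to the
        # unauthenticated IDi hint.
        raise PolicyError("AAA server returned no authenticated identity")
    if ike_idi != aaa_identity:
        # The identities differ: record it, then continue with the EAP one.
        audit_log.append(
            f"identity mismatch: IDi={ike_idi!r} EAP={aaa_identity!r}")
    policy = POLICIES.get(aaa_identity)
    if policy is None:
        raise PolicyError(f"no policy for {aaa_identity!r}")
    return policy
```

With the constructed table, a peer that sends IDi `alice@example.com` but completes EAP as `bob@example.com` receives the `staff` policy, not `admins`.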