Re: [IPsec] Clarification on identities involved in IKEv2EAPauthentication

Tero Kivinen <kivinen@iki.fi> Wed, 11 November 2009 23:31 UTC

MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <19195.18766.767555.230392@fireball.kivinen.iki.fi>
Date: Thu, 12 Nov 2009 01:31:26 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Yoav Nir <ynir@checkpoint.com>
In-Reply-To: <4A5E60B4-E903-441F-A839-09FE9198B468@checkpoint.com>
References: <1CFAB1B15A6C1142BD1FC07D1CA82AB2015F102B@XMB-BGL-417.cisco.com> <4C814C81-70C3-4597-B279-FED18230331C@checkpoint.com> <3A8C969225424C4D8E6BEE65ED8552DA4C446E@XMB-BGL-41C.cisco.com> <39008D85-3D9B-4B8B-A9FA-C4C91658630E@checkpoint.com> <3A8C969225424C4D8E6BEE65ED8552DA4C4472@XMB-BGL-41C.cisco.com> <4A5E60B4-E903-441F-A839-09FE9198B468@checkpoint.com>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, "Amjad Inamdar (amjads)" <amjads@cisco.com>
Subject: Re: [IPsec] Clarification on identities involved in IKEv2EAPauthentication
Precedence: list

Yoav Nir writes:
> Since the gateway acts as a pass-through, the requirement here is
> more for the client, which is typically more integrated. The client
> should be prepared to give an identity hint both in IKE and later in
> the EAP session.

And in that case the identities should really be same, and if they
differ then the authenticated identity needs to be used for policy
lookups, meaning that the EAP identity needs to be used. So the
gateway needs to get that authenticated identity from the AAA server
so it can do policy lookups based on it. 
-- 
kivinen@iki.fi

[IPsec] Clarification on identities involved in I… Amjad Inamdar (amjads)
Re: [IPsec] Clarification on identities involved … Yoav Nir
Re: [IPsec] Clarification on identities involved … Amjad Inamdar (amjads)
Re: [IPsec] Clarification on identities involved … Paul Hoffman
Re: [IPsec] Clarification on identities involved … shaik abdulla
Re: [IPsec] Clarification on identities involved … Andreas Steffen
Re: [IPsec] Clarification on identities involved … Srinivasu S R S Dhulipala (srinid)
Re: [IPsec] Clarification on identities involved … Yoav Nir
Re: [IPsec] Clarification on identities involved … Srinivasu S R S Dhulipala (srinid)
Re: [IPsec] Clarification on identities involved … Yoav Nir
Re: [IPsec] Clarification on identities involved … Tero Kivinen
Re: [IPsec] Clarification on identities involved … Raj Singh
Re: [IPsec] Clarification on identities involved … Yoav Nir
Re: [IPsec] Clarification on identities involved … Amjad Inamdar (amjads)
Re: [IPsec] Clarification on identities involved … Murthy N Srinivas-B22237
Re: [IPsec] Clarification on identities involved … Murthy N Srinivas-B22237
Re: [IPsec] Clarification on identities involved … Frederic Detienne
Re: [IPsec] Clarification on identities involved … Amjad Inamdar (amjads)
Re: [IPsec] Clarification on identities involved … Murthy N Srinivas-B22237
Re: [IPsec] Clarification on identities involved … Frederic Detienne