Re: [IPsec] Clarification on identities involved in IKEv2EAPauthentication

Raj Singh <rsjenwar@gmail.com> Thu, 12 November 2009 03:34 UTC

Return-Path: <rsjenwar@gmail.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A4B273A676A for <ipsec@core3.amsl.com>; Wed, 11 Nov 2009 19:34:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kpdmw4J7362x for <ipsec@core3.amsl.com>; Wed, 11 Nov 2009 19:34:06 -0800 (PST)
Received: from mail-bw0-f223.google.com (mail-bw0-f223.google.com [209.85.218.223]) by core3.amsl.com (Postfix) with ESMTP id 836D33A67AB for <ipsec@ietf.org>; Wed, 11 Nov 2009 19:34:06 -0800 (PST)
Received: by bwz23 with SMTP id 23so1803234bwz.29 for <ipsec@ietf.org>; Wed, 11 Nov 2009 19:34:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type; bh=fFhoB+x20dgDr+HY7uTU2rLzanuR1+ncxsU4tnOWUgQ=; b=x8TYZVAYxs/kdW5rEZm4h6Z9nGrdcFDEyKaYnvnj9krfWxJsG1lE3YBhfaCciSh7C1 mBqsxQv0Oc/LP0Q/GebOxi1O9vBn0x+6wLNOcq4OyY1QlCt20BykCCx7AZrC46QpKJ6T 18gI+4UEB9nKY7nBgpjAIboLx6dz1Rk5lA9ng=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=kLGITk/qRx2ZGqd+B1nb6M56JNrkRlFDudPYzXd7HWXC1igsNJmTm344u7X1x6QWyW IlHSFAmfbY4oilbk0t652aQ2qeawuspa3ytTwaeTw24pt5mX4I0HCNwOsFLhC8jtb6b7 LdbXdocgwj/oHjQTkB4owxII7H+lkVUj3pppo=
MIME-Version: 1.0
Received: by 10.216.93.17 with SMTP id k17mr30504wef.31.1257996872563; Wed, 11 Nov 2009 19:34:32 -0800 (PST)
In-Reply-To: <19195.18766.767555.230392@fireball.kivinen.iki.fi>
References: <1CFAB1B15A6C1142BD1FC07D1CA82AB2015F102B@XMB-BGL-417.cisco.com> <4C814C81-70C3-4597-B279-FED18230331C@checkpoint.com> <3A8C969225424C4D8E6BEE65ED8552DA4C446E@XMB-BGL-41C.cisco.com> <39008D85-3D9B-4B8B-A9FA-C4C91658630E@checkpoint.com> <3A8C969225424C4D8E6BEE65ED8552DA4C4472@XMB-BGL-41C.cisco.com> <4A5E60B4-E903-441F-A839-09FE9198B468@checkpoint.com> <19195.18766.767555.230392@fireball.kivinen.iki.fi>
Date: Thu, 12 Nov 2009 09:04:32 +0530
Message-ID: <7ccecf670911111934u70f28feegf053b835ff3fb0f@mail.gmail.com>
From: Raj Singh <rsjenwar@gmail.com>
To: Tero Kivinen <kivinen@iki.fi>
Content-Type: multipart/alternative; boundary=0016e6d7e33ab7bb4a047824382c
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, Yoav Nir <ynir@checkpoint.com>, "Amjad Inamdar \(amjads\)" <amjads@cisco.com>
Subject: Re: [IPsec] Clarification on identities involved in IKEv2EAPauthentication
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Nov 2009 03:34:07 -0000

The selection of AAA server will be based on IDi then EAP will happen.
The gateway will get EAP authenticated ID from the AAA server.
If EAP identity is different from IDi and no policy is found for EAP
identity.
The gateway should initiate deletion of the SA.
Also, if policy is found based on EAP identity, but its different from IDi,
EAP identity should be given priority and its attributes should be applied
on that SA.

On Thu, Nov 12, 2009 at 5:01 AM, Tero Kivinen <kivinen@iki.fi> wrote:

> Yoav Nir writes:
> > Since the gateway acts as a pass-through, the requirement here is
> > more for the client, which is typically more integrated. The client
> > should be prepared to give an identity hint both in IKE and later in
> > the EAP session.
>
> And in that case the identities should really be same, and if they
> differ then the authenticated identity needs to be used for policy
> lookups, meaning that the EAP identity needs to be used. So the
> gateway needs to get that authenticated identity from the AAA server
> so it can do policy lookups based on it.
> --
> kivinen@iki.fi
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>