Re: [IPsec] Clarification on identities involved in IKEv2EAPauthentication

"Murthy N Srinivas-B22237" <B22237@freescale.com> Thu, 12 November 2009 01:59 UTC

Return-Path: <B22237@freescale.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 840F228C17B for <ipsec@core3.amsl.com>; Wed, 11 Nov 2009 17:59:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BZFe+2rT8QRT for <ipsec@core3.amsl.com>; Wed, 11 Nov 2009 17:59:37 -0800 (PST)
Received: from az33egw02.freescale.net (az33egw02.freescale.net [192.88.158.103]) by core3.amsl.com (Postfix) with ESMTP id A11FE28C184 for <ipsec@ietf.org>; Wed, 11 Nov 2009 17:59:37 -0800 (PST)
Received: from az33smr02.freescale.net (az33smr02.freescale.net [10.64.34.200]) by az33egw02.freescale.net (8.14.3/az33egw02) with ESMTP id nAC1xoXf019105 for <ipsec@ietf.org>; Wed, 11 Nov 2009 18:59:55 -0700 (MST)
Received: from zin33exm29.fsl.freescale.net (zin33exm29.ap.freescale.net [10.232.192.28]) by az33smr02.freescale.net (8.13.1/8.13.0) with ESMTP id nAC1xnbO023980 for <ipsec@ietf.org>; Wed, 11 Nov 2009 19:59:50 -0600 (CST)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Thu, 12 Nov 2009 07:29:47 +0530
Message-ID: <2E13B90533934A499FD727F9B353613C5155A7@zin33exm29.fsl.freescale.net>
In-Reply-To: <19195.18766.767555.230392@fireball.kivinen.iki.fi>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [IPsec] Clarification on identities involved in IKEv2EAPauthentication
Thread-Index: AcpjJy+IbwOddBiQS5iIcvnXvUEoawAElh4g
References: <1CFAB1B15A6C1142BD1FC07D1CA82AB2015F102B@XMB-BGL-417.cisco.com><4C814C81-70C3-4597-B279-FED18230331C@checkpoint.com><3A8C969225424C4D8E6BEE65ED8552DA4C446E@XMB-BGL-41C.cisco.com><39008D85-3D9B-4B8B-A9FA-C4C91658630E@checkpoint.com><3A8C969225424C4D8E6BEE65ED8552DA4C4472@XMB-BGL-41C.cisco.com><4A5E60B4-E903-441F-A839-09FE9198B468@checkpoint.com> <19195.18766.767555.230392@fireball.kivinen.iki.fi>
From: "Murthy N Srinivas-B22237" <B22237@freescale.com>
To: "Tero Kivinen" <kivinen@iki.fi>, "Yoav Nir" <ynir@checkpoint.com>
X-Brightmail-Tracker: AAAAAQAAAWE=
X-Brightmail-Tracker: AAAAAQAAAWE=
X-Mailman-Approved-At: Thu, 12 Nov 2009 08:08:39 -0800
Cc: ipsec@ietf.org, "Amjad Inamdar \(amjads\)" <amjads@cisco.com>
Subject: Re: [IPsec] Clarification on identities involved in IKEv2EAPauthentication
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Nov 2009 02:01:38 -0000

 Policy lookups are selected by Authenticator based on Authorization
information received from AAA server after successful Authentication.
The AAA sever uses an attribute(radius) to send a reference to the
Authorization information specific for the specific client.The
Authenticator need not know the EAP identitity of the client, if it is
different from IKE identity.  

The Authenticator requires to know the EAP identity only if it
implements the AAA server functionality.
 
ns murthy

-----Original Message-----
From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] On Behalf
Of Tero Kivinen
Sent: Thursday, November 12, 2009 5:01 AM
To: Yoav Nir
Cc: ipsec@ietf.org; Amjad Inamdar (amjads)
Subject: Re: [IPsec] Clarification on identities involved in
IKEv2EAPauthentication

Yoav Nir writes:
> Since the gateway acts as a pass-through, the requirement here is more

> for the client, which is typically more integrated. The client should 
> be prepared to give an identity hint both in IKE and later in the EAP 
> session.

And in that case the identities should really be same, and if they
differ then the authenticated identity needs to be used for policy
lookups, meaning that the EAP identity needs to be used. So the gateway
needs to get that authenticated identity from the AAA server so it can
do policy lookups based on it. 
--
kivinen@iki.fi
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec