Re: [radext] New Version Notification for draft-henry-radext-stable-mac-identifier-00.txt

Alan DeKok <aland@deployingradius.com> Wed, 17 November 2021 15:15 UTC

From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <30A666C7-3110-41E8-B3B3-4A8CC2F78AD7@cisco.com>
Date: Wed, 17 Nov 2021 10:15:23 -0500
Cc: "lionel.morand@orange.com" <lionel.morand@orange.com>, "radext@ietf.org" <radext@ietf.org>, "Nancy Cam-Winget (ncamwing)" <ncamwing=40cisco.com@dmarc.ietf.org>, Bernard Aboba <bernard.aboba@gmail.com>
Message-Id: <2BA38406-9FF7-4FAF-B6D3-709EBB2DCB74@deployingradius.com>
References: <800563F0-0675-4B19-8286-E03589F2B64D@deployingradius.com> <7E1500CE-0320-4DB4-9615-604D4EC5E39E@gmail.com> <6A131BFA-597D-4DB9-8D92-F808B04FD205@deployingradius.com> <24224_1637145668_6194DC44_24224_211_5_fc4ddd09513d44b1b4c15dfb5c155345@orange.com> <30A666C7-3110-41E8-B3B3-4A8CC2F78AD7@cisco.com>
To: "Jerome Henry (jerhenry)" <jerhenry@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/Mf7gYIqb4oAjrCoOQ9A3g8Kzn88>

On Nov 17, 2021, at 9:43 AM, Jerome Henry (jerhenry) <jerhenry@cisco.com> wrote:
> 
> Fully agree on the right forum and the problem statement (we'll improve the problem statement and will suggest review in OPSAWG).
> On the Acct-Multi-Session-Id,

  Acct-Multi-Session-Id is generated by the NAS, not by the device being authenticated.  While the NAS can *often* tell that one device is using multiple sessions, it can't always make that decision.

  For the NAS to send a unique device identifier which is stable, the device has to give that information to the NAS.  Generally when that happens, the device is authenticating to the network.  At that point, you might as well bypass the NAS entirely, and just dump the stable identifier into EAP.

  A related question is: do you want the NAS to *know* that the device is the same across multiple sessions?  I could see some situations (airports, coffee shops) where you don't want that information shared. But if you're doing roaming, you do want to share that information with the authentication server.

  As such, I think it's best to have a solution where the stable identifier isn't shared with the NAS.

  Alan DeKok.