RE: Issue: draft-ietf-radext-digest-auth-06.txt Digest MD5-sess

"Avi Lior" <avi@bridgewatersystems.com> Thu, 05 January 2006 22:28 UTC

Date: Thu, 05 Jan 2006 17:28:28 -0500
From: Avi Lior <avi@bridgewatersystems.com>
To: Alan DeKok <aland@ox.org>, radiusext@ops.ietf.org

See inline: 

> -----Original Message-----
> From: owner-radiusext@ops.ietf.org 
> [mailto:owner-radiusext@ops.ietf.org] On Behalf Of Alan DeKok
> Sent: Friday, December 30, 2005 12:51 PM
> To: radiusext@ops.ietf.org
> Subject: Re: Issue: draft-ietf-radext-digest-auth-06.txt 
> Digest MD5-sess
> 
> Henrik Nordstrom <henrik@henriknordstrom.net> wrote:
> > I brought up this question mainly to ask if the Digest extension to 
> > Radius intentionally blocks session based Digest authentication 
> > (MD5-sess with offload of authentication of further requests within 
> > the same session), or if it is just an oversight thinking that Digest
> > is only per-request authentication.
> 
>   RADIUS *is* per-request authentication.  

Let's not get dogmatic here.  At the RADIUS level perhaps this is true,
but certainly there are scenarios where once the NAS has received a
positive response, the NAS can continue to authenticate without relying
on RADIUS.

So one example is in Mobile IP.  Once the HA has validated the
Registration Request or Binding Update with RADIUS, it can continue to
authenticate subsequent bind requests or Registration Requests received
from that user. This is only limited by a lifetime received from the AAA
server.

I can give you more examples if you want.
