RE: [SECMECH] Framework Bindings Vs. Mechanism Bridges

Bernard Aboba <> Fri, 26 August 2005 14:17 UTC

Date: Thu, 25 Aug 2005 23:40:04 -0700 (PDT)
From: Bernard Aboba <>
To: "Salowey, Joe" <>
Subject: RE: [SECMECH] Framework Bindings Vs. Mechanism Bridges
In-Reply-To: <>
Message-ID: <>
References: <>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
List-Id: Security mechanisms BOF <>

> > EAP-Kerb/IAKERB/GSS is inherently different from other EAP methods 
> > because it requires support for the method on the NAS.  That 
> > is, the NAS needs to support Kerberos for a peer to be able 
> > to submit a TGS to the NAS in order to obtain network access. 
> > 
> [Joe] I'm not quite sure what you mean. If a AAA server is not involved
> then this is not really any different than terminating EAP-TLS on a NAS.

It's different because the NAS needs to support Kerberos even if it is 
operating in "Pass-through" mode.  In contrast, a NAS operating in 
pass-through mode for EAP-TLS doesn't need to validate the client 

> It could also be possible to still involve a AAA and have it terminate
> the method and talk to the KDC. If you are trying to implement a method
> that is evaluated by both the NAS and the AAA in the same transaction
> you are really doing something other than EAP. 

In all the EAP Kerberos proposals I've seen, the method is terminated on
either the NAS or AAA server, but not both.  But in any scenario, the
NAS still needs to support Kerberos, in order to validate the "network
access" service ticket. 

SECMECH mailing list
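The contrast drawn in this message (a pass-through NAS treats an EAP-TLS exchange as opaque and acts only on the AAA server's decision, whereas a Kerberos service ticket for the "network access" service is bound to the NAS's own long-term key and therefore has to be checked on the NAS) as an added toy simulation. This is editor-supplied example code, not from the thread or from any EAP-Kerberos draft. The principal names, the ticket field layout, and the use of an HMAC tag under the service key as a stand-in for Kerberos's encryption of the ticket under that key are all constructed assumptions made to keep the model self-contained.

```python
"""Toy model: why an EAP-Kerberos NAS needs Kerberos key material even when an
AAA server sits in the path, versus an EAP-TLS NAS in pass-through mode.

Constructed illustration (not a Kerberos implementation): an HMAC-SHA256 tag
computed under the service principal's key stands in for the real Kerberos
encryption of the service ticket under that key.  Only a party holding that
key can validate the ticket; that is the property the message relies on.
"""
import hashlib
import hmac
import json
import time

# Constructed KDC key table: one long-term key per service principal.
KDC_KEYS = {
    "host/nas1.example": b"nas1-long-term-key",   # the NAS itself
    "aaa/aaa1.example": b"aaa1-long-term-key",    # the AAA server
}


def _canonical(body):
    return json.dumps(body, sort_keys=True).encode()


def issue_service_ticket(kdc_keys, client, service, now, lifetime=300):
    """KDC side: bind a ticket to `service` by tagging it with that principal's key."""
    body = {"client": client, "service": service, "start": now, "end": now + lifetime}
    tag = hmac.new(kdc_keys[service], _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def validate_service_ticket(ticket, my_principal, my_key, now):
    """Service side: returns (ok, reason).  Fails unless `my_key` is the key the
    ticket was issued under, the ticket names this principal, and it is in its
    validity window."""
    body = ticket["body"]
    expected = hmac.new(my_key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket["tag"]):
        return False, "ticket was not issued under this principal's key"
    if body["service"] != my_principal:
        return False, "ticket names a different service"
    if not (body["start"] <= now <= body["end"]):
        return False, "ticket expired or not yet valid"
    return True, "ok"


def passthrough_nas(eap_payload, aaa_decide):
    """EAP-TLS style pass-through: the NAS never parses the EAP payload; it relays
    it and enforces whatever Accept/Reject the AAA server returns."""
    return aaa_decide(eap_payload)


def kerberos_nas(ticket, nas_principal, nas_key, now):
    """EAP-Kerberos style: regardless of where the EAP method is terminated, the
    'network access' service ticket is bound to the NAS key, so the NAS must
    hold that key and validate the ticket itself."""
    return validate_service_ticket(ticket, nas_principal, nas_key, now)


if __name__ == "__main__":
    now = int(time.time())
    ticket = issue_service_ticket(KDC_KEYS, "alice@EXAMPLE", "host/nas1.example", now)

    # Pass-through: the NAS only needs the AAA decision.
    print("EAP-TLS pass-through NAS:", passthrough_nas(b"\x02\x01\x00\x0a\x0d\x20", lambda p: "Accept"))

    # Kerberos: the NAS can validate, the AAA server (different principal/key) cannot.
    print("NAS validates ticket:", kerberos_nas(ticket, "host/nas1.example", KDC_KEYS["host/nas1.example"], now))
    print("AAA tries to validate:", validate_service_ticket(ticket, "aaa/aaa1.example", KDC_KEYS["aaa/aaa1.example"], now))
    print("NAS, ticket expired:", kerberos_nas(ticket, "host/nas1.example", KDC_KEYS["host/nas1.example"], now + 3600))
```

The failing AAA-side check is the point of the model: a ticket issued for the NAS principal is unverifiable by any party that lacks the NAS key, so terminating the EAP conversation on the AAA server does not remove the Kerberos dependency from the NAS.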