Archive

> -----Original Message-----
> From: Bernard Aboba [mailto:aboba@internaut.com] 
> Sent: Thursday, August 25, 2005 11:40 PM
> To: Salowey, Joe
> Cc: Ali Fessi; secmech@ietf.org
> Subject: RE: [SECMECH] Framework Bindings Vs. Mechanism Bridges
> 
> > > EAP-Kerb/IAKERB/GSS is inherently different other EAP methods 
> > > because it requires support for the method on the NAS.  
> That is, the 
> > > NAS needs to support Kerberos for a peer to be able to 
> submit a TGS 
> > > to the NAS in order to obtain network access.
> > > 
> > [Joe] I'm not quite sure what you mean. If a AAA server is not 
> > involved then this is not really any different than 
> terminating EAP-TLS on a NAS.
> 
> It's different because the NAS needs to support Kerberos even 
> if it is operating in "Pass-through" mode.  

[Joe] Then its not operating in "Pass-through" mode, it is terminating
EAP (acting as an EAP server).

> In contrast, a 
> NAS operating in pass-through mode for EAP-TLS doesn't need 
> to validate the client certificate. 
> 
> > It could also be possible to still involve a AAA and have 
> it terminate 
> > the method and talk to the KDC. If you are trying to implement a 
> > method that is evaluated by both the NAS and the AAA in the same 
> > transaction you are really doing something other than EAP.
> 
> In all the EAP Kerberos proposals I've seen the method is 
> terminated on either the NAS or AAA server, but not both.  
> But in any scenario, the NAS still needs to support Kerberos, 
> in order to validate the "network access" service ticket. 

[Joe] If this is done in the same method execution instance it seems
problematic to me, because you have in effect two EAP-servers (one in
the AAA and one in the NAS) processing the EAP messages.  This is not
EAP. 

_______________________________________________
SECMECH mailing list
SECMECH@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/secmech