There are definite advantages to doing endpoint assessment checks at the time of network access; however, this use of EAP is not covered by the EAP applicability statement since it is not authentication. EAP was designed for user authentication. Many deployments rely upon the EAP method to authenticate the EAP Peer and EAP Server and generate a Peer Name and Server Name for authorization and accounting purposes. Endpoint assessment techniques do not always provide this type of authentication and naming. In addition, if the assessment data is tightly coupled with a specific EAP authentication method, it will restrict the plug-ability of EAP methods in different deployments. The draft should RECOMMEND that endpoint assessment data be incorporated into an EAP exchange along with existing peer and server authentication as an enhancement to the authorization process. One mechanism to achieve this is to exchange the NEA data within an EAP tunnel method that can also provide the peer and server authentication.
Here is some suggested text for section 2.2:

"2.2. Endpoint Assessment

Recently, EAP methods have been used to carry endpoint posture information to assess the health of an endpoint. This is the topic of the IETF "Network Endpoint Assessment" (NEA) working group. This working group is developing mechanisms for carrying posture data over EAP. The information exchanged is unrelated to user authentication - the information covers the state of the computing device only, independently of the user who is using it. Implementations of this technology have been developed that embed the posture data within another EAP method or within a stand-alone method.

This use of EAP is not covered by the EAP applicability statement since it is not authentication, which is what EAP was designed to do. Many deployments rely upon the EAP method to authenticate and generate an EAP Peer Name and EAP Server Name, which are then used for authorization and accounting purposes. Endpoint assessment techniques do not always provide the type of authenticated name used for authorization and accounting. It is RECOMMENDED that endpoint assessment data be incorporated into an EAP exchange along with existing peer and server authentication as an enhancement to the authorization process. One mechanism to achieve this is to exchange the NEA data within an EAP tunnel method that can also provide the peer and server authentication.

The size of the posture data may also be a concern when performing endpoint assessment. Care should be taken to limit the amount and type of data communicated in the assessment process. For example, it is inappropriate to transfer software patches to be applied on the endpoint over the EAP channel, since this would fall into the category of "bulk data transport"."

_______________________________________________
abfab mailing list
https://www.ietf.org/mailman/listinfo/abfab