Jim,

> 1. The data is carried in a RADIUS attribute. Such an attribute may
> already exist, I have not done any type of exhaustive search, and just
> needs to be documented. I can see other access points wanting to require
> an LOA in just the straight RADIUS AAA world.

I'm not aware of any standardised semantics to convey this either. It could always be defined, of course, either within the standard or vendor-specific RADIUS namespaces.

> 2. The data could be carried in a SAML request. As long as the IdP and
> the AAA Radius server are co-existent this would not be a problem. But it
> does mean that the SAML request now needs to be parsed for some
> information before the EAP processes are run in order to determine which
> EAP methods are acceptable to the RP.

This is certainly reasonable, as SAML allows the RP to specify conditions on authentication requests. Any modern RADIUS implementation would support this for the RADIUS attribute case today (we have a FreeRADIUS module for processing SAML requests that could be extended to cover the SAML case that you describe without much difficulty, I believe).

You also have a third option, which is to infer the LoA from the source of the request. This obviously doesn't help in the case where an RP needs >1 LoA for a particular IdP.

Josh.

JANET(UK) is a trading name of The JNT Association, a company limited by guarantee which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG

_______________________________________________
abfab mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/abfab
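Options 1 and 2 from the message above, as an added example that is not part of the thread and not JANET(UK)'s FreeRADIUS module: a Python sketch that parses a constructed SAML AuthnRequest's RequestedAuthnContext before EAP method selection and filters the IdP's EAP methods against an assumed local ranking of context classes and methods, plus a helper that packs a numeric LoA into an RFC 2865 Vendor-Specific attribute. The sample request, the two policy tables, the method names and the vendor id passed to `loa_vsa` are all assumptions.

```python
import struct
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed AuthnRequest (not from the thread): the RP asks for at least TLSClient.
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_c0ffee" Version="2.0" IssueInstant="2011-03-01T12:00:00Z">
  <saml:Issuer>https://rp.example.org/</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="minimum">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

# Assumed local policy: strength rank of each SAML authentication context class.
CONTEXT_RANK = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password": 1,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": 2,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient": 3,
}
# Assumed local policy: the strongest context each EAP method can satisfy at this IdP.
EAP_METHOD_RANK = {"EAP-GTC": 1, "EAP-TTLS/PAP": 2, "EAP-TLS": 3}


def requested_ranks(authn_request_xml):
    """Return (comparison, ranks) from RequestedAuthnContext; ("minimum", [0]) if absent."""
    root = ET.fromstring(authn_request_xml)
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return "minimum", [0]  # the RP stated no requirement
    refs = [e.text.strip() for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef")]
    unknown = [r for r in refs if r not in CONTEXT_RANK]
    if unknown or not refs:
        raise ValueError(f"unsupported AuthnContextClassRef(s): {unknown or 'none given'}")
    return rac.get("Comparison", "exact"), [CONTEXT_RANK[r] for r in refs]


def acceptable_eap_methods(authn_request_xml):
    """EAP methods the IdP may offer without violating the RP's requested context."""
    comparison, ranks = requested_ranks(authn_request_xml)
    if comparison == "exact":
        ok = lambda rank: rank in ranks
    elif comparison == "minimum":
        ok = lambda rank: rank >= min(ranks)
    elif comparison == "better":
        ok = lambda rank: rank > max(ranks)
    else:  # "maximum": no stronger than the strongest context listed
        ok = lambda rank: rank <= max(ranks)
    return sorted(m for m, rank in EAP_METHOD_RANK.items() if ok(rank))


def loa_vsa(vendor_id, vendor_type, loa):
    """RFC 2865 Vendor-Specific attribute (type 26) carrying a one-byte LoA value."""
    sub = struct.pack("!BBB", vendor_type, 3, loa)   # vendor-type, vendor-length, value
    return struct.pack("!BBI", 26, 6 + len(sub), vendor_id) + sub
```

The vendor id used with `loa_vsa` must be a placeholder or your own IANA-assigned enterprise number; nothing in the thread assigns one.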
