Like I said over PCP ML, the AAA message that delivers EAP Success and MSK also delivers the authorized lifetime. This is one of the tasks of the Authentication-"Authorization"-Accounting (AAA) server: to tell the NAS for how long the authenticated entity is authorized to access the requested service. The session lifetime can be set to this received value, or a smaller value by the NAS and the authenticated client -- hopefully in a coordinated way. The MSK lifetime is set to this value as well.

Now, if someone tells me the NAS can set the lifetime value to anything irrespective of the lifetime received from the AAA, then I say he's using a centralized AA (authentication and accounting) server with distributed A (Authorization). An interesting case, not typical but doable. Someone may have a very special reason to do that.

Regarding the application state that is created within the authorized application session, yes I understand and agree that it may survive beyond the authorized session. But that's very application specific. We need to discuss that in the scope of specific applications.

Alper

On Oct 19, 2012, at 9:09 PM, Sam Hartman wrote:

> OK.
> If we're all agreed that it is clear I'm fine adding no text.
> However, Alper claimed that the EAP keying framework requires something
> close to option 2.
>
> It sounds like that's not my interpretation or your interpretation.
> If we think others might read things the same as Alper, then I think we
> should clarify things in the applicability statement.
> If we think that sort of reading is unlikely, I'm fine saying nothing.
>
> --Sam
> _______________________________________________
> abfab mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/abfab
