> -----Original Message-----
> From: Richard [mailto:[email protected]] 
> Sent: Monday, July 27, 2009 7:54 AM
> To: Joseph Salowey (jsalowey); [email protected]
> Subject: If we use the Radius property extension
> 
> Hi, all:
>  
> The link to the slide:
> http://www.ietf.org/proceedings/75/slides/emu-10.ppt
> Thanks for your comments in the EMU session.
>  
> Yes, the Radius property extension could be one solution.
> The problem with it is:
> the Radius server has to handle the WAPI packet (certificate 
> authentication response), which would lead to tight coupling 
> between Radius and WAPI (ASE).
>  
> Compared to it, the EAP solution is simple and makes the 
> coupling with WAPI loose.
> The Radius server need not check what is going on with WAPI (EAP-WAI). 
> There is a standard interface to let Radius know the 
> result of authentication (EAP-SUCCESS or EAP-FAILURE).
> From the AAA server's perspective, there is nothing special about 
> EAP-WAI compared to the other authentication methods such as EAP-TLS.
> The loose coupling of the EAP solution is a main advantage over 
> the Radius extension method. 
> 
[Joe] EAP-Success and EAP-Failure are for the Peer and not the RADIUS
client.  The RADIUS access-accept and access-reject are for the RADIUS
client.  

 
> Yes, the EAP framework is to authenticate the station 
> (supplicant). I guess the main reason is that most 
> authentication methods are to authenticate the supplicant, 
> and the behavior of Authenticator is pass-through.

[Joe] Correct.

> Now, WAPI is a use case of authenticating the authenticator 
> (the behavior of the Authenticator is not pass-through). And there 
> may be more protocols which have similar behavior (use 
> cases) like WAPI. 

[Joe] When the authenticator does not run in pass-through, the EAP
communication is only between the Peer and the EAP authenticator; EAP is
not communicated to the AAA.

> Could we allow the EAP method behavior like the WAI over EAP 
> instead of forbidding it?
>  
[Joe] Not without changing the EAP architecture.  

> Anyway, the problem I am trying to resolve is to reuse the 
> AAA and avoid the tight coupling between Radius and WAPI (ASE).
>  
> Do you have any better solution to it?
>  
[Joe] You need to have an AAA server talk to a WAI service.  You need to
define some protocol or API to do this.  You would like EAP to be this
protocol, but this is not the appropriate use for EAP, as it is bound to
the communication between the EAP peer and EAP authenticator.  You can
define a separate protocol that includes messages that indicate success
or failure clearly.  This protocol can be incorporated into RADIUS
attributes just as EAP can.


> Regards
> Richard
> 
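To make the split Joe describes concrete (EAP-Success/Failure are addressed to the peer, Access-Accept/Reject to the RADIUS client, and nothing EAP reaches the AAA server when the authenticator is not pass-through), here is an added Python model. It is not part of the thread and is not code from either participant. The EAP framing and the code values follow RFC 3748, the RADIUS codes RFC 2865, and the EAP-Message attribute type (79) RFC 3579; the credential comparison, the class names and the `constructed-credential` value are constructed stand-ins for a real EAP method.

```python
import hmac
import struct

# EAP packet codes (RFC 3748 section 4).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
# RADIUS packet codes (RFC 2865) and the EAP-Message attribute type (RFC 3579).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_EAP_MESSAGE = 79


def eap_packet(code, identifier, data=b""):
    """Build an EAP packet: Code(1) Identifier(1) Length(2, whole packet) Data."""
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data


def parse_eap(pkt):
    """Return (code, identifier, data); reject a Length field that disagrees with the bytes."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP Length field does not match packet size")
    return code, identifier, pkt[4:]


def radius_attr(attr_type, value):
    """Encode one RADIUS attribute: Type(1) Length(1, incl. header) Value (max 253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one RADIUS attribute")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def parse_attrs(blob):
    """Decode a run of RADIUS attributes into (type, value) pairs."""
    attrs = []
    while blob:
        attr_type, length = blob[0], blob[1]
        if length < 2 or length > len(blob):
            raise ValueError("malformed RADIUS attribute length")
        attrs.append((attr_type, blob[2:length]))
        blob = blob[length:]
    return attrs


class AAAServer:
    """Terminates the EAP method and answers with a RADIUS code plus an EAP-Message."""

    def __init__(self, expected_credential):
        self.expected = expected_credential  # constructed stand-in for method state
        self.eap_seen = 0  # how many EAP packets this server has ever received

    def access_request(self, attr_blob):
        eap_blob = b"".join(v for t, v in parse_attrs(attr_blob) if t == ATTR_EAP_MESSAGE)
        code, identifier, data = parse_eap(eap_blob)
        self.eap_seen += 1
        if code != EAP_RESPONSE:
            raise ValueError("a pass-through authenticator only relays EAP-Responses")
        ok = hmac.compare_digest(data, self.expected)
        # EAP-Success/Failure keep the Identifier of the Response they answer.
        result = eap_packet(EAP_SUCCESS if ok else EAP_FAILURE, identifier)
        return (ACCESS_ACCEPT if ok else ACCESS_REJECT), radius_attr(ATTR_EAP_MESSAGE, result)


class PassThroughAuthenticator:
    """The RFC 3748 model: the method runs on the AAA server, the authenticator relays."""

    def __init__(self, aaa):
        self.aaa = aaa
        self.port_authorized = False

    def forward(self, eap_response):
        radius_code, attr_blob = self.aaa.access_request(
            radius_attr(ATTR_EAP_MESSAGE, eap_response))
        # Port authorisation is decided by the RADIUS code, which is addressed to us...
        self.port_authorized = radius_code == ACCESS_ACCEPT
        # ...while the EAP-Success/Failure inside is handed to the peer unchanged.
        return b"".join(v for t, v in parse_attrs(attr_blob) if t == ATTR_EAP_MESSAGE)


class TerminatingAuthenticator:
    """Non-pass-through: the authenticator runs the method itself, so AAA never sees EAP."""

    def __init__(self, expected_credential):
        self.expected = expected_credential
        self.port_authorized = False

    def handle(self, eap_response):
        code, identifier, data = parse_eap(eap_response)
        ok = code == EAP_RESPONSE and hmac.compare_digest(data, self.expected)
        self.port_authorized = ok
        return eap_packet(EAP_SUCCESS if ok else EAP_FAILURE, identifier)


if __name__ == "__main__":
    aaa = AAAServer(b"constructed-credential")
    relay = PassThroughAuthenticator(aaa)
    print(parse_eap(relay.forward(eap_packet(EAP_RESPONSE, 5, b"constructed-credential"))))
    local = TerminatingAuthenticator(b"constructed-credential")
    local.handle(eap_packet(EAP_RESPONSE, 6, b"constructed-credential"))
    print("AAA saw", aaa.eap_seen, "EAP packet(s)")
```

Running it shows the two outcomes side by side: with the pass-through authenticator the AAA server sees every EAP-Response and the port opens only on Access-Accept; with the terminating authenticator the peer still gets an EAP-Success, but the AAA server's counter never moves, which is exactly why a separate protocol between the authenticator and AAA is needed in that case.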
_______________________________________________
Emu mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/emu
