> There have been a lot of proposals about EAP and authorization in the
> past. At its very basis EAP performs authentication at the time of
> service access and the data resulting from the authentication can then
> be used for authorization and accounting purposes.
[Qin]: So the data resulting from the authentication can be used not only in authentication but also in authorization. I wonder what it is called: authentication data or authorization data? On the other hand, the data resulting from authorization can also be used in the second authentication. For example, PEAP uses TLS to create an encrypted tunnel from the authentication server to the supplicant after verifying the identity of the authentication server. Once the encrypted tunnel is established, a second EAP authorization process occurs inside the tunnel to extend the TLS connection. Any implemented EAP authorization type (tokens, passwords, certificates, etc.) can be used, as the client is authenticated in the second EAP authentication process running inside the TLS connection. Regarding these data from authorization, what are they called: authentication data or authorization data?

> Some of the proposals attempt to enhance this in various ways.
> One way is to carry additional data for use in the authorization
> process. EAP channel bindings are perhaps the simplest form of
> authorization data proposed for EAP. The authorization data is directly
> related to the service which is performing the authentication, at the
> time of authentication and the exchange is relatively simple; data sent
> from client and result response from server. This exchange helps to
> ensure that an authenticator isn't trying to provide services that it is
> not authorized to. I don't see much purpose in channel bindings if
> they are not used for authorization or accounting for later forensic
> analysis of authorization after the event.

_______________________________________________
Emu mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/emu
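The channel-binding exchange described in the quoted text (peer sends the attributes it observed from the authenticator, server compares them with what the authenticator asserted over AAA and with its authorization policy, and answers with a result) can be modelled as follows. This is an added illustration, not code from the thread or from any EAP implementation: the attribute names (nas_identifier, ssid), the authorization table and the HMAC-SHA256 keyed with a made-up session key are all assumptions standing in for the integrity protection a real EAP method would provide.

```python
"""Toy model of an EAP channel-binding exchange between peer and server.

Added example, not code from the EMU thread. Attribute names, the policy
table and the HMAC keyed with a constructed session key are assumptions;
a real EAP method protects channel-binding data with its own keys.
"""
import hashlib
import hmac
import json

# Constructed: stands in for the integrity key the EAP method would derive.
SESSION_KEY = b"example-session-key"

# Constructed AAA-side policy: the lower-layer identity each authenticator
# is authorized to advertise to peers.
AUTHORIZED = {
    "ap-lobby-01": {"ssid": "corp-wifi"},
    "ap-guest-02": {"ssid": "guest-wifi"},
}


def _mac(payload: dict) -> str:
    """Integrity tag over a canonical encoding of the attributes."""
    data = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(SESSION_KEY, data, hashlib.sha256).hexdigest()


def peer_request(observed: dict) -> dict:
    """Peer side: report what the authenticator advertised, with a MAC."""
    return {"attrs": dict(observed), "mac": _mac(observed)}


def server_response(request: dict, aaa_claimed: dict) -> dict:
    """Server side: check the MAC, then compare the peer's view, the
    authenticator's AAA claims and the authorization policy."""
    if not hmac.compare_digest(request["mac"], _mac(request["attrs"])):
        return {"result": "failure", "reason": "integrity check failed"}

    observed = request["attrs"]
    nas = aaa_claimed.get("nas_identifier")
    policy = AUTHORIZED.get(nas)
    if policy is None:
        return {"result": "failure", "reason": f"unknown authenticator {nas!r}"}

    mismatches = []
    for key, value in observed.items():
        # What the peer saw must match what the authenticator told the AAA server.
        if aaa_claimed.get(key) != value:
            mismatches.append(f"{key}: peer saw {value!r}, AAA got {aaa_claimed.get(key)!r}")
        # And the authenticator must be authorized to provide that service at all.
        expected = policy.get(key)
        if expected is not None and expected != value:
            mismatches.append(f"{key}: {nas!r} not authorized to advertise {value!r}")

    if mismatches:
        return {"result": "failure", "reason": "; ".join(mismatches)}
    return {"result": "success", "reason": ""}


def run_exchange(observed: dict, aaa_claimed: dict) -> dict:
    """Full round trip: peer request followed by the server's result."""
    return server_response(peer_request(observed), aaa_claimed)


if __name__ == "__main__":
    honest = run_exchange(
        {"nas_identifier": "ap-lobby-01", "ssid": "corp-wifi"},
        {"nas_identifier": "ap-lobby-01", "ssid": "corp-wifi"},
    )
    # Constructed rogue case: a guest AP advertises the corporate SSID to the
    # peer while reporting its real, authorized SSID to the AAA server.
    rogue = run_exchange(
        {"nas_identifier": "ap-guest-02", "ssid": "corp-wifi"},
        {"nas_identifier": "ap-guest-02", "ssid": "guest-wifi"},
    )
    print(honest)
    print(rogue)
```

The rogue case is the situation the quoted text has in mind: an authenticator trying to provide a service it is not authorized to. The comparison catches it twice, once because the peer's view disagrees with the AAA claim and once because the policy does not allow that authenticator to advertise that SSID, and the failure reason is the kind of record that would be worth keeping for the later forensic analysis mentioned in the thread.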
