Glen Zorn wrote:
> Indeed it could, but all you really seem to be asking for is a way for the
> corporation to be able to control the configuration of the client.

That is already done outside of the scope of EAP. (VPN config, Directory services, etc.) The only requirement I see for EAP is that it support channel bindings, and an indication that the home AAA approves of the connection.

> As you point out, it is reasonable to expect that the corporation knows the
> identity of its own access points; why does it matter what the client
> _thinks_ (for lack of a better word) that it is attached to? I cannot see
> any purpose for the client sending the SSID of the network to which it
> attached.

It's part of the channel binding. It closes the loop between what the NAS tells the AAA, and what the NAS tells the client.

Right now in a commercial roaming scenario, the NAS could tell the user "we're partner X: $0.05 / minute". It could *really* be partner Y: $5.00 / minute. The user naively connects, and the bill is larger than expected. The partner gets paid, and the user gets blamed for not paying attention.

> In fact, it seems that all that is necessary is the ability to
> remotely modify the configuration of a client; why is the job of EAP, again?

I don't think it is. I think EAP might *motivate* changes in the config. i.e. I could provision a machine to run a script after authentication. That script would check the SSID, and enforce a local configuration for that SSID. But it's not the role of EAP to "change the configuration".

Alan DeKok.
_______________________________________________
Emu mailing list
https://www.ietf.org/mailman/listinfo/emu
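The channel-binding comparison discussed in this message, sketched as an added example that is not part of the original thread or of any EAP implementation. It assumes the NAS reports the SSID to the AAA in Called-Station-Id using the RFC 3580 "AP-MAC:SSID" form and that the client's view of the SSID arrives over the EAP method's protected channel; the function names and the partner table are hypothetical.

```python
import re

# Constructed roaming table held by the home AAA: SSID -> (partner, USD per minute).
PARTNERS = {
    "partner-x": ("Partner X", 0.05),
    "partner-y": ("Partner Y", 5.00),
}

# RFC 3580 style Called-Station-Id for 802.11: upper-case MAC, "-" separated,
# then ":" and the SSID. The SSID itself may contain ":".
_CSID = re.compile(r"^(?:[0-9A-F]{2}-){5}[0-9A-F]{2}:(.+)$", re.S)


def ssid_from_called_station_id(csid):
    """Return the SSID the NAS reported to the AAA, or None if it sent none."""
    m = _CSID.match(csid)
    return m.group(1) if m else None


def check_binding(client_ssid, called_station_id):
    """Compare what the NAS told the client with what the NAS told the AAA.

    client_ssid is assumed to have been carried inside the protected EAP
    exchange, so the NAS could not rewrite it. Returns (accept, reason).
    """
    nas_ssid = ssid_from_called_station_id(called_station_id)
    if nas_ssid is None:
        return False, "NAS sent no SSID to bind against"
    if client_ssid != nas_ssid:
        # The NAS advertised one network to the user and another to the AAA.
        return False, f"mismatch: client saw {client_ssid!r}, AAA was told {nas_ssid!r}"
    if nas_ssid not in PARTNERS:
        return False, f"unknown network {nas_ssid!r}"
    name, rate = PARTNERS[nas_ssid]
    return True, f"{name} at ${rate:.2f}/minute"


if __name__ == "__main__":
    # Constructed inputs: the client was shown partner-x, the AAA was told partner-y.
    print(check_binding("partner-x", "00-10-A4-23-19-C0:partner-x"))
    print(check_binding("partner-x", "00-10-A4-23-19-C0:partner-y"))
```
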
