Vijay Devarapalli writes:
> My proposal is to limit the REDIRECT payload to appear in message #4 (in
> the first IKE_AUTH response), based on the identity presented by the
> client. And leave EAP scenarios out of scope for this document.

If others feel this is needed, I am willing to accept that solution, as it should still be a fixed, defined location, which means testing it will be simpler.

> If someone wants the AAA server to redirect the client based on the
> EAP exchange, a separate document could be written. And this
> document can specify that the REDIRECT message can be sent in
> message 10.

In this case I would rather propose doing the IKE_AUTH exchange completely and then using the INFORMATIONAL exchange to redirect the client, i.e. if REDIRECT is allowed in IKE_AUTH, only allow it in the first response IKE_AUTH packet of the exchange, and nowhere else.

-- 
[email protected]
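The placement rule the two messages argue over, written out as an added example (not code from the thread or from any IKEv2 implementation): a check over a constructed IKEv2 message run that flags any N(REDIRECT) outside the first IKE_AUTH response (message #4) or, optionally, an INFORMATIONAL exchange run after IKE_AUTH has completed, so that a redirect in "message 10" of an EAP run is reported. Exchange and payload names are plain strings and the 12-message EAP run is constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class IkeMessage:
    exchange: str         # "IKE_SA_INIT", "IKE_AUTH" or "INFORMATIONAL"
    message_id: int       # IKEv2 Message ID: 0 for IKE_SA_INIT, 1 for the first IKE_AUTH pair
    is_response: bool     # R bit of the IKE header
    payloads: tuple = ()  # payload names, e.g. "AUTH", "EAP", "N(REDIRECT)" (constructed model)

def redirect_placement_violations(msgs, allow_informational=True):
    """Return [(ordinal, reason)] for each N(REDIRECT) outside the first IKE_AUTH
    response or (if allow_informational) an INFORMATIONAL exchange after IKE_AUTH completed."""
    violations = []
    first_auth_response_seen = False
    auth_completed = False
    last_request = ()
    for ordinal, m in enumerate(msgs, start=1):
        first_auth_response = (m.exchange == "IKE_AUTH" and m.is_response
                               and not first_auth_response_seen)
        if "N(REDIRECT)" in m.payloads:
            allowed = first_auth_response or (
                allow_informational and auth_completed and m.exchange == "INFORMATIONAL")
            if not allowed:
                kind = "response" if m.is_response else "request"
                violations.append(
                    (ordinal, f"REDIRECT in {m.exchange} {kind}, Message ID {m.message_id}"))
        if first_auth_response:
            first_auth_response_seen = True
        if not m.is_response:
            last_request = m.payloads
        elif m.exchange == "IKE_AUTH" and "AUTH" in m.payloads and "AUTH" in last_request:
            # IKE_AUTH is complete once a response answers a request carrying AUTH;
            # with EAP the initiator's AUTH only arrives in the last IKE_AUTH request.
            auth_completed = True
    return violations

def eap_run(redirect_at=0):
    """Constructed run: IKE_SA_INIT, a two-round EAP IKE_AUTH (messages 3-10), one
    INFORMATIONAL pair; N(REDIRECT) is attached to message number `redirect_at`."""
    spec = [("IKE_SA_INIT", 0, False, ("SA", "KE", "Ni")),
            ("IKE_SA_INIT", 0, True, ("SA", "KE", "Nr")),
            ("IKE_AUTH", 1, False, ("IDi", "SA", "TSi", "TSr")),  # no AUTH: EAP requested
            ("IKE_AUTH", 1, True, ("IDr", "AUTH", "EAP")),        # message #4
            ("IKE_AUTH", 2, False, ("EAP",)), ("IKE_AUTH", 2, True, ("EAP",)),
            ("IKE_AUTH", 3, False, ("EAP",)), ("IKE_AUTH", 3, True, ("EAP",)),
            ("IKE_AUTH", 4, False, ("AUTH",)),
            ("IKE_AUTH", 4, True, ("AUTH", "SA", "TSi", "TSr")),  # message #10
            ("INFORMATIONAL", 5, False, ()), ("INFORMATIONAL", 5, True, ())]
    return [IkeMessage(ex, mid, resp, pl + (("N(REDIRECT)",) if n == redirect_at else ()))
            for n, (ex, mid, resp, pl) in enumerate(spec, start=1)]
```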
