Re: [IPsec] Fwd: Issue : Regarding EAP identity

Tue, 02 Feb 2010 21:52:46 -0800 

The authenticated identity needs to be sent by the AAA server to the IKE 
responder in some cases only. For example, in EAP-SIM/AKA people often use 
“temporary” (anonymized) identities in IDi. But in other cases, like 
EAP-MSCHAPv2 or (God forbid!) EAP-GTC, there’s no need for a separate 
“authenticated identity”. In these cases the IKE responder should simply use 
the original IDi for policy lookup.

Thanks,
                Yaron

From: [email protected] [mailto:[email protected]] On Behalf Of Raj 
Singh
Sent: Wednesday, February 03, 2010 7:45
To: ipsec
Subject: [IPsec] Fwd: Issue : Regarding EAP identity

Hi Paul, Ticket Issue#174 opened for it. Regards, Raj
---------- Forwarded message ----------
From: Paul Hoffman <[email protected]<mailto:[email protected]>>
Date: Wed, Feb 3, 2010 at 9:41 AM
Subject: Re: Issue : Regarding EAP identity
To: Raj Singh <[email protected]<mailto:[email protected]>>
Cc: Yaron Sheffer <[email protected]<mailto:[email protected]>>

At 9:09 AM +0530 2/3/10, Raj Singh wrote:
Hi Paul,

In ikev2bis07
  ----- ikev2-bis-07 section 2.16, last paragraph 
-------------------------------------------
 When the initiator authentication uses EAP, it is possible that the
 contents of the IDi payload is used only for AAA routing purposes and
 selecting which EAP method to use.  This value may be different from
 the identity authenticated by the EAP method.  It is important that
 policy lookups and access control decisions use the actual
 authenticated identity.  Often the EAP server is implemented in a
 separate AAA server that communicates with the IKEv2 responder.  In
 this case, the authenticated identity has to be sent from the AAA
 server to the IKEv2 responder.
---------------------------------------------------------------------------------------------------------------
It says the autheticated EAP identity "has to" be send from AAA server, our 
iterpretation is "has to" is obvious MUST.

I believe that is correct.
If AAA doesn't send the authenticated EAP identity, what should be the behavior?

I would assume "everything stops"

Also, what if AAA server EAP server is not AAA server?

Good question.
Can i open a ticket for it?

Yes, please!

--Paul Hoffman, Director
--VPN Consortium


_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec

Reply via email to