RE: [eap] RE: [Isms] RADIUS is not a trusted third party



> The use of RADIUS itself without a defined extension such as EAP-TLS or EAP-PEAP over RADIUS cannot securely pass attributes between entities. Note that the defined EAP-TLS (or other EAP mechanisms) over RADIUS provides for secure attribute passing between entities even through proxies.

I thought that I was passingly familiar w/EAP-TLS (and even more so w/PEAP), but I am completely unaware of such capabilities.  Would you mind explaining how this is achieved, given that RADIUS & EAP are completely different protocols?

Martin.

> -----Original Message-----
> From: isms-bounces@lists.ietf.org
> [mailto:isms-bounces@lists.ietf.org] On Behalf Of Thierry Moreau
> Sent: April 22, 2005 1:56 PM
> To: Bernard Aboba
> Cc: radiusext@ops.ietf.org; isms@ietf.org; eap@frascone.com
> Subject: Re: [eap] RE: [Isms] RADIUS is not a trusted third party
>
>
> Thanks for these explanations.
>
> See comments in-line below.
>
>
>
> Bernard Aboba wrote:
>
> [... explanations about end-to-end (NAS to server) and current RADIUS
> protocols ...]
>
> >
> > Are you proposing creating a new RADIUS security model that would only
> > be used by ISMS?  That seems like a lot of work for little overall
> > benefit to the RADIUS community.
> >
>
> I did assume that an implementation-specific attribute to the RADIUS
> Access-Accept packet would pass unmodified through a RADIUS proxy, which
> in fact is a matter of proxy policy (RFC 2865, section 2.3). With this
> erroneous assumption, I thought I was proposing an
> implementation-specific use of existing RADIUS protocol facility. I did
> not expect any "benefit to the RADIUS community".
>
> >
> >
> > Rather than designing a new version of RADIUS to meet its needs, it
> > seems more profitable for ISMS to either figure out how to use the
> > protocol as it exists today, or to summarize its requirements for new
> > work and ask that it be chartered outside of ISMS.
> >
>
> Point well taken. I just looked at RFC 3576, abstract reproduced below
>
>     "This document describes a currently deployed extension to the Remote
>     Authentication Dial In User Service (RADIUS) protocol, allowing
>     dynamic changes to a user session, as implemented by network access
>     server products.  This includes support for disconnecting users and
>     changing authorizations applicable to a user session."
>
> Unfortunately, the security section of RFC 3576 raises a number of
> concerns. E.g. the following sentence: "It is RECOMMENDED that IPsec be
> employed to afford better security."
>
> Again, thanks for your comments.
>
> --
>
> - Thierry Moreau
>
> CONNOTECH Experts-conseils inc.
> 9130 Place de Montgolfier
> Montreal, Qc
> Canada   H2M 2A1
>
> Tel.: (514)385-5691
> Fax:  (514)385-5900
>
> web site: http://www.connotech.com
> e-mail: thierry.moreau@connotech.com
>
>
> _______________________________________________
> Isms mailing list
> Isms@lists.ietf.org
> https://www1.ietf.org/mailman/listinfo/isms
>
>
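The proxy behaviour Thierry refers to (an attribute surviving a RADIUS proxy being a matter of proxy policy, RFC 2865 section 2.3) can be shown in working code. What follows is an added example and not code from any participant in this thread: it implements the RFC 2865 Response Authenticator and the RFC 3579 Message-Authenticator, then has a proxy hop verify a home server's Access-Accept with its upstream secret, rewrite Filter-Id, and re-sign the packet for the NAS with the downstream secret. The NAS check passes, because both authenticators bind the packet only to the adjacent hop. The shared secrets, attribute values and packet identifier are constructed for the example; `rewriting_proxy` and `demo` are names chosen here, not anything from the RFCs.

```python
"""Hop-by-hop RADIUS response authentication and a rewriting proxy.

Constructed demonstration (not from the thread): secrets, attribute
values and identifiers below are invented for the example.
"""
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1           # RFC 2865 section 5.1
ATTR_FILTER_ID = 11          # RFC 2865 section 5.11
ATTR_MSG_AUTHENTICATOR = 80  # RFC 3579 section 3.2
HEADER_LEN = 20              # Code(1) Identifier(1) Length(2) Authenticator(16)


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RFC 2865 TLVs: Type(1) Length(1) Value."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_response(code, ident, request_auth, attrs, secret):
    """Build a RADIUS response authenticated to ONE peer: the holder of `secret`."""
    # RFC 3579 3.2: for responses, Message-Authenticator = HMAC-MD5 over the
    # packet with the Request Authenticator in the header and the attribute zeroed.
    body = encode_attrs(attrs + [(ATTR_MSG_AUTHENTICATOR, bytes(16))])
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
    body = encode_attrs(attrs + [(ATTR_MSG_AUTHENTICATOR, mac)])
    # RFC 2865 section 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(pkt, request_auth, secret):
    """Check both authenticators exactly as the receiving hop would."""
    if len(pkt) < HEADER_LEN or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    header, resp_auth, body = pkt[:4], pkt[4:20], pkt[20:]
    expected_resp = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(resp_auth, expected_resp):
        return False
    attrs = decode_attrs(body)
    macs = [v for t, v in attrs if t == ATTR_MSG_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        return False
    zeroed = encode_attrs([(t, bytes(16) if t == ATTR_MSG_AUTHENTICATOR else v)
                           for t, v in attrs])
    expected_mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(macs[0], expected_mac)


def get_attr(pkt, attr_type):
    for t, v in decode_attrs(pkt[HEADER_LEN:]):
        if t == attr_type:
            return v
    return None


def rewriting_proxy(pkt, upstream_req_auth, downstream_req_auth,
                    upstream_secret, downstream_secret, new_filter):
    """Proxy hop: verify with the home-server secret, rewrite Filter-Id, and
    re-sign for the NAS. Nothing in the packet lets the NAS notice the rewrite."""
    if not verify_response(pkt, upstream_req_auth, upstream_secret):
        raise ValueError("upstream authenticator check failed")
    attrs = [(t, new_filter if t == ATTR_FILTER_ID else v)
             for t, v in decode_attrs(pkt[HEADER_LEN:]) if t != ATTR_MSG_AUTHENTICATOR]
    return build_response(pkt[0], pkt[1], downstream_req_auth, attrs, downstream_secret)


def demo():
    """Returns (nas_accepts_packet, filter_id_as_seen_by_nas)."""
    nas_proxy_secret = b"nas-proxy-secret"      # constructed
    proxy_home_secret = b"proxy-home-secret"    # constructed
    nas_req_auth = os.urandom(16)    # Request Authenticator on the NAS<->proxy leg
    proxy_req_auth = os.urandom(16)  # the proxy's own on the proxy<->home leg
    home_accept = build_response(ACCESS_ACCEPT, 7, proxy_req_auth,
                                 [(ATTR_USER_NAME, b"alice"), (ATTR_FILTER_ID, b"restricted")],
                                 proxy_home_secret)
    forwarded = rewriting_proxy(home_accept, proxy_req_auth, nas_req_auth,
                                proxy_home_secret, nas_proxy_secret, b"unrestricted")
    return verify_response(forwarded, nas_req_auth, nas_proxy_secret), get_attr(forwarded, ATTR_FILTER_ID)


if __name__ == "__main__":
    print(demo())
```

The run ends with the NAS holding a packet whose Response Authenticator and Message-Authenticator both verify, yet whose Filter-Id is not what the home server sent. Flipping any byte without the adjacent hop's secret does fail verification, which is all the two authenticators promise: per-hop integrity, with every proxy trusted to apply its own policy to the attributes in between.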