RE: [eap] RE: [Isms] RADIUS is not a trusted third party
Blumenthal, Uri <mailto:email@example.com> supposedly
> It was my understanding that while EAP is between the client
> (supplicant) and NAS, and RADIUS is between NAS and AAA, *EAP
> that runs on top of EAP is between the client and RADIUS server.
No. Can we just _get it_ once and for all? AAA & EAP are
_different_ and _separate_ things: there is no part of EAP that is
"between" the EAP peer and any AAA entity.
> This tunnel created by an EAP method can be considered as "trust
> between the client and AAA",
> and RADIUS between NAS and AAA (however it is
> accomplished) is "trust between NAS and AAA".
> And yes, many find it convenient to connect the authorization decision to
> some extra information about the supplicant - such as its posture
> evaluation (Cisco NAC, Microsoft NAP, etc). Such information would
> naturally be carried in TLVs as part of EAP inner method exchange.
Or more rationally (gasp!) in a subsequent _authorization_ protocol.
> Yes it seems to go way beyond the original purpose of EAP, but
> it does seem to address today's need.
If one has a sore toe, shooting oneself in the foot may seem to
satisfy "today's need"; in the long run, however, it will probably
turn out to be counterproductive.
> -----Original Message-----
> From: firstname.lastname@example.org
> On Behalf Of Bernard Aboba
> Sent: Monday, April 25, 2005 10:02 PM
> To: Glen Zorn (gwz)
> Cc: email@example.com; firstname.lastname@example.org; email@example.com
> Subject: RE: [eap] RE: [Isms] RADIUS is not a trusted third party
> Martin Soukup said:
>> The use of RADIUS itself without a defined extension such as
>> or EAP-PEAP over RADIUS cannot securely pass attributes between
>> entities. Note that the defined EAP-TLS (or other EAP mechanisms)
>> over RADIUS provides for secure attribute passing between
>> even through proxies.
> In response to which, Glen Zorn spake thusly:
>> I thought that I was passably familiar w/EAP-TLS (and even more so
>> w/PEAP), but I am completely unaware of such capabilities. Would
>> mind explaining how this is achieved, given that RADIUS & EAP are
>> completely different protocols?
> I also was unaware of the ability of EAP-TLS to transmit RADIUS
> attributes between the EAP peer and server. I had always thought
> RADIUS was a protocol only spoken between a NAS and a RADIUS
> and that EAP-TLS didn't support transmission of TLVs. But I guess
> this is a somewhat old fashioned point of view.
> Perhaps this is referring to EAP-TLS "extended" via the following?
Hope this helps,
Why is it that most of the world's problems can't be solved by
listening to John Coltrane? -- Henry Gabriel