
RE: [eap] RE: [Isms] RADIUS is not a trusted third party



Blumenthal, Uri <mailto:uri.blumenthal@intel.com> supposedly
scribbled:

>>> "EAP server" is what "eap peer" and "aaa" share.
>> 
>> An EAP server can exist on the authenticator when there is no AAA
>> server present.  It is a distinct entity from the EAP peer.  It is
>> not "shared" between the EAP peer and AAA server.
> 
> In theory EAP server is a distinct entity and can be anywhere, in
> practice it's a part of AAA most of the time. Why are we arguing
> about this?  

I thought we were talking about architecture; and further,
discussing components which might or might not be utilized in that
architecture.  Maybe it's just me, but I think that it's a good idea
to understand how those components actually work (as opposed to how
we might wish or imagine they work, or the direction in which
marketeers might be pushing them).  If a building architect thought
that a brick was part of a girder, he would design a pretty strange
building, and misconceptions in networking can easily lead to
similar results.  For example, there was a recent thread on a
different list in which someone was worried about security problems
if a 4th party (!) was introduced into an EAP conversation.  There
are not 3 or 4 or 17 parties in an EAP exchange, there are exactly
2; there are also (logically) 2 parties in a RADIUS exchange, and
those sets are disjoint.

Hope this helps,

~gwz

Why is it that most of the world's problems can't be solved by simply
  listening to John Coltrane? -- Henry Gabriel

--
archive: <http://psg.com/lists/radiusext/>