
Re: draft-ietf-radext-digest-auth06.txt Digest MD5-sess



Henrik Nordstrom <henrik@henriknordstrom.net> wrote:
> Has there been any thought of allowing RADIUS to be used for session-based 
> MD5-sess authentication, where processing of further authentication within 
> the same session is carried out by the RADIUS client (i.e. HTTP 
> server/proxy) rather than the RADIUS server?

  Not really.  The discussion surrounding the Digest-HA1 attribute was
about solving a different problem.

  http://www.drizzle.com/~aboba/RADEXT/.  See the discussion in "Issue
8: Rspauth generation...".

> This is quite interesting in HTTP applications, where many requests 
> can be seen within the same session and at a relatively high rate (i.e. 
> thousands of requests/second, for an active end-user population of a few 
> thousand). Having the bulk of the authentication verifications carried 
> out in the RADIUS client (HTTP server/proxy) can significantly reduce the 
> load on the RADIUS server and greatly improve the request latency 
> (quality) of the service provided.

  I don't think there's any objection to that point.  The objection is
elsewhere, to the change in the security model of RADIUS.

  RADIUS is intended to have the RADIUS server perform authentication.
If the RADIUS client caches information and "short-circuits"
subsequent authentication requests from the user, then I would say
that such behavior is outside of the scope of the RADIUS standards.
Implementations may choose to do what they want, but the standards
should follow design goals and best practices.

  Alan DeKok.
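The exchange the two messages above are arguing about, as an added example that is not code from either author or from the draft: the HTTP proxy asks the RADIUS server once for the MD5-sess session H(A1) (the quantity the Digest-HA1 attribute carries), caches it, and verifies every further request in the same nonce/cnonce session locally, without going back to RADIUS. The H(A1)/H(A2)/response arithmetic is the MD5-sess scheme from RFC 2617; the RADIUS server is a stand-in function in the same process, the user and password are constructed, and a nonce-count check is included so that a replayed request within the session is refused.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


# Constructed credentials. Only the RADIUS server (below) ever sees the password.
USER_DB = {("alice", "example.org"): "correct horse"}


def radius_digest_ha1(username, realm, nonce, cnonce):
    """Stand-in for the RADIUS server answering with Digest-HA1 (assumption:
    an in-process function replaces the Access-Request/Access-Accept round trip).
    For MD5-sess, RFC 2617 defines the session key as
    H(H(user:realm:password):nonce:cnonce). Returns None for an unknown user."""
    password = USER_DB.get((username, realm))
    if password is None:
        return None
    return md5_hex(md5_hex(f"{username}:{realm}:{password}") + f":{nonce}:{cnonce}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 request-digest with qop=auth: H(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


@dataclass
class ProxyVerifier:
    """The RADIUS client (HTTP server/proxy). It calls RADIUS only when it has no
    cached H(A1) for the (user, realm, nonce, cnonce) session."""
    radius_calls: int = 0
    sessions: dict = field(default_factory=dict)  # key -> [ha1, highest nc seen]

    def verify(self, auth: dict) -> bool:
        key = (auth["username"], auth["realm"], auth["nonce"], auth["cnonce"])
        entry = self.sessions.get(key)
        if entry is None:
            self.radius_calls += 1
            ha1 = radius_digest_ha1(auth["username"], auth["realm"],
                                    auth["nonce"], auth["cnonce"])
            if ha1 is None:
                return False
            entry = [ha1, 0]
        ha1, last_nc = entry
        nc = int(auth["nc"], 16)
        if nc <= last_nc:
            return False  # nonce count did not advance: replayed or reordered request
        expected = digest_response(ha1, auth["method"], auth["uri"], auth["nonce"],
                                   auth["nc"], auth["cnonce"], auth["qop"])
        if not hmac.compare_digest(expected, auth["response"]):
            return False  # do not cache on failure; a bad password retries RADIUS
        entry[1] = nc
        self.sessions[key] = entry
        return True


def user_agent_requests(username, realm, password, nonce, cnonce, count):
    """Constructed browser side: one MD5-sess session, nc incrementing per request."""
    ha1 = md5_hex(md5_hex(f"{username}:{realm}:{password}") + f":{nonce}:{cnonce}")
    reqs = []
    for i in range(1, count + 1):
        nc, uri = f"{i:08x}", f"/item/{i}"
        reqs.append({"username": username, "realm": realm, "nonce": nonce,
                     "cnonce": cnonce, "nc": nc, "qop": "auth", "method": "GET",
                     "uri": uri,
                     "response": digest_response(ha1, "GET", uri, nonce, nc, cnonce)})
    return reqs


def run_session(count=5):
    """Returns (per-request results, result of replaying the last request,
    number of RADIUS round trips the proxy needed)."""
    proxy = ProxyVerifier()
    reqs = user_agent_requests("alice", "example.org", "correct horse",
                               "srv-nonce-1", "cli-nonce-1", count)
    results = [proxy.verify(r) for r in reqs]
    replayed = proxy.verify(reqs[-1])
    return results, replayed, proxy.radius_calls


if __name__ == "__main__":
    print(run_session(5))  # ([True, True, True, True, True], False, 1)
```

The count returned by run_session is the whole of Henrik's point: one RADIUS round trip for the session instead of one per request. It is also exactly the short-circuit Alan describes as outside the RADIUS standards: after the first request the RADIUS server is never consulted, so any per-request policy it would otherwise apply (revocation, accounting, rate limits) is no longer in its hands but in the proxy's cache.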

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>