RE: Follow up on Authorize Only issue (was RE: [Isms] ISMS session
- To: "Avi Lior" <avi@bridgewatersystems.com>, "David Harrington" <ietfdbh@comcast.net>, "Eliot Lear" <lear@cisco.com>
- Subject: RE: Follow up on Authorize Only issue (was RE: [Isms] ISMS session
- From: "Glen Zorn \(gwz\)" <gwz@cisco.com>
- Date: Tue, 25 Jul 2006 12:46:42 -0700
- Cc: <isms@ietf.org>, <radiusext@ops.ietf.org>
Avi Lior <mailto:avi@bridgewatersystems.com> supposedly scribbled:
> Hi,
>
> If I was specifying how this is done:
>
> It would be nice if the AAA client could return some sort of token to
> the AAA server to assert that the user has been authenticated by an
> entity that it trusts. The token can be generated by the
> Authentication Server.
>
> We need this assertion to make sure we deliver the correct profile.
I disagree: the fact that the message is being sent by an authenticated client at all says that the user has been authenticated elsewhere. Note that safety requires the inclusion of a MAC (either the Message-Authenticator or preferably the Message-Authentication-Code Attribute) in the Access-Request.
Hope this helps,
~gwz
Why is it that most of the world's problems can't be solved by simply
listening to John Coltrane? -- Henry Gabriel
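The reply above turns on the point that an Access-Request is only trustworthy as an assertion of "the client authenticated this user" if the request itself carries a MAC keyed with the shared secret. The following is an added example, not code from this thread or from any RADIUS implementation, showing how the Message-Authenticator attribute (type 80, RFC 2869 section 5.14) is computed by a client and verified by a server: HMAC-MD5 keyed with the shared secret over the whole packet, with the attribute's own 16-octet value zeroed during the computation. The shared secret, Request Authenticator and User-Name values are constructed for the example; the Message-Authentication-Code attribute mentioned in the message is not implemented here.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 2869, section 5.14
RADIUS_HEADER_LEN = 20           # Code(1) Identifier(1) Length(2) Authenticator(16)


def encode_attr(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value (length covers all three)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(identifier, request_authenticator, secret, attrs):
    """Build an Access-Request carrying a Message-Authenticator over all attributes.

    attrs: list of (type, value) pairs, excluding Message-Authenticator.
    The MAC is HMAC-MD5(secret, packet) with the MAC value set to 16 zero octets.
    """
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    body += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # placeholder, last attribute
    length = RADIUS_HEADER_LEN + len(body)
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + request_authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    # The placeholder is the final 16 octets of the packet; replace it with the real MAC.
    return packet[:-16] + mac


def verify_message_authenticator(packet, secret):
    """Return True only if the packet parses cleanly and its Message-Authenticator verifies.

    A packet with no Message-Authenticator, a malformed one, or a MAC that does not
    match is rejected; a server relying on the 'client authenticated the user'
    assertion should treat such a request as unauthenticated.
    """
    if len(packet) < RADIUS_HEADER_LEN:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    offset = RADIUS_HEADER_LEN
    mac_offset = None
    while offset + 2 <= length:
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > length:
            return False  # truncated or malformed attribute
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if attr_len != 18 or mac_offset is not None:
                return False  # wrong size or duplicate attribute
            mac_offset = offset + 2
        offset += attr_len
    if offset != length or mac_offset is None:
        return False
    received = packet[mac_offset:mac_offset + 16]
    zeroed = packet[:mac_offset] + b"\x00" * 16 + packet[mac_offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


# Constructed sample values; a real client uses a random Request Authenticator.
SECRET = b"constructed-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))
SAMPLE_REQUEST = build_access_request(7, REQUEST_AUTHENTICATOR, SECRET,
                                      [(ATTR_USER_NAME, b"alice")])


def tampered_request():
    """Same request with one User-Name octet flipped after the MAC was computed."""
    altered = bytearray(SAMPLE_REQUEST)
    altered[RADIUS_HEADER_LEN + 2] ^= 0x01  # first octet of the User-Name value
    return bytes(altered)


def unsigned_request():
    """An Access-Request that omits Message-Authenticator entirely."""
    body = encode_attr(ATTR_USER_NAME, b"alice")
    return (struct.pack("!BBH", ACCESS_REQUEST, 7, RADIUS_HEADER_LEN + len(body))
            + REQUEST_AUTHENTICATOR + body)


if __name__ == "__main__":
    print("genuine :", verify_message_authenticator(SAMPLE_REQUEST, SECRET))
    print("tampered:", verify_message_authenticator(tampered_request(), SECRET))
    print("unsigned:", verify_message_authenticator(unsigned_request(), SECRET))
```

The verifier deliberately refuses a request that simply lacks the attribute rather than falling back to the Request Authenticator alone, which is the behaviour the reply is asking for: without the keyed MAC there is nothing binding the attributes of an Access-Request to a client that holds the shared secret.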