RE: Follow up on Authorize Only issue (was RE: [Isms] ISMS session
I probably did not make myself clear... or maybe I did and I am missing
When the NAS sends the Access-Request Auth-Only message I agree that it
MUST contain Message-Authenticator(80) etc...
What I meant is that it would be nice if there was a token or an
assertion that came from the place that did authenticate the user to
indicate in a cryptographic way that this user was authenticated.
The AAA server can use that token to verify that the user was
authenticated by an entity that it trusts. Like a Kerberos ticket.
> -----Original Message-----
> From: Glen Zorn (gwz) [mailto:email@example.com]
> Sent: Tuesday, July 25, 2006 3:47 PM
> To: Avi Lior; David Harrington; Eliot Lear
> Cc: firstname.lastname@example.org; email@example.com
> Subject: RE: Follow up on Authorize Only issue (was RE:
> [Isms] ISMS session
> Avi Lior <mailto:firstname.lastname@example.org> supposedly scribbled:
> > Hi,
> > If I was specifying how this is done:
> > It would be nice if the AAA client could return some sort of token to
> > the AAA server to assert that the user has been authenticated by an
> > entity that it trusts. The token can be generated by the
> > Authentication Server.
> > We need this assertion to make sure we deliver the correct profile.
> I disagree: the fact that the message is being sent by an
> authenticated client at all says that the user has been
> authenticated elsewhere. Note that safety requires the
> inclusion of a MAC (either the Message-Authenticator or
> preferably the Message-Authentication-Code Attribute) in the
> Hope this helps,
> Why is it that most of the world's problems can't be solved by simply
> listening to John Coltrane? -- Henry Gabriel
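Both messages above rest on the Message-Authenticator (attribute 80) protecting the Authorize-Only Access-Request. The following is an added example, not code from either poster, showing how an AAA server would compute and verify that attribute on a constructed Access-Request carrying Service-Type = Authorize Only; the shared secret and the packet contents are constructed placeholders.

```python
import hashlib
import hmac
import os

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_SERVICE_TYPE = 6
ATTR_MESSAGE_AUTHENTICATOR = 80
SERVICE_TYPE_AUTHORIZE_ONLY = 17  # Service-Type value for Authorize Only
SHARED_SECRET = b"example-shared-secret"  # constructed placeholder, not a real secret

def attr(attr_type, value):
    """Encode one RADIUS attribute: type(1) length(1) value."""
    return bytes([attr_type, len(value) + 2]) + value

def build_packet(code, identifier, authenticator, attrs):
    """Assemble a RADIUS packet: code, identifier, length, 16-byte authenticator, attributes."""
    body = b"".join(attrs)
    return bytes([code, identifier]) + (20 + len(body)).to_bytes(2, "big") + authenticator + body

def find_attr(packet, attr_type):
    """Walk the attribute list; return the offset of the first attribute of attr_type, or -1."""
    i = 20
    while i + 2 <= len(packet):
        cur_type, cur_len = packet[i], packet[i + 1]
        if cur_len < 2 or i + cur_len > len(packet):
            raise ValueError("malformed attribute length")
        if cur_type == attr_type:
            return i
        i += cur_len
    return -1

def compute_message_authenticator(packet, secret):
    """HMAC-MD5 over the whole request with the Message-Authenticator value set to 16 zero octets."""
    off = find_attr(packet, ATTR_MESSAGE_AUTHENTICATOR)
    if off < 0 or packet[off + 1] != 18:
        raise ValueError("Message-Authenticator attribute missing or malformed")
    zeroed = packet[: off + 2] + bytes(16) + packet[off + 18 :]
    return hmac.new(secret, zeroed, hashlib.md5).digest()

def build_authorize_only_request(identifier, secret, user_name=b"alice"):
    """Client side: Access-Request with Service-Type=Authorize Only and a filled-in Message-Authenticator."""
    attrs = [attr(ATTR_USER_NAME, user_name),
             attr(ATTR_SERVICE_TYPE, SERVICE_TYPE_AUTHORIZE_ONLY.to_bytes(4, "big")),
             attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))]  # placeholder, replaced below
    packet = build_packet(ACCESS_REQUEST, identifier, os.urandom(16), attrs)
    off = find_attr(packet, ATTR_MESSAGE_AUTHENTICATOR)
    return packet[: off + 2] + compute_message_authenticator(packet, secret) + packet[off + 18 :]

def verify_message_authenticator(packet, secret):
    """Server side: reject a request whose Message-Authenticator is absent or does not verify."""
    off = find_attr(packet, ATTR_MESSAGE_AUTHENTICATOR)
    if off < 0 or packet[off + 1] != 18:
        return False
    expected = compute_message_authenticator(packet, secret)
    return hmac.compare_digest(expected, packet[off + 2 : off + 18])
```

A request with the attribute absent, a tampered attribute, or a different shared secret fails verification, which is the check Glen's message says safety requires.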