RE: Follow up on Authorize Only issue (was RE: [Isms] ISMS session
Hi Hannes,
When I wrote the word "assertion" I was thinking a SAML assertion.
A word of caution though, every time I mention XML to my AAA developers
they conspire to kill me.
XML, parsing strings, etc. are performance killers for an AAA server.
> -----Original Message-----
> From: Hannes Tschofenig [mailto:Hannes.Tschofenig@gmx.net]
> Sent: Wednesday, July 26, 2006 4:55 AM
> To: Avi Lior
> Cc: Glen Zorn (gwz); David Harrington; Eliot Lear;
> isms@ietf.org; radiusext@ops.ietf.org
> Subject: Re: Follow up on Authorize Only issue (was RE:
> [Isms] ISMS session
>
> Hi Avi,
>
> I like the idea of using some information to tie the
> authentication and the authorization process/exchange
> together. In fact we discussed this at the last IETF meeting
> when David gave his presentation.
>
> I suggested to use an existing mechanism to accomplish this
> binding, namely SAML. I can elaborate a bit more about the
> details if someone cares about it.
>
> Ciao
> Hannes
>
> Avi Lior wrote:
> > I probably did not make myself clear... or maybe I did and I am
> > missing something.
> >
> > When the NAS sends the Access-Request Auth-Only message I agree that
> > it MUST contain Message-Authenticator(80) etc...
> >
> > What I meant is that it would be nice if there was a token or an
> > assertion that came from the place that did authenticate the user to
> > indicate in a cryptographic way that this user was authenticated.
> >
> > The AAA server can use that token to verify that the user was
> > authenticated by an entity that it trusts. Like a Kerberos ticket.
> >
> >
> >
> >
> >>-----Original Message-----
> >>From: Glen Zorn (gwz) [mailto:gwz@cisco.com]
> >>Sent: Tuesday, July 25, 2006 3:47 PM
> >>To: Avi Lior; David Harrington; Eliot Lear
> >>Cc: isms@ietf.org; radiusext@ops.ietf.org
> >>Subject: RE: Follow up on Authorize Only issue (was RE:
> >>[Isms] ISMS session
> >>
> >>Avi Lior <mailto:avi@bridgewatersystems.com> supposedly scribbled:
> >>
> >>
> >>>Hi,
> >>>
> >>>If I was specifying how this is done:
> >>>
> >>>It would be nice if the AAA client could return some sort of token to
> >>>the AAA server to assert that the user has been authenticated by an
> >>>entity that it trusts. The token can be generated by the
> >>>Authentication Server.
> >>>
> >>>We need this assertion to make sure we deliver the correct profile.
> >>
> >>I disagree: the fact that the message is being sent by an
> >>authenticated client at all says that the user has been authenticated
> >>elsewhere. Note that safety requires the inclusion of a MAC (either
> >>the Message-Authenticator or preferably the
> >>Message-Authentication-Code Attribute) in the Access-Request.
> >>
> >>Hope this helps,
> >>
> >>~gwz
> >>
> >>Why is it that most of the world's problems can't be solved by simply
> >>listening to John Coltrane? -- Henry Gabriel
> >>
> >
> >
> > --
> > to unsubscribe send a message to radiusext-request@ops.ietf.org with
> > the word 'unsubscribe' in a single line as the message text body.
> > archive: <http://psg.com/lists/radiusext/>
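An added worked example of the one point the thread agrees on: an Authorize-Only Access-Request must carry Message-Authenticator(80), which RFC 2869 defines as HMAC-MD5, keyed with the NAS/server shared secret, over the whole packet (Code, Identifier, Length, Request Authenticator, Attributes) with the attribute's own 16 value octets zeroed. This is not code from the thread or from any of its participants; the shared secret, identifier and user name are constructed sample values, and Service-Type 17 (Authorize Only) is the value registered by RFC 3576. Verifying the MAC proves the packet was built by a party holding the shared secret, which is the "authenticated client" Glen refers to; it says nothing about which entity authenticated the user, which is the gap Avi's token or assertion is meant to fill.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 2869, RFC 3576).
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_SERVICE_TYPE = 6
ATTR_MESSAGE_AUTHENTICATOR = 80
SERVICE_TYPE_AUTHORIZE_ONLY = 17  # "Authorize Only", registered by RFC 3576


def attribute(attr_type, value):
    """Encode one RADIUS TLV: Type (1 octet), Length (1 octet, counts the header too), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value longer than 253 octets")
    return bytes([attr_type, len(value) + 2]) + value


def build_authorize_only_request(secret, identifier, user_name, request_authenticator=None):
    """Build an Access-Request with Service-Type=Authorize-Only and a valid Message-Authenticator.

    Per RFC 2869 the MAC is HMAC-MD5(secret, Code|Identifier|Length|Request Authenticator|Attributes)
    computed with the Message-Authenticator value set to 16 zero octets, then filled in.
    """
    if request_authenticator is None:
        request_authenticator = os.urandom(16)  # Access-Request: fresh random nonce
    attrs = attribute(ATTR_USER_NAME, user_name.encode("utf-8"))
    attrs += attribute(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_AUTHORIZE_ONLY))
    mac_offset = 20 + len(attrs) + 2                           # where the 16 MAC octets will sit
    attrs += attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # placeholder zeros
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_authenticator
    packet = header + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:mac_offset] + mac + packet[mac_offset + 16:]


def iter_attributes(packet):
    """Yield (type, value, value_offset) for each TLV; raise ValueError on a malformed packet."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-octet RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        raise ValueError("RADIUS Length field does not match packet size")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        yield attr_type, packet[pos + 2:pos + attr_len], pos + 2
        pos += attr_len


def verify_message_authenticator(secret, packet):
    """True only if the packet carries exactly one Message-Authenticator that verifies under secret.

    A missing attribute fails closed: the Request Authenticator of an Access-Request is just a
    random value, so without attribute 80 nothing shows the sender knows the shared secret.
    """
    try:
        found = [(v, off) for t, v, off in iter_attributes(packet)
                 if t == ATTR_MESSAGE_AUTHENTICATOR]
    except ValueError:
        return False
    if len(found) != 1 or len(found[0][0]) != 16:
        return False
    received, off = found[0]
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)  # constant-time comparison


def is_authorize_only(packet):
    """True if the packet is an Access-Request whose Service-Type is Authorize-Only (17)."""
    if packet[0] != ACCESS_REQUEST:
        return False
    for t, v, _ in iter_attributes(packet):
        if t == ATTR_SERVICE_TYPE and len(v) == 4:
            return struct.unpack("!I", v)[0] == SERVICE_TYPE_AUTHORIZE_ONLY
    return False


if __name__ == "__main__":
    # Constructed sample: a NAS sharing the secret b"testing123" asks for alice's profile.
    secret = b"testing123"
    pkt = build_authorize_only_request(secret, 7, "alice@example.net")
    print("authorize-only request:", is_authorize_only(pkt))
    print("MAC valid under correct secret:", verify_message_authenticator(secret, pkt))
    print("MAC valid under wrong secret:", verify_message_authenticator(b"wrong", pkt))
```

The verifier rejects a request whose MAC is absent, duplicated, or computed under a different secret, and any edit to the attributes after the MAC was computed (for example to User-Name) also fails. The check binds the request to whoever holds the shared secret, not to the entity that authenticated the user, which is why it does not by itself settle the question the thread is arguing about.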