
RE: kickstart and SSPP



Thanks for the comments.

OK, so it seems that there is some flexibility as far as methods
of representing the NAS (its ID), but no flexibility in secret lookup
(it has to be done based on the IP address and nothing else).

Madjid

-----Original Message-----
From: Avi Lior [mailto:avi@bridgewatersystems.com]
Sent: Tuesday, December 16, 2003 11:18 AM
To: 'Nakhjiri Madjid-MNAKHJI1'; 'Nelson, David'
Cc: radiusext@ops.ietf.org
Subject: RE: kickstart and SSPP


The home radius server may store the NAS ID and/or the NAS IP as well as
other information.

Remember that RADIUS is stateless, so what is stored by RADIUS is highly
dependent on the deployment or the use of the AAA.

For example, if the home network wanted to issue a Disconnect Message or a
Change of Authorization message (see RFC 3576) then it would need the NAS
identity and user session identities in order to issue these messages.

Hope this helps.

> -----Original Message-----
> From: Nakhjiri Madjid-MNAKHJI1 [mailto:Madjid.Nakhjiri@motorola.com] 
> Sent: Friday, December 12, 2003 5:07 PM
> To: 'Nelson, David'; Nakhjiri Madjid-MNAKHJI1
> Cc: radiusext@ops.ietf.org
> Subject: RE: kickstart and SSPP
> 
> 
> Hi Dave,
> 
> Thank you for your answers. 
> 
> What types of ID does the NAS use (beside IP address) in the 
> NAS ID field? Would the RADIUS server then later store this 
> ID or the NAS IP address in its database? Also I am wondering 
> if the RADIUS server keeps any entry about the user's IP address?
> 
> Thanks in advance,
> 
> Madjid
> P.S. It seems that the SSPP and kick start drafts have found 
> a new home in Enroll WG.
> 
> 
> The NAS has a transitive trust relationship with the home 
> server, via the proxy server chain, but no direct trust 
> relationship.  Each proxy server will generally validate the 
> NAS identity before forwarding a request.  If you have a 
> "rogue" proxy in the chain, security problems will obviously exist.
> 
> > > The NAS ID is that of the originating client, not the proxy.
> > 
> > Madjid>>So are you saying the packet carries both an IP address (for the
> > proxy or NAS) and a NAS ID for the originating NAS?
> 
> Yes.  The packet's source IP address is in the IP header and 
> the NAS ID (or NAS IP Address) is in the packet payload.  It 
> is the Source IP address from the IP header that is used to 
> look up the shared secret.
> 
> 
> --
> to unsubscribe send a message to 
> radiusext-request@ops.ietf.org with the word 'unsubscribe' in 
> a single line as the message text body.
> archive: <http://psg.com/lists/radiusext/>
> 
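The lookup rule described in the quoted exchange (the shared secret is chosen by the IP header's source address, while NAS-IP-Address and NAS-Identifier only travel in the payload) as a worked example. This is added illustration code, not from the thread or any RADIUS implementation; the secret table, addresses and packet contents are constructed, and Message-Authenticator is used as the integrity check because it covers the attributes.

```python
import hashlib
import hmac
import socket
import struct

# Constructed sample table: shared secrets keyed by the UDP datagram's source IP,
# as the thread describes. Addresses and secrets are made up for this example.
SECRETS_BY_SOURCE_IP = {"192.0.2.10": b"nas10-secret", "192.0.2.20": b"nas20-secret"}
ACCESS_REQUEST = 1
ATTR_NAS_IP_ADDRESS, ATTR_NAS_IDENTIFIER, ATTR_MESSAGE_AUTHENTICATOR = 4, 32, 80

def build_access_request(secret, nas_ip, nas_id, authenticator):
    """NAS side: Access-Request whose Message-Authenticator is HMAC-MD5 over the packet."""
    attrs = struct.pack("!BB4s", ATTR_NAS_IP_ADDRESS, 6, socket.inet_aton(nas_ip))
    attrs += struct.pack("!BB", ATTR_NAS_IDENTIFIER, 2 + len(nas_id)) + nas_id
    ma_off = 20 + len(attrs) + 2  # offset of the 16-byte HMAC value
    attrs += struct.pack("!BB16s", ATTR_MESSAGE_AUTHENTICATOR, 18, b"\x00" * 16)
    pkt = struct.pack("!BBH16s", ACCESS_REQUEST, 1, 20 + len(attrs), authenticator) + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()  # computed with the MA value zeroed
    return pkt[:ma_off] + mac + pkt[ma_off + 16:]

def parse_attrs(pkt):
    """Return {type: value} and the offset of the Message-Authenticator value."""
    attrs, pos, ma_off = {}, 20, None
    while pos + 2 <= len(pkt):
        t, length = pkt[pos], pkt[pos + 1]
        if length < 2 or pos + length > len(pkt):
            raise ValueError("malformed attribute")
        attrs[t] = pkt[pos + 2:pos + length]
        if t == ATTR_MESSAGE_AUTHENTICATOR:
            ma_off = pos + 2
        pos += length
    return attrs, ma_off

def authenticate_request(source_ip, pkt):
    """Server side: secret chosen by the IP header's source address, never by payload NAS fields."""
    secret = SECRETS_BY_SOURCE_IP.get(source_ip)
    if secret is None:
        return "reject: unknown source IP"
    attrs, ma_off = parse_attrs(pkt)
    if ma_off is None:
        return "reject: no Message-Authenticator"
    zeroed = pkt[:ma_off] + b"\x00" * 16 + pkt[ma_off + 16:]
    if not hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(),
                               pkt[ma_off:ma_off + 16]):
        return "reject: bad Message-Authenticator"
    # NAS-IP-Address / NAS-Identifier name the originating NAS (possibly behind a proxy).
    nas_ip = socket.inet_ntoa(attrs.get(ATTR_NAS_IP_ADDRESS, b"\x00" * 4))
    nas_id = attrs.get(ATTR_NAS_IDENTIFIER, b"").decode(errors="replace")
    return "accept: NAS-IP-Address=%s NAS-Identifier=%s" % (nas_ip, nas_id)
```

A request whose payload names a different NAS still verifies under the secret of the address it actually came from, which is why a proxied request carries the proxy's source address but the originating NAS in the attributes.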