RE: kickstart and SSPP
Not sure what you mean by no flexibility in secret lookup?
> -----Original Message-----
> From: Nakhjiri Madjid-MNAKHJI1 [mailto:Madjid.Nakhjiri@motorola.com]
> Sent: Tuesday, December 16, 2003 3:32 PM
> To: 'Avi Lior'; Nakhjiri Madjid-MNAKHJI1; 'Nelson, David'
> Cc: radiusext@ops.ietf.org
> Subject: RE: kickstart and SSPP
>
>
> Thanks for the comments.
>
> Ok, so it seems that there is some flexibility as far as
> methods of representing NAS (its ID). But no flexibility in
> secret lookup (has to be done based on IP address and nothing else).
>
> Madjid
>
> -----Original Message-----
> From: Avi Lior [mailto:avi@bridgewatersystems.com]
> Sent: Tuesday, December 16, 2003 11:18 AM
> To: 'Nakhjiri Madjid-MNAKHJI1'; 'Nelson, David'
> Cc: radiusext@ops.ietf.org
> Subject: RE: kickstart and SSPP
>
>
> The home radius server may store the NAS ID and/or the NAS IP
> as well as other information.
>
> Remember that RADIUS is stateless so what is stored by RADIUS
> is highly dependent on the deployment or the use of the AAA.
>
> For example, if the home network wanted to issue a Disconnect
> Message or a Change of Authorization message (see RFC 3576)
> then it would need the NAS identity and user session
> identities in order to issue these messages.
>
> Hope this helps.
>
> > -----Original Message-----
> > From: Nakhjiri Madjid-MNAKHJI1 [mailto:Madjid.Nakhjiri@motorola.com]
> > Sent: Friday, December 12, 2003 5:07 PM
> > To: 'Nelson, David'; Nakhjiri Madjid-MNAKHJI1
> > Cc: radiusext@ops.ietf.org
> > Subject: RE: kickstart and SSPP
> >
> >
> > Hi Dave,
> >
> > Thank you for your answers.
> >
> > What types of ID does the NAS use (beside IP address) in the
> > NAS ID field? Would the RADIUS server then later store this
> > ID or the NAS IP address in its database? Also I am wondering
> > if the RADIUS server keeps any entry about the user's IP address?
> >
> > Thanks in advance,
> >
> > Madjid
> > P.S. It seems that the SSPP and kick start drafts have found
> > a new home in Enroll WG.
> >
> >
> > The NAS has a transitive trust relationship with the home
> > server, via the proxy server chain, but no direct trust
> > relationship. Each proxy server will generally validate the
> > NAS identity before forwarding a request. If you have a
> > "rogue" proxy in the chain, security problems will obviously exist.
> >
> > > > The NAS ID is that of the originating client, not the proxy.
> > >
> > > Madjid>>So are you saying the packet carries both an IP
> > > address (for the proxy or NAS) and a NAS ID for originating NAS?
> >
> > Yes. The packet's source IP address is in the IP header and
> > the NAS ID (or NAS IP Address) is in the packet payload. It
> > is the Source IP address from the IP header that is used to
> > look up the shared secret.
> >
> >
> > --
> > to unsubscribe send a message to
> > radiusext-request@ops.ietf.org with the word 'unsubscribe' in
> > a single line as the message text body.
> > archive: <http://psg.com/lists/radiusext/>
> >
>
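Added example (not code from the thread or from any RADIUS implementation): a receiver that does what Dave describes, choosing the shared secret by the packet's source IP address and only then reading NAS-Identifier and NAS-IP-Address out of the payload to verify the Message-Authenticator (RFC 2869 section 5.14). The secret table, addresses and packet contents are constructed for the example.

```python
import hmac, hashlib, struct, ipaddress

ACCESS_REQUEST = 1
NAS_IP_ADDRESS, NAS_IDENTIFIER, MESSAGE_AUTHENTICATOR = 4, 32, 80
# Constructed client table: keyed by the IP-header source address, never by payload attributes.
SECRETS = {"192.0.2.10": b"nas-shared-secret", "198.51.100.5": b"proxy-shared-secret"}

def tlv(t, v):
    """Encode one RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", t, len(v) + 2) + v

def build_access_request(ident, authenticator, attrs, secret):
    """Build an Access-Request whose Message-Authenticator is HMAC-MD5 over the packet with
    the attribute value zeroed (RFC 2869 5.14). A proxy re-signs with its own secret."""
    payload = b"".join(tlv(t, v) for t, v in attrs)
    length = 20 + len(payload) + 18
    hdr = struct.pack("!BBH", ACCESS_REQUEST, ident, length) + authenticator
    mac = hmac.new(secret, hdr + payload + tlv(MESSAGE_AUTHENTICATOR, bytes(16)), hashlib.md5).digest()
    return hdr + payload + tlv(MESSAGE_AUTHENTICATOR, mac)

def parse_attrs(pkt):
    """Yield (offset, type, value) for each attribute after the 20-byte header."""
    attrs, i = [], 20
    while i + 2 <= len(pkt):
        t, l = pkt[i], pkt[i + 1]
        if l < 2 or i + l > len(pkt):
            raise ValueError("malformed attribute")
        attrs.append((i, t, pkt[i + 2:i + l]))
        i += l
    return attrs

def verify_access_request(src_ip, pkt):
    """Return (ok, nas_id, nas_ip). The secret comes from src_ip (the IP header), as in the
    thread; NAS-Identifier / NAS-IP-Address are payload data and do not select the secret."""
    secret = SECRETS.get(src_ip)
    if secret is None or len(pkt) < 20:
        return False, None, None          # unknown client: RFC 2865 says silently discard
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt):
        return False, None, None
    nas_id = nas_ip = mac = None
    zeroed = bytearray(pkt)
    for off, t, v in parse_attrs(pkt):
        if t == MESSAGE_AUTHENTICATOR and len(v) == 16:
            mac, zeroed[off + 2:off + 18] = bytes(v), bytes(16)
        elif t == NAS_IDENTIFIER:
            nas_id = v.decode(errors="replace")
        elif t == NAS_IP_ADDRESS and len(v) == 4:
            nas_ip = str(ipaddress.IPv4Address(v))
    if mac is None:
        return False, nas_id, nas_ip      # no Message-Authenticator to check
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(mac, expected), nas_id, nas_ip
```

The same packet relayed by the proxy only verifies after the proxy re-signs it with the secret the home server holds for the proxy's address, while the payload's NAS-IP-Address still names the originating NAS.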