Re: alternatives for carrying eap lower layer information

[Jari Arkko <jari.arkko@piuha.net>]

Nelson, David wrote:
> Jari writes ...
>
>
> > Yes, that was my question. I can certainly see this happening,
> > but I'm uncertain if RFC 2868 is able to cope with it.
>
>
> I don't think it would.  Since service provisioning in RADIUS is a
> result of authentication (and authorization) I'm unsure how RADIUS would
> address the set-up of a tunnel that is pre-requisite to the
> authentication process.  That's what the incoming tunnel in this "two
> tunnel" scenario would be, right?

Well, RADIUS *is* helping to create the incoming tunnel too --
just think of IKEv2 EAP authentication in a situation where the
IKEv2 GW doesn't have the user database internally. Now, if
the GW is also doing some sort of mandatory tunneling for the
traffic, then we are in essence doing both at the same time.

Note: I do not have a good example why both tunnels would be
needed at the same time, but I'm sure the innovative service
providers or SDOs will come up with some network scenario where
they need this :-)

--Jari

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>