[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: alternatives for carrying eap lower layer information



Nelson, David wrote:
Jari writes ...


Yes, that was my question. I can certainly see this happening,
but I'm uncertain if RFC 2868 is able to cope with it.


I don't think it would.  Since service provisioning in RADIUS is a
result of authentication (and authorization) I'm unsure how RADIUS would
address the set-up of a tunnel that is pre-requisite to the
authentication process.  That's what the incoming tunnel in this "two
tunnel" scenario would be, right?

Well, RADIUS *is* helping to create the incoming tunnel too -- just think of IKEv2 EAP authentication in a situation where the IKEv2 GW doesn't have the user database internally. Now, if the GW is also doing some sort of mandatory tunneling for the traffic, then we are in essence doing both at the same time.

Note: I do not have a good example why both tunnels would be
needed at the same time, but I'm sure the innovative service
providers or SDOs will come up with some network scenario where
they need this :-)

--Jari

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>