
RE: Scope of applicability for CUI



Hi,

In EAP and in other cases the Authentication Server may be different than
the Authorization Server.  RADIUS allows for that.

But the final Access-Accept carries the authorization attributes; these are
provided by some AAA entity in the network that knows the identity of the
user -- because it provides authorization attributes for the user.  That's
when CUI will typically be set.  It may be set by the Authentication
Server as well.

> -----Original Message-----
> From: Jari Arkko [mailto:jari.arkko@piuha.net] 
> Sent: Saturday, December 18, 2004 4:21 AM
> To: Nakhjiri Madjid-MNAKHJI1
> Cc: 'Avi Lior'; 'Nelson, David'; radiusext@ops.ietf.org
> Subject: Re: Scope of applicability for CUI
> 
> 
> Nakhjiri Madjid-MNAKHJI1 wrote:
> > Hi Avi,
> > 
> > I agree with most of what you are saying. I guess I now understand
> > the point "EAP cannot be the only use case for CUI". I can think of one
> > example where CUI would not even work with EAP. The way I understand
> > it, EAP-TTLS uses a model where a TTLS server that can be different
> > from the AAAH of the client establishes a TLS session with the client.
> > The purpose of TLS is to protect the user identity/authentication. So
> > in the early stage of EAP you need to use a pseudo identity. If the
> > AAAH is the only place that understands that pseudo identity, then you
> > are in trouble, because the TLS is established with the TTLS server
> > and not with the AAAH. AAAH only comes into play when the client is
> > authenticating. The TTLS server does not know the CUI. So in that case
> > you can't even use CUI as an alias.
> 
> This is an interesting issue. But presumably *some* server
> will eventually learn the true user identity. If this server
> is the TTLS server, it can use CUI to inform the NAS. If this 
> server is someone else, that server and the TTLS server need 
> to communicate first so that the TTLS server can send the CUI 
> to the NAS.
> 
> This also implies that the CUI is something that can be 
> learned very late in the process, perhaps even as late as in 
> the Access-Accept.
> 
> By the way, what would be the meaning of CUI for "pay as you 
> go" type of approaches, e.g., micropayments or the like over 
> EAP? There might not be any billable user identity; the only 
> thing that could be provided in those cases is some kind of a 
> session identifier so that the home AAA and the NAS can 
> correlate their accounting records.
> 
> --Jari
> 

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
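The flow the thread describes (the NAS sees only a pseudonymous outer identity, the home AAA that knows the real user returns a CUI alias in the Access-Accept, and the NAS then copies that alias into its Accounting-Request so NAS and home AAA can correlate records) as a worked exchange. This is an added example, not code from the thread or from any IETF implementation. It assumes the Chargeable-User-Identity attribute type 89 and the "single NUL octet means the NAS supports CUI" convention, both of which come from the later RFC 4372 rather than from this 2004 discussion; the shared secret, identities and session id are constructed. Packet handling is deliberately minimal (no EAP, no Message-Authenticator), but the RFC 2865 Response Authenticator and RFC 2866 Accounting-Request authenticator are computed as specified. The `cui=None` path models Jari's pay-as-you-go case, where there is no billable identity and only the session id is left for correlation.

```python
"""Toy RADIUS exchange: where CUI is set (Access-Accept) and where it is
reused (Accounting-Request). Added example with constructed values."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST = 1, 2, 4      # RFC 2865/2866 codes
USER_NAME, CLASS, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 25, 40, 44
CHARGEABLE_USER_IDENTITY = 89   # assumption: type assigned by RFC 4372, not by this thread
ACCT_STATUS_START = 1


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs; length includes the 2-octet header."""
    out = b""
    for t, v in attrs:
        if not 1 <= len(v) <= 253:
            raise ValueError("attribute value must be 1..253 octets")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    """Parse TLVs, rejecting a length that would run off the end of the packet."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 3 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    """Return (code, identifier, authenticator, attrs) after a length sanity check."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def find_attr(attrs, wanted):
    return next((v for t, v in attrs if t == wanted), None)


def radius_authenticator(code, ident, seed, body, secret):
    """MD5(header | seed | attributes | secret). seed is the Request Authenticator
    for an Access-Accept (RFC 2865) and 16 zero octets for Accounting-Request (RFC 2866)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + seed + body + secret).digest()


def nas_access_request(ident, outer_identity):
    """NAS: sends only a pseudonymous outer identity and advertises CUI support
    with a single NUL octet (RFC 4372 convention, assumed here)."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, outer_identity), (CHARGEABLE_USER_IDENTITY, b"\x00")]
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def aaa_access_accept(request, secret, cui):
    """Home AAA: the only party that maps the pseudonym to a billable identity.
    It returns the CUI alias alongside the other authorization attributes."""
    code, ident, req_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    resp = [(CLASS, b"constructed-class-marker")]
    if find_attr(attrs, CHARGEABLE_USER_IDENTITY) == b"\x00" and cui is not None:
        resp.append((CHARGEABLE_USER_IDENTITY, cui))
    auth = radius_authenticator(ACCESS_ACCEPT, ident, req_auth, encode_attrs(resp), secret)
    return build_packet(ACCESS_ACCEPT, ident, auth, resp)


def verify_accept(accept, req_auth, secret):
    """NAS-side Response Authenticator check; a forged or mis-keyed Accept fails here."""
    code, ident, auth, _ = parse_packet(accept)
    expected = radius_authenticator(ACCESS_ACCEPT, ident, req_auth, accept[20:], secret)
    return code == ACCESS_ACCEPT and auth == expected


def nas_accounting_start(accept, req_auth, secret, ident, session_id):
    """NAS: copy the CUI it learned in the Access-Accept (if any) into accounting.
    Without a CUI, Acct-Session-Id is the only correlation handle left."""
    if not verify_accept(accept, req_auth, secret):
        raise ValueError("Access-Accept failed authenticator check")
    attrs = parse_packet(accept)[3]
    acct = [(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_START)),
            (ACCT_SESSION_ID, session_id)]
    cui = find_attr(attrs, CHARGEABLE_USER_IDENTITY)
    if cui is not None:
        acct.append((CHARGEABLE_USER_IDENTITY, cui))
    auth = radius_authenticator(ACCOUNTING_REQUEST, ident, bytes(16), encode_attrs(acct), secret)
    return build_packet(ACCOUNTING_REQUEST, ident, auth, acct)


def run_exchange(cui, secret=b"constructed-shared-secret"):
    """Full NAS <-> home AAA round trip; returns the Accounting-Request attributes."""
    req, req_auth = nas_access_request(7, b"anonymous@example.net")
    accept = aaa_access_accept(req, secret, cui)
    acct = nas_accounting_start(accept, req_auth, secret, 8, b"sess-0001")
    return parse_packet(acct)[3]


if __name__ == "__main__":
    for t, v in run_exchange(b"cui-alias-42"):
        print(t, v)
```

Note what the NAS never sees: the real user name is not in any packet, only the outer pseudonym and the CUI alias chosen by the home AAA, which is the aliasing property the thread is arguing about. The authenticator check matters for the same reason: a CUI injected into an Access-Accept by anyone without the shared secret is rejected before it can reach the accounting stream.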