
RE: Scope of applicability for CUI



CUI is not needed for TTLS.

It's needed after. At least that is what we need it for.

> -----Original Message-----
> From: Nakhjiri Madjid-MNAKHJI1 [mailto:Madjid.Nakhjiri@motorola.com] 
> Sent: Monday, December 20, 2004 11:31 AM
> To: 'jari.arkko@piuha.net'
> Cc: 'Avi Lior'; 'Nelson, David'; radiusext@ops.ietf.org
> Subject: RE: Scope of applicability for CUI
> 
> 
> Hi Jari,
> 
> -----Original Message-----
> From: Jari Arkko [mailto:jari.arkko@piuha.net] 
> Sent: Saturday, December 18, 2004 3:21 AM
> To: Nakhjiri Madjid-MNAKHJI1
> Cc: 'Avi Lior'; 'Nelson, David'; radiusext@ops.ietf.org
> Subject: Re: Scope of applicability for CUI
> 
> Nakhjiri Madjid-MNAKHJI1 wrote:
> > Hi Avi,
> > 
> > I agree with most of what you are saying. I guess I now understand
> > the point "EAP cannot be the only use case for CUI". I can think of one
> > example where CUI would not even work with EAP. The way I understand
> > it, EAP-TTLS uses a model where a TTLS server that can be different
> > from the AAAH of the client establishes a TLS session with the client.
> > The purpose of TLS is to protect the user identity/authentication. So
> > in the early stage of EAP you need to use a pseudo identity. If the
> > AAAH is the only place that understands that pseudo identity, then you
> > are in trouble, because the TLS is established with the TTLS server
> > and not with the AAAH. AAAH only comes in place when the client is
> > authenticating. The TTLS server does not know the CUI. So in that case
> > you can't even use CUI as an alias.
> 
> This is an interesting issue. But presumably *some* server
> will eventually learn the true user identity. If this server
> is the TTLS server, it can use CUI to inform the NAS. If this
> server is someone else, that server and the TTLS server need
> to communicate first so that the TTLS server can send the CUI
> to the NAS.
> 
> Madjid>> I thought user-aliases were needed during EAP to locate the TTLS
> Madjid>> server (or AAAH server for the user), no?
> Why would the TTLS server need to send the CUI to the NAS?
> The TTLS server knows which NAS the EAP signaling is coming
> from. The NAS knows which user the request is coming from
> through L2 addressing methods. Did I miss something?
> 
> 
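The exchange the thread argues over, written out as a toy Python model (added here as an illustration; it is not code from the thread, from any of the posters, or from any RADIUS implementation): the peer's anonymous outer NAI is only used to route on its realm, the real user name travels in a payload the NAS treats as opaque (standing in for the TLS tunnel), and the home/TTLS server hands back a Chargeable-User-Identity only after it has authenticated the user, which the NAS then carries into accounting instead of any real identity. The realm, user list, CUI key, and attribute names such as `tunnel/EAP-Message` are constructed for the example.

```python
"""Toy model of EAP-TTLS outer/inner identity handling with CUI.

Not part of the mailing-list thread.  The TTLS server and AAAH are collapsed
into one HomeServer; the TLS tunnel is modelled as a TunnelPayload object that
the NAS forwards without inspecting.  All names and secrets are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class RadiusMessage:
    code: str                              # "Access-Request", "Access-Accept", ...
    attrs: dict = field(default_factory=dict)


@dataclass(frozen=True)
class TunnelPayload:
    """Stands in for the TLS-protected inner EAP exchange; opaque to the NAS."""
    inner_identity: str
    password: str


def split_nai(nai: str):
    """Split a Network Access Identifier into (user, realm); the realm is what proxies route on."""
    if "@" not in nai:
        raise ValueError("outer identity has no realm; cannot be routed")
    user, realm = nai.rsplit("@", 1)
    return user, realm.lower()


class HomeServer:
    """TTLS server and AAAH in one: the only party that ever sees the inner identity."""

    def __init__(self, realm: str, cui_key: bytes, users: dict):
        self.realm = realm
        self.cui_key = cui_key             # constructed secret; keeps the CUI opaque to the NAS
        self.users = users                 # constructed map: inner identity -> password

    def cui_for(self, inner_identity: str) -> str:
        # Stable per-user alias: the same user always yields the same CUI,
        # but the NAS cannot invert it back to the real identity.
        mac = hmac.new(self.cui_key, inner_identity.encode(), hashlib.sha256).hexdigest()
        return mac[:16]

    def handle(self, req: RadiusMessage) -> RadiusMessage:
        _, realm = split_nai(req.attrs["User-Name"])
        if realm != self.realm:
            return RadiusMessage("Access-Reject", {"Reply-Message": "wrong realm"})
        tunnel = req.attrs.get("tunnel/EAP-Message")
        if tunnel is None or self.users.get(tunnel.inner_identity) != tunnel.password:
            return RadiusMessage("Access-Reject", {"Reply-Message": "bad credentials"})
        # The CUI is assigned only once the user is actually known, i.e. after authentication.
        cui = self.cui_for(tunnel.inner_identity)
        return RadiusMessage("Access-Accept", {"Chargeable-User-Identity": cui})


class NAS:
    def __init__(self, routes: dict):
        self.routes = routes               # realm -> HomeServer (static proxy table)
        self.sessions = {}                 # session id -> (outer NAI, CUI)

    def authenticate(self, session_id: str, outer_nai: str, tunnel: TunnelPayload):
        _, realm = split_nai(outer_nai)    # routing needs the realm only, never the user part
        server = self.routes.get(realm)
        if server is None:
            return None
        req = RadiusMessage("Access-Request",
                            {"User-Name": outer_nai, "tunnel/EAP-Message": tunnel})
        resp = server.handle(req)
        if resp.code != "Access-Accept":
            return None
        cui = resp.attrs["Chargeable-User-Identity"]
        self.sessions[session_id] = (outer_nai, cui)
        return cui

    def accounting_start(self, session_id: str) -> RadiusMessage:
        outer_nai, cui = self.sessions[session_id]
        # The NAS only ever knew the outer identity; the CUI is what makes the record chargeable.
        return RadiusMessage("Accounting-Request", {"Acct-Status-Type": "Start",
                                                   "User-Name": outer_nai,
                                                   "Chargeable-User-Identity": cui})


# Constructed topology for the example.
HOME = HomeServer("example.net", b"constructed-cui-key", {"alice": "s3cret"})
NAS0 = NAS({"example.net": HOME})


def demo():
    """Run one successful login and return (CUI, accounting Start record)."""
    cui = NAS0.authenticate("s1", "anonymous@example.net", TunnelPayload("alice", "s3cret"))
    return cui, NAS0.accounting_start("s1")


if __name__ == "__main__":
    print(demo())
```

The NAS never stores anything from the tunnel payload, so the accounting record it emits carries only the anonymous outer NAI plus the CUI; a second session for the same user gets the same CUI, which is what makes it usable for charging across sessions, while a wrong password or an unknown realm yields no CUI at all.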

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>