[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Isms] RADIUS is not a trusted third party



Tschofenig Hannes <> supposedly scribbled:

> hi sam,
> 
> you have intentionally chosen a provocative title for your mail.
> 
> you write:
> 
> "
>> Remember that RADIUS is a callout service; it is not a trusted
third
>> party.  In other words, in a particular SNMP authentication, only
one
>> of the parties will know that RADIUS is being used. "
> 
> what is a "callout service"?
> what is radius for you? (you write that it is not a trusted third
> party.) 

It's not.  From the point of view of authentication protocols (PAP,
CHAP, EAP, etc.), both RADIUS and Diameter are just "wires": the
operation of the auth protocols should be exactly the same as if
they terminated in the AAA client, instead of elsewhere.  Basically,
the purpose of AAA (again, from the POV of an authentication
protocol) is simply scaling.  BTW, a lot of misery has been caused
by the erroneous belief that EAP is (or can be) a three-party
authentication protocol: it isn't, and can't be.  It could _carry_ a
three-party protocol (like Kerberos), but EAP in itself is a
two-party protocol.

> why do you care that only one party knows that radius is
> used? it could also be diameter.  
> 
> i would like to better understand why some people dislike the aaa
> architecture (radius, diameter). 

I think that the misunderstanding mentioned above might have
something to do with it...

> 
> ciao
> hannes
> 
> 
>> -----Ursprüngliche Nachricht-----
>> Von: isms-bounces@lists.ietf.org
>> [mailto:isms-bounces@lists.ietf.org] Im Auftrag von Sam Hartman
>> Gesendet: Freitag, 15. April 2005 19:34
>> An: Martin Soukup
>> Cc: isms@ietf.org
>> Betreff: [Isms] RADIUS is not a trusted third party
>> 
>> 
>>>>>>> "Martin" == Martin Soukup <msoukup@nortel.com> writes:
>> 
>>     Martin> RADIUS "Access-Accept" indicates a successful
>>     Martin> authenthentication response for a user.
>> 
>>     Martin> The Access-Accept already returns a
"Session-Timeout",
>>     Martin> defined as "Sets the maximum number of seconds of
service
>>     Martin> to be provided to the user before the session
>>     Martin> terminates. This attribute value becomes the per-user
>>     Martin> "absolute timeout."".
>> 
>> This only tells the SNMP engine talking to the RADIUS server the
>> timeout.  You need to tell the other side of the exchange the
>> timeout too. 
>> 
>> Remember that RADIUS is a callout service; it is not a trusted
third
>> party.  In other words, in a particular SNMP authentication, only
one
>> of the parties will know that RADIUS is being used.
>> 
>> 
>> _______________________________________________
>> Isms mailing list
>> Isms@lists.ietf.org
>> https://www1.ietf.org/mailman/listinfo/isms
>> 
> 
> _______________________________________________
> Isms mailing list
> Isms@lists.ietf.org
> https://www1.ietf.org/mailman/listinfo/isms

Hope this helps,

~gwz

Why is it that most of the world's problems can't be solved by
simply
  listening to John Coltrane? -- Henry Gabriel

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>