[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [eap] RE: [Isms] RADIUS is not a trusted third party



Blumenthal, Uri <mailto:uri.blumenthal@intel.com> supposedly
scribbled:

> It was my understanding that while EAP is between the client
> (supplicant) and NAS, and RADIUS is between NAS and AAA, *EAP
method*
> that runs on top of EAP is between the client and RADIUS server. 

No.  Can we just _get it_ once and for all?  AAA & EAP are
_different_ and _separate_ things: there is no part of EAP that is
"between" the EAP peer and any AAA entity.

> 
> This tunnel created by EAP method can be considered as "trust
between
> the client and AAA", 

See above.

> and RADIUS between NAS and AAA (however it is 
> accomplished) is "trust between NAS and AAA".
> 
> And yes, many find convenient to connect authorization decision to
> some extra information about the supplicant - such as its posture
> evaluation (Cisco NAC, Microsoft NAP, etc). Such information would
> naturally be carried in TLVs as part of EAP inner method exchange.

Or more rationally (gasp!) in a subsequent _authorization_ protocol
exchange.

> Yes it seems to go way beyond the original purpose of EAP, but
then
> it does seem to address the today's need.  

If one has a sore toe, shooting oneself in the foot may seem to
satisfy "today's need"; in the long run, however, it will probably
turn out to be counterproductive.
   
> 
> -----Original Message-----
> From: isms-bounces@lists.ietf.org
[mailto:isms-bounces@lists.ietf.org]
> On Behalf Of Bernard Aboba
> Sent: Monday, April 25, 2005 10:02 PM
> To: Glen Zorn (gwz)
> Cc: radiusext@ops.ietf.org; eap@frascone.com; isms@ietf.org
> Subject: RE: [eap] RE: [Isms] RADIUS is not a trusted third party
> 
> Martin Soukup said:
> 
>> The use of RADIUS itself without a defined extension such as
EAP-TLS
>> or EAP-PEAP over RADIUS cannot securely pass attributes between
>> entities. Note that the defined EAP-TLS (or other EAP mechanisms)
>> over RADIUS provides for secure attribute passing between
entities
>> even through proxies.
> 
> In response to which, Glen Zorn spake thusly:
> 
>> I thought that I was passing familiar w/EAP-TLS (and even more so
>> w/PEAP), but I am completely unaware of such capabilities.  Would
you
>> mind explaining how this is achieved, given that RADIUS & EAP are
>> completely different protocols?
> 
> I also was unaware of the ability of EAP-TLS to transmit RADIUS
> attributes between the EAP peer and server.  I had always thought
> RADIUS was a protocol only spoken between a NAS and a RADIUS
server,
> and that EAP-TLS didn't support transmission of TLVs.  But I guess
> this is a somewhat old fashioned point of view.    
> 
> Perhaps this is referring to EAP-TLS "extended" via the following?
>
http://www.ietf.org/internet-drafts/draft-funk-tls-inner-application
-ext
> ension-01.txt
> 
> 
> 
> _______________________________________________
> Isms mailing list
> Isms@lists.ietf.org
> https://www1.ietf.org/mailman/listinfo/isms

Hope this helps,

~gwz

Why is it that most of the world's problems can't be solved by
simply
  listening to John Coltrane? -- Henry Gabriel

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>