RE: Follow up on Authorize Only issue (was RE: [Isms] ISMS session
I probably did not make myself clear... or maybe I did and I am missing
something.
When the NAS sends the Access-Request Auth-Only message I agree that it
MUST contain Message-Authenticator(80) etc...
What I meant is that it would be nice if there was a token or an
assertion that came from the place that did authenticate the user to
indicate in a cryptographic way that this user was authenticated.
The AAA server can use that token to verify that the user was
authenticated by an entity that it trusts. Like a Kerberos ticket.
> -----Original Message-----
> From: Glen Zorn (gwz) [mailto:gwz@cisco.com]
> Sent: Tuesday, July 25, 2006 3:47 PM
> To: Avi Lior; David Harrington; Eliot Lear
> Cc: isms@ietf.org; radiusext@ops.ietf.org
> Subject: RE: Follow up on Authorize Only issue (was RE:
> [Isms] ISMS session
>
> Avi Lior <mailto:avi@bridgewatersystems.com> supposedly scribbled:
>
> > Hi,
> >
> > If I was specifying how this is done:
> >
> > It would be nice if the AAA client could return some sort of token to
> > the AAA server to assert that the user has been authenticated by an
> > entity that it trusts. The token can be generated by the
> > Authentication Server.
> >
> > We need this assertion to make sure we deliver the correct profile.
>
> I disagree: the fact that the message is being sent by an
> authenticated client at all says that the user has been
> authenticated elsewhere. Note that safety requires the
> inclusion of a MAC (either the Message-Authenticator or
> preferably the Message-Authentication-Code Attribute) in the
> Access-Request.
>
> Hope this helps,
>
> ~gwz
>
> Why is it that most of the world's problems can't be solved by simply
> listening to John Coltrane? -- Henry Gabriel
>
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
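An added example, not part of the original messages: how a server can check Message-Authenticator(80) on an Access-Request carrying Service-Type = Authorize-Only, using the HMAC-MD5 construction from RFC 3579 (attribute value zeroed during computation). The shared secret, user name and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, USER_NAME, SERVICE_TYPE, MESSAGE_AUTHENTICATOR = 1, 1, 6, 80
AUTHORIZE_ONLY = 17  # Service-Type value defined in RFC 3576

def attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([attr_type, len(value) + 2]) + value

def build_authorize_only(secret, identifier, user):
    """NAS side: Access-Request with Authorize-Only and a Message-Authenticator."""
    attrs = (attr(USER_NAME, user)
             + attr(SERVICE_TYPE, struct.pack("!I", AUTHORIZE_ONLY))
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))  # zeroed placeholder, kept last
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = bytearray(header + os.urandom(16) + attrs)
    packet[-16:] = hmac.new(secret, packet, hashlib.md5).digest()
    return bytes(packet)

def verify_message_authenticator(secret, packet):
    """Server side: True only if exactly one valid Message-Authenticator is present."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    pos, mac_at = 20, None
    while pos < length:                       # walk the attribute list
        if pos + 2 > length:
            return False
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False                      # malformed attribute
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18 or mac_at is not None:
                return False                  # wrong size or duplicate
            mac_at = pos + 2
        pos += attr_len
    if mac_at is None:
        return False                          # attribute missing: reject
    zeroed = bytearray(packet[:length])
    received = bytes(zeroed[mac_at:mac_at + 16])
    zeroed[mac_at:mac_at + 16] = bytes(16)    # MAC is computed over a zeroed field
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)
```

A passing check shows that the packet came unmodified from a holder of the shared secret; it carries no separate statement about the user.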