[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Follow up on Authorize Only issue (was RE: [Isms] ISMS session

To: Avi Lior <avi@bridgewatersystems.com>
Subject: Re: Follow up on Authorize Only issue (was RE: [Isms] ISMS session
From: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
Date: Wed, 26 Jul 2006 10:55:06 +0200
Cc: "Glen Zorn (gwz)" <gwz@cisco.com>, David Harrington <ietfdbh@comcast.net>, Eliot Lear <lear@cisco.com>, isms@ietf.org, radiusext@ops.ietf.org
In-reply-to: <E7CCE8A83907104ABEE91AC3AE3709A006882EEA@exchange.bridgewatersys.com>
References: <E7CCE8A83907104ABEE91AC3AE3709A006882EEA@exchange.bridgewatersys.com>
User-agent: Mozilla Thunderbird 1.0.7 (Windows/20050923)

Hi Avi,

I like the idea of using some information to tie the authentication andthe authorization process/exchange together. In fact we discussed thisat the last IETF meeting when David gave his presentation.

I suggested to use an existing mechanism to accomplish this binding,namely SAML. I can elaborate a bit more about the details if someonecase about it.


Ciao
Hannes

Avi Lior wrote:

I proably did not make myself clear....or maybe I did and I am missing
something.

When the NAS sends the Access-Request Auth-Only message I agree that it
MUST contain Message-Authenticator(80) etc...

What I meant is that it would be nice if there was a token or an
assertion that came from the place that did authenticate the user  to
indicate in a cryptographic way that this user was authenticated.

The AAA server can use that token to verify that the user was
authenticated by an entity that it trusts.  Like a kerberose ticket.
-----Original Message-----
From: Glen Zorn (gwz) [mailto:gwz@cisco.com]Sent: Tuesday, July 25, 2006 3:47 PM
To: Avi Lior; David Harrington; Eliot Lear
Cc: isms@ietf.org; radiusext@ops.ietf.org
Subject: RE: Follow up on Authorize Only issue (was RE:[Isms] ISMS session
Avi Lior <mailto:avi@bridgewatersystems.com> supposedly scribbled:
Hi,

If I was specifying how this is done:
It would be nice if the AAA client could return some sort
of token to
the AAA server to assert that the user has been authenticated by anentity that it trusts. The token can be generated by theAuthentication Server.
We need this assertion to make sure we deliver the correct profile.
I disagree: the fact that the message is being sent by anauthenticated client at all says that the user has beenauthenticated elsewhere. Note that safety requires theinclusion of a MAC (either the Message-Authenticator orpreferably the Message-Authentication-Code Attribute) in theAccess-Request.
Hope this helps,

~gwz

Why is it that most of the world's problems can't be solved by simply
 listening to John Coltrane? -- Henry Gabriel
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>



--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

Follow-Ups:
- RE: Follow up on Authorize Only issue (was RE: [Isms] ISMS session
  - From: "Avi Lior" <avi@bridgewatersystems.com>

References:
- RE: Follow up on Authorize Only issue (was RE: [Isms] ISMS session
  - From: "Avi Lior" <avi@bridgewatersystems.com>

Prev by Date: Re: [Isms] RE: Follow up on Authorize Only issue
Next by Date: RE: [Isms] RE: Follow up on Authorize Only issue
Previous by thread: RE: Follow up on Authorize Only issue (was RE: [Isms] ISMS session
Next by thread: RE: Follow up on Authorize Only issue (was RE: [Isms] ISMS session
Index(es):
- Date
- Thread