[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Comments on "practical deployments"
David B. Nelson wrote:
>> If the only way to obtain network access is via EAP, then you have a
>> bootstrapping problem. Once the users have signed up, everything is
>> great. The users who *haven't* signed up are shut out. Permanently.
>
> So, this is really an enrollment issue, not an authentication issue?
No. Think of roaming, which I've been spending a lot of time on lately.
If authentication is required for any IP-based network access, then
how do roaming users know that they can authenticate using the local
network? Pre-provisioning devices with roaming knowledge doesn't scale,
and it doesn't handle dynamic networks. 802.11af doesn't scale either,
and isn't designed to scale.
When the user doesn't have any network access, they can't determine
whether or not authentication is possible. They can't determine which
authentication credentials to use. So requiring authentication means
*forbidding* network access to a large class of users who could
*potentially* obtain network access.
Alan DeKok.
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>