
Re: Comments on "practical deployments"



David B. Nelson wrote:
>>   If the only way to obtain network access is via EAP, then you have a
>> bootstrapping problem.  Once the users have signed up, everything is
>> great.  The users who *haven't* signed up are shut out.  Permanently.
> 
> So, this is really an enrollment issue, not an authentication issue?

  No.  Think of roaming, which I've been spending a lot of time on lately.

  If authentication is required for any IP-based network access, then
how do roaming users know that they can authenticate using the local
network?  Pre-provisioning devices with roaming knowledge doesn't scale,
and it doesn't handle dynamic networks.  802.11af doesn't scale either,
and isn't designed to scale.

  When the user doesn't have any network access, they can't determine
whether or not authentication is possible.  They can't determine which
authentication credentials to use.  So requiring authentication means
*forbidding* network access to a large class of users who could
*potentially* obtain network access.

  Alan DeKok.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>