RE: [Isms] What granularity of attributes do we need for the secure transport?
David Nelson spoke thusly:
"My question is whether this sort of configuration of the secure transport
protocol is something that needs to be checked by the NAS, using differing
criteria, on each and every user authentication? I think that granularity
of configuration is generally handled by, well... configuration, and not
handled as part of user authorization."
With respect to IEEE 802.11 access, there are no RADIUS attributes that
specify whether a given user is allowed to do WEP/WPA/WPA2. It is
assumed that security is negotiated between the AP and STA based on
their configuration. This seems to work OK, particularly
since separate SSIDs are typically provisioned for each supported security
mechanism, so that user authorization can be handled based on the
SSID (provided in the Called-Station-Id).
A similar approach might well work here -- we assume that the NAS is set
up to allow/require various security mechanisms. It might be useful for
the NAS to tell the RADIUS server what security mechanism has been
negotiated, and the RADIUS server might Accept/Reject the authentication
based on that information as well as the user-name. But there is no
notion that the RADIUS server can exercise *control* over what is
negotiated -- it is "here is what I'm doing, take it or leave it".
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
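The authorization model the message describes (the security mechanism is implied by the SSID carried in Called-Station-Id, and the RADIUS server accepts or rejects on user-name plus SSID rather than negotiating security itself) can be sketched as a small policy function. The following is an added example, not code from the list thread or from any RADIUS implementation. The SSID-to-mechanism table, the per-user minimums and the user names are constructed; the `Negotiated-Security-Mechanism` attribute is a hypothetical name for the "NAS tells the server what was negotiated" idea the message floats, and is not a real RADIUS attribute. Only the Called-Station-Id layout (AP MAC, then `:` and the SSID, per RFC 3580) is taken from the standard.

```python
"""Toy RADIUS authorization policy keyed on the SSID in Called-Station-Id.

Added example; the tables below are constructed operator configuration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


def parse_called_station_id(value: str) -> tuple[str, Optional[str]]:
    """Split an 802.11 Called-Station-Id ("<AP-MAC>:<SSID>", RFC 3580)."""
    mac, sep, ssid = value.partition(":")
    return mac, (ssid if sep else None)


# Constructed: each SSID is provisioned for exactly one 802.11 security
# mechanism, so the SSID stands in for the mechanism, which RADIUS has no
# attribute for.
SSID_SECURITY = {
    "corp-wpa2": "WPA2",
    "legacy-wep": "WEP",
    "guest-open": "OPEN",
}

# Constructed ordering used to compare mechanisms, and per-user minimums.
SECURITY_RANK = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3}
USER_MIN_SECURITY = {"alice": "WPA2", "bob": "WEP", "printer01": "OPEN"}

# Hypothetical attribute name (not a real RADIUS attribute) standing in for
# the NAS reporting the mechanism it actually negotiated with the station.
NEGOTIATED_ATTR = "Negotiated-Security-Mechanism"


@dataclass
class Decision:
    code: str    # "Access-Accept" or "Access-Reject"
    reason: str


def authorize(attrs: dict[str, str]) -> Decision:
    """Decide Accept/Reject from User-Name and the SSID in Called-Station-Id."""
    user = attrs.get("User-Name")
    csi = attrs.get("Called-Station-Id")
    if user is None or csi is None:
        return Decision("Access-Reject", "missing User-Name or Called-Station-Id")

    _ap_mac, ssid = parse_called_station_id(csi)
    if ssid is None or ssid not in SSID_SECURITY:
        return Decision("Access-Reject", f"unknown SSID {ssid!r}")
    offered = SSID_SECURITY[ssid]

    required = USER_MIN_SECURITY.get(user)
    if required is None:
        return Decision("Access-Reject", f"unknown user {user!r}")

    # If the NAS reports what it negotiated, it must agree with what the SSID
    # is configured for; a mismatch is a misconfigured or untrusted NAS, and
    # the server can only reject, not renegotiate.
    negotiated = attrs.get(NEGOTIATED_ATTR)
    if negotiated is not None and negotiated != offered:
        return Decision(
            "Access-Reject",
            f"NAS negotiated {negotiated} on {ssid}, configured for {offered}",
        )

    if SECURITY_RANK[offered] < SECURITY_RANK[required]:
        return Decision(
            "Access-Reject", f"{ssid} offers {offered}, {user} requires {required}"
        )
    return Decision("Access-Accept", f"{user} on {ssid} ({offered})")


if __name__ == "__main__":
    # Constructed sample requests.
    for req in (
        {"User-Name": "alice", "Called-Station-Id": "00-10-A4-23-19-C0:corp-wpa2"},
        {"User-Name": "alice", "Called-Station-Id": "00-10-A4-23-19-C0:legacy-wep"},
        {"User-Name": "bob", "Called-Station-Id": "00-10-A4-23-19-C0:legacy-wep"},
        {"User-Name": "bob", "Called-Station-Id": "00-10-A4-23-19-C0"},
    ):
        d = authorize(req)
        print(f"{d.code}: {d.reason}")
```

The server never influences what the AP and station negotiate; the only lever it has is the Accept/Reject decision, which is exactly the "take it or leave it" relationship the message describes.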