Glen Zorn wrote:
> No. Please don't confuse authentication with authorization. The parameters
> you mention above are policy-related, not related to authentication.

You are making arbitrary distinctions between pieces of information.
Ones you like are deemed "authentication". Ones you don't like are
deemed "authorization".

> What authentication server is that? Not RADIUS: the semantics of the
> Access-Reject message don't distinguish between failed authentication and
> failed authorization.

This is the EMU WG, not RADIUS. EAP has an "EAP-Failure" code.

> A server can tell me that I'm not authorized without knowing who I am?

Yes. A policy could state that all logins between 5pm and 9am are to be
rejected. In that case, it can reject you without knowing (or caring)
who you are.

This process can't be "authorization", because it can happen *before*
authentication.

>> If we restrict EAP to solely "authentication", then I would ask what
>> that means. An authentication protocol that is incapable of
>> transporting the data required to make authentication decisions would
>> be perfectly secure: No one would ever be authenticated.
>
> I have no idea what you're talking about.

Explain what criteria you use to distinguish between "authentication"
data and "authorization" data.

Give a name to the policies that get processed *before* a user is
authenticated. Such policies exist, and are in wide use. The NEA use of
EAP falls within this use.

Alan DeKok.
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu