Dan Harkins wrote:
> Authentication has to do with proving an identity. Authorization has
> to do with determining whether that proven identity is "good" or "bad".

That's a clear explanation.

> I'm not sure what sites do what but I'm not aware of an EAP method
> that checks a username and a password AND a MAC address.

Bare EAP, no. But it's possible to put a MAC into a field of a client cert, and then to compare the MAC received via EAP-TLS against the MAC received in the same RADIUS packet. In this case, the MAC is part of the identity.

> Channel bindings are subtly different. Since a 2-party protocol is being
> used with 3 parties it is necessary to ensure that all 3 parties have a
> consistent view of all 3 identities. But that's still an authentication
> problem-- is this 3rd entity really who it says it is?

... and is he authorized to provide the services he's claiming to offer.

Are we really authenticating the NAS, and then authorizing it, by passing tunneled data in EAP? Do we really want to go down that path?

Alan DeKok.
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
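The check described in the reply above (a MAC carried in a client-certificate field, compared against the MAC the NAS reported in the same RADIUS packet) as an added Python example; it is not code from the thread or from any RADIUS server. The certificate field value and the RADIUS attributes are constructed, and a real deployment would pull the MAC from whichever certificate field (CN, SAN) its CA puts it in.

```python
import re

# Constructed sample values: a MAC taken from a hypothetical client-cert
# field, and the attributes of the Access-Request that carried EAP-TLS.
CERT_MAC_FIELD = "00:1A:2B:3C:4D:5E"
RADIUS_ATTRS = {
    "User-Name": "host/laptop42.example.net",
    "Calling-Station-Id": "00-1a-2b-3c-4d-5e",  # formatting is NAS-specific
    "NAS-Identifier": "ap-floor3",
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value):
    """Canonicalise the MAC spellings NAS vendors use in Calling-Station-Id
    ('00-1a-..', '00:1A:..', '001a2b3c4d5e', '001a.2b3c.4d5e') to twelve
    lowercase hex digits.  Returns None if the value is not a MAC at all."""
    digits = re.sub(r"[:.\-\s]", "", value.strip().lower())
    return digits if _HEX12.match(digits) else None


def mac_binding_authorized(cert_mac, radius_attrs):
    """Authorization step, run only after EAP-TLS has already authenticated
    the certificate: the MAC asserted in the cert must equal the MAC the NAS
    reported in the same RADIUS packet.  Returns (decision, reason)."""
    expected = normalize_mac(cert_mac)
    if expected is None:
        return False, "certificate MAC field is not a parseable MAC"
    reported = radius_attrs.get("Calling-Station-Id")
    if reported is None:
        return False, "no Calling-Station-Id in this Access-Request"
    actual = normalize_mac(reported)
    if actual is None:
        return False, "Calling-Station-Id is not a MAC (wired or VPN NAS?)"
    if actual != expected:
        return False, "MAC mismatch: cert=%s nas=%s" % (expected, actual)
    return True, "certificate identity and NAS-reported MAC agree"


if __name__ == "__main__":
    print(mac_binding_authorized(CERT_MAC_FIELD, RADIUS_ATTRS))
```

The comparison is only as trustworthy as the NAS that filled in Calling-Station-Id, which is exactly the third-party trust question the reply raises; some NASes also append an SSID after the MAC, which this normaliser does not strip.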