All,
> I agree that EAP was originally defined solely for the purpose > of authentication. I agree that it is wise for us to consider > carefully whether we want to also allow it to be used to carry > information that is useful in authorization. While I believe that > this is a good idea, I think that we'll want to continue to place > constraints on the amount and kind of data that should be > conveyed over EAP. EAP is not a bulk data transfer protocol > and it should not be used as one. That will only result in > heartache for all involved (due to the limit of one packet > in flight at any time, the frequently long round trip times > when RADIUS proxies are used, and the short timeouts given > by many NASs, among other issues). > > At some level we need to really consider some level of enhanced authentication meta-data to flow over the EAP session. I would still argue that it is not all really authorization in the traditional sense. There is a big fat gray area these days. Organizations are looking at using these traditioinal chunks of data to make more educated authenitcation decisions. Simply trusting a username/password is not longer sufficient. We want to be able to make sure the person is using the computer that was assigned to them, the computer is still fully compliant with security policy, the user is in the office that was assigned to them, and a slew of other things. If all of these and the stars align just right, then we will authenticate them to the network and then they can be granted network access and normal network authorization processes can take place through processes and protocols that exist or will be created. Bret --------------------------------------------------------------------------------- Bret Jordan CISSP "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
_______________________________________________ Emu mailing list Emu@ietf.org https://www.ietf.org/mailman/listinfo/emu
