Hi Yoav,

Thanks for your reply. Please see my comments inline.

-----Original Message-----
From: Yoav Nir [mailto:y...@checkpoint.com]
Sent: Tuesday, November 10, 2009 5:29 PM
To: Amjad Inamdar (amjads)
Cc: ipsec@ietf.org
Subject: Re: [IPsec] Clarification on identities involved in IKEv2 EAP authentication


On Nov 10, 2009, at 1:40 PM, Amjad Inamdar (amjads) wrote:

> Hi,
>
> With IKEv2 EAP authentication, there are 3 identities involved
>
> 1) IDi - IKEv2 initiator identity sent in msg-3
> 2) EAP identity that gateway (IKEv2 responder) can request from the
> client (IKEv2 initiator)
> 3) Authenticated EAP identity that third party EAP server provides to 
> the gateway (IKEv2 responder).
>
>
> Could someone please clarify from RFC standpoint if
>
> 1) The 3 identities mentioned above MUST/SHOULD be same

No, although they typically are.

[Amjad]
Is there a use case for not having IDi same as EAP identity? Having them
same would simplify policy decisions.

> 2) If not same, what purpose should each of the above identities serve

   1) mainly used as a hint for the gateway as to which AAA server to
choose

[Amjad]
EAP authentication is typically used with remote access and IDi of type
IP_ADDR may not be very useful here as a hint for AAA server. So it will
help to have recommended ID types for such cases.

   2) It's the AAA server that may request the identity, and it's
internal to AAA. It doesn't play in IKE

[Amjad]
Does it mean that if gateway is just acting as a pass-through, gateway
MUST NOT request EAP identity from the client as per RFC? If AAA server
does not provide authenticated identity to the gateway (RFC does not
seem to mandate that), the only way for gateway is to request EAP
identity from the client, for policy decisions, unless IDi carries EAP
identity which again is not mandated by RFC.

   3) That's the authenticated identity of the user. That is what the
responder uses for policy decisions.

> 3) The mandatory/recommended format for each of the above identities

All the types in section 3.5 are acceptable, but the most used ones are
ID_RFC822_ADDR and ID_DER_ASN1_DN

[Amjad]
Are IKEv2 identity types acceptable as EAP identity as well?

Thanks,
-Amjad
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
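As an added example (not part of the thread, and not any vendor's code), here is a small Python parser for the body of an IKEv2 Identification payload as laid out in section 3.5 of RFC 4306, together with the AAA-server realm hint a responder could take from IDi, which illustrates the point above that an address-type IDi gives no usable hint. The ID type numbers are those from RFC 4306; the sample payload bytes, e-mail address and domain names are constructed.

```python
# Added example: parse the body of an IKEv2 ID payload (the part after the
# 4-octet generic payload header) and derive a realm hint for AAA selection.
import ipaddress
import struct

# ID Type values from RFC 4306 section 3.5 (IKEv2 Identification Payloads).
ID_TYPES = {
    1: "ID_IPV4_ADDR",
    2: "ID_FQDN",
    3: "ID_RFC822_ADDR",
    5: "ID_IPV6_ADDR",
    9: "ID_DER_ASN1_DN",
    10: "ID_DER_ASN1_GN",
    11: "ID_KEY_ID",
}

# Constructed sample IDi: type 3 (ID_RFC822_ADDR), 3 reserved octets, data.
SAMPLE_IDI = bytes([3, 0, 0, 0]) + b"alice@example.com"


def parse_id_payload(body: bytes):
    """Return (type_name, decoded_data) for an ID payload body."""
    if len(body) < 4:
        raise ValueError("ID payload body shorter than the 4-octet fixed part")
    (id_type,) = struct.unpack("!B3x", body[:4])  # 1 octet type, 3 reserved
    data = body[4:]
    name = ID_TYPES.get(id_type)
    if name is None:
        raise ValueError(f"unknown ID type {id_type}")
    if name == "ID_IPV4_ADDR" and len(data) == 4:
        return name, str(ipaddress.IPv4Address(data))
    if name == "ID_IPV6_ADDR" and len(data) == 16:
        return name, str(ipaddress.IPv6Address(data))
    if name in ("ID_FQDN", "ID_RFC822_ADDR"):
        return name, data.decode("ascii")
    # DER names and opaque key IDs are returned raw; a real gateway would
    # hand ID_DER_ASN1_DN to an ASN.1 decoder before matching policy.
    return name, data


def aaa_realm_hint(type_name: str, value):
    """Realm usable to pick a AAA server, or None when IDi carries none."""
    if type_name == "ID_RFC822_ADDR" and "@" in value:
        return value.rsplit("@", 1)[1].lower()
    if type_name == "ID_FQDN":
        labels = value.lower().split(".")  # host.example.com -> example.com
        return ".".join(labels[-2:]) if len(labels) >= 2 else value
    return None  # address types (and opaque key IDs) give no realm hint
```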
