Hi Yoav, Please see inline for [SRINI].
Thanks, Srinivas -----Original Message----- From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of Yoav Nir Sent: Tuesday, November 10, 2009 5:29 PM To: Amjad Inamdar (amjads) Cc: ipsec@ietf.org Subject: Re: [IPsec] Clarification on identities involved in IKEv2EAP authentication On Nov 10, 2009, at 1:40 PM, Amjad Inamdar (amjads) wrote: > Hi, > > With IKEv2 EAP authentication, there are 3 identities involved > > 1) IDi - IKEv2 initiator identity sent in msg-3 > 2) EAP identity that gateway (IKE2 responder) can request from the > client (IKEv2 initiator) > 3) Authenticated EAP identity that third party EAP server provides to > the gateway (IKEv2 responder). > > > Could someone please clarify from RFC standpoint if > > 1) The 3 identities mentioned above MUST/SHOULD be same No, although they typically are. > 2) If not same, what purpose should each of the above identities serve 1) mainly used as a hint for the gateway as to which AAA server to choose 2) It's the AAA server that may request the identity, and it's internal to AAA. It doesn't play in IKE [SRINI] Does this imply that gateway SHOULD not send EAP identity request to the client, we see that one 3rd party IKEv2 client is sending IP address as IDi, from which we can't take any hints. Moreover, the same client is expecting an EAP-ID request to be sent, else EAP is failing. I've started another thread about why did we demote "SHOULD" to "should" if the gateway is Not supposed to send EAP-identity request to the client. I think we should promote it back. 3) That's the authenticated identity of the user. That is what the responder uses for policy decisions. > 3) The mandatory/recommended format for each of the above identites All the types in section 3.5 are acceptable, but the most used ones are ID_RFC822_ADDR and ID_DER_ASN1_DN _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
