On Nov 11, 2009, at 3:39 PM, Srinivasu S R S Dhulipala (srinid) wrote:

>> 2) If not same, what purpose should each of the above identities serve
>
> 1) mainly used as a hint for the gateway as to which AAA server to choose
> 2) It's the AAA server that may request the identity, and it's internal to AAA. It doesn't play in IKE
>
> [SRINI] Does this imply that gateway SHOULD not send EAP identity request to the client, we see that one 3rd party IKEv2 client is sending IP address as IDi, from which we can't take any hints. Moreover, the same client is expecting an EAP-ID request to be sent, else EAP is failing.
> I've started another thread about why did we demote "SHOULD" to "should" if the gateway is not supposed to send EAP-identity request to the client. I think we should promote it back.

The gateway never sends any EAP identity requests at all. If such a request exists, it is sent by the AAA server. The gateway serves only as a pass-through. For that reason, there is typically no reason for the gateway to inspect the contents of the EAP payload.
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec