Hi Paul, Ticket Issue#174 opened for it. Regards, Raj

---------- Forwarded message ----------
From: Paul Hoffman <paul.hoff...@vpnc.org>
Date: Wed, Feb 3, 2010 at 9:41 AM
Subject: Re: Issue : Regarding EAP identity
To: Raj Singh <rsjen...@gmail.com>
Cc: Yaron Sheffer <yar...@checkpoint.com>


 At 9:09 AM +0530 2/3/10, Raj Singh wrote:

Hi Paul,

In ikev2-bis-07, section 2.16, last paragraph:

   When the initiator authentication uses EAP, it is possible that the
   contents of the IDi payload is used only for AAA routing purposes and
   selecting which EAP method to use.  This value may be different from
   the identity authenticated by the EAP method.  It is important that
   policy lookups and access control decisions use the actual
   authenticated identity.  Often the EAP server is implemented in a
   separate AAA server that communicates with the IKEv2 responder.  In
   this case, the authenticated identity has to be sent from the AAA
   server to the IKEv2 responder.
It says the authenticated EAP identity "has to" be sent from the AAA server; our
interpretation is that "has to" is obviously a MUST.


I believe that is correct.

If AAA doesn't send the authenticated EAP identity, what should be
the behavior?


I would assume "everything stops"

Also, what if the EAP server is not the AAA server?


Good question.

Can I open a ticket for it?


Yes, please!

--Paul Hoffman, Director
--VPN Consortium
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
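As an added illustration, not code from the thread or from the draft, here is a responder-side policy lookup written the way the quoted section 2.16 text asks for: IDi only steers EAP method selection, the identity the AAA server authenticated drives access control, and a missing identity fails closed (Paul's "everything stops"). The policy table, the identities and the AaaResult shape are constructed for the example.

```python
"""Responder-side access control after EAP, per the ikev2-bis-07 section 2.16
text quoted above. Everything below (policy table, identities, AaaResult) is
constructed for illustration; it is not an implementation of any real stack."""
from dataclasses import dataclass
from typing import Optional

# Constructed access policy, keyed by the *authenticated* identity.
POLICY = {
    "alice@example.com": {"allowed_subnets": ["10.1.0.0/16"]},
    "bob@example.com": {"allowed_subnets": ["10.2.0.0/24"]},
}


class AuthenticationFailed(Exception):
    """No usable authenticated identity: the IKE_AUTH exchange must fail."""


@dataclass
class AaaResult:
    """What the responder learns from the AAA server (constructed shape)."""
    eap_success: bool
    authenticated_identity: Optional[str]  # None models an AAA server that omits it


def select_eap_method(idi: str) -> str:
    """IDi may legitimately steer AAA routing / method selection (realm-based here)."""
    realm = idi.rsplit("@", 1)[-1] if "@" in idi else ""
    return "EAP-TLS" if realm == "example.com" else "EAP-MSCHAPv2"


def authorize(idi: str, aaa: AaaResult) -> dict:
    """Return the peer's policy, looked up only by the authenticated identity."""
    if not aaa.eap_success:
        raise AuthenticationFailed("EAP did not succeed")
    if not aaa.authenticated_identity:
        # The draft requires the AAA server to send the authenticated identity;
        # without it no policy lookup is possible, so the responder fails closed.
        raise AuthenticationFailed("AAA server returned no authenticated identity")
    ident = aaa.authenticated_identity
    if ident != idi:
        # Permitted by the draft: IDi was only a routing hint. Worth logging.
        print(f"note: IDi {idi!r} differs from authenticated identity {ident!r}")
    if ident not in POLICY:
        raise AuthenticationFailed(f"no policy for authenticated identity {ident!r}")
    return POLICY[ident]


def policy_using_idi_unsafe(idi: str) -> dict:
    """The mistake the draft warns against: a lookup keyed on the unauthenticated IDi."""
    return POLICY.get(idi, {})
```

The contrast between `authorize` and `policy_using_idi_unsafe` is the point: with IDi set to alice's name and AAA reporting bob, only the former grants bob's policy.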
