Hi Raj

On Feb 19, 2010, at 9:25 AM, Raj Singh wrote:
> Hi Yoav,
>
>> Issue #174 - How to behave when EAP identity is not sent by AAA
>> ===============================================================
>> In ikev2bis07
>>
>> ----- ikev2-bis-07 section 2.16, last paragraph ------------
>>
>> When the initiator authentication uses EAP, it is possible that the contents of the IDi payload is used only for AAA routing purposes and selecting which EAP method to use. This value may be different from the identity authenticated by the EAP method. It is important that policy look ups and access control decisions use the actual authenticated identity. Often the EAP server is implemented in a separate AAA server that communicates with the IKEv2 responder. In this case, the authenticated identity has to be sent from the AAA server to the IKEv2 responder.
>>
>> It says the authenticated EAP identity "has to" be sent from the AAA server; my interpretation and implementation of "has to" is an obvious MUST. If the AAA server doesn't send the authenticated EAP identity, what should be the behavior? Also, what if the EAP server is not the AAA server?
>>
>>
>> There has been a lively discussion about this (a thread titled "Regarding EAP identity"). I can't say that the thread reached any firm conclusion, but a lot of ground has been covered about how AAA servers work, and about whether or not they communicate to the server something other than identity, such as policy. Despite the fact that the second A in AAA stands for "authorization", it was generally agreed that it is still the job of the IKE gateway to enforce policy, and if that policy comes from a AAA server, that is totally outside the scope of this document.
>>
>> So in conclusion, how about replacing "the authenticated identity has to be sent" with "the authenticated identity, if different from that in the IDi payload, has to be sent..." ? Would that satisfy everyone?
>
> "the authenticated identity, if different from that in the IDi payload, MUST/SHOULD be sent..." would be good.

Two reasons why I disagree:

1. This is a new MUST/SHOULD requirement, and we're very wary of doing that.

2. This is a requirement for the AAA server. It really says that the AAA server MUST/SHOULD send the identity. In this document, we're specifying the behavior of the IKE gateway, not the AAA server, so RFC 2119 language is not appropriate. This is simply stating a fact: if the authenticated identity is different, it has to come from the EAP server.

In any case, the IKE gateway cannot enforce this - it doesn't know about a different authenticated identity unless the EAP server tells it. All we can say is that the IKE gateway should treat the IDi as the authenticated identity, unless the EAP server tells it something different.

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
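As an added illustration of the rule stated in the last paragraph of the reply (route the EAP exchange on IDi, evaluate policy against the identity the EAP/AAA server reports, and fall back to IDi only when it reports none), here is a small Python model of the responder-side decision. It is not code from the ikev2bis draft or from any IKE implementation; the realm-keyed AAA backends, the identities and the policy table are constructed for the example, and the case of "anonymous@example.com" shows why a policy lookup keyed on IDi alone would give the wrong answer.

```python
"""Model of the identity decision an IKEv2 responder makes after EAP.

Hypothetical illustration, not code from the ikev2bis draft or any IKE
implementation. It models the rule from the thread: route the EAP exchange
on IDi, but do policy lookups on the identity the EAP/AAA server reports,
falling back to IDi only when the server reports none. The AAA backends,
identities and policy table below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class EapResult:
    """What the EAP server hands back to the IKE responder."""
    success: bool
    authenticated_identity: Optional[str] = None  # None: server sent no identity


# Constructed AAA backends keyed by realm; each one "runs" EAP for a given
# IDi and returns an EapResult. Real deployments would talk RADIUS/Diameter.
AAA_BY_REALM: Dict[str, Callable[[str], EapResult]] = {
    # Backend that authenticates the real user and reports her identity.
    "example.com": lambda idi: EapResult(True, "alice@example.com"),
    # Backend that authenticates but reports no identity at all.
    "example.org": lambda idi: EapResult(True, None),
    # Backend that authenticates a user the gateway has no policy for.
    "example.net": lambda idi: EapResult(True, "mallory@example.net"),
    # Backend where EAP fails outright.
    "example.edu": lambda idi: EapResult(False, None),
}

# Constructed gateway policy: authenticated identity -> allowed subnet.
POLICY: Dict[str, str] = {
    "alice@example.com": "10.0.1.0/24",
    "bob@example.org": "10.0.2.0/24",
}


def realm_of(identity: str) -> str:
    """NAI realm used only for routing the EAP exchange, never for policy."""
    if "@" not in identity:
        raise ValueError(f"IDi {identity!r} carries no realm to route on")
    return identity.rsplit("@", 1)[1]


def authenticated_identity(idi: str, result: EapResult) -> str:
    """The identity that policy must be evaluated against.

    IDi is trusted as the authenticated identity only when the EAP server
    did not report a different one; a failed EAP run yields no identity.
    """
    if not result.success:
        raise PermissionError("EAP authentication failed")
    return result.authenticated_identity or idi


def authorize(idi: str) -> Optional[str]:
    """Run the responder side: route on IDi, then decide on the EAP identity.

    Returns the allowed subnet, or None when the gateway's own policy has
    no entry for the authenticated identity. The gateway, not the AAA
    server, enforces policy here.
    """
    backend = AAA_BY_REALM.get(realm_of(idi))
    if backend is None:
        return None  # no AAA route for this realm: nothing to authenticate with
    identity = authenticated_identity(idi, backend(idi))
    return POLICY.get(identity)


if __name__ == "__main__":
    # anonymous@example.com is a routing-only IDi; policy keyed on it would miss.
    print(authorize("anonymous@example.com"))  # 10.0.1.0/24 via alice@example.com
    print(authorize("bob@example.org"))        # 10.0.2.0/24, IDi used as identity
    print(authorize("anonymous@example.net"))  # None, mallory has no policy entry
```

The fallback in `authenticated_identity` is exactly the behaviour the reply settles on: the gateway cannot know about a different authenticated identity unless the EAP server reports one, so IDi is what it has to use otherwise. Note that with an anonymous routing IDi and a backend that reports nothing, the fallback lands on the anonymous name and policy will (correctly) find no entry for it.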