
RE: [dhcwg] [New I-D] DHCP User-based Authentication

Hello, Andre!

    Thanks for your comments. Please see inline.

Thanks!

B.R.
Amy

From: Kostur, Andre [mailto:akostur at incognito.com]
Sent: Wednesday, October 11, 2006 7:28 AM
To: Amy Zhao; dhcwg at ietf.org
Subject: RE: [dhcwg] [New I-D] DHCP User-based Authentication

> A New Internet-Draft is available from the on-line
> Internet-Drafts directories.
>
>
>       Title           : DHCP User-based Authentication
>       Author(s)       : Y. Zhao
>       Filename        : draft-zhao-dhc-user-authentication-00.txt
>       Pages           : 24
>       Date            : 2006-10-2
>      
> This document defines an authentication mechanism to provide an
> authentication for a user in an access network by means of dhcp.  The
> authentication mechanism described here couples DHCP to an
> authentication, authorization and accounting system (AAA), thus
> enabling users to supply user credentials for AAA via DHCP.

What is the benefit of the relay performing the AAA transaction instead of the DHCP server itself?  If the DHCP server performs the AAA, existing relays don't have to be modified at all.   

The reason is that if DHCP is to replace PPP in some environments, there will be a strong requirement to make sure that ALL the Internet Access features supported by the PPP model can be replicated in DHCP-based Internet Access scenarios.

And in many environments, the NAS always acts as the DHCP relay agent as well as the AAA client.

Actually, why isn't this idea adjusted to be a different authentication mechanism within the RFC 3118 framework?  Currently 3118 defines a cleartext shared secret, and some other key-based delayed authentication.  What about defining a new algorithm/protocol for the client device to be able to pass the "username" in the Discover's authentication option?

I have considered this solution. But I think it's better to separate user-based authentication from device authentication. The shared secret that RFC 3118 defines is shared by the DHCP client and the DHCP server, not by the DHCP client and the AAA server.

Although, two other questions come to mind:

1) What about devices which don't have a user?  (Or don't have a user yet?)

2) What about devices which have multiple users?  Which one does the system use?  

Thank you. I will consider this situation. 

Also I'd like to remind you of previous similar work in RFC 4014, although it depends on other authentication protocols like 802.1X.

Thanks! I'm not sure if I can add some attributes to this option?
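As an added illustration of the RFC 3118 mechanism discussed in this thread (this is example code, not code from the draft or from either poster), here is a minimal Python build/verify of the delayed-authentication option: option code 90, protocol 1 (delayed authentication), algorithm 1 (HMAC-MD5), with the secret selected by the 4-byte secret ID carried in the option and looked up on the DHCP server. The secret table, the client hardware address and the counter values are constructed for the example. Zeroing 'hops', 'giaddr' and the MAC field before computing the HMAC is my reading of RFC 3118 section 5.2 and should be checked against the RFC text; the relay helper is hypothetical and only shows that a relay agent's rewrites of those two fields survive verification.

```python
import hmac
import hashlib
import struct

OPT_MSG_TYPE = 53
OPT_AUTH = 90            # RFC 3118 authentication option code
OPT_END = 255
DHCPDISCOVER = 1
PROTO_DELAYED = 1        # RFC 3118 protocol 1: delayed authentication
ALG_HMAC_MD5 = 1         # RFC 3118 algorithm 1: HMAC-MD5
RDM_COUNTER = 0          # replay-detection method 0: monotonically increasing counter
MAGIC_COOKIE = b"\x63\x82\x53\x63"
HDR_LEN = 240            # 236-byte BOOTP fixed header + 4-byte cookie
AUTH_FIXED_LEN = 15      # protocol, algorithm, RDM, 8-byte RDM value, 4-byte secret ID
MAC_LEN = 16

# Constructed secret table. The secret is shared between the DHCP client and
# the DHCP server and is selected by the secret ID carried in the option.
SECRETS = {0x00000001: b"example-client-server-secret"}


def dhcp_header(xid: int, chaddr: bytes, giaddr: bytes = b"\0" * 4, hops: int = 0) -> bytes:
    """Fixed BOOTP header for a BOOTREQUEST over Ethernet, followed by the cookie."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, hops, xid, 0, 0x8000)  # op, htype, hlen, hops, xid, secs, flags
    hdr += b"\0" * 12                   # ciaddr, yiaddr, siaddr
    hdr += giaddr                       # offset 24: the relay agent fills this in
    hdr += chaddr.ljust(16, b"\0")      # offset 28: client hardware address
    hdr += b"\0" * 64 + b"\0" * 128     # sname, file
    return hdr + MAGIC_COOKIE


def iter_options(msg: bytes):
    """Yield (code, value_offset, value) for each option after the cookie."""
    i = HDR_LEN
    while i < len(msg):
        code = msg[i]
        if code == 0:                    # pad option
            i += 1
            continue
        if code == OPT_END:
            return
        length = msg[i + 1]
        yield code, i + 2, msg[i + 2:i + 2 + length]
        i += 2 + length


def mac_input(msg: bytes, mac_off: int) -> bytes:
    """Bytes covered by the MAC: hops, giaddr and the MAC field itself zeroed
    (my reading of RFC 3118 section 5.2; relays rewrite the first two in transit)."""
    b = bytearray(msg)
    b[3] = 0
    b[24:28] = b"\0" * 4
    b[mac_off:mac_off + MAC_LEN] = b"\0" * MAC_LEN
    return bytes(b)


def sign_discover(xid: int, chaddr: bytes, secret_id: int, counter: int) -> bytes:
    """Client side: build a DHCPDISCOVER carrying a delayed-authentication option."""
    auth = struct.pack("!BBBQI", PROTO_DELAYED, ALG_HMAC_MD5, RDM_COUNTER, counter, secret_id)
    auth += b"\0" * MAC_LEN              # MAC placeholder, filled in below
    opts = bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
    opts += bytes([OPT_AUTH, len(auth)]) + auth + bytes([OPT_END])
    msg = dhcp_header(xid, chaddr) + opts
    mac_off = next(off for code, off, _ in iter_options(msg) if code == OPT_AUTH) + AUTH_FIXED_LEN
    mac = hmac.new(SECRETS[secret_id], mac_input(msg, mac_off), hashlib.md5).digest()
    return msg[:mac_off] + mac + msg[mac_off + MAC_LEN:]


def verify(msg: bytes, last_counter: int = -1) -> bool:
    """Server side: recompute the HMAC with the secret named by the secret ID and
    require the replay counter to have advanced past the last one seen."""
    for code, off, val in iter_options(msg):
        if code != OPT_AUTH:
            continue
        if len(val) != AUTH_FIXED_LEN + MAC_LEN:
            return False
        proto, alg, rdm, counter, secret_id = struct.unpack("!BBBQI", val[:AUTH_FIXED_LEN])
        if (proto, alg, rdm) != (PROTO_DELAYED, ALG_HMAC_MD5, RDM_COUNTER):
            return False
        secret = SECRETS.get(secret_id)
        if secret is None or counter <= last_counter:
            return False
        expected = hmac.new(secret, mac_input(msg, off + AUTH_FIXED_LEN), hashlib.md5).digest()
        return hmac.compare_digest(expected, val[AUTH_FIXED_LEN:])
    return False                         # no authentication option at all


def relay(msg: bytes, giaddr: bytes) -> bytes:
    """Hypothetical relay step on the way to the server: bump hops, set giaddr."""
    b = bytearray(msg)
    b[3] += 1
    b[24:28] = giaddr
    return bytes(b)
```

Verification needs the secret table, so whichever box holds it has to do the check; a relay that only bumps 'hops' and sets 'giaddr' does not need the secret and does not break the MAC, while any change to a covered field such as 'chaddr' does. That client/server secret is what the reply above contrasts with a user credential held by the AAA server.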

_______________________________________________
dhcwg mailing list
dhcwg at ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg