Re: [Emu] EAP and authorization

To: "'Alan DeKok'" <aland at deployingradius.com>
Subject: Re: [Emu] EAP and authorization
From: "Glen Zorn" <glenzorn at comcast.net>
Date: Tue, 11 Aug 2009 21:28:22 -0700
Cc: emu at ietf.org
Delivered-to: emu at core3.amsl.com
In-reply-to: <4A81EBBB.7040507 at deployingradius.com>
List-archive: <http://www.ietf.org/mail-archive/web/emu>
List-help: <mailto:emu-request@ietf.org?subject=help>
List-id: "EAP Methods Update $EMU$" <emu.ietf.org>
List-post: <mailto:emu@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
References: <012d01ca1763$496a12d0$dc3e3870$ at yegin@yegin.org> <4A819BD1.90802 at deployingradius.com> <008f01ca1aad$137353b0$3a59fb10$ at net> <4A81BA2B.1090400 at deployingradius.com> <AC6674AB7BC78549BB231821ABF7A9AE8E777157FB at EMBX01-WF.jnpr.net> <00c301ca1ac3$8a0af800$9e20e800$ at net> <4A81EBBB.7040507 at deployingradius.com>
Thread-index: Acoa0DBWSX5MayXsQnaKne2c8GFcJQACTUQw

Alan DeKok [mailto:aland at deployingradius.com] writes:

> Glen Zorn wrote:
> > Hmm.  Has another way been tried or is it the best way because it's
> the
> > easiest (or only) way we've tried?
> 
>   Authentication decisions have traditionally involved more than just
> username / password checking.  Authentication decisions are also
> commonly based on "pre-authorization" data, such as:
> 
>  * time of day
>  * location
>    * physical
>    * network
>  * account balance
>  * past behavior
>  * machine used to authenticate
> 
>   And so on.

No.  Please don't confuse authentication with authorization.  The parameters
you mention above are policy-related, not related to authentication.

> 
>   An authentication server may use any of that information to return a
> "failed authentication" status to the client, even if the username /
> password is superficially correct.  

What authentication server is that?  Not RADIUS: the semantics of the
Access-Reject message don't distinguish between failed authentication and
failed authorization.

> This is not "authorization",
> because
> the user has not been authenticated.  

A server can tell me that I'm not authorized without knowing who I am?  This
is incredibly cool technology!  Where can I get some of that?  But
seriously, the initial authorization checks made by a RADIUS server for
example are based upon so-called "simple" authentication (as used daily by
billions of humans).  Although this consists of my telling you my name & you
believing me (for the time being anyway), it is authentication all the same.

> But that information is still
> used
> to make authentication decisions.

No, they are authorization decisions.

> 
>   Enabling EAP to carry this information is well within the bounds of
> the protocol.  TLS-based EAP methods can carry information such as time
> of life for a certificate, issuer, etc.

I suppose so, but since all those things are typically in the cert, I don't
know why.  In any case, those things are directly related to authentication.

> 
>   If we restrict EAP to solely "authentication", then I would ask what
> that means.  An authentication protocol that is incapable of
> transporting the data required to make authentication decisions would
> be
> perfectly secure: No one would ever be authenticated.

I have no idea what you're talking about.

Follow-Ups:
- Re: [Emu] EAP and authorization
  - From: Alan DeKok

References:
- [Emu] EAP and authorization
  - From: Alper Yegin
- Re: [Emu] EAP and authorization
  - From: Alan DeKok
- Re: [Emu] EAP and authorization
  - From: Glen Zorn
- Re: [Emu] EAP and authorization
  - From: Alan DeKok
- Re: [Emu] EAP and authorization
  - From: Stephen Hanna
- Re: [Emu] EAP and authorization
  - From: Glen Zorn
- Re: [Emu] EAP and authorization
  - From: Alan DeKok

Prev by Date: Re: [Emu] EAP and authorization
Next by Date: Re: [Emu] EAP and authorization
Previous by thread: Re: [Emu] EAP and authorization
Next by thread: Re: [Emu] EAP and authorization
Index(es):
- Date
- Thread

Re: [Emu] EAP and authorization

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.