Re: [Emu] EAP and authorization

Glen,

Thanks for clarifying your position. I believe that your argument is
that because EAP is an "authentication framework", it should not be
allowed to carry anything other than authentication protocols.
Is that correct? My apologies if this is not quite right. I am
having some difficulty finding a crisp summary of your position
in your emails. Please feel free to clarify your point of view.

I would argue that an "authentication framework" should not just be
concerned with verifying the EAP peer's identity. EAP should also
include other elements relevant to the authentication process and
the decision about whether to grant network access. For example,
password change requests should be allowed. Channel bindings are
another example. Having the peer send information about the NAS to
the EAP server allows the server to warn the peer about a lying NAS.
It also helps the server decide whether the peer is authorized to
obtain the requested network service. Performing a NEA assessment
helps the server decide whether the peer is secure enough to connect
to the network.

I suppose that my basic argument is a practical one. Password change,
channel bindings, and NEA assessments are useful things to do during
the EAP exchange. They are relevant to the authentication process and
the server's decision about whether to grant network access. There is
no harm in doing them as part of the EAP exchange. And there is no
better way to implement them. Would you like to argue with any of
these assertions?

Thanks,

Steve

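The channel-binding check Steve refers to (the peer reports what the NAS told it, and the server compares that with what it learned about the same NAS through the AAA layer) can be illustrated with a small server-side consistency check. The following is an added example, not code from the thread or from any EAP implementation; the attribute names ("nas_identifier", "ssid") and the sample values are hypothetical placeholders chosen for the demonstration.

```python
# Added example: server-side channel-binding consistency check.
# Not part of any EAP implementation; attribute names are hypothetical.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class ChannelBindingResult:
    consistent: bool
    mismatches: List[str] = field(default_factory=list)  # NAS lied or is misconfigured
    unchecked: List[str] = field(default_factory=list)   # peer reported, server cannot verify
    missing: List[str] = field(default_factory=list)     # required attribute peer did not send


def check_channel_bindings(peer_view: Dict[str, str],
                           aaa_view: Dict[str, str],
                           required: Tuple[str, ...] = ("nas_identifier",)) -> ChannelBindingResult:
    """Compare the NAS attributes the peer saw (carried inside the protected
    EAP method) with the attributes the server learned from the AAA layer.

    A disagreement on an attribute both sides know is the "lying NAS" case:
    the NAS told the peer one thing and the AAA infrastructure another.
    """
    mismatches = []
    unchecked = []
    for name, peer_value in peer_view.items():
        if name not in aaa_view:
            unchecked.append(name)  # nothing on the server side to compare against
        elif aaa_view[name].strip() != peer_value.strip():
            mismatches.append(name)
    missing = [name for name in required if name not in peer_view]
    consistent = not mismatches and not missing
    return ChannelBindingResult(consistent, sorted(mismatches), sorted(unchecked), missing)


def authorize(result: ChannelBindingResult, strict: bool = False) -> str:
    """Turn the check into the server's access decision.

    "reject" - a verified attribute disagreed, or a required one was missing
    "warn"   - bindings agree, but some reported attributes could not be verified
    "accept" - every reported attribute was verified and agreed
    In strict mode an unverifiable attribute is also treated as a failure.
    """
    if not result.consistent:
        return "reject"
    if result.unchecked:
        return "reject" if strict else "warn"
    return "accept"


# Constructed sample data, not taken from any real deployment.
HONEST_NAS_AAA_VIEW = {"nas_identifier": "ap-lobby-1", "ssid": "corp-wifi"}
PEER_SAW = {"nas_identifier": "ap-lobby-1", "ssid": "corp-wifi"}
# A NAS advertising the corporate SSID to the peer while the AAA layer
# records it as serving the guest network.
LYING_NAS_AAA_VIEW = {"nas_identifier": "ap-lobby-1", "ssid": "guest-wifi"}


def demo():
    honest = check_channel_bindings(PEER_SAW, HONEST_NAS_AAA_VIEW)
    lying = check_channel_bindings(PEER_SAW, LYING_NAS_AAA_VIEW)
    return authorize(honest), authorize(lying), lying.mismatches


if __name__ == "__main__":
    print(demo())  # -> ('accept', 'reject', ['ssid'])
```

The split between "mismatch", "unchecked" and "missing" is deliberate: only a mismatch proves the NAS gave the peer and the server different stories, while an attribute the server cannot verify is a policy question (the `strict` flag) rather than evidence of lying.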
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.