Re: [Emu] EAP and authorization
Hi, Alan:
----- Original Message -----
From: "Alan DeKok" <aland at deployingradius.com>
To: "Joseph Salowey (jsalowey)" <jsalowey at cisco.com>
Cc: <emu at ietf.org>
Sent: Friday, August 14, 2009 2:16 PM
Subject: Re: [Emu] EAP and authorization
> Joseph Salowey (jsalowey) wrote:
>> There are other ways in which EAP has proposed authorization
>> enhancements. Other proposals have dealt with requesting authorizations
>> for or providing authorization data to services other than the one that
>> is performing the authentication. In addition proposals have discussed
>> authorization after the initial authentication to the service.
>
> I think part of the concern here is that authorization has
> traditionally involved the PDP telling the PEP how the user should be
> treated. The proposals on the table for EAP do not communicate
> authorization information over EAP to the PEP. As such, they do not fit
> well into the traditional model.
>
>> I think carrying channel bindings within EAP is useful and necessary. I
>> believe it is also reasonable to carry other exchanges to establish data
>> for authorization.
>
> ... of who, to what? This could be made clearer in the document.
>
>> However, I think there are some limitations. For
>> example carrying large amounts of data is probably not a good thing. I
>> also think we have to be careful to not leave end stations with the only
>> means to communicate is through EAP. I don't think we should be
>> applying patches or browsing the web through EAP (I don't think anyone
>> is proposing this, but I'm not certain).
>
> I can propose EAP-IP: carrying IP packets in EAP. It's crazy, but
> possible. The main limitation on bulk data transfer is that most EAP to
> RADIUS gateways (AP's, etc.) will terminate an EAP session after ~50
> packets.
[Qin] Why not carry EAP over HTTP? In this way, you can browse the Web through EAP.
Actually, there are still other ways for Web authentication, e.g., SIP.
>> When we get into the realm of using EAP for establishing authorization
>> data for other services, requesting authorization or invoking
>> authorization at times other than authentication I think there is a much
>> bigger gray area.
>
> ERP is leveraging EAP to obtain authentication and authorization at
> later points in time. This seems to be acceptable.
[Qin]: I agree that the authorization is well integrated into ERP authentication.
However, this authorization data (i.e., the authorization indication described in section 5.3.4 of ERP)
is limited to Called-Station-Id, Calling-Station-Id, NAS-Identifier, NAS-IP-Address and NAS-IPv6-Address, which are listed in RFC 3748.
What's more, ERP has nothing to do with the EAP method.
> Alan DeKok.