Solutions AAA agent checks AAA agent (proxy, redirect, etc.) can see if NAS attributes match expected ones Doesn’t prevent NAS from lying to the peer, only from lying to the AAA Logging Peer and AS can log information sent by the NAS, if a dispute arises, can verify later Useful only for forensics Key mixing Peer and AS include attributes when calculating the AAA-Key If NAS provides different info to Peer and AS, then Peer and NAS won’t be able to communicate Only viable if relevant attributes are few and well defined, not easily extensible Method-specific binding EAP method includes exchange of attributes between the peer and EAP server Peer and EAP server compare the exchanged values with ones sent by the NAS Examples: EAP Archie, PEAPv2 |