draft-arkko-eap-service-identity-auth-01
Background: EAP does not authenticate any identifier (or other attributes) of the NAS to the client
One compromised NAS can impersonate any other NAS (to the client)
We have lived with this so far
But already becoming a problem as EAP gets used for more things…
One way to fix this: AAA server tells the client “I’m sending the AAA-Key/MSK to NAS XYZ”
Can be done in a way that works with existing EAP methods and is backwards-compatible
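
The idea in the last two bullets, as an added Python example (not code or message format from the draft): the AAA server names the NAS that receives the MSK under a MAC the NAS cannot forge, and the client compares that name with what the NAS advertised. The key K_AUTH, the label, the NAS names and the "unverified" fallback for servers that send nothing are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumption: a key known only to the client and the AAA server, e.g. derived
# from the EAP method's keying material. The NAS never learns it.
K_AUTH = bytes(range(32))  # constructed sample key

LABEL = b"service-identity|"  # hypothetical domain-separation label


def aaa_assert_nas(k_auth: bytes, nas_id: str) -> tuple[str, bytes]:
    """AAA server: state which NAS will receive the MSK, with a MAC."""
    tag = hmac.new(k_auth, LABEL + nas_id.encode(), hashlib.sha256).digest()
    return nas_id, tag


def client_check(k_auth, advertised_nas_id, assertion):
    """Client: compare what the NAS claims to be with what the AAA server says."""
    if assertion is None:
        # Legacy server sent nothing: behave as plain EAP does today.
        return "unverified"
    asserted_nas_id, tag = assertion
    expected = hmac.new(k_auth, LABEL + asserted_nas_id.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return "reject: assertion was modified in transit"
    if asserted_nas_id != advertised_nas_id:
        return "reject: MSK goes to a different NAS than the one advertised"
    return "accept"


def scenarios():
    honest = aaa_assert_nas(K_AUTH, "nas-a.example")
    # The AAA server knows the real peer is nas-b, whatever nas-b tells the client.
    lying = aaa_assert_nas(K_AUTH, "nas-b.example")
    rewritten = ("nas-a.example", lying[1])  # NAS edits the name, cannot fix the MAC
    return {
        "honest NAS": client_check(K_AUTH, "nas-a.example", honest),
        "NAS claims another identity": client_check(K_AUTH, "nas-a.example", lying),
        "NAS rewrites the assertion": client_check(K_AUTH, "nas-a.example", rewritten),
        "legacy AAA server": client_check(K_AUTH, "nas-a.example", None),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```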