Opened 12 years ago

Closed 12 years ago

#174 closed defect (fixed)

How to behave when EAP identity is not sent by AAA.

Reported by: rsjenwar@… Owned by: Raj
Priority: normal Milestone:
Component: draft-ietf-ipsecme-ikev2bis Severity: Active WG Document
Keywords: EAP identity Cc:

Description

In ikev2bis07

----- ikev2-bis-07 section 2.16, last paragraph ------------

When the initiator authentication uses EAP, it is possible that the contents of the IDi payload is used only for AAA routing purposes and selecting which EAP method to use. This value may be different from the identity authenticated by the EAP method. It is important that policy look ups and access control decisions use the actual authenticated identity. Often the EAP server is implemented in a separate AAA server that communicates with the IKEv2 responder. In this case, the authenticated identity has to be sent from the AAA server to the IKEv2 responder.


It says the authenticated EAP identity "has to" be sent from the AAA server; my interpretation and implementation of "has to" is obviously MUST. If the AAA server doesn't send the authenticated EAP identity, what should the behavior be? Also, what if the EAP server is not the AAA server?

Change History (1)

comment:1 Changed 12 years ago by paul.hoffman@…

  • Resolution set to fixed
  • Status changed from new to closed

Changed "the authenticated identity has to be sent" to "the authenticated identity, if different from that in the IDi payload, has to be sent"
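The following is an added illustration, not code from the ticket or the ikev2bis draft: it models the responder-side choice the section 2.16 text and the resolution above describe, with a policy lookup keyed on the unauthenticated IDi beside one keyed on the EAP-authenticated identity (falling back to IDi only when AAA sends nothing, as the amended wording permits). The policy table, identities and AaaResult shape are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed access-control policy, keyed by the identity that was actually
# authenticated. "anonymous@example.net" is an IDi used only for AAA routing.
POLICY = {
    "alice@example.net": {"allowed_nets": ["10.0.1.0/24"]},
    "bob@example.net": {"allowed_nets": ["10.0.2.0/24"]},
}


@dataclass
class AaaResult:
    """What the AAA/EAP server reports back to the IKEv2 responder (constructed)."""
    eap_success: bool
    authenticated_identity: Optional[str] = None  # None: AAA sent no identity


def identity_for_policy(idi: str, aaa: AaaResult) -> str:
    """Pick the identity used for policy lookups and access control.

    Per the amended section 2.16 text, AAA has to send the authenticated
    identity when it differs from IDi; if nothing is sent, IDi is taken to be
    the authenticated identity.
    """
    if not aaa.eap_success:
        raise PermissionError("EAP authentication failed")
    return aaa.authenticated_identity or idi


def authorize(idi: str, aaa: AaaResult) -> Optional[dict]:
    """Correct behaviour: access control on the authenticated identity."""
    return POLICY.get(identity_for_policy(idi, aaa))


def authorize_by_idi_only(idi: str, aaa: AaaResult) -> Optional[dict]:
    """The mistake the draft warns about: access control on the routing IDi."""
    if not aaa.eap_success:
        raise PermissionError("EAP authentication failed")
    return POLICY.get(idi)


if __name__ == "__main__":
    # IDi was only a routing hint; EAP authenticated alice.
    aaa = AaaResult(eap_success=True, authenticated_identity="alice@example.net")
    print(authorize("anonymous@example.net", aaa))          # alice's policy
    print(authorize_by_idi_only("anonymous@example.net", aaa))  # None
```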
