>
> The nice thing is that this leaves everything in RADIUS. There's a
> bit of magic required to derive the identities. There's a bit of magic
> required to separate Client authentication from end-user authentication.
>
> I think it's pretty similar to the approach in the draft.
Yes, as Sam says we have considered a similar approach, using something
like draft-santesson-tls-gssapi to transport GSS EAP within the TLS
handshake of the RadSec connection. This is actually my preferred strategy
but Sam has some compelling practical counter-arguments.
I'm confused at your step (4); how are you framing EAP in the RadSec
connection between Client and Server?
(Another benefit of using RADIUS rather than another substrate such as
HTTP, I have previously argued, is that it allows you to fold Trust Router
and Key Negotiation Protocol into a single protocol. Trust Router becomes
an exchange of new RADIUS messages with BGP-like semantics, transported
over an EAP-authenticated RadSec connection).
Josh.
JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire OX11 0SG