Sam,

>In some ways it might be better if we didn't use EAP in passthrough
>authenticator mode but instead had peer-to-peer credentials.

Agreed. Actually this had been my working assumption :-)

>Our implementation doesn't really support that.
>We could run an AAA server on each trust router, but that also seems
>messy.

Well, that would still be pass-through, but to a local AAA server. In
non-pass-thru there is no break-out to AAA at all. So I guess this
credential would be part of the trust link configuration.

>The COR's authentication infrastructure does need to be highly
>replicated as it is a potential point of failure.

Yes, this is one of those unavoidable costs of an online trust system.

>There's an interesting question how cross-organizational links are
>handled.
>My assumption is that you'd pick which organization's infrastructure is
>used.
>Possibly you could credential in both and use the credential of the
>organization making the connection.

Sounds sensible to me.

Josh.