Sam Hartman [mailto:hartmans-i...@mit.edu] writes:
> >>>>> "Glen" == Glen Zorn <g...@net-zen.net> writes: > > > Glen> Or we could use the more direct & much simpler approach of > Glen> allowing the client to authenticate the network to which it is > Glen> attached & use that data to decide by itself. This can be > Glen> done today using EAP-TTLS. > > How? > I'd appreciate an answer in approximately similar level of detail as I > have given you the answer on the channel binding approach. I was hoping that someone with a higher level of expertise WRT eap-ttls than mine would jump in here (Steve Hannah, for example) but I'll do my best. Section 5 of RFC 5281 says: 5. Architectural Model The network architectural model for EAP-TTLS usage and the type of security it provides is shown below. +----------+ +----------+ +----------+ +----------+ | | | | | | | | | client |<---->| access |<---->| TTLS AAA |<---->| AAA/H | | | | point | | server | | server | | | | | | | | | +----------+ +----------+ +----------+ +----------+ <---- secure password authentication tunnel ---> <---- secure data tunnel ----> The entities depicted above are logical entities and may or may not correspond to separate network components. For example, the TTLS server and AAA/H server might be a single entity; the access point and TTLS server might be a single entity; or, indeed, the functions of the access point, TTLS server and AAA/H server might be combined into a single physical device. The above diagram illustrates the division of labor among entities in a general manner and shows how a distributed system might be constructed; however, actual systems might be realized more simply. Note also that one or more AAA proxy servers might be deployed between access point and TTLS server, or between TTLS server and AAA/H server. Such proxies typically perform aggregation or are required for realm-based message routing. However, such servers play no direct role in EAP-TTLS and are therefore not shown. If certificate-based TLS authentication is used & the TTLS server is located in the visited network (something that the client can check by matching the identity advertised with a name in the cert), the task is accomplished (in that the problem becomes one of policy, provisioning and implementation rather than protocol design or standardization). _______________________________________________ Emu mailing list Emu@ietf.org https://www.ietf.org/mailman/listinfo/emu