On Nov 10, 2009, at 1:40 PM, Amjad Inamdar (amjads) wrote:
Hi, With IKEv2 EAP authentication, there are 3 identities involved 1) IDi - IKEv2 initiator identity sent in msg-3 2) EAP identity that gateway (IKE2 responder) can request from the client (IKEv2 initiator) 3) Authenticated EAP identity that third party EAP server provides to the gateway (IKEv2 responder). Could someone please clarify from RFC standpoint if 1) The 3 identities mentioned above MUST/SHOULD be same
No, although they typically are.
2) If not same, what purpose should each of the above identities serve
1) mainly used as a hint for the gateway as to which AAA server to choose 2) It's the AAA server that may request the identity, and it's internal to AAA. It doesn't play in IKE 3) That's the authenticated identity of the user. That is what the responder uses for policy decisions.
3) The mandatory/recommended format for each of the above identites
All the types in section 3.5 are acceptable, but the most used ones are ID_RFC822_ADDR and ID_DER_ASN1_DN
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
