Yoav Nir writes: > Since the gateway acts as a pass-through, the requirement here is > more for the client, which is typically more integrated. The client > should be prepared to give an identity hint both in IKE and later in > the EAP session.
And in that case the identities should really be same, and if they differ then the authenticated identity needs to be used for policy lookups, meaning that the EAP identity needs to be used. So the gateway needs to get that authenticated identity from the AAA server so it can do policy lookups based on it. -- kivi...@iki.fi _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec