The selection of the AAA server will be based on IDi, then EAP will happen. The gateway will get the EAP-authenticated ID from the AAA server. If the EAP identity is different from IDi and no policy is found for the EAP identity, the gateway should initiate deletion of the SA. Also, if a policy is found based on the EAP identity but it is different from IDi, the EAP identity should be given priority and its attributes should be applied to that SA.
On Thu, Nov 12, 2009 at 5:01 AM, Tero Kivinen <kivi...@iki.fi> wrote:
> Yoav Nir writes:
> > Since the gateway acts as a pass-through, the requirement here is
> > more for the client, which is typically more integrated. The client
> > should be prepared to give an identity hint both in IKE and later in
> > the EAP session.
>
> And in that case the identities should really be the same, and if they
> differ then the authenticated identity needs to be used for policy
> lookups, meaning that the EAP identity needs to be used. So the
> gateway needs to get that authenticated identity from the AAA server
> so it can do policy lookups based on it.
> --
> kivi...@iki.fi
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
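The gateway-side decision described in the message above, as an added example that is not part of the thread or of any IKEv2 implementation: the AAA server is selected from IDi (here taken to be the realm of an NAI), and once EAP completes the AAA server returns the authenticated identity, which is the only key used for policy lookup. The names `Policy`, `AAA_SERVERS`, `POLICIES`, `select_aaa_server` and `decide_policy`, and the sample AAA and policy tables, are assumptions for illustration.

```python
"""Gateway-side policy decision after IKEv2 EAP authentication.

Added example (not code from the thread). Models the behaviour the message
describes: choose the AAA server from IDi, run EAP, then look up policy by
the EAP-authenticated identity returned by the AAA server. If that identity
has no policy, the SA is deleted instead of falling back to IDi; if it has
one, its attributes are applied even when it differs from IDi.

Assumed names and data: Policy, AAA_SERVERS, POLICIES and the sample entries.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Policy:
    identity: str
    traffic_selectors: Tuple[str, ...]   # e.g. ("10.0.0.0/8",)
    lifetime_seconds: int


# Constructed sample data: AAA servers keyed by NAI realm, policies keyed by
# the authenticated identity.
AAA_SERVERS = {
    "example.com": "aaa1.example.com",
    "partner.net": "aaa.partner.net",
}

POLICIES = {
    "alice@example.com": Policy("alice@example.com", ("10.0.0.0/8",), 3600),
    "bob@example.com": Policy("bob@example.com", ("10.1.0.0/16",), 1800),
}


def realm_of(nai: str) -> str:
    """Return the realm part of a user@realm NAI, lower-cased (realms are
    compared case-insensitively)."""
    _user, sep, realm = nai.rpartition("@")
    if not sep or not realm:
        raise ValueError(f"no realm in NAI {nai!r}")
    return realm.lower()


def select_aaa_server(idi: str) -> str:
    """Step 1: pick the AAA server from IDi before EAP starts.

    IDi is unauthenticated at this point, so it is used only for routing
    the EAP exchange, never for policy.
    """
    realm = realm_of(idi)
    try:
        return AAA_SERVERS[realm]
    except KeyError:
        raise LookupError(f"no AAA server for realm {realm!r}") from None


def decide_policy(idi: str, eap_identity: str) -> Tuple[str, Optional[Policy]]:
    """Step 2: after EAP succeeds, the AAA server hands back the authenticated
    identity. Policy lookup is keyed on that identity, not on IDi.

    Returns (action, policy): ("apply", policy) or ("delete_sa", None).
    """
    policy = POLICIES.get(eap_identity)
    if policy is None:
        # No policy for the authenticated identity. Do not fall back to a
        # policy for IDi (it was never authenticated): delete the SA.
        return ("delete_sa", None)
    # A policy exists for the EAP identity. Whether or not it equals IDi, the
    # EAP identity's attributes are the ones applied to the SA.
    return ("apply", policy)


def establish(idi: str, eap_identity: str) -> dict:
    """Run both steps and report which identity drove each decision."""
    server = select_aaa_server(idi)
    action, policy = decide_policy(idi, eap_identity)
    return {
        "aaa_server": server,
        "identities_match": idi == eap_identity,
        "action": action,
        "policy_identity": policy.identity if policy else None,
    }


if __name__ == "__main__":
    print(establish("alice@example.com", "alice@example.com"))
    print(establish("anonymous@example.com", "bob@example.com"))
    print(establish("anonymous@example.com", "carol@example.com"))
```

The third call shows the failure mode from the message: IDi routes to the right AAA server, EAP succeeds as an identity the gateway has no policy for, and the result is `delete_sa` rather than a session configured from the unauthenticated IDi.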