On Nov 12, 2009, at 5:34 AM, Raj Singh wrote:

> The selection of AAA server will be based on IDi then EAP will happen.
> The gateway will get EAP authenticated ID from the AAA server.
> If EAP identity is different from IDi and no policy is found for EAP identity.
> The gateway should initiate deletion of the SA.

Actually, the gateway doesn't need to delete the SA. The gateway receives the EAP identity before the end of the IKE_AUTH exchanges, so it can terminate with an AUTHENTICATION_FAILED. No need for DELETE.
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
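
The gateway-side check discussed in this thread, as an added sketch that is not part of the original messages or of any IKEv2 implementation. The function names, the dictionary policy store and the sample identities are assumptions; the Notify payload layout and the AUTHENTICATION_FAILED value (24) are from the IKEv2 specification.

```python
import struct

AUTHENTICATION_FAILED = 24   # IKEv2 Notify Message Type
NO_NEXT_PAYLOAD = 0


def notify_payload(notify_type, data=b""):
    """Encode a Notify payload that concerns the IKE SA itself.

    Generic header: next payload, critical/reserved, 16-bit length.
    Body: Protocol ID 0 and SPI Size 0 (no SPI), 16-bit notify type.
    """
    length = 8 + len(data)
    return struct.pack("!BBHBBH", NO_NEXT_PAYLOAD, 0, length,
                       0, 0, notify_type) + data


def finish_eap(idi, eap_identity, policies):
    """Decide how the responder ends IKE_AUTH once the AAA server has
    returned the EAP-authenticated identity (hypothetical helper).

    Returns ("continue", policy) or ("fail", notify_bytes). The failure
    path answers inside the pending IKE_AUTH exchange, so no IKE SA is
    ever established and no Delete payload is needed.
    """
    # Assumption: if the AAA server returns no identity, IDi is used.
    identity = eap_identity if eap_identity is not None else idi
    policy = policies.get(identity)
    if policy is None:
        return "fail", notify_payload(AUTHENTICATION_FAILED)
    return "continue", policy


# Constructed sample data: a policy exists for alice only.
SAMPLE_POLICIES = {"alice@example.org": {"pool": "10.0.8.0/24"}}

if __name__ == "__main__":
    for eap_id in ("alice@example.org", "mallory@example.org"):
        action, detail = finish_eap("anonymous@example.org", eap_id,
                                    SAMPLE_POLICIES)
        shown = detail.hex() if isinstance(detail, bytes) else detail
        print(eap_id, "->", action, shown)
```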