>> - I am missing the "authenticated peer identity", which I would assume
>> should arrive from the AAA server. This should be the basis of RFC4301
>> policy decisions on the IKE gateway. Does ERP provide this identity?
>
> The EAP-Initiate/Re-auth packet carries a keyName-NAI TLV, but that is sent
> from the client (or "peer") to the authentication server through the gateway.
> (section 5.3.2 of the bis document)
> The EAP-Finish/Re-auth packet also carries a keyName-NAI TLV, and that is
> sent from the authentication server through the gateway to the client.
> But these don't really help, because the username part of NAI is the 64-bit
> EMSKname, which is not directly related to user name.
> However, these messages come within an Access-Accept packet from the RADIUS
> server, and those include a proper user name.
[Qin]: If you are talking about the second identity specified in section 6.4 of
RFC5998, I think, unlike EAP, ERP does not provide such identity.
ERP only define two types: one is Re-auth-Start, the other is Re-Auth.
KeyName-NAI TLV defined in RFC5296 and RFC5296bis more looks like the first
idenity described in section 6.4 of RFC5998.
As decribed in section 5.1 of RFC5296,
"
When an ERP-capable authenticator receives the EAP-Initiate/
Re-auth message from a peer, it copies the contents of the
^^^^^^^^^^^^^^^^^^^^
keyName-NAI into the User-Name attribute of RADIUS [13].
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
"
>
>> - Does this draft coexist with certificate-less mutual EAP
>> authentication, as per RFC5998?
>
> I think the handed-over keying material is cryptographic proof enough and
> that certificates will usually be unnecessary, so I think yes.
[Qin]: Correct.
>>
>> Thanks,
>> Yaron
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
