"Charles" == Charles Clancy <clancy(_at_)cs(_dot_)umd(_dot_)edu> writes:
Charles> Sam Hartman wrote:
>>>>>>> "Charles" == Charles Clancy <clancy(_at_)cs(_dot_)umd(_dot_)edu>
Charles> I don't think I'm convinced that EAP channel bindings are
Charles> doing this binding to the L2 channel. The identity used
Charles> in an EAP channel binding must be bound to the AAA
Charles> security association between the authenticator and the
Charles> peer in order for everything to work, so it would be more
>> I'm not sure I'd describe the association between the peer and
>> authenticator as an AAA association. I agree with the rest.
Charles> Ah, I mistyped. I meant AAA security association between
Charles> the authenticator and EAP server.
I'd define the EAP channel binding problem as follows. There are two
sets of identities that the peer and authenticator use: one at the EAP
layer and one at a lower layer. There is an additional identity that
the authenticator may use to authenticate to the AAA server. The
channel binding problem is to make sure that the EAP server authorizes
the authenticator's use of the lower layer identity to the peer and
the peer's use of a given lower layer identity.
In performing this authorization the EAP server must authorize that
the authenticator is actually allowed to claim the lower layer
identity it wants to claim. In doing that it will have to make an
authorization decision about whether the identity the authenticator
uses to authenticate to the AAA server is authorized to claim the
given lower layer identity. However that identity--between the NAS
and the AAA server doesn't inherently appear anywhere else. It sounds
like 802.11R does plan to expose that identity, but that's a design
decision for that lower layer.
Ietf mailing list