"Bernard" == Bernard Aboba <aboba(_at_)internaut(_dot_)com> writes:
>> My question is more why do they need EAP in situations where
>> they are not running at the link layer than why do they want or
>> not want PANA.
Bernard> The simple answer is that there are situations which IEEE
Bernard> 802.1X cannot handle on wired networks. As specified,
Bernard> IEEE 802.1X is "network port control", which means that
Bernard> authorization is controllable only at the port level. If
Bernard> there is more than one host connected to a switch port,
Bernard> then that model no longer applies.
Yeah. I guess I wonder whether you are actually getting
network access authentication at that point or whether you
are getting a service that allows you to check posture. It
seems that a service that simply allows you to check posture
should be not EAP.
I fully agree. As far as I can tell, using EAP in this manner merely
reduces it to a posture transport protocol. The level of security
provided by EAPoUDP does not seem to be any greater than a
Kerberos-based authentication done today in most enterprise networks,
considering the presence of switched Ethernet. Hence, the only reason to
move to EAPoUDP would be to check posture, and I agree with Sam that
making EAP the posture transport protocol is a bad idea.
Vidya
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf