For those of us that are just trying to follow this discussion,
what does the word "posture" mean in this context?
--
Eric
--> -----Original Message-----
--> From: Narayanan, Vidya [mailto:vidyan(_at_)qualcomm(_dot_)com]
--> Sent: Friday, May 26, 2006 2:05 PM
--> To: Sam Hartman; Bernard Aboba
--> Cc: ietf(_at_)ietf(_dot_)org
--> Subject: RE: The Emperor Has No Clothes: Is PANA actually useful?
-->
--> >
--> > >>>>> "Bernard" == Bernard Aboba <aboba(_at_)internaut(_dot_)com> writes:
--> >
--> > >> My question is more why do they need EAP in situations where
--> > >> they are not running at the link layer than why do they want or
--> > >> not want PANA.
--> >
--> > Bernard> The simple answer is that there are situations which IEEE
--> > Bernard> 802.1X cannot handle on wired networks. As specified,
--> > Bernard> IEEE 802.1X is "network port control", which means that
--> > Bernard> authorization is controllable only at the port level. If
--> > Bernard> there is more than one host connected to a switch port,
--> > Bernard> then that model no longer applies.
--> >
--> > Yeah. I guess I wonder whether you are actually getting
--> > network access authentication at that point or whether you
--> > are getting a service that allows you to check posture. It
--> > seems that a service that simply allows you to check posture
--> > should be not EAP.
--> >
-->
-->
--> I fully agree. As far as I can tell, using EAP in this manner merely
--> reduces it to a posture transport protocol. The level of security
--> provided by EAPoUDP does not seem to be any greater than a
--> Kerberos-based authentication done today in most enterprise networks,
--> considering the presence of switched Ethernet. Hence, the only reason to
--> move to EAPoUDP would be to check posture and I agree with Sam that
--> making EAP the posture transport protocol is a bad idea.
-->
--> Vidya
-->
-->
--> > _______________________________________________
--> > Ietf mailing list
--> > Ietf(_at_)ietf(_dot_)org
--> > https://www1.ietf.org/mailman/listinfo/ietf
--> >