
Re: Secure legacy authentication for IKEv2



Sorry for the delayed reply....

Charlie_Kaufman@xxxxxxxxxxxxxxxx writes:

> > This question is really directed at folks who have implementation
> > experience with EAP.  Is it the case that existing EAP implementations
> > generally do not require the optional identity exchange when they have
> > an identity available from some other out-of-band source?  I was hoping
> > some EAP folks would speak up here...  Or do you sometimes masquerade
> > in an EAP hat?  :-)
> 
> I checked my hat collection and none say EAP. I agree it would be nice to
> get feedback. Anyone???

I do not claim to be an EAP expert, but I have been working on a
Kerberos EAP method (so I do have some EAP experience printed on my
hat).  The answer is yes, the Identity is not required.  If the server
can somehow deduce the client's identity then it can initiate the EAP
Challenge directly to the client without the Identity Request.

-derek

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@xxxxxxxxx             www.ihtfp.com