
RE: Xauth Transaction Identifier



Hi Stephane:

Thanks for your answers.
To follow up on your suggestions for the change password
support: yes, I do think there might be some cases
where the client couldn't use the regular LAN traffic/protocol
to change their password if they want to.
For example, if the edge device does maintain its own
authentication database, or some RADIUS server does
support password change but relies on the edge device
to pass on the requests, then there is a need to create
such a mechanism in xauth to do so.

In your new draft, XAUTH_ANSWER is very specific to
SecurID support. If we can relax the limitation, we 
may be able to allow the client to initiate the password
change request. For example,

	Client <--> GW
	<-- REQ (Username = '', pwd = '')
	REPLY (Username = 'joe', pwd = 'mypwd') -->
	<-- REQ (answer = '', msg = 'Your password is about 
	to expire, do you want to change your password ?')
	REPLY (answer = 'y') -->
	<<< password change details...>>>
	<-- SET (OK)
	ACK() -->

Or we could simply have another attribute "XAUTH_PASSWORD_CHANGE"
to allow the client to initiate the action.

Just trying to throw out some ideas and point out the need for such
features. Not sure if any other vendors have also thought
about this?

Thanks.

Leemay


> In addition, have you thought about how to support "password change", which
> can be initiated by the end host or even the edge device ?

I would suggest the following for something initiated by the edge device.

Client <--> GW
<-- REQ (Username = '', pwd = '')
REPLY (Username = 'joe', pwd = 'mypwd') -->
<-- REQ (pwd = '', msg = 'Your password has expired, please enter a new
password')
REPLY (pwd = 'mynewpwd') -->
<-- SET (OK)
ACK() -->

As for the Client side initiated change of password, I would presume that
in systems that allow this, it could be done by the Client at any time after
the tunnel comes up.  For example, I'm actually tunneling into my VPN at
Cisco using XAUTH with NT domain authentication.  Using this configuration,
I've just successfully changed my NT domain password on the corporate net.

Please let me know if you can think of problems with other types of
authentication systems in which this would not be possible.

Regards,
Stephane.

>
> Thanks again for your advice.
>
> Leemay Yen
> RapidStream, Inc.
>
>