RFC 2869bis Issues
Bernard Aboba
IETF 57, Vienna, Austria
Monday, July 14, 2003, 15:30 - 17:30
RFC 2869bis Status
• Issues list at: http://www.drizzle.com/~aboba/EAP/eapissues.html
• RFC 2869bis is a dependency of IEEE 802.1aa
• Approved for Publication as an RFC
• Two issues raised
  • Order of attribute processing
  • User-Name processing
• Process
  • Issue #157 posted to EAP WG and IEEE 802.1 mailing lists
  • No discussion so far
  • Presentation at EAP WG in Vienna, IEEE 802 Plenary in SFO
  • If approved, changes made in Author 48 hours
Processing Order: Issue #157
• Question: When an Access-Accept contains both an EAP-Message attribute and other attributes (e.g. Key attributes), which is processed first?
  • IEEE 802.1X-2001 says the EAP message is sent first, then the EAPOL-Key message
  • IEEE 802.11i agrees with IEEE 802.1X-2001
  • IEEE 802.1aa has flip-flopped, but D6.1 now says the EAP message is sent first
• RFC 2869bis clarifications were added to conform to an earlier IEEE 802.1aa version
  • Now out of sync with IEEE 802 docs
Proposed Fix
• In Section 2.6.4, change:
  “the NAS SHOULD process other attributes first, then decapsulate EAP-Message attribute(s), reconstitute the EAP packet and send it to the peer.”
  To:
  “the NAS SHOULD first decapsulate EAP-Message attribute(s), reconstitute the EAP packet and send it to the peer, then process other attributes.”
• In Appendix B, change:
  “EAP-Message attributes are processed last (Section 2.6.4).”
  To:
  “EAP-Message attributes are processed first (Section 2.6.4).”
Issue: User-Name Processing
• EAP methods may support Identity Privacy
  • EAP-Response/Identity may not include the complete name
  • Example: @example.com (realm routing only)
  • Method-specific Identity provided
• Question: How does the NAS know what User-Name attribute to put into Accounting messages?
• Answer: If the AAA server wishes a particular User-Name to be used, it is sent in the Access-Accept
Proposed Fix
• In Section 3, add:
  “The User-Name attribute within the Access-Accept packet need not be the same as the User-Name attribute in the Access-Request.”