PANA RADIUS
draft-ietf-pana-aaa-interworking-00.txt

Avi Lior, Bridgewater Systems, avi@bridgewatersystems.com
Alper Yegin, Samsung, alper.yegin@samsung.com

Bridgewater/Samsung

Introduction
• PANA AAA
• Mapping of PANA messages & AVPs to AAA messages & Attributes
• Relies on the following RFCs/Drafts
    • draft-ietf-pana-pana-0x
    • RFC3579, “RADIUS Support For EAP”
    • draft-ietf-aaa-eap-10: Eronen, P., Hiller, T., and G. Zorn, "Diameter Extensible Authentication Protocol (EAP) Application", November 2004.
    • RFC3576, “Dynamic Authorization Ext. for RADIUS”
    • Various RADIUS RFCs: 2865, 2866, 2869
    • RFC 3588

Architecture

          +------------------------------+
+-----+   |  +-----+  +---------------+  |     +---------------+
|     |   |  |     |  |               |  |     |               |
| PaC +---+--+ PAA +--+  AAA client   |--+-----+  AAA server   |
|     |   |  |     |  |               |  |     |               |
+-----+   |  +-----+  +---------------+  |     +---------------+
          |  Network Access Server(NAS)  |
          +------------------------------+

• Simplifications:
    • No AAA Proxy Chains
    • EAP Authentication Server is collocated with AAA server
    • NAS consists of: PAA, AAA client; and PEP.
• Possible AAA interactions:
    • AAA server can be Diameter or RADIUS.
    • AAA client can be Diameter or RADIUS.
    • In a single PANA session, with multiple-authentications you can have both Diameter and RADIUS interactions

What was decided at IETF 62
• Accept as a working group document
• Standard as opposed to Informational
• Add support for Diameter

Issues Raised
• Multiple authentications, what if one fails?
    • Issue with RADIUS: “what happens when we get an Access-Reject?”
        • Do you tear down the session? Or
        • Is this a rejection of what was being authenticated?
    • Seems we are leaning towards: Access-Reject is for the requested service. See draft-aboba-radext-fixes-00
    • For example: even if NAP authentication has failed, network access can be granted when ISP authentication succeeds (but NAP does not provide any differentiated service to the unauthenticated client).

Integration of Diameter
• Diameter EAP was used.
• For call flows, created an abstraction to allow us to describe the flows once (for both RADIUS and Diameter)
• We have separate descriptions, one for RADIUS and one for Diameter, for messages and attributes
    • There are few differences.
    • Needs cleanup.

PANA Single Authentication

     PaC                    NAS                 RADIUS Server
a)    < Discovery and handshake phase>
      |                      |                        |
      < Authentication Authorization phase>
      |PANA-Auth-Request(x)  |                        |
b)    |<---------------------|                        |
      |PANA-Auth-Answer(x)   |                        |
c)    |--------------------->|                        |
      |                      | AAA-Request            |
d)    |                      |----------------------->|
      |                      | AAA-Challenge          |
e)    |                      |<-----------------------|
      |PANA-Auth-Request(x+1)|                        |
f)    |<---------------------|........................|
      |PANA-Auth-Answer(x+1) |                        |
g)    |--------------------->|........................|
      |                      | AAA-Request            |
h)    |                      |----------------------->|
      |                      | AAA-Accept             |
i)    |                      |<-----------------------|
      |PANA-Bind-Request     |                        |
j)    |<---------------------|                        |
      |PANA-Bind-Answer      |                        |
k)    |--------------------->|                        |
      |                      | AAA-Accounting(Start)  |
l)    |                      |----------------------->|
      |                      |                        |
      < PANA access phase >

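The NAS relay logic behind the single-authentication call flow above, as an added Python sketch that is not part of the slides or the draft. The stub AAA server, the trace format, the always-answering PaC, and the name AAA-Reject (by analogy with AAA-Accept) are constructed assumptions.

```python
class StubAAAServer:
    """Constructed AAA server: sends `challenges` AAA-Challenges, then a verdict."""
    def __init__(self, challenges=1, verdict="AAA-Accept"):
        self.challenges, self.verdict = challenges, verdict

    def handle(self, msg):
        if msg != "AAA-Request":
            return None                       # accounting: no reply modelled
        if self.challenges > 0:
            self.challenges -= 1
            return "AAA-Challenge"
        return self.verdict

# The PaC is modelled as answering every PANA request (assumption).
PAC_ANSWER = {"PANA-Auth-Request": "PANA-Auth-Answer",
              "PANA-Bind-Request": "PANA-Bind-Answer"}

def run_single_authentication(aaa, x=1):
    """Drive the NAS side of the flow; return (access_granted, trace)."""
    trace = []

    def pana(request, seq=None):
        tag = "" if seq is None else f"({seq})"
        trace.append(f"NAS->PaC {request}{tag}")
        trace.append(f"PaC->NAS {PAC_ANSWER[request]}{tag}")

    def to_aaa(msg):
        trace.append(f"NAS->AAA {msg}")
        reply = aaa.handle(msg)
        if reply:
            trace.append(f"AAA->NAS {reply}")
        return reply

    pana("PANA-Auth-Request", x)              # steps b, c
    while True:
        reply = to_aaa("AAA-Request")         # steps d/e or h/i
        if reply == "AAA-Challenge":
            x += 1
            pana("PANA-Auth-Request", x)      # steps f, g
        elif reply == "AAA-Accept":
            pana("PANA-Bind-Request")         # steps j, k
            to_aaa("AAA-Accounting(Start)")   # step l
            return True, trace
        else:
            # Assumption: any other reply (e.g. hypothetical "AAA-Reject") ends
            # the attempt with no bind and no accounting start; the flow above
            # does not show the reject path.
            return False, trace
```
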
What Is Next?
• Align with latest PANA
    • New capabilities: should we try to synch up?
• Review – focus on technical issues as opposed to editorial.

THANK YOU