Fletcher E Kittredge wrote:
On Tue, 26 Jun 2001 00:21:46 -0400 William Allen Simpson wrote:
RADIUS (speaking as one of the original authors) has nothing to do with PPP. It was just a simple mechanism to communicate to a NAS for authentication purposes.
Correct. Let me restate that again. Radius was designed for a different purpose than for authenticating in an IPoE environment. There is no NAS in a well designed IPoE environment.
There is no such thing as a "well designed IPoE environment", that's a contradiction in terms. But there is ALWAYS a Network Access Server! Unless you are postulating something without network access, in which case why are you pontificating on NANOG? RADIUS was designed for authentication. (It's in the name.) Cable needs authentication, too, as all its users are "Remote".
... DHCP only does a fraction of what Radius does; DHCP only allocates IPs and "suggests" client parameters. No accounting... No auth... Personally, I think that multiple protocols, one for each task, is a better approach.
We are in agreement on the latter. Which is why there are separate protocols, instead of 1. However, you seem to have some misconceptions. DHCP is a "Host" protocol. RADIUS is a "Server" protocol. (It's in the names.) Hosts never talk RADIUS. The host to NAS authentication protocols vary. For serial point-to-point links, PPP is the natural mechanism. For multipoint broadcast media, we developed IPsec tunnels. There are other efforts, such as 802.1x. It could fill the niche, but has complicated problems, and has not seen much deployment. And unlike IPsec, it is not well integrated with privacy.
... I am having problems visualizing how Kerberos' ticket model would work in a public access network with potentially hundreds of thousands of users wandering on and off in millions of short lived sessions per day (check for mail every five minutes...)
Works here.... OK, only tens of thousands, but if you are postulating hundreds of thousands on a single cable, you will be rather seriously oversubscribed. (I have seen Kerberos used across realms throughout North America, with potentially hundreds of thousands of simultaneous users. I have seen Kerberos used as a backend for RADIUS users. The pioneering code was done at Merit, which should not surprise anyone :-)

--
William Allen Simpson
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
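The thread contrasts RADIUS, which authenticates a NAS to its server with a shared secret, against DHCP, which carries no authentication at all. The following added example (not code from the thread or from any of its participants) shows concretely what that shared-secret authentication consists of, per RFC 2865: the User-Password attribute is hidden with an MD5 keystream derived from the secret and the Request Authenticator, and the server's reply carries a Response Authenticator that the NAS verifies before trusting an Access-Accept. The secret, user name, password and the fixed Request Authenticator are constructed sample values, and `simulate_exchange` plays both the NAS and the server side in one process.

```python
import hashlib
import hmac
import struct

# Constructed sample values for this example only (assumptions, not from the thread).
SECRET = b"example-shared-secret"
FIXED_REQUEST_AUTHENTICATOR = bytes(range(16))  # a real NAS uses 16 random bytes

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2   # RADIUS packet codes (RFC 2865)
USER_NAME, USER_PASSWORD = 1, 2        # RADIUS attribute types (RFC 2865)


def _keystream_xor(data: bytes, request_authenticator: bytes, secret: bytes, chaining_on_input: bool) -> bytes:
    """Shared core of RFC 2865 section 5.2 password hiding.

    Each 16-byte block is XORed with MD5(secret + previous), where 'previous' is the
    Request Authenticator for the first block and the previous *ciphertext* block after
    that. When hiding, the ciphertext is our output; when unhiding, it is our input."""
    out = b""
    prev = request_authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(x ^ y for x, y in zip(block, mask))
        out += result
        prev = block if chaining_on_input else result
    return out


def hide_password(password: bytes, request_authenticator: bytes, secret: bytes) -> bytes:
    """Pad the password with NULs to a multiple of 16 and hide it (RFC 2865 section 5.2)."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    return _keystream_xor(padded, request_authenticator, secret, chaining_on_input=False)


def unhide_password(hidden: bytes, request_authenticator: bytes, secret: bytes) -> bytes:
    """Server side: recover the password and strip the NUL padding."""
    return _keystream_xor(hidden, request_authenticator, secret, chaining_on_input=True).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return bytes([attr_type, len(value) + 2]) + value


def build_packet(code: int, identifier: int, authenticator: bytes, attributes: bytes) -> bytes:
    """Assemble the 20-byte RADIUS header followed by the attributes."""
    return struct.pack("!BBH", code, identifier, 20 + len(attributes)) + authenticator + attributes


def response_authenticator(code: int, identifier: int, request_authenticator: bytes,
                           attributes: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """NAS side: refuse any reply whose Response Authenticator does not match the secret.

    This is the check that binds the reply to the shared secret and to the original
    request; a forged or tampered Access-Accept fails here."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, request_authenticator, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])


def simulate_exchange(username: bytes, password: bytes, server_secret: bytes = SECRET,
                      tamper_reply: bool = False) -> dict:
    """Run one NAS <-> server round trip entirely in-process and report what each side saw."""
    identifier = 7
    req_auth = FIXED_REQUEST_AUTHENTICATOR

    # NAS builds an Access-Request with the hidden password.
    req_attrs = attribute(USER_NAME, username) + attribute(USER_PASSWORD,
                                                            hide_password(password, req_auth, SECRET))
    request = build_packet(ACCESS_REQUEST, identifier, req_auth, req_attrs)

    # Server parses it, recovers the password, and answers with an Access-Accept.
    srv_hidden = request[20 + 2 + len(username) + 2:]  # value of the second attribute
    recovered = unhide_password(srv_hidden, request[4:20], server_secret)
    reply_attrs = b""
    reply = build_packet(ACCESS_ACCEPT, identifier,
                         response_authenticator(ACCESS_ACCEPT, identifier, request[4:20], reply_attrs, server_secret),
                         reply_attrs)
    if tamper_reply:
        reply = reply[:-0] + attribute(USER_NAME, b"injected")  # appended attribute, stale authenticator
        reply = struct.pack("!BBH", ACCESS_ACCEPT, identifier, len(reply)) + reply[4:]

    # NAS verifies the reply against its own secret before honouring it.
    return {"server_saw_password": recovered, "nas_accepts_reply": verify_response(reply, req_auth, SECRET)}


if __name__ == "__main__":
    print(simulate_exchange(b"alice", b"correct horse battery"))
    print(simulate_exchange(b"alice", b"correct horse battery", server_secret=b"wrong-secret"))
    print(simulate_exchange(b"alice", b"correct horse battery", tamper_reply=True))
```

Note that the password hiding is reversible obfuscation keyed on the shared secret, not encryption in a modern sense, and the Response Authenticator is an unkeyed MD5 over the secret rather than an HMAC; both are exactly what RFC 2865 specifies, which is why deployments carry RADIUS over a trusted or IPsec-protected path, as the message above suggests.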