Re: iSCSI: PAK: an alternative to SRP and DH-CHAP

["Julian Satran" <Julian_Satran@il.ibm.com>]

It will also not work on the (mostly) legacy IP-over-pigeon networks.

Julo

Bill Strahm <bill@strahm.net> Sent by: owner-ips@ece.cmu.edu 05/03/2002 08:39 PM Please respond to Bill Strahm

To:        Bernard Aboba <bernard_aboba@hotmail.com>         cc:        bill@strahm.net, philmac@research.bell-labs.com, ips@ece.cmu.edu         Subject:        Re: iSCSI: PAK: an alternative to SRP and DH-CHAP

I'd almost buy this argument, except that means that my custommers will
have to upgrade their environments to an updated Radius server.  Putting
deployment requirements like this on custommers is not an easy thing...

I have been told that many Radius environments in organizations are rather
old and not prone to upgrading (to do it you have to shut down authentication
for a period of time).  That is why I refer to a legacy environment, it 
is really easy if I can just say, Please use our Radius server in place
of the one that you are all ready running...  Now would you want to base
sales on that ?  

Bill
On Fri, May 03, 2002 at 10:06:30AM -0700, Bernard Aboba wrote:
> >From my understaning of PAK, I don't see a way of plugging this into
> >a legacy RADIUS environment (I don't have the password avail at the
> >iSCSI endpoint, only the ability to say please authenticate this for >me)
> 
> The  RADIUS argument is a red herring. RFC 2869 defines the use of 
> extensible authentication within RADIUS, and most RADIUS servers (including 
> versions of FreeRADIUS) now support this. So the bottom line is the iSCSI 
> should choose the authentication algorithms most appropriate to its needs 
> and not worry about RADIUS compatibility.
> 
> 
> _________________________________________________________________
> Chat with friends online, try MSN Messenger: http://messenger.msn.com
>