> >>>>> "Bernard" == Bernard Aboba <aboba@xxxxxxxxxxxxx> writes:
>
> >> My question is more why do they need EAP in situations where
> >> they are not running at the link layer than why do they want or
> >> not want PANA.
>
> Bernard> The simple answer is that there are situations which IEEE
> Bernard> 802.1X cannot handle on wired networks. As specified,
> Bernard> IEEE 802.1X is "network port control", which means that
> Bernard> authorization is controllable only at the port level. If
> Bernard> there is more than one host connected to a switch port,
> Bernard> then that model no longer applies.
>
> Yeah. I guess I wonder whether you are actually getting
> network access authentication at that point or whether you
> are getting a service that allows you to check posture. It
> seems that a service that simply allows you to check posture
> should not be EAP.

I fully agree. As far as I can tell, using EAP in this manner merely reduces it to a posture transport protocol. The level of security provided by EAPoUDP does not seem to be any greater than a Kerberos-based authentication done today in most enterprise networks, considering the presence of switched Ethernet. Hence, the only reason to move to EAPoUDP would be to check posture, and I agree with Sam that making EAP the posture transport protocol is a bad idea.

Vidya

> _______________________________________________
> Ietf mailing list
> Ietf@xxxxxxxx
> https://www1.ietf.org/mailman/listinfo/ietf