Hi. I had a few discussions in Prague and think that we're all basically on the same page about what the document should say. I'm going to describe that consensus here. I'd like to ask Russ to confirm that the document reflects the consensus and if so to ask me to remove my discuss and approve the document. Unless I've really gotten something wrong here, I think we're done deciding what we are trying to say and are only left with deciding if we've managed to say it. When two parties communicate in these protocols they must authenticate each other. Typically EAP is used to authenticate the peer and the EAP server. Typically AAA protocols authenticate the authenticator and the AAA server. Typically secure association protocols run between the peer and authenticator. It's common for the EAP layer identities to be different from the lower layer identities. There are two types of lower layer identities: those that are used for authorization and those that are not. AN example of an identity not used for authorization would be a network that had a concept like a MAC address that is not used for access control. The MAC address is used to look up keys, but all people granted access to the network have the same authorizations. In this case it's not important to make sure that the peer is claiming a MAC address that is appropriate for the EAP layer identity of the peer. However in a network where the MAC address is used to make authorization decisions, someone needs to make sure that the peer's EAP identity is authorized to claim the MAC address that it claims. Typically the AAA server fills this role. However it would be OK to architect a design where the authenticator filled that role--I don't think you'd use RADIUS or Diameter in such a design though. The authenticator probably has a lower layer identity too. The AAA server needs to authorize this identity to the peer. Typically this would happen by the AAA server looking at what authenticator the peer claims it is connecting to, looking at the higher layer identity that the authenticator is using to communicate to the AAA server and confirming that the higher layer identity is authorized to claim the lower layer identity to peers. It's OK to have things like WLAN switches that are authenticators including a large number of physical devices. They can have one higher layer identifier and a lot of lower layer identifiers. They could potentially also have one lower layer identifier. Unlike the peer identity, we always assume that the lower layer authenticator identity needs to be authorized. _______________________________________________ Ietf@xxxxxxxx https://www1.ietf.org/mailman/listinfo/ietf