[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: issue 163: Vendor-Specific Attribute with "Authorize-Only" Service-Type

To: radiusext@ops.ietf.org
Subject: Re: issue 163: Vendor-Specific Attribute with "Authorize-Only" Service-Type
From: "Bernard Aboba" <bernard_aboba@hotmail.com>
Date: Sun, 22 Jan 2006 14:01:45 -0800
Bcc:
Cc: steven.xu@motorola.com

The permitted attributes in a Disconnect-Request parallels the attributespermitted in a RADIUS Access-Reject to some extent. The Disconnect-Requestonly includes session identification attributes since the goal is not tochange the authorizations, but to terminate the user. Therefore the onlyattributes needed are those that are used for user-identification.

RFC 2865 only enables Reply-Message and Proxy-State attributes in anAccess-Reject; Vendor-Specific attributes are prohibited. RFC 2869 enablesinclusion of Password-Retry, EAP-Message and Message-Authenticatorattributes. RFC 3579 enables inclusion of an Error-Cause attribute withinan Access-Reject. RFC 2868 and 3162 do not enable use of the attributesdefined there within an Access-Reject.

So my take is that the omission of vendor-specific attributes from a RFC3576 Disconnect-Request is intentional.

Of course, this begs the question of why a Service-Type value of "AuthorizeOnly" is being used with a Disconnect-Request in the first place. RFC 3576is in error in stating that this is useful for Diameter interoperability;in fact, Diameter disconnect requests are handled via request/response, notvia generation of another Access-Request.







===========================================================
Issue 163: Vendor-Specific Attribute with "Authorize-Only" Service-Type
Submitter names: Steven Xu
Submitter email address: steven.xu@motorola.com
Date first submitted: January 20, 2006
Reference: http://ops.ietf.org/lists/radiusext/2006/msg00034.html
Document: FIXES-01
Comment type: 'T'echnical |
Priority: S
Section: Various
Rationale/Explanation of issue:

I am looking for a clarification on "Vendor-Specific" attribute inDisconnect-Request when it is used for "Authorize Only".

In RFC3576 section 3.2, there is no Note for "Vendor-Specific" in DisconnectRequest. (There is Note 3 for the COA). So when the Service-Type is"Authorize Only" in Disconnect-Request, can it have the Vendor-Specificattribute? The Note 3 says NO, but it is not added for DM.




--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

Prev by Date: Re: Issue 161: Authorize-Only Service-Type
Next by Date: RE: Last Look at RFC 2618bis, 2619bis
Previous by thread: Re: Issue 161: Authorize-Only Service-Type
Next by thread: I-D ACTION:draft-ietf-radext-rfc2618bis-02.txt
Index(es):
- Date
- Thread