[Issue] Authorize Only usage in HTTP redirect
Description of issue: Authorize Only usage in HTTP redirect
Submitter name: Greg Weber
Submitter email address: gdweber@cisco.com
Date first submitted: February 2, 2006
Reference: http://ops.ietf.org/lists/radiusext/2006/msg00090.html
Document: IEEE802-01
Comment type: Technical
Priority: S
Section: A.2.2
Rationale/Explanation of issue:
Section A.2.2 Mid-session HTTP Redirection reads:
    If HTTP redirection is required to be applied to a service that
    has already been started then the RADIUS server can push the
    redirection rules, and optionally the filter rules, to the NAS
    within a NAS-Filter-Rule(TBD) attribute using a CoA message. The
    NAS will then commence to apply the redirection rules and/or the
    filter rules.

    Alternatively, the RADIUS server can request that the NAS re-
    authorize the session using the procedures defined in [RFC3576].
    The RADIUS server responds with an Access-Accept message (with
    Service-Type(6) set to "Authorize Only" that will contain the
    redirection and optionally filtering rules within a NAS-Filter-
    Rule(TBD) attribute.
I don't think "Authorize Only" is a valid Service-Type value in
Access-Accept messages. The server should be indicating the
assigned Service in the Access-Accept. Take a look at the last
paragraph of RFC 3576's Section 1.1. I think that describes the
process you're referring to here.
Requested change:
I suggest replacing the above text with something like:
    If HTTP redirection is required to be applied to a service that
    has already been started, then the RADIUS server may use either
    of the procedures defined in [RFC3576]:

    - The server may send the NAS a CoA-Request message including
      a NAS-Filter-Rule which contains redirection rules and
      optionally filter rules. The NAS will then apply the new
      rules to the existing services.

    - The server may send the NAS a CoA-Request message including
      a Service-Type attribute with the value of "Authorize Only".
      This will trigger the NAS to reauthorize the existing service
      by sending the server an Access-Request message containing a
      Service-Type attribute with the value of "Authorize Only".
      The server may then send the NAS new redirection and optionally
      filter rules within a NAS-Filter-Rule as part of an Access-
      Accept message.
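The two RFC 3576 procedures in the proposed text, modelled end to end as an added example that is not part of the original post or of the draft. The NAS-Filter-Rule attribute number (92), the State token "tok-1" and the rule strings are assumptions, since the draft leaves the attribute number TBD; the NAS and server here check the State on both sides so a re-authorization can only follow a CoA-Request tied to a real session.

```python
# RADIUS codes and attribute types from RFC 2865 and RFC 3576. NAS-Filter-Rule is
# "TBD" in the draft under discussion; 92 is used here as an assumed placeholder.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, COA_REQUEST, COA_ACK, COA_NAK = 1, 2, 3, 43, 44, 45
SERVICE_TYPE, STATE, NAS_FILTER_RULE, ERROR_CAUSE = 6, 24, 92, 101
AUTHORIZE_ONLY, MISSING_ATTRIBUTE, REQUEST_INITIATED = 17, 402, 507
# Constructed sample rules; the real redirect syntax is defined by the draft.
NEW_RULES = ["permit in tcp from any to 192.0.2.10 80", "deny in ip from any to any"]

def pkt(code, attrs=None):                         # packet = code + {attribute type: [values]}
    return {"code": code, "attrs": attrs or {}}

class NAS:
    def __init__(self):
        self.rules = []                            # NAS-Filter-Rule lines in force
    def on_coa(self, coa):
        """Return (reply to the CoA-Request, Access-Request to send or None)."""
        a = coa["attrs"]
        if a.get(SERVICE_TYPE) != [AUTHORIZE_ONLY]:
            self.rules = a.get(NAS_FILTER_RULE, self.rules)   # first procedure: rules in the CoA
            return pkt(COA_ACK), None
        if STATE not in a:                         # RFC 3576: Authorize Only requires State
            return pkt(COA_NAK, {ERROR_CAUSE: [MISSING_ATTRIBUTE]}), None
        # Second procedure: NAK "Request Initiated", then re-authorize, echoing the State.
        nak = pkt(COA_NAK, {SERVICE_TYPE: [AUTHORIZE_ONLY], ERROR_CAUSE: [REQUEST_INITIATED]})
        return nak, pkt(ACCESS_REQUEST, {SERVICE_TYPE: [AUTHORIZE_ONLY], STATE: a[STATE]})
    def on_access_reply(self, reply):
        if reply["code"] == ACCESS_ACCEPT:         # a reject leaves the old rules in place
            self.rules = reply["attrs"].get(NAS_FILTER_RULE, self.rules)

class Server:
    def __init__(self, state):
        self.state = state                         # State issued at initial authentication
    def coa(self, authorize_only, state):
        if not authorize_only:
            return pkt(COA_REQUEST, {NAS_FILTER_RULE: NEW_RULES})
        return pkt(COA_REQUEST, {SERVICE_TYPE: [AUTHORIZE_ONLY], **({STATE: [state]} if state else {})})
    def on_access_request(self, req):
        a = req["attrs"]
        # Accept only if the echoed State is ours; the Accept carries rules, not "Authorize Only".
        if a.get(SERVICE_TYPE) == [AUTHORIZE_ONLY] and a.get(STATE) == [self.state]:
            return pkt(ACCESS_ACCEPT, {NAS_FILTER_RULE: NEW_RULES})
        return pkt(ACCESS_REJECT)

def mid_session_redirect(authorize_only, coa_state="tok-1"):
    """Run one procedure end to end; returns (CoA reply code, rules now applied)."""
    server, nas = Server("tok-1"), NAS()
    reply, req = nas.on_coa(server.coa(authorize_only, coa_state))
    if req is not None:
        nas.on_access_reply(server.on_access_request(req))
    return reply["code"], nas.rules
```

Both procedures end with the same rules on the NAS; the Authorize Only path answers the CoA with a NAK carrying Error-Cause 507 rather than an ACK, and a CoA-Request without State, or with a State the server did not issue, leaves the session's rules unchanged.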
archive: <http://psg.com/lists/radiusext/>