
Re: Issue 189: Attribute Semantics



The text of Issue 189 is enclosed below.

The proposed resolution is to insert the following text in Section 1.3:

"The attributes described in this
document apply to a single instance of a NAS port, or more
specifically an IEEE 802.1Q bridge port. [IEEE-802.1Q], [IEEE-802.1D]
and [IEEE-802.1X] do not recognize finer management granularity than "per
port". In some cases, such as with IEEE 802.11 wireless
LANs, the concept of a "virtual port" is used in place of the
physical port. Such virtual ports are typically based on
security associations and scoped by station, or MAC address.

The attributes defined in this document are
applied on a per-user basis, and it is expected that there is a single user
per port; however, in some cases that port may be a "virtual
port". If a NAS implementation conforming to this document
supports "virtual ports", it may be possible to provision
those "virtual ports" with unique values of the attributes
described in this document, allowing multiple users sharing
the same physical port to each have a unique set of authorization
parameters."


-------------------------------------------------------------------------
Issue 189: Attribute Semantics
Submitter name: David Nelson
Submitter email address: dnelson@enterasys.com
Date first submitted: April 18, 2006
Reference: http://ops.ietf.org/lists/radiusext/2006/msg00468.html
Document: VLAN-03
Comment type: Technical
Priority: 1
Section: 1.3
Rationale/Explanation of issue:
An explanation of how the attributes in this document would be applied
to multi-user authentication environments, by means of "virtual ports",
is required. The base IEEE 802 documents assume per-physical-port
granularity. In the absence of an explanation, conflicting results may
occur.

Requested change:

Add the following text:

The semantics of the RADIUS attributes described in this
document apply to a single instance of a NAS port, or more
specifically an IEEE 802.1Q bridge port. The underlying IEEE
802 standards, as listed in the references section, do not
recognize finer management granularity than "per port". In
some cases, such as with IEEE 802.11 wireless LANs, the concept
of a "virtual port" is used in place of the physical port.
Such virtual ports are typically based on security associations
and scoped by station, or MAC address.

If a NAS implementation, conforming to this document,
supports "virtual ports", it may be possible to provision
those "virtual ports" with unique values of the attributes
described in this document, allowing multiple users sharing
the same physical port to each have a unique set of authorization
parameters. The authorization parameters are applied on a
per-user basis and it is expected that there is a single user
per port; however, in some cases that port may be a "virtual
port".
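The per-port versus per-virtual-port semantics discussed in the proposed text and in the issue rationale, as an added illustration that is not part of the draft or of this message: a hypothetical NAS model that binds each user's authorization parameters either to the physical port or, when virtual ports are supported, to a port scoped by station MAC address. The `Authorization` field names, the `Nas` class and the sample MAC addresses are constructed for this example; the point it makes is the "conflicting results" case, where two users on one physical port need different parameters and the port cannot be subdivided.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

@dataclass(frozen=True)
class Authorization:
    """Parameters a RADIUS server returns for one user (field names constructed here)."""
    vlan_id: int
    ingress_filtering: bool

class PortConflict(Exception):
    """A second user on the same port requires different parameters."""

class Nas:
    """Hypothetical NAS that binds per-user authorization parameters to a port."""
    def __init__(self, supports_virtual_ports: bool) -> None:
        self.supports_virtual_ports = supports_virtual_ports
        self.bindings: Dict[Tuple, Authorization] = {}

    def port_key(self, physical_port: int, station_mac: str) -> Tuple:
        # A virtual port is scoped by station (MAC address); without virtual
        # ports the physical port is the finest unit of management there is.
        if self.supports_virtual_ports:
            return (physical_port, station_mac.lower())
        return (physical_port,)

    def authorize(self, physical_port: int, station_mac: str, auth: Authorization) -> Tuple:
        # Apply the user's parameters to the port they are on, but refuse to
        # silently replace another user's parameters when the port cannot be subdivided.
        key = self.port_key(physical_port, station_mac)
        current = self.bindings.get(key)
        if current is not None and current != auth:
            raise PortConflict(f"port {key} already provisioned with {current}")
        self.bindings[key] = auth
        return key

def demo() -> Tuple[bool, int, int]:
    """Two users on physical port 7 needing different parameters (constructed sample).
    Returns (conflict_without_virtual_ports, bindings_without, bindings_with)."""
    users = [("00:11:22:33:44:55", Authorization(10, True)),
             ("66:77:88:99:AA:BB", Authorization(20, False))]
    plain, virtual = Nas(supports_virtual_ports=False), Nas(supports_virtual_ports=True)
    conflict = False
    for mac, auth in users:
        virtual.authorize(7, mac, auth)  # each station gets its own virtual port
        try:
            plain.authorize(7, mac, auth)  # one set of parameters per physical port
        except PortConflict:
            conflict = True
    return conflict, len(plain.bindings), len(virtual.bindings)
```

Without virtual ports the second user's parameters collide with the first user's on port 7, which is exactly the ambiguity the issue asks the draft to address; with virtual ports each station carries its own set.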


