
Re: Issue: RADIUS Response and Retransmissions



> Therefore for a RADIUS retransmission it is possible that the ID and Request 
> Authenticator will remain the same or that they will change.

  I'm not sure what is meant by a "retransmission" if the
Access-Request packet contents change.  Which attributes determine a
"session"?

  Section 1.2 of RFC 2865 says:

   session   Each service provided by the NAS to a dial-in user
             constitutes a session, with the beginning of the session
             defined as the point where service is first provided and
             the end of the session defined as the point where service
             is ended.  A user may have multiple sessions in parallel or
             series if the NAS supports that.

  But it doesn't describe how to distinguish multiple parallel
sessions on the same NAS.  Many implementations assume a unique
session is at least (NAS-IP-Address, NAS-Port), but there may be other
viable approaches.

  In the absence of a clear and consistent definition for "session",
the RADIUS server MAY treat a "retransmit with new ID" as a different
session.  It MAY return Access-Accept for one request, and
Access-Reject for another.  This can happen when multiple simultaneous
login restrictions are enforced, among other scenarios.

  So the problem appears to be larger than just the NAS behavior.

  Again, in the absence of a clear and consistent definition for
"session", the presumed behavior of a NAS when it "retransmits with a
new ID" is that the old session is being discarded, and a new session
is being initiated.  In that case, the response of the server (if any)
is irrelevant, as the NAS has decided to stop supporting that session.

  So silently discarding the response associated with the "old"
session would appear to be the correct thing to do.  The NAS *could*
validate the response, but that would serve as a check that it was a
valid response, and an indication that the RADIUS server is still
alive.  That response would make no difference in subsequent NAS
behavior, as it already had decided to drop that session.

  My question is that if the NAS is supposed to validate the
response... what does it do then with that response?  How does its
behavior change over silently dropping the response?  How does it
handle the case where one "session" returns Access-Accept, and the
other Access-Reject?  Which session wins, and why?

  Silently discarding the old session would seem to me to be the
safest thing to do.

  Alan DeKok.

--
archive: <http://psg.com/lists/radiusext/>
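As an added example (not part of this thread, and not anyone's RADIUS implementation), the NAS-side handling Alan describes, sketched in Python: a late reply for a session the NAS already abandoned by "retransmitting with a new ID" is silently discarded, and any reply that is still matched to an outstanding request is checked against the Response Authenticator from RFC 2865 section 3 before it influences anything. The names `NasClient`, `build_response` and `demo` are hypothetical, attributes are passed as raw bytes, and the shared secret is a constructed sample.

```python
import hashlib, hmac, secrets, struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3

def response_authenticator(code, ident, attrs, request_auth, secret):
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_response(code, ident, request_auth, attrs, secret):
    # Server side: header + Response Authenticator + attributes.
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

class NasClient:
    # Hypothetical NAS: one outstanding Request Authenticator per Identifier.
    def __init__(self, secret):
        self.secret, self.outstanding, self.next_id = secret, {}, 0

    def send_request(self):
        ident, self.next_id = self.next_id, (self.next_id + 1) % 256
        self.outstanding[ident] = secrets.token_bytes(16)  # fresh per request
        return ident, self.outstanding[ident]

    def retransmit_with_new_id(self, old_ident):
        # The old session is abandoned: stop expecting its reply, start anew.
        self.outstanding.pop(old_ident, None)
        return self.send_request()

    def receive(self, packet):
        code, ident, length = struct.unpack("!BBH", packet[:4])
        resp_auth, attrs = packet[4:20], packet[20:length]
        request_auth = self.outstanding.get(ident)
        if request_auth is None:           # reply to a dropped/unknown session
            return "discard: no outstanding request with this ID"
        expected = response_authenticator(code, ident, attrs, request_auth, self.secret)
        if not hmac.compare_digest(resp_auth, expected):
            return "discard: bad Response Authenticator"
        del self.outstanding[ident]
        return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "discard: unexpected code")

def demo(secret=b"constructed-shared-secret"):
    # NAS sends ID 0, retransmits as ID 1; the server then replies late to ID 0.
    nas = NasClient(secret)
    old_id, old_auth = nas.send_request()
    new_id, new_auth = nas.retransmit_with_new_id(old_id)
    late = build_response(ACCESS_ACCEPT, old_id, old_auth, b"", secret)
    forged = build_response(ACCESS_ACCEPT, new_id, b"\x00" * 16, b"", secret)
    good = build_response(ACCESS_REJECT, new_id, new_auth, b"", secret)
    return nas.receive(late), nas.receive(forged), nas.receive(good)
```

Note that the late Access-Accept for the old ID is dropped before its authenticator is even checked, which is the "silently discard" behaviour the post argues for; only the reply matching the live request decides the outcome.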