
RE: [Isms] RE: Follow up on Authorize Only issue



Jeffrey Hutzelman <mailto:jhutz@cmu.edu> supposedly scribbled:

> On Tuesday, July 25, 2006 02:20:49 PM -0700 "Glen Zorn (gwz)"
> <gwz@cisco.com> wrote:
> 
>> Actually, no, at least in current usage an authentication type
>> _always_ has an associated attribute, which can be seen as something
>> that the server doesn't understand.
> 
> Is there a requirement that a server reject a request which contains
> any attributes it doesn't understand? 
> 
> 
> 
>>> A RADIUS server which supports authorize-only will
>>> probably want to return success for the request using that feature,
>>> but still must return failure for requests using methods it doesn't
>>> understand.  To make the distinction, you need an affirmative
>>> indication from the client that it wants authorize-only;
>> 
>> Is that not provided by the Service-Type of Authorize-Only?
> 
> Not if you want to use Service-Type to actually indicate the service
> type, instead of overloading it to mean something else.  As I understand
> it, this attribute is _supposed_ to indicate the type of service the NAS
> is providing to the user, and overloading it to mean something else was a
> mistake.  If this attribute is used for its intended purpose, to allow
> the RADIUS server to know what service to provision, then it cannot also
> be used to indicate authorize-only mode.

Too late, it already is.

Hope this helps,

~gwz

Why is it that most of the world's problems can't be solved by simply
  listening to John Coltrane? -- Henry Gabriel
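
The distinction debated in this thread, as an added example that is not code from either poster or from any RADIUS implementation: a server-side classifier that treats Service-Type = Authorize Only as the affirmative indication (the existing usage the reply refers to) and rejects requests that carry neither a credential attribute it knows nor that indication. The decision policy, the helper names and the sample packets are assumptions made for illustration; the attribute numbers are the standard RADIUS assignments.

```python
import struct

# Standard RADIUS attribute types; 17 is the Service-Type value "Authorize Only".
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, SERVICE_TYPE, EAP_MESSAGE = 1, 2, 3, 6, 79
AUTHORIZE_ONLY, ACCESS_REQUEST = 17, 1
CREDENTIAL_ATTRS = {USER_PASSWORD, CHAP_PASSWORD, EAP_MESSAGE}  # methods this server knows

def parse_attributes(packet: bytes):
    """Return [(type, value)] from an Access-Request; raise ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs

def classify(packet: bytes) -> str:
    """Assumed policy: 'authenticate', 'authorize-only', or 'reject'."""
    attrs = parse_attributes(packet)
    if any(t in CREDENTIAL_ATTRS for t, _ in attrs):
        return "authenticate"
    for t, v in attrs:
        if t == SERVICE_TYPE and len(v) == 4 and struct.unpack("!I", v)[0] == AUTHORIZE_ONLY:
            return "authorize-only"
    # No known credential and no affirmative indication: unknown attributes
    # may hide an authentication method this server does not understand.
    return "reject"

def build_request(attrs):
    """Build a constructed sample packet (zeroed authenticator, demo only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples; attribute type 200 stands in for an unrecognised method.
SAMPLES = {
    "password": build_request([(USER_NAME, b"alice"), (USER_PASSWORD, bytes(16))]),
    "authorize-only": build_request([(USER_NAME, b"alice"), (SERVICE_TYPE, struct.pack("!I", 17))]),
    "unknown-method": build_request([(USER_NAME, b"alice"), (200, b"\x01\x02\x03")]),
    "framed-no-creds": build_request([(USER_NAME, b"alice"), (SERVICE_TYPE, struct.pack("!I", 2))]),
}
```

The "framed-no-creds" sample shows the cost of the overloading objected to in the quoted text: a request whose Service-Type names a real service cannot also signal authorize-only through the same attribute.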
