[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [Isms] RE: Follow up on Authorize Only issue
Glen Zorn writes...
> > If this attribute is used for its intended purpose, to allow the
> > RADIUS server to know what service to provision, then it
> > cannot also be used to indicate authorize-only mode.
> Too late, it already is.
Yes, for the Dynamic RADIUS Change of Authorization use case, as specified in RFC 3576. It has no formally specified usage outside 3576, that I recall. We need not use that method for the "general" authorization only case. We could devise a new method, such as the Asserted-Identity attribute, and relegate the Service-Type = "Authorize Only" usage to CoA only.
I tend to agree with Jeff that this portion if RFC 3576 was probably a "mistake". I can say that as I had nothing to do with that document. Whether it was or wasn't, we are not obligated to carry that particular usage into other areas of application for RADIUS.
to unsubscribe send a message to email@example.com with
the word 'unsubscribe' in a single line as the message text body.