RE: [Isms] RE: Follow up on Authorize Only issue
Glen Zorn writes...
> > If this attribute is used for its intended purpose, to allow the
> > RADIUS server to know what service to provision, then it
> > cannot also be used to indicate authorize-only mode.
> Too late, it already is.
Yes, for the Dynamic RADIUS Change of Authorization use case, as specified in RFC 3576. It has no formally specified usage outside 3576, that I recall. We need not use that method for the "general" authorization only case. We could devise a new method, such as the Asserted-Identity attribute, and relegate the Service-Type = "Authorize Only" usage to CoA only.
I tend to agree with Jeff that this portion of RFC 3576 was probably a "mistake". I can say that as I had nothing to do with that document. Whether it was or wasn't, we are not obligated to carry that particular usage into other areas of application for RADIUS.
--
archive: <http://psg.com/lists/radiusext/>