> " Where a Service-Type Attribute with value "Authorize Only" is
> included within a CoA-Request, attributes representing an
> authorization change MUST NOT be included;

On first reading, that could be interpreted as "when asking for change of authorization, authorization changes are not permitted". I suggest adding text stating what it means to have CoA-Request without authorization changes. I'm not sure what to suggest, though.
How about this?

"Where a Service-Type Attribute with value "Authorize Only" is included within a CoA-Request, only NAS or session identification attributes are permitted, as well as Service-Type, Nonce and State attributes. If other attributes are included in such a CoA-Request, implementations MUST send a CoA-NAK; an Error-Cause Attribute with value "Unsupported Attribute" MAY be included."
BTW, since the NAS only needs the session identification attributes in order to prepare its response, it would seem that it would be "liberal in what you accept" to just ignore additional attributes.
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
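The check proposed in the message above, as an added example that is not part of the original thread or of any RADIUS implementation: it parses the attribute portion of a CoA-Request and applies the proposed rule, with a `liberal` switch for the "ignore additional attributes" alternative. The function names, the `IDENTIFICATION` set (a representative selection of NAS and session identification attribute types) and the `nonce_type` parameter (the thread gives no type code for Nonce) are assumptions.

```python
import struct

SERVICE_TYPE, STATE = 6, 24            # RADIUS attribute types
AUTHORIZE_ONLY = 17                    # Service-Type value "Authorize Only"
UNSUPPORTED_ATTRIBUTE = 401            # Error-Cause value "Unsupported Attribute"
# Assumption: a representative set of NAS/session identification attribute types.
IDENTIFICATION = {1, 4, 5, 8, 30, 31, 32, 44, 50, 87, 95, 96, 97}

def attr(atype, value):
    """Encode one attribute as type, length, value."""
    return bytes([atype, len(value) + 2]) + value

def parse_attributes(data):
    """Split the attribute portion of a RADIUS packet into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs

def check_coa_request(attrs, nonce_type=None, liberal=False):
    """Return (ok, error_cause, extra_types); ok=False means reply with CoA-NAK."""
    authorize_only = any(t == SERVICE_TYPE and v == struct.pack("!I", AUTHORIZE_ONLY)
                         for t, v in attrs)
    if not authorize_only:
        return True, None, []          # the rule under discussion does not apply
    allowed = IDENTIFICATION | {SERVICE_TYPE, STATE}
    if nonce_type is not None:         # the thread gives no type code for Nonce
        allowed.add(nonce_type)
    extra = [t for t, _ in attrs if t not in allowed]
    if extra and not liberal:
        return False, UNSUPPORTED_ATTRIBUTE, extra
    return True, None, extra           # liberal mode: extras are ignored

# Constructed sample: User-Name, Acct-Session-Id, Service-Type, State.
SAMPLE_OK = (attr(1, b"alice") + attr(44, b"0001")
             + attr(SERVICE_TYPE, struct.pack("!I", AUTHORIZE_ONLY)) + attr(STATE, b"\x01\x02"))
# Same request plus Session-Timeout (27), an authorization change.
SAMPLE_BAD = SAMPLE_OK + attr(27, struct.pack("!I", 3600))

if __name__ == "__main__":
    print(check_coa_request(parse_attributes(SAMPLE_OK)))
    print(check_coa_request(parse_attributes(SAMPLE_BAD)))
    print(check_coa_request(parse_attributes(SAMPLE_BAD), liberal=True))
```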