[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Re-auth failure
Alper Yegin wrote:
> Shouldn't the network have the option to let the host stay connected until
> the expiration of the currently granted session, if it chooses to? If so, is
> there a different interpretation of the above text, or a different message
> (Access-Accept with EAP-Failure?) recommended?
I tend to agree with David here. RADIUS servers have traditionally
been authoritative, so the user has to be rejected here.
Much of the confusion comes about because RADIUS has traditionally had
no definition of what a "session" is. In this case, the server *is*
authoritative for a session. However, it's unclear whether or not the
second session is related to the first, if at all.
NASes have traditionally made fail-safe decisions: If they receive an
Access-Reject for a authentication tied to one MAC address, that MAC
address is denied access. This happens even if there are other
"sessions" tied to that MAC which may still have access rights.
to unsubscribe send a message to email@example.com with
the word 'unsubscribe' in a single line as the message text body.