RE: FW: HTTP digest and RADIUS; new version of the Sterman draft
> Recall that RADIUS clients MAY handle an unknown
> attribute by treating the packet as if it were an Access-Reject.

RFC 2865 Section 1.1 says:

   A NAS that does not implement a given service MUST NOT implement the
   RADIUS attributes for that service. For example, a NAS that is
   unable to offer ARAP service MUST NOT implement the RADIUS attributes
   for ARAP. A NAS MUST treat a RADIUS access-accept authorizing an
   unavailable service as an access-reject instead.

At the same time, Section 5 says:

   A RADIUS server MAY ignore Attributes with an unknown Type.
   A RADIUS client MAY ignore Attributes with an unknown Type.

My interpretation of this is that RFC 2865 defines attributes authorizing
a service as "mandatory", whereas other attributes are optional. The next
question is "which attributes advertise a service?" The definition of a
service in RFC 2865 is:

   service   The NAS provides a service to the dial-in user, such as PPP
             or Telnet.

This example seems to correspond to the definition of the Service-Type
attribute (which can authorize Framed or Login services, among others).
So at least the Service-Type attribute needs to be considered Mandatory.
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>