
RE: User Alias Identity (Was: Re: comments on draft-adrangi-radius-attributes-extension-00.tx)



> We must not pass back
> the User-Name in the Access-Accept even though it is highly recommended.
>
> The question is, is this an acceptable control of this function

The User-Name attribute is optional in an Access-Accept according to both
RFC 2865 and 3579.  As has been noted by Barney Wolff, a Proxy-State attribute
can be used to enable proper routing of the Access-Accept, even if the
User-Name attribute is omitted.  So it would seem like you can omit the
User-Name and include a Proxy-State attribute and the Access-Accept should
still be successfully routed back to the NAS.

> allowing the User-Name to return in the Access-Accept where we can be
> assured of proper accounting transmission, but then not include the
> User-Name when keeping the originally presented NAI

I'm finding this part hard to parse.  In the previous paragraph you
mention not including the User-Name attribute.  Given the issues you
raise, I'm not sure how "proper accounting transmission" can be
guaranteed, other than by having the proxy re-write the User-Name returned
in an Access-Accept, if it is different from the User-Name attribute in
the Access-Request.


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
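
An added example, not part of the original message or of any RADIUS implementation: a proxy that routes an Access-Accept by Proxy-State alone when User-Name is omitted, and restores the User-Name the NAS sent when the home server returns a different one. The `Proxy` class, its method names and the sample values are hypothetical; it assumes the proxy reuses the NAS's Identifier and Request Authenticator upstream and does not verify the home server's reply.

```python
import hashlib, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, USER_NAME, PROXY_STATE = 1, 2, 1, 33

def build(code, ident, auth, attrs):
    """Encode a RADIUS packet (RFC 2865 header + type/length/value attributes)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def parse(pkt):
    """Decode a packet into (code, id, authenticator, [(type, value), ...])."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, i = [], 20
    while i < length:
        if i + 2 > length or pkt[i + 1] < 2 or i + pkt[i + 1] > length:
            raise ValueError("bad attribute length")
        attrs.append((pkt[i], pkt[i + 2:i + pkt[i + 1]]))
        i += pkt[i + 1]
    return code, ident, pkt[4:20], attrs

def sign_reply(code, ident, req_auth, attrs, secret):
    """Response Authenticator = MD5(code+id+length+RequestAuth+attrs+secret)."""
    digest = hashlib.md5(build(code, ident, req_auth, attrs) + secret).digest()
    return build(code, ident, digest, attrs)

class Proxy:  # hypothetical proxy, for illustration only
    def __init__(self, nas_secret):
        self.nas_secret, self.pending = nas_secret, {}

    def forward_request(self, pkt, nas_addr):
        """Remember the NAS and its User-Name under a fresh Proxy-State value."""
        code, ident, auth, attrs = parse(pkt)
        state = os.urandom(8)
        name = next((v for t, v in attrs if t == USER_NAME), None)
        self.pending[state] = (nas_addr, auth, name)
        # Assumption: Identifier and Request Authenticator are reused upstream.
        return build(code, ident, auth, attrs + [(PROXY_STATE, state)])

    def forward_reply(self, pkt):
        """Route a reply by Proxy-State alone; User-Name may be absent."""
        code, ident, _, attrs = parse(pkt)
        last = max((i for i, (t, _) in enumerate(attrs) if t == PROXY_STATE), default=None)
        if last is None or attrs[last][1] not in self.pending:
            raise LookupError("no matching Proxy-State")
        nas_addr, req_auth, name = self.pending.pop(attrs.pop(last)[1])
        # Restore the User-Name the NAS sent if the home server returned another.
        attrs = [(t, name if t == USER_NAME and name is not None else v) for t, v in attrs]
        return nas_addr, sign_reply(code, ident, req_auth, attrs, self.nas_secret)
```

Because the proxy strips its Proxy-State and may rewrite User-Name, the Response Authenticator has to be recomputed with the secret shared with the NAS, which is what `sign_reply` does.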