
RE: Issue 38 - Ordering of filter attributes



> How often do you foresee generating a single NAS-Filter-Rule that would
> blow out a single RADIUS attribute?  Even so, why couldn't you spread
> out the rule over multiple attributes with the same net effect?  If
> anything, I do see an issue in running out of space for multiple rules
> (i.e. multiple NAS-Filter-Rule attributes) within a single
> Access-Accept.

Today's enterprise networks frequently involve many devices and prefixes.
It is not uncommon to see networks with 200 prefixes or thousands of
servers.

As a result, filters can easily become very large.  I have encountered a
situation with a customer where NAS-Filter-Rule attributes would be
unlikely to fit within a single RADIUS Access-Accept, even though each
rule would probably fit within a single attribute.

The question is what we do about it.  I asked about mixing Filter-Id
with NAS-Filter-Rule because it is compact.  Might there be a way of
supporting "named" filters where a subsequent Access-Accept could refer
back to a name?

archive: <http://psg.com/lists/radiusext/>