[hannes] to me it seems reasonable not to include location information with
every request. a visited network which knows that it has to send location
information to a particular home network might do so. i also think that it
would be good to have an error attribute to indicate that it was not
possible to authorize the user properly based on the missing location
information.

we have added the usage of the error-cause attribute. within the iana
section we need to register a new type:

I am confused by the model that is described here. I could understand why
the NAS might not send the NAS location with every Access-Request. But
user location is another matter. If the NAS is set up to send user
location data, why would it not send it on each request?

My reading of RFC 2865 is that service provisioning attributes (including
VSAs) are forbidden in a RADIUS Access-Reject. However, information on
why the request failed is ok (e.g. Reply-Message, EAP-Message/EAP-Failure,
etc.). So I think that Error-Cause can be included.

However, Error-Cause will not solve the problem that is described. If the
NAS is not sending User location on every Access-Request and the server
requires this, then every Access-Request that is sent without the user
location will be denied.

I'd suggest that language be included in the document to say that "by
default, a NAS that is set up to provide user location information to the
RADIUS server MUST provide this information in every Access-Request."
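
The failure mode discussed in this message, as an added example that is not part of the original thread: a server that requires user location rejects every Access-Request that lacks it, and the Access-Reject carries only explanatory attributes. The location attribute type (250) and the Error-Cause value (65535) are placeholders, since the thread gives neither number.

```python
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, REPLY_MESSAGE, SESSION_TIMEOUT = 1, 18, 27    # RFC 2865 attribute types
EAP_MESSAGE, ERROR_CAUSE = 79, 101                       # RFC 3579, RFC 3576
USER_LOCATION = 250         # placeholder type: the thread does not give the real number
LOCATION_REQUIRED = 65535   # placeholder Error-Cause value for the "new type" to register

# Attributes that only explain a failure, per the reading of RFC 2865 in the message above.
REJECT_ALLOWED = {REPLY_MESSAGE, EAP_MESSAGE, ERROR_CAUSE}

def encode_attrs(attrs):
    """Encode (type, value-bytes) pairs as RADIUS TLVs; length covers the 2-byte header."""
    out = b""
    for atype, value in attrs:
        if not 0 < len(value) <= 253:
            raise ValueError("attribute value must be 1..253 octets")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out

def decode_attrs(data):
    """Parse RADIUS TLVs, rejecting truncated attributes and bad length fields."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs

def authorize(request_attrs, location_required=True):
    """Return (packet code, reply TLVs) for an Access-Request attribute block."""
    seen = {t for t, _ in decode_attrs(request_attrs)}
    if location_required and USER_LOCATION not in seen:
        reply = [(ERROR_CAUSE, struct.pack("!I", LOCATION_REQUIRED)),
                 (REPLY_MESSAGE, b"location information required")]
        return ACCESS_REJECT, encode_attrs(reply)
    return ACCESS_ACCEPT, encode_attrs([(SESSION_TIMEOUT, struct.pack("!I", 3600))])

def simulate(requests):
    """Run a sequence of requests from one NAS and collect the reply codes."""
    return [authorize(r)[0] for r in requests]

# Constructed input: the NAS sends user location on the first request only.
FIRST = encode_attrs([(USER_NAME, b"alice"), (USER_LOCATION, b"constructed-location")])
LATER = encode_attrs([(USER_NAME, b"alice")])
```

`simulate([FIRST, LATER, LATER])` returns accept, reject, reject: Error-Cause tells the NAS why, but only sending the location on every request avoids the rejects.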