
Re: Comments on draft-carroll-dynmobileip-cdma-04.txt



Avi Lior <avi@bridgewatersystems.com> wrote:
> Access-Reject may not always result in the termination of a session etc...
> 
> For example, when I am doing authorize only, (Access-Accept with
> Service-Type = Authorize-Only) the Access-Reject is a rejection of that
> authorization and not necessarily the rejection of the entire session or
> service.  Or is it? 

  It's at least a rejection of what they asked for.  For
Authorize-Only, the semantics of the Access-Reject should clearly be
that the authorization failed.

  E.g., Cisco TACACS-style command authorization.  A request for
authorization of a command may be "rejected", but the admin's session
will remain active, because no session information was sent in the request.

  For this draft, Figure 4 shows that the protocol flow is:

	11. Access-Request
	13. Access-Reject
	16. Access-Request
	17. Access-Accept

  As noted earlier, an Access-Challenge packet would normally be used
in the second step.  A more telling item I noted is that the
Access-Reject implicitly has multiple meanings.  E.g., for step 12, the
draft says:

	12. ... The RADIUS AAA Server verifies
        the MN-AAA Authentication Extension Authenticator using the
        decrypted MN_AAA key.  If successful, ...

  There's no description of what happens if the verification fails.

  My question to the draft authors is then: What happens when
verification fails?  Is the server supposed to send an Access-Reject
*without* the AA_Authenticator RADIUS VSA?  Will the client terminate
the session because of this reject?

  Alan DeKok.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
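To make the point of the thread concrete, here is an added example (not code from the thread, the draft, or any RADIUS implementation) of how a client might decide what an Access-Reject means for a session, after first verifying the reply's Response Authenticator so that an unauthenticated Reject cannot tear down anything. It assumes the RADIUS packet layout of RFC 2865 and the Service-Type value 17 for Authorize-Only from RFC 5176; the shared secret, identifier and Request Authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_SERVICE_TYPE = 6
SERVICE_TYPE_AUTHORIZE_ONLY = 17  # RFC 5176 value for Service-Type = Authorize-Only

def attr(attr_type, value):
    """Encode one RADIUS attribute: Type(1) Length(1) Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def build_packet(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def build_response(code, request, attrs, secret):
    """Server side: answer `request` with `code`, computing the Response Authenticator."""
    ident, req_auth = request[1], request[4:20]
    return build_packet(code, ident, response_authenticator(code, ident, req_auth, attrs, secret), attrs)

def verify_response(response, request, secret):
    """Client side: accept a reply only if ID, length and Response Authenticator all match."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return False
    expected = response_authenticator(code, ident, request[4:20], response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])

def parse_attrs(data):
    """Walk the attribute list, rejecting malformed lengths instead of over-reading."""
    attrs, i = {}, 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs

def reject_terminates_session(request, response, secret):
    """True only for a verified Access-Reject answering a request that was not Authorize-Only."""
    if not verify_response(response, request, secret):
        raise ValueError("Response Authenticator mismatch: discard the reply, do not act on it")
    if response[0] != ACCESS_REJECT:
        return False
    service_type = parse_attrs(request[20:]).get(ATTR_SERVICE_TYPE)
    if service_type == struct.pack("!I", SERVICE_TYPE_AUTHORIZE_ONLY):
        return False  # only the requested authorization failed; the session is untouched
    return True
```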