[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: When to Access-Reject vs. Silently Discard
"Glen Zorn (gwz)" <gwz@cisco.com> wrote:
> > We "know" it's the right NAS, because it has the right source IP
> > and shared secret, which is the only way to identify any NAS.
>
> But it's not a _user_ authentication or authorization problem,
> either; it's neither fish nor fowl.
From the point of view of the RADIUS server, it's just more
information in the packet. It doesn't know about "users", and doesn't
need to. e.g. MAC address authentication.
If the RADIUS server doesn't like something in the packet it gets
from a trusted NAS, it sends an Access-Reject. I'm not sure how the
issue of "NAS authorized for realms" is any different than any other
case.
Alan DeKok.
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>