
RE: Fixes Issue: Interim-Accounting-Interval and Local Configuration



Thanks Bik, Barney and Bernard for the responses.

I am not at all underestimating the reasons for establishing
a policy (such as if the server gives a smaller period than
the one configured in the NAS then use the one from NAS etc.)
but the original point I raised in my mail to Bernard was that
such decisions should be left to configurations on the NAS (such
as IOS CLI for Cisco and similarly for other vendors) and we should
not preclude such business policies by MUSTing it out in the RFC.

Thanks
sai.




On Thu, 14 Jul 2005, Bikramjit Singh wrote:

> Argument can be made both ways, but technically NAS is not a proxy. A NAS
> defers to the server on almost every aspect starting from authentication to
> changing of username in accounting packets to a lot of things.
>
> A NAS is asked to grant access to the user by the server according to the
> terms and conditions specified by the server in form of attributes. So
> unless there is a very concrete case for a NAS overriding the value of an
> attribute specified by the server, it should adhere and use the values of
> attributes specified by the server.
>
> Thanks
>
> -Bik
>
> ------------------------------------
> Nomadix
> Bikramjit Singh
> Technical Project Manager
> tel: 818-575-2518
> fax: 818-597-1502
> mobile: 818-613-6998
> www.nomadix.com
> ------------------------------------
>
> -----Original Message-----
> From: owner-radiusext@ops.ietf.org [mailto:owner-radiusext@ops.ietf.org] On
> Behalf Of Barney Wolff
> Sent: Thursday, July 14, 2005 10:35 AM
> To: Bernard Aboba
> Cc: radiusext@ops.ietf.org
> Subject: Re: Fixes Issue: Interim-Accounting-Interval and Local
> Configuration
>
> On Thu, Jul 14, 2005 at 10:05:32AM -0700, Bernard Aboba wrote:
> >
> > The Interim Accounting Interval is often set in order to ensure against
> > loss of income by billing systems.  So I can understand why there is
> > concern if an Interim-Accounting-Interval attribute sent by a RADIUS
> > server would be ignored by the NAS.
> >
> > Although I do not recall the conversations that led to this paragraph
> > being inserted, I think the concern may relate to inappropriately small
> > values being sent by a RADIUS server.  For example, if the implementation
> > has a setting for "minimum Interim-Accounting-Interval" then I would say
> > that this should not be overridden by a smaller value, but could be
> > overridden by a larger one.
>
> I think the issue is whose policy shall apply, when the RADIUS server
> and NAS are under different administrative control.  Setting the value
> in the NAS is the equivalent of overriding whatever value is set by
> the server in the proxy that (presumably) should exist between the NAS
> and the server in this case.
>
> > However, if the nature of the implementation setting is "use value X by
> > default, but allow the RADIUS server to override it" I don't understand
> > why that should be prohibited.
>
> One can always speculate on why values would be configured directly in
> the NAS if the proxy is under the same administration.  Perhaps the
> thinking was that some NASes may be intelligent enough to pick the right
> server based on NAI or other info without an intervening proxy.  In that
> case configuration of values on the NAS is the equivalent of doing so
> in a virtual proxy, and, since a proxy can always override attribute
> values, the NAS settings win.
>
> A definite choice, even if "wrong", is probably better than uncertainty
> in cases like this.
>
> Regards,
> Barney
>
> ------------------------------------
>
> From: Saikrishnan [mailto:saig@cisco.com]
> Sent: Thu 7/14/2005 9:47 AM
> To: cdr@telemancy.com; ward@cyno.com; Glen Zorn
> Cc: dnelson@enterasys.com; Bernard Aboba
> Subject: RFC 2869 and draft-aboba-radext-fixes-00.txt

> Hi,
>
> In section 2.1 of RFC 2869, it is mentioned that the
> interim-accounting-interval coming from the RADIUS server is superseded
> by the local config on the NAS.
>
> Pl. find below the snippet.
>
> -----
>
>  2.1.  RADIUS support for Interim Accounting Updates
>
>    When a user is authenticated, a RADIUS server issues an Access-Accept
>    in response to a successful Access-Request. If the server wishes to
>    receive interim accounting messages for the given user it must
>    include the Acct-Interim-Interval RADIUS attribute in the message,
>    which indicates the interval in seconds between interim messages.
>
>    It is also possible to statically configure an interim value on the
>    NAS itself. Note that a locally configured value on the NAS MUST
>    override the value found in an Access-Accept.
>
> ----
>
> But in terms of priority it makes more sense for the finer granularity
> config overriding the global config. For instance, if you want to apply
> an umbrella policy that all the sessions are done periodic accounting
> every 30 mins but for Jane's session, we need to do periodic accounting
> every 45 mins, the only way for provisioning this is by adding 45' to
> Jane's user profile.
>
> But the RFC MUSTs it out. I am copying the authors for clarification.
>
> Please note that in all the other attributes in Cisco IOS, the PER-USER
> attribute (the attribute defined in the user profile) overrides what is
> configured globally on the box. At minimum, this should be left for
> implementation. Pl. let me know if I am missing something.
>
> Thanks and Warm regards
> sai.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
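
The three precedence rules argued in this thread, side by side, as an added example that is not part of the original messages or of any vendor's implementation. It reads Acct-Interim-Interval (attribute type 85) from an Access-Accept and resolves it against a locally configured value; the policy names `local-wins`, `server-wins` and `local-floor`, the helper names, and the choice to ignore server values below 60 seconds are assumptions made for illustration.

```python
import struct
from typing import Optional

ACCESS_ACCEPT = 2            # RADIUS packet code (RFC 2865)
ACCT_INTERIM_INTERVAL = 85   # attribute type (RFC 2869)
RFC_MINIMUM = 60             # RFC 2869: the value MUST NOT be smaller than 60

def server_interval(packet: bytes) -> Optional[int]:
    """Return Acct-Interim-Interval from an Access-Accept, or None if absent."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    pos = 20                                  # header plus 16-octet authenticator
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        if atype == ACCT_INTERIM_INTERVAL:
            if alen != 6:
                raise ValueError("Acct-Interim-Interval must carry 4 octets")
            return struct.unpack("!I", packet[pos + 2:pos + 6])[0]
        pos += alen
    return None

def effective_interval(local: Optional[int], server: Optional[int],
                       policy: str) -> Optional[int]:
    """Pick the interval the NAS uses; None means no interim updates."""
    if server is not None and server < RFC_MINIMUM:
        server = None                         # assumption: drop out-of-range values
    if local is None or server is None:
        return local if server is None else server
    if policy == "local-wins":                # RFC 2869 section 2.1 as quoted above
        return local
    if policy == "server-wins":               # per-user value overrides global config
        return server
    if policy == "local-floor":               # local value is a minimum only
        return max(local, server)
    raise ValueError(f"unknown policy {policy!r}")

def build_accept(interval: Optional[int]) -> bytes:
    """Constructed sample packet; zeroed authenticator, which is not verified here."""
    attrs = b"" if interval is None else struct.pack(
        "!BBI", ACCT_INTERIM_INTERVAL, 6, interval)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs)) + bytes(16) + attrs
```

With the 30-minute umbrella setting and Jane's 45-minute profile from the thread, `local-wins` yields 1800 seconds while `server-wins` and `local-floor` both yield 2700; the last two differ only when the server sends a value smaller than the local one.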