
[RADIUS FIXES] Authorize Only



Hi,

Read through radius fixes.  I have one immediate issue:

In RADIUS FIXES you state:

" A Service-Type of "Authorization-Only"
   MUST NOT be included in a RADIUS Challenge or Reject packet and MAY
   only be included in an Access-Request or Accept packet as part of an
   exchange resulting from the sending of a Disconnect-Request or CoA-
   Request containing a Service-Type value of "Authorization-Only"
"

I don't agree that Service-Type of Authorization-Only should be limited
to operations relating to CoA or DM.

First, I don't think that 3576 prohibited the use of Authorize-Only --
some implementations and specifications already use Authorize-Only.

Second, I think that having "Authorize-Only" has utility. In fact one
case is prepaid where the NAS and Server maintain a conversation
regarding the replenishment of prepaid quota.  The replenishing of the
quota is triggered by the NAS (usually) using an Access-Request (Note
the NAS is the only entity that knows when the quota is used up).
Without having the ability to use the semantics provided by
"Authorize-Only" we would have no option but to reauthenticate.  This
would be unacceptable especially today when multi-round EAP methods are
being used.

Support for Authorize-Only is key in supporting many new functionalities
that allow the NAS to authorize new resources without authenticating the
user.  For example, we may want to authorize a VoIP call for an already
existing session.  I feel strongly that we need to support this
capability in RADIUS.

Finally, note that in Diameter base, the use of Authorize-Only is not
limited to only RAR/RAA transactions.  Therefore we should not limit the
use in RADIUS either since we may run into translation problems later
on.


========================
Avi Lior                                    
Bridgewater Systems Corporation 
Phone :  +1 (613) 591-9104 x6417
Cell    :  +1 (613) 796-4183
E-mail : mailto:avi@bridgewatersystems.com
www.bridgewatersystems.com 
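
As an added illustration (not part of the original message or of the RADIUS FIXES draft), the Python example below applies the quoted draft text to a parsed RADIUS packet and shows that a NAS-initiated Access-Request carrying Service-Type Authorize Only, as in the prepaid case described above, is flagged under that wording. The function names and the `follows_coa_or_dm` flag are hypothetical; the numeric values are the standard RADIUS assignments (RFC 2865 packet codes and attribute type, RFC 3576 Service-Type value), and the sample packets are constructed.

```python
import struct

# Standard RADIUS assignments: packet codes and Service-Type attribute type
# from RFC 2865, Service-Type value "Authorize Only" from RFC 3576.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
SERVICE_TYPE = 6
AUTHORIZE_ONLY = 17

def parse(packet):
    """Return (code, [(attr_type, value_bytes), ...]) for a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs

def check_quoted_rule(packet, follows_coa_or_dm):
    """Apply the quoted draft text. follows_coa_or_dm (hypothetical flag): the
    exchange resulted from a CoA/Disconnect-Request with Authorize Only."""
    code, attrs = parse(packet)
    authz_only = any(t == SERVICE_TYPE and len(v) == 4
                     and struct.unpack("!I", v)[0] == AUTHORIZE_ONLY
                     for t, v in attrs)
    if not authz_only:
        return "n/a"
    if code in (ACCESS_CHALLENGE, ACCESS_REJECT):
        return "violation: not allowed in Challenge or Reject"
    if code in (ACCESS_REQUEST, ACCESS_ACCEPT) and not follows_coa_or_dm:
        return "violation: exchange not triggered by CoA or Disconnect"
    return "ok"

def build(code, service_type):
    """Constructed sample: zero authenticator, one Service-Type attribute."""
    attr = struct.pack("!BBI", SERVICE_TYPE, 6, service_type)
    return struct.pack("!BBH", code, 1, 20 + len(attr)) + bytes(16) + attr
```

Calling `check_quoted_rule(build(ACCESS_REQUEST, AUTHORIZE_ONLY), False)` models the prepaid replenishment request and returns the "not triggered by CoA or Disconnect" violation.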
