
RE: [RADIUS FIXES] Authorize Only



I think in my last email I covered Bernard's concern.

So far, authorize only is bound to an existing session using the same
mechanism in Dynamic Auth.

In prepaid, which relies on Auth-Only, we even go further and also tie
the quotas appearing in the Authorize Only Access-Request to the quotas
delivered in a previous Access-Accept by using a QID that changes for
every exchange of Accept/Request.




> -----Original Message-----
> From: Bernard Aboba [mailto:aboba@internaut.com] 
> Sent: Monday, July 25, 2005 10:16 PM
> To: Alan DeKok
> Cc: Avi Lior; Nelson, David; radiusext@ops.ietf.org
> Subject: Re: [RADIUS FIXES] Authorize Only
> 
> 
> >   I agree.
> >
> >   Before I offer suggestions, I have a question.  How do you tie the
> > VOIP call into the existing session?  How do you deal with security
> > issues such as spoofing, etc?  How does the RADIUS server associate
> > the two requests?
> >
> >   The answers to those questions will influence any suggestion I might
> > have for a solution.
> 
> Yes, I think these questions are the important ones.  RFC 
> 2865 and subsequent RADIUS RFCs have required authentication 
> of every RADIUS session.  My understanding is that "Authorize 
> Only" was discussed in the original RADIUS WG, but the 
> decision was made to prohibit it.
> 
> The prohibition was loosened in RFC 3576 because in dynamic 
> authorization authentication had already occurred.  An 
> "Authorize Only" Access-Request can only occur as the result 
> of a Disconnect or CoA-Request relating to a session that had 
> previously been authenticated.  Although RFC 3576 does not 
> say so, it would be wise for a RADIUS server receiving an 
> "Authorize Only" request to check whether the request was 
> legitimate before answering
> -- such a request cannot, for example, be for a user that had 
> not previously established a session, or be for an 
> established user on a different NAS than the one which 
> received the Disconnect or CoA-Request.
> 
> 

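The binding described in this thread, as an added example (not code from the list or from any RADIUS implementation): a server-side model in which an Access-Request with Service-Type = Authorize Only (value 17) is honoured only when it carries a State the server itself issued in a CoA-Request for an existing session, comes from the NAS that holds that session, and (for prepaid) repeats the quota identifier handed out in the last Access-Accept. The attribute names follow RFC 2865/3576 except `Quota-Id`, which is a placeholder for the prepaid QID and is an assumption here; wire encoding, shared secrets and Message-Authenticator are not modelled.

```python
"""Validate a RADIUS "Authorize Only" Access-Request against session state.

Added example, not from the thread. Assumptions: attributes are passed as a
plain dict keyed by RFC attribute name; `Quota-Id` stands in for whatever
prepaid VSA carries the QID; State tokens are single-use.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

AUTHORIZE_ONLY = 17  # Service-Type value "Authorize Only" (RFC 3576)


@dataclass
class Session:
    acct_session_id: str
    user_name: str
    nas_identifier: str
    quota_id: Optional[str] = None  # QID delivered in the last Access-Accept


class RadiusServer:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}
        # State token issued in a CoA/Disconnect-Request -> Acct-Session-Id
        self.pending_state: Dict[bytes, str] = {}

    def start_session(self, sid: str, user: str, nas: str) -> Session:
        """Record a session that was authenticated by a normal Access-Request."""
        s = Session(sid, user, nas)
        self.sessions[sid] = s
        return s

    def grant_quota(self, sid: str) -> str:
        """Model an Access-Accept that delivers a quota with a fresh QID."""
        qid = secrets.token_hex(8)
        self.sessions[sid].quota_id = qid
        return qid

    def send_coa_authorize_only(self, sid: str) -> dict:
        """Build the CoA-Request; the State is what later binds the reply."""
        state = secrets.token_bytes(16)
        self.pending_state[state] = sid
        return {"Service-Type": AUTHORIZE_ONLY,
                "Acct-Session-Id": sid,
                "State": state}

    def validate_authorize_only(self, req: dict) -> Tuple[bool, str]:
        """Return (accept?, reason) for an incoming Authorize Only request."""
        if req.get("Service-Type") != AUTHORIZE_ONLY:
            return False, "not an Authorize Only request"
        state = req.get("State")
        if state is None:
            return False, "missing State"
        sid = self.pending_state.get(state)
        if sid is None:
            return False, "State was not issued by this server"
        session = self.sessions.get(sid)
        if session is None:
            return False, "no established session for this State"
        if req.get("Acct-Session-Id") != sid:
            return False, "Acct-Session-Id does not match the State"
        if req.get("NAS-Identifier") != session.nas_identifier:
            return False, "request came from a different NAS"
        if req.get("User-Name") != session.user_name:
            return False, "User-Name does not match the session"
        # Prepaid binding: the QID must be the one from the last Access-Accept
        if "Quota-Id" in req and req["Quota-Id"] != session.quota_id:
            return False, "Quota-Id does not match the last Access-Accept"
        # Consume the State so a replayed request is rejected
        del self.pending_state[state]
        return True, "ok"


def demo() -> Tuple[bool, bool, bool]:
    """Constructed exchange: one valid request, its replay, and a spoof
    from another NAS. Returns the three accept/reject verdicts."""
    srv = RadiusServer()
    srv.start_session("sess-1", "alice", "nas-1")
    qid = srv.grant_quota("sess-1")
    coa = srv.send_coa_authorize_only("sess-1")
    req = {"Service-Type": AUTHORIZE_ONLY, "State": coa["State"],
           "Acct-Session-Id": "sess-1", "NAS-Identifier": "nas-1",
           "User-Name": "alice", "Quota-Id": qid}
    first, _ = srv.validate_authorize_only(req)
    replay, _ = srv.validate_authorize_only(req)
    coa2 = srv.send_coa_authorize_only("sess-1")
    spoof = dict(req, State=coa2["State"], **{"NAS-Identifier": "nas-2"})
    other_nas, _ = srv.validate_authorize_only(spoof)
    return first, replay, other_nas


if __name__ == "__main__":
    print(demo())
```

The checks mirror the two concerns in the thread: the State ties the Access-Request to a CoA-Request the server actually sent for a previously authenticated session, and the NAS and user must be the ones that own that session, so a request for an unknown user or from another NAS is refused; consuming the State on success also closes the replay case.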
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>