Re: [RADIUS FIXES] Authorize Only
"Avi Lior" <avi@bridgewatersystems.com> wrote:
> I don't understand why you would say it's a vendor-specific value of
> Service-Type.
See:
http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/share/dictionary.bay?rev=1.5&content-type=text/x-cvsweb-markup
Look for "Service-Type". Vendor-specific values are of the form
((vendor-id << 16) | num). One of the RFCs refers to this practice,
but I can't recall which right now.
> Thanx for the support. I don't agree that the use of Authorize-Only
> should be discouraged though. It has tremendous use for allowing the
> NAS and Server to manage an already established session without the need
> for re-authentication.
I agree. My only point of discussion is what should the name be,
and should we re-use an existing value.
> I would prefer that RADIUS issues and fixes provide guidelines on how to
> use Authorize-Only.
I agree.
> I would have rather had the following Service-Type:
>
> Re-Authorize: this is what 3576 should be using. It completely
> re-triggers the re-authorization of the session.
That's reasonable, but I don't think you're proposing to change RFC
3576.
> Authorize-Only: is used the way I describe. We do not completely
> reauthorize the session but rather the context of what is being
> reauthorized is determined from the contents of the packet. It still
> must be bound to an Authenticated Session or entity.
> The binding being the same or similar to 3576.
Then I have few problems with re-using the name.
> Note: if someone can propose a new Service-Type value to achieve the
> same then I would be for that. Although I believe there is already a
> specification for Authorize-Only outside the IETF.
All the more reason to use vendor-specific values, so
vendor-specific practices don't re-use existing definitions.
Alan DeKok.
archive: <http://psg.com/lists/radiusext/>
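
Added example, not part of the original message or of FreeRADIUS: a small Python check that pulls Service-Type out of a RADIUS attribute list and separates IETF-assigned values from vendor-specific ones built as ((vendor-id << 16) | num). The function names, the vendor id 9999 and the sample attribute bytes are constructed for illustration; the table of standard values is a subset.

```python
import struct

SERVICE_TYPE = 6  # RADIUS attribute type for Service-Type (RFC 2865)
# Subset of IETF-assigned values; Authorize-Only (17) comes from RFC 3576.
STANDARD = {1: "Login", 2: "Framed", 8: "Authenticate-Only", 17: "Authorize-Only"}

def encode_vendor_value(vendor_id, num):
    """Build a vendor-specific value as ((vendor-id << 16) | num)."""
    # The attribute value is a 32-bit integer, so only 16 bits remain
    # for the vendor id once it is shifted left by 16.
    if not 0 < vendor_id <= 0xFFFF:
        raise ValueError("vendor id does not fit in the upper 16 bits")
    if not 0 <= num <= 0xFFFF:
        raise ValueError("num does not fit in the lower 16 bits")
    return (vendor_id << 16) | num

def split_value(value):
    """Return (vendor_id, num); vendor_id 0 means an IETF-space value."""
    return value >> 16, value & 0xFFFF

def parse_attributes(buf):
    """Yield (type, value_bytes) for each type/length/value attribute."""
    i = 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("bad attribute length")
        yield attr_type, buf[i + 2:i + length]
        i += length

def classify_service_type(attrs):
    """Return (vendor_id, num, standard_name) or None if absent."""
    for attr_type, value in parse_attributes(attrs):
        if attr_type != SERVICE_TYPE:
            continue
        if len(value) != 4:
            raise ValueError("Service-Type must carry a 4-byte integer")
        (raw,) = struct.unpack("!I", value)
        vendor_id, num = split_value(raw)
        name = STANDARD.get(raw) if vendor_id == 0 else None
        return vendor_id, num, name
    return None

# Constructed sample attribute lists: User-Name "bob" followed by Service-Type.
USER = b"\x01\x05bob"
STD_ATTRS = USER + b"\x06\x06" + struct.pack("!I", 17)
VENDOR_ATTRS = USER + b"\x06\x06" + struct.pack("!I", encode_vendor_value(9999, 2))
```

A policy that only acts on names from the standard table treats the vendor-specific value as unknown instead of confusing it with an IETF-assigned one.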