
Issue 165 - Allowed Usage



Bernard rightly noticed... 

> -----Original Message-----
> In Section 4, the Table of Attributes states the following:
> 
>       The following table provides a guide to which attributes may be
>       found in which kinds of packets, and in what quantity.
> 
>       Access- Access- Access- Access-   CoA-
>       Request Accept  Reject  Challenge Req  #   Attribute
>       0       0+      0       0         0+   TBD Egress-VLANID
>       0       0-1     0       0         0-1  TBD Ingress-Filters
>       0       0-1     0       0         0-1  TBD User-Priority-Table
> 
> The Egress-VLAN-Name attribute is not included in this table, 
> nor is it included in the IANA considerations section.

Oversight.  We will add it in. 

> 
> Section 2.1:
> 
>          Multiple Egress-VLANID attributes can be delivered in an
>          authentication response; each attribute adds the specified VLAN
>          to the list of allowed egress VLANs for the port.
> 
> This would appear to indicate that the Egress-VLAN-Name 
> attribute is allowed in Access-Challenge, Access-Reject and 
> Access-Accept packets.
> Yet, the attribute table in Section 4 does not seem to permit 
> inclusion in Reject or Challenge packets.

Will changing
"Multiple Egress-VLANID attributes can be delivered in an authentication
response..."
to
"The RADIUS server can return multiple Egress-VLANID attributes in an
Access-Accept or CoA-Request packet..."
address this issue?

> Section 2.3:
> 
>          Multiple Egress-VLAN-Name attributes can be delivered in an
>          authentication response; each attribute adds the named VLAN to
>          the list of allowed egress VLANs for the port.
> 
> This would appear to indicate that the Egress-VLAN-Name 
> attribute is allowed in Access-Challenge, Access-Reject and 
> Access-Accept packets.
> There is no entry in the Attribute Table to confirm this.

Will changing
"Multiple Egress-VLAN-Name attributes can be delivered in an
authentication response..."
to
"The RADIUS server can return multiple Egress-VLAN-Name attributes in an
Access-Accept or CoA-Request packet..."
address this issue?

> 
> Section 2.4:
> 
> There is no material on permitted usage of the 
> User-Priority-Table attribute.

Will adding the following sentence address this issue?

The RADIUS server MAY only send a single User-Priority-Table attribute
within an Access-Accept or CoA-Request; this attribute MUST NOT be sent
within an Access-Request, Access-Challenge, Access-Reject, or
Disconnect-Request.

Cheers,
MS
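
Added example, not part of the original message or of the draft: a receiver-side check that parses the Section 4 table notation quoted above (0, 0+, 0-1) and flags attributes whose count is outside the allowed range for a packet type. The Egress-VLAN-Name row is an assumption taken from the wording proposed above for Section 2.3, and all function names are hypothetical.

```python
import re
from collections import Counter

# Table rows as quoted in the message (attribute numbers are still TBD there).
# ASSUMPTION: the Egress-VLAN-Name row mirrors Egress-VLANID, following the
# proposed "Access-Accept or CoA-Request" wording; it is not in the quoted table.
TABLE = """\
Request Accept  Reject  Challenge Req  #   Attribute
0       0+      0       0         0+   TBD Egress-VLANID
0       0+      0       0         0+   TBD Egress-VLAN-Name
0       0-1     0       0         0-1  TBD Ingress-Filters
0       0-1     0       0         0-1  TBD User-Priority-Table
"""
COLUMNS = ["Access-Request", "Access-Accept", "Access-Reject",
           "Access-Challenge", "CoA-Request"]

def parse_quantity(spec):
    """Turn '0', '0+', '0-1' or '1' into an inclusive (min, max); max None = unbounded."""
    m = re.fullmatch(r"(\d+)(\+|-(\d+))?", spec)
    if not m:
        raise ValueError(f"bad quantity {spec!r}")
    low = int(m.group(1))
    if m.group(2) == "+":
        return low, None
    return low, int(m.group(3)) if m.group(3) else low

def parse_table(text):
    """Return {attribute: {packet_type: (min, max)}} from the table text."""
    rules = {}
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        quantities, name = fields[:len(COLUMNS)], fields[-1]
        rules[name] = dict(zip(COLUMNS, map(parse_quantity, quantities)))
    return rules

def violations(packet_type, attributes, rules):
    """List (attribute, count, allowed_range) for counts outside the table's range."""
    counts = Counter(attributes)
    found = []
    for name, per_packet in rules.items():
        if packet_type not in per_packet:
            continue  # packet type has no column in the quoted table
        low, high = per_packet[packet_type]
        n = counts[name]
        if n < low or (high is not None and n > high):
            found.append((name, n, (low, high)))
    return found
```
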
