RE: [Issue] Authorize Only usage in HTTP redirect
Greg is right. The spec is silent about whether or not the
Access-Accept contains a Service-Type or even what value it will have.
I don't have a problem with the proposed text.
> -----Original Message-----
> From: owner-radiusext@ops.ietf.org
> [mailto:owner-radiusext@ops.ietf.org] On Behalf Of Greg Weber
> (gdweber)
> Sent: Thursday, February 02, 2006 5:54 PM
> To: radiusext@ops.ietf.org
> Subject: [Issue] Authorize Only usage in HTTP redirect
>
> Description of issue: Authorize Only usage in HTTP redirect
> Submitter name: Greg Weber
> Submitter email address: gdweber@cisco.com
> Date first submitted: February 2, 2006
> Reference: http://ops.ietf.org/lists/radiusext/2006/msg00090.html
> Document: IEEE802-01
> Comment type: Technical
> Priority: S
> Section: A.2.2
> Rationale/Explanation of issue:
>
> Section A.2.2 Mid-session HTTP Redirection reads:
>
> If HTTP redirection is required to be applied to a service that
> has already been started then the RADIUS server can push the
> redirection rules, and optionally the filter rules, to the NAS
> within a NAS-Filter-Rule(TBD) attribute using a CoA message. The
> NAS will then commence to apply the redirection rules and/or the
> filter rules.
>
> Alternatively, the RADIUS server can request that the NAS re-
> authorize the session using the procedures defined in [RFC3576].
> The RADIUS server responds with an Access-Accept message (with
> Service-Type(6) set to "Authorize Only" that will contain the
> redirection and optionally filtering rules within a NAS-Filter-
> Rule(TBD) attribute.
>
> I don't think "Authorize Only" is a valid Service-Type value
> in Access-Accept messages. The server should be indicating
> the assigned Service in the Access-Accept. Take a look at
> the last paragraph of RFC 3576's Section 1.1. I think that
> describes the process you're referring to here.
>
> Requested change:
>
> I suggest replacing the above text with something like:
>
> If HTTP redirection is required to be applied to a service
> that has already been started, then the RADIUS server may use
> either of the procedures defined in [RFC3576]:
>
> - The server may send the NAS a CoA-Request message including
> a NAS-Filter-Rule which contains redirection rules and
> optionally filter rules. The NAS will then apply the new
> rules to the existing services.
> - The server may send the NAS a CoA-Request message including
> a Service-Type attribute with the value of "Authorize Only".
> This will trigger the NAS to reauthorize the existing service
> by sending the server an Access-Request message containing a
> Service-Type attribute with the value of "Authorize Only".
> The server may then send the NAS new redirection and optionally
> filter rules within a NAS-Filter-Rule as part of an Access-
> Accept message.
>
> --
> to unsubscribe send a message to
> radiusext-request@ops.ietf.org with the word 'unsubscribe' in
> a single line as the message text body.
> archive: <http://psg.com/lists/radiusext/>
>
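
The two RFC 3576 procedures in the proposed text above, modelled at the attribute level from the NAS side. This is an added example, not part of the original thread or of any RADIUS implementation. Assumptions: the function names are hypothetical, the packet header and authenticators are omitted, NAS-Filter-Rule uses type 92 (assigned later in RFC 4849; the quoted draft still says TBD), the NAS answers an "Authorize Only" CoA-Request with a CoA-NAK carrying Error-Cause "Request Initiated" as RFC 3576 describes, and the sample rule is constructed.

```python
import struct

# Codes and attribute types from RFC 2865 / RFC 3576.
ACCESS_REQUEST, ACCESS_ACCEPT, COA_REQUEST, COA_ACK, COA_NAK = 1, 2, 43, 44, 45
SERVICE_TYPE, STATE, ERROR_CAUSE = 6, 24, 101
NAS_FILTER_RULE = 92       # "TBD" in the quoted draft; 92 is the later RFC 4849 assignment
AUTHORIZE_ONLY = 17        # Service-Type value defined in RFC 3576
REQUEST_INITIATED = 507    # Error-Cause value defined in RFC 3576
SAMPLE_RULE = b"deny in ip from any to 192.0.2.0/24"   # constructed sample rule

def u32(n):
    return struct.pack("!I", n)

def encode(attrs):
    """Serialize (type, value-bytes) pairs as RADIUS TLVs."""
    out = b""
    for atype, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1..253 octets")
        out += bytes([atype, len(value) + 2]) + value
    return out

def decode(wire):
    """Parse TLVs, rejecting lengths that under- or overrun the buffer."""
    attrs, i = [], 0
    while i < len(wire):
        if i + 2 > len(wire) or wire[i + 1] < 3 or i + wire[i + 1] > len(wire):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((wire[i], wire[i + 2:i + wire[i + 1]]))
        i += wire[i + 1]
    return attrs

def values(attrs, atype):
    return [v for t, v in attrs if t == atype]

def nas_handle_coa(wire):
    """NAS side of both procedures: (reply_code, reply, access_request, rules_applied)."""
    attrs = decode(wire)
    if values(attrs, SERVICE_TYPE) == [u32(AUTHORIZE_ONLY)]:
        # Second procedure: refuse the CoA itself and start a reauthorization.
        nak = encode([(SERVICE_TYPE, u32(AUTHORIZE_ONLY)), (ERROR_CAUSE, u32(REQUEST_INITIATED))])
        req = [(SERVICE_TYPE, u32(AUTHORIZE_ONLY))] + [(STATE, s) for s in values(attrs, STATE)]
        return COA_NAK, nak, encode(req), []
    # First procedure: rules arrive in the CoA-Request and apply to the live session.
    return COA_ACK, b"", None, values(attrs, NAS_FILTER_RULE)

def nas_handle_accept(wire):
    """Rules the NAS applies from the Access-Accept that ends the reauthorization."""
    return values(decode(wire), NAS_FILTER_RULE)
```

`nas_handle_accept` reads only NAS-Filter-Rule and ignores any Service-Type in the Access-Accept, so it works whichever way the point debated in this thread is settled.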