RE: Issue 196: User-Name Attribute
- To: "Bernard Aboba" <bernard_aboba@hotmail.com>
- Subject: RE: Issue 196: User-Name Attribute
- From: "Glen Zorn \(gwz\)" <gwz@cisco.com>
- Date: Sun, 4 Jun 2006 07:50:46 -0700
- Cc: <radiusext@ops.ietf.org>, "Glen Zorn \(gwz\)" <gwz@cisco.com>
Bernard Aboba <> supposedly scribbled:
>> Who cares? I'm not being facetious: if the value is unknown by the
>> client & unused by the server, why does it matter what the value is?
>
> The lack of a User-Name attribute may prevent proxies from forwarding
> the Access-Request. Also, some RADIUS servers will not be able to
> handle an Access-Request without a User-Name attribute.
Right, but it's my understanding (laboriously gained, yet perhaps still flawed) that the SIP proxy functionality was expected to deliver the SIP request to the destination realm; if the user has no account in that realm, they are simply out of luck. This would seem to imply that RADIUS proxies are unnecessary, at least insofar as inter-realm routing is concerned.
>
> Note that this problem has been encountered before. For example, in
> RFC 3579 there are situations in which the User-Name is not known,
> such as when the NAS does not send an EAP-Request/Identity to
> initiate the EAP exchange (e.g. NAS could start off with an
> EAP-Request for a method, or could send an EAP-Start to the RADIUS
> server). Despite this, RFC 3579 always fills in the User-Name
> attribute.
>
> RFC 3579 Section 2.1 recommends:
>
> " If the NAS initially sends an EAP-Request for an
> authentication method, and the peer identity cannot be determined
> from the EAP-Response, then the User-Name attribute SHOULD be
> determined by another means. As noted in [RFC2865] Section 5.6, it
> is recommended that Access-Requests use the value of the
> Calling-Station-Id as the value of the User-Name attribute."
OK, I give up: how does the Calling-Station-Id help to route RADIUS packets?
Hope this helps,
~gwz
Why is it that most of the world's problems can't be solved by simply
listening to John Coltrane? -- Henry Gabriel