RE: [Isms] RE: Follow up on Authorize Only issue
- To: "Nelson, David" <dnelson@enterasys.com>
- Subject: RE: [Isms] RE: Follow up on Authorize Only issue
- From: "Glen Zorn \(gwz\)" <gwz@cisco.com>
- Date: Wed, 26 Jul 2006 08:26:38 -0700
- Cc: <isms@ietf.org>, <radiusext@ops.ietf.org>
Nelson, David <mailto:dnelson@enterasys.com> supposedly scribbled:
> Glen Zorn writes...
>
>>> If this attribute is used for its intended purpose, to allow the
>>> RADIUS server to know what service to provision, then it cannot also
>>> be used to indicate authorize-only mode.
>
>> Too late, it already is.
>
> Yes, for the Dynamic RADIUS Change of Authorization use case, as
> specified in RFC 3576. It has no formally specified usage outside
> 3576, that I recall. We need not use that method for the "general"
> authorization only case. We could devise a new method, such as the
> Asserted-Identity attribute, and relegate the Service-Type =
> "Authorize Only" usage to CoA only.
We could, but it seems like a waste of attribute space since the value if any would of necessity be identical to that carried by the User-Name Attribute.
>
> I tend to agree with Jeff that this portion of RFC 3576 was probably
> a "mistake".
Perhaps, but if so, it lines up very well with the original definition of the Service-Type Attribute. In fact, I can't find any trace of the architectural purity imputed to the Attribute by Jeff: only some of the values of Service-Type are related to service as he has defined it. Although I wasn't involved (except as a critic ;-) with the development of RFC 3576 either, it would make perfect sense to me to add a value of "Authorize Only" to an Attribute that already had values of "Authenticate Only" & "Call Check" defined, the latter being purely authorizational in character.
> I can say that as I had nothing to do with that
> document. Whether it was or wasn't, we are not obligated to carry
> that particular usage into other areas of application for RADIUS.
Hope this helps,
~gwz
Why is it that most of the world's problems can't be solved by simply
listening to John Coltrane? -- Henry Gabriel
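The exchange above turns on one point: Service-Type already carries values that are authorizational in character (Authenticate Only, Call Check) and RFC 3576 added Authorize Only beside them, so a server that processes an Access-Request has to read that one attribute to decide which mode it is in. The following is an added example, not code from either correspondent or from any RADIUS implementation, showing how that dispatch looks on the wire: a minimal RADIUS attribute encoder and decoder (Type, Length, Value per RFC 2865) and a classifier that maps Service-Type 8, 10 and 17 to the three modes. The validation policy in classify_request (Authorize Only must carry User-Name and State and must not carry User-Password) is this example's own, modelled on the RFC 3576 CoA-triggered flow; the attribute and value numbers are the registered ones.

```python
import struct

# RADIUS attribute type codes (RFC 2865) and the Service-Type values
# discussed above: 8 Authenticate Only and 10 Call Check come from RFC 2865,
# 17 Authorize Only was added by RFC 3576.
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_SERVICE_TYPE = 6
ATTR_STATE = 24

SERVICE_TYPE_AUTHENTICATE_ONLY = 8
SERVICE_TYPE_CALL_CHECK = 10
SERVICE_TYPE_AUTHORIZE_ONLY = 17


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1) Value; Length counts the header."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_int_attr(attr_type: int, number: int) -> bytes:
    """Integer attributes such as Service-Type are 4 bytes, network byte order."""
    return encode_attr(attr_type, struct.pack("!I", number))


def decode_attrs(data: bytes) -> list:
    """Walk the attribute list, rejecting truncated or overlong entries."""
    attrs = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def classify_request(attrs: list) -> str:
    """Return the mode an Access-Request is asking for, or raise if it is malformed.

    Policy enforced here (the example's own, modelled on the RFC 3576 flow):
    an Authorize Only request must carry User-Name and State and must not
    carry User-Password, because the NAS is asserting an identity that was
    already authenticated rather than proving one.
    """
    by_type = {}
    for attr_type, value in attrs:
        by_type.setdefault(attr_type, []).append(value)

    if ATTR_USER_NAME not in by_type:
        raise ValueError("User-Name missing")
    service_types = by_type.get(ATTR_SERVICE_TYPE, [])
    if len(service_types) > 1:
        raise ValueError("more than one Service-Type attribute")
    service_type = None
    if service_types:
        if len(service_types[0]) != 4:
            raise ValueError("Service-Type must be a 4-byte integer")
        service_type = struct.unpack("!I", service_types[0])[0]

    if service_type == SERVICE_TYPE_AUTHORIZE_ONLY:
        if ATTR_USER_PASSWORD in by_type:
            raise ValueError("User-Password present in Authorize Only request")
        if ATTR_STATE not in by_type:
            raise ValueError("Authorize Only request without State")
        return "authorize-only"
    if service_type == SERVICE_TYPE_AUTHENTICATE_ONLY:
        return "authenticate-only"
    if service_type == SERVICE_TYPE_CALL_CHECK:
        return "call-check"
    return "authenticate-and-authorize"


if __name__ == "__main__":
    # Constructed sample: an Authorize Only request as a NAS would send after a CoA.
    sample = (encode_attr(ATTR_USER_NAME, b"alice")
              + encode_int_attr(ATTR_SERVICE_TYPE, SERVICE_TYPE_AUTHORIZE_ONLY)
              + encode_attr(ATTR_STATE, b"\x00\x2a"))
    print(classify_request(decode_attrs(sample)))
```

The point the classifier makes concrete is the one under debate: the identity in an Authorize Only request is whatever User-Name says, which is why a separate Asserted-Identity attribute would duplicate it, and the only thing distinguishing that request from an ordinary authentication is the Service-Type value, so a server must check the accompanying attributes rather than trust the value alone.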