
RE: Summary of Authorize Only issue



(4) RADIUS Servers SHOULD exercise appropriate policy enforcement in
terms of providing any NAS with attributes that might disclose security
sensitive information related to a user, e.g. keys, unless that user has
been successfully authenticated to the RADIUS Server via the NAS in
question.  This affects RADIUS Server behavior during any Authorize Only
service provisioning.

For this to be successful, the RADIUS server needs to know what service is being requested by the NAS, so that it can limit the attributes to those relevant to that service (or refuse to authorize the service). The service cannot be characterized by saying it is "authorize-only" -- that is merely a particular (authorize-only) mode of a particular service which needs to be specified by the NAS.

In any of the use cases, it is important that the NAS, i.e. the RADIUS
Client, be able to communicate the kind of service being sought via hint
attributes to the RADIUS Server, in the Access-Request message.

Service-Type is not a "hint". A RADIUS client that receives an Access-Accept with an unknown Service-Type does not treat the attribute as a "hint" -- it treats it as an Access-Reject. This is mandatory behavior in RFC 2865.



--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
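The Service-Type rule invoked in the reply above, as an added example that is not part of the thread: a minimal RFC 2865 encoder/decoder (Python, assumed) in which the NAS verifies the Response Authenticator and then treats an Access-Accept carrying an unknown or unsupported Service-Type exactly as an Access-Reject, per RFC 2865 section 5.6. It also builds the Access-Request with Service-Type as the NAS's hint. The shared secret, Request Authenticator, packets and the NAS's supported-service set are constructed here for illustration.

```python
"""RFC 2865 Access-Accept handling on the NAS side. Added example, not from the
radiusext thread: wire format and the rule are from RFC 2865; packets, secret
and the NAS's supported set are constructed here."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_SERVICE_TYPE = 1, 6
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
LOGIN, FRAMED, ADMINISTRATIVE = 1, 2, 6  # Service-Type values, RFC 2865 sec. 5.6


def encode_attrs(attrs):
    """Pack (type, value) pairs as RADIUS TLVs; Length covers type+length+value."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value must be at most 253 octets")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Walk the attribute area; reject malformed lengths instead of guessing."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def build_request(ident, request_auth, attrs):
    """NAS -> server. A Service-Type here is only a hint (RFC 2865 sec. 5.6)."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(body)) + request_auth + body


def build_response(code, ident, request_auth, attrs, secret):
    """Server -> NAS. ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def nas_effective_code(pkt, request_auth, secret, supported_services):
    """Return the code the NAS must act on, or raise if the packet is to be dropped.
    An Access-Accept whose Service-Type the NAS does not implement is treated as
    an Access-Reject, as RFC 2865 section 5.6 requires."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    length = struct.unpack("!H", pkt[2:4])[0]
    if length < HEADER_LEN or length > len(pkt):
        raise ValueError("Length field inconsistent with packet; discard")
    pkt = pkt[:length]  # octets beyond Length are padding and are ignored
    header, resp_auth, body = pkt[:4], pkt[4:20], pkt[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("Response Authenticator mismatch; discard")  # forged/tampered
    code = pkt[0]
    if code != ACCESS_ACCEPT:
        return code
    for atype, value in decode_attrs(body):
        if atype == ATTR_SERVICE_TYPE:
            if len(value) != 4:
                return ACCESS_REJECT  # malformed integer attribute: do not guess
            if struct.unpack("!I", value)[0] not in supported_services:
                return ACCESS_REJECT  # unknown or unsupported: act as if rejected
    return ACCESS_ACCEPT


def demo():
    """Constructed exchange against a NAS that implements only Login and Framed."""
    secret = b"example-shared-secret"  # constructed
    request_auth = bytes(range(16))    # constructed; a real NAS uses 16 random octets
    ident, supported = 7, {LOGIN, FRAMED}
    st = lambda v: [(ATTR_SERVICE_TYPE, struct.pack("!I", v))]
    request = build_request(ident, request_auth, [(ATTR_USER_NAME, b"alice")] + st(FRAMED))
    accept_framed = build_response(ACCESS_ACCEPT, ident, request_auth, st(FRAMED), secret)
    accept_admin = build_response(ACCESS_ACCEPT, ident, request_auth, st(ADMINISTRATIVE), secret)
    accept_unknown = build_response(ACCESS_ACCEPT, ident, request_auth, st(4000), secret)
    reject = build_response(ACCESS_REJECT, ident, request_auth, [], secret)
    tampered = accept_framed[:-1] + bytes([accept_framed[-1] ^ 0x01])  # flip a body bit
    try:
        nas_effective_code(tampered, request_auth, secret, supported)
        tampered_dropped = False
    except ValueError:
        tampered_dropped = True
    return {
        "request_len": len(request),
        "framed": nas_effective_code(accept_framed, request_auth, secret, supported),
        "admin": nas_effective_code(accept_admin, request_auth, secret, supported),
        "unknown": nas_effective_code(accept_unknown, request_auth, secret, supported),
        "reject": nas_effective_code(reject, request_auth, secret, supported),
        "tampered_dropped": tampered_dropped,
    }


if __name__ == "__main__":
    print(demo())
```

Only the Accept carrying Service-Type Framed, which this NAS implements, is acted on as an Accept; the Accepts carrying Administrative (known to the RFC but not implemented here) and the undefined value 4000 both yield Access-Reject, and a packet whose Response Authenticator does not verify is discarded before any attribute is looked at.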