
RE: Summary of Authorize Only issue



Bernard Aboba writes...

> For this to be successful, the RADIUS server needs to know what 
> service is being requested by the NAS, so that it can limit the 
> attributes to those relevant to that service (or refuse to 
> authorize the service).  The service cannot be characterized by
> saying it is "authorize-only" -- that is merely a particular 
> (authorize-only) mode of a particular service which needs to
> be specified by the NAS.

I agree (100%).
 
> >In any of the use cases, it is important that the NAS, i.e.
> >the RADIUS Client, be able to communicate the kind of service
> >being sought via hint attributes to the RADIUS Server, in the
> >Access-Request message.
> 
> Service-Type is not a "hint". 

It is when it appears in an Access-Request message.  This is the context
of the foregoing paragraph.

> A RADIUS client that receives 
> an Access-Accept with an unknown Service-Type does not treat 
> the attribute as a "hint" -- it treats it as an Access-Reject. 
> This is mandatory behavior in RFC 2865.

I agree, when it appears in an Access-Accept message.



--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>