Re: Questions on RADIUS Extended attributes



"Nelson, David" <dnelson@enterasys.com> wrote:
> By "list of such attributes", do you mean a sequence comprising an
> initial attribute and continuation (concatenation) attributes?  I was
> thinking that removing one or more continuation attributes from the
> middle of a sequence would be very bad.

  Yes, and yes.

  But most proxies either (a) forward everything unchanged, or (b)
implement local policy.

> Mangling by whom?  Noticed by whom?  It would certainly seem to me that
> the NAS or the Server would notice!

  A proxying server that implements local policy enforcement has no
business forwarding attributes it doesn't understand.

  A proxying server that does nothing more than routing or aggregation
has no business changing the policies it's transporting.

  A NAS that expects Extended-Type has a trust relationship with a
local RADIUS server.  If that server doesn't understand Extended-Type,
it (a) won't send Extended-Type to the NAS, or (b) has no business
forwarding Extended-Type from a home server to the NAS.

> Tagging would support grouping, but not nested grouping.  Do we think
> that single-level grouping is sufficient to solve the "80% problem"?

  I believe so.

  Alan DeKok.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
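
The two proxy behaviours described in the reply above, as an added example that is not part of the original message: a routing proxy forwards the attribute bytes unchanged, while a policy proxy forwards only the attribute types it understands. The attribute layout is the RFC 2865 type/length/value encoding; the code 241 used for Extended-Type and all function names are assumptions, since the thread gives neither.

```python
import struct

# Assumed attribute codes: 1 and 4 are User-Name and NAS-IP-Address (RFC 2865);
# 241 stands in for Extended-Type, whose code the thread does not give.
USER_NAME, NAS_IP_ADDRESS, EXTENDED_TYPE = 1, 4, 241


def parse_attributes(data: bytes):
    """Split a RADIUS attribute block into (type, value) pairs (RFC 2865 TLV)."""
    attrs, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack_from("BB", data, offset)
        # Length covers the 2-byte header, so it can never be below 2.
        if length < 2 or offset + length > len(data):
            raise ValueError(f"bad length {length} for attribute {attr_type}")
        attrs.append((attr_type, data[offset + 2:offset + length]))
        offset += length
    return attrs


def encode_attributes(attrs) -> bytes:
    """Re-encode (type, value) pairs; each value must be at most 253 bytes."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def proxy_forward(data: bytes, understood=None) -> bytes:
    """Routing proxy (understood=None): forward the bytes untouched.
    Policy proxy: forward only attribute types it understands, so an
    unknown type is dropped as a whole and never thinned out mid-sequence."""
    if understood is None:
        return data
    kept = [(t, v) for t, v in parse_attributes(data) if t in understood]
    return encode_attributes(kept)


# Constructed sample: User-Name, three Extended-Type fragments, NAS-IP-Address.
SAMPLE = encode_attributes([
    (USER_NAME, b"alice"),
    (EXTENDED_TYPE, b"part-1"),
    (EXTENDED_TYPE, b"part-2"),
    (EXTENDED_TYPE, b"part-3"),
    (NAS_IP_ADDRESS, bytes([192, 0, 2, 1])),
])

if __name__ == "__main__":
    print(parse_attributes(proxy_forward(SAMPLE)))
    print(parse_attributes(proxy_forward(SAMPLE, {USER_NAME, NAS_IP_ADDRESS})))
```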