This seems to contradict the proposed text in section 2.1.1 of the Issues & Fixes draft: An Access-Request sent as a result of a new or restarted authentication run MUST NOT include the State attribute, even if the State attribute has previously been received in an Access-Challenge for the same user and port. My preference is to keep the text from the Issues & Fixes document, with the idea that States are tied to a session, not to a user.
I think that's right, as long as we define a "Session" carefully. For example, a re-authentication would result in a new session, whereas an RFC 3576 CoA-Request would not, correct? I was somewhat surprised to read the RFC 2865 text relating to use of State along with Termination-Action.
On going back and re-reading the Issues & Fixes document, I think the case I raised here is mostly covered by the existing text.
I think you're right. -- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://psg.com/lists/radiusext/>