[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Issue 226: RFC 3576bis and Renumbering

To: "David B. Nelson" <dnelson@elbrysnetworks.com>, <radiusext@ops.ietf.org>
Subject: RE: Issue 226: RFC 3576bis and Renumbering
From: Bernard Aboba <bernard_aboba@hotmail.com>
Date: Tue, 22 May 2007 12:43:24 -0700

> It strikes me that the large number and substantial nature of these notes
> suggests that they be incorporated elsewhere in the normative text of the
> document, rather as footnotes to the Table of Attributes. I think it would
> substantially enhance readability of the document.

I have consolidated Note 6 into Section 3.2 (State), and Note 7 as well as other "Authorize Only" text into a new Section 3.1 (Authorize Only). Here is the new text:

3.1. Authorize Only

   Support for a CoA-Request including a Service-Type Attribute with
   value "Authorize Only" is OPTIONAL on the NAS and RADIUS server. A
   Service-Type Attribute MUST NOT be included within a Disconnect-
   Request.

   A NAS MUST respond to a CoA-Request including a Service-Type
   Attribute with value "Authorize Only" with a CoA-NAK; a CoA-ACK MUST
   NOT be sent. If the NAS does not support a Service-Type value of
   "Authorize Only" then it MUST respond with a CoA-NAK; an Error-Cause
   value of 405 (Unsupported Service) SHOULD be included.

   A CoA-Request containing a Service-Type Attribute with value
   "Authorize Only" MUST in addition contain only NAS or session
   identification attributes, as well as a State Attribute. If other
   attributes are included in such a CoA-Request, a CoA-NAK MUST be
   sent; an Error-Cause Attribute with value 401 (Unsupported Attribute)
   SHOULD be included.

   A NAS supporting a Service-Type value of "Authorize Only" within a
   CoA-Request packet MUST respond with a CoA-NAK containing a Service-
   Type Attribute with value "Authorize Only", and an Error-Cause
   Attribute with value "Request Initiated". The NAS then sends an
   Access-Request to the RADIUS server including a Service-Type
   Attribute with value "Authorize Only". This Access-Request SHOULD
   contain the NAS identification attributes from the CoA-Request, as
   well as the session identification attributes from the CoA-Request
   legal for inclusion in an Access-Request as specified in [RFC2865],
   [RFC2868], [RFC2869] and [RFC3162]. As noted in [RFC2869] Section
   5.19, a Message-Authenticator attribute SHOULD be included in an
   Access-Request that does not contain a User-Password, CHAP-Password,
   ARAP-Password or EAP-Message Attribute. The RADIUS server should
   send back an Access-Accept to (re-)authorize the session or an
   Access-Reject to refuse to (re-)authorize it.

3.2. State

   The State Attribute is available to be sent by the RADIUS server to
   the NAS in a CoA-Request packet and MUST be sent unmodified from the
   NAS to the RADIUS server in a subsequent CoA-ACK or CoA-NAK packet.

   [RFC2865] Section 5.44 states:

      An Access-Request MUST contain either a User-Password or a CHAP-
      Password or State. An Access-Request MUST NOT contain both a
      User-Password and a CHAP-Password. If future extensions allow
      other kinds of authentication information to be conveyed, the
      attribute for that can be used in an Access-Request instead of
      User-Password or CHAP-Password.

   In order to satisfy the requirements of [RFC2865] Section 5.44, an
   Access-Request with Service-Type="Authorize-Only" MUST contain a
   State attribute.

   In order to provide a State attribute to the NAS, a server sending a
   CoA-Request with a Service-Type value of "Authorize-Only" MUST
   include a State Attribute, and the NAS MUST send the State Attribute
   unmodified to the RADIUS server in the resulting Access-Request, if
   any. A NAS receiving a CoA-Request containing a Service-Type value
   of "Authorize-Only" but lacking a State attribute MUST send a CoA-NAK
   and SHOULD include an Error-Cause attribute with value 402 (Missing
   Attribute).

   The State Attribute is also available to be sent by the RADIUS server
   to the NAS in a CoA-Request that also includes a Termination-Action
   Attribute with the value of RADIUS-Request. If the client performs
   the Termination-Action by sending a new Access-Request upon
   termination of the current session, it MUST include the State
   Attribute unchanged in that Access-Request. In either usage, the
   client MUST NOT interpret the Attribute locally. A CoA-Request
   packet must have only zero or one State Attribute. Usage of the
   State Attribute is implementation dependent.

Prev by Date: RE: Issue 226: RFC 3576bis and Renumbering
Next by Date: RE: Issue: Error-Cause Attribute in Disconnect-ACK?
Previous by thread: RE: Issue 226: RFC 3576bis and Renumbering
Next by thread: RE: Issue 226: RFC 3576bis and Renumbering
Index(es):
- Date
- Thread