[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: Issue 226: RFC 3576bis and Renumbering
On re-reading Section 3.1, I think it could be made more clear that the last paragraph refers only to successfully processed CoA-Requests. Also, inclusion of an Error-Cause Attribute is upgraded to a SHOULD in case of an error. Here is the updated text:
3.1. Authorize Only
Support for a CoA-Request including a Service-Type Attribute with
value "Authorize Only" is OPTIONAL on the NAS and RADIUS server. A
Service-Type Attribute MUST NOT be included within a Disconnect-
Request.
A NAS MUST respond to a CoA-Request including a Service-Type
Attribute with value "Authorize Only" with a CoA-NAK; a CoA-ACK MUST
NOT be sent. If the NAS does not support a Service-Type value of
"Authorize Only" then it MUST respond with a CoA-NAK; an Error-Cause
value of 405 (Unsupported Service) SHOULD be included.
A CoA-Request containing a Service-Type Attribute with value
"Authorize Only" MUST in addition contain only NAS or session
identification attributes, as well as a State Attribute. If other
attributes are included in such a CoA-Request, a CoA-NAK MUST be
sent; an Error-Cause Attribute with value 401 (Unsupported Attribute)
SHOULD be included.
If a CoA-Request packet including a Service-Type value of "Authorize
Only" is successfully processed, the NAS MUST respond with a CoA-NAK
containing a Service-Type Attribute with value "Authorize Only", and
an Error-Cause Attribute with value 507 (Request Initiated). The NAS
then MUST send an Access-Request to the RADIUS server including a
Service-Type Attribute with value "Authorize Only". This Access-
Request SHOULD contain the NAS identification attributes from the
CoA-Request, as well as the session identification attributes from
the CoA-Request legal for inclusion in an Access-Request as specified
in [RFC2865], [RFC2868], [RFC2869] and [RFC3162]. As noted in
[RFC2869] Section 5.19, a Message-Authenticator attribute SHOULD be
included in an Access-Request that does not contain a User-Password,
CHAP-Password, ARAP-Password or EAP-Message Attribute. The RADIUS
server then will respond to the Access-Request with an Access-Accept
to (re-)authorize the session or an Access-Reject to refuse to
(re-)authorize it.
From: bernard_aboba@hotmail.com
To: dnelson@elbrysnetworks.com; radiusext@ops.ietf.org
Subject: RE: Issue 226: RFC 3576bis and Renumbering
Date: Tue, 22 May 2007 12:43:24 -0700
> It strikes me that the large number and substantial nature of these notes
> suggests that they be incorporated elsewhere in the normative text of the
> document, rather as footnotes to the Table of Attributes. I think it would
> substantially enhance readability of the document.
I have consolidated Note 6 into Section 3.2 (State), and Note 7 as well as other "Authorize Only" text into a new Section 3.1 (Authorize Only). Here is the new text:
3.1. Authorize Only
Support for a CoA-Request including a Service-Type Attribute with
value "Authorize Only" is OPTIONAL on the NAS and RADIUS server. A
Service-Type Attribute MUST NOT be included within a Disconnect-
Request.
A NAS MUST respond to a CoA-Request including a Service-Type
Attribute with value "Authorize Only" with a CoA-NAK; a CoA-ACK MUST
NOT be sent. If the NAS does not support a Service-Type value of
"Authorize Only" then it MUST respond with a CoA-NAK; an Error-Cause
value of 405 (Unsupported Service) SHOULD be included.
A CoA-Request containing a Service-Type Attribute with value
"Authorize Only" MUST in addition contain only NAS or session
identification attributes, as well as a State Attribute. If other
attributes are included in such a CoA-Request, a CoA-NAK MUST be
sent; an Error-Cause Attribute with value 401 (Unsupported Attribute)
SHOULD be included.
A NAS supporting a Service-Type value of "Authorize Only" within a
CoA-Request packet MUST respond with a CoA-NAK containing a Service-
Type Attribute with value "Authorize Only", and an Error-Cause
Attribute with value "Request Initiated". The NAS then sends an
Access-Request to the RADIUS server including a Service-Type
Attribute with value "Authorize Only". This Access-Request SHOULD
contain the NAS identification attributes from the CoA-Request, as
well as the session identification attributes from the CoA-Request
legal for inclusion in an Access-Request as specified in [RFC2865],
[RFC2868], [RFC2869] and [RFC3162]. As noted in [RFC2869] Section
5.19, a Message-Authenticator attribute SHOULD be included in an
Access-Request that does not contain a User-Password, CHAP-Password,
ARAP-Password or EAP-Message Attribute. The RADIUS server should
send back an Access-Accept to (re-)authorize the session or an
Access-Reject to refuse to (re-)authorize it.
3.2. State
The State Attribute is available to be sent by the RADIUS server to
the NAS in a CoA-Request packet and MUST be sent unmodified from the
NAS to the RADIUS server in a subsequent CoA-ACK or CoA-NAK packet.
[RFC2865] Section 5.44 states:
An Access-Request MUST contain either a User-Password or a CHAP-
Password or State. An Access-Request MUST NOT contain both a
User-Password and a CHAP-Password. If future extensions allow
other kinds of authentication information to be conveyed, the
attribute for that can be used in an Access-Request instead of
User-Password or CHAP-Password.
In order to satisfy the requirements of [RFC2865] Section 5.44, an
Access-Request with Service-Type="Authorize-Only" MUST contain a
State attribute.
In order to provide a State attribute to the NAS, a server sending a
CoA-Request with a Service-Type value of "Authorize-Only" MUST
include a State Attribute, and the NAS MUST send the State Attribute
unmodified to the RADIUS server in the resulting Access-Request, if
any. A NAS receiving a CoA-Request containing a Service-Type value
of "Authorize-Only" but lacking a State attribute MUST send a CoA-NAK
and SHOULD include an Error-Cause attribute with value 402 (Missing
Attribute).
The State Attribute is also available to be sent by the RADIUS server
to the NAS in a CoA-Request that also includes a Termination-Action
Attribute with the value of RADIUS-Request. If the client performs
the Termination-Action by sending a new Access-Request upon
termination of the current session, it MUST include the State
Attribute unchanged in that Access-Request. In either usage, the
client MUST NOT interpret the Attribute locally. A CoA-Request
packet must have only zero or one State Attribute. Usage of the
State Attribute is implementation dependent.