
RE: Issue 226: RFC 3576bis and Renumbering



On re-reading Section 3.1, I think it could be made more clear that the last paragraph refers only to successfully processed CoA-Requests.  Also, inclusion of an Error-Cause Attribute is upgraded to a SHOULD in case of an error.  Here is the updated text:

3.1.  Authorize Only

   Support for a CoA-Request including a Service-Type Attribute with
   value "Authorize Only" is OPTIONAL on the NAS and RADIUS server.  A
   Service-Type Attribute MUST NOT be included within a Disconnect-
   Request.

   A NAS MUST respond to a CoA-Request including a Service-Type
   Attribute with value "Authorize Only" with a CoA-NAK; a CoA-ACK MUST
   NOT be sent.  If the NAS does not support a Service-Type value of
   "Authorize Only" then it MUST respond with a CoA-NAK; an Error-Cause
   value of 405 (Unsupported Service) SHOULD be included.

   A CoA-Request containing a Service-Type Attribute with value
   "Authorize Only" MUST in addition contain only NAS or session
   identification attributes, as well as a State Attribute.  If other
   attributes are included in such a CoA-Request, a CoA-NAK MUST be
   sent; an Error-Cause Attribute with value 401 (Unsupported Attribute)
   SHOULD be included.

   If a CoA-Request packet including a Service-Type value of "Authorize
   Only" is successfully processed, the NAS MUST respond with a CoA-NAK
   containing a Service-Type Attribute with value "Authorize Only", and
   an Error-Cause Attribute with value 507 (Request Initiated).  The NAS
   then MUST send an Access-Request to the RADIUS server including a
   Service-Type Attribute with value "Authorize Only".  This Access-
   Request SHOULD contain the NAS identification attributes from the
   CoA-Request, as well as the session identification attributes from
   the CoA-Request legal for inclusion in an Access-Request as specified
   in [RFC2865], [RFC2868], [RFC2869] and [RFC3162].  As noted in
   [RFC2869] Section 5.19, a Message-Authenticator attribute SHOULD be
   included in an Access-Request that does not contain a User-Password,
   CHAP-Password, ARAP-Password or EAP-Message Attribute.  The RADIUS
   server then will respond to the Access-Request with an Access-Accept
   to (re-)authorize the session or an Access-Reject to refuse to
   (re-)authorize it.


From: bernard_aboba@hotmail.com
To: dnelson@elbrysnetworks.com; radiusext@ops.ietf.org
Subject: RE: Issue 226: RFC 3576bis and Renumbering
Date: Tue, 22 May 2007 12:43:24 -0700

> It strikes me that the large number and substantial nature of these notes
> suggests that they be incorporated elsewhere in the normative text of the
> document, rather than as footnotes to the Table of Attributes. I think it would
> substantially enhance readability of the document. 
 
I have consolidated Note 6 into Section 3.2 (State), and Note 7 as well as other "Authorize Only" text into a new Section 3.1 (Authorize Only).  Here is the new text:
 
3.1.  Authorize Only

   Support for a CoA-Request including a Service-Type Attribute with
   value "Authorize Only" is OPTIONAL on the NAS and RADIUS server.  A
   Service-Type Attribute MUST NOT be included within a Disconnect-
   Request.

   A NAS MUST respond to a CoA-Request including a Service-Type
   Attribute with value "Authorize Only" with a CoA-NAK; a CoA-ACK MUST
   NOT be sent.  If the NAS does not support a Service-Type value of
   "Authorize Only" then it MUST respond with a CoA-NAK; an Error-Cause
   value of 405 (Unsupported Service) SHOULD be included.

   A CoA-Request containing a Service-Type Attribute with value
   "Authorize Only" MUST in addition contain only NAS or session
   identification attributes, as well as a State Attribute.  If other
   attributes are included in such a CoA-Request, a CoA-NAK MUST be
   sent; an Error-Cause Attribute with value 401 (Unsupported Attribute)
   SHOULD be included.

   A NAS supporting a Service-Type value of "Authorize Only" within a
   CoA-Request packet MUST respond with a CoA-NAK containing a Service-
   Type Attribute with value "Authorize Only", and an Error-Cause
   Attribute with value "Request Initiated".  The NAS then sends an
   Access-Request to the RADIUS server including a Service-Type
   Attribute with value "Authorize Only".  This Access-Request SHOULD
   contain the NAS identification attributes from the CoA-Request, as
   well as the session identification attributes from the CoA-Request
   legal for inclusion in an Access-Request as specified in [RFC2865],
   [RFC2868], [RFC2869] and [RFC3162].  As noted in [RFC2869] Section
   5.19, a Message-Authenticator attribute SHOULD be included in an
   Access-Request that does not contain a User-Password, CHAP-Password,
   ARAP-Password or EAP-Message Attribute.  The RADIUS server should
   send back an Access-Accept to (re-)authorize the session or an
   Access-Reject to refuse to (re-)authorize it.

3.2.  State

   The State Attribute is available to be sent by the RADIUS server to
   the NAS in a CoA-Request packet and MUST be sent unmodified from the
   NAS to the RADIUS server in a subsequent CoA-ACK or CoA-NAK packet.

   [RFC2865] Section 5.44 states:

      An Access-Request MUST contain either a User-Password or a CHAP-
      Password or State.  An Access-Request MUST NOT contain both a
      User-Password and a CHAP-Password.  If future extensions allow
      other kinds of authentication information to be conveyed, the
      attribute for that can be used in an Access-Request instead of
      User-Password or CHAP-Password.

   In order to satisfy the requirements of [RFC2865] Section 5.44, an
   Access-Request with Service-Type="Authorize-Only" MUST contain a
   State attribute.

   In order to provide a State attribute to the NAS, a server sending a
   CoA-Request with a Service-Type value of "Authorize-Only" MUST
   include a State Attribute, and the NAS MUST send the State Attribute
   unmodified to the RADIUS server in the resulting Access-Request, if
   any.  A NAS receiving a CoA-Request containing a Service-Type value
   of "Authorize-Only" but lacking a State attribute MUST send a CoA-NAK
   and SHOULD include an Error-Cause attribute with value 402 (Missing
   Attribute).

   The State Attribute is also available to be sent by the RADIUS server
   to the NAS in a CoA-Request that also includes a Termination-Action
   Attribute with the value of RADIUS-Request.  If the client performs
   the Termination-Action by sending a new Access-Request upon
   termination of the current session, it MUST include the State
   Attribute unchanged in that Access-Request.  In either usage, the
   client MUST NOT interpret the Attribute locally.  A CoA-Request
   packet must have only zero or one State Attribute.  Usage of the
   State Attribute is implementation dependent.
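To make the NAS-side rules in Sections 3.1 and 3.2 concrete, here is an added example (my own code, not text from the draft, the list, or any RADIUS implementation) that models what a NAS does with an "Authorize Only" CoA-Request: it verifies the Request Authenticator and silently discards on mismatch, returns a CoA-NAK with Error-Cause 405, 401 or 402 for the unsupported, extra-attribute and missing-State cases, and on success returns the CoA-NAK carrying Service-Type and 507 together with the Access-Request it would originate, State copied unmodified and a Message-Authenticator appended as RFC 2869 prescribes. Packet codes, attribute types and Error-Cause values are the standard registered ones; the shared secret, NAS name and session data in `demo()` are constructed, and the helper names (`nas_handle_coa`, `server_build_coa`, `get_attr`, and so on) are this example's own. For brevity the Access-Request reuses the CoA identifier; a real NAS would allocate its own.

```python
"""NAS-side handling of an "Authorize Only" CoA-Request (Sections 3.1 and 3.2).
Added example, not code from the draft or any RADIUS implementation.  Codes,
attribute types and Error-Cause values are the standard ones; the shared
secret, NAS name and session data in demo() are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, COA_REQUEST, COA_NAK = 1, 43, 45           # packet codes
USER_NAME, NAS_IP_ADDRESS, SERVICE_TYPE, FILTER_ID = 1, 4, 6, 11
STATE, NAS_IDENTIFIER, ACCT_SESSION_ID = 24, 32, 44        # attribute types
MESSAGE_AUTHENTICATOR, ERROR_CAUSE = 80, 101
AUTHORIZE_ONLY = 17                                        # Service-Type value
UNSUPPORTED_ATTRIBUTE, MISSING_ATTRIBUTE = 401, 402        # Error-Cause values
UNSUPPORTED_SERVICE, REQUEST_INITIATED = 405, 507
NAS_ID_ATTRS = {NAS_IP_ADDRESS, NAS_IDENTIFIER}            # the only attributes allowed
SESSION_ID_ATTRS = {USER_NAME, ACCT_SESSION_ID}            # next to Service-Type and State
SECRET = b"constructed-shared-secret"                      # sample value, not from the draft

def u32(n):
    return struct.pack("!I", n)

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        t, ln = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + ln]))
        i += ln
    return attrs

def get_attr(packet, atype):
    return next((v for t, v in decode_attrs(packet[20:]) if t == atype), None)

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def server_build_coa(ident, secret, attrs):
    """CoA-Request; Request Authenticator = MD5(Code+ID+Length+16 zeros+Attrs+Secret)."""
    pkt = build_packet(COA_REQUEST, ident, b"\0" * 16, attrs)
    return pkt[:4] + hashlib.md5(pkt + secret).digest() + pkt[20:]

def add_message_authenticator(packet, secret):
    """Append Message-Authenticator (RFC 2869): HMAC-MD5 keyed with the shared
    secret over the whole packet, the attribute's own value set to zeros."""
    unsigned = (packet[:2] + struct.pack("!H", len(packet) + 18) + packet[4:]
                + struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + b"\0" * 16)
    return unsigned[:-16] + hmac.new(secret, unsigned, hashlib.md5).digest()

def verify_message_authenticator(packet, secret):
    attrs = decode_attrs(packet[20:])
    mac = next((v for t, v in attrs if t == MESSAGE_AUTHENTICATOR), None)
    if mac is None or len(mac) != 16:
        return False
    zeroed = [(t, b"\0" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    expected = hmac.new(secret, packet[:20] + encode_attrs(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(mac, expected)

def nas_handle_coa(packet, secret, supports_authorize_only=True):
    """Return (CoA reply, Access-Request or None); (None, None) means 'discard'."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], decode_attrs(packet[20:length])
    expected = hashlib.md5(packet[:4] + b"\0" * 16 + packet[20:length] + secret).digest()
    if code != COA_REQUEST or not hmac.compare_digest(req_auth, expected):
        return None, None                  # bad Request Authenticator: silently discard
    by_type = {}
    for t, v in attrs:
        by_type.setdefault(t, []).append(v)

    def nak(cause, extra=()):              # ResponseAuth = MD5(Code+ID+Len+ReqAuth+Attrs+Secret)
        a = list(extra) + [(ERROR_CAUSE, u32(cause))]
        if STATE in by_type:               # Section 3.2: State goes back unmodified
            a.append((STATE, by_type[STATE][0]))
        reply = build_packet(COA_NAK, ident, req_auth, a)
        return reply[:4] + hashlib.md5(reply + secret).digest() + reply[20:]

    service = by_type.get(SERVICE_TYPE, [None])[0]
    if service != u32(AUTHORIZE_ONLY):
        raise NotImplementedError("ordinary CoA processing is outside this example")
    if not supports_authorize_only:
        return nak(UNSUPPORTED_SERVICE), None
    if any(t not in NAS_ID_ATTRS | SESSION_ID_ATTRS | {SERVICE_TYPE, STATE} for t, _ in attrs):
        return nak(UNSUPPORTED_ATTRIBUTE), None
    if STATE not in by_type:
        return nak(MISSING_ATTRIBUTE), None
    # Success: CoA-NAK with Service-Type and 507, then a fresh Access-Request
    # carrying State plus the NAS/session identification from the CoA-Request.
    reply = nak(REQUEST_INITIATED, [(SERVICE_TYPE, service)])
    fwd = [(SERVICE_TYPE, service), (STATE, by_type[STATE][0])]
    fwd += [(t, v) for t, v in attrs if t in NAS_ID_ATTRS | SESSION_ID_ATTRS]
    access = build_packet(ACCESS_REQUEST, ident, os.urandom(16), fwd)  # random RequestAuth
    return reply, add_message_authenticator(access, secret)

def demo():
    """Constructed exchange: the server asks the NAS to re-authorize one session."""
    coa = server_build_coa(7, SECRET, [(SERVICE_TYPE, u32(AUTHORIZE_ONLY)),
                                       (STATE, b"\x01\x02\x03\x04"),   # opaque to the NAS
                                       (NAS_IDENTIFIER, b"nas-example"),
                                       (USER_NAME, b"alice"), (ACCT_SESSION_ID, b"0000A1B2")])
    return nas_handle_coa(coa, SECRET)
```

Two points worth noting when reading this against the draft text: the State value is echoed both in the CoA-NAK (Section 3.2's "unmodified in a subsequent CoA-ACK or CoA-NAK") and in the Access-Request, and the Access-Request gets a Message-Authenticator because it carries no User-Password, CHAP-Password, ARAP-Password or EAP-Message, which is exactly the case RFC 2869 Section 5.19 warns about. The order of the checks (unsupported service, then disallowed attributes, then missing State) is a choice of this example; the draft only says which NAK each condition produces.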