[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Issue: Consolidation of "Authorize Only" Text
Issue: Consolidation of "Authorize Only" Text
Submitter name: Bernard Aboba
Submitter email address: aboba@internaut.com
Date first submitted: May 26, 2007
Reference:
Document: RFC3576bis-06
Comment type: Editorial
Priority: S
Section: 3.2, 4
Rationale/Explanation of issue:
Currently text relating to "Authorize Only" usage is included within Section 4 as well as Section 3.1. Having normative text in two places makes the document harder to read, and also can potentially introduce contradictions.
The proposed resolution is as follows:
Change the following paragraph in Section 4 from:
" To simplify translation between RADIUS and Diameter, a server
compliant with this specification MAY include a Service-Type
Attribute with value "Authorize Only" within a CoA-Request. Such a
CoA-Request MUST contain a State Attribute. A NAS supporting the
"Authorize Only" Service-Type within a CoA-Request responds with a
CoA-NAK containing a Service-Type Attribute with value "Authorize
Only", and an Error-Cause Attribute with value "Request Initiated".
The NAS will then send an Access-Request containing a Service-Type
Attribute with a value of "Authorize Only", along with a State
Attribute. A Diameter/RADIUS gateway receiving a CoA-Request
containing a Service-Type with value "Authorize Only" translates this
to a RAR with Re-Auth-Request-Type AVP with value "AUTHORIZE ONLY".
The received RAA is then translated to a CoA-NAK with a Service-Type
value of "Authorize Only". If the Result-Code AVP in the RAA has a
value in the success category, then an Error-Cause Attribute with
value "Request Initiated" is included in the CoA-NAK. If the
Result-Code AVP in the RAA has a value indicating a Protocol Error or
a Transient or Permanent Failure, then an alternate Error-Cause
Attribute is returned as suggested below."
To:
" To simplify translation between RADIUS and Diameter, Dynamic
Authorization Clients can include a Service-Type Attribute with value
"Authorize Only" within a CoA-Request, as described in Section 3.2.
A Diameter/RADIUS gateway receiving a CoA-Request containing a
Service-Type with value "Authorize Only" translates this to a RAR
with Re-Auth-Request-Type AVP with value "AUTHORIZE ONLY". The
received RAA is then translated to a CoA-NAK with a Service-Type
value of "Authorize Only". If the Result-Code AVP in the RAA has a
value in the success category, then an Error-Cause Attribute with
value "Request Initiated" is included in the CoA-NAK. If the
Result-Code AVP in the RAA has a value indicating a Protocol Error or
a Transient or Permanent Failure, then an alternate Error-Cause
Attribute is returned as suggested below."
Change Section 3.2 from:
"3.2. Authorize Only
Support for a CoA-Request including a Service-Type Attribute with
value "Authorize Only" is OPTIONAL on the NAS and RADIUS server. A
Service-Type Attribute MUST NOT be included within a Disconnect-
Request.
A NAS MUST respond to a CoA-Request including a Service-Type
Attribute with value "Authorize Only" with a CoA-NAK; a CoA-ACK MUST
NOT be sent. If the NAS does not support a Service-Type value of
"Authorize Only" then it MUST respond with a CoA-NAK; an Error-Cause
value of 405 (Unsupported Service) SHOULD be included.
A CoA-Request containing a Service-Type Attribute with value
"Authorize Only" MUST in addition contain only NAS or session
identification attributes, as well as a State Attribute. If other
attributes are included in such a CoA-Request, a CoA-NAK MUST be
sent; an Error-Cause Attribute with value 401 (Unsupported Attribute)
SHOULD be included.
If a CoA-Request packet including a Service-Type value of "Authorize
Only" is successfully processed, the NAS MUST respond with a CoA-NAK
containing a Service-Type Attribute with value "Authorize Only", and
an Error-Cause Attribute with value 507 (Request Initiated). The NAS
then MUST send an Access-Request to the RADIUS server including a
Service-Type Attribute with value "Authorize Only". This Access-
Request SHOULD contain the NAS identification attributes from the
CoA-Request, as well as the session identification attributes from
the CoA-Request legal for inclusion in an Access-Request as specified
in [RFC2865], [RFC2868], [RFC2869] and [RFC3162]. As noted in
[RFC2869] Section 5.19, a Message-Authenticator attribute SHOULD be
included in an Access-Request that does not contain a User-Password,
CHAP-Password, ARAP-Password or EAP-Message Attribute. The RADIUS
server then will respond to the Access-Request with an Access-Accept
to (re-)authorize the session or an Access-Reject to refuse to
(re-)authorize it."
To:
"3.2 Authorize Only
Support for a CoA-Request including a Service-Type Attribute with
value "Authorize Only" is OPTIONAL on the NAS and Dynamic
Authorization Client. A Service-Type Attribute MUST NOT be included
within a Disconnect-Request.
A NAS MUST respond to a CoA-Request including a Service-Type
Attribute with value "Authorize Only" with a CoA-NAK; a CoA-ACK MUST
NOT be sent. If the NAS does not support a Service-Type value of
"Authorize Only" then it MUST respond with a CoA-NAK; an Error-Cause
value of 405 (Unsupported Service) SHOULD be included.
A CoA-Request containing a Service-Type Attribute with value
"Authorize Only" MUST in addition contain only NAS or session
identification attributes, as well as a State Attribute. If other
attributes are included in such a CoA-Request, a CoA-NAK MUST be
sent; an Error-Cause Attribute with value 401 (Unsupported Attribute)
SHOULD be included.
If a CoA-Request packet including a Service-Type value of "Authorize
Only" is successfully processed, the NAS MUST respond with a CoA-NAK
containing a Service-Type Attribute with value "Authorize Only", and
an Error-Cause Attribute with value 507 (Request Initiated). The NAS
then MUST send an Access-Request to the RADIUS server including a
Service-Type Attribute with value "Authorize Only", along with a
State Attribute. This Access-Request SHOULD contain the NAS
identification attributes from the CoA-Request, as well as the
session identification attributes from the CoA-Request legal for
inclusion in an Access-Request as specified in [RFC2865], [RFC2868],
[RFC2869] and [RFC3162]. As noted in [RFC2869] Section 5.19, a
Message-Authenticator attribute SHOULD be included in an Access-
Request that does not contain a User-Password, CHAP-Password, ARAP-
Password or EAP-Message Attribute. The RADIUS server
then will respond to the Access-Request with an Access-Accept to
(re-)authorize the session or an Access-Reject to refuse to
(re-)authorize it."