Issue: Consolidation of "Authorize Only" Text



Issue:  Consolidation of "Authorize Only" Text
Submitter name: Bernard Aboba
Submitter email address: aboba@internaut.com
Date first submitted: May 26, 2007
Reference:
Document: RFC3576bis-06
Comment type: Editorial
Priority: S
Section: 3.2, 4
Rationale/Explanation of issue:

Currently text relating to "Authorize Only" usage is included within Section 4 as well as Section 3.1.  Having normative text in two places makes the document harder to read, and also can potentially introduce contradictions.    

The proposed resolution is as follows:

Change the following paragraph in Section 4 from:

"  To simplify translation between RADIUS and Diameter, a server
compliant with this specification MAY include a Service-Type
Attribute with value "Authorize Only" within a CoA-Request. Such a
CoA-Request MUST contain a State Attribute. A NAS supporting the
"Authorize Only" Service-Type within a CoA-Request responds with a
CoA-NAK containing a Service-Type Attribute with value "Authorize
Only", and an Error-Cause Attribute with value "Request Initiated".
The NAS will then send an Access-Request containing a Service-Type
Attribute with a value of "Authorize Only", along with a State
Attribute. A Diameter/RADIUS gateway receiving a CoA-Request
containing a Service-Type with value "Authorize Only" translates this
to a RAR with Re-Auth-Request-Type AVP with value "AUTHORIZE ONLY".
The received RAA is then translated to a CoA-NAK with a Service-Type
value of "Authorize Only". If the Result-Code AVP in the RAA has a
value in the success category, then an Error-Cause Attribute with
value "Request Initiated" is included in the CoA-NAK. If the
Result-Code AVP in the RAA has a value indicating a Protocol Error or
a Transient or Permanent Failure, then an alternate Error-Cause
Attribute is returned as suggested below."

To:

" To simplify translation between RADIUS and Diameter, Dynamic
Authorization Clients can include a Service-Type Attribute with value
"Authorize Only" within a CoA-Request, as described in Section 3.2.
A Diameter/RADIUS gateway receiving a CoA-Request containing a
Service-Type with value "Authorize Only" translates this to a RAR
with Re-Auth-Request-Type AVP with value "AUTHORIZE ONLY". The
received RAA is then translated to a CoA-NAK with a Service-Type
value of "Authorize Only". If the Result-Code AVP in the RAA has a
value in the success category, then an Error-Cause Attribute with
value "Request Initiated" is included in the CoA-NAK. If the
Result-Code AVP in the RAA has a value indicating a Protocol Error or
a Transient or Permanent Failure, then an alternate Error-Cause
Attribute is returned as suggested below."

Change Section 3.2 from:
"3.2.  Authorize Only

Support for a CoA-Request including a Service-Type Attribute with
value "Authorize Only" is OPTIONAL on the NAS and RADIUS server. A
Service-Type Attribute MUST NOT be included within a Disconnect-
Request.

A NAS MUST respond to a CoA-Request including a Service-Type
Attribute with value "Authorize Only" with a CoA-NAK; a CoA-ACK MUST
NOT be sent. If the NAS does not support a Service-Type value of
"Authorize Only" then it MUST respond with a CoA-NAK; an Error-Cause
value of 405 (Unsupported Service) SHOULD be included.

A CoA-Request containing a Service-Type Attribute with value
"Authorize Only" MUST in addition contain only NAS or session
identification attributes, as well as a State Attribute. If other
attributes are included in such a CoA-Request, a CoA-NAK MUST be
sent; an Error-Cause Attribute with value 401 (Unsupported Attribute)
SHOULD be included.

If a CoA-Request packet including a Service-Type value of "Authorize
Only" is successfully processed, the NAS MUST respond with a CoA-NAK
containing a Service-Type Attribute with value "Authorize Only", and
an Error-Cause Attribute with value 507 (Request Initiated). The NAS
then MUST send an Access-Request to the RADIUS server including a
Service-Type Attribute with value "Authorize Only". This Access-
Request SHOULD contain the NAS identification attributes from the
CoA-Request, as well as the session identification attributes from
the CoA-Request legal for inclusion in an Access-Request as specified
in [RFC2865], [RFC2868], [RFC2869] and [RFC3162]. As noted in
[RFC2869] Section 5.19, a Message-Authenticator attribute SHOULD be
included in an Access-Request that does not contain a User-Password,
CHAP-Password, ARAP-Password or EAP-Message Attribute. The RADIUS
server then will respond to the Access-Request with an Access-Accept
to (re-)authorize the session or an Access-Reject to refuse to
(re-)authorize it."

To:

"3.2 Authorize Only

 Support for a CoA-Request including a Service-Type Attribute with
value "Authorize Only" is OPTIONAL on the NAS and Dynamic
Authorization Client. A Service-Type Attribute MUST NOT be included
within a Disconnect-Request.

A NAS MUST respond to a CoA-Request including a Service-Type
Attribute with value "Authorize Only" with a CoA-NAK; a CoA-ACK MUST
NOT be sent. If the NAS does not support a Service-Type value of
"Authorize Only" then it MUST respond with a CoA-NAK; an Error-Cause
value of 405 (Unsupported Service) SHOULD be included.

A CoA-Request containing a Service-Type Attribute with value
"Authorize Only" MUST in addition contain only NAS or session
identification attributes, as well as a State Attribute. If other
attributes are included in such a CoA-Request, a CoA-NAK MUST be
sent; an Error-Cause Attribute with value 401 (Unsupported Attribute)
SHOULD be included.

If a CoA-Request packet including a Service-Type value of "Authorize
Only" is successfully processed, the NAS MUST respond with a CoA-NAK
containing a Service-Type Attribute with value "Authorize Only", and
an Error-Cause Attribute with value 507 (Request Initiated). The NAS
then MUST send an Access-Request to the RADIUS server including a
Service-Type Attribute with value "Authorize Only", along with a
State Attribute. This Access-Request SHOULD contain the NAS
identification attributes from the CoA-Request, as well as the
session identification attributes from the CoA-Request legal for
inclusion in an Access-Request as specified in [RFC2865], [RFC2868],
[RFC2869] and [RFC3162]. As noted in [RFC2869] Section 5.19, a
Message-Authenticator attribute SHOULD be included in an Access-
Request that does not contain a User-Password, CHAP-Password, ARAP-
Password or EAP-Message Attribute. The RADIUS server
then will respond to the Access-Request with an Access-Accept to
(re-)authorize the session or an Access-Reject to refuse to
(re-)authorize it."
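
The NAS-side handling laid out in the proposed Section 3.2 text, as an added example that is not part of the original message or of the draft. It takes an already-parsed CoA-Request as a dict of attribute names to values; the function and class names, the short list of identification attributes, the tolerated integrity attributes, and the use of Error-Cause 402 for a missing State Attribute are assumptions, since the quoted text does not specify them.

```python
from dataclasses import dataclass
from typing import Optional

AUTHORIZE_ONLY = "Authorize Only"
# Error-Cause values 401, 405 and 507 are the ones quoted in Section 3.2.
UNSUPPORTED_ATTRIBUTE, UNSUPPORTED_SERVICE, REQUEST_INITIATED = 401, 405, 507
MISSING_ATTRIBUTE = 402  # assumption: the text names no Error-Cause for a missing State

# Assumption: illustrative subset of NAS/session identification attributes.
IDENT = frozenset({"NAS-IP-Address", "NAS-Identifier", "NAS-IPv6-Address",
                   "User-Name", "NAS-Port", "Framed-IP-Address",
                   "Calling-Station-Id", "Called-Station-Id", "Acct-Session-Id"})
# Assumption: integrity/replay attributes are tolerated, not counted as "other".
TOLERATED = frozenset({"Message-Authenticator", "Event-Timestamp"})

@dataclass
class Decision:
    reply: str                             # Section 3.2 never permits a CoA-ACK here
    reply_attrs: dict
    access_request: Optional[dict] = None  # follow-up Access-Request, if initiated
    add_message_authenticator: bool = False

def _nak(error_cause, extra=()):
    return Decision("CoA-NAK", {"Error-Cause": error_cause, **dict(extra)})

def handle_coa_request(attrs, supports_authorize_only=True):
    """Return the NAS decision for a parsed CoA-Request (attribute name -> value)."""
    if attrs.get("Service-Type") != AUTHORIZE_ONLY:
        return None  # ordinary CoA processing, outside Section 3.2
    if not supports_authorize_only:
        return _nak(UNSUPPORTED_SERVICE)
    other = set(attrs) - IDENT - TOLERATED - {"Service-Type", "State"}
    if other:
        return _nak(UNSUPPORTED_ATTRIBUTE)
    if "State" not in attrs:
        return _nak(MISSING_ATTRIBUTE)
    decision = _nak(REQUEST_INITIATED, {"Service-Type": AUTHORIZE_ONLY})
    # Carry over identification attributes and State, as Section 3.2 requires.
    request = {k: v for k, v in attrs.items() if k in IDENT}
    request.update({"Service-Type": AUTHORIZE_ONLY, "State": attrs["State"]})
    decision.access_request = request
    # No User-Password/CHAP-Password/ARAP-Password/EAP-Message is present, so the
    # encoder should add Message-Authenticator (RFC 2869 Section 5.19).
    decision.add_message_authenticator = True
    return decision

# Constructed sample request; the values are made up for illustration.
SAMPLE = {"Service-Type": AUTHORIZE_ONLY, "State": b"\x01\x02\x03",
          "NAS-IP-Address": "192.0.2.1", "Acct-Session-Id": "sess-42"}
```
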