Re: Issue 226: RFC 3576bis and Renumbering

[Alan DeKok <aland@nitros9.org>]

Avi Lior wrote:
> [Avi] Yes I agree that it "can" be used.  But Alan seems to make it
> mandatory.

  To clarify: If Acct-Session-Id is improper for any reason, we should
create a new session identification attribute specifically for this use.

> [Avi] I agree that the IP Address is not *required*.  I think that
> nothing should be *required*  because different scenarios will use
> different session identifiers.

  How does the CoA client know what to send as session identifiers?  How
does the recipient of the CoA message know what to do, given that the
session identifiers you talk about can apply to many sessions?

  My proposal involves  mandating a new session key.  This key ensures
that everyone agrees which session the CoA request applies to.  I would
recommend *also* using Acct-Session-Id, because it applies to the
individual sessions you want to control.

  Every single session you want to control can be individually addressed
using those two keys.  There is no need for a guesswork: "try CUI, or
maybe Framed-IP-Address, or maybe something else will work".

  If those two keys are NOT sufficient, then I again question how RADIUS
is being used to control sessions it knows nothing about.

>  Furthermore, I think they should be used
> in combination.  For example, User-Name + Accounting Session Id to
> delete the session associated with Accounting session id is better
> practice then just using Accounting Session Id.  

  And for sessions that don't have User-Name, which attribute do you
choose, and why?  That's why I suggest using a new key.  It avoids all
of the problems with guessing which attribute will be accepted by the
NAS as a session key.

  Alan DeKok.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>