FW: review of "Issues and Fixes"
Forwarding to the list...
From: Avi Lior [mailto:avi@bridgewatersystems.com]
Sent: Monday, August 20, 2007 8:03 AM
To: aland@freeradius.org; d.b.nelson@comcast.net; Bernard Aboba
Subject: review of "Issues and Fixes"
First comment:
In the following text:
    As defined in [RFC 2865] Table 5.44, Access-Request packets MAY
    contain a State attribute. We extend that definition here, to say
    that Access-Request packets that contain an authentication attribute
    or a Service-Type attribute with the value Call Check (10) MAY
    contain a State attribute. Access-Request packets not matching the
    above description MUST contain a State attribute.
The term authentication attribute is not defined. What is an authentication
attribute? Is Message-Authenticator an authentication attribute?
Second Comment:
The State attribute is needed to be included in an Access-Request with
Service-Type set to "Authorize-Only".
Currently it is not clear how the State attribute is available at the NAS.
In the case of COA we are very explicit. Currently 2865 states:
    This Attribute(State) is available to be sent by the server to the client
    in an Access-Accept that also includes a Termination-Action
    Attribute with the value of RADIUS-Request.
The assumption here is that Termination-Action can trigger another
Access-Request and thus we want to use the State attribute to link them
together. However, today a NAS can send an Access-Request with Service-Type
Authorize-Only for other reasons. Thus it would be helpful to allow a
State attribute to be included in an Access-Accept period.
I would suggest the following text or something similar for Issues and
Fixes.
    A RADIUS server MAY include the State attribute in an Access-Accept. A
    RADIUS server MUST include the State attribute in an Access-Accept if it is
    anticipated that the RADIUS client will generate an Access-Request with
    Service-Type set to "Authorize-Only".
========================
Avi Lior
Bridgewater Systems Corporation
Phone : +1 (613) 591-9104 x6417
Cell : +1 (613) 796-4183
E-mail : mailto:avi@bridgewatersystems.com
www.bridgewatersystems.com
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>