RE: review of "Issues and Fixes"
Well, I think issues and fixes should define the term authentication
attribute.
Authentication attributes contain the information required to
authenticate the user. Examples are: User-Password, CHAP-Password,
ARAP-Password and EAP-Message.
Regarding Message-Authenticator -- based on your response, I don't
think that Message-Authenticator is an authentication attribute because
it does not contain information required to authenticate the user.
Message-Authenticator's purpose is to protect the packet.
I think that "Other kinds of Authentication Information" must refer to
other kinds of user authentication information.
But if I am wrong, then this is another grey area that needs to be
plugged up.
-----Original Message-----
From: Bernard Aboba [mailto:bernard_aboba@hotmail.com]
Sent: Monday, August 20, 2007 10:43 AM
To: Avi Lior
Cc: radiusext@ops.ietf.org
Subject: RE: review of "Issues and Fixes"
> As defined in [RFC 2865] Table 5.44, Access-Request packets MAY
> contain a State attribute. We extend that definition here, to say
> that Access-Request packets that contain an authentication attribute
> or a Service-Type attribute with the value Call Check (10) MAY
> contain a State attribute. Access-Request packets not matching the
> above description MUST contain a State attribute.
>
>The term authentication attribute is not defined. What is an
>authentication attribute? Is Message-Authenticator an authentication
>attribute?
RFC 2865, Section 4.1 says:
" An Access-Request MUST contain either a User-Password or a CHAP-
Password or a State. An Access-Request MUST NOT contain both a
User-Password and a CHAP-Password. If future extensions allow
other kinds of authentication information to be conveyed, the
attribute for that can be used in an Access-Request instead of
User-Password or CHAP-Password."
RFC 2869 Section 2.2 says:
" Only one of User-Password, CHAP-Password, or ARAP-Password needs to
be present in an Access-Request, or one or more EAP-Messages.
If the RADIUS server does not support ARAP it SHOULD return an
Access-Reject to the NAS."
Based on this, User-Password, CHAP-Password, EAP-Message and
ARAP-Password should fall in the list of authentication attributes.
Based on RFC 4590, a Digest-Response Attribute also qualifies. Not sure
whether Message-Authenticator falls into "other kinds of authentication
information."
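The rule under discussion can be stated as a check over an Access-Request's attribute list. The following is an added example, not code from the "Issues and Fixes" draft or from either correspondent; it encodes the reading the thread converges on (User-Password, CHAP-Password, ARAP-Password, EAP-Message and Digest-Response count as authentication attributes, Message-Authenticator does not), using the attribute type codes from RFC 2865, RFC 2869 and RFC 4590. The function names, the sample attribute payloads and the placeholder values are constructed for illustration.

```python
"""Check a RADIUS Access-Request attribute list against the State rule
quoted in the thread. Added illustration; not code from the draft or
from any RADIUS implementation."""
import struct
from typing import Dict, List, Tuple

# Attribute type codes (RFC 2865, RFC 2869, RFC 4590).
USER_PASSWORD = 2
CHAP_PASSWORD = 3
SERVICE_TYPE = 6
STATE = 24
ARAP_PASSWORD = 70
EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80
DIGEST_RESPONSE = 103
SERVICE_TYPE_CALL_CHECK = 10  # Service-Type value "Call Check"

# Attributes carrying the information needed to authenticate the user, as
# the thread enumerates them. Message-Authenticator is deliberately absent:
# it protects the packet rather than authenticating the user.
AUTHENTICATION_ATTRIBUTES: Dict[int, str] = {
    USER_PASSWORD: "User-Password",
    CHAP_PASSWORD: "CHAP-Password",
    ARAP_PASSWORD: "ARAP-Password",
    EAP_MESSAGE: "EAP-Message",
    DIGEST_RESPONSE: "Digest-Response",
}


def parse_attributes(payload: bytes) -> List[Tuple[int, bytes]]:
    """Walk the Type/Length/Value attributes that follow the 20-byte RADIUS
    header. A Length below 2 or beyond the buffer is rejected rather than
    skipped: a zero Length would otherwise make this loop spin forever."""
    attrs: List[Tuple[int, bytes]] = []
    pos = 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs


def is_well_formed(payload: bytes) -> bool:
    """True when every attribute TLV in the payload parses cleanly."""
    try:
        parse_attributes(payload)
        return True
    except ValueError:
        return False


def evaluate(payload: bytes) -> dict:
    """Apply the quoted draft text: with an authentication attribute or
    Service-Type = Call Check present, State MAY appear; otherwise State
    MUST appear. Also reports the RFC 2865 Section 4.1 rule that
    User-Password and CHAP-Password never appear together."""
    attrs = parse_attributes(payload)
    auth_found = [AUTHENTICATION_ATTRIBUTES[t] for t, _ in attrs
                  if t in AUTHENTICATION_ATTRIBUTES]
    has_state = any(t == STATE for t, _ in attrs)
    call_check = any(
        t == SERVICE_TYPE and len(v) == 4
        and struct.unpack("!I", v)[0] == SERVICE_TYPE_CALL_CHECK
        for t, v in attrs)
    has_msg_auth = any(t == MESSAGE_AUTHENTICATOR for t, _ in attrs)
    state_required = not auth_found and not call_check

    problems = []
    if state_required and not has_state:
        problems.append("no authentication attribute, no Call Check, "
                        "and no State attribute")
    if "User-Password" in auth_found and "CHAP-Password" in auth_found:
        problems.append("User-Password and CHAP-Password both present")
    return {
        "authentication_attributes": auth_found,
        "has_state": has_state,
        "call_check": call_check,
        "has_message_authenticator": has_msg_auth,
        "state_required": state_required,
        "problems": problems,
    }


def build_attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type (1 byte), Length (1 byte), Value."""
    return bytes([atype, len(value) + 2]) + value


# Constructed sample attribute payloads (packet header omitted; the
# password and HMAC bytes are zero placeholders, not real values).
SAMPLE_USER_PASSWORD = (build_attr(USER_PASSWORD, b"\x00" * 16)
                        + build_attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))
SAMPLE_ONLY_MSG_AUTH = build_attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
SAMPLE_CALL_CHECK = build_attr(SERVICE_TYPE,
                               struct.pack("!I", SERVICE_TYPE_CALL_CHECK))
SAMPLE_STATE_ONLY = build_attr(STATE, b"constructed-state")
SAMPLE_BOTH_PASSWORDS = (build_attr(USER_PASSWORD, b"\x00" * 16)
                         + build_attr(CHAP_PASSWORD, b"\x01" + b"\x00" * 16))

if __name__ == "__main__":
    for name, payload in [("user-password", SAMPLE_USER_PASSWORD),
                          ("only-msg-auth", SAMPLE_ONLY_MSG_AUTH),
                          ("call-check", SAMPLE_CALL_CHECK),
                          ("state-only", SAMPLE_STATE_ONLY),
                          ("both-passwords", SAMPLE_BOTH_PASSWORDS)]:
        print(name, evaluate(payload)["problems"])
```

The `only-msg-auth` sample is the case the thread turns on: a request carrying Message-Authenticator but no user-authentication attribute, no Call Check and no State is flagged, because Message-Authenticator is kept out of `AUTHENTICATION_ATTRIBUTES`. Moving it into that dictionary is the one-line change that would implement the opposite reading.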
archive: <http://psg.com/lists/radiusext/>