[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Request for Review: "Issues and Fixes" changes

To: <radiusext@ops.ietf.org>
Subject: RE: Request for Review: "Issues and Fixes" changes
From: "David B. Nelson" <dnelson@elbrysnetworks.com>
Date: Mon, 20 Aug 2007 16:23:56 -0400
In-reply-to: <BAY117-F3319D56833A106247316D093DB0@phx.gbl>
Organization: Elbrys Networks, Inc.
References: <001901c7e343$0b5e6c80$5d1216ac@xpsuperdvd2> <BAY117-F3319D56833A106247316D093DB0@phx.gbl>

Bernard Aboba writes...

> If I read RFC 2865 correctly, it would seem that an Access-Request
> containing Service-Type="Call-Check" MUST contain a State attribute,
> since this won't contain User-Password, CHAP-Password or any other
> "authentication" attribute".  Now, I'm not sure I understand where
> the NAS is supposed to get the State Attribute from...

Indeed.  This brings to mind one of my favorite sayings regarding software:
"How did this ever work?".

My understanding of the use case for a Access-Request with a Service-Type of
Call-Check is that the Calling-Station-ID (and possibly the
Called-Station-ID) provides the identity of the remote user for the purpose
of a pre-screening authentication, originally used to decide whether the NAS
should accept the call set-up on an ISDN or DSL link, terminating in a modem
pool.  The idea was to avoid tying up a modem, if the user wasn't one of
your authorized customers.  In this use case there can be no valid source of
the State attribute in the NAS.

> ...but that does seem to be what RFC 2865 is saying.

Well, I wonder...
 
> > >    Any Access-Request that does not contain an authentication
> > >    attribute MUST contain a State attribute.  This list of
> > >    authorization parameters is not exhaustive, and may be extended
> > >    in future specifications.
> >
> >In the second sentence, did you mean "authentication" rather than
> >"authorization"?
> 
> This quote came from RFC 2865, so I'm not sure what it means.  
> That's for us to figure out, I guess :)

I'll look at this again, in context, but taken out of context it does seem
confusing.

> That is already in RFC 2865, I believe.

Yes, and we think it's correct!  :-)

> BTW, I believe that there may be some other hints on this in
> RFC 2869. For example, in the ARAP section there is some discussion
> of how NASes that don't support ARAP are supposed to behave.

OK, we can look at that text for any possible guidance.



--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

References:
- RE: Request for Review: "Issues and Fixes" changes
  - From: "David B. Nelson" <dnelson@elbrysnetworks.com>
- RE: Request for Review: "Issues and Fixes" changes
  - From: "Bernard Aboba" <bernard_aboba@hotmail.com>

Prev by Date: RE: Request for Review: "Issues and Fixes" changes -- Call-Check.
Next by Date: RE: Request for Review: "Issues and Fixes" changes -- Call-Check.
Previous by thread: RE: Request for Review: "Issues and Fixes" changes
Next by thread: RE: Request for Review: "Issues and Fixes" changes
Index(es):
- Date
- Thread