RFC 3576bis Question: DAC and RADIUS server not co-located

["Bernard Aboba" <bernard_aboba@hotmail.com>]

A while back, we had a question about how RFC 3576bis works in the situation 
where the DAC and RADIUS server are not co-located.  Before RFC 3576bis goes 
to final IESG review, I just wanted to make sure that we haven't missed 
something.

Section 3.3 states:

  "In order to satisfy the requirements of [RFC2865] Section 5.44, an
  Access-Request with Service-Type="Authorize-Only" MUST contain a
  State attribute.

  In order to provide a State attribute to the NAS, a Dynamic
  Authorization Client sending a CoA-Request with a Service-Type value
  of "Authorize-Only" MUST include a State Attribute, and the NAS MUST
  send the State Attribute unmodified to the RADIUS server in the
  resulting Access-Request, if any. "

What happens if the DAC and RADIUS server are not co-located?  Is that 
viable in situations where a Service-Type="Authorize Only" is used on a 
CoA-Request?

Let us assume that the DAC sends a State Attribute as specified above, and 
that the NAS sends an Access-Request with Service-Type="Authorize-Only" 
containing that State Attribute.

However, the Access-Request is received by the RADIUS server, not the DAC 
that sent the State Attribute.  Are we assuming that the RADIUS server is 
able to validate a State Attribute sent by the DAC?
Or perhaps that the DAC will provide the NAS with a State Attribute obtained 
from the RADIUS server?

Since the DAC needs access to a database of State in order to track 
sessions, that database could contain the required State attribute.



--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>