[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: RFC 3576bis Question: DAC and RADIUS server not co-located

To: aland@nitros9.org
Subject: Re: RFC 3576bis Question: DAC and RADIUS server not co-located
From: "Bernard Aboba" <bernard_aboba@hotmail.com>
Date: Fri, 28 Sep 2007 13:26:29 -0700
Bcc:
Cc: radiusext@ops.ietf.org
In-reply-to: <46FCA2AD.1070905@nitros9.org>

Bernard Aboba wrote:
> What happens if the DAC and RADIUS server are not co-located?

  The simplest thing to do is to have the DAC send the CoA to the RADIUS
server, which then sends it to the NAS.  The RADIUS server can add
information such as State.

>  Is that
> viable in situations where a Service-Type="Authorize Only" is used on a
> CoA-Request?

  I can see it being useful.  The issue for me is that RADIUS is
normally controlling the users session information.  If a DAC sends
requests directly to the NAS, then it is out of the normal AAA policy.
By proxying through the RADIUS server, it gains capabilities (i.e.
adding State), and works through the normal AAA process.


This also solves the problem of allowing the RPF check to function.

> However, the Access-Request is received by the RADIUS server, not the
> DAC that sent the State Attribute.  Are we assuming that the RADIUS
> server is able to validate a State Attribute sent by the DAC?

  If that is possible, how this is done is out of scope.

> Or perhaps that the DAC will provide the NAS with a State Attribute
> obtained from the RADIUS server?

  It would be easier to have the DAC proxy through the RADIUS server,
which would in turn supply a State in the CoA packet.

Yes, I think this makes sense. Can you suggest some text that would makethis clear?

> Since the DAC needs access to a database of State in order to track
> sessions, that database could contain the required State attribute.

  The RADIUS server already tracks sessions.  I would recommend against
DACs re-implementing that.

Some how the DAC needs to know which NAS to send the CoA/Disconnect-Requestto, correct?

  I understand that this proposed architecture may limit certain
implementations, but it should make implementations much easier, too.


That would be good.



--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

Follow-Ups:
- Re: RFC 3576bis Question: DAC and RADIUS server not co-located
  - From: Alan DeKok <aland@nitros9.org>

References:
- Re: RFC 3576bis Question: DAC and RADIUS server not co-located
  - From: Alan DeKok <aland@nitros9.org>

Prev by Date: Re: RFC 3576bis Question: DAC and RADIUS server not co-located
Next by Date: RE: Vendor-Id for radext extended attributes
Previous by thread: Re: RFC 3576bis Question: DAC and RADIUS server not co-located
Next by thread: Re: RFC 3576bis Question: DAC and RADIUS server not co-located
Index(es):
- Date
- Thread