Re: RFC 3576bis Question: DAC and RADIUS server not co-located
Yet another revision:
" In order to compose CoA-Request or Disconnect-Request packets, the
DAC is assumed to have access to data (such as NAS and session
identification attributes) which is typically gleaned from RADIUS
authentication or accounting packets. While access to this
information does not require the DAC to be co-located with a RADIUS
server (e.g. the data could be stored in a database accessed by the
DAC), where the DAC is not co-located with a RADIUS server some
information necessary to build a compliant CoA-Request or Disconnect-
Request packet may not be available. For example, as described in
Section 3.3, a CoA-Request packet containing a Service-Type Attribute
with value "Authorize Only" is required to contain a State Attribute
that the NAS will subsequently transmit to the RADIUS server in an
Access-Request. In order for the DAC to include a State Attribute
that the RADIUS server will subsequently accept, some coordination
may be required. In these situations, the DAC SHOULD send CoA-
Request or Disconnect-Request packets to a RADIUS server acting as a
proxy, rather than sending them directly to the NAS. A RADIUS server
receiving a CoA-Request or Disconnect-Request packet from the DAC MAY
then add or update attributes (such as adding NAS or session
identification attributes or appending a State Attribute), prior to
forwarding the packet. Having CoA/Disconnect-Requests forwarded by a
RADIUS server can also enable upstream RADIUS proxies to perform a
Reverse Path Forwarding (RPF) check (see Section 6.1)."
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
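
Added example (not part of the original message or of the draft): a sketch of the proxy behaviour the proposed text describes, where a RADIUS server receives a CoA-Request from a DAC, adds the NAS identification and State attributes the DAC could not supply, and recomputes the Request Authenticator for the NAS hop. The session record, shared secrets, sample values and function names are hypothetical; the packet codes, attribute types and authenticator calculation follow RFC 2865/2866/3576.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43                                  # RFC 3576 packet code
SERVICE_TYPE, STATE, NAS_IDENTIFIER = 6, 24, 32   # RFC 2865 attribute types
AUTHORIZE_ONLY = struct.pack("!I", 17)            # Service-Type "Authorize Only"

def parse_attrs(data):
    """Split the attribute section into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def build(code, ident, attrs, secret):
    """Request Authenticator = MD5(header + 16 zero octets + attributes + secret)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hdr + hashlib.md5(hdr + bytes(16) + body + secret).digest() + body

def verify(packet, secret):
    """Check the length field and Request Authenticator of a received request."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    want = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(want, packet[4:20])

def proxy_forward(packet, dac_secret, nas_secret, session):
    """Validate the DAC's request, add what it could not supply, re-sign for the NAS."""
    if not verify(packet, dac_secret):
        raise ValueError("Request Authenticator check failed")
    attrs = parse_attrs(packet[20:])
    present = {t for t, _ in attrs}
    if NAS_IDENTIFIER not in present:
        attrs.append((NAS_IDENTIFIER, session["nas_id"]))
    if (SERVICE_TYPE, AUTHORIZE_ONLY) in attrs and STATE not in present:
        attrs.append((STATE, session["state"]))   # State the server will accept later
    return build(packet[0], packet[1], attrs, nas_secret)

# Constructed sample: the DAC knows only the user (User-Name, type 1) and Service-Type.
DAC_SECRET, NAS_SECRET = b"dac-proxy-secret", b"proxy-nas-secret"
SESSION = {"nas_id": b"nas-01.example", "state": b"\x01\x02\x03\x04"}
FROM_DAC = build(COA_REQUEST, 7, [(1, b"alice"), (SERVICE_TYPE, AUTHORIZE_ONLY)], DAC_SECRET)
TO_NAS = proxy_forward(FROM_DAC, DAC_SECRET, NAS_SECRET, SESSION)
```

Because the authenticator covers the attributes and a per-hop shared secret, the proxy cannot append attributes without re-signing; the forwarded packet verifies only under the proxy-to-NAS secret.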