
Re: RFC 3576bis Question: DAC and RADIUS server not co-located



Glen Zorn wrote:
> How is that possible, given that there is no "logoff" message in RADIUS?
> Surely you mean that the RADIUS _Accounting_ server tracks sessions, no?

  Sure.  In most systems deploying CoA, I expect that there will be a
strong relationship between CoA, authentication, and accounting systems.

> OK, I give: how does the DAC even know that there is a session to modify if
> it has no access to session state?

  If the DAC client is co-located, or has access to the session DB,
there's no problem.

  Otherwise (as was discussed here), the DAC may be trying to
disconnect a TCP session, or an IP session based on data in the IP
traffic.  The DAC can send the IP session information to the RADIUS
server, which uses its database to discover the underlying RADIUS
session.  It can then send a properly formatted CoA to the NAS.

  The NAS may not be able to ascertain the RADIUS session solely from IP
parameters, because it may need additional information (port, VLAN, etc.).

  Alan DeKok.

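The flow described in the message above, written out as an added example (not code from the thread or from any RADIUS implementation): the DAC knows only an IP address seen in traffic, hands it to a component with access to the accounting server's session table, which resolves the underlying RADIUS session and builds a Disconnect-Request for the NAS per RFC 3576, with the Request Authenticator computed over the packet and the shared secret. The session table, the shared secret and the NAS reply are all constructed here; the attribute set used to identify the session (User-Name, NAS-IP-Address, NAS-Port, Framed-IP-Address, Acct-Session-Id) is one reasonable choice, not a mandated one. The lookup also shows the caveat from the last paragraph: when an IP address alone matches more than one session, the caller must supply NAS port (or similar) to disambiguate rather than guess.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import List, Optional

# Packet codes from RFC 3576 (Dynamic Authorization Extensions to RADIUS).
DISCONNECT_REQUEST = 40
DISCONNECT_ACK = 41
DISCONNECT_NAK = 42
COA_REQUEST = 43

# Attribute types (RFC 2865 / RFC 2866) used to identify the session.
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT = 5
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_ACCT_SESSION_ID = 44


@dataclass(frozen=True)
class Session:
    """One row of the accounting server's session table (constructed data)."""
    user_name: str
    nas_ip: str
    nas_port: int
    framed_ip: str
    acct_session_id: str


# Constructed accounting state. alice and carol share a Framed-IP-Address on
# different NASes (e.g. overlapping private ranges), so IP alone is ambiguous.
SESSION_DB: List[Session] = [
    Session("alice", "192.0.2.10", 7, "10.1.2.3", "A1B2C3"),
    Session("bob",   "192.0.2.10", 9, "10.1.2.4", "D4E5F6"),
    Session("carol", "192.0.2.11", 7, "10.1.2.3", "778899"),
]


class AmbiguousSession(Exception):
    """Raised when the supplied IP parameters match more than one session."""


def lookup_session(framed_ip: str, nas_ip: Optional[str] = None,
                   nas_port: Optional[int] = None) -> Optional[Session]:
    """Resolve IP-level information to a RADIUS session, or None if unknown."""
    matches = [s for s in SESSION_DB if s.framed_ip == framed_ip]
    if nas_ip is not None:
        matches = [s for s in matches if s.nas_ip == nas_ip]
    if nas_port is not None:
        matches = [s for s in matches if s.nas_port == nas_port]
    if not matches:
        return None
    if len(matches) > 1:
        # Do not pick one at random: disconnecting the wrong user is a real outage.
        raise AmbiguousSession(f"{len(matches)} sessions match {framed_ip}; "
                               "supply NAS-IP-Address/NAS-Port to disambiguate")
    return matches[0]


def _avp(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute (Length counts the 2-octet header)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _ip4(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_disconnect_request(session: Session, identifier: int, secret: bytes) -> bytes:
    """Build a Disconnect-Request identifying the session found in the DB."""
    attrs = (_avp(ATTR_USER_NAME, session.user_name.encode())
             + _avp(ATTR_NAS_IP_ADDRESS, _ip4(session.nas_ip))
             + _avp(ATTR_NAS_PORT, struct.pack("!I", session.nas_port))
             + _avp(ATTR_FRAMED_IP_ADDRESS, _ip4(session.framed_ip))
             + _avp(ATTR_ACCT_SESSION_ID, session.acct_session_id.encode()))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    # RFC 3576 sec. 3: Request Authenticator =
    #   MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def nas_reply(code: int, request: bytes, secret: bytes) -> bytes:
    """Simulated NAS side: an attribute-less ACK/NAK for the given request."""
    header = struct.pack("!BBH", code, request[1], 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """DAC side: accept a reply only if it is bound to our request and secret."""
    if len(response) < 20:
        return False
    _code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # placeholder, not a real deployment value
    target = lookup_session("10.1.2.3", nas_ip="192.0.2.10")
    req = build_disconnect_request(target, identifier=1, secret=secret)
    ack = nas_reply(DISCONNECT_ACK, req, secret)
    print(target.user_name, "->", "ACK verified" if verify_response(ack, req, secret) else "reject")
```

Only the lookup step needs the accounting database; the packet builder takes a resolved session, which is why a DAC without its own session state can still delegate that one step to the RADIUS/accounting side and emit a correctly identified request afterwards.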
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>