[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Re-auth failure

To: <radiusext@ops.ietf.org>
Subject: RE: Re-auth failure
From: "David B. Nelson" <dnelson@elbrysnetworks.com>
Date: Fri, 7 Mar 2008 11:00:31 -0500
In-reply-to: <0MKp8S-1JXeo13aVb-0003tQ@mrelay.perfora.net>
Organization: Elbrys Networks, Inc.
References: <0MKp8S-1JXeo13aVb-0003tQ@mrelay.perfora.net>

Alper Yegin writes...

> Shouldn't the network have the option to let the host stay connected
> until the expiration of the currently granted session, if it chooses
> to?

I suppose that depends on whether one considers the responses of the RADIUS
Server to be authoritative or merely advisory.  One can construct reasonable
use cases to support either notion, although historically we have considered
the responses of the RADIUS Server to be authoritative.

If the Access-Reject was caused by a transient failure somewhere in the
system, including the back-end authentication service, one might want to
allow a customer to finish out his pre-allocated session time.  If the
Access-Reject was caused by a system administrator's action to de-authorize
a user (maybe an employee who is about to be fired), one would almost
certainly want the session to be terminated upon a failed re-authentication.



--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

Follow-Ups:
- RE: Re-auth failure
  - From: "Alper Yegin" <alper.yegin@yegin.org>

References:
- Re-auth failure
  - From: "Alper Yegin" <alper.yegin@yegin.org>

Prev by Date: Re-auth failure
Next by Date: RE: RADEXT Meeting Slot (was RE: Call for Agenda items for IETF 71 RADEXT WG meeting)
Previous by thread: Re-auth failure
Next by thread: RE: Re-auth failure
Index(es):
- Date
- Thread