Re: Re-auth failure
Alper Yegin wrote:
> Shouldn't the network have the option to let the host stay connected until
> the expiration of the currently granted session, if it chooses to? If so, is
> there a different interpretation of the above text, or a different message
> (Access-Accept with EAP-Failure?) recommended?
I tend to agree with David here. RADIUS servers have traditionally
been authoritative, so the user has to be rejected here.

Much of the confusion comes about because RADIUS has traditionally had
no definition of what a "session" is. In this case, the server *is*
authoritative for a session. However, it's unclear whether or not the
second session is related to the first, if at all.

NASes have traditionally made fail-safe decisions: If they receive an
Access-Reject for an authentication tied to one MAC address, that MAC
address is denied access. This happens even if there are other
"sessions" tied to that MAC which may still have access rights.
Alan DeKok.
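
The fail-safe handling described in the message above, next to the alternative raised in the quoted question, as an added example that is not part of the original post and not taken from any real NAS. `ToyNas`, `Session`, the session ids and the MAC addresses are constructed for illustration.

```python
from dataclasses import dataclass

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3  # RADIUS packet codes (RFC 2865)

@dataclass
class Session:
    session_id: str          # constructed identifier, local to this toy model
    mac: str
    expires_at: int          # second at which the currently granted session ends
    authorized: bool = True

class ToyNas:
    """Hypothetical NAS model: sessions are tracked one by one, access is per MAC."""

    def __init__(self, fail_safe: bool):
        self.fail_safe = fail_safe
        self.sessions: dict[str, Session] = {}

    def grant(self, session: Session) -> None:
        self.sessions[session.session_id] = session

    def on_reauth_reply(self, code: int, session_id: str) -> list[str]:
        """Apply the reply to a re-authentication; return the revoked session ids."""
        if code != ACCESS_REJECT:
            return []
        if not self.fail_safe:
            # Alternative from the quoted question: keep the grant until it expires.
            return []
        # Fail-safe: the reject is applied to the MAC, not to a single session.
        mac = self.sessions[session_id].mac
        revoked = [s for s in self.sessions.values() if s.mac == mac and s.authorized]
        for s in revoked:
            s.authorized = False
        return sorted(s.session_id for s in revoked)

    def has_access(self, mac: str, now: int) -> bool:
        return any(s.mac == mac and s.authorized and now < s.expires_at
                   for s in self.sessions.values())

def run(fail_safe: bool) -> tuple[list[str], bool, bool]:
    nas = ToyNas(fail_safe)
    # Constructed sample: two sessions on one MAC, one session on another MAC.
    nas.grant(Session("s1", "00:11:22:33:44:55", expires_at=3600))
    nas.grant(Session("s2", "00:11:22:33:44:55", expires_at=7200))
    nas.grant(Session("s3", "66:77:88:99:aa:bb", expires_at=3600))
    revoked = nas.on_reauth_reply(ACCESS_REJECT, "s1")  # re-auth of s1 is rejected
    return (revoked, nas.has_access("00:11:22:33:44:55", 1800),
            nas.has_access("66:77:88:99:aa:bb", 1800))
```

With `fail_safe=True` the reject for `s1` also revokes `s2` on the same MAC; with `fail_safe=False` both sessions keep access until their own `expires_at`.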