[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Re-auth failure

To: "'David B. Nelson'" <dnelson@elbrysnetworks.com>, <radiusext@ops.ietf.org>
Subject: RE: Re-auth failure
From: "Alper Yegin" <alper.yegin@yegin.org>
Date: Fri, 7 Mar 2008 18:54:11 +0200
In-reply-to: <001201c8806c$5f15d9f0$1f0a0a0a@xpsuperdvd2>

Thank you for the response.

> > Shouldn't the network have the option to let the host stay connected
> > until the expiration of the currently granted session, if it chooses
> > to?
> 
> I suppose that depends on whether one considers the responses of the
> RADIUS
> Server to be authoritative or merely advisory.  One can construct
> reasonable
> use cases to support either notion, 

For example, if the user is on a pre-paid account and his credit has reached
0 yet still has 1 more hour to go with the current session, that left-over
time shall not be taken away from him just because his "request to extend"
the session was not granted. [I don't know pre-paid support well enough to
say whether this is already taken care of by some means.]

> although historically we have
> considered
> the responses of the RADIUS Server to be authoritative.
> 
> If the Access-Reject was caused by a transient failure somewhere in the
> system, including the back-end authentication service, one might want to
> allow a customer to finish out his pre-allocated session time.  If the
> Access-Reject was caused by a system administrator's action to de-
> authorize
> a user (maybe an employee who is about to be fired), one would almost
> certainly want the session to be terminated upon a failed re-
> authentication.

That makes sense. AAA server can have its own reasons for expecting
different outcomes from issuing Access-Reject. But how does the NAS know how
to react to receiving an Access-Reject? Unless some auxiliary info is
provided to the NAS, it cannot know the real intention of the AAA when
issuing the reject. I wonder if there are such cases where a RADIUS
attribute is used for helping NAS make the right decision.

Thank you.

Alper




> 
> 
> 
> --
> to unsubscribe send a message to radiusext-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive: <http://psg.com/lists/radiusext/>


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

Follow-Ups:
- RE: Re-auth failure
  - From: Avi Lior <avi@bridgewatersystems.com>
- RE: Re-auth failure
  - From: "Glen Zorn" <glenzorn@comcast.net>

References:
- RE: Re-auth failure
  - From: "David B. Nelson" <dnelson@elbrysnetworks.com>

Prev by Date: Re: Re-auth failure
Next by Date: RE: Re-auth failure
Previous by thread: RE: Re-auth failure
Next by thread: RE: Re-auth failure
Index(es):
- Date
- Thread