Re: Re-auth failure
If we are talking about EAP, then Re-authentication is driven by the
authenticator.
RFC 3579 states that this occurs on expiration of the Session-Timeout value,
so that the maximum session time has already been utilized by the time it
occurs.
Therefore if the user fails authentication, they have no remaining time left
on the session.
--------------------------------------------------
From: "Alper Yegin" <alper.yegin@yegin.org>
Sent: Friday, March 07, 2008 7:48 AM
To: <radiusext@ops.ietf.org>
Subject: Re-auth failure
RFC 3579 says:
Reception of a RADIUS Access-Reject packet MUST result in the NAS denying
access to the authenticating peer.
Consider a host that is already authenticated and authorized for network
access. If it performs re-authentication say 1 hour before the session
timeout and fails authentication (EAP-Failure), should the NAS disconnect
the host from the network immediately? According to the RFC 3579 text, it
MUST eject the host immediately.
Shouldn't the network have the option to let the host stay connected until
the expiration of the currently granted session, if it chooses to? If so, is
there a different interpretation of the above text, or a different message
(Access-Accept with EAP-Failure?) recommended?
Thanks.
Alper
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>