
RE: RADEXT Issue 256 (NAS management Authorization)




> When a NAS receives a Framed-Management-Protocol attribute in an
> Access-Accept packet, it MUST deliver that specified form of management
> access or disconnect the session. If the NAS does not support the
> provisioned management application-layer protocol, or the management access
> protocol requested by the user does not match that of the
> Framed-Management-Protocol attribute in the Access-Accept packet, the NAS
> must treat the response packet as if it had been an Access-Reject.

[BA] Should this be "MUST"?  Presumably if the NAS supports the new Service-Type,
then it is also required to understand the Framed-Management-Protocol attribute
and take the above action in response to an unsupportable value. 

> It is RECOMMENDED that the NAS include an appropriately valued
> Management-Transport-Protection attribute in Access-Request packet,
                                                                     ^an

> indicating the level of transport protection for the management access being
> requested, when that information is available to the RADIUS Client. The
> RADIUS Server MAY use this hint attribute in making its authorization
> decision.
>
> The RADIUS Server MAY include a Management-Transport-Protection attribute in
> an Access-Accept packet that also includes a Service-Type attribute with a
> value of Framed-Management, when the RADIUS Server chooses to enforce a
> management access security policy for the authenticated user, that dictates
> a minimum level of transport security.
>
> When a NAS receives a Management-Transport-Protection attribute in an
> Access-Accept packet, it MUST deliver the management access over a transport
> with equal or better protection characteristics or disconnect the session.
> If the NAS does not support protected management transport protocols, or the
> level of protection available does not match that of the
> Management-Transport-Protection attribute in the Access-Accept packet, the
> NAS must treat the response packet as if it had been an Access-Reject.

"must" -> "MUST" as above.

Also, I'd suggest capitalizing the word "Attribute" when referring to a specific
attribute, as was the custom in RFC 2865.


> So, you're suggesting that I not expect IANA to search through the document
> for all the (TBA) placeholders, but rather enumerate all the requests here?
> OK, I can do that in version -03.

Yes.  This makes it easier for them.
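
The NAS-side decision described in the quoted draft text (unsupported or mismatched Framed-Management-Protocol, or transport protection below the provisioned Management-Transport-Protection level, is treated exactly like an Access-Reject) can be written as a small fail-closed authorization routine. The following is an added example for illustration, not code from the draft, the RADEXT working group, or the author of this mail; the attribute names follow the quoted text, while the numeric values of the protection levels, their ordering, the set of protocols the NAS supports and the sample sessions are assumptions constructed for the example.

```python
"""NAS-side handling of a Framed-Management Access-Accept, written as an
illustration of the rules quoted above (added example; not draft or WG code).
Attribute names follow the quoted draft text; numeric values, level ordering
and the supported-protocol set are assumptions made for this example."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class TransportProtection(IntEnum):
    # Assumed ordering: a higher value means stronger protection, so a plain
    # integer comparison answers "equal or better protection characteristics".
    NO_PROTECTION = 1
    INTEGRITY = 2
    INTEGRITY_CONFIDENTIALITY = 3


@dataclass(frozen=True)
class ManagementSession:
    """What the user asked the NAS for, and what the NAS can deliver."""
    requested_protocol: str                              # e.g. "NETCONF" (constructed)
    available_protection: Optional[TransportProtection]  # None when the NAS cannot tell


@dataclass(frozen=True)
class AccessAccept:
    """Only the attributes that take part in the decision."""
    service_type: str
    framed_management_protocol: Optional[str] = None
    management_transport_protection: Optional[TransportProtection] = None


# Protocols this hypothetical NAS can deliver (constructed for the example).
NAS_SUPPORTED_PROTOCOLS = frozenset({"NETCONF", "SNMP", "SCP"})


def access_request_hint(session):
    """Attributes the NAS adds to the Access-Request.  The RECOMMENDED
    Management-Transport-Protection hint is sent only when the NAS actually
    knows the protection level it can offer for this session."""
    attrs = [("Service-Type", "Framed-Management")]
    if session.available_protection is not None:
        attrs.append(("Management-Transport-Protection", session.available_protection))
    return attrs


def authorize(accept, session, supported=NAS_SUPPORTED_PROTOCOLS):
    """Apply the quoted MUST rules to an Access-Accept.

    Returns ("deliver", detail) when the NAS may provide the access, otherwise
    ("reject", reason).  Every failure path yields "reject", i.e. the NAS
    behaves as if an Access-Reject had been received (fail closed)."""
    if accept.service_type != "Framed-Management":
        return ("reject", "not a Framed-Management authorization")

    proto = accept.framed_management_protocol
    if proto is not None:
        # Provisioned protocol must be one the NAS supports ...
        if proto not in supported:
            return ("reject", f"NAS does not support provisioned protocol {proto}")
        # ... and must be the one the user is actually trying to use.
        if proto != session.requested_protocol:
            return ("reject",
                    f"user requested {session.requested_protocol}, server provisioned {proto}")

    required = accept.management_transport_protection
    if required is not None:
        have = session.available_protection
        have_name = have.name if have is not None else "unknown"
        # An unknown level cannot be shown to be "equal or better": reject.
        if have is None or have < required:
            return ("reject",
                    f"transport protection {have_name} is below required {required.name}")

    return ("deliver",
            f"{session.requested_protocol} with protection "
            f"{session.available_protection.name if session.available_protection else 'unknown'}")


if __name__ == "__main__":
    # Constructed sample: user wants NETCONF over a confidentiality-protected transport.
    session = ManagementSession("NETCONF", TransportProtection.INTEGRITY_CONFIDENTIALITY)
    print(access_request_hint(session))
    print(authorize(AccessAccept("Framed-Management", "NETCONF", TransportProtection.INTEGRITY), session))
    print(authorize(AccessAccept("Framed-Management", "FTP"), session))
```

The two points worth noting for an implementer are that the absence of either attribute in the Access-Accept imposes no constraint (the NAS simply delivers what was requested), and that when a Management-Transport-Protection attribute is present but the NAS cannot establish what protection its transport provides, the only safe reading of "equal or better" is to reject.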