
RE: Additional comments on draft-ietf-radext-management-authorization-03.txt



Following up on an open issue:

> > Section 12
> >
> > Within the document, the CoA-Request is mentioned, but the table
> > does not describe which attributes can be included in CoA or
> > Disconnect Request, ACK or NAK packets.  Is it accurate to assume
> > that none of the attributes defined in this document can be
> > contained in a CoA or Disconnect packet?
> 
> Good question.  I need to think about this for a bit.

I've taken the time to re-read RFC 5176.  It's not entirely clear to me if
and how Dynamic Authorization ought to apply to NAS management.  There's a
clear and straightforward application for Disconnect-Request, to terminate a
management session for administrative reasons.

I'm a little less clear that there is an application for
Change-of-Authorization for management sessions.  One could well imagine
possible, hypothetical use cases, of course.  The question remains whether
there is an actual user requirement to be met.  OTOH, I see no reason to
explicitly prohibit the usage of Dynamic Authorization with NAS Management
Authorization, especially if such usage is entirely optional.

RFC 5176 Section 2.3 (page 9, second to last paragraph) requests that future
documents defining RADIUS attributes specify the nature of their usage in
CoA or Disconnect messages, and whether each attribute can be used as a
session identifier, for session provisioning, or for both.

I will take a stab at that, and hereby solicit WG feedback on the proposal.

Add the following text to Section 12 (as currently numbered):

Change-of-Authorization Messages

   Request   ACK   NAK    #     Attribute

      0       0     0   TBA-2   Framed-Management-Protocol
      0       0     0   TBA-3   Management-Transport-Protection
      0-1     0     0   TBA-4   Management-Policy-Id (Note 2)
      0-1     0     0   TBA-5   Management-Privilege-Level (Note 2)


Disconnect Messages

   Request   ACK   NAK    #     Attribute

      0-1     0     0   TBA-2   Framed-Management-Protocol (Note 1)
      0-1     0     0   TBA-3   Management-Transport-Protection (Note 1)
      0       0     0   TBA-4   Management-Policy-Id
      0       0     0   TBA-5   Management-Privilege-Level



(Note 1) Where NAS or session identification attributes are included
   in Disconnect-Request or CoA-Request packets, they are used for
   identification purposes only.  These attributes MUST NOT be used for
   purposes other than identification (e.g., within CoA-Request packets
   to request authorization changes).

(Note 2) When included within a CoA-Request, these attributes
   represent an authorization change request.  When one of these
   attributes is omitted from a CoA-Request, the NAS assumes that the
   attribute value is to remain unchanged.  Attributes included in a
   CoA-Request replace all existing values of the same attribute(s).


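As an added illustration of the proposed tables and notes (this is example code written here, not part of the draft or the list post), the following NAS-side logic checks the per-attribute occurrence limits and applies the Note 1 and Note 2 semantics to a management session. The session contents and attribute values are constructed sample data.

```python
"""NAS-side handling of CoA-Request and Disconnect-Request for a management
session, following the attribute tables and notes proposed for Section 12."""

# Maximum occurrences of each attribute in a Request, per the proposed tables:
# 0 means the attribute MUST NOT appear, 1 means at most one instance (0-1).
COA_REQUEST_MAX = {
    "Framed-Management-Protocol": 0,
    "Management-Transport-Protection": 0,
    "Management-Policy-Id": 1,
    "Management-Privilege-Level": 1,
}
DISCONNECT_REQUEST_MAX = {
    "Framed-Management-Protocol": 1,
    "Management-Transport-Protection": 1,
    "Management-Policy-Id": 0,
    "Management-Privilege-Level": 0,
}
# Note 2: only these attributes carry an authorization change in a CoA-Request.
AUTHORIZATION_ATTRS = ("Management-Policy-Id", "Management-Privilege-Level")
# Note 1: these identify the session and are never used to change authorization.
IDENTIFICATION_ATTRS = ("Framed-Management-Protocol", "Management-Transport-Protection")

# Constructed sample session state; the values are illustrative only.
SESSION = {
    "Framed-Management-Protocol": "NETCONF",
    "Management-Transport-Protection": "Integrity-Confidentiality-Protection",
    "Management-Policy-Id": "operator",
    "Management-Privilege-Level": 5,
}

def disallowed(attrs, table):
    """Return the attributes whose occurrence count exceeds the table limit."""
    counts = {}
    for name, _ in attrs:
        counts[name] = counts.get(name, 0) + 1
    return [n for n, c in counts.items() if n in table and c > table[n]]

def apply_coa_request(session, attrs):
    """Return ("ACK", updated session) or ("NAK", reason) for a CoA-Request.
    `attrs` is the packet's attribute list as (name, value) pairs."""
    bad = disallowed(attrs, COA_REQUEST_MAX)
    if bad:
        return "NAK", "not permitted or repeated in CoA-Request: %s" % bad
    updated = dict(session)
    for name, value in attrs:
        if name in AUTHORIZATION_ATTRS:
            updated[name] = value  # Note 2: included value replaces the existing one
    return "ACK", updated          # omitted attributes remain unchanged

def handle_disconnect_request(session, attrs):
    """Return ("ACK", None) or ("NAK", reason) for a Disconnect-Request."""
    bad = disallowed(attrs, DISCONNECT_REQUEST_MAX)
    if bad:
        return "NAK", "not permitted or repeated in Disconnect-Request: %s" % bad
    for name, value in attrs:  # Note 1: identifiers only select the session
        if name in IDENTIFICATION_ATTRS and session.get(name) != value:
            return "NAK", "%s does not match the session" % name
    return "ACK", None
```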
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>