[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Question on draft-ietf-radext-management-authorization-04.txt

Subject: RE: Question on draft-ietf-radext-management-authorization-04.txt
From: "David B. Nelson" <dnelson@elbrysnetworks.com>
Date: Fri, 11 Jul 2008 15:48:16 -0400
Cc: <radiusext@ops.ietf.org>
In-reply-to: <Pine.LNX.4.64.0807111224280.3167@internaut.com>
Organization: Elbrys Networks, Inc.
References: <Pine.LNX.4.64.0807102313240.30663@internaut.com> <01d801c8e351$a301a7f0$6401a8c0@NEWTON603> <Pine.LNX.4.64.0807110635470.501@internaut.com> <75F159F3CDB946CA91F48C99323A0FF1@xpsuperdvd2> <Pine.LNX.4.64.0807111224280.3167@internaut.com>

> So I think we're talking about trying to dis-ambiguate a situation
> where there is a valid User-Name attribute, but perhaps multiple
> sessions associated with that.  It might be worth quoting some
> text from RFC 5176 regarding the recommended NAS and session 
> identification attributes, since it might not necessarily be 
> obvious that an Access-Request for a management session should
> necessarily have a NAS-Port/NAS-Port-Id + Acct-Session-Id 
> associated with it.

I can remove the Framed-Management-Protocol and
Management-Transport-Protection Attributes from usage as "session
identifiers" for Dynamic Authorization and quote chapter and verse from RFC
5176 as to what SHOULD be used as "session identifiers".

I think that will cover the "80% problem" without introducing too many
opportunities for odd behaviors and wild-card usages.

The only reason that I could see for a NAS to not include the appropriate
session identifier attributes in an Access-Request message would be if the
NAS implementation didn't assign identifiers until it processed the
Access-Accept message, i.e. didn't want to assign IDs to sessions that may
never materialize, or the NAS implementation didn't support RADIUS
accounting, and thus had no notion of session identifiers.

Do we need to add some wiggle room to cover those corner cases?



--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

References:
- Question on draft-ietf-radext-management-authorization-04.txt
  - From: Bernard Aboba <aboba@internaut.com>
- RE: Question on draft-ietf-radext-management-authorization-04.txt
  - From: "David B. Nelson" <d.b.nelson@comcast.net>
- RE: Question on draft-ietf-radext-management-authorization-04.txt
  - From: Bernard Aboba <aboba@internaut.com>
- RE: Question on draft-ietf-radext-management-authorization-04.txt
  - From: "David B. Nelson" <dnelson@elbrysnetworks.com>
- RE: Question on draft-ietf-radext-management-authorization-04.txt
  - From: Bernard Aboba <aboba@internaut.com>

Prev by Date: RE: Question on draft-ietf-radext-management-authorization-04.txt
Next by Date: RE: Question on draft-ietf-radext-management-authorization-04.txt
Previous by thread: RE: Question on draft-ietf-radext-management-authorization-04.txt
Next by thread: RE: Question on draft-ietf-radext-management-authorization-04.txt
Index(es):
- Date
- Thread