Issue 298: Extended Attributes Restrictions
Submitter name: Bernard Aboba
Submitter email address: bernard_aboba@hotmail.com
Date first submitted: December 14, 2008
Reference:
Document: EXTENDED
Comment type: Technical
Priority: S
Section: Various
Rationale/Explanation of issue:
RFC 2866 Section 5.13 states:
The following table provides a guide to which attributes may be found in Accounting-Request packets. No attributes should be found in Accounting-Response packets except Proxy-State and possibly Vendor-Specific.
Given that RADIUS Extended Attributes are VSAs, the question arises as to whether they are allowed in Accounting-Responses or not. My take would be "no" -- they should be treated like RADIUS standard attributes.
In RFC 5176, VSAs are listed as not permitted within CoA-ACK, CoA-NAK, Disconnect-ACK or Disconnect-NAK packets. They are listed as "0+" within CoA-Request and Disconnect-Request packets, however:
(Note 7) Within Disconnect-Request packets, Vendor-Specific Attributes (VSAs) MAY be used for session identification. Within CoA-Request packets, VSAs MAY be used for either session identification or authorization change. However, the same Attribute MUST NOT be used for both purposes simultaneously.
So, do the restrictions on VSA usage apply to Extended Attributes as well?
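The restrictions quoted above can be expressed as a packet check. The following is an added example, not part of the original issue or of any RADIUS implementation: it parses a packet's attributes and flags VSAs in the RFC 5176 reply packets and non-permitted attributes in Accounting-Response, with `strict=True` modelling the "no" reading for Extended Attributes. `EXT_VENDOR_ID` is a placeholder assumption for whatever Vendor-Id identifies Extended Attributes; `check`, `build` and `vsa` are hypothetical names, and the sample packets are constructed.

```python
import struct

VSA, PROXY_STATE, ACCT_RESPONSE = 26, 33, 5
# RFC 5176 reply packets in which VSAs are listed as not permitted.
NO_VSA = {41: "Disconnect-ACK", 42: "Disconnect-NAK", 44: "CoA-ACK", 45: "CoA-NAK"}
EXT_VENDOR_ID = 99999  # placeholder (assumption): Vendor-Id marking Extended Attributes

def attributes(packet):
    """Return [(type, value)] from a RADIUS packet; ValueError on bad framing."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("Length field inconsistent with packet size")
    out, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        out.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return out

def check(packet, ext_vendor_id=EXT_VENDOR_ID, strict=True):
    """List restriction violations; strict=True models the "no" reading."""
    attrs = attributes(packet)
    code, findings = packet[0], []
    for atype, value in attrs:
        is_ext = (atype == VSA and len(value) >= 4
                  and struct.unpack("!I", value[:4])[0] == ext_vendor_id)
        if atype == VSA and code in NO_VSA:
            findings.append(f"VSA in {NO_VSA[code]}")
        elif code == ACCT_RESPONSE and atype == VSA:
            if is_ext and strict:
                findings.append("Extended Attribute in Accounting-Response")
        elif code == ACCT_RESPONSE and atype != PROXY_STATE:
            findings.append(f"attribute {atype} in Accounting-Response")
    return findings

def build(code, attrs):
    """Constructed sample packet: zero authenticator, attrs = [(type, value)]."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

def vsa(vendor_id, data=b"\x01\x03x"):
    """Constructed Vendor-Specific attribute: 4-octet Vendor-Id plus opaque data."""
    return (VSA, struct.pack("!I", vendor_id) + data)
```

With `strict=False` an Extended Attribute in an Accounting-Response is treated like any other VSA, which is the alternative reading the issue asks about.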