RE: Issue 298

["D. B. Nelson" <d.b.nelson@comcast.net>]

> Issue 298 -- This issue relates to whether Extended Attributes are
> treated like VSAs or not.  For implementations of this document, the
answer
> is probably "no" -- they are treated like any other standard attribute.

I heartily agree!

> However, for implementations that don't support Extended Attributes,
> the answer is probably "yes" -- which has implications for 
> Accounting-Responses (where VSAs are permitted, but few standard
attributes)
> and Disconnect-Responses (where VSAs may only be used for session
identification).

I think we want to be very careful here.  The correct behavior for
implementations that have not included the Extended Attribute functionality
is to treat them as unrecognized / unknown VSAs, and to ignore them.  They
may be logged in some fashion, of course.  Whether they should be included
in RADIUS Accounting or Dynamic RADIUS packets as "unknown attributes" is
open to debate.

What I think should not happen is for Extended Attributes to be
"selectively" understood.  The implementation either "groks" the Extended
Attribute format, in which case the rules for standard attributes (or SDO
Specific Attributes) apply, or it simply sees them as unrecognized / unknown
VSAs, in which case the rules for unknown attributes apply.  We should not
encourage implementations to treat them as unknown for one purpose but known
for another.

> So one question is whether this implies that a NAS should signal its
> support for Extended Attributes in the Access-Request in some way -- 
> so as to make it clear to the RADIUS server how those attributes would
> be interpreted.  

I think we should make that feature a MUST.



--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>