
Re: [Technical Errata Reported] RFC5176 (2012)



Avi Lior wrote:
> yes.  But the danger here is that the NAS may not understand the attributes that are offering the alternate (limiting) service and would interpret the response as a full access-accept.

  I agree.  Access-Accept means "let them on the network", and only
*partially* "give them limited services".  There are just too many
unknowns around NAS behavior to over-load Access-Accept.

> If the NAS did not indicate support for the new attributes, then an Access-Reject may be the correct response.

  Many systems use Reply-Message as feedback for failed
authentication, e.g. "Password expired".

  I'm ambivalent about using Error-Cause.  I don't see many major
problems with it.  But it does extend the meaning of Access-Reject past
"go away, and I'm not telling you why".

  In this case, Error-Cause seems to be a substitute for an
administrator actually knowing the NAS capabilities, and configuring
them properly.  This would seem to be most useful for global proxy chains.

  Alan DeKok.

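The behaviour the thread is arguing about, modelled in code as an added example (not from the list archive or any RADIUS implementation): a NAS that follows RFC 2865 and silently ignores attribute types it does not know will treat an Access-Accept carrying an unknown "limiting" attribute as full access, while an Access-Reject with Reply-Message and Error-Cause is unambiguous to old and new NASes alike. The limiting attribute type 224 (implementation-specific range) and the zeroed Response Authenticator are constructed for the example.

```python
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
REPLY_MESSAGE = 18                      # RFC 2865
ERROR_CAUSE = 101                       # RFC 5176
ERROR_CAUSE_UNSUPPORTED_SERVICE = 405   # RFC 5176 value
LIMITED_SERVICE = 224                   # hypothetical: implementation-specific type range, unknown to an old NAS

def build_response(code, attrs, ident=1):
    """Encode a RADIUS response: 20-byte header followed by Type/Length/Value attributes.
    The Response Authenticator is left zeroed; this is a constructed sample, not a signed packet."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

def parse_response(pkt):
    """Return (code, [(type, value), ...]); reject bad lengths instead of reading past the packet."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length > len(pkt) or length < 20:
        raise ValueError("bad packet length")
    attrs, pos = [], 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return code, attrs

def nas_decision(pkt, known_types):
    """Model a NAS that, per RFC 2865 section 5, silently ignores attribute types it does not know."""
    code, attrs = parse_response(pkt)
    known = {t: v for t, v in attrs if t in known_types}
    if code == ACCESS_REJECT:
        msg = known.get(REPLY_MESSAGE, b"").decode("utf-8", "replace")
        cause = struct.unpack("!I", known[ERROR_CAUSE])[0] if ERROR_CAUSE in known else None
        return ("reject", msg, cause)
    if code == ACCESS_ACCEPT:
        # An old NAS never sees LIMITED_SERVICE here, so it grants full access.
        return ("limited", known[LIMITED_SERVICE].decode(), None) if LIMITED_SERVICE in known else ("full", "", None)
    return ("ignore", "", None)

def demo():
    old_nas = {REPLY_MESSAGE, ERROR_CAUSE}            # predates the limiting attribute
    new_nas = old_nas | {LIMITED_SERVICE}
    accept = build_response(ACCESS_ACCEPT, [(LIMITED_SERVICE, b"walled-garden")])
    reject = build_response(ACCESS_REJECT, [(REPLY_MESSAGE, b"Password expired"),
                                            (ERROR_CAUSE, struct.pack("!I", ERROR_CAUSE_UNSUPPORTED_SERVICE))])
    return nas_decision(accept, old_nas), nas_decision(accept, new_nas), nas_decision(reject, old_nas)

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```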
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>