[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Technical Errata Reported] RFC5176 (2012)

To: Dave Nelson <d.b.nelson@comcast.net>
Subject: Re: [Technical Errata Reported] RFC5176 (2012)
From: Avi Lior <avi@bridgewatersystems.com>
Date: Tue, 26 Jan 2010 09:33:35 -0500
Accept-language: en-US
Acceptlanguage: en-US
Cc: Alan DeKok <aland@deployingradius.com>, Bernard Aboba <bernard_aboba@hotmail.com>, "radiusext@ops.ietf.org" <radiusext@ops.ietf.org>
In-reply-to: <961AD7B27D16457D8965FFDF4E0CBE72@NEWTON603>
References: <20100126034315.877E0E069A@rfc-editor.org> <BLU137-DS63201FA85B1EB2023A16F935E0@phx.gbl> <F6CA0D4D-D907-4006-BEB8-2ADD60CC7C4A@bridgewatersystems.com> <BLU137-DS32A85C4C06C8C70515CF1935E0@phx.gbl> <6F6D3274-B824-4464-89D0-785314BE710A@bridgewatersystems.com> <488708FB24E5481BBA7A13FE2756CCFB@NEWTON603> <0ACD7907-4B44-4C88-B870-6BA1710F2B6C@bridgewatersystems.com> <4B5EF128.8070300@deployingradius.com> <961AD7B27D16457D8965FFDF4E0CBE72@NEWTON603>

The summary for this discussion is:

-Access-Accept should be used as defined by 5080.
-However there are dangers - which a capability negotiation could have solved.
-Error-Cause is for protocol errors mostly.  Having said that it does have a an Error Code 501 "Administratively Prohibited" which would be a stretch to call a protocol error.

Regarding the Errata. I still think it should be issued because it is not that obvious where Error-Cause can be included.  But we know.

-IANA should have clear instruction on how to extend Error-Cause.  Currently i dont think they do.

-Unless i am missing something, except for values 0-199 and 300-399, the RFCs do not reserve unused values for Error-Cause -- and then we wonder why people just grab numbers.

-It would have been useful to allow VSA to be included in Access-Reject. So at least an SDO can return an Error-Cause of their own or even Authorization-Failure-Cause or Authentication-Failure-Cause instead of hacking the Reply-Message attribute.




On 26-01-2010, at 21:51 , Dave Nelson wrote:

>> There are just too many unknowns around NAS behavior to over-load
>> Access-Accept.
> 
> I don't think anyone has suggested over-loading Access-Accept.  If use as
> originally intended, to provision service, it works just fine, at least if
> the service is described in the Service-Type attribute.
> 
> After all, RADIUS is not about answering authorization questions from NASes,
> it's about identifying users and *telling* them what service they get, based
> on their identity, and contextual hints from the NAS.
> 
> 


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

Follow-Ups:
- Re: [Technical Errata Reported] RFC5176 (2012)
  - From: "David B. Nelson" <dnelson@elbrysnetworks.com>

References:
- RE: [Technical Errata Reported] RFC5176 (2012)
  - From: "Bernard Aboba" <bernard_aboba@hotmail.com>
- Re: [Technical Errata Reported] RFC5176 (2012)
  - From: Avi Lior <avi@bridgewatersystems.com>
- RE: [Technical Errata Reported] RFC5176 (2012)
  - From: "Bernard Aboba" <bernard_aboba@hotmail.com>
- Re: [Technical Errata Reported] RFC5176 (2012)
  - From: Avi Lior <avi@bridgewatersystems.com>
- RE: [Technical Errata Reported] RFC5176 (2012)
  - From: "Dave Nelson" <d.b.nelson@comcast.net>
- Re: [Technical Errata Reported] RFC5176 (2012)
  - From: Avi Lior <avi@bridgewatersystems.com>
- Re: [Technical Errata Reported] RFC5176 (2012)
  - From: Alan DeKok <aland@deployingradius.com>
- RE: [Technical Errata Reported] RFC5176 (2012)
  - From: "Dave Nelson" <d.b.nelson@comcast.net>

Prev by Date: Re: [Technical Errata Reported] RFC5176 (2012)
Next by Date: Re: [Technical Errata Reported] RFC5176 (2012)
Previous by thread: Re: [Technical Errata Reported] RFC5176 (2012)
Next by thread: Re: [Technical Errata Reported] RFC5176 (2012)
Index(es):
- Date
- Thread