
Re: Is provisioning services in Accounting-Request packets bad?



David B. Nelson wrote:
> What does the provisioning system do with the information and how does it relate the result back to the NAS?

  It creates FW rules for the user.  It does *not* relay the result back
to the NAS.

> What entity sends the Accounting-Request, the NAS or the RADIUS server?  You use "it" and I'm unclear what "it" refers to.

  The NAS sends an Access-Request to the RADIUS server.  The RADIUS
server originates the Accounting-Request.

  The *intent* appears to be that waiting the extra 1/10s for the NAS to
originate the Accounting-Request would be a catastrophic delay.  The
"network setup" side of the user session needs to be done before the
Access-Accept is received by the NAS.

  The "simplest" way to do this is to overload RADIUS.

> Well, I personally think that provisioning services via an Accounting-Request is bad, but I don't yet see how the NAS is actually being provisioned by a request message.  What is fairly common practice is to build resource management systems around RADIUS Accounting.  Is that the sort of thing you're talking about?

  I can understand making decisions (e.g. Disconnect-Request) on
reception of an Accounting-Request packet.  i.e. "user is over 2G, kick
them off of the net".

  The above discussion isn't that.  It's the RADIUS server *fabricating*
an Accounting-Request packet for a user session, because it's faster to
do it that way than to wait for the NAS.

  Alan DeKok.

--
archive: <http://psg.com/lists/radiusext/>