Re: ssh authentication and service authorization questions
Bernard Aboba wrote:
> Several ideas come to mind:
Or use Service-Type = Authorize-Only?
It's intended for CoA, but there's no technical reason it couldn't be
used here.
i.e.

  1,2) Access-Request for initial session (user + password)
       Access-Accept contains State

  3) For each service:
       Access-Request + User-Name + State + Authorize-Only + ...
  ...

The State attribute ties the later Access-Requests to the first one.
The RADIUS server can authorize individual services, based on their
connection with the initial Access-Request.
IIRC, this is already being done for WiMAX, for authorizing individual
TCP connections.
Alan DeKok.
--
archive: <http://psg.com/lists/radiusext/>
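
The flow sketched in the message above, as an added example that is not part of the original post: a server-side model in which the State issued with the first Access-Accept is the only thing that lets a later Authorize-Only request be authorized. It works on attribute dictionaries rather than wire packets; the `X-Service` attribute, the user table, the policy table and the session lifetime are assumptions made for illustration.

```python
import secrets
import time

AUTHORIZE_ONLY = 17   # Service-Type value "Authorize Only" (RFC 5176)
SESSION_TTL = 3600    # assumed lifetime of an issued State, in seconds

# Constructed sample data: hypothetical user and per-user service policy.
USERS = {"alice": "correct horse"}
POLICY = {"alice": {"shell", "sftp"}}

ACCEPT = {"Code": "Access-Accept"}
REJECT = {"Code": "Access-Reject"}


class Server:
    def __init__(self):
        self.sessions = {}  # State value -> (user, expiry time)

    def handle(self, req, now=None):
        now = time.time() if now is None else now
        if req.get("Service-Type") == AUTHORIZE_ONLY:
            return self._authorize(req, now)
        return self._authenticate(req, now)

    def _authenticate(self, req, now):
        # Steps 1,2: check the password, then issue an unguessable State.
        user, pw = req.get("User-Name"), req.get("User-Password")
        expected = USERS.get(user)
        if expected is None or pw is None:
            return dict(REJECT)
        if not secrets.compare_digest(pw.encode(), expected.encode()):
            return dict(REJECT)
        state = secrets.token_bytes(16)
        self.sessions[state] = (user, now + SESSION_TTL)
        return dict(ACCEPT, State=state)

    def _authorize(self, req, now):
        # Step 3: no password here, so State must map to a live session
        # and the User-Name must match the one that was authenticated.
        entry = self.sessions.get(req.get("State"))
        if entry is None:
            return dict(REJECT)
        user, expiry = entry
        if now > expiry:
            del self.sessions[req["State"]]
            return dict(REJECT)
        if req.get("User-Name") != user:
            return dict(REJECT)
        # "X-Service" is a hypothetical attribute naming the service.
        if req.get("X-Service") not in POLICY.get(user, ()):
            return dict(REJECT)
        return dict(ACCEPT)
```

Because an Authorize-Only request carries no credentials, the checks in `_authorize` (known State, not expired, same User-Name) are what stop a request with a guessed or replayed State from being authorized.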