
radius-digest-auth: Issue 11



Hi Jari,

on http://www.drizzle.com/~aboba/RADEXT/, issue 11 is still marked
as 'open'. Most of this has been addressed in
http://www.ietf.org/internet-drafts/draft-ietf-radext-digest-auth-00.txt.
One remaining thing is your concern about the interoperation of RADIUS
clients and servers that may or may not support nonce generation.

Here's a proposal:
"If the RADIUS server generates nonces, its RADIUS clients MUST NOT
try to generate nonces.  If the RADIUS server does not generate
nonces, its RADIUS clients MUST generate nonces locally.
If at least one HTTP-style client requires AKA authentication
[RFC3310], the RADIUS server MUST generate nonces and its RADIUS
clients MUST NOT generate nonces locally."

However, if a RADIUS client accidentally chooses a nonce:

"If the RADIUS server does not accept the nonce received in an
Access-Request message but authentication was successful, the RADIUS
server MUST send an Access-Challenge message containing a
Digest-Stale attribute set to 'true' (without quotes).  The RADIUS
server MUST add Digest-Nonce, Digest-Algorithm, Digest-Realm, SHOULD
add one or more Digest-Qop and MAY add Digest-Domain, Digest-Opaque
attributes to the Access-Challenge message."

and the RADIUS client will deal with it:
"  If the RADIUS client receives an Access-Challenge message in response
   to an Access-Request containing a Digest-Nonce attribute, the RADIUS
   server did not accept the nonce.  If a Digest-Stale attribute is
   present in the Access-Challenge and has a value of 'true' (without
   quotes), the RADIUS client sends an error (401 or 407) response
   containing WWW-/Proxy-Authenticate header with the directive 'stale'
   and the digest directives derived from the Digest-* attributes."

If neither the RADIUS client nor the RADIUS server supports nonce generation:
"  If the RADIUS server receives an Access-Request message with a
   Digest-Method and a Digest-URI attribute but without a Digest-Nonce
   attribute, it chooses a nonce.  [..] If the server cannot choose a
   nonce, it replies with an Access-Reject message."

To summarize, we don't want to mix modes but if you do, the behaviour
is predictable. If your RADIUS server supports nonce generation, you
are on the safe side.

Is this sufficient to close the issue?

Wolfgang

--
T-Systems
Internet Platforms
+49 6151 937 2863
Am Kavalleriesand 3
64295 Darmstadt
Germany 
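The rules quoted in the message above, modelled as an added example that is not part of the post or the draft: a RADIUS server that either does or does not generate nonces, and the mapping of its reply to the HTTP-style challenge the RADIUS client must emit. Attribute names follow the draft; the class and function names, the in-memory nonce store, the MD5/auth defaults and the sample values are assumptions.

```python
import secrets


class DigestRadiusServer:
    """Server side of the quoted rules; one realm, issued nonces kept in memory."""

    def __init__(self, generates_nonces, realm="example.com"):
        self.generates_nonces = generates_nonces
        self.realm = realm
        self.issued = set()  # nonces this server chose and still accepts

    def _challenge(self, extra=None):
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        attrs = {"Digest-Nonce": nonce, "Digest-Realm": self.realm,
                 "Digest-Algorithm": "MD5", "Digest-Qop": "auth"}  # assumed defaults
        attrs.update(extra or {})
        return ("Access-Challenge", attrs)

    def handle(self, request, credentials_ok):
        """Return (code, attributes) for an Access-Request given as a dict."""
        nonce = request.get("Digest-Nonce")
        if nonce is None:
            # Digest-Method/Digest-URI but no Digest-Nonce: choose one or reject.
            if not self.generates_nonces:
                return ("Access-Reject", {})
            return self._challenge()
        if not credentials_ok:
            return ("Access-Reject", {})
        if self.generates_nonces and nonce not in self.issued:
            # Authentication succeeded but the nonce was not one we chose:
            # answer with Digest-Stale='true' and a fresh server nonce.
            return self._challenge({"Digest-Stale": "true"})
        # Server does not generate nonces (client chose it locally), or the
        # nonce is one we issued: accept.
        return ("Access-Accept", {})


def challenge_directives(request, code, attrs, proxy=False):
    """For an Access-Challenge, the status code and the WWW-/Proxy-Authenticate
    directives the RADIUS client sends back; None for any other reply code."""
    if code != "Access-Challenge":
        return None
    directives = {k[len("Digest-"):].lower(): v for k, v in attrs.items()
                  if k.startswith("Digest-") and k != "Digest-Stale"}
    # 'stale' is only set when the server rejected a nonce the client sent.
    if "Digest-Nonce" in request and attrs.get("Digest-Stale") == "true":
        directives["stale"] = "true"
    return (407 if proxy else 401, directives)
```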

archive: <http://psg.com/lists/radiusext/>