Re: Comments on draft-carroll-dynmobileip-cdma-04.txt

["Alan DeKok" <aland@ox.org>]

Avi Lior <avi@bridgewatersystems.com> wrote:
> In repsonse to an Access-Request for access to the network, Access-Reject
> repsonse states to the NAS not to give the Session access to the network (or
> however you want to word it).

  I agree.  Issue 68 addresses this use of Access-Reject.

> What the NAS does to the connection between it an the user's device is out
> of scope to RADIUS.  If the NAS wants to maintain the L2 connection to the
> device it can.  

  I agree.  I've submitted an additional issue for Access-Reject
semantics (I presume it will show up after IETF).  I will be adding
additional text to it, based on your recent comments about RFC 3576
and EAP-Message, etc. in Access-Reject.  These issues need to be
clarified.

  In the context of this draft, I believe that the point of contention
here is that the Access-Reject is in the *middle* of the
authentication session.  The authentication is expected to continue
after the Access-Reject, with another Access-Request containing
information based on the Access-Reject.  This is the semantics that
Access-Challenge was designed for.

  Alan DeKok.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>