[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Issue 79; digest-auth realm validation
Here's a complete text proposal:
The RADIUS server MUST check if the user identified by the User-Name
attribute
o is authorized to access the protection space defined by the
Digest-URI and Digest-Realm attributes,
o is authorized to use the URI included in the SIP-AOR attribute, if
this attribute is present.
If any of those checks fails, the RADIUS server MUST send an
Access-Reject.
Correlation between User-Name and SIP-AOR AVP values is required just
to avoid that any user can register or misuse a SIP-AOR allocated to
another user.
A RADIUS server MUST check if the RADIUS client is authorized to
serve users of the realm mentioned in the Digest-Realm attribute. If
the RADIUS client is not authorized, the RADIUS server sends an
Access-Reject. The RADIUS server considers this client as
compromised. It notifies the operator and rejects all future
requests from this client, until some management action tells it to
do so again.
Please send me a note if you have objections/additions about this text so
we can close the issue.
Wolfgang
--
T-Systems
Next Generation IP Services and Systems
+49 6151 937 2863
Am Kavalleriesand 3
64295 Darmstadt
Germany
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>