[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

When to Access-Reject vs. Silently Discard

To: "'radiusext@ops.ietf.org'" <radiusext@ops.ietf.org>
Subject: When to Access-Reject vs. Silently Discard
From: Avi Lior <avi@bridgewatersystems.com>
Date: Wed, 6 Apr 2005 12:29:57 -0400

Title: Message

Hi,

In the RADIUS Digest thread (Issue 79) when the Server detects that the NAS is trying to authenticate a realm for which it is not authorized we need to "reject" the authentication. This can be done by either Access-Reject or Silently Discarding the packet. SO the question is which one is correct?

Its not clear: for example if Message-Authenticator(80) does not validate (as per 3579) we silently discard. When we detect a lying NAS again as per 3579 we generate an Access-Reject: "Where a match is not found, an Access-Reject SHOULD be
sent, and an error SHOULD be logged."

So is there are rule that can express the correct thing to do?

------------------------------------------------

Avi Lior
Bridgewater Systems Corporation
Phone : (613) 591-9104 x6417

Cell : (613) 297-2177
E-mail : mailto:avi@bridgewatersystems.com

www.bridgewatersystems.com

Follow-Ups:
- Re: When to Access-Reject vs. Silently Discard
  - From: "Alan DeKok" <aland@ox.org>

Prev by Date: Re: AW: AW: Issue 79; digest-auth realm validation
Next by Date: Re: When to Access-Reject vs. Silently Discard
Previous by thread: AW: AW: Issue 79; digest-auth realm validation
Next by thread: Re: When to Access-Reject vs. Silently Discard
Index(es):
- Date
- Thread