
Re: When to Access-Reject vs. Silently Discard



"Glen Zorn (gwz)" <gwz@cisco.com> wrote:
> > We "know" it's the right NAS, because it has the right source IP
> > and shared secret, which is the only way to identify any NAS.
>
> But it's not a _user_ authentication or authorization problem,
> either; it's neither fish nor fowl.

  From the point of view of the RADIUS server, it's just more
information in the packet.  It doesn't know about "users", and doesn't
need to.  e.g. MAC address authentication.

  If the RADIUS server doesn't like something in the packet it gets
from a trusted NAS, it sends an Access-Reject.  I'm not sure how the
issue of "NAS authorized for realms" is any different than any other
case.

  Alan DeKok.

archive: <http://psg.com/lists/radiusext/>
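
The distinction discussed in this thread, as an added example that is not part of the original message or of any RADIUS server's code: a datagram whose source IP or shared secret does not check out is silently discarded, while a request from an identified NAS that fails policy (here, a realm the NAS is not authorized for) gets an Access-Reject. The client table, secret, helper names, and the policy of requiring Message-Authenticator are assumptions made for the sketch.

```python
import hashlib, hmac, struct

# Constructed sample config: NAS source IP -> (shared secret, realms it may send)
CLIENTS = {"192.0.2.10": (b"testing123", {"example.com"})}
ACCESS_REQUEST, USER_NAME, MSG_AUTH = 1, 1, 80

def build_request(secret, user):
    """Build a constructed Access-Request with User-Name and Message-Authenticator."""
    name = user.encode()
    attrs = bytes([USER_NAME, 2 + len(name)]) + name + bytes([MSG_AUTH, 18]) + bytes(16)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, 7, 20 + len(attrs)) + bytes(16) + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()  # computed with the field zeroed
    return pkt[:-16] + mac

def parse_attrs(pkt):
    """Return ({type: value}, offset of the Message-Authenticator value or None)."""
    attrs, ma_off, i = {}, None, 20
    while i < len(pkt):
        if i + 2 > len(pkt) or pkt[i + 1] < 2 or i + pkt[i + 1] > len(pkt):
            raise ValueError("malformed attribute")
        attrs[pkt[i]] = pkt[i + 2:i + pkt[i + 1]]
        if pkt[i] == MSG_AUTH:
            ma_off = i + 2
        i += pkt[i + 1]
    return attrs, ma_off

def decide(src_ip, pkt):
    """Return 'discard', 'reject' or 'continue' for one received datagram."""
    client = CLIENTS.get(src_ip)
    if client is None or len(pkt) < 20 or pkt[0] != ACCESS_REQUEST:
        return "discard"                      # unknown source or not an Access-Request
    secret, realms = client
    length = struct.unpack("!H", pkt[2:4])[0]
    if not 20 <= length <= len(pkt):
        return "discard"
    pkt = pkt[:length]
    try:
        attrs, ma_off = parse_attrs(pkt)
    except ValueError:
        return "discard"
    if ma_off is None or len(attrs[MSG_AUTH]) != 16:
        return "discard"                      # assumption: Message-Authenticator required
    zeroed = pkt[:ma_off] + bytes(16) + pkt[ma_off + 16:]
    if not hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), attrs[MSG_AUTH]):
        return "discard"                      # wrong secret: not a NAS we can identify
    # Source IP and secret both check out, so the NAS is trusted; anything the
    # server dislikes from here on is answered with a reject, not dropped.
    user = attrs.get(USER_NAME, b"").decode("utf-8", "replace")
    realm = user.rpartition("@")[2] if "@" in user else ""
    return "continue" if realm in realms else "reject"
```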