[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: L2 NAS-Filter-Rule syntax choices

To: "Bernard Aboba" <aboba@internaut.com>
Subject: RE: L2 NAS-Filter-Rule syntax choices
From: "Congdon, Paul T (ProCurve)" <paul.congdon@hp.com>
Date: Wed, 27 Apr 2005 11:31:32 -0700
Cc: <radiusext@ops.ietf.org>

There are two strategies for this:

1. We anticipate working with whatever general capabilities
advertisement mechanism is defined for Radius.  I think this particular
application points out the need for some level of granularity around
what is advertised.

2. We are also specifying that for NAS devices that understand the
attribute, but are not capable of supporting it are, by default, to
treat the Access-Accept as an Access-Reject.  We are also recommending
that this default action and behavior be something NAS devices can
configure differently if so desired.


It is fairly common these days to have some simple levels of L2
filtering as well as L3 filtering in switches and access points.

Paul 

> -----Original Message-----
> From: Bernard Aboba [mailto:aboba@internaut.com] 
> Sent: Wednesday, April 27, 2005 7:47 AM
> To: Congdon, Paul T (ProCurve)
> Cc: radiusext@ops.ietf.org
> Subject: Re: L2 NAS-Filter-Rule syntax choices
> 
> > The belief is the current proposal covers all bases and is still 
> > usable, but perhaps specifies more than many NAS devices could 
> > actually implement or are interested in supporting.
> 
> Question: how do you know whether a particular NAS device 
> supports all of the syntax covered in the NAS-Filter-Rule?  
> For example, a layer 2 switch might only support layer 2 
> filters, or a NAS might only support layer 3 filters.  A 
> unified syntax makes sense, but allowing layer 2 and layer 3 
> filters to be included in one attribute implies that devices 
> have to implement both layer 2 and layer 3 filters.  If a 
> device only supports part of the syntax, there is no easy way 
> for it to advertise that.
> 
> Or is support for both layer 2 and layer 3 filtering common 
> enough at this point that we don't need to worry about this?
> 

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

Prev by Date: Re: L2 NAS-Filter-Rule syntax choices
Next by Date: RE: [eap] RE: [Isms] RADIUS is not a trusted third party
Previous by thread: Re: L2 NAS-Filter-Rule syntax choices
Next by thread: RE: [Issue 297] Review of Identity Selection -12
Index(es):
- Date
- Thread