
Re: [RADIUS FIXES] Authorize Only



>   I agree.
>
>   Before I offer suggestions, I have a question.  How do you tie the
> VOIP call into the existing session?  How do you deal with security
> issues such as spoofing, etc?  How does the RADIUS server associate
> the two requests?
>
>   The answers to those questions will influence any suggestion I might
> have for a solution.

Yes, I think these questions are the important ones.  RFC 2865 and
subsequent RADIUS RFCs have required authentication of every RADIUS
session.  My understanding is that "Authorize Only" was discussed in
the original RADIUS WG, but the decision was made to prohibit it.

The prohibition was loosened in RFC 3576 because in dynamic authorization
authentication had already occurred.  An "Authorize Only" Access-Request
can only occur as the result of a Disconnect or CoA-Request relating to a
session that had previously been authenticated.  Although RFC 3576 does
not say so, it would be wise for a RADIUS server receiving an "Authorize
Only" request to check whether the request was legitimate before answering
-- such a request cannot, for example, be for a user that had not
previously established a session, or be for an established user on a
different NAS than the one which received the Disconnect or CoA-Request.


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
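The server-side check the message above argues for, worked through as an added example (this code is not from the original message, from the RADIUS RFCs, or from any RADIUS implementation). The server remembers the State it put into each CoA-Request and which NAS it sent it to; when an Access-Request with Service-Type = Authorize Only comes back, it first verifies the Message-Authenticator (HMAC-MD5 over the packet with the attribute zeroed, RFC 2869) since there is no User-Password to bind the request to the shared secret, then refuses the request unless the State is outstanding, the datagram came from the same NAS the CoA-Request went to, and the session is still established. The Service-Type value 17 is the Authorize Only code registered by RFC 3576; the session and pending-CoA tables, the `AuthorizeOnlyValidator` class, the shared secret, the addresses and the requirement that an echoed Acct-Session-Id match the CoA target are all assumptions of this example, not anything the RFC specifies.

```python
# Added example: validating an RFC 3576 "Authorize Only" Access-Request.
# Not from the original mailing-list message or any RADIUS implementation.
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

ACCESS_REQUEST = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_SERVICE_TYPE = 6
ATTR_STATE = 24
ATTR_ACCT_SESSION_ID = 44
ATTR_MESSAGE_AUTHENTICATOR = 80     # RFC 2869
SERVICE_TYPE_AUTHORIZE_ONLY = 17    # RFC 3576


def encode_attrs(attrs):
    """RADIUS TLVs: 1-byte type, 1-byte length (incl. header), value."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs


def build_access_request(secret, ident, authenticator, attrs):
    """NAS side: Access-Request with a correct Message-Authenticator appended last."""
    body = encode_attrs(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()   # computed over the zeroed placeholder
    return pkt[:-16] + mac


def verify_message_authenticator(secret, pkt):
    """HMAC-MD5 over the packet with the Message-Authenticator value zeroed (RFC 2869)."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    i = 20
    while i + 2 <= len(pkt):
        t, l = pkt[i], pkt[i + 1]
        if l < 2 or i + l > len(pkt):
            return False
        if t == ATTR_MESSAGE_AUTHENTICATOR and l == 18:
            zeroed = pkt[:i + 2] + bytes(16) + pkt[i + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[i + 2:i + 18])
        i += l
    return False   # absent: an Authorize Only request without it is not acceptable


@dataclass
class Session:
    nas_ip: str
    user: str
    active: bool = True


class AuthorizeOnlyValidator:
    """Hypothetical server-side state: established sessions and outstanding CoA-Requests."""

    def __init__(self, secret):
        self.secret = secret
        self.sessions = {}      # Acct-Session-Id -> Session
        self.pending_coa = {}   # State value -> (nas_ip the CoA went to, Acct-Session-Id)

    def issue_coa(self, nas_ip, session_id):
        """Record the State the server placed in a CoA-Request (Service-Type = Authorize Only)."""
        state = os.urandom(16)
        self.pending_coa[state] = (nas_ip, session_id)
        return state

    def check_access_request(self, src_ip, pkt):
        if not verify_message_authenticator(self.secret, pkt):
            return "reject: bad or missing Message-Authenticator"
        attrs = dict(decode_attrs(pkt[20:]))
        if attrs.get(ATTR_SERVICE_TYPE) != struct.pack("!I", SERVICE_TYPE_AUTHORIZE_ONLY):
            return "not authorize-only"
        state = attrs.get(ATTR_STATE)
        if state is None or state not in self.pending_coa:
            return "reject: no outstanding CoA-Request for this State"
        nas_ip, session_id = self.pending_coa[state]
        if src_ip != nas_ip:
            return "reject: request came from a different NAS than the CoA-Request target"
        sess = self.sessions.get(session_id)
        if sess is None or not sess.active:
            return "reject: no established session behind this request"
        echoed = attrs.get(ATTR_ACCT_SESSION_ID)   # assumption: if echoed, it must match
        if echoed is not None and echoed.decode() != session_id:
            return "reject: Acct-Session-Id does not match the CoA-Request target"
        del self.pending_coa[state]   # one-shot: the same State cannot be replayed
        return "accept"


def demo():
    """Constructed scenario: one legitimate NAS at 192.0.2.10, one spoofing source."""
    secret = b"example-shared-secret"   # constructed
    v = AuthorizeOnlyValidator(secret)
    v.sessions["sess-0001"] = Session(nas_ip="192.0.2.10", user="alice")
    state = v.issue_coa("192.0.2.10", "sess-0001")

    def nas_request(state_val, session_id):
        return build_access_request(secret, 7, os.urandom(16), [
            (ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),
            (ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_AUTHORIZE_ONLY)),
            (ATTR_STATE, state_val),
            (ATTR_ACCT_SESSION_ID, session_id.encode()),
        ])

    good = nas_request(state, "sess-0001")
    tampered = good[:-1] + bytes([good[-1] ^ 0x01])   # flip one bit of the MAC
    results = {
        "other_nas": v.check_access_request("198.51.100.7", good),
        "unknown_state": v.check_access_request("192.0.2.10", nas_request(os.urandom(16), "sess-0001")),
        "tampered": v.check_access_request("192.0.2.10", tampered),
    }
    results["legit"] = v.check_access_request("192.0.2.10", good)
    results["replay"] = v.check_access_request("192.0.2.10", good)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14s} {outcome}")
```

The order of checks matters: the Message-Authenticator is verified before any table lookup, so an unauthenticated packet cannot probe which State values are outstanding, and the State entry is deleted on acceptance so a captured Access-Request cannot be replayed for the same session.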