RE: [RADIUS FIXES] Authorize Only
Alan,
I am not seeking a vendor specific solution. So vendor specific value
for Service Type is not a starter.
I am not seeking a change to 3576 either. So how about the following:
Authorize-Only: complete reauthorization of the session as defined by
3576.
How about these two values:
Service-Reauthorization: a reauthorization of a service associated with
the session.
Service-Authorization: an initial authorization of a service associated
with the session.
I would be very happy with this and in one case where we use
Authorize-Only we could make the change to Service-Reauthorization.
(If we could only have one of the above the Service-Authorization would
work for me).
> -----Original Message-----
> From: aland@nitros9.org [mailto:aland@nitros9.org] On Behalf
> Of Alan DeKok
> Sent: Tuesday, July 26, 2005 12:54 PM
> To: Avi Lior
> Cc: Bernard Aboba; Nelson, David; radiusext@ops.ietf.org
> Subject: Re: [RADIUS FIXES] Authorize Only
>
>
> "Avi Lior" <avi@bridgewatersystems.com> wrote:
> > I don't understand why you would say it's a vendor-specific
> > value of Service-Type.
>
> See:
>
> http://www.freeradius.org/cgi-bin/cvsweb.cgi/radiusd/share/dictionary.bay?rev=1.5&content-type=text/x-cvsweb-markup
>
> Look for "Service-Type". Vendor-specific values are of the
> form ((vendor-id << 16) | num). One of the RFCs refers to
> this practice, but I can't recall which right now.
>
> > Thanx for the support. I don't agree that the use of
> > Authorize-Only should be discouraged though. It has tremendous use for
> > allowing the NAS and Server to manage an already established session
> > without the need for re-authentication.
>
> I agree. My only point of discussion is what should the
> name be, and should we re-use an existing value.
>
> > I would prefer that RADIUS issues and fixes provide
> > guidelines on how to use Authorize-Only.
>
> I agree.
>
> > I would have rather had the following Service-Type:
> >
> > Re-Authorize: this is what 3576 should be using. It completely
> > re-triggers the re-authorization of the session.
>
> That's reasonable, but I don't think you're proposing to
> change RFC 3576.
>
> > Authorize-Only: is used the way I describe. We do not completely
> > reauthorize the session but rather the context of what is being
> > reauthorized is determined from the contents of the packet. It still
> > must be bound to an Authenticated Session or entity. The binding being
> > the same or similar to 3576.
>
> Then I have few problems with re-using the name.
>
> > Note: if someone can propose a new Service-Type value to achieve the
> > same then I would be for that. Although I believe there is already a
> > specification for Authorize-Only outside the IETF.
>
> All the more reason to use vendor-specific values, so
> vendor-specific practices don't re-use existing definitions.
>
> Alan DeKok.
>
archive: <http://psg.com/lists/radiusext/>
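As an added illustration of the encoding Alan describes (not code from this thread, FreeRADIUS, or any vendor), the following shows how a vendor-specific Service-Type value of the form ((vendor-id << 16) | num) is built and decoded, and why it cannot be confused with the standard RFC 3576 Authorize-Only value. The vendor ID 1584 (Bay Networks/Annex) and the vendor value number 1 are assumptions chosen for the example; the standard value 17 for Authorize-Only comes from RFC 3576.

```python
# Added example: RADIUS Service-Type values under the FreeRADIUS
# vendor-specific convention ((vendor-id << 16) | num).
# Standard values come from IANA; 17 = Authorize-Only is RFC 3576.
STANDARD_SERVICE_TYPES = {
    1: "Login-User",
    2: "Framed-User",
    6: "Administrative-User",
    17: "Authorize-Only",  # RFC 3576 full reauthorization of the session
}

VENDOR_BAY = 1584  # assumed vendor (enterprise) ID used for this example


def vendor_service_type(vendor_id: int, num: int) -> int:
    """Build a vendor-specific Service-Type value: (vendor-id << 16) | num.

    Caveat: this convention only works for vendor IDs and value numbers
    that fit in 16 bits, since Service-Type itself is a 32-bit integer.
    """
    if not 0 < vendor_id < (1 << 16) or not 0 < num < (1 << 16):
        raise ValueError("vendor_id and num must be non-zero 16-bit values")
    return (vendor_id << 16) | num


def decode_service_type(value: int) -> tuple:
    """Split a 32-bit Service-Type into ('standard'|'vendor', vendor_id, num).

    A zero high half means an IANA-assigned value; a non-zero high half is
    the vendor ID under the convention above.
    """
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("Service-Type is a 32-bit unsigned integer")
    vendor_id, num = value >> 16, value & 0xFFFF
    return ("standard" if vendor_id == 0 else "vendor", vendor_id, num)


def service_type_name(value: int) -> str:
    """Map a Service-Type value to a human-readable name for logging."""
    kind, vendor_id, num = decode_service_type(value)
    if kind == "standard":
        return STANDARD_SERVICE_TYPES.get(num, f"Unknown-{num}")
    return f"Vendor-{vendor_id}-Service-{num}"


def requests_full_reauthorization(value: int) -> bool:
    """True only for the standard RFC 3576 Authorize-Only value (17).

    A vendor-specific value never aliases it, which is the point of keeping
    vendor practices out of the standard Service-Type number space.
    """
    return decode_service_type(value) == ("standard", 0, 17)
```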