Re: Review of draft-ietf-geopriv-radius-lo-04.txt

["Alan DeKok" <aland@ox.org>]

Bernard Aboba <aboba@internaut.com> wrote:
> If the RADIUS authentication mechanism doesn't already utilize an 
> Access-Challenge, this will not work. 

  On the other hand, if the NAS is updated to include location
information, it may be acceptable to add additional requirements such
as this.

  For simple password-style authentication methods such as PAP or
CHAP, adding another step would be relatively easy.  For methods
already involving Access-Challenge, your previous suggestion would
apply.

> But we can't impose that requirement retroactively. 

  I agree.

  However, RADIUS proxies already pass Access-Challenge packets back
and forth for protocols they don't understand.  (e.g. EAP).  So it
would seem that this proposal may work for non-location-aware proxies.

  For non-location-aware NASes, the RFC's already require
implementations to treat unexpected Access-Challenges as
Access-Rejects, so this idea would appear to be fail-safe there, too.

  Alan DeKok.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>