
Re: Capabilities (was Re: AW: Review of draft-ietf-geopriv-radius-lo-04.txt )



"Avi Lior" <avi@bridgewatersystems.com> wrote:
>  Hi Alan,
> 
> See inline....
...

  I concur with David's assessment.

  If the NAS SHOULD provide capabilities, then authentication can still
succeed if the capabilities are not provided.  If the NAS MUST provide
capabilities, then authentication MUST fail if the capabilities are not
provided.

  The problem comes in when the RADIUS server wishes to handle the
session differently, depending on the NAS capabilities.  If the RADIUS
server challenges the NAS, the session MAY be dropped, even though the
RADIUS server MAY be prepared to provide a lesser level of service.

  In that case, the NAS MUST always advertise its new capabilities.
The presence of the advertisement tells the RADIUS server that full
capability negotiation is possible.  The absence of the advertisement
tells the RADIUS server that no capability negotiation is possible.

  One serious issue I had with the capabilities draft was that it
discussed the above situation, but didn't require the NAS to always
advertise its capabilities.  I can't see how, then, the capability
negotiation could proceed.

  Is the above design sufficient for your needs?

  Alan DeKok.
