Issue 133: State Attribute MUST be included in "Authorize-Only" Requests
Submitter name: Bernard Aboba
Submitter email address: aboba@internaut.com
Date first submitted: September 12, 2005
Reference: http://ops.ietf.org/lists/radiusext/2005/msg00842.html
Document: RFC3576bis
Comment type: T
Priority: S
Section: Various
Rationale/Explanation of issue:
RFC 2865 Section 4.1 says:
"An Access-Request MUST contain either a User-Password or a
CHAP-Password or a State."
This statement is subsequently updated in other RADIUS RFCs
to also include additional authentication attributes
(e.g. EAP-Message or Digest attributes). However, the statement
remains: an Access-Request without authentication attributes
MUST include a State attribute.
Since an Access-Request with Service-Type "Authorization-Only"
does not include authentication attributes, under RFC 2865, this
message is illegal unless a State attribute is included.
RFC 3576 indicates that 0-1 State attributes may be included
in CoA or Disconnect Request, ACK or NAK messages, and
RFC 3576 Section 3.2, Note 7 describes the use of the State
attribute:
[Note 7] The State Attribute is available to be sent by the RADIUS
server to the NAS in a Disconnect-Request or CoA-Request message and
MUST be sent unmodified from the NAS to the RADIUS server in a
subsequent ACK or NAK message. If a Service-Type Attribute with
value "Authorize Only" is included in a Disconnect-Request or CoA-
Request along with a State Attribute, then the State Attribute MUST
be sent unmodified from the NAS to the RADIUS server in the resulting
Access-Request sent to the RADIUS server, if any. The State
Attribute is also available to be sent by the RADIUS server to the
NAS in a CoA-Request that also includes a Termination-Action
Attribute with the value of RADIUS-Request. If the client performs
the Termination-Action by sending a new Access-Request upon
termination of the current session, it MUST include the State
Attribute unchanged in that Access-Request. In either usage, the
client MUST NOT interpret the Attribute locally. A Disconnect-
Request or CoA-Request packet must have only zero or one State
Attribute. Usage of the State Attribute is implementation dependent.
If the RADIUS server does not recognize the State Attribute in the
Access-Request, then it MUST send an Access-Reject.
However, RFC 3576 does not state that a State
attribute is REQUIRED in a Disconnect or CoA-Request
with Service-Type = "Authorize Only", nor does it state that an
Access-Request with Service-Type = "Authorize Only"
MUST include a State attribute.
archive: <http://psg.com/lists/radiusext/>
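The two rules the issue turns on (RFC 2865 Section 4.1: an Access-Request without an authentication attribute must carry a State; RFC 3576 Note 7: a State sent in an Authorize-Only CoA-Request or Disconnect-Request must come back unmodified in the resulting Access-Request) can be checked mechanically on the wire. The following is an added example, not code from the message above or from any RADIUS implementation. It uses the standard RADIUS packet layout (Code, Identifier, Length, 16-byte Authenticator, then type/length/value attributes), the attribute numbers from RFC 2865, RFC 3579 and RFC 4590, and Service-Type value 17 for "Authorize Only" from RFC 3576 Section 3.3. The packets it builds are constructed test data; the Authenticator is left as zeros because these checks do not validate it.

```python
import struct

# RADIUS packet codes (RFC 2865 / RFC 3576)
ACCESS_REQUEST = 1
DISCONNECT_REQUEST = 40
COA_REQUEST = 43

# Attribute types
USER_PASSWORD = 2
CHAP_PASSWORD = 3
SERVICE_TYPE = 6
STATE = 24
EAP_MESSAGE = 79        # RFC 3579
DIGEST_RESPONSE = 103   # RFC 4590

SERVICE_TYPE_AUTHORIZE_ONLY = 17  # RFC 3576 Section 3.3

# Attributes that RFC 2865 4.1, as updated by the EAP and Digest RFCs, accepts in place of a State
AUTH_ATTRS = {USER_PASSWORD, CHAP_PASSWORD, EAP_MESSAGE, DIGEST_RESPONSE}


def service_type(value):
    """Encode a Service-Type value as the 4-byte integer the attribute carries."""
    return struct.pack("!I", value)


def build_packet(code, identifier, attrs, authenticator=bytes(16)):
    """Serialise a RADIUS packet from a list of (type, value) attributes.
    Authenticator is zero here because these checks do not verify it (constructed test data)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def parse_packet(data):
    """Parse a RADIUS packet into (code, identifier, authenticator, [(type, value), ...]).
    Truncated packets and malformed attribute lengths raise instead of reading past the buffer."""
    if len(data) < 20:
        raise ValueError("packet shorter than the 20-byte header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("trailing bytes too short for an attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length for type %d" % atype)
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return code, identifier, data[4:20], attrs


def values(attrs, atype):
    return [v for t, v in attrs if t == atype]


def is_authorize_only(attrs):
    return any(len(v) == 4 and struct.unpack("!I", v)[0] == SERVICE_TYPE_AUTHORIZE_ONLY
               for v in values(attrs, SERVICE_TYPE))


def check_access_request(attrs):
    """RFC 2865 4.1: an Access-Request must carry an authentication attribute or a State.
    Returns a list of violations; an empty list means the packet passes."""
    problems = []
    states = values(attrs, STATE)
    if len(states) > 1:
        problems.append("Access-Request carries %d State attributes, at most one allowed" % len(states))
    present = {t for t, _ in attrs}
    if not (present & AUTH_ATTRS) and not states:
        problems.append("Access-Request has no authentication attribute and no State")
    return problems


def check_authorize_only_exchange(request_bytes, access_request_bytes):
    """Apply RFC 3576 Note 7 to a CoA/Disconnect-Request and the Access-Request it triggered,
    together with the RFC 2865 rule that makes a State-less Authorize-Only Access-Request illegal."""
    problems = []
    code, _, _, req_attrs = parse_packet(request_bytes)
    if code not in (COA_REQUEST, DISCONNECT_REQUEST):
        return ["first packet is not a CoA-Request or Disconnect-Request"]
    req_states = values(req_attrs, STATE)
    if len(req_states) > 1:
        problems.append("CoA/Disconnect-Request carries more than one State attribute")
    acode, _, _, acc_attrs = parse_packet(access_request_bytes)
    if acode != ACCESS_REQUEST:
        return problems + ["second packet is not an Access-Request"]
    problems += check_access_request(acc_attrs)
    if is_authorize_only(req_attrs) and req_states:
        acc_states = values(acc_attrs, STATE)
        if not acc_states:
            problems.append("Authorize-Only Access-Request dropped the State sent in the CoA/Disconnect-Request")
        elif acc_states[0] != req_states[0]:
            problems.append("State in Access-Request differs from the one sent in the CoA/Disconnect-Request")
    return problems
```

Run against a constructed exchange, a CoA-Request carrying Service-Type 17 plus a State and the NAS's follow-up Access-Request, the checker returns no problems when the State is echoed byte-for-byte, and flags both the RFC 2865 violation and the dropped State when the NAS omits it, which is exactly the gap the issue asks RFC3576bis to close by making the State mandatory.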