RE: Issue 133: State Attribute MUST be included in "Authorize-Only" Requests
Hi Bernard,
I might be missing something. A NAS would only have a State attribute to
send in an Access-Request Authorize-Only if it received the State
attribute in the COA or DM.
[Note 1] in section 5.44 Table of Attributes in 2865 may also be wrong
since a NAS can only include the State attribute in an Access-Request if
it received one in the Challenge that it is replying to.
So shouldn't it be that:
The NAS MUST include the State attribute in a DM ACK, DM NAK, COA ACK,
COA NAK and Access-Request Authorize-Only message if it received the
State attribute in the COA or DM message.
> -----Original Message-----
> From: owner-radiusext@ops.ietf.org
> [mailto:owner-radiusext@ops.ietf.org] On Behalf Of Bernard Aboba
> Sent: Monday, September 12, 2005 11:10 PM
> To: radiusext@ops.ietf.org
> Subject: Issue 133: State Attribute MUST be included in
> "Authorize-Only" Requests
>
> Issue 133: State Attribute MUST be included in "Authorize-Only" Requests
> Submitter name: Bernard Aboba
> Submitter email address: aboba@internaut.com
> Date first submitted: September 12, 2005
> Reference: http://ops.ietf.org/lists/radiusext/2005/msg00842.html
> Document: RFC3576bis
> Comment type: T
> Priority: S
> Section: Various
> Rationale/Explanation of issue:
>
> RFC 2865 Section 4.1 says:
>
> "An Access-Request MUST contain either a User-Password or a
> CHAP-Password or a State."
>
> This statement is subsequently updated in other RADIUS RFCs
> to also include additional authentication attributes (e.g.
> EAP-Message or Digest attributes). However, the statement
> remains: an Access-Request without authentication attributes
> MUST include a State attribute.
>
> Since an Access-Request with Service-Type "Authorization-Only"
> does not include authentication attributes, under RFC 2865,
> this message is illegal unless a State attribute is included.
>
> RFC 3576 indicates that 0-1 State attributes may be included
> in CoA or Disconnect Request, ACK or NAK messages, and RFC
> 3576 Section 3.2, Note 7 describes the use of the State
> attribute:
>
> [Note 7] The State Attribute is available to be sent by the RADIUS
> server to the NAS in a Disconnect-Request or CoA-Request message and
> MUST be sent unmodified from the NAS to the RADIUS server in a
> subsequent ACK or NAK message. If a Service-Type Attribute with
> value "Authorize Only" is included in a Disconnect-Request or
> CoA-Request along with a State Attribute, then the State Attribute
> MUST be sent unmodified from the NAS to the RADIUS server in the
> resulting Access-Request sent to the RADIUS server, if any. The State
> Attribute is also available to be sent by the RADIUS server to the
> NAS in a CoA-Request that also includes a Termination-Action
> Attribute with the value of RADIUS-Request. If the client performs
> the Termination-Action by sending a new Access-Request upon
> termination of the current session, it MUST include the State
> Attribute unchanged in that Access-Request. In either usage, the
> client MUST NOT interpret the Attribute locally. A Disconnect-Request
> or CoA-Request packet must have only zero or one State Attribute.
> Usage of the State Attribute is implementation dependent. If the
> RADIUS server does not recognize the State Attribute in the
> Access-Request, then it MUST send an Access-Reject.
>
> However, RFC 3576 does not state that a State attribute is
> REQUIRED in a Disconnect or CoA-Request with Service-Type =
> "Authorize Only", nor does it state that an Access-Request
> with Service-Type = "Authorize Only"
> MUST include a State attribute.
>
> --
> to unsubscribe send a message to
> radiusext-request@ops.ietf.org with the word 'unsubscribe' in
> a single line as the message text body.
> archive: <http://psg.com/lists/radiusext/>
>
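The following is an added example, not part of the original messages or of any RFC text: a server-side check of an Access-Request against the RFC 2865 Section 4.1 rule quoted above and against the requirement Issue 133 proposes (Service-Type "Authorize Only" implies State). The function names, the `build` helper and the sample State value are constructed for illustration; attribute type numbers are the standard RADIUS assignments.

```python
import struct

ACCESS_REQUEST = 1
USER_PASSWORD, CHAP_PASSWORD, SERVICE_TYPE, STATE, EAP_MESSAGE = 2, 3, 6, 24, 79
AUTH_ATTRS = {USER_PASSWORD, CHAP_PASSWORD, EAP_MESSAGE}
AUTHORIZE_ONLY = struct.pack("!I", 17)  # Service-Type "Authorize Only" (RFC 3576)


def parse(packet):
    """Return (code, [(type, value), ...]) from a raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs


def check_access_request(packet):
    """Return a list of rule violations; an empty list means acceptable."""
    code, attrs = parse(packet)
    if code != ACCESS_REQUEST:
        return ["not an Access-Request"]
    types = {t for t, _ in attrs}
    problems = []
    # RFC 2865 4.1 as quoted in the issue: authentication attribute or State.
    if not (types & AUTH_ATTRS) and STATE not in types:
        problems.append("no authentication attribute and no State")
    # Requirement proposed in Issue 133 (not stated in RFC 3576 itself).
    if (SERVICE_TYPE, AUTHORIZE_ONLY) in attrs and STATE not in types:
        problems.append("Authorize Only without State")
    return problems


def build(code, attrs):
    """Assemble a constructed sample packet (zeroed authenticator)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body
```
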