RE: Re-auth failure
This is exactly true in the case you specify.
But consider the case where the NAS or the device itself decides to reauthenticate, or, for that matter, the Diameter case, where we do have an Authorization-Lifetime and a session time.
NASREQ has text that covers this scenario and IMO is correct:
2.2. Diameter Session Reauthentication or Reauthorization
A Diameter server informs the NAS of the maximum time allowed before
reauthentication or reauthorization via the Authorization-Lifetime
AVP [BASE]. A NAS MAY reauthenticate and/or reauthorize before the
end, but a NAS MUST reauthenticate and/or reauthorize at the end of
the period provided by the Authorization-Lifetime AVP. The failure
of a reauthentication exchange will terminate the service.
Can't be clearer than this.
The business reasons are clearer.
A HAAA server authorizes a service and by doing so is willing to pay the NAS to deliver that service. If reauthentication fails, then the HAAA cannot be on the hook for paying for service. Or, from the user's perspective, if reauthentication fails you can't expect the user to pay for the service, since upon presentation of a bill the user will claim it wasn't him.
> -----Original Message-----
> From: email@example.com
> [mailto:firstname.lastname@example.org] On Behalf Of Bernard Aboba
> Sent: Friday, March 07, 2008 2:38 PM
> To: Alper Yegin; email@example.com
> Subject: Re: Re-auth failure
> If we are talking about EAP, then Re-authentication is driven
> by the authenticator.
> RFC 3579 states that this occurs on expiration of the
> Session-Timeout value, so that the maximum session time has
> already been utilized by the time it occurs.
> Therefore if the user fails authentication, they have no
> remaining time left on the session.
> From: "Alper Yegin" <firstname.lastname@example.org>
> Sent: Friday, March 07, 2008 7:48 AM
> To: <email@example.com>
> Subject: Re-auth failure
> > RFC 3579 says:
> > Reception of a RADIUS Access-Reject packet MUST result in the NAS denying
> > access to the authenticating peer.
> > Consider a host that is already authenticated and authorized for
> > network access. If it performs re-authentication say 1 hour before the
> > session timeout and fails authentication (EAP-Failure), should the NAS
> > disconnect the host from the network immediately? According to the RFC
> > 3579 text, it MUST eject the host immediately.
> > Shouldn't the network have the option to let the host stay
> > until the expiration of the currently granted session, if it chooses
> > to? If so, is there a different interpretation of the above text, or a
> > different message (Access-Accept with EAP-Failure?) recommended?
> > Thanks.
> > Alper
> > --
> > to unsubscribe send a message to
> firstname.lastname@example.org with
> > the word 'unsubscribe' in a single line as the message text body.
> > archive: <http://psg.com/lists/radiusext/>
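The three positions in the thread (a failed reauthentication before Session-Timeout expiry forfeits the remaining time, a Session-Timeout-driven reauthentication leaves nothing to forfeit, and the NAS MAY reauthenticate early under an Authorization-Lifetime) can be checked against a small NAS session model. This is an added example, not code from the list or from any RFC; the class, its method names and the timer values are constructed for illustration, and the model applies the quoted NASREQ rule (failure terminates service) as written.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class NasSession:
    """Constructed model of one NAS session; times in seconds, values illustrative."""
    session_timeout: int          # Session-Timeout granted by the AAA server
    authorization_lifetime: int   # Authorization-Lifetime: max time before reauth/reauthz
    started_at: int = 0
    active: bool = True
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.ends_at = self.started_at + self.session_timeout
        self.authorized_until = self.started_at + self.authorization_lifetime

    def remaining(self, now: int) -> int:
        """Seconds of the granted Session-Timeout not yet consumed."""
        return max(0, self.ends_at - now)

    def next_action(self, now: int) -> str:
        """What the NAS must do at time `now`."""
        if not self.active:
            return "inactive"
        if now >= self.authorized_until:
            return "reauth_required"     # MUST reauthenticate at end of the lifetime
        if now >= self.ends_at:
            self.active = False
            self.log.append(f"t={now}: Session-Timeout reached, session ended")
            return "session_timeout"
        return "serving"

    def reauthenticate(self, now: int, accepted: bool,
                       new_lifetime: Optional[int] = None,
                       new_session_timeout: Optional[int] = None) -> str:
        """Apply the outcome of a reauth exchange.

        `accepted` is True for Access-Accept/EAP-Success and False for
        Access-Reject/EAP-Failure. The NAS MAY run the exchange before the
        lifetime expires (the caller picks `now`); the outcome is handled the same.
        """
        if not self.active:
            return "inactive"
        if accepted:
            lifetime = new_lifetime if new_lifetime is not None else self.authorization_lifetime
            self.authorized_until = now + lifetime
            if new_session_timeout is not None:
                self.ends_at = now + new_session_timeout
            self.log.append(f"t={now}: reauth ok, authorized until t={self.authorized_until}")
            return "continue"
        # RFC 3579: Access-Reject MUST result in the NAS denying access.
        # NASREQ: failure of a reauthentication exchange terminates the service.
        unused = self.remaining(now)
        self.active = False
        self.log.append(f"t={now}: reauth failed, service terminated, {unused}s unused")
        return "terminate"


def reauth_one_hour_early() -> Tuple[str, int, bool]:
    """Lifetime 3h, Session-Timeout 4h: a failed reauth at t=3h forfeits the last hour."""
    s = NasSession(session_timeout=4 * 3600, authorization_lifetime=3 * 3600)
    assert s.next_action(3 * 3600) == "reauth_required"
    result = s.reauthenticate(3 * 3600, accepted=False)
    return result, s.remaining(3 * 3600), s.active


def reauth_at_session_timeout() -> Tuple[str, int, bool]:
    """Reauth driven only by Session-Timeout expiry: a failure costs no remaining time."""
    s = NasSession(session_timeout=4 * 3600, authorization_lifetime=4 * 3600)
    assert s.next_action(4 * 3600) == "reauth_required"
    result = s.reauthenticate(4 * 3600, accepted=False)
    return result, s.remaining(4 * 3600), s.active


def early_reauth_success() -> Tuple[str, str, int]:
    """The NAS MAY reauth early; a success renews the Authorization-Lifetime window."""
    s = NasSession(session_timeout=4 * 3600, authorization_lifetime=3 * 3600)
    result = s.reauthenticate(1 * 3600, accepted=True)
    return result, s.next_action(3 * 3600), s.authorized_until


if __name__ == "__main__":
    for fn in (reauth_one_hour_early, reauth_at_session_timeout, early_reauth_success):
        print(fn.__name__, fn())
```

The first scenario is the one the original question describes: the NAS terminates with 3600 s of granted time unused, which is exactly the time the HAAA would otherwise be billed for. The second is the RFC 3579 EAP case, where the reauthentication runs at Session-Timeout expiry and a failure forfeits nothing. Letting the host stay after a failure would require the NAS to ignore the Access-Reject, which neither quoted text permits; the model does not offer that branch.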