[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: REMINDER: RADEXT WG Last Call on "Crypto-Agility Requirements for RADIUS"
Joseph Salowey writes...
> Here is text for section 4.6:
Thanks! If no one objects, I'll incorporate that text into the next draft
> I'm not sure what to provide for text for negotiation, because
> RADIUS does not support capability negotiation.
Right. It comes down to the RADIUS client advertising what it can support,
by means of hint attributes included in the Access-Request packet, and the
RADIUS server picking at most one of the options. The client doesn't get to
exercise its "preferences" here, but that's the basic nature of RADIUS, is
it not? An Access-Reject packet means that either (a) the offered
cipher-suites were not acceptable or (b) something else about the
Access-Request was unacceptable / invalid. In either case, you're not
getting access, at least without first contacting the system administrator.
The end user gets no indication of this, other than the fact that access is
denied. Does it make a whole lot of difference to the user as to why? If
it involves a Help Desk call in any event, and the system administrator can
determine the failure reason from the server logs, isn't that enough for a
to unsubscribe send a message to email@example.com with
the word 'unsubscribe' in a single line as the message text body.