> (4) RADIUS Servers SHOULD exercise appropriate policy enforcement in terms of providing any NAS with attributes that might disclose security sensitive information related to a user, e.g. keys, unless that user has been successfully authenticated to the RADIUS Server via the NAS in question. This affects RADIUS Server behavior during any Authorize Only service provisioning.
For this to be successful, the RADIUS server needs to know what service is being requested by the NAS, so that it can limit the attributes to those relevant to that service (or refuse to authorize the service). The service cannot be characterized by saying it is "authorize-only" -- that is merely a particular (authorize-only) mode of a particular service which needs to be specified by the NAS.
> In any of the use cases, it is important that the NAS, i.e. the RADIUS Client, be able to communicate the kind of service being sought via hint attributes to the RADIUS Server, in the Access-Request message.
Service-Type is not a "hint". A RADIUS client that receives an Access-Accept with an unknown Service-Type does not treat the attribute as a "hint" -- it treats it as an Access-Reject. This is mandatory behavior in RFC 2865.
-- to unsubscribe send a message to radiusext-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://psg.com/lists/radiusext/>
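As an added illustration (not code from this thread or from any RADIUS implementation), a small Python model of the RFC 2865 client-side rule the reply describes: the NAS first checks the Response Authenticator, then treats an Access-Accept carrying a Service-Type it does not support as an Access-Reject rather than as a hint. The response builder, shared secret and set of supported Service-Type values are constructed for the example.

```python
import hashlib
import struct

# Packet codes and the attribute type number from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
SERVICE_TYPE = 6


def parse_attributes(data):
    """Split the attribute area of a RADIUS packet into (type, value) pairs."""
    attrs, pos = [], 0
    while pos < len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def response_authenticator(code, ident, length, request_auth, attr_bytes, secret):
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + request_auth + attr_bytes + secret).digest()


def evaluate_response(packet, request_auth, secret, supported_service_types):
    """Return 'accept', 'reject' or 'discard' the way an RFC 2865 NAS should."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        return "discard"                     # bad length: silently discard
    auth, attr_bytes = packet[4:20], packet[20:length]
    if response_authenticator(code, ident, length, request_auth, attr_bytes, secret) != auth:
        return "discard"                     # authenticator mismatch: silently discard
    if code != ACCESS_ACCEPT:
        return "reject"
    for atype, value in parse_attributes(attr_bytes):
        # An Access-Accept with a Service-Type the NAS cannot provide is a reject
        if atype == SERVICE_TYPE:
            if len(value) != 4 or struct.unpack("!I", value)[0] not in supported_service_types:
                return "reject"
    return "accept"


def build_response(code, ident, request_auth, secret, attrs):
    """Constructed server-side helper so the example runs offline."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    length = 20 + len(body)
    auth = response_authenticator(code, ident, length, request_auth, body, secret)
    return struct.pack("!BBH", code, ident, length) + auth + body
```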