
Re: Is provisioning services in Accounting-Request packets bad?



On Jun 15, 2010, at 2:06 PM, Alan DeKok wrote:

> It creates FW rules for the user.  It does *not* relay the result back
> to the NAS.

OK, I think I get it.

> The NAS sends an Access-Request to the RADIUS server.
> The RADIUS server originates the Accounting-Request.

To a RADIUS Accounting Server?

Let's see if I've got this....

The NAS (Node A) sends an Access-Request to the RADIUS Server (Node B) which then sends an Accounting-Request to the RADIUS Accounting Server (Node C), and subsequently the RADIUS Server (Node B) sends an Access-Accept to the NAS (Node A)?  The RADIUS Accounting Server (Node C) by some means creates access rules for the user and sends them to the Firewall (Node D)?

Yikes.

> The *intent* appears to be that waiting the extra 1/10s for the NAS to
> originate the Accounting-Request would be a catastrophic delay.  The
> "network setup" side of the user session needs to be done before the
> Access-Accept is received by the NAS.
>
> The "simplest" way to do this is to overload RADIUS.

Well, RADIUS has a history of being an eminently overload-able protocol.  :-)

I think it's unusual, to say the least, for a RADIUS Server to initiate a request on behalf of a NAS unless that RADIUS Server is acting in the role of RADIUS Proxy Server.  That doesn't seem to be the case here.

Regards,

Dave

David B. Nelson

Elbrys Networks, Inc.
282 Corporate Drive, Unit 1
Portsmouth, NH 03801

+1.603.570.2636
www.elbrysnetworks.com
dnelson@elbrysnetworks.com






--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>