questions on NAS handling of authorization attributes

Ed Macke (ed@maxwell.meridiantc.com)
Mon, 11 Mar 1996 11:30:40 -0600 (CST)

Hi. I'm implementing the Network Access Server side of RADIUS for
our company, and had some more questions that I hoped the RADIUS
community could help me with.

When the RADIUS server sends an Access-Accept packet to the NAS, it
may include authorization information such as the Service-Type
attribute, the Framed-Protocol attribute, the Framed-IP-Address
attribute, etc.

Question #1:
If the Access-Accept packet does not contain any such attributes,
what services should the NAS make available to the now-authenticated
user? The answer I've come up with is to have a default set of
privileges assigned to such a user; is this an acceptable answer?

Question #2:
If the Access-Accept packet does contain one or more such
attributes, how are they to be interpreted by the NAS?
One possibility would be to restrict the user to only having
access to the indicated service-type.
Another possibility would be to provide access to both the
indicated service-type and any other service types allowed
by the default set of privileges mentioned in Question #1.
What is the preferred behavior in this case?

Any help with either of these two questions will be
greatly appreciated!

Thanks in advance,
Ed Macke
Network Engineer
Meridian Technology Corporation
ed@meridiantc.com
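
Added example, not part of the original post: a Python sketch of the decision the two questions describe, reading the attributes out of an Access-Accept and computing the permitted services under each reading of Question #2, without saying which one is preferred. The default set, the policy names "restrict" and "union", and the helper build_accept are assumptions made for illustration.

```python
import struct

ACCESS_ACCEPT = 2                                   # RADIUS packet code
SERVICE_TYPE, FRAMED_PROTOCOL, FRAMED_IP_ADDRESS = 6, 7, 8
SERVICE_NAMES = {1: "Login", 2: "Framed"}           # subset of Service-Type values
DEFAULT_SERVICES = frozenset({"Login"})             # assumed local default (Question #1)

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: raw value} from an Access-Accept packet.
    Response Authenticator verification is out of scope for this sketch."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    if length < 20 or length > len(packet):
        raise ValueError("length field disagrees with packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute length")
        attrs[a_type] = packet[pos + 2:pos + a_len]
        pos += a_len
    return attrs

def allowed_services(attrs: dict, policy: str) -> set:
    """policy 'restrict' = first reading in Question #2, 'union' = second."""
    if policy not in ("restrict", "union"):
        raise ValueError("unknown policy")
    if SERVICE_TYPE not in attrs:                   # Question #1: nothing sent
        return set(DEFAULT_SERVICES)
    raw = attrs[SERVICE_TYPE]
    if len(raw) != 4:
        raise ValueError("Service-Type must be a 4-byte integer")
    value = struct.unpack("!I", raw)[0]
    if value not in SERVICE_NAMES:
        raise ValueError("unsupported Service-Type")
    indicated = {SERVICE_NAMES[value]}
    return indicated if policy == "restrict" else indicated | DEFAULT_SERVICES

def build_accept(attrs) -> bytes:
    """Constructed sample packet: zeroed authenticator, (type, value) pairs."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body
```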