Re: [radext] Extended IDs
Peter Deacon <peterd@iea-software.com> Wed, 13 December 2017 02:49 UTC
Return-Path: <peterd@iea-software.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E48A1289B5 for <radext@ietfa.amsl.com>; Tue, 12 Dec 2017 18:49:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wzA44TFqMIx2 for <radext@ietfa.amsl.com>; Tue, 12 Dec 2017 18:49:25 -0800 (PST)
Received: from aspen.iea-software.com (www.iea-software.com [70.89.142.193]) by ietfa.amsl.com (Postfix) with ESMTP id EABED126CBF for <radext@ietf.org>; Tue, 12 Dec 2017 18:49:24 -0800 (PST)
Received: from smurf (unverified [10.0.3.195]) by aspen.iea-software.com (Rockliffe SMTPRA 7.0.6) with ESMTP id <B0006062041@aspen.iea-software.com>; Tue, 12 Dec 2017 18:49:24 -0800
Date: Tue, 12 Dec 2017 18:49:27 -0800
From: Peter Deacon <peterd@iea-software.com>
To: "Naiming Shen (naiming)" <naiming@cisco.com>
cc: "radext@ietf.org" <radext@ietf.org>
In-Reply-To: <B41EF4CD-309C-4E0F-BE7A-B77A244DA421@cisco.com>
Message-ID: <alpine.WNT.2.21.1.1712121824110.2252@smurf>
References: <fef698a5-9802-c9be-04d7-1e869651c988@restena.lu> <dfd0ff02-c9e8-7253-4fb4-1e6def3e93b2@restena.lu> <933E6F70-A7C1-4168-9AC9-F925EF78D9E2@jisc.ac.uk> <AE2036D0-1294-45B5-A0D7-16F91E0B4248@cisco.com> <alpine.WNT.2.21.1.1712121615090.2252@smurf> <EE3BB1A7-EAD9-4BE1-9EA2-B780580E5C95@cisco.com> <alpine.WNT.2.21.1.1712121704430.2252@smurf> <B41EF4CD-309C-4E0F-BE7A-B77A244DA421@cisco.com>
User-Agent: Alpine 2.21.1 (WNT 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; CHARSET="US-ASCII"; FORMAT="flowed"
Content-ID: <alpine.WNT.2.21.1.1712121831121.2252@smurf>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/e93qs8EAksE-9KR7-q-qzF0EQdk>
Subject: Re: [radext] Extended IDs
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Dec 2017 02:49:26 -0000
On Wed, 13 Dec 2017, Naiming Shen (naiming) wrote:
>> How specifically can this be achieved? What is your proposal? Risks?
>> Implementation complexity?
> As the draft currently specified, the server-status message returned by
> the proxy/server has to match the specified pattern/bits; the returned
Please assume status server is NOT being used and all configuration is
manual as allowed per section 2.2:
" Unless specified by configuration, a client MUST NOT send a RADIUS
packet (other than the Status-Server request) with the "Extended
Identifier Attribute" to a server until it has received a response
from the server confirming its support for the Extended Identifier
feature using the "Extended Identifier Attribute"."
I failed to explicitly state this when responding to your question
regarding misconfiguration and ability for clients to detect problems. I
apologize for any confusion this has caused.
> authentication-reply message has to match the id, extended-id, if not
> there is an error. if the error is accumulated, the radius-client should
> know. simple to implement.
Unfortunately it's not this simple. The problem described is one in which
packets are being dropped while at the same time the client is also
receiving exact extended-id attribute and values it expects to see during
normal successful operation.
How does detection algorithm work so client can detect this
misconfiguration? How does it know lack of any response packet is caused
by misconfiguration vs packet loss and or system issues? Can you offer
technical details?
regards,
Peter
- [radext] Extended IDs Stefan Winter
- Re: [radext] Extended IDs Stefan Winter
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Acee Lindem (acee)
- Re: [radext] Extended IDs Robert Raszuk
- Re: [radext] Extended IDs Jakob Heitz (jheitz)
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Jakob Heitz (jheitz)
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Astrid Smith
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Stig Venaas
- Re: [radext] Extended IDs Enke Chen
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Arran Cudbard-Bell
- Re: [radext] Extended IDs peter
- Re: [radext] Extended IDs Bernard Aboba
- Re: [radext] Extended IDs Alan DeKok
- [radext] FW: Extended IDs Albert Tian
- Re: [radext] Extended IDs Enke Chen
- Re: [radext] Extended IDs Brian Weis (bew)
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Brian Weis (bew)
- Re: [radext] Extended IDs David Carrel
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Adam Bishop
- Re: [radext] Extended IDs Jun Zhuang
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Jakob Heitz (jheitz)
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Naiming Shen (naiming)
- Re: [radext] Extended IDs Stefan Winter
- Re: [radext] Extended IDs Stefan Winter
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Enke Chen
- Re: [radext] Extended IDs Peter Deacon
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Acee Lindem (acee)
- Re: [radext] Extended IDs Adam Bishop
- Re: [radext] Extended IDs Enke Chen
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Stefan Winter
- Re: [radext] Extended IDs Acee Lindem (acee)
- Re: [radext] Extended IDs Alan DeKok
- Re: [radext] Extended IDs Acee Lindem (acee)
- Re: [radext] Extended IDs Stefan Winter
- Re: [radext] Extended IDs Alexander Clouter