
[dhcwg] comments on draft-ietf-dhc-agentopt-radius-00.txt



A couple of comments:

1) the description of 802.1X authentication is not completely accurate, in
that 802.1X only refers to RADIUS in an exemplary fashion, on purpose.  The
term used is "authentication server", and although RADIUS usage as an
authentication protocol is well-developed in that document, many other
protocols could be used, including Diameter or even COPS.

2) the draft appears to violate RFC 2865 in that the inclusion of the
Calling-Station-Id Attribute in Access-Accept messages is disallowed by that
document; this doesn't seem to be a major problem, however, since it's
difficult to see why this data needs to be returned from the RADIUS server,
since in almost any condition it would be known to the access device.

3) the usage of the Class Attribute is novel: since that Attribute was
designed to carry information from a RADIUS authentication server to a
RADIUS accounting server, it would be helpful if the draft described what
data was to be included in the Class Attribute to the DHCP server.

4) Attributes containing IP addresses for the supplicant can be returned by
a RADIUS server.  What should happen if this is the case _and_ an address is
requested via DHCP?

~gwz

Glen Zorn
CTO Consulting Engineer
Security and Integrity Group
Consulting Engineering
Cisco Systems

PGP Key Fingerprint: 4F41 B93A 007D E2FC 9769  FB97 FBCF 7DA4 9A2D 1963


_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg
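
An added example, not part of the original message or of the draft: a small checker that parses a raw RADIUS Access-Accept and reports the two conditions raised in comments 2 and 4 (an attribute that RFC 2865 does not permit in Access-Accept, and a Framed-IP-Address returned alongside a DHCP exchange). The function names and the sample packet are constructed for illustration, and the forbidden-attribute set is a subset of the RFC 2865 attribute table.

```python
import socket
import struct

ACCESS_ACCEPT = 2  # RADIUS packet code (RFC 2865)
# Subset of attributes the RFC 2865 attribute table lists as "0"
# (must not be present) for Access-Accept.
FORBIDDEN_IN_ACCEPT = {2: "User-Password", 4: "NAS-IP-Address",
                       30: "Called-Station-Id", 31: "Calling-Station-Id"}
FRAMED_IP_ADDRESS = 8

def parse_attributes(packet):
    """Return (code, [(type, value), ...]) from a raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad Length field")
    attrs, pos = [], 20  # attributes follow the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs

def review_access_accept(packet):
    """List findings relevant to comments 2 and 4 for one Access-Accept."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    findings = []
    for atype, value in attrs:
        if atype in FORBIDDEN_IN_ACCEPT:
            findings.append(FORBIDDEN_IN_ACCEPT[atype] + ": not permitted in Access-Accept")
        elif atype == FRAMED_IP_ADDRESS and len(value) == 4:
            findings.append("Framed-IP-Address " + socket.inet_ntoa(value)
                            + ": RADIUS also supplies an address")
    return findings

def build_packet(code, attrs):
    """Constructed test input; the authenticator is 16 zero bytes, not a valid one."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

SAMPLE = build_packet(ACCESS_ACCEPT, [(31, b"00-11-22-33-44-55"),
                                      (25, b"constructed-class"),
                                      (8, socket.inet_aton("192.0.2.10"))])
```

The Class attribute (type 25) in the sample is accepted silently, since RFC 2865 allows it in Access-Accept; what it should carry toward the DHCP server is the open question of comment 3.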