[radsecproxy] Re: Adding support for dynamic authorisation messages (CoA/Disconnect)
18 Jan
2021
18 Jan
'21
5:11 p.m.
Hi Harshit,
On 13.01.21, 06:24, "Harshit Jain" <hjain(a)arista.com> wrote:
This makes me wonder how CoA Servers will behave if
they receive ACK/NAK for some realms they send requests to, but not others (having
DynAuthResponse On for some realms, but not others). Haven't looked at the details if
the RFC has considered this.
I went through the RFC but I don't think the RFC has considered this. I
couldn't find any mention of how CoA Servers should behave on receiving a NAK.
Indeed. However, the way I read RFC 8559 a proxy must always respond with a NAK if it
can't proxy. Doing this for some realms but not others might confuse a home server. So
a per realm DynAuthResponse doesn't make sense to me. If any, this might be a global
config.
Regards,
Fabian
--
SWITCH
Fabian Mauchle, Network Engineer
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
Phone +41 44 268 15 30, direct +41 44 268 15 39