RFC 5176, "Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)", January 2008
Source of RFC: radext (ops)
Errata ID: 4311
Reported By: Alan DeKok
Date Reported: 2015-03-23
Verifier Name: Kathleen Moriarty
Date Verified: 2015-07-20
Section 2.3 says:
In CoA-Request and Disconnect-Request packets, all attributes MUST be treated as mandatory.
It should say:
In CoA-Request and Disconnect-Request packets, all attributes MUST be treated as mandatory to understand by the NAS, except Proxy-State attributes that MUST be treated as opaque data. See Section 3.1 for a discussion of how the NAS must handle Proxy-State.
This was seen with vendor equipment. CoA proxying was done to the NAS, and the proxy was adding and forwarding Proxy-State as required by Section 3.1. However, the NAS was returning a CoA-NAK with Error-Cause = Unsupported-Attribute.
The issue comes because Proxy-State is called out in Section 3.1 for special handling. However, that special handling isn't called out in Section 2.3. As a result, implementors can get confused.
The RADEXT WG is rechartering with a document to address CoA proxying. We will also be addressing this issue in that document. There are additional attributes which a NAS should ignore, OR which should be filtered out by the proxy closest to the NAS.
The text was slightly updated by the WG from the originally submitted text.
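The following is an added example, not part of the erratum or of RFC 5176. It sketches NAS-side attribute checking for a CoA-Request under both readings of Section 2.3: the corrected one, where Proxy-State is opaque and echoed back, and the literal one that produced the CoA-NAK described in the notes. The supported-attribute set, function names and sample packet contents are assumptions made for illustration.

```python
import struct

PROXY_STATE = 33              # RFC 2865 attribute type
ERROR_CAUSE = 101             # RFC 5176 attribute type
UNSUPPORTED_ATTRIBUTE = 401   # Error-Cause value
COA_ACK, COA_NAK = 44, 45     # RFC 5176 packet codes

# Assumption: attribute types this hypothetical NAS understands
# (User-Name, NAS-IP-Address, Filter-Id, Acct-Session-Id).
SUPPORTED = {1, 4, 11, 44}

def parse_attributes(data):
    """Split a packet's attribute section into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs

def handle_coa(attr_bytes, proxy_state_is_opaque=True):
    """Return (reply code, reply attributes) for a CoA-Request."""
    proxy_states, unsupported = [], False
    for atype, value in parse_attributes(attr_bytes):
        if atype == PROXY_STATE:
            proxy_states.append((atype, value))  # echoed unmodified, in order
            if proxy_state_is_opaque:
                continue          # corrected text: never inspected by the NAS
        if atype not in SUPPORTED:
            unsupported = True    # literal reading also lands here for type 33
    if unsupported:
        err = (ERROR_CAUSE, struct.pack("!I", UNSUPPORTED_ATTRIBUTE))
        return COA_NAK, proxy_states + [err]
    return COA_ACK, proxy_states

def attr(atype, value):
    """Encode one attribute as type, length, value."""
    return bytes([atype, len(value) + 2]) + value

# Constructed sample: CoA-Request attributes after passing through one proxy.
SAMPLE = attr(44, b"sess-0001") + attr(11, b"guest-acl") + attr(33, b"\x00\x01hop1")
```

With the default setting the sample is acknowledged and its Proxy-State is returned; with `proxy_state_is_opaque=False` the same packet is rejected with Error-Cause 401, which is the behaviour the report describes.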