On Aug 4, 2023, at 3:47 AM, Eliot Lear <l...@lear.ch> wrote: > Having given this a bit of thought, I think we are chasing our tails, and no > text is required. Let's look at two cases: expired credentials, and > credentials that have not yet expired.
I put some additional text in the draft I published yesterday. It describes what to do in various corner cases, and should hopefully help here. > Expired Credentials I think this just falls back to provisioning. If the credentials are expired and not renewed, the user doesn't get access. If the credentials are renewed, they get access. > Not yet expired credentials The updated draft has some text here. It's largely the same as expired credentials, but with one special case. If the credentials are renewed before they expire, then the peer should keep a copy of the old credentials until it can verify that the new credentials work. Otherwise, it all falls back to the previous case of provisioning. > This now leaves the case where a renewal is taking place prior to credential > expiration. The only issue here is really whether there is any case that, > based on renewal alone, an access policy change would ever take place during > an ongoing communication. My suggestion would be to recommend against such > an action in the RFC, but if it is required, if we're in an EAP exchange then > authorization will follow and there is no need for a CoA/Disconnect, since > radius authorization information will follow. > > What am I missing? Access policies are applied after provisioning has been done. So they are entirely irrelevant until the server replies with an EAP Success. Once the server replies with an EAP Success, access policies should be applied based on the provisioned (i.e. new) credentials. This addresses all of the concerns which were raised over the last few days. i.e. there is no "change" of authorization when a user is provisioned. They're running EAP, and don't have network access. Since they have no current authorization, it can't be changed. Instead, they either get EAP Failure or Success. So the only real question is which identity is used as the basis for access policies. And that's simple, too: the new one. Alan DeKok. _______________________________________________ Emu mailing list Emu@ietf.org https://www.ietf.org/mailman/listinfo/emu
