Ok, we might be having an Agree-O-thon...

On 04.08.23 11:49, Alan DeKok wrote:
> Access policies are applied after provisioning has been done. So they are entirely irrelevant until the server replies with an EAP Success.

Yes. So COAs and Disconnects aren't necessary at that point.

> Once the server replies with an EAP Success, access policies should be applied based on the provisioned (i.e. new) credentials. This addresses all of the concerns which were raised over the last few days.

Yupper.

> i.e. there is no "change" of authorization when a user is provisioned.

Yup.

> They're running EAP, and don't have network access.

Yup.

> Since they have no current authorization, it can't be changed.

Yup.

> Instead, they either get EAP Failure or Success. So the only real question is which identity is used as the basis for access policies. And that's simple, too: the new one.

Yep.

Eliot
Alan DeKok.
_______________________________________________ Emu mailing list Emu@ietf.org https://www.ietf.org/mailman/listinfo/emu