RFC 5176, "Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)", January 2008

Source of RFC: radext (sec)

Updated by: RFC8559, RFC9765

Errata-ID: 2012

Status: Verified
Type: Technical
Reported By: Avi Lior
Date Reported: 2010-01-25
Verified by: Dan Romascanu
Date Verified: 2010-11-02

Section 3.5 says:

Values 200-299 represent successful completion, so that these
values may only be sent within CoA-ACK or Disconnect-ACK packets
and MUST NOT be sent within a CoA-NAK or Disconnect-NAK packet.

It should say:

Values 200-299 represent successful completion, so that these
values may be sent in other reply messages such as Access-Reject, Access-Challenge, CoA-ACK or Disconnect-ACK packets
and MUST NOT be sent within a CoA-NAK or Disconnect-NAK packet.

Notes:

RFC 3579 allows for Error-Cause to be sent (specifically) in an Access-Challenge and also in Reject messages as well.

The specification in 5176 restricts the usage and should be clarified especially since 5176 was published after 3579.

I proposed minimal text, but I think a broader approach is needed for this attribute. Here are some thoughts:
1) Error-Cause is needed in Access-Reject (as is allowed by 3579).
2) IANA should have procedures for defining new values (currently no procedure is defined). SDOs need to be able to use Error-Cause to report back why an Authentication/Authorization failed. Error-Cause seems to be the only solution other than Reply-Message, which is not really designed for reporting error cause to the NAS.
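The corrected Section 3.5 text above (success values 200-299 allowed in Access-Reject, Access-Challenge, CoA-ACK and Disconnect-ACK, forbidden in CoA-NAK and Disconnect-NAK) is easy to turn into a receiver-side sanity check. The following Python is an added example, not text from RFC 5176 or from this erratum. It assumes only the RADIUS packet layout of RFC 2865 (Code, Identifier, Length, 16-octet Authenticator, then TLV attributes) and the Error-Cause attribute type 101 with a 4-octet integer value from RFC 5176; the sample packets it builds are constructed, with a zero Authenticator, so they are not valid on the wire.

```python
import struct

# RADIUS packet codes (RFC 2865 / RFC 5176).
ACCESS_REJECT, ACCESS_CHALLENGE = 3, 11
DISCONNECT_ACK, DISCONNECT_NAK = 41, 42
COA_ACK, COA_NAK = 44, 45
# Error-Cause attribute type (RFC 5176 section 3.5), value is a 4-octet integer.
ERROR_CAUSE = 101

CODE_NAMES = {
    ACCESS_REJECT: "Access-Reject", ACCESS_CHALLENGE: "Access-Challenge",
    DISCONNECT_ACK: "Disconnect-ACK", DISCONNECT_NAK: "Disconnect-NAK",
    COA_ACK: "CoA-ACK", COA_NAK: "CoA-NAK",
}

# Packet types the erratum says a 2xx Error-Cause MUST NOT appear in.
NO_SUCCESS_CAUSE = {COA_NAK, DISCONNECT_NAK}


def parse_packet(packet):
    """Return (code, [(attr_type, raw_value), ...]) from a raw RADIUS packet.

    Rejects packets whose Length field disagrees with the buffer, and
    attributes that overrun it, so a malformed reply cannot be misread.
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-octet RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS Length field does not match packet size")
    attrs = []
    pos = 20  # skip Code, Identifier, Length and the 16-octet Authenticator
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length overruns packet")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def check_error_cause(packet):
    """Apply the corrected Section 3.5 rule; return a list of violations (empty = OK)."""
    code, attrs = parse_packet(packet)
    problems = []
    for atype, value in attrs:
        if atype != ERROR_CAUSE:
            continue
        if len(value) != 4:
            problems.append("Error-Cause value must be exactly 4 octets")
            continue
        cause = struct.unpack("!I", value)[0]
        if 200 <= cause <= 299 and code in NO_SUCCESS_CAUSE:
            problems.append(
                f"success Error-Cause {cause} in {CODE_NAMES.get(code, code)} (MUST NOT)"
            )
    return problems


def build_packet(code, error_cause):
    """Constructed sample: header with a zero Authenticator plus one Error-Cause attribute."""
    attr = struct.pack("!BBI", ERROR_CAUSE, 6, error_cause)
    header = struct.pack("!BBH", code, 1, 20 + len(attr)) + bytes(16)
    return header + attr


if __name__ == "__main__":
    # 201 = "Residual Session Context Removed", a success value from RFC 5176.
    for code in (ACCESS_REJECT, COA_ACK, COA_NAK, DISCONNECT_NAK):
        print(CODE_NAMES[code], check_error_cause(build_packet(code, 201)) or "OK")
```

The check deliberately leaves the Authenticator untouched: whether a reply is authentic is a separate question, answered with the shared secret before any attribute is trusted. What this example adds is the length discipline (Length field and per-attribute bounds) that a real parser needs before it can safely read the 4-octet Error-Cause value.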