I've written the following report as a master's degree student:
To gain access to a network, users connect to an access device. Usually, network providers have multiple access devices and one central device. Such a central device can be used for two distinct functions. First, for provisioning: the central device configures each access device with a certain policy. Second, the central device can be used as an authentication server that authenticates each user who connects to an access device. An example of the first function would be a server that configures multiple edge devices of an ISP. An example of the second function would be a dial-in server (network access device) where users authenticate themselves using PAP or CHAP, and where the dial-in server checks the user's identity against a central authentication server.
Until now, it was not possible to create a device that combines automatic configuration and per-session authentication using a single protocol. The RAP group, an IETF working group, has described a framework and created a data structure that can combine these two functions when the data instances are transported between an access device and a central server. The data structure is described in an Internet-Draft called "Framework for Binding Access Control to COPS Provisioning" (the "Access Bind PIB" for short).
This thesis will describe the situation from the perspective of a generic AAA architecture (Authentication, Authorisation and Accounting), as defined in RFC 2903. It will describe the limitations of the draft and the existing technologies on which it is based: the DiffServ model, the COPS and COPS-PR protocols, and EAP.