rfcdiff: draft-ietf-dhc-agentopt-radius-00.txt vs. draft-ietf-dhc-agentopt-radius-01.txt

Passages that differ between the two revisions are shown below with
"-00:" and "-01:" labels; all other text is common to both revisions.

Network Working Group                                          R. Droms
Internet-Draft                                            J. Schnizlein
                                                          Cisco Systems
Expires: August 15, 2002 (-00) / April 23, 2003 (-01)
Dated:   February 14, 2002 (-00) / October 23, 2002 (-01)

   RADIUS Attributes Sub-option for the DHCP Relay Agent Information
                                 Option
   draft-ietf-dhc-agentopt-radius-00.txt / draft-ietf-dhc-agentopt-radius-01.txt
Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.
   skipping to change at page 1, line 33

   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on August 15, 2002 (-00) /
   April 23, 2003 (-01).

Copyright Notice

   Copyright (C) The Internet Society (2002).  All Rights Reserved.
Abstract

   A network access device may choose to authenticate the identity of a
   device before granting that device access to the network.  The IEEE
   802.1X protocol is an example of a mechanism for providing
   authenticated layer 2 network access.  A network element using RADIUS
   as an authentication authority will receive attributes from a RADIUS
   server that may be used by a DHCP server in the selection of an IP
   address for assignment to the device through its DHCP client.  The
   RADIUS Attributes sub-option allows (-00) / enables (-01) a network
   element to pass along attributes for the user of a device received
   during RADIUS authentication to a DHCP server.
1. Introduction and Background

   The RADIUS Attributes sub-option for the DHCP Relay Agent option
   provides a way through which network elements can pass information
   obtained through layer 2 authentication to a DHCP server [4]
   (citation added in -01).  IEEE 802.1X [2] is an example of a
   mechanism through which a device such as a switch or a wireless LAN
   access point can authenticate the identity of the user of a device
   before providing layer 2 network access.  In 802.1X authenticated
   access, a device must first exchange some authentication credentials
   with the network access device.  The access device then supplies
   these credentials to a RADIUS server [3], which either confirms or
   denies the identity of the user of the device requesting network
   access.  The access device, based on the reply of the RADIUS server,
   then allows or denies network access to the requesting device.
   skipping to change at page 4, line 28

   The RADIUS attributes are carried as attribute-value pairs (AVPs),
   encoded according to the encoding rules in RFC 2865, in bytes
   b1...bN.
4. DHCP Relay Agent Behavior

   When the DHCP relay agent receives a DHCP message from the client, it
   MAY append a DHCP Relay Agent Information option containing the
   RADIUS Attributes sub-option, along with any other sub-options it is
   configured to supply.  The RADIUS Attributes sub-option MUST contain
   the attributes received in response to the client's authentication
   with the RADIUS service.  The DHCP relay agent MUST NOT add more than
   one RADIUS Attributes sub-option in a message.

   -00: The relay agent SHOULD include the User-Name, Calling-Station-ID
        and Class attributes in the RADIUS Attributes sub-option, and MAY
        include other attributes.

   -01: The relay agent SHOULD include the User-Name and Class attributes
        in the RADIUS Attributes sub-option, and MAY include other
        attributes.
5. DHCP Server Behavior

   When the DHCP server receives a message from a relay agent containing
   a RADIUS Attributes sub-option, it extracts the contents of the
   sub-option and uses that information in selecting configuration
   parameters for the client.
6. DHCP Client Behavior

   The host need not make any special provision for the use of the
   RADIUS Attributes sub-option.
7. RADIUS Server Behavior

   -00: The RADIUS server MUST return the User-Name, Calling-Station-ID
        and Class attributes to the access device, and MAY return other
        attributes.

   -01: The RADIUS server MUST return the User-Name and Class attributes
        to the access device, and MAY return other attributes.
8. Security Considerations

   -00: DHCP as currently defined provides no authentication or security
        mechanisms.  Potential exposures to attack are discussed in
        section 7 of the DHCP protocol specification in RFC 2131.

   -01: Message authentication in DHCP for intradomain use, where the
        out-of-band exchange of a shared secret is feasible, is defined
        in RFC 3118 [6].  Potential exposures to attack are discussed in
        section 7 of the DHCP protocol specification in RFC 2131.

   The DHCP Relay Agent option depends on a trusted relationship between
   the DHCP relay agent and the server, as described in section 5 of RFC
   3046.

   -00: Because the RADIUS attributes are not encrypted or protected
        against modification in any way, the contents can be spoofed or
        modified by hostile devices in an unsecured network.

   -01: While the introduction of fraudulent relay-agent options can be
        prevented by a perimeter defense that blocks these options unless
        the relay agent is trusted, a deeper defense using the
        authentication option for relay agent options [7] SHOULD be
        deployed as well.
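   The AVP encoding of section 3, the relay agent rules of section 4,
   the server behaviour of section 5 and the trust requirement of
   section 8 can be exercised together in a small amount of code.  The
   Python below is an added example written for this page; it is not
   code from the draft or from either author.  It assumes a placeholder
   sub-option code of 7 (the draft leaves the code TBD), a constructed
   allowlist of relay addresses standing in for the RFC 3046 trust
   relationship, and constructed sample attribute values.  The AVP
   layout and the attribute types User-Name (1) and Class (25) are from
   RFC 2865; option code 82 is from RFC 3046.

```python
# Added example: build and check the RADIUS Attributes sub-option inside a
# DHCP Relay Agent Information option.  Not code from the draft.

DHCP_OPT_RELAY_AGENT_INFO = 82   # RFC 3046 option code
SUBOPT_RADIUS_ATTRIBUTES = 7     # ASSUMPTION: draft says "TBD"; 7 is a placeholder
RADIUS_USER_NAME = 1             # RFC 2865 attribute types
RADIUS_CLASS = 25

# Constructed allowlist standing in for the relay/server trust relationship
# of RFC 3046 section 5: the server ignores option 82 from any other source.
TRUSTED_RELAYS = {"10.0.0.1"}


def encode_avp(attr_type, value):
    """RFC 2865 AVP: Type(1) Length(1, counts Type and Length too) Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 octets")
    return bytes([attr_type, len(value) + 2]) + value


def decode_avps(data):
    """Split bytes b1...bN into (type, value) pairs, rejecting bad lengths."""
    avps, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated AVP header at offset %d" % i)
        attr_type, length = data[i], data[i + 1]
        if length < 3 or i + length > len(data):
            raise ValueError("bad AVP length %d at offset %d" % (length, i))
        avps.append((attr_type, data[i + 2:i + length]))
        i += length
    return avps


def build_relay_agent_info(radius_avps, other_suboptions=()):
    """Relay side (section 4): wrap the AVPs from the Access-Accept in one
    RADIUS Attributes sub-option and return the complete option 82."""
    types = {t for t, _ in radius_avps}
    if RADIUS_USER_NAME not in types or RADIUS_CLASS not in types:
        raise ValueError("User-Name and Class attributes are expected")
    payload = b"".join(encode_avp(t, v) for t, v in radius_avps)
    # The sub-option length is one octet, so the AVPs must fit in 255 bytes;
    # refuse rather than silently truncate a long Class value.
    if len(payload) > 255:
        raise ValueError("AVPs do not fit a one-octet sub-option length")
    subs = list(other_suboptions) + [(SUBOPT_RADIUS_ATTRIBUTES, payload)]
    body = b"".join(bytes([code, len(val)]) + val for code, val in subs)
    if len(body) > 255:
        raise ValueError("option 82 body exceeds 255 octets")
    return bytes([DHCP_OPT_RELAY_AGENT_INFO, len(body)]) + body


def decode_suboptions(body):
    """Split an option 82 body into (code, value) sub-options."""
    subs, i = [], 0
    while i < len(body):
        if len(body) - i < 2:
            raise ValueError("truncated sub-option header at offset %d" % i)
        code, length = body[i], body[i + 1]
        if i + 2 + length > len(body):
            raise ValueError("sub-option overruns option body")
        subs.append((code, body[i + 2:i + 2 + length]))
        i += 2 + length
    return subs


def server_extract_radius_attributes(option82, giaddr):
    """Server side (sections 5 and 8): accept option 82 only from a trusted
    relay, require exactly one RADIUS Attributes sub-option, and return the
    decoded AVPs the server may use when selecting configuration parameters."""
    if giaddr not in TRUSTED_RELAYS:
        raise PermissionError("relay-agent option from untrusted relay %s" % giaddr)
    if len(option82) < 2 or option82[0] != DHCP_OPT_RELAY_AGENT_INFO:
        raise ValueError("not a Relay Agent Information option")
    if option82[1] != len(option82) - 2:
        raise ValueError("option length field does not match payload")
    radius_subs = [val for code, val in decode_suboptions(option82[2:])
                   if code == SUBOPT_RADIUS_ATTRIBUTES]
    if len(radius_subs) != 1:
        raise ValueError("expected exactly one RADIUS Attributes sub-option, got %d"
                         % len(radius_subs))
    return decode_avps(radius_subs[0])


# Constructed sample: attributes a RADIUS server might return in Access-Accept.
SAMPLE_AVPS = [(RADIUS_USER_NAME, b"alice@example.net"),
               (RADIUS_CLASS, b"vlan-guest")]

if __name__ == "__main__":
    opt = build_relay_agent_info(SAMPLE_AVPS, other_suboptions=[(1, b"eth0/3")])
    print(opt.hex())
    print(server_extract_radius_attributes(opt, "10.0.0.1"))
```

   The giaddr allowlist is the simplest form of the perimeter defense
   the -01 text describes; it does nothing against a compromised relay
   or an attacker on the relay-to-server path, which is why the draft
   also calls for the relay agent authentication sub-option [7].  The
   length check matters in practice: a Class attribute may be up to 253
   octets, so User-Name plus Class can exceed the one-octet sub-option
   length, and a relay that truncates instead of refusing would hand the
   server a mangled AVP stream.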
9. IANA Considerations

   IANA has assigned the value of TBD for the DHCP Relay Agent
   Information option sub-option code for this sub-option.  This
   document does not define any new namespaces or other constants for
   which IANA must maintain a registry.

10. Terms of Use

   skipping to change at page 6, line 4
   [3]  Rigney, C., Willens, S., Rubens, A. and W. Simpson, "Remote
        Authentication Dial In User Service (RADIUS)", RFC 2865, June
        2000.

   [4]  Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
        March 1997.

   [5]  Patrick, M., "DHCP Relay Agent Information Option", RFC 3046,
        January 2001.

   [6]  Droms, R. and W. Arbaugh, "Authentication for DHCP Messages",
        RFC 3118, June 2001.  (added in -01)

   [7]  Lemon, T. and M. Stapp, "The Authentication Suboption for the
        DHCP Relay Agent Option", draft-ietf-dhc-auth-suboption-00 (work
        in progress), June 2002.  (added in -01)
Authors' Addresses

   Ralph Droms
   Cisco Systems
   250 Apollo Drive
   Chelmsford, MA 01824
   USA

   EMail: rdroms@cisco.com

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/