draft-ietf-dime-rfc4005bis-06.txt versus draft-ietf-dime-rfc4005bis-07.txt

   (Side-by-side diff of the two drafts, rendered as one text.  Passages
   that differ between the versions are marked "-06:" and "-07:";
   everything else is identical in both.  Markers of the form
   "[unchanged text omitted ...]" replace the diff tool's "skipping to
   change at ..." lines.)

Network Working Group                        G. Zorn (-07: G. Zorn, Ed.)
Internet-Draft                                               Network Zen
Obsoletes: 4005 (if approved)   -06: January 3, 2012 / -07: February 4, 2012
Intended status: Standards Track
Expires:                          -06: July 6, 2012 / -07: August 7, 2012

             Diameter Network Access Server Application
     draft-ietf-dime-rfc4005bis-06 / draft-ietf-dime-rfc4005bis-07

Abstract

   This document describes the Diameter protocol application used for
   Authentication, Authorization, and Accounting (AAA) services in the
   Network Access Server (NAS) environment; it obsoletes RFC 4005.  When
   combined with the Diameter Base protocol, Transport Profile, and
   Extensible Authentication Protocol specifications, this application
   specification satisfies typical network access services requirements.

   [unchanged text omitted; diff resumes at page 1, line 36]

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on -06: July 6, 2012 / -07: August 7,
   2012.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents

   [unchanged text omitted; diff resumes at page 2, line 13]

   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.
Table of Contents

   (Page numbers are those of -07.  Sections 1.4 and 1.5 are new in
   -07; the -06 page numbers of the later sections differ slightly as
   a result.)

   1.  Introduction . . . 5
     1.1.  Terminology . . . 5
     1.2.  Requirements Language . . . 6
     1.3.  Advertising Application Support . . . 6
     1.4.  Application Identification . . . 7   (new in -07)
     1.5.  Accounting Model . . . 7   (new in -07)
   2.  NAS Calls, Ports, and Sessions . . . 7
     2.1.  Diameter Session Establishment . . . 8
     2.2.  Diameter Session Reauthentication or Reauthorization . . . 8
     2.3.  Diameter Session Termination . . . 9
   3.  Diameter NAS Application Messages . . . 9
     3.1.  AA-Request (AAR) Command . . . 10
     3.2.  AA-Answer (AAA) Command . . . 12
     3.3.  Re-Auth-Request (RAR) Command . . . 14
     3.4.  Re-Auth-Answer (RAA) Command . . . 15
     3.5.  Session-Termination-Request (STR) Command . . . 16
     3.6.  Session-Termination-Answer (STA) Command . . . 17
     3.7.  Abort-Session-Request (ASR) Command . . . 18
     3.8.  Abort-Session-Answer (ASA) Command . . . 19
     3.9.  Accounting-Request (ACR) Command . . . 20
     3.10. Accounting-Answer (ACA) Command . . . 22
   4.  Diameter NAS Application AVPs . . . 23
     4.1.  Derived AVP Data Formats . . . 23
       4.1.1.  QoSFilterRule . . . 23
     4.2.  NAS Session AVPs . . . 24
       4.2.1.  Call and Session Information . . . 24
       4.2.2.  NAS-Port AVP . . . 25
       4.2.3.  NAS-Port-Id AVP . . . 25
       4.2.4.  NAS-Port-Type AVP . . . 26
       4.2.5.  Called-Station-Id AVP . . . 26
       4.2.6.  Calling-Station-Id AVP . . . 26
       4.2.7.  Connect-Info AVP . . . 27
       4.2.8.  Originating-Line-Info AVP . . . 27
       4.2.9.  Reply-Message AVP . . . 28
     4.3.  NAS Authentication AVPs . . . 28
       4.3.1.  User-Password AVP . . . 29
       4.3.2.  Password-Retry AVP . . . 29
       4.3.3.  Prompt AVP . . . 29
       4.3.4.  CHAP-Auth AVP . . . 29
       4.3.5.  CHAP-Algorithm AVP . . . 30
       4.3.6.  CHAP-Ident AVP . . . 30
       4.3.7.  CHAP-Response AVP . . . 30
       4.3.8.  CHAP-Challenge AVP . . . 30
       4.3.9.  ARAP-Password AVP . . . 30
       4.3.10. ARAP-Challenge-Response AVP . . . 30
       4.3.11. ARAP-Security AVP . . . 31
       4.3.12. ARAP-Security-Data AVP . . . 31
     4.4.  NAS Authorization AVPs . . . 31
       4.4.1.  Service-Type AVP . . . 33
       4.4.2.  Callback-Number AVP . . . 33
       4.4.3.  Callback-Id AVP . . . 34
       4.4.4.  Idle-Timeout AVP . . . 34
       4.4.5.  Port-Limit AVP . . . 34
       4.4.6.  NAS-Filter-Rule AVP . . . 34
       4.4.7.  Filter-Id AVP . . . 34
       4.4.8.  Configuration-Token AVP . . . 35
       4.4.9.  QoS-Filter-Rule AVP . . . 35
       4.4.10. Framed Access Authorization AVPs . . . 36
         4.4.10.1.  Framed-Protocol AVP . . . 36
         4.4.10.2.  Framed-Routing AVP . . . 36
         4.4.10.3.  Framed-MTU AVP . . . 36
         4.4.10.4.  Framed-Compression AVP . . . 36
         4.4.10.5.  IP Access Authorization AVPs . . . 36
           4.4.10.5.1.  Framed-IP-Address AVP . . . 37
           4.4.10.5.2.  Framed-IP-Netmask AVP . . . 37
           4.4.10.5.3.  Framed-Route AVP . . . 37
           4.4.10.5.4.  Framed-Pool AVP . . . 38
           4.4.10.5.5.  Framed-Interface-Id AVP . . . 38
           4.4.10.5.6.  Framed-IPv6-Prefix AVP . . . 38
           4.4.10.5.7.  Framed-IPv6-Route AVP . . . 38
           4.4.10.5.8.  Framed-IPv6-Pool AVP . . . 39
         4.4.10.6.  IPX Access AVPs . . . 39
           4.4.10.6.1.  Framed-IPX-Network AVP . . . 39
         4.4.10.7.  AppleTalk Network Access AVPs . . . 39
           4.4.10.7.1.  Framed-AppleTalk-Link AVP . . . 39
           4.4.10.7.2.  Framed-AppleTalk-Network AVP . . . 40
           4.4.10.7.3.  Framed-AppleTalk-Zone AVP . . . 40
         4.4.10.8.  AppleTalk Remote Access AVPs . . . 40
           4.4.10.8.1.  ARAP-Features AVP . . . 40
           4.4.10.8.2.  ARAP-Zone-Access AVP . . . 40
       4.4.11. Non-Framed Access Authorization AVPs . . . 41
         4.4.11.1.  Login-IP-Host AVP . . . 41
         4.4.11.2.  Login-IPv6-Host AVP . . . 41
         4.4.11.3.  Login-Service AVP . . . 41
         4.4.11.4.  TCP Services . . . 42
           4.4.11.4.1.  Login-TCP-Port AVP . . . 42
         4.4.11.5.  LAT Services . . . 42
           4.4.11.5.1.  Login-LAT-Service AVP . . . 42
           4.4.11.5.2.  Login-LAT-Node AVP . . . 43
           4.4.11.5.3.  Login-LAT-Group AVP . . . 43
           4.4.11.5.4.  Login-LAT-Port AVP . . . 43
     4.5.  NAS Tunneling AVPs . . . 44
       4.5.1.  Tunneling AVP . . . 44
       4.5.2.  Tunnel-Type AVP . . . 45
       4.5.3.  Tunnel-Medium-Type AVP . . . 45
       4.5.4.  Tunnel-Client-Endpoint AVP . . . 45
       4.5.5.  Tunnel-Server-Endpoint AVP . . . 46
       4.5.6.  Tunnel-Password AVP . . . 47
       4.5.7.  Tunnel-Private-Group-Id AVP . . . 47
       4.5.8.  Tunnel-Assignment-Id AVP . . . 47
       4.5.9.  Tunnel-Preference AVP . . . 49
       4.5.10. Tunnel-Client-Auth-Id AVP . . . 49
       4.5.11. Tunnel-Server-Auth-Id AVP . . . 49
     4.6.  NAS Accounting AVPs . . . 50
       4.6.1.  Accounting-Input-Octets AVP . . . 51
       4.6.2.  Accounting-Output-Octets AVP . . . 51
       4.6.3.  Accounting-Input-Packets AVP . . . 51
       4.6.4.  Accounting-Output-Packets AVP . . . 51
       4.6.5.  Acct-Session-Time AVP . . . 51
       4.6.6.  Acct-Authentic AVP . . . 52
       4.6.7.  Accounting-Auth-Method AVP . . . 52
       4.6.8.  Acct-Delay-Time AVP . . . 52
       4.6.9.  Acct-Link-Count AVP . . . 52
       4.6.10. Acct-Tunnel-Connection AVP . . . 53
       4.6.11. Acct-Tunnel-Packets-Lost AVP . . . 53
   5.  AVP Occurrence Tables . . . 53
     5.1.  AA-Request/Answer AVP Table . . . 54
     5.2.  Accounting AVP Tables . . . 56
       5.2.1.  Framed Access Accounting AVP Table . . . 57
       5.2.2.  Non-Framed Access Accounting AVP Table . . . 59
   6.  IANA Considerations . . . 60
   7.  Security Considerations . . . 60
   8.  References . . . 61
     8.1.  Normative References . . . 61
     8.2.  Informative References . . . 62
   Appendix A.  Acknowledgements . . . 64
     A.1.  RFC 4005 . . . 64
     A.2.  RFC 4005bis . . . 65
1.  Introduction

   This document describes the Diameter protocol application used for
   AAA in the Network Access Server (NAS) environment.  When combined
   with the Diameter Base protocol [I-D.ietf-dime-rfc3588bis], Transport
   Profile [RFC3539], and EAP [RFC4072] specifications, this
   specification satisfies the NAS-related requirements defined in
   [RFC2989] and [RFC3169].
   [unchanged text omitted; diff resumes at page 6, line 51]

1.2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

1.3.  Advertising Application Support

   -06: Diameter applications conforming to this specification MUST
   advertise support by including the value of one (1) in the
   Auth-Application-Id of the Capabilities-Exchange-Request (CER),
   AA-Request (AAR), and AA-Answer (AAA) messages.  All other messages
   use the Base application id value [I-D.ietf-dime-rfc3588bis].

   -07: Diameter applications conforming to this specification MUST
   advertise support by including the value of one (1) in the
   Auth-Application-Id of the Capabilities-Exchange-Request (CER)
   message.

1.4.  Application Identification  (new in -07)

   The Auth-Application-Id AVP MUST be set to the value one (1) in the
   following messages:

   o  AA-Request (Section 3.1)

   o  Re-Auth-Request (Section 3.3)

   o  Session-Termination-Request (Section 3.5)

   o  Abort-Session-Request (Section 3.7)

1.5.  Accounting Model  (new in -07)

   It is RECOMMENDED that the coupled accounting model (Section 9.3 of
   [I-D.ietf-dime-rfc3588bis]) be used with this application; therefore,
   the value of the Acct-Application-Id AVP in the Accounting-Request
   (Section 3.10) and Accounting-Answer (Section 3.9) messages SHOULD be
   set to one (1).

2.  NAS Calls, Ports, and Sessions

   The arrival of a new call or service connection at a port of a
   Network Access Server (NAS) starts a Diameter NAS message exchange.
   Information about the call, the identity of the user, and the user's
   authentication information are packaged into a Diameter AA-Request
   (AAR) message and sent to a server.

   The server processes the information and responds with a Diameter AA-
   [unchanged text omitted; diff resumes at page 28, line 45 of -06 /
   page 29, line 45 of -07]

   determine whether the user's response, when entered, should be
   echoed.

   The supported values are listed in [RADIUSTypes].

4.3.4.  CHAP-Auth AVP

   The CHAP-Auth AVP (AVP Code 402) is of type Grouped and contains the
   information necessary to authenticate a user using the PPP Challenge-
   Handshake Authentication Protocol (CHAP) [RFC1994].  If the CHAP-Auth
   AVP is found in a message, the CHAP-Challenge AVP (Section 4.3.8)
   MUST be present as well.  The optional AVPs containing the CHAP
   response depend upon the value of the CHAP-Algorithm AVP
   (Section 4.3.8).  The grouped AVP has the following ABNF grammar:

         CHAP-Auth  ::= < AVP Header: 402 >
                        { CHAP-Algorithm }
                        { CHAP-Ident }
                        [ CHAP-Response ]
                      * [ AVP ]

   (In this section and the next, -07 only adds parentheses around the
   section references; the wording is otherwise unchanged from -06.)

4.3.5.  CHAP-Algorithm AVP

   The CHAP-Algorithm AVP (AVP Code 403) is of type Enumerated and
   contains the algorithm identifier used in the computation of the CHAP
   response [RFC1994].  The following values are currently supported:

   CHAP with MD5  5
      The CHAP response is computed by using the procedure described in
      [RFC1994].  This algorithm requires that the CHAP-Response AVP
      (Section 4.3.7) MUST be present in the CHAP-Auth AVP
      (Section 4.3.4).
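   As an added example (not code from either draft), the following
   Python encodes an AA-Request whose header Application-ID and
   Auth-Application-Id AVP both carry the value one required by
   Sections 1.3 and 1.4, together with a CHAP-Auth grouped AVP as
   defined in Section 4.3.4, and then applies the receiving server's
   checks: the application id, the CHAP-Challenge that MUST accompany
   CHAP-Auth, the CHAP-Response that MUST be present for CHAP with MD5
   (Section 4.3.5), and the RFC 1994 response computation.  The
   Diameter header layout and the codes not shown on this page
   (AA-Request command 265, Session-Id 263, Auth-Application-Id 258,
   CHAP-Challenge 60) are taken from the Diameter base protocol and
   RFC 4005 and are assumptions relative to this page; the shared
   secret, challenge and identifiers are constructed sample values.

```python
# Added example, not part of the draft: encode an AA-Request carrying
# Auth-Application-Id = 1 and a CHAP-Auth grouped AVP, then apply the
# server-side checks from Sections 1.3, 1.4, 4.3.4 and 4.3.5.
import hashlib
import hmac
import os
import struct

NASREQ_APP_ID = 1      # application id advertised and carried by this application
CMD_AAR = 265          # AA-Request command code (Diameter base protocol; assumed here)
# AVP codes from RFC 3588 / RFC 4005; only 402-405 are defined on this page
AVP_CHAP_CHALLENGE, AVP_AUTH_APP_ID, AVP_SESSION_ID = 60, 258, 263
AVP_CHAP_AUTH, AVP_CHAP_ALGORITHM, AVP_CHAP_IDENT, AVP_CHAP_RESPONSE = 402, 403, 404, 405
CHAP_MD5 = 5           # CHAP-Algorithm value "CHAP with MD5" (Section 4.3.5)


def avp(code, data, mandatory=True):
    """Encode one AVP: code (4), flags (1), length (3), data padded to 4 octets."""
    flags = 0x40 if mandatory else 0x00            # M bit; V bit clear (no Vendor-ID)
    header = struct.pack("!IB", code, flags) + (8 + len(data)).to_bytes(3, "big")
    return header + data + b"\x00" * (-len(data) % 4)


def parse_avps(buf):
    """Decode consecutive AVPs into (code, flags, data) tuples, rejecting truncation."""
    out, off = [], 0
    while off < len(buf):
        code, flags = struct.unpack_from("!IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr_len = 12 if flags & 0x80 else 8        # V bit adds a 4-octet Vendor-ID
        if length < hdr_len or off + length > len(buf):
            raise ValueError("truncated or malformed AVP")
        out.append((code, flags, buf[off + hdr_len:off + length]))
        off += length + (-length % 4)              # skip padding to the next AVP
    return out


def chap_auth_avp(ident, response):
    """CHAP-Auth ::= < AVP Header: 402 > { CHAP-Algorithm } { CHAP-Ident } [ CHAP-Response ]."""
    body = avp(AVP_CHAP_ALGORITHM, struct.pack("!I", CHAP_MD5))
    body += avp(AVP_CHAP_IDENT, bytes([ident]))    # exactly one octet (Section 4.3.6)
    body += avp(AVP_CHAP_RESPONSE, response)
    return avp(AVP_CHAP_AUTH, body)


def build_aar(session_id, ident, challenge, response):
    """20-octet Diameter header followed by AVPs; the header Application-ID and
    the Auth-Application-Id AVP both carry 1 (Sections 1.3 and 1.4)."""
    avps = avp(AVP_SESSION_ID, session_id.encode())
    avps += avp(AVP_AUTH_APP_ID, struct.pack("!I", NASREQ_APP_ID))
    avps += avp(AVP_CHAP_CHALLENGE, challenge)
    avps += chap_auth_avp(ident, response)
    header = bytes([1]) + (20 + len(avps)).to_bytes(3, "big")    # version, message length
    header += bytes([0x80]) + CMD_AAR.to_bytes(3, "big")         # R flag set, command code
    header += struct.pack("!III", NASREQ_APP_ID, 0x1234, 0x5678) # app id, hop-by-hop, end-to-end (sample)
    return header + avps


def chap_md5_response(ident, secret, challenge):
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify_aar(msg, secret):
    """Return "ok" or a description of the first rule the message violates."""
    if len(msg) < 20 or msg[0] != 1:
        return "malformed header"
    cmd = int.from_bytes(msg[5:8], "big")
    app_id = struct.unpack_from("!I", msg, 8)[0]
    if cmd != CMD_AAR or app_id != NASREQ_APP_ID:
        return "wrong command or header Application-ID"
    avps = {code: data for code, _, data in parse_avps(msg[20:])}
    if avps.get(AVP_AUTH_APP_ID) != struct.pack("!I", NASREQ_APP_ID):
        return "Auth-Application-Id AVP missing or not 1"      # Section 1.4 MUST
    if AVP_CHAP_AUTH not in avps:
        return "no CHAP-Auth AVP"
    if AVP_CHAP_CHALLENGE not in avps:
        return "CHAP-Auth present without CHAP-Challenge"      # Section 4.3.4 MUST
    inner = {code: data for code, _, data in parse_avps(avps[AVP_CHAP_AUTH])}
    if inner.get(AVP_CHAP_ALGORITHM) != struct.pack("!I", CHAP_MD5):
        return "unsupported CHAP-Algorithm"
    if len(inner.get(AVP_CHAP_IDENT, b"")) != 1:
        return "CHAP-Ident missing or not one octet"
    if AVP_CHAP_RESPONSE not in inner:
        return "CHAP-Response required for CHAP with MD5"       # Section 4.3.5 MUST
    expected = chap_md5_response(inner[AVP_CHAP_IDENT][0], secret, avps[AVP_CHAP_CHALLENGE])
    # Constant-time compare so a wrong response cannot be told apart by timing.
    return "ok" if hmac.compare_digest(expected, inner[AVP_CHAP_RESPONSE]) else "bad CHAP response"


if __name__ == "__main__":
    secret, ident, challenge = b"example-shared-secret", 0x2A, os.urandom(16)  # constructed
    msg = build_aar("nas.example.com;1;1", ident, challenge,
                    chap_md5_response(ident, secret, challenge))
    print(verify_aar(msg, secret))   # ok
```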
4.3.6.  CHAP-Ident AVP

   The CHAP-Ident AVP (AVP Code 404) is of type OctetString and contains
   the 1 octet CHAP Identifier used in the computation of the CHAP
   response [RFC1994].

4.3.7.  CHAP-Response AVP

   The CHAP-Response AVP (AVP Code 405) is of type OctetString and
   [unchanged text omitted; diff resumes at page 30, line 38 of -06 /
   page 31, line 38 of -07]

   challenge or response associated with the ARAP Security Module
   specified in the ARAP-Security AVP (Section 4.3.11).

4.4.  NAS Authorization AVPs

   This section contains the authorization AVPs supported in the NAS
   Application.  The Service-Type AVP SHOULD be present in all messages
   and, based on its value, additional AVPs defined in this section and
   Section 4.5 MAY be present.

   The following table gives the possible flag values for the session-
   level AVPs and specifies whether the AVP MAY be encrypted.

                                             +----------+
                                             | AVP Flag |
                                             |  rules   |
                                             |----+-----|
                                             |MUST| MUST|
   Attribute Name            Section Defined |    | NOT |
   ------------------------------------------|----+-----|
   Service-Type              4.4.1           | M  |  V  |
   [unchanged text omitted; diff resumes at page 33, line 20 of -06 /
   page 34, line 20 of -07]

4.4.3.  Callback-Id AVP

   The Callback-Id AVP (AVP Code 20) is of type UTF8String and contains
   the name of a place to be called, to be interpreted by the NAS.  This
   AVP MAY be present in an authentication and/or authorization
   response.

   This AVP is not roaming-friendly as it assumes that the Callback-Id
   is configured on the NAS.  Using the Callback-Number AVP
   (Section 4.4.2) is therefore preferable.

4.4.4.  Idle-Timeout AVP

   The Idle-Timeout AVP (AVP Code 28) is of type Unsigned32 and sets the
   maximum number of consecutive seconds of idle connection allowable to
   the user before termination of the session or before a prompt is
   issued.  The default is none, or system specific.

4.4.5.  Port-Limit AVP
skipping to change at page 34, line 10 skipping to change at page 35, line 10
the name of the filter list for this user. Zero or more Filter-Id the name of the filter list for this user. Zero or more Filter-Id
AVPs MAY be sent in an authorization answer. AVPs MAY be sent in an authorization answer.
Identifying a filter list by name allows the filter to be used on Identifying a filter list by name allows the filter to be used on
different NASes without regard to filter-list implementation details. different NASes without regard to filter-list implementation details.
However, this AVP is not roaming-friendly, as filter naming differs However, this AVP is not roaming-friendly, as filter naming differs
from one service provider to another. from one service provider to another.
In environments where backward compatibility with RADIUS is not In environments where backward compatibility with RADIUS is not
required, it is RECOMMENDED that the NAS-Filter-Rule AVP required, it is RECOMMENDED that the NAS-Filter-Rule AVP
Section 4.4.6 be used instead. (Section 4.4.6) be used instead.
4.4.8. Configuration-Token AVP 4.4.8. Configuration-Token AVP
The Configuration-Token AVP (AVP Code 78) is of type OctetString and The Configuration-Token AVP (AVP Code 78) is of type OctetString and
is sent by a Diameter Server to a Diameter Proxy Agent in an AA- is sent by a Diameter Server to a Diameter Proxy Agent in an AA-
Answer command to indicate a type of user profile to be used. It Answer command to indicate a type of user profile to be used. It
should not be sent to a Diameter Client (NAS). should not be sent to a Diameter Client (NAS).
The format of the Data field of this AVP is site specific. The format of the Data field of this AVP is site specific.
4.4.9. QoS-Filter-Rule AVP 4.4.9. QoS-Filter-Rule AVP
The QoS-Filter-Rule AVP (AVP Code 407) is of type QoSFilterRule The QoS-Filter-Rule AVP (AVP Code 407) is of type QoSFilterRule
Section 4.1.1 and provides QoS filter rules that need to be (Section 4.1.1) and provides QoS filter rules that need to be
configured on the NAS for the user. One or more such AVPs MAY be configured on the NAS for the user. One or more such AVPs MAY be
present in an authorization response. present in an authorization response.
The use of this AVP is NOT RECOMMENDED; the AVPs defined by Korhonen, et al. [RFC5777] SHOULD be used instead.

DSCP <color> If action is set to tag (Section 4.1.1) this option MUST be included in the rule.

Color values are defined in [RFC2474]. Exact matching of DSCP values is required (no masks or ranges).

metering <rate> <color_under> <color_over> The metering option provides Assured Forwarding, as defined in [RFC2597], and MUST be present if the action is set to meter (Section 4.1.1). The rate option is the throughput, in bits per second, used by the access device to mark packets. Traffic over the rate is marked with the color_over codepoint, and traffic under the rate is marked with the color_under codepoint. The color_under and color_over options contain the drop preferences and MUST conform to the recommended codepoint keywords described in [RFC2597] (e.g., AF13).

The metering option also supports the strict limit on traffic required by Expedited Forwarding, as defined in [RFC3246]. The color_over option may contain the keyword "drop" to prevent
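As an added example (not part of the draft), a validator a NAS could run over a received QoS-Filter-Rule before configuring it: it enforces that tag rules carry a DSCP option, that meter rules carry a metering option, that DSCP values are exact (no masks or ranges), that the rate is a positive bit/s count, and that metering colors are RFC 2597 AFxy keywords with "drop" permitted for color_over. The outer rule grammar "action dir proto from src to dst [options]" and the EF/CSn keyword set are assumptions, since Section 4.1.1 is not reproduced on this page.

```python
# Added example (not the draft's code): checks the DSCP and metering options of a
# QoS-Filter-Rule. Rule grammar "action dir proto from src to dst [options]" assumed.
AF_CODEPOINTS = {f"AF{c}{d}" for c in range(1, 5) for d in range(1, 4)}  # RFC 2597 AFxy
DSCP_KEYWORDS = AF_CODEPOINTS | {"EF"} | {f"CS{n}" for n in range(8)}  # assumed keywords

def parse_dscp_color(color: str) -> str:
    # One exact codepoint only: a keyword or decimal 0..63; masks/ranges are rejected.
    if color in DSCP_KEYWORDS or (color.isdigit() and len(color) <= 2 and int(color) <= 63):
        return color
    raise ValueError(f"DSCP color must be a single exact codepoint, got {color!r}")

def parse_qos_filter_rule(rule: str) -> dict:
    t = rule.split()
    if len(t) < 7 or t[3] != "from" or t[5] != "to":
        raise ValueError("expected 'action dir proto from src to dst [options]'")
    if t[0] not in ("tag", "meter") or t[1] not in ("in", "out"):
        raise ValueError(f"bad action/direction: {t[0]} {t[1]}")
    out = {"action": t[0], "dir": t[1], "proto": t[2], "src": t[4], "dst": t[6],
           "dscp": None, "metering": None}
    opts, i = t[7:], 0
    while i < len(opts):
        if opts[i] == "DSCP" and i + 1 < len(opts):
            out["dscp"] = parse_dscp_color(opts[i + 1])
            i += 2
        elif opts[i] == "metering" and i + 3 < len(opts):
            rate, under, over = opts[i + 1:i + 4]
            if not rate.isdigit() or int(rate) <= 0:
                raise ValueError(f"metering rate must be a positive bit/s count: {rate!r}")
            # colors carry AF drop precedence; "drop" on color_over is the EF strict limit
            if under not in AF_CODEPOINTS or over not in AF_CODEPOINTS | {"drop"}:
                raise ValueError("metering colors must be AFxy keywords (over may be 'drop')")
            out["metering"] = {"rate_bps": int(rate), "color_under": under, "color_over": over}
            i += 4
        else:
            raise ValueError(f"unknown or truncated option at {opts[i]!r}")
    if out["action"] == "tag" and out["dscp"] is None:
        raise ValueError("action 'tag' requires the DSCP option")
    if out["action"] == "meter" and out["metering"] is None:
        raise ValueError("action 'meter' requires the metering option")
    return out

def is_valid_qos_filter_rule(rule: str) -> bool:
    try:
        parse_qos_filter_rule(rule)
        return True
    except ValueError:
        return False
```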
instances of this AVP in the same message are not allowed.

The codification of this field's allowed range is outside the scope of this specification.
4.4.10.8. AppleTalk Remote Access AVPs

The AVPs defined in this section are used when the user requests, or is being granted, access to the AppleTalk network via the AppleTalk Remote Access Protocol [ARAP]. They are only present if the Framed-Protocol AVP (Section 4.4.10.1) is set to ARAP. Section 2.2 of RFC 2869 [RFC2869] describes the operational use of these attributes.

4.4.10.8.1. ARAP-Features AVP

The ARAP-Features AVP (AVP Code 71) is of type OctetString and MAY be present in the AA-Accept message if the Framed-Protocol AVP is set to the value of ARAP. See [RFC2869] for more information about the format of this AVP.

4.4.10.8.2. ARAP-Zone-Access AVP
August 2005.

[RFC4301] Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, December 2005.

[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, August 2008.

[RFC5777] Korhonen, J., Tschofenig, H., Arumaithurai, M., Jones, M., and A. Lior, "Traffic Classification and Quality of Service (QoS) Attributes for Diameter", RFC 5777, February 2010.
Appendix A. Acknowledgements

A.1. RFC 4005

The authors would like to thank Carl Rigney, Allan C. Rubens, William Allen Simpson, and Steve Willens for their work on the original RADIUS protocol, from which many of the concepts in this specification were derived. Thanks, also, to Carl Rigney for [RFC2866] and [RFC2869]; Ward Willats for [RFC2869]; Glen Zorn, Bernard Aboba, and Dave Mitton for [RFC2867] and [RFC3162]; and Dory
C. Fox, Lol Grant, Nancy Greene, Jeff Hagg, Peter Heitman, Paul Krumviede, Fergal Ladley, Ryan Moats, Victor Muslin, Kenneth Peirce, Sumit Vakil, John R. Vollbrecht, and Jeff Weisberg.

Finally, Pat Calhoun would like to thank Sun Microsystems, as most of the effort put into this document was done while he was in their employ.
A.2. RFC 4005bis

The vast majority of the text in this document was taken directly from RFC 4005; the editor owes a debt of gratitude to the authors thereof (especially Dave Mitton, who somehow managed to make nroff paginate the AVP Occurrence Tables correctly!).

Thanks (in no particular order) to Jai-Jin Lim, Liu Hans, Sebastien Decugis, Jouni Korhonen, Mark Jones, Hannes Tschofenig and Stefan Winter for their useful reviews and helpful comments.
Author's Address

Glen Zorn (editor)
Network Zen
227/358 Thanon Sanphawut
Bang Na, Bangkok 10260
Thailand

Phone: +66 (0) 87-040-4617
EMail: glenzorn@gmail.com
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/