Diff of draft-ietf-dime-rfc4005bis-09.txt against draft-ietf-dime-rfc4005bis-10.txt
(text common to both drafts is shown once; where the drafts differ, the -09
and -10 text is marked)

Network Working Group                                        G. Zorn, Ed.
Internet-Draft                                                Network Zen
Obsoletes: 4005 (if approved)        -09: May 18, 2012 / -10: July 15, 2012
Intended status: Standards Track
Expires:                   -09: November 19, 2012 / -10: January 16, 2013

Diameter Network Access Server Application
-09: draft-ietf-dime-rfc4005bis-09 / -10: draft-ietf-dime-rfc4005bis-10
Abstract

This document describes the Diameter protocol application used for
Authentication, Authorization, and Accounting (AAA) services in the
Network Access Server (NAS) environment; it obsoletes RFC 4005. When
combined with the Diameter Base protocol, Transport Profile, and
Extensible Authentication Protocol specifications, this application
specification satisfies typical network access services requirements.
skipping to change at page 1, line 36

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

-09: This Internet-Draft will expire on November 19, 2012.
-10: This Internet-Draft will expire on January 16, 2013.

Copyright Notice

Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents

skipping to change at page 2, line 14

the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents (page numbers in -09 and -10)

Section                                                     -09  -10
1. Introduction                                                5    5
1.1. Changes from RFC 4005                                     5    5
1.2. Terminology                                               6    6
1.3. Requirements Language                                     7    7
1.4. Advertising Application Support                           7    7
1.5. Application Identification                                7    8
1.6. Accounting Model                                          8    8
2. NAS Calls, Ports, and Sessions                              8    8
2.1. Diameter Session Establishment                            8    9
2.2. Diameter Session Reauthentication or Reauthorization      9    9
2.3. Diameter Session Termination                             10   10
3. Diameter NAS Application Messages                          10   10
3.1. AA-Request (AAR) Command                                 11   11
3.2. AA-Answer (AAA) Command                                  12   13
3.3. Re-Auth-Request (RAR) Command                            14   15
3.4. Re-Auth-Answer (RAA) Command                             15   16
3.5. Session-Termination-Request (STR) Command                16   17
3.6. Session-Termination-Answer (STA) Command                 17   18
3.7. Abort-Session-Request (ASR) Command                      18   19
3.8. Abort-Session-Answer (ASA) Command                       19   20
3.9. Accounting-Request (ACR) Command                         20   21
3.10. Accounting-Answer (ACA) Command                         22   23
4. Diameter NAS Application AVPs                              23   24
4.1. Derived AVP Data Formats                                 23   24
4.1.1. QoSFilterRule                                          23   24
4.2. NAS Session AVPs                                         24   25
4.2.1. Call and Session Information                           24   25
4.2.2. NAS-Port AVP                                           25   26
4.2.3. NAS-Port-Id AVP                                        25   26
4.2.4. NAS-Port-Type AVP                                      26   27
4.2.5. Called-Station-Id AVP                                  26   27
4.2.6. Calling-Station-Id AVP                                 26   27
4.2.7. Connect-Info AVP                                       27   28
4.2.8. Originating-Line-Info AVP                              27   28
4.2.9. Reply-Message AVP                                      28   29
4.3. NAS Authentication AVPs                                  28   29
4.3.1. User-Password AVP                                      29   30
4.3.2. Password-Retry AVP                                     29   30
4.3.3. Prompt AVP                                             29   30
4.3.4. CHAP-Auth AVP                                          29   30
4.3.5. CHAP-Algorithm AVP                                     30   31
4.3.6. CHAP-Ident AVP                                         30   31
4.3.7. CHAP-Response AVP                                      30   31
4.3.8. CHAP-Challenge AVP                                     30   31
4.3.9. ARAP-Password AVP                                      30   31
4.3.10. ARAP-Challenge-Response AVP                           30   31
4.3.11. ARAP-Security AVP                                     31   32
4.3.12. ARAP-Security-Data AVP                                31   32
4.4. NAS Authorization AVPs                                   31   32
4.4.1. Service-Type AVP                                       33   34
4.4.2. Callback-Number AVP                                    33   34
4.4.3. Callback-Id AVP                                        34   35
4.4.4. Idle-Timeout AVP                                       34   35
4.4.5. Port-Limit AVP                                         34   35
4.4.6. NAS-Filter-Rule AVP                                    34   35
4.4.7. Filter-Id AVP                                          34   35
4.4.8. Configuration-Token AVP                                35   36
4.4.9. QoS-Filter-Rule AVP                                    35   36
4.4.10. Framed Access Authorization AVPs                      36   37
4.4.10.1. Framed-Protocol AVP                                 36   37
4.4.10.2. Framed-Routing AVP                                  36   37
4.4.10.3. Framed-MTU AVP                                      36   37
4.4.10.4. Framed-Compression AVP                              36   37
4.4.10.5. IP Access Authorization AVPs                        37   38
4.4.10.5.1. Framed-IP-Address AVP                             37   38
4.4.10.5.2. Framed-IP-Netmask AVP                             37   38
4.4.10.5.3. Framed-Route AVP                                  37   38
4.4.10.5.4. Framed-Pool AVP                                   38   39
4.4.10.5.5. Framed-Interface-Id AVP                           38   39
4.4.10.5.6. Framed-IPv6-Prefix AVP                            38   39
4.4.10.5.7. Framed-IPv6-Route AVP                             38   39
4.4.10.5.8. Framed-IPv6-Pool AVP                              39   40
4.4.10.6. IPX Access AVPs                                     39   40
4.4.10.6.1. Framed-IPX-Network AVP                            39   40
4.4.10.7. AppleTalk Network Access AVPs                       39   40
4.4.10.7.1. Framed-AppleTalk-Link AVP                         39   40
4.4.10.7.2. Framed-AppleTalk-Network AVP                      40   41
4.4.10.7.3. Framed-AppleTalk-Zone AVP                         40   41
4.4.10.8. AppleTalk Remote Access AVPs                        40   41
4.4.10.8.1. ARAP-Features AVP                                 40   41
4.4.10.8.2. ARAP-Zone-Access AVP                              41   42
4.4.11. Non-Framed Access Authorization AVPs                  41   42
4.4.11.1. Login-IP-Host AVP                                   41   42
4.4.11.2. Login-IPv6-Host AVP                                 41   42
4.4.11.3. Login-Service AVP                                   42   43
4.4.11.4. TCP Services                                        42   43
4.4.11.4.1. Login-TCP-Port AVP                                42   43
4.4.11.5. LAT Services                                        42   43
4.4.11.5.1. Login-LAT-Service AVP                             42   43
4.4.11.5.2. Login-LAT-Node AVP                                43   44
4.4.11.5.3. Login-LAT-Group AVP                               43   44
4.4.11.5.4. Login-LAT-Port AVP                                44   45
4.5. NAS Tunneling AVPs                                       44   45
4.5.1. Tunneling AVP                                          45   46
4.5.2. Tunnel-Type AVP                                        45   46
4.5.3. Tunnel-Medium-Type AVP                                 46   47
4.5.4. Tunnel-Client-Endpoint AVP                             46   47
4.5.5. Tunnel-Server-Endpoint AVP                             47   48
4.5.6. Tunnel-Password AVP                                    47   48
4.5.7. Tunnel-Private-Group-Id AVP                            47   48
4.5.8. Tunnel-Assignment-Id AVP                               48   49
4.5.9. Tunnel-Preference AVP                                  49   50
4.5.10. Tunnel-Client-Auth-Id AVP                             50   51
4.5.11. Tunnel-Server-Auth-Id AVP                             50   51
4.6. NAS Accounting AVPs                                      50   51
4.6.1. Accounting-Input-Octets AVP                            51   52
4.6.2. Accounting-Output-Octets AVP                           51   52
4.6.3. Accounting-Input-Packets AVP                           51   52
4.6.4. Accounting-Output-Packets AVP                          52   53
4.6.5. Acct-Session-Time AVP                                  52   53
4.6.6. Acct-Authentic AVP                                     52   53
4.6.7. Accounting-Auth-Method AVP                             52   53
4.6.8. Acct-Delay-Time AVP                                    52   53
4.6.9. Acct-Link-Count AVP                                    53   54
4.6.10. Acct-Tunnel-Connection AVP                            53   54
4.6.11. Acct-Tunnel-Packets-Lost AVP                          54   55
5. AVP Occurrence Tables                                      54   55
5.1. AA-Request/Answer AVP Table                              54   55
5.2. Accounting AVP Tables                                    57   58
5.2.1. Framed Access Accounting AVP Table                     58   59
5.2.2. Non-Framed Access Accounting AVP Table                 60   61
6. IANA Considerations                                        61   62
7. Security Considerations                                    61   62
8. References                                                 62   63
8.1. Normative References                                     62   63
8.2. Informative References                                   63   64
Appendix A. Acknowledgements                                  66   67
A.1. RFC 4005                                                 66   67
A.2. RFC 4005bis                                              67   68
1. Introduction

This document describes the Diameter protocol application used for
AAA in the Network Access Server (NAS) environment. When combined
with the Diameter Base protocol [I-D.ietf-dime-rfc3588bis], Transport
Profile [RFC3539], and EAP [RFC4072] specifications, this
specification satisfies the NAS-related requirements defined in
Aboba, et al. [RFC2989] and Beadles & Mitton [RFC3169].

skipping to change at page 6, line 8

   grouped AVP is present, it must have an Acct-Application-Id
   inside.

Thus, though the syntax of the commands has changed, the semantics
have not (with the caveat that the Acct-Application-Id AVP can no
longer be contained in the Vendor-Specific-Application-Id AVP).

o The lists of RADIUS attribute values have been deleted in favor of
  references to the appropriate IANA registries.

-09: o The accounting model to be used is now specified.
-10: o The accounting model to be used is now specified (see
       Section 1.6).

There are many other miscellaneous fixes that have been introduced in
this document that may not be considered significant but they are
useful nonetheless. Examples are fixes to example IP addresses,
addition of clarifying references, etc. All of the errata previously
filed against RFC 4005 have been fixed. A comprehensive list of
changes is not shown here for practical reasons.
1.2. Terminology

-09: Section 1.2 of the base Diameter specification
-10: Section 1.2 of the Diameter base protocol specification
[I-D.ietf-dime-rfc3588bis] defines most of the terminology used in
this document. Additionally, the following terms and acronyms are
used in this application:

NAS (Network Access Server)
   A device that provides an access service for a user to a network.
   The service may be a network connection or a value-added service
   such as terminal emulation [RFC2881].

PPP (Point-to-Point Protocol)

skipping to change at page 7, line 36 (-09) / page 7, line 41 (-10)

   A protocol which allows PPP to be tunneled through an IP network
   [RFC2637].

VPN (Virtual Private Network)
   In this document, this term is used to describe access services
   that use tunneling methods.
1.3. Requirements Language

-09: The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
     "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
     document are to be interpreted as described in RFC 2119 [RFC2119].
-10: The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
     "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
     "OPTIONAL" in this document are to be interpreted as described in RFC
     2119 [RFC2119].

1.4. Advertising Application Support

Diameter nodes conforming to this specification MUST advertise
support by including the value of one (1) in the Auth-Application-Id
of the Capabilities-Exchange-Request (CER) message.

1.5. Application Identification

When used in this application, the Auth-Application-Id AVP MUST be
skipping to change at page 10, line 17 (-09) / page 10, line 27 (-10)

2.3. Diameter Session Termination

When a NAS receives an indication that a user's session is being
disconnected by the client (e.g., an LCP Terminate-Request message
[RFC1661] is received) or an administrative command, the NAS MUST
issue a Session-Termination-Request (STR) [I-D.ietf-dime-rfc3588bis]
to its Diameter Server. This will ensure that any resources
maintained on the servers are freed appropriately.

-09: Furthermore, a NAS that receives an Abort-Session-Request (ASR)
     [I-D.ietf-dime-rfc3588bis] MUST issue an ASA if the session
     identified is active and disconnect the PPP (or tunneling) session.
-10: Furthermore, a NAS that receives an Abort-Session-Request (ASR)
     [I-D.ietf-dime-rfc3588bis] MUST issue an Abort-Session-Answer (ASA)
     if the session identified is active and disconnect the PPP (or
     tunneling) session.

If accounting is active, an Accounting STOP_RECORD message
[I-D.ietf-dime-rfc3588bis] MUST be sent upon termination of the
session context.

More information on Diameter Session Termination can be found in
Sections 8.4 and 8.5 of [I-D.ietf-dime-rfc3588bis].

3. Diameter NAS Application Messages
skipping to change at page 11, line 11 (-09) / page 11, line 26 (-10)

   | Accounting-Request                | ACR     | 271  | Section 3.9  |
   | Accounting-Answer                 | ACA     | 271  | Section 3.10 |
   +-----------------------------------+---------+------+--------------+

3.1. AA-Request (AAR) Command

The AA-Request (AAR), which is indicated by setting the Command-Code
field to 265 and the 'R' bit in the Command Flags field, is used to
request authentication and/or authorization for a given NAS user.
-09: The type of request is identified through the Auth-Request-Type AVP
     [I-D.ietf-dime-rfc3588bis] The recommended value for most situations
     is AUTHORIZE_AUTHENTICATE.
-10: The type of request is identified through the Auth-Request-Type AVP
     [I-D.ietf-dime-rfc3588bis]. The recommended value for most
     situations is AUTHORIZE_AUTHENTICATE.

If Authentication is requested, the User-Name attribute SHOULD be
present, as well as any additional authentication AVPs that would
carry the password information. A request for authorization SHOULD
only include the information from which the authorization will be
performed, such as the User-Name, Called-Station-Id, or
Calling-Station-Id AVPs. All requests SHOULD contain AVPs uniquely
identifying the source of the call, such as Origin-Host and NAS-Port.
Certain networks MAY use different AVPs for authorization purposes.
A request for authorization will include some AVPs defined in
skipping to change at page 18, line 28 (-09) / page 19, line 28 (-10)

                    [ Origin-State-Id ]
                  * [ Redirect-Host ]
                    [ Redirect-Host-Usage ]
                    [ Redirect-Max-Cache-Time ]
                  * [ Proxy-Info ]
                  * [ AVP ]

3.7. Abort-Session-Request (ASR) Command

-09: The Abort-Session-Request (ASR) message [I-D.ietf-dime-rfc3588bis]
     may be sent by any server to the NAS providing session service, to
     request that the session identified by the Session-Id be stopped.
-10: The Abort-Session-Request (ASR) message [I-D.ietf-dime-rfc3588bis]
     may be sent by any Diameter server to the NAS providing session
     service, to request that the session identified by the Session-Id be
     stopped.

Message Format

   <AS-Request> ::= < Diameter Header: 274, REQ, PXY >
                    < Session-Id >
                    { Origin-Host }
                    { Origin-Realm }
                    { Destination-Realm }
                    { Destination-Host }
                    { Auth-Application-Id }
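The exchange described in Sections 2.3 and 3.7 (a server sends an ASR, the NAS answers with an ASA and tears the session down only if it is active), together with the AAR of Section 3.1, as an added Python example; it is not part of the draft and not the code of any Diameter implementation the draft references. It assumes the header and AVP wire layout of the Diameter base protocol, the AVP codes of the base-protocol AVPs named in the message formats (Session-Id 263, Origin-Host 264, Origin-Realm 296, Destination-Realm 283, Destination-Host 293, Auth-Application-Id 258, Result-Code 268, Auth-Request-Type 274, User-Name 1), and the base-protocol Result-Code values DIAMETER_SUCCESS (2001) and DIAMETER_UNKNOWN_SESSION_ID (5002); host names, realms and the Session-Id are constructed.

```python
import struct

# Command codes, flags and AVP codes are those of the Diameter base protocol
# (assumed here; the draft names the AVPs but does not restate the codes).
CMD_AAR = 265                # AA-Request / AA-Answer
CMD_ASR = 274                # Abort-Session-Request / Abort-Session-Answer
NASREQ_APP_ID = 1            # Auth-Application-Id this application advertises
FLAG_REQUEST = 0x80          # 'R' bit in the Command Flags octet
FLAG_PROXIABLE = 0x40        # 'P' bit
AVP_MANDATORY = 0x40         # 'M' bit in the AVP Flags octet
AVP_VENDOR = 0x80            # 'V' bit: a Vendor-Id follows the AVP header
AVP_USER_NAME = 1
AVP_AUTH_APPLICATION_ID = 258
AVP_SESSION_ID = 263
AVP_ORIGIN_HOST = 264
AVP_RESULT_CODE = 268
AVP_AUTH_REQUEST_TYPE = 274
AVP_DESTINATION_REALM = 283
AVP_DESTINATION_HOST = 293
AVP_ORIGIN_REALM = 296
AUTHORIZE_AUTHENTICATE = 3           # Auth-Request-Type value recommended in 3.1
DIAMETER_SUCCESS = 2001              # Result-Code: session aborted
DIAMETER_UNKNOWN_SESSION_ID = 5002   # Result-Code: no such active session

def encode_avp(code, value):
    """AVP = code(4) flags(1) length(3) data, padded to a 4-octet boundary.
    ints are sent as Unsigned32, strings as UTF8String/DiameterIdentity."""
    data = struct.pack("!I", value) if isinstance(value, int) else value.encode()
    length = 8 + len(data)                        # AVP Length excludes padding
    return (struct.pack("!IB", code, AVP_MANDATORY) + length.to_bytes(3, "big")
            + data + b"\0" * ((-len(data)) % 4))

def encode_message(cmd, flags, app_id, hbh, e2e, avps):
    """Header = version(1) length(3) flags(1) command code(3) app id(4)
    hop-by-hop id(4) end-to-end id(4), followed by the AVPs."""
    body = b"".join(encode_avp(code, value) for code, value in avps)
    return (bytes([1]) + (20 + len(body)).to_bytes(3, "big") + bytes([flags])
            + cmd.to_bytes(3, "big") + struct.pack("!III", app_id, hbh, e2e) + body)

def decode_message(buf):
    """Parse a message into (cmd, flags, app_id, hbh, e2e, {avp code: raw data})."""
    version, length = buf[0], int.from_bytes(buf[1:4], "big")
    if version != 1 or length != len(buf):
        raise ValueError("bad Diameter header")
    flags, cmd = buf[4], int.from_bytes(buf[5:8], "big")
    app_id, hbh, e2e = struct.unpack("!III", buf[8:20])
    avps, pos = {}, 20
    while pos < length:
        code, aflags = struct.unpack("!IB", buf[pos:pos + 5])
        alen = int.from_bytes(buf[pos + 5:pos + 8], "big")
        hdr = 12 if aflags & AVP_VENDOR else 8    # skip the Vendor-Id when present
        avps[code] = buf[pos + hdr:pos + alen]
        pos += alen + (-alen) % 4                 # step over the padding too
    return cmd, flags, app_id, hbh, e2e, avps

def build_asr(session_id, server_host, server_realm, nas_host, nas_realm, hbh, e2e):
    """ASR as laid out in Section 3.7: command 274 with REQ and PXY set."""
    return encode_message(CMD_ASR, FLAG_REQUEST | FLAG_PROXIABLE, NASREQ_APP_ID, hbh, e2e, [
        (AVP_SESSION_ID, session_id), (AVP_ORIGIN_HOST, server_host),
        (AVP_ORIGIN_REALM, server_realm), (AVP_DESTINATION_REALM, nas_realm),
        (AVP_DESTINATION_HOST, nas_host), (AVP_AUTH_APPLICATION_ID, NASREQ_APP_ID)])

def nas_handle_asr(raw, active_sessions, nas_host, nas_realm):
    """NAS side of Section 2.3: answer the ASR with an ASA, but only tear a
    session down when the Session-Id names one this NAS is actually serving."""
    cmd, flags, app_id, hbh, e2e, avps = decode_message(raw)
    if cmd != CMD_ASR or not flags & FLAG_REQUEST:
        raise ValueError("not an Abort-Session-Request")
    if avps.get(AVP_DESTINATION_HOST, b"").decode() != nas_host:
        raise ValueError("ASR is not addressed to this NAS")
    session_id = avps[AVP_SESSION_ID].decode()
    if session_id in active_sessions:
        active_sessions.remove(session_id)        # disconnect the PPP/tunnel session here
        result = DIAMETER_SUCCESS
    else:
        result = DIAMETER_UNKNOWN_SESSION_ID      # nothing to abort; say so explicitly
    # ASA: same command code with 'R' cleared, same hop-by-hop and end-to-end ids.
    asa = encode_message(CMD_ASR, flags & ~FLAG_REQUEST, app_id, hbh, e2e, [
        (AVP_SESSION_ID, session_id), (AVP_RESULT_CODE, result),
        (AVP_ORIGIN_HOST, nas_host), (AVP_ORIGIN_REALM, nas_realm)])
    return result, asa

def build_aar(session_id, user, nas_host, nas_realm, home_realm, hbh, e2e):
    """AAR of Section 3.1 with the recommended Auth-Request-Type and a User-Name."""
    return encode_message(CMD_AAR, FLAG_REQUEST | FLAG_PROXIABLE, NASREQ_APP_ID, hbh, e2e, [
        (AVP_SESSION_ID, session_id), (AVP_AUTH_APPLICATION_ID, NASREQ_APP_ID),
        (AVP_ORIGIN_HOST, nas_host), (AVP_ORIGIN_REALM, nas_realm),
        (AVP_DESTINATION_REALM, home_realm),
        (AVP_AUTH_REQUEST_TYPE, AUTHORIZE_AUTHENTICATE), (AVP_USER_NAME, user)])

if __name__ == "__main__":
    # Constructed sample: one active session on the NAS, aborted by the server.
    sessions = {"nas.example.net;1341234567;1"}
    asr = build_asr("nas.example.net;1341234567;1", "aaa.example.net", "example.net",
                    "nas.example.net", "example.net", hbh=1, e2e=1)
    print(nas_handle_asr(asr, sessions, "nas.example.net", "example.net")[0])  # 2001
    print(nas_handle_asr(asr, sessions, "nas.example.net", "example.net")[0])  # 5002
```

The handler answers every well-formed ASR rather than dropping it, so the server learns whether the abort took effect; an unknown or already-gone Session-Id yields DIAMETER_UNKNOWN_SESSION_ID instead of a silent success, and an ASR whose Destination-Host is some other node is rejected before any session state is touched. The Destination-Host check stands in for the fuller origin and transport-security checks a real NAS would apply before honouring a remote disconnect.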
skipping to change at page 22, line 27 skipping to change at page 23, line 27
[ Login-TCP-Port ] [ Login-TCP-Port ]
* [ Tunneling ] * [ Tunneling ]
* [ Proxy-Info ] * [ Proxy-Info ]
* [ Route-Record ] * [ Route-Record ]
* [ AVP ] * [ AVP ]
3.10. Accounting-Answer (ACA) Command 3.10. Accounting-Answer (ACA) Command
The ACA message [I-D.ietf-dime-rfc3588bis] is used to acknowledge an The ACA message [I-D.ietf-dime-rfc3588bis] is used to acknowledge an
Accounting-Request command. The Accounting-Answer command contains Accounting-Request command. The Accounting-Answer command contains
the same Session-Id as the Request. The same level of security MUST the same Session-Id as the Request.
be applied to both the Accounting-Request and the corresponding
Accounting-Answer message. For example, if the ACR was protected
using end-to-end security techniques then the corresponding ACA
message MUST be protected in the same way; note, however, that the
definition of such techniques is outside the scope of this document.
Only the target Diameter Server or home Diameter Server SHOULD Only the target Diameter Server or home Diameter Server SHOULD
respond with the Accounting-Answer command. respond with the Accounting-Answer command.
The Acct-Application-Id AVP MUST be present. The Acct-Application-Id AVP MUST be present.
The AVPs listed in the Base protocol specification The AVPs listed in the Base protocol specification
[I-D.ietf-dime-rfc3588bis] MUST be assumed to be present, as [I-D.ietf-dime-rfc3588bis] MUST be assumed to be present, as
appropriate. NAS service-specific accounting AVPs SHOULD be present appropriate. NAS service-specific accounting AVPs SHOULD be present
as described in Section 4.6 and the rest of this specification. as described in Section 4.6 and the rest of this specification.
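Review bot: dropping the "same level of security MUST be applied" sentences after "the same Session-Id as the Request" removes the only statement in the ACA text tying the protection of the answer to that of the request, so the new text no longer forbids returning an unprotected ACA for an ACR that was protected end to end. If the deletion is intentional because the definition of such techniques is out of scope, say so in one line here or in Section 7, e.g. "Security requirements for accounting messages are those of [I-D.ietf-dime-rfc3588bis]."; otherwise keep the requirement and drop only the out-of-scope example.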
skipping to change at page 26, line 20 skipping to change at page 27, line 20
NASes that cannot conveniently number their ports. NASes that cannot conveniently number their ports.
4.2.4. NAS-Port-Type AVP 4.2.4. NAS-Port-Type AVP
The NAS-Port-Type AVP (AVP Code 61) is of type Enumerated and The NAS-Port-Type AVP (AVP Code 61) is of type Enumerated and
contains the type of the port on which the NAS is authenticating the contains the type of the port on which the NAS is authenticating the
user. This AVP SHOULD be present if the NAS uses the same NAS-Port user. This AVP SHOULD be present if the NAS uses the same NAS-Port
number ranges for different service types concurrently. number ranges for different service types concurrently.
The currently supported values of the NAS-Port-Type AVP are listed in The currently supported values of the NAS-Port-Type AVP are listed in
[RADIUSTypes]. [RADIUSAttrVals].
4.2.5. Called-Station-Id AVP 4.2.5. Called-Station-Id AVP
The Called-Station-Id AVP (AVP Code 30) is of type UTF8String and The Called-Station-Id AVP (AVP Code 30) is of type UTF8String and
allows the NAS to send the ASCII string describing the Layer 2 allows the NAS to send the ASCII string describing the Layer 2
address the user contacted in the request. For dialup access, this address the user contacted in the request. For dialup access, this
can be a phone number obtained by using the Dialed Number can be a phone number obtained by using the Dialed Number
Identification Service (DNIS) or a similar technology. Note that Identification Service (DNIS) or a similar technology. Note that
this may be different from the phone number the call comes in on. this may be different from the phone number the call comes in on.
For use with IEEE 802 access, the Called-Station-Id MAY contain a MAC For use with IEEE 802 access, the Called-Station-Id MAY contain a MAC
skipping to change at page 29, line 38 skipping to change at page 30, line 38
disconnected. This AVP is primarily intended for use when the disconnected. This AVP is primarily intended for use when the
Framed-Protocol AVP (Section 4.4.10.1) is set to ARAP. Framed-Protocol AVP (Section 4.4.10.1) is set to ARAP.
4.3.3. Prompt AVP 4.3.3. Prompt AVP
The Prompt AVP (AVP Code 76) is of type Enumerated and MAY be present The Prompt AVP (AVP Code 76) is of type Enumerated and MAY be present
in the AA-Answer message. When present, it is used by the NAS to in the AA-Answer message. When present, it is used by the NAS to
determine whether the user's response, when entered, should be determine whether the user's response, when entered, should be
echoed. echoed.
The supported values are listed in [RADIUSTypes] The supported values are listed in [RADIUSAttrVals]
4.3.4. CHAP-Auth AVP 4.3.4. CHAP-Auth AVP
The CHAP-Auth AVP (AVP Code 402) is of type Grouped and contains the The CHAP-Auth AVP (AVP Code 402) is of type Grouped and contains the
information necessary to authenticate a user using the PPP Challenge- information necessary to authenticate a user using the PPP Challenge-
Handshake Authentication Protocol (CHAP) [RFC1994]. If the CHAP-Auth Handshake Authentication Protocol (CHAP) [RFC1994]. If the CHAP-Auth
AVP is found in a message, the CHAP-Challenge AVP (Section 4.3.8) AVP is found in a message, the CHAP-Challenge AVP (Section 4.3.8)
MUST be present as well. The optional AVPs containing the CHAP MUST be present as well. The optional AVPs containing the CHAP
response depend upon the value of the CHAP-Algorithm AVP response depend upon the value of the CHAP-Algorithm AVP
(Section 4.3.8). The grouped AVP has the following ABNF grammar: (Section 4.3.8). The grouped AVP has the following ABNF grammar:
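Review bot: the CHAP-Auth paragraph cites Section 4.3.8 for both the CHAP-Challenge AVP and the CHAP-Algorithm AVP; these are different AVPs, so at most one of the two cross-references can be right and the CHAP-Algorithm one should point at its own subsection. Also, the changed line "The supported values are listed in [RADIUSAttrVals]" in the Prompt AVP text is the only such sentence without a terminating period.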
skipping to change at page 33, line 24 skipping to change at page 34, line 24
When used in a request, the Service-Type AVP SHOULD be considered a When used in a request, the Service-Type AVP SHOULD be considered a
hint to the server that the NAS believes the user would prefer the hint to the server that the NAS believes the user would prefer the
kind of service indicated. The server is not required to honor the kind of service indicated. The server is not required to honor the
hint. Furthermore, if the service specified by the server is hint. Furthermore, if the service specified by the server is
supported, but not compatible with the current mode of access, the supported, but not compatible with the current mode of access, the
NAS MUST fail to start the session. The NAS MUST also generate the NAS MUST fail to start the session. The NAS MUST also generate the
appropriate error message(s). appropriate error message(s).
The complete list of defined values that the Service-Type AVP can The complete list of defined values that the Service-Type AVP can
take can be found in [RFC2865] and [RADIUSTypes], but the following take can be found in [RFC2865] and [RADIUSAttrVals], but the
values require further qualification here: following values require further qualification here:
Login (1) Login (1)
The user should be connected to a host. The message MAY The user should be connected to a host. The message MAY
include additional AVPs as defined in Section 4.4.11.4 or include additional AVPs as defined in Section 4.4.11.4 or
Section 4.4.11.5. Section 4.4.11.5.
Framed (2) Framed (2)
A Framed Protocol, such as PPP or SLIP, should be started for A Framed Protocol, such as PPP or SLIP, should be started for
the User. The message MAY include additional AVPs defined in the User. The message MAY include additional AVPs defined in
Section 4.4.10, or Section 4.5 for tunneling services. Section 4.4.10, or Section 4.5 for tunneling services.
skipping to change at page 36, line 20 skipping to change at page 37, line 20
This section lists the authorization AVPs necessary to support framed This section lists the authorization AVPs necessary to support framed
access, such as PPP and SLIP. AVPs defined in this section MAY be access, such as PPP and SLIP. AVPs defined in this section MAY be
present in a message if the Service-Type AVP was set to "Framed" or present in a message if the Service-Type AVP was set to "Framed" or
"Callback Framed". "Callback Framed".
4.4.10.1. Framed-Protocol AVP 4.4.10.1. Framed-Protocol AVP
The Framed-Protocol AVP (AVP Code 7) is of type Enumerated and The Framed-Protocol AVP (AVP Code 7) is of type Enumerated and
contains the framing to be used for framed access. This AVP MAY be contains the framing to be used for framed access. This AVP MAY be
present in both requests and responses. The supported values are present in both requests and responses. The supported values are
listed in [RADIUSTypes]. listed in [RADIUSAttrVals].
4.4.10.2. Framed-Routing AVP 4.4.10.2. Framed-Routing AVP
The Framed-Routing AVP (AVP Code 10) is of type Enumerated and The Framed-Routing AVP (AVP Code 10) is of type Enumerated and
contains the routing method for the user when the user is a router to contains the routing method for the user when the user is a router to
a network. This AVP SHOULD only be present in authorization a network. This AVP SHOULD only be present in authorization
responses. The supported values are listed in [RADIUSTypes]. responses. The supported values are listed in [RADIUSAttrVals].
4.4.10.3. Framed-MTU AVP 4.4.10.3. Framed-MTU AVP
The Framed-MTU AVP (AVP Code 12) is of type Unsigned32 and contains The Framed-MTU AVP (AVP Code 12) is of type Unsigned32 and contains
the Maximum Transmission Unit (MTU) to be configured for the user, the Maximum Transmission Unit (MTU) to be configured for the user,
when it is not negotiated by some other means (such as PPP). This when it is not negotiated by some other means (such as PPP). This
AVP SHOULD only be present in authorization responses. The MTU value AVP SHOULD only be present in authorization responses. The MTU value
MUST be in the range from 64 to 65535. MUST be in the range from 64 to 65535.
4.4.10.4. Framed-Compression AVP 4.4.10.4. Framed-Compression AVP
skipping to change at page 36, line 49 skipping to change at page 37, line 49
The Framed-Compression AVP (AVP Code 13) is of type Enumerated and The Framed-Compression AVP (AVP Code 13) is of type Enumerated and
contains the compression protocol to be used for the link. It MAY be contains the compression protocol to be used for the link. It MAY be
used in an authorization request as a hint to the server that a used in an authorization request as a hint to the server that a
specific compression type is desired, but the server is not required specific compression type is desired, but the server is not required
to honor the hint in the corresponding response. to honor the hint in the corresponding response.
More than one compression protocol AVP MAY be sent. The NAS is More than one compression protocol AVP MAY be sent. The NAS is
responsible for applying the proper compression protocol to the responsible for applying the proper compression protocol to the
appropriate link traffic. appropriate link traffic.
The supported values are listed in [RADIUSTypes]. The supported values are listed in [RADIUSAttrVals].
4.4.10.5. IP Access Authorization AVPs 4.4.10.5. IP Access Authorization AVPs
The AVPs defined in this section are used when the user requests, or The AVPs defined in this section are used when the user requests, or
is being granted, access service to IP. is being granted, access service to IP.
4.4.10.5.1. Framed-IP-Address AVP 4.4.10.5.1. Framed-IP-Address AVP
The Framed-IP-Address AVP (AVP Code 8) [RFC2865] is of type The Framed-IP-Address AVP (AVP Code 8) [RFC2865] is of type
OctetString and contains an IPv4 address of the type specified in the OctetString and contains an IPv4 address of the type specified in the
skipping to change at page 41, line 11 skipping to change at page 42, line 11
present in the AA-Accept message if the Framed-Protocol AVP is set to present in the AA-Accept message if the Framed-Protocol AVP is set to
the value of ARAP. See RFC 2869 for more information about the the value of ARAP. See RFC 2869 for more information about the
format of this AVP. format of this AVP.
4.4.10.8.2. ARAP-Zone-Access AVP 4.4.10.8.2. ARAP-Zone-Access AVP
The ARAP-Zone-Access AVP (AVP Code 72) is of type Enumerated and MAY The ARAP-Zone-Access AVP (AVP Code 72) is of type Enumerated and MAY
be present in the AA-Accept message if the Framed-Protocol AVP is set be present in the AA-Accept message if the Framed-Protocol AVP is set
to the value of ARAP. to the value of ARAP.
The supported values are listed in [RADIUSTypes] and defined in RFC The supported values are listed in [RADIUSAttrVals] and defined in
2869. RFC 2869.
4.4.11. Non-Framed Access Authorization AVPs 4.4.11. Non-Framed Access Authorization AVPs
This section contains the authorization AVPs that are needed to This section contains the authorization AVPs that are needed to
support terminal server functionality. AVPs defined in this section support terminal server functionality. AVPs defined in this section
MAY be present in a message if the Service-Type AVP was set to MAY be present in a message if the Service-Type AVP was set to
"Login" or "Callback Login". "Login" or "Callback Login".
4.4.11.1. Login-IP-Host AVP 4.4.11.1. Login-IP-Host AVP
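Review bot: while the reference is being renamed to [RADIUSAttrVals] in the ARAP-Zone-Access paragraph, the same hunk still cites "RFC 2869" as plain text twice ("See RFC 2869 for more information" and "defined in RFC 2869"); every other reference in this section uses the bracketed anchor form, so these should read [RFC2869] for consistency and so the reference list can be checked against in-text use.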
skipping to change at page 46, line 13 skipping to change at page 47, line 13
honor the hint in the corresponding response. honor the hint in the corresponding response.
The Tunnel-Type AVP SHOULD also be included in ACR messages. The Tunnel-Type AVP SHOULD also be included in ACR messages.
A tunnel initiator is not required to implement any of these tunnel A tunnel initiator is not required to implement any of these tunnel
types. If a tunnel initiator receives a response that contains only types. If a tunnel initiator receives a response that contains only
unknown or unsupported Tunnel-Types, the tunnel initiator MUST behave unknown or unsupported Tunnel-Types, the tunnel initiator MUST behave
as though a response were received with the Result-Code indicating a as though a response were received with the Result-Code indicating a
failure. failure.
The supported values are listed in [RADIUSTypes]. The supported values are listed in [RADIUSAttrVals].
4.5.3. Tunnel-Medium-Type AVP 4.5.3. Tunnel-Medium-Type AVP
The Tunnel-Medium-Type AVP (AVP Code 65) is of type Enumerated and The Tunnel-Medium-Type AVP (AVP Code 65) is of type Enumerated and
contains the transport medium to use when creating a tunnel for contains the transport medium to use when creating a tunnel for
protocols (such as L2TP [RFC3931]) that can operate over multiple protocols (such as L2TP [RFC3931]) that can operate over multiple
transports. It MAY be used in an authorization request as a hint to transports. It MAY be used in an authorization request as a hint to
the server that a specific medium is desired, but the server is not the server that a specific medium is desired, but the server is not
required to honor the hint in the corresponding response. required to honor the hint in the corresponding response.
The supported values are listed in [RADIUSTypes]. The supported values are listed in [RADIUSAttrVals].
4.5.4. Tunnel-Client-Endpoint AVP 4.5.4. Tunnel-Client-Endpoint AVP
The Tunnel-Client-Endpoint AVP (AVP Code 66) is of type UTF8String The Tunnel-Client-Endpoint AVP (AVP Code 66) is of type UTF8String
and contains the address of the initiator end of the tunnel. It MAY and contains the address of the initiator end of the tunnel. It MAY
be used in an authorization request as a hint to the server that a be used in an authorization request as a hint to the server that a
specific endpoint is desired, but the server is not required to honor specific endpoint is desired, but the server is not required to honor
the hint in the corresponding response. This AVP SHOULD be included the hint in the corresponding response. This AVP SHOULD be included
in the corresponding ACR messages, in which case it indicates the in the corresponding ACR messages, in which case it indicates the
address from which the tunnel was initiated. This AVP, along with address from which the tunnel was initiated. This AVP, along with
skipping to change at page 52, line 29 skipping to change at page 53, line 29
The Acct-Session-Time AVP (AVP Code 46) is of type Unsigned32 and The Acct-Session-Time AVP (AVP Code 46) is of type Unsigned32 and
indicates the length of the current session in seconds. It can only indicates the length of the current session in seconds. It can only
be present in ACR messages with an Accounting-Record-Type of be present in ACR messages with an Accounting-Record-Type of
INTERIM_RECORD or STOP_RECORD. INTERIM_RECORD or STOP_RECORD.
4.6.6. Acct-Authentic AVP 4.6.6. Acct-Authentic AVP
The Acct-Authentic AVP (AVP Code 45) is of type Enumerated and The Acct-Authentic AVP (AVP Code 45) is of type Enumerated and
specifies how the user was authenticated. The supported values are specifies how the user was authenticated. The supported values are
listed in [RADIUSTypes]. listed in [RADIUSAttrVals].
4.6.7. Accounting-Auth-Method AVP 4.6.7. Accounting-Auth-Method AVP
The Accounting-Auth-Method AVP (AVP Code 406) is of type Enumerated. The Accounting-Auth-Method AVP (AVP Code 406) is of type Enumerated.
A NAS MAY include this AVP in an Accounting-Request message to A NAS MAY include this AVP in an Accounting-Request message to
indicate the method used to authenticate the user. (Note that this indicate the method used to authenticate the user. (Note that this
AVP is semantically equivalent, and the supported values are AVP is semantically equivalent, and the supported values are
identical, to the Microsoft MS-Acct-Auth-Type vendor-specific RADIUS identical, to the Microsoft MS-Acct-Auth-Type vendor-specific RADIUS
attribute [RFC2548]). attribute [RFC2548]).
skipping to change at page 61, line 36 skipping to change at page 62, line 36
Termination-Cause | 0-1 | 0-1 | Termination-Cause | 0-1 | 0-1 |
User-Name | 0-1 | 0-1 | User-Name | 0-1 | 0-1 |
---------------------------------------|-----+-----+ ---------------------------------------|-----+-----+
6. IANA Considerations 6. IANA Considerations
Several of the namespaces used in this document are managed by the Several of the namespaces used in this document are managed by the
Internet Assigned Numbers Authority [IANA], including the AVP Codes Internet Assigned Numbers Authority [IANA], including the AVP Codes
[AVP-Codes], AVP Specific Values [AVP-Vals], Application IDs [AVP-Codes], AVP Specific Values [AVP-Vals], Application IDs
[App-Ids], Command Codes [Command-Codes] and RADIUS Attribute Values [App-Ids], Command Codes [Command-Codes] and RADIUS Attribute Values
[RADIUSTypes]. [RADIUSAttrVals].
For the current values allocated, and the policies governing For the current values allocated, and the policies governing
allocation in those namespaces, please see the above-referenced allocation in those namespaces, please see the above-referenced
registries. registries.
7. Security Considerations 7. Security Considerations
This document describes the extension of Diameter for the NAS This document describes the extension of Diameter for the NAS
application. The security considerations of the Diameter protocol application. The security considerations of the Diameter protocol
itself are discussed in [I-D.ietf-dime-rfc3588bis]. Use of this itself are discussed in [I-D.ietf-dime-rfc3588bis]. Use of this
skipping to change at page 62, line 36 skipping to change at page 63, line 36
8.1. Normative References 8.1. Normative References
[ANITypes] NANPA Number Resource Info, "ANI [ANITypes] NANPA Number Resource Info, "ANI
Assignments", <http://www.nanpa.com/ Assignments", <http://www.nanpa.com/
number_resource_info/ number_resource_info/
ani_ii_assignments.html>. ani_ii_assignments.html>.
[I-D.ietf-dime-rfc3588bis] Fajardo, V., Arkko, J., Loughney, J., and [I-D.ietf-dime-rfc3588bis] Fajardo, V., Arkko, J., Loughney, J., and
G. Zorn, "Diameter Base Protocol", G. Zorn, "Diameter Base Protocol",
draft-ietf-dime-rfc3588bis-33 (work in draft-ietf-dime-rfc3588bis-34 (work in
progress), May 2012. progress), June 2012.
[RFC1994] Simpson, W., "PPP Challenge Handshake [RFC1994] Simpson, W., "PPP Challenge Handshake
Authentication Protocol (CHAP)", Authentication Protocol (CHAP)",
RFC 1994, August 1996. RFC 1994, August 1996.
[RFC2119] Bradner, S., "Key words for use in RFCs [RFC2119] Bradner, S., "Key words for use in RFCs
to Indicate Requirement Levels", BCP 14, to Indicate Requirement Levels", BCP 14,
RFC 2119, March 1997. RFC 2119, March 1997.
[RFC2865] Rigney, C., Willens, S., Rubens, A., and [RFC2865] Rigney, C., Willens, S., Rubens, A., and
skipping to change at page 64, line 13 skipping to change at page 65, line 13
Standardization, "Information technology Standardization, "Information technology
- 8-bit single byte coded graphic - - 8-bit single byte coded graphic -
character sets - Part 1: Latin alphabet character sets - Part 1: Latin alphabet
No. 1, JTC1/SC2", ISO Standard 8859-1, No. 1, JTC1/SC2", ISO Standard 8859-1,
1987. 1987.
[LAT] Digital Equipment Corp., "Local Area [LAT] Digital Equipment Corp., "Local Area
Transport (LAT) Specification V5.0", AA- Transport (LAT) Specification V5.0", AA-
NL26A-TE, June 1989. NL26A-TE, June 1989.
[RADIUSTypes] IANA, "IANA Radius Attribute Values [RADIUSAttrVals] IANA, "IANA Radius Attribute Values
Registry", <http://www.iana.org/ Registry", <http://www.iana.org/
assignments/radius-types-3>. assignments/radius-types/
radius-types.xml#radius-types-3>.
[RFC1334] Lloyd, B. and W. Simpson, "PPP [RFC1334] Lloyd, B. and W. Simpson, "PPP
Authentication Protocols", RFC 1334, Authentication Protocols", RFC 1334,
October 1992. October 1992.
[RFC1661] Simpson, W., "The Point-to-Point Protocol [RFC1661] Simpson, W., "The Point-to-Point Protocol
(PPP)", STD 51, RFC 1661, July 1994. (PPP)", STD 51, RFC 1661, July 1994.
[RFC1990] Sklower, K., Lloyd, B., McGregor, G., [RFC1990] Sklower, K., Lloyd, B., McGregor, G.,
Carr, D., and T. Coradetti, "The PPP Carr, D., and T. Coradetti, "The PPP
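Review bot: the new URL for [RADIUSAttrVals] ends in a fragment, "radius-types.xml#radius-types-3", which resolves to a single sub-table of the registry, yet the text cites this one reference for the value sets of many different AVPs (NAS-Port-Type, Prompt, Service-Type, Framed-Protocol, Framed-Routing, Framed-Compression, ARAP-Zone-Access, Tunnel-Type, Tunnel-Medium-Type, Acct-Authentic). Either cite the registry top level, <http://www.iana.org/assignments/radius-types>, or state in the reference that the relevant table is the one for the attribute in question; a fragment tied to one table is also the part most likely to break when IANA reorganises the page.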
 End of changes. 28 change blocks. 
155 lines changed or deleted 155 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/