draft-ietf-radext-rfc3576bis-03.txt | draft-ietf-radext-rfc3576bis-04.txt | |||
---|---|---|---|---|
Network Working Group Murtaza S. Chiba | Network Working Group Murtaza S. Chiba | |||
INTERNET-DRAFT Gopal Dommety | INTERNET-DRAFT Gopal Dommety | |||
Obsoletes: 3576 Mark Eklund | Obsoletes: 3576 Mark Eklund | |||
Category: Informational Cisco Systems, Inc. | Category: Informational Cisco Systems, Inc. | |||
<draft-ietf-radext-rfc3576bis-03.txt> David Mitton | <draft-ietf-radext-rfc3576bis-04.txt> David Mitton | |||
28 March 2007 RSA Security, Inc. | 10 April 2007 RSA Security, Inc. | |||
Bernard Aboba | Bernard Aboba | |||
Microsoft Corporation | Microsoft Corporation | |||
Dynamic Authorization Extensions to Remote Authentication Dial In User | Dynamic Authorization Extensions to Remote Authentication Dial In User | |||
Service (RADIUS) | Service (RADIUS) | |||
By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
skipping to change at page 1, line 35 | skipping to change at page 1, line 36 | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
This Internet-Draft will expire on September 25, 2007. | This Internet-Draft will expire on October 25, 2007. | |||
Copyright Notice | Copyright Notice | |||
Copyright (C) The IETF Trust (2007). All Rights Reserved. | Copyright (C) The IETF Trust (2007). All Rights Reserved. | |||
Abstract | Abstract | |||
This document describes a currently deployed extension to the Remote | This document describes a currently deployed extension to the Remote | |||
Authentication Dial In User Service (RADIUS) protocol, allowing | Authentication Dial In User Service (RADIUS) protocol, allowing | |||
dynamic changes to a user session, as implemented by network access | dynamic changes to a user session, as implemented by network access | |||
skipping to change at page 5, line 48 | skipping to change at page 5, line 48 | |||
kind, and are sent in addition to the identification attributes as | kind, and are sent in addition to the identification attributes as | |||
described in section 3. The port used, and packet format (described | described in section 3. The port used, and packet format (described | |||
in Section 2.3), are the same as that for Disconnect-Request packets. | in Section 2.3), are the same as that for Disconnect-Request packets. | |||
The following attributes MAY be sent in a CoA-Request: | The following attributes MAY be sent in a CoA-Request: | |||
Filter-ID (11) - Indicates the name of a data filter list | Filter-ID (11) - Indicates the name of a data filter list | |||
to be applied for the session that the | to be applied for the session that the | |||
identification attributes map to. | identification attributes map to. | |||
NAS-Filter-Rule (TBD) - Provides a filter list to be applied | NAS-Filter-Rule (92) - Provides a filter list to be applied | |||
for the session that the identification | for the session that the identification | |||
attributes map to [RFCFilter]. | attributes map to [RFCFilter]. | |||
+----------+ CoA-Request +----------+ | +----------+ CoA-Request +----------+ | |||
| | <-------------------- | | | | | <-------------------- | | | |||
| NAS | | RADIUS | | | NAS | | RADIUS | | |||
| | CoA-Response | Server | | | | CoA-Response | Server | | |||
| | ---------------------> | | | | | ---------------------> | | | |||
+----------+ +----------+ | +----------+ +----------+ | |||
skipping to change at page 9, line 26 | skipping to change at page 9, line 26 | |||
state whether an Attribute can be included in CoA or Disconnect | state whether an Attribute can be included in CoA or Disconnect | |||
messages and if so, which messages it may be included in and | messages and if so, which messages it may be included in and | |||
whether it serves as an identification or authorization attribute. | whether it serves as an identification or authorization attribute. | |||
Even if a NAS implements an attribute for use with RADIUS | Even if a NAS implements an attribute for use with RADIUS | |||
authentication and accounting, it may not support inclusion of | authentication and accounting, it may not support inclusion of | |||
that attribute within Disconnect-Request or CoA-Request packets, | that attribute within Disconnect-Request or CoA-Request packets, | |||
given the difference in attribute semantics. This is true even | given the difference in attribute semantics. This is true even | |||
for attributes specified as allowable within Access-Accept packets | for attributes specified as allowable within Access-Accept packets | |||
(such as those defined within [RFC2865], [RFC2868], [RFC2869], | (such as those defined within [RFC2865], [RFC2868], [RFC2869], | |||
[RFC3162], [RFC3579], [RFC4372], [RFC4675], [RFCFilter] and | [RFC3162], [RFC3579], [RFC4372], [RFC4675], [RFC4818] and | |||
[RFCDelegated]). If unsupported attributes are included within a | [RFCFilter]). If unsupported attributes are included within a | |||
Disconnect/CoA-Request packet, the RADIUS client will send a | Disconnect/CoA-Request packet, the RADIUS client will send a | |||
Disconnect-NAK/CoA-NAK in response, possibly containing an Error- | Disconnect-NAK/CoA-NAK in response, possibly containing an Error- | |||
Cause attribute with value Unsupported Attribute (401). | Cause attribute with value Unsupported Attribute (401). | |||
If there are any Proxy-State Attributes in a Disconnect-Request or | If there are any Proxy-State Attributes in a Disconnect-Request or | |||
CoA-Request received from the server, the forwarding proxy or NAS | CoA-Request received from the server, the forwarding proxy or NAS | |||
MUST include those Proxy-State Attributes in its response to the | MUST include those Proxy-State Attributes in its response to the | |||
server. | server. | |||
A forwarding proxy or NAS MUST NOT modify existing Proxy-State, | A forwarding proxy or NAS MUST NOT modify existing Proxy-State, | |||
skipping to change at page 11, line 22 | skipping to change at page 11, line 22 | |||
the session is connected. | the session is connected. | |||
Acct-Session-Id 44 [RFC2866] The identifier uniquely | Acct-Session-Id 44 [RFC2866] The identifier uniquely | |||
identifying the session | identifying the session | |||
on the NAS. | on the NAS. | |||
Acct-Multi-Session-Id 50 [RFC2866] The identifier uniquely | Acct-Multi-Session-Id 50 [RFC2866] The identifier uniquely | |||
identifying related sessions. | identifying related sessions. | |||
NAS-Port-Type 61 [RFC2865] The type of port used. | NAS-Port-Type 61 [RFC2865] The type of port used. | |||
NAS-Port-Id 87 [RFC2869] String identifying the port | NAS-Port-Id 87 [RFC2869] String identifying the port | |||
where the session is. | where the session is. | |||
Chargeable-User- 89 [RFC4372] The CUI associated with the | Chargeable-User- 89 [RFC4372] The CUI associated with the | |||
Identity session. Needed in situations | Identity session. Needed where a | |||
where a privacy NAI is used, | privacy NAI is used, so that | |||
so that User-Name may not be | the User-Name may not be | |||
unique (e.g. "anonymous"). | unique (e.g. "anonymous"). | |||
Originating-Line-Info 94 [RFC4005] Provides information on the | Originating-Line-Info 94 [RFC4005] Provides information on the | |||
characteristics of the line | characteristics of the line | |||
from which a session | from which a session | |||
originated. | originated. | |||
Framed-Interface-Id 96 [RFC3162] The IPv6 Interface Identifier | Framed-Interface-Id 96 [RFC3162] The IPv6 Interface Identifier | |||
associated with the session; | associated with the session; | |||
always sent with | always sent with | |||
Framed-IPv6-Prefix. | Framed-IPv6-Prefix. | |||
Framed-IPv6-Prefix 97 [RFC3162] The IPv6 prefix associated | Framed-IPv6-Prefix 97 [RFC3162] The IPv6 prefix associated | |||
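Review bot: the reworded Chargeable-User-Identity description still reads "Needed where a privacy NAI is used, so that the User-Name may not be unique", where "so that" presents the non-uniqueness of User-Name as the purpose of the CUI rather than the reason it is needed; "since the User-Name may not be unique (e.g. "anonymous")" carries the intended causal sense with no change in substance.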
skipping to change at page 18, line 15 | skipping to change at page 18, line 15 | |||
0-1 0-1 0-1 80 Message-Authenticator | 0-1 0-1 0-1 80 Message-Authenticator | |||
0+ 0 0 81 Tunnel-Private-Group-ID [Note 5] | 0+ 0 0 81 Tunnel-Private-Group-ID [Note 5] | |||
0+ 0 0 82 Tunnel-Assignment-ID [Note 5] | 0+ 0 0 82 Tunnel-Assignment-ID [Note 5] | |||
0+ 0 0 83 Tunnel-Preference [Note 5] | 0+ 0 0 83 Tunnel-Preference [Note 5] | |||
0-1 0 0 85 Acct-Interim-Interval [Note 3] | 0-1 0 0 85 Acct-Interim-Interval [Note 3] | |||
0-1 0 0 87 NAS-Port-Id [Note 1] | 0-1 0 0 87 NAS-Port-Id [Note 1] | |||
0-1 0 0 88 Framed-Pool [Note 3] | 0-1 0 0 88 Framed-Pool [Note 3] | |||
0-1 0 0 89 Chargeable-User-Identity [Note 1] | 0-1 0 0 89 Chargeable-User-Identity [Note 1] | |||
0+ 0 0 90 Tunnel-Client-Auth-ID [Note 5] | 0+ 0 0 90 Tunnel-Client-Auth-ID [Note 5] | |||
0+ 0 0 91 Tunnel-Server-Auth-ID [Note 5] | 0+ 0 0 91 Tunnel-Server-Auth-ID [Note 5] | |||
0-1 0 0 92 NAS-Filter-Rule [Note 3] | ||||
0-1 0 0 94 Originating-Line-Info [Note 1] | 0-1 0 0 94 Originating-Line-Info [Note 1] | |||
0-1 0 0 95 NAS-IPv6-Address [Note 1] | 0-1 0 0 95 NAS-IPv6-Address [Note 1] | |||
0-1 0 0 96 Framed-Interface-Id [Note 1][Note 8] | 0-1 0 0 96 Framed-Interface-Id [Note 1][Note 8] | |||
0+ 0 0 97 Framed-IPv6-Prefix [Note 1][Note 8] | 0+ 0 0 97 Framed-IPv6-Prefix [Note 1][Note 8] | |||
0+ 0 0 98 Login-IPv6-Host [Note 3] | 0+ 0 0 98 Login-IPv6-Host [Note 3] | |||
0+ 0 0 99 Framed-IPv6-Route [Note 3] | 0+ 0 0 99 Framed-IPv6-Route [Note 3] | |||
0-1 0 0 100 Framed-IPv6-Pool [Note 3] | 0-1 0 0 100 Framed-IPv6-Pool [Note 3] | |||
0 0 0+ 101 Error-Cause | 0 0 0+ 101 Error-Cause | |||
0-1 0 0 TBD NAS-Filter-Rule [Note 3] | 0+ 0 0 123 Delegated-IPv6-Prefix [Note 3] | |||
0+ 0 0 TBD Delegated-IPv6-Prefix [Note 3] | ||||
Request ACK NAK # Attribute | Request ACK NAK # Attribute | |||
Disconnect Messages | Disconnect Messages | |||
Request ACK NAK # Attribute | Request ACK NAK # Attribute | |||
0-1 0 0 1 User-Name [Note 1] | 0-1 0 0 1 User-Name [Note 1] | |||
0-1 0 0 4 NAS-IP-Address [Note 1] | 0-1 0 0 4 NAS-IP-Address [Note 1] | |||
0-1 0 0 5 NAS-Port [Note 1] | 0-1 0 0 5 NAS-Port [Note 1] | |||
0 0 0 6 Service-Type | 0 0 0 6 Service-Type | |||
0-1 0 0 8 Framed-IP-Address [Note 1] | 0-1 0 0 8 Framed-IP-Address [Note 1] | |||
skipping to change at page 30, line 18 | skipping to change at page 30, line 18 | |||
[RFC4330] Mills, D., "Simple Network Time Protocol (SNTP) Version 4 for | [RFC4330] Mills, D., "Simple Network Time Protocol (SNTP) Version 4 for | |||
IPv4, IPv6 and OSI", RFC 4330, January 2006. | IPv4, IPv6 and OSI", RFC 4330, January 2006. | |||
[RFC4372] Adrangi, F., Lior, A., Korhonen, J. and J. Loughney, | [RFC4372] Adrangi, F., Lior, A., Korhonen, J. and J. Loughney, | |||
"Chargeable User Identity", RFC 4372, January 2006. | "Chargeable User Identity", RFC 4372, January 2006. | |||
[RFC4675] Congdon, P., Sanchez, M. and B. Aboba, "RADIUS Attributes for | [RFC4675] Congdon, P., Sanchez, M. and B. Aboba, "RADIUS Attributes for | |||
Virtual LAN and Priority Support", RFC 4675, September 2006. | Virtual LAN and Priority Support", RFC 4675, September 2006. | |||
[MD5Attack] | [RFC4818] Salowey, J. and R. Droms, "RADIUS Delegated-IPv6-Prefix | |||
Dobbertin, H., "The Status of MD5 After a Recent Attack", | Attribute", RFC 4818, April 2007. | |||
CryptoBytes Vol.2 No.2, Summer 1996. | ||||
[RFCDelegated] | ||||
Salowey, J. and R. Droms, "RADIUS Delegated-IPv6-Prefix | ||||
Attribute", draft-ietf-radext-delegated-prefix-05.txt, | ||||
Internet draft (work in progress), October 2006. | ||||
[RFCFilter] | [RFCFilter] | |||
Congdon, P., Sanchez, M. and B. Aboba, "RADIUS Filter Rule | Congdon, P., Sanchez, M. and B. Aboba, "RADIUS Filter Rule | |||
Attribute", draft-ietf-radext-filter-08.txt, Internet draft | Attribute", draft-ietf-radext-filter-08.txt, Internet draft | |||
(work in progress), January 2007. | (work in progress), January 2007. | |||
[MD5Attack] | ||||
Dobbertin, H., "The Status of MD5 After a Recent Attack", | ||||
CryptoBytes Vol.2 No.2, Summer 1996. | ||||
Acknowledgments | Acknowledgments | |||
This protocol was first developed and distributed by Ascend | This protocol was first developed and distributed by Ascend | |||
Communications. Example code was distributed in their free server | Communications. Example code was distributed in their free server | |||
kit. | kit. | |||
The authors would like to acknowledge the valuable suggestions and | The authors would like to acknowledge the valuable suggestions and | |||
feedback from the following people: | feedback from the following people: | |||
Avi Lior <avi@bridgewatersystems.com>, | Avi Lior <avi@bridgewatersystems.com>, | |||
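Review bot: [RFCDelegated] is correctly replaced by the published [RFC4818] and Delegated-IPv6-Prefix now carries the fixed number 123, but the [RFCFilter] entry still cites draft-ietf-radext-filter-08.txt as work in progress even though NAS-Filter-Rule is given the assigned number 92 both in the CoA-Request attribute list and in the Section 3.4 table; if that number comes from a published assignment the reference should be updated the same way as [RFC4818], and if not, the 92 should stay marked as provisional until it is.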
skipping to change at page 32, line 39 | skipping to change at page 32, line 39 | |||
Delegated-IPv6-Prefix, Egress-VLANID, Ingress-Filters, Egress-VLAN- | Delegated-IPv6-Prefix, Egress-VLANID, Ingress-Filters, Egress-VLAN- | |||
Name and User-Priority attributes (Section 3.4). | Name and User-Priority attributes (Section 3.4). | |||
o Added the Chargeable-User-Identity Attribute to both the CoA- | o Added the Chargeable-User-Identity Attribute to both the CoA- | |||
Request and Disconnect-Request Attribute Table (Section 3.4). | Request and Disconnect-Request Attribute Table (Section 3.4). | |||
o Added note relating to use of Service-Type="Authorize Only" for | o Added note relating to use of Service-Type="Authorize Only" for | |||
renumbering (Section 3.4). | renumbering (Section 3.4). | |||
o Use of a Service-Type Attribute within a Disconnect-Request is | o Use of a Service-Type Attribute within a Disconnect-Request is | |||
prohibited (Section 3.4,4). | prohibited (Sections 3.4, 4). | |||
o Added Diameter Considerations (Section 5). | o Added Diameter Considerations (Section 5). | |||
o Changed the text to indicate that the Event-Timestamp Attribute | o Changed the text to indicate that the Event-Timestamp Attribute | |||
should not be recalculated on retransmission. The implications for | should not be recalculated on retransmission. The implications for | |||
replay and duplicate detection are discussed (Section 6.4). | replay and duplicate detection are discussed (Section 6.4). | |||
Full Copyright Statement | Full Copyright Statement | |||
Copyright (C) The IETF Trust (2007). | Copyright (C) The IETF Trust (2007). | |||
End of changes. 11 change blocks. | ||||
20 lines changed or deleted | 19 lines changed or added | |||
This html diff was produced by rfcdiff 1.33. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |