draft-ietf-radext-rfc3576bis-03.txt   draft-ietf-radext-rfc3576bis-04.txt 
Network Working Group Murtaza S. Chiba Network Working Group Murtaza S. Chiba
INTERNET-DRAFT Gopal Dommety INTERNET-DRAFT Gopal Dommety
Obsoletes: 3576 Mark Eklund Obsoletes: 3576 Mark Eklund
Category: Informational Cisco Systems, Inc. Category: Informational Cisco Systems, Inc.
<draft-ietf-radext-rfc3576bis-03.txt> David Mitton <draft-ietf-radext-rfc3576bis-04.txt> David Mitton
28 March 2007 RSA Security, Inc. 10 April 2007 RSA Security, Inc.
Bernard Aboba Bernard Aboba
Microsoft Corporation Microsoft Corporation
Dynamic Authorization Extensions to Remote Authentication Dial In User Dynamic Authorization Extensions to Remote Authentication Dial In User
Service (RADIUS) Service (RADIUS)
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
skipping to change at page 1, line 35 skipping to change at page 1, line 36
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on September 25, 2007. This Internet-Draft will expire on October 25, 2007.
Copyright Notice Copyright Notice
Copyright (C) The IETF Trust (2007). All Rights Reserved. Copyright (C) The IETF Trust (2007). All Rights Reserved.
Abstract Abstract
This document describes a currently deployed extension to the Remote This document describes a currently deployed extension to the Remote
Authentication Dial In User Service (RADIUS) protocol, allowing Authentication Dial In User Service (RADIUS) protocol, allowing
dynamic changes to a user session, as implemented by network access dynamic changes to a user session, as implemented by network access
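Review bot: the expiry date in this hunk moves by 30 days (September 25 to October 25, 2007) while the draft date in the header moves by only 13 days (28 March to 10 April 2007), so the two revisions are not using the same expiry interval; recompute the expiry from the new submission date so the header and the expiry line agree.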
skipping to change at page 5, line 48 skipping to change at page 5, line 48
kind, and are sent in addition to the identification attributes as kind, and are sent in addition to the identification attributes as
described in section 3. The port used, and packet format (described described in section 3. The port used, and packet format (described
in Section 2.3), are the same as that for Disconnect-Request packets. in Section 2.3), are the same as that for Disconnect-Request packets.
The following attributes MAY be sent in a CoA-Request: The following attributes MAY be sent in a CoA-Request:
Filter-ID (11) - Indicates the name of a data filter list Filter-ID (11) - Indicates the name of a data filter list
to be applied for the session that the to be applied for the session that the
identification attributes map to. identification attributes map to.
NAS-Filter-Rule (TBD) - Provides a filter list to be applied NAS-Filter-Rule (92) - Provides a filter list to be applied
for the session that the identification for the session that the identification
attributes map to [RFCFilter]. attributes map to [RFCFilter].
+----------+ CoA-Request +----------+ +----------+ CoA-Request +----------+
| | <-------------------- | | | | <-------------------- | |
| NAS | | RADIUS | | NAS | | RADIUS |
| | CoA-Response | Server | | | CoA-Response | Server |
| | ---------------------> | | | | ---------------------> | |
+----------+ +----------+ +----------+ +----------+
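Review bot: NAS-Filter-Rule changes from "(TBD)" to the fixed attribute number 92 here, yet its citation [RFCFilter] still points at a work-in-progress draft (draft-ietf-radext-filter-08.txt). The number needs to match the value in the attribute tables of Section 3.4 and the IANA RADIUS Attribute Types registry before publication; an RFC Editor note asking for the [RFCFilter] reference to be replaced when that draft is published would keep the two from drifting apart.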
skipping to change at page 9, line 26 skipping to change at page 9, line 26
state whether an Attribute can be included in CoA or Disconnect state whether an Attribute can be included in CoA or Disconnect
messages and if so, which messages it may be included in and messages and if so, which messages it may be included in and
whether it serves as an identification or authorization attribute. whether it serves as an identification or authorization attribute.
Even if a NAS implements an attribute for use with RADIUS Even if a NAS implements an attribute for use with RADIUS
authentication and accounting, it may not support inclusion of authentication and accounting, it may not support inclusion of
that attribute within Disconnect-Request or CoA-Request packets, that attribute within Disconnect-Request or CoA-Request packets,
given the difference in attribute semantics. This is true even given the difference in attribute semantics. This is true even
for attributes specified as allowable within Access-Accept packets for attributes specified as allowable within Access-Accept packets
(such as those defined within [RFC2865], [RFC2868], [RFC2869], (such as those defined within [RFC2865], [RFC2868], [RFC2869],
[RFC3162], [RFC3579], [RFC4372], [RFC4675], [RFCFilter] and [RFC3162], [RFC3579], [RFC4372], [RFC4675], [RFC4818] and
[RFCDelegated]). If unsupported attributes are included within a [RFCFilter]). If unsupported attributes are included within a
Disconnect/CoA-Request packet, the RADIUS client will send a Disconnect/CoA-Request packet, the RADIUS client will send a
Disconnect-NAK/CoA-NAK in response, possibly containing an Error- Disconnect-NAK/CoA-NAK in response, possibly containing an Error-
Cause attribute with value Unsupported Attribute (401). Cause attribute with value Unsupported Attribute (401).
If there are any Proxy-State Attributes in a Disconnect-Request or If there are any Proxy-State Attributes in a Disconnect-Request or
CoA-Request received from the server, the forwarding proxy or NAS CoA-Request received from the server, the forwarding proxy or NAS
MUST include those Proxy-State Attributes in its response to the MUST include those Proxy-State Attributes in its response to the
server. server.
A forwarding proxy or NAS MUST NOT modify existing Proxy-State, A forwarding proxy or NAS MUST NOT modify existing Proxy-State,
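Review bot: [RFC4818] replaces [RFCDelegated] in the list of Access-Accept attribute sources, and the reference list in this revision drops the [RFCDelegated] entry entirely, so any other occurrence of the [RFCDelegated] anchor left elsewhere in the document (the change list on page 32 still discusses Delegated-IPv6-Prefix) would become a dangling citation; a search for "[RFCDelegated]" over the whole draft is the cheap check before submission.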
skipping to change at page 11, line 22 skipping to change at page 11, line 22
the session is connected. the session is connected.
Acct-Session-Id 44 [RFC2866] The identifier uniquely Acct-Session-Id 44 [RFC2866] The identifier uniquely
identifying the session identifying the session
on the NAS. on the NAS.
Acct-Multi-Session-Id 50 [RFC2866] The identifier uniquely Acct-Multi-Session-Id 50 [RFC2866] The identifier uniquely
identifying related sessions. identifying related sessions.
NAS-Port-Type 61 [RFC2865] The type of port used. NAS-Port-Type 61 [RFC2865] The type of port used.
NAS-Port-Id 87 [RFC2869] String identifying the port NAS-Port-Id 87 [RFC2869] String identifying the port
where the session is. where the session is.
Chargeable-User- 89 [RFC4372] The CUI associated with the Chargeable-User- 89 [RFC4372] The CUI associated with the
Identity session. Needed in situations Identity session. Needed where a
where a privacy NAI is used, privacy NAI is used, so that
so that User-Name may not be the User-Name may not be
unique (e.g. "anonymous"). unique (e.g. "anonymous").
Originating-Line-Info 94 [RFC4005] Provides information on the Originating-Line-Info 94 [RFC4005] Provides information on the
characteristics of the line characteristics of the line
from which a session from which a session
originated. originated.
Framed-Interface-Id 96 [RFC3162] The IPv6 Interface Identifier Framed-Interface-Id 96 [RFC3162] The IPv6 Interface Identifier
associated with the session; associated with the session;
always sent with always sent with
Framed-IPv6-Prefix. Framed-IPv6-Prefix.
Framed-IPv6-Prefix 97 [RFC3162] The IPv6 prefix associated Framed-IPv6-Prefix 97 [RFC3162] The IPv6 prefix associated
skipping to change at page 18, line 15 skipping to change at page 18, line 15
0-1 0-1 0-1 80 Message-Authenticator 0-1 0-1 0-1 80 Message-Authenticator
0+ 0 0 81 Tunnel-Private-Group-ID [Note 5] 0+ 0 0 81 Tunnel-Private-Group-ID [Note 5]
0+ 0 0 82 Tunnel-Assignment-ID [Note 5] 0+ 0 0 82 Tunnel-Assignment-ID [Note 5]
0+ 0 0 83 Tunnel-Preference [Note 5] 0+ 0 0 83 Tunnel-Preference [Note 5]
0-1 0 0 85 Acct-Interim-Interval [Note 3] 0-1 0 0 85 Acct-Interim-Interval [Note 3]
0-1 0 0 87 NAS-Port-Id [Note 1] 0-1 0 0 87 NAS-Port-Id [Note 1]
0-1 0 0 88 Framed-Pool [Note 3] 0-1 0 0 88 Framed-Pool [Note 3]
0-1 0 0 89 Chargeable-User-Identity [Note 1] 0-1 0 0 89 Chargeable-User-Identity [Note 1]
0+ 0 0 90 Tunnel-Client-Auth-ID [Note 5] 0+ 0 0 90 Tunnel-Client-Auth-ID [Note 5]
0+ 0 0 91 Tunnel-Server-Auth-ID [Note 5] 0+ 0 0 91 Tunnel-Server-Auth-ID [Note 5]
0-1 0 0 92 NAS-Filter-Rule [Note 3]
0-1 0 0 94 Originating-Line-Info [Note 1] 0-1 0 0 94 Originating-Line-Info [Note 1]
0-1 0 0 95 NAS-IPv6-Address [Note 1] 0-1 0 0 95 NAS-IPv6-Address [Note 1]
0-1 0 0 96 Framed-Interface-Id [Note 1][Note 8] 0-1 0 0 96 Framed-Interface-Id [Note 1][Note 8]
0+ 0 0 97 Framed-IPv6-Prefix [Note 1][Note 8] 0+ 0 0 97 Framed-IPv6-Prefix [Note 1][Note 8]
0+ 0 0 98 Login-IPv6-Host [Note 3] 0+ 0 0 98 Login-IPv6-Host [Note 3]
0+ 0 0 99 Framed-IPv6-Route [Note 3] 0+ 0 0 99 Framed-IPv6-Route [Note 3]
0-1 0 0 100 Framed-IPv6-Pool [Note 3] 0-1 0 0 100 Framed-IPv6-Pool [Note 3]
0 0 0+ 101 Error-Cause 0 0 0+ 101 Error-Cause
0-1 0 0 TBD NAS-Filter-Rule [Note 3] 0+ 0 0 123 Delegated-IPv6-Prefix [Note 3]
0+ 0 0 TBD Delegated-IPv6-Prefix [Note 3]
Request ACK NAK # Attribute Request ACK NAK # Attribute
Disconnect Messages Disconnect Messages
Request ACK NAK # Attribute Request ACK NAK # Attribute
0-1 0 0 1 User-Name [Note 1] 0-1 0 0 1 User-Name [Note 1]
0-1 0 0 4 NAS-IP-Address [Note 1] 0-1 0 0 4 NAS-IP-Address [Note 1]
0-1 0 0 5 NAS-Port [Note 1] 0-1 0 0 5 NAS-Port [Note 1]
0 0 0 6 Service-Type 0 0 0 6 Service-Type
0-1 0 0 8 Framed-IP-Address [Note 1] 0-1 0 0 8 Framed-IP-Address [Note 1]
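Review bot: the two "TBD" rows are replaced by "92 NAS-Filter-Rule" (now sorted into numeric position) and "123 Delegated-IPv6-Prefix", with the column values (0-1 / 0+ in Request, 0 in ACK and NAK, [Note 3]) carried over unchanged. Both numbers should be cross-checked against their defining documents, [RFC4818] for 123 and the filter-rule specification for 92, and against the "NAS-Filter-Rule (92)" entry in Section 2.3, since a mismatch between the table and the prose is the kind of defect that otherwise surfaces only as an erratum. The "Request ACK NAK # Attribute" row that appears immediately before the "Disconnect Messages" heading, and again after it, looks like a page-boundary table footer carried over from the previous page; it is harmless in the text rendering but worth confirming the source does not emit a stray header row.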
skipping to change at page 30, line 18 skipping to change at page 30, line 18
[RFC4330] Mills, D., "Simple Network Time Protocol (SNTP) Version 4 for [RFC4330] Mills, D., "Simple Network Time Protocol (SNTP) Version 4 for
IPv4, IPv6 and OSI", RFC 4330, January 2006. IPv4, IPv6 and OSI", RFC 4330, January 2006.
[RFC4372] Adrangi, F., Lior, A., Korhonen, J. and J. Loughney, [RFC4372] Adrangi, F., Lior, A., Korhonen, J. and J. Loughney,
"Chargeable User Identity", RFC 4372, January 2006. "Chargeable User Identity", RFC 4372, January 2006.
[RFC4675] Congdon, P., Sanchez, M. and B. Aboba, "RADIUS Attributes for [RFC4675] Congdon, P., Sanchez, M. and B. Aboba, "RADIUS Attributes for
Virtual LAN and Priority Support", RFC 4675, September 2006. Virtual LAN and Priority Support", RFC 4675, September 2006.
[MD5Attack] [RFC4818] Salowey, J. and R. Droms, "RADIUS Delegated-IPv6-Prefix
Dobbertin, H., "The Status of MD5 After a Recent Attack", Attribute", RFC 4818, April 2007.
CryptoBytes Vol.2 No.2, Summer 1996.
[RFCDelegated]
Salowey, J. and R. Droms, "RADIUS Delegated-IPv6-Prefix
Attribute", draft-ietf-radext-delegated-prefix-05.txt,
Internet draft (work in progress), October 2006.
[RFCFilter] [RFCFilter]
Congdon, P., Sanchez, M. and B. Aboba, "RADIUS Filter Rule Congdon, P., Sanchez, M. and B. Aboba, "RADIUS Filter Rule
Attribute", draft-ietf-radext-filter-08.txt, Internet draft Attribute", draft-ietf-radext-filter-08.txt, Internet draft
(work in progress), January 2007. (work in progress), January 2007.
[MD5Attack]
Dobbertin, H., "The Status of MD5 After a Recent Attack",
CryptoBytes Vol.2 No.2, Summer 1996.
Acknowledgments Acknowledgments
This protocol was first developed and distributed by Ascend This protocol was first developed and distributed by Ascend
Communications. Example code was distributed in their free server Communications. Example code was distributed in their free server
kit. kit.
The authors would like to acknowledge the valuable suggestions and The authors would like to acknowledge the valuable suggestions and
feedback from the following people: feedback from the following people:
Avi Lior <avi@bridgewatersystems.com>, Avi Lior <avi@bridgewatersystems.com>,
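Review bot: with [RFC4818] now a published RFC (Salowey and Droms, April 2007) and [RFCDelegated] removed, [RFCFilter] (draft-ietf-radext-filter-08.txt, January 2007) is the only remaining work-in-progress reference, and the reordering places [MD5Attack] after it so the list reads: numbered RFCs, then the draft, then the non-IETF citation. Given that the attribute number for NAS-Filter-Rule is already treated as fixed in the body, the draft should state that [RFCFilter] is to be replaced by its RFC number at publication, and the filter draft revision cited should be the current one at the time of submission.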
skipping to change at page 32, line 39 skipping to change at page 32, line 39
Delegated-IPv6-Prefix, Egress-VLANID, Ingress-Filters, Egress-VLAN- Delegated-IPv6-Prefix, Egress-VLANID, Ingress-Filters, Egress-VLAN-
Name and User-Priority attributes (Section 3.4). Name and User-Priority attributes (Section 3.4).
o Added the Chargeable-User-Identity Attribute to both the CoA- o Added the Chargeable-User-Identity Attribute to both the CoA-
Request and Disconnect-Request Attribute Table (Section 3.4). Request and Disconnect-Request Attribute Table (Section 3.4).
o Added note relating to use of Service-Type="Authorize Only" for o Added note relating to use of Service-Type="Authorize Only" for
renumbering (Section 3.4). renumbering (Section 3.4).
o Use of a Service-Type Attribute within a Disconnect-Request is o Use of a Service-Type Attribute within a Disconnect-Request is
prohibited (Section 3.4,4). prohibited (Sections 3.4, 4).
o Added Diameter Considerations (Section 5). o Added Diameter Considerations (Section 5).
o Changed the text to indicate that the Event-Timestamp Attribute o Changed the text to indicate that the Event-Timestamp Attribute
should not be recalculated on retransmission. The implications for should not be recalculated on retransmission. The implications for
replay and duplicate detection are discussed (Section 6.4). replay and duplicate detection are discussed (Section 6.4).
Full Copyright Statement Full Copyright Statement
Copyright (C) The IETF Trust (2007). Copyright (C) The IETF Trust (2007).