--- 1/draft-ietf-radext-rfc3576bis-03.txt 2007-04-11 22:12:06.000000000 +0200 +++ 2/draft-ietf-radext-rfc3576bis-04.txt 2007-04-11 22:12:06.000000000 +0200 @@ -1,16 +1,17 @@ + Network Working Group Murtaza S. Chiba INTERNET-DRAFT Gopal Dommety Obsoletes: 3576 Mark Eklund Category: Informational Cisco Systems, Inc. - David Mitton -28 March 2007 RSA Security, Inc. + David Mitton +10 April 2007 RSA Security, Inc. Bernard Aboba Microsoft Corporation Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS) By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. @@ -24,21 +25,21 @@ and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. - This Internet-Draft will expire on September 25, 2007. + This Internet-Draft will expire on October 25, 2007. Copyright Notice Copyright (C) The IETF Trust (2007). All Rights Reserved. Abstract This document describes a currently deployed extension to the Remote Authentication Dial In User Service (RADIUS) protocol, allowing dynamic changes to a user session, as implemented by network access 
@@ -209,21 +210,21 @@ kind, and are sent in addition to the identification attributes as described in section 3. The port used, and packet format (described in Section 2.3), are the same as that for Disconnect-Request packets. The following attributes MAY be sent in a CoA-Request: Filter-ID (11) - Indicates the name of a data filter list to be applied for the session that the identification attributes map to. - NAS-Filter-Rule (TBD) - Provides a filter list to be applied + NAS-Filter-Rule (92) - Provides a filter list to be applied for the session that the identification attributes map to [RFCFilter]. +----------+ CoA-Request +----------+ | | <-------------------- | | | NAS | | RADIUS | | | CoA-Response | Server | | | ---------------------> | | +----------+ +----------+ 
@@ -379,22 +380,22 @@ state whether an Attribute can be included in CoA or Disconnect messages and if so, which messages it may be included in and whether it serves as an identification or authorization attribute. Even if a NAS implements an attribute for use with RADIUS authentication and accounting, it may not support inclusion of that attribute within Disconnect-Request or CoA-Request packets, given the difference in attribute semantics. This is true even for attributes specified as allowable within Access-Accept packets (such as those defined within [RFC2865], [RFC2868], [RFC2869], - [RFC3162], [RFC3579], [RFC4372], [RFC4675], [RFCFilter] and - [RFCDelegated]). If unsupported attributes are included within a + [RFC3162], [RFC3579], [RFC4372], [RFC4675], [RFC4818] and + [RFCFilter]). If unsupported attributes are included within a Disconnect/CoA-Request packet, the RADIUS client will send a Disconnect-NAK/CoA-NAK in response, possibly containing an Error- Cause attribute with value Unsupported Attribute (401). If there are any Proxy-State Attributes in a Disconnect-Request or CoA-Request received from the server, the forwarding proxy or NAS MUST include those Proxy-State Attributes in its response to the server. A forwarding proxy or NAS MUST NOT modify existing Proxy-State, 
@@ -470,23 +471,23 @@ the session is connected. Acct-Session-Id 44 [RFC2866] The identifier uniquely identifying the session on the NAS. Acct-Multi-Session-Id 50 [RFC2866] The identifier uniquely identifying related sessions. NAS-Port-Type 61 [RFC2865] The type of port used. NAS-Port-Id 87 [RFC2869] String identifying the port where the session is. Chargeable-User- 89 [RFC4372] The CUI associated with the - Identity session. Needed in situations - where a privacy NAI is used, - so that User-Name may not be + Identity session. Needed where a + privacy NAI is used, so that + the User-Name may not be unique (e.g. "anonymous"). Originating-Line-Info 94 [RFC4005] Provides information on the characteristics of the line from which a session originated. Framed-Interface-Id 96 [RFC3162] The IPv6 Interface Identifier associated with the session; always sent with Framed-IPv6-Prefix. Framed-IPv6-Prefix 97 [RFC3162] The IPv6 prefix associated 
@@ -800,30 +801,30 @@ 0-1 0-1 0-1 80 Message-Authenticator 0+ 0 0 81 Tunnel-Private-Group-ID [Note 5] 0+ 0 0 82 Tunnel-Assignment-ID [Note 5] 0+ 0 0 83 Tunnel-Preference [Note 5] 0-1 0 0 85 Acct-Interim-Interval [Note 3] 0-1 0 0 87 NAS-Port-Id [Note 1] 0-1 0 0 88 Framed-Pool [Note 3] 0-1 0 0 89 Chargeable-User-Identity [Note 1] 0+ 0 0 90 Tunnel-Client-Auth-ID [Note 5] 0+ 0 0 91 Tunnel-Server-Auth-ID [Note 5] + 0-1 0 0 92 NAS-Filter-Rule [Note 3] 0-1 0 0 94 Originating-Line-Info [Note 1] 0-1 0 0 95 NAS-IPv6-Address [Note 1] 0-1 0 0 96 Framed-Interface-Id [Note 1][Note 8] 0+ 0 0 97 Framed-IPv6-Prefix [Note 1][Note 8] 0+ 0 0 98 Login-IPv6-Host [Note 3] 0+ 0 0 99 Framed-IPv6-Route [Note 3] 0-1 0 0 100 Framed-IPv6-Pool [Note 3] 0 0 0+ 101 Error-Cause - 0-1 0 0 TBD NAS-Filter-Rule [Note 3] - 0+ 0 0 TBD Delegated-IPv6-Prefix [Note 3] + 0+ 0 0 123 Delegated-IPv6-Prefix [Note 3] Request ACK NAK # Attribute Disconnect Messages Request ACK NAK # Attribute 0-1 0 0 1 User-Name [Note 1] 0-1 0 0 4 NAS-IP-Address [Note 1] 0-1 0 0 5 NAS-Port [Note 1] 0 0 0 6 Service-Type 0-1 0 0 8 Framed-IP-Address [Note 1] 
@@ -1374,34 +1375,32 @@ [RFC4330] Mills, D., "Simple Network Time Protocol (SNTP) Version 4 for IPv4, IPv6 and OSI", RFC 4330, January 2006. [RFC4372] Adrangi, F., Lior, A., Korhonen, J. and J. Loughney, "Chargeable User Identity", RFC 4372, January 2006. [RFC4675] Congdon, P., Sanchez, M. and B. Aboba, "RADIUS Attributes for Virtual LAN and Priority Support", RFC 4675, September 2006. -[MD5Attack] - Dobbertin, H., "The Status of MD5 After a Recent Attack", - CryptoBytes Vol.2 No.2, Summer 1996. - -[RFCDelegated] - Salowey, J. and R. Droms, "RADIUS Delegated-IPv6-Prefix - Attribute", draft-ietf-radext-delegated-prefix-05.txt, - Internet draft (work in progress), October 2006. +[RFC4818] Salowey, J. and R. Droms, "RADIUS Delegated-IPv6-Prefix + Attribute", RFC 4818, April 2007. [RFCFilter] Congdon, P., Sanchez, M. and B. Aboba, "RADIUS Filter Rule Attribute", draft-ietf-radext-filter-08.txt, Internet draft (work in progress), January 2007. +[MD5Attack] + Dobbertin, H., "The Status of MD5 After a Recent Attack", + CryptoBytes Vol.2 No.2, Summer 1996. + Acknowledgments This protocol was first developed and distributed by Ascend Communications. Example code was distributed in their free server kit. The authors would like to acknowledge the valuable suggestions and feedback from the following people: Avi Lior , 
@@ -1485,21 +1484,21 @@ Delegated-IPv6-Prefix, Egress-VLANID, Ingress-Filters, Egress-VLAN- Name and User-Priority attributes (Section 3.4). o Added the Chargeable-User-Identity Attribute to both the CoA- Request and Disconnect-Request Attribute Table (Section 3.4). o Added note relating to use of Service-Type="Authorize Only" for renumbering (Section 3.4). o Use of a Service-Type Attribute within a Disconnect-Request is - prohibited (Section 3.4,4). + prohibited (Sections 3.4, 4). o Added Diameter Considerations (Section 5). o Changed the text to indicate that the Event-Timestamp Attribute should not be recalculated on retransmission. The implications for replay and duplicate detection are discussed (Section 6.4). Full Copyright Statement Copyright (C) The IETF Trust (2007).
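Review bot: In the first hunk (@@ -1,16 +1,17 @@) the draft date moves from 28 March to 10 April 2007 (13 days) while the expiry line moves from September 25 to October 25, 2007 (30 days); the two intervals do not match, so check that the new expiry is what the submission tooling stamps for a 10 April draft rather than a hand-edited value. The added empty first line is a pure whitespace change and needs no action.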
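Review bot: In the NAS-Filter-Rule bullet of hunk @@ -209,21 +210,21 @@ the attribute number is now hard-coded as 92 while the bracketed citation [RFCFilter] still points at a work-in-progress draft (draft-ietf-radext-filter-08 in the references hunk); either state where the assignment comes from or keep "(TBD)" until the referenced document is published, so that a reader cannot mistake a draft-stage number for a final allocation.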
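Review bot: The reference tag swap from [RFCDelegated] to [RFC4818] in hunk @@ -379,22 +380,22 @@ must be applied everywhere the old tag was used; the diff shows only this paragraph and the reference list, so grep the remaining text (the attribute tables in Section 3.4 in particular) for any leftover [RFCDelegated] anchor that would now dangle.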
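Review bot: The reworded Chargeable-User-Identity description in hunk @@ -470,23 +471,23 @@ still reads "so that the User-Name may not be unique", which presents the non-uniqueness as a purpose rather than as the reason the CUI is needed; suggest "Needed where a privacy NAI is used, since the User-Name may not be unique (e.g. "anonymous")". This column documents which attributes a NAS can rely on to identify the session a request targets, so the causal wording matters.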
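Review bot: In the CoA table of hunk @@ -800,30 +801,30 @@ NAS-Filter-Rule keeps the "0-1" count it had under TBD, while the prose in the earlier hunk describes it as carrying a filter list and the other list-valued authorization attributes in the same table (the Tunnel-* entries, Framed-IPv6-Route, Delegated-IPv6-Prefix) are "0+"; confirm that 0-1 is intended, because with that limit a rule list split across several NAS-Filter-Rule attributes cannot be expressed in a CoA-Request. The Delegated-IPv6-Prefix row moving from TBD to 123 is consistent with the new [RFC4818] citation.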
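Review bot: The references hunk (@@ -1374,34 +1375,32 @@) moves [MD5Attack] from before [RFCDelegated] to after [RFCFilter], so the one non-RFC entry now sits at the end of the list; if the list is meant to be ordered by tag, [MD5Attack] belongs before the RFC entries, otherwise the ordering convention should be stated. Separately, [RFCFilter] is still cited as draft-ietf-radext-filter-08 (work in progress) even though the body now uses its attribute number 92, so plan to update this entry to the RFC number in the next revision as was done for [RFC4818].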
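Review bot: Beyond the punctuation fix from "(Section 3.4,4)" to "(Sections 3.4, 4)" in hunk @@ -1485,21 +1484,21 @@, the change list shown does not record what this revision itself changed (NAS-Filter-Rule assigned 92, Delegated-IPv6-Prefix assigned 123, [RFCDelegated] replaced by [RFC4818]); if this section tracks changes since RFC 3576, add bullets for the attribute number assignments so implementers comparing against -03 can find them.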