draft-ietf-radext-rfc3576bis-04.txt | draft-ietf-radext-rfc3576bis-05.txt | |||
---|---|---|---|---|
Network Working Group Murtaza S. Chiba | Network Working Group Murtaza S. Chiba | |||
INTERNET-DRAFT Gopal Dommety | INTERNET-DRAFT Gopal Dommety | |||
Obsoletes: 3576 Mark Eklund | Obsoletes: 3576 Mark Eklund | |||
Category: Informational Cisco Systems, Inc. | Category: Informational Cisco Systems, Inc. | |||
<draft-ietf-radext-rfc3576bis-04.txt> David Mitton | <draft-ietf-radext-rfc3576bis-05.txt> David Mitton | |||
10 April 2007 RSA Security, Inc. | 22 May 2007 RSA Security, Inc. | |||
Bernard Aboba | Bernard Aboba | |||
Microsoft Corporation | Microsoft Corporation | |||
Dynamic Authorization Extensions to Remote Authentication Dial In User | Dynamic Authorization Extensions to Remote Authentication Dial In User | |||
Service (RADIUS) | Service (RADIUS) | |||
By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
skipping to change at page 1, line 36 | skipping to change at page 1, line 36 | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
This Internet-Draft will expire on October 25, 2007. | This Internet-Draft will expire on December 25, 2007. | |||
Copyright Notice | Copyright Notice | |||
Copyright (C) The IETF Trust (2007). All Rights Reserved. | Copyright (C) The IETF Trust (2007). All Rights Reserved. | |||
Abstract | Abstract | |||
This document describes a currently deployed extension to the Remote | This document describes a currently deployed extension to the Remote | |||
Authentication Dial In User Service (RADIUS) protocol, allowing | Authentication Dial In User Service (RADIUS) protocol, allowing | |||
dynamic changes to a user session, as implemented by network access | dynamic changes to a user session, as implemented by network access | |||
skipping to change at page 2, line 16 | skipping to change at page 2, line 16 | |||
1. Introduction .......................................... 3 | 1. Introduction .......................................... 3 | |||
1.1 Applicability ................................... 3 | 1.1 Applicability ................................... 3 | |||
1.2 Requirements Language ........................... 4 | 1.2 Requirements Language ........................... 4 | |||
1.3 Terminology ..................................... 4 | 1.3 Terminology ..................................... 4 | |||
2. Overview ............................................. 5 | 2. Overview ............................................. 5 | |||
2.1 Disconnect Messages (DM) ........................ 5 | 2.1 Disconnect Messages (DM) ........................ 5 | |||
2.2 Change-of-Authorization Messages (CoA) .......... 5 | 2.2 Change-of-Authorization Messages (CoA) .......... 5 | |||
2.3 Packet Format ................................... 6 | 2.3 Packet Format ................................... 6 | |||
3. Attributes ............................................ 10 | 3. Attributes ............................................ 10 | |||
3.1 State ........................................... 12 | 3.1 Authorize Only .................................. 12 | |||
3.2 Message-Authenticator ........................... 13 | 3.2 State ........................................... 12 | |||
3.3 Error-Cause ..................................... 13 | 3.3 Message-Authenticator ........................... 13 | |||
3.4 Table of Attributes ............................. 16 | 3.4 Error-Cause ..................................... 14 | |||
4. Diameter Considerations ............................... 21 | 3.5 Table of Attributes ............................. 17 | |||
5. IANA Considerations ................................... 23 | 4. Diameter Considerations ............................... 20 | |||
6. Security Considerations ............................... 23 | 5. IANA Considerations ................................... 22 | |||
6.1 Authorization Issues ............................ 23 | 6. Security Considerations ............................... 22 | |||
6.2 Impersonation ................................... 24 | 6.1 Authorization Issues ............................ 22 | |||
6.2 Impersonation ................................... 23 | ||||
6.3 IPsec Usage Guidelines .......................... 24 | 6.3 IPsec Usage Guidelines .......................... 24 | |||
6.4 Replay Protection ............................... 27 | 6.4 Replay Protection ............................... 27 | |||
7. Example Traces ........................................ 28 | 7. Example Traces ........................................ 28 | |||
8. References ............................................ 28 | 8. References ............................................ 28 | |||
8.1 Normative References ............................ 28 | 8.1 Normative References ............................ 28 | |||
8.2 Informative References .......................... 29 | 8.2 Informative References .......................... 29 | |||
ACKNOWLEDGMENTS .............................................. 30 | ACKNOWLEDGMENTS .............................................. 30 | |||
AUTHORS' ADDRESSES ........................................... 31 | AUTHORS' ADDRESSES ........................................... 31 | |||
Appendix A - Changes from RFC 3576 ........................... 32 | Appendix A - Changes from RFC 3576 ........................... 32 | |||
Full Copyright Statement ..................................... 33 | Full Copyright Statement ..................................... 33 | |||
skipping to change at page 6, line 16 | skipping to change at page 6, line 16 | |||
| | <-------------------- | | | | | <-------------------- | | | |||
| NAS | | RADIUS | | | NAS | | RADIUS | | |||
| | CoA-Response | Server | | | | CoA-Response | Server | | |||
| | ---------------------> | | | | | ---------------------> | | | |||
+----------+ +----------+ | +----------+ +----------+ | |||
The NAS responds to a CoA-Request sent by a RADIUS server with a CoA- | The NAS responds to a CoA-Request sent by a RADIUS server with a CoA- | |||
ACK if the NAS is able to successfully change the authorizations for | ACK if the NAS is able to successfully change the authorizations for | |||
the user session, or a CoA-NAK if the Request is unsuccessful. A NAS | the user session, or a CoA-NAK if the Request is unsuccessful. A NAS | |||
MUST respond to a CoA-Request including a Service-Type Attribute with | MUST respond to a CoA-Request including a Service-Type Attribute with | |||
value "Authorize Only" with a CoA-NAK; a CoA-ACK MUST NOT be sent. A | an unsupported value with a CoA-NAK; an Error-Cause Attribute with | |||
NAS MUST respond to a CoA-Request including a Service-Type Attribute | value "Unsupported Service" MAY be included. | |||
with an unsupported value with a CoA-NAK; an Error-Cause Attribute | ||||
with value "Unsupported Service" MAY be included. | ||||
2.3. Packet Format | 2.3. Packet Format | |||
For either Disconnect-Request or CoA-Request packets UDP port 3799 is | For either Disconnect-Request or CoA-Request packets UDP port 3799 is | |||
used as the destination port. For responses, the source and | used as the destination port. For responses, the source and | |||
destination ports are reversed. Exactly one RADIUS packet is | destination ports are reversed. Exactly one RADIUS packet is | |||
encapsulated in the UDP Data field. | encapsulated in the UDP Data field. | |||
A summary of the data format is shown below. The fields are | A summary of the data format is shown below. The fields are | |||
transmitted from left to right. | transmitted from left to right. | |||
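Review bot: The sentence kept at the end of Section 2.2 says an Error-Cause of "Unsupported Service" MAY be included for an unsupported Service-Type value, while the new Section 3.1 says that a NAS that does not support "Authorize Only" SHOULD include Error-Cause 405 (Unsupported Service). The second case is an instance of the first, so the two requirement levels conflict. Suggest using SHOULD in both places, or stating in 2.2 that Section 3.1 governs the "Authorize Only" case.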
skipping to change at page 9, line 21 | skipping to change at page 9, line 19 | |||
here a Disconnect-NAK MUST be sent. | here a Disconnect-NAK MUST be sent. | |||
Within this specification attributes may be used for | Within this specification attributes may be used for | |||
identification, authorization or other purposes. RADIUS Attribue | identification, authorization or other purposes. RADIUS Attribue | |||
specifications created after publication of this document SHOULD | specifications created after publication of this document SHOULD | |||
state whether an Attribute can be included in CoA or Disconnect | state whether an Attribute can be included in CoA or Disconnect | |||
messages and if so, which messages it may be included in and | messages and if so, which messages it may be included in and | |||
whether it serves as an identification or authorization attribute. | whether it serves as an identification or authorization attribute. | |||
Even if a NAS implements an attribute for use with RADIUS | Even if a NAS implements an attribute for use with RADIUS | |||
authentication and accounting, it may not support inclusion of | authentication and accounting, it is possible that it will not | |||
that attribute within Disconnect-Request or CoA-Request packets, | support inclusion of that attribute within Disconnect-Request or | |||
given the difference in attribute semantics. This is true even | CoA-Request packets, given the difference in attribute semantics. | |||
for attributes specified as allowable within Access-Accept packets | This is true even for attributes specified as allowable within | |||
(such as those defined within [RFC2865], [RFC2868], [RFC2869], | Access-Accept packets (such as those defined within [RFC2865], | |||
[RFC3162], [RFC3579], [RFC4372], [RFC4675], [RFC4818] and | [RFC2868], [RFC2869], [RFC3162], [RFC3579], [RFC4372], [RFC4675], | |||
[RFCFilter]). If unsupported attributes are included within a | [RFC4818] and [RFCFilter]). If unsupported attributes are | |||
Disconnect/CoA-Request packet, the RADIUS client will send a | included within a Disconnect/CoA-Request packet, the RADIUS client | |||
Disconnect-NAK/CoA-NAK in response, possibly containing an Error- | will send a Disconnect-NAK/CoA-NAK in response, possibly | |||
Cause attribute with value Unsupported Attribute (401). | containing an Error-Cause attribute with value Unsupported | |||
Attribute (401). | ||||
If there are any Proxy-State Attributes in a Disconnect-Request or | If there are any Proxy-State Attributes in a Disconnect-Request or | |||
CoA-Request received from the server, the forwarding proxy or NAS | CoA-Request received from the server, the forwarding proxy or NAS | |||
MUST include those Proxy-State Attributes in its response to the | MUST include those Proxy-State Attributes in its response to the | |||
server. | server. | |||
A forwarding proxy or NAS MUST NOT modify existing Proxy-State, | A forwarding proxy or NAS MUST NOT modify existing Proxy-State, | |||
State, or Class Attributes present in the packet. The forwarding | State, or Class Attributes present in the packet. The forwarding | |||
proxy or NAS MUST treat any Proxy-State attributes already in the | proxy or NAS MUST treat any Proxy-State attributes already in the | |||
packet as opaque data. Its operation MUST NOT depend on the | packet as opaque data. Its operation MUST NOT depend on the | |||
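Review bot: "RADIUS Attribue specifications" in the first paragraph of this hunk is misspelled in both -04 and -05; correct it to "Attribute" while this paragraph is being reflowed. The reworded sentence ("it is possible that it will not support inclusion") is otherwise equivalent to the old "may not support" and removes the lowercase "may" ambiguity, which is good.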
skipping to change at page 11, line 7 | skipping to change at page 11, line 7 | |||
Attribute # Reference Description | Attribute # Reference Description | |||
--------- --- --------- ----------- | --------- --- --------- ----------- | |||
User-Name 1 [RFC2865] The name of the user | User-Name 1 [RFC2865] The name of the user | |||
associated with the session. | associated with the session. | |||
NAS-Port 5 [RFC2865] The port on which the | NAS-Port 5 [RFC2865] The port on which the | |||
session is terminated. | session is terminated. | |||
Attribute # Reference Description | Attribute # Reference Description | |||
--------- --- --------- ----------- | --------- --- --------- ----------- | |||
Framed-IP-Address 8 [RFC2865] The IPv4 address associated | ||||
with the session. | ||||
Called-Station-Id 30 [RFC2865] The link address to which | Called-Station-Id 30 [RFC2865] The link address to which | |||
the session is connected. | the session is connected. | |||
Calling-Station-Id 31 [RFC2865] The link address from which | Calling-Station-Id 31 [RFC2865] The link address from which | |||
the session is connected. | the session is connected. | |||
Acct-Session-Id 44 [RFC2866] The identifier uniquely | Acct-Session-Id 44 [RFC2866] The identifier uniquely | |||
identifying the session | identifying the session | |||
on the NAS. | on the NAS. | |||
Acct-Multi-Session-Id 50 [RFC2866] The identifier uniquely | Acct-Multi-Session-Id 50 [RFC2866] The identifier uniquely | |||
identifying related sessions. | identifying related sessions. | |||
NAS-Port-Type 61 [RFC2865] The type of port used. | ||||
NAS-Port-Id 87 [RFC2869] String identifying the port | NAS-Port-Id 87 [RFC2869] String identifying the port | |||
where the session is. | where the session is. | |||
Chargeable-User- 89 [RFC4372] The CUI associated with the | Chargeable-User- 89 [RFC4372] The CUI associated with the | |||
Identity session. Needed where a | Identity session. Needed where a | |||
privacy NAI is used, so that | privacy NAI is used, because | |||
the User-Name may not be | the User-Name may not be | |||
unique (e.g. "anonymous"). | unique (e.g. "anonymous"). | |||
Originating-Line-Info 94 [RFC4005] Provides information on the | ||||
characteristics of the line | ||||
from which a session | ||||
originated. | ||||
Framed-Interface-Id 96 [RFC3162] The IPv6 Interface Identifier | ||||
associated with the session; | ||||
always sent with | ||||
Framed-IPv6-Prefix. | ||||
Framed-IPv6-Prefix 97 [RFC3162] The IPv6 prefix associated | ||||
with the session, always sent | ||||
with Framed-Interface-Id. | ||||
To address security concerns described in Section 6.1, and to enable | To address security concerns described in Section 6.1, either the | |||
Diameter/RADIUS translation, the User-Name Attribute SHOULD be | User-Name or Chargeable-User-Identity attribute SHOULD be present in | |||
present in Disconnect-Request or CoA-Request packets; one or more | Disconnect-Request and CoA-Request packets. | |||
additional session identification attributes MAY also be present. | ||||
For example, where a Diameter client utilizes the same Session-Id for | Where a Diameter client utilizes the same Session-Id for both | |||
both authorization and accounting, inclusion of an Acct-Session-Id | authorization and accounting, inclusion of an Acct-Session-Id | |||
Attribute in a Disconnect-Request or CoA-Request can assist with | Attribute in a Disconnect-Request or CoA-Request can assist with | |||
Diameter/RADIUS translation, since Diameter RAR and ASR commands | Diameter/RADIUS translation, since Diameter RAR and ASR commands | |||
include a Session-Id AVP. | include a Session-Id AVP. An Acct-Session-Id attribute SHOULD be | |||
included in Disconnect-Request and CoA-Request packets. | ||||
Where a NAS offers multiple services, confusion may result with | Where the Acct-Session-Id or Acct-Multi-Session-Id attributes are not | |||
respect to interpretation of a CoA-Request or Disconnect-Request. In | present in a CoA-Request or Disconnect-Request, it is possible that | |||
order to prevent confusion a RADIUS Server SHOULD identify the | the User-Name or Chargeable-User-Identity attributes will not be | |||
session as specifically as possible. For example, an Acct-Session-Id | sufficient to uniquely identify the session (e.g. if the same user | |||
attribute SHOULD be included in Disconnect-Request and CoA-Request | has multiple sessions on the NAS, or the privacy NAI is used). As a | |||
packets, rather than just the User-Name attribute. | result, the Called-Station-Id, Calling-Station-Id, NAS-Port and NAS- | |||
Port-Id attributes MAY be used as additional session identification. | ||||
To address security concerns described in Section 6.2, one or more of | To address security concerns described in Section 6.2, one or more of | |||
the NAS-IP-Address or NAS-IPv6-Address Attributes SHOULD be present | the NAS-IP-Address or NAS-IPv6-Address Attributes SHOULD be present | |||
in Disconnect-Request or CoA-Request packets; the NAS-Identifier | in Disconnect-Request and CoA-Request packets; the NAS-Identifier | |||
Attribute MAY be present in addition. | Attribute MAY be present. | |||
If one or more authorization changes specified in a CoA-Request | If one or more authorization changes specified in a CoA-Request | |||
cannot be carried out, or if one or more attributes or attribute- | cannot be carried out, or if one or more attributes or attribute- | |||
values is unsupported, a CoA-NAK MUST be sent. Similarly, if there | values is unsupported, a CoA-NAK MUST be sent. Similarly, if there | |||
are one or more unsupported attributes or attribute values in a | are one or more unsupported attributes or attribute values in a | |||
Disconnect-Request, a Disconnect-NAK MUST be sent. | Disconnect-Request, a Disconnect-NAK MUST be sent. | |||
A CoA-Request containing a Service-Type Attribute with value | ||||
"Authorize Only" MUST contain only NAS or session identification | ||||
attributes, as well as Service-Type and State attributes. If other | ||||
attributes are included in such a CoA-Request, implementations MUST | ||||
send a CoA-NAK; an Error-Cause Attribute with value "Unsupported | ||||
Attribute" MAY be included. | ||||
A Disconnect-Request MUST contain only NAS and session identification | A Disconnect-Request MUST contain only NAS and session identification | |||
attributes (see Section 3). If other attributes are included in a | attributes (see Section 3). If other attributes are included in a | |||
Disconnect-Request, implementations MUST send a Disconnect-NAK; an | Disconnect-Request, implementations MUST send a Disconnect-NAK; an | |||
Error-Cause Attribute with value "Unsupported Attribute" MAY be | Error-Cause Attribute with value "Unsupported Attribute" MAY be | |||
included. | included. | |||
3.1. State | 3.1. Authorize Only | |||
Support for a CoA-Request including a Service-Type Attribute with | ||||
value "Authorize Only" is OPTIONAL on the NAS and RADIUS server. A | ||||
Service-Type Attribute MUST NOT be included within a Disconnect- | ||||
Request. | ||||
A NAS MUST respond to a CoA-Request including a Service-Type | ||||
Attribute with value "Authorize Only" with a CoA-NAK; a CoA-ACK MUST | ||||
NOT be sent. If the NAS does not support a Service-Type value of | ||||
"Authorize Only" then it MUST respond with a CoA-NAK; an Error-Cause | ||||
value of 405 (Unsupported Service) SHOULD be included. | ||||
A CoA-Request containing a Service-Type Attribute with value | ||||
"Authorize Only" MUST in addition contain only NAS or session | ||||
identification attributes, as well as a State Attribute. If other | ||||
attributes are included in such a CoA-Request, a CoA-NAK MUST be | ||||
sent; an Error-Cause Attribute with value 401 (Unsupported Attribute) | ||||
SHOULD be included. | ||||
If a CoA-Request packet including a Service-Type value of "Authorize | ||||
Only" is successfully processed, the NAS MUST respond with a CoA-NAK | ||||
containing a Service-Type Attribute with value "Authorize Only", and | ||||
an Error-Cause Attribute with value 507 (Request Initiated). The NAS | ||||
then MUST send an Access-Request to the RADIUS server including a | ||||
Service-Type Attribute with value "Authorize Only". This Access- | ||||
Request SHOULD contain the NAS identification attributes from the | ||||
CoA-Request, as well as the session identification attributes from | ||||
the CoA-Request legal for inclusion in an Access-Request as specified | ||||
in [RFC2865], [RFC2868], [RFC2869] and [RFC3162]. As noted in | ||||
[RFC2869] Section 5.19, a Message-Authenticator attribute SHOULD be | ||||
included in an Access-Request that does not contain a User-Password, | ||||
CHAP-Password, ARAP-Password or EAP-Message Attribute. The RADIUS | ||||
server then will respond to the Access-Request with an Access-Accept | ||||
to (re-)authorize the session or an Access-Reject to refuse to | ||||
(re-)authorize it. | ||||
3.2. State | ||||
The State Attribute is available to be sent by the RADIUS server to | ||||
the NAS in a CoA-Request packet and MUST be sent unmodified from the | ||||
NAS to the RADIUS server in a subsequent ACK or NAK packet. | ||||
[RFC2865] Section 5.44 states: | [RFC2865] Section 5.44 states: | |||
An Access-Request MUST contain either a User-Password or a CHAP- | An Access-Request MUST contain either a User-Password or a CHAP- | |||
Password or State. An Access-Request MUST NOT contain both a | Password or State. An Access-Request MUST NOT contain both a | |||
User-Password and a CHAP-Password. If future extensions allow | User-Password and a CHAP-Password. If future extensions allow | |||
other kinds of authentication information to be conveyed, the | other kinds of authentication information to be conveyed, the | |||
attribute for that can be used in an Access-Request instead of | attribute for that can be used in an Access-Request instead of | |||
User-Password or CHAP-Password. | User-Password or CHAP-Password. | |||
In order to satisfy the requirements of [RFC2865] Section 5.44, an | In order to satisfy the requirements of [RFC2865] Section 5.44, an | |||
Access-Request with Service-Type="Authorize-Only" MUST contain a | Access-Request with Service-Type="Authorize-Only" MUST contain a | |||
State attribute. | State attribute. | |||
In order to provide a State attribute to the NAS, a server sending a | In order to provide a State attribute to the NAS, a server sending a | |||
CoA-Request with a Service-Type value of "Authorize-Only" MUST | CoA-Request with a Service-Type value of "Authorize-Only" MUST | |||
include a State Attribute, and the NAS MUST include the State | include a State Attribute, and the NAS MUST send the State Attribute | |||
Attribute unchanged in the Access-Request. A NAS receiving a CoA- | unmodified to the RADIUS server in the resulting Access-Request, if | |||
Request containing a Service-Type value of "Authorize-Only" but | any. A NAS receiving a CoA-Request containing a Service-Type value | |||
lacking a State attribute MUST send a CoA-NAK and SHOULD include an | of "Authorize-Only" but lacking a State attribute MUST send a CoA-NAK | |||
Error-Cause attribute with value 402 (Missing Attribute). | and SHOULD include an Error-Cause attribute with value 402 (Missing | |||
Attribute). | ||||
3.2. Message-Authenticator | The State Attribute is also available to be sent by the RADIUS server | |||
to the NAS in a CoA-Request that also includes a Termination-Action | ||||
Attribute with the value of RADIUS-Request. If the client performs | ||||
the Termination-Action by sending a new Access-Request upon | ||||
termination of the current session, it MUST include the State | ||||
Attribute unchanged in that Access-Request. In either usage, the | ||||
client MUST NOT interpret the Attribute locally. A CoA-Request | ||||
packet must have only zero or one State Attribute. Usage of the | ||||
State Attribute is implementation dependent. | ||||
3.3. Message-Authenticator | ||||
The Message-Authenticator Attribute MAY be used to authenticate and | The Message-Authenticator Attribute MAY be used to authenticate and | |||
integrity-protect CoA-Request, CoA-ACK, CoA-NAK, Disconnect-Request, | integrity-protect CoA-Request, CoA-ACK, CoA-NAK, Disconnect-Request, | |||
Disconnect-ACK and Disconnect-NAK packets order to prevent spoofing. | Disconnect-ACK and Disconnect-NAK packets order to prevent spoofing. | |||
A RADIUS client receiving a CoA-Request or Disconnect-Request with a | A RADIUS client receiving a CoA-Request or Disconnect-Request with a | |||
Message-Authenticator Attribute present MUST calculate the correct | Message-Authenticator Attribute present MUST calculate the correct | |||
value of the Message-Authenticator and silently discard the packet if | value of the Message-Authenticator and silently discard the packet if | |||
it does not match the value sent. A RADIUS server receiving a | it does not match the value sent. A RADIUS server receiving a | |||
CoA/Disconnect-ACK or CoA/Disconnect-NAK with a Message-Authenticator | CoA/Disconnect-ACK or CoA/Disconnect-NAK with a Message-Authenticator | |||
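Review bot: The new last paragraph of Section 3.2 states "A CoA-Request packet must have only zero or one State Attribute" with a lowercase "must", while every other requirement in the added text uses RFC 2119 capitals. If this is normative, write "MUST contain at most one State Attribute"; if it only restates the attribute table, say so. In the unchanged Section 3.3 text below it, "Disconnect-NAK packets order to prevent spoofing" is missing the word "in" and can be fixed in the same revision.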
skipping to change at page 13, line 46 | skipping to change at page 14, line 29 | |||
Message-Authenticator = HMAC-MD5 (Type, Identifier, Length, | Message-Authenticator = HMAC-MD5 (Type, Identifier, Length, | |||
Request Authenticator, Attributes) | Request Authenticator, Attributes) | |||
When the HMAC-MD5 message integrity check is calculated the | When the HMAC-MD5 message integrity check is calculated the | |||
Message-Authenticator Attribute should be considered to be sixteen | Message-Authenticator Attribute should be considered to be sixteen | |||
octets of zero. The Request Authenticator is taken from the | octets of zero. The Request Authenticator is taken from the | |||
corresponding CoA/Disconnect-Request. The Message-Authenticator | corresponding CoA/Disconnect-Request. The Message-Authenticator | |||
is calculated and inserted in the packet before the Response | is calculated and inserted in the packet before the Response | |||
Authenticator is calculated. | Authenticator is calculated. | |||
3.3. Error-Cause | 3.4. Error-Cause | |||
Description | Description | |||
It is possible that the NAS cannot honor Disconnect-Request or | It is possible that the NAS cannot honor Disconnect-Request or | |||
CoA-Request packets for some reason. The Error-Cause Attribute | CoA-Request packets for some reason. The Error-Cause Attribute | |||
provides more detail on the cause of the problem. It MAY be | provides more detail on the cause of the problem. It MAY be | |||
included within Disconnect-ACK, Disconnect-NAK and CoA-NAK | included within Disconnect-NAK and CoA-NAK packets. | |||
packets. | ||||
A summary of the Error-Cause Attribute format is shown below. The | A summary of the Error-Cause Attribute format is shown below. The | |||
fields are transmitted from left to right. | fields are transmitted from left to right. | |||
0 1 2 3 | 0 1 2 3 | |||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| Type | Length | Value | | Type | Length | Value | |||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
Value (cont) | | Value (cont) | | |||
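Review bot: The Description paragraph of Section 3.4 now allows Error-Cause only in Disconnect-NAK and CoA-NAK, dropping Disconnect-ACK, but nothing else in this hunk shows a matching change. Check that the Disconnect Messages attribute table and any Error-Cause values described as accompanying a successful disconnect are updated to agree with the new sentence, otherwise the section will contradict itself.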
skipping to change at page 16, line 35 | skipping to change at page 17, line 16 | |||
not be honored due to lack of available NAS resources (memory, | not be honored due to lack of available NAS resources (memory, | |||
non- volatile storage, etc.). | non- volatile storage, etc.). | |||
"Request Initiated" is a fatal error sent in response to a CoA- | "Request Initiated" is a fatal error sent in response to a CoA- | |||
Request including a Service-Type Attribute with a value of | Request including a Service-Type Attribute with a value of | |||
"Authorize Only". It indicates that the CoA-Request has not been | "Authorize Only". It indicates that the CoA-Request has not been | |||
honored, but that a RADIUS Access-Request including a Service-Type | honored, but that a RADIUS Access-Request including a Service-Type | |||
Attribute with value "Authorize Only" is being sent to the RADIUS | Attribute with value "Authorize Only" is being sent to the RADIUS | |||
server. | server. | |||
3.4. Table of Attributes | 3.5. Table of Attributes | |||
The following table provides a guide to which attributes may be found | The following table provides a guide to which attributes may be found | |||
in which packets, and in what quantity. | in which packets, and in what quantity. | |||
Change-of-Authorization Messages | Change-of-Authorization Messages | |||
Request ACK NAK # Attribute | Request ACK NAK # Attribute | |||
0-1 0 0 1 User-Name [Note 1] | 0-1 0 0 1 User-Name [Note 1] | |||
0-1 0 0 4 NAS-IP-Address [Note 1] | 0-1 0 0 4 NAS-IP-Address [Note 1] | |||
0-1 0 0 5 NAS-Port [Note 1] | 0-1 0 0 5 NAS-Port [Note 1] | |||
0-1 0 0-1 6 Service-Type [Note 6] | 0-1 0 0-1 6 Service-Type | |||
0-1 0 0 7 Framed-Protocol [Note 3] | 0-1 0 0 7 Framed-Protocol [Note 3] | |||
0-1 0 0 8 Framed-IP-Address [Note 1][Note 8] | 0-1 0 0 8 Framed-IP-Address [Note 6] | |||
0-1 0 0 9 Framed-IP-Netmask [Note 3] | 0-1 0 0 9 Framed-IP-Netmask [Note 6] | |||
0-1 0 0 10 Framed-Routing [Note 3] | 0-1 0 0 10 Framed-Routing [Note 3] | |||
Request ACK NAK # Attribute | ||||
Request ACK NAK # Attribute | ||||
0+ 0 0 11 Filter-ID [Note 3] | 0+ 0 0 11 Filter-ID [Note 3] | |||
0-1 0 0 12 Framed-MTU [Note 3] | 0-1 0 0 12 Framed-MTU [Note 3] | |||
0+ 0 0 13 Framed-Compression [Note 3] | 0+ 0 0 13 Framed-Compression [Note 3] | |||
0+ 0 0 14 Login-IP-Host [Note 3] | 0+ 0 0 14 Login-IP-Host [Note 3] | |||
0-1 0 0 15 Login-Service [Note 3] | 0-1 0 0 15 Login-Service [Note 3] | |||
0-1 0 0 16 Login-TCP-Port [Note 3] | 0-1 0 0 16 Login-TCP-Port [Note 3] | |||
0+ 0 0 18 Reply-Message [Note 2] | 0+ 0 0 18 Reply-Message [Note 2] | |||
0-1 0 0 19 Callback-Number [Note 3] | 0-1 0 0 19 Callback-Number [Note 3] | |||
0-1 0 0 20 Callback-Id [Note 3] | 0-1 0 0 20 Callback-Id [Note 3] | |||
0+ 0 0 22 Framed-Route [Note 3] | 0+ 0 0 22 Framed-Route [Note 3] | |||
0-1 0 0 23 Framed-IPX-Network [Note 3] | 0-1 0 0 23 Framed-IPX-Network [Note 6] | |||
0-1 0-1 0-1 24 State [Note 7] | 0-1 0-1 0-1 24 State | |||
0+ 0 0 25 Class [Note 3] | 0+ 0 0 25 Class [Note 3] | |||
0+ 0 0 26 Vendor-Specific [Note 3] | 0+ 0 0 26 Vendor-Specific [Note 3] | |||
0-1 0 0 27 Session-Timeout [Note 3] | 0-1 0 0 27 Session-Timeout [Note 3] | |||
0-1 0 0 28 Idle-Timeout [Note 3] | 0-1 0 0 28 Idle-Timeout [Note 3] | |||
0-1 0 0 29 Termination-Action [Note 3] | 0-1 0 0 29 Termination-Action [Note 3] | |||
0-1 0 0 30 Called-Station-Id [Note 1] | 0-1 0 0 30 Called-Station-Id [Note 1] | |||
0-1 0 0 31 Calling-Station-Id [Note 1] | 0-1 0 0 31 Calling-Station-Id [Note 1] | |||
0-1 0 0 32 NAS-Identifier [Note 1] | 0-1 0 0 32 NAS-Identifier [Note 1] | |||
Request ACK NAK # Attribute | ||||
Request ACK NAK # Attribute | ||||
0+ 0+ 0+ 33 Proxy-State | 0+ 0+ 0+ 33 Proxy-State | |||
0-1 0 0 34 Login-LAT-Service [Note 3] | 0-1 0 0 34 Login-LAT-Service [Note 3] | |||
0-1 0 0 35 Login-LAT-Node [Note 3] | 0-1 0 0 35 Login-LAT-Node [Note 3] | |||
0-1 0 0 36 Login-LAT-Group [Note 3] | 0-1 0 0 36 Login-LAT-Group [Note 3] | |||
0-1 0 0 37 Framed-AppleTalk-Link [Note 3] | 0-1 0 0 37 Framed-AppleTalk-Link [Note 3] | |||
0+ 0 0 38 Framed-AppleTalk-Network [Note 3] | 0+ 0 0 38 Framed-AppleTalk-Network [Note 3] | |||
0-1 0 0 39 Framed-AppleTalk-Zone [Note 3] | 0-1 0 0 39 Framed-AppleTalk-Zone [Note 3] | |||
0-1 0 0 44 Acct-Session-Id [Note 1] | 0-1 0 0 44 Acct-Session-Id [Note 1] | |||
0-1 0 0 50 Acct-Multi-Session-Id [Note 1] | 0-1 0 0 50 Acct-Multi-Session-Id [Note 1] | |||
0-1 0-1 0-1 55 Event-Timestamp | 0-1 0-1 0-1 55 Event-Timestamp | |||
0+ 0 0 56 Egress-VLANID [Note 3] | 0+ 0 0 56 Egress-VLANID [Note 3] | |||
0-1 0 0 57 Ingress-Filters [Note 3] | 0-1 0 0 57 Ingress-Filters [Note 3] | |||
0+ 0 0 58 Egress-VLAN-Name [Note 3] | 0+ 0 0 58 Egress-VLAN-Name [Note 3] | |||
0-1 0 0 59 User-Priority-Table [Note 3] | 0-1 0 0 59 User-Priority-Table [Note 3] | |||
0-1 0 0 61 NAS-Port-Type [Note 1] | 0-1 0 0 61 NAS-Port-Type [Note 3] | |||
0-1 0 0 62 Port-Limit [Note 3] | 0-1 0 0 62 Port-Limit [Note 3] | |||
0-1 0 0 63 Login-LAT-Port [Note 3] | 0-1 0 0 63 Login-LAT-Port [Note 3] | |||
0+ 0 0 64 Tunnel-Type [Note 5] | 0+ 0 0 64 Tunnel-Type [Note 5] | |||
0+ 0 0 65 Tunnel-Medium-Type [Note 5] | 0+ 0 0 65 Tunnel-Medium-Type [Note 5] | |||
0+ 0 0 66 Tunnel-Client-Endpoint [Note 5] | 0+ 0 0 66 Tunnel-Client-Endpoint [Note 5] | |||
0+ 0 0 67 Tunnel-Server-Endpoint [Note 5] | 0+ 0 0 67 Tunnel-Server-Endpoint [Note 5] | |||
0+ 0 0 69 Tunnel-Password [Note 5] | 0+ 0 0 69 Tunnel-Password [Note 5] | |||
0-1 0 0 71 ARAP-Features [Note 3] | 0-1 0 0 71 ARAP-Features [Note 3] | |||
0-1 0 0 72 ARAP-Zone-Access [Note 3] | 0-1 0 0 72 ARAP-Zone-Access [Note 3] | |||
0+ 0 0 78 Configuration-Token [Note 3] | 0+ 0 0 78 Configuration-Token [Note 3] | |||
0+ 0-1 0 79 EAP-Message [Note 2] | 0+ 0-1 0 79 EAP-Message [Note 2] | |||
Request ACK NAK # Attribute | ||||
Request ACK NAK # Attribute | ||||
0-1 0-1 0-1 80 Message-Authenticator | 0-1 0-1 0-1 80 Message-Authenticator | |||
0+ 0 0 81 Tunnel-Private-Group-ID [Note 5] | 0+ 0 0 81 Tunnel-Private-Group-ID [Note 5] | |||
0+ 0 0 82 Tunnel-Assignment-ID [Note 5] | 0+ 0 0 82 Tunnel-Assignment-ID [Note 5] | |||
0+ 0 0 83 Tunnel-Preference [Note 5] | 0+ 0 0 83 Tunnel-Preference [Note 5] | |||
0-1 0 0 85 Acct-Interim-Interval [Note 3] | 0-1 0 0 85 Acct-Interim-Interval [Note 3] | |||
0-1 0 0 87 NAS-Port-Id [Note 1] | 0-1 0 0 87 NAS-Port-Id [Note 1] | |||
0-1 0 0 88 Framed-Pool [Note 3] | 0-1 0 0 88 Framed-Pool [Note 6] | |||
0-1 0 0 89 Chargeable-User-Identity [Note 1] | 0-1 0 0 89 Chargeable-User-Identity [Note 1] | |||
0+ 0 0 90 Tunnel-Client-Auth-ID [Note 5] | 0+ 0 0 90 Tunnel-Client-Auth-ID [Note 5] | |||
0+ 0 0 91 Tunnel-Server-Auth-ID [Note 5] | 0+ 0 0 91 Tunnel-Server-Auth-ID [Note 5] | |||
0-1 0 0 92 NAS-Filter-Rule [Note 3] | 0-1 0 0 92 NAS-Filter-Rule [Note 3] | |||
0-1 0 0 94 Originating-Line-Info [Note 1] | 0 0 0 94 Originating-Line-Info | |||
0-1 0 0 95 NAS-IPv6-Address [Note 1] | 0-1 0 0 95 NAS-IPv6-Address [Note 1] | |||
0-1 0 0 96 Framed-Interface-Id [Note 1][Note 8] | 0-1 0 0 96 Framed-Interface-Id [Note 6] | |||
0+ 0 0 97 Framed-IPv6-Prefix [Note 1][Note 8] | 0+ 0 0 97 Framed-IPv6-Prefix [Note 6] | |||
0+ 0 0 98 Login-IPv6-Host [Note 3] | 0+ 0 0 98 Login-IPv6-Host [Note 3] | |||
0+ 0 0 99 Framed-IPv6-Route [Note 3] | 0+ 0 0 99 Framed-IPv6-Route [Note 3] | |||
0-1 0 0 100 Framed-IPv6-Pool [Note 3] | 0-1 0 0 100 Framed-IPv6-Pool [Note 6] | |||
0 0 0+ 101 Error-Cause | 0 0 0+ 101 Error-Cause | |||
0+ 0 0 123 Delegated-IPv6-Prefix [Note 3] | 0+ 0 0 123 Delegated-IPv6-Prefix [Note 6] | |||
Request ACK NAK # Attribute | Request ACK NAK # Attribute | |||
Disconnect Messages | Disconnect Messages | |||
Request ACK NAK # Attribute | Request ACK NAK # Attribute | |||
0-1 0 0 1 User-Name [Note 1] | 0-1 0 0 1 User-Name [Note 1] | |||
0-1 0 0 4 NAS-IP-Address [Note 1] | 0-1 0 0 4 NAS-IP-Address [Note 1] | |||
0-1 0 0 5 NAS-Port [Note 1] | 0-1 0 0 5 NAS-Port [Note 1] | |||
0 0 0 6 Service-Type | 0 0 0 6 Service-Type | |||
0-1 0 0 8 Framed-IP-Address [Note 1] | 0 0 0 8 Framed-IP-Address [Note 6] | |||
0+ 0 0 18 Reply-Message [Note 2] | 0+ 0 0 18 Reply-Message [Note 2] | |||
0 0 0 24 State | 0 0 0 24 State | |||
0+ 0 0 25 Class [Note 4] | 0+ 0 0 25 Class [Note 4] | |||
0+ 0 0 26 Vendor-Specific | 0+ 0 0 26 Vendor-Specific | |||
0-1 0 0 30 Called-Station-Id [Note 1] | 0-1 0 0 30 Called-Station-Id [Note 1] | |||
0-1 0 0 31 Calling-Station-Id [Note 1] | 0-1 0 0 31 Calling-Station-Id [Note 1] | |||
0-1 0 0 32 NAS-Identifier [Note 1] | 0-1 0 0 32 NAS-Identifier [Note 1] | |||
0+ 0+ 0+ 33 Proxy-State | 0+ 0+ 0+ 33 Proxy-State | |||
0-1 0 0 44 Acct-Session-Id [Note 1] | 0-1 0 0 44 Acct-Session-Id [Note 1] | |||
0-1 0-1 0 49 Acct-Terminate-Cause | 0-1 0-1 0 49 Acct-Terminate-Cause | |||
0-1 0 0 50 Acct-Multi-Session-Id [Note 1] | 0-1 0 0 50 Acct-Multi-Session-Id [Note 1] | |||
0-1 0-1 0-1 55 Event-Timestamp | 0-1 0-1 0-1 55 Event-Timestamp | |||
0-1 0 0 61 NAS-Port-Type [Note 1] | 0 0 0 61 NAS-Port-Type | |||
0+ 0-1 0 79 EAP-Message [Note 2] | 0+ 0-1 0 79 EAP-Message [Note 2] | |||
0-1 0-1 0-1 80 Message-Authenticator | 0-1 0-1 0-1 80 Message-Authenticator | |||
0-1 0 0 87 NAS-Port-Id [Note 1] | 0-1 0 0 87 NAS-Port-Id [Note 1] | |||
Request ACK NAK # Attribute | ||||
Request ACK NAK # Attribute | ||||
0-1 0 0 89 Chargeable-User-Identity [Note 1] | 0-1 0 0 89 Chargeable-User-Identity [Note 1] | |||
0-1 0 0 94 Orginating-Line-Info [Note 1] | ||||
0-1 0 0 95 NAS-IPv6-Address [Note 1] | 0-1 0 0 95 NAS-IPv6-Address [Note 1] | |||
0-1 0 0 96 Framed-Interface-Id [Note 1] | 0 0 0 96 Framed-Interface-Id [Note 6] | |||
0+ 0 0 97 Framed-IPv6-Prefix [Note 1] | 0 0 0 97 Framed-IPv6-Prefix [Note 6] | |||
0 0+ 0+ 101 Error-Cause | 0 0 0 100 Framed-IPv6-Pool [Note 6] | |||
0 0 0+ 101 Error-Cause | ||||
Request ACK NAK # Attribute | Request ACK NAK # Attribute | |||
The following table defines the meaning of the above table entries. | The following table defines the meaning of the above table entries. | |||
0 This attribute MUST NOT be present in packet. | 0 This attribute MUST NOT be present in packet. | |||
0+ Zero or more instances of this attribute MAY be present in packet. | 0+ Zero or more instances of this attribute MAY be present in packet. | |||
0-1 Zero or one instance of this attribute MAY be present in packet. | 0-1 Zero or one instance of this attribute MAY be present in packet. | |||
1 Exactly one instance of this attribute MUST be present in packet. | 1 Exactly one instance of this attribute MUST be present in packet. | |||
[Note 1] Where NAS or session identification attributes are included | [Note 1] Where NAS or session identification attributes are included | |||
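Review bot: attribute 94 is treated inconsistently across the two tables in -05. The CoA table keeps it as an all-zero row ("0 0 0 94 Originating-Line-Info"), but the Disconnect table drops the -04 row outright, while the other attributes prohibited in Disconnect messages (8, 61, 96, 97, 100) are listed there as "0 0 0". Suggest adding a "0 0 0 94 Originating-Line-Info" row to the Disconnect table so that an implementer validating inbound Disconnect-Requests sees the prohibition stated rather than having to infer it from a missing row.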
skipping to change at page 19, line 51 | skipping to change at page 20, line 26 | |||
a Disconnect-ACK is subsequently sent), the Class Attribute SHOULD be | a Disconnect-ACK is subsequently sent), the Class Attribute SHOULD be | |||
sent unmodified by the client to the accounting server in the | sent unmodified by the client to the accounting server in the | |||
Accounting Stop packet. If the Disconnect-Request is unsuccessful, | Accounting Stop packet. If the Disconnect-Request is unsuccessful, | |||
then the Class Attribute is not processed. | then the Class Attribute is not processed. | |||
[Note 5] When included within a CoA-Request, these attributes | [Note 5] When included within a CoA-Request, these attributes | |||
represent an authorization change request. Where tunnel attribute(s) | represent an authorization change request. Where tunnel attribute(s) | |||
are included within a successful CoA-Request, all existing tunnel | are included within a successful CoA-Request, all existing tunnel | |||
attributes are removed and replaced by the new attribute(s). | attributes are removed and replaced by the new attribute(s). | |||
[Note 6] Support for the Service-Type of "Authorize Only" is OPTIONAL | [Note 6] Where included within a CoA-Request, these attributes | |||
on the NAS and RADIUS server. A NAS supporting the "Authorize Only" | represent a renumbering request. Since these attributes are not used | |||
Service-Type value within a CoA-Request packet MUST respond with a | for session identification, they MUST NOT be included within a | |||
CoA-NAK containing a Service-Type Attribute with value "Authorize | Disconnect-Request. Note that renumbering may not be possible in all | |||
Only", and an Error-Cause Attribute with value "Request Initiated". | situations. For example, in order to change an IP address on receipt | |||
The NAS then sends an Access-Request to the RADIUS server with a | of a changed Framed-IP-Address address, IPCP re-negotiation could be | |||
Service-Type Attribute with value "Authorize Only". This Access- | required, which is not supported by all PPP implementations. | |||
Request SHOULD contain the NAS attributes from the CoA-Request, as | ||||
well as the session attributes from the CoA-Request legal for | ||||
inclusion in an Access-Request as specified in [RFC2865], [RFC2868], | ||||
[RFC2869] and [RFC3162]. As noted in [RFC2869] Section 5.19, a | ||||
Message-Authenticator attribute SHOULD be included in an Access- | ||||
Request that does not contain a User-Password, CHAP-Password, ARAP- | ||||
Password or EAP-Message Attribute. The RADIUS server should send | ||||
back an Access-Accept to (re-)authorize the session or an Access- | ||||
Reject to refuse to (re-)authorize it. | ||||
A NAS that does not support the Service-Type Attribute with the value | ||||
"Authorize Only" within a CoA-Request MUST respond with a CoA-NAK | ||||
including no Service-Type Attribute; an Error-Cause Attribute with | ||||
value "Unsupported Service" MAY be included. | ||||
[Note 7] The State Attribute is available to be sent by the RADIUS | ||||
server to the NAS in a CoA-Request packet and MUST be sent unmodified | ||||
from the NAS to the RADIUS server in a subsequent ACK or NAK packet. | ||||
If a Service-Type Attribute with value "Authorize Only" is included | ||||
in a CoA-Request then a State Attribute MUST be present, and MUST be | ||||
sent unmodified from the NAS to the RADIUS server in the resulting | ||||
Access-Request sent to the RADIUS server, if any. The State | ||||
Attribute is also available to be sent by the RADIUS server to the | ||||
NAS in a CoA-Request that also includes a Termination-Action | ||||
Attribute with the value of RADIUS-Request. If the client performs | ||||
the Termination-Action by sending a new Access-Request upon | ||||
termination of the current session, it MUST include the State | ||||
Attribute unchanged in that Access-Request. In either usage, the | ||||
client MUST NOT interpret the Attribute locally. A CoA-Request | ||||
packet must have only zero or one State Attribute. Usage of the | ||||
State Attribute is implementation dependent. | ||||
[Note 8] Since the Framed-IP-Address, Framed-IPv6-Prefix and Framed- | ||||
Interface-Id attributes are used for identification, these attributes | ||||
cannot be updated by including new values within a CoA-Request. | ||||
Instead, a CoA-Request with Service-Type="Authorize Only" is used, | ||||
and the new values can be supplied in response to the ensuing Access- | ||||
Request. | ||||
4. Diameter Considerations | 4. Diameter Considerations | |||
Due to differences in handling change-of-authorization requests in | Due to differences in handling change-of-authorization requests in | |||
RADIUS and Diameter, it may be difficult or impossible for a | RADIUS and Diameter, it may be difficult or impossible for a | |||
Diameter/RADIUS gateway to successfully translate a Diameter Re-Auth- | Diameter/RADIUS gateway to successfully translate a Diameter Re-Auth- | |||
Request (RAR) to a CoA-Request and vice versa. For example, since a | Request (RAR) to a CoA-Request and vice versa. For example, since a | |||
CoA-Request only initiates an authorization change but does not | CoA-Request only initiates an authorization change but does not | |||
initiate re-authentication, a RAR command containing a Re-Auth- | initiate re-authentication, a RAR command containing a Re-Auth- | |||
Request-Type AVP with value "AUTHORIZE_AUTHENTICATE" cannot be | Request-Type AVP with value "AUTHORIZE_AUTHENTICATE" cannot be | |||
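Review bot: the new [Note 6] says renumbering "may not be possible in all situations" but gives the NAS no required behaviour for that case. Suggest stating what the NAS returns when it cannot apply a changed Framed-IP-Address or prefix (a CoA-NAK, and with which Error-Cause value), so that the server does not assume the new address is in effect. The replaced -04 Notes 6 to 8 also carried normative text (State MUST be sent unmodified, the client MUST NOT interpret it locally) and the State row loses its [Note 7] reference; it is worth confirming that this text survives elsewhere in -05, since the hunk does not show where it went. Minor: "a changed Framed-IP-Address address" repeats "address".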
skipping to change at page 32, line 16 | skipping to change at page 32, line 16 | |||
This Appendix lists the major changes between [RFC3576] and this | This Appendix lists the major changes between [RFC3576] and this | |||
document. Minor changes, including style, grammar, spelling, and | document. Minor changes, including style, grammar, spelling, and | |||
editorial changes are not mentioned here. | editorial changes are not mentioned here. | |||
o Added details relating to handling of the Proxy-State Attribute. | o Added details relating to handling of the Proxy-State Attribute. | |||
Added requirement for duplicate detection on the RADIUS client | Added requirement for duplicate detection on the RADIUS client | |||
(Section 2.3). | (Section 2.3). | |||
o Added Chargeable-User-Identity as a session identification | o Added Chargeable-User-Identity as a session identification | |||
attribute (Section 3). | attribute. Removed Framed-IP-Address, Framed-IPv6-Prefix, Framed- | |||
Interface-Id and NAS-Port-Type attributes as session identification | ||||
attributes (Section 3). | ||||
o Added requirements for inclusion of the State Attribute in CoA- | o Added requirements for inclusion of the State Attribute in CoA- | |||
Request packets with a Service-Type of "Authorize Only" (Section | Request packets with a Service-Type of "Authorize Only" (Section | |||
3.1). | 3.2). | |||
o Added clarification on the calculation of the Message-Authenticator | o Added clarification on the calculation of the Message-Authenticator | |||
Attribute (Section 3.2). | Attribute (Section 3.3). | |||
o Added statement that support for "Authorize Only" Service-Type is | o Added statement that support for "Authorize Only" Service-Type is | |||
optional (Section 3.4). | optional (Section 3.5). | |||
o Updated CoA-Request Attribute Table to include Filter-Rule, | o Updated CoA-Request Attribute Table to include Filter-Rule, | |||
Delegated-IPv6-Prefix, Egress-VLANID, Ingress-Filters, Egress-VLAN- | Delegated-IPv6-Prefix, Egress-VLANID, Ingress-Filters, Egress-VLAN- | |||
Name and User-Priority attributes (Section 3.4). | Name and User-Priority attributes (Section 3.5). | |||
o Added the Chargeable-User-Identity Attribute to both the CoA- | o Added the Chargeable-User-Identity Attribute to both the CoA- | |||
Request and Disconnect-Request Attribute Table (Section 3.4). | Request and Disconnect-Request Attribute table (Section 3.5). | |||
o Added note relating to use of Service-Type="Authorize Only" for | o Added note on the use of the CoA-Request for renumbering (Section | |||
renumbering (Section 3.4). | 3.5). | |||
o Use of a Service-Type Attribute within a Disconnect-Request is | o Use of Service-Type and Error-Cause attributes within a Disconnect- | |||
prohibited (Sections 3.4, 4). | Request is prohibited (Sections 3.5). | |||
o Added Diameter Considerations (Section 5). | o Added Diameter Considerations (Section 4). | |||
o Changed the text to indicate that the Event-Timestamp Attribute | o Changed the text to indicate that the Event-Timestamp Attribute | |||
should not be recalculated on retransmission. The implications for | should not be recalculated on retransmission. The implications for | |||
replay and duplicate detection are discussed (Section 6.4). | replay and duplicate detection are discussed (Section 6.4). | |||
Full Copyright Statement | Full Copyright Statement | |||
Copyright (C) The IETF Trust (2007). | Copyright (C) The IETF Trust (2007). | |||
This document is subject to the rights, licenses and restrictions | This document is subject to the rights, licenses and restrictions | |||
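Review bot: the -05 changelog entry "Use of Service-Type and Error-Cause attributes within a Disconnect-Request is prohibited (Sections 3.5)" does not match the table change it describes. In the Disconnect table the Error-Cause Request column is 0 in both versions; what changes is the ACK column (0+ to 0), so the entry should refer to the Disconnect-ACK, and "Sections" should be singular. The entry listing attributes removed from session identification also omits Originating-Line-Info, which loses [Note 1] in the CoA table and its row in the Disconnect table.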
End of changes. 48 change blocks. | ||||
155 lines changed or deleted | 146 lines changed or added | |||
This html diff was produced by rfcdiff 1.33. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |