| draft-ietf-radext-rfc3576bis-04.txt | draft-ietf-radext-rfc3576bis-05.txt | |||
|---|---|---|---|---|
| Network Working Group Murtaza S. Chiba | Network Working Group Murtaza S. Chiba | |||
| INTERNET-DRAFT Gopal Dommety | INTERNET-DRAFT Gopal Dommety | |||
| Obsoletes: 3576 Mark Eklund | Obsoletes: 3576 Mark Eklund | |||
| Category: Informational Cisco Systems, Inc. | Category: Informational Cisco Systems, Inc. | |||
| <draft-ietf-radext-rfc3576bis-04.txt> David Mitton | <draft-ietf-radext-rfc3576bis-05.txt> David Mitton | |||
| 10 April 2007 RSA Security, Inc. | 22 May 2007 RSA Security, Inc. | |||
| Bernard Aboba | Bernard Aboba | |||
| Microsoft Corporation | Microsoft Corporation | |||
| Dynamic Authorization Extensions to Remote Authentication Dial In User | Dynamic Authorization Extensions to Remote Authentication Dial In User | |||
| Service (RADIUS) | Service (RADIUS) | |||
| By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
| applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
| have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
| aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
| skipping to change at page 1, line 36 | skipping to change at page 1, line 36 | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on October 25, 2007. | This Internet-Draft will expire on December 25, 2007. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (C) The IETF Trust (2007). All Rights Reserved. | Copyright (C) The IETF Trust (2007). All Rights Reserved. | |||
| Abstract | Abstract | |||
| This document describes a currently deployed extension to the Remote | This document describes a currently deployed extension to the Remote | |||
| Authentication Dial In User Service (RADIUS) protocol, allowing | Authentication Dial In User Service (RADIUS) protocol, allowing | |||
| dynamic changes to a user session, as implemented by network access | dynamic changes to a user session, as implemented by network access | |||
| skipping to change at page 2, line 16 | skipping to change at page 2, line 16 | |||
| 1. Introduction .......................................... 3 | 1. Introduction .......................................... 3 | |||
| 1.1 Applicability ................................... 3 | 1.1 Applicability ................................... 3 | |||
| 1.2 Requirements Language ........................... 4 | 1.2 Requirements Language ........................... 4 | |||
| 1.3 Terminology ..................................... 4 | 1.3 Terminology ..................................... 4 | |||
| 2. Overview ............................................. 5 | 2. Overview ............................................. 5 | |||
| 2.1 Disconnect Messages (DM) ........................ 5 | 2.1 Disconnect Messages (DM) ........................ 5 | |||
| 2.2 Change-of-Authorization Messages (CoA) .......... 5 | 2.2 Change-of-Authorization Messages (CoA) .......... 5 | |||
| 2.3 Packet Format ................................... 6 | 2.3 Packet Format ................................... 6 | |||
| 3. Attributes ............................................ 10 | 3. Attributes ............................................ 10 | |||
| 3.1 State ........................................... 12 | 3.1 Authorize Only .................................. 12 | |||
| 3.2 Message-Authenticator ........................... 13 | 3.2 State ........................................... 12 | |||
| 3.3 Error-Cause ..................................... 13 | 3.3 Message-Authenticator ........................... 13 | |||
| 3.4 Table of Attributes ............................. 16 | 3.4 Error-Cause ..................................... 14 | |||
| 4. Diameter Considerations ............................... 21 | 3.5 Table of Attributes ............................. 17 | |||
| 5. IANA Considerations ................................... 23 | 4. Diameter Considerations ............................... 20 | |||
| 6. Security Considerations ............................... 23 | 5. IANA Considerations ................................... 22 | |||
| 6.1 Authorization Issues ............................ 23 | 6. Security Considerations ............................... 22 | |||
| 6.2 Impersonation ................................... 24 | 6.1 Authorization Issues ............................ 22 | |||
| 6.2 Impersonation ................................... 23 | ||||
| 6.3 IPsec Usage Guidelines .......................... 24 | 6.3 IPsec Usage Guidelines .......................... 24 | |||
| 6.4 Replay Protection ............................... 27 | 6.4 Replay Protection ............................... 27 | |||
| 7. Example Traces ........................................ 28 | 7. Example Traces ........................................ 28 | |||
| 8. References ............................................ 28 | 8. References ............................................ 28 | |||
| 8.1 Normative References ............................ 28 | 8.1 Normative References ............................ 28 | |||
| 8.2 Informative References .......................... 29 | 8.2 Informative References .......................... 29 | |||
| ACKNOWLEDGMENTS .............................................. 30 | ACKNOWLEDGMENTS .............................................. 30 | |||
| AUTHORS' ADDRESSES ........................................... 31 | AUTHORS' ADDRESSES ........................................... 31 | |||
| Appendix A - Changes from RFC 3576 ........................... 32 | Appendix A - Changes from RFC 3576 ........................... 32 | |||
| Full Copyright Statement ..................................... 33 | Full Copyright Statement ..................................... 33 | |||
| skipping to change at page 6, line 16 | skipping to change at page 6, line 16 | |||
| | | <-------------------- | | | | | <-------------------- | | | |||
| | NAS | | RADIUS | | | NAS | | RADIUS | | |||
| | | CoA-Response | Server | | | | CoA-Response | Server | | |||
| | | ---------------------> | | | | | ---------------------> | | | |||
| +----------+ +----------+ | +----------+ +----------+ | |||
| The NAS responds to a CoA-Request sent by a RADIUS server with a CoA- | The NAS responds to a CoA-Request sent by a RADIUS server with a CoA- | |||
| ACK if the NAS is able to successfully change the authorizations for | ACK if the NAS is able to successfully change the authorizations for | |||
| the user session, or a CoA-NAK if the Request is unsuccessful. A NAS | the user session, or a CoA-NAK if the Request is unsuccessful. A NAS | |||
| MUST respond to a CoA-Request including a Service-Type Attribute with | MUST respond to a CoA-Request including a Service-Type Attribute with | |||
| value "Authorize Only" with a CoA-NAK; a CoA-ACK MUST NOT be sent. A | an unsupported value with a CoA-NAK; an Error-Cause Attribute with | |||
| NAS MUST respond to a CoA-Request including a Service-Type Attribute | value "Unsupported Service" MAY be included. | |||
| with an unsupported value with a CoA-NAK; an Error-Cause Attribute | ||||
| with value "Unsupported Service" MAY be included. | ||||
| 2.3. Packet Format | 2.3. Packet Format | |||
| For either Disconnect-Request or CoA-Request packets UDP port 3799 is | For either Disconnect-Request or CoA-Request packets UDP port 3799 is | |||
| used as the destination port. For responses, the source and | used as the destination port. For responses, the source and | |||
| destination ports are reversed. Exactly one RADIUS packet is | destination ports are reversed. Exactly one RADIUS packet is | |||
| encapsulated in the UDP Data field. | encapsulated in the UDP Data field. | |||
| A summary of the data format is shown below. The fields are | A summary of the data format is shown below. The fields are | |||
| transmitted from left to right. | transmitted from left to right. | |||
| skipping to change at page 9, line 21 | skipping to change at page 9, line 19 | |||
| here a Disconnect-NAK MUST be sent. | here a Disconnect-NAK MUST be sent. | |||
| Within this specification attributes may be used for | Within this specification attributes may be used for | |||
| identification, authorization or other purposes. RADIUS Attribue | identification, authorization or other purposes. RADIUS Attribue | |||
| specifications created after publication of this document SHOULD | specifications created after publication of this document SHOULD | |||
| state whether an Attribute can be included in CoA or Disconnect | state whether an Attribute can be included in CoA or Disconnect | |||
| messages and if so, which messages it may be included in and | messages and if so, which messages it may be included in and | |||
| whether it serves as an identification or authorization attribute. | whether it serves as an identification or authorization attribute. | |||
| Even if a NAS implements an attribute for use with RADIUS | Even if a NAS implements an attribute for use with RADIUS | |||
| authentication and accounting, it may not support inclusion of | authentication and accounting, it is possible that it will not | |||
| that attribute within Disconnect-Request or CoA-Request packets, | support inclusion of that attribute within Disconnect-Request or | |||
| given the difference in attribute semantics. This is true even | CoA-Request packets, given the difference in attribute semantics. | |||
| for attributes specified as allowable within Access-Accept packets | This is true even for attributes specified as allowable within | |||
| (such as those defined within [RFC2865], [RFC2868], [RFC2869], | Access-Accept packets (such as those defined within [RFC2865], | |||
| [RFC3162], [RFC3579], [RFC4372], [RFC4675], [RFC4818] and | [RFC2868], [RFC2869], [RFC3162], [RFC3579], [RFC4372], [RFC4675], | |||
| [RFCFilter]). If unsupported attributes are included within a | [RFC4818] and [RFCFilter]). If unsupported attributes are | |||
| Disconnect/CoA-Request packet, the RADIUS client will send a | included within a Disconnect/CoA-Request packet, the RADIUS client | |||
| Disconnect-NAK/CoA-NAK in response, possibly containing an Error- | will send a Disconnect-NAK/CoA-NAK in response, possibly | |||
| Cause attribute with value Unsupported Attribute (401). | containing an Error-Cause attribute with value Unsupported | |||
| Attribute (401). | ||||
| If there are any Proxy-State Attributes in a Disconnect-Request or | If there are any Proxy-State Attributes in a Disconnect-Request or | |||
| CoA-Request received from the server, the forwarding proxy or NAS | CoA-Request received from the server, the forwarding proxy or NAS | |||
| MUST include those Proxy-State Attributes in its response to the | MUST include those Proxy-State Attributes in its response to the | |||
| server. | server. | |||
| A forwarding proxy or NAS MUST NOT modify existing Proxy-State, | A forwarding proxy or NAS MUST NOT modify existing Proxy-State, | |||
| State, or Class Attributes present in the packet. The forwarding | State, or Class Attributes present in the packet. The forwarding | |||
| proxy or NAS MUST treat any Proxy-State attributes already in the | proxy or NAS MUST treat any Proxy-State attributes already in the | |||
| packet as opaque data. Its operation MUST NOT depend on the | packet as opaque data. Its operation MUST NOT depend on the | |||
| skipping to change at page 11, line 7 | skipping to change at page 11, line 7 | |||
| Attribute # Reference Description | Attribute # Reference Description | |||
| --------- --- --------- ----------- | --------- --- --------- ----------- | |||
| User-Name 1 [RFC2865] The name of the user | User-Name 1 [RFC2865] The name of the user | |||
| associated with the session. | associated with the session. | |||
| NAS-Port 5 [RFC2865] The port on which the | NAS-Port 5 [RFC2865] The port on which the | |||
| session is terminated. | session is terminated. | |||
| Attribute # Reference Description | Attribute # Reference Description | |||
| --------- --- --------- ----------- | --------- --- --------- ----------- | |||
| Framed-IP-Address 8 [RFC2865] The IPv4 address associated | ||||
| with the session. | ||||
| Called-Station-Id 30 [RFC2865] The link address to which | Called-Station-Id 30 [RFC2865] The link address to which | |||
| the session is connected. | the session is connected. | |||
| Calling-Station-Id 31 [RFC2865] The link address from which | Calling-Station-Id 31 [RFC2865] The link address from which | |||
| the session is connected. | the session is connected. | |||
| Acct-Session-Id 44 [RFC2866] The identifier uniquely | Acct-Session-Id 44 [RFC2866] The identifier uniquely | |||
| identifying the session | identifying the session | |||
| on the NAS. | on the NAS. | |||
| Acct-Multi-Session-Id 50 [RFC2866] The identifier uniquely | Acct-Multi-Session-Id 50 [RFC2866] The identifier uniquely | |||
| identifying related sessions. | identifying related sessions. | |||
| NAS-Port-Type 61 [RFC2865] The type of port used. | ||||
| NAS-Port-Id 87 [RFC2869] String identifying the port | NAS-Port-Id 87 [RFC2869] String identifying the port | |||
| where the session is. | where the session is. | |||
| Chargeable-User- 89 [RFC4372] The CUI associated with the | Chargeable-User- 89 [RFC4372] The CUI associated with the | |||
| Identity session. Needed where a | Identity session. Needed where a | |||
| privacy NAI is used, so that | privacy NAI is used, because | |||
| the User-Name may not be | the User-Name may not be | |||
| unique (e.g. "anonymous"). | unique (e.g. "anonymous"). | |||
| Originating-Line-Info 94 [RFC4005] Provides information on the | ||||
| characteristics of the line | ||||
| from which a session | ||||
| originated. | ||||
| Framed-Interface-Id 96 [RFC3162] The IPv6 Interface Identifier | ||||
| associated with the session; | ||||
| always sent with | ||||
| Framed-IPv6-Prefix. | ||||
| Framed-IPv6-Prefix 97 [RFC3162] The IPv6 prefix associated | ||||
| with the session, always sent | ||||
| with Framed-Interface-Id. | ||||
| To address security concerns described in Section 6.1, and to enable | To address security concerns described in Section 6.1, either the | |||
| Diameter/RADIUS translation, the User-Name Attribute SHOULD be | User-Name or Chargeable-User-Identity attribute SHOULD be present in | |||
| present in Disconnect-Request or CoA-Request packets; one or more | Disconnect-Request and CoA-Request packets. | |||
| additional session identification attributes MAY also be present. | ||||
| For example, where a Diameter client utilizes the same Session-Id for | Where a Diameter client utilizes the same Session-Id for both | |||
| both authorization and accounting, inclusion of an Acct-Session-Id | authorization and accounting, inclusion of an Acct-Session-Id | |||
| Attribute in a Disconnect-Request or CoA-Request can assist with | Attribute in a Disconnect-Request or CoA-Request can assist with | |||
| Diameter/RADIUS translation, since Diameter RAR and ASR commands | Diameter/RADIUS translation, since Diameter RAR and ASR commands | |||
| include a Session-Id AVP. | include a Session-Id AVP. An Acct-Session-Id attribute SHOULD be | |||
| included in Disconnect-Request and CoA-Request packets. | ||||
| Where a NAS offers multiple services, confusion may result with | Where the Acct-Session-Id or Acct-Multi-Session-Id attributes are not | |||
| respect to interpretation of a CoA-Request or Disconnect-Request. In | present in a CoA-Request or Disconnect-Request, it is possible that | |||
| order to prevent confusion a RADIUS Server SHOULD identify the | the User-Name or Chargeable-User-Identity attributes will not be | |||
| session as specifically as possible. For example, an Acct-Session-Id | sufficient to uniquely identify the session (e.g. if the same user | |||
| attribute SHOULD be included in Disconnect-Request and CoA-Request | has multiple sessions on the NAS, or the privacy NAI is used). As a | |||
| packets, rather than just the User-Name attribute. | result, the Called-Station-Id, Calling-Station-Id, NAS-Port and NAS- | |||
| Port-Id attributes MAY be used as additional session identification. | ||||
| To address security concerns described in Section 6.2, one or more of | To address security concerns described in Section 6.2, one or more of | |||
| the NAS-IP-Address or NAS-IPv6-Address Attributes SHOULD be present | the NAS-IP-Address or NAS-IPv6-Address Attributes SHOULD be present | |||
| in Disconnect-Request or CoA-Request packets; the NAS-Identifier | in Disconnect-Request and CoA-Request packets; the NAS-Identifier | |||
| Attribute MAY be present in addition. | Attribute MAY be present. | |||
| If one or more authorization changes specified in a CoA-Request | If one or more authorization changes specified in a CoA-Request | |||
| cannot be carried out, or if one or more attributes or attribute- | cannot be carried out, or if one or more attributes or attribute- | |||
| values is unsupported, a CoA-NAK MUST be sent. Similarly, if there | values is unsupported, a CoA-NAK MUST be sent. Similarly, if there | |||
| are one or more unsupported attributes or attribute values in a | are one or more unsupported attributes or attribute values in a | |||
| Disconnect-Request, a Disconnect-NAK MUST be sent. | Disconnect-Request, a Disconnect-NAK MUST be sent. | |||
| A CoA-Request containing a Service-Type Attribute with value | ||||
| "Authorize Only" MUST contain only NAS or session identification | ||||
| attributes, as well as Service-Type and State attributes. If other | ||||
| attributes are included in such a CoA-Request, implementations MUST | ||||
| send a CoA-NAK; an Error-Cause Attribute with value "Unsupported | ||||
| Attribute" MAY be included. | ||||
| A Disconnect-Request MUST contain only NAS and session identification | A Disconnect-Request MUST contain only NAS and session identification | |||
| attributes (see Section 3). If other attributes are included in a | attributes (see Section 3). If other attributes are included in a | |||
| Disconnect-Request, implementations MUST send a Disconnect-NAK; an | Disconnect-Request, implementations MUST send a Disconnect-NAK; an | |||
| Error-Cause Attribute with value "Unsupported Attribute" MAY be | Error-Cause Attribute with value "Unsupported Attribute" MAY be | |||
| included. | included. | |||
| 3.1. State | 3.1. Authorize Only | |||
| Support for a CoA-Request including a Service-Type Attribute with | ||||
| value "Authorize Only" is OPTIONAL on the NAS and RADIUS server. A | ||||
| Service-Type Attribute MUST NOT be included within a Disconnect- | ||||
| Request. | ||||
| A NAS MUST respond to a CoA-Request including a Service-Type | ||||
| Attribute with value "Authorize Only" with a CoA-NAK; a CoA-ACK MUST | ||||
| NOT be sent. If the NAS does not support a Service-Type value of | ||||
| "Authorize Only" then it MUST respond with a CoA-NAK; an Error-Cause | ||||
| value of 405 (Unsupported Service) SHOULD be included. | ||||
| A CoA-Request containing a Service-Type Attribute with value | ||||
| "Authorize Only" MUST in addition contain only NAS or session | ||||
| identification attributes, as well as a State Attribute. If other | ||||
| attributes are included in such a CoA-Request, a CoA-NAK MUST be | ||||
| sent; an Error-Cause Attribute with value 401 (Unsupported Attribute) | ||||
| SHOULD be included. | ||||
| If a CoA-Request packet including a Service-Type value of "Authorize | ||||
| Only" is successfully processed, the NAS MUST respond with a CoA-NAK | ||||
| containing a Service-Type Attribute with value "Authorize Only", and | ||||
| an Error-Cause Attribute with value 507 (Request Initiated). The NAS | ||||
| then MUST send an Access-Request to the RADIUS server including a | ||||
| Service-Type Attribute with value "Authorize Only". This Access- | ||||
| Request SHOULD contain the NAS identification attributes from the | ||||
| CoA-Request, as well as the session identification attributes from | ||||
| the CoA-Request legal for inclusion in an Access-Request as specified | ||||
| in [RFC2865], [RFC2868], [RFC2869] and [RFC3162]. As noted in | ||||
| [RFC2869] Section 5.19, a Message-Authenticator attribute SHOULD be | ||||
| included in an Access-Request that does not contain a User-Password, | ||||
| CHAP-Password, ARAP-Password or EAP-Message Attribute. The RADIUS | ||||
| server then will respond to the Access-Request with an Access-Accept | ||||
| to (re-)authorize the session or an Access-Reject to refuse to | ||||
| (re-)authorize it. | ||||
| 3.2. State | ||||
| The State Attribute is available to be sent by the RADIUS server to | ||||
| the NAS in a CoA-Request packet and MUST be sent unmodified from the | ||||
| NAS to the RADIUS server in a subsequent ACK or NAK packet. | ||||
| [RFC2865] Section 5.44 states: | [RFC2865] Section 5.44 states: | |||
| An Access-Request MUST contain either a User-Password or a CHAP- | An Access-Request MUST contain either a User-Password or a CHAP- | |||
| Password or State. An Access-Request MUST NOT contain both a | Password or State. An Access-Request MUST NOT contain both a | |||
| User-Password and a CHAP-Password. If future extensions allow | User-Password and a CHAP-Password. If future extensions allow | |||
| other kinds of authentication information to be conveyed, the | other kinds of authentication information to be conveyed, the | |||
| attribute for that can be used in an Access-Request instead of | attribute for that can be used in an Access-Request instead of | |||
| User-Password or CHAP-Password. | User-Password or CHAP-Password. | |||
| In order to satisfy the requirements of [RFC2865] Section 5.44, an | In order to satisfy the requirements of [RFC2865] Section 5.44, an | |||
| Access-Request with Service-Type="Authorize-Only" MUST contain a | Access-Request with Service-Type="Authorize-Only" MUST contain a | |||
| State attribute. | State attribute. | |||
| In order to provide a State attribute to the NAS, a server sending a | In order to provide a State attribute to the NAS, a server sending a | |||
| CoA-Request with a Service-Type value of "Authorize-Only" MUST | CoA-Request with a Service-Type value of "Authorize-Only" MUST | |||
| include a State Attribute, and the NAS MUST include the State | include a State Attribute, and the NAS MUST send the State Attribute | |||
| Attribute unchanged in the Access-Request. A NAS receiving a CoA- | unmodified to the RADIUS server in the resulting Access-Request, if | |||
| Request containing a Service-Type value of "Authorize-Only" but | any. A NAS receiving a CoA-Request containing a Service-Type value | |||
| lacking a State attribute MUST send a CoA-NAK and SHOULD include an | of "Authorize-Only" but lacking a State attribute MUST send a CoA-NAK | |||
| Error-Cause attribute with value 402 (Missing Attribute). | and SHOULD include an Error-Cause attribute with value 402 (Missing | |||
| Attribute). | ||||
| 3.2. Message-Authenticator | The State Attribute is also available to be sent by the RADIUS server | |||
| to the NAS in a CoA-Request that also includes a Termination-Action | ||||
| Attribute with the value of RADIUS-Request. If the client performs | ||||
| the Termination-Action by sending a new Access-Request upon | ||||
| termination of the current session, it MUST include the State | ||||
| Attribute unchanged in that Access-Request. In either usage, the | ||||
| client MUST NOT interpret the Attribute locally. A CoA-Request | ||||
| packet must have only zero or one State Attribute. Usage of the | ||||
| State Attribute is implementation dependent. | ||||
| 3.3. Message-Authenticator | ||||
| The Message-Authenticator Attribute MAY be used to authenticate and | The Message-Authenticator Attribute MAY be used to authenticate and | |||
| integrity-protect CoA-Request, CoA-ACK, CoA-NAK, Disconnect-Request, | integrity-protect CoA-Request, CoA-ACK, CoA-NAK, Disconnect-Request, | |||
| Disconnect-ACK and Disconnect-NAK packets order to prevent spoofing. | Disconnect-ACK and Disconnect-NAK packets order to prevent spoofing. | |||
| A RADIUS client receiving a CoA-Request or Disconnect-Request with a | A RADIUS client receiving a CoA-Request or Disconnect-Request with a | |||
| Message-Authenticator Attribute present MUST calculate the correct | Message-Authenticator Attribute present MUST calculate the correct | |||
| value of the Message-Authenticator and silently discard the packet if | value of the Message-Authenticator and silently discard the packet if | |||
| it does not match the value sent. A RADIUS server receiving a | it does not match the value sent. A RADIUS server receiving a | |||
| CoA/Disconnect-ACK or CoA/Disconnect-NAK with a Message-Authenticator | CoA/Disconnect-ACK or CoA/Disconnect-NAK with a Message-Authenticator | |||
| skipping to change at page 13, line 46 | skipping to change at page 14, line 29 | |||
| Message-Authenticator = HMAC-MD5 (Type, Identifier, Length, | Message-Authenticator = HMAC-MD5 (Type, Identifier, Length, | |||
| Request Authenticator, Attributes) | Request Authenticator, Attributes) | |||
| When the HMAC-MD5 message integrity check is calculated the | When the HMAC-MD5 message integrity check is calculated the | |||
| Message-Authenticator Attribute should be considered to be sixteen | Message-Authenticator Attribute should be considered to be sixteen | |||
| octets of zero. The Request Authenticator is taken from the | octets of zero. The Request Authenticator is taken from the | |||
| corresponding CoA/Disconnect-Request. The Message-Authenticator | corresponding CoA/Disconnect-Request. The Message-Authenticator | |||
| is calculated and inserted in the packet before the Response | is calculated and inserted in the packet before the Response | |||
| Authenticator is calculated. | Authenticator is calculated. | |||
| 3.3. Error-Cause | 3.4. Error-Cause | |||
| Description | Description | |||
| It is possible that the NAS cannot honor Disconnect-Request or | It is possible that the NAS cannot honor Disconnect-Request or | |||
| CoA-Request packets for some reason. The Error-Cause Attribute | CoA-Request packets for some reason. The Error-Cause Attribute | |||
| provides more detail on the cause of the problem. It MAY be | provides more detail on the cause of the problem. It MAY be | |||
| included within Disconnect-ACK, Disconnect-NAK and CoA-NAK | included within Disconnect-NAK and CoA-NAK packets. | |||
| packets. | ||||
| A summary of the Error-Cause Attribute format is shown below. The | A summary of the Error-Cause Attribute format is shown below. The | |||
| fields are transmitted from left to right. | fields are transmitted from left to right. | |||
| 0 1 2 3 | 0 1 2 3 | |||
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | Type | Length | Value | | Type | Length | Value | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| Value (cont) | | Value (cont) | | |||
| skipping to change at page 16, line 35 | skipping to change at page 17, line 16 | |||
| not be honored due to lack of available NAS resources (memory, | not be honored due to lack of available NAS resources (memory, | |||
| non- volatile storage, etc.). | non- volatile storage, etc.). | |||
| "Request Initiated" is a fatal error sent in response to a CoA- | "Request Initiated" is a fatal error sent in response to a CoA- | |||
| Request including a Service-Type Attribute with a value of | Request including a Service-Type Attribute with a value of | |||
| "Authorize Only". It indicates that the CoA-Request has not been | "Authorize Only". It indicates that the CoA-Request has not been | |||
| honored, but that a RADIUS Access-Request including a Service-Type | honored, but that a RADIUS Access-Request including a Service-Type | |||
| Attribute with value "Authorize Only" is being sent to the RADIUS | Attribute with value "Authorize Only" is being sent to the RADIUS | |||
| server. | server. | |||
| 3.4. Table of Attributes | 3.5. Table of Attributes | |||
| The following table provides a guide to which attributes may be found | The following table provides a guide to which attributes may be found | |||
| in which packets, and in what quantity. | in which packets, and in what quantity. | |||
| Change-of-Authorization Messages | Change-of-Authorization Messages | |||
| Request ACK NAK # Attribute | Request ACK NAK # Attribute | |||
| 0-1 0 0 1 User-Name [Note 1] | 0-1 0 0 1 User-Name [Note 1] | |||
| 0-1 0 0 4 NAS-IP-Address [Note 1] | 0-1 0 0 4 NAS-IP-Address [Note 1] | |||
| 0-1 0 0 5 NAS-Port [Note 1] | 0-1 0 0 5 NAS-Port [Note 1] | |||
| 0-1 0 0-1 6 Service-Type [Note 6] | 0-1 0 0-1 6 Service-Type | |||
| 0-1 0 0 7 Framed-Protocol [Note 3] | 0-1 0 0 7 Framed-Protocol [Note 3] | |||
| 0-1 0 0 8 Framed-IP-Address [Note 1][Note 8] | 0-1 0 0 8 Framed-IP-Address [Note 6] | |||
| 0-1 0 0 9 Framed-IP-Netmask [Note 3] | 0-1 0 0 9 Framed-IP-Netmask [Note 6] | |||
| 0-1 0 0 10 Framed-Routing [Note 3] | 0-1 0 0 10 Framed-Routing [Note 3] | |||
| Request ACK NAK # Attribute | ||||
| Request ACK NAK # Attribute | ||||
| 0+ 0 0 11 Filter-ID [Note 3] | 0+ 0 0 11 Filter-ID [Note 3] | |||
| 0-1 0 0 12 Framed-MTU [Note 3] | 0-1 0 0 12 Framed-MTU [Note 3] | |||
| 0+ 0 0 13 Framed-Compression [Note 3] | 0+ 0 0 13 Framed-Compression [Note 3] | |||
| 0+ 0 0 14 Login-IP-Host [Note 3] | 0+ 0 0 14 Login-IP-Host [Note 3] | |||
| 0-1 0 0 15 Login-Service [Note 3] | 0-1 0 0 15 Login-Service [Note 3] | |||
| 0-1 0 0 16 Login-TCP-Port [Note 3] | 0-1 0 0 16 Login-TCP-Port [Note 3] | |||
| 0+ 0 0 18 Reply-Message [Note 2] | 0+ 0 0 18 Reply-Message [Note 2] | |||
| 0-1 0 0 19 Callback-Number [Note 3] | 0-1 0 0 19 Callback-Number [Note 3] | |||
| 0-1 0 0 20 Callback-Id [Note 3] | 0-1 0 0 20 Callback-Id [Note 3] | |||
| 0+ 0 0 22 Framed-Route [Note 3] | 0+ 0 0 22 Framed-Route [Note 3] | |||
| 0-1 0 0 23 Framed-IPX-Network [Note 3] | 0-1 0 0 23 Framed-IPX-Network [Note 6] | |||
| 0-1 0-1 0-1 24 State [Note 7] | 0-1 0-1 0-1 24 State | |||
| 0+ 0 0 25 Class [Note 3] | 0+ 0 0 25 Class [Note 3] | |||
| 0+ 0 0 26 Vendor-Specific [Note 3] | 0+ 0 0 26 Vendor-Specific [Note 3] | |||
| 0-1 0 0 27 Session-Timeout [Note 3] | 0-1 0 0 27 Session-Timeout [Note 3] | |||
| 0-1 0 0 28 Idle-Timeout [Note 3] | 0-1 0 0 28 Idle-Timeout [Note 3] | |||
| 0-1 0 0 29 Termination-Action [Note 3] | 0-1 0 0 29 Termination-Action [Note 3] | |||
| 0-1 0 0 30 Called-Station-Id [Note 1] | 0-1 0 0 30 Called-Station-Id [Note 1] | |||
| 0-1 0 0 31 Calling-Station-Id [Note 1] | 0-1 0 0 31 Calling-Station-Id [Note 1] | |||
| 0-1 0 0 32 NAS-Identifier [Note 1] | 0-1 0 0 32 NAS-Identifier [Note 1] | |||
| Request ACK NAK # Attribute | ||||
| Request ACK NAK # Attribute | ||||
| 0+ 0+ 0+ 33 Proxy-State | 0+ 0+ 0+ 33 Proxy-State | |||
| 0-1 0 0 34 Login-LAT-Service [Note 3] | 0-1 0 0 34 Login-LAT-Service [Note 3] | |||
| 0-1 0 0 35 Login-LAT-Node [Note 3] | 0-1 0 0 35 Login-LAT-Node [Note 3] | |||
| 0-1 0 0 36 Login-LAT-Group [Note 3] | 0-1 0 0 36 Login-LAT-Group [Note 3] | |||
| 0-1 0 0 37 Framed-AppleTalk-Link [Note 3] | 0-1 0 0 37 Framed-AppleTalk-Link [Note 3] | |||
| 0+ 0 0 38 Framed-AppleTalk-Network [Note 3] | 0+ 0 0 38 Framed-AppleTalk-Network [Note 3] | |||
| 0-1 0 0 39 Framed-AppleTalk-Zone [Note 3] | 0-1 0 0 39 Framed-AppleTalk-Zone [Note 3] | |||
| 0-1 0 0 44 Acct-Session-Id [Note 1] | 0-1 0 0 44 Acct-Session-Id [Note 1] | |||
| 0-1 0 0 50 Acct-Multi-Session-Id [Note 1] | 0-1 0 0 50 Acct-Multi-Session-Id [Note 1] | |||
| 0-1 0-1 0-1 55 Event-Timestamp | 0-1 0-1 0-1 55 Event-Timestamp | |||
| 0+ 0 0 56 Egress-VLANID [Note 3] | 0+ 0 0 56 Egress-VLANID [Note 3] | |||
| 0-1 0 0 57 Ingress-Filters [Note 3] | 0-1 0 0 57 Ingress-Filters [Note 3] | |||
| 0+ 0 0 58 Egress-VLAN-Name [Note 3] | 0+ 0 0 58 Egress-VLAN-Name [Note 3] | |||
| 0-1 0 0 59 User-Priority-Table [Note 3] | 0-1 0 0 59 User-Priority-Table [Note 3] | |||
| 0-1 0 0 61 NAS-Port-Type [Note 1] | 0-1 0 0 61 NAS-Port-Type [Note 3] | |||
| 0-1 0 0 62 Port-Limit [Note 3] | 0-1 0 0 62 Port-Limit [Note 3] | |||
| 0-1 0 0 63 Login-LAT-Port [Note 3] | 0-1 0 0 63 Login-LAT-Port [Note 3] | |||
| 0+ 0 0 64 Tunnel-Type [Note 5] | 0+ 0 0 64 Tunnel-Type [Note 5] | |||
| 0+ 0 0 65 Tunnel-Medium-Type [Note 5] | 0+ 0 0 65 Tunnel-Medium-Type [Note 5] | |||
| 0+ 0 0 66 Tunnel-Client-Endpoint [Note 5] | 0+ 0 0 66 Tunnel-Client-Endpoint [Note 5] | |||
| 0+ 0 0 67 Tunnel-Server-Endpoint [Note 5] | 0+ 0 0 67 Tunnel-Server-Endpoint [Note 5] | |||
| 0+ 0 0 69 Tunnel-Password [Note 5] | 0+ 0 0 69 Tunnel-Password [Note 5] | |||
| 0-1 0 0 71 ARAP-Features [Note 3] | 0-1 0 0 71 ARAP-Features [Note 3] | |||
| 0-1 0 0 72 ARAP-Zone-Access [Note 3] | 0-1 0 0 72 ARAP-Zone-Access [Note 3] | |||
| 0+ 0 0 78 Configuration-Token [Note 3] | 0+ 0 0 78 Configuration-Token [Note 3] | |||
| 0+ 0-1 0 79 EAP-Message [Note 2] | 0+ 0-1 0 79 EAP-Message [Note 2] | |||
| Request ACK NAK # Attribute | ||||
| Request ACK NAK # Attribute | ||||
| 0-1 0-1 0-1 80 Message-Authenticator | 0-1 0-1 0-1 80 Message-Authenticator | |||
| 0+ 0 0 81 Tunnel-Private-Group-ID [Note 5] | 0+ 0 0 81 Tunnel-Private-Group-ID [Note 5] | |||
| 0+ 0 0 82 Tunnel-Assignment-ID [Note 5] | 0+ 0 0 82 Tunnel-Assignment-ID [Note 5] | |||
| 0+ 0 0 83 Tunnel-Preference [Note 5] | 0+ 0 0 83 Tunnel-Preference [Note 5] | |||
| 0-1 0 0 85 Acct-Interim-Interval [Note 3] | 0-1 0 0 85 Acct-Interim-Interval [Note 3] | |||
| 0-1 0 0 87 NAS-Port-Id [Note 1] | 0-1 0 0 87 NAS-Port-Id [Note 1] | |||
| 0-1 0 0 88 Framed-Pool [Note 3] | 0-1 0 0 88 Framed-Pool [Note 6] | |||
| 0-1 0 0 89 Chargeable-User-Identity [Note 1] | 0-1 0 0 89 Chargeable-User-Identity [Note 1] | |||
| 0+ 0 0 90 Tunnel-Client-Auth-ID [Note 5] | 0+ 0 0 90 Tunnel-Client-Auth-ID [Note 5] | |||
| 0+ 0 0 91 Tunnel-Server-Auth-ID [Note 5] | 0+ 0 0 91 Tunnel-Server-Auth-ID [Note 5] | |||
| 0-1 0 0 92 NAS-Filter-Rule [Note 3] | 0-1 0 0 92 NAS-Filter-Rule [Note 3] | |||
| 0-1 0 0 94 Originating-Line-Info [Note 1] | 0 0 0 94 Originating-Line-Info | |||
| 0-1 0 0 95 NAS-IPv6-Address [Note 1] | 0-1 0 0 95 NAS-IPv6-Address [Note 1] | |||
| 0-1 0 0 96 Framed-Interface-Id [Note 1][Note 8] | 0-1 0 0 96 Framed-Interface-Id [Note 6] | |||
| 0+ 0 0 97 Framed-IPv6-Prefix [Note 1][Note 8] | 0+ 0 0 97 Framed-IPv6-Prefix [Note 6] | |||
| 0+ 0 0 98 Login-IPv6-Host [Note 3] | 0+ 0 0 98 Login-IPv6-Host [Note 3] | |||
| 0+ 0 0 99 Framed-IPv6-Route [Note 3] | 0+ 0 0 99 Framed-IPv6-Route [Note 3] | |||
| 0-1 0 0 100 Framed-IPv6-Pool [Note 3] | 0-1 0 0 100 Framed-IPv6-Pool [Note 6] | |||
| 0 0 0+ 101 Error-Cause | 0 0 0+ 101 Error-Cause | |||
| 0+ 0 0 123 Delegated-IPv6-Prefix [Note 3] | 0+ 0 0 123 Delegated-IPv6-Prefix [Note 6] | |||
| Request ACK NAK # Attribute | Request ACK NAK # Attribute | |||
| Disconnect Messages | Disconnect Messages | |||
| Request ACK NAK # Attribute | Request ACK NAK # Attribute | |||
| 0-1 0 0 1 User-Name [Note 1] | 0-1 0 0 1 User-Name [Note 1] | |||
| 0-1 0 0 4 NAS-IP-Address [Note 1] | 0-1 0 0 4 NAS-IP-Address [Note 1] | |||
| 0-1 0 0 5 NAS-Port [Note 1] | 0-1 0 0 5 NAS-Port [Note 1] | |||
| 0 0 0 6 Service-Type | 0 0 0 6 Service-Type | |||
| 0-1 0 0 8 Framed-IP-Address [Note 1] | 0 0 0 8 Framed-IP-Address [Note 6] | |||
| 0+ 0 0 18 Reply-Message [Note 2] | 0+ 0 0 18 Reply-Message [Note 2] | |||
| 0 0 0 24 State | 0 0 0 24 State | |||
| 0+ 0 0 25 Class [Note 4] | 0+ 0 0 25 Class [Note 4] | |||
| 0+ 0 0 26 Vendor-Specific | 0+ 0 0 26 Vendor-Specific | |||
| 0-1 0 0 30 Called-Station-Id [Note 1] | 0-1 0 0 30 Called-Station-Id [Note 1] | |||
| 0-1 0 0 31 Calling-Station-Id [Note 1] | 0-1 0 0 31 Calling-Station-Id [Note 1] | |||
| 0-1 0 0 32 NAS-Identifier [Note 1] | 0-1 0 0 32 NAS-Identifier [Note 1] | |||
| 0+ 0+ 0+ 33 Proxy-State | 0+ 0+ 0+ 33 Proxy-State | |||
| 0-1 0 0 44 Acct-Session-Id [Note 1] | 0-1 0 0 44 Acct-Session-Id [Note 1] | |||
| 0-1 0-1 0 49 Acct-Terminate-Cause | 0-1 0-1 0 49 Acct-Terminate-Cause | |||
| 0-1 0 0 50 Acct-Multi-Session-Id [Note 1] | 0-1 0 0 50 Acct-Multi-Session-Id [Note 1] | |||
| 0-1 0-1 0-1 55 Event-Timestamp | 0-1 0-1 0-1 55 Event-Timestamp | |||
| 0-1 0 0 61 NAS-Port-Type [Note 1] | 0 0 0 61 NAS-Port-Type | |||
| 0+ 0-1 0 79 EAP-Message [Note 2] | 0+ 0-1 0 79 EAP-Message [Note 2] | |||
| 0-1 0-1 0-1 80 Message-Authenticator | 0-1 0-1 0-1 80 Message-Authenticator | |||
| 0-1 0 0 87 NAS-Port-Id [Note 1] | 0-1 0 0 87 NAS-Port-Id [Note 1] | |||
| Request ACK NAK # Attribute | ||||
| Request ACK NAK # Attribute | ||||
| 0-1 0 0 89 Chargeable-User-Identity [Note 1] | 0-1 0 0 89 Chargeable-User-Identity [Note 1] | |||
| 0-1 0 0 94 Orginating-Line-Info [Note 1] | ||||
| 0-1 0 0 95 NAS-IPv6-Address [Note 1] | 0-1 0 0 95 NAS-IPv6-Address [Note 1] | |||
| 0-1 0 0 96 Framed-Interface-Id [Note 1] | 0 0 0 96 Framed-Interface-Id [Note 6] | |||
| 0+ 0 0 97 Framed-IPv6-Prefix [Note 1] | 0 0 0 97 Framed-IPv6-Prefix [Note 6] | |||
| 0 0+ 0+ 101 Error-Cause | 0 0 0 100 Framed-IPv6-Pool [Note 6] | |||
| 0 0 0+ 101 Error-Cause | ||||
| Request ACK NAK # Attribute | Request ACK NAK # Attribute | |||
| The following table defines the meaning of the above table entries. | The following table defines the meaning of the above table entries. | |||
| 0 This attribute MUST NOT be present in packet. | 0 This attribute MUST NOT be present in packet. | |||
| 0+ Zero or more instances of this attribute MAY be present in packet. | 0+ Zero or more instances of this attribute MAY be present in packet. | |||
| 0-1 Zero or one instance of this attribute MAY be present in packet. | 0-1 Zero or one instance of this attribute MAY be present in packet. | |||
| 1 Exactly one instance of this attribute MUST be present in packet. | 1 Exactly one instance of this attribute MUST be present in packet. | |||
| [Note 1] Where NAS or session identification attributes are included | [Note 1] Where NAS or session identification attributes are included | |||
| skipping to change at page 19, line 51 | skipping to change at page 20, line 26 | |||
| a Disconnect-ACK is subsequently sent), the Class Attribute SHOULD be | a Disconnect-ACK is subsequently sent), the Class Attribute SHOULD be | |||
| sent unmodified by the client to the accounting server in the | sent unmodified by the client to the accounting server in the | |||
| Accounting Stop packet. If the Disconnect-Request is unsuccessful, | Accounting Stop packet. If the Disconnect-Request is unsuccessful, | |||
| then the Class Attribute is not processed. | then the Class Attribute is not processed. | |||
| [Note 5] When included within a CoA-Request, these attributes | [Note 5] When included within a CoA-Request, these attributes | |||
| represent an authorization change request. Where tunnel attribute(s) | represent an authorization change request. Where tunnel attribute(s) | |||
| are included within a successful CoA-Request, all existing tunnel | are included within a successful CoA-Request, all existing tunnel | |||
| attributes are removed and replaced by the new attribute(s). | attributes are removed and replaced by the new attribute(s). | |||
| [Note 6] Support for the Service-Type of "Authorize Only" is OPTIONAL | [Note 6] Where included within a CoA-Request, these attributes | |||
| on the NAS and RADIUS server. A NAS supporting the "Authorize Only" | represent a renumbering request. Since these attributes are not used | |||
| Service-Type value within a CoA-Request packet MUST respond with a | for session identification, they MUST NOT be included within a | |||
| CoA-NAK containing a Service-Type Attribute with value "Authorize | Disconnect-Request. Note that renumbering may not be possible in all | |||
| Only", and an Error-Cause Attribute with value "Request Initiated". | situations. For example, in order to change an IP address on receipt | |||
| The NAS then sends an Access-Request to the RADIUS server with a | of a changed Framed-IP-Address address, IPCP re-negotiation could be | |||
| Service-Type Attribute with value "Authorize Only". This Access- | required, which is not supported by all PPP implementations. | |||
| Request SHOULD contain the NAS attributes from the CoA-Request, as | ||||
| well as the session attributes from the CoA-Request legal for | ||||
| inclusion in an Access-Request as specified in [RFC2865], [RFC2868], | ||||
| [RFC2869] and [RFC3162]. As noted in [RFC2869] Section 5.19, a | ||||
| Message-Authenticator attribute SHOULD be included in an Access- | ||||
| Request that does not contain a User-Password, CHAP-Password, ARAP- | ||||
| Password or EAP-Message Attribute. The RADIUS server should send | ||||
| back an Access-Accept to (re-)authorize the session or an Access- | ||||
| Reject to refuse to (re-)authorize it. | ||||
| A NAS that does not support the Service-Type Attribute with the value | ||||
| "Authorize Only" within a CoA-Request MUST respond with a CoA-NAK | ||||
| including no Service-Type Attribute; an Error-Cause Attribute with | ||||
| value "Unsupported Service" MAY be included. | ||||
| [Note 7] The State Attribute is available to be sent by the RADIUS | ||||
| server to the NAS in a CoA-Request packet and MUST be sent unmodified | ||||
| from the NAS to the RADIUS server in a subsequent ACK or NAK packet. | ||||
| If a Service-Type Attribute with value "Authorize Only" is included | ||||
| in a CoA-Request then a State Attribute MUST be present, and MUST be | ||||
| sent unmodified from the NAS to the RADIUS server in the resulting | ||||
| Access-Request sent to the RADIUS server, if any. The State | ||||
| Attribute is also available to be sent by the RADIUS server to the | ||||
| NAS in a CoA-Request that also includes a Termination-Action | ||||
| Attribute with the value of RADIUS-Request. If the client performs | ||||
| the Termination-Action by sending a new Access-Request upon | ||||
| termination of the current session, it MUST include the State | ||||
| Attribute unchanged in that Access-Request. In either usage, the | ||||
| client MUST NOT interpret the Attribute locally. A CoA-Request | ||||
| packet must have only zero or one State Attribute. Usage of the | ||||
| State Attribute is implementation dependent. | ||||
| [Note 8] Since the Framed-IP-Address, Framed-IPv6-Prefix and Framed- | ||||
| Interface-Id attributes are used for identification, these attributes | ||||
| cannot be updated by including new values within a CoA-Request. | ||||
| Instead, a CoA-Request with Service-Type="Authorize Only" is used, | ||||
| and the new values can be supplied in response to the ensuing Access- | ||||
| Request. | ||||
| 4. Diameter Considerations | 4. Diameter Considerations | |||
| Due to differences in handling change-of-authorization requests in | Due to differences in handling change-of-authorization requests in | |||
| RADIUS and Diameter, it may be difficult or impossible for a | RADIUS and Diameter, it may be difficult or impossible for a | |||
| Diameter/RADIUS gateway to successfully translate a Diameter Re-Auth- | Diameter/RADIUS gateway to successfully translate a Diameter Re-Auth- | |||
| Request (RAR) to a CoA-Request and vice versa. For example, since a | Request (RAR) to a CoA-Request and vice versa. For example, since a | |||
| CoA-Request only initiates an authorization change but does not | CoA-Request only initiates an authorization change but does not | |||
| initiate re-authentication, a RAR command containing a Re-Auth- | initiate re-authentication, a RAR command containing a Re-Auth- | |||
| Request-Type AVP with value "AUTHORIZE_AUTHENTICATE" cannot be | Request-Type AVP with value "AUTHORIZE_AUTHENTICATE" cannot be | |||
| skipping to change at page 32, line 16 | skipping to change at page 32, line 16 | |||
| This Appendix lists the major changes between [RFC3576] and this | This Appendix lists the major changes between [RFC3576] and this | |||
| document. Minor changes, including style, grammar, spelling, and | document. Minor changes, including style, grammar, spelling, and | |||
| editorial changes are not mentioned here. | editorial changes are not mentioned here. | |||
| o Added details relating to handling of the Proxy-State Attribute. | o Added details relating to handling of the Proxy-State Attribute. | |||
| Added requirement for duplicate detection on the RADIUS client | Added requirement for duplicate detection on the RADIUS client | |||
| (Section 2.3). | (Section 2.3). | |||
| o Added Chargeable-User-Identity as a session identification | o Added Chargeable-User-Identity as a session identification | |||
| attribute (Section 3). | attribute. Removed Framed-IP-Address, Framed-IPv6-Prefix, Framed- | |||
| Interface-Id and NAS-Port-Type attributes as session identification | ||||
| attributes (Section 3). | ||||
| o Added requirements for inclusion of the State Attribute in CoA- | o Added requirements for inclusion of the State Attribute in CoA- | |||
| Request packets with a Service-Type of "Authorize Only" (Section | Request packets with a Service-Type of "Authorize Only" (Section | |||
| 3.1). | 3.2). | |||
| o Added clarification on the calculation of the Message-Authenticator | o Added clarification on the calculation of the Message-Authenticator | |||
| Attribute (Section 3.2). | Attribute (Section 3.3). | |||
| o Added statement that support for "Authorize Only" Service-Type is | o Added statement that support for "Authorize Only" Service-Type is | |||
| optional (Section 3.4). | optional (Section 3.5). | |||
| o Updated CoA-Request Attribute Table to include Filter-Rule, | o Updated CoA-Request Attribute Table to include Filter-Rule, | |||
| Delegated-IPv6-Prefix, Egress-VLANID, Ingress-Filters, Egress-VLAN- | Delegated-IPv6-Prefix, Egress-VLANID, Ingress-Filters, Egress-VLAN- | |||
| Name and User-Priority attributes (Section 3.4). | Name and User-Priority attributes (Section 3.5). | |||
| o Added the Chargeable-User-Identity Attribute to both the CoA- | o Added the Chargeable-User-Identity Attribute to both the CoA- | |||
| Request and Disconnect-Request Attribute Table (Section 3.4). | Request and Disconnect-Request Attribute table (Section 3.5). | |||
| o Added note relating to use of Service-Type="Authorize Only" for | o Added note on the use of the CoA-Request for renumbering (Section | |||
| renumbering (Section 3.4). | 3.5). | |||
| o Use of a Service-Type Attribute within a Disconnect-Request is | o Use of Service-Type and Error-Cause attributes within a Disconnect- | |||
| prohibited (Sections 3.4, 4). | Request is prohibited (Sections 3.5). | |||
| o Added Diameter Considerations (Section 5). | o Added Diameter Considerations (Section 4). | |||
| o Changed the text to indicate that the Event-Timestamp Attribute | o Changed the text to indicate that the Event-Timestamp Attribute | |||
| should not be recalculated on retransmission. The implications for | should not be recalculated on retransmission. The implications for | |||
| replay and duplicate detection are discussed (Section 6.4). | replay and duplicate detection are discussed (Section 6.4). | |||
| Full Copyright Statement | Full Copyright Statement | |||
| Copyright (C) The IETF Trust (2007). | Copyright (C) The IETF Trust (2007). | |||
| This document is subject to the rights, licenses and restrictions | This document is subject to the rights, licenses and restrictions | |||
| End of changes. 48 change blocks. | ||||
| 155 lines changed or deleted | 146 lines changed or added | |||
This html diff was produced by rfcdiff 1.33. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||