draft-ietf-radext-rfc3576bis-04.txt vs. draft-ietf-radext-rfc3576bis-05.txt
(text that differs between the two versions is marked [-04: ... | -05: ...]
or labelled "-04 only" / "-05 only"; unmarked text is common to both)

Network Working Group                                   Murtaza S. Chiba
INTERNET-DRAFT                                             Gopal Dommety
Obsoletes: 3576                                              Mark Eklund
Category: Informational                              Cisco Systems, Inc.
<draft-ietf-radext-rfc3576bis-04.txt> [-04]                 David Mitton
<draft-ietf-radext-rfc3576bis-05.txt> [-05]           RSA Security, Inc.
10 April 2007 [-04] / 22 May 2007 [-05]                    Bernard Aboba
                                                   Microsoft Corporation

    Dynamic Authorization Extensions to Remote Authentication Dial In User
                              Service (RADIUS)

By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.

skipping to change at page 1, line 36

and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

This Internet-Draft will expire on [-04: October 25, 2007 | -05:
December 25, 2007].

Copyright Notice

Copyright (C) The IETF Trust (2007). All Rights Reserved.

Abstract

This document describes a currently deployed extension to the Remote
Authentication Dial In User Service (RADIUS) protocol, allowing
dynamic changes to a user session, as implemented by network access

skipping to change at page 2, line 16
1. Introduction ..........................................  3
   1.1 Applicability ...................................  3
   1.2 Requirements Language ...........................  4
   1.3 Terminology .....................................  4
2. Overview .............................................  5
   2.1 Disconnect Messages (DM) ........................  5
   2.2 Change-of-Authorization Messages (CoA) ..........  5
   2.3 Packet Format ...................................  6
3. Attributes ............................................ 10
   3.1 Authorize Only .................................. 12   (-05 only)
   3.2 State ........................................... 12   (-04: 3.1 State, page 12)
   3.3 Message-Authenticator ........................... 13   (-04: 3.2, page 13)
   3.4 Error-Cause ..................................... 14   (-04: 3.3, page 13)
   3.5 Table of Attributes ............................. 17   (-04: 3.4, page 16)
4. Diameter Considerations ............................... 20   (-04: page 21)
5. IANA Considerations ................................... 22   (-04: page 23)
6. Security Considerations ............................... 22   (-04: page 23)
   6.1 Authorization Issues ............................ 22   (-04: page 23)
   6.2 Impersonation ................................... 23   (-04: page 24)
   6.3 IPsec Usage Guidelines .......................... 24
   6.4 Replay Protection ............................... 27
7. Example Traces ........................................ 28
8. References ............................................ 28
   8.1 Normative References ............................ 28
   8.2 Informative References .......................... 29
ACKNOWLEDGMENTS .............................................. 30
AUTHORS' ADDRESSES ........................................... 31
Appendix A - Changes from RFC 3576 ........................... 32
Full Copyright Statement ..................................... 33
skipping to change at page 6, line 16

   |          | <--------------------- |          |
   |   NAS    |                        |  RADIUS  |
   |          |      CoA-Response      |  Server  |
   |          | ---------------------> |          |
   +----------+                        +----------+

The NAS responds to a CoA-Request sent by a RADIUS server with a
CoA-ACK if the NAS is able to successfully change the authorizations
for the user session, or a CoA-NAK if the Request is unsuccessful.
[-04 only: A NAS MUST respond to a CoA-Request including a
Service-Type Attribute with value "Authorize Only" with a CoA-NAK; a
CoA-ACK MUST NOT be sent.] A NAS MUST respond to a CoA-Request
including a Service-Type Attribute with an unsupported value with a
CoA-NAK; an Error-Cause Attribute with value "Unsupported Service" MAY
be included.

2.3. Packet Format

For either Disconnect-Request or CoA-Request packets UDP port 3799 is
used as the destination port. For responses, the source and
destination ports are reversed. Exactly one RADIUS packet is
encapsulated in the UDP Data field.

A summary of the data format is shown below. The fields are
transmitted from left to right.
skipping to change at page 9, line 21 [-04] / page 9, line 19 [-05]

here a Disconnect-NAK MUST be sent.

Within this specification attributes may be used for identification,
authorization or other purposes. RADIUS Attribute specifications
created after publication of this document SHOULD state whether an
Attribute can be included in CoA or Disconnect messages and if so,
which messages it may be included in and whether it serves as an
identification or authorization attribute. Even if a NAS implements
an attribute for use with RADIUS authentication and accounting,
[-04: it may not support | -05: it is possible that it will not
support] inclusion of that attribute within Disconnect-Request or
CoA-Request packets, given the difference in attribute semantics.
This is true even for attributes specified as allowable within
Access-Accept packets (such as those defined within [RFC2865],
[RFC2868], [RFC2869], [RFC3162], [RFC3579], [RFC4372], [RFC4675],
[RFC4818] and [RFCFilter]). If unsupported attributes are included
within a Disconnect/CoA-Request packet, the RADIUS client will send a
Disconnect-NAK/CoA-NAK in response, possibly containing an
Error-Cause attribute with value Unsupported Attribute (401).

If there are any Proxy-State Attributes in a Disconnect-Request or
CoA-Request received from the server, the forwarding proxy or NAS
MUST include those Proxy-State Attributes in its response to the
server.

A forwarding proxy or NAS MUST NOT modify existing Proxy-State,
State, or Class Attributes present in the packet. The forwarding
proxy or NAS MUST treat any Proxy-State attributes already in the
packet as opaque data. Its operation MUST NOT depend on the
skipping to change at page 11, line 7

   Attribute              #   Reference  Description
   ---------             ---  ---------  -----------
   User-Name              1   [RFC2865]  The name of the user
                                         associated with the session.
   NAS-Port               5   [RFC2865]  The port on which the
                                         session is terminated.
   Framed-IP-Address      8   [RFC2865]  The IPv4 address associated
                                         with the session.  (-04 only)
   Called-Station-Id     30   [RFC2865]  The link address to which
                                         the session is connected.
   Calling-Station-Id    31   [RFC2865]  The link address from which
                                         the session is connected.
   Acct-Session-Id       44   [RFC2866]  The identifier uniquely
                                         identifying the session
                                         on the NAS.
   Acct-Multi-Session-Id 50   [RFC2866]  The identifier uniquely
                                         identifying related sessions.
   NAS-Port-Type         61   [RFC2865]  The type of port used.
                                         (-04 only)
   NAS-Port-Id           87   [RFC2869]  String identifying the port
                                         where the session is.
   Chargeable-User-      89   [RFC4372]  The CUI associated with the
     Identity                            session. Needed where a
                                         privacy NAI is used,
                                         [-04: so that | -05: because]
                                         the User-Name may not be
                                         unique (e.g. "anonymous").
   Originating-Line-Info 94   [RFC4005]  Provides information on the
                                         characteristics of the line
                                         from which a session
                                         originated.  (-04 only)
   Framed-Interface-Id   96   [RFC3162]  The IPv6 Interface Identifier
                                         associated with the session;
                                         always sent with
                                         Framed-IPv6-Prefix.  (-04 only)
   Framed-IPv6-Prefix    97   [RFC3162]  The IPv6 prefix associated
                                         with the session, always sent
                                         with Framed-Interface-Id.
                                         (-04 only)
[-04: To address security concerns described in Section 6.1, and to
enable Diameter/RADIUS translation, the User-Name Attribute SHOULD be
present in Disconnect-Request or CoA-Request packets; one or more
additional session identification attributes MAY also be present.]

[-05: To address security concerns described in Section 6.1, either
the User-Name or Chargeable-User-Identity attribute SHOULD be present
in Disconnect-Request and CoA-Request packets.]

[-04: For example, where | -05: Where] a Diameter client utilizes the
same Session-Id for both authorization and accounting, inclusion of an
Acct-Session-Id Attribute in a Disconnect-Request or CoA-Request can
assist with Diameter/RADIUS translation, since Diameter RAR and ASR
commands include a Session-Id AVP. [-05 only: An Acct-Session-Id
attribute SHOULD be included in Disconnect-Request and CoA-Request
packets.]

[-04: Where a NAS offers multiple services, confusion may result with
respect to interpretation of a CoA-Request or Disconnect-Request. In
order to prevent confusion a RADIUS Server SHOULD identify the
session as specifically as possible. For example, an Acct-Session-Id
attribute SHOULD be included in Disconnect-Request and CoA-Request
packets, rather than just the User-Name attribute.]

[-05: Where the Acct-Session-Id or Acct-Multi-Session-Id attributes
are not present in a CoA-Request or Disconnect-Request, it is possible
that the User-Name or Chargeable-User-Identity attributes will not be
sufficient to uniquely identify the session (e.g. if the same user
has multiple sessions on the NAS, or the privacy NAI is used). As a
result, the Called-Station-Id, Calling-Station-Id, NAS-Port and
NAS-Port-Id attributes MAY be used as additional session
identification.]

To address security concerns described in Section 6.2, one or more of
the NAS-IP-Address or NAS-IPv6-Address Attributes SHOULD be present
in Disconnect-Request [-04: or | -05: and] CoA-Request packets; the
NAS-Identifier Attribute MAY be present [-04 only: in addition].

If one or more authorization changes specified in a CoA-Request
cannot be carried out, or if one or more attributes or attribute
values are unsupported, a CoA-NAK MUST be sent. Similarly, if there
are one or more unsupported attributes or attribute values in a
Disconnect-Request, a Disconnect-NAK MUST be sent.

[-04 only: A CoA-Request containing a Service-Type Attribute with
value "Authorize Only" MUST contain only NAS or session identification
attributes, as well as Service-Type and State attributes. If other
attributes are included in such a CoA-Request, implementations MUST
send a CoA-NAK; an Error-Cause Attribute with value "Unsupported
Attribute" MAY be included.]

A Disconnect-Request MUST contain only NAS and session identification
attributes (see Section 3). If other attributes are included in a
Disconnect-Request, implementations MUST send a Disconnect-NAK; an
Error-Cause Attribute with value "Unsupported Attribute" MAY be
included.
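As an added illustration of the session and NAS identification rules above (this is not code from the draft), the following Python models how a NAS could resolve the identification attributes of a Disconnect-Request or CoA-Request against its session table; the NAS identity and the four sessions are constructed sample data, and the attribute names are the ones the draft's table lists.

```python
# Session identification on the NAS, following Section 3 of the draft:
# a Disconnect-Request or CoA-Request selects only sessions for which
# every identification attribute it carries matches, and a request that
# names a different NAS (Section 6.2) selects nothing.

NAS_IDENTIFICATION = ("NAS-IP-Address", "NAS-IPv6-Address", "NAS-Identifier")
SESSION_IDENTIFICATION = (
    "User-Name", "NAS-Port", "Called-Station-Id", "Calling-Station-Id",
    "Acct-Session-Id", "Acct-Multi-Session-Id", "NAS-Port-Id",
    "Chargeable-User-Identity",
)

# Constructed NAS state.  "bob" has two related sessions (one multi-session
# id); the two "anonymous" sessions use a privacy NAI, so only the CUI
# tells them apart.
THIS_NAS = {"NAS-IP-Address": "192.0.2.1", "NAS-Identifier": "nas1.example.net"}
SESSIONS = [
    {"Acct-Session-Id": "0000A101", "Acct-Multi-Session-Id": "M-0001",
     "User-Name": "bob@example.net", "NAS-Port": 1,
     "Calling-Station-Id": "00-10-A4-23-19-C0"},
    {"Acct-Session-Id": "0000A102", "Acct-Multi-Session-Id": "M-0001",
     "User-Name": "bob@example.net", "NAS-Port": 2,
     "Calling-Station-Id": "00-10-A4-23-19-C0"},
    {"Acct-Session-Id": "0000A103", "User-Name": "anonymous@example.net",
     "NAS-Port": 3, "Chargeable-User-Identity": "cui-7f3a"},
    {"Acct-Session-Id": "0000A104", "User-Name": "anonymous@example.net",
     "NAS-Port": 4, "Chargeable-User-Identity": "cui-91b0"},
]


def identify(request, sessions=SESSIONS, this_nas=THIS_NAS):
    """Return (verdict, matching sessions) for a decoded request.

    `request` maps attribute names to values.  Verdicts: "none" (no
    session, or the request names another NAS), "unique", "related"
    (several sessions selected via Acct-Multi-Session-Id, which is the
    intended result) or "ambiguous" (several sessions selected without
    it; the caller must not guess which one was meant)."""
    for attr in NAS_IDENTIFICATION:
        if attr in request and request[attr] != this_nas.get(attr):
            return "none", []            # addressed to a different NAS
    keys = [a for a in SESSION_IDENTIFICATION if a in request]
    if not keys:
        return "none", []                # nothing identifies a session
    matches = [s for s in sessions
               if all(s.get(a) == request[a] for a in keys)]
    if not matches:
        return "none", []
    if len(matches) == 1:
        return "unique", matches
    return ("related" if "Acct-Multi-Session-Id" in keys else "ambiguous"), matches
```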
3.1. State [-04] / 3.1. Authorize Only [-05]

[-05 only, Section 3.1 "Authorize Only":]

Support for a CoA-Request including a Service-Type Attribute with
value "Authorize Only" is OPTIONAL on the NAS and RADIUS server. A
Service-Type Attribute MUST NOT be included within a
Disconnect-Request.

A NAS MUST respond to a CoA-Request including a Service-Type
Attribute with value "Authorize Only" with a CoA-NAK; a CoA-ACK MUST
NOT be sent. If the NAS does not support a Service-Type value of
"Authorize Only" then it MUST respond with a CoA-NAK; an Error-Cause
value of 405 (Unsupported Service) SHOULD be included.

A CoA-Request containing a Service-Type Attribute with value
"Authorize Only" MUST in addition contain only NAS or session
identification attributes, as well as a State Attribute. If other
attributes are included in such a CoA-Request, a CoA-NAK MUST be
sent; an Error-Cause Attribute with value 401 (Unsupported Attribute)
SHOULD be included.

If a CoA-Request packet including a Service-Type value of "Authorize
Only" is successfully processed, the NAS MUST respond with a CoA-NAK
containing a Service-Type Attribute with value "Authorize Only", and
an Error-Cause Attribute with value 507 (Request Initiated). The NAS
then MUST send an Access-Request to the RADIUS server including a
Service-Type Attribute with value "Authorize Only". This
Access-Request SHOULD contain the NAS identification attributes from
the CoA-Request, as well as the session identification attributes
from the CoA-Request legal for inclusion in an Access-Request as
specified in [RFC2865], [RFC2868], [RFC2869] and [RFC3162]. As noted
in [RFC2869] Section 5.19, a Message-Authenticator attribute SHOULD
be included in an Access-Request that does not contain a
User-Password, CHAP-Password, ARAP-Password or EAP-Message Attribute.
The RADIUS server then will respond to the Access-Request with an
Access-Accept to (re-)authorize the session or an Access-Reject to
refuse to (re-)authorize it.

3.2. State [-05; in -04 this is Section 3.1 State, beginning at the
[RFC2865] quotation below]

[-05 only: The State Attribute is available to be sent by the RADIUS
server to the NAS in a CoA-Request packet and MUST be sent unmodified
from the NAS to the RADIUS server in a subsequent ACK or NAK packet.]
[RFC2865] Section 5.44 states:

   An Access-Request MUST contain either a User-Password or a
   CHAP-Password or State. An Access-Request MUST NOT contain both a
   User-Password and a CHAP-Password. If future extensions allow
   other kinds of authentication information to be conveyed, the
   attribute for that can be used in an Access-Request instead of
   User-Password or CHAP-Password.

In order to satisfy the requirements of [RFC2865] Section 5.44, an
Access-Request with Service-Type="Authorize-Only" MUST contain a
State attribute.

In order to provide a State attribute to the NAS, a server sending a
CoA-Request with a Service-Type value of "Authorize-Only" MUST
include a State Attribute, and the NAS MUST [-04: include the State
Attribute unchanged in the Access-Request | -05: send the State
Attribute unmodified to the RADIUS server in the resulting
Access-Request, if any]. A NAS receiving a CoA-Request containing a
Service-Type value of "Authorize-Only" but lacking a State attribute
MUST send a CoA-NAK and SHOULD include an Error-Cause attribute with
value 402 (Missing Attribute).

[-05 only: The State Attribute is also available to be sent by the
RADIUS server to the NAS in a CoA-Request that also includes a
Termination-Action Attribute with the value of RADIUS-Request. If the
client performs the Termination-Action by sending a new
Access-Request upon termination of the current session, it MUST
include the State Attribute unchanged in that Access-Request. In
either usage, the client MUST NOT interpret the Attribute locally. A
CoA-Request packet must have only zero or one State Attribute. Usage
of the State Attribute is implementation dependent.]
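An added example, not part of the draft, modelling the NAS-side handling of an "Authorize Only" CoA-Request as Sections 3.1 and 3.2 describe it: a CoA-NAK with Error-Cause 405, 402 or 401 on failure, or with Service-Type "Authorize Only" and Error-Cause 507 followed by an Access-Request that carries State unmodified. Attribute numbers are those in the draft's tables; the set of identification attributes treated as legal in an Access-Request is an assumption drawn from the RFCs the draft cites, and the State and Proxy-State values in the usage are constructed.

```python
# NAS-side handling of a CoA-Request whose Service-Type is "Authorize Only"
# (Sections 3.1 and 3.2 of the draft).  Packets are modelled as lists of
# (attribute number, value) pairs; wire encoding is not shown here.

# Attribute numbers from the draft's tables, and the Error-Cause values it cites.
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE, FILTER_ID = 1, 4, 5, 6, 11
STATE, CALLED_STATION_ID, CALLING_STATION_ID, NAS_IDENTIFIER = 24, 30, 31, 32
PROXY_STATE, ACCT_SESSION_ID, ACCT_MULTI_SESSION_ID, EVENT_TIMESTAMP = 33, 44, 50, 55
MESSAGE_AUTHENTICATOR, NAS_PORT_ID, CHARGEABLE_USER_IDENTITY = 80, 87, 89
NAS_IPV6_ADDRESS, ERROR_CAUSE = 95, 101
AUTHORIZE_ONLY = 17          # Service-Type value registered for "Authorize Only"
UNSUPPORTED_ATTRIBUTE, MISSING_ATTRIBUTE = 401, 402
UNSUPPORTED_SERVICE, REQUEST_INITIATED = 405, 507

NAS_IDENTIFICATION = {NAS_IP_ADDRESS, NAS_IDENTIFIER, NAS_IPV6_ADDRESS}
SESSION_IDENTIFICATION = {USER_NAME, NAS_PORT, CALLED_STATION_ID, CALLING_STATION_ID,
                          ACCT_SESSION_ID, ACCT_MULTI_SESSION_ID, NAS_PORT_ID,
                          CHARGEABLE_USER_IDENTITY}
# Attributes the table of attributes allows in any CoA-Request besides those.
PER_PACKET = {PROXY_STATE, EVENT_TIMESTAMP, MESSAGE_AUTHENTICATOR}
# Identification attributes that [RFC2865], [RFC2869] and [RFC3162] allow in
# an Access-Request (assumption: accounting-only identifiers are left out).
ACCESS_REQUEST_LEGAL = {USER_NAME, NAS_IP_ADDRESS, NAS_PORT, CALLED_STATION_ID,
                        CALLING_STATION_ID, NAS_IDENTIFIER, NAS_PORT_ID, NAS_IPV6_ADDRESS}


def coa_nak(request, cause, extra=()):
    """CoA-NAK: Proxy-State echoed unmodified, then any extras and Error-Cause."""
    attrs = [(t, v) for t, v in request if t == PROXY_STATE]
    return attrs + list(extra) + [(ERROR_CAUSE, cause)]


def handle_authorize_only(request, supports_authorize_only=True):
    """Return (coa_nak, access_request).  access_request is None unless the
    request was accepted; a CoA-ACK is never produced for Authorize Only."""
    if [v for t, v in request if t == SERVICE_TYPE] != [AUTHORIZE_ONLY]:
        raise ValueError("not an Authorize Only CoA-Request")
    if not supports_authorize_only:
        return coa_nak(request, UNSUPPORTED_SERVICE), None
    states = [v for t, v in request if t == STATE]
    if not states:
        return coa_nak(request, MISSING_ATTRIBUTE), None
    allowed = NAS_IDENTIFICATION | SESSION_IDENTIFICATION | PER_PACKET | {SERVICE_TYPE, STATE}
    if any(t not in allowed for t, _ in request):
        return coa_nak(request, UNSUPPORTED_ATTRIBUTE), None
    # Accepted: NAK with Service-Type and 507 (Request Initiated), then an
    # Access-Request carrying State unmodified plus the identification
    # attributes; it gets a Message-Authenticator since no password attribute
    # is present ([RFC2869] Section 5.19).
    nak = coa_nak(request, REQUEST_INITIATED, extra=[(SERVICE_TYPE, AUTHORIZE_ONLY)])
    access = [(SERVICE_TYPE, AUTHORIZE_ONLY), (STATE, states[0])]
    access += [(t, v) for t, v in request if t in ACCESS_REQUEST_LEGAL]
    access.append((MESSAGE_AUTHENTICATOR, bytes(16)))  # filled in when the packet is signed
    return nak, access


if __name__ == "__main__":
    # Constructed request: NAS and session identification, State, one Proxy-State.
    req = [(NAS_IP_ADDRESS, "192.0.2.1"), (USER_NAME, "bob"), (ACCT_SESSION_ID, "0000A101"),
           (SERVICE_TYPE, AUTHORIZE_ONLY), (STATE, b"\x2a\x01"), (PROXY_STATE, b"px-1")]
    print(handle_authorize_only(req))
```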
3.2. Message-Authenticator [-04] / 3.3. Message-Authenticator [-05]
The Message-Authenticator Attribute MAY be used to authenticate and
integrity-protect CoA-Request, CoA-ACK, CoA-NAK, Disconnect-Request,
Disconnect-ACK and Disconnect-NAK packets in order to prevent
spoofing. A RADIUS client receiving a CoA-Request or
Disconnect-Request with a Message-Authenticator Attribute present
MUST calculate the correct value of the Message-Authenticator and
silently discard the packet if it does not match the value sent. A
RADIUS server receiving a CoA/Disconnect-ACK or CoA/Disconnect-NAK
with a Message-Authenticator

skipping to change at page 13, line 46 [-04] / page 14, line 29 [-05]

   Message-Authenticator = HMAC-MD5 (Type, Identifier, Length,
                                     Request Authenticator, Attributes)

When the HMAC-MD5 message integrity check is calculated the
Message-Authenticator Attribute should be considered to be sixteen
octets of zero. The Request Authenticator is taken from the
corresponding CoA/Disconnect-Request. The Message-Authenticator is
calculated and inserted in the packet before the Response
Authenticator is calculated.
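An added, self-contained Python example (not from the draft) of the ACK/NAK construction just described: the NAS computes the HMAC-MD5 Message-Authenticator over the response with the Request Authenticator of the corresponding request and the attribute value zeroed, inserts it, and only then computes the Response Authenticator; the server recomputes both and discards the packet on any mismatch. The Request Authenticator of the CoA-Request itself is built the accounting-style way ([RFC2866]) that RFC 3576 specifies; the shared secret, user and session values are constructed.

```python
import hashlib
import hmac
import struct

# Packet codes and attribute numbers from this draft (Sections 2.3 and 3).
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
MESSAGE_AUTHENTICATOR, ERROR_CAUSE = 80, 101
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator


def encode_attrs(attrs):
    """Encode a list of (type, value-bytes) pairs as RADIUS TLVs."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    """Decode RADIUS TLVs; raise ValueError on a malformed length field."""
    attrs = []
    while data:
        if len(data) < 2:
            raise ValueError("truncated attribute")
        t, l = struct.unpack("!BB", data[:2])
        if l < 2 or l > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[2:l]))
        data = data[l:]
    return attrs


def error_cause(value):
    """Error-Cause attribute: a four-octet integer value."""
    return (ERROR_CAUSE, struct.pack("!I", value))


def request_packet(code, identifier, attrs, secret):
    """CoA/Disconnect-Request.  The Request Authenticator is the MD5 of the
    packet with a zeroed Authenticator field plus the shared secret, as for
    Accounting-Request ([RFC2866])."""
    body = encode_attrs(attrs)
    length = HEADER.size + len(body)
    unsigned = HEADER.pack(code, identifier, length, bytes(16)) + body
    req_auth = hashlib.md5(unsigned + secret).digest()
    return HEADER.pack(code, identifier, length, req_auth) + body


def message_authenticator(code, identifier, length, request_auth, attrs, secret):
    """HMAC-MD5(Type, Identifier, Length, Request Authenticator, Attributes)
    keyed with the shared secret; the Message-Authenticator value itself is
    treated as sixteen octets of zero."""
    zeroed = [(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    msg = HEADER.pack(code, identifier, length, request_auth) + encode_attrs(zeroed)
    return hmac.new(secret, msg, hashlib.md5).digest()


def response_packet(code, request, attrs, secret):
    """CoA/Disconnect-ACK/NAK for `request`: Message-Authenticator first
    (with the Request Authenticator taken from the request), then the
    Response Authenticator over the finished attribute list."""
    _, identifier, _, req_auth = HEADER.unpack_from(request)
    attrs = list(attrs) + [(MESSAGE_AUTHENTICATOR, bytes(16))]
    length = HEADER.size + len(encode_attrs(attrs))
    ma = message_authenticator(code, identifier, length, req_auth, attrs, secret)
    body = encode_attrs(attrs[:-1] + [(MESSAGE_AUTHENTICATOR, ma)])
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(HEADER.pack(code, identifier, length, req_auth) + body + secret).digest()
    return HEADER.pack(code, identifier, length, resp_auth) + body


def verify_response(response, request, secret):
    """Server-side check of an ACK/NAK; False means silently discard it."""
    if len(response) < HEADER.size:
        return False
    code, identifier, length, resp_auth = HEADER.unpack_from(response)
    _, req_id, _, req_auth = HEADER.unpack_from(request)
    if identifier != req_id or length != len(response):
        return False
    body = response[HEADER.size:]
    try:
        attrs = decode_attrs(body)
    except ValueError:
        return False
    received = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(received) != 1 or len(received[0]) != 16:
        return False
    expected_ma = message_authenticator(code, identifier, length, req_auth, attrs, secret)
    expected_ra = hashlib.md5(HEADER.pack(code, identifier, length, req_auth) + body + secret).digest()
    return hmac.compare_digest(received[0], expected_ma) and hmac.compare_digest(resp_auth, expected_ra)


if __name__ == "__main__":
    # Constructed sample: CoA-Request for "bob", answered with CoA-NAK / Error-Cause 401.
    secret = b"constructed-shared-secret"
    req = request_packet(COA_REQUEST, 7, [(1, b"bob"), (44, b"0000A101")], secret)
    nak = response_packet(COA_NAK, req, [error_cause(401)], secret)
    print("NAK verifies:", verify_response(nak, req, secret))
```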
3.3. Error-Cause [-04] / 3.4. Error-Cause [-05]

Description

   It is possible that the NAS cannot honor Disconnect-Request or
   CoA-Request packets for some reason. The Error-Cause Attribute
   provides more detail on the cause of the problem. It MAY be
   included within [-04: Disconnect-ACK, Disconnect-NAK and CoA-NAK
   | -05: Disconnect-NAK and CoA-NAK] packets.

   A summary of the Error-Cause Attribute format is shown below. The
   fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
              Value (cont)         |

skipping to change at page 16, line 35 [-04] / page 17, line 16 [-05]

   not be honored due to lack of available NAS resources (memory,
   non-volatile storage, etc.).

   "Request Initiated" is a fatal error sent in response to a
   CoA-Request including a Service-Type Attribute with a value of
   "Authorize Only". It indicates that the CoA-Request has not been
   honored, but that a RADIUS Access-Request including a Service-Type
   Attribute with value "Authorize Only" is being sent to the RADIUS
   server.
3.4. Table of Attributes 3.5. Table of Attributes
The following table provides a guide to which attributes may be found The following table provides a guide to which attributes may be found
in which packets, and in what quantity. in which packets, and in what quantity.
Change-of-Authorization Messages Change-of-Authorization Messages
Request ACK NAK # Attribute Request ACK NAK # Attribute
0-1 0 0 1 User-Name [Note 1] 0-1 0 0 1 User-Name [Note 1]
0-1 0 0 4 NAS-IP-Address [Note 1] 0-1 0 0 4 NAS-IP-Address [Note 1]
0-1 0 0 5 NAS-Port [Note 1] 0-1 0 0 5 NAS-Port [Note 1]
0-1 0 0-1 6 Service-Type [Note 6] 0-1 0 0-1 6 Service-Type
0-1 0 0 7 Framed-Protocol [Note 3] 0-1 0 0 7 Framed-Protocol [Note 3]
0-1 0 0 8 Framed-IP-Address [Note 1][Note 8] 0-1 0 0 8 Framed-IP-Address [Note 6]
0-1 0 0 9 Framed-IP-Netmask [Note 3] 0-1 0 0 9 Framed-IP-Netmask [Note 6]
0-1 0 0 10 Framed-Routing [Note 3] 0-1 0 0 10 Framed-Routing [Note 3]
Request ACK NAK # Attribute
Request ACK NAK # Attribute
0+ 0 0 11 Filter-ID [Note 3] 0+ 0 0 11 Filter-ID [Note 3]
0-1 0 0 12 Framed-MTU [Note 3] 0-1 0 0 12 Framed-MTU [Note 3]
0+ 0 0 13 Framed-Compression [Note 3] 0+ 0 0 13 Framed-Compression [Note 3]
0+ 0 0 14 Login-IP-Host [Note 3] 0+ 0 0 14 Login-IP-Host [Note 3]
0-1 0 0 15 Login-Service [Note 3] 0-1 0 0 15 Login-Service [Note 3]
0-1 0 0 16 Login-TCP-Port [Note 3] 0-1 0 0 16 Login-TCP-Port [Note 3]
0+ 0 0 18 Reply-Message [Note 2] 0+ 0 0 18 Reply-Message [Note 2]
0-1 0 0 19 Callback-Number [Note 3] 0-1 0 0 19 Callback-Number [Note 3]
0-1 0 0 20 Callback-Id [Note 3] 0-1 0 0 20 Callback-Id [Note 3]
0+ 0 0 22 Framed-Route [Note 3] 0+ 0 0 22 Framed-Route [Note 3]
0-1 0 0 23 Framed-IPX-Network [Note 3] 0-1 0 0 23 Framed-IPX-Network [Note 6]
0-1 0-1 0-1 24 State [Note 7] 0-1 0-1 0-1 24 State
0+ 0 0 25 Class [Note 3] 0+ 0 0 25 Class [Note 3]
0+ 0 0 26 Vendor-Specific [Note 3] 0+ 0 0 26 Vendor-Specific [Note 3]
0-1 0 0 27 Session-Timeout [Note 3] 0-1 0 0 27 Session-Timeout [Note 3]
0-1 0 0 28 Idle-Timeout [Note 3] 0-1 0 0 28 Idle-Timeout [Note 3]
0-1 0 0 29 Termination-Action [Note 3] 0-1 0 0 29 Termination-Action [Note 3]
0-1 0 0 30 Called-Station-Id [Note 1] 0-1 0 0 30 Called-Station-Id [Note 1]
0-1 0 0 31 Calling-Station-Id [Note 1] 0-1 0 0 31 Calling-Station-Id [Note 1]
0-1 0 0 32 NAS-Identifier [Note 1] 0-1 0 0 32 NAS-Identifier [Note 1]
Request ACK NAK # Attribute
Request ACK NAK # Attribute
0+ 0+ 0+ 33 Proxy-State 0+ 0+ 0+ 33 Proxy-State
0-1 0 0 34 Login-LAT-Service [Note 3] 0-1 0 0 34 Login-LAT-Service [Note 3]
0-1 0 0 35 Login-LAT-Node [Note 3] 0-1 0 0 35 Login-LAT-Node [Note 3]
0-1 0 0 36 Login-LAT-Group [Note 3] 0-1 0 0 36 Login-LAT-Group [Note 3]
0-1 0 0 37 Framed-AppleTalk-Link [Note 3] 0-1 0 0 37 Framed-AppleTalk-Link [Note 3]
0+ 0 0 38 Framed-AppleTalk-Network [Note 3] 0+ 0 0 38 Framed-AppleTalk-Network [Note 3]
0-1 0 0 39 Framed-AppleTalk-Zone [Note 3] 0-1 0 0 39 Framed-AppleTalk-Zone [Note 3]
0-1 0 0 44 Acct-Session-Id [Note 1] 0-1 0 0 44 Acct-Session-Id [Note 1]
0-1 0 0 50 Acct-Multi-Session-Id [Note 1] 0-1 0 0 50 Acct-Multi-Session-Id [Note 1]
0-1 0-1 0-1 55 Event-Timestamp 0-1 0-1 0-1 55 Event-Timestamp
0+ 0 0 56 Egress-VLANID [Note 3] 0+ 0 0 56 Egress-VLANID [Note 3]
0-1 0 0 57 Ingress-Filters [Note 3] 0-1 0 0 57 Ingress-Filters [Note 3]
0+ 0 0 58 Egress-VLAN-Name [Note 3] 0+ 0 0 58 Egress-VLAN-Name [Note 3]
0-1 0 0 59 User-Priority-Table [Note 3] 0-1 0 0 59 User-Priority-Table [Note 3]
0-1 0 0 61 NAS-Port-Type [Note 1] 0-1 0 0 61 NAS-Port-Type [Note 3]
0-1 0 0 62 Port-Limit [Note 3] 0-1 0 0 62 Port-Limit [Note 3]
0-1 0 0 63 Login-LAT-Port [Note 3] 0-1 0 0 63 Login-LAT-Port [Note 3]
0+ 0 0 64 Tunnel-Type [Note 5] 0+ 0 0 64 Tunnel-Type [Note 5]
0+ 0 0 65 Tunnel-Medium-Type [Note 5] 0+ 0 0 65 Tunnel-Medium-Type [Note 5]
0+ 0 0 66 Tunnel-Client-Endpoint [Note 5] 0+ 0 0 66 Tunnel-Client-Endpoint [Note 5]
0+ 0 0 67 Tunnel-Server-Endpoint [Note 5] 0+ 0 0 67 Tunnel-Server-Endpoint [Note 5]
0+ 0 0 69 Tunnel-Password [Note 5] 0+ 0 0 69 Tunnel-Password [Note 5]
0-1 0 0 71 ARAP-Features [Note 3] 0-1 0 0 71 ARAP-Features [Note 3]
0-1 0 0 72 ARAP-Zone-Access [Note 3] 0-1 0 0 72 ARAP-Zone-Access [Note 3]
0+ 0 0 78 Configuration-Token [Note 3] 0+ 0 0 78 Configuration-Token [Note 3]
0+ 0-1 0 79 EAP-Message [Note 2] 0+ 0-1 0 79 EAP-Message [Note 2]
Request ACK NAK # Attribute
Request ACK NAK # Attribute
0-1 0-1 0-1 80 Message-Authenticator 0-1 0-1 0-1 80 Message-Authenticator
0+ 0 0 81 Tunnel-Private-Group-ID [Note 5] 0+ 0 0 81 Tunnel-Private-Group-ID [Note 5]
0+ 0 0 82 Tunnel-Assignment-ID [Note 5] 0+ 0 0 82 Tunnel-Assignment-ID [Note 5]
0+ 0 0 83 Tunnel-Preference [Note 5] 0+ 0 0 83 Tunnel-Preference [Note 5]
0-1 0 0 85 Acct-Interim-Interval [Note 3] 0-1 0 0 85 Acct-Interim-Interval [Note 3]
0-1 0 0 87 NAS-Port-Id [Note 1] 0-1 0 0 87 NAS-Port-Id [Note 1]
0-1 0 0 88 Framed-Pool [Note 3] 0-1 0 0 88 Framed-Pool [Note 6]
0-1 0 0 89 Chargeable-User-Identity [Note 1] 0-1 0 0 89 Chargeable-User-Identity [Note 1]
0+ 0 0 90 Tunnel-Client-Auth-ID [Note 5] 0+ 0 0 90 Tunnel-Client-Auth-ID [Note 5]
0+ 0 0 91 Tunnel-Server-Auth-ID [Note 5] 0+ 0 0 91 Tunnel-Server-Auth-ID [Note 5]
0-1 0 0 92 NAS-Filter-Rule [Note 3] 0-1 0 0 92 NAS-Filter-Rule [Note 3]
0-1 0 0 94 Originating-Line-Info [Note 1] 0 0 0 94 Originating-Line-Info
0-1 0 0 95 NAS-IPv6-Address [Note 1] 0-1 0 0 95 NAS-IPv6-Address [Note 1]
0-1 0 0 96 Framed-Interface-Id [Note 1][Note 8] 0-1 0 0 96 Framed-Interface-Id [Note 6]
0+ 0 0 97 Framed-IPv6-Prefix [Note 1][Note 8] 0+ 0 0 97 Framed-IPv6-Prefix [Note 6]
0+ 0 0 98 Login-IPv6-Host [Note 3] 0+ 0 0 98 Login-IPv6-Host [Note 3]
0+ 0 0 99 Framed-IPv6-Route [Note 3] 0+ 0 0 99 Framed-IPv6-Route [Note 3]
0-1 0 0 100 Framed-IPv6-Pool [Note 3] 0-1 0 0 100 Framed-IPv6-Pool [Note 6]
0 0 0+ 101 Error-Cause 0 0 0+ 101 Error-Cause
0+ 0 0 123 Delegated-IPv6-Prefix [Note 3] 0+ 0 0 123 Delegated-IPv6-Prefix [Note 6]
Request ACK NAK # Attribute Request ACK NAK # Attribute
Disconnect Messages Disconnect Messages
Request ACK NAK # Attribute Request ACK NAK # Attribute
0-1 0 0 1 User-Name [Note 1] 0-1 0 0 1 User-Name [Note 1]
0-1 0 0 4 NAS-IP-Address [Note 1] 0-1 0 0 4 NAS-IP-Address [Note 1]
0-1 0 0 5 NAS-Port [Note 1] 0-1 0 0 5 NAS-Port [Note 1]
0 0 0 6 Service-Type 0 0 0 6 Service-Type
0-1 0 0 8 Framed-IP-Address [Note 1] 0 0 0 8 Framed-IP-Address [Note 6]
0+ 0 0 18 Reply-Message [Note 2] 0+ 0 0 18 Reply-Message [Note 2]
0 0 0 24 State 0 0 0 24 State
0+ 0 0 25 Class [Note 4] 0+ 0 0 25 Class [Note 4]
0+ 0 0 26 Vendor-Specific 0+ 0 0 26 Vendor-Specific
0-1 0 0 30 Called-Station-Id [Note 1] 0-1 0 0 30 Called-Station-Id [Note 1]
0-1 0 0 31 Calling-Station-Id [Note 1] 0-1 0 0 31 Calling-Station-Id [Note 1]
0-1 0 0 32 NAS-Identifier [Note 1] 0-1 0 0 32 NAS-Identifier [Note 1]
0+ 0+ 0+ 33 Proxy-State 0+ 0+ 0+ 33 Proxy-State
0-1 0 0 44 Acct-Session-Id [Note 1] 0-1 0 0 44 Acct-Session-Id [Note 1]
0-1 0-1 0 49 Acct-Terminate-Cause 0-1 0-1 0 49 Acct-Terminate-Cause
0-1 0 0 50 Acct-Multi-Session-Id [Note 1] 0-1 0 0 50 Acct-Multi-Session-Id [Note 1]
0-1 0-1 0-1 55 Event-Timestamp 0-1 0-1 0-1 55 Event-Timestamp
0-1 0 0 61 NAS-Port-Type [Note 1] 0 0 0 61 NAS-Port-Type
0+ 0-1 0 79 EAP-Message [Note 2] 0+ 0-1 0 79 EAP-Message [Note 2]
0-1 0-1 0-1 80 Message-Authenticator 0-1 0-1 0-1 80 Message-Authenticator
0-1 0 0 87 NAS-Port-Id [Note 1] 0-1 0 0 87 NAS-Port-Id [Note 1]
0-1 0 0 89 Chargeable-User-Identity [Note 1] 0-1 0 0 89 Chargeable-User-Identity [Note 1]
0-1 0 0 94 Orginating-Line-Info [Note 1]
0-1 0 0 95 NAS-IPv6-Address [Note 1] 0-1 0 0 95 NAS-IPv6-Address [Note 1]
0-1 0 0 96 Framed-Interface-Id [Note 1] 0 0 0 96 Framed-Interface-Id [Note 6]
0+ 0 0 97 Framed-IPv6-Prefix [Note 1] 0 0 0 97 Framed-IPv6-Prefix [Note 6]
0 0+ 0+ 101 Error-Cause 0 0 0 100 Framed-IPv6-Pool [Note 6]
0 0 0+ 101 Error-Cause
Request ACK NAK # Attribute Request ACK NAK # Attribute
The following table defines the meaning of the above table entries. The following table defines the meaning of the above table entries.
0 This attribute MUST NOT be present in packet. 0 This attribute MUST NOT be present in packet.
0+ Zero or more instances of this attribute MAY be present in packet. 0+ Zero or more instances of this attribute MAY be present in packet.
0-1 Zero or one instance of this attribute MAY be present in packet. 0-1 Zero or one instance of this attribute MAY be present in packet.
1 Exactly one instance of this attribute MUST be present in packet. 1 Exactly one instance of this attribute MUST be present in packet.
[Note 1] Where NAS or session identification attributes are included [Note 1] Where NAS or session identification attributes are included
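Review bot: the Disconnect Messages table now forbids Error-Cause in a Disconnect-ACK (the last row moves from `0 0+ 0+ 101 Error-Cause` to `0 0 0+ 101 Error-Cause`), yet the change log entry for this revision only speaks of prohibiting Error-Cause within a Disconnect-Request, which was already 0 in the previous draft; state in the table notes or the change log which packet the new prohibition applies to, since a NAS that keeps sending Error-Cause in an ACK would otherwise be silently non-conformant. Also, Framed-IPv6-Pool gets an explicit `0 0 0 100 Framed-IPv6-Pool [Note 6]` row in the Disconnect table while Framed-Pool (88) and Delegated-IPv6-Prefix (123), both marked [Note 6] in the CoA-Request table, have no Disconnect row at all; either add matching rows or drop the IPv6-Pool one so all [Note 6] attributes are treated the same way.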
skipping to change at page 19, line 51 skipping to change at page 20, line 26
a Disconnect-ACK is subsequently sent), the Class Attribute SHOULD be a Disconnect-ACK is subsequently sent), the Class Attribute SHOULD be
sent unmodified by the client to the accounting server in the sent unmodified by the client to the accounting server in the
Accounting Stop packet. If the Disconnect-Request is unsuccessful, Accounting Stop packet. If the Disconnect-Request is unsuccessful,
then the Class Attribute is not processed. then the Class Attribute is not processed.
[Note 5] When included within a CoA-Request, these attributes [Note 5] When included within a CoA-Request, these attributes
represent an authorization change request. Where tunnel attribute(s) represent an authorization change request. Where tunnel attribute(s)
are included within a successful CoA-Request, all existing tunnel are included within a successful CoA-Request, all existing tunnel
attributes are removed and replaced by the new attribute(s). attributes are removed and replaced by the new attribute(s).
[Note 6] Support for the Service-Type of "Authorize Only" is OPTIONAL [Note 6] Where included within a CoA-Request, these attributes
on the NAS and RADIUS server. A NAS supporting the "Authorize Only" represent a renumbering request. Since these attributes are not used
Service-Type value within a CoA-Request packet MUST respond with a for session identification, they MUST NOT be included within a
CoA-NAK containing a Service-Type Attribute with value "Authorize Disconnect-Request. Note that renumbering may not be possible in all
Only", and an Error-Cause Attribute with value "Request Initiated". situations. For example, in order to change an IP address on receipt
The NAS then sends an Access-Request to the RADIUS server with a of a changed Framed-IP-Address address, IPCP re-negotiation could be
Service-Type Attribute with value "Authorize Only". This Access- required, which is not supported by all PPP implementations.
Request SHOULD contain the NAS attributes from the CoA-Request, as
well as the session attributes from the CoA-Request legal for
inclusion in an Access-Request as specified in [RFC2865], [RFC2868],
[RFC2869] and [RFC3162]. As noted in [RFC2869] Section 5.19, a
Message-Authenticator attribute SHOULD be included in an Access-
Request that does not contain a User-Password, CHAP-Password, ARAP-
Password or EAP-Message Attribute. The RADIUS server should send
back an Access-Accept to (re-)authorize the session or an Access-
Reject to refuse to (re-)authorize it.
A NAS that does not support the Service-Type Attribute with the value
"Authorize Only" within a CoA-Request MUST respond with a CoA-NAK
including no Service-Type Attribute; an Error-Cause Attribute with
value "Unsupported Service" MAY be included.
[Note 7] The State Attribute is available to be sent by the RADIUS
server to the NAS in a CoA-Request packet and MUST be sent unmodified
from the NAS to the RADIUS server in a subsequent ACK or NAK packet.
If a Service-Type Attribute with value "Authorize Only" is included
in a CoA-Request then a State Attribute MUST be present, and MUST be
sent unmodified from the NAS to the RADIUS server in the resulting
Access-Request sent to the RADIUS server, if any. The State
Attribute is also available to be sent by the RADIUS server to the
NAS in a CoA-Request that also includes a Termination-Action
Attribute with the value of RADIUS-Request. If the client performs
the Termination-Action by sending a new Access-Request upon
termination of the current session, it MUST include the State
Attribute unchanged in that Access-Request. In either usage, the
client MUST NOT interpret the Attribute locally. A CoA-Request
packet must have only zero or one State Attribute. Usage of the
State Attribute is implementation dependent.
[Note 8] Since the Framed-IP-Address, Framed-IPv6-Prefix and Framed-
Interface-Id attributes are used for identification, these attributes
cannot be updated by including new values within a CoA-Request.
Instead, a CoA-Request with Service-Type="Authorize Only" is used,
and the new values can be supplied in response to the ensuing Access-
Request.
4. Diameter Considerations 4. Diameter Considerations
Due to differences in handling change-of-authorization requests in Due to differences in handling change-of-authorization requests in
RADIUS and Diameter, it may be difficult or impossible for a RADIUS and Diameter, it may be difficult or impossible for a
Diameter/RADIUS gateway to successfully translate a Diameter Re-Auth- Diameter/RADIUS gateway to successfully translate a Diameter Re-Auth-
Request (RAR) to a CoA-Request and vice versa. For example, since a Request (RAR) to a CoA-Request and vice versa. For example, since a
CoA-Request only initiates an authorization change but does not CoA-Request only initiates an authorization change but does not
initiate re-authentication, a RAR command containing a Re-Auth- initiate re-authentication, a RAR command containing a Re-Auth-
Request-Type AVP with value "AUTHORIZE_AUTHENTICATE" cannot be Request-Type AVP with value "AUTHORIZE_AUTHENTICATE" cannot be
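Review bot: the new [Note 6] says renumbering "may not be possible in all situations" but does not say what the NAS does when it cannot renumber; the note should require a CoA-NAK in that case and name the Error-Cause value to carry, otherwise a RADIUS server cannot distinguish a refused renumbering from a successful one, and the session keeps an address the server believes it has withdrawn. Minor: "on receipt of a changed Framed-IP-Address address" repeats "address"; read "on receipt of a changed Framed-IP-Address". Old Notes 7 and 8 (State Attribute handling and the Authorize-Only route for address changes) are dropped here without a replacement in this section; if the State text now lives in Section 3.2 as the change log states, the CoA-Request table's State row should point there.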
skipping to change at page 32, line 16 skipping to change at page 32, line 16
This Appendix lists the major changes between [RFC3576] and this This Appendix lists the major changes between [RFC3576] and this
document. Minor changes, including style, grammar, spelling, and document. Minor changes, including style, grammar, spelling, and
editorial changes are not mentioned here. editorial changes are not mentioned here.
o Added details relating to handling of the Proxy-State Attribute. o Added details relating to handling of the Proxy-State Attribute.
Added requirement for duplicate detection on the RADIUS client Added requirement for duplicate detection on the RADIUS client
(Section 2.3). (Section 2.3).
o Added Chargeable-User-Identity as a session identification o Added Chargeable-User-Identity as a session identification
attribute (Section 3). attribute. Removed Framed-IP-Address, Framed-IPv6-Prefix, Framed-
Interface-Id and NAS-Port-Type attributes as session identification
attributes (Section 3).
o Added requirements for inclusion of the State Attribute in CoA- o Added requirements for inclusion of the State Attribute in CoA-
Request packets with a Service-Type of "Authorize Only" (Section Request packets with a Service-Type of "Authorize Only" (Section
3.1). 3.2).
o Added clarification on the calculation of the Message-Authenticator o Added clarification on the calculation of the Message-Authenticator
Attribute (Section 3.2). Attribute (Section 3.3).
o Added statement that support for "Authorize Only" Service-Type is o Added statement that support for "Authorize Only" Service-Type is
optional (Section 3.4). optional (Section 3.5).
o Updated CoA-Request Attribute Table to include Filter-Rule, o Updated CoA-Request Attribute Table to include Filter-Rule,
Delegated-IPv6-Prefix, Egress-VLANID, Ingress-Filters, Egress-VLAN- Delegated-IPv6-Prefix, Egress-VLANID, Ingress-Filters, Egress-VLAN-
Name and User-Priority attributes (Section 3.4). Name and User-Priority attributes (Section 3.5).
o Added the Chargeable-User-Identity Attribute to both the CoA- o Added the Chargeable-User-Identity Attribute to both the CoA-
Request and Disconnect-Request Attribute Table (Section 3.4). Request and Disconnect-Request Attribute table (Section 3.5).
o Added note relating to use of Service-Type="Authorize Only" for o Added note on the use of the CoA-Request for renumbering (Section
renumbering (Section 3.4). 3.5).
o Use of a Service-Type Attribute within a Disconnect-Request is o Use of Service-Type and Error-Cause attributes within a Disconnect-
prohibited (Sections 3.4, 4). Request is prohibited (Sections 3.5).
o Added Diameter Considerations (Section 5). o Added Diameter Considerations (Section 4).
o Changed the text to indicate that the Event-Timestamp Attribute o Changed the text to indicate that the Event-Timestamp Attribute
should not be recalculated on retransmission. The implications for should not be recalculated on retransmission. The implications for
replay and duplicate detection are discussed (Section 6.4). replay and duplicate detection are discussed (Section 6.4).
Full Copyright Statement Full Copyright Statement
Copyright (C) The IETF Trust (2007). Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions This document is subject to the rights, licenses and restrictions
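Review bot: the change log omits Originating-Line-Info, which this revision demotes from a [Note 1] session identification attribute to `0 0 0 94 Originating-Line-Info` in the CoA-Request table and removes from the Disconnect table entirely; add it to the entry that lists Framed-IP-Address, Framed-IPv6-Prefix, Framed-Interface-Id and NAS-Port-Type. The entry "Added statement that support for "Authorize Only" Service-Type is optional (Section 3.5)" should be checked against the new text: the statement was old Note 6 of the attribute table and has been replaced there by the renumbering note, so confirm it still appears in Section 3.5. Style: "(Sections 3.5)" in the Disconnect-Request prohibition entry should read "(Section 3.5)".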
 End of changes. 48 change blocks. 
155 lines changed or deleted 146 lines changed or added