| draft-ietf-radext-rfc3576bis-05.txt | draft-ietf-radext-rfc3576bis-06.txt | |||
|---|---|---|---|---|
| Network Working Group Murtaza S. Chiba | Network Working Group Murtaza S. Chiba | |||
| INTERNET-DRAFT Gopal Dommety | INTERNET-DRAFT Gopal Dommety | |||
| Obsoletes: 3576 Mark Eklund | Obsoletes: 3576 Mark Eklund | |||
| Category: Informational Cisco Systems, Inc. | Category: Informational Cisco Systems, Inc. | |||
| <draft-ietf-radext-rfc3576bis-05.txt> David Mitton | <draft-ietf-radext-rfc3576bis-06.txt> David Mitton | |||
| 22 May 2007 RSA Security, Inc. | 23 May 2007 RSA Security, Inc. | |||
| Bernard Aboba | Bernard Aboba | |||
| Microsoft Corporation | Microsoft Corporation | |||
| Dynamic Authorization Extensions to Remote Authentication Dial In User | Dynamic Authorization Extensions to Remote Authentication Dial In User | |||
| Service (RADIUS) | Service (RADIUS) | |||
| By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
| applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
| have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
| aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
| skipping to change at page 2, line 15 | skipping to change at page 2, line 15 | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction .......................................... 3 | 1. Introduction .......................................... 3 | |||
| 1.1 Applicability ................................... 3 | 1.1 Applicability ................................... 3 | |||
| 1.2 Requirements Language ........................... 4 | 1.2 Requirements Language ........................... 4 | |||
| 1.3 Terminology ..................................... 4 | 1.3 Terminology ..................................... 4 | |||
| 2. Overview ............................................. 5 | 2. Overview ............................................. 5 | |||
| 2.1 Disconnect Messages (DM) ........................ 5 | 2.1 Disconnect Messages (DM) ........................ 5 | |||
| 2.2 Change-of-Authorization Messages (CoA) .......... 5 | 2.2 Change-of-Authorization Messages (CoA) .......... 5 | |||
| 2.3 Packet Format ................................... 6 | 2.3 Packet Format ................................... 6 | |||
| 3. Attributes ............................................ 10 | 3. Attributes ............................................ 9 | |||
| 3.1 Authorize Only .................................. 12 | 3.1 Proxy State ..................................... 11 | |||
| 3.2 State ........................................... 12 | 3.2 Authorize Only .................................. 12 | |||
| 3.3 Message-Authenticator ........................... 13 | 3.3 State ........................................... 12 | |||
| 3.4 Error-Cause ..................................... 14 | 3.4 Message-Authenticator ........................... 13 | |||
| 3.5 Table of Attributes ............................. 17 | 3.5 Error-Cause ..................................... 14 | |||
| 3.6 Table of Attributes ............................. 17 | ||||
| 4. Diameter Considerations ............................... 20 | 4. Diameter Considerations ............................... 20 | |||
| 5. IANA Considerations ................................... 22 | 5. IANA Considerations ................................... 22 | |||
| 6. Security Considerations ............................... 22 | 6. Security Considerations ............................... 23 | |||
| 6.1 Authorization Issues ............................ 22 | 6.1 Authorization Issues ............................ 23 | |||
| 6.2 Impersonation ................................... 23 | 6.2 Impersonation ................................... 23 | |||
| 6.3 IPsec Usage Guidelines .......................... 24 | 6.3 IPsec Usage Guidelines .......................... 24 | |||
| 6.4 Replay Protection ............................... 27 | 6.4 Replay Protection ............................... 27 | |||
| 7. Example Traces ........................................ 28 | 7. Example Traces ........................................ 28 | |||
| 8. References ............................................ 28 | 8. References ............................................ 28 | |||
| 8.1 Normative References ............................ 28 | 8.1 Normative References ............................ 28 | |||
| 8.2 Informative References .......................... 29 | 8.2 Informative References .......................... 29 | |||
| ACKNOWLEDGMENTS .............................................. 30 | ACKNOWLEDGMENTS .............................................. 30 | |||
| AUTHORS' ADDRESSES ........................................... 31 | AUTHORS' ADDRESSES ........................................... 31 | |||
| Appendix A - Changes from RFC 3576 ........................... 32 | Appendix A - Changes from RFC 3576 ........................... 32 | |||
| skipping to change at page 5, line 50 | skipping to change at page 5, line 50 | |||
| in Section 2.3), are the same as that for Disconnect-Request packets. | in Section 2.3), are the same as that for Disconnect-Request packets. | |||
| The following attributes MAY be sent in a CoA-Request: | The following attributes MAY be sent in a CoA-Request: | |||
| Filter-ID (11) - Indicates the name of a data filter list | Filter-ID (11) - Indicates the name of a data filter list | |||
| to be applied for the session that the | to be applied for the session that the | |||
| identification attributes map to. | identification attributes map to. | |||
| NAS-Filter-Rule (92) - Provides a filter list to be applied | NAS-Filter-Rule (92) - Provides a filter list to be applied | |||
| for the session that the identification | for the session that the identification | |||
| attributes map to [RFCFilter]. | attributes map to [RFC4849]. | |||
| +----------+ CoA-Request +----------+ | +----------+ CoA-Request +----------+ | |||
| | | <-------------------- | | | | | <-------------------- | | | |||
| | NAS | | RADIUS | | | NAS | | RADIUS | | |||
| | | CoA-Response | Server | | | | CoA-Response | Server | | |||
| | | ---------------------> | | | | | ---------------------> | | | |||
| +----------+ +----------+ | +----------+ +----------+ | |||
| The NAS responds to a CoA-Request sent by a RADIUS server with a CoA- | The NAS responds to a CoA-Request sent by a RADIUS server with a CoA- | |||
| ACK if the NAS is able to successfully change the authorizations for | ACK if the NAS is able to successfully change the authorizations for | |||
| the user session, or a CoA-NAK if the Request is unsuccessful. A NAS | the user session, or a CoA-NAK if the Request is unsuccessful. A NAS | |||
| MUST respond to a CoA-Request including a Service-Type Attribute with | MUST respond to a CoA-Request including a Service-Type Attribute with | |||
| an unsupported value with a CoA-NAK; an Error-Cause Attribute with | an unsupported value with a CoA-NAK; an Error-Cause Attribute with | |||
| value "Unsupported Service" MAY be included. | value "Unsupported Service" SHOULD be included. | |||
| 2.3. Packet Format | 2.3. Packet Format | |||
| For either Disconnect-Request or CoA-Request packets UDP port 3799 is | For either Disconnect-Request or CoA-Request packets UDP port 3799 is | |||
| used as the destination port. For responses, the source and | used as the destination port. For responses, the source and | |||
| destination ports are reversed. Exactly one RADIUS packet is | destination ports are reversed. Exactly one RADIUS packet is | |||
| encapsulated in the UDP Data field. | encapsulated in the UDP Data field. | |||
| A summary of the data format is shown below. The fields are | A summary of the data format is shown below. The fields are | |||
| transmitted from left to right. | transmitted from left to right. | |||
| skipping to change at page 8, line 47 | skipping to change at page 8, line 47 | |||
| Administrative note: As noted in [RFC2865] Section 3, the secret | Administrative note: As noted in [RFC2865] Section 3, the secret | |||
| (password shared between the client and the RADIUS server) SHOULD | (password shared between the client and the RADIUS server) SHOULD | |||
| be at least as large and unguessable as a well-chosen password. | be at least as large and unguessable as a well-chosen password. | |||
| RADIUS clients MUST use the source IP address of the RADIUS UDP | RADIUS clients MUST use the source IP address of the RADIUS UDP | |||
| packet to decide which shared secret to use, so that requests can | packet to decide which shared secret to use, so that requests can | |||
| be proxied. | be proxied. | |||
| Attributes | Attributes | |||
| In Disconnect and CoA-Request packets, all Attributes are treated | In Disconnect and CoA-Request packets, all Attributes are treated | |||
| as mandatory. A NAS MUST respond to a CoA-Request containing one | as mandatory. If one or more authorization changes specified in a | |||
| or more unsupported Attributes or Attribute values with a CoA-NAK; | CoA-Request cannot be carried out, the NAS MUST send a CoA-NAK. A | |||
| a Disconnect-Request containing one or more unsupported Attributes | NAS MUST respond to a CoA-Request containing one or more | |||
| or Attribute values MUST be answered with a Disconnect-NAK. State | unsupported Attributes or Attribute values with a CoA-NAK; an | |||
| changes resulting from a CoA-Request MUST be atomic: if the | Error-Cause Attribute with value 401 (Unsupported Attribute) or | |||
| Request is successful, a CoA-ACK is sent, and all requested | 407 (Invalid Attribute Value) MAY be included. A NAS MUST respond | |||
| authorization changes MUST be made. If the CoA-Request is | to a Disconnect-Request containing one or more unsupported | |||
| unsuccessful, a CoA-NAK MUST be sent, and the requested | Attributes or Attribute values with a Disconnect-NAK; an Error- | |||
| authorization changes MUST NOT be made. Similarly, a state change | Cause Attribute with value 401 (Unsupported Attribute) or 407 | |||
| MUST NOT occur as a result of an unsuccessful Disconnect-Request; | (Invalid Attribute Value) MAY be included. | |||
| here a Disconnect-NAK MUST be sent. | ||||
| Within this specification attributes may be used for | State changes resulting from a CoA-Request MUST be atomic: if the | |||
| identification, authorization or other purposes. RADIUS Attribue | Request is successful, a CoA-ACK MUST be sent in reply, and all | |||
| requested authorization changes MUST be made. If the CoA-Request | ||||
| is unsuccessful, a CoA-NAK MUST be sent in reply, and the | ||||
| requested authorization changes MUST NOT be made. Similarly, a | ||||
| state change MUST NOT occur as a result of an unsuccessful | ||||
| Disconnect-Request; a Disconnect-NAK MUST be sent in reply. | ||||
| Within this specification attributes can be used for | ||||
| identification, authorization or other purposes. RADIUS Attribute | ||||
| specifications created after publication of this document SHOULD | specifications created after publication of this document SHOULD | |||
| state whether an Attribute can be included in CoA or Disconnect | state whether an attribute can be included in CoA or Disconnect | |||
| messages and if so, which messages it may be included in and | messages and if so, which messages it can be included in and | |||
| whether it serves as an identification or authorization attribute. | whether it serves as an identification or authorization attribute. | |||
| Even if a NAS implements an attribute for use with RADIUS | Even if a NAS implements an attribute for use with RADIUS | |||
| authentication and accounting, it is possible that it will not | authentication and accounting, it is possible that it will not | |||
| support inclusion of that attribute within Disconnect-Request or | support inclusion of that attribute within Disconnect-Request or | |||
| CoA-Request packets, given the difference in attribute semantics. | CoA-Request packets, given the difference in attribute semantics. | |||
| This is true even for attributes specified as allowable within | This is true even for attributes specified as allowable within | |||
| Access-Accept packets (such as those defined within [RFC2865], | Access-Accept packets (such as those defined within [RFC2865], | |||
| [RFC2868], [RFC2869], [RFC3162], [RFC3579], [RFC4372], [RFC4675], | [RFC2868], [RFC2869], [RFC3162], [RFC3579], [RFC4372], [RFC4675], | |||
| [RFC4818] and [RFCFilter]). If unsupported attributes are | [RFC4818] and [RFC4849]). | |||
| included within a Disconnect/CoA-Request packet, the RADIUS client | ||||
| will send a Disconnect-NAK/CoA-NAK in response, possibly | ||||
| containing an Error-Cause attribute with value Unsupported | ||||
| Attribute (401). | ||||
| If there are any Proxy-State Attributes in a Disconnect-Request or | ||||
| CoA-Request received from the server, the forwarding proxy or NAS | ||||
| MUST include those Proxy-State Attributes in its response to the | ||||
| server. | ||||
| A forwarding proxy or NAS MUST NOT modify existing Proxy-State, | ||||
| State, or Class Attributes present in the packet. The forwarding | ||||
| proxy or NAS MUST treat any Proxy-State attributes already in the | ||||
| packet as opaque data. Its operation MUST NOT depend on the | ||||
| content of Proxy-State attributes added by previous proxies. The | ||||
| forwarding proxy MUST NOT modify any other Proxy-State Attributes | ||||
| that were in the packet; it may choose not to forward them, but it | ||||
| MUST NOT change their contents. If the forwarding proxy omits the | ||||
| Proxy-State Attributes in the request, it MUST attach them to the | ||||
| response before sending it. | ||||
| When the proxy forwards a Disconnect or CoA-Request, it MAY add a | ||||
| Proxy-State Attribute, but it MUST NOT add more than one. If a | ||||
| Proxy-State Attribute is added to a packet when forwarding the | ||||
| packet, the Proxy-State Attribute MUST be added after any existing | ||||
| Proxy-State attributes. The forwarding proxy MUST NOT change the | ||||
| order of any attributes of the same type, including Proxy-State. | ||||
| Other Attributes can be placed before, after or even between the | ||||
| Proxy-State Attributes. | ||||
| When the proxy receives a response to a CoA-Request or Disconnect- | ||||
| Request, it MUST remove its own Proxy-State (the last Proxy- State | ||||
| in the packet) before forwarding the response. Since Disconnect | ||||
| and CoA responses are authenticated on the entire packet contents, | ||||
| the stripping of the Proxy-State Attribute invalidates the | ||||
| integrity check - so the proxy needs to recompute it. | ||||
| 3. Attributes | 3. Attributes | |||
| In Disconnect-Request and CoA-Request packets, certain attributes are | In Disconnect-Request and CoA-Request packets, certain attributes are | |||
| used to uniquely identify the NAS as well as a user session on the | used to uniquely identify the NAS as well as a user session on the | |||
| NAS. All NAS identification attributes included in a Request packet | NAS. All NAS identification attributes included in a Request packet | |||
| MUST match in order for a Disconnect-Request or CoA-Request to be | MUST match in order for a Disconnect-Request or CoA-Request to be | |||
| successful; otherwise a Disconnect-NAK or CoA-NAK SHOULD be sent. | successful; otherwise a Disconnect-NAK or CoA-NAK SHOULD be sent. | |||
| For session identification attributes, the User-Name and Acct- | For session identification attributes, the User-Name and Acct- | |||
| Session-Id Attributes, if included, MUST match in order for a | Session-Id Attributes, if included, MUST match in order for a | |||
| skipping to change at page 11, line 4 | skipping to change at page 10, line 21 | |||
| NAS-IPv6-Address 95 [RFC3162] The IPv6 address of the NAS. | NAS-IPv6-Address 95 [RFC3162] The IPv6 address of the NAS. | |||
| Session identification attributes | Session identification attributes | |||
| Attribute # Reference Description | Attribute # Reference Description | |||
| --------- --- --------- ----------- | --------- --- --------- ----------- | |||
| User-Name 1 [RFC2865] The name of the user | User-Name 1 [RFC2865] The name of the user | |||
| associated with the session. | associated with the session. | |||
| NAS-Port 5 [RFC2865] The port on which the | NAS-Port 5 [RFC2865] The port on which the | |||
| session is terminated. | session is terminated. | |||
| Attribute # Reference Description | ||||
| --------- --- --------- ----------- | ||||
| Called-Station-Id 30 [RFC2865] The link address to which | Called-Station-Id 30 [RFC2865] The link address to which | |||
| the session is connected. | the session is connected. | |||
| Calling-Station-Id 31 [RFC2865] The link address from which | Calling-Station-Id 31 [RFC2865] The link address from which | |||
| the session is connected. | the session is connected. | |||
| Acct-Session-Id 44 [RFC2866] The identifier uniquely | Acct-Session-Id 44 [RFC2866] The identifier uniquely | |||
| identifying the session | identifying the session | |||
| on the NAS. | on the NAS. | |||
| Acct-Multi-Session-Id 50 [RFC2866] The identifier uniquely | Acct-Multi-Session-Id 50 [RFC2866] The identifier uniquely | |||
| identifying related sessions. | identifying related sessions. | |||
| NAS-Port-Id 87 [RFC2869] String identifying the port | NAS-Port-Id 87 [RFC2869] String identifying the port | |||
| skipping to change at page 11, line 35 | skipping to change at page 10, line 49 | |||
| User-Name or Chargeable-User-Identity attribute SHOULD be present in | User-Name or Chargeable-User-Identity attribute SHOULD be present in | |||
| Disconnect-Request and CoA-Request packets. | Disconnect-Request and CoA-Request packets. | |||
| Where a Diameter client utilizes the same Session-Id for both | Where a Diameter client utilizes the same Session-Id for both | |||
| authorization and accounting, inclusion of an Acct-Session-Id | authorization and accounting, inclusion of an Acct-Session-Id | |||
| Attribute in a Disconnect-Request or CoA-Request can assist with | Attribute in a Disconnect-Request or CoA-Request can assist with | |||
| Diameter/RADIUS translation, since Diameter RAR and ASR commands | Diameter/RADIUS translation, since Diameter RAR and ASR commands | |||
| include a Session-Id AVP. An Acct-Session-Id attribute SHOULD be | include a Session-Id AVP. An Acct-Session-Id attribute SHOULD be | |||
| included in Disconnect-Request and CoA-Request packets. | included in Disconnect-Request and CoA-Request packets. | |||
| Where the Acct-Session-Id or Acct-Multi-Session-Id attributes are not | Where the Acct-Session-Id Attribute is not present in a CoA-Request | |||
| present in a CoA-Request or Disconnect-Request, it is possible that | or Disconnect-Request, it is possible that the User-Name or | |||
| the User-Name or Chargeable-User-Identity attributes will not be | Chargeable-User-Identity attributes will not be sufficient to | |||
| sufficient to uniquely identify the session (e.g. if the same user | uniquely identify the session (e.g. if the same user has multiple | |||
| has multiple sessions on the NAS, or the privacy NAI is used). As a | sessions on the NAS, or the privacy NAI is used). As a result, one | |||
| result, the Called-Station-Id, Calling-Station-Id, NAS-Port and NAS- | or more of the Acct-Multi-Session-Id, Called-Station-Id, Calling- | |||
| Port-Id attributes MAY be used as additional session identification. | Station-Id, NAS-Port and NAS-Port-Id attributes MAY be used as | |||
| additional session identification. | ||||
| To address security concerns described in Section 6.2, one or more of | To address security concerns described in Section 6.2, one or more of | |||
| the NAS-IP-Address or NAS-IPv6-Address Attributes SHOULD be present | the NAS-IP-Address or NAS-IPv6-Address Attributes SHOULD be present | |||
| in Disconnect-Request and CoA-Request packets; the NAS-Identifier | in Disconnect-Request and CoA-Request packets; the NAS-Identifier | |||
| Attribute MAY be present. | Attribute MAY be present. | |||
| If one or more authorization changes specified in a CoA-Request | ||||
| cannot be carried out, or if one or more attributes or attribute- | ||||
| values is unsupported, a CoA-NAK MUST be sent. Similarly, if there | ||||
| are one or more unsupported attributes or attribute values in a | ||||
| Disconnect-Request, a Disconnect-NAK MUST be sent. | ||||
| A Disconnect-Request MUST contain only NAS and session identification | A Disconnect-Request MUST contain only NAS and session identification | |||
| attributes (see Section 3). If other attributes are included in a | attributes. If other attributes are included in a Disconnect- | |||
| Disconnect-Request, implementations MUST send a Disconnect-NAK; an | Request, implementations MUST send a Disconnect-NAK; an Error-Cause | |||
| Error-Cause Attribute with value "Unsupported Attribute" MAY be | Attribute with value "Unsupported Attribute" MAY be included. | |||
| included. | ||||
| 3.1. Authorize Only | 3.1. Proxy State | |||
| If there are any Proxy-State attributes in a Disconnect-Request or | ||||
| CoA-Request received from the server, the forwarding proxy or NAS | ||||
| MUST include those Proxy-State attributes in its response to the | ||||
| server. | ||||
| A forwarding proxy or NAS MUST NOT modify existing Proxy-State, | ||||
| State, or Class attributes present in the packet. The forwarding | ||||
| proxy or NAS MUST treat any Proxy-State attributes already in the | ||||
| packet as opaque data. Its operation MUST NOT depend on the content | ||||
| of Proxy-State attributes added by previous proxies. The forwarding | ||||
| proxy MUST NOT modify any other Proxy-State attributes that were in | ||||
| the packet; it may choose not to forward them, but it MUST NOT change | ||||
| their contents. If the forwarding proxy omits the Proxy-State | ||||
| attributes in the request, it MUST attach them to the response before | ||||
| sending it. | ||||
| When the proxy forwards a Disconnect or CoA-Request, it MAY add a | ||||
| Proxy-State Attribute, but it MUST NOT add more than one. If a | ||||
| Proxy-State Attribute is added to a packet when forwarding the | ||||
| packet, the Proxy-State Attribute MUST be added after any existing | ||||
| Proxy-State attributes. The forwarding proxy MUST NOT change the | ||||
| order of any attributes of the same type, including Proxy-State. | ||||
| Other attributes can be placed before, after or even between the | ||||
| Proxy-State attributes. | ||||
| When the proxy receives a response to a CoA-Request or Disconnect- | ||||
| Request, it MUST remove its own Proxy-State (the last Proxy- State in | ||||
| the packet) Attribute before forwarding the response. Since | ||||
| Disconnect and CoA responses are authenticated on the entire packet | ||||
| contents, the stripping of the Proxy-State Attribute invalidates the | ||||
| integrity check - so the proxy needs to recompute it. | ||||
| 3.2. Authorize Only | ||||
| Support for a CoA-Request including a Service-Type Attribute with | Support for a CoA-Request including a Service-Type Attribute with | |||
| value "Authorize Only" is OPTIONAL on the NAS and RADIUS server. A | value "Authorize Only" is OPTIONAL on the NAS and RADIUS server. A | |||
| Service-Type Attribute MUST NOT be included within a Disconnect- | Service-Type Attribute MUST NOT be included within a Disconnect- | |||
| Request. | Request. | |||
| A NAS MUST respond to a CoA-Request including a Service-Type | A NAS MUST respond to a CoA-Request including a Service-Type | |||
| Attribute with value "Authorize Only" with a CoA-NAK; a CoA-ACK MUST | Attribute with value "Authorize Only" with a CoA-NAK; a CoA-ACK MUST | |||
| NOT be sent. If the NAS does not support a Service-Type value of | NOT be sent. If the NAS does not support a Service-Type value of | |||
| "Authorize Only" then it MUST respond with a CoA-NAK; an Error-Cause | "Authorize Only" then it MUST respond with a CoA-NAK; an Error-Cause | |||
| skipping to change at page 12, line 48 | skipping to change at page 12, line 42 | |||
| CoA-Request, as well as the session identification attributes from | CoA-Request, as well as the session identification attributes from | |||
| the CoA-Request legal for inclusion in an Access-Request as specified | the CoA-Request legal for inclusion in an Access-Request as specified | |||
| in [RFC2865], [RFC2868], [RFC2869] and [RFC3162]. As noted in | in [RFC2865], [RFC2868], [RFC2869] and [RFC3162]. As noted in | |||
| [RFC2869] Section 5.19, a Message-Authenticator attribute SHOULD be | [RFC2869] Section 5.19, a Message-Authenticator attribute SHOULD be | |||
| included in an Access-Request that does not contain a User-Password, | included in an Access-Request that does not contain a User-Password, | |||
| CHAP-Password, ARAP-Password or EAP-Message Attribute. The RADIUS | CHAP-Password, ARAP-Password or EAP-Message Attribute. The RADIUS | |||
| server then will respond to the Access-Request with an Access-Accept | server then will respond to the Access-Request with an Access-Accept | |||
| to (re-)authorize the session or an Access-Reject to refuse to | to (re-)authorize the session or an Access-Reject to refuse to | |||
| (re-)authorize it. | (re-)authorize it. | |||
| 3.2. State | 3.3. State | |||
| The State Attribute is available to be sent by the RADIUS server to | The State Attribute is available to be sent by the RADIUS server to | |||
| the NAS in a CoA-Request packet and MUST be sent unmodified from the | the NAS in a CoA-Request packet and MUST be sent unmodified from the | |||
| NAS to the RADIUS server in a subsequent ACK or NAK packet. | NAS to the RADIUS server in a subsequent ACK or NAK packet. | |||
| [RFC2865] Section 5.44 states: | [RFC2865] Section 5.44 states: | |||
| An Access-Request MUST contain either a User-Password or a CHAP- | An Access-Request MUST contain either a User-Password or a CHAP- | |||
| Password or State. An Access-Request MUST NOT contain both a | Password or State. An Access-Request MUST NOT contain both a | |||
| User-Password and a CHAP-Password. If future extensions allow | User-Password and a CHAP-Password. If future extensions allow | |||
| skipping to change at page 13, line 37 | skipping to change at page 13, line 31 | |||
| The State Attribute is also available to be sent by the RADIUS server | The State Attribute is also available to be sent by the RADIUS server | |||
| to the NAS in a CoA-Request that also includes a Termination-Action | to the NAS in a CoA-Request that also includes a Termination-Action | |||
| Attribute with the value of RADIUS-Request. If the client performs | Attribute with the value of RADIUS-Request. If the client performs | |||
| the Termination-Action by sending a new Access-Request upon | the Termination-Action by sending a new Access-Request upon | |||
| termination of the current session, it MUST include the State | termination of the current session, it MUST include the State | |||
| Attribute unchanged in that Access-Request. In either usage, the | Attribute unchanged in that Access-Request. In either usage, the | |||
| client MUST NOT interpret the Attribute locally. A CoA-Request | client MUST NOT interpret the Attribute locally. A CoA-Request | |||
| packet must have only zero or one State Attribute. Usage of the | packet must have only zero or one State Attribute. Usage of the | |||
| State Attribute is implementation dependent. | State Attribute is implementation dependent. | |||
| 3.3. Message-Authenticator | 3.4. Message-Authenticator | |||
| The Message-Authenticator Attribute MAY be used to authenticate and | The Message-Authenticator Attribute MAY be used to authenticate and | |||
| integrity-protect CoA-Request, CoA-ACK, CoA-NAK, Disconnect-Request, | integrity-protect CoA-Request, CoA-ACK, CoA-NAK, Disconnect-Request, | |||
| Disconnect-ACK and Disconnect-NAK packets order to prevent spoofing. | Disconnect-ACK and Disconnect-NAK packets order to prevent spoofing. | |||
| A RADIUS client receiving a CoA-Request or Disconnect-Request with a | A RADIUS client receiving a CoA-Request or Disconnect-Request with a | |||
| Message-Authenticator Attribute present MUST calculate the correct | Message-Authenticator Attribute present MUST calculate the correct | |||
| value of the Message-Authenticator and silently discard the packet if | value of the Message-Authenticator and silently discard the packet if | |||
| it does not match the value sent. A RADIUS server receiving a | it does not match the value sent. A RADIUS server receiving a | |||
| CoA/Disconnect-ACK or CoA/Disconnect-NAK with a Message-Authenticator | CoA/Disconnect-ACK or CoA/Disconnect-NAK with a Message-Authenticator | |||
| skipping to change at page 14, line 29 | skipping to change at page 14, line 24 | |||
| Message-Authenticator = HMAC-MD5 (Type, Identifier, Length, | Message-Authenticator = HMAC-MD5 (Type, Identifier, Length, | |||
| Request Authenticator, Attributes) | Request Authenticator, Attributes) | |||
| When the HMAC-MD5 message integrity check is calculated the | When the HMAC-MD5 message integrity check is calculated the | |||
| Message-Authenticator Attribute should be considered to be sixteen | Message-Authenticator Attribute should be considered to be sixteen | |||
| octets of zero. The Request Authenticator is taken from the | octets of zero. The Request Authenticator is taken from the | |||
| corresponding CoA/Disconnect-Request. The Message-Authenticator | corresponding CoA/Disconnect-Request. The Message-Authenticator | |||
| is calculated and inserted in the packet before the Response | is calculated and inserted in the packet before the Response | |||
| Authenticator is calculated. | Authenticator is calculated. | |||
| 3.4. Error-Cause | 3.5. Error-Cause | |||
| Description | Description | |||
| It is possible that the NAS cannot honor Disconnect-Request or | It is possible that the NAS cannot honor Disconnect-Request or | |||
| CoA-Request packets for some reason. The Error-Cause Attribute | CoA-Request packets for some reason. The Error-Cause Attribute | |||
| provides more detail on the cause of the problem. It MAY be | provides more detail on the cause of the problem. It MAY be | |||
| included within Disconnect-NAK and CoA-NAK packets. | included within Disconnect-NAK and CoA-NAK packets. | |||
| A summary of the Error-Cause Attribute format is shown below. The | A summary of the Error-Cause Attribute format is shown below. The | |||
| fields are transmitted from left to right. | fields are transmitted from left to right. | |||
| skipping to change at page 15, line 34 | skipping to change at page 15, line 30 | |||
| # Value | # Value | |||
| --- ----- | --- ----- | |||
| 201 Residual Session Context Removed | 201 Residual Session Context Removed | |||
| 202 Invalid EAP Packet (Ignored) | 202 Invalid EAP Packet (Ignored) | |||
| 401 Unsupported Attribute | 401 Unsupported Attribute | |||
| 402 Missing Attribute | 402 Missing Attribute | |||
| 403 NAS Identification Mismatch | 403 NAS Identification Mismatch | |||
| 404 Invalid Request | 404 Invalid Request | |||
| 405 Unsupported Service | 405 Unsupported Service | |||
| 406 Unsupported Extension | 406 Unsupported Extension | |||
| 407 Invalid Attribute Value | ||||
| 501 Administratively Prohibited | 501 Administratively Prohibited | |||
| 502 Request Not Routable (Proxy) | 502 Request Not Routable (Proxy) | |||
| 503 Session Context Not Found | 503 Session Context Not Found | |||
| 504 Session Context Not Removable | 504 Session Context Not Removable | |||
| 505 Other Proxy Processing Error | 505 Other Proxy Processing Error | |||
| 506 Resources Unavailable | 506 Resources Unavailable | |||
| 507 Request Initiated | 507 Request Initiated | |||
| "Residual Session Context Removed" is sent in response to a | "Residual Session Context Removed" is sent in response to a | |||
| Disconnect-Request if the user session is no longer active, but | Disconnect-Request if the user session is no longer active, but | |||
| skipping to change at page 16, line 30 | skipping to change at page 16, line 28 | |||
| Attribute included with the Request is sent with an invalid or | Attribute included with the Request is sent with an invalid or | |||
| unsupported value. This error cannot be sent in response to a | unsupported value. This error cannot be sent in response to a | |||
| Disconnect-Request. | Disconnect-Request. | |||
| "Unsupported Extension" is a fatal error sent due to lack of | "Unsupported Extension" is a fatal error sent due to lack of | |||
| support for an extension such as Disconnect and/or CoA packets. | support for an extension such as Disconnect and/or CoA packets. | |||
| This will typically be sent by a proxy receiving an ICMP port | This will typically be sent by a proxy receiving an ICMP port | |||
| unreachable message after attempting to forward a Request to the | unreachable message after attempting to forward a Request to the | |||
| NAS. | NAS. | |||
| "Unsupported Attribute Value" is a fatal error sent if a Request | ||||
| contains an attribute with an unsupported value. | ||||
| "Administratively Prohibited" is a fatal error sent if the NAS is | "Administratively Prohibited" is a fatal error sent if the NAS is | |||
| configured to prohibit honoring of Request packets for the | configured to prohibit honoring of Request packets for the | |||
| specified session. | specified session. | |||
| "Request Not Routable" is a fatal error which MAY be sent by a | "Request Not Routable" is a fatal error which MAY be sent by a | |||
| RADIUS proxy and MUST NOT be sent by a NAS. It indicates that the | RADIUS proxy and MUST NOT be sent by a NAS. It indicates that the | |||
| RADIUS proxy was unable to determine how to route the Request to | RADIUS proxy was unable to determine how to route the Request to | |||
| the NAS. For example, this can occur if the required entries are | the NAS. For example, this can occur if the required entries are | |||
| not present in the proxy's realm routing table. | not present in the proxy's realm routing table. | |||
| skipping to change at page 17, line 16 | skipping to change at page 17, line 16 | |||
| not be honored due to lack of available NAS resources (memory, | not be honored due to lack of available NAS resources (memory, | |||
| non- volatile storage, etc.). | non- volatile storage, etc.). | |||
| "Request Initiated" is a fatal error sent in response to a CoA- | "Request Initiated" is a fatal error sent in response to a CoA- | |||
| Request including a Service-Type Attribute with a value of | Request including a Service-Type Attribute with a value of | |||
| "Authorize Only". It indicates that the CoA-Request has not been | "Authorize Only". It indicates that the CoA-Request has not been | |||
| honored, but that a RADIUS Access-Request including a Service-Type | honored, but that a RADIUS Access-Request including a Service-Type | |||
| Attribute with value "Authorize Only" is being sent to the RADIUS | Attribute with value "Authorize Only" is being sent to the RADIUS | |||
| server. | server. | |||
| 3.5. Table of Attributes | 3.6. Table of Attributes | |||
| The following table provides a guide to which attributes may be found | The following table provides a guide to which attributes may be found | |||
| in which packets, and in what quantity. | in which packets, and in what quantity. | |||
| Change-of-Authorization Messages | Change-of-Authorization Messages | |||
| Request ACK NAK # Attribute | Request ACK NAK # Attribute | |||
| 0-1 0 0 1 User-Name [Note 1] | 0-1 0 0 1 User-Name [Note 1] | |||
| 0-1 0 0 4 NAS-IP-Address [Note 1] | 0-1 0 0 4 NAS-IP-Address [Note 1] | |||
| 0-1 0 0 5 NAS-Port [Note 1] | 0-1 0 0 5 NAS-Port [Note 1] | |||
| skipping to change at page 22, line 20 | skipping to change at page 22, line 20 | |||
| Removed | Removed | |||
| 202 Invalid EAP Packet DIAMETER_LIMITED_SUCCESS | 202 Invalid EAP Packet DIAMETER_LIMITED_SUCCESS | |||
| (Ignored) | (Ignored) | |||
| 401 Unsupported Attribute DIAMETER_AVP_UNSUPPORTED | 401 Unsupported Attribute DIAMETER_AVP_UNSUPPORTED | |||
| 402 Missing Attribute DIAMETER_MISSING_AVP | 402 Missing Attribute DIAMETER_MISSING_AVP | |||
| 403 NAS Identification DIAMETER_REALM_NOT_SERVED | 403 NAS Identification DIAMETER_REALM_NOT_SERVED | |||
| Mismatch | Mismatch | |||
| 404 Invalid Request DIAMETER_UNABLE_TO_COMPLY | 404 Invalid Request DIAMETER_UNABLE_TO_COMPLY | |||
| 405 Unsupported Service DIAMETER_COMMAND_UNSUPPORTED | 405 Unsupported Service DIAMETER_COMMAND_UNSUPPORTED | |||
| 406 Unsupported Extension DIAMETER_APPLICATION_UNSUPPORTED | 406 Unsupported Extension DIAMETER_APPLICATION_UNSUPPORTED | |||
| 407 Invalid Attribute Value DIAMETER_INVALID_AVP_VALUE | ||||
| 501 Administratively DIAMETER_AUTHORIZATION_REJECTED | 501 Administratively DIAMETER_AUTHORIZATION_REJECTED | |||
| Prohibited | Prohibited | |||
| 502 Request Not Routable (Proxy) DIAMETER_UNABLE_TO_DELIVER | 502 Request Not Routable (Proxy) DIAMETER_UNABLE_TO_DELIVER | |||
| 503 Session Context Not Found DIAMETER_UNKNOWN_SESSION_ID | 503 Session Context Not Found DIAMETER_UNKNOWN_SESSION_ID | |||
| 504 Session Context Not DIAMETER_AUTHORIZATION_REJECTED | 504 Session Context Not DIAMETER_AUTHORIZATION_REJECTED | |||
| Removable | Removable | |||
| 505 Other Proxy Processing DIAMETER_UNABLE_TO_COMPLY | 505 Other Proxy Processing DIAMETER_UNABLE_TO_COMPLY | |||
| Error | Error | |||
| 506 Resources Unavailable DIAMETER_RESOURCES_EXCEEDED | 506 Resources Unavailable DIAMETER_RESOURCES_EXCEEDED | |||
| 507 Request Initiated DIAMETER_SUCCESS | 507 Request Initiated DIAMETER_SUCCESS | |||
| Since both the ASR/ASA and Disconnect-Request/Disconnect- | Since both the ASR/ASA and Disconnect-Request/Disconnect- | |||
| NAK/Disconnect-ACK exchanges involve just a request and response, | NAK/Disconnect-ACK exchanges involve just a request and response, | |||
| inclusion of an "Authorize Only" Service-Type within a Disconnect- | inclusion of an "Authorize Only" Service-Type within a Disconnect- | |||
| Request is not needed to assist in Diameter/RADIUS translation, and | Request is not needed to assist in Diameter/RADIUS translation, and | |||
| may make translation more difficult. As a result, the Service-Type | may make translation more difficult. As a result, the Service-Type | |||
| Attribute MUST NOT be used within a Disconnect-Request. | Attribute MUST NOT be used within a Disconnect-Request. | |||
| 5. IANA Considerations | 5. IANA Considerations | |||
| This specification contains no actions for IANA. All protocol | This document uses the RADIUS [RFC2865] namespace, see | |||
| parameters required for this document were previously approved as | <http://www.iana.org/assignments/radius-types>. In addition to the | |||
| part of the publication of [RFC3576]. | allocations already made in [RFC3576], this specification requests | |||
| allocation of an additional value of the Error-Cause Attribute (101): | ||||
| # Value | ||||
| --- ----- | ||||
| 407 Invalid Attribute Value | ||||
| 6. Security Considerations | 6. Security Considerations | |||
| 6.1. Authorization Issues | 6.1. Authorization Issues | |||
| Where a NAS is shared by multiple providers, it is undesirable for | Where a NAS is shared by multiple providers, it is undesirable for | |||
| one provider to be able to send Disconnect-Request or CoA-Requests | one provider to be able to send Disconnect-Request or CoA-Requests | |||
| affecting the sessions of another provider. | affecting the sessions of another provider. | |||
| A NAS or RADIUS proxy MUST silently discard Disconnect-Request or | A NAS or RADIUS proxy MUST silently discard Disconnect-Request or | |||
| skipping to change at page 30, line 5 | skipping to change at page 30, line 11 | |||
| [RFC4372] Adrangi, F., Lior, A., Korhonen, J. and J. Loughney, | [RFC4372] Adrangi, F., Lior, A., Korhonen, J. and J. Loughney, | |||
| "Chargeable User Identity", RFC 4372, January 2006. | "Chargeable User Identity", RFC 4372, January 2006. | |||
| [RFC4675] Congdon, P., Sanchez, M. and B. Aboba, "RADIUS Attributes for | [RFC4675] Congdon, P., Sanchez, M. and B. Aboba, "RADIUS Attributes for | |||
| Virtual LAN and Priority Support", RFC 4675, September 2006. | Virtual LAN and Priority Support", RFC 4675, September 2006. | |||
| [RFC4818] Salowey, J. and R. Droms, "RADIUS Delegated-IPv6-Prefix | [RFC4818] Salowey, J. and R. Droms, "RADIUS Delegated-IPv6-Prefix | |||
| Attribute", RFC 4818, April 2007. | Attribute", RFC 4818, April 2007. | |||
| [RFCFilter] | [RFC4849] Congdon, P., Sanchez, M. and B. Aboba, "RADIUS Filter Rule | |||
| Congdon, P., Sanchez, M. and B. Aboba, "RADIUS Filter Rule | Attribute", RFC 4849, April 2007. | |||
| Attribute", draft-ietf-radext-filter-08.txt, Internet draft | ||||
| (work in progress), January 2007. | ||||
| [MD5Attack] | [MD5Attack] | |||
| Dobbertin, H., "The Status of MD5 After a Recent Attack", | Dobbertin, H., "The Status of MD5 After a Recent Attack", | |||
| CryptoBytes Vol.2 No.2, Summer 1996. | CryptoBytes Vol.2 No.2, Summer 1996. | |||
| Acknowledgments | Acknowledgments | |||
| This protocol was first developed and distributed by Ascend | This protocol was first developed and distributed by Ascend | |||
| Communications. Example code was distributed in their free server | Communications. Example code was distributed in their free server | |||
| kit. | kit. | |||
| skipping to change at page 32, line 11 | skipping to change at page 32, line 11 | |||
| EMail: bernarda@microsoft.com | EMail: bernarda@microsoft.com | |||
| Phone: +1 425 706 6605 | Phone: +1 425 706 6605 | |||
| Fax: +1 425 936 7329 | Fax: +1 425 936 7329 | |||
| Appendix A - Changes from RFC 3576 | Appendix A - Changes from RFC 3576 | |||
| This Appendix lists the major changes between [RFC3576] and this | This Appendix lists the major changes between [RFC3576] and this | |||
| document. Minor changes, including style, grammar, spelling, and | document. Minor changes, including style, grammar, spelling, and | |||
| editorial changes are not mentioned here. | editorial changes are not mentioned here. | |||
| o Added details relating to handling of the Proxy-State Attribute. | o Added requirement for duplicate detection on the RADIUS client | |||
| Added requirement for duplicate detection on the RADIUS client | ||||
| (Section 2.3). | (Section 2.3). | |||
| o Added Chargeable-User-Identity as a session identification | o Added Chargeable-User-Identity as a session identification | |||
| attribute. Removed Framed-IP-Address, Framed-IPv6-Prefix, Framed- | attribute. Removed Framed-IP-Address, Framed-IPv6-Prefix, Framed- | |||
| Interface-Id and NAS-Port-Type attributes as session identification | Interface-Id and NAS-Port-Type attributes as session identification | |||
| attributes (Section 3). | attributes (Section 3). | |||
| o Added details relating to handling of the Proxy-State Attribute | ||||
| (Section 3.1). | ||||
| o Added statement that support for "Authorize Only" Service-Type is | ||||
| optional (Section 3.2). | ||||
| o Added requirements for inclusion of the State Attribute in CoA- | o Added requirements for inclusion of the State Attribute in CoA- | |||
| Request packets with a Service-Type of "Authorize Only" (Section | Request packets with a Service-Type of "Authorize Only" (Section | |||
| 3.2). | 3.3). | |||
| o Added clarification on the calculation of the Message-Authenticator | o Added clarification on the calculation of the Message-Authenticator | |||
| Attribute (Section 3.3). | Attribute (Section 3.4). | |||
| o Added statement that support for "Authorize Only" Service-Type is | o An additional Error-Cause Attribute value (407) is allocated for | |||
| optional (Section 3.5). | Invalid Attribute Value (Sections 3.5, 4). | |||
| o Updated CoA-Request Attribute Table to include Filter-Rule, | o Updated CoA-Request Attribute Table to include Filter-Rule, | |||
| Delegated-IPv6-Prefix, Egress-VLANID, Ingress-Filters, Egress-VLAN- | Delegated-IPv6-Prefix, Egress-VLANID, Ingress-Filters, Egress-VLAN- | |||
| Name and User-Priority attributes (Section 3.5). | Name and User-Priority attributes (Section 3.6). | |||
| o Added the Chargeable-User-Identity Attribute to both the CoA- | o Added the Chargeable-User-Identity Attribute to both the CoA- | |||
| Request and Disconnect-Request Attribute table (Section 3.5). | Request and Disconnect-Request Attribute table (Section 3.6). | |||
| o Added note on the use of the CoA-Request for renumbering (Section | o Added note on the use of the CoA-Request for renumbering (Section | |||
| 3.5). | 3.6). | |||
| o Use of Service-Type and Error-Cause attributes within a Disconnect- | o Use of Service-Type Attribute within a Disconnect-Request is | |||
| Request is prohibited (Sections 3.5). | prohibited (Sections 3.2, 3.6, 4). | |||
| o Added Diameter Considerations (Section 4). | o Added Diameter Considerations (Section 4). | |||
| o Changed the text to indicate that the Event-Timestamp Attribute | o Changed the text to indicate that the Event-Timestamp Attribute | |||
| should not be recalculated on retransmission. The implications for | should not be recalculated on retransmission. The implications for | |||
| replay and duplicate detection are discussed (Section 6.4). | replay and duplicate detection are discussed (Section 6.4). | |||
| Full Copyright Statement | Full Copyright Statement | |||
| Copyright (C) The IETF Trust (2007). | Copyright (C) The IETF Trust (2007). | |||
| End of changes. 32 change blocks. | ||||
| 107 lines changed or deleted | 117 lines changed or added | |||
This html diff was produced by rfcdiff 1.33. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||