draft-ietf-radext-rfc3576bis-05.txt | draft-ietf-radext-rfc3576bis-06.txt | |||
---|---|---|---|---|
Network Working Group Murtaza S. Chiba | Network Working Group Murtaza S. Chiba | |||
INTERNET-DRAFT Gopal Dommety | INTERNET-DRAFT Gopal Dommety | |||
Obsoletes: 3576 Mark Eklund | Obsoletes: 3576 Mark Eklund | |||
Category: Informational Cisco Systems, Inc. | Category: Informational Cisco Systems, Inc. | |||
<draft-ietf-radext-rfc3576bis-05.txt> David Mitton | <draft-ietf-radext-rfc3576bis-06.txt> David Mitton | |||
22 May 2007 RSA Security, Inc. | 23 May 2007 RSA Security, Inc. | |||
Bernard Aboba | Bernard Aboba | |||
Microsoft Corporation | Microsoft Corporation | |||
Dynamic Authorization Extensions to Remote Authentication Dial In User | Dynamic Authorization Extensions to Remote Authentication Dial In User | |||
Service (RADIUS) | Service (RADIUS) | |||
By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
skipping to change at page 2, line 15 | skipping to change at page 2, line 15 | |||
Table of Contents | Table of Contents | |||
1. Introduction .......................................... 3 | 1. Introduction .......................................... 3 | |||
1.1 Applicability ................................... 3 | 1.1 Applicability ................................... 3 | |||
1.2 Requirements Language ........................... 4 | 1.2 Requirements Language ........................... 4 | |||
1.3 Terminology ..................................... 4 | 1.3 Terminology ..................................... 4 | |||
2. Overview ............................................. 5 | 2. Overview ............................................. 5 | |||
2.1 Disconnect Messages (DM) ........................ 5 | 2.1 Disconnect Messages (DM) ........................ 5 | |||
2.2 Change-of-Authorization Messages (CoA) .......... 5 | 2.2 Change-of-Authorization Messages (CoA) .......... 5 | |||
2.3 Packet Format ................................... 6 | 2.3 Packet Format ................................... 6 | |||
3. Attributes ............................................ 10 | 3. Attributes ............................................ 9 | |||
3.1 Authorize Only .................................. 12 | 3.1 Proxy State ..................................... 11 | |||
3.2 State ........................................... 12 | 3.2 Authorize Only .................................. 12 | |||
3.3 Message-Authenticator ........................... 13 | 3.3 State ........................................... 12 | |||
3.4 Error-Cause ..................................... 14 | 3.4 Message-Authenticator ........................... 13 | |||
3.5 Table of Attributes ............................. 17 | 3.5 Error-Cause ..................................... 14 | |||
 | 3.6 Table of Attributes ............................. 17 | |||
4. Diameter Considerations ............................... 20 | 4. Diameter Considerations ............................... 20 | |||
5. IANA Considerations ................................... 22 | 5. IANA Considerations ................................... 22 | |||
6. Security Considerations ............................... 22 | 6. Security Considerations ............................... 23 | |||
6.1 Authorization Issues ............................ 22 | 6.1 Authorization Issues ............................ 23 | |||
6.2 Impersonation ................................... 23 | 6.2 Impersonation ................................... 23 | |||
6.3 IPsec Usage Guidelines .......................... 24 | 6.3 IPsec Usage Guidelines .......................... 24 | |||
6.4 Replay Protection ............................... 27 | 6.4 Replay Protection ............................... 27 | |||
7. Example Traces ........................................ 28 | 7. Example Traces ........................................ 28 | |||
8. References ............................................ 28 | 8. References ............................................ 28 | |||
8.1 Normative References ............................ 28 | 8.1 Normative References ............................ 28 | |||
8.2 Informative References .......................... 29 | 8.2 Informative References .......................... 29 | |||
ACKNOWLEDGMENTS .............................................. 30 | ACKNOWLEDGMENTS .............................................. 30 | |||
AUTHORS' ADDRESSES ........................................... 31 | AUTHORS' ADDRESSES ........................................... 31 | |||
Appendix A - Changes from RFC 3576 ........................... 32 | Appendix A - Changes from RFC 3576 ........................... 32 | |||
skipping to change at page 5, line 50 | skipping to change at page 5, line 50 | |||
in Section 2.3), are the same as that for Disconnect-Request packets. | in Section 2.3), are the same as that for Disconnect-Request packets. | |||
The following attributes MAY be sent in a CoA-Request: | The following attributes MAY be sent in a CoA-Request: | |||
Filter-ID (11) - Indicates the name of a data filter list | Filter-ID (11) - Indicates the name of a data filter list | |||
to be applied for the session that the | to be applied for the session that the | |||
identification attributes map to. | identification attributes map to. | |||
NAS-Filter-Rule (92) - Provides a filter list to be applied | NAS-Filter-Rule (92) - Provides a filter list to be applied | |||
for the session that the identification | for the session that the identification | |||
attributes map to [RFCFilter]. | attributes map to [RFC4849]. | |||
+----------+ CoA-Request +----------+ | +----------+ CoA-Request +----------+ | |||
| | <-------------------- | | | | | <-------------------- | | | |||
| NAS | | RADIUS | | | NAS | | RADIUS | | |||
| | CoA-Response | Server | | | | CoA-Response | Server | | |||
| | ---------------------> | | | | | ---------------------> | | | |||
+----------+ +----------+ | +----------+ +----------+ | |||
The NAS responds to a CoA-Request sent by a RADIUS server with a CoA- | The NAS responds to a CoA-Request sent by a RADIUS server with a CoA- | |||
ACK if the NAS is able to successfully change the authorizations for | ACK if the NAS is able to successfully change the authorizations for | |||
the user session, or a CoA-NAK if the Request is unsuccessful. A NAS | the user session, or a CoA-NAK if the Request is unsuccessful. A NAS | |||
MUST respond to a CoA-Request including a Service-Type Attribute with | MUST respond to a CoA-Request including a Service-Type Attribute with | |||
an unsupported value with a CoA-NAK; an Error-Cause Attribute with | an unsupported value with a CoA-NAK; an Error-Cause Attribute with | |||
value "Unsupported Service" MAY be included. | value "Unsupported Service" SHOULD be included. | |||
2.3. Packet Format | 2.3. Packet Format | |||
For either Disconnect-Request or CoA-Request packets UDP port 3799 is | For either Disconnect-Request or CoA-Request packets UDP port 3799 is | |||
used as the destination port. For responses, the source and | used as the destination port. For responses, the source and | |||
destination ports are reversed. Exactly one RADIUS packet is | destination ports are reversed. Exactly one RADIUS packet is | |||
encapsulated in the UDP Data field. | encapsulated in the UDP Data field. | |||
A summary of the data format is shown below. The fields are | A summary of the data format is shown below. The fields are | |||
transmitted from left to right. | transmitted from left to right. | |||
skipping to change at page 8, line 47 | skipping to change at page 8, line 47 | |||
Administrative note: As noted in [RFC2865] Section 3, the secret | Administrative note: As noted in [RFC2865] Section 3, the secret | |||
(password shared between the client and the RADIUS server) SHOULD | (password shared between the client and the RADIUS server) SHOULD | |||
be at least as large and unguessable as a well-chosen password. | be at least as large and unguessable as a well-chosen password. | |||
RADIUS clients MUST use the source IP address of the RADIUS UDP | RADIUS clients MUST use the source IP address of the RADIUS UDP | |||
packet to decide which shared secret to use, so that requests can | packet to decide which shared secret to use, so that requests can | |||
be proxied. | be proxied. | |||
Attributes | Attributes | |||
In Disconnect and CoA-Request packets, all Attributes are treated | In Disconnect and CoA-Request packets, all Attributes are treated | |||
as mandatory. A NAS MUST respond to a CoA-Request containing one | as mandatory. If one or more authorization changes specified in a | |||
or more unsupported Attributes or Attribute values with a CoA-NAK; | CoA-Request cannot be carried out, the NAS MUST send a CoA-NAK. A | |||
a Disconnect-Request containing one or more unsupported Attributes | NAS MUST respond to a CoA-Request containing one or more | |||
or Attribute values MUST be answered with a Disconnect-NAK. State | unsupported Attributes or Attribute values with a CoA-NAK; an | |||
changes resulting from a CoA-Request MUST be atomic: if the | Error-Cause Attribute with value 401 (Unsupported Attribute) or | |||
Request is successful, a CoA-ACK is sent, and all requested | 407 (Invalid Attribute Value) MAY be included. A NAS MUST respond | |||
authorization changes MUST be made. If the CoA-Request is | to a Disconnect-Request containing one or more unsupported | |||
unsuccessful, a CoA-NAK MUST be sent, and the requested | Attributes or Attribute values with a Disconnect-NAK; an Error- | |||
authorization changes MUST NOT be made. Similarly, a state change | Cause Attribute with value 401 (Unsupported Attribute) or 407 | |||
MUST NOT occur as a result of an unsuccessful Disconnect-Request; | (Invalid Attribute Value) MAY be included. | |||
here a Disconnect-NAK MUST be sent. | ||||
Within this specification attributes may be used for | State changes resulting from a CoA-Request MUST be atomic: if the | |||
identification, authorization or other purposes. RADIUS Attribue | Request is successful, a CoA-ACK MUST be sent in reply, and all | |||
 | requested authorization changes MUST be made. If the CoA-Request | |||
 | is unsuccessful, a CoA-NAK MUST be sent in reply, and the | |||
 | requested authorization changes MUST NOT be made. Similarly, a | |||
 | state change MUST NOT occur as a result of an unsuccessful | |||
 | Disconnect-Request; a Disconnect-NAK MUST be sent in reply. | |||
 | Within this specification attributes can be used for | |||
 | identification, authorization or other purposes. RADIUS Attribute | |||
specifications created after publication of this document SHOULD | specifications created after publication of this document SHOULD | |||
state whether an Attribute can be included in CoA or Disconnect | state whether an attribute can be included in CoA or Disconnect | |||
messages and if so, which messages it may be included in and | messages and if so, which messages it can be included in and | |||
whether it serves as an identification or authorization attribute. | whether it serves as an identification or authorization attribute. | |||
Even if a NAS implements an attribute for use with RADIUS | Even if a NAS implements an attribute for use with RADIUS | |||
authentication and accounting, it is possible that it will not | authentication and accounting, it is possible that it will not | |||
support inclusion of that attribute within Disconnect-Request or | support inclusion of that attribute within Disconnect-Request or | |||
CoA-Request packets, given the difference in attribute semantics. | CoA-Request packets, given the difference in attribute semantics. | |||
This is true even for attributes specified as allowable within | This is true even for attributes specified as allowable within | |||
Access-Accept packets (such as those defined within [RFC2865], | Access-Accept packets (such as those defined within [RFC2865], | |||
[RFC2868], [RFC2869], [RFC3162], [RFC3579], [RFC4372], [RFC4675], | [RFC2868], [RFC2869], [RFC3162], [RFC3579], [RFC4372], [RFC4675], | |||
[RFC4818] and [RFCFilter]). If unsupported attributes are | [RFC4818] and [RFC4849]). | |||
included within a Disconnect/CoA-Request packet, the RADIUS client | ||||
will send a Disconnect-NAK/CoA-NAK in response, possibly | ||||
containing an Error-Cause attribute with value Unsupported | ||||
Attribute (401). | ||||
If there are any Proxy-State Attributes in a Disconnect-Request or | ||||
CoA-Request received from the server, the forwarding proxy or NAS | ||||
MUST include those Proxy-State Attributes in its response to the | ||||
server. | ||||
A forwarding proxy or NAS MUST NOT modify existing Proxy-State, | ||||
State, or Class Attributes present in the packet. The forwarding | ||||
proxy or NAS MUST treat any Proxy-State attributes already in the | ||||
packet as opaque data. Its operation MUST NOT depend on the | ||||
content of Proxy-State attributes added by previous proxies. The | ||||
forwarding proxy MUST NOT modify any other Proxy-State Attributes | ||||
that were in the packet; it may choose not to forward them, but it | ||||
MUST NOT change their contents. If the forwarding proxy omits the | ||||
Proxy-State Attributes in the request, it MUST attach them to the | ||||
response before sending it. | ||||
When the proxy forwards a Disconnect or CoA-Request, it MAY add a | ||||
Proxy-State Attribute, but it MUST NOT add more than one. If a | ||||
Proxy-State Attribute is added to a packet when forwarding the | ||||
packet, the Proxy-State Attribute MUST be added after any existing | ||||
Proxy-State attributes. The forwarding proxy MUST NOT change the | ||||
order of any attributes of the same type, including Proxy-State. | ||||
Other Attributes can be placed before, after or even between the | ||||
Proxy-State Attributes. | ||||
When the proxy receives a response to a CoA-Request or Disconnect- | ||||
Request, it MUST remove its own Proxy-State (the last Proxy-State | ||||
in the packet) before forwarding the response. Since Disconnect | ||||
and CoA responses are authenticated on the entire packet contents, | ||||
the stripping of the Proxy-State Attribute invalidates the | ||||
integrity check - so the proxy needs to recompute it. | ||||
3. Attributes | 3. Attributes | |||
In Disconnect-Request and CoA-Request packets, certain attributes are | In Disconnect-Request and CoA-Request packets, certain attributes are | |||
used to uniquely identify the NAS as well as a user session on the | used to uniquely identify the NAS as well as a user session on the | |||
NAS. All NAS identification attributes included in a Request packet | NAS. All NAS identification attributes included in a Request packet | |||
MUST match in order for a Disconnect-Request or CoA-Request to be | MUST match in order for a Disconnect-Request or CoA-Request to be | |||
successful; otherwise a Disconnect-NAK or CoA-NAK SHOULD be sent. | successful; otherwise a Disconnect-NAK or CoA-NAK SHOULD be sent. | |||
For session identification attributes, the User-Name and Acct- | For session identification attributes, the User-Name and Acct- | |||
Session-Id Attributes, if included, MUST match in order for a | Session-Id Attributes, if included, MUST match in order for a | |||
skipping to change at page 11, line 4 | skipping to change at page 10, line 21 | |||
NAS-IPv6-Address 95 [RFC3162] The IPv6 address of the NAS. | NAS-IPv6-Address 95 [RFC3162] The IPv6 address of the NAS. | |||
Session identification attributes | Session identification attributes | |||
Attribute # Reference Description | Attribute # Reference Description | |||
--------- --- --------- ----------- | --------- --- --------- ----------- | |||
User-Name 1 [RFC2865] The name of the user | User-Name 1 [RFC2865] The name of the user | |||
associated with the session. | associated with the session. | |||
NAS-Port 5 [RFC2865] The port on which the | NAS-Port 5 [RFC2865] The port on which the | |||
session is terminated. | session is terminated. | |||
Attribute # Reference Description | ||||
--------- --- --------- ----------- | ||||
Called-Station-Id 30 [RFC2865] The link address to which | Called-Station-Id 30 [RFC2865] The link address to which | |||
the session is connected. | the session is connected. | |||
Calling-Station-Id 31 [RFC2865] The link address from which | Calling-Station-Id 31 [RFC2865] The link address from which | |||
the session is connected. | the session is connected. | |||
Acct-Session-Id 44 [RFC2866] The identifier uniquely | Acct-Session-Id 44 [RFC2866] The identifier uniquely | |||
identifying the session | identifying the session | |||
on the NAS. | on the NAS. | |||
Acct-Multi-Session-Id 50 [RFC2866] The identifier uniquely | Acct-Multi-Session-Id 50 [RFC2866] The identifier uniquely | |||
identifying related sessions. | identifying related sessions. | |||
NAS-Port-Id 87 [RFC2869] String identifying the port | NAS-Port-Id 87 [RFC2869] String identifying the port | |||
skipping to change at page 11, line 35 | skipping to change at page 10, line 49 | |||
User-Name or Chargeable-User-Identity attribute SHOULD be present in | User-Name or Chargeable-User-Identity attribute SHOULD be present in | |||
Disconnect-Request and CoA-Request packets. | Disconnect-Request and CoA-Request packets. | |||
Where a Diameter client utilizes the same Session-Id for both | Where a Diameter client utilizes the same Session-Id for both | |||
authorization and accounting, inclusion of an Acct-Session-Id | authorization and accounting, inclusion of an Acct-Session-Id | |||
Attribute in a Disconnect-Request or CoA-Request can assist with | Attribute in a Disconnect-Request or CoA-Request can assist with | |||
Diameter/RADIUS translation, since Diameter RAR and ASR commands | Diameter/RADIUS translation, since Diameter RAR and ASR commands | |||
include a Session-Id AVP. An Acct-Session-Id attribute SHOULD be | include a Session-Id AVP. An Acct-Session-Id attribute SHOULD be | |||
included in Disconnect-Request and CoA-Request packets. | included in Disconnect-Request and CoA-Request packets. | |||
Where the Acct-Session-Id or Acct-Multi-Session-Id attributes are not | Where the Acct-Session-Id Attribute is not present in a CoA-Request | |||
present in a CoA-Request or Disconnect-Request, it is possible that | or Disconnect-Request, it is possible that the User-Name or | |||
the User-Name or Chargeable-User-Identity attributes will not be | Chargeable-User-Identity attributes will not be sufficient to | |||
sufficient to uniquely identify the session (e.g. if the same user | uniquely identify the session (e.g. if the same user has multiple | |||
has multiple sessions on the NAS, or the privacy NAI is used). As a | sessions on the NAS, or the privacy NAI is used). As a result, one | |||
result, the Called-Station-Id, Calling-Station-Id, NAS-Port and NAS- | or more of the Acct-Multi-Session-Id, Called-Station-Id, Calling- | |||
Port-Id attributes MAY be used as additional session identification. | Station-Id, NAS-Port and NAS-Port-Id attributes MAY be used as | |||
additional session identification. | ||||
To address security concerns described in Section 6.2, one or more of | To address security concerns described in Section 6.2, one or more of | |||
the NAS-IP-Address or NAS-IPv6-Address Attributes SHOULD be present | the NAS-IP-Address or NAS-IPv6-Address Attributes SHOULD be present | |||
in Disconnect-Request and CoA-Request packets; the NAS-Identifier | in Disconnect-Request and CoA-Request packets; the NAS-Identifier | |||
Attribute MAY be present. | Attribute MAY be present. | |||
If one or more authorization changes specified in a CoA-Request | ||||
cannot be carried out, or if one or more attributes or attribute- | ||||
values is unsupported, a CoA-NAK MUST be sent. Similarly, if there | ||||
are one or more unsupported attributes or attribute values in a | ||||
Disconnect-Request, a Disconnect-NAK MUST be sent. | ||||
A Disconnect-Request MUST contain only NAS and session identification | A Disconnect-Request MUST contain only NAS and session identification | |||
attributes (see Section 3). If other attributes are included in a | attributes. If other attributes are included in a Disconnect- | |||
Disconnect-Request, implementations MUST send a Disconnect-NAK; an | Request, implementations MUST send a Disconnect-NAK; an Error-Cause | |||
Error-Cause Attribute with value "Unsupported Attribute" MAY be | Attribute with value "Unsupported Attribute" MAY be included. | |||
included. | ||||
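As an added example (not text from the draft), the following Python sketch of a NAS-side handler applies the rules stated above: every NAS identification attribute present must match this NAS, the session identification attributes must select one session, a Disconnect-Request may carry only identification attributes, and a CoA-Request is validated in full before anything is changed, so that a CoA-NAK never leaves a partial authorization change behind. Packet codes, attribute numbers and Error-Cause values are those of RFC 2865 and this draft; the Nas class, the two sample sessions, the simplified NAS-Filter-Rule syntax check and the treatment of an ambiguous session match (refused with 404 Invalid Request, a choice the draft leaves to the implementation) are the example's own.

```python
"""NAS-side handling of Disconnect-Request and CoA-Request (added example).
Codes, attribute types and Error-Cause values are from RFC 2865 and this draft;
the Nas class and its sample sessions are constructed for illustration."""
from typing import Callable, Dict, List, Optional, Set, Tuple

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42   # Section 2.3
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

USER_NAME, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE, FILTER_ID = 1, 4, 5, 6, 11
CALLED_STATION_ID, CALLING_STATION_ID, NAS_IDENTIFIER = 30, 31, 32
ACCT_SESSION_ID, ACCT_MULTI_SESSION_ID = 44, 50
NAS_PORT_ID, NAS_FILTER_RULE, NAS_IPV6_ADDRESS = 87, 92, 95

UNSUPPORTED_ATTRIBUTE, NAS_IDENTIFICATION_MISMATCH = 401, 403        # Section 3.5
INVALID_REQUEST, UNSUPPORTED_SERVICE, INVALID_ATTRIBUTE_VALUE = 404, 405, 407
SESSION_CONTEXT_NOT_FOUND = 503

NAS_ID_ATTRS = {NAS_IP_ADDRESS, NAS_IPV6_ADDRESS, NAS_IDENTIFIER}
SESSION_ID_ATTRS = {USER_NAME, NAS_PORT, CALLED_STATION_ID, CALLING_STATION_ID,
                    ACCT_SESSION_ID, ACCT_MULTI_SESSION_ID, NAS_PORT_ID}

Attrs = List[Tuple[int, object]]
Session = Dict[int, object]


def filter_rule_ok(rule: object) -> bool:
    """Minimal syntax check for a NAS-Filter-Rule value ("permit in ip from any to any")."""
    words = str(rule).split()
    return len(words) >= 2 and words[0] in ("permit", "deny") and words[1] in ("in", "out")


class Nas:
    def __init__(self, identity: Session, sessions: List[Session], filter_lists: Set[str]):
        self.identity = identity          # our values for the NAS identification attributes
        self.sessions = sessions          # live sessions as {attribute type: value}
        # Authorization attributes this NAS can change via CoA, each with a value check.
        self.authz: Dict[int, Callable[[object], bool]] = {
            FILTER_ID: lambda v: v in filter_lists,
            NAS_FILTER_RULE: filter_rule_ok,
        }

    def find_session(self, attrs: Attrs) -> Tuple[Optional[Session], Optional[int]]:
        keys = [(t, v) for t, v in attrs if t in SESSION_ID_ATTRS]
        hits = [s for s in self.sessions if keys and all(s.get(t) == v for t, v in keys)]
        if len(hits) == 1:
            return hits[0], None
        # Several sessions match (e.g. User-Name alone, Section 3): this example refuses
        # with Invalid Request rather than guess; the draft leaves the choice open.
        return None, INVALID_REQUEST if hits else SESSION_CONTEXT_NOT_FOUND

    def handle(self, code: int, attrs: Attrs) -> Tuple[int, Optional[int]]:
        """Return (response code, Error-Cause value or None)."""
        nak = DISCONNECT_NAK if code == DISCONNECT_REQUEST else COA_NAK
        for t, v in attrs:                # every NAS identification attribute present must match
            if t in NAS_ID_ATTRS and self.identity.get(t) != v:
                return nak, NAS_IDENTIFICATION_MISMATCH
        session, err = self.find_session(attrs)
        if session is None:
            return nak, err
        others = [(t, v) for t, v in attrs if t not in NAS_ID_ATTRS | SESSION_ID_ATTRS]
        if code == DISCONNECT_REQUEST:
            if others:                    # only identification attributes are allowed
                return nak, UNSUPPORTED_ATTRIBUTE
            self.sessions.remove(session)
            return DISCONNECT_ACK, None
        changes = []                      # CoA: all attributes are mandatory, so check everything first
        for t, v in others:
            if t == SERVICE_TYPE:         # this NAS implements no Service-Type value in CoA
                return nak, UNSUPPORTED_SERVICE
            if t not in self.authz:
                return nak, UNSUPPORTED_ATTRIBUTE
            if not self.authz[t](v):
                return nak, INVALID_ATTRIBUTE_VALUE
            changes.append((t, v))
        session.update(changes)           # ... and only then apply, atomically
        return COA_ACK, None


def demo_nas() -> Nas:
    """Constructed NAS with two sessions for the same user."""
    return Nas(identity={NAS_IP_ADDRESS: "192.0.2.1", NAS_IDENTIFIER: "nas-1"},
               sessions=[{USER_NAME: "alice", ACCT_SESSION_ID: "0000A001", NAS_PORT: 1, FILTER_ID: "default"},
                         {USER_NAME: "alice", ACCT_SESSION_ID: "0000A002", NAS_PORT: 2, FILTER_ID: "default"}],
               filter_lists={"default", "quarantine"})


if __name__ == "__main__":
    nas = demo_nas()
    ident = [(NAS_IP_ADDRESS, "192.0.2.1"), (USER_NAME, "alice"), (ACCT_SESSION_ID, "0000A001")]
    print(nas.handle(COA_REQUEST, ident + [(FILTER_ID, "quarantine")]))              # (44, None)
    print(nas.handle(COA_REQUEST, ident + [(FILTER_ID, "default"), (99, "x")]))     # (45, 401), no change made
    print(nas.handle(DISCONNECT_REQUEST, [(USER_NAME, "alice")]))                    # (42, 404) ambiguous
    print(nas.handle(DISCONNECT_REQUEST, ident))                                     # (41, None)
```

The second CoA-Request in the demo is the atomicity case: Filter-ID "default" is acceptable on its own, but the unsupported attribute 99 makes the whole request fail, and the session keeps the "quarantine" filter applied by the first request.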
3.1. Authorize Only | 3.1. Proxy State | |||
 | If there are any Proxy-State attributes in a Disconnect-Request or | |||
 | CoA-Request received from the server, the forwarding proxy or NAS | |||
 | MUST include those Proxy-State attributes in its response to the | |||
 | server. | |||
 | A forwarding proxy or NAS MUST NOT modify existing Proxy-State, | |||
 | State, or Class attributes present in the packet. The forwarding | |||
 | proxy or NAS MUST treat any Proxy-State attributes already in the | |||
 | packet as opaque data. Its operation MUST NOT depend on the content | |||
 | of Proxy-State attributes added by previous proxies. The forwarding | |||
 | proxy MUST NOT modify any other Proxy-State attributes that were in | |||
 | the packet; it may choose not to forward them, but it MUST NOT change | |||
 | their contents. If the forwarding proxy omits the Proxy-State | |||
 | attributes in the request, it MUST attach them to the response before | |||
 | sending it. | |||
 | When the proxy forwards a Disconnect or CoA-Request, it MAY add a | |||
 | Proxy-State Attribute, but it MUST NOT add more than one. If a | |||
 | Proxy-State Attribute is added to a packet when forwarding the | |||
 | packet, the Proxy-State Attribute MUST be added after any existing | |||
 | Proxy-State attributes. The forwarding proxy MUST NOT change the | |||
 | order of any attributes of the same type, including Proxy-State. | |||
 | Other attributes can be placed before, after or even between the | |||
 | Proxy-State attributes. | |||
 | When the proxy receives a response to a CoA-Request or Disconnect- | |||
 | Request, it MUST remove its own Proxy-State (the last Proxy-State in | |||
 | the packet) Attribute before forwarding the response. Since | |||
 | Disconnect and CoA responses are authenticated on the entire packet | |||
 | contents, the stripping of the Proxy-State Attribute invalidates the | |||
 | integrity check - so the proxy needs to recompute it. | |||
 | 3.2. Authorize Only | |||
Support for a CoA-Request including a Service-Type Attribute with | Support for a CoA-Request including a Service-Type Attribute with | |||
value "Authorize Only" is OPTIONAL on the NAS and RADIUS server. A | value "Authorize Only" is OPTIONAL on the NAS and RADIUS server. A | |||
Service-Type Attribute MUST NOT be included within a Disconnect- | Service-Type Attribute MUST NOT be included within a Disconnect- | |||
Request. | Request. | |||
A NAS MUST respond to a CoA-Request including a Service-Type | A NAS MUST respond to a CoA-Request including a Service-Type | |||
Attribute with value "Authorize Only" with a CoA-NAK; a CoA-ACK MUST | Attribute with value "Authorize Only" with a CoA-NAK; a CoA-ACK MUST | |||
NOT be sent. If the NAS does not support a Service-Type value of | NOT be sent. If the NAS does not support a Service-Type value of | |||
"Authorize Only" then it MUST respond with a CoA-NAK; an Error-Cause | "Authorize Only" then it MUST respond with a CoA-NAK; an Error-Cause | |||
skipping to change at page 12, line 48 | skipping to change at page 12, line 42 | |||
CoA-Request, as well as the session identification attributes from | CoA-Request, as well as the session identification attributes from | |||
the CoA-Request legal for inclusion in an Access-Request as specified | the CoA-Request legal for inclusion in an Access-Request as specified | |||
in [RFC2865], [RFC2868], [RFC2869] and [RFC3162]. As noted in | in [RFC2865], [RFC2868], [RFC2869] and [RFC3162]. As noted in | |||
[RFC2869] Section 5.19, a Message-Authenticator attribute SHOULD be | [RFC2869] Section 5.19, a Message-Authenticator attribute SHOULD be | |||
included in an Access-Request that does not contain a User-Password, | included in an Access-Request that does not contain a User-Password, | |||
CHAP-Password, ARAP-Password or EAP-Message Attribute. The RADIUS | CHAP-Password, ARAP-Password or EAP-Message Attribute. The RADIUS | |||
server then will respond to the Access-Request with an Access-Accept | server then will respond to the Access-Request with an Access-Accept | |||
to (re-)authorize the session or an Access-Reject to refuse to | to (re-)authorize the session or an Access-Reject to refuse to | |||
(re-)authorize it. | (re-)authorize it. | |||
3.2. State | 3.3. State | |||
The State Attribute is available to be sent by the RADIUS server to | The State Attribute is available to be sent by the RADIUS server to | |||
the NAS in a CoA-Request packet and MUST be sent unmodified from the | the NAS in a CoA-Request packet and MUST be sent unmodified from the | |||
NAS to the RADIUS server in a subsequent ACK or NAK packet. | NAS to the RADIUS server in a subsequent ACK or NAK packet. | |||
[RFC2865] Section 5.44 states: | [RFC2865] Section 5.44 states: | |||
An Access-Request MUST contain either a User-Password or a CHAP- | An Access-Request MUST contain either a User-Password or a CHAP- | |||
Password or State. An Access-Request MUST NOT contain both a | Password or State. An Access-Request MUST NOT contain both a | |||
User-Password and a CHAP-Password. If future extensions allow | User-Password and a CHAP-Password. If future extensions allow | |||
skipping to change at page 13, line 37 | skipping to change at page 13, line 31 | |||
The State Attribute is also available to be sent by the RADIUS server | The State Attribute is also available to be sent by the RADIUS server | |||
to the NAS in a CoA-Request that also includes a Termination-Action | to the NAS in a CoA-Request that also includes a Termination-Action | |||
Attribute with the value of RADIUS-Request. If the client performs | Attribute with the value of RADIUS-Request. If the client performs | |||
the Termination-Action by sending a new Access-Request upon | the Termination-Action by sending a new Access-Request upon | |||
termination of the current session, it MUST include the State | termination of the current session, it MUST include the State | |||
Attribute unchanged in that Access-Request. In either usage, the | Attribute unchanged in that Access-Request. In either usage, the | |||
client MUST NOT interpret the Attribute locally. A CoA-Request | client MUST NOT interpret the Attribute locally. A CoA-Request | |||
packet must have only zero or one State Attribute. Usage of the | packet must have only zero or one State Attribute. Usage of the | |||
State Attribute is implementation dependent. | State Attribute is implementation dependent. | |||
3.3. Message-Authenticator | 3.4. Message-Authenticator | |||
The Message-Authenticator Attribute MAY be used to authenticate and | The Message-Authenticator Attribute MAY be used to authenticate and | |||
integrity-protect CoA-Request, CoA-ACK, CoA-NAK, Disconnect-Request, | integrity-protect CoA-Request, CoA-ACK, CoA-NAK, Disconnect-Request, | |||
Disconnect-ACK and Disconnect-NAK packets in order to prevent spoofing. | Disconnect-ACK and Disconnect-NAK packets in order to prevent spoofing. | |||
A RADIUS client receiving a CoA-Request or Disconnect-Request with a | A RADIUS client receiving a CoA-Request or Disconnect-Request with a | |||
Message-Authenticator Attribute present MUST calculate the correct | Message-Authenticator Attribute present MUST calculate the correct | |||
value of the Message-Authenticator and silently discard the packet if | value of the Message-Authenticator and silently discard the packet if | |||
it does not match the value sent. A RADIUS server receiving a | it does not match the value sent. A RADIUS server receiving a | |||
CoA/Disconnect-ACK or CoA/Disconnect-NAK with a Message-Authenticator | CoA/Disconnect-ACK or CoA/Disconnect-NAK with a Message-Authenticator | |||
skipping to change at page 14, line 29 | skipping to change at page 14, line 24 | |||
Message-Authenticator = HMAC-MD5 (Type, Identifier, Length, | Message-Authenticator = HMAC-MD5 (Type, Identifier, Length, | |||
Request Authenticator, Attributes) | Request Authenticator, Attributes) | |||
When the HMAC-MD5 message integrity check is calculated the | When the HMAC-MD5 message integrity check is calculated the | |||
Message-Authenticator Attribute should be considered to be sixteen | Message-Authenticator Attribute should be considered to be sixteen | |||
octets of zero. The Request Authenticator is taken from the | octets of zero. The Request Authenticator is taken from the | |||
corresponding CoA/Disconnect-Request. The Message-Authenticator | corresponding CoA/Disconnect-Request. The Message-Authenticator | |||
is calculated and inserted in the packet before the Response | is calculated and inserted in the packet before the Response | |||
Authenticator is calculated. | Authenticator is calculated. | |||
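The Proxy-State rules of Section 3.1 and the Message-Authenticator rules of this section fit together in the following Python round trip, added here as an example rather than taken from the draft: a proxy appends exactly one Proxy-State to a CoA-Request and recomputes the Request Authenticator under the NAS-side secret; the NAS echoes the Proxy-State in a CoA-ACK protected by a Message-Authenticator and a Response Authenticator; the proxy verifies that ACK, strips its own (last) Proxy-State and recomputes both checks under the server-side secret and the server's original Request Authenticator before forwarding. The Request Authenticator formula is the one from Section 2.3 of the draft (elided on this page) and RFC 2865; the requests in this example carry no Message-Authenticator, so the request-side HMAC is not shown. Secrets, identifiers and attribute values are constructed for the example.

```python
"""Message-Authenticator, Response Authenticator and Proxy-State handling for
CoA/Disconnect packets (added example; wire layout and MD5/HMAC-MD5 formulas follow
RFC 2865, RFC 2869 and this draft; secrets and sample values are constructed)."""
import hashlib, hmac, struct

COA_REQUEST, COA_ACK = 43, 44
USER_NAME, FILTER_ID, PROXY_STATE, ACCT_SESSION_ID, MESSAGE_AUTHENTICATOR = 1, 11, 33, 44, 80
HEADER, ZERO16 = struct.Struct("!BBH16s"), bytes(16)   # Code, Identifier, Length, Authenticator


def encode_attrs(attrs):
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)   # Type, Length, Value


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def assemble(code, ident, auth, attrs):
    body = encode_attrs(attrs)
    return HEADER.pack(code, ident, HEADER.size + len(body), auth) + body


def parse(packet):
    code, ident, length, auth = HEADER.unpack_from(packet)
    if length != len(packet):
        raise ValueError("bad length")
    return code, ident, auth, decode_attrs(packet[HEADER.size:])


def request_authenticator(code, ident, attrs, secret):
    """Section 2.3: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    return hashlib.md5(assemble(code, ident, ZERO16, attrs) + secret).digest()


def response_authenticator(code, ident, attrs, req_auth, secret):
    """RFC 2865: MD5(Code + Identifier + Length + Request Authenticator + attributes + secret)."""
    return hashlib.md5(assemble(code, ident, req_auth, attrs) + secret).digest()


def message_authenticator(code, ident, attrs, req_auth, secret):
    """Section 3.4: HMAC-MD5 over the packet with the Message-Authenticator value taken as zeros."""
    zeroed = [(t, ZERO16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    return hmac.new(secret, assemble(code, ident, req_auth, zeroed), hashlib.md5).digest()


def build_response(code, ident, attrs, req_auth, secret):
    """Insert the Message-Authenticator first, then compute the Response Authenticator over it."""
    attrs = [a for a in attrs if a[0] != MESSAGE_AUTHENTICATOR] + [(MESSAGE_AUTHENTICATOR, ZERO16)]
    attrs[-1] = (MESSAGE_AUTHENTICATOR, message_authenticator(code, ident, attrs, req_auth, secret))
    return assemble(code, ident, response_authenticator(code, ident, attrs, req_auth, secret), attrs)


def verify_response(packet, req_auth, secret):
    """(code, ident, attrs) for a good ACK/NAK, None when it must be silently discarded."""
    try:
        code, ident, auth, attrs = parse(packet)
    except (ValueError, struct.error):
        return None
    if not hmac.compare_digest(auth, response_authenticator(code, ident, attrs, req_auth, secret)):
        return None
    ma = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if ma and not hmac.compare_digest(ma[0], message_authenticator(code, ident, attrs, req_auth, secret)):
        return None
    return code, ident, attrs


def proxy_forward_request(packet, secret_in, secret_out, own_state):
    """Server -> NAS: check the Request Authenticator, append exactly one Proxy-State last."""
    try:
        code, ident, auth, attrs = parse(packet)
    except (ValueError, struct.error):
        return None
    if not hmac.compare_digest(auth, request_authenticator(code, ident, attrs, secret_in)):
        return None
    attrs = attrs + [(PROXY_STATE, own_state)]   # earlier Proxy-States stay opaque and in order
    return assemble(code, ident, request_authenticator(code, ident, attrs, secret_out), attrs)


def proxy_forward_response(packet, req_auth_out, secret_out, req_auth_in, secret_in):
    """NAS -> server: strip our own (last) Proxy-State, then recompute both integrity checks."""
    checked = verify_response(packet, req_auth_out, secret_out)
    if checked is None:
        return None
    code, ident, attrs = checked
    mine = [i for i, (t, _) in enumerate(attrs) if t == PROXY_STATE]
    if not mine:
        return None                               # the NAS failed to echo our Proxy-State
    del attrs[mine[-1]]
    return build_response(code, ident, attrs, req_auth_in, secret_in)


def demo():
    """Server -> proxy -> NAS -> proxy -> server round trip with constructed secrets."""
    s_in, s_out = b"server-to-proxy-secret", b"proxy-to-nas-secret"
    attrs = [(USER_NAME, b"alice"), (ACCT_SESSION_ID, b"0000A001"), (FILTER_ID, b"quarantine")]
    ra_in = request_authenticator(COA_REQUEST, 7, attrs, s_in)
    fwd = proxy_forward_request(assemble(COA_REQUEST, 7, ra_in, attrs), s_in, s_out, b"proxy-1:7")
    _, ident, ra_out, nas_attrs = parse(fwd)
    # The NAS echoes every Proxy-State it received, unmodified, in its CoA-ACK.
    ack = build_response(COA_ACK, ident, [a for a in nas_attrs if a[0] == PROXY_STATE], ra_out, s_out)
    back = proxy_forward_response(ack, ra_out, s_out, ra_in, s_in)
    return verify_response(back, ra_in, s_in), verify_response(ack, ra_in, s_in)
```

demo() returns the server's view of both packets: the re-signed response passes, while the NAS's original ACK, still carrying the proxy's Proxy-State and signed under the proxy-to-NAS secret, fails the Response Authenticator check and would be silently discarded. The comparisons use hmac.compare_digest so that a forged response cannot be tuned byte by byte against the verification time.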
3.4. Error-Cause | 3.5. Error-Cause | |||
Description | Description | |||
It is possible that the NAS cannot honor Disconnect-Request or | It is possible that the NAS cannot honor Disconnect-Request or | |||
CoA-Request packets for some reason. The Error-Cause Attribute | CoA-Request packets for some reason. The Error-Cause Attribute | |||
provides more detail on the cause of the problem. It MAY be | provides more detail on the cause of the problem. It MAY be | |||
included within Disconnect-NAK and CoA-NAK packets. | included within Disconnect-NAK and CoA-NAK packets. | |||
A summary of the Error-Cause Attribute format is shown below. The | A summary of the Error-Cause Attribute format is shown below. The | |||
fields are transmitted from left to right. | fields are transmitted from left to right. | |||
skipping to change at page 15, line 34 | skipping to change at page 15, line 30 | |||
# Value | # Value | |||
--- ----- | --- ----- | |||
201 Residual Session Context Removed | 201 Residual Session Context Removed | |||
202 Invalid EAP Packet (Ignored) | 202 Invalid EAP Packet (Ignored) | |||
401 Unsupported Attribute | 401 Unsupported Attribute | |||
402 Missing Attribute | 402 Missing Attribute | |||
403 NAS Identification Mismatch | 403 NAS Identification Mismatch | |||
404 Invalid Request | 404 Invalid Request | |||
405 Unsupported Service | 405 Unsupported Service | |||
406 Unsupported Extension | 406 Unsupported Extension | |||
 | 407 Invalid Attribute Value | |||
501 Administratively Prohibited | 501 Administratively Prohibited | |||
502 Request Not Routable (Proxy) | 502 Request Not Routable (Proxy) | |||
503 Session Context Not Found | 503 Session Context Not Found | |||
504 Session Context Not Removable | 504 Session Context Not Removable | |||
505 Other Proxy Processing Error | 505 Other Proxy Processing Error | |||
506 Resources Unavailable | 506 Resources Unavailable | |||
507 Request Initiated | 507 Request Initiated | |||
"Residual Session Context Removed" is sent in response to a | "Residual Session Context Removed" is sent in response to a | |||
Disconnect-Request if the user session is no longer active, but | Disconnect-Request if the user session is no longer active, but | |||
skipping to change at page 16, line 30 | skipping to change at page 16, line 28 | |||
Attribute included with the Request is sent with an invalid or | Attribute included with the Request is sent with an invalid or | |||
unsupported value. This error cannot be sent in response to a | unsupported value. This error cannot be sent in response to a | |||
Disconnect-Request. | Disconnect-Request. | |||
"Unsupported Extension" is a fatal error sent due to lack of | "Unsupported Extension" is a fatal error sent due to lack of | |||
support for an extension such as Disconnect and/or CoA packets. | support for an extension such as Disconnect and/or CoA packets. | |||
This will typically be sent by a proxy receiving an ICMP port | This will typically be sent by a proxy receiving an ICMP port | |||
unreachable message after attempting to forward a Request to the | unreachable message after attempting to forward a Request to the | |||
NAS. | NAS. | |||
"Unsupported Attribute Value" is a fatal error sent if a Request | ||||
contains an attribute with an unsupported value. | ||||
"Administratively Prohibited" is a fatal error sent if the NAS is | "Administratively Prohibited" is a fatal error sent if the NAS is | |||
configured to prohibit honoring of Request packets for the | configured to prohibit honoring of Request packets for the | |||
specified session. | specified session. | |||
"Request Not Routable" is a fatal error which MAY be sent by a | "Request Not Routable" is a fatal error which MAY be sent by a | |||
RADIUS proxy and MUST NOT be sent by a NAS. It indicates that the | RADIUS proxy and MUST NOT be sent by a NAS. It indicates that the | |||
RADIUS proxy was unable to determine how to route the Request to | RADIUS proxy was unable to determine how to route the Request to | |||
the NAS. For example, this can occur if the required entries are | the NAS. For example, this can occur if the required entries are | |||
not present in the proxy's realm routing table. | not present in the proxy's realm routing table. | |||
skipping to change at page 17, line 16 | skipping to change at page 17, line 16 | |||
not be honored due to lack of available NAS resources (memory, | not be honored due to lack of available NAS resources (memory, | |||
non- volatile storage, etc.). | non- volatile storage, etc.). | |||
"Request Initiated" is a fatal error sent in response to a CoA- | "Request Initiated" is a fatal error sent in response to a CoA- | |||
Request including a Service-Type Attribute with a value of | Request including a Service-Type Attribute with a value of | |||
"Authorize Only". It indicates that the CoA-Request has not been | "Authorize Only". It indicates that the CoA-Request has not been | |||
honored, but that a RADIUS Access-Request including a Service-Type | honored, but that a RADIUS Access-Request including a Service-Type | |||
Attribute with value "Authorize Only" is being sent to the RADIUS | Attribute with value "Authorize Only" is being sent to the RADIUS | |||
server. | server. | |||
3.5. Table of Attributes | 3.6. Table of Attributes | |||
The following table provides a guide to which attributes may be found | The following table provides a guide to which attributes may be found | |||
in which packets, and in what quantity. | in which packets, and in what quantity. | |||
Change-of-Authorization Messages | Change-of-Authorization Messages | |||
Request ACK NAK # Attribute | Request ACK NAK # Attribute | |||
0-1 0 0 1 User-Name [Note 1] | 0-1 0 0 1 User-Name [Note 1] | |||
0-1 0 0 4 NAS-IP-Address [Note 1] | 0-1 0 0 4 NAS-IP-Address [Note 1] | |||
0-1 0 0 5 NAS-Port [Note 1] | 0-1 0 0 5 NAS-Port [Note 1] | |||
skipping to change at page 22, line 20 | skipping to change at page 22, line 20 | |||
Removed | Removed | |||
202 Invalid EAP Packet DIAMETER_LIMITED_SUCCESS | 202 Invalid EAP Packet DIAMETER_LIMITED_SUCCESS | |||
(Ignored) | (Ignored) | |||
401 Unsupported Attribute DIAMETER_AVP_UNSUPPORTED | 401 Unsupported Attribute DIAMETER_AVP_UNSUPPORTED | |||
402 Missing Attribute DIAMETER_MISSING_AVP | 402 Missing Attribute DIAMETER_MISSING_AVP | |||
403 NAS Identification DIAMETER_REALM_NOT_SERVED | 403 NAS Identification DIAMETER_REALM_NOT_SERVED | |||
Mismatch | Mismatch | |||
404 Invalid Request DIAMETER_UNABLE_TO_COMPLY | 404 Invalid Request DIAMETER_UNABLE_TO_COMPLY | |||
405 Unsupported Service DIAMETER_COMMAND_UNSUPPORTED | 405 Unsupported Service DIAMETER_COMMAND_UNSUPPORTED | |||
406 Unsupported Extension DIAMETER_APPLICATION_UNSUPPORTED | 406 Unsupported Extension DIAMETER_APPLICATION_UNSUPPORTED | |||
407 Invalid Attribute Value DIAMETER_INVALID_AVP_VALUE | ||||
501 Administratively DIAMETER_AUTHORIZATION_REJECTED | 501 Administratively DIAMETER_AUTHORIZATION_REJECTED | |||
Prohibited | Prohibited | |||
502 Request Not Routable (Proxy) DIAMETER_UNABLE_TO_DELIVER | 502 Request Not Routable (Proxy) DIAMETER_UNABLE_TO_DELIVER | |||
503 Session Context Not Found DIAMETER_UNKNOWN_SESSION_ID | 503 Session Context Not Found DIAMETER_UNKNOWN_SESSION_ID | |||
504 Session Context Not DIAMETER_AUTHORIZATION_REJECTED | 504 Session Context Not DIAMETER_AUTHORIZATION_REJECTED | |||
Removable | Removable | |||
505 Other Proxy Processing DIAMETER_UNABLE_TO_COMPLY | 505 Other Proxy Processing DIAMETER_UNABLE_TO_COMPLY | |||
Error | Error | |||
506 Resources Unavailable DIAMETER_RESOURCES_EXCEEDED | 506 Resources Unavailable DIAMETER_RESOURCES_EXCEEDED | |||
507 Request Initiated DIAMETER_SUCCESS | 507 Request Initiated DIAMETER_SUCCESS | |||
Since both the ASR/ASA and Disconnect-Request/Disconnect- | Since both the ASR/ASA and Disconnect-Request/Disconnect- | |||
NAK/Disconnect-ACK exchanges involve just a request and response, | NAK/Disconnect-ACK exchanges involve just a request and response, | |||
inclusion of an "Authorize Only" Service-Type within a Disconnect- | inclusion of an "Authorize Only" Service-Type within a Disconnect- | |||
Request is not needed to assist in Diameter/RADIUS translation, and | Request is not needed to assist in Diameter/RADIUS translation, and | |||
may make translation more difficult. As a result, the Service-Type | may make translation more difficult. As a result, the Service-Type | |||
Attribute MUST NOT be used within a Disconnect-Request. | Attribute MUST NOT be used within a Disconnect-Request. | |||
5. IANA Considerations | 5. IANA Considerations | |||
This specification contains no actions for IANA. All protocol | This document uses the RADIUS [RFC2865] namespace, see | |||
parameters required for this document were previously approved as | <http://www.iana.org/assignments/radius-types>. In addition to the | |||
part of the publication of [RFC3576]. | allocations already made in [RFC3576], this specification requests | |||
allocation of an additional value of the Error-Cause Attribute (101): | ||||
# Value | ||||
--- ----- | ||||
407 Invalid Attribute Value | ||||
6. Security Considerations | 6. Security Considerations | |||
6.1. Authorization Issues | 6.1. Authorization Issues | |||
Where a NAS is shared by multiple providers, it is undesirable for | Where a NAS is shared by multiple providers, it is undesirable for | |||
one provider to be able to send Disconnect-Request or CoA-Requests | one provider to be able to send Disconnect-Request or CoA-Requests | |||
affecting the sessions of another provider. | affecting the sessions of another provider. | |||
A NAS or RADIUS proxy MUST silently discard Disconnect-Request or | A NAS or RADIUS proxy MUST silently discard Disconnect-Request or | |||
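Review bot: the -06 IANA section rightly replaces the -05 "no actions for IANA" text now that 407 is allocated, but it should point back at the Error-Cause value table in Section 3.5 rather than only listing the number, so the registry entry carries the same name and semantics as the definition. On the security side, since Error-Cause MAY be carried in Disconnect-NAK and CoA-NAK, the silent-discard rule that 6.1 begins here has to be applied before any NAK is generated: a sender the NAS is not willing to honor must get no reply at all, otherwise 401/402/407 NAKs let it probe which attributes and values the NAS accepts for another provider's sessions.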
skipping to change at page 30, line 5 | skipping to change at page 30, line 11 | |||
[RFC4372] Adrangi, F., Lior, A., Korhonen, J. and J. Loughney, | [RFC4372] Adrangi, F., Lior, A., Korhonen, J. and J. Loughney, | |||
"Chargeable User Identity", RFC 4372, January 2006. | "Chargeable User Identity", RFC 4372, January 2006. | |||
[RFC4675] Congdon, P., Sanchez, M. and B. Aboba, "RADIUS Attributes for | [RFC4675] Congdon, P., Sanchez, M. and B. Aboba, "RADIUS Attributes for | |||
Virtual LAN and Priority Support", RFC 4675, September 2006. | Virtual LAN and Priority Support", RFC 4675, September 2006. | |||
[RFC4818] Salowey, J. and R. Droms, "RADIUS Delegated-IPv6-Prefix | [RFC4818] Salowey, J. and R. Droms, "RADIUS Delegated-IPv6-Prefix | |||
Attribute", RFC 4818, April 2007. | Attribute", RFC 4818, April 2007. | |||
[RFCFilter] | [RFC4849] Congdon, P., Sanchez, M. and B. Aboba, "RADIUS Filter Rule | |||
Congdon, P., Sanchez, M. and B. Aboba, "RADIUS Filter Rule | Attribute", RFC 4849, April 2007. | |||
Attribute", draft-ietf-radext-filter-08.txt, Internet draft | ||||
(work in progress), January 2007. | ||||
[MD5Attack] | [MD5Attack] | |||
Dobbertin, H., "The Status of MD5 After a Recent Attack", | Dobbertin, H., "The Status of MD5 After a Recent Attack", | |||
CryptoBytes Vol.2 No.2, Summer 1996. | CryptoBytes Vol.2 No.2, Summer 1996. | |||
Acknowledgments | Acknowledgments | |||
This protocol was first developed and distributed by Ascend | This protocol was first developed and distributed by Ascend | |||
Communications. Example code was distributed in their free server | Communications. Example code was distributed in their free server | |||
kit. | kit. | |||
skipping to change at page 32, line 11 | skipping to change at page 32, line 11 | |||
EMail: bernarda@microsoft.com | EMail: bernarda@microsoft.com | |||
Phone: +1 425 706 6605 | Phone: +1 425 706 6605 | |||
Fax: +1 425 936 7329 | Fax: +1 425 936 7329 | |||
Appendix A - Changes from RFC 3576 | Appendix A - Changes from RFC 3576 | |||
This Appendix lists the major changes between [RFC3576] and this | This Appendix lists the major changes between [RFC3576] and this | |||
document. Minor changes, including style, grammar, spelling, and | document. Minor changes, including style, grammar, spelling, and | |||
editorial changes are not mentioned here. | editorial changes are not mentioned here. | |||
o Added details relating to handling of the Proxy-State Attribute. | o Added requirement for duplicate detection on the RADIUS client | |||
Added requirement for duplicate detection on the RADIUS client | ||||
(Section 2.3). | (Section 2.3). | |||
o Added Chargeable-User-Identity as a session identification | o Added Chargeable-User-Identity as a session identification | |||
attribute. Removed Framed-IP-Address, Framed-IPv6-Prefix, Framed- | attribute. Removed Framed-IP-Address, Framed-IPv6-Prefix, Framed- | |||
Interface-Id and NAS-Port-Type attributes as session identification | Interface-Id and NAS-Port-Type attributes as session identification | |||
attributes (Section 3). | attributes (Section 3). | |||
o Added details relating to handling of the Proxy-State Attribute | ||||
(Section 3.1). | ||||
o Added statement that support for "Authorize Only" Service-Type is | ||||
optional (Section 3.2). | ||||
o Added requirements for inclusion of the State Attribute in CoA- | o Added requirements for inclusion of the State Attribute in CoA- | |||
Request packets with a Service-Type of "Authorize Only" (Section | Request packets with a Service-Type of "Authorize Only" (Section | |||
3.2). | 3.3). | |||
o Added clarification on the calculation of the Message-Authenticator | o Added clarification on the calculation of the Message-Authenticator | |||
Attribute (Section 3.3). | Attribute (Section 3.4). | |||
o Added statement that support for "Authorize Only" Service-Type is | o An additional Error-Cause Attribute value (407) is allocated for | |||
optional (Section 3.5). | Invalid Attribute Value (Sections 3.5, 4). | |||
o Updated CoA-Request Attribute Table to include Filter-Rule, | o Updated CoA-Request Attribute Table to include Filter-Rule, | |||
Delegated-IPv6-Prefix, Egress-VLANID, Ingress-Filters, Egress-VLAN- | Delegated-IPv6-Prefix, Egress-VLANID, Ingress-Filters, Egress-VLAN- | |||
Name and User-Priority attributes (Section 3.5). | Name and User-Priority attributes (Section 3.6). | |||
o Added the Chargeable-User-Identity Attribute to both the CoA- | o Added the Chargeable-User-Identity Attribute to both the CoA- | |||
Request and Disconnect-Request Attribute table (Section 3.5). | Request and Disconnect-Request Attribute table (Section 3.6). | |||
o Added note on the use of the CoA-Request for renumbering (Section | o Added note on the use of the CoA-Request for renumbering (Section | |||
3.5). | 3.6). | |||
o Use of Service-Type and Error-Cause attributes within a Disconnect- | o Use of Service-Type Attribute within a Disconnect-Request is | |||
Request is prohibited (Sections 3.5). | prohibited (Sections 3.2, 3.6, 4). | |||
o Added Diameter Considerations (Section 4). | o Added Diameter Considerations (Section 4). | |||
o Changed the text to indicate that the Event-Timestamp Attribute | o Changed the text to indicate that the Event-Timestamp Attribute | |||
should not be recalculated on retransmission. The implications for | should not be recalculated on retransmission. The implications for | |||
replay and duplicate detection are discussed (Section 6.4). | replay and duplicate detection are discussed (Section 6.4). | |||
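Review bot: the new Appendix entry for value 407 cites Sections 3.5 and 4 but not Section 5, where the allocation is actually requested; add it. The Disconnect-Request entry has been narrowed from "Service-Type and Error-Cause" (-05) to Service-Type alone, which matches the MUST NOT in Section 4, but Error-Cause is then excluded from Disconnect-Request only by the Section 3.6 attribute table (elided in this diff); check that the table's Disconnect-Request column for Error-Cause still reads 0. The renumbered references (3.3, 3.4, 3.6) are consistent with the 3.5 to 3.6 heading change shown earlier.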
Full Copyright Statement | Full Copyright Statement | |||
Copyright (C) The IETF Trust (2007). | Copyright (C) The IETF Trust (2007). | |||
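Putting the Error-Cause values of Section 3.5 and the Diameter mapping of Section 4 to work, as an added example that is not part of the draft or of any implementation it cites: the block below authenticates a Disconnect-NAK or CoA-NAK against the request it answers, extracts Error-Cause (Attribute 101), maps it onto the Diameter Result-Code name from the Section 4 table, and flags the per-value rules the text states (502 MUST NOT be sent by a NAS; 405 and 507 are CoA-only). The packet codes 40-45 and the Response Authenticator construction are taken from RFC 3576 Sections 2.1-2.3, which this diff elides; the shared secret, identifier and request authenticator are constructed for the example.

```python
"""Added example, not code from the draft: authenticate a NAK and interpret its
Error-Cause Attribute (101) using the Section 3.5 / Section 4 tables of -06."""
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42   # RFC 3576 Section 2.1
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45                        # RFC 3576 Section 2.2
ATTR_SERVICE_TYPE = 6      # RFC 2865
ATTR_ERROR_CAUSE = 101     # Section 5 of the draft
RADIUS_HEADER = 20         # Code(1) + Identifier(1) + Length(2) + Authenticator(16)

# Section 3.5 value -> (name, Section 4 Diameter Result-Code), draft -06 including 407.
ERROR_CAUSE = {
    201: ("Residual Session Context Removed", "DIAMETER_LIMITED_SUCCESS"),
    202: ("Invalid EAP Packet (Ignored)", "DIAMETER_LIMITED_SUCCESS"),
    401: ("Unsupported Attribute", "DIAMETER_AVP_UNSUPPORTED"),
    402: ("Missing Attribute", "DIAMETER_MISSING_AVP"),
    403: ("NAS Identification Mismatch", "DIAMETER_REALM_NOT_SERVED"),
    404: ("Invalid Request", "DIAMETER_UNABLE_TO_COMPLY"),
    405: ("Unsupported Service", "DIAMETER_COMMAND_UNSUPPORTED"),
    406: ("Unsupported Extension", "DIAMETER_APPLICATION_UNSUPPORTED"),
    407: ("Invalid Attribute Value", "DIAMETER_INVALID_AVP_VALUE"),
    501: ("Administratively Prohibited", "DIAMETER_AUTHORIZATION_REJECTED"),
    502: ("Request Not Routable (Proxy)", "DIAMETER_UNABLE_TO_DELIVER"),
    503: ("Session Context Not Found", "DIAMETER_UNKNOWN_SESSION_ID"),
    504: ("Session Context Not Removable", "DIAMETER_AUTHORIZATION_REJECTED"),
    505: ("Other Proxy Processing Error", "DIAMETER_UNABLE_TO_COMPLY"),
    506: ("Resources Unavailable", "DIAMETER_RESOURCES_EXCEEDED"),
    507: ("Request Initiated", "DIAMETER_SUCCESS"),
}

SECRET = b"example-shared-secret"   # constructed for the example
REQUEST_AUTH = bytes(range(16))      # constructed stand-in for the request's Authenticator


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs; Length covers Type+Length+Value."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)


def parse_attrs(data):
    """Walk the TLV list, rejecting the length tricks a malformed packet can carry."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def response_authenticator(code, ident, length, request_auth, attr_bytes, secret):
    """RFC 3576 Section 2.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length)
                       + request_auth + attr_bytes + secret).digest()


def build_response(code, ident, request_auth, attrs, secret):
    """Build an ACK/NAK whose authenticator is bound to the request it answers."""
    body = encode_attrs(attrs)
    length = RADIUS_HEADER + len(body)
    auth = response_authenticator(code, ident, length, request_auth, body, secret)
    return struct.pack("!BBH", code, ident, length) + auth + body


def disconnect_request_ok(attrs):
    """Section 4: the Service-Type Attribute MUST NOT be used within a Disconnect-Request."""
    return all(t != ATTR_SERVICE_TYPE for t, _ in attrs)


def classify_nak(packet, request_auth, secret, from_proxy=False):
    """Verify a NAK against the outstanding request, then return
    (code, error_cause, name, diameter_result, problems).  Raises ValueError on
    a bad authenticator or malformed packet so the caller silently discards it."""
    if len(packet) < RADIUS_HEADER:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field %d does not match %d bytes received" % (length, len(packet)))
    body = packet[RADIUS_HEADER:]
    expected = response_authenticator(code, ident, length, request_auth, body, secret)
    # Constant-time compare: a forged NAK must be dropped before any field is trusted.
    if not hmac.compare_digest(packet[4:RADIUS_HEADER], expected):
        raise ValueError("Response Authenticator mismatch; silently discard")
    if code not in (DISCONNECT_NAK, COA_NAK):
        raise ValueError("code %d is not a Disconnect-NAK or CoA-NAK" % code)
    causes = [v for t, v in parse_attrs(body) if t == ATTR_ERROR_CAUSE]
    if not causes:                       # Error-Cause is optional (MAY) in a NAK
        return code, None, None, None, []
    if len(causes) != 1 or len(causes[0]) != 4:
        raise ValueError("Error-Cause must appear once as a 4-octet integer")
    value = struct.unpack("!I", causes[0])[0]
    name, diameter = ERROR_CAUSE.get(value, ("unassigned Error-Cause value", None))
    problems = []
    if value == 502 and not from_proxy:  # Section 3.5: 502 MUST NOT be sent by a NAS
        problems.append("502 Request Not Routable received from a NAS")
    if code == DISCONNECT_NAK and value in (405, 507):  # both defined for CoA only
        problems.append("%d cannot be sent in response to a Disconnect-Request" % value)
    return code, value, name, diameter, problems


def demo():
    """A CoA-NAK carrying the new 407 value, answered against REQUEST_AUTH."""
    nak = build_response(COA_NAK, 7, REQUEST_AUTH,
                         [(ATTR_ERROR_CAUSE, struct.pack("!I", 407))], SECRET)
    return classify_nak(nak, REQUEST_AUTH, SECRET)


if __name__ == "__main__":
    print(demo())
```

The authenticator check comes first on purpose: every later branch (including the "unassigned value" fallback) only runs on a packet proven to answer a request this client sent with this secret, which is the property the silent-discard language in Section 6.1 relies on.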