draft-ietf-radext-rfc3576bis-05.txt   draft-ietf-radext-rfc3576bis-06.txt 
Network Working Group Murtaza S. Chiba Network Working Group Murtaza S. Chiba
INTERNET-DRAFT Gopal Dommety INTERNET-DRAFT Gopal Dommety
Obsoletes: 3576 Mark Eklund Obsoletes: 3576 Mark Eklund
Category: Informational Cisco Systems, Inc. Category: Informational Cisco Systems, Inc.
<draft-ietf-radext-rfc3576bis-05.txt> David Mitton <draft-ietf-radext-rfc3576bis-06.txt> David Mitton
22 May 2007 RSA Security, Inc. 23 May 2007 RSA Security, Inc.
Bernard Aboba Bernard Aboba
Microsoft Corporation Microsoft Corporation
Dynamic Authorization Extensions to Remote Authentication Dial In User Dynamic Authorization Extensions to Remote Authentication Dial In User
Service (RADIUS) Service (RADIUS)
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
skipping to change at page 2, line 15
Table of Contents Table of Contents
1. Introduction .......................................... 3 1. Introduction .......................................... 3
1.1 Applicability ................................... 3 1.1 Applicability ................................... 3
1.2 Requirements Language ........................... 4 1.2 Requirements Language ........................... 4
1.3 Terminology ..................................... 4 1.3 Terminology ..................................... 4
2. Overview ............................................. 5 2. Overview ............................................. 5
2.1 Disconnect Messages (DM) ........................ 5 2.1 Disconnect Messages (DM) ........................ 5
2.2 Change-of-Authorization Messages (CoA) .......... 5 2.2 Change-of-Authorization Messages (CoA) .......... 5
2.3 Packet Format ................................... 6 2.3 Packet Format ................................... 6
3. Attributes ............................................ 10 3. Attributes ............................................ 9
3.1 Authorize Only .................................. 12 3.1 Proxy State ..................................... 11
3.2 State ........................................... 12 3.2 Authorize Only .................................. 12
3.3 Message-Authenticator ........................... 13 3.3 State ........................................... 12
3.4 Error-Cause ..................................... 14 3.4 Message-Authenticator ........................... 13
3.5 Table of Attributes ............................. 17 3.5 Error-Cause ..................................... 14
3.6 Table of Attributes ............................. 17
4. Diameter Considerations ............................... 20 4. Diameter Considerations ............................... 20
5. IANA Considerations ................................... 22 5. IANA Considerations ................................... 22
6. Security Considerations ............................... 22 6. Security Considerations ............................... 23
6.1 Authorization Issues ............................ 22 6.1 Authorization Issues ............................ 23
6.2 Impersonation ................................... 23 6.2 Impersonation ................................... 23
6.3 IPsec Usage Guidelines .......................... 24 6.3 IPsec Usage Guidelines .......................... 24
6.4 Replay Protection ............................... 27 6.4 Replay Protection ............................... 27
7. Example Traces ........................................ 28 7. Example Traces ........................................ 28
8. References ............................................ 28 8. References ............................................ 28
8.1 Normative References ............................ 28 8.1 Normative References ............................ 28
8.2 Informative References .......................... 29 8.2 Informative References .......................... 29
ACKNOWLEDGMENTS .............................................. 30 ACKNOWLEDGMENTS .............................................. 30
AUTHORS' ADDRESSES ........................................... 31 AUTHORS' ADDRESSES ........................................... 31
Appendix A - Changes from RFC 3576 ........................... 32 Appendix A - Changes from RFC 3576 ........................... 32
skipping to change at page 5, line 50
in Section 2.3), are the same as that for Disconnect-Request packets. in Section 2.3), are the same as that for Disconnect-Request packets.
The following attributes MAY be sent in a CoA-Request: The following attributes MAY be sent in a CoA-Request:
Filter-ID (11) - Indicates the name of a data filter list Filter-ID (11) - Indicates the name of a data filter list
to be applied for the session that the to be applied for the session that the
identification attributes map to. identification attributes map to.
NAS-Filter-Rule (92) - Provides a filter list to be applied NAS-Filter-Rule (92) - Provides a filter list to be applied
for the session that the identification for the session that the identification
attributes map to [RFCFilter]. attributes map to [RFC4849].
+----------+ CoA-Request +----------+ +----------+ CoA-Request +----------+
| | <-------------------- | | | | <-------------------- | |
| NAS | | RADIUS | | NAS | | RADIUS |
| | CoA-Response | Server | | | CoA-Response | Server |
| | ---------------------> | | | | ---------------------> | |
+----------+ +----------+ +----------+ +----------+
The NAS responds to a CoA-Request sent by a RADIUS server with a CoA- The NAS responds to a CoA-Request sent by a RADIUS server with a CoA-
ACK if the NAS is able to successfully change the authorizations for ACK if the NAS is able to successfully change the authorizations for
the user session, or a CoA-NAK if the Request is unsuccessful. A NAS the user session, or a CoA-NAK if the Request is unsuccessful. A NAS
MUST respond to a CoA-Request including a Service-Type Attribute with MUST respond to a CoA-Request including a Service-Type Attribute with
an unsupported value with a CoA-NAK; an Error-Cause Attribute with an unsupported value with a CoA-NAK; an Error-Cause Attribute with
value "Unsupported Service" MAY be included. value "Unsupported Service" SHOULD be included.
2.3. Packet Format 2.3. Packet Format
For either Disconnect-Request or CoA-Request packets UDP port 3799 is For either Disconnect-Request or CoA-Request packets UDP port 3799 is
used as the destination port. For responses, the source and used as the destination port. For responses, the source and
destination ports are reversed. Exactly one RADIUS packet is destination ports are reversed. Exactly one RADIUS packet is
encapsulated in the UDP Data field. encapsulated in the UDP Data field.
A summary of the data format is shown below. The fields are A summary of the data format is shown below. The fields are
transmitted from left to right. transmitted from left to right.
skipping to change at page 8, line 47
Administrative note: As noted in [RFC2865] Section 3, the secret Administrative note: As noted in [RFC2865] Section 3, the secret
(password shared between the client and the RADIUS server) SHOULD (password shared between the client and the RADIUS server) SHOULD
be at least as large and unguessable as a well-chosen password. be at least as large and unguessable as a well-chosen password.
RADIUS clients MUST use the source IP address of the RADIUS UDP RADIUS clients MUST use the source IP address of the RADIUS UDP
packet to decide which shared secret to use, so that requests can packet to decide which shared secret to use, so that requests can
be proxied. be proxied.
Attributes Attributes
draft-ietf-radext-rfc3576bis-05.txt:
In Disconnect and CoA-Request packets, all Attributes are treated
as mandatory. A NAS MUST respond to a CoA-Request containing one
or more unsupported Attributes or Attribute values with a CoA-NAK;
a Disconnect-Request containing one or more unsupported Attributes
or Attribute values MUST be answered with a Disconnect-NAK. State
changes resulting from a CoA-Request MUST be atomic: if the
Request is successful, a CoA-ACK is sent, and all requested
authorization changes MUST be made. If the CoA-Request is
unsuccessful, a CoA-NAK MUST be sent, and the requested
authorization changes MUST NOT be made. Similarly, a state change
MUST NOT occur as a result of an unsuccessful Disconnect-Request;
here a Disconnect-NAK MUST be sent.

Within this specification attributes may be used for
identification, authorization or other purposes. RADIUS Attribute
specifications created after publication of this document SHOULD
state whether an Attribute can be included in CoA or Disconnect
messages and if so, which messages it may be included in and
whether it serves as an identification or authorization attribute.

draft-ietf-radext-rfc3576bis-06.txt:
In Disconnect and CoA-Request packets, all Attributes are treated
as mandatory. If one or more authorization changes specified in a
CoA-Request cannot be carried out, the NAS MUST send a CoA-NAK. A
NAS MUST respond to a CoA-Request containing one or more
unsupported Attributes or Attribute values with a CoA-NAK; an
Error-Cause Attribute with value 401 (Unsupported Attribute) or
407 (Invalid Attribute Value) MAY be included. A NAS MUST respond
to a Disconnect-Request containing one or more unsupported
Attributes or Attribute values with a Disconnect-NAK; an Error-
Cause Attribute with value 401 (Unsupported Attribute) or 407
(Invalid Attribute Value) MAY be included.

State changes resulting from a CoA-Request MUST be atomic: if the
Request is successful, a CoA-ACK MUST be sent in reply, and all
requested authorization changes MUST be made. If the CoA-Request
is unsuccessful, a CoA-NAK MUST be sent in reply, and the
requested authorization changes MUST NOT be made. Similarly, a
state change MUST NOT occur as a result of an unsuccessful
Disconnect-Request; a Disconnect-NAK MUST be sent in reply.

Within this specification attributes can be used for
identification, authorization or other purposes. RADIUS Attribute
specifications created after publication of this document SHOULD
state whether an attribute can be included in CoA or Disconnect
messages and if so, which messages it can be included in and
whether it serves as an identification or authorization attribute.
Even if a NAS implements an attribute for use with RADIUS Even if a NAS implements an attribute for use with RADIUS
authentication and accounting, it is possible that it will not authentication and accounting, it is possible that it will not
support inclusion of that attribute within Disconnect-Request or support inclusion of that attribute within Disconnect-Request or
CoA-Request packets, given the difference in attribute semantics. CoA-Request packets, given the difference in attribute semantics.
This is true even for attributes specified as allowable within This is true even for attributes specified as allowable within
Access-Accept packets (such as those defined within [RFC2865], Access-Accept packets (such as those defined within [RFC2865],
[RFC2868], [RFC2869], [RFC3162], [RFC3579], [RFC4372], [RFC4675], [RFC2868], [RFC2869], [RFC3162], [RFC3579], [RFC4372], [RFC4675],
[RFC4818] and [RFCFilter]). [RFC4818] and [RFC4849]).

draft-ietf-radext-rfc3576bis-05.txt only (this and the Proxy-State
text that follows it moved to Section 3.1 in -06):
If unsupported attributes are included within a Disconnect/CoA-Request
packet, the RADIUS client will send a Disconnect-NAK/CoA-NAK in
response, possibly containing an Error-Cause attribute with value
Unsupported Attribute (401).
If there are any Proxy-State Attributes in a Disconnect-Request or
CoA-Request received from the server, the forwarding proxy or NAS
MUST include those Proxy-State Attributes in its response to the
server.
A forwarding proxy or NAS MUST NOT modify existing Proxy-State,
State, or Class Attributes present in the packet. The forwarding
proxy or NAS MUST treat any Proxy-State attributes already in the
packet as opaque data. Its operation MUST NOT depend on the
content of Proxy-State attributes added by previous proxies. The
forwarding proxy MUST NOT modify any other Proxy-State Attributes
that were in the packet; it may choose not to forward them, but it
MUST NOT change their contents. If the forwarding proxy omits the
Proxy-State Attributes in the request, it MUST attach them to the
response before sending it.
When the proxy forwards a Disconnect or CoA-Request, it MAY add a
Proxy-State Attribute, but it MUST NOT add more than one. If a
Proxy-State Attribute is added to a packet when forwarding the
packet, the Proxy-State Attribute MUST be added after any existing
Proxy-State attributes. The forwarding proxy MUST NOT change the
order of any attributes of the same type, including Proxy-State.
Other Attributes can be placed before, after or even between the
Proxy-State Attributes.
When the proxy receives a response to a CoA-Request or Disconnect-
Request, it MUST remove its own Proxy-State (the last Proxy-State
in the packet) before forwarding the response. Since Disconnect
and CoA responses are authenticated on the entire packet contents,
the stripping of the Proxy-State Attribute invalidates the
integrity check, so the proxy needs to recompute it.
3. Attributes 3. Attributes
In Disconnect-Request and CoA-Request packets, certain attributes are In Disconnect-Request and CoA-Request packets, certain attributes are
used to uniquely identify the NAS as well as a user session on the used to uniquely identify the NAS as well as a user session on the
NAS. All NAS identification attributes included in a Request packet NAS. All NAS identification attributes included in a Request packet
MUST match in order for a Disconnect-Request or CoA-Request to be MUST match in order for a Disconnect-Request or CoA-Request to be
successful; otherwise a Disconnect-NAK or CoA-NAK SHOULD be sent. successful; otherwise a Disconnect-NAK or CoA-NAK SHOULD be sent.
For session identification attributes, the User-Name and Acct- For session identification attributes, the User-Name and Acct-
Session-Id Attributes, if included, MUST match in order for a Session-Id Attributes, if included, MUST match in order for a
skipping to change at page 11, line 4 (-05) / page 10, line 21 (-06)
NAS-IPv6-Address 95 [RFC3162] The IPv6 address of the NAS. NAS-IPv6-Address 95 [RFC3162] The IPv6 address of the NAS.
Session identification attributes Session identification attributes
Attribute # Reference Description Attribute # Reference Description
--------- --- --------- ----------- --------- --- --------- -----------
User-Name 1 [RFC2865] The name of the user User-Name 1 [RFC2865] The name of the user
associated with the session. associated with the session.
NAS-Port 5 [RFC2865] The port on which the NAS-Port 5 [RFC2865] The port on which the
session is terminated. session is terminated.
Attribute # Reference Description
--------- --- --------- -----------
Called-Station-Id 30 [RFC2865] The link address to which Called-Station-Id 30 [RFC2865] The link address to which
the session is connected. the session is connected.
Calling-Station-Id 31 [RFC2865] The link address from which Calling-Station-Id 31 [RFC2865] The link address from which
the session is connected. the session is connected.
Acct-Session-Id 44 [RFC2866] The identifier uniquely Acct-Session-Id 44 [RFC2866] The identifier uniquely
identifying the session identifying the session
on the NAS. on the NAS.
Acct-Multi-Session-Id 50 [RFC2866] The identifier uniquely Acct-Multi-Session-Id 50 [RFC2866] The identifier uniquely
identifying related sessions. identifying related sessions.
NAS-Port-Id 87 [RFC2869] String identifying the port NAS-Port-Id 87 [RFC2869] String identifying the port
skipping to change at page 11, line 35 (-05) / page 10, line 49 (-06)
User-Name or Chargeable-User-Identity attribute SHOULD be present in User-Name or Chargeable-User-Identity attribute SHOULD be present in
Disconnect-Request and CoA-Request packets. Disconnect-Request and CoA-Request packets.
Where a Diameter client utilizes the same Session-Id for both Where a Diameter client utilizes the same Session-Id for both
authorization and accounting, inclusion of an Acct-Session-Id authorization and accounting, inclusion of an Acct-Session-Id
Attribute in a Disconnect-Request or CoA-Request can assist with Attribute in a Disconnect-Request or CoA-Request can assist with
Diameter/RADIUS translation, since Diameter RAR and ASR commands Diameter/RADIUS translation, since Diameter RAR and ASR commands
include a Session-Id AVP. An Acct-Session-Id attribute SHOULD be include a Session-Id AVP. An Acct-Session-Id attribute SHOULD be
included in Disconnect-Request and CoA-Request packets. included in Disconnect-Request and CoA-Request packets.
draft-ietf-radext-rfc3576bis-05.txt:
Where the Acct-Session-Id or Acct-Multi-Session-Id attributes are not
present in a CoA-Request or Disconnect-Request, it is possible that
the User-Name or Chargeable-User-Identity attributes will not be
sufficient to uniquely identify the session (e.g. if the same user
has multiple sessions on the NAS, or the privacy NAI is used). As a
result, the Called-Station-Id, Calling-Station-Id, NAS-Port and NAS-
Port-Id attributes MAY be used as additional session identification.

draft-ietf-radext-rfc3576bis-06.txt:
Where the Acct-Session-Id Attribute is not present in a CoA-Request
or Disconnect-Request, it is possible that the User-Name or
Chargeable-User-Identity attributes will not be sufficient to
uniquely identify the session (e.g. if the same user has multiple
sessions on the NAS, or the privacy NAI is used). As a result, one
or more of the Acct-Multi-Session-Id, Called-Station-Id, Calling-
Station-Id, NAS-Port and NAS-Port-Id attributes MAY be used as
additional session identification.
To address security concerns described in Section 6.2, one or more of To address security concerns described in Section 6.2, one or more of
the NAS-IP-Address or NAS-IPv6-Address Attributes SHOULD be present the NAS-IP-Address or NAS-IPv6-Address Attributes SHOULD be present
in Disconnect-Request and CoA-Request packets; the NAS-Identifier in Disconnect-Request and CoA-Request packets; the NAS-Identifier
Attribute MAY be present. Attribute MAY be present.
draft-ietf-radext-rfc3576bis-05.txt:
If one or more authorization changes specified in a CoA-Request
cannot be carried out, or if one or more attributes or attribute-
values is unsupported, a CoA-NAK MUST be sent. Similarly, if there
are one or more unsupported attributes or attribute values in a
Disconnect-Request, a Disconnect-NAK MUST be sent.

A Disconnect-Request MUST contain only NAS and session identification
attributes (see Section 3). If other attributes are included in a
Disconnect-Request, implementations MUST send a Disconnect-NAK; an
Error-Cause Attribute with value "Unsupported Attribute" MAY be
included.

draft-ietf-radext-rfc3576bis-06.txt:
A Disconnect-Request MUST contain only NAS and session identification
attributes. If other attributes are included in a Disconnect-
Request, implementations MUST send a Disconnect-NAK; an Error-Cause
Attribute with value "Unsupported Attribute" MAY be included.
3.1. Authorize Only 3.1. Proxy State
If there are any Proxy-State attributes in a Disconnect-Request or
CoA-Request received from the server, the forwarding proxy or NAS
MUST include those Proxy-State attributes in its response to the
server.
A forwarding proxy or NAS MUST NOT modify existing Proxy-State,
State, or Class attributes present in the packet. The forwarding
proxy or NAS MUST treat any Proxy-State attributes already in the
packet as opaque data. Its operation MUST NOT depend on the content
of Proxy-State attributes added by previous proxies. The forwarding
proxy MUST NOT modify any other Proxy-State attributes that were in
the packet; it may choose not to forward them, but it MUST NOT change
their contents. If the forwarding proxy omits the Proxy-State
attributes in the request, it MUST attach them to the response before
sending it.
When the proxy forwards a Disconnect or CoA-Request, it MAY add a
Proxy-State Attribute, but it MUST NOT add more than one. If a
Proxy-State Attribute is added to a packet when forwarding the
packet, the Proxy-State Attribute MUST be added after any existing
Proxy-State attributes. The forwarding proxy MUST NOT change the
order of any attributes of the same type, including Proxy-State.
Other attributes can be placed before, after or even between the
Proxy-State attributes.
When the proxy receives a response to a CoA-Request or Disconnect-
Request, it MUST remove its own Proxy-State Attribute (the last
Proxy-State in the packet) before forwarding the response. Since
Disconnect and CoA responses are authenticated on the entire packet
contents, the stripping of the Proxy-State Attribute invalidates the
integrity check, so the proxy needs to recompute it.
3.2. Authorize Only
Support for a CoA-Request including a Service-Type Attribute with Support for a CoA-Request including a Service-Type Attribute with
value "Authorize Only" is OPTIONAL on the NAS and RADIUS server. A value "Authorize Only" is OPTIONAL on the NAS and RADIUS server. A
Service-Type Attribute MUST NOT be included within a Disconnect- Service-Type Attribute MUST NOT be included within a Disconnect-
Request. Request.
A NAS MUST respond to a CoA-Request including a Service-Type A NAS MUST respond to a CoA-Request including a Service-Type
Attribute with value "Authorize Only" with a CoA-NAK; a CoA-ACK MUST Attribute with value "Authorize Only" with a CoA-NAK; a CoA-ACK MUST
NOT be sent. If the NAS does not support a Service-Type value of NOT be sent. If the NAS does not support a Service-Type value of
"Authorize Only" then it MUST respond with a CoA-NAK; an Error-Cause "Authorize Only" then it MUST respond with a CoA-NAK; an Error-Cause
skipping to change at page 12, line 48 (-05) / page 12, line 42 (-06)
CoA-Request, as well as the session identification attributes from CoA-Request, as well as the session identification attributes from
the CoA-Request legal for inclusion in an Access-Request as specified the CoA-Request legal for inclusion in an Access-Request as specified
in [RFC2865], [RFC2868], [RFC2869] and [RFC3162]. As noted in in [RFC2865], [RFC2868], [RFC2869] and [RFC3162]. As noted in
[RFC2869] Section 5.19, a Message-Authenticator attribute SHOULD be [RFC2869] Section 5.19, a Message-Authenticator attribute SHOULD be
included in an Access-Request that does not contain a User-Password, included in an Access-Request that does not contain a User-Password,
CHAP-Password, ARAP-Password or EAP-Message Attribute. The RADIUS CHAP-Password, ARAP-Password or EAP-Message Attribute. The RADIUS
server then will respond to the Access-Request with an Access-Accept server then will respond to the Access-Request with an Access-Accept
to (re-)authorize the session or an Access-Reject to refuse to to (re-)authorize the session or an Access-Reject to refuse to
(re-)authorize it. (re-)authorize it.
3.2. State 3.3. State
The State Attribute is available to be sent by the RADIUS server to The State Attribute is available to be sent by the RADIUS server to
the NAS in a CoA-Request packet and MUST be sent unmodified from the the NAS in a CoA-Request packet and MUST be sent unmodified from the
NAS to the RADIUS server in a subsequent ACK or NAK packet. NAS to the RADIUS server in a subsequent ACK or NAK packet.
[RFC2865] Section 5.44 states: [RFC2865] Section 5.44 states:
An Access-Request MUST contain either a User-Password or a CHAP- An Access-Request MUST contain either a User-Password or a CHAP-
Password or State. An Access-Request MUST NOT contain both a Password or State. An Access-Request MUST NOT contain both a
User-Password and a CHAP-Password. If future extensions allow User-Password and a CHAP-Password. If future extensions allow
skipping to change at page 13, line 37 (-05) / page 13, line 31 (-06)
The State Attribute is also available to be sent by the RADIUS server The State Attribute is also available to be sent by the RADIUS server
to the NAS in a CoA-Request that also includes a Termination-Action to the NAS in a CoA-Request that also includes a Termination-Action
Attribute with the value of RADIUS-Request. If the client performs Attribute with the value of RADIUS-Request. If the client performs
the Termination-Action by sending a new Access-Request upon the Termination-Action by sending a new Access-Request upon
termination of the current session, it MUST include the State termination of the current session, it MUST include the State
Attribute unchanged in that Access-Request. In either usage, the Attribute unchanged in that Access-Request. In either usage, the
client MUST NOT interpret the Attribute locally. A CoA-Request client MUST NOT interpret the Attribute locally. A CoA-Request
packet must have only zero or one State Attribute. Usage of the packet must have only zero or one State Attribute. Usage of the
State Attribute is implementation dependent. State Attribute is implementation dependent.
3.3. Message-Authenticator 3.4. Message-Authenticator
The Message-Authenticator Attribute MAY be used to authenticate and The Message-Authenticator Attribute MAY be used to authenticate and
integrity-protect CoA-Request, CoA-ACK, CoA-NAK, Disconnect-Request, integrity-protect CoA-Request, CoA-ACK, CoA-NAK, Disconnect-Request,
Disconnect-ACK and Disconnect-NAK packets in order to prevent spoofing. Disconnect-ACK and Disconnect-NAK packets in order to prevent spoofing.
A RADIUS client receiving a CoA-Request or Disconnect-Request with a A RADIUS client receiving a CoA-Request or Disconnect-Request with a
Message-Authenticator Attribute present MUST calculate the correct Message-Authenticator Attribute present MUST calculate the correct
value of the Message-Authenticator and silently discard the packet if value of the Message-Authenticator and silently discard the packet if
it does not match the value sent. A RADIUS server receiving a it does not match the value sent. A RADIUS server receiving a
CoA/Disconnect-ACK or CoA/Disconnect-NAK with a Message-Authenticator CoA/Disconnect-ACK or CoA/Disconnect-NAK with a Message-Authenticator
skipping to change at page 14, line 29 (-05) / page 14, line 24 (-06)
Message-Authenticator = HMAC-MD5 (Type, Identifier, Length, Message-Authenticator = HMAC-MD5 (Type, Identifier, Length,
Request Authenticator, Attributes) Request Authenticator, Attributes)
When the HMAC-MD5 message integrity check is calculated the When the HMAC-MD5 message integrity check is calculated the
Message-Authenticator Attribute should be considered to be sixteen Message-Authenticator Attribute should be considered to be sixteen
octets of zero. The Request Authenticator is taken from the octets of zero. The Request Authenticator is taken from the
corresponding CoA/Disconnect-Request. The Message-Authenticator corresponding CoA/Disconnect-Request. The Message-Authenticator
is calculated and inserted in the packet before the Response is calculated and inserted in the packet before the Response
Authenticator is calculated. Authenticator is calculated.
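A byte-level illustration of the two authenticators just described, together with the proxy behaviour from the Proxy State section (3.1 in -06): append exactly one Proxy-State after any already present, strip only that one from the response, and recompute the Message-Authenticator and Response Authenticator because stripping invalidated them. This is an added example, not code from the draft or from any RADIUS implementation. It assumes the Request Authenticator rule of RFC 3576 Section 2.3 (MD5 over the packet with a zeroed authenticator field, followed by the shared secret), which the excerpt above elides; the helper names, the two shared secrets and the sample attribute values are constructed for the example.

```python
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK = 43, 44                 # packet codes (RFC 3576)
PROXY_STATE, MESSAGE_AUTHENTICATOR = 33, 80   # attribute types
HDR = struct.Struct("!BBH16s")                # Code, Identifier, Length, Authenticator
ZERO16 = b"\0" * 16

def encode(attrs):
    """[(type, value), ...] -> RADIUS TLV bytes (values of at most 253 octets)."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)

def decode(data):
    """TLV bytes -> [(type, value), ...]; rejects truncated or undersized TLVs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def _assemble(code, ident, auth, attrs, secret):
    """Append a zeroed Message-Authenticator, HMAC-MD5 the packet using `auth`
    as the authenticator field, fill the HMAC in; returns (length, body)."""
    attrs = [a for a in attrs if a[0] != MESSAGE_AUTHENTICATOR] + [(MESSAGE_AUTHENTICATOR, ZERO16)]
    length = HDR.size + len(encode(attrs))
    mac = hmac.new(secret, HDR.pack(code, ident, length, auth) + encode(attrs), hashlib.md5).digest()
    return length, encode(attrs[:-1] + [(MESSAGE_AUTHENTICATOR, mac)])

def build_request(code, ident, attrs, secret):
    """CoA/Disconnect-Request: HMAC with the authenticator field zeroed, then
    Request Authenticator = MD5(Code+ID+Length+16 zeros+Attributes+Secret)."""
    length, body = _assemble(code, ident, ZERO16, attrs, secret)
    req_auth = hashlib.md5(HDR.pack(code, ident, length, ZERO16) + body + secret).digest()
    return HDR.pack(code, ident, length, req_auth) + body

def build_response(code, ident, req_auth, attrs, secret):
    """ACK/NAK: HMAC over the request's Request Authenticator, then
    Response Authenticator = MD5(Code+ID+Length+ReqAuth+Attributes+Secret)."""
    length, body = _assemble(code, ident, req_auth, attrs, secret)
    resp_auth = hashlib.md5(HDR.pack(code, ident, length, req_auth) + body + secret).digest()
    return HDR.pack(code, ident, length, resp_auth) + body

def verify(pkt, secret, req_auth=None):
    """True if both authenticators check out. req_auth is None for a request, or
    the matching request's Request Authenticator for a response. A failing
    packet is silently discarded by the receiver, so this returns False."""
    if len(pkt) < HDR.size:
        return False
    code, ident, length, auth = HDR.unpack_from(pkt)
    body, ref = pkt[HDR.size:], (ZERO16 if req_auth is None else req_auth)
    expect = hashlib.md5(HDR.pack(code, ident, length, ref) + body + secret).digest()
    if length != len(pkt) or not hmac.compare_digest(expect, auth):
        return False
    try:
        attrs = decode(body)
    except ValueError:
        return False
    zeroed = [(t, ZERO16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    mac = hmac.new(secret, HDR.pack(code, ident, length, ref) + encode(zeroed), hashlib.md5).digest()
    given = dict(attrs).get(MESSAGE_AUTHENTICATOR)
    return given is not None and hmac.compare_digest(mac, given)

def proxy_forward_request(pkt, secret_server, secret_nas, own_state):
    """Server -> NAS leg: check the packet, append exactly one Proxy-State after
    any already present (other attributes untouched, order kept), and sign it
    for the NAS. Returns (packet_for_nas, req_auth_in, req_auth_out)."""
    if not verify(pkt, secret_server):
        raise ValueError("discard: bad authenticator")
    code, ident, _, req_auth_in = HDR.unpack_from(pkt)
    attrs = [a for a in decode(pkt[HDR.size:]) if a[0] != MESSAGE_AUTHENTICATOR]
    out = build_request(code, ident, attrs + [(PROXY_STATE, own_state)], secret_nas)
    return out, req_auth_in, out[4:20]

def proxy_forward_response(resp, secret_nas, secret_server, req_auth_in, req_auth_out):
    """NAS -> server leg: verify against the request we sent, drop only our own
    (last) Proxy-State, then recompute both authenticators with the server's
    secret and Request Authenticator, since stripping invalidated them."""
    if not verify(resp, secret_nas, req_auth_out):
        raise ValueError("discard: bad authenticator")
    code, ident, _, _ = HDR.unpack_from(resp)
    attrs = [a for a in decode(resp[HDR.size:]) if a[0] != MESSAGE_AUTHENTICATOR]
    del attrs[max(i for i, a in enumerate(attrs) if a[0] == PROXY_STATE)]
    return build_response(code, ident, req_auth_in, attrs, secret_server)

def demo():
    """Constructed run: server -> proxy -> NAS -> proxy -> server."""
    s_secret, n_secret = b"server-proxy-secret", b"proxy-nas-secret"  # constructed
    req = build_request(COA_REQUEST, 7, [(1, b"alice"), (44, b"sess-0001"),
                                         (PROXY_STATE, b"upstream")], s_secret)
    to_nas, ra_in, ra_out = proxy_forward_request(req, s_secret, n_secret, b"proxy-42")
    if not verify(to_nas, n_secret):
        raise ValueError("NAS would discard")
    # The NAS echoes every Proxy-State unchanged in its CoA-ACK.
    echoed = [a for a in decode(to_nas[HDR.size:]) if a[0] == PROXY_STATE]
    ack = build_response(COA_ACK, 7, ra_out, echoed, n_secret)
    to_server = proxy_forward_response(ack, n_secret, s_secret, ra_in, ra_out)
    return to_nas, to_server, ra_in
```

The proxy keeps the Identifier unchanged across both legs for brevity; a real proxy may renumber, but it must still remember which Request Authenticator it sent toward the NAS, because that value is the only key under which the NAS's response can be checked. The secret chosen on each leg is the one shared with the peer the packet is addressed to, matching the Administrative note above that the source IP address selects the shared secret.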
3.4. Error-Cause 3.5. Error-Cause
Description Description
It is possible that the NAS cannot honor Disconnect-Request or It is possible that the NAS cannot honor Disconnect-Request or
CoA-Request packets for some reason. The Error-Cause Attribute CoA-Request packets for some reason. The Error-Cause Attribute
provides more detail on the cause of the problem. It MAY be provides more detail on the cause of the problem. It MAY be
included within Disconnect-NAK and CoA-NAK packets. included within Disconnect-NAK and CoA-NAK packets.
A summary of the Error-Cause Attribute format is shown below. The A summary of the Error-Cause Attribute format is shown below. The
fields are transmitted from left to right. fields are transmitted from left to right.
skipping to change at page 15, line 34 (-05) / page 15, line 30 (-06)
# Value # Value
--- ----- --- -----
201 Residual Session Context Removed 201 Residual Session Context Removed
202 Invalid EAP Packet (Ignored) 202 Invalid EAP Packet (Ignored)
401 Unsupported Attribute 401 Unsupported Attribute
402 Missing Attribute 402 Missing Attribute
403 NAS Identification Mismatch 403 NAS Identification Mismatch
404 Invalid Request 404 Invalid Request
405 Unsupported Service 405 Unsupported Service
406 Unsupported Extension 406 Unsupported Extension
407 Invalid Attribute Value
501 Administratively Prohibited 501 Administratively Prohibited
502 Request Not Routable (Proxy) 502 Request Not Routable (Proxy)
503 Session Context Not Found 503 Session Context Not Found
504 Session Context Not Removable 504 Session Context Not Removable
505 Other Proxy Processing Error 505 Other Proxy Processing Error
506 Resources Unavailable 506 Resources Unavailable
507 Request Initiated 507 Request Initiated
"Residual Session Context Removed" is sent in response to a "Residual Session Context Removed" is sent in response to a
Disconnect-Request if the user session is no longer active, but Disconnect-Request if the user session is no longer active, but
skipping to change at page 16, line 30 (-05) / page 16, line 28 (-06)
Attribute included with the Request is sent with an invalid or Attribute included with the Request is sent with an invalid or
unsupported value. This error cannot be sent in response to a unsupported value. This error cannot be sent in response to a
Disconnect-Request. Disconnect-Request.
"Unsupported Extension" is a fatal error sent due to lack of "Unsupported Extension" is a fatal error sent due to lack of
support for an extension such as Disconnect and/or CoA packets. support for an extension such as Disconnect and/or CoA packets.
This will typically be sent by a proxy receiving an ICMP port This will typically be sent by a proxy receiving an ICMP port
unreachable message after attempting to forward a Request to the unreachable message after attempting to forward a Request to the
NAS. NAS.
"Unsupported Attribute Value" is a fatal error sent if a Request
contains an attribute with an unsupported value.
"Administratively Prohibited" is a fatal error sent if the NAS is "Administratively Prohibited" is a fatal error sent if the NAS is
configured to prohibit honoring of Request packets for the configured to prohibit honoring of Request packets for the
specified session. specified session.
"Request Not Routable" is a fatal error which MAY be sent by a "Request Not Routable" is a fatal error which MAY be sent by a
RADIUS proxy and MUST NOT be sent by a NAS. It indicates that the RADIUS proxy and MUST NOT be sent by a NAS. It indicates that the
RADIUS proxy was unable to determine how to route the Request to RADIUS proxy was unable to determine how to route the Request to
the NAS. For example, this can occur if the required entries are the NAS. For example, this can occur if the required entries are
not present in the proxy's realm routing table. not present in the proxy's realm routing table.
skipping to change at page 17, line 16
not be honored due to lack of available NAS resources (memory, not be honored due to lack of available NAS resources (memory,
non-volatile storage, etc.). non-volatile storage, etc.).
"Request Initiated" is a fatal error sent in response to a CoA- "Request Initiated" is a fatal error sent in response to a CoA-
Request including a Service-Type Attribute with a value of Request including a Service-Type Attribute with a value of
"Authorize Only". It indicates that the CoA-Request has not been "Authorize Only". It indicates that the CoA-Request has not been
honored, but that a RADIUS Access-Request including a Service-Type honored, but that a RADIUS Access-Request including a Service-Type
Attribute with value "Authorize Only" is being sent to the RADIUS Attribute with value "Authorize Only" is being sent to the RADIUS
server. server.
3.5. Table of Attributes 3.6. Table of Attributes
The following table provides a guide to which attributes may be found The following table provides a guide to which attributes may be found
in which packets, and in what quantity. in which packets, and in what quantity.
Change-of-Authorization Messages Change-of-Authorization Messages
Request ACK NAK # Attribute Request ACK NAK # Attribute
0-1 0 0 1 User-Name [Note 1] 0-1 0 0 1 User-Name [Note 1]
0-1 0 0 4 NAS-IP-Address [Note 1] 0-1 0 0 4 NAS-IP-Address [Note 1]
0-1 0 0 5 NAS-Port [Note 1] 0-1 0 0 5 NAS-Port [Note 1]
skipping to change at page 22, line 20 skipping to change at page 22, line 20
Removed Removed
202 Invalid EAP Packet DIAMETER_LIMITED_SUCCESS 202 Invalid EAP Packet DIAMETER_LIMITED_SUCCESS
(Ignored) (Ignored)
401 Unsupported Attribute DIAMETER_AVP_UNSUPPORTED 401 Unsupported Attribute DIAMETER_AVP_UNSUPPORTED
402 Missing Attribute DIAMETER_MISSING_AVP 402 Missing Attribute DIAMETER_MISSING_AVP
403 NAS Identification DIAMETER_REALM_NOT_SERVED 403 NAS Identification DIAMETER_REALM_NOT_SERVED
Mismatch Mismatch
404 Invalid Request DIAMETER_UNABLE_TO_COMPLY 404 Invalid Request DIAMETER_UNABLE_TO_COMPLY
405 Unsupported Service DIAMETER_COMMAND_UNSUPPORTED 405 Unsupported Service DIAMETER_COMMAND_UNSUPPORTED
406 Unsupported Extension DIAMETER_APPLICATION_UNSUPPORTED 406 Unsupported Extension DIAMETER_APPLICATION_UNSUPPORTED
407 Invalid Attribute Value DIAMETER_INVALID_AVP_VALUE
501 Administratively DIAMETER_AUTHORIZATION_REJECTED 501 Administratively DIAMETER_AUTHORIZATION_REJECTED
Prohibited Prohibited
502 Request Not Routable (Proxy) DIAMETER_UNABLE_TO_DELIVER 502 Request Not Routable (Proxy) DIAMETER_UNABLE_TO_DELIVER
503 Session Context Not Found DIAMETER_UNKNOWN_SESSION_ID 503 Session Context Not Found DIAMETER_UNKNOWN_SESSION_ID
504 Session Context Not DIAMETER_AUTHORIZATION_REJECTED 504 Session Context Not DIAMETER_AUTHORIZATION_REJECTED
Removable Removable
505 Other Proxy Processing DIAMETER_UNABLE_TO_COMPLY 505 Other Proxy Processing DIAMETER_UNABLE_TO_COMPLY
Error Error
506 Resources Unavailable DIAMETER_RESOURCES_EXCEEDED 506 Resources Unavailable DIAMETER_RESOURCES_EXCEEDED
507 Request Initiated DIAMETER_SUCCESS 507 Request Initiated DIAMETER_SUCCESS
Since both the ASR/ASA and Disconnect-Request/Disconnect- Since both the ASR/ASA and Disconnect-Request/Disconnect-
NAK/Disconnect-ACK exchanges involve just a request and response, NAK/Disconnect-ACK exchanges involve just a request and response,
inclusion of an "Authorize Only" Service-Type within a Disconnect- inclusion of an "Authorize Only" Service-Type within a Disconnect-
Request is not needed to assist in Diameter/RADIUS translation, and Request is not needed to assist in Diameter/RADIUS translation, and
may make translation more difficult. As a result, the Service-Type may make translation more difficult. As a result, the Service-Type
Attribute MUST NOT be used within a Disconnect-Request. Attribute MUST NOT be used within a Disconnect-Request.
5. IANA Considerations 5. IANA Considerations
This specification contains no actions for IANA. All protocol This document uses the RADIUS [RFC2865] namespace, see
parameters required for this document were previously approved as <http://www.iana.org/assignments/radius-types>. In addition to the
part of the publication of [RFC3576]. allocations already made in [RFC3576], this specification requests
allocation of an additional value of the Error-Cause Attribute (101):
# Value
--- -----
407 Invalid Attribute Value
6. Security Considerations 6. Security Considerations
6.1. Authorization Issues 6.1. Authorization Issues
Where a NAS is shared by multiple providers, it is undesirable for Where a NAS is shared by multiple providers, it is undesirable for
one provider to be able to send Disconnect-Request or CoA-Requests one provider to be able to send Disconnect-Request or CoA-Requests
affecting the sessions of another provider. affecting the sessions of another provider.
A NAS or RADIUS proxy MUST silently discard Disconnect-Request or A NAS or RADIUS proxy MUST silently discard Disconnect-Request or
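Review bot: the IANA Considerations text now requests value 407 of the Error-Cause Attribute (101) and the table maps it to DIAMETER_INVALID_AVP_VALUE, but nothing in this hunk says how a CoA or Disconnect client that predates this allocation should treat an Error-Cause value it does not recognize; since a NAK carrying 407 can reach such a client, add a sentence (here or beside the table) on handling unknown Error-Cause values, for example treating them as fatal as the 4xx placement implies. The old IANA text ("no actions for IANA") is correctly replaced, but the new text should also name the registry entry it is extending rather than only the URL.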
skipping to change at page 30, line 5 skipping to change at page 30, line 11
[RFC4372] Adrangi, F., Lior, A., Korhonen, J. and J. Loughney, [RFC4372] Adrangi, F., Lior, A., Korhonen, J. and J. Loughney,
"Chargeable User Identity", RFC 4372, January 2006. "Chargeable User Identity", RFC 4372, January 2006.
[RFC4675] Congdon, P., Sanchez, M. and B. Aboba, "RADIUS Attributes for [RFC4675] Congdon, P., Sanchez, M. and B. Aboba, "RADIUS Attributes for
Virtual LAN and Priority Support", RFC 4675, September 2006. Virtual LAN and Priority Support", RFC 4675, September 2006.
[RFC4818] Salowey, J. and R. Droms, "RADIUS Delegated-IPv6-Prefix [RFC4818] Salowey, J. and R. Droms, "RADIUS Delegated-IPv6-Prefix
Attribute", RFC 4818, April 2007. Attribute", RFC 4818, April 2007.
[RFCFilter] [RFC4849] Congdon, P., Sanchez, M. and B. Aboba, "RADIUS Filter Rule
Congdon, P., Sanchez, M. and B. Aboba, "RADIUS Filter Rule Attribute", RFC 4849, April 2007.
Attribute", draft-ietf-radext-filter-08.txt, Internet draft
(work in progress), January 2007.
[MD5Attack] [MD5Attack]
Dobbertin, H., "The Status of MD5 After a Recent Attack", Dobbertin, H., "The Status of MD5 After a Recent Attack",
CryptoBytes Vol.2 No.2, Summer 1996. CryptoBytes Vol.2 No.2, Summer 1996.
Acknowledgments Acknowledgments
This protocol was first developed and distributed by Ascend This protocol was first developed and distributed by Ascend
Communications. Example code was distributed in their free server Communications. Example code was distributed in their free server
kit. kit.
skipping to change at page 32, line 11 skipping to change at page 32, line 11
EMail: bernarda@microsoft.com EMail: bernarda@microsoft.com
Phone: +1 425 706 6605 Phone: +1 425 706 6605
Fax: +1 425 936 7329 Fax: +1 425 936 7329
Appendix A - Changes from RFC 3576 Appendix A - Changes from RFC 3576
This Appendix lists the major changes between [RFC3576] and this This Appendix lists the major changes between [RFC3576] and this
document. Minor changes, including style, grammar, spelling, and document. Minor changes, including style, grammar, spelling, and
editorial changes are not mentioned here. editorial changes are not mentioned here.
o Added details relating to handling of the Proxy-State Attribute. o Added requirement for duplicate detection on the RADIUS client
Added requirement for duplicate detection on the RADIUS client
(Section 2.3). (Section 2.3).
o Added Chargeable-User-Identity as a session identification o Added Chargeable-User-Identity as a session identification
attribute. Removed Framed-IP-Address, Framed-IPv6-Prefix, Framed- attribute. Removed Framed-IP-Address, Framed-IPv6-Prefix, Framed-
Interface-Id and NAS-Port-Type attributes as session identification Interface-Id and NAS-Port-Type attributes as session identification
attributes (Section 3). attributes (Section 3).
o Added details relating to handling of the Proxy-State Attribute
(Section 3.1).
o Added statement that support for "Authorize Only" Service-Type is
optional (Section 3.2).
o Added requirements for inclusion of the State Attribute in CoA- o Added requirements for inclusion of the State Attribute in CoA-
Request packets with a Service-Type of "Authorize Only" (Section Request packets with a Service-Type of "Authorize Only" (Section
3.2). 3.3).
o Added clarification on the calculation of the Message-Authenticator o Added clarification on the calculation of the Message-Authenticator
Attribute (Section 3.3). Attribute (Section 3.4).
o Added statement that support for "Authorize Only" Service-Type is o An additional Error-Cause Attribute value (407) is allocated for
optional (Section 3.5). Invalid Attribute Value (Sections 3.5, 4).
o Updated CoA-Request Attribute Table to include Filter-Rule, o Updated CoA-Request Attribute Table to include Filter-Rule,
Delegated-IPv6-Prefix, Egress-VLANID, Ingress-Filters, Egress-VLAN- Delegated-IPv6-Prefix, Egress-VLANID, Ingress-Filters, Egress-VLAN-
Name and User-Priority attributes (Section 3.5). Name and User-Priority attributes (Section 3.6).
o Added the Chargeable-User-Identity Attribute to both the CoA- o Added the Chargeable-User-Identity Attribute to both the CoA-
Request and Disconnect-Request Attribute table (Section 3.5). Request and Disconnect-Request Attribute table (Section 3.6).
o Added note on the use of the CoA-Request for renumbering (Section o Added note on the use of the CoA-Request for renumbering (Section
3.5). 3.6).
o Use of Service-Type and Error-Cause attributes within a Disconnect- o Use of Service-Type Attribute within a Disconnect-Request is
Request is prohibited (Sections 3.5). prohibited (Sections 3.2, 3.6, 4).
o Added Diameter Considerations (Section 4). o Added Diameter Considerations (Section 4).
o Changed the text to indicate that the Event-Timestamp Attribute o Changed the text to indicate that the Event-Timestamp Attribute
should not be recalculated on retransmission. The implications for should not be recalculated on retransmission. The implications for
replay and duplicate detection are discussed (Section 6.4). replay and duplicate detection are discussed (Section 6.4).
Full Copyright Statement Full Copyright Statement
Copyright (C) The IETF Trust (2007). Copyright (C) The IETF Trust (2007).
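Review bot: the change-log item that previously read "Use of Service-Type and Error-Cause attributes within a Disconnect-Request is prohibited" now lists only the Service-Type Attribute; if the Error-Cause prohibition was dropped from the body of the draft, Appendix A should record that as its own change, and if it was kept, the item should still mention it. The new 407 item cites "Sections 3.5, 4" under the name "Invalid Attribute Value", while the Section 3.5 text in this revision calls the error "Unsupported Attribute Value"; the change log should use the same name as the body text.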
 End of changes. 32 change blocks. 
107 lines changed or deleted 117 lines changed or added