draft-ietf-radext-rfc3576bis-07.txt | draft-ietf-radext-rfc3576bis-08.txt | |||
---|---|---|---|---|
Network Working Group Murtaza S. Chiba | Network Working Group Murtaza S. Chiba | |||
INTERNET-DRAFT Gopal Dommety | INTERNET-DRAFT Gopal Dommety | |||
Obsoletes: 3576 Mark Eklund | Obsoletes: 3576 Mark Eklund | |||
Category: Informational Cisco Systems, Inc. | Category: Informational Cisco Systems, Inc. | |||
<draft-ietf-radext-rfc3576bis-07.txt> David Mitton | <draft-ietf-radext-rfc3576bis-08.txt> David Mitton | |||
27 May 2007 RSA Security, Inc. | 4 June 2007 RSA Security, Inc. | |||
Bernard Aboba | Bernard Aboba | |||
Microsoft Corporation | Microsoft Corporation | |||
Dynamic Authorization Extensions to Remote Authentication Dial In User | Dynamic Authorization Extensions to Remote Authentication Dial In User | |||
Service (RADIUS) | Service (RADIUS) | |||
By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
skipping to change at page 2, line 17 | skipping to change at page 2, line 17 | |||
1. Introduction .......................................... 3 | 1. Introduction .......................................... 3 | |||
1.1 Applicability ................................... 3 | 1.1 Applicability ................................... 3 | |||
1.2 Requirements Language ........................... 4 | 1.2 Requirements Language ........................... 4 | |||
1.3 Terminology ..................................... 4 | 1.3 Terminology ..................................... 4 | |||
2. Overview ............................................. 5 | 2. Overview ............................................. 5 | |||
2.1 Disconnect Messages (DM) ........................ 5 | 2.1 Disconnect Messages (DM) ........................ 5 | |||
2.2 Change-of-Authorization Messages (CoA) .......... 5 | 2.2 Change-of-Authorization Messages (CoA) .......... 5 | |||
2.3 Packet Format ................................... 6 | 2.3 Packet Format ................................... 6 | |||
3. Attributes ............................................ 10 | 3. Attributes ............................................ 10 | |||
3.1 Proxy State ..................................... 12 | 3.1 Proxy State ..................................... 12 | |||
3.2 Authorize Only .................................. 12 | 3.2 Authorize Only .................................. 13 | |||
3.3 State ........................................... 13 | 3.3 State ........................................... 13 | |||
3.4 Message-Authenticator ........................... 14 | 3.4 Message-Authenticator ........................... 14 | |||
3.5 Error-Cause ..................................... 15 | 3.5 Error-Cause ..................................... 15 | |||
3.6 Table of Attributes ............................. 18 | 3.6 Table of Attributes ............................. 18 | |||
4. Diameter Considerations ............................... 21 | 4. Diameter Considerations ............................... 22 | |||
5. IANA Considerations ................................... 23 | 5. IANA Considerations ................................... 24 | |||
6. Security Considerations ............................... 24 | 6. Security Considerations ............................... 25 | |||
6.1 Authorization Issues ............................ 24 | 6.1 Authorization Issues ............................ 25 | |||
6.2 Impersonation ................................... 25 | 6.2 Impersonation ................................... 26 | |||
6.3 IPsec Usage Guidelines .......................... 25 | 6.3 IPsec Usage Guidelines .......................... 26 | |||
6.4 Replay Protection ............................... 28 | 6.4 Replay Protection ............................... 29 | |||
7. Example Traces ........................................ 29 | 7. Example Traces ........................................ 30 | |||
8. References ............................................ 29 | 8. References ............................................ 30 | |||
8.1 Normative References ............................ 29 | 8.1 Normative References ............................ 30 | |||
8.2 Informative References .......................... 30 | 8.2 Informative References .......................... 31 | |||
ACKNOWLEDGMENTS .............................................. 31 | ACKNOWLEDGMENTS .............................................. 32 | |||
AUTHORS' ADDRESSES ........................................... 32 | AUTHORS' ADDRESSES ........................................... 33 | |||
Appendix A - Changes from RFC 3576 ........................... 33 | Appendix A - Changes from RFC 3576 ........................... 34 | |||
Full Copyright Statement ..................................... 35 | Full Copyright Statement ..................................... 36 | |||
Intellectual Property ........................................ 35 | Intellectual Property ........................................ 36 | |||
1. Introduction | 1. Introduction | |||
The RADIUS protocol, defined in [RFC2865], does not support | The RADIUS protocol, defined in [RFC2865], does not support | |||
unsolicited messages sent from the RADIUS server to the Network | unsolicited messages sent from the RADIUS server to the Network | |||
Access Server (NAS). | Access Server (NAS). | |||
However, there are many instances in which it is desirable for | However, there are many instances in which it is desirable for | |||
changes to be made to session characteristics, without requiring the | changes to be made to session characteristics, without requiring the | |||
NAS to initiate the exchange. For example, it may be desirable for | NAS to initiate the exchange. For example, it may be desirable for | |||
administrators to be able to terminate a user session in progress. | administrators to be able to terminate user session(s) in progress. | |||
Alternatively, if the user changes authorization level, this may | Alternatively, if the user changes authorization level, this may | |||
require that authorization attributes be added/deleted from a user | require that authorization attributes be added/deleted from user | |||
session. | session(s). | |||
To overcome these limitations, several vendors have implemented | To overcome these limitations, several vendors have implemented | |||
additional RADIUS commands in order to be able to support unsolicited | additional RADIUS commands in order to be able to support unsolicited | |||
messages to be sent to the NAS. These extended commands provide | messages to be sent to the NAS. These extended commands provide | |||
support for Disconnect and Change-of-Authorization (CoA) packets. | support for Disconnect and Change-of-Authorization (CoA) packets. | |||
Disconnect packets cause a user session to be terminated immediately, | Disconnect packets cause user session(s) to be terminated | |||
whereas CoA packets modify session authorization attributes such as | immediately, whereas CoA packets modify session authorization | |||
data filters. | attributes such as data filters. | |||
1.1. Applicability | 1.1. Applicability | |||
This protocol is being recommended for publication as an | This protocol is being recommended for publication as an | |||
Informational RFC rather than as a standards-track RFC because of | Informational RFC rather than as a standards-track RFC because of | |||
problems that cannot be fixed without creating incompatibilities with | problems that cannot be fixed without creating incompatibilities with | |||
deployed implementations. This includes security vulnerabilities, as | deployed implementations. This includes security vulnerabilities, as | |||
well as semantic ambiguities resulting from the design of the Change- | well as semantic ambiguities resulting from the design of the Change- | |||
of-Authorization (CoA) commands. While fixes are recommended, they | of-Authorization (CoA) commands. While fixes are recommended, they | |||
cannot be made mandatory since this would be incompatible with | cannot be made mandatory since this would be incompatible with | |||
skipping to change at page 5, line 23 | skipping to change at page 5, line 23 | |||
packet, and SHOULD record the event in a statistics counter. | packet, and SHOULD record the event in a statistics counter. | |||
2. Overview | 2. Overview | |||
This section describes the most commonly implemented features of | This section describes the most commonly implemented features of | |||
Disconnect and Change-of-Authorization (CoA) packets. | Disconnect and Change-of-Authorization (CoA) packets. | |||
2.1. Disconnect Messages (DM) | 2.1. Disconnect Messages (DM) | |||
A Disconnect-Request packet is sent by the Dynamic Authorization | A Disconnect-Request packet is sent by the Dynamic Authorization | |||
Client in order to terminate a user session on a NAS and discard all | Client in order to terminate user session(s) on a NAS and discard all | |||
associated session context. The Disconnect-Request packet is sent to | associated session context. The Disconnect-Request packet is sent to | |||
UDP port 3799, and identifies the NAS as well as the user session to | UDP port 3799, and identifies the NAS as well as the user session(s) | |||
be terminated by inclusion of the identification attributes described | to be terminated by inclusion of the identification attributes | |||
in Section 3. | described in Section 3. | |||
+----------+ +----------+ | +----------+ +----------+ | |||
| | Disconnect-Request | | | | | Disconnect-Request | | | |||
| | <-------------------- | Dynamic | | | | <-------------------- | Dynamic | | |||
| NAS | | Authz | | | NAS | | Authz | | |||
| | Disconnect-Response | Client | | | | Disconnect-Response | Client | | |||
| | ---------------------> | | | | | ---------------------> | | | |||
+----------+ +----------+ | +----------+ +----------+ | |||
The NAS responds to a Disconnect-Request packet sent by a Dynamic | The NAS responds to a Disconnect-Request packet sent by a Dynamic | |||
Authorization Client with a Disconnect-ACK if all associated session | Authorization Client with a Disconnect-ACK if all associated session | |||
context is discarded and the user session is no longer connected, or | context is discarded and the user session(s) are no longer connected, | |||
a Disconnect-NAK, if the NAS was unable to disconnect the session and | or a Disconnect-NAK, if the NAS was unable to disconnect one or more | |||
discard all associated session context. A Disconnect-ACK MAY contain | sessions and discard all associated session context. A Disconnect- | |||
the Attribute Acct-Terminate-Cause (49) [RFC2866] with the value set | ACK MAY contain the Attribute Acct-Terminate-Cause (49) [RFC2866] | |||
to 6 for Admin-Reset. | with the value set to 6 for Admin-Reset. | |||
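Review bot: the rewritten Disconnect-NAK condition in the right-hand column ("unable to disconnect one or more sessions") does not say what happens to matching sessions that were already torn down before the failure was detected. The Attributes text in Section 2.3 makes this a MUST NOT (no state change may result from an unsuccessful Disconnect-Request), so this paragraph should restate or reference that requirement, e.g. "A NAS MUST NOT terminate any of the matching sessions unless all of them can be terminated (see Section 2.3)."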
2.2. Change-of-Authorization Messages (CoA) | 2.2. Change-of-Authorization Messages (CoA) | |||
CoA-Request packets contain information for dynamically changing | CoA-Request packets contain information for dynamically changing | |||
session authorizations. Typically this is used to change data | session authorizations. Typically this is used to change data | |||
filters. The data filters can be of either the ingress or egress | filters. The data filters can be of either the ingress or egress | |||
kind, and are sent in addition to the identification attributes as | kind, and are sent in addition to the identification attributes as | |||
described in section 3. The port used, and packet format (described | described in section 3. The port used, and packet format (described | |||
in Section 2.3), are the same as that for Disconnect-Request packets. | in Section 2.3), are the same as that for Disconnect-Request packets. | |||
The following attributes MAY be sent in a CoA-Request: | The following attributes MAY be sent in a CoA-Request: | |||
Filter-ID (11) - Indicates the name of a data filter list | Filter-ID (11) - Indicates the name of a data filter list | |||
to be applied for the session that the | to be applied for the session(s) that the | |||
identification attributes map to. | identification attributes map to. | |||
NAS-Filter-Rule (92) - Provides a filter list to be applied | NAS-Filter-Rule (92) - Provides a filter list to be applied | |||
for the session that the identification | for the session(s) that the identification | |||
attributes map to [RFC4849]. | attributes map to [RFC4849]. | |||
+----------+ +----------+ | +----------+ +----------+ | |||
| | CoA-Request | | | | | CoA-Request | | | |||
| | <-------------------- | Dynamic | | | | <-------------------- | Dynamic | | |||
| NAS | | Authz | | | NAS | | Authz | | |||
| | CoA-Response | Client | | | | CoA-Response | Client | | |||
| | ---------------------> | | | | | ---------------------> | | | |||
+----------+ +----------+ | +----------+ +----------+ | |||
The NAS responds to a CoA-Request sent by a Dynamic Authorization | The NAS responds to a CoA-Request sent by a Dynamic Authorization | |||
Client with a CoA-ACK if the NAS is able to successfully change the | Client with a CoA-ACK if the NAS is able to successfully change the | |||
authorizations for the user session, or a CoA-NAK if the CoA-Request | authorizations for the user session(s), or a CoA-NAK if the CoA- | |||
is unsuccessful. A NAS MUST respond to a CoA-Request including a | Request is unsuccessful. A NAS MUST respond to a CoA-Request | |||
Service-Type Attribute with an unsupported value with a CoA-NAK; an | including a Service-Type Attribute with an unsupported value with a | |||
Error-Cause Attribute with value "Unsupported Service" SHOULD be | CoA-NAK; an Error-Cause Attribute with value "Unsupported Service" | |||
included. | SHOULD be included. | |||
2.3. Packet Format | 2.3. Packet Format | |||
For either Disconnect-Request or CoA-Request packets UDP port 3799 is | For either Disconnect-Request or CoA-Request packets UDP port 3799 is | |||
used as the destination port. For responses, the source and | used as the destination port. For responses, the source and | |||
destination ports are reversed. Exactly one RADIUS packet is | destination ports are reversed. Exactly one RADIUS packet is | |||
encapsulated in the UDP Data field. | encapsulated in the UDP Data field. | |||
A summary of the data format is shown below. The fields are | A summary of the data format is shown below. The fields are | |||
transmitted from left to right. | transmitted from left to right. | |||
skipping to change at page 9, line 22 | skipping to change at page 9, line 22 | |||
Administrative note: As noted in [RFC2865] Section 3, the secret | Administrative note: As noted in [RFC2865] Section 3, the secret | |||
(password shared between the Dynamic Authorization Client and the | (password shared between the Dynamic Authorization Client and the | |||
Dynamic Authorization Server) SHOULD be at least as large and | Dynamic Authorization Server) SHOULD be at least as large and | |||
unguessable as a well-chosen password. The Dynamic Authorization | unguessable as a well-chosen password. The Dynamic Authorization | |||
Server MUST use the source IP address of the RADIUS UDP packet to | Server MUST use the source IP address of the RADIUS UDP packet to | |||
decide which shared secret to use, so that requests can be | decide which shared secret to use, so that requests can be | |||
proxied. | proxied. | |||
Attributes | Attributes | |||
In Disconnect and CoA-Request packets, all attributes are treated | In CoA-Request and Disconnect-Request packets, all attributes MUST | |||
as mandatory. If one or more authorization changes specified in a | be treated as mandatory. If one or more authorization changes | |||
CoA-Request cannot be carried out, the NAS MUST send a CoA-NAK. A | specified in a CoA-Request cannot be carried out, the NAS MUST | |||
NAS MUST respond to a CoA-Request containing one or more | send a CoA-NAK. A NAS MUST respond to a CoA-Request containing | |||
unsupported Attributes or Attribute values with a CoA-NAK; an | one or more unsupported Attributes or Attribute values with a CoA- | |||
Error-Cause Attribute with value 401 (Unsupported Attribute) or | NAK; an Error-Cause Attribute with value 401 (Unsupported | |||
407 (Invalid Attribute Value) MAY be included. A NAS MUST respond | Attribute) or 407 (Invalid Attribute Value) MAY be included. A | |||
to a Disconnect-Request containing one or more unsupported | NAS MUST respond to a Disconnect-Request containing one or more | |||
Attributes or Attribute values with a Disconnect-NAK; an Error- | unsupported Attributes or Attribute values with a Disconnect-NAK; | |||
Cause Attribute with value 401 (Unsupported Attribute) or 407 | an Error-Cause Attribute with value 401 (Unsupported Attribute) or | |||
(Invalid Attribute Value) MAY be included. | 407 (Invalid Attribute Value) MAY be included. | |||
State changes resulting from a CoA-Request MUST be atomic: if the | State changes resulting from a CoA-Request MUST be atomic: if the | |||
CoA-Request is successful, the Dynamic Authorization Server MUST | CoA-Request is successful for all matching sessions, the NAS MUST | |||
send a CoA-ACK in reply, and all requested authorization changes | send a CoA-ACK in reply, and all requested authorization changes | |||
MUST be made. If the CoA-Request is unsuccessful, a CoA-NAK MUST | MUST be made. If the CoA-Request is unsuccessful for any matching | |||
be sent in reply, and the requested authorization changes MUST NOT | sessions, the NAS MUST send as CoA-NAK in reply, and the requested | |||
be made. Similarly, a state change MUST NOT occur as a result of | authorization changes MUST NOT be made for any of the matching | |||
an unsuccessful Disconnect-Request; the Dynamic Authorization | sessions. Similarly, a state change MUST NOT occur as a result of | |||
Server MUST send a Disconnect-NAK in reply. | a Disconnect-Request that is unsuccessful with respect to any of | |||
the matching sessions; a NAS MUST send a Disconnect-NAK in reply | ||||
if any of the matching sessions cannot be successfully terminated. | ||||
A NAS which does not support dynamic authorization changes | ||||
applying to multiple sessions MUST send a CoA-NAK or Disconnect- | ||||
NAK in reply; an Error-Cause Attribute with value 508 (Multiple | ||||
Session Selection Unsupported) SHOULD be included. | ||||
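Review bot: typo in the atomicity paragraph of the right-hand column: "the NAS MUST send as CoA-NAK in reply" should read "the NAS MUST send a CoA-NAK in reply". Separately, the new closing sentence ("A NAS which does not support dynamic authorization changes applying to multiple sessions MUST send a CoA-NAK or Disconnect-NAK in reply") is unconditional as written and could be read as requiring such a NAS to NAK every request; scope it to the multi-match case, e.g. "A NAS which does not support dynamic authorization changes applying to multiple sessions MUST, where the identification attributes match more than one session, send a CoA-NAK or Disconnect-NAK in reply; an Error-Cause Attribute with value 508 (Multiple Session Selection Unsupported) SHOULD be included."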
Within this specification attributes can be used for | Within this specification attributes can be used for | |||
identification, authorization or other purposes. RADIUS Attribute | identification, authorization or other purposes. RADIUS Attribute | |||
specifications created after publication of this document SHOULD | specifications created after publication of this document SHOULD | |||
state whether an attribute can be included in CoA or Disconnect | state whether an attribute can be included in CoA or Disconnect | |||
messages and if so, which messages it can be included in and | messages and if so, which messages it can be included in and | |||
whether it serves as an identification or authorization attribute. | whether it serves as an identification or authorization attribute. | |||
Even if a NAS implements an attribute for use with RADIUS | Even if a NAS implements an attribute for use with RADIUS | |||
authentication and accounting, it is possible that it will not | authentication and accounting, it is possible that it will not | |||
support inclusion of that attribute within CoA-Request and | support inclusion of that attribute within CoA-Request and | |||
Disconnect-Request packets, given the difference in attribute | Disconnect-Request packets, given the difference in attribute | |||
semantics. This is true even for attributes specified as | semantics. This is true even for attributes specified as | |||
allowable within Access-Accept packets (such as those defined | allowable within Access-Accept packets (such as those defined | |||
within [RFC2865], [RFC2868], [RFC2869], [RFC3162], [RFC3579], | within [RFC2865], [RFC2868], [RFC2869], [RFC3162], [RFC3579], | |||
[RFC4372], [RFC4675], [RFC4818] and [RFC4849]). | [RFC4372], [RFC4675], [RFC4818] and [RFC4849]). | |||
3. Attributes | 3. Attributes | |||
In Disconnect-Request and CoA-Request packets, certain attributes are | In Disconnect-Request and CoA-Request packets, certain attributes are | |||
used to uniquely identify the NAS as well as a user session on the | used to uniquely identify the NAS as well as user session(s) on the | |||
NAS. All NAS identification attributes included in a Request packet | NAS. All NAS and session identification attributes included in a | |||
MUST match in order for a Disconnect-Request or CoA-Request to be | CoA-Request or Disconnect-Request packet MUST match at least one | |||
successful; otherwise a Disconnect-NAK or CoA-NAK SHOULD be sent. | session in order for a Request to be successful; otherwise a | |||
For session identification attributes, the User-Name and Acct- | Disconnect-NAK or CoA-NAK MUST be sent. If all NAS identification | |||
Session-Id Attributes, if included, MUST match in order for a | attributes match, and more than one session matches all of the | |||
Disconnect-Request or CoA-Request to be successful; other session | session identification attributes, then a CoA-Request or Disconnect- | |||
identification attributes SHOULD match. Where a mismatch of session | Request MUST apply to all matching sessions. | |||
identification attributes is detected, a Disconnect-NAK or CoA-NAK | ||||
SHOULD be sent. | ||||
The ability to use NAS or session identification attributes to map to | ||||
unique/multiple sessions is beyond the scope of this document. | ||||
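Review bot: the -08 text drops the -07 distinction between session identification attributes that MUST match (User-Name, Acct-Session-Id) and those that SHOULD match, making every included NAS and session identification attribute a MUST-match, and it strengthens the NAK on mismatch from SHOULD to MUST. Appendix A (Changes from RFC 3576) should call this out explicitly, since a NAS that tolerated a mismatch on, say, Calling-Station-Id was compliant with -07 and is not with -08. The paragraph should also name the Error-Cause to include when no session matches; the Section 3.5 table already defines 503 (Session Context Not Found) for this purpose.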
Identification attributes include NAS and session identification | Identification attributes include NAS and session identification | |||
attributes, as described below. | attributes, as described below. | |||
NAS identification attributes | NAS identification attributes | |||
Attribute # Reference Description | Attribute # Reference Description | |||
--------- --- --------- ----------- | --------- --- --------- ----------- | |||
NAS-IP-Address 4 [RFC2865] The IPv4 address of the NAS. | NAS-IP-Address 4 [RFC2865] The IPv4 address of the NAS. | |||
NAS-Identifier 32 [RFC2865] String identifying the NAS. | NAS-Identifier 32 [RFC2865] String identifying the NAS. | |||
NAS-IPv6-Address 95 [RFC3162] The IPv6 address of the NAS. | NAS-IPv6-Address 95 [RFC3162] The IPv6 address of the NAS. | |||
Session identification attributes | Session identification attributes | |||
Attribute # Reference Description | Attribute # Reference Description | |||
--------- --- --------- ----------- | --------- --- --------- ----------- | |||
User-Name 1 [RFC2865] The name of the user | User-Name 1 [RFC2865] The name of the user | |||
associated with the session. | associated with one or | |||
NAS-Port 5 [RFC2865] The port on which the | more sessions. | |||
NAS-Port 5 [RFC2865] The port on which a | ||||
session is terminated. | session is terminated. | |||
Framed-IP-Address 8 [RFC2865] The IPv4 address associated | ||||
with a session. | ||||
Vendor-Specific 26 [RFC2865] One or more vendor-specific | ||||
identification attributes. | ||||
Called-Station-Id 30 [RFC2865] The link address to which | Called-Station-Id 30 [RFC2865] The link address to which | |||
the session is connected. | a session is connected. | |||
Calling-Station-Id 31 [RFC2865] The link address from which | Calling-Station-Id 31 [RFC2865] The link address from which | |||
the session is connected. | one or more sessions are | |||
connected. | ||||
Acct-Session-Id 44 [RFC2866] The identifier uniquely | Acct-Session-Id 44 [RFC2866] The identifier uniquely | |||
identifying the session | identifying a session | |||
on the NAS. | on the NAS. | |||
Acct-Multi-Session-Id 50 [RFC2866] The identifier uniquely | Acct-Multi-Session-Id 50 [RFC2866] The identifier uniquely | |||
identifying related sessions. | identifying related sessions. | |||
NAS-Port-Id 87 [RFC2869] String identifying the port | NAS-Port-Id 87 [RFC2869] String identifying the port | |||
where the session is. | where a session is. | |||
Chargeable-User- 89 [RFC4372] The CUI associated with the | Chargeable-User- 89 [RFC4372] The CUI associated with one | |||
Identity session. Needed where a | Identity or more sessions. Needed | |||
privacy NAI is used, because | where a privacy NAI is used, | |||
the User-Name may not be | since in this case the | |||
unique (e.g. "anonymous"). | User-Name (e.g. "anonymous") | |||
may not identify sessions | ||||
belonging to a given user. | ||||
Framed-Interface-Id 96 [RFC3162] The IPv6 Interface Identifier | ||||
associated with a session; | ||||
always sent with | ||||
Framed-IPv6-Prefix. | ||||
Framed-IPv6-Prefix 97 [RFC3162] The IPv6 prefix associated | ||||
with a session, always sent | ||||
with Framed-Interface-Id. | ||||
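Review bot: the new Vendor-Specific (26) row ("One or more vendor-specific identification attributes") does not say what a NAS should do with a VSA it does not recognise as an identification attribute. Given the Section 2.3 rule that all attributes in a CoA-Request or Disconnect-Request MUST be treated as mandatory, the intended behaviour (a CoA-NAK or Disconnect-NAK, with Error-Cause 401, Unsupported Attribute, optionally included) should be stated in the row or in the text below the table rather than left to inference.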
To address security concerns described in Section 6.1, either the | To address security concerns described in Section 6.1, either the | |||
User-Name or Chargeable-User-Identity attribute SHOULD be present in | User-Name or Chargeable-User-Identity attribute SHOULD be present in | |||
Disconnect-Request and CoA-Request packets. | Disconnect-Request and CoA-Request packets. | |||
Where a Diameter client utilizes the same Session-Id for both | Where a Diameter client utilizes the same Session-Id for both | |||
authorization and accounting, inclusion of an Acct-Session-Id | authorization and accounting, inclusion of an Acct-Session-Id | |||
Attribute in a Disconnect-Request or CoA-Request can assist with | Attribute in a Disconnect-Request or CoA-Request can assist with | |||
Diameter/RADIUS translation, since Diameter RAR and ASR commands | Diameter/RADIUS translation, since Diameter RAR and ASR commands | |||
include a Session-Id AVP. An Acct-Session-Id Attribute SHOULD be | include a Session-Id AVP. An Acct-Session-Id Attribute SHOULD be | |||
included in Disconnect-Request and CoA-Request packets. | included in Disconnect-Request and CoA-Request packets. | |||
A NAS implementing this specification SHOULD send an Acct-Session-Id | A NAS implementing this specification SHOULD send an Acct-Session-Id | |||
or Acct-Multi-Session-Id Attribute within an Access-Request. Where | or Acct-Multi-Session-Id Attribute within an Access-Request. Where | |||
an Acct-Session-Id or Acct-Multi-Session-Id Attribute is not included | an Acct-Session-Id or Acct-Multi-Session-Id Attribute is not included | |||
within an Access-Request, the Dynamic Authorizatoin Client will not | within an Access-Request, the Dynamic Authorization Client will not | |||
know the Acct-Session-Id or Acct-Multi-Session-Id of the session it | know the Acct-Session-Id or Acct-Multi-Session-Id of the session it | |||
is attempting to target, unless it also has access to the accounting | is attempting to target, unless it also has access to the accounting | |||
data for that session. | data for that session. | |||
Where an Acct-Session-Id or Acct-Multi-Session-Id Attribute is not | Where an Acct-Session-Id or Acct-Multi-Session-Id Attribute is not | |||
present in a CoA-Request or Disconnect-Request, it is possible that | present in a CoA-Request or Disconnect-Request, it is possible that | |||
the the User-Name or Chargeable-User-Identity attributes will not be | the the User-Name or Chargeable-User-Identity attributes will not be | |||
sufficient to uniquely identify the session (e.g. if the same user | sufficient to uniquely identify a single session (e.g. if the same | |||
has multiple sessions on the NAS, or if the privacy NAI is used). In | user has multiple sessions on the NAS, or if the privacy NAI is | |||
this case, session identification MAY be performed by using one or | used). In this case if it is desired to identify a single session, | |||
more of the Called-Station-Id, Calling-Station-Id, NAS-Port and NAS- | session identification MAY be performed by using one or more of the | |||
Port-Id attributes. | Framed-IP-Address, Framed-IPv6-Prefix/Framed-Interface-Id, Called- | |||
Station-Id, Calling-Station-Id, NAS-Port and NAS-Port-Id attributes. | ||||
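Review bot: the doubled article in "the the User-Name or Chargeable-User-Identity attributes" (second line of this paragraph) carried over unchanged from -07 into -08; drop one "the".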
To address security concerns described in Section 6.2, one or more of | To address security concerns described in Section 6.2, one or more of | |||
the NAS-IP-Address or NAS-IPv6-Address Attributes SHOULD be present | the NAS-IP-Address or NAS-IPv6-Address Attributes SHOULD be present | |||
in CoA-Request and Disconnect-Request packets; the NAS-Identifier | in CoA-Request and Disconnect-Request packets; the NAS-Identifier | |||
Attribute MAY be present. | Attribute MAY be present. | |||
A Disconnect-Request MUST contain only NAS and session identification | A Disconnect-Request MUST contain only NAS and session identification | |||
attributes. If other attributes are included in a Disconnect- | attributes. If other attributes are included in a Disconnect- | |||
Request, implementations MUST send a Disconnect-NAK; an Error-Cause | Request, implementations MUST send a Disconnect-NAK; an Error-Cause | |||
Attribute with value "Unsupported Attribute" MAY be included. | Attribute with value "Unsupported Attribute" MAY be included. | |||
skipping to change at page 13, line 19 | skipping to change at page 13, line 38 | |||
If a CoA-Request packet including a Service-Type value of "Authorize | If a CoA-Request packet including a Service-Type value of "Authorize | |||
Only" is successfully processed, the NAS MUST respond with a CoA-NAK | Only" is successfully processed, the NAS MUST respond with a CoA-NAK | |||
containing a Service-Type Attribute with value "Authorize Only", and | containing a Service-Type Attribute with value "Authorize Only", and | |||
an Error-Cause Attribute with value 507 (Request Initiated). The NAS | an Error-Cause Attribute with value 507 (Request Initiated). The NAS | |||
then MUST send an Access-Request to the RADIUS server including a | then MUST send an Access-Request to the RADIUS server including a | |||
Service-Type Attribute with value "Authorize Only", along with a | Service-Type Attribute with value "Authorize Only", along with a | |||
State Attribute. This Access-Request SHOULD contain the NAS | State Attribute. This Access-Request SHOULD contain the NAS | |||
identification attributes from the CoA-Request, as well as the | identification attributes from the CoA-Request, as well as the | |||
session identification attributes from the CoA-Request permitted in | session identification attributes from the CoA-Request permitted in | |||
an Access-Request. As noted in [RFC2869] Section 5.19, a Message- | an Access-Request; it also MAY contain other attributes permitted in | |||
Authenticator attribute SHOULD be included in an Access-Request that | an Access-Request. | |||
does not contain a User-Password, CHAP-Password, ARAP-Password or | ||||
EAP-Message Attribute. The RADIUS server then will respond to the | As noted in [RFC2869] Section 5.19, a Message-Authenticator attribute | |||
Access-Request with an Access-Accept to (re-)authorize the session or | SHOULD be included in an Access-Request that does not contain a User- | |||
an Access-Reject to refuse to (re-)authorize it. | Password, CHAP-Password, ARAP-Password or EAP-Message Attribute. The | |||
RADIUS server then will respond to the Access-Request with an Access- | ||||
Accept to (re-)authorize the session or an Access-Reject to refuse to | ||||
(re-)authorize it. | ||||
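The round trip above (CoA-Request with Service-Type "Authorize Only", CoA-NAK with Error-Cause 507 and the State echoed unmodified, then the NAS's own Access-Request carrying the same State and a Message-Authenticator) is easier to reason about with the bytes in hand. The following is an added example, not code from the draft or from any implementation it cites: a minimal RADIUS encoder that builds each packet and runs the authenticator checks both receivers must perform. The Request Authenticator rule for CoA-Request (MD5 over the packet with 16 zero octets in place of the authenticator) is RFC 3576 Section 2.3, the Response Authenticator rule is RFC 2865 Section 3, and the Message-Authenticator rule is RFC 2869 Section 5.14. The shared secret, identifiers, State value, session id and NAS-Identifier are constructed for the demonstration.

```python
# Added example, not code from the draft: minimal RADIUS encoder/verifier
# walking through the Section 3.2 "Authorize Only" exchange.
import hashlib
import hmac
import os
import struct

# Packet codes (RFC 2865 / RFC 3576) and attribute types used below
ACCESS_REQUEST, COA_REQUEST, COA_NAK = 1, 43, 45
SERVICE_TYPE, STATE, NAS_IDENTIFIER = 6, 24, 32
ACCT_SESSION_ID, MESSAGE_AUTHENTICATOR, ERROR_CAUSE = 44, 80, 101
SERVICE_TYPE_AUTHORIZE_ONLY = 17        # Service-Type value allocated by RFC 3576
ERROR_CAUSE_REQUEST_INITIATED = 507

def u32(n):
    return struct.pack("!I", n)

def encode_attrs(attrs):
    """attrs: list of (type, value bytes) -> TLV octets; values are capped at 253 octets."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_attrs(data):
    attrs = []
    while data:
        t, l = struct.unpack("!BB", data[:2])
        if l < 2 or l > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[2:l]))
        data = data[l:]
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def coa_request(ident, attrs, secret):
    """RFC 3576 2.3: Request Authenticator = MD5(Code+ID+Length+16 zero octets+attrs+secret)."""
    pkt = build_packet(COA_REQUEST, ident, bytes(16), attrs)
    return pkt[:4] + hashlib.md5(pkt + secret).digest() + pkt[20:]

def verify_coa_request(pkt, secret):
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    return hmac.compare_digest(pkt[4:20], expected)

def response(code, request, attrs, secret):
    """RFC 2865 3: Response Authenticator = MD5(Code+ID+Length+RequestAuth+attrs+secret)."""
    pkt = build_packet(code, request[1], request[4:20], attrs)
    return pkt[:4] + hashlib.md5(pkt + secret).digest() + pkt[20:]

def verify_response(resp, request, secret):
    expected = hashlib.md5(resp[:4] + request[4:20] + resp[20:] + secret).digest()
    return hmac.compare_digest(resp[4:20], expected)

def access_request(ident, attrs, secret):
    """RFC 2869 5.14: Message-Authenticator = HMAC-MD5(secret, packet with the MA value
    zeroed), carried as the last attribute; the Request Authenticator is random."""
    pkt = build_packet(ACCESS_REQUEST, ident, os.urandom(16),
                       list(attrs) + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def verify_message_authenticator(pkt, secret):
    attrs = decode_attrs(pkt[20:])
    mas = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(mas) != 1 or len(mas[0]) != 16:
        return False
    zeroed = [(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    expected = hmac.new(secret, pkt[:20] + encode_attrs(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(expected, mas[0])

def authorize_only_exchange(secret, state=b"\x7fsess-42", session=b"ab12cd"):
    """Run the Section 3.2 flow on constructed values; returns the packets and both checks."""
    # 1. DAC -> NAS: CoA-Request carrying State and Service-Type "Authorize Only"
    coa = coa_request(7, [(NAS_IDENTIFIER, b"nas1"), (ACCT_SESSION_ID, session),
                          (SERVICE_TYPE, u32(SERVICE_TYPE_AUTHORIZE_ONLY)), (STATE, state)], secret)
    if not verify_coa_request(coa, secret):        # the NAS proves the shared secret first
        raise ValueError("CoA-Request failed Request Authenticator check")
    req = dict(decode_attrs(coa[20:]))
    # 2. NAS -> DAC: CoA-NAK with Service-Type "Authorize Only", Error-Cause 507, State unmodified
    nak = response(COA_NAK, coa, [(SERVICE_TYPE, u32(SERVICE_TYPE_AUTHORIZE_ONLY)),
                                  (ERROR_CAUSE, u32(ERROR_CAUSE_REQUEST_INITIATED)),
                                  (STATE, req[STATE])], secret)
    # 3. NAS -> RADIUS server: Access-Request with the NAS/session identifiers, the same State,
    #    and a Message-Authenticator because no password or EAP-Message binds the packet
    acc = access_request(8, [(NAS_IDENTIFIER, req[NAS_IDENTIFIER]), (ACCT_SESSION_ID, req[ACCT_SESSION_ID]),
                             (SERVICE_TYPE, u32(SERVICE_TYPE_AUTHORIZE_ONLY)), (STATE, req[STATE])], secret)
    # 4. Server side: verify the HMAC, then match State against what the DAC issued
    server_ok = verify_message_authenticator(acc, secret) and dict(decode_attrs(acc[20:]))[STATE] == state
    return {"coa": coa, "nak": nak, "access_request": acc,
            "dac_ok": verify_response(nak, coa, secret), "server_ok": server_ok,
            "nak_error_cause": struct.unpack("!I", dict(decode_attrs(nak[20:]))[ERROR_CAUSE])[0]}
```

Two points the code makes concrete: the CoA-NAK here is not an error in the usual sense (507 only tells the DAC that the re-authorization is now in flight), and the Access-Request the NAS emits has nothing but the Message-Authenticator protecting its integrity, which is why the SHOULD in the text is worth treating as a MUST in deployment.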
3.3. State | 3.3. State | |||
The State Attribute is available to be sent by the Dynamic | The State Attribute is available to be sent by the Dynamic | |||
Authorization Client to the NAS in a CoA-Request packet and MUST be | Authorization Client to the NAS in a CoA-Request packet and MUST be | |||
sent unmodified from the NAS to the Dynamic Authorization Client in a | sent unmodified from the NAS to the Dynamic Authorization Client in a | |||
subsequent ACK or NAK packet. | subsequent ACK or NAK packet. | |||
[RFC2865] Section 5.44 states: | [RFC2865] Section 5.44 states: | |||
skipping to change at page 16, line 26 | skipping to change at page 16, line 47 | |||
405 Unsupported Service | 405 Unsupported Service | |||
406 Unsupported Extension | 406 Unsupported Extension | |||
407 Invalid Attribute Value | 407 Invalid Attribute Value | |||
501 Administratively Prohibited | 501 Administratively Prohibited | |||
502 Request Not Routable (Proxy) | 502 Request Not Routable (Proxy) | |||
503 Session Context Not Found | 503 Session Context Not Found | |||
504 Session Context Not Removable | 504 Session Context Not Removable | |||
505 Other Proxy Processing Error | 505 Other Proxy Processing Error | |||
506 Resources Unavailable | 506 Resources Unavailable | |||
507 Request Initiated | 507 Request Initiated | |||
508 Multiple Session Selection Unsupported | ||||
"Residual Session Context Removed" is sent in response to a | "Residual Session Context Removed" is sent in response to a | |||
Disconnect-Request if the user session is no longer active, but | Disconnect-Request if one or more user session(s) are no longer | |||
residual session context was found and successfully removed. This | active, but residual session context was found and successfully | |||
value is only sent within a Disconnect-ACK and MUST NOT be sent | removed. This value is only sent within a Disconnect-ACK and MUST | |||
within a CoA-ACK, Disconnect-NAK or CoA-NAK. | NOT be sent within a CoA-ACK, Disconnect-NAK or CoA-NAK. | |||
"Invalid EAP Packet (Ignored)" is a non-fatal error that MUST NOT | "Invalid EAP Packet (Ignored)" is a non-fatal error that MUST NOT | |||
be sent by implementations of this specification. | be sent by implementations of this specification. | |||
"Unsupported Attribute" is a fatal error sent if a Request | "Unsupported Attribute" is a fatal error sent if a Request | |||
contains an attribute (such as a Vendor-Specific or EAP-Message | contains an attribute (such as a Vendor-Specific or EAP-Message | |||
Attribute) that is not supported. | Attribute) that is not supported. | |||
"Missing Attribute" is a fatal error sent if critical attributes | "Missing Attribute" is a fatal error sent if critical attributes | |||
(such as NAS or session identification attributes) are missing | (such as NAS or session identification attributes) are missing | |||
skipping to change at page 17, line 13 | skipping to change at page 17, line 34 | |||
EAP-Message Attribute(s)) are not formatted properly. | EAP-Message Attribute(s)) are not formatted properly. | |||
"Unsupported Service" is a fatal error sent if a Service-Type | "Unsupported Service" is a fatal error sent if a Service-Type | |||
Attribute included with the Request is sent with an invalid or | Attribute included with the Request is sent with an invalid or | |||
unsupported value. This error cannot be sent in response to a | unsupported value. This error cannot be sent in response to a | |||
Disconnect-Request. | Disconnect-Request. | |||
"Unsupported Extension" is a fatal error sent due to lack of | "Unsupported Extension" is a fatal error sent due to lack of | |||
support for an extension such as Disconnect and/or CoA packets. | support for an extension such as Disconnect and/or CoA packets. | |||
This will typically be sent by a proxy receiving an ICMP port | This will typically be sent by a proxy receiving an ICMP port | |||
unreachable message after attempting to forward a CoA or | unreachable message after attempting to forward a CoA-Request or | |||
Disconnect-Request to the NAS. | Disconnect-Request to the NAS. | |||
"Invalid Attribute Value" is a fatal error sent if a CoA-Request | "Invalid Attribute Value" is a fatal error sent if a CoA-Request | |||
or Disconnect-Request contains an attribute with an unsupported | or Disconnect-Request contains an attribute with an unsupported | |||
value. | value. | |||
"Administratively Prohibited" is a fatal error sent if the NAS is | "Administratively Prohibited" is a fatal error sent if the NAS is | |||
configured to prohibit honoring of CoA-Request or Disconnect- | configured to prohibit honoring of CoA-Request or Disconnect- | |||
Request packets for the specified session. | Request packets for the specified session. | |||
"Request Not Routable" is a fatal error which MAY be sent by a | "Request Not Routable" is a fatal error which MAY be sent by a | |||
proxy and MUST NOT be sent by a NAS. It indicates that the proxy | proxy and MUST NOT be sent by a NAS. It indicates that the proxy | |||
was unable to determine how to route a CoA or Disconnect-Request | was unable to determine how to route a CoA-Request or Disconnect- | |||
to the NAS. For example, this can occur if the required entries | Request to the NAS. For example, this can occur if the required | |||
are not present in the proxy's realm routing table. | entries are not present in the proxy's realm routing table. | |||
"Session Context Not Found" is a fatal error sent if the session | "Session Context Not Found" is a fatal error sent if the session | |||
context identified in the CoA-Request or Disconnect-Request does | context identified in the CoA-Request or Disconnect-Request does | |||
not exist on the NAS. | not exist on the NAS. | |||
"Session Context Not Removable" is a fatal error sent in response | "Session Context Not Removable" is a fatal error sent in response | |||
to a Disconnect-Request if the NAS was able to locate the session | to a Disconnect-Request if the NAS was able to locate the session | |||
context, but could not remove it for some reason. It MUST NOT be | context, but could not remove it for some reason. It MUST NOT be | |||
sent within a CoA-ACK, CoA-NAK or Disconnect-ACK, only within a | sent within a CoA-ACK, CoA-NAK or Disconnect-ACK, only within a | |||
Disconnect-NAK. | Disconnect-NAK. | |||
skipping to change at page 17, line 51 | skipping to change at page 18, line 24 | |||
to a CoA or Disconnect-Request that could not be processed by a | to a CoA or Disconnect-Request that could not be processed by a | |||
proxy, for reasons other than routing. | proxy, for reasons other than routing. | |||
"Resources Unavailable" is a fatal error sent when a CoA or | "Resources Unavailable" is a fatal error sent when a CoA or | |||
Disconnect-Request could not be honored due to lack of available | Disconnect-Request could not be honored due to lack of available | |||
NAS resources (memory, non-volatile storage, etc.). | NAS resources (memory, non-volatile storage, etc.). | |||
"Request Initiated" is a fatal error sent by a NAS in response to | "Request Initiated" is a fatal error sent by a NAS in response to | |||
a CoA-Request including a Service-Type Attribute with a value of | a CoA-Request including a Service-Type Attribute with a value of | |||
"Authorize Only". It indicates that the CoA-Request has not been | "Authorize Only". It indicates that the CoA-Request has not been | |||
honored, but that the NAS is sending a RADIUS Access-Request | honored, but that the NAS is sending one or more RADIUS Access- | |||
including a Service-Type Attribute with value "Authorize Only" to | Request(s) including a Service-Type Attribute with value | |||
the RADIUS server. | "Authorize Only" to the RADIUS server. | |||
"Multiple Session Selection Unsupported" is a fatal error sent by | ||||
a NAS in response to a CoA-Request or Disconnect-Request whose | ||||
session identification attributes match multiple sessions, where | ||||
the NAS does not support Requests applying to multiple sessions. | ||||
3.6. Table of Attributes | 3.6. Table of Attributes | |||
The following table provides a guide to which attributes may be found | The following table provides a guide to which attributes may be found | |||
in which packets, and in what quantity. | in which packets, and in what quantity. | |||
Change-of-Authorization Messages | Change-of-Authorization Messages | |||
Request ACK NAK # Attribute | Request ACK NAK # Attribute | |||
0-1 0 0 1 User-Name [Note 1] | 0-1 0 0 1 User-Name [Note 1] | |||
0-1 0 0 4 NAS-IP-Address [Note 1] | 0-1 0 0 4 NAS-IP-Address [Note 1] | |||
0-1 0 0 5 NAS-Port [Note 1] | 0-1 0 0 5 NAS-Port [Note 1] | |||
0-1 0 0-1 6 Service-Type | 0-1 0 0-1 6 Service-Type | |||
0-1 0 0 7 Framed-Protocol [Note 3] | 0-1 0 0 7 Framed-Protocol [Note 3] | |||
0-1 0 0 8 Framed-IP-Address [Note 6] | 0-1 0 0 8 Framed-IP-Address [Notes 1,6] | |||
0-1 0 0 9 Framed-IP-Netmask [Note 6] | 0-1 0 0 9 Framed-IP-Netmask [Note 3] | |||
0-1 0 0 10 Framed-Routing [Note 3] | 0-1 0 0 10 Framed-Routing [Note 3] | |||
0+ 0 0 11 Filter-ID [Note 3] | 0+ 0 0 11 Filter-ID [Note 3] | |||
0-1 0 0 12 Framed-MTU [Note 3] | 0-1 0 0 12 Framed-MTU [Note 3] | |||
0+ 0 0 13 Framed-Compression [Note 3] | 0+ 0 0 13 Framed-Compression [Note 3] | |||
0+ 0 0 14 Login-IP-Host [Note 3] | 0+ 0 0 14 Login-IP-Host [Note 3] | |||
0-1 0 0 15 Login-Service [Note 3] | 0-1 0 0 15 Login-Service [Note 3] | |||
0-1 0 0 16 Login-TCP-Port [Note 3] | 0-1 0 0 16 Login-TCP-Port [Note 3] | |||
0+ 0 0 18 Reply-Message [Note 2] | 0+ 0 0 18 Reply-Message [Note 2] | |||
0-1 0 0 19 Callback-Number [Note 3] | 0-1 0 0 19 Callback-Number [Note 3] | |||
0-1 0 0 20 Callback-Id [Note 3] | 0-1 0 0 20 Callback-Id [Note 3] | |||
0+ 0 0 22 Framed-Route [Note 3] | 0+ 0 0 22 Framed-Route [Note 3] | |||
0-1 0 0 23 Framed-IPX-Network [Note 6] | 0-1 0 0 23 Framed-IPX-Network [Note 3] | |||
0-1 0-1 0-1 24 State | 0-1 0-1 0-1 24 State | |||
0+ 0 0 25 Class [Note 3] | 0+ 0 0 25 Class [Note 3] | |||
0+ 0 0 26 Vendor-Specific [Note 3] | 0+ 0 0 26 Vendor-Specific [Note 7] | |||
0-1 0 0 27 Session-Timeout [Note 3] | 0-1 0 0 27 Session-Timeout [Note 3] | |||
0-1 0 0 28 Idle-Timeout [Note 3] | 0-1 0 0 28 Idle-Timeout [Note 3] | |||
0-1 0 0 29 Termination-Action [Note 3] | 0-1 0 0 29 Termination-Action [Note 3] | |||
0-1 0 0 30 Called-Station-Id [Note 1] | 0-1 0 0 30 Called-Station-Id [Note 1] | |||
0-1 0 0 31 Calling-Station-Id [Note 1] | 0-1 0 0 31 Calling-Station-Id [Note 1] | |||
0-1 0 0 32 NAS-Identifier [Note 1] | 0-1 0 0 32 NAS-Identifier [Note 1] | |||
0+ 0+ 0+ 33 Proxy-State | 0+ 0+ 0+ 33 Proxy-State | |||
0-1 0 0 34 Login-LAT-Service [Note 3] | 0-1 0 0 34 Login-LAT-Service [Note 3] | |||
0-1 0 0 35 Login-LAT-Node [Note 3] | 0-1 0 0 35 Login-LAT-Node [Note 3] | |||
0-1 0 0 36 Login-LAT-Group [Note 3] | 0-1 0 0 36 Login-LAT-Group [Note 3] | |||
0-1 0 0 37 Framed-AppleTalk-Link [Note 3] | 0-1 0 0 37 Framed-AppleTalk-Link [Note 3] | |||
0+ 0 0 38 Framed-AppleTalk-Network [Note 3] | 0+ 0 0 38 Framed-AppleTalk-Network [Note 3] | |||
0-1 0 0 39 Framed-AppleTalk-Zone [Note 3] | 0-1 0 0 39 Framed-AppleTalk-Zone [Note 3] | |||
0-1 0 0 44 Acct-Session-Id [Note 1] | 0-1 0 0 44 Acct-Session-Id [Note 1] | |||
0-1 0 0 50 Acct-Multi-Session-Id [Note 1] | 0-1 0 0 50 Acct-Multi-Session-Id [Note 1] | |||
0-1 0-1 0-1 55 Event-Timestamp | 0-1 0-1 0-1 55 Event-Timestamp | |||
0+ 0 0 56 Egress-VLANID [Note 3] | 0+ 0 0 56 Egress-VLANID [Note 3] | |||
0-1 0 0 57 Ingress-Filters [Note 3] | 0-1 0 0 57 Ingress-Filters [Note 3] | |||
0+ 0 0 58 Egress-VLAN-Name [Note 3] | 0+ 0 0 58 Egress-VLAN-Name [Note 3] | |||
0-1 0 0 59 User-Priority-Table [Note 3] | 0-1 0 0 59 User-Priority-Table [Note 3] | |||
0-1 0 0 61 NAS-Port-Type [Note 3] | 0-1 0 0 61 NAS-Port-Type [Note 3] | |||
0-1 0 0 62 Port-Limit [Note 3] | 0-1 0 0 62 Port-Limit [Note 3] | |||
0-1 0 0 63 Login-LAT-Port [Note 3] | 0-1 0 0 63 Login-LAT-Port [Note 3] | |||
0+ 0 0 64 Tunnel-Type [Note 5] | 0+ 0 0 64 Tunnel-Type [Note 5] | |||
0+ 0 0 65 Tunnel-Medium-Type [Note 5] | 0+ 0 0 65 Tunnel-Medium-Type [Note 5] | |||
0+ 0 0 66 Tunnel-Client-Endpoint [Note 5] | 0+ 0 0 66 Tunnel-Client-Endpoint [Note 5] | |||
0+ 0 0 67 Tunnel-Server-Endpoint [Note 5] | 0+ 0 0 67 Tunnel-Server-Endpoint [Note 5] | |||
0+ 0 0 69 Tunnel-Password [Note 5] | 0+ 0 0 69 Tunnel-Password [Note 5] | |||
0-1 0 0 71 ARAP-Features [Note 3] | 0-1 0 0 71 ARAP-Features [Note 3] | |||
0-1 0 0 72 ARAP-Zone-Access [Note 3] | 0-1 0 0 72 ARAP-Zone-Access [Note 3] | |||
0+ 0 0 78 Configuration-Token [Note 3] | 0+ 0 0 78 Configuration-Token [Note 3] | |||
0+ 0-1 0 79 EAP-Message [Note 2] | 0+ 0-1 0 79 EAP-Message [Note 2] | |||
0-1 0-1 0-1 80 Message-Authenticator | 0-1 0-1 0-1 80 Message-Authenticator | |||
0+ 0 0 81 Tunnel-Private-Group-ID [Note 5] | 0+ 0 0 81 Tunnel-Private-Group-ID [Note 5] | |||
0+ 0 0 82 Tunnel-Assignment-ID [Note 5] | 0+ 0 0 82 Tunnel-Assignment-ID [Note 5] | |||
0+ 0 0 83 Tunnel-Preference [Note 5] | 0+ 0 0 83 Tunnel-Preference [Note 5] | |||
0-1 0 0 85 Acct-Interim-Interval [Note 3] | 0-1 0 0 85 Acct-Interim-Interval [Note 3] | |||
0-1 0 0 87 NAS-Port-Id [Note 1] | 0-1 0 0 87 NAS-Port-Id [Note 1] | |||
0-1 0 0 88 Framed-Pool [Note 6] | 0-1 0 0 88 Framed-Pool [Note 3] | |||
0-1 0 0 89 Chargeable-User-Identity [Note 1] | 0-1 0 0 89 Chargeable-User-Identity [Note 1] | |||
0+ 0 0 90 Tunnel-Client-Auth-ID [Note 5] | 0+ 0 0 90 Tunnel-Client-Auth-ID [Note 5] | |||
0+ 0 0 91 Tunnel-Server-Auth-ID [Note 5] | 0+ 0 0 91 Tunnel-Server-Auth-ID [Note 5] | |||
0-1 0 0 92 NAS-Filter-Rule [Note 3] | 0-1 0 0 92 NAS-Filter-Rule [Note 3] | |||
0 0 0 94 Originating-Line-Info | 0 0 0 94 Originating-Line-Info | |||
0-1 0 0 95 NAS-IPv6-Address [Note 1] | 0-1 0 0 95 NAS-IPv6-Address [Note 1] | |||
0-1 0 0 96 Framed-Interface-Id [Note 6] | 0-1 0 0 96 Framed-Interface-Id [Notes 1,6] | |||
0+ 0 0 97 Framed-IPv6-Prefix [Note 6] | 0+ 0 0 97 Framed-IPv6-Prefix [Notes 1,6] | |||
0+ 0 0 98 Login-IPv6-Host [Note 3] | 0+ 0 0 98 Login-IPv6-Host [Note 3] | |||
0+ 0 0 99 Framed-IPv6-Route [Note 3] | 0+ 0 0 99 Framed-IPv6-Route [Note 3] | |||
0-1 0 0 100 Framed-IPv6-Pool [Note 6] | 0-1 0 0 100 Framed-IPv6-Pool [Note 3] | |||
0 0 0+ 101 Error-Cause | 0 0 0+ 101 Error-Cause | |||
0+ 0 0 123 Delegated-IPv6-Prefix [Note 6] | 0+ 0 0 123 Delegated-IPv6-Prefix [Note 3] | |||
Request ACK NAK # Attribute | Request ACK NAK # Attribute | |||
Disconnect Messages | Disconnect Messages | |||
Request ACK NAK # Attribute | Request ACK NAK # Attribute | |||
0-1 0 0 1 User-Name [Note 1] | 0-1 0 0 1 User-Name [Note 1] | |||
0-1 0 0 4 NAS-IP-Address [Note 1] | 0-1 0 0 4 NAS-IP-Address [Note 1] | |||
0-1 0 0 5 NAS-Port [Note 1] | 0-1 0 0 5 NAS-Port [Note 1] | |||
0 0 0 6 Service-Type | 0 0 0 6 Service-Type | |||
0 0 0 8 Framed-IP-Address [Note 6] | 0 0 0 8 Framed-IP-Address [Note 1] | |||
0+ 0 0 18 Reply-Message [Note 2] | 0+ 0 0 18 Reply-Message [Note 2] | |||
0 0 0 24 State | 0 0 0 24 State | |||
0+ 0 0 25 Class [Note 4] | 0+ 0 0 25 Class [Note 4] | |||
0+ 0 0 26 Vendor-Specific | 0+ 0 0 26 Vendor-Specific [Note 1] | |||
0-1 0 0 30 Called-Station-Id [Note 1] | 0-1 0 0 30 Called-Station-Id [Note 1] | |||
0-1 0 0 31 Calling-Station-Id [Note 1] | 0-1 0 0 31 Calling-Station-Id [Note 1] | |||
0-1 0 0 32 NAS-Identifier [Note 1] | 0-1 0 0 32 NAS-Identifier [Note 1] | |||
0+ 0+ 0+ 33 Proxy-State | 0+ 0+ 0+ 33 Proxy-State | |||
0-1 0 0 44 Acct-Session-Id [Note 1] | 0-1 0 0 44 Acct-Session-Id [Note 1] | |||
0-1 0-1 0 49 Acct-Terminate-Cause | 0-1 0-1 0 49 Acct-Terminate-Cause | |||
0-1 0 0 50 Acct-Multi-Session-Id [Note 1] | 0-1 0 0 50 Acct-Multi-Session-Id [Note 1] | |||
0-1 0-1 0-1 55 Event-Timestamp | 0-1 0-1 0-1 55 Event-Timestamp | |||
0 0 0 61 NAS-Port-Type | 0 0 0 61 NAS-Port-Type | |||
0+ 0-1 0 79 EAP-Message [Note 2] | 0+ 0-1 0 79 EAP-Message [Note 2] | |||
0-1 0-1 0-1 80 Message-Authenticator | 0-1 0-1 0-1 80 Message-Authenticator | |||
0-1 0 0 87 NAS-Port-Id [Note 1] | 0-1 0 0 87 NAS-Port-Id [Note 1] | |||
0-1 0 0 89 Chargeable-User-Identity [Note 1] | 0-1 0 0 89 Chargeable-User-Identity [Note 1] | |||
0-1 0 0 95 NAS-IPv6-Address [Note 1] | 0-1 0 0 95 NAS-IPv6-Address [Note 1] | |||
0 0 0 96 Framed-Interface-Id [Note 6] | 0 0 0 96 Framed-Interface-Id [Note 1] | |||
0 0 0 97 Framed-IPv6-Prefix [Note 6] | 0 0 0 97 Framed-IPv6-Prefix [Note 1] | |||
0 0 0 100 Framed-IPv6-Pool [Note 6] | ||||
0 0 0+ 101 Error-Cause | 0 0 0+ 101 Error-Cause | |||
Request ACK NAK # Attribute | Request ACK NAK # Attribute | |||
The following table defines the meaning of the above table entries. | The following table defines the meaning of the above table entries. | |||
0 This attribute MUST NOT be present in packet. | 0 This attribute MUST NOT be present in packet. | |||
0+ Zero or more instances of this attribute MAY be present in packet. | 0+ Zero or more instances of this attribute MAY be present in packet. | |||
0-1 Zero or one instance of this attribute MAY be present in packet. | 0-1 Zero or one instance of this attribute MAY be present in packet. | |||
1 Exactly one instance of this attribute MUST be present in packet. | 1 Exactly one instance of this attribute MUST be present in packet. | |||
skipping to change at page 21, line 26 | skipping to change at page 22, line 5 | |||
a Disconnect-ACK is subsequently sent), the Class Attribute SHOULD be | a Disconnect-ACK is subsequently sent), the Class Attribute SHOULD be | |||
sent unmodified by the NAS to the RADIUS accounting server in the | sent unmodified by the NAS to the RADIUS accounting server in the | |||
Accounting Stop packet. If the Disconnect-Request is unsuccessful, | Accounting Stop packet. If the Disconnect-Request is unsuccessful, | |||
then the Class Attribute is not processed. | then the Class Attribute is not processed. | |||
[Note 5] When included within a CoA-Request, these attributes | [Note 5] When included within a CoA-Request, these attributes | |||
represent an authorization change request. Where tunnel attribute(s) | represent an authorization change request. Where tunnel attribute(s) | |||
are included within a successful CoA-Request, all existing tunnel | are included within a successful CoA-Request, all existing tunnel | |||
attributes are removed and replaced by the new attribute(s). | attributes are removed and replaced by the new attribute(s). | |||
[Note 6] Where included within a CoA-Request, these attributes | [Note 6] Since the Framed-IP-Address, Framed-IPv6-Prefix and Framed- | |||
represent a renumbering request. Since these attributes are not used | Interface-Id attributes are used for session identification, | |||
for session identification, they MUST NOT be included within a | renumbering cannot be accomplished by including values of these | |||
Disconnect-Request. Note that renumbering may not be possible in all | attributes within a CoA-Request. Instead, a CoA-Request including a | |||
situations. For example, in order to change an IP address on receipt | Service-Type Attribute with a value of "Authorize Only" is sent; new | |||
of a changed Framed-IP-Address address, IPCP re-negotiation could be | values can be supplied in an Access-Accept sent in response to the | |||
required, which is not supported by all PPP implementations. | ensuing Access-Request. Note that renumbering will not be possible | |||
in all situations. For example, in order to change an IP address, | ||||
IPCP or IPv6CP re-negotiation could be required, which is not | ||||
supported by all PPP implementations. | ||||
[Note 7] Within CoA-Request packets, Vendor-Specific Attributes | ||||
(VSAs) MAY be used for either session identification or authorization | ||||
change. However, the same Attribute MUST NOT be used for both | ||||
purposes simultaneously. | ||||
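The Disconnect Messages table is small enough to turn into an input check, which is what a NAS or proxy acting as Dynamic Authorization Server needs before it acts on a request. The following is an added example, not code from the draft: it encodes the Request column of the -08 Disconnect Messages table above (0 = MUST NOT be present, 0-1 = at most one, 0+ = any number), requires at least one session identification attribute, and picks the Error-Cause a Disconnect-NAK would carry. The Error-Cause numbers are those of RFC 3576 Section 3.5 (401 Unsupported Attribute, 402 Missing Attribute, 404 Invalid Request); which of them to use for a forbidden attribute and for a repeated 0-1 attribute is this example's choice, and treating Vendor-Specific as not sufficient on its own to identify a session is also an assumption made here.

```python
# Added example, not code from the draft: validate a decoded Disconnect-Request
# against the Section 3.6 "Disconnect Messages" table (Request column, -08).
from collections import Counter

# Request-column multiplicities: "0" MUST NOT appear, "0-1" at most once,
# "0+" any number. Types absent from the table are treated as not permitted.
DISCONNECT_REQUEST_TABLE = {
    1: "0-1", 4: "0-1", 5: "0-1", 6: "0", 8: "0", 18: "0+", 24: "0",
    25: "0+", 26: "0+", 30: "0-1", 31: "0-1", 32: "0-1", 33: "0+",
    44: "0-1", 49: "0-1", 50: "0-1", 55: "0-1", 61: "0", 79: "0+",
    80: "0-1", 87: "0-1", 89: "0-1", 95: "0-1", 96: "0", 97: "0", 101: "0",
}

# [Note 1] attributes that identify the session. NAS-IP-Address (4),
# NAS-Identifier (32) and NAS-IPv6-Address (95) identify the NAS, not the
# session; Vendor-Specific (26) is left out here (assumption: a NAS that
# understands a vendor session identifier would add it).
SESSION_ID_ATTRS = {1, 5, 30, 31, 44, 50, 87, 89}

# Error-Cause values from RFC 3576 Section 3.5
UNSUPPORTED_ATTRIBUTE, MISSING_ATTRIBUTE, INVALID_REQUEST = 401, 402, 404


def check_disconnect_request(attrs):
    """attrs: list of (type, value) as decoded from the packet.

    Returns (accept, error_cause, detail). error_cause is None when the
    request is acceptable; otherwise it is the value for the Disconnect-NAK.
    Attribute types are checked in ascending order, so the first violation
    reported is the lowest-numbered one.
    """
    counts = Counter(t for t, _ in attrs)
    for t, n in sorted(counts.items()):
        rule = DISCONNECT_REQUEST_TABLE.get(t, "0")
        if rule == "0":
            # e.g. Service-Type (6) or Framed-IP-Address (8), which -08 no
            # longer accepts in a Disconnect-Request
            return False, UNSUPPORTED_ATTRIBUTE, f"attribute {t} not permitted in a Disconnect-Request"
        if rule == "0-1" and n > 1:
            return False, INVALID_REQUEST, f"attribute {t} present {n} times, at most one allowed"
    if not any(t in SESSION_ID_ATTRS for t in counts):
        return False, MISSING_ATTRIBUTE, "no session identification attribute present"
    return True, None, "well-formed Disconnect-Request"


if __name__ == "__main__":
    # Constructed requests: NAS-Identifier + Acct-Session-Id, then one that
    # also carries Service-Type, which the table forbids
    print(check_disconnect_request([(32, b"nas1"), (44, b"ab12cd")]))
    print(check_disconnect_request([(32, b"nas1"), (44, b"ab12cd"), (6, b"\x00\x00\x00\x11")]))
```

The ordering matters operationally: a request that is both malformed and unidentifiable is rejected for the malformation, and the NAS never starts looking up session state for a packet it is going to refuse anyway.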
4. Diameter Considerations | 4. Diameter Considerations | |||
Due to differences in handling change-of-authorization requests in | Due to differences in handling change-of-authorization requests in | |||
RADIUS and Diameter, it may be difficult or impossible for a | RADIUS and Diameter, it may be difficult or impossible for a | |||
Diameter/RADIUS gateway to successfully translate a Diameter Re-Auth- | Diameter/RADIUS gateway to successfully translate a Diameter Re-Auth- | |||
Request (RAR) to a CoA-Request and vice versa. For example, since a | Request (RAR) to a CoA-Request and vice versa. For example, since a | |||
CoA-Request only initiates an authorization change but does not | CoA-Request only initiates an authorization change but does not | |||
initiate re-authentication, a RAR command containing a Re-Auth- | initiate re-authentication, a RAR command containing a Re-Auth- | |||
Request-Type AVP with value "AUTHORIZE_AUTHENTICATE" cannot be | Request-Type AVP with value "AUTHORIZE_AUTHENTICATE" cannot be | |||
directly translated to a CoA-Request. A Diameter/RADIUS gateway | directly translated to a CoA-Request. A Diameter/RADIUS gateway | |||
receiving a CoA-Request containing authorization changes will need to | receiving a CoA-Request containing authorization changes will need to | |||
translate this into two Diameter exchanges. First, the | translate this into two Diameter exchanges. First, the | |||
Diameter/RADIUS gateway will issue a RAR command including a Session- | Diameter/RADIUS gateway will issue a RAR command including a Session- | |||
Id AVP and a Re-Auth-Request-Type AVP with value "AUTHORIZE ONLY". | Id AVP and a Re-Auth-Request-Type AVP with value "AUTHORIZE ONLY". | |||
Then the Diameter/RADIUS gateway will respond to the ensuing access | Then the Diameter/RADIUS gateway will respond to the ensuing access | |||
request with a response including the authorization attributes | request with a response including the authorization attributes | |||
gleaned from the CoA-Request. For the translation to be possible, | gleaned from the CoA-Request. To enable translation, the CoA-Request | |||
the CoA-Request MUST include an Acct-Session-Id Attribute. If the | SHOULD include an Acct-Session-Id Attribute. If the Diameter client | |||
Diameter client uses the same Session-Id for both authorization and | uses the same Session-Id for both authorization and accounting, then | |||
accounting, then the Diameter/RADIUS gateway can copy the contents of | the Diameter/RADIUS gateway can copy the contents of the Acct- | |||
the Acct-Session-Id Attribute into the Session-Id AVP; otherwise, it | Session-Id Attribute into the Session-Id AVP; otherwise, it will | |||
will need to map the Acct-Session-Id value to an equivalent Session- | need to map the Acct-Session-Id value to an equivalent Session-Id for | |||
Id for use within a RAR command. | use within a RAR command. | |||
Where an Acct-Session-Id attribute is not present in a CoA-Request or | ||||
Disconnect-Request, a Diameter/RADIUS gateway will either need to | ||||
determine the appropriate Acct-Session-Id, or if it cannot do so, it | ||||
can send a CoA-NAK or Disconnect-NAK in reply, possibly including an | ||||
Error-Cause Attribute with value 508 (Multiple Session Selection | |||
Unsupported). | |||
To simplify translation between RADIUS and Diameter, Dynamic | To simplify translation between RADIUS and Diameter, Dynamic | |||
Authorization Clients can include a Service-Type Attribute with value | Authorization Clients can include a Service-Type Attribute with value | |||
"Authorize Only" within a CoA-Request, as described in Section 3.2. | "Authorize Only" within a CoA-Request, as described in Section 3.2. | |||
A Diameter/RADIUS gateway receiving a CoA-Request containing a | A Diameter/RADIUS gateway receiving a CoA-Request containing a | |||
Service-Type with value "Authorize Only" translates this to a RAR | Service-Type with value "Authorize Only" translates this to a RAR | |||
with Re-Auth-Request-Type AVP with value "AUTHORIZE ONLY". The | with Re-Auth-Request-Type AVP with value "AUTHORIZE ONLY". The | |||
received RAA is then translated to a CoA-NAK with a Service-Type | received RAA is then translated to a CoA-NAK with a Service-Type | |||
value of "Authorize Only". If the Result-Code AVP in the RAA has a | value of "Authorize Only". If the Result-Code AVP in the RAA has a | |||
value in the success category, then an Error-Cause Attribute with | value in the success category, then an Error-Cause Attribute with | |||
skipping to change at page 22, line 32 | skipping to change at page 23, line 25 | |||
Attribute is returned as suggested below. | Attribute is returned as suggested below. | |||
Within Diameter, a server can request that a session be aborted by | Within Diameter, a server can request that a session be aborted by | |||
sending an Abort-Session-Request (ASR), identifying the session to be | sending an Abort-Session-Request (ASR), identifying the session to be | |||
terminated using Session-ID and User-Name AVPs. The ASR command is | terminated using Session-ID and User-Name AVPs. The ASR command is | |||
translated to a Disconnect-Request containing Acct-Session-Id and | translated to a Disconnect-Request containing Acct-Session-Id and | |||
User-Name attributes. If the Diameter client utilizes the same | User-Name attributes. If the Diameter client utilizes the same | |||
Session-Id in both authorization and accounting, then the value of | Session-Id in both authorization and accounting, then the value of | |||
the Session-ID AVP may be placed in the Acct-Session-Id attribute; | the Session-ID AVP may be placed in the Acct-Session-Id attribute; | |||
otherwise the value of the Session-ID AVP will need to be mapped to | otherwise the value of the Session-ID AVP will need to be mapped to | |||
an appropriate Acct-Session-Id value. For a Disconnect-Request to | an appropriate Acct-Session-Id value. To enable translation of a | |||
be translatable to an ASR, an Acct-Session-Id attribute MUST be | Disconnect-Request to an ASR, an Acct-Session-Id attribute SHOULD be | |||
present. If the Diameter client utilizes the same Session-Id in both | present. | |||
If the Diameter client utilizes the same Session-Id in both | ||||
authorization and accounting, then the value of the Acct-Session-Id | authorization and accounting, then the value of the Acct-Session-Id | |||
may be placed into the Session-ID AVP within the ASR; otherwise the | may be placed into the Session-ID AVP within the ASR; otherwise the | |||
value of the Acct-Session-Id will need to be mapped to an appropriate | value of the Acct-Session-Id will need to be mapped to an appropriate | |||
Session-ID value. | Session-ID value. | |||
An Abort-Session-Answer (ASA) command is sent in response to an ASR | An Abort-Session-Answer (ASA) command is sent in response to an ASR | |||
in order to indicate the disposition of the request. A | in order to indicate the disposition of the request. A | |||
Diameter/RADIUS gateway receiving a Disconnect-ACK translates this to | Diameter/RADIUS gateway receiving a Disconnect-ACK translates this to | |||
an ASA command with a Result-Code AVP of "DIAMETER_SUCCESS". A | an ASA command with a Result-Code AVP of "DIAMETER_SUCCESS". A | |||
Disconnect-NAK received from the NAS is translated to an ASA command | Disconnect-NAK received from the NAS is translated to an ASA command | |||
skipping to change at page 23, line 43 | skipping to change at page 24, line 43 | |||
Request is not needed to assist in Diameter/RADIUS translation, and | Request is not needed to assist in Diameter/RADIUS translation, and | |||
may make translation more difficult. As a result, as noted in | may make translation more difficult. As a result, as noted in | |||
Section 3.2, the Service-Type Attribute MUST NOT be used within a | Section 3.2, the Service-Type Attribute MUST NOT be used within a | |||
Disconnect-Request. | Disconnect-Request. | |||
5. IANA Considerations | 5. IANA Considerations | |||
This document uses the RADIUS [RFC2865] namespace, see | This document uses the RADIUS [RFC2865] namespace, see | |||
<http://www.iana.org/assignments/radius-types>. In addition to the | <http://www.iana.org/assignments/radius-types>. In addition to the | |||
allocations already made in [RFC3575] and [RFC3576], this | allocations already made in [RFC3575] and [RFC3576], this | |||
specification requests allocation of an additional value of the | specification requests allocation of additional values of the Error- | |||
Error-Cause Attribute (101): | Cause Attribute (101): | |||
# Value | # Value | |||
--- ----- | --- ----- | |||
407 Invalid Attribute Value | 407 Invalid Attribute Value | |||
508 Multiple Session Selection Unsupported | ||||
6. Security Considerations | 6. Security Considerations | |||
6.1. Authorization Issues | 6.1. Authorization Issues | |||
Where a NAS is shared by multiple providers, it is undesirable for | Where a NAS is shared by multiple providers, it is undesirable for | |||
one provider to be able to send Disconnect-Requests or CoA-Requests | one provider to be able to send Disconnect-Requests or CoA-Requests | |||
affecting the sessions of another provider. | affecting the sessions of another provider. | |||
A Dynamic Authorization Server MUST silently discard Disconnect- | A Dynamic Authorization Server MUST silently discard Disconnect- | |||
skipping to change at page 24, line 35 | skipping to change at page 25, line 35 | |||
To perform the RPF check, the Dynamic Authorization Server uses the | To perform the RPF check, the Dynamic Authorization Server uses the | |||
session identification attributes included in Disconnect-Request or | session identification attributes included in Disconnect-Request or | |||
CoA-Request packets, in order to determine the RADIUS server(s) to | CoA-Request packets, in order to determine the RADIUS server(s) to | |||
which an equivalent Access-Request could be routed. If the source | which an equivalent Access-Request could be routed. If the source | |||
address of the Disconnect-Request or CoA-Request is within this set, | address of the Disconnect-Request or CoA-Request is within this set, | |||
then the CoA-Request or Disconnect-Request is forwarded; otherwise it | then the CoA-Request or Disconnect-Request is forwarded; otherwise it | |||
MUST be silently discarded. | MUST be silently discarded. | |||
Typically the Dynamic Authorization Server will extract the realm | Typically the Dynamic Authorization Server will extract the realm | |||
from the Network Access Identifier [RFC4282] included within the | from the Network Access Identifier [RFC4282] included within the | |||
User-Name or Chargeble-User-Identity Attribute, and determine the | User-Name or Chargeable-User-Identity Attribute, and determine the | |||
corresponding RADIUS servers in the realm routing tables. If the | corresponding RADIUS servers in the realm routing tables. If the | |||
Dynamic Authorization Server maintains long-term session state, it | Dynamic Authorization Server maintains long-term session state, it | |||
MAY perform the authorization check based on the session | MAY perform the authorization check based on the session | |||
identification attributes in the CoA-Request. The session | identification attributes in the CoA-Request. The session | |||
identification attributes can be used to tie a session to a | identification attributes can be used to tie a session to a | |||
particular proxy or set of proxies, as with the NAI realm. | particular proxy or set of proxies, as with the NAI realm. | |||
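The RPF check described above, as an added example that is not part of the draft: a proxy acting as Dynamic Authorization Server extracts the NAI realm from User-Name (falling back to Chargeable-User-Identity), looks up the RADIUS servers that an Access-Request for that realm would be routed to, and forwards only if the request's source address is one of them. The realm routing table and the server addresses are constructed (RFC 5737 documentation ranges); a real proxy would read them from its configuration. Requests without a usable realm are discarded, matching the MUST above.

```python
# Added example, not code from the draft: the Section 6.1 reverse path
# forwarding check for a proxy acting as Dynamic Authorization Server.
import ipaddress

USER_NAME, CHARGEABLE_USER_IDENTITY = 1, 89

# Constructed realm routing table: realm -> RADIUS servers to which an
# Access-Request for that realm would be forwarded.
REALM_ROUTES = {
    "example.com": {"192.0.2.10", "192.0.2.11"},
    "example.net": {"198.51.100.5"},
}


def nai_realm(nai):
    """Realm of an NAI (RFC 4282): the text after the last '@' that is not
    escaped with a backslash. Returns None when the NAI has no realm."""
    head, sep, realm = nai.rpartition("@")
    if not sep or head.endswith("\\") or not realm:
        return None
    return realm.lower()


def rpf_check(attrs, src_addr, routes=REALM_ROUTES):
    """attrs: decoded attributes as {type: value bytes}; src_addr: source IP of
    the CoA-Request or Disconnect-Request.

    Returns (forward, reason). forward=False means the packet is silently
    discarded; the reason is only for the proxy's own log.
    """
    realm = None
    for t in (USER_NAME, CHARGEABLE_USER_IDENTITY):   # User-Name first, then CUI
        if t in attrs:
            realm = nai_realm(attrs[t].decode("utf-8", "replace"))
            if realm:
                break
    if realm is None:
        return False, "no realm in User-Name or Chargeable-User-Identity"
    servers = {ipaddress.ip_address(s) for s in routes.get(realm, ())}
    if not servers:
        return False, f"realm {realm!r} is not in the realm routing table"
    src = ipaddress.ip_address(src_addr)
    if src in servers:
        return True, f"{src} is a RADIUS server for realm {realm!r}"
    return False, f"{src} is not a RADIUS server for realm {realm!r}"


if __name__ == "__main__":
    # example.net's server trying to disconnect an example.com user is dropped
    print(rpf_check({USER_NAME: b"alice@example.com"}, "198.51.100.5"))
    print(rpf_check({USER_NAME: b"alice@example.com"}, "192.0.2.10"))
```

Note what the check does and does not give you: it stops a provider (or anyone who can spoof that provider's address) from touching sessions in another provider's realm, but it relies on source addresses, so it is a complement to the shared-secret authenticator checks, not a replacement for them.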
Where no proxy is present, the RPF check can only be performed by the | Where no proxy is present, the RPF check can only be performed by the | |||
NAS if it maintains its own realm routing table. If the NAS does | NAS if it maintains its own realm routing table. If the NAS does | |||
not maintain a realm routing table (e.g. it selects forwarding | not maintain a realm routing table (e.g. it selects forwarding | |||
skipping to change at page 33, line 21 | skipping to change at page 34, line 21 | |||
o The term "Dynamic Authorization Client" is used instead of RADIUS | o The term "Dynamic Authorization Client" is used instead of RADIUS | |||
server where it applies to the originator of CoA and Disconnect- | server where it applies to the originator of CoA and Disconnect- | |||
Request packets. Similarly, the term "Dynamic Authorization Server" | Request packets. Similarly, the term "Dynamic Authorization Server" | |||
is used instead of NAS where it applies to the receiver of CoA and | is used instead of NAS where it applies to the receiver of CoA and | |||
Disconnect-Request packets. Definitions of these terms have been | Disconnect-Request packets. Definitions of these terms have been | |||
added (Section 1.3). | added (Section 1.3). | |||
o Added requirement for duplicate detection on the Dynamic | o Added requirement for duplicate detection on the Dynamic | |||
Authorization Server (Section 2.3). | Authorization Server (Section 2.3). | |||
o Clarified expected behavior when session identification attributes | ||||
match more than one session (Sections 2.3, 3, 3.5, 4). | ||||
o Added Chargeable-User-Identity as a session identification | o Added Chargeable-User-Identity as a session identification | |||
attribute. Removed Framed-IP-Address, Framed-IPv6-Prefix, Framed- | attribute. Removed Framed-IP-Address, Framed-IPv6-Prefix, Framed- | |||
Interface-Id and NAS-Port-Type attributes as session identification | Interface-Id and NAS-Port-Type attributes as session identification | |||
attributes. Recommended inclusion of Acct-Session-Id or Acct-Multi- | attributes. Recommended inclusion of Acct-Session-Id or Acct-Multi- | |||
Session-Id attributes in an Access-Request (Section 3). | Session-Id attributes in an Access-Request (Section 3). | |||
o Added recommendation that an Acct-Session-Id or Acct-Multi-Session- | o Added recommendation that an Acct-Session-Id or Acct-Multi-Session- | |||
Id Attribute be included in an Access-Request (Section 3). | Id Attribute be included in an Access-Request (Section 3). | |||
o Added details relating to handling of the Proxy-State Attribute | o Added details relating to handling of the Proxy-State Attribute | |||
skipping to change at page 33, line 44 | skipping to change at page 34, line 47 | |||
value "Authorize Only" is optional on both the NAS and Dynamic | value "Authorize Only" is optional on both the NAS and Dynamic | |||
Authorization Client (Section 3.2). | Authorization Client (Section 3.2). | |||
o Added requirement for inclusion of the State Attribute in CoA- | o Added requirement for inclusion of the State Attribute in CoA- | |||
Request packets including a Service-Type Attribute with a value of | Request packets including a Service-Type Attribute with a value of | |||
"Authorize Only" (Section 3.3). | "Authorize Only" (Section 3.3). | |||
o Added clarification on the calculation of the Message-Authenticator | o Added clarification on the calculation of the Message-Authenticator | |||
Attribute (Section 3.4). | Attribute (Section 3.4). | |||
o An additional Error-Cause Attribute value (407) is allocated for | o Additional Error-Cause Attribute values are allocated for Invalid | |||
Invalid Attribute Value (Sections 3.5, 4). | Attribute Value (407) and Multiple Session Identification Unsupported | |||
(508) (Sections 3.5, 4). | ||||
o Updated the CoA-Request Attribute Table to include Filter-Rule, | o Updated the CoA-Request Attribute Table to include Filter-Rule, | |||
Delegated-IPv6-Prefix, Egress-VLANID, Ingress-Filters, Egress-VLAN- | Delegated-IPv6-Prefix, Egress-VLANID, Ingress-Filters, Egress-VLAN- | |||
Name and User-Priority attributes (Section 3.6). | Name and User-Priority attributes (Section 3.6). | |||
o Added the Chargeable-User-Identity Attribute to both the CoA- | o Added the Chargeable-User-Identity Attribute to both the CoA- | |||
Request and Disconnect-Request Attribute table (Section 3.6). | Request and Disconnect-Request Attribute table (Section 3.6). | |||
o Added note on the use of the CoA-Request for renumbering (Section | o The use of Vendor-Specific Attributes (VSAs) for session | |||
identification and authorization change has been clarified (Section | ||||
3.6). | ||||
o Added Note 6 on the use of the CoA-Request for renumbering (Section | ||||
3.6). | 3.6). | |||
o Use of the Service-Type Attribute within a Disconnect-Request is | o Use of the Service-Type Attribute within a Disconnect-Request is | |||
prohibited (Sections 3.2, 3.6). | prohibited (Sections 3.2, 3.6). | |||
o Added Diameter Considerations (Section 4). | o Added Diameter Considerations (Section 4). | |||
o Changed the text to indicate that the Event-Timestamp Attribute | o Changed the text to indicate that the Event-Timestamp Attribute | |||
should not be recalculated on retransmission. The implications for | should not be recalculated on retransmission. The implications for | |||
replay and duplicate detection are discussed (Section 6.4). | replay and duplicate detection are discussed (Section 6.4). | |||
End of changes. 55 change blocks. | ||||
143 lines changed or deleted | 200 lines changed or added | |||
This html diff was produced by rfcdiff 1.33. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |