rfcdiff: draft-ietf-radext-rfc3576bis-08.txt (old) vs. draft-ietf-radext-rfc3576bis-09.txt (new)

Lines that are identical in both versions are shown once below. Where
the two versions differ, the old text is marked [-08] and the new text
is marked [-09].

Front page, -08:

Network Working Group                                  Murtaza S. Chiba
INTERNET-DRAFT                                            Gopal Dommety
Obsoletes: 3576                                             Mark Eklund
Category: Informational                             Cisco Systems, Inc.
<draft-ietf-radext-rfc3576bis-08.txt>                      David Mitton
4 June 2007                                          RSA Security, Inc.
                                                          Bernard Aboba
                                                  Microsoft Corporation

Front page, -09:

Network Working Group                                  Murtaza S. Chiba
INTERNET-DRAFT                                            Gopal Dommety
Obsoletes: 3576                                             Mark Eklund
Category: Informational                             Cisco Systems, Inc.
Expires: January 25, 2008                                  David Mitton
                                                     RSA Security, Inc.
                                                          Bernard Aboba
                                                  Microsoft Corporation

Title (both versions):

Dynamic Authorization Extensions to Remote Authentication Dial In User
                           Service (RADIUS)

[-09] draft-ietf-radext-rfc3576bis-09.txt   (draft name moved below the title)

By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.

skipping to change at page 1, line 36 (-08) / page 1, line 37 (-09)

and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

[-08] This Internet-Draft will expire on December 25, 2007.
[-09] This Internet-Draft will expire on January 25, 2008.

Copyright Notice

Copyright (C) The IETF Trust (2007). All Rights Reserved.

Abstract

This document describes a currently deployed extension to the Remote
Authentication Dial In User Service (RADIUS) protocol, allowing
dynamic changes to a user session, as implemented by network access

skipping to change at page 34, line 13 (both versions)

Fax: +1 425 936 7329

Appendix A - Changes from RFC 3576

This Appendix lists the major changes between [RFC3576] and this
document. Minor changes, including style, grammar, spelling, and
editorial changes are not mentioned here.

o  [-08] The term "Dynamic Authorization Client" is used instead of RADIUS
   server where it applies to the originator of CoA and Disconnect-
   Request packets. Similarly, the term "Dynamic Authorizatin Server"
   is used instead of NAS where it applies to the receiver of CoA and
   Disconnect-Request packets. Definitions of these terms have been
   added (Section 1.3).
   [-09] The term "Dynamic Authorization Client" is used instead of RADIUS
   server where it applies to the originator of CoA and Disconnect-
   Request packets. The term "Dynamic Authorization Server" is used
   instead of NAS where it applies to the receiver of CoA and
   Disconnect-Request packets. Definitions of these terms have been
   added (Section 1.3).

o  Added requirement for duplicate detection on the Dynamic
   Authorization Server (Section 2.3).

o  Clarified expected behavior when session identification attributes
   match more than one session (Sections 2.3, 3, 3.5, 4).

o  [-08] Added Chargeable-User-Identity as a session identification
   attribute. Removed Framed-IP-Address, Framed-IPv6-Prefix, Framed-
   Interface-Id and NAS-Port-Type attributes as session identification
   attributes. Recommended inclusion of Acct-Session-Id or Acct-Multi-
   Session-Id attributes in an Access-Request (Section 3).
   [-09] Added Chargeable-User-Identity as a session identification
   attribute. Removed NAS-Port-Type as a session identification
   attribute (Section 3).

o  Added recommendation that an Acct-Session-Id or Acct-Mult-Session-
   Id Attribute be included in an Access-Request (Section 3).

o  Added details relating to handling of the Proxy-State Attribute
   (Section 3.1).

o  [-08] Added clarification that support for a Service-Type Attribute with
   value "Authorize Only" is optional on both the NAS and Dynamic
   Authorization Client (Section 3.2).
   [-09] Added clarification that support for a Service-Type Attribute with
   value "Authorize Only" is optional on both the NAS and Dynamic
   Authorization Client (Section 3.2). Use of the Service-Type
   Attribute within a Disconnect-Request is prohibited (Sections 3.2,
   3.6).

o  Added requirement for inclusion of the State Attribute in CoA-
   Request packets including a Service-Type Attribute with a value of
   "Authorize Only" (Section 3.3).

o  Added clarification on the calculation of the Message-Authenticator
   Attribute (Section 3.4).

o  Additional Error-Cause Attribute values are allocated for Invalid
   Attribute Value (407) and Multiple Session Identification Unsupported
   (508) (Sections 3.5, 4).

o  Updated the CoA-Request Attribute Table to include Filter-Rule,
   Delegated-IPv6-Prefix, Egress-VLANID, Ingress-Filters, Egress-VLAN-
   Name and User-Priority attributes (Section 3.6).

o  Added the Chargeable-User-Identity Attribute to both the CoA-
   Request and Disconnect-Request Attribute table (Section 3.6).

o  [-08] The use of Vendor-Specific Attributes (VSAs) for session
   identification and authorization change has been clarified (Section
   3.6).
   [-09] Use of Vendor-Specific Attributes (VSAs) for session identification
   and authorization change has been clarified (Section 3.6).

o  Added Note 6 on the use of the CoA-Request for renumbering (Section
   3.6).

o  [-08 only; merged into the Service-Type bullet above in -09]
   Use of the Service-Type Attribute within a Disconnect-Request is
   prohibited (Sections 3.2, 3.6).

o  Added Diameter Considerations (Section 4).

o  [-08] Changed the text to indicate that the Event-Timestamp Attribute
   should not be recalculated on retransmission. The implications for
   replay and duplicate detection are discussed (Section 6.4).
   [-09] Event-Timestamp Attribute should not be recalculated on
   retransmission. The implications for replay and duplicate detection
   are discussed (Section 6.4).

o  [-08] Operation of the RPF check has been clarified. Use of the RPF
   check is optional rather than recommended by default (Section 6.1).
   [-09] Operation of the Reverse Path Forwarding (RPF) check has been
   clarified. Use of the RPF check is optional rather than recommended
   by default (Section 6.1).
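The last two Appendix A items that touch protocol behaviour, duplicate detection on the Dynamic Authorization Server (Section 2.3) and the rule that Event-Timestamp is not recalculated on retransmission (Section 6.4), interact: a retransmitted CoA-Request is only recognisable as a duplicate if its bytes, and therefore its Request Authenticator, are unchanged. The following is an added illustration written for this page; it is not code from the draft or from any RADIUS implementation. It builds a CoA-Request with the Request Authenticator defined in RFC 3576 Section 3 (MD5 over Code, Identifier, Length, sixteen zero octets, the attributes and the shared secret), then models a DAS that caches (source IP, source port, Identifier, Request Authenticator). The cache key, the 30-second cache lifetime, the 300-second Event-Timestamp window, the shared secret and the addresses are all assumptions chosen for the example; the draft itself does not fix those values on this page. Message-Authenticator is deliberately left out, since the clarification in Section 3.4 is not reproduced here.

```python
"""CoA-Request retransmission vs. DAS duplicate detection (illustration, not RFC code)."""
import hashlib
import struct

COA_REQUEST = 43            # RADIUS Code for CoA-Request (RFC 3576)
ATTR_USER_NAME = 1
ATTR_ACCT_SESSION_ID = 44
ATTR_EVENT_TIMESTAMP = 55   # RFC 2869: 4-octet seconds since 1970-01-01 UTC


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: Type, Length (incl. header), Value."""
    out = bytearray()
    for attr_type, value in attrs:
        if not 0 <= len(value) <= 253:
            raise ValueError("attribute value too long")
        out += bytes([attr_type, len(value) + 2]) + value
    return bytes(out)


def build_coa_request(identifier, attrs, secret):
    """Request Authenticator = MD5(Code+Identifier+Length+16 zero octets+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_event_timestamp(body):
    """Return the Event-Timestamp value, or None if absent or the TLVs are malformed."""
    i = 0
    while i + 2 <= len(body):
        attr_type, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            return None
        if attr_type == ATTR_EVENT_TIMESTAMP and length == 6:
            return struct.unpack("!I", body[i + 2:i + 6])[0]
        i += length
    return None


class DynamicAuthorizationServer:
    """Hypothetical DAS receive path: authenticator check, duplicate cache, replay window."""

    def __init__(self, secret, window=300, cache_ttl=30):
        self.secret = secret
        self.window = window          # assumed tolerance for Event-Timestamp skew (seconds)
        self.cache_ttl = cache_ttl    # assumed lifetime of the duplicate cache (seconds)
        self.cache = {}               # (src_ip, src_port, identifier) -> (authenticator, seen_at)
        self.applied = []             # requests whose authorization change was acted on

    def receive(self, src_ip, src_port, packet, now):
        code, identifier, length = struct.unpack("!BBH", packet[:4])
        if code != COA_REQUEST or length != len(packet):
            return "discard: malformed"
        authenticator, body = packet[4:20], packet[20:length]
        # Verify the Request Authenticator with the shared secret (RFC 3576 Section 3).
        expected = hashlib.md5(packet[:4] + bytes(16) + body + self.secret).digest()
        if authenticator != expected:
            return "discard: bad authenticator"
        # Duplicate detection: same source, same Identifier, same authenticator inside the
        # cache lifetime is a retransmission, so the change must not be applied twice.
        key = (src_ip, src_port, identifier)
        cached = self.cache.get(key)
        if cached and cached[0] == authenticator and now - cached[1] <= self.cache_ttl:
            return "duplicate: not reapplied"
        # Replay protection: an Event-Timestamp far from local time is rejected.
        timestamp = parse_event_timestamp(body)
        if timestamp is not None and abs(now - timestamp) > self.window:
            return "discard: stale Event-Timestamp"
        self.cache[key] = (authenticator, now)
        self.applied.append(packet)
        return "applied"


def scenario(recalculate_timestamp):
    """DAC sends a CoA-Request, gets no CoA-ACK, retransmits 5 s later with the same Identifier.
    Returns (first result, retransmission result, number of changes the DAS applied)."""
    secret = b"testing123"                 # constructed shared secret
    das = DynamicAuthorizationServer(secret)
    t0 = 1_180_000_000                      # constructed send time (2007)

    def attrs(timestamp):
        return [(ATTR_USER_NAME, b"alice"),
                (ATTR_ACCT_SESSION_ID, b"0000123A"),
                (ATTR_EVENT_TIMESTAMP, struct.pack("!I", timestamp))]

    first = build_coa_request(17, attrs(t0), secret)
    r1 = das.receive("192.0.2.1", 3799, first, t0)
    # Section 6.4 behaviour keeps Event-Timestamp (and so the whole packet) unchanged;
    # a DAC that recalculates it produces a new authenticator the DAS cannot match.
    retrans = build_coa_request(17, attrs(t0 + 5 if recalculate_timestamp else t0), secret)
    r2 = das.receive("192.0.2.1", 3799, retrans, t0 + 5)
    return r1, r2, len(das.applied)


if __name__ == "__main__":
    print("unchanged Event-Timestamp:", scenario(False))
    print("recalculated Event-Timestamp:", scenario(True))
```

With the timestamp left alone the retransmission is caught by the cache and the authorization change is applied once; with the timestamp recalculated the DAS sees a fresh, validly authenticated request and applies the change a second time, which is the duplicate-detection failure the Section 6.4 change is meant to prevent.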
Full Copyright Statement

Copyright (C) The IETF Trust (2007).

This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.

This document and the information contained herein are provided on an

End of changes. 10 change blocks. 21 lines changed or deleted, 19 lines changed or added.

This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/