| draft-ietf-radext-rfc3576bis-10.txt | draft-ietf-radext-rfc3576bis-11.txt | |||
|---|---|---|---|---|
| Network Working Group Murtaza S. Chiba | Network Working Group Murtaza S. Chiba | |||
| INTERNET-DRAFT Gopal Dommety | INTERNET-DRAFT Gopal Dommety | |||
| Obsoletes: 3576 Mark Eklund | Obsoletes: 3576 Mark Eklund | |||
| Category: Informational Cisco Systems, Inc. | Category: Informational Cisco Systems, Inc. | |||
| Expires: April 5, 2008 David Mitton | Expires: April 25, 2008 David Mitton | |||
| RSA Security, Inc. | RSA Security, Inc. | |||
| Bernard Aboba | Bernard Aboba | |||
| Microsoft Corporation | Microsoft Corporation | |||
| 4 October 2007 | 17 October 2007 | |||
| Dynamic Authorization Extensions to Remote Authentication Dial In User | Dynamic Authorization Extensions to Remote Authentication Dial In User | |||
| Service (RADIUS) | Service (RADIUS) | |||
| draft-ietf-radext-rfc3576bis-10.txt | draft-ietf-radext-rfc3576bis-11.txt | |||
| By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
| applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
| have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
| aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| other groups may also distribute working documents as Internet- | other groups may also distribute working documents as Internet- | |||
| Drafts. | Drafts. | |||
| skipping to change at page 1, line 38 | skipping to change at page 1, line 38 | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on April 5, 2008. | This Internet-Draft will expire on April 25, 2008. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (C) The IETF Trust (2007). All Rights Reserved. | Copyright (C) The IETF Trust (2007). All Rights Reserved. | |||
| Abstract | Abstract | |||
| This document describes a currently deployed extension to the Remote | This document describes a currently deployed extension to the Remote | |||
| Authentication Dial In User Service (RADIUS) protocol, allowing | Authentication Dial In User Service (RADIUS) protocol, allowing | |||
| dynamic changes to a user session, as implemented by network access | dynamic changes to a user session, as implemented by network access | |||
| skipping to change at page 10, line 21 | skipping to change at page 10, line 21 | |||
| Disconnect-Request packets, given the difference in attribute | Disconnect-Request packets, given the difference in attribute | |||
| semantics. This is true even for attributes specified as | semantics. This is true even for attributes specified as | |||
| allowable within Access-Accept packets (such as those defined | allowable within Access-Accept packets (such as those defined | |||
| within [RFC2865], [RFC2868], [RFC2869], [RFC3162], [RFC3579], | within [RFC2865], [RFC2868], [RFC2869], [RFC3162], [RFC3579], | |||
| [RFC4372], [RFC4675], [RFC4818] and [RFC4849]). | [RFC4372], [RFC4675], [RFC4818] and [RFC4849]). | |||
| 3. Attributes | 3. Attributes | |||
| In Disconnect-Request and CoA-Request packets, certain attributes are | In Disconnect-Request and CoA-Request packets, certain attributes are | |||
| used to uniquely identify the NAS as well as user session(s) on the | used to uniquely identify the NAS as well as user session(s) on the | |||
| NAS. All NAS and session identification attributes included in a | NAS. The combination of NAS and session identification attributes | |||
| CoA-Request or Disconnect-Request packet MUST match at least one | included in a CoA-Request or Disconnect-Request packet MUST match at | |||
| session in order for a Request to be successful; otherwise a | least one session in order for a Request to be successful; otherwise | |||
| Disconnect-NAK or CoA-NAK MUST be sent. If all NAS identification | a Disconnect-NAK or CoA-NAK MUST be sent. If all NAS identification | |||
| attributes match, and more than one session matches all of the | attributes match, and more than one session matches all of the | |||
| session identification attributes, then a CoA-Request or Disconnect- | session identification attributes, then a CoA-Request or Disconnect- | |||
| Request MUST apply to all matching sessions. | Request MUST apply to all matching sessions. | |||
| Identification attributes include NAS and session identification | Identification attributes include NAS and session identification | |||
| attributes, as described below. | attributes, as described below. | |||
| NAS identification attributes | NAS identification attributes | |||
| Attribute # Reference Description | Attribute # Reference Description | |||
| skipping to change at page 13, line 37 | skipping to change at page 13, line 37 | |||
| Proxy-State attributes. The forwarding proxy MUST NOT change the | Proxy-State attributes. The forwarding proxy MUST NOT change the | |||
| order of any attributes of the same type, including Proxy-State. | order of any attributes of the same type, including Proxy-State. | |||
| Other attributes can be placed before, after or even between the | Other attributes can be placed before, after or even between the | |||
| Proxy-State attributes. | Proxy-State attributes. | |||
| When the proxy receives a response to a CoA-Request or Disconnect- | When the proxy receives a response to a CoA-Request or Disconnect- | |||
| Request, it MUST remove its own Proxy-State (the last Proxy- State in | Request, it MUST remove its own Proxy-State (the last Proxy- State in | |||
| the packet) Attribute before forwarding the response. Since | the packet) Attribute before forwarding the response. Since | |||
| Disconnect and CoA responses are authenticated on the entire packet | Disconnect and CoA responses are authenticated on the entire packet | |||
| contents, the stripping of the Proxy-State Attribute invalidates the | contents, the stripping of the Proxy-State Attribute invalidates the | |||
| integrity check - so the proxy needs to recompute it. | integrity check - so the proxy MUST recompute it. | |||
| 3.2. Authorize Only | 3.2. Authorize Only | |||
| Support for a CoA-Request including a Service-Type Attribute with | To simplify translation between RADIUS and Diameter, Dynamic | |||
| value "Authorize Only" is OPTIONAL on the NAS and Dynamic | Authorization Clients can include a Service-Type Attribute with value | |||
| Authorization Client. A Service-Type Attribute MUST NOT be included | "Authorize Only" within a CoA-Request; see Section 4 for details on | |||
| within a Disconnect-Request. | Diameter considerations. Support for a CoA-Request including a | |||
| Service-Type Attribute with value "Authorize Only" is OPTIONAL on the | ||||
| NAS and Dynamic Authorization Client. A Service-Type Attribute MUST | ||||
| NOT be included within a Disconnect-Request. | ||||
| A NAS MUST respond to a CoA-Request including a Service-Type | A NAS MUST respond to a CoA-Request including a Service-Type | |||
| Attribute with value "Authorize Only" with a CoA-NAK; a CoA-ACK MUST | Attribute with value "Authorize Only" with a CoA-NAK; a CoA-ACK MUST | |||
| NOT be sent. If the NAS does not support a Service-Type value of | NOT be sent. If the NAS does not support a Service-Type value of | |||
| "Authorize Only" then it MUST respond with a CoA-NAK; an Error-Cause | "Authorize Only" then it MUST respond with a CoA-NAK; an Error-Cause | |||
| value of 405 (Unsupported Service) SHOULD be included. | value of 405 (Unsupported Service) SHOULD be included. | |||
| A CoA-Request containing a Service-Type Attribute with value | A CoA-Request containing a Service-Type Attribute with value | |||
| "Authorize Only" MUST in addition contain only NAS or session | "Authorize Only" MUST in addition contain only NAS or session | |||
| identification attributes, as well as a State Attribute. If other | identification attributes, as well as a State Attribute. If other | |||
| skipping to change at page 15, line 43 | skipping to change at page 15, line 47 | |||
| silently discard the packet if it does not match the value sent. | silently discard the packet if it does not match the value sent. | |||
| When a Message-Authenticator Attribute is included within a CoA- | When a Message-Authenticator Attribute is included within a CoA- | |||
| Request or Disconnect-Request, it is calculated as follows: | Request or Disconnect-Request, it is calculated as follows: | |||
| Message-Authenticator = HMAC-MD5 (Type, Identifier, Length, | Message-Authenticator = HMAC-MD5 (Type, Identifier, Length, | |||
| Request Authenticator, Attributes) | Request Authenticator, Attributes) | |||
| When the HMAC-MD5 message integrity check is calculated the | When the HMAC-MD5 message integrity check is calculated the | |||
| Request Authenticator field and Message-Authenticator Attribute | Request Authenticator field and Message-Authenticator Attribute | |||
| should be considered to be sixteen octets of zero. The Message- | MUST each be considered to be sixteen octets of zero. The | |||
| Authenticator Attribute is calculated and inserted in the packet | Message-Authenticator Attribute is calculated and inserted in the | |||
| before the Request Authenticator is calculated. | packet before the Request Authenticator is calculated. | |||
| When a Message-Authenticator Attribute is included within a CoA- | When a Message-Authenticator Attribute is included within a CoA- | |||
| ACK, CoA-NAK, Disconnect-ACK or Disconnect-NAK, it is calculated | ACK, CoA-NAK, Disconnect-ACK or Disconnect-NAK, it is calculated | |||
| as follows: | as follows: | |||
| Message-Authenticator = HMAC-MD5 (Type, Identifier, Length, | Message-Authenticator = HMAC-MD5 (Type, Identifier, Length, | |||
| Request Authenticator, Attributes) | Request Authenticator, Attributes) | |||
| When the HMAC-MD5 message integrity check is calculated the | When the HMAC-MD5 message integrity check is calculated the | |||
| Message-Authenticator Attribute should be considered to be sixteen | Message-Authenticator Attribute MUST be considered to be sixteen | |||
| octets of zero. The Request Authenticator is taken from the | octets of zero. The Request Authenticator is taken from the | |||
| corresponding CoA/Disconnect-Request. The Message-Authenticator | corresponding CoA/Disconnect-Request. The Message-Authenticator | |||
| is calculated and inserted in the packet before the Response | is calculated and inserted in the packet before the Response | |||
| Authenticator is calculated. | Authenticator is calculated. | |||
| 3.5. Error-Cause | 3.5. Error-Cause | |||
| Description | Description | |||
| It is possible that a Dynamic Authorization Server cannot honor | It is possible that a Dynamic Authorization Server cannot honor | |||
| skipping to change at page 19, line 48 | skipping to change at page 19, line 51 | |||
| 0-1 0 0 19 Callback-Number [Note 3] | 0-1 0 0 19 Callback-Number [Note 3] | |||
| 0-1 0 0 20 Callback-Id [Note 3] | 0-1 0 0 20 Callback-Id [Note 3] | |||
| 0+ 0 0 22 Framed-Route [Note 3] | 0+ 0 0 22 Framed-Route [Note 3] | |||
| 0-1 0 0 23 Framed-IPX-Network [Note 3] | 0-1 0 0 23 Framed-IPX-Network [Note 3] | |||
| 0-1 0-1 0-1 24 State | 0-1 0-1 0-1 24 State | |||
| 0+ 0 0 25 Class [Note 3] | 0+ 0 0 25 Class [Note 3] | |||
| 0+ 0 0 26 Vendor-Specific [Note 7] | 0+ 0 0 26 Vendor-Specific [Note 7] | |||
| 0-1 0 0 27 Session-Timeout [Note 3] | 0-1 0 0 27 Session-Timeout [Note 3] | |||
| 0-1 0 0 28 Idle-Timeout [Note 3] | 0-1 0 0 28 Idle-Timeout [Note 3] | |||
| 0-1 0 0 29 Termination-Action [Note 3] | 0-1 0 0 29 Termination-Action [Note 3] | |||
| Request ACK NAK # Attribute | ||||
| Request ACK NAK # Attribute | ||||
| 0-1 0 0 30 Called-Station-Id [Note 1] | 0-1 0 0 30 Called-Station-Id [Note 1] | |||
| 0-1 0 0 31 Calling-Station-Id [Note 1] | 0-1 0 0 31 Calling-Station-Id [Note 1] | |||
| 0-1 0 0 32 NAS-Identifier [Note 1] | 0-1 0 0 32 NAS-Identifier [Note 1] | |||
| Request ACK NAK # Attribute | ||||
| Request ACK NAK # Attribute | ||||
| 0+ 0+ 0+ 33 Proxy-State | 0+ 0+ 0+ 33 Proxy-State | |||
| 0-1 0 0 34 Login-LAT-Service [Note 3] | 0-1 0 0 34 Login-LAT-Service [Note 3] | |||
| 0-1 0 0 35 Login-LAT-Node [Note 3] | 0-1 0 0 35 Login-LAT-Node [Note 3] | |||
| 0-1 0 0 36 Login-LAT-Group [Note 3] | 0-1 0 0 36 Login-LAT-Group [Note 3] | |||
| 0-1 0 0 37 Framed-AppleTalk-Link [Note 3] | 0-1 0 0 37 Framed-AppleTalk-Link [Note 3] | |||
| 0+ 0 0 38 Framed-AppleTalk-Network [Note 3] | 0+ 0 0 38 Framed-AppleTalk-Network [Note 3] | |||
| 0-1 0 0 39 Framed-AppleTalk-Zone [Note 3] | 0-1 0 0 39 Framed-AppleTalk-Zone [Note 3] | |||
| 0-1 0 0 44 Acct-Session-Id [Note 1] | 0-1 0 0 44 Acct-Session-Id [Note 1] | |||
| 0-1 0 0 50 Acct-Multi-Session-Id [Note 1] | 0-1 0 0 50 Acct-Multi-Session-Id [Note 1] | |||
| 0-1 0-1 0-1 55 Event-Timestamp | 0-1 0-1 0-1 55 Event-Timestamp | |||
| skipping to change at page 20, line 48 | skipping to change at page 20, line 51 | |||
| 0-1 0 0 89 Chargeable-User-Identity [Note 1] | 0-1 0 0 89 Chargeable-User-Identity [Note 1] | |||
| 0+ 0 0 90 Tunnel-Client-Auth-ID [Note 5] | 0+ 0 0 90 Tunnel-Client-Auth-ID [Note 5] | |||
| 0+ 0 0 91 Tunnel-Server-Auth-ID [Note 5] | 0+ 0 0 91 Tunnel-Server-Auth-ID [Note 5] | |||
| 0-1 0 0 92 NAS-Filter-Rule [Note 3] | 0-1 0 0 92 NAS-Filter-Rule [Note 3] | |||
| 0 0 0 94 Originating-Line-Info | 0 0 0 94 Originating-Line-Info | |||
| 0-1 0 0 95 NAS-IPv6-Address [Note 1] | 0-1 0 0 95 NAS-IPv6-Address [Note 1] | |||
| 0-1 0 0 96 Framed-Interface-Id [Notes 1,6] | 0-1 0 0 96 Framed-Interface-Id [Notes 1,6] | |||
| 0+ 0 0 97 Framed-IPv6-Prefix [Notes 1,6] | 0+ 0 0 97 Framed-IPv6-Prefix [Notes 1,6] | |||
| 0+ 0 0 98 Login-IPv6-Host [Note 3] | 0+ 0 0 98 Login-IPv6-Host [Note 3] | |||
| 0+ 0 0 99 Framed-IPv6-Route [Note 3] | 0+ 0 0 99 Framed-IPv6-Route [Note 3] | |||
| Request ACK NAK # Attribute | ||||
| Request ACK NAK # Attribute | ||||
| 0-1 0 0 100 Framed-IPv6-Pool [Note 3] | 0-1 0 0 100 Framed-IPv6-Pool [Note 3] | |||
| 0 0 0+ 101 Error-Cause | 0 0 0+ 101 Error-Cause | |||
| 0+ 0 0 123 Delegated-IPv6-Prefix [Note 3] | 0+ 0 0 123 Delegated-IPv6-Prefix [Note 3] | |||
| Request ACK NAK # Attribute | Request ACK NAK # Attribute | |||
| Disconnect Messages | Disconnect Messages | |||
| Request ACK NAK # Attribute | Request ACK NAK # Attribute | |||
| 0-1 0 0 1 User-Name [Note 1] | 0-1 0 0 1 User-Name [Note 1] | |||
| 0-1 0 0 4 NAS-IP-Address [Note 1] | 0-1 0 0 4 NAS-IP-Address [Note 1] | |||
| 0-1 0 0 5 NAS-Port [Note 1] | 0-1 0 0 5 NAS-Port [Note 1] | |||
| 0 0 0 6 Service-Type | 0 0 0 6 Service-Type | |||
| 0 0 0 8 Framed-IP-Address [Note 1] | 0 0 0 8 Framed-IP-Address [Note 1] | |||
| 0+ 0 0 18 Reply-Message [Note 2] | 0+ 0 0 18 Reply-Message [Note 2] | |||
| 0 0 0 24 State | 0 0 0 24 State | |||
| skipping to change at page 37, line 42 | skipping to change at page 37, line 42 | |||
| Copies of IPR disclosures made to the IETF Secretariat and any | Copies of IPR disclosures made to the IETF Secretariat and any | |||
| assurances of licenses to be made available, or the result of an | assurances of licenses to be made available, or the result of an | |||
| attempt made to obtain a general license or permission for the use of | attempt made to obtain a general license or permission for the use of | |||
| such proprietary rights by implementers or users of this | such proprietary rights by implementers or users of this | |||
| specification can be obtained from the IETF on-line IPR repository at | specification can be obtained from the IETF on-line IPR repository at | |||
| http://www.ietf.org/ipr. | http://www.ietf.org/ipr. | |||
| The IETF invites any interested party to bring to its attention any | The IETF invites any interested party to bring to its attention any | |||
| copyrights, patents or patent applications, or other proprietary | copyrights, patents or patent applications, or other proprietary | |||
| rights that may cover technology that may be required to implement | rights that may cover technology that may be required to implement | |||
| this standard. Please address the information to the IETF at ietf- | this standard. Please address the information to the IETF at | |||
| ipr@ietf.org. | ietf-ipr@ietf.org. | |||
| Acknowledgment | Acknowledgment | |||
| Funding for the RFC Editor function is currently provided by the | Funding for the RFC Editor function is currently provided by the | |||
| Internet Society. | Internet Society. | |||
| Open issues | Open issues | |||
| Open issues relating to this specification are tracked on the | Open issues relating to this specification are tracked on the | |||
| following web site: | following web site: | |||
| End of changes. 14 change blocks. | ||||
| 21 lines changed or deleted | 27 lines changed or added | |||
This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||