draft-ietf-radext-rfc3576bis-10.txt | draft-ietf-radext-rfc3576bis-11.txt | |||
---|---|---|---|---|
Network Working Group Murtaza S. Chiba | Network Working Group Murtaza S. Chiba | |||
INTERNET-DRAFT Gopal Dommety | INTERNET-DRAFT Gopal Dommety | |||
Obsoletes: 3576 Mark Eklund | Obsoletes: 3576 Mark Eklund | |||
Category: Informational Cisco Systems, Inc. | Category: Informational Cisco Systems, Inc. | |||
Expires: April 5, 2008 David Mitton | Expires: April 25, 2008 David Mitton | |||
RSA Security, Inc. | RSA Security, Inc. | |||
Bernard Aboba | Bernard Aboba | |||
Microsoft Corporation | Microsoft Corporation | |||
4 October 2007 | 17 October 2007 | |||
Dynamic Authorization Extensions to Remote Authentication Dial In User | Dynamic Authorization Extensions to Remote Authentication Dial In User | |||
Service (RADIUS) | Service (RADIUS) | |||
draft-ietf-radext-rfc3576bis-10.txt | draft-ietf-radext-rfc3576bis-11.txt | |||
By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
other groups may also distribute working documents as Internet- | other groups may also distribute working documents as Internet- | |||
Drafts. | Drafts. | |||
skipping to change at page 1, line 38 | skipping to change at page 1, line 38 | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
This Internet-Draft will expire on April 5, 2008. | This Internet-Draft will expire on April 25, 2008. | |||
Copyright Notice | Copyright Notice | |||
Copyright (C) The IETF Trust (2007). All Rights Reserved. | Copyright (C) The IETF Trust (2007). All Rights Reserved. | |||
Abstract | Abstract | |||
This document describes a currently deployed extension to the Remote | This document describes a currently deployed extension to the Remote | |||
Authentication Dial In User Service (RADIUS) protocol, allowing | Authentication Dial In User Service (RADIUS) protocol, allowing | |||
dynamic changes to a user session, as implemented by network access | dynamic changes to a user session, as implemented by network access | |||
skipping to change at page 10, line 21 | skipping to change at page 10, line 21 | |||
Disconnect-Request packets, given the difference in attribute | Disconnect-Request packets, given the difference in attribute | |||
semantics. This is true even for attributes specified as | semantics. This is true even for attributes specified as | |||
allowable within Access-Accept packets (such as those defined | allowable within Access-Accept packets (such as those defined | |||
within [RFC2865], [RFC2868], [RFC2869], [RFC3162], [RFC3579], | within [RFC2865], [RFC2868], [RFC2869], [RFC3162], [RFC3579], | |||
[RFC4372], [RFC4675], [RFC4818] and [RFC4849]). | [RFC4372], [RFC4675], [RFC4818] and [RFC4849]). | |||
3. Attributes | 3. Attributes | |||
In Disconnect-Request and CoA-Request packets, certain attributes are | In Disconnect-Request and CoA-Request packets, certain attributes are | |||
used to uniquely identify the NAS as well as user session(s) on the | used to uniquely identify the NAS as well as user session(s) on the | |||
NAS. All NAS and session identification attributes included in a | NAS. The combination of NAS and session identification attributes | |||
CoA-Request or Disconnect-Request packet MUST match at least one | included in a CoA-Request or Disconnect-Request packet MUST match at | |||
session in order for a Request to be successful; otherwise a | least one session in order for a Request to be successful; otherwise | |||
Disconnect-NAK or CoA-NAK MUST be sent. If all NAS identification | a Disconnect-NAK or CoA-NAK MUST be sent. If all NAS identification | |||
attributes match, and more than one session matches all of the | attributes match, and more than one session matches all of the | |||
session identification attributes, then a CoA-Request or Disconnect- | session identification attributes, then a CoA-Request or Disconnect- | |||
Request MUST apply to all matching sessions. | Request MUST apply to all matching sessions. | |||
Identification attributes include NAS and session identification | Identification attributes include NAS and session identification | |||
attributes, as described below. | attributes, as described below. | |||
NAS identification attributes | NAS identification attributes | |||
Attribute # Reference Description | Attribute # Reference Description | |||
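Review bot: the reworded rule ("The combination of NAS and session identification attributes ... MUST match at least one session") does not say what a request that carries NAS identification attributes but no session identification attributes matches. Read together with the next sentence ("more than one session matches all of the session identification attributes ... MUST apply to all matching sessions"), an empty set of session attributes vacuously matches every session on the NAS, so a Disconnect-Request carrying only NAS-IP-Address would terminate all of them. If that blast radius is intended, state it; if not, require at least one session identification attribute and NAK its absence. The no-match case should also name the Error-Cause value the NAK carries, since Section 3.5 defines them.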
skipping to change at page 13, line 37 | skipping to change at page 13, line 37 | |||
Proxy-State attributes. The forwarding proxy MUST NOT change the | Proxy-State attributes. The forwarding proxy MUST NOT change the | |||
order of any attributes of the same type, including Proxy-State. | order of any attributes of the same type, including Proxy-State. | |||
Other attributes can be placed before, after or even between the | Other attributes can be placed before, after or even between the | |||
Proxy-State attributes. | Proxy-State attributes. | |||
When the proxy receives a response to a CoA-Request or Disconnect- | When the proxy receives a response to a CoA-Request or Disconnect- | |||
Request, it MUST remove its own Proxy-State (the last Proxy- State in | Request, it MUST remove its own Proxy-State (the last Proxy- State in | |||
the packet) Attribute before forwarding the response. Since | the packet) Attribute before forwarding the response. Since | |||
Disconnect and CoA responses are authenticated on the entire packet | Disconnect and CoA responses are authenticated on the entire packet | |||
contents, the stripping of the Proxy-State Attribute invalidates the | contents, the stripping of the Proxy-State Attribute invalidates the | |||
integrity check - so the proxy needs to recompute it. | integrity check - so the proxy MUST recompute it. | |||
3.2. Authorize Only | 3.2. Authorize Only | |||
Support for a CoA-Request including a Service-Type Attribute with | To simplify translation between RADIUS and Diameter, Dynamic | |||
value "Authorize Only" is OPTIONAL on the NAS and Dynamic | Authorization Clients can include a Service-Type Attribute with value | |||
Authorization Client. A Service-Type Attribute MUST NOT be included | "Authorize Only" within a CoA-Request; see Section 4 for details on | |||
within a Disconnect-Request. | Diameter considerations. Support for a CoA-Request including a | |||
Service-Type Attribute with value "Authorize Only" is OPTIONAL on the | ||||
NAS and Dynamic Authorization Client. A Service-Type Attribute MUST | ||||
NOT be included within a Disconnect-Request. | ||||
A NAS MUST respond to a CoA-Request including a Service-Type | A NAS MUST respond to a CoA-Request including a Service-Type | |||
Attribute with value "Authorize Only" with a CoA-NAK; a CoA-ACK MUST | Attribute with value "Authorize Only" with a CoA-NAK; a CoA-ACK MUST | |||
NOT be sent. If the NAS does not support a Service-Type value of | NOT be sent. If the NAS does not support a Service-Type value of | |||
"Authorize Only" then it MUST respond with a CoA-NAK; an Error-Cause | "Authorize Only" then it MUST respond with a CoA-NAK; an Error-Cause | |||
value of 405 (Unsupported Service) SHOULD be included. | value of 405 (Unsupported Service) SHOULD be included. | |||
A CoA-Request containing a Service-Type Attribute with value | A CoA-Request containing a Service-Type Attribute with value | |||
"Authorize Only" MUST in addition contain only NAS or session | "Authorize Only" MUST in addition contain only NAS or session | |||
identification attributes, as well as a State Attribute. If other | identification attributes, as well as a State Attribute. If other | |||
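Review bot: "so the proxy MUST recompute it" names a single integrity check, but stripping the proxy's own Proxy-State changes the Attributes field that both the Response Authenticator and, when present, the Message-Authenticator Attribute cover (Section 3.4 computes the response Message-Authenticator over Type, Identifier, Length, Request Authenticator and Attributes). Say that the proxy MUST recompute both, using the secret it shares with the hop it forwards the response to; a proxy that refreshes only the Response Authenticator will have its responses silently discarded by the Dynamic Authorization Client. The upgrade from "needs to" to MUST is correct. In the Authorize Only paragraph, the added motivation sentence and the forward reference to Section 4 are sufficient; no further change needed there.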
skipping to change at page 15, line 43 | skipping to change at page 15, line 47 | |||
silently discard the packet if it does not match the value sent. | silently discard the packet if it does not match the value sent. | |||
When a Message-Authenticator Attribute is included within a CoA- | When a Message-Authenticator Attribute is included within a CoA- | |||
Request or Disconnect-Request, it is calculated as follows: | Request or Disconnect-Request, it is calculated as follows: | |||
Message-Authenticator = HMAC-MD5 (Type, Identifier, Length, | Message-Authenticator = HMAC-MD5 (Type, Identifier, Length, | |||
Request Authenticator, Attributes) | Request Authenticator, Attributes) | |||
When the HMAC-MD5 message integrity check is calculated the | When the HMAC-MD5 message integrity check is calculated the | |||
Request Authenticator field and Message-Authenticator Attribute | Request Authenticator field and Message-Authenticator Attribute | |||
should be considered to be sixteen octets of zero. The Message- | MUST each be considered to be sixteen octets of zero. The | |||
Authenticator Attribute is calculated and inserted in the packet | Message-Authenticator Attribute is calculated and inserted in the | |||
before the Request Authenticator is calculated. | packet before the Request Authenticator is calculated. | |||
When a Message-Authenticator Attribute is included within a CoA- | When a Message-Authenticator Attribute is included within a CoA- | |||
ACK, CoA-NAK, Disconnect-ACK or Disconnect-NAK, it is calculated | ACK, CoA-NAK, Disconnect-ACK or Disconnect-NAK, it is calculated | |||
as follows: | as follows: | |||
Message-Authenticator = HMAC-MD5 (Type, Identifier, Length, | Message-Authenticator = HMAC-MD5 (Type, Identifier, Length, | |||
Request Authenticator, Attributes) | Request Authenticator, Attributes) | |||
When the HMAC-MD5 message integrity check is calculated the | When the HMAC-MD5 message integrity check is calculated the | |||
Message-Authenticator Attribute should be considered to be sixteen | Message-Authenticator Attribute MUST be considered to be sixteen | |||
octets of zero. The Request Authenticator is taken from the | octets of zero. The Request Authenticator is taken from the | |||
corresponding CoA/Disconnect-Request. The Message-Authenticator | corresponding CoA/Disconnect-Request. The Message-Authenticator | |||
is calculated and inserted in the packet before the Response | is calculated and inserted in the packet before the Response | |||
Authenticator is calculated. | Authenticator is calculated. | |||
3.5. Error-Cause | 3.5. Error-Cause | |||
Description | Description | |||
It is possible that a Dynamic Authorization Server cannot honor | It is possible that a Dynamic Authorization Server cannot honor | |||
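Review bot: changing "should" to "MUST each be considered to be sixteen octets of zero" removes a real verification ambiguity, but the formula line above it still lists "Request Authenticator" as an input for the request case while the prose says that field is zero during the computation. Either write the zeroed field into the formula or add to the same sentence that the Request Authenticator input is sixteen zero octets for CoA-Request and Disconnect-Request, and the value copied from the corresponding request for CoA-ACK/NAK and Disconnect-ACK/NAK. Neither formula names the HMAC key; state that it is the shared secret. The ordering sentences are what a verifier has to invert and are worth spelling out as a procedure: for a request, zero both the Request Authenticator field and the Message-Authenticator value, recompute HMAC-MD5, compare, then check the Request Authenticator; for a response, zero only the Message-Authenticator value, use the Request Authenticator retained from the outstanding request, compare, then check the Response Authenticator. That implies the Dynamic Authorization Client MUST keep the Request Authenticator of every outstanding request, otherwise the response check is impossible; the "silently discard the packet if it does not match" rule earlier in the section should be stated to apply to both checks.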
skipping to change at page 19, line 48 | skipping to change at page 19, line 51 | |||
0-1 0 0 19 Callback-Number [Note 3] | 0-1 0 0 19 Callback-Number [Note 3] | |||
0-1 0 0 20 Callback-Id [Note 3] | 0-1 0 0 20 Callback-Id [Note 3] | |||
0+ 0 0 22 Framed-Route [Note 3] | 0+ 0 0 22 Framed-Route [Note 3] | |||
0-1 0 0 23 Framed-IPX-Network [Note 3] | 0-1 0 0 23 Framed-IPX-Network [Note 3] | |||
0-1 0-1 0-1 24 State | 0-1 0-1 0-1 24 State | |||
0+ 0 0 25 Class [Note 3] | 0+ 0 0 25 Class [Note 3] | |||
0+ 0 0 26 Vendor-Specific [Note 7] | 0+ 0 0 26 Vendor-Specific [Note 7] | |||
0-1 0 0 27 Session-Timeout [Note 3] | 0-1 0 0 27 Session-Timeout [Note 3] | |||
0-1 0 0 28 Idle-Timeout [Note 3] | 0-1 0 0 28 Idle-Timeout [Note 3] | |||
0-1 0 0 29 Termination-Action [Note 3] | 0-1 0 0 29 Termination-Action [Note 3] | |||
0-1 0 0 30 Called-Station-Id [Note 1] | 0-1 0 0 30 Called-Station-Id [Note 1] | |||
0-1 0 0 31 Calling-Station-Id [Note 1] | 0-1 0 0 31 Calling-Station-Id [Note 1] | |||
0-1 0 0 32 NAS-Identifier [Note 1] | 0-1 0 0 32 NAS-Identifier [Note 1] | |||
0+ 0+ 0+ 33 Proxy-State | 0+ 0+ 0+ 33 Proxy-State | |||
0-1 0 0 34 Login-LAT-Service [Note 3] | 0-1 0 0 34 Login-LAT-Service [Note 3] | |||
0-1 0 0 35 Login-LAT-Node [Note 3] | 0-1 0 0 35 Login-LAT-Node [Note 3] | |||
0-1 0 0 36 Login-LAT-Group [Note 3] | 0-1 0 0 36 Login-LAT-Group [Note 3] | |||
0-1 0 0 37 Framed-AppleTalk-Link [Note 3] | 0-1 0 0 37 Framed-AppleTalk-Link [Note 3] | |||
0+ 0 0 38 Framed-AppleTalk-Network [Note 3] | 0+ 0 0 38 Framed-AppleTalk-Network [Note 3] | |||
0-1 0 0 39 Framed-AppleTalk-Zone [Note 3] | 0-1 0 0 39 Framed-AppleTalk-Zone [Note 3] | |||
0-1 0 0 44 Acct-Session-Id [Note 1] | 0-1 0 0 44 Acct-Session-Id [Note 1] | |||
0-1 0 0 50 Acct-Multi-Session-Id [Note 1] | 0-1 0 0 50 Acct-Multi-Session-Id [Note 1] | |||
0-1 0-1 0-1 55 Event-Timestamp | 0-1 0-1 0-1 55 Event-Timestamp | |||
skipping to change at page 20, line 48 | skipping to change at page 20, line 51 | |||
0-1 0 0 89 Chargeable-User-Identity [Note 1] | 0-1 0 0 89 Chargeable-User-Identity [Note 1] | |||
0+ 0 0 90 Tunnel-Client-Auth-ID [Note 5] | 0+ 0 0 90 Tunnel-Client-Auth-ID [Note 5] | |||
0+ 0 0 91 Tunnel-Server-Auth-ID [Note 5] | 0+ 0 0 91 Tunnel-Server-Auth-ID [Note 5] | |||
0-1 0 0 92 NAS-Filter-Rule [Note 3] | 0-1 0 0 92 NAS-Filter-Rule [Note 3] | |||
0 0 0 94 Originating-Line-Info | 0 0 0 94 Originating-Line-Info | |||
0-1 0 0 95 NAS-IPv6-Address [Note 1] | 0-1 0 0 95 NAS-IPv6-Address [Note 1] | |||
0-1 0 0 96 Framed-Interface-Id [Notes 1,6] | 0-1 0 0 96 Framed-Interface-Id [Notes 1,6] | |||
0+ 0 0 97 Framed-IPv6-Prefix [Notes 1,6] | 0+ 0 0 97 Framed-IPv6-Prefix [Notes 1,6] | |||
0+ 0 0 98 Login-IPv6-Host [Note 3] | 0+ 0 0 98 Login-IPv6-Host [Note 3] | |||
0+ 0 0 99 Framed-IPv6-Route [Note 3] | 0+ 0 0 99 Framed-IPv6-Route [Note 3] | |||
0-1 0 0 100 Framed-IPv6-Pool [Note 3] | 0-1 0 0 100 Framed-IPv6-Pool [Note 3] | |||
0 0 0+ 101 Error-Cause | 0 0 0+ 101 Error-Cause | |||
0+ 0 0 123 Delegated-IPv6-Prefix [Note 3] | 0+ 0 0 123 Delegated-IPv6-Prefix [Note 3] | |||
Request ACK NAK # Attribute | Request ACK NAK # Attribute | |||
Disconnect Messages | Disconnect Messages | |||
Request ACK NAK # Attribute | Request ACK NAK # Attribute | |||
0-1 0 0 1 User-Name [Note 1] | 0-1 0 0 1 User-Name [Note 1] | |||
0-1 0 0 4 NAS-IP-Address [Note 1] | 0-1 0 0 4 NAS-IP-Address [Note 1] | |||
0-1 0 0 5 NAS-Port [Note 1] | 0-1 0 0 5 NAS-Port [Note 1] | |||
0 0 0 6 Service-Type | 0 0 0 6 Service-Type | |||
0 0 0 8 Framed-IP-Address [Note 1] | 0 0 0 8 Framed-IP-Address [Note 1] | |||
0+ 0 0 18 Reply-Message [Note 2] | 0+ 0 0 18 Reply-Message [Note 2] | |||
0 0 0 24 State | 0 0 0 24 State | |||
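Review bot: in the Disconnect Messages table the Framed-IP-Address row shows a Request count of 0 yet carries [Note 1], the session identification marker that User-Name, NAS-IP-Address and NAS-Port carry with a 0-1 count. A count of 0 says the attribute may never appear in a Disconnect-Request, which contradicts Section 3's use of session identification attributes to select the session(s) a Disconnect-Request acts on. Either change the count to 0-1, matching the other [Note 1] rows, or drop the note. The remaining rows are consistent with the text: Service-Type is 0 in every Disconnect column, matching the MUST NOT in Section 3.2; State is 0 in Disconnect-Request but 0-1 in CoA-Request, matching the State requirement for Authorize Only; Error-Cause is 0+ only in the NAK column, and Proxy-State 0+ in all three.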
skipping to change at page 37, line 42 | skipping to change at page 37, line 42 | |||
Copies of IPR disclosures made to the IETF Secretariat and any | Copies of IPR disclosures made to the IETF Secretariat and any | |||
assurances of licenses to be made available, or the result of an | assurances of licenses to be made available, or the result of an | |||
attempt made to obtain a general license or permission for the use of | attempt made to obtain a general license or permission for the use of | |||
such proprietary rights by implementers or users of this | such proprietary rights by implementers or users of this | |||
specification can be obtained from the IETF on-line IPR repository at | specification can be obtained from the IETF on-line IPR repository at | |||
http://www.ietf.org/ipr. | http://www.ietf.org/ipr. | |||
The IETF invites any interested party to bring to its attention any | The IETF invites any interested party to bring to its attention any | |||
copyrights, patents or patent applications, or other proprietary | copyrights, patents or patent applications, or other proprietary | |||
rights that may cover technology that may be required to implement | rights that may cover technology that may be required to implement | |||
this standard. Please address the information to the IETF at ietf- | this standard. Please address the information to the IETF at | |||
ipr@ietf.org. | ietf-ipr@ietf.org. | |||
Acknowledgment | Acknowledgment | |||
Funding for the RFC Editor function is currently provided by the | Funding for the RFC Editor function is currently provided by the | |||
Internet Society. | Internet Society. | |||
Open issues | Open issues | |||
Open issues relating to this specification are tracked on the | Open issues relating to this specification are tracked on the | |||
following web site: | following web site: | |||
End of changes. 14 change blocks. | ||||
21 lines changed or deleted | 27 lines changed or added | |||
This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |