draft-ietf-radext-rfc3576bis-10.txt   draft-ietf-radext-rfc3576bis-11.txt 
Network Working Group Murtaza S. Chiba Network Working Group Murtaza S. Chiba
INTERNET-DRAFT Gopal Dommety INTERNET-DRAFT Gopal Dommety
Obsoletes: 3576 Mark Eklund Obsoletes: 3576 Mark Eklund
Category: Informational Cisco Systems, Inc. Category: Informational Cisco Systems, Inc.
Expires: April 5, 2008 David Mitton Expires: April 25, 2008 David Mitton
RSA Security, Inc. RSA Security, Inc.
Bernard Aboba Bernard Aboba
Microsoft Corporation Microsoft Corporation
4 October 2007 17 October 2007
Dynamic Authorization Extensions to Remote Authentication Dial In User Dynamic Authorization Extensions to Remote Authentication Dial In User
Service (RADIUS) Service (RADIUS)
draft-ietf-radext-rfc3576bis-10.txt draft-ietf-radext-rfc3576bis-11.txt
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
skipping to change at page 1, line 38 skipping to change at page 1, line 38
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on April 5, 2008. This Internet-Draft will expire on April 25, 2008.
Copyright Notice Copyright Notice
Copyright (C) The IETF Trust (2007). All Rights Reserved. Copyright (C) The IETF Trust (2007). All Rights Reserved.
Abstract Abstract
This document describes a currently deployed extension to the Remote This document describes a currently deployed extension to the Remote
Authentication Dial In User Service (RADIUS) protocol, allowing Authentication Dial In User Service (RADIUS) protocol, allowing
dynamic changes to a user session, as implemented by network access dynamic changes to a user session, as implemented by network access
skipping to change at page 10, line 21 skipping to change at page 10, line 21
Disconnect-Request packets, given the difference in attribute Disconnect-Request packets, given the difference in attribute
semantics. This is true even for attributes specified as semantics. This is true even for attributes specified as
allowable within Access-Accept packets (such as those defined allowable within Access-Accept packets (such as those defined
within [RFC2865], [RFC2868], [RFC2869], [RFC3162], [RFC3579], within [RFC2865], [RFC2868], [RFC2869], [RFC3162], [RFC3579],
[RFC4372], [RFC4675], [RFC4818] and [RFC4849]). [RFC4372], [RFC4675], [RFC4818] and [RFC4849]).
3. Attributes 3. Attributes
In Disconnect-Request and CoA-Request packets, certain attributes are In Disconnect-Request and CoA-Request packets, certain attributes are
used to uniquely identify the NAS as well as user session(s) on the used to uniquely identify the NAS as well as user session(s) on the
NAS. All NAS and session identification attributes included in a NAS. The combination of NAS and session identification attributes
CoA-Request or Disconnect-Request packet MUST match at least one included in a CoA-Request or Disconnect-Request packet MUST match at
session in order for a Request to be successful; otherwise a least one session in order for a Request to be successful; otherwise
Disconnect-NAK or CoA-NAK MUST be sent. If all NAS identification a Disconnect-NAK or CoA-NAK MUST be sent. If all NAS identification
attributes match, and more than one session matches all of the attributes match, and more than one session matches all of the
session identification attributes, then a CoA-Request or Disconnect- session identification attributes, then a CoA-Request or Disconnect-
Request MUST apply to all matching sessions. Request MUST apply to all matching sessions.
Identification attributes include NAS and session identification Identification attributes include NAS and session identification
attributes, as described below. attributes, as described below.
NAS identification attributes NAS identification attributes
Attribute # Reference Description Attribute # Reference Description
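Review bot: the new wording "The combination of NAS and session identification attributes included in a CoA-Request or Disconnect-Request MUST match at least one session" does not say what a NAS does with a request that carries NAS identification attributes but no session identification attributes. Read together with "more than one session matches all of the session identification attributes, then a CoA-Request or Disconnect-Request MUST apply to all matching sessions", such a request would match, and a Disconnect-Request would tear down, every session on the NAS. If that is intended, say so explicitly; if not, require at least one session identification attribute and make the NAS return a Disconnect-NAK or CoA-NAK otherwise.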
skipping to change at page 13, line 37 skipping to change at page 13, line 37
Proxy-State attributes. The forwarding proxy MUST NOT change the Proxy-State attributes. The forwarding proxy MUST NOT change the
order of any attributes of the same type, including Proxy-State. order of any attributes of the same type, including Proxy-State.
Other attributes can be placed before, after or even between the Other attributes can be placed before, after or even between the
Proxy-State attributes. Proxy-State attributes.
When the proxy receives a response to a CoA-Request or Disconnect- When the proxy receives a response to a CoA-Request or Disconnect-
Request, it MUST remove its own Proxy-State (the last Proxy- State in Request, it MUST remove its own Proxy-State (the last Proxy- State in
the packet) Attribute before forwarding the response. Since the packet) Attribute before forwarding the response. Since
Disconnect and CoA responses are authenticated on the entire packet Disconnect and CoA responses are authenticated on the entire packet
contents, the stripping of the Proxy-State Attribute invalidates the contents, the stripping of the Proxy-State Attribute invalidates the
integrity check - so the proxy needs to recompute it. integrity check - so the proxy MUST recompute it.
3.2. Authorize Only 3.2. Authorize Only
Support for a CoA-Request including a Service-Type Attribute with To simplify translation between RADIUS and Diameter, Dynamic
value "Authorize Only" is OPTIONAL on the NAS and Dynamic Authorization Clients can include a Service-Type Attribute with value
Authorization Client. A Service-Type Attribute MUST NOT be included "Authorize Only" within a CoA-Request; see Section 4 for details on
within a Disconnect-Request. Diameter considerations. Support for a CoA-Request including a
Service-Type Attribute with value "Authorize Only" is OPTIONAL on the
NAS and Dynamic Authorization Client. A Service-Type Attribute MUST
NOT be included within a Disconnect-Request.
A NAS MUST respond to a CoA-Request including a Service-Type A NAS MUST respond to a CoA-Request including a Service-Type
Attribute with value "Authorize Only" with a CoA-NAK; a CoA-ACK MUST Attribute with value "Authorize Only" with a CoA-NAK; a CoA-ACK MUST
NOT be sent. If the NAS does not support a Service-Type value of NOT be sent. If the NAS does not support a Service-Type value of
"Authorize Only" then it MUST respond with a CoA-NAK; an Error-Cause "Authorize Only" then it MUST respond with a CoA-NAK; an Error-Cause
value of 405 (Unsupported Service) SHOULD be included. value of 405 (Unsupported Service) SHOULD be included.
A CoA-Request containing a Service-Type Attribute with value A CoA-Request containing a Service-Type Attribute with value
"Authorize Only" MUST in addition contain only NAS or session "Authorize Only" MUST in addition contain only NAS or session
identification attributes, as well as a State Attribute. If other identification attributes, as well as a State Attribute. If other
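Review bot: in the "Authorize Only" paragraph both the supported and the unsupported case end in a CoA-NAK, but only the unsupported case names an Error-Cause ("an Error-Cause value of 405 (Unsupported Service) SHOULD be included"). The hunk should state what Error-Cause the NAK carries in the supported case, otherwise a Dynamic Authorization Client cannot tell "NAS accepted the Authorize Only request and will re-authorize" from "NAS does not implement Authorize Only". The change from "needs to recompute it" to "MUST recompute it" for the proxy's integrity check is the right strengthening; it would help to add that the proxy verifies the response before stripping its Proxy-State, since the check is over the whole packet.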
skipping to change at page 15, line 43 skipping to change at page 15, line 47
silently discard the packet if it does not match the value sent. silently discard the packet if it does not match the value sent.
When a Message-Authenticator Attribute is included within a CoA- When a Message-Authenticator Attribute is included within a CoA-
Request or Disconnect-Request, it is calculated as follows: Request or Disconnect-Request, it is calculated as follows:
Message-Authenticator = HMAC-MD5 (Type, Identifier, Length, Message-Authenticator = HMAC-MD5 (Type, Identifier, Length,
Request Authenticator, Attributes) Request Authenticator, Attributes)
When the HMAC-MD5 message integrity check is calculated the When the HMAC-MD5 message integrity check is calculated the
Request Authenticator field and Message-Authenticator Attribute Request Authenticator field and Message-Authenticator Attribute
should be considered to be sixteen octets of zero. The Message- MUST each be considered to be sixteen octets of zero. The
Authenticator Attribute is calculated and inserted in the packet Message-Authenticator Attribute is calculated and inserted in the
before the Request Authenticator is calculated. packet before the Request Authenticator is calculated.
When a Message-Authenticator Attribute is included within a CoA- When a Message-Authenticator Attribute is included within a CoA-
ACK, CoA-NAK, Disconnect-ACK or Disconnect-NAK, it is calculated ACK, CoA-NAK, Disconnect-ACK or Disconnect-NAK, it is calculated
as follows: as follows:
Message-Authenticator = HMAC-MD5 (Type, Identifier, Length, Message-Authenticator = HMAC-MD5 (Type, Identifier, Length,
Request Authenticator, Attributes) Request Authenticator, Attributes)
When the HMAC-MD5 message integrity check is calculated the When the HMAC-MD5 message integrity check is calculated the
Message-Authenticator Attribute should be considered to be sixteen Message-Authenticator Attribute MUST be considered to be sixteen
octets of zero. The Request Authenticator is taken from the octets of zero. The Request Authenticator is taken from the
corresponding CoA/Disconnect-Request. The Message-Authenticator corresponding CoA/Disconnect-Request. The Message-Authenticator
is calculated and inserted in the packet before the Response is calculated and inserted in the packet before the Response
Authenticator is calculated. Authenticator is calculated.
3.5. Error-Cause 3.5. Error-Cause
Description Description
It is possible that a Dynamic Authorization Server cannot honor It is possible that a Dynamic Authorization Server cannot honor
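Review bot: the request and response formulas are printed identically ("Message-Authenticator = HMAC-MD5 (Type, Identifier, Length, Request Authenticator, Attributes)") although the inputs differ: for a CoA-Request or Disconnect-Request the Request Authenticator field and the Message-Authenticator are both treated as sixteen octets of zero, whereas for a CoA-ACK, CoA-NAK, Disconnect-ACK or Disconnect-NAK the Request Authenticator "is taken from the corresponding CoA/Disconnect-Request" and only the Message-Authenticator is zeroed. Writing the response formula as "HMAC-MD5 (Type, Identifier, Length, Request Authenticator of the corresponding Request, Attributes)" would put that distinction in the formula rather than only in the prose, which is where implementers copy from. The "should" to "MUST each" change is correct and should also be reflected in the security considerations for verification: a receiver that zeroes only one of the two fields will compute a different HMAC and discard valid requests.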
skipping to change at page 19, line 48 skipping to change at page 19, line 51
0-1 0 0 19 Callback-Number [Note 3] 0-1 0 0 19 Callback-Number [Note 3]
0-1 0 0 20 Callback-Id [Note 3] 0-1 0 0 20 Callback-Id [Note 3]
0+ 0 0 22 Framed-Route [Note 3] 0+ 0 0 22 Framed-Route [Note 3]
0-1 0 0 23 Framed-IPX-Network [Note 3] 0-1 0 0 23 Framed-IPX-Network [Note 3]
0-1 0-1 0-1 24 State 0-1 0-1 0-1 24 State
0+ 0 0 25 Class [Note 3] 0+ 0 0 25 Class [Note 3]
0+ 0 0 26 Vendor-Specific [Note 7] 0+ 0 0 26 Vendor-Specific [Note 7]
0-1 0 0 27 Session-Timeout [Note 3] 0-1 0 0 27 Session-Timeout [Note 3]
0-1 0 0 28 Idle-Timeout [Note 3] 0-1 0 0 28 Idle-Timeout [Note 3]
0-1 0 0 29 Termination-Action [Note 3] 0-1 0 0 29 Termination-Action [Note 3]
Request ACK NAK # Attribute
Request ACK NAK # Attribute
0-1 0 0 30 Called-Station-Id [Note 1] 0-1 0 0 30 Called-Station-Id [Note 1]
0-1 0 0 31 Calling-Station-Id [Note 1] 0-1 0 0 31 Calling-Station-Id [Note 1]
0-1 0 0 32 NAS-Identifier [Note 1] 0-1 0 0 32 NAS-Identifier [Note 1]
Request ACK NAK # Attribute
Request ACK NAK # Attribute
0+ 0+ 0+ 33 Proxy-State 0+ 0+ 0+ 33 Proxy-State
0-1 0 0 34 Login-LAT-Service [Note 3] 0-1 0 0 34 Login-LAT-Service [Note 3]
0-1 0 0 35 Login-LAT-Node [Note 3] 0-1 0 0 35 Login-LAT-Node [Note 3]
0-1 0 0 36 Login-LAT-Group [Note 3] 0-1 0 0 36 Login-LAT-Group [Note 3]
0-1 0 0 37 Framed-AppleTalk-Link [Note 3] 0-1 0 0 37 Framed-AppleTalk-Link [Note 3]
0+ 0 0 38 Framed-AppleTalk-Network [Note 3] 0+ 0 0 38 Framed-AppleTalk-Network [Note 3]
0-1 0 0 39 Framed-AppleTalk-Zone [Note 3] 0-1 0 0 39 Framed-AppleTalk-Zone [Note 3]
0-1 0 0 44 Acct-Session-Id [Note 1] 0-1 0 0 44 Acct-Session-Id [Note 1]
0-1 0 0 50 Acct-Multi-Session-Id [Note 1] 0-1 0 0 50 Acct-Multi-Session-Id [Note 1]
0-1 0-1 0-1 55 Event-Timestamp 0-1 0-1 0-1 55 Event-Timestamp
skipping to change at page 20, line 48 skipping to change at page 20, line 51
0-1 0 0 89 Chargeable-User-Identity [Note 1] 0-1 0 0 89 Chargeable-User-Identity [Note 1]
0+ 0 0 90 Tunnel-Client-Auth-ID [Note 5] 0+ 0 0 90 Tunnel-Client-Auth-ID [Note 5]
0+ 0 0 91 Tunnel-Server-Auth-ID [Note 5] 0+ 0 0 91 Tunnel-Server-Auth-ID [Note 5]
0-1 0 0 92 NAS-Filter-Rule [Note 3] 0-1 0 0 92 NAS-Filter-Rule [Note 3]
0 0 0 94 Originating-Line-Info 0 0 0 94 Originating-Line-Info
0-1 0 0 95 NAS-IPv6-Address [Note 1] 0-1 0 0 95 NAS-IPv6-Address [Note 1]
0-1 0 0 96 Framed-Interface-Id [Notes 1,6] 0-1 0 0 96 Framed-Interface-Id [Notes 1,6]
0+ 0 0 97 Framed-IPv6-Prefix [Notes 1,6] 0+ 0 0 97 Framed-IPv6-Prefix [Notes 1,6]
0+ 0 0 98 Login-IPv6-Host [Note 3] 0+ 0 0 98 Login-IPv6-Host [Note 3]
0+ 0 0 99 Framed-IPv6-Route [Note 3] 0+ 0 0 99 Framed-IPv6-Route [Note 3]
Request ACK NAK # Attribute
Request ACK NAK # Attribute
0-1 0 0 100 Framed-IPv6-Pool [Note 3] 0-1 0 0 100 Framed-IPv6-Pool [Note 3]
0 0 0+ 101 Error-Cause 0 0 0+ 101 Error-Cause
0+ 0 0 123 Delegated-IPv6-Prefix [Note 3] 0+ 0 0 123 Delegated-IPv6-Prefix [Note 3]
Request ACK NAK # Attribute Request ACK NAK # Attribute
Disconnect Messages Disconnect Messages
Request ACK NAK # Attribute Request ACK NAK # Attribute
0-1 0 0 1 User-Name [Note 1] 0-1 0 0 1 User-Name [Note 1]
0-1 0 0 4 NAS-IP-Address [Note 1] 0-1 0 0 4 NAS-IP-Address [Note 1]
0-1 0 0 5 NAS-Port [Note 1] 0-1 0 0 5 NAS-Port [Note 1]
0 0 0 6 Service-Type 0 0 0 6 Service-Type
0 0 0 8 Framed-IP-Address [Note 1] 0 0 0 8 Framed-IP-Address [Note 1]
0+ 0 0 18 Reply-Message [Note 2] 0+ 0 0 18 Reply-Message [Note 2]
0 0 0 24 State 0 0 0 24 State
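Review bot: NAS-Filter-Rule (92) is listed as "0-1" for CoA-Request, yet a filter set is normally conveyed as several NAS-Filter-Rule attributes, in the same way that Framed-Route (22) and Framed-IPv6-Route (99) are "0+" in this table. If the intent is to let a CoA-Request install a complete rule set, the row should read "0+ 0 0 92 NAS-Filter-Rule [Note 3]"; if only a single rule is meant, Note 3 should say how a NAS treats a request with more than one. The Disconnect Messages rows "0 0 0 6 Service-Type" and "0 0 0 24 State" agree with the Section 3.2 rule that Service-Type MUST NOT appear in a Disconnect-Request.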
skipping to change at page 37, line 42 skipping to change at page 37, line 42
Copies of IPR disclosures made to the IETF Secretariat and any Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr. http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at ietf- this standard. Please address the information to the IETF at
ipr@ietf.org. ietf-ipr@ietf.org.
Acknowledgment Acknowledgment
Funding for the RFC Editor function is currently provided by the Funding for the RFC Editor function is currently provided by the
Internet Society. Internet Society.
Open issues Open issues
Open issues relating to this specification are tracked on the Open issues relating to this specification are tracked on the
following web site: following web site:
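Review bot: the "Open issues" paragraph ends at "tracked on the following web site:" and no web site follows in the visible lines; either the URL was dropped in this revision or it needs to be restored. Since this document obsoletes RFC 3576, the "Open issues" section should also carry a note asking the RFC Editor to remove it before publication. The re-wrap of "ietf-ipr@ietf.org" onto one line fixes the broken address in the previous revision.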
 End of changes. 14 change blocks. 
21 lines changed or deleted 27 lines changed or added

This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/