--- 1/draft-ietf-radext-rfc3576bis-10.txt 2007-10-17 23:12:07.000000000 +0200 +++ 2/draft-ietf-radext-rfc3576bis-11.txt 2007-10-17 23:12:07.000000000 +0200 @@ -1,24 +1,24 @@ Network Working Group Murtaza S. Chiba INTERNET-DRAFT Gopal Dommety Obsoletes: 3576 Mark Eklund Category: Informational Cisco Systems, Inc. -Expires: April 5, 2008 David Mitton +Expires: April 25, 2008 David Mitton RSA Security, Inc. Bernard Aboba Microsoft Corporation - 4 October 2007 + 17 October 2007 Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS) - draft-ietf-radext-rfc3576bis-10.txt + draft-ietf-radext-rfc3576bis-11.txt By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. @@ -27,21 +27,21 @@ and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. - This Internet-Draft will expire on April 5, 2008. + This Internet-Draft will expire on April 25, 2008. Copyright Notice Copyright (C) The IETF Trust (2007). All Rights Reserved. Abstract This document describes a currently deployed extension to the Remote Authentication Dial In User Service (RADIUS) protocol, allowing dynamic changes to a user session, as implemented by network access 
@@ -424,24 +424,24 @@ Disconnect-Request packets, given the difference in attribute semantics. This is true even for attributes specified as allowable within Access-Accept packets (such as those defined within [RFC2865], [RFC2868], [RFC2869], [RFC3162], [RFC3579], [RFC4372], [RFC4675], [RFC4818] and [RFC4849]). 3. Attributes In Disconnect-Request and CoA-Request packets, certain attributes are used to uniquely identify the NAS as well as user session(s) on the - NAS. All NAS and session identification attributes included in a - CoA-Request or Disconnect-Request packet MUST match at least one - session in order for a Request to be successful; otherwise a - Disconnect-NAK or CoA-NAK MUST be sent. If all NAS identification + NAS. The combination of NAS and session identification attributes + included in a CoA-Request or Disconnect-Request packet MUST match at + least one session in order for a Request to be successful; otherwise + a Disconnect-NAK or CoA-NAK MUST be sent. If all NAS identification attributes match, and more than one session matches all of the session identification attributes, then a CoA-Request or Disconnect- Request MUST apply to all matching sessions. Identification attributes include NAS and session identification attributes, as described below. NAS identification attributes Attribute # Reference Description 
@@ -582,28 +582,31 @@ Proxy-State attributes. The forwarding proxy MUST NOT change the order of any attributes of the same type, including Proxy-State. Other attributes can be placed before, after or even between the Proxy-State attributes. When the proxy receives a response to a CoA-Request or Disconnect- Request, it MUST remove its own Proxy-State (the last Proxy- State in the packet) Attribute before forwarding the response. Since Disconnect and CoA responses are authenticated on the entire packet contents, the stripping of the Proxy-State Attribute invalidates the - integrity check - so the proxy needs to recompute it. + integrity check - so the proxy MUST recompute it. 3.2. Authorize Only - Support for a CoA-Request including a Service-Type Attribute with - value "Authorize Only" is OPTIONAL on the NAS and Dynamic - Authorization Client. A Service-Type Attribute MUST NOT be included - within a Disconnect-Request. + To simplify translation between RADIUS and Diameter, Dynamic + Authorization Clients can include a Service-Type Attribute with value + "Authorize Only" within a CoA-Request; see Section 4 for details on + Diameter considerations. Support for a CoA-Request including a + Service-Type Attribute with value "Authorize Only" is OPTIONAL on the + NAS and Dynamic Authorization Client. A Service-Type Attribute MUST + NOT be included within a Disconnect-Request. A NAS MUST respond to a CoA-Request including a Service-Type Attribute with value "Authorize Only" with a CoA-NAK; a CoA-ACK MUST NOT be sent. If the NAS does not support a Service-Type value of "Authorize Only" then it MUST respond with a CoA-NAK; an Error-Cause value of 405 (Unsupported Service) SHOULD be included. A CoA-Request containing a Service-Type Attribute with value "Authorize Only" MUST in addition contain only NAS or session identification attributes, as well as a State Attribute. If other 
@@ -685,33 +688,33 @@ silently discard the packet if it does not match the value sent. When a Message-Authenticator Attribute is included within a CoA- Request or Disconnect-Request, it is calculated as follows: Message-Authenticator = HMAC-MD5 (Type, Identifier, Length, Request Authenticator, Attributes) When the HMAC-MD5 message integrity check is calculated the Request Authenticator field and Message-Authenticator Attribute - should be considered to be sixteen octets of zero. The Message- - Authenticator Attribute is calculated and inserted in the packet - before the Request Authenticator is calculated. + MUST each be considered to be sixteen octets of zero. The + Message-Authenticator Attribute is calculated and inserted in the + packet before the Request Authenticator is calculated. When a Message-Authenticator Attribute is included within a CoA- ACK, CoA-NAK, Disconnect-ACK or Disconnect-NAK, it is calculated as follows: Message-Authenticator = HMAC-MD5 (Type, Identifier, Length, Request Authenticator, Attributes) When the HMAC-MD5 message integrity check is calculated the - Message-Authenticator Attribute should be considered to be sixteen + Message-Authenticator Attribute MUST be considered to be sixteen octets of zero. The Request Authenticator is taken from the corresponding CoA/Disconnect-Request. The Message-Authenticator is calculated and inserted in the packet before the Response Authenticator is calculated. 3.5. Error-Cause Description It is possible that a Dynamic Authorization Server cannot honor 
@@ -882,25 +886,25 @@ 0-1 0 0 19 Callback-Number [Note 3] 0-1 0 0 20 Callback-Id [Note 3] 0+ 0 0 22 Framed-Route [Note 3] 0-1 0 0 23 Framed-IPX-Network [Note 3] 0-1 0-1 0-1 24 State 0+ 0 0 25 Class [Note 3] 0+ 0 0 26 Vendor-Specific [Note 7] 0-1 0 0 27 Session-Timeout [Note 3] 0-1 0 0 28 Idle-Timeout [Note 3] 0-1 0 0 29 Termination-Action [Note 3] + Request ACK NAK # Attribute + Request ACK NAK # Attribute 0-1 0 0 30 Called-Station-Id [Note 1] 0-1 0 0 31 Calling-Station-Id [Note 1] 0-1 0 0 32 NAS-Identifier [Note 1] - Request ACK NAK # Attribute - Request ACK NAK # Attribute 0+ 0+ 0+ 33 Proxy-State 0-1 0 0 34 Login-LAT-Service [Note 3] 0-1 0 0 35 Login-LAT-Node [Note 3] 0-1 0 0 36 Login-LAT-Group [Note 3] 0-1 0 0 37 Framed-AppleTalk-Link [Note 3] 0+ 0 0 38 Framed-AppleTalk-Network [Note 3] 0-1 0 0 39 Framed-AppleTalk-Zone [Note 3] 0-1 0 0 44 Acct-Session-Id [Note 1] 0-1 0 0 50 Acct-Multi-Session-Id [Note 1] 0-1 0-1 0-1 55 Event-Timestamp @@ -930,24 +934,27 @@ 0-1 0 0 89 Chargeable-User-Identity [Note 1] 0+ 0 0 90 Tunnel-Client-Auth-ID [Note 5] 0+ 0 0 91 Tunnel-Server-Auth-ID [Note 5] 0-1 0 0 92 NAS-Filter-Rule [Note 3] 0 0 0 94 Originating-Line-Info 0-1 0 0 95 NAS-IPv6-Address [Note 1] 0-1 0 0 96 Framed-Interface-Id [Notes 1,6] 0+ 0 0 97 Framed-IPv6-Prefix [Notes 1,6] 0+ 0 0 98 Login-IPv6-Host [Note 3] 0+ 0 0 99 Framed-IPv6-Route [Note 3] + Request ACK NAK # Attribute + Request ACK NAK # Attribute 0-1 0 0 100 Framed-IPv6-Pool [Note 3] 0 0 0+ 101 Error-Cause 0+ 0 0 123 Delegated-IPv6-Prefix [Note 3] Request ACK NAK # Attribute + Disconnect Messages Request ACK NAK # Attribute 0-1 0 0 1 User-Name [Note 1] 0-1 0 0 4 NAS-IP-Address [Note 1] 0-1 0 0 5 NAS-Port [Note 1] 0 0 0 6 Service-Type 0 0 0 8 Framed-IP-Address [Note 1] 0+ 0 0 18 Reply-Message [Note 2] 0 0 0 24 State 
@@ -1667,22 +1674,22 @@ Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement - this standard. Please address the information to the IETF at ietf- - ipr@ietf.org. + this standard. Please address the information to the IETF at + ietf-ipr@ietf.org. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society. Open issues Open issues relating to this specification are tracked on the following web site:
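Review bot: in the hunk at @@ -424, the rewritten sentence "The combination of NAS and session identification attributes included in a CoA-Request or Disconnect-Request packet MUST match at least one session" still does not say whether a session must match every included attribute or only some of them; the next sentence ("more than one session matches all of the session identification attributes") implies every one, so state that directly, e.g. "a session matches only if it matches every NAS and session identification attribute included in the packet". Without that, an implementation that matches on any single attribute (for example User-Name alone) could disconnect or re-authorize more sessions than the Dynamic Authorization Client intended.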
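Review bot: in the hunk at @@ -582, "the proxy MUST recompute it" refers to "the integrity check" in the singular, but stripping a Proxy-State Attribute invalidates both the Response Authenticator and any Message-Authenticator Attribute carried in the response (the Message-Authenticator covers the whole packet, as the hunk at @@ -685 shows), so the text should say that the proxy MUST recompute both, and with which shared secret (the one for the hop toward the Dynamic Authorization Client, since the proxy does not hold the NAS secret). In the added Authorize Only paragraph, "Dynamic Authorization Clients can include a Service-Type Attribute" uses a non-normative "can" beside OPTIONAL and MUST in the same paragraph; if permission is intended, "MAY" is the RFC 2119 term.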
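Review bot: in the hunk at @@ -685, the formula "Message-Authenticator = HMAC-MD5 (Type, Identifier, Length, Request Authenticator, Attributes)" in both the request and response cases lists the data that is hashed but not the HMAC key, so an implementer reading this section alone cannot produce an interoperable value; add that the shared secret is the HMAC-MD5 key, or cite the Message-Authenticator definition in [RFC3579], which is already in the reference list. The change from "should be considered" to "MUST each be considered to be sixteen octets of zero" is the right one: two implementations that disagree on the zeroing would never verify each other's packets, and a lowercase "should" invited exactly that.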
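Review bot: in the hunk at @@ -882, the two "Request ACK NAK # Attribute" header lines are moved from before "33 Proxy-State" to before "30 Called-Station-Id", which reads as a repagination, but they are inserted as two consecutive identical lines; unless they straddle a page break in the paginated draft (one as the last line of a page, one as the first of the next), one of the pair is redundant and should be dropped.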
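Review bot: in the hunk at @@ -930, the added "Disconnect Messages" title lands between two existing "Request ACK NAK # Attribute" header lines, so the first header now heads nothing and the table for Disconnect Messages starts with a stray column header above its title; move the title above the first header line or remove that header. The same hunk also inserts two consecutive identical "Request ACK NAK # Attribute" lines before "100 Framed-IPv6-Pool"; as in the @@ -882 hunk, keep only one unless they sit on either side of a page break.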