draft-ietf-radext-rfc3576bis-12.txt   draft-ietf-radext-rfc3576bis-13.txt 
Network Working Group Murtaza S. Chiba Network Working Group Murtaza S. Chiba
INTERNET-DRAFT Gopal Dommety INTERNET-DRAFT Gopal Dommety
Obsoletes: 3576 Mark Eklund Obsoletes: 3576 Mark Eklund
Category: Informational Cisco Systems, Inc. Category: Informational Cisco Systems, Inc.
Expires: April 25, 2008 David Mitton Expires: April 21, 2008 David Mitton
RSA Security, Inc. RSA Security, Inc.
Bernard Aboba Bernard Aboba
Microsoft Corporation Microsoft Corporation
18 October 2007 20 October 2007
Dynamic Authorization Extensions to Remote Authentication Dial In User Dynamic Authorization Extensions to Remote Authentication Dial In User
Service (RADIUS) Service (RADIUS)
draft-ietf-radext-rfc3576bis-12.txt draft-ietf-radext-rfc3576bis-13.txt
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
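Review bot: the expiry date moves earlier in the right column (April 21, 2008, versus April 25, 2008 in -12) while the submission date moves later (20 October versus 18 October 2007); confirm the expiry was recomputed from the new submission date rather than hand-edited, since the same value is repeated in the "This Internet-Draft will expire on" sentence further down and both copies must agree.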
skipping to change at page 1, line 38 skipping to change at page 1, line 38
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on April 25, 2008. This Internet-Draft will expire on April 21, 2008.
Copyright Notice Copyright Notice
Copyright (C) The IETF Trust (2007). All Rights Reserved. Copyright (C) The IETF Trust (2007). All Rights Reserved.
Abstract Abstract
This document describes a currently deployed extension to the Remote This document describes a currently deployed extension to the Remote
Authentication Dial In User Service (RADIUS) protocol, allowing Authentication Dial In User Service (RADIUS) protocol, allowing
dynamic changes to a user session, as implemented by network access dynamic changes to a user session, as implemented by network access
skipping to change at page 2, line 27 skipping to change at page 2, line 27
3.2 Authorize Only .................................. 13 3.2 Authorize Only .................................. 13
3.3 State ........................................... 14 3.3 State ........................................... 14
3.4 Message-Authenticator ........................... 15 3.4 Message-Authenticator ........................... 15
3.5 Error-Cause ..................................... 16 3.5 Error-Cause ..................................... 16
3.6 Table of Attributes ............................. 19 3.6 Table of Attributes ............................. 19
4. Diameter Considerations ............................... 22 4. Diameter Considerations ............................... 22
5. IANA Considerations ................................... 25 5. IANA Considerations ................................... 25
6. Security Considerations ............................... 25 6. Security Considerations ............................... 25
6.1 Authorization Issues ............................ 25 6.1 Authorization Issues ............................ 25
6.2 IPsec Usage Guidelines .......................... 26 6.2 IPsec Usage Guidelines .......................... 26
6.3 Replay Protection ............................... 27 6.3 Replay Protection ............................... 26
7. Example Traces ........................................ 27 7. Example Traces ........................................ 27
8. References ............................................ 28 8. References ............................................ 28
8.1 Normative References ............................ 28 8.1 Normative References ............................ 28
8.2 Informative References .......................... 29 8.2 Informative References .......................... 28
ACKNOWLEDGMENTS .............................................. 29 ACKNOWLEDGMENTS .............................................. 29
AUTHORS' ADDRESSES ........................................... 30 AUTHORS' ADDRESSES ........................................... 30
Appendix A - Changes from RFC 3576 ........................... 31 Appendix A - Changes from RFC 3576 ........................... 31
Full Copyright Statement ..................................... 33 Full Copyright Statement ..................................... 33
Intellectual Property ........................................ 33 Intellectual Property ........................................ 33
1. Introduction 1. Introduction
The RADIUS protocol, defined in [RFC2865], does not support The RADIUS protocol, defined in [RFC2865], does not support
unsolicited messages sent from the RADIUS server to the Network unsolicited messages sent from the RADIUS server to the Network
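Review bot: the table of contents moves "6.3 Replay Protection" from page 27 to 26 and "8.2 Informative References" from page 29 to 28, yet the only substantive change visible in this diff is a paragraph added to Section 6.2, which would push later sections down rather than up; confirm the page numbers were regenerated from the final -13 text rather than carried over or edited by hand.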
skipping to change at page 5, line 33 skipping to change at page 5, line 33
Client in order to terminate user session(s) on a NAS and discard all Client in order to terminate user session(s) on a NAS and discard all
associated session context. The Disconnect-Request packet is sent to associated session context. The Disconnect-Request packet is sent to
UDP port 3799, and identifies the NAS as well as the user session(s) UDP port 3799, and identifies the NAS as well as the user session(s)
to be terminated by inclusion of the identification attributes to be terminated by inclusion of the identification attributes
described in Section 3. described in Section 3.
+----------+ +----------+ +----------+ +----------+
| | Disconnect-Request | | | | Disconnect-Request | |
| | <-------------------- | | | | <-------------------- | |
| NAS | | DAC | | NAS | | DAC |
| | Disconnect-Response | | | | Disconnect-ACK/NAK | |
| | ---------------------> | | | | ---------------------> | |
+----------+ +----------+ +----------+ +----------+
The NAS responds to a Disconnect-Request packet sent by a Dynamic The NAS responds to a Disconnect-Request packet sent by a Dynamic
Authorization Client with a Disconnect-ACK if all associated session Authorization Client with a Disconnect-ACK if all associated session
context is discarded and the user session(s) are no longer connected, context is discarded and the user session(s) are no longer connected,
or a Disconnect-NAK, if the NAS was unable to disconnect one or more or a Disconnect-NAK, if the NAS was unable to disconnect one or more
sessions and discard all associated session context. A Disconnect- sessions and discard all associated session context. A Disconnect-
ACK MAY contain the Attribute Acct-Terminate-Cause (49) [RFC2866] ACK MAY contain the Attribute Acct-Terminate-Cause (49) [RFC2866]
with the value set to 6 for Admin-Reset. with the value set to 6 for Admin-Reset.
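Review bot: relabelling the return arrow from "Disconnect-Response" to "Disconnect-ACK/NAK" removes a mismatch with the paragraph directly below the figure, which names only Disconnect-ACK and Disconnect-NAK and never a "Disconnect-Response" packet; search the remainder of the draft for the old name so that figures, prose and the attribute table use one term per packet type.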
skipping to change at page 6, line 20 skipping to change at page 6, line 20
identification attributes map to. identification attributes map to.
NAS-Filter-Rule (92) - Provides a filter list to be applied NAS-Filter-Rule (92) - Provides a filter list to be applied
for the session(s) that the identification for the session(s) that the identification
attributes map to [RFC4849]. attributes map to [RFC4849].
+----------+ +----------+ +----------+ +----------+
| | CoA-Request | | | | CoA-Request | |
| | <-------------------- | | | | <-------------------- | |
| NAS | | DAC | | NAS | | DAC |
| | CoA-Response | | | | CoA-ACK/NAK | |
| | ---------------------> | | | | ---------------------> | |
+----------+ +----------+ +----------+ +----------+
The NAS responds to a CoA-Request sent by a Dynamic Authorization The NAS responds to a CoA-Request sent by a Dynamic Authorization
Client with a CoA-ACK if the NAS is able to successfully change the Client with a CoA-ACK if the NAS is able to successfully change the
authorizations for the user session(s), or a CoA-NAK if the CoA- authorizations for the user session(s), or a CoA-NAK if the CoA-
Request is unsuccessful. A NAS MUST respond to a CoA-Request Request is unsuccessful. A NAS MUST respond to a CoA-Request
including a Service-Type Attribute with an unsupported value with a including a Service-Type Attribute with an unsupported value with a
CoA-NAK; an Error-Cause Attribute with value "Unsupported Service" CoA-NAK; an Error-Cause Attribute with value "Unsupported Service"
SHOULD be included. SHOULD be included.
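Review bot: the CoA figure gets the same correction as the Disconnect figure, "CoA-Response" becoming "CoA-ACK/NAK", which now matches the text beneath it that defines CoA-ACK and CoA-NAK (including the mandatory CoA-NAK for an unsupported Service-Type value); the two figures are now consistent with each other, and the left-column label is the only remaining occurrence of the old name in this diff.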
skipping to change at page 26, line 48 skipping to change at page 26, line 48
For Dynamic Authorization Clients implementing this specification, For Dynamic Authorization Clients implementing this specification,
the IPsec policy would be "Initiate IPsec, from me to any, the IPsec policy would be "Initiate IPsec, from me to any,
destination port UDP 3799". This causes the Dynamic Authorization destination port UDP 3799". This causes the Dynamic Authorization
Client to initiate IPsec when sending Dynamic Authorization traffic Client to initiate IPsec when sending Dynamic Authorization traffic
to any Dynamic Authorization Server. If some Dynamic Authorization to any Dynamic Authorization Server. If some Dynamic Authorization
Servers contacted by the Dynamic Authorization Client do not support Servers contacted by the Dynamic Authorization Client do not support
IPsec, then a more granular policy will be required, such as IPsec, then a more granular policy will be required, such as
"Initiate IPsec, from me to IPsec-Capable-DAS, destination port UDP "Initiate IPsec, from me to IPsec-Capable-DAS, destination port UDP
3799". 3799".
Where IPsec is used for security, and no RADIUS shared secret is
configured, it is important that the DAC and DAS perform an
authorization check. Before enabling a host to act as a DAS, the DAC
SHOULD check whether the host is authorized to act in that role.
Similarly, before enabling a host to act as a DAC, the DAS SHOULD
check whether the host is authorized for that role, utilizing the
mechanisms described in [RFC3579] Section 4.2.
6.3. Replay Protection 6.3. Replay Protection
Where IPsec replay protection is not used, an Event-Timestamp (55) Where IPsec replay protection is not used, an Event-Timestamp (55)
[RFC2869] Attribute SHOULD be included within CoA-Request and [RFC2869] Attribute SHOULD be included within CoA-Request and
Disconnect-Request packets, and MAY be included within CoA-ACK, CoA- Disconnect-Request packets, and MAY be included within CoA-ACK, CoA-
NAK, Disconnect-ACK and Disconnect-NAK packets. NAK, Disconnect-ACK and Disconnect-NAK packets.
When the Event-Timestamp attribute is present, both the Dynamic When the Event-Timestamp attribute is present, both the Dynamic
Authorization Server and the Dynamic Authorization Client MUST check Authorization Server and the Dynamic Authorization Client MUST check
that the Event-Timestamp Attribute is current within an acceptable that the Event-Timestamp Attribute is current within an acceptable
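Review bot: in the newly added paragraph, the clause "utilizing the mechanisms described in [RFC3579] Section 4.2" is attached only to the DAS's check of a host that wants to act as a DAC, leaving it unclear whether the DAC's check of a prospective DAS is meant to use the same mechanisms; suggest moving the reference into the first sentence ("... it is important that the DAC and DAS perform an authorization check, utilizing the mechanisms described in [RFC3579] Section 4.2.") so it covers both directions. The opening condition "Where IPsec is used for security, and no RADIUS shared secret is configured" should also say, or point to where the draft says, how packets are authenticated in that configuration, since the reader is otherwise left to guess what stands in for the shared secret.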
 End of changes. 9 change blocks. 
17 lines changed or deleted 8 lines changed or added

This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/