draft-ietf-radext-vlan-02.txt   draft-ietf-radext-vlan-03.txt 
Network Working Group Paul Congdon Network Working Group Paul Congdon
INTERNET-DRAFT Mauricio Sanchez INTERNET-DRAFT Mauricio Sanchez
Category: Proposed Standard Hewlett-Packard Company Category: Proposed Standard Hewlett-Packard Company
<draft-ietf-radext-vlan-02.txt> Bernard Aboba <draft-ietf-radext-vlan-03.txt> Bernard Aboba
26 March 2006 Microsoft Corporation 12 April 2006 Microsoft Corporation
RADIUS Attributes for Virtual LAN and Priority Support RADIUS Attributes for Virtual LAN and Priority Support
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 42 skipping to change at page 1, line 42
This Internet-Draft will expire on October 10, 2006. This Internet-Draft will expire on October 10, 2006.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society 2006. Copyright (C) The Internet Society 2006.
Abstract Abstract
This document proposes additional RADIUS (Remote Authentication Dial This document proposes additional RADIUS (Remote Authentication Dial
In User Service) attributes for dynamic Virtual LAN assignment and In User Service) attributes for dynamic Virtual LAN assignment and
prioritization, for use by IEEE 802.1X authenticators. These prioritization, for use in provisioning of access to IEEE 802 local
attributes are usable within either RADIUS or Diameter. area networks. These attributes are usable within either RADIUS or
Diameter.
Table of Contents Table of Contents
1. Introduction .......................................... 3 1. Introduction .......................................... 3
1.1 Terminology ..................................... 3 1.1 Terminology ..................................... 3
1.2 Requirements Language ........................... 3 1.2 Requirements Language ........................... 3
1.3 Attribute Interpretation ........................ 4 1.3 Attribute Interpretation ........................ 3
2. Attributes ............................................ 4 2. Attributes ............................................ 4
2.1 Egress-VLANID ................................... 4 2.1 Egress-VLANID ................................... 4
2.2 Ingress-Filters ................................. 5 2.2 Ingress-Filters ................................. 5
2.3 Egress-VLAN-Name ................................ 6 2.3 Egress-VLAN-Name ................................ 6
2.4 User-Priority-Table ............................. 7 2.4 User-Priority-Table ............................. 7
3. Table of Attributes ................................... 8 3. Table of Attributes ................................... 9
4. Diameter Considerations ............................... 9 4. Diameter Considerations ............................... 9
5. IANA Considerations ................................... 9 5. IANA Considerations ................................... 9
6. Security Considerations ............................... 9 6. Security Considerations ............................... 9
7. References ............................................ 10 7. References ............................................ 10
7.1 Normative References ............................ 10 7.1 Normative References ............................ 10
7.2 Informative References .......................... 10 7.2 Informative References .......................... 11
ACKNOWLEDGMENTS .............................................. 12 ACKNOWLEDGMENTS .............................................. 11
AUTHORS' ADDRESSES ........................................... 12 AUTHORS' ADDRESSES ........................................... 12
Intellectual Property Statement............................... 13 Intellectual Property Statement............................... 12
Disclaimer of Validity........................................ 13 Disclaimer of Validity........................................ 13
Full Copyright Statement ..................................... 13 Full Copyright Statement ..................................... 13
1. Introduction 1. Introduction
IEEE 802.1X [IEEE-802.1X] provides "network port authentication" for
IEEE 802 [IEEE-802] media, including Ethernet [IEEE-802.3], Token
Ring and 802.11 wireless LANs [IEEE-802.11][IEEE-802.11i].
This document describes Virtual LAN (VLAN) and re-prioritization This document describes Virtual LAN (VLAN) and re-prioritization
attributes that may prove useful for provisioning of access to IEEE attributes that may prove useful for provisioning of access to IEEE
802 local area networks with the Remote Authentication Dialin User 802 local area networks [IEEE-802] with the Remote Authentication
Service (RADIUS). Dialin User Service (RADIUS).
While [RFC3580] enables support for VLAN assignment based on the While [RFC3580] enables support for VLAN assignment based on the
tunnel attributes defined in [RFC2868], it does not provide support tunnel attributes defined in [RFC2868], it does not provide support
for a more complete set of VLAN functionality as defined by for a more complete set of VLAN functionality as defined by
[IEEE-802.1Q]. The attributes defined in this document provide [IEEE-802.1Q]. The attributes defined in this document provide
support within RADIUS analogous to the management variables supported support within RADIUS analogous to the management variables supported
in [IEEE-802.1Q] and MIB objects defined in [RFC4363]. In addition, in [IEEE-802.1Q] and MIB objects defined in [RFC4363]. In addition,
this document enables support for a wider range of [IEEE-802.1X] this document enables support for a wider range of [IEEE-802.1X]
configurations. configurations.
1.1. Terminology 1.1. Terminology
This document uses the following terms: This document uses the following terms:
Authenticator
The end of the link initiating EAP authentication. The term
authenticator is used in [RFC3748] and [IEEE-802.1X], and has the
same meaning in this document.
backend authentication server
A backend authentication server is an entity that provides an
authentication service to an authenticator. When used, this server
typically executes EAP methods for the authenticator. This
terminology is also used in [IEEE-802.1X].
Network Access Server (NAS) Network Access Server (NAS)
A device that provides an access service for a user to a network. A device that provides an access service for a user to a network.
Supplicant
The end of the link that responds to the authenticator in
[IEEE-802.1X].
1.2. Requirements Language 1.2. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
1.3. Attribute Interpretation 1.3. Attribute Interpretation
If a NAS conforming to this specification receives an Access-Accept If a NAS conforming to this specification receives an Access-Accept
packet containing an attribute defined in this document which it packet containing an attribute defined in this document which it
skipping to change at page 4, line 30 skipping to change at page 4, line 15
2. Attributes 2. Attributes
2.1. Egress-VLANID 2.1. Egress-VLANID
Description Description
The Egress-VLANID attribute represents an allowed IEEE 802 Egress The Egress-VLANID attribute represents an allowed IEEE 802 Egress
VLANID for this port; it carries the VLANID together with an VLANID for this port; it carries the VLANID together with an
indication of whether frames on that VLAN are tagged or untagged. indication of whether frames on that VLAN are tagged or untagged.
Multiple Egress-VLANID attributes MAY be included in an Access- Multiple Egress-VLANID attributes MAY be included in Access-
Request, Access-Accept or CoA-Request packet; this attribute MUST Request, Access-Accept, CoA-Request or Accounting-Request packets;
NOT be sent within an Access-Challenge, Access-Reject, Disconnect- this attribute MUST NOT be sent within an Access-Challenge,
Request, Disconnect-ACK, Disconnect-NAK, CoA-ACK, or CoA-NAK. Access-Reject, Disconnect-Request, Disconnect-ACK, Disconnect-NAK,
Each attribute adds the specified VLAN to the list of allowed CoA-ACK or CoA-NAK. Each attribute adds the specified VLAN to the
egress VLANs for the port. list of allowed egress VLANs for the port.
The Egress-VLANID attribute is shown below. The fields are The Egress-VLANID attribute is shown below. The fields are
transmitted from left to right: transmitted from left to right:
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Integer | Type | Length | Value
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Integer | Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type Type
TBD TBD
Length Length
6 6
Integer Value
The Integer field is four octets in length. The format is The Value field is four octets. The format is described below:
described below:
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Tag Indic. | Pad | VLANID | | Tag Indic. | Pad | VLANID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The Tag Indication field is one octet in length, and indicates The Tag Indication field is one octet in length, and indicates
whether the frames on the VLAN are tagged (0x31) or untagged whether the frames on the VLAN are tagged (0x31) or untagged
(0x32). The Pad field is 12-bits in length and MUST be 0 (zero). (0x32). The Pad field is 12-bits in length and MUST be 0 (zero).
The VLANID is 12-bits in length and contains the [IEEE-802.1Q] The VLANID is 12-bits in length and contains the [IEEE-802.1Q]
VLAN VID value. VLAN VID value.
2.2. Ingress-Filters 2.2. Ingress-Filters
Description Description
The Ingress-Filters attribute corresponds to Ingress Filter per- The Ingress-Filters attribute corresponds to the Ingress Filter
port variable defined in [IEEE-802.1Q] clause 8.4.5. When the per-port variable defined in [IEEE-802.1Q] clause 8.4.5. When the
attribute has the value "Enabled", the set of VLANs that are attribute has the value "Enabled", the set of VLANs that are
allowed to ingress a port must match the set of VLANs that are allowed to ingress a port must match the set of VLANs that are
allowed to egress a port. Only a single Ingress-Filters attribute allowed to egress a port. Only a single Ingress-Filters attribute
MAY be sent within an Access-Request, Access-Accept or CoA-Request MAY be sent within an Access-Request, Access-Accept, CoA-Request
packet; this attribute MUST NOT be sent within an Access- or Accounting-Request packet; this attribute MUST NOT be sent
Challenge, Access-Reject, Disconnect-Request, Disconnect-ACK, within an Access-Challenge, Access-Reject, Disconnect-Request,
Disconnect-NAK, CoA-ACK, or CoA-NAK. Disconnect-ACK, Disconnect-NAK, CoA-ACK or CoA-NAK.
The Ingress-Filters attribute is shown below. The fields are The Ingress-Filters attribute is shown below. The fields are
transmitted from left to right: transmitted from left to right:
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Integer | Type | Length | Value
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Integer | Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type Type
TBD TBD
Length Length
6 6
Integer Value
Supported values include: The Value field is four octets. Supported values include:
1 - Enabled 1 - Enabled
2 - Disabled 2 - Disabled
2.3. Egress-VLAN-Name 2.3. Egress-VLAN-Name
Description Description
Clause 12.10.2.1.3 (a) in [IEEE-802.1Q] describes the Clause 12.10.2.1.3 (a) in [IEEE-802.1Q] describes the
administratively assigned VLAN Name associated with a VLAN-ID administratively assigned VLAN Name associated with a VLAN-ID
skipping to change at page 6, line 33 skipping to change at page 6, line 23
to the Egress-VLANID attribute, except that the VLAN-ID itself is to the Egress-VLANID attribute, except that the VLAN-ID itself is
not specified or known; rather the VLAN name is used to identify not specified or known; rather the VLAN name is used to identify
the VLAN within the system. the VLAN within the system.
The Egress-VLAN-Name attribute contains two parts; the first part The Egress-VLAN-Name attribute contains two parts; the first part
indicates if frames on the VLAN for this port are to be indicates if frames on the VLAN for this port are to be
represented in tagged or untagged format, the second part is the represented in tagged or untagged format, the second part is the
VLAN name. VLAN name.
Multiple Egress-VLAN-Name attributes MAY be included within an Multiple Egress-VLAN-Name attributes MAY be included within an
Access-Request, Access-Accept or CoA-Request packet; this Access-Request, Access-Accept, CoA-Request or Accounting-Request
attribute MUST NOT be sent within an Access-Challenge, Access- packet; this attribute MUST NOT be sent within an Access-
Reject, Disconnect-Request, Disconnect-ACK, Disconnect-NAK, CoA- Challenge, Access-Reject, Disconnect-Request, Disconnect-ACK,
ACK, or CoA-NAK. Each attribute adds the named VLAN to the list Disconnect-NAK, CoA-ACK or CoA-NAK. Each attribute adds the named
of allowed egress VLANs for the port. The Egress-VLAN-Name VLAN to the list of allowed egress VLANs for the port. The
attribute is shown below. The fields are transmitted from left to Egress-VLAN-Name attribute is shown below. The fields are
right: transmitted from left to right:
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Tag Indic. | String... | Type | Length | Tag Indic. | String...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type Type
TBD TBD
skipping to change at page 7, line 4 skipping to change at page 6, line 40
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Tag Indic. | String... | Type | Length | Tag Indic. | String...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type Type
TBD TBD
Length Length
>=4 >=4
Tag Indication Tag Indication
The Tag Indication field is one octet in length, and indicates The Tag Indication field is one octet in length, and indicates
whether the frames on the VLAN are tagged (0x31) or untagged whether the frames on the VLAN are tagged (0x31, ASCII '1') or
(0x32). untagged (0x32, ASCII '2'). These values were chosen so as to
make them easier for users to enter.
String String
The String field is at least one octet in length, and contains the The String field is at least one octet in length, and contains the
VLAN Name as defined in [IEEE-802.1Q] clause 12.10.2.1.3 (a). VLAN Name as defined in [IEEE-802.1Q] clause 12.10.2.1.3 (a).
[RFC3629] UTF-8 encoded 10646 characters are RECOMMENDED, but a [RFC3629] UTF-8 encoded 10646 characters are RECOMMENDED, but a
robust implementation SHOULD support the field as undistinguished robust implementation SHOULD support the field as undistinguished
octets. octets.
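The two egress attributes above share one convention (an ASCII '1'/'2' Tag Indication in front of either a packed 12-bit VID or a VLAN name), so a single added example covers both. This is illustration code written for this page, not code from the draft or from any RADIUS implementation. The Type codes are still TBD in the draft, so `TYPE_EGRESS_VLANID` and `TYPE_EGRESS_VLAN_NAME` are placeholders; the sample Access-Accept contents at the bottom are constructed. The decoder enforces the two checks a NAS should not skip: the Pad MUST be zero, and the Tag Indication must be one of the two defined values.

```python
import struct

# Type codes are "TBD" in this draft; these two values are placeholders for the
# example, not assigned RADIUS attribute numbers.
TYPE_EGRESS_VLANID = 0xF0
TYPE_EGRESS_VLAN_NAME = 0xF1

TAG_TAGGED = 0x31      # ASCII '1'
TAG_UNTAGGED = 0x32    # ASCII '2'
_TAG_NAMES = {TAG_TAGGED: "tagged", TAG_UNTAGGED: "untagged"}


def encode_egress_vlanid(vid, tagged):
    """Build the 6-octet Egress-VLANID attribute: Type, Length=6, then a 4-octet
    Value laid out as Tag Indication (8 bits) | Pad (12 bits, zero) | VLANID (12 bits)."""
    if not 0 <= vid <= 0xFFF:
        raise ValueError("VLANID must fit in 12 bits")
    tag = TAG_TAGGED if tagged else TAG_UNTAGGED
    return struct.pack("!BBI", TYPE_EGRESS_VLANID, 6, (tag << 24) | vid)


def decode_egress_vlanid(attr):
    """Return (vid, 'tagged'|'untagged').  Rejects an unknown Tag Indication and
    a non-zero Pad, which the draft says MUST be 0."""
    if len(attr) != 6:
        raise ValueError("Egress-VLANID is exactly 6 octets")
    atype, length, value = struct.unpack("!BBI", attr)
    if atype != TYPE_EGRESS_VLANID or length != 6:
        raise ValueError("not an Egress-VLANID attribute")
    tag, pad, vid = value >> 24, (value >> 12) & 0xFFF, value & 0xFFF
    if tag not in _TAG_NAMES:
        raise ValueError("Tag Indication must be 0x31 or 0x32, got 0x%02x" % tag)
    if pad != 0:
        raise ValueError("Pad MUST be zero, got 0x%03x" % pad)
    return vid, _TAG_NAMES[tag]


def encode_egress_vlan_name(name, tagged):
    """Build Egress-VLAN-Name: Type, Length (>= 4), Tag Indication, then the
    UTF-8 encoded VLAN Name (at least one octet)."""
    data = name.encode("utf-8")
    if not data:
        raise ValueError("String field is at least one octet")
    if 3 + len(data) > 255:
        raise ValueError("VLAN Name too long for one RADIUS attribute")
    tag = TAG_TAGGED if tagged else TAG_UNTAGGED
    return struct.pack("!BBB", TYPE_EGRESS_VLAN_NAME, 3 + len(data), tag) + data


def decode_egress_vlan_name(attr):
    """Return (name_octets, 'tagged'|'untagged').  The name is handed back as
    undistinguished octets, as the draft recommends for a robust implementation;
    a caller that needs text decodes it as UTF-8 itself."""
    if len(attr) < 4:
        raise ValueError("Egress-VLAN-Name Length is at least 4")
    atype, length, tag = struct.unpack("!BBB", attr[:3])
    if atype != TYPE_EGRESS_VLAN_NAME or length != len(attr):
        raise ValueError("not a well-formed Egress-VLAN-Name attribute")
    if tag not in _TAG_NAMES:
        raise ValueError("Tag Indication must be 0x31 or 0x32, got 0x%02x" % tag)
    return attr[3:], _TAG_NAMES[tag]


def allowed_egress_vlans(attrs):
    """Fold the Egress-VLANID / Egress-VLAN-Name attributes of one packet into
    the port's allowed-egress list: each attribute adds one entry, as the draft
    specifies.  Attributes of other types are skipped."""
    allowed = []
    for attr in attrs:
        if attr[0] == TYPE_EGRESS_VLANID:
            allowed.append(decode_egress_vlanid(attr))
        elif attr[0] == TYPE_EGRESS_VLAN_NAME:
            allowed.append(decode_egress_vlan_name(attr))
    return allowed


if __name__ == "__main__":
    # Constructed Access-Accept contents: VLAN 100 tagged, VLAN 20 untagged, "Guest" tagged.
    accept = [encode_egress_vlanid(100, True), encode_egress_vlanid(20, False),
              encode_egress_vlan_name("Guest", True)]
    print(allowed_egress_vlans(accept))
```

A decoder that silently masks the Pad to zero instead of rejecting it would accept values the draft forbids, and two implementations disagreeing on that point is how a mis-encoded VLAN ends up applied on one NAS and dropped on another; failing closed on the whole attribute is the safer choice.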
2.4. User-Priority-Table 2.4. User-Priority-Table
Description Description
[IEEE-802.1D] clause 7.5.1 discusses how to regenerate (or re-map) [IEEE-802.1D] clause 7.5.1 discusses how to regenerate (or re-map)
user priority on frames received at a port. This per-port user priority on frames received at a port. This per-port
configuration enables a bridge to cause the priority of received configuration enables a bridge to cause the priority of received
traffic at a port to be mapped to a particular priority. The traffic at a port to be mapped to a particular priority.
management variables are described in clause 14.6.2.2. [IEEE-802.1D] clause 6.3.9 describes the use of remapping:
The ability to signal user priority in IEEE 802 LANs allows
user priority to be carried with end-to-end significance across
a Bridged Local Area Network. This, coupled with a consistent
approach to the mapping of user priority to traffic classes and
of user priority to access_priority, allows consistent use of
priority information, according to the capabilities of the
Bridges and MACs in the transmission path...
Under normal circumstances, user priority is not modified in
transit through the relay function of a Bridge; however,
network management can control how user priority is propagated.
Table 7-1 provides the ability to map incoming user priority
values on a per-Port basis. By default, the regenerated user
priority is identical to the incoming user priority.
This attribute represents the IEEE 802 prioritization that will be This attribute represents the IEEE 802 prioritization that will be
applied to packets arriving at this port. There are eight applied to packets arriving at this port. There are eight
possible user priorities, according to the [IEEE-802] standard. A possible user priorities, according to the [IEEE-802] standard.
single User-Priority-Table attribute MAY be included in an Access- [IEEE-802.1D] clause 14.6.2.3.3 specifies the regeneration table
Request, Access-Accept or CoA-Request packet; this attribute MUST as 8 values, each an integer in the range 0-7. The management
NOT be sent within an Access-Challenge, Access-Reject, Disconnect- variables are described in clause 14.6.2.2.
Request, Disconnect-ACK, Disconnect-NAK, CoA-ACK, or CoA-NAK.
A single User-Priority-Table attribute MAY be included in an
Access-Accept or CoA-Request packet; this attribute MUST NOT be
sent within an Access-Request, Access-Challenge, Access-Reject,
Disconnect-Request, Disconnect-ACK, Disconnect-NAK, CoA-ACK, CoA-
NAK or Accounting-Request. Since the regeneration table is only
maintained by a bridge conforming to [IEEE-802.1D], this attribute
should only be sent to a RADIUS client supporting that
specification.
The User-Priority-Table attribute is shown below. The fields are The User-Priority-Table attribute is shown below. The fields are
transmitted from left to right: transmitted from left to right:
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | String | Type | Length | String
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
String String
skipping to change at page 8, line 15 skipping to change at page 8, line 29
TBD TBD
Length Length
10 10
String String
The String field is 8 octets in length, and includes a table which The String field is 8 octets in length, and includes a table which
maps the incoming priority (if one exists - the default is 0) into maps the incoming priority (if it is set - the default is 0) into
one of eight regenerated priorities. The first octet maps to one of eight regenerated priorities. The first octet maps to
incoming priority 0, the second octet to incoming priority 1, etc. incoming priority 0, the second octet to incoming priority 1, etc.
The values in each octet represent the regenerated priority of the The values in each octet represent the regenerated priority of the
packet. packet.
It is thus possible to either remap incoming priorities to more It is thus possible to either remap incoming priorities to more
appropriate values; or to honor the incoming priorities; or to appropriate values; to honor the incoming priorities; or to
override any incoming priorities, forcing them to all map to a override any incoming priorities, forcing them to all map to a
single chosen priority. single chosen priority.
The [IEEE-802.1D] specification, Annex G, provides a useful The [IEEE-802.1D] specification, Annex G, provides a useful
description of traffic type - traffic class mappings. description of traffic type - traffic class mappings.
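The three uses of the table the text names (honor, remap, override) and the range check on its octets, as an added example that is not code from the draft or from any bridge or RADIUS implementation. `TYPE_USER_PRIORITY_TABLE` is a placeholder because the Type code is TBD in the draft; `clamp_table` is my own name for the remap a port-facing policy would typically want, where anything an end station marks above a chosen priority is regenerated to 0 rather than carried end-to-end across the bridged LAN. The Access-Accept value at the bottom is constructed.

```python
import struct

TYPE_USER_PRIORITY_TABLE = 0xF3   # placeholder: the Type code is TBD in this draft


def encode_user_priority_table(table):
    """Build the attribute: Type, Length=10, then 8 octets where octet i holds the
    regenerated priority for incoming user priority i (each value 0-7)."""
    table = bytes(table)
    if len(table) != 8 or any(p > 7 for p in table):
        raise ValueError("table must be 8 priorities, each 0-7")
    return struct.pack("!BB", TYPE_USER_PRIORITY_TABLE, 10) + table


def decode_user_priority_table(attr):
    """Return the 8-tuple regeneration table, rejecting a wrong Length or an octet
    outside 0-7 (the 802.1D table the draft cites is 8 values in the range 0-7)."""
    if len(attr) != 10:
        raise ValueError("User-Priority-Table is exactly 10 octets")
    atype, length = struct.unpack("!BB", attr[:2])
    if atype != TYPE_USER_PRIORITY_TABLE or length != 10:
        raise ValueError("not a User-Priority-Table attribute")
    table = tuple(attr[2:])
    if any(p > 7 for p in table):
        raise ValueError("regenerated priority out of range 0-7")
    return table


def honor_table():
    """Identity mapping: regenerated priority equals incoming priority (the 802.1D default)."""
    return tuple(range(8))


def override_table(priority):
    """Force every incoming priority to one chosen value."""
    if not 0 <= priority <= 7:
        raise ValueError("priority must be 0-7")
    return (priority,) * 8


def clamp_table(max_priority):
    """Keep priorities up to max_priority and regenerate anything higher to 0, so an
    end station cannot mark its own frames into the classes reserved for control
    traffic.  (Name and policy are this example's, not the draft's.)"""
    if not 0 <= max_priority <= 7:
        raise ValueError("priority must be 0-7")
    return tuple(p if p <= max_priority else 0 for p in range(8))


def regenerate(table, incoming):
    """Apply the table to one received frame.  A frame that carries no priority
    (incoming is None) uses the default of 0, as the draft states."""
    incoming = 0 if incoming is None else incoming
    if not 0 <= incoming <= 7:
        raise ValueError("user priority must be 0-7")
    return table[incoming]


if __name__ == "__main__":
    attr = encode_user_priority_table(clamp_table(5))   # constructed Access-Accept value
    table = decode_user_priority_table(attr)
    print([regenerate(table, p) for p in range(8)])     # incoming 6 and 7 come out as 0
```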
3. Table of Attributes 3. Table of Attributes
The following table provides a guide to which attributes may be found The following table provides a guide to which attributes may be found
in which kinds of packets, and in what quantity. in which kinds of packets, and in what quantity.
Access- Access- Access- Access- CoA- Access- Access- Access- Access- CoA- Acct-
Request Accept Reject Challenge Req # Attribute Request Accept Reject Challenge Req Req # Attribute
0+ 0+ 0 0 0+ TBD Egress-VLANID 0+ 0+ 0 0 0+ 0+ TBD Egress-VLANID
0-1 0-1 0 0 0-1 TBD Ingress-Filters 0-1 0-1 0 0 0-1 0-1 TBD Ingress-Filters
0+ 0+ 0 0 0+ TBD Egress-VLAN-Name 0+ 0+ 0 0 0+ 0+ TBD Egress-VLAN-Name
0-1 0-1 0 0 0-1 TBD User-Priority-Table 0 0-1 0 0 0-1 0 TBD User-Priority-Table
The following table defines the meaning of the above table entries. The following table defines the meaning of the above table entries.
0 This attribute MUST NOT be present in the packet. 0 This attribute MUST NOT be present in the packet.
0+ Zero or more instances of this attribute MAY be 0+ Zero or more instances of this attribute MAY be
present in the packet. present in the packet.
0-1 Zero or one instance of this attribute MAY be 0-1 Zero or one instance of this attribute MAY be
present in the packet. present in the packet.
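A check that enforces the table above on a decoded packet, written for this page as an added example (not code from the draft or from any RADIUS server). It encodes the -03 column of the table, which adds Accounting-Request and bars User-Priority-Table from Access-Request; the packet kinds the table does not list (Disconnect-Request/ACK/NAK, CoA-ACK, CoA-NAK) are the ones the text says the attributes MUST NOT appear in, so they are treated as "0". The Type codes in `TYPES` are placeholders because all four are TBD in the draft, and the packets at the bottom are constructed.

```python
from collections import Counter

# Placeholder Type codes: all four are TBD in this draft.
TYPES = {
    "Egress-VLANID": 0xF0,
    "Egress-VLAN-Name": 0xF1,
    "Ingress-Filters": 0xF2,
    "User-Priority-Table": 0xF3,
}

ZERO, ZERO_PLUS, ZERO_ONE = (0, 0), (0, None), (0, 1)   # table entries 0, 0+, 0-1
PACKET_KINDS = ("Access-Request", "Access-Accept", "Access-Reject",
                "Access-Challenge", "CoA-Request", "Accounting-Request")

# Rows of the section 3 table (-03 column), in PACKET_KINDS order.
_ROWS = {
    "Egress-VLANID":       (ZERO_PLUS, ZERO_PLUS, ZERO, ZERO, ZERO_PLUS, ZERO_PLUS),
    "Ingress-Filters":     (ZERO_ONE,  ZERO_ONE,  ZERO, ZERO, ZERO_ONE,  ZERO_ONE),
    "Egress-VLAN-Name":    (ZERO_PLUS, ZERO_PLUS, ZERO, ZERO, ZERO_PLUS, ZERO_PLUS),
    "User-Priority-Table": (ZERO,      ZERO_ONE,  ZERO, ZERO, ZERO_ONE,  ZERO),
}
ALLOWED = {name: dict(zip(PACKET_KINDS, row)) for name, row in _ROWS.items()}


def allowed_count(attribute, packet_kind):
    """(min, max) instances of attribute in packet_kind; max None means 0+.
    Kinds absent from the table are the MUST NOT cases, so they get (0, 0)."""
    return ALLOWED[attribute].get(packet_kind, ZERO)


def check_packet(packet_kind, attrs):
    """Count this draft's attributes in a decoded packet (a list of (type, value)
    pairs) and return one message per row of the table that is violated; an
    empty list means the packet conforms.  Other attribute types are ignored."""
    counts = Counter(atype for atype, _ in attrs)
    problems = []
    for name, code in TYPES.items():
        seen = counts.get(code, 0)
        lo, hi = allowed_count(name, packet_kind)
        if seen < lo or (hi is not None and seen > hi):
            limit = "0+" if hi is None else ("0-1" if hi == 1 else "0")
            problems.append("%s: %d present in %s, table allows %s"
                            % (name, seen, packet_kind, limit))
    return problems


if __name__ == "__main__":
    # Constructed packets; the second carries User-Priority-Table in an
    # Access-Request, which the -03 table does not allow.
    e, u = TYPES["Egress-VLANID"], TYPES["User-Priority-Table"]
    print(check_packet("Access-Accept", [(e, b"\x31\x00\x00\x64"), (e, b"\x32\x00\x00\x14")]))
    print(check_packet("Access-Request", [(u, bytes(range(8)))]))
```

Running this on the receive path, before any VLAN or priority state is changed, is what turns the table's "MUST NOT" into behaviour: a second Ingress-Filters in a CoA-Request, or a User-Priority-Table arriving in an Accounting-Request, is then logged and discarded rather than applied.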
4. Diameter Considerations 4. Diameter Considerations
skipping to change at page 9, line 29 skipping to change at page 9, line 49
RADIUS attributes for which values are requested are: RADIUS attributes for which values are requested are:
TBD - Egress-VLANID TBD - Egress-VLANID
TBD - Ingress-Filters TBD - Ingress-Filters
TBD - Egress-VLAN-Name TBD - Egress-VLAN-Name
TBD - User-Priority-Table TBD - User-Priority-Table
6. Security Considerations 6. Security Considerations
This specification describes the use of RADIUS for purposes of This specification describes the use of RADIUS for purposes of
authentication, authorization and accounting in networks supporting authentication, authorization and accounting in IEEE 802 local area
[IEEE 802.1X]. Threats and security issues for this application are networks. Threats and security issues for this application are
described in [RFC3579] and [RFC3580]; security issues encountered in described in [RFC3579] and [RFC3580]; security issues encountered in
roaming are described in [RFC2607]. roaming are described in [RFC2607].
This document specifies new attributes that can be included in This document specifies new attributes that can be included in
existing RADIUS packets, which are protected as described in existing RADIUS packets, which are protected as described in
[RFC3579] and [RFC3576]. See those documents for a more detailed [RFC3579] and [RFC3576]. See those documents for a more detailed
description. description.
The security mechanisms described in [RFC3579] and [RFC3576] are The security mechanisms described in [RFC3579] and [RFC3576] are
focused on preventing an attacker from spoofing packets or modifying focused on preventing an attacker from spoofing packets or modifying
skipping to change at page 10, line 19 skipping to change at page 10, line 39
7.1. Normative references 7.1. Normative references
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, March, 1997. Requirement Levels", RFC 2119, March, 1997.
[RFC2865] Rigney, C., Rubens, A., Simpson, W. and S. Willens, "Remote [RFC2865] Rigney, C., Rubens, A., Simpson, W. and S. Willens, "Remote
Authentication Dial In User Service (RADIUS)", RFC 2865, June Authentication Dial In User Service (RADIUS)", RFC 2865, June
2000. 2000.
[RFC3575] Aboba, B., "IANA Considerations for RADIUS", RFC 3575, July [RFC3629] Yergeau, F., "UTF-8, a transformation of ISO 10646", RFC 3629,
2003.
[RFC3629] Yergeau, F., "UTF-8, a transformation of ISO 10646", RFC 2607,
November 2003. November 2003.
[RFC4363] Levi, D. and D. Harrington, "Definitions of Managed Objects [RFC4363] Levi, D. and D. Harrington, "Definitions of Managed Objects
for Bridges with Traffic Classes, Multicast Filtering and for Bridges with Traffic Classes, Multicast Filtering and
Virtual LAN Extensions", RFC 4363, January 2006. Virtual LAN Extensions", RFC 4363, January 2006.
[IEEE-802] [IEEE-802]
IEEE Standards for Local and Metropolitan Area Networks: IEEE Standards for Local and Metropolitan Area Networks:
Overview and Architecture, ANSI/IEEE Std 802, 1990. Overview and Architecture, ANSI/IEEE Std 802, 1990.
[IEEE-802.1D] [IEEE-802.1D]
IEEE Standards for Local and Metropolitan Area Networks: Media IEEE Standards for Local and Metropolitan Area Networks: Media
Access Control (MAC) Bridges, IEEE Std 802.1D-2004, June 2004. Access Control (MAC) Bridges, IEEE Std 802.1D-2004, June 2004.
[IEEE-802.1Q] [IEEE-802.1Q]
IEEE Standards for Local and Metropolitan Area Networks: Draft IEEE Standards for Local and Metropolitan Area Networks: Draft
Standard for Virtual Bridged Local Area Networks, Standard for Virtual Bridged Local Area Networks,
P802.1Q-2003, January 2003. P802.1Q-2003, January 2003.
7.2. Informative references
[IEEE-802.1X] [IEEE-802.1X]
IEEE Standards for Local and Metropolitan Area Networks: Port IEEE Standards for Local and Metropolitan Area Networks: Port
based Network Access Control, IEEE Std 802.1X-2004, December based Network Access Control, IEEE Std 802.1X-2004, December
2004. 2004.
7.2. Informative references
[RFC2607] Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy [RFC2607] Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy
Implementation in Roaming", RFC 2607, June 1999. Implementation in Roaming", RFC 2607, June 1999.
[RFC2868] Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege, M. [RFC2868] Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege, M.
and I. Goyret, "RADIUS Attributes for Tunnel Protocol and I. Goyret, "RADIUS Attributes for Tunnel Protocol
Support", RFC 2868, June 2000. Support", RFC 2868, June 2000.
[RFC3576] Chiba, M., Dommety, G., Eklund, M., Mitton, D. and B. Aboba, [RFC3576] Chiba, M., Dommety, G., Eklund, M., Mitton, D. and B. Aboba,
"Dynamic Authorization Extensions to Remote Authentication "Dynamic Authorization Extensions to Remote Authentication
Dial In User Service (RADIUS)", RFC 3576, July 2003. Dial In User Service (RADIUS)", RFC 3576, July 2003.
skipping to change at page 11, line 31 skipping to change at page 11, line 46
Levkowetz, "Extensible Authentication Protocol (EAP)", RFC Levkowetz, "Extensible Authentication Protocol (EAP)", RFC
3748, June 2004. 3748, June 2004.
[RFC4005] Calhoun, P., Zorn, G., Spence, D. and D. Mitton, "Diameter [RFC4005] Calhoun, P., Zorn, G., Spence, D. and D. Mitton, "Diameter
Network Access Server Application", RFC 4005, August 2005. Network Access Server Application", RFC 4005, August 2005.
[RFC4072] Eronen, P., Hiller, T., and G. Zorn, "Diameter Extensible [RFC4072] Eronen, P., Hiller, T., and G. Zorn, "Diameter Extensible
Authentication Protocol (EAP) Application", RFC 4072, August Authentication Protocol (EAP) Application", RFC 4072, August
2005. 2005.
[IEEE-802.3]
ISO/IEC 8802-3 Information technology - Telecommunications and
information exchange between systems - Local and metropolitan
area networks - Common specifications - Part 3: Carrier Sense
Multiple Access with Collision Detection (CSMA/CD) Access
Method and Physical Layer Specifications, (also ANSI/IEEE Std
802.3- 1996), 1996.
[IEEE-802.11]
Information technology - Telecommunications and information
exchange between systems - Local and metropolitan area
networks - Specific Requirements Part 11: Wireless LAN Medium
Access Control (MAC) and Physical Layer (PHY) Specifications,
IEEE Std. 802.11- 2003, 2003.
[IEEE-802.11i]
Institute of Electrical and Electronics Engineers, "Supplement
to Standard for Telecommunications and Information Exchange
Between Systems - LAN/MAN Specific Requirements - Part 11:
Wireless LAN Medium Access Control (MAC) and Physical Layer
(PHY) Specifications: Specification for Enhanced Security",
IEEE 802.11i, July 2004.
Acknowledgments Acknowledgments
The authors would like to acknowledge Joseph Salowey of Cisco, David The authors would like to acknowledge Joseph Salowey of Cisco, David
Nelson of Enterasys, Chuck Black of Hewlett Packard, and Ashwin Nelson of Enterasys, Chuck Black of Hewlett Packard, and Ashwin
Palekar of Microsoft. Palekar of Microsoft.
Authors' Addresses Authors' Addresses
Paul Congdon Paul Congdon
Hewlett Packard Company Hewlett Packard Company
 End of changes. 36 change blocks. 
106 lines changed or deleted 88 lines changed or added

This html diff was produced by rfcdiff 1.29, available from http://www.levkowetz.com/ietf/tools/rfcdiff/