summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc2869.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc2869.txt')
-rw-r--r--doc/rfc/rfc2869.txt2635
1 files changed, 2635 insertions, 0 deletions
diff --git a/doc/rfc/rfc2869.txt b/doc/rfc/rfc2869.txt
new file mode 100644
index 0000000..74ed7f6
--- /dev/null
+++ b/doc/rfc/rfc2869.txt
@@ -0,0 +1,2635 @@
+
+
+
+
+
+
+Network Working Group C. Rigney
+Request for Comments: 2869 Livingston
+Category: Informational W. Willats
+ Cyno Technologies
+ P. Calhoun
+ Sun Microsystems
+ June 2000
+
+
+ RADIUS Extensions
+
+Status of this Memo
+
+ This memo provides information for the Internet community. It does
+ not specify an Internet standard of any kind. Distribution of this
+ memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2000). All Rights Reserved.
+
+Abstract
+
+ This document describes additional attributes for carrying
+ authentication, authorization and accounting information between a
+ Network Access Server (NAS) and a shared Accounting Server using the
+ Remote Authentication Dial In User Service (RADIUS) protocol
+ described in RFC 2865 [1] and RFC 2866 [2].
+
+Table of Contents
+
+ 1. Introduction .......................................... 2
+ 1.1 Specification of Requirements ................... 3
+ 1.2 Terminology ..................................... 3
+ 2. Operation ............................................. 4
+ 2.1 RADIUS support for Interim Accounting Updates.... 4
+ 2.2 RADIUS support for Apple Remote Access
+ Protocol ........................................ 5
+ 2.3 RADIUS Support for Extensible Authentication
+ Protocol (EAP) .................................. 11
+ 2.3.1 Protocol Overview ............................... 11
+ 2.3.2 Retransmission .................................. 13
+ 2.3.3 Fragmentation ................................... 14
+ 2.3.4 Examples ........................................ 14
+ 2.3.5 Alternative uses ................................ 19
+ 3. Packet Format ......................................... 19
+ 4. Packet Types .......................................... 19
+ 5. Attributes ............................................ 20
+
+
+
+Rigney, et al. Informational [Page 1]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+ 5.1 Acct-Input-Gigawords ............................ 22
+ 5.2 Acct-Output-Gigawords ........................... 23
+ 5.3 Event-Timestamp ................................. 23
+ 5.4 ARAP-Password ................................... 24
+ 5.5 ARAP-Features ................................... 25
+ 5.6 ARAP-Zone-Access ................................ 26
+ 5.7 ARAP-Security ................................... 27
+ 5.8 ARAP-Security-Data .............................. 28
+ 5.9 Password-Retry .................................. 28
+ 5.10 Prompt .......................................... 29
+ 5.11 Connect-Info .................................... 30
+ 5.12 Configuration-Token ............................. 31
+ 5.13 EAP-Message ..................................... 32
+ 5.14 Message-Authenticator ........................... 33
+ 5.15 ARAP-Challenge-Response ......................... 35
+ 5.16 Acct-Interim-Interval ........................... 36
+ 5.17 NAS-Port-Id ..................................... 37
+ 5.18 Framed-Pool ..................................... 37
+ 5.19 Table of Attributes ............................. 38
+ 6. IANA Considerations ................................... 39
+ 7. Security Considerations ............................... 39
+ 7.1 Message-Authenticator Security .................. 39
+ 7.2 EAP Security .................................... 39
+ 7.2.1 Separation of EAP server and PPP authenticator .. 40
+ 7.2.2 Connection hijacking ............................ 41
+ 7.2.3 Man in the middle attacks ....................... 41
+ 7.2.4 Multiple databases .............................. 41
+ 7.2.5 Negotiation attacks ............................. 42
+ 8. References ............................................ 43
+ 9. Acknowledgements ...................................... 44
+ 10. Chair's Address ....................................... 44
+ 11. Authors' Addresses .................................... 45
+ 12. Full Copyright Statement .............................. 47
+
+1. Introduction
+
+ RFC 2865 [1] describes the RADIUS Protocol as it is implemented and
+ deployed today, and RFC 2866 [2] describes how Accounting can be
+ performed with RADIUS.
+
+
+
+
+
+
+
+
+
+
+
+
+Rigney, et al. Informational [Page 2]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+ This memo suggests several additional Attributes that can be added to
+ RADIUS to perform various useful functions. These Attributes do not
+ have extensive field experience yet and should therefore be
+ considered experimental.
+
+ The Extensible Authentication Protocol (EAP) [3] is a PPP extension
+ that provides support for additional authentication methods within
+ PPP. This memo describes how the EAP-Message and Message-
+ Authenticator attributes may be used for providing EAP support within
+ RADIUS.
+
+ All attributes are comprised of variable length Type-Length-Value 3-
+ tuples. New attribute values can be added without disturbing
+ existing implementations of the protocol.
+
+1.1. Specification of Requirements
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC 2119 [4].
+
+ An implementation is not compliant if it fails to satisfy one or more
+ of the must or must not requirements for the protocols it implements.
+ An implementation that satisfies all the must, must not, should and
+ should not requirements for its protocols is said to be
+ "unconditionally compliant"; one that satisfies all the must and must
+ not requirements but not all the should or should not requirements
+ for its protocols is said to be "conditionally compliant."
+
+ A NAS that does not implement a given service MUST NOT implement the
+ RADIUS attributes for that service. For example, a NAS that is
+ unable to offer ARAP service MUST NOT implement the RADIUS attributes
+ for ARAP. A NAS MUST treat a RADIUS access-request requesting an
+ unavailable service as an access-reject instead.
+
+1.2. Terminology
+
+ This document uses the following terms:
+
+ service The NAS provides a service to the dial-in user, such as PPP
+ or Telnet.
+
+ session Each service provided by the NAS to a dial-in user
+ constitutes a session, with the beginning of the session
+ defined as the point where service is first provided and
+ the end of the session defined as the point where service
+
+
+
+
+
+Rigney, et al. Informational [Page 3]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+ is ended. A user may have multiple sessions in parallel or
+ series if the NAS supports that, with each session
+ generating a separate start and stop accounting record.
+
+ silently discard
+ This means the implementation discards the packet without
+ further processing. The implementation SHOULD provide the
+ capability of logging the error, including the contents of
+ the silently discarded packet, and SHOULD record the event
+ in a statistics counter.
+
+2. Operation
+
+ Operation is identical to that defined in RFC 2865 [1] and RFC 2866
+ [2].
+
+2.1. RADIUS support for Interim Accounting Updates
+
+ When a user is authenticated, a RADIUS server issues an Access-Accept
+ in response to a successful Access-Request. If the server wishes to
+ receive interim accounting messages for the given user it must
+ include the Acct-Interim-Interval RADIUS attribute in the message,
+ which indicates the interval in seconds between interim messages.
+
+ It is also possible to statically configure an interim value on the
+ NAS itself. Note that a locally configured value on the NAS MUST
+ override the value found in an Access-Accept.
+
+ This scheme does not break backward interoperability since a RADIUS
+ server not supporting this extension will simply not add the new
+ Attribute. NASes not supporting this extension will ignore the
+ Attribute.
+
+ Note that all information in an interim message is cumulative (i.e.
+ number of packets sent is the total since the beginning of the
+ session, not since the last interim message).
+
+ It is envisioned that an Interim Accounting record (with Acct-
+ Status-Type = Interim-Update (3)) would contain all of the attributes
+ normally found in an Accounting Stop message with the exception of
+ the Acct-Term-Cause attribute.
+
+ Since all the information is cumulative, a NAS MUST ensure that only
+ a single generation of an interim Accounting message for a given
+ session is present in the retransmission queue at any given time.
+
+
+
+
+
+
+Rigney, et al. Informational [Page 4]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+ A NAS MAY use a fudge factor to add a random delay between Interim
+ Accounting messages for separate sessions. This will ensure that a
+ cycle where all messages are sent at once is prevented, such as might
+ otherwise occur if a primary link was recently restored and many
+ dial-up users were directed to the same NAS at once.
+
+ The Network and NAS CPU load of using Interim Updates should be
+ carefully considered, and appropriate values of Acct-Interim-Interval
+ chosen.
+
+2.2. RADIUS support for Apple Remote Access Protocol
+
+ The RADIUS (Remote Authentication Dial-In User Service) protocol
+ provides a method that allows multiple dial-in Network Access Server
+ (NAS) devices to share a common authentication database.
+
+ The Apple Remote Access Protocol (ARAP) provides a method for sending
+ AppleTalk network traffic over point-to-point links, typically, but
+ not exclusively, asynchronous and ISDN switched-circuit connections.
+ Though Apple is moving toward ATCP on PPP for future remote access
+ services, ARAP is still a common way for the installed base of
+ Macintosh users to make remote network connections, and is likely to
+ remain so for some time.
+
+ ARAP is supported by several NAS vendors who also support PPP, IPX
+ and other protocols in the same NAS. ARAP connections in these
+ multi-protocol devices are often not authenticated with RADIUS, or if
+ they are, each vendor creates an individual solution to the problem.
+
+ This section describes the use of additional RADIUS attributes to
+ support ARAP. RADIUS client and server implementations that implement
+ this specification should be able to authenticate ARAP connections in
+ an interoperable manner.
+
+ This section assumes prior knowledge of RADIUS, and will go into some
+ detail on the operation of ARAP before entering a detailed discussion
+ of the proposed ARAP RADIUS attributes.
+
+ There are two features of ARAP this document does not address:
+
+ 1. User initiated password changing. This is not part of RADIUS,
+ but can be implemented through a software process other than
+ RADIUS.
+
+ 2. Out-of-Band messages. At any time, the NAS can send messages to
+ an ARA client which appear in a dialog box on the dial-in
+ user's screen. These are not part of authentication and do not
+ belong here. However, we note that a Reply-Message attribute in
+
+
+
+Rigney, et al. Informational [Page 5]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+ an Access-Accept may be sent down to the user as a sign-on
+ message of the day string using the out-of-band channel.
+
+ We have tried to respect the spirit of the existing RADIUS protocol
+ as much as possible, making design decisions compatible with prior
+ art. Further, we have tried to strike a balance between flooding the
+ RADIUS world with new attributes, and hiding all of ARAP operation
+ within a single multiplexed ARAP attribute string or within Extended
+ Authentication Protocol (EAP) [3] machinery.
+
+ However, we feel ARAP is enough of a departure from PPP to warrant a
+ small set of similarly named attributes of its own.
+
+ We have assumed that an ARAP-aware RADIUS server will be able to do
+ DES encryption and generate security module challenges. This is in
+ keeping with the general RADIUS goal of smart server / simple NAS.
+
+ ARAP authenticates a connection in two phases. The first is a "Two-
+ Way DES" random number exchange, using the user's password as a key.
+ We say "Two-Way" because the ARAP NAS challenges the dial-in client
+ to authenticate itself, and the dial-in client challenges the ARAP
+ NAS to authenticate itself.
+
+ Specifically, ARAP does the following:
+
+ 1. The NAS sends two 32-bit random numbers to the dial-in client
+ in an ARAP msg_auth_challenge packet.
+
+ 2. The dial-in client uses the user's password to DES encrypt the
+ two random numbers sent to it by the NAS. The dial-in client
+ then sends this result, the user's name and two 32-bit random
+ numbers of its own back to the NAS in an ARAP msg_auth_request
+ packet.
+
+ 3. The NAS verifies the encrypted random numbers sent by the
+ dial-in client are what it expected. If so, it encrypts the
+ dial-in client's challenge using the password and sends it back
+ to the dial-in client in an ARAP msg_auth_response packet.
+
+ Note that if the dial-in client's response was wrong, meaning the
+ user has the wrong password, the server can initiate a retry sequence
+ up to the maximum amount of retries allowed by the NAS. In this case,
+ when the dial-in client receives the ARAP msg_auth_response packet it
+ will acknowledge it with an ARAP msg_auth_again packet.
+
+ After this first "DES Phase" the ARAP NAS MAY initiate a secondary
+ authentication phase using what Apple calls "Add-In Security
+ Modules." Security Modules are small pieces of code which run on
+
+
+
+Rigney, et al. Informational [Page 6]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+ both the client and server and are allowed to read and write
+ arbitrary data across the communications link to perform additional
+ authentication functions. Various security token vendors use this
+ mechanism to authenticate ARA callers.
+
+ Although ARAP allows security modules to read and write anything they
+ like, all existing security modules use simple challenge and response
+ cycles, with perhaps some overall control information. This document
+ assumes all existing security modules can be supported with one or
+ more challenge/response cycles.
+
+ To complicate RADIUS and ARAP integration, ARAP sends down some
+ profile information after the DES Phase and before the Security
+ Module phase. This means that besides the responses to challenges,
+ this profile information must also be present, at somewhat unusual
+ times. Fortunately the information is only a few pieces of numeric
+ data related to passwords, which this document packs into a single
+ new attribute.
+
+ Presenting an Access-Request to RADIUS on behalf of an ARAP
+ connection is straightforward. The ARAP NAS generates the random
+ number challenge, and then receives the dial-in client's response,
+ the dial-in client's challenge, and the user's name. Assuming the
+ user is not a guest, the following information is forwarded in an
+ Access-Request packet: User-Name (up to 31 characters long),
+ Framed-Protocol (set to 3, ARAP), ARAP-Password, and any additional
+ attributes desired, such as Service-Type, NAS-IP-Address, NAS-Id,
+ NAS-Port-Type, NAS-Port, NAS-Port-Id, Connect-Info, etc.
+
+ The Request Authenticator is a NAS-generated 16 octet random number.
+ The low-order 8 octets of this number are sent to the dial-in user as
+ the two 4 octet random numbers required in the ARAP
+ msg_auth_challenge packet. Octets 0-3 are the first random number and
+ Octets 4-7 are the second random number.
+
+ The ARAP-Password in the Access-Request contains a 16 octet random
+ number field, and is used to carry the dial-in user's response to the
+ NAS challenge and the client's own challenge to the NAS. The high-
+ order octets contain the dial-in user's challenge to the NAS (2 32-
+ bit numbers, 8 octets) and the low-order octets contain the dial-in
+ user's response to the NAS challenge (2 32-bit numbers, 8 octets).
+
+ Only one of User-Password, CHAP-Password, or ARAP-Password needs to
+ be present in an Access-Request, or one or more EAP-Messages.
+
+ If the RADIUS server does not support ARAP it SHOULD return an
+ Access-Reject to the NAS.
+
+
+
+
+Rigney, et al. Informational [Page 7]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+ If the RADIUS server does support ARAP, it should verify the user's
+ response using the Challenge (from the lower order 8 octets of the
+ Request Authenticator) and the user's response (from the low order 8
+ octets of the ARAP-Password).
+
+ If that authentication fails, the RADIUS server should return an
+ Access-Reject packet to the NAS, with optional Password-Retry and
+ Reply-Messages attributes. The presence of Password-Retry indicates
+ the ARAP NAS MAY choose to initiate another challenge-response cycle,
+ up to a total number of times equal to the integer value of the
+ Password-Retry attribute.
+
+ If the user is authenticated, the RADIUS server should return an
+ Access-Accept packet (Code 2) to the NAS, with ID and Response
+ Authenticator as usual, and attributes as follows:
+
+ Service-Type of Framed-Protocol.
+
+ Framed-Protocol of ARAP (3).
+
+ Session-Timeout with the maximum connect time for the user in
+ seconds. If the user is to be given unlimited time,
+ Session-Timeout should not be included in the Access-Accept
+ packet, and ARAP will treat that as an unlimited timeout (-1).
+
+ ARAP-Challenge-Response, containing 8 octets with the response to
+ the dial-in client's challenge. The RADIUS server calculates this
+ value by taking the dial-in client's challenge from the high order
+ 8 octets of the ARAP-Password attribute and performing DES
+ encryption on this value with the authenticating user's password
+ as the key. If the user's password is less than 8 octets in
+ length, the password is padded at the end with NULL octets to a
+ length of 8 before using it as a key. If the user's password is
+ greater than 8 octets in length, an Access-Reject MUST be sent
+ instead.
+
+ ARAP-Features, containing information that the NAS should send to
+ the user in an ARAP "feature flags" packet.
+
+ Octet 0: If zero, user cannot change their password. If non-
+ zero user can. (RADIUS does not handle the password changing,
+ just the attribute which indicates whether ARAP indicates they
+ can.)
+
+ Octet 1: Minimum acceptable password length (0-8).
+
+
+
+
+
+
+Rigney, et al. Informational [Page 8]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+ Octet 2-5: Password creation date in Macintosh format, defined
+ as 32 bits unsigned representing seconds since Midnight GMT
+ January 1, 1904.
+
+ Octet 6-9 Password Expiration Delta from create date in
+ seconds.
+
+ Octet 10-13: Current RADIUS time in Macintosh format
+
+ Optionally, a single Reply-Message with a text string up to 253
+ characters long which MAY be sent down to the user to be displayed
+ in a sign-on/message of the day dialog.
+
+ Framed-AppleTalk-Network may be included.
+
+ Framed-AppleTalk-Zone, up to 32 characters in length, may be
+ included.
+
+ ARAP defines the notion of a list of zones for a user. Along with
+ a list of zone names, a Zone Access Flag is defined (and used by
+ the NAS) which says how to use the list of zone names. That is,
+ the dial-in user may only be allowed to see the Default Zone, or
+ only the zones in the zone list (inclusive) or any zone except
+ those in the zone list (exclusive).
+
+ The ARAP NAS handles this by having a named filter which contains
+ (at least) zone names. This solves the problem where a single
+ RADIUS server is managing disparate NAS clients who may not be
+ able to "see" all of the zone names in a user zone list. Zone
+ names only have meaning "at the NAS." The disadvantage of this
+ approach is that zone filters must be set up on the NAS somehow,
+ then referenced by the RADIUS Filter-Id.
+
+ ARAP-Zone-Access contains an integer which specifies how the "zone
+ list" for this user should be used. If this attribute is present
+ and the value is 2 or 4 then a Filter-Id must also be present to
+ name a zone list filter to apply the access flag to.
+
+ The inclusion of a Callback-Number or Callback-Id attribute in the
+ Access-Accept MAY cause the ARAP NAS to disconnect after sending
+ the Feature Flags to begin callback processing in an ARAP specific
+ way.
+
+
+
+
+
+
+
+
+
+Rigney, et al. Informational [Page 9]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+ Other attributes may be present in the Access-Accept packet as well.
+
+ An ARAP NAS will need other information to finish bringing up the
+ connection to the dial in client, but this information can be
+ provided by the ARAP NAS without any help from RADIUS, either through
+ configuration by SNMP, a NAS administration program, or deduced by
+ the AppleTalk stack in the NAS. Specifically:
+
+ 1. AppearAsNet and AppearAsNode values, sent to the client to tell
+ it what network and node numbers it should use in its datagram
+ packets. AppearAsNet can be taken from the Framed-AppleTalk-
+ Network attribute or from the configuration or AppleTalk stack
+ onthe NAS.
+
+ 2. The "default" zone - that is the name of the AppleTalk zone in
+ which the dial-in client will appear. (Or can be specified
+ with the Framed-AppleTalk-Zone attribute.)
+
+ 3. Other very NAS specific stuff such as the name of the NAS, and
+ smartbuffering information. (Smartbuffering is an ARAP
+ mechanism for replacing common AppleTalk datagrams with small
+ tokens, to improve slow link performance in a few common
+ traffic situations.)
+
+ 4. "Zone List" information for this user. The ARAP specification
+ defines a "zone count" field which is actually unused.
+
+ RADIUS supports ARAP Security Modules in the following manner.
+
+ After DES authentication has been completed, the RADIUS server may
+ instruct the ARAP NAS to run one or more security modules for the
+ dial-in user. Although the underlying protocol supports executing
+ multiple security modules in series, in practice all current
+ implementations only allow executing one. Through the use of
+ multiple Access-Challenge requests, multiple modules can be
+ supported, but this facility will probably never be used.
+
+ We also assume that, even though ARAP allows a free-form dialog
+ between security modules on each end of the point-to-point link, in
+ actual practice all security modules can be reduced to a simple
+ challenge/response cycle.
+
+ If the RADIUS server wishes to instruct the ARAP NAS to run a
+ security module, it should send an Access-Challenge packet to the NAS
+ with (optionally) the State attribute, plus the ARAP-Challenge-
+ Response, ARAP-Features, and two more attributes:
+
+
+
+
+
+Rigney, et al. Informational [Page 10]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+ ARAP-Security: a four octet security module signature, containing a
+ Macintosh OSType.
+
+ ARAP-Security-Data, a string to carry the actual security module
+ challenge and response.
+
+ When the security module finishes executing, the security module
+ response is passed in an ARAP-Security-Data attribute from the NAS
+ to the RADIUS server in a second Access-Request, also including the
+ State from the Access-Challenge. The authenticator field contains no
+ special information in this case, and this can be discerned by the
+ presence of the State attribute.
+
+2.3. RADIUS Support for Extensible Authentication Protocol (EAP)
+
+ The Extensible Authentication Protocol (EAP), described in [3],
+ provides a standard mechanism for support of additional
+ authentication methods within PPP. Through the use of EAP, support
+ for a number of authentication schemes may be added, including smart
+ cards, Kerberos, Public Key, One Time Passwords, and others. In
+ order to provide for support of EAP within RADIUS, two new
+ attributes, EAP-Message and Message-Authenticator, are introduced in
+ this document. This section describes how these new attributes may be
+ used for providing EAP support within RADIUS.
+
+ In the proposed scheme, the RADIUS server is used to shuttle RADIUS-
+ encapsulated EAP Packets between the NAS and a backend security
+ server. While the conversation between the RADIUS server and the
+ backend security server will typically occur using a proprietary
+ protocol developed by the backend security server vendor, it is also
+ possible to use RADIUS-encapsulated EAP via the EAP-Message
+ attribute. This has the advantage of allowing the RADIUS server to
+ support EAP without the need for authentication-specific code, which
+ can instead reside on the backend security server.
+
+2.3.1. Protocol Overview
+
+ The EAP conversation between the authenticating peer (dial-in user)
+ and the NAS begins with the negotiation of EAP within LCP. Once EAP
+ has been negotiated, the NAS MUST send an EAP-Request/Identity
+ message to the authenticating peer, unless identity is determined via
+ some other means such as Called-Station-Id or Calling-Station-Id.
+ The peer will then respond with an EAP-Response/Identity which the
+ the NAS will then forward to the RADIUS server in the EAP-Message
+ attribute of a RADIUS Access-Request packet. The RADIUS Server will
+ typically use the EAP-Response/Identity to determine which EAP type
+ is to be applied to the user.
+
+
+
+
+Rigney, et al. Informational [Page 11]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+ In order to permit non-EAP aware RADIUS proxies to forward the
+ Access-Request packet, if the NAS sends the EAP-Request/Identity, the
+ NAS MUST copy the contents of the EAP-Response/Identity into the
+ User-Name attribute and MUST include the EAP-Response/Identity in the
+ User-Name attribute in every subsequent Access-Request. NAS-Port or
+ NAS-Port-Id SHOULD be included in the attributes issued by the NAS in
+ the Access-Request packet, and either NAS-Identifier or NAS-IP-
+ Address MUST be included. In order to permit forwarding of the
+ Access-Reply by EAP-unaware proxies, if a User-Name attribute was
+ included in an Access-Request, the RADIUS Server MUST include the
+ User-Name attribute in subsequent Access-Accept packets. Without the
+ User-Name attribute, accounting and billing becomes very difficult to
+ manage.
+
+ If identity is determined via another means such as Called-Station-Id
+ or Calling-Station-Id, the NAS MUST include these identifying
+ attributes in every Access-Request.
+
+ While this approach will save a round-trip, it cannot be universally
+ employed. There are circumstances in which the user's identity may
+ not be needed (such as when authentication and accounting is handled
+ based on Called-Station-Id or Calling-Station-Id), and therefore an
+ EAP-Request/Identity packet may not necessarily be issued by the NAS
+ to the authenticating peer. In cases where an EAP-Request/Identity
+ packet will not be sent, the NAS will send to the RADIUS server a
+ RADIUS Access-Request packet containing an EAP-Message attribute
+ signifying EAP-Start. EAP-Start is indicated by sending an EAP-
+ Message attribute with a length of 2 (no data). However, it should be
+ noted that since no User-Name attribute is included in the Access-
+ Request, this approach is not compatible with RADIUS as specified in
+ [1], nor can it easily be applied in situations where proxies are
+ deployed, such as roaming or shared use networks.
+
+ If the RADIUS server supports EAP, it MUST respond with an Access-
+ Challenge packet containing an EAP-Message attribute. If the RADIUS
+ server does not support EAP, it MUST respond with an Access-Reject.
+ The EAP-Message attribute includes an encapsulated EAP packet which
+ is then passed on to the authenticating peer. In the case where the
+ NAS does not initially send an EAP-Request/Identity message to the
+ peer, the Access-Challenge typically will contain an EAP-Message
+ attribute encapsulating an EAP-Request/Identity message, requesting
+ the dial-in user to identify themself. The NAS will then respond with
+ a RADIUS Access-Request packet containing an EAP-Message attribute
+ encapsulating an EAP-Response. The conversation continues until
+ either a RADIUS Access-Reject or Access-Accept packet is received.
+
+
+
+
+
+
+Rigney, et al. Informational [Page 12]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+ Reception of a RADIUS Access-Reject packet, with or without an EAP-
+ Message attribute encapsulating EAP-Failure, MUST result in the NAS
+ issuing an LCP Terminate Request to the authenticating peer. A
+ RADIUS Access-Accept packet with an EAP-Message attribute
+ encapsulating EAP-Success successfully ends the authentication phase.
+ The RADIUS Access-Accept/EAP-Message/EAP-Success packet MUST contain
+ all of the expected attributes which are currently returned in an
+ Access-Accept packet.
+
+ The above scenario creates a situation in which the NAS never needs
+ to manipulate an EAP packet. An alternative may be used in
+ situations where an EAP-Request/Identity message will always be sent
+ by the NAS to the authenticating peer.
+
+ For proxied RADIUS requests there are two methods of processing. If
+ the domain is determined based on the Called-Station-Id, the RADIUS
+ Server may proxy the initial RADIUS Access-Request/EAP-Start. If the
+ domain is determined based on the user's identity, the local RADIUS
+ Server MUST respond with a RADIUS Access-Challenge/EAP-Identity
+ packet. The response from the authenticating peer MUST be proxied to
+ the final authentication server.
+
+ For proxied RADIUS requests, the NAS may receive an Access-Reject
+ packet in response to its Access-Request/EAP-Identity packet. This
+ would occur if the message was proxied to a RADIUS Server which does
+ not support the EAP-Message extension. On receiving an Access-Reject,
+ the NAS MUST send an LCP Terminate Request to the authenticating
+ peer, and disconnect.
+
+2.3.2. Retransmission
+
+ As noted in [3], the EAP authenticator (NAS) is responsible for
+ retransmission of packets between the authenticating peer and the
+ NAS. Thus if an EAP packet is lost in transit between the
+ authenticating peer and the NAS (or vice versa), the NAS will
+ retransmit. As in RADIUS [1], the RADIUS client is responsible for
+ retransmission of packets between the RADIUS client and the RADIUS
+ server.
+
+ Note that it may be necessary to adjust retransmission strategies and
+ authentication timeouts in certain cases. For example, when a token
+ card is used additional time may be required to allow the user to
+ find the card and enter the token. Since the NAS will typically not
+ have knowledge of the required parameters, these need to be provided
+ by the RADIUS server. This can be accomplished by inclusion of
+ Session-Timeout and Password-Retry attributes within the Access-
+ Challenge packet.
+
+
+
+
+Rigney, et al. Informational [Page 13]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+ If Session-Timeout is present in an Access-Challenge packet that also
+ contains an EAP-Message, the value of the Session-Timeout provides
+ the NAS with the maximum number of seconds the NAS should wait for an
+ EAP-Response before retransmitting the EAP-Message to the dial-in
+ user.
+
+2.3.3. Fragmentation
+
+ Using the EAP-Message attribute, it is possible for the RADIUS server
+ to encapsulate an EAP packet that is larger than the MTU on the link
+ between the NAS and the peer. Since it is not possible for the RADIUS
+ server to use MTU discovery to ascertain the link MTU, the Framed-MTU
+ attribute may be included in an Access-Request packet containing an
+ EAP-Message attribute so as to provide the RADIUS server with this
+ information.
+
+2.3.4. Examples
+
+ The example below shows the conversation between the authenticating
+ peer, NAS, and RADIUS server, for the case of a One Time Password
+ (OTP) authentication. OTP is used only for illustrative purposes;
+ other authentication protocols could also have been used, although
+ they might show somewhat different behavior.
+
+Authenticating Peer NAS RADIUS Server
+------------------- --- -------------
+
+ <- PPP LCP Request-EAP
+ auth
+PPP LCP ACK-EAP
+auth ->
+ <- PPP EAP-Request/
+ Identity
+PPP EAP-Response/
+Identity (MyID) ->
+ RADIUS
+ Access-Request/
+ EAP-Message/
+ EAP-Response/
+ (MyID) ->
+ <- RADIUS
+ Access-Challenge/
+ EAP-Message/EAP-Request
+ OTP/OTP Challenge
+ <- PPP EAP-Request/
+ OTP/OTP Challenge
+PPP EAP-Response/
+OTP, OTPpw ->
+
+
+
+Rigney, et al. Informational [Page 14]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+ RADIUS
+ Access-Request/
+ EAP-Message/
+ EAP-Response/
+ OTP, OTPpw ->
+ <- RADIUS
+ Access-Accept/
+ EAP-Message/EAP-Success
+ (other attributes)
+ <- PPP EAP-Success
+PPP Authentication
+Phase complete,
+NCP Phase starts
+
+In the case where the NAS first sends an EAP-Start packet to the
+RADIUS server, the conversation would appear as follows:
+
+Authenticating Peer NAS RADIUS Server
+------------------- --- -------------
+
+ <- PPP LCP Request-EAP
+ auth
+PPP LCP ACK-EAP
+auth ->
+ RADIUS
+ Access-Request/
+ EAP-Message/Start ->
+ <- RADIUS
+ Access-Challenge/
+ EAP-Message/Identity
+ <- PPP EA-Request/
+ Identity
+PPP EAP-Response/
+Identity (MyID) ->
+ RADIUS
+ Access-Request/
+ EAP-Message/
+ EAP-Response/
+ (MyID) ->
+ <- RADIUS
+ Access-Challenge/
+ EAP-Message/EAP-Request
+ OTP/OTP Challenge
+ <- PPP EAP-Request/
+ OTP/OTP Challenge
+PPP EAP-Response/
+OTP, OTPpw ->
+
+
+
+
+Rigney, et al. Informational [Page 15]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+ RADIUS
+ Access-Request/
+ EAP-Message/
+ EAP-Response/
+ OTP, OTPpw ->
+ <- RADIUS
+ Access-Accept/
+ EAP-Message/EAP-Success
+ (other attributes)
+ <- PPP EAP-Success
+PPP Authentication
+Phase complete,
+NCP Phase starts
+
+In the case where the client fails EAP authentication, the
+conversation would appear as follows:
+
+Authenticating Peer NAS RADIUS Server
+------------------- --- -------------
+
+ <- PPP LCP Request-EAP
+ auth
+PPP LCP ACK-EAP
+auth ->
+ Access-Request/
+ EAP-Message/Start ->
+ <- RADIUS
+ Access-Challenge/
+ EAP-Message/Identity
+ <- PPP EAP-Request/
+ Identity
+PPP EAP-Response/
+Identity (MyID) ->
+ RADIUS
+ Access-Request/
+ EAP-Message/
+ EAP-Response/
+ (MyID) ->
+ <- RADIUS
+ Access-Challenge/
+ EAP-Message/EAP-Request
+ OTP/OTP Challenge
+ <- PPP EAP-Request/
+ OTP/OTP Challenge
+PPP EAP-Response/
+OTP, OTPpw ->
+ RADIUS
+ Access-Request/
+
+
+
+Rigney, et al. Informational [Page 16]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+ EAP-Message/
+ EAP-Response/
+ OTP, OTPpw ->
+ <- RADIUS
+ Access-Reject/
+ EAP-Message/EAP-Failure
+
+ <- PPP EAP-Failure
+ (client disconnected)
+
+In the case that the RADIUS server or proxy does not support
+EAP-Message, the conversation would appear as follows:
+
+Authenticating Peer NAS RADIUS Server
+------------------- --- -------------
+
+ <- PPP LCP Request-EAP
+ auth
+PPP LCP ACK-EAP
+auth ->
+ RADIUS
+ Access-Request/
+ EAP-Message/Start ->
+ <- RADIUS
+ Access-Reject
+ <- PPP LCP Terminate
+ (User Disconnected)
+
+In the case where the local RADIUS Server does support EAP-Message,
+but the remote RADIUS Server does not, the conversation would appear
+as follows:
+
+Authenticating Peer NAS RADIUS Server
+------------------- --- -------------
+
+ <- PPP LCP Request-EAP
+ auth
+PPP LCP ACK-EAP
+auth ->
+ RADIUS
+ Access-Request/
+ EAP-Message/Start ->
+ <- RADIUS
+ Access-Challenge/
+ EAP-Message/Identity
+ <- PPP EAP-Request/
+ Identity
+
+
+
+
+Rigney, et al. Informational [Page 17]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+PPP EAP-Response/
+Identity
+(MyID) ->
+ RADIUS
+ Access-Request/
+ EAP-Message/EAP-Response/
+ (MyID) ->
+ <- RADIUS
+ Access-Reject
+ (proxied from remote
+ RADIUS Server)
+ <- PPP LCP Terminate
+ (User Disconnected)
+
+In the case where the authenticating peer does not support EAP, but
+where EAP is required for that user, the conversation would appear as
+follows:
+
+Authenticating Peer NAS RADIUS Server
+------------------- --- -------------
+
+ <- PPP LCP Request-EAP
+ auth
+PPP LCP NAK-EAP
+auth ->
+ <- PPP LCP Request-CHAP
+ auth
+PPP LCP ACK-CHAP
+auth ->
+ <- PPP CHAP Challenge
+PPP CHAP Response ->
+ RADIUS
+ Access-Request/
+ User-Name,
+ CHAP-Password ->
+ <- RADIUS
+ Access-Reject
+ <- PPP LCP Terminate
+ (User Disconnected)
+
+In the case where the NAS does not support EAP, but where EAP is
+required for that user, the conversation would appear as follows:
+
+Authenticating Peer NAS RADIUS Server
+------------------- --- -------------
+
+ <- PPP LCP Request-CHAP
+ auth
+
+
+
+Rigney, et al. Informational [Page 18]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+PP LCP ACK-CHAP
+auth ->
+ <- PPP CHAP Challenge
+PPP CHAP Response ->
+ RADIUS
+ Access-Request/
+ User-Name,
+ CHAP-Password ->
+
+ <- RADIUS
+ Access-Reject
+ <- PPP LCP Terminate
+ (User Disconnected)
+
+2.3.5. Alternative uses
+
+ Currently the conversation between the backend security server and
+ the RADIUS server is proprietary because of lack of standardization.
+ In order to increase standardization and provide interoperability
+ between Radius vendors and backend security vendors, it is
+ recommended that RADIUS-encapsulated EAP be used for this
+ conversation.
+
+ This has the advantage of allowing the RADIUS server to support EAP
+ without the need for authentication-specific code within the RADIUS
+ server. Authentication-specific code can then reside on a backend
+ security server instead.
+
+ In the case where RADIUS-encapsulated EAP is used in a conversation
+ between a RADIUS server and a backend security server, the security
+ server will typically return an Access-Accept/EAP-Success message
+ without inclusion of the expected attributes currently returned in an
+ Access-Accept. This means that the RADIUS server MUST add these
+ attributes prior to sending an Access-Accept/EAP-Success message to
+ the NAS.
+
+3. Packet Format
+
+ Packet Format is identical to that defined in RFC 2865 [1] and 2866
+ [2].
+
+4. Packet Types
+
+ Packet types are identical to those defined in RFC 2865 [1] and 2866
+ [2].
+
+ See "Table of Attributes" below to determine which types of packets
+ can contain which attributes defined here.
+
+
+
+Rigney, et al. Informational [Page 19]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+5. Attributes
+
+ RADIUS Attributes carry the specific authentication, authorization
+ and accounting details for the request and response.
+
+ Some attributes MAY be included more than once. The effect of this
+ is attribute specific, and is specified in each attribute
+ description. The order of attributes of the same type SHOULD be
+ preserved. The order of attributes of different types is not
+ required to be preserved.
+
+ The end of the list of attributes is indicated by the Length of the
+ RADIUS packet.
+
+ A summary of the attribute format is the same as in RFC 2865 [1] but
+ is included here for ease of reference. The fields are transmitted
+ from left to right.
+
+ 0 1 2
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Length | Value ...
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+ Type
+
+ The Type field is one octet. Up-to-date values of the RADIUS Type
+ field are specified in the most recent "Assigned Numbers" RFC [5].
+ Values 192-223 are reserved for experimental use, values 224-240
+ are reserved for implementation-specific use, and values 241-255
+ are reserved and should not be used. This specification concerns
+ the following values:
+
+ 1-39 (refer to RFC 2865 [1], "RADIUS")
+ 40-51 (refer to RFC 2866 [2], "RADIUS Accounting")
+ 52 Acct-Input-Gigawords
+ 53 Acct-Output-Gigawords
+ 54 Unused
+ 55 Event-Timestamp
+ 56-59 Unused
+ 60-63 (refer to RFC 2865 [1], "RADIUS")
+ 64-67 (refer to [6])
+ 68 (refer to [7])
+ 69 (refer to [6])
+ 70 ARAP-Password
+ 71 ARAP-Features
+ 72 ARAP-Zone-Access
+
+
+
+Rigney, et al. Informational [Page 20]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+ 73 ARAP-Security
+ 74 ARAP-Security-Data
+ 75 Password-Retry
+ 76 Prompt
+ 77 Connect-Info
+ 78 Configuration-Token
+ 79 EAP-Message
+ 80 Message-Authenticator
+ 81-83 (refer to [6])
+ 84 ARAP-Challenge-Response
+ 85 Acct-Interim-Interval
+ 86 (refer to [7])
+ 87 NAS-Port-Id
+ 88 Framed-Pool
+ 89 Unused
+ 90-91 (refer to [6])
+ 92-191 Unused
+
+ Length
+
+ The Length field is one octet, and indicates the length of this
+ attribute including the Type, Length and Value fields. If an
+ attribute is received in a packet with an invalid Length, the
+ entire request should be silently discarded.
+
+ Value
+
+ The Value field is zero or more octets and contains information
+ specific to the attribute. The format and length of the Value
+ field is determined by the Type and Length fields.
+
+ Note that none of the types in RADIUS terminate with a NUL (hex
+ 00). In particular, types "text" and "string" in RADIUS do not
+ terminate with a NUL (hex 00). The Attribute has a length field
+ and does not use a terminator. Text contains UTF-8 encoded 10646
+ [8] characters and String contains 8-bit binary data. Servers and
+ servers and clients MUST be able to deal with embedded nulls.
+ RADIUS implementers using C are cautioned not to use strcpy() when
+ handling strings.
+
+ The format of the value field is one of five data types. Note
+ that type "text" is a subset of type "string."
+
+ text 1-253 octets containing UTF-8 encoded 10646 [8]
+ characters. Text of length zero (0) MUST NOT be sent;
+ omit the entire attribute instead.
+
+
+
+
+
+Rigney, et al. Informational [Page 21]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+ string 1-253 octets containing binary data (values 0 through
+ 255 decimal, inclusive). Strings of length zero (0) MUST
+ NOT be sent; omit the entire attribute instead.
+
+ address 32 bit unsigned value, most significant octet first.
+
+ integer 32 bit unsigned value, most significant octet first.
+
+ time 32 bit unsigned value, most significant octet first --
+ seconds since 00:00:00 UTC, January 1, 1970.
+
+5.1. Acct-Input-Gigawords
+
+ Description
+
+ This attribute indicates how many times the Acct-Input-Octets
+ counter has wrapped around 2^32 over the course of this service
+ being provided, and can only be present in Accounting-Request
+ records where the Acct-Status-Type is set to Stop or Interim-
+ Update.
+
+ A summary of the Acct-Input-Gigawords attribute format is shown
+ below. The fields are transmitted from left to right.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Length | Value
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ Value (cont) |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Type
+
+ 52 for Acct-Input-Gigawords.
+
+ Length
+
+ 6
+
+ Value
+
+ The Value field is four octets.
+
+
+
+
+
+
+
+
+Rigney, et al. Informational [Page 22]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+5.2. Acct-Output-Gigawords
+
+ Description
+
+ This attribute indicates how many times the Acct-Output-Octets
+ counter has wrapped around 2^32 in the course of delivering this
+ service, and can only be present in Accounting-Request records
+ where the Acct-Status-Type is set to Stop or Interim-Update.
+
+ A summary of the Acct-Output-Gigawords attribute format is shown
+ below. The fields are transmitted from left to right.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Length | Value
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ Value (cont) |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Type
+
+ 53 for Acct-Output-Gigawords.
+
+ Length
+
+ 6
+
+ Value
+
+ The Value field is four octets.
+
+5.3. Event-Timestamp
+
+ Description
+
+ This attribute is included in an Accounting-Request packet to
+ record the time that this event occurred on the NAS, in seconds
+ since January 1, 1970 00:00 UTC.
+
+ A summary of the Event-Timestamp attribute format is shown below.
+ The fields are transmitted from left to right.
+
+
+
+
+
+
+
+
+
+Rigney, et al. Informational [Page 23]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Length | Value
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ Value (cont) |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Type
+
+ 55 for Event-Timestamp
+
+ Length
+
+ 6
+
+ Value
+
+ The Value field is four octets encoding an unsigned integer with
+ the number of seconds since January 1, 1970 00:00 UTC.
+
+5.4. ARAP-Password
+
+ Description
+
+ This attribute is only present in an Access-Request packet
+ containing a Framed-Protocol of ARAP.
+
+ Only one of User-Password, CHAP-Password, or ARAP-Password needs
+ to be present in an Access-Request, or one or more EAP-Messages.
+
+ A summary of the ARAP-Password attribute format is shown below. The
+ fields are transmitted from left to right.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Length | Value1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Value2
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Value3
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Value4
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+
+
+Rigney, et al. Informational [Page 24]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+ Type
+
+ 70 for ARAP-Password.
+
+ Length
+
+ 18
+
+ Value
+
+ This attribute contains a 16 octet string, used to carry the
+ dial-in user's response to the NAS challenge and the client's own
+ challenge to the NAS. The high-order octets (Value1 and Value2)
+ contain the dial-in user's challenge to the NAS (2 32-bit numbers,
+ 8 octets) and the low-order octets (Value3 and Value4) contain the
+ dial-in user's response to the NAS challenge (2 32-bit numbers, 8
+ octets).
+
+5.5. ARAP-Features
+
+ Description
+
+ This attribute is sent in an Access-Accept packet with Framed-
+ Protocol of ARAP, and includes password information that the NAS
+ should sent to the user in an ARAP "feature flags" packet.
+
+ A summary of the ARAP-Features attribute format is shown below. The
+ fields are transmitted from left to right.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Length | Value1 | Value2 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Value3 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Value4 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Value5 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Type
+
+ 71 for ARAP-Features.
+
+ Length
+
+ 16
+
+
+
+Rigney, et al. Informational [Page 25]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+ Value
+
+ The Value field is a compound string containing information the
+ NAS should send to the user in the ARAP "feature flags" packet.
+
+ Value1: If zero, user cannot change their password. If non-zero
+ user can. (RADIUS does not handle the password changing, just
+ the attribute which indicates whether ARAP indicates they can.)
+
+ Value2: Minimum acceptable password length, from 0 to 8.
+
+ Value3: Password creation date in Macintosh format, defined as
+ 32 unsigned bits representing seconds since Midnight GMT
+ January 1, 1904.
+
+ Value4: Password Expiration Delta from create date in seconds.
+
+ Value5: Current RADIUS time in Macintosh format.
+
+5.6. ARAP-Zone-Access
+
+ Description
+
+ This attribute is included in an Access-Accept packet with
+ Framed-Protocol of ARAP to indicate how the ARAP zone list for the
+ user should be used.
+
+ A summary of the ARAP-Zone-Access attribute format is shown below.
+ The fields are transmitted from left to right.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Length | Value
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ Value (cont) |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+ Type
+
+ 72 for ARAP-Zone-Access.
+
+ Length
+
+ 6
+
+
+
+
+
+Rigney, et al. Informational [Page 26]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+ Value
+
+ The Value field is four octets encoding an integer with one of the
+ following values:
+
+ 1 Only allow access to default zone
+ 2 Use zone filter inclusively
+ 4 Use zone filter exclusively
+
+
+ The value 3 is skipped, not because these are bit flags, but
+ because 3 in some ARAP implementations means "all zones" which is
+ the same as not specifying a list at all under RADIUS.
+
+ If this attribute is present and the value is 2 or 4 then a
+ Filter-Id must also be present to name a zone list filter to apply
+ the access flag to.
+
+5.7. ARAP-Security
+
+ Description
+
+ This attribute identifies the ARAP Security Module to be used in
+ an Access-Challenge packet.
+
+ A summary of the ARAP-Security attribute format is shown below. The
+ fields are transmitted from left to right.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Length | Value
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ Value (cont) |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Type
+
+ 73 for ARAP-Security.
+
+ Length
+
+ 6
+
+
+
+
+
+
+
+
+Rigney, et al. Informational [Page 27]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+ Value
+
+ The Value field is four octets, containing an integer specifying
+ the security module signature, which is a Macintosh OSType.
+ (Macintosh OSTypes are 4 ascii characters cast as a 32-bit
+ integer)
+
+5.8. ARAP-Security-Data
+
+ Description
+
+ This attribute contains the actual security module challenge or
+ response, and can be found in Access-Challenge and Access-Request
+ packets.
+
+ A summary of the ARAP-Security-Data attribute format is shown below.
+ The fields are transmitted from left to right.
+
+ 0 1 2
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Length | String...
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Type
+
+ 74 for ARAP-Security-Data.
+
+ Length
+
+ >=3
+
+ String
+
+ The String field contains the security module challenge or
+ response associated with the ARAP Security Module specified in
+ ARAP-Security.
+
+5.9. Password-Retry
+
+ Description
+
+ This attribute MAY be included in an Access-Reject to indicate how
+ many authentication attempts a user may be allowed to attempt
+ before being disconnected.
+
+ It is primarily intended for use with ARAP authentication.
+
+
+
+
+Rigney, et al. Informational [Page 28]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+ A summary of the Password-Retry attribute format is shown below. The
+ fields are transmitted from left to right.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Length | Value
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ Value (cont) |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Type
+
+ 75 for Password-Retry.
+
+ Length
+
+ 6
+
+ Value
+
+ The Value field is four octets, containing an integer specifying
+ the number of password retry attempts to permit the user.
+
+5.10. Prompt
+
+ Description
+
+ This attribute is used only in Access-Challenge packets, and
+ indicates to the NAS whether it should echo the user's response as
+ it is entered, or not echo it.
+
+
+ A summary of the Prompt attribute format is shown below. The fields
+ are transmitted from left to right.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Length | Value
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ Value (cont) |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Type
+
+ 76 for Prompt.
+
+
+
+
+Rigney, et al. Informational [Page 29]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+ Length
+
+ 6
+
+ Value
+
+ The Value field is four octets.
+
+ 0 No Echo
+ 1 Echo
+
+5.11. Connect-Info
+
+ Description
+
+ This attribute is sent from the NAS to indicate the nature of the
+ user's connection.
+
+ The NAS MAY send this attribute in an Access-Request or
+ Accounting-Request to indicate the nature of the user's
+ connection.
+
+ A summary of the Connect-Info attribute format is shown below. The
+ fields are transmitted from left to right.
+
+ 0 1 2
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Length | Text...
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Type
+
+ 77 for Connect-Info.
+
+ Length
+
+ >= 3
+
+ Text
+
+ The Text field consists of UTF-8 encoded 10646 [8] characters.
+ The connection speed SHOULD be included at the beginning of the
+ first Connect-Info attribute in the packet. If the transmit and
+ receive connection speeds differ, they may both be included in the
+ first attribute with the transmit speed first (the speed the NAS
+ modem transmits at), a slash (/), the receive speed, then
+ optionally other information.
+
+
+
+Rigney, et al. Informational [Page 30]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+ For example, "28800 V42BIS/LAPM" or "52000/31200 V90"
+
+ More than one Connect-Info attribute may be present in an
+ Accounting-Request packet to accommodate expected efforts by ITU
+ to have modems report more connection information in a standard
+ format that might exceed 252 octets.
+
+5.12. Configuration-Token
+
+ Description
+
+ This attribute is for use in large distributed authentication
+ networks based on proxy. It is sent from a RADIUS Proxy Server to
+ a RADIUS Proxy Client in an Access-Accept to indicate a type of
+ user profile to be used. It should not be sent to a NAS.
+
+ A summary of the Configuration-Token attribute format is shown below.
+ The fields are transmitted from left to right.
+
+ 0 1 2
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Length | String ...
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Type
+
+ 78 for Configuration-Token.
+
+ Length
+
+ >= 3
+
+ String
+
+ The String field is one or more octets. The actual format of the
+ information is site or application specific, and a robust
+ implementation SHOULD support the field as undistinguished octets.
+
+ The codification of the range of allowed usage of this field is
+ outside the scope of this specification.
+
+
+
+
+
+
+
+
+
+
+Rigney, et al. Informational [Page 31]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+5.13. EAP-Message
+
+ Description
+
+ This attribute encapsulates Extended Access Protocol [3] packets
+ so as to allow the NAS to authenticate dial-in users via EAP
+ without having to understand the EAP protocol.
+
+ The NAS places any EAP messages received from the user into one or
+ more EAP attributes and forwards them to the RADIUS Server as part
+ of the Access-Request, which can return EAP messages in Access-
+ Challenge, Access-Accept and Access-Reject packets.
+
+ A RADIUS Server receiving EAP messages that it does not understand
+ SHOULD return an Access-Reject.
+
+ The NAS places EAP messages received from the authenticating peer
+ into one or more EAP-Message attributes and forwards them to the
+ RADIUS Server within an Access-Request message. If multiple EAP-
+ Messages are contained within an Access-Request or Access-
+ Challenge packet, they MUST be in order and they MUST be
+ consecutive attributes in the Access-Request or Access-Challenge
+ packet. Access-Accept and Access-Reject packets SHOULD only have
+ ONE EAP-Message attribute in them, containing EAP-Success or EAP-
+ Failure.
+
+ It is expected that EAP will be used to implement a variety of
+ authentication methods, including methods involving strong
+ cryptography. In order to prevent attackers from subverting EAP by
+ attacking RADIUS/EAP, (for example, by modifying the EAP-Success
+ or EAP-Failure packets) it is necessary that RADIUS/EAP provide
+ integrity protection at least as strong as those used in the EAP
+ methods themselves.
+
+ Therefore the Message-Authenticator attribute MUST be used to
+ protect all Access-Request, Access-Challenge, Access-Accept, and
+ Access-Reject packets containing an EAP-Message attribute.
+
+ Access-Request packets including an EAP-Message attribute without
+ a Message-Authenticator attribute SHOULD be silently discarded by
+ the RADIUS server. A RADIUS Server supporting EAP-Message MUST
+ calculate the correct value of the Message-Authenticator and
+ silently discard the packet if it does not match the value sent.
+ A RADIUS Server not supporting EAP-Message MUST return an Access-
+ Reject if it receives an Access-Request containing an EAP-Message
+ attribute. A RADIUS Server receiving an EAP-Message attribute that
+ it does not understand MUST return an Access-Reject.
+
+
+
+
+Rigney, et al. Informational [Page 32]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+ Access-Challenge, Access-Accept, or Access-Reject packets
+ including an EAP-Message attribute without a Message-Authenticator
+ attribute SHOULD be silently discarded by the NAS. A NAS
+ supporting EAP-Message MUST calculate the correct value of the
+ Message-Authenticator and silently discard the packet if it does
+ not match the value sent.
+
+ A summary of the EAP-Message attribute format is shown below. The
+ fields are transmitted from left to right.
+
+ 0 1 2
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Length | String...
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Type
+
+ 79 for EAP-Message.
+
+ Length
+
+ >= 3
+
+ String
+
+ The String field contains EAP packets, as defined in [3]. If
+ multiple EAP-Message attributes are present in a packet their
+ values should be concatenated; this allows EAP packets longer than
+ 253 octets to be passed by RADIUS.
+
+5.14. Message-Authenticator
+
+ Description
+
+ This attribute MAY be used to sign Access-Requests to prevent
+ spoofing Access-Requests using CHAP, ARAP or EAP authentication
+ methods. It MAY be used in any Access-Request. It MUST be used
+ in any Access-Request, Access-Accept, Access-Reject or Access-
+ Challenge that includes an EAP-Message attribute.
+
+ A RADIUS Server receiving an Access-Request with a Message-
+ Authenticator Attribute present MUST calculate the correct value
+ of the Message-Authenticator and silently discard the packet if it
+ does not match the value sent.
+
+
+
+
+
+
+Rigney, et al. Informational [Page 33]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+ A RADIUS Client receiving an Access-Accept, Access-Reject or
+ Access-Challenge with a Message-Authenticator Attribute present
+ MUST calculate the correct value of the Message-Authenticator and
+ silently discard the packet if it does not match the value sent.
+
+ Earlier drafts of this memo used "Signature" as the name of this
+ attribute, but Message-Authenticator is more precise. Its
+ operation has not changed, just the name.
+
+ A summary of the Message-Authenticator attribute format is shown
+ below. The fields are transmitted from left to right.
+
+ 0 1 2
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Length | String...
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Type
+
+ 80 for Message-Authenticator
+
+ Length
+
+ 18
+
+ String
+
+ When present in an Access-Request packet, Message-Authenticator is
+ an HMAC-MD5 [9] checksum of the entire Access-Request packet,
+ including Type, ID, Length and authenticator, using the shared
+ secret as the key, as follows.
+
+ Message-Authenticator = HMAC-MD5 (Type, Identifier, Length,
+ Request Authenticator, Attributes)
+
+ When the checksum is calculated the signature string should be
+ considered to be sixteen octets of zero.
+
+ For Access-Challenge, Access-Accept, and Access-Reject packets,
+ the Message-Authenticator is calculated as follows, using the
+ Request-Authenticator from the Access-Request this packet is in
+ reply to:
+
+ Message-Authenticator = HMAC-MD5 (Type, Identifier, Length,
+ Request Authenticator, Attributes)
+
+
+
+
+
+Rigney, et al. Informational [Page 34]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+ When the checksum is calculated the signature string should be
+ considered to be sixteen octets of zero. The shared secret is
+ used as the key for the HMAC-MD5 hash. The is calculated and
+ inserted in the packet before the Response Authenticator is
+ calculated.
+
+ This attribute is not needed if the User-Password attribute is
+ present, but is useful for preventing attacks on other types of
+ authentication. This attribute is intended to thwart attempts by
+ an attacker to setup a "rogue" NAS, and perform online dictionary
+ attacks against the RADIUS server. It does not afford protection
+ against "offline" attacks where the attacker intercepts packets
+ containing (for example) CHAP challenge and response, and performs
+ a dictionary attack against those packets offline.
+
+ IP Security will eventually make this attribute unnecessary, so it
+ should be considered an interim measure.
+
+5.15. ARAP-Challenge-Response
+
+ Description
+
+ This attribute is sent in an Access-Accept packet with Framed-
+ Protocol of ARAP, and contains the response to the dial-in
+ client's challenge.
+
+ A summary of the ARAP-Challenge-Response attribute format is shown
+ below. The fields are transmitted from left to right.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Length | Value...
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Type
+
+ 84 for ARAP-Challenge-Response.
+
+ Length
+
+ 10
+
+
+
+
+
+Rigney, et al. Informational [Page 35]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+ Value
+
+ The Value field contains an 8 octet response to the dial-in
+ client's challenge. The RADIUS server calculates this value by
+ taking the dial-in client's challenge from the high order 8 octets
+ of the ARAP-Password attribute and performing DES encryption on
+ this value with the authenticating user's password as the key. If
+ the user's password is less than 8 octets in length, the password
+ is padded at the end with NULL octets to a length of 8 before
+ using it as a key.
+
+5.16. Acct-Interim-Interval
+
+ Description
+
+ This attribute indicates the number of seconds between each
+ interim update in seconds for this specific session. This value
+ can only appear in the Access-Accept message.
+
+ A summary of the Acct-Interim-Interval attribute format is shown
+ below. The fields are transmitted from left to right.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Length | Value
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Value (cont) |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Type
+
+ 85 for Acct-Interim-Interval.
+
+ Length
+
+ 6
+
+ Value
+
+ The Value field contains the number of seconds between each
+ interim update to be sent from the NAS for this session. The value
+ MUST NOT be smaller than 60. The value SHOULD NOT be smaller than
+ 600, and careful consideration should be given to its impact on
+ network traffic.
+
+
+
+
+
+
+Rigney, et al. Informational [Page 36]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+5.17. NAS-Port-Id
+
+ Description
+
+ This Attribute contains a text string which identifies the port of
+ the NAS which is authenticating the user. It is only used in
+ Access-Request and Accounting-Request packets. Note that this is
+ using "port" in its sense of a physical connection on the NAS, not
+ in the sense of a TCP or UDP port number.
+
+ Either NAS-Port or NAS-Port-Id SHOULD be present in an Access-
+ Request packet, if the NAS differentiates among its ports. NAS-
+ Port-Id is intended for use by NASes which cannot conveniently
+ number their ports.
+
+ A summary of the NAS-Port-Id Attribute format is shown below. The
+ fields are transmitted from left to right.
+
+ 0 1 2
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Length | Text...
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+ Type
+
+ 87 for NAS-Port-Id.
+
+ Length
+
+ >= 3
+
+ Text
+
+ The Text field contains the name of the port using UTF-8 encoded
+ 10646 [8] characters.
+
+5.18. Framed-Pool
+
+ Description
+
+ This Attribute contains the name of an assigned address pool that
+ SHOULD be used to assign an address for the user. If a NAS does
+ not support multiple address pools, the NAS should ignore this
+ Attribute. Address pools are usually used for IP addresses, but
+ can be used for other protocols if the NAS supports pools for
+ those protocols.
+
+
+
+Rigney, et al. Informational [Page 37]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+ A summary of the Framed-Pool Attribute format is shown below. The
+ fields are transmitted from left to right.
+
+ 0 1 2
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Length | String...
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Type
+
+ 88 for Framed-Pool
+
+ Length
+
+ >= 3
+
+ String
+
+ The string field contains the name of an assigned address pool
+ configured on the NAS.
+
+5.19. Table of Attributes
+
+ The following table provides a guide to which attributes may be found
+ in which kind of packets. Acct-Input-Gigawords, Acct-Output-
+ Gigawords, Event-Timestamp, and NAS-Port-Id may have 0-1 instances in
+ an Accounting-Request packet. Connect-Info may have 0+ instances in
+ an Accounting-Request packet. The other attributes added in this
+ document must not be present in an Accounting-Request.
+
+Request Accept Reject Challenge # Attribute
+0-1 0 0 0 70 ARAP-Password [Note 1]
+0 0-1 0 0-1 71 ARAP-Features
+0 0-1 0 0 72 ARAP-Zone-Access
+0-1 0 0 0-1 73 ARAP-Security
+0+ 0 0 0+ 74 ARAP-Security-Data
+0 0 0-1 0 75 Password-Retry
+0 0 0 0-1 76 Prompt
+0-1 0 0 0 77 Connect-Info
+0 0+ 0 0 78 Configuration-Token
+0+ 0+ 0+ 0+ 79 EAP-Message [Note 1]
+0-1 0-1 0-1 0-1 80 Message-Authenticator [Note 1]
+0 0-1 0 0-1 84 ARAP-Challenge-Response
+0 0-1 0 0 85 Acct-Interim-Interval
+0-1 0 0 0 87 NAS-Port-Id
+0 0-1 0 0 88 Framed-Pool
+Request Accept Reject Challenge # Attribute
+
+
+
+Rigney, et al. Informational [Page 38]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+ [Note 1] An Access-Request that contains either a User-Password or
+ CHAP-Password or ARAP-Password or one or more EAP-Message attributes
+ MUST NOT contain more than one type of those four attributes. If it
+ does not contain any of those four attributes, it SHOULD contain a
+ Message-Authenticator. If any packet type contains an EAP-Message
+ attribute it MUST also contain a Message-Authenticator.
+
+ The following table defines the above table entries.
+
+ 0 This attribute MUST NOT be present
+ 0+ Zero or more instances of this attribute MAY be present.
+ 0-1 Zero or one instance of this attribute MAY be present.
+ 1 Exactly one instance of this attribute MUST be present.
+
+6. IANA Considerations
+
+ The Packet Type Codes, Attribute Types, and Attribute Values defined
+ in this document are registered by the Internet Assigned Numbers
+ Authority (IANA) from the RADIUS name spaces as described in the
+ "IANA Considerations" section of [1], in accordance with BCP 26 [10].
+
+7. Security Considerations
+
+ The attributes other than Message-Authenticator and EAP-Message in
+ this document have no additional security considerations beyond those
+ already identified in [1].
+
+7.1. Message-Authenticator Security
+
+ Access-Request packets with a User-Password establish the identity of
+ both the user and the NAS sending the Access-Request, because of the
+ way the shared secret between NAS and RADIUS server is used.
+ Access-Request packets with CHAP-Password or EAP-Message do not have
+ a User-Password attribute, so the Message-Authenticator attribute
+ should be used in access-request packets that do not have a User-
+ Password, in order to establish the identity of the NAS sending the
+ request.
+
+7.2. EAP Security
+
+ Since the purpose of EAP is to provide enhanced security for PPP
+ authentication, it is critical that RADIUS support for EAP be secure.
+ In particular, the following issues must be addressed:
+
+ Separation of EAP server and PPP authenticator
+ Connection hijacking
+ Man in the middle attacks
+ Multiple databases
+
+
+
+Rigney, et al. Informational [Page 39]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+ Negotiation attacks
+
+7.2.1. Separation of EAP server and PPP authenticator
+
+ It is possible for the EAP endpoints to mutually authenticate,
+ negotiate a ciphersuite, and derive a session key for subsequent use
+ in PPP encryption.
+
+ This does not present an issue on the peer, since the peer and EAP
+ client reside on the same machine; all that is required is for the
+ EAP client module to pass the session key to the PPP encryption
+ module.
+
+ The situation is more complex when EAP is used with RADIUS, since the
+ PPP authenticator will typically not reside on the same machine as
+ the EAP server. For example, the EAP server may be a backend security
+ server, or a module residing on the RADIUS server.
+
+ In the case where the EAP server and PPP authenticator reside on
+ different machines, there are several implications for security.
+ Firstly, mutual authentication will occur between the peer and the
+ EAP server, not between the peer and the authenticator. This means
+ that it is not possible for the peer to validate the identity of the
+ NAS or tunnel server that it is speaking to.
+
+ As described earlier, when EAP/RADIUS is used to encapsulate EAP
+ packets, the Message-Authenticator attribute is required in
+ EAP/RADIUS Access-Requests sent from the NAS or tunnel server to the
+ RADIUS server. Since the Message-Authenticator attribute involves a
+ HMAC-MD5 hash, it is possible for the RADIUS server to verify the
+ integrity of the Access-Request as well as the NAS or tunnel server's
+ identity. Similarly, Access-Challenge packets sent from the RADIUS
+ server to the NAS are also authenticated and integrity protected
+ using an HMAC-MD5 hash, enabling the NAS or tunnel server to
+ determine the integrity of the packet and verify the identity of the
+ RADIUS server. Moreover, EAP packets sent via methods that contain
+ their own integrity protection cannot be successfully modified by a
+ rogue NAS or tunnel server.
+
+ The second issue that arises in the case of an EAP server and PPP
+ authenticator residing on different machines is that the session key
+ negotiated between the peer and EAP server will need to be
+ transmitted to the authenticator. Therefore a mechanism needs to be
+ provided to transmit the session key from the EAP server to the
+ authenticator or tunnel server that needs to use the key. The
+ specification of this transit mechanism is outside the scope of this
+ document.
+
+
+
+
+Rigney, et al. Informational [Page 40]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+7.2.2. Connection hijacking
+
+ In this form of attack, the attacker attempts to inject packets into
+ the conversation between the NAS and the RADIUS server, or between
+ the RADIUS server and the backend security server. RADIUS does not
+ support encryption, and as described in [1], only Access-Reply and
+ Access-Challenge packets are integrity protected. Moreover, the
+ integrity protection mechanism described in [1] is weaker than that
+ likely to be used by some EAP methods, making it possible to subvert
+ those methods by attacking EAP/RADIUS.
+
+ In order to provide for authentication of all packets in the EAP
+ exchange, all EAP/RADIUS packets MUST be authenticated using the
+ Message-Authenticator attribute, as described previously.
+
+7.2.3. Man in the middle attacks
+
+ Since RADIUS security is based on shared secrets, end-to-end security
+ is not provided in the case where authentication or accounting
+ packets are forwarded along a proxy chain. As a result, attackers
+ gaining control of a RADIUS proxy will be able to modify EAP packets
+ in transit.
+
+7.2.4. Multiple databases
+
+ In many cases a backend security server will be deployed along with a
+ RADIUS server in order to provide EAP services. Unless the backend
+ security server also functions as a RADIUS server, two separate user
+ databases will exist, each containing information about the security
+ requirements for the user. This represents a weakness, since security
+ may be compromised by a successful attack on either of the servers,
+ or their backend databases. With multiple user databases, adding a
+ new user may require multiple operations, increasing the chances for
+ error. The problems are further magnified in the case where user
+ information is also being kept in an LDAP server. In this case, three
+ stores of user information may exist.
+
+ In order to address these threats, consolidation of databases is
+ recommended. This can be achieved by having both the RADIUS server
+ and backend security server store information in the same backend
+ database; by having the backend security server provide a full RADIUS
+ implementation; or by consolidating both the backend security server
+ and the RADIUS server onto the same machine.
+
+
+
+
+
+
+
+
+Rigney, et al. Informational [Page 41]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+7.2.5. Negotiation attacks
+
+ In a negotiation attack, a rogue NAS, tunnel server, RADIUS proxy or
+ RADIUS server causes the authenticating peer to choose a less secure
+ authentication method so as to make it easier to obtain the user's
+ password. For example, a session that would normally be authenticated
+ with EAP would instead authenticated via CHAP or PAP; alternatively,
+ a connection that would normally be authenticated via one EAP type
+ occurs via a less secure EAP type, such as MD5. The threat posed by
+ rogue devices, once thought to be remote, has gained currency given
+ compromises of telephone company switching systems, such as those
+ described in [11].
+
+ Protection against negotiation attacks requires the elimination of
+ downward negotiations. This can be achieved via implementation of
+ per-connection policy on the part of the authenticating peer, and
+ per-user policy on the part of the RADIUS server.
+
+ For the authenticating peer, authentication policy should be set on a
+ per-connection basis. Per-connection policy allows an authenticating
+ peer to negotiate EAP when calling one service, while negotiating
+ CHAP for another service, even if both services are accessible via
+ the same phone number.
+
+ With per-connection policy, an authenticating peer will only attempt
+ to negotiate EAP for a session in which EAP support is expected. As a
+ result, there is a presumption that an authenticating peer selecting
+ EAP requires that level of security. If it cannot be provided, it is
+ likely that there is some kind of misconfiguration, or even that the
+ authenticating peer is contacting the wrong server. Should the NAS
+ not be able to negotiate EAP, or should the EAP-Request sent by the
+ NAS be of a different EAP type than what is expected, the
+ authenticating peer MUST disconnect. An authenticating peer expecting
+ EAP to be negotiated for a session MUST NOT negotiate CHAP or PAP.
+
+ For a NAS, it may not be possible to determine whether a user is
+ required to authenticate with EAP until the user's identity is known.
+ For example, for shared-uses NASes it is possible for one reseller to
+ implement EAP while another does not. In such cases, if any users of
+ the NAS MUST do EAP, then the NAS MUST attempt to negotiate EAP for
+ every call. This avoids forcing an EAP-capable client to do more than
+ one authentication, which weakens security.
+
+ If CHAP is negotiated, the NAS will pass the User-Name and CHAP-
+ Password attributes to the RADIUS Server in an Access-Request packet.
+ If the user is not required to use EAP, then the RADIUS Server will
+ respond with an Access-Accept or Access-Reject packet as appropriate.
+ However, if CHAP has been negotiated but EAP is required, the RADIUS
+
+
+
+Rigney, et al. Informational [Page 42]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+ server MUST respond with an Access-Reject, rather than an Access-
+ Challenge/EAP-Message/EAP-Request packet. The authenticating peer
+ MUST refuse to renegotiate authentication, even if the renegotiation
+ is from CHAP to EAP.
+
+ If EAP is negotiated but is not supported by the RADIUS proxy or
+ server, then the server or proxy MUST respond with an Access-Reject.
+ In these cases, the NAS MUST send an LCP-Terminate and disconnect the
+ user. This is the correct behavior since the authenticating peer is
+ expecting EAP to be negotiated, and that expectation cannot be
+ fulfilled. An EAP-capable authenticating peer MUST refuse to
+ renegotiate the authentication protocol if EAP had initially been
+ negotiated. Note that problems with a non-EAP capable RADIUS proxy
+ could prove difficult to diagnose, since a user dialing in from one
+ location (with an EAP-capable proxy) might be able to successfully
+ authenticate via EAP, while the same user dialing into another
+ location (and encountering an EAP-incapable proxy) might be
+ consistently disconnected.
+
+8. References
+
+ [1] Rigney, C., Willens, S., Rubens, A. and W. Simpson, "Remote
+ Authentication Dial In User Service (RADIUS)", RFC 2865, June
+ 2000.
+
+ [2] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
+
+ [3] Blunk, L. and J. Vollbrecht, "PPP Extensible Authentication
+ Protocol (EAP)", RFC 2284, March 1998.
+
+ [4] Bradner, S., "Key words for use in RFCs to Indicate Requirement
+ Levels", BCP 14, RFC 2119, March, 1997.
+
+ [5] Reynolds, J. and J. Postel, "Assigned Numbers", STD 2, RFC 1700,
+ October 1994.
+
+ [6] Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege, M. and
+ I. Goyret, "RADIUS Attributes for Tunnel Protocol Support", RFC
+ 2868, June 2000.
+
+ [7] Zorn, G., Aboba, B. and D. Mitton, "RADIUS Accounting
+ Modifications for Tunnel Protocol Support", RFC 2867, June 2000.
+
+ [8] Yergeau, F., "UTF-8, a transformation format of ISO 10646", RFC
+ 2279, January 1998.
+
+
+
+
+
+
+Rigney, et al. Informational [Page 43]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+ [9] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC: Keyed-Hashing
+ for Message Authentication", RFC 2104, February 1997.
+
+ [10] Alvestrand, H. and T. Narten, "Guidelines for Writing an IANA
+ Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
+
+ [11] Slatalla, M., and Quittner, J., "Masters of Deception."
+ HarperCollins, New York, 1995.
+
+9. Acknowledgements
+
+ RADIUS and RADIUS Accounting were originally developed by Livingston
+ Enterprises (now part of Lucent Technologies) for their PortMaster
+ series of Network Access Servers.
+
+ The section on ARAP is adopted with permission from "Using RADIUS to
+ Authenticate Apple Remote Access Connections" by Ward Willats of Cyno
+ Technologies (ward@cyno.com).
+
+ The section on Acct-Interim-Interval is adopted with permission from
+ an earlier work in progress by Pat Calhoun of Sun Microsystems, Mark
+ Beadles of Compuserve, and Alex Ratcliffe of UUNET Technologies.
+
+ The section on EAP is adopted with permission from an earlier work in
+ progress by Pat Calhoun of Sun Microsystems, Allan Rubens of Merit
+ Network, and Bernard Aboba of Microsoft. Thanks also to Dave Dawson
+ and Karl Fox of Ascend, and Glen Zorn and Narendra Gidwani of
+ Microsoft for useful discussions of this problem space.
+
+10. Chair's Address
+
+ The RADIUS working group can be contacted via the current chair:
+
+ Carl Rigney
+ Livingston Enterprises
+ 4464 Willow Road
+ Pleasanton, California 94588
+
+ Phone: +1 925 737 2100
+ EMail: cdr@telemancy.com
+
+
+
+
+
+
+
+
+
+
+
+Rigney, et al. Informational [Page 44]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+11. Authors' Addresses
+
+ Questions about this memo can also be directed to:
+
+ Carl Rigney
+ Livingston Enterprises
+ 4464 Willow Road
+ Pleasanton, California 94588
+
+ EMail: cdr@telemancy.com
+
+ Questions on ARAP and RADIUS may be directed to:
+
+ Ward Willats
+ Cyno Technologies
+ 1082 Glen Echo Ave
+ San Jose, CA 95125
+
+ Phone: +1 408 297 7766
+ EMail: ward@cyno.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Rigney, et al. Informational [Page 45]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+ Questions on EAP and RADIUS may be directed to any of the following:
+
+ Pat R. Calhoun
+ Network and Security Research Center
+ Sun Microsystems, Inc.
+ 15 Network Circle
+ Menlo Park, CA 94025
+
+ Phone: +1 650 786 7733
+ EMail: pcalhoun@eng.sun.com
+
+
+ Allan C. Rubens
+ Tut Systems, Inc.
+ 220 E. Huron, Suite 260
+ Ann Arbor, MI 48104
+
+ Phone: +1 734 995 1697
+ EMail: arubens@tutsys.com
+
+
+ Bernard Aboba
+ Microsoft Corporation
+ One Microsoft Way
+ Redmond, WA 98052
+
+ Phone: +1 425 936 6605
+ EMail: bernarda@microsoft.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Rigney, et al. Informational [Page 46]
+
+RFC 2869 RADIUS Extensions June 2000
+
+
+12. Full Copyright Statement
+
+ Copyright (C) The Internet Society (2000). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Rigney, et al. Informational [Page 47]
+