summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc3576.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc3576.txt')
-rw-r--r--doc/rfc/rfc3576.txt1683
1 files changed, 1683 insertions, 0 deletions
diff --git a/doc/rfc/rfc3576.txt b/doc/rfc/rfc3576.txt
new file mode 100644
index 0000000..89fd9eb
--- /dev/null
+++ b/doc/rfc/rfc3576.txt
@@ -0,0 +1,1683 @@
+
+
+
+
+
+
+Network Working Group M. Chiba
+Request for Comments: 3576 G. Dommety
+Category: Informational M. Eklund
+ Cisco Systems, Inc.
+ D. Mitton
+ Circular Logic, UnLtd.
+ B. Aboba
+ Microsoft Corporation
+ July 2003
+
+
+ Dynamic Authorization Extensions to Remote
+ Authentication Dial In User Service (RADIUS)
+
+Status of this Memo
+
+ This memo provides information for the Internet community. It does
+ not specify an Internet standard of any kind. Distribution of this
+ memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+Abstract
+
+ This document describes a currently deployed extension to the Remote
+ Authentication Dial In User Service (RADIUS) protocol, allowing
+ dynamic changes to a user session, as implemented by network access
+ server products. This includes support for disconnecting users and
+ changing authorizations applicable to a user session.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Chiba, et al. Informational [Page 1]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 1.1. Applicability. . . . . . . . . . . . . . . . . . . . . . 3
+ 1.2. Requirements Language . . . . . . . . . . . . . . . . . 5
+ 1.3. Terminology. . . . . . . . . . . . . . . . . . . . . . . 5
+ 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
+ 2.1. Disconnect Messages (DM) . . . . . . . . . . . . . . . . 5
+ 2.2. Change-of-Authorization Messages (CoA) . . . . . . . . . 6
+ 2.3. Packet Format. . . . . . . . . . . . . . . . . . . . . . 7
+ 3. Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . 11
+ 3.1. Error-Cause. . . . . . . . . . . . . . . . . . . . . . . 13
+ 3.2. Table of Attributes. . . . . . . . . . . . . . . . . . . 16
+ 4. IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 20
+ 5. Security Considerations. . . . . . . . . . . . . . . . . . . . 21
+ 5.1. Authorization Issues . . . . . . . . . . . . . . . . . . 21
+ 5.2. Impersonation. . . . . . . . . . . . . . . . . . . . . . 22
+ 5.3. IPsec Usage Guidelines . . . . . . . . . . . . . . . . . 22
+ 5.4. Replay Protection. . . . . . . . . . . . . . . . . . . . 25
+ 6. Example Traces . . . . . . . . . . . . . . . . . . . . . . . . 26
+ 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 26
+ 7.1. Normative References . . . . . . . . . . . . . . . . . . 26
+ 7.2. Informative References . . . . . . . . . . . . . . . . . 27
+ 8. Intellectual Property Statement. . . . . . . . . . . . . . . . 28
+ 9. Acknowledgements. . . . . . . . . . . . . . . . . . . . . . . 28
+ 10. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 29
+ 11. Full Copyright Statement . . . . . . . . . . . . . . . . . . . 30
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Chiba, et al. Informational [Page 2]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+1. Introduction
+
+ The RADIUS protocol, defined in [RFC2865], does not support
+ unsolicited messages sent from the RADIUS server to the Network
+ Access Server (NAS).
+
+ However, there are many instances in which it is desirable for
+ changes to be made to session characteristics, without requiring the
+ NAS to initiate the exchange. For example, it may be desirable for
+ administrators to be able to terminate a user session in progress.
+ Alternatively, if the user changes authorization level, this may
+ require that authorization attributes be added/deleted from a user
+ session.
+
+ To overcome these limitations, several vendors have implemented
+ additional RADIUS commands in order to be able to support unsolicited
+ messages sent from the RADIUS server to the NAS. These extended
+ commands provide support for Disconnect and Change-of-Authorization
+ (CoA) messages. Disconnect messages cause a user session to be
+ terminated immediately, whereas CoA messages modify session
+ authorization attributes such as data filters.
+
+1.1. Applicability
+
+ This protocol is being recommended for publication as an
+ Informational RFC rather than as a standards-track RFC because of
+ problems that cannot be fixed without creating incompatibilities with
+ deployed implementations. This includes security vulnerabilities, as
+ well as semantic ambiguities resulting from the design of the
+ Change-of-Authorization (CoA) commands. While fixes are recommended,
+ they cannot be made mandatory since this would be incompatible with
+ existing implementations.
+
+ Existing implementations of this protocol do not support
+ authorization checks, so that an ISP sharing a NAS with another ISP
+ could disconnect or change authorizations for another ISP's users.
+ In order to remedy this problem, a "Reverse Path Forwarding" check is
+ recommended. See Section 5.1. for details.
+
+ Existing implementations utilize per-packet authentication and
+ integrity protection algorithms with known weaknesses [MD5Attack].
+ To provide stronger per-packet authentication and integrity
+ protection, the use of IPsec is recommended. See Section 5.3. for
+ details.
+
+
+
+
+
+
+
+Chiba, et al. Informational [Page 3]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+ Existing implementations lack replay protection. In order to support
+ replay detection, it is recommended that the Event-Timestamp
+ Attribute be added to all messages in situations where IPsec replay
+ protection is not employed. Implementations should be configurable
+ to silently discard messages lacking the Event-Timestamp Attribute.
+ See Section 5.4. for details.
+
+ The approach taken with CoA commands in existing implementations
+ results in a semantic ambiguity. Existing implementations of the
+ CoA-Request identify the affected session, as well as supply the
+ authorization changes. Since RADIUS Attributes included within
+ existing implementations of the CoA-Request can be used for session
+ identification or authorization change, it may not be clear which
+ function a given attribute is serving.
+
+ The problem does not exist within [Diameter], in which authorization
+ change is requested by a command using Attribute Value Pairs (AVPs)
+ solely for identification, resulting in initiation of a standard
+ Request/Response sequence where authorization changes are supplied.
+ As a result, in no command can Diameter AVPs have multiple potential
+ meanings.
+
+ Due to differences in handling change-of-authorization requests in
+ RADIUS and Diameter, it may be difficult or impossible for a
+ Diameter/RADIUS gateway to successfully translate existing
+ implementations of this specification to equivalent messages in
+ Diameter. For example, a Diameter command changing any attribute
+ used for identification within existing CoA-Request implementations
+ cannot be translated, since such an authorization change is
+ impossible to carry out in existing implementations. Similarly,
+ translation between existing implementations of Disconnect-Request or
+ CoA-Request messages and Diameter is tricky because a Disconnect-
+ Request or CoA-Request message will need to be translated to multiple
+ Diameter commands.
+
+ To simplify translation between RADIUS and Diameter, a Service-Type
+ Attribute with value "Authorize Only" can (optionally) be included
+ within a Disconnect-Request or CoA-Request. Such a Request contains
+ only identification attributes. A NAS supporting the "Authorize
+ Only" Service-Type within a Disconnect-Request or CoA-Request
+ responds with a NAK containing a Service-Type Attribute with value
+ "Authorize Only" and an Error-Cause Attribute with value "Request
+ Initiated". The NAS will then send an Access-Request containing a
+ Service-Type Attribute with a value of "Authorize Only". This usage
+ sequence is akin to what occurs in Diameter and so is more easily
+ translated by a Diameter/RADIUS gateway.
+
+
+
+
+
+Chiba, et al. Informational [Page 4]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+1.2. Requirements Language
+
+ In this document, several words are used to signify the requirements
+ of the specification. These words are often capitalized. The key
+ words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
+ "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document
+ are to be interpreted as described in [RFC2119].
+
+1.3. Terminology
+
+ This document frequently uses the following terms:
+
+ Network Access Server (NAS): The device providing access to the
+ network.
+
+ service: The NAS provides a service to the user,
+ such as IEEE 802 or PPP.
+
+ session: Each service provided by the NAS to a
+ user constitutes a session, with the
+ beginning of the session defined as the
+ point where service is first provided
+ and the end of the session defined as
+ the point where service is ended. A
+ user may have multiple sessions in
+ parallel or series if the NAS supports
+ that.
+
+ silently discard: This means the implementation discards
+ the packet without further processing.
+ The implementation SHOULD provide the
+ capability of logging the error,
+ including the contents of the silently
+ discarded packet, and SHOULD record the
+ event in a statistics counter.
+
+2. Overview
+
+ This section describes the most commonly implemented features of
+ Disconnect and Change-of-Authorization messages.
+
+2.1. Disconnect Messages (DM)
+
+ A Disconnect-Request packet is sent by the RADIUS server in order to
+ terminate a user session on a NAS and discard all associated session
+ context. The Disconnect-Request packet is sent to UDP port 3799, and
+ identifies the NAS as well as the user session to be terminated by
+ inclusion of the identification attributes described in Section 3.
+
+
+
+Chiba, et al. Informational [Page 5]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+ +----------+ Disconnect-Request +----------+
+ | | <-------------------- | |
+ | NAS | | RADIUS |
+ | | Disconnect-Response | Server |
+ | | ---------------------> | |
+ +----------+ +----------+
+
+ The NAS responds to a Disconnect-Request packet sent by a RADIUS
+ server with a Disconnect-ACK if all associated session context is
+ discarded and the user session is no longer connected, or a
+ Disconnect-NAK, if the NAS was unable to disconnect the session and
+ discard all associated session context. A NAS MUST respond to a
+ Disconnect-Request including a Service-Type Attribute with value
+ "Authorize Only" with a Disconnect-NAK; a Disconnect-ACK MUST NOT be
+ sent. A NAS MUST respond to a Disconnect-Request including a
+ Service-Type Attribute with an unsupported value with a Disconnect-
+ NAK; an Error-Cause Attribute with value "Unsupported Service" MAY be
+ included. A Disconnect-ACK MAY contain the Attribute
+ Acct-Terminate-Cause (49) [RFC2866] with the value set to 6 for
+ Admin-Reset.
+
+2.2. Change-of-Authorization Messages (CoA)
+
+ CoA-Request packets contain information for dynamically changing
+ session authorizations. This is typically used to change data
+ filters. The data filters can be of either the ingress or egress
+ kind, and are sent in addition to the identification attributes as
+ described in section 3. The port used, and packet format (described
+ in Section 2.3.), are the same as that for Disconnect-Request
+ Messages.
+
+ The following attribute MAY be sent in a CoA-Request:
+
+ Filter-ID (11) - Indicates the name of a data filter list to be
+ applied for the session that the identification
+ attributes map to.
+
+ +----------+ CoA-Request +----------+
+ | | <-------------------- | |
+ | NAS | | RADIUS |
+ | | CoA-Response | Server |
+ | | ---------------------> | |
+ +----------+ +----------+
+
+ The NAS responds to a CoA-Request sent by a RADIUS server with a
+ CoA-ACK if the NAS is able to successfully change the authorizations
+ for the user session, or a CoA-NAK if the Request is unsuccessful. A
+ NAS MUST respond to a CoA-Request including a Service-Type Attribute
+
+
+
+Chiba, et al. Informational [Page 6]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+ with value "Authorize Only" with a CoA-NAK; a CoA-ACK MUST NOT be
+ sent. A NAS MUST respond to a CoA-Request including a Service-Type
+ Attribute with an unsupported value with a CoA-NAK; an Error-Cause
+ Attribute with value "Unsupported Service" MAY be included.
+
+2.3. Packet Format
+
+ For either Disconnect-Request or CoA-Request messages UDP port 3799
+ is used as the destination port. For responses, the source and
+ destination ports are reversed. Exactly one RADIUS packet is
+ encapsulated in the UDP Data field.
+
+ A summary of the data format is shown below. The fields are
+ transmitted from left to right.
+
+ The packet format consists of the fields: Code, Identifier, Length,
+ Authenticator, and Attributes in Type:Length:Value (TLV) format. All
+ fields hold the same meaning as those described in RADIUS [RFC2865].
+ The Authenticator field MUST be calculated in the same way as is
+ specified for an Accounting-Request in [RFC2866].
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Code | Identifier | Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ | Authenticator |
+ | |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Attributes ...
+ +-+-+-+-+-+-+-+-+-+-+-+-+-
+
+ Code
+
+ The Code field is one octet, and identifies the type of RADIUS
+ packet. Packets received with an invalid Code field MUST be
+ silently discarded. RADIUS codes (decimal) for this extension are
+ assigned as follows:
+
+ 40 - Disconnect-Request [RFC2882]
+ 41 - Disconnect-ACK [RFC2882]
+ 42 - Disconnect-NAK [RFC2882]
+ 43 - CoA-Request [RFC2882]
+ 44 - CoA-ACK [RFC2882]
+ 45 - CoA-NAK [RFC2882]
+
+
+
+
+Chiba, et al. Informational [Page 7]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+ Identifier
+
+ The Identifier field is one octet, and aids in matching requests
+ and replies. The RADIUS client can detect a duplicate request if
+ it has the same server source IP address and source UDP port and
+ Identifier within a short span of time.
+
+ Unlike RADIUS as defined in [RFC2865], the responsibility for
+ retransmission of Disconnect-Request and CoA-Request messages lies
+ with the RADIUS server. If after sending these messages, the
+ RADIUS server does not receive a response, it will retransmit.
+
+ The Identifier field MUST be changed whenever the content of the
+ Attributes field changes, or whenever a valid reply has been
+ received for a previous request. For retransmissions where the
+ contents are identical, the Identifier MUST remain unchanged.
+
+ If the RADIUS server is retransmitting a Disconnect-Request or
+ CoA-Request to the same client as before, and the Attributes have
+ not changed, the same Request Authenticator, Identifier and source
+ port MUST be used. If any Attributes have changed, a new
+ Authenticator and Identifier MUST be used.
+
+ Note that if the Event-Timestamp Attribute is included, it will be
+ updated when the packet is retransmitted, changing the content of
+ the Attributes field and requiring a new Identifier and Request
+ Authenticator.
+
+ If the Request to a primary proxy fails, a secondary proxy must be
+ queried, if available. Issues relating to failover algorithms are
+ described in [AAATransport]. Since this represents a new request,
+ a new Request Authenticator and Identifier MUST be used. However,
+ where the RADIUS server is sending directly to the client,
+ failover typically does not make sense, since Disconnect or CoA
+ messages need to be delivered to the NAS where the session
+ resides.
+
+ Length
+
+ The Length field is two octets. It indicates the length of the
+ packet including the Code, Identifier, Length, Authenticator and
+ Attribute fields. Octets outside the range of the Length field
+ MUST be treated as padding and ignored on reception. If the
+ packet is shorter than the Length field indicates, it MUST be
+ silently discarded. The minimum length is 20 and the maximum
+ length is 4096.
+
+
+
+
+
+Chiba, et al. Informational [Page 8]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+ Authenticator
+
+ The Authenticator field is sixteen (16) octets. The most
+ significant octet is transmitted first. This value is used to
+ authenticate the messages between the RADIUS server and client.
+
+ Request Authenticator
+
+ In Request packets, the Authenticator value is a 16 octet MD5
+ [RFC1321] checksum, called the Request Authenticator. The Request
+ Authenticator is calculated the same way as for an Accounting-
+ Request, specified in [RFC2866].
+
+ Note that the Request Authenticator of a Disconnect or CoA-Request
+ cannot be done the same way as the Request Authenticator of a
+ RADIUS Access-Request, because there is no User-Password Attribute
+ in a Disconnect-Request or CoA-Request.
+
+ Response Authenticator
+
+ The Authenticator field in a Response packet (e.g. Disconnect-ACK,
+ Disconnect-NAK, CoA-ACK, or CoA-NAK) is called the Response
+ Authenticator, and contains a one-way MD5 hash calculated over a
+ stream of octets consisting of the Code, Identifier, Length, the
+ Request Authenticator field from the packet being replied to, and
+ the response Attributes if any, followed by the shared secret.
+ The resulting 16 octet MD5 hash value is stored in the
+ Authenticator field of the Response packet.
+
+ Administrative note: As noted in [RFC2865] Section 3, the secret
+ (password shared between the client and the RADIUS server) SHOULD be
+ at least as large and unguessable as a well-chosen password. RADIUS
+ clients MUST use the source IP address of the RADIUS UDP packet to
+ decide which shared secret to use, so that requests can be proxied.
+
+ Attributes
+
+ In Disconnect and CoA-Request messages, all Attributes are treated
+ as mandatory. A NAS MUST respond to a CoA-Request containing one
+ or more unsupported Attributes or Attribute values with a CoA-NAK;
+ a Disconnect-Request containing one or more unsupported Attributes
+ or Attribute values MUST be answered with a Disconnect-NAK. State
+ changes resulting from a CoA-Request MUST be atomic: if the
+ Request is successful, a CoA-ACK is sent, and all requested
+ authorization changes MUST be made. If the CoA-Request is
+ unsuccessful, a CoA-NAK MUST be sent, and the requested
+
+
+
+
+
+Chiba, et al. Informational [Page 9]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+ authorization changes MUST NOT be made. Similarly, a state change
+ MUST NOT occur as a result of an unsuccessful Disconnect-Request;
+ here a Disconnect-NAK MUST be sent.
+
+ Since within this specification attributes may be used for
+ identification, authorization or other purposes, even if a NAS
+ implements an attribute for use with RADIUS authentication and
+ accounting, it may not support inclusion of that attribute within
+ Disconnect-Request or CoA-Request messages, given the difference
+ in attribute semantics. This is true even for attributes
+ specified within [RFC2865], [RFC2868], [RFC2869] or [RFC3162] as
+ allowable within Access-Accept messages.
+
+ As a result, attributes beyond those specified in Section 3.2.
+ SHOULD NOT be included within Disconnect or CoA messages since
+ this could produce unpredictable results.
+
+ When using a forwarding proxy, the proxy must be able to alter the
+ packet as it passes through in each direction. When the proxy
+ forwards a Disconnect or CoA-Request, it MAY add a Proxy-State
+ Attribute, and when the proxy forwards a response, it MUST remove
+ its Proxy-State Attribute if it added one. Proxy-State is always
+ added or removed after any other Proxy-States, but no other
+ assumptions regarding its location within the list of Attributes
+ can be made. Since Disconnect and CoA responses are authenticated
+ on the entire packet contents, the stripping of the Proxy-State
+ Attribute invalidates the integrity check - so the proxy needs to
+ recompute it. A forwarding proxy MUST NOT modify existing Proxy-
+ State, State, or Class Attributes present in the packet.
+
+ If there are any Proxy-State Attributes in a Disconnect-Request or
+ CoA-Request received from the server, the forwarding proxy MUST
+ include those Proxy-State Attributes in its response to the
+ server. The forwarding proxy MAY include the Proxy-State
+ Attributes in the Disconnect-Request or CoA-Request when it
+ forwards the request, or it MAY omit them in the forwarded
+ request. If the forwarding proxy omits the Proxy-State Attributes
+ in the request, it MUST attach them to the response before sending
+ it to the server.
+
+
+
+
+
+
+
+
+
+
+
+
+Chiba, et al. Informational [Page 10]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+3. Attributes
+
+ In Disconnect-Request and CoA-Request packets, certain attributes are
+ used to uniquely identify the NAS as well as a user session on the
+ NAS. All NAS identification attributes included in a Request message
+ MUST match in order for a Disconnect-Request or CoA-Request to be
+ successful; otherwise a Disconnect-NAK or CoA-NAK SHOULD be sent.
+ For session identification attributes, the User-Name and Acct-
+ Session-Id Attributes, if included, MUST match in order for a
+ Disconnect-Request or CoA-Request to be successful; other session
+ identification attributes SHOULD match. Where a mismatch of session
+ identification attributes is detected, a Disconnect-NAK or CoA-NAK
+ SHOULD be sent. The ability to use NAS or session identification
+ attributes to map to unique/multiple sessions is beyond the scope of
+ this document. Identification attributes include NAS and session
+ identification attributes, as described below.
+
+ NAS identification attributes
+
+ Attribute # Reference Description
+ --------- --- --------- -----------
+ NAS-IP-Address 4 [RFC2865] The IPv4 address of the NAS.
+ NAS-Identifier 32 [RFC2865] String identifying the NAS.
+ NAS-IPv6-Address 95 [RFC3162] The IPv6 address of the NAS.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Chiba, et al. Informational [Page 11]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+ Session identification attributes
+
+ Attribute # Reference Description
+ --------- --- --------- -----------
+ User-Name 1 [RFC2865] The name of the user
+ associated with the session.
+ NAS-Port 5 [RFC2865] The port on which the
+ session is terminated.
+ Framed-IP-Address 8 [RFC2865] The IPv4 address associated
+ with the session.
+ Called-Station-Id 30 [RFC2865] The link address to which
+ the session is connected.
+ Calling-Station-Id 31 [RFC2865] The link address from which
+ the session is connected.
+ Acct-Session-Id 44 [RFC2866] The identifier uniquely
+ identifying the session
+ on the NAS.
+ Acct-Multi-Session-Id 50 [RFC2866] The identifier uniquely
+ identifying related sessions.
+ NAS-Port-Type 61 [RFC2865] The type of port used.
+ NAS-Port-Id 87 [RFC2869] String identifying the port
+ where the session is.
+ Originating-Line-Info 94 [NASREQ] Provides information on the
+ characteristics of the line
+ from which a session
+ originated.
+ Framed-Interface-Id 96 [RFC3162] The IPv6 Interface Identifier
+ associated with the session;
+ always sent with
+ Framed-IPv6-Prefix.
+ Framed-IPv6-Prefix 97 [RFC3162] The IPv6 prefix associated
+ with the session, always sent
+ with Framed-Interface-Id.
+
+ To address security concerns described in Section 5.1., the User-Name
+ Attribute SHOULD be present in Disconnect-Request or CoA-Request
+ packets; one or more additional session identification attributes MAY
+ also be present. To address security concerns described in Section
+ 5.2., one or more of the NAS-IP-Address or NAS-IPv6-Address
+ Attributes SHOULD be present in Disconnect-Request or CoA-Request
+ packets; the NAS-Identifier Attribute MAY be present in addition.
+
+ If one or more authorization changes specified in a CoA-Request
+ cannot be carried out, or if one or more attributes or attribute-
+ values is unsupported, a CoA-NAK MUST be sent. Similarly, if there
+ are one or more unsupported attributes or attribute values in a
+ Disconnect-Request, a Disconnect-NAK MUST be sent.
+
+
+
+
+Chiba, et al. Informational [Page 12]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+ Where a Service-Type Attribute with value "Authorize Only" is
+ included within a CoA-Request or Disconnect-Request, attributes
+ representing an authorization change MUST NOT be included; only
+ identification attributes are permitted. If attributes other than
+ NAS or session identification attributes are included in such a CoA-
+ Request, implementations MUST send a CoA-NAK; an Error-Cause
+ Attribute with value "Unsupported Attribute" MAY be included.
+ Similarly, if attributes other than NAS or session identification
+ attributes are included in such a Disconnect-Request, implementations
+ MUST send a Disconnect-NAK; an Error-Cause Attribute with value
+ "Unsupported Attribute" MAY be included.
+
+3.1. Error-Cause
+
+ Description
+
+ It is possible that the NAS cannot honor Disconnect-Request or
+ CoA-Request messages for some reason. The Error-Cause Attribute
+ provides more detail on the cause of the problem. It MAY be
+ included within Disconnect-ACK, Disconnect-NAK and CoA-NAK
+ messages.
+
+ A summary of the Error-Cause Attribute format is shown below. The
+ fields are transmitted from left to right.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Length | Value
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ Value (cont) |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Type
+
+ 101 for Error-Cause
+
+ Length
+
+ 6
+
+ Value
+
+ The Value field is four octets, containing an integer specifying
+ the cause of the error. Values 0-199 and 300-399 are reserved.
+ Values 200-299 represent successful completion, so that these
+ values may only be sent within Disconnect-ACK or CoA-ACK message
+ and MUST NOT be sent within a Disconnect-NAK or CoA-NAK. Values
+
+
+
+Chiba, et al. Informational [Page 13]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+ 400-499 represent fatal errors committed by the RADIUS server, so
+ that they MAY be sent within CoA-NAK or Disconnect-NAK messages,
+ and MUST NOT be sent within CoA-ACK or Disconnect-ACK messages.
+ Values 500-599 represent fatal errors occurring on a NAS or RADIUS
+ proxy, so that they MAY be sent within CoA-NAK and Disconnect-NAK
+ messages, and MUST NOT be sent within CoA-ACK or Disconnect-ACK
+ messages. Error-Cause values SHOULD be logged by the RADIUS
+ server. Error-Code values (expressed in decimal) include:
+
+ # Value
+ --- -----
+ 201 Residual Session Context Removed
+ 202 Invalid EAP Packet (Ignored)
+ 401 Unsupported Attribute
+ 402 Missing Attribute
+ 403 NAS Identification Mismatch
+ 404 Invalid Request
+ 405 Unsupported Service
+ 406 Unsupported Extension
+ 501 Administratively Prohibited
+ 502 Request Not Routable (Proxy)
+ 503 Session Context Not Found
+ 504 Session Context Not Removable
+ 505 Other Proxy Processing Error
+ 506 Resources Unavailable
+ 507 Request Initiated
+
+ "Residual Session Context Removed" is sent in response to a
+ Disconnect-Request if the user session is no longer active, but
+ residual session context was found and successfully removed. This
+ value is only sent within a Disconnect-ACK and MUST NOT be sent
+ within a CoA-ACK, Disconnect-NAK or CoA-NAK.
+
+ "Invalid EAP Packet (Ignored)" is a non-fatal error that MUST NOT be
+ sent by implementations of this specification.
+
+ "Unsupported Attribute" is a fatal error sent if a Request contains
+ an attribute (such as a Vendor-Specific or EAP-Message Attribute)
+ that is not supported.
+
+ "Missing Attribute" is a fatal error sent if critical attributes
+ (such as NAS or session identification attributes) are missing from a
+ Request.
+
+ "NAS Identification Mismatch" is a fatal error sent if one or more
+ NAS identification attributes (see Section 3.) do not match the
+ identity of the NAS receiving the Request.
+
+
+
+
+Chiba, et al. Informational [Page 14]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+ "Invalid Request" is a fatal error sent if some other aspect of the
+ Request is invalid, such as if one or more attributes (such as EAP-
+ Message Attribute(s)) are not formatted properly.
+
+ "Unsupported Service" is a fatal error sent if a Service-Type
+ Attribute included with the Request is sent with an invalid or
+ unsupported value.
+
+ "Unsupported Extension" is a fatal error sent due to lack of support
+ for an extension such as Disconnect and/or CoA messages. This will
+ typically be sent by a proxy receiving an ICMP port unreachable
+ message after attempting to forward a Request to the NAS.
+
+ "Administratively Prohibited" is a fatal error sent if the NAS is
+ configured to prohibit honoring of Request messages for the specified
+ session.
+
+ "Request Not Routable" is a fatal error which MAY be sent by a RADIUS
+ proxy and MUST NOT be sent by a NAS. It indicates that the RADIUS
+ proxy was unable to determine how to route the Request to the NAS.
+ For example, this can occur if the required entries are not present
+ in the proxy's realm routing table.
+
+ "Session Context Not Found" is a fatal error sent if the session
+ context identified in the Request does not exist on the NAS.
+
+ "Session Context Not Removable" is a fatal error sent in response to
+ a Disconnect-Request if the NAS was able to locate the session
+ context, but could not remove it for some reason. It MUST NOT be
+ sent within a CoA-ACK, CoA-NAK or Disconnect-ACK, only within a
+ Disconnect-NAK.
+
+ "Other Proxy Processing Error" is a fatal error sent in response to a
+ Request that could not be processed by a proxy, for reasons other
+ than routing.
+
+ "Resources Unavailable" is a fatal error sent when a Request could
+ not be honored due to lack of available NAS resources (memory, non-
+ volatile storage, etc.).
+
+ "Request Initiated" is a fatal error sent in response to a Request
+ including a Service-Type Attribute with a value of "Authorize Only".
+ It indicates that the Disconnect-Request or CoA-Request has not been
+ honored, but that a RADIUS Access-Request including a Service-Type
+ Attribute with value "Authorize Only" is being sent to the RADIUS
+ server.
+
+
+
+
+
+Chiba, et al. Informational [Page 15]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+3.2. Table of Attributes
+
+ The following table provides a guide to which attributes may be found
+ in which packets, and in what quantity.
+
+ Change-of-Authorization Messages
+
+ Request ACK NAK # Attribute
+ 0-1 0 0 1 User-Name [Note 1]
+ 0-1 0 0 4 NAS-IP-Address [Note 1]
+ 0-1 0 0 5 NAS-Port [Note 1]
+ 0-1 0 0-1 6 Service-Type [Note 6]
+ 0-1 0 0 7 Framed-Protocol [Note 3]
+ 0-1 0 0 8 Framed-IP-Address [Note 1]
+ 0-1 0 0 9 Framed-IP-Netmask [Note 3]
+ 0-1 0 0 10 Framed-Routing [Note 3]
+ 0+ 0 0 11 Filter-ID [Note 3]
+ 0-1 0 0 12 Framed-MTU [Note 3]
+ 0+ 0 0 13 Framed-Compression [Note 3]
+ 0+ 0 0 14 Login-IP-Host [Note 3]
+ 0-1 0 0 15 Login-Service [Note 3]
+ 0-1 0 0 16 Login-TCP-Port [Note 3]
+ 0+ 0 0 18 Reply-Message [Note 2]
+ 0-1 0 0 19 Callback-Number [Note 3]
+ 0-1 0 0 20 Callback-Id [Note 3]
+ 0+ 0 0 22 Framed-Route [Note 3]
+ 0-1 0 0 23 Framed-IPX-Network [Note 3]
+ 0-1 0-1 0-1 24 State [Note 7]
+ 0+ 0 0 25 Class [Note 3]
+ 0+ 0 0 26 Vendor-Specific [Note 3]
+ 0-1 0 0 27 Session-Timeout [Note 3]
+ 0-1 0 0 28 Idle-Timeout [Note 3]
+ 0-1 0 0 29 Termination-Action [Note 3]
+ 0-1 0 0 30 Called-Station-Id [Note 1]
+ 0-1 0 0 31 Calling-Station-Id [Note 1]
+ 0-1 0 0 32 NAS-Identifier [Note 1]
+ 0+ 0+ 0+ 33 Proxy-State
+ 0-1 0 0 34 Login-LAT-Service [Note 3]
+ 0-1 0 0 35 Login-LAT-Node [Note 3]
+ 0-1 0 0 36 Login-LAT-Group [Note 3]
+ 0-1 0 0 37 Framed-AppleTalk-Link [Note 3]
+ 0+ 0 0 38 Framed-AppleTalk-Network [Note 3]
+ 0-1 0 0 39 Framed-AppleTalk-Zone [Note 3]
+ 0-1 0 0 44 Acct-Session-Id [Note 1]
+ 0-1 0 0 50 Acct-Multi-Session-Id [Note 1]
+ 0-1 0-1 0-1 55 Event-Timestamp
+ 0-1 0 0 61 NAS-Port-Type [Note 1]
+ Request ACK NAK # Attribute
+
+
+
+Chiba, et al. Informational [Page 16]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+ Request ACK NAK # Attribute
+ 0-1 0 0 62 Port-Limit [Note 3]
+ 0-1 0 0 63 Login-LAT-Port [Note 3]
+ 0+ 0 0 64 Tunnel-Type [Note 5]
+ 0+ 0 0 65 Tunnel-Medium-Type [Note 5]
+ 0+ 0 0 66 Tunnel-Client-Endpoint [Note 5]
+ 0+ 0 0 67 Tunnel-Server-Endpoint [Note 5]
+ 0+ 0 0 69 Tunnel-Password [Note 5]
+ 0-1 0 0 71 ARAP-Features [Note 3]
+ 0-1 0 0 72 ARAP-Zone-Access [Note 3]
+ 0+ 0 0 78 Configuration-Token [Note 3]
+ 0+ 0-1 0 79 EAP-Message [Note 2]
+ 0-1 0-1 0-1 80 Message-Authenticator
+ 0+ 0 0 81 Tunnel-Private-Group-ID [Note 5]
+ 0+ 0 0 82 Tunnel-Assignment-ID [Note 5]
+ 0+ 0 0 83 Tunnel-Preference [Note 5]
+ 0-1 0 0 85 Acct-Interim-Interval [Note 3]
+ 0-1 0 0 87 NAS-Port-Id [Note 1]
+ 0-1 0 0 88 Framed-Pool [Note 3]
+ 0+ 0 0 90 Tunnel-Client-Auth-ID [Note 5]
+ 0+ 0 0 91 Tunnel-Server-Auth-ID [Note 5]
+ 0-1 0 0 94 Originating-Line-Info [Note 1]
+ 0-1 0 0 95 NAS-IPv6-Address [Note 1]
+ 0-1 0 0 96 Framed-Interface-Id [Note 1]
+ 0+ 0 0 97 Framed-IPv6-Prefix [Note 1]
+ 0+ 0 0 98 Login-IPv6-Host [Note 3]
+ 0+ 0 0 99 Framed-IPv6-Route [Note 3]
+ 0-1 0 0 100 Framed-IPv6-Pool [Note 3]
+ 0 0 0+ 101 Error-Cause
+ Request ACK NAK # Attribute
+
+ Disconnect Messages
+
+ Request ACK NAK # Attribute
+ 0-1 0 0 1 User-Name [Note 1]
+ 0-1 0 0 4 NAS-IP-Address [Note 1]
+ 0-1 0 0 5 NAS-Port [Note 1]
+ 0-1 0 0-1 6 Service-Type [Note 6]
+ 0-1 0 0 8 Framed-IP-Address [Note 1]
+ 0+ 0 0 18 Reply-Message [Note 2]
+ 0-1 0-1 0-1 24 State [Note 7]
+ 0+ 0 0 25 Class [Note 4]
+ 0+ 0 0 26 Vendor-Specific
+ 0-1 0 0 30 Called-Station-Id [Note 1]
+ 0-1 0 0 31 Calling-Station-Id [Note 1]
+ 0-1 0 0 32 NAS-Identifier [Note 1]
+ 0+ 0+ 0+ 33 Proxy-State
+ Request ACK NAK # Attribute
+
+
+
+Chiba, et al. Informational [Page 17]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+ Request ACK NAK # Attribute
+ 0-1 0 0 44 Acct-Session-Id [Note 1]
+ 0-1 0-1 0 49 Acct-Terminate-Cause
+ 0-1 0 0 50 Acct-Multi-Session-Id [Note 1]
+ 0-1 0-1 0-1 55 Event-Timestamp
+ 0-1 0 0 61 NAS-Port-Type [Note 1]
+ 0+ 0-1 0 79 EAP-Message [Note 2]
+ 0-1 0-1 0-1 80 Message-Authenticator
+ 0-1 0 0 87 NAS-Port-Id [Note 1]
+ 0-1 0 0 94 Originating-Line-Info [Note 1]
+ 0-1 0 0 95 NAS-IPv6-Address [Note 1]
+ 0-1 0 0 96 Framed-Interface-Id [Note 1]
+ 0+ 0 0 97 Framed-IPv6-Prefix [Note 1]
+ 0 0+ 0+ 101 Error-Cause
+ Request ACK NAK # Attribute
+
+ [Note 1] Where NAS or session identification attributes are included
+ in Disconnect-Request or CoA-Request messages, they are used for
+ identification purposes only. These attributes MUST NOT be used for
+ purposes other than identification (e.g. within CoA-Request messages
+ to request authorization changes).
+
+ [Note 2] The Reply-Message Attribute is used to present a displayable
+ message to the user. The message is only displayed as a result of a
+ successful Disconnect-Request or CoA-Request (where a Disconnect-ACK
+ or CoA-ACK is subsequently sent). Where EAP is used for
+ authentication, an EAP-Message/Notification-Request Attribute is sent
+ instead, and Disconnect-ACK or CoA-ACK messages contain an EAP-
+ Message/Notification-Response Attribute.
+
+ [Note 3] When included within a CoA-Request, these attributes
+ represent an authorization change request. When one of these
+ attributes is omitted from a CoA-Request, the NAS assumes that the
+ attribute value is to remain unchanged. Attributes included in a
+ CoA-Request replace all existing value(s) of the same attribute(s).
+
+ [Note 4] When included within a successful Disconnect-Request (where
+ a Disconnect-ACK is subsequently sent), the Class Attribute SHOULD be
+ sent unmodified by the client to the accounting server in the
+ Accounting Stop packet. If the Disconnect-Request is unsuccessful,
+ then the Class Attribute is not processed.
+
+ [Note 5] When included within a CoA-Request, these attributes
+ represent an authorization change request. Where tunnel attribute(s)
+ are sent within a successful CoA-Request, all existing tunnel
+ attributes are removed and replaced by the new attribute(s).
+
+
+
+
+
+Chiba, et al. Informational [Page 18]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+ [Note 6] When included within a Disconnect-Request or CoA-Request, a
+ Service-Type Attribute with value "Authorize Only" indicates that the
+ Request only contains NAS and session identification attributes, and
+ that the NAS should attempt reauthorization by sending an Access-
+ Request with a Service-Type Attribute with value "Authorize Only".
+ This enables a usage model akin to that supported in Diameter, thus
+ easing translation between the two protocols. Support for the
+ Service-Type Attribute is optional within CoA-Request and
+ Disconnect-Request messages; where it is not included, the Request
+ message may contain both identification and authorization attributes.
+ A NAS that does not support the Service-Type Attribute with the value
+ "Authorize Only" within a Disconnect-Request MUST respond with a
+ Disconnect-NAK including no Service-Type Attribute; an Error-Cause
+ Attribute with value "Unsupported Service" MAY be included. A NAS
+ that does not support the Service-Type Attribute with the value
+ "Authorize Only" within a CoA-Request MUST respond with a CoA-NAK
+ including no Service-Type Attribute; an Error-Cause Attribute with
+ value "Unsupported Service" MAY be included.
+
+ A NAS supporting the "Authorize Only" Service-Type value within
+ Disconnect-Request or CoA-Request messages MUST respond with a
+ Disconnect-NAK or CoA-NAK respectively, containing a Service-Type
+ Attribute with value "Authorize Only", and an Error-Cause Attribute
+ with value "Request Initiated". The NAS then sends an Access-Request
+ to the RADIUS server with a Service-Type Attribute with value
+ "Authorize Only". This Access-Request SHOULD contain the NAS
+ attributes from the Disconnect or CoA-Request, as well as the session
+ attributes from the Request legal for inclusion in an Access-Request
+ as specified in [RFC2865], [RFC2868], [RFC2869] and [RFC3162]. As
+ noted in [RFC2869] Section 5.19, a Message-Authenticator attribute
+ SHOULD be included in an Access-Request that does not contain a
+ User-Password, CHAP-Password, ARAP-Password or EAP-Message Attribute.
+ The RADIUS server should send back an Access-Accept to (re-)authorize
+ the session or an Access-Reject to refuse to (re-)authorize it.
+
+ [Note 7] The State Attribute is available to be sent by the RADIUS
+ server to the NAS in a Disconnect-Request or CoA-Request message and
+ MUST be sent unmodified from the NAS to the RADIUS server in a
+ subsequent ACK or NAK message. If a Service-Type Attribute with
+ value "Authorize Only" is included in a Disconnect-Request or CoA-
+ Request along with a State Attribute, then the State Attribute MUST
+ be sent unmodified from the NAS to the RADIUS server in the resulting
+ Access-Request sent to the RADIUS server, if any. The State
+ Attribute is also available to be sent by the RADIUS server to the
+ NAS in a CoA-Request that also includes a Termination-Action
+ Attribute with the value of RADIUS-Request. If the client performs
+ the Termination-Action by sending a new Access-Request upon
+ termination of the current session, it MUST include the State
+
+
+
+Chiba, et al. Informational [Page 19]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+ Attribute unchanged in that Access-Request. In either usage, the
+ client MUST NOT interpret the Attribute locally. A Disconnect-
+ Request or CoA-Request packet must have only zero or one State
+ Attribute. Usage of the State Attribute is implementation dependent.
+ If the RADIUS server does not recognize the State Attribute in the
+ Access-Request, then it MUST send an Access-Reject.
+
+ The following table defines the meaning of the above table entries.
+
+ 0 This attribute MUST NOT be present in packet.
+ 0+ Zero or more instances of this attribute MAY be present in
+ packet.
+ 0-1 Zero or one instance of this attribute MAY be present in packet.
+ 1 Exactly one instance of this attribute MUST be present in packet.
+
+4. IANA Considerations
+
+ This document uses the RADIUS [RFC2865] namespace, see
+ <http://www.iana.org/assignments/radius-types>. There are six
+ updates for the section: RADIUS Packet Type Codes. These Packet
+ Types are allocated in [RADIANA]:
+
+ 40 - Disconnect-Request
+ 41 - Disconnect-ACK
+ 42 - Disconnect-NAK
+ 43 - CoA-Request
+ 44 - CoA-ACK
+ 45 - CoA-NAK
+
+ Allocation of a new Service-Type value for "Authorize Only" is
+ requested. This document also uses the UDP [RFC768] namespace, see
+ <http://www.iana.org/assignments/port-numbers>. The authors request
+ a port assignment from the Registered ports range. Finally, this
+ specification allocates the Error-Cause Attribute (101) with the
+ following decimal values:
+
+ # Value
+ --- -----
+ 201 Residual Session Context Removed
+ 202 Invalid EAP Packet (Ignored)
+ 401 Unsupported Attribute
+ 402 Missing Attribute
+ 403 NAS Identification Mismatch
+ 404 Invalid Request
+ 405 Unsupported Service
+ 406 Unsupported Extension
+ 501 Administratively Prohibited
+ 502 Request Not Routable (Proxy)
+
+
+
+Chiba, et al. Informational [Page 20]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+ 503 Session Context Not Found
+ 504 Session Context Not Removable
+ 505 Other Proxy Processing Error
+ 506 Resources Unavailable
+ 507 Request Initiated
+
+5. Security Considerations
+
+5.1. Authorization Issues
+
+ Where a NAS is shared by multiple providers, it is undesirable for
+ one provider to be able to send Disconnect-Request or CoA-Requests
+ affecting the sessions of another provider.
+
+ A NAS or RADIUS proxy MUST silently discard Disconnect-Request or
+ CoA-Request messages from untrusted sources. By default, a RADIUS
+ proxy SHOULD perform a "reverse path forwarding" (RPF) check to
+ verify that a Disconnect-Request or CoA-Request originates from an
+ authorized RADIUS server. In addition, it SHOULD be possible to
+ explicitly authorize additional sources of Disconnect-Request or
+ CoA-Request packets relating to certain classes of sessions. For
+ example, a particular source can be explicitly authorized to send
+ CoA-Request messages relating to users within a set of realms.
+
+ To perform the RPF check, the proxy uses the session identification
+ attributes included in Disconnect-Request or CoA-Request messages, in
+ order to determine the RADIUS server(s) to which an equivalent
+ Access-Request could be routed. If the source address of the
+ Disconnect-Request or CoA-Request is within this set, then the
+ Request is forwarded; otherwise it MUST be silently discarded.
+
+ Typically the proxy will extract the realm from the Network Access
+ Identifier [RFC2486] included within the User-Name Attribute, and
+ determine the corresponding RADIUS servers in the proxy routing
+ tables. The RADIUS servers for that realm are then compared against
+ the source address of the packet. Where no RADIUS proxy is present,
+ the RPF check will need to be performed by the NAS itself.
+
+ Since authorization to send a Disconnect-Request or CoA-Request is
+ determined based on the source address and the corresponding shared
+ secret, the NASes or proxies SHOULD configure a different shared
+ secret for each RADIUS server.
+
+
+
+
+
+
+
+
+
+Chiba, et al. Informational [Page 21]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+5.2. Impersonation
+
+ [RFC2865] Section 3 states:
+
+ A RADIUS server MUST use the source IP address of the RADIUS UDP
+ packet to decide which shared secret to use, so that RADIUS
+ requests can be proxied.
+
+ When RADIUS requests are forwarded by a proxy, the NAS-IP-Address or
+ NAS-IPv6-Address Attributes will typically not match the source
+ address observed by the RADIUS server. Since the NAS-Identifier
+ Attribute need not contain an FQDN, this attribute may not be
+ resolvable to the source address observed by the RADIUS server, even
+ when no proxy is present.
+
+ As a result, the authenticity check performed by a RADIUS server or
+ proxy does not verify the correctness of NAS identification
+ attributes. This makes it possible for a rogue NAS to forge NAS-IP-
+ Address, NAS-IPv6-Address or NAS-Identifier Attributes within a
+ RADIUS Access-Request in order to impersonate another NAS. It is
+ also possible for a rogue NAS to forge session identification
+ attributes such as the Called-Station-Id, Calling-Station-Id, or
+ Originating-Line-Info [NASREQ]. This could fool the RADIUS server
+ into sending Disconnect-Request or CoA-Request messages containing
+ forged session identification attributes to a NAS targeted by an
+ attacker.
+
+ To address these vulnerabilities RADIUS proxies SHOULD check whether
+ NAS identification attributes (see Section 3.) match the source
+ address of packets originating from the NAS. Where one or more
+ attributes do not match, Disconnect-Request or CoA-Request messages
+ SHOULD be silently discarded.
+
+ Such a check may not always be possible. Since the NAS-Identifier
+ Attribute need not correspond to an FQDN, it may not be resolvable to
+ an IP address to be matched against the source address. Also, where
+ a NAT exists between the RADIUS client and proxy, checking the NAS-
+ IP-Address or NAS-IPv6-Address Attributes may not be feasible.
+
+5.3. IPsec Usage Guidelines
+
+ In addition to security vulnerabilities unique to Disconnect or CoA
+ messages, the protocol exchanges described in this document are
+ susceptible to the same vulnerabilities as RADIUS [RFC2865]. It is
+ RECOMMENDED that IPsec be employed to afford better security.
+
+
+
+
+
+
+Chiba, et al. Informational [Page 22]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+ Implementations of this specification SHOULD support IPsec [RFC2401]
+ along with IKE [RFC2409] for key management. IPsec ESP [RFC2406]
+ with a non-null transform SHOULD be supported, and IPsec ESP with a
+ non-null encryption transform and authentication support SHOULD be
+ used to provide per-packet confidentiality, authentication, integrity
+ and replay protection. IKE SHOULD be used for key management.
+
+ Within RADIUS [RFC2865], a shared secret is used for hiding
+ Attributes such as User-Password, as well as used in computation of
+ the Response Authenticator. In RADIUS accounting [RFC2866], the
+ shared secret is used in computation of both the Request
+ Authenticator and the Response Authenticator.
+
+ Since in RADIUS a shared secret is used to provide confidentiality as
+ well as integrity protection and authentication, only use of IPsec
+ ESP with a non-null transform can provide security services
+ sufficient to substitute for RADIUS application-layer security.
+ Therefore, where IPsec AH or ESP null is used, it will typically
+ still be necessary to configure a RADIUS shared secret.
+
+ Where RADIUS is run over IPsec ESP with a non-null transform, the
+ secret shared between the NAS and the RADIUS server MAY NOT be
+ configured. In this case, a shared secret of zero length MUST be
+ assumed. However, a RADIUS server that cannot know whether incoming
+ traffic is IPsec-protected MUST be configured with a non-null RADIUS
+ shared secret.
+
+ When IPsec ESP is used with RADIUS, per-packet authentication,
+ integrity and replay protection MUST be used. 3DES-CBC MUST be
+ supported as an encryption transform and AES-CBC SHOULD be supported.
+ AES-CBC SHOULD be offered as a preferred encryption transform if
+ supported. HMAC-SHA1-96 MUST be supported as an authentication
+ transform. DES-CBC SHOULD NOT be used as the encryption transform.
+
+ A typical IPsec policy for an IPsec-capable RADIUS client is
+ "Initiate IPsec, from me to any destination port UDP 1812". This
+ IPsec policy causes an IPsec SA to be set up by the RADIUS client
+ prior to sending RADIUS traffic. If some RADIUS servers contacted by
+ the client do not support IPsec, then a more granular policy will be
+ required: "Initiate IPsec, from me to IPsec-Capable-RADIUS-Server,
+ destination port UDP 1812."
+
+ For a client implementing this specification, the policy would be
+ "Accept IPsec, from any to me, destination port UDP 3799". This
+ causes the RADIUS client to accept (but not require) use of IPsec.
+ It may not be appropriate to require IPsec for all RADIUS servers
+ connecting to an IPsec-enabled RADIUS client, since some RADIUS
+ servers may not support IPsec.
+
+
+
+Chiba, et al. Informational [Page 23]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+ For an IPsec-capable RADIUS server, a typical IPsec policy is "Accept
+ IPsec, from any to me, destination port 1812". This causes the
+ RADIUS server to accept (but not require) use of IPsec. It may not
+ be appropriate to require IPsec for all RADIUS clients connecting to
+ an IPsec-enabled RADIUS server, since some RADIUS clients may not
+ support IPsec.
+
+ For servers implementing this specification, the policy would be
+ "Initiate IPsec, from me to any, destination port UDP 3799". This
+ causes the RADIUS server to initiate IPsec when sending RADIUS
+ extension traffic to any RADIUS client. If some RADIUS clients
+ contacted by the server do not support IPsec, then a more granular
+ policy will be required, such as "Initiate IPsec, from me to IPsec-
+ capable-RADIUS-client, destination port UDP 3799".
+
+ Where IPsec is used for security, and no RADIUS shared secret is
+ configured, it is important that the RADIUS client and server perform
+ an authorization check. Before enabling a host to act as a RADIUS
+ client, the RADIUS server SHOULD check whether the host is authorized
+ to provide network access. Similarly, before enabling a host to act
+ as a RADIUS server, the RADIUS client SHOULD check whether the host
+ is authorized for that role.
+
+ RADIUS servers can be configured with the IP addresses (for IKE
+ Aggressive Mode with pre-shared keys) or FQDNs (for certificate
+ authentication) of RADIUS clients. Alternatively, if a separate
+ Certification Authority (CA) exists for RADIUS clients, then the
+ RADIUS server can configure this CA as a trust anchor [RFC3280] for
+ use with IPsec.
+
+ Similarly, RADIUS clients can be configured with the IP addresses
+ (for IKE Aggressive Mode with pre-shared keys) or FQDNs (for
+ certificate authentication) of RADIUS servers. Alternatively, if a
+ separate CA exists for RADIUS servers, then the RADIUS client can
+ configure this CA as a trust anchor for use with IPsec.
+
+ Since unlike SSL/TLS, IKE does not permit certificate policies to be
+ set on a per-port basis, certificate policies need to apply to all
+ uses of IPsec on RADIUS clients and servers. In IPsec deployment
+ supporting only certificate authentication, a management station
+ initiating an IPsec-protected telnet session to the RADIUS server
+ would need to obtain a certificate chaining to the RADIUS client CA.
+ Issuing such a certificate might not be appropriate if the management
+ station was not authorized as a RADIUS client.
+
+ Where RADIUS clients may obtain their IP address dynamically (such as
+ an Access Point supporting DHCP), Main Mode with pre-shared keys
+ [RFC2409] SHOULD NOT be used, since this requires use of a group
+
+
+
+Chiba, et al. Informational [Page 24]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+ pre-shared key; instead, Aggressive Mode SHOULD be used. Where
+ RADIUS client addresses are statically assigned, either Aggressive
+ Mode or Main Mode MAY be used. With certificate authentication, Main
+ Mode SHOULD be used.
+
+ Care needs to be taken with IKE Phase 1 Identity Payload selection in
+ order to enable mapping of identities to pre-shared keys, even with
+ Aggressive Mode. Where the ID_IPV4_ADDR or ID_IPV6_ADDR Identity
+ Payloads are used and addresses are dynamically assigned, mapping of
+ identities to keys is not possible, so that group pre-shared keys are
+ still a practical necessity. As a result, the ID_FQDN identity
+ payload SHOULD be employed in situations where Aggressive mode is
+ utilized along with pre-shared keys and IP addresses are dynamically
+ assigned. This approach also has other advantages, since it allows
+ the RADIUS server and client to configure themselves based on the
+ fully qualified domain name of their peers.
+
+ Note that with IPsec, security services are negotiated at the
+ granularity of an IPsec SA, so that RADIUS exchanges requiring a set
+ of security services different from those negotiated with existing
+ IPsec SAs will need to negotiate a new IPsec SA. Separate IPsec SAs
+ are also advisable where quality of service considerations dictate
+ different handling RADIUS conversations. Attempting to apply
+ different quality of service to connections handled by the same IPsec
+ SA can result in reordering, and falling outside the replay window.
+ For a discussion of the issues, see [RFC2983].
+
+5.4. Replay Protection
+
+ Where IPsec replay protection is not used, the Event-Timestamp (55)
+ Attribute [RFC2869] SHOULD be included within all messages. When
+ this attribute is present, both the NAS and the RADIUS server MUST
+ check that the Event-Timestamp Attribute is current within an
+ acceptable time window. If the Event-Timestamp Attribute is not
+ current, then the message MUST be silently discarded. This implies
+ the need for time synchronization within the network, which can be
+ achieved by a variety of means, including secure NTP, as described in
+ [NTPAUTH].
+
+ Both the NAS and the RADIUS server SHOULD be configurable to silently
+ discard messages lacking an Event-Timestamp Attribute. A default
+ time window of 300 seconds is recommended.
+
+
+
+
+
+
+
+
+
+Chiba, et al. Informational [Page 25]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+6. Example Traces
+
+ Disconnect Request with User-Name:
+
+ 0: xxxx xxxx xxxx xxxx xxxx 2801 001c 1b23 .B.....$.-(....#
+ 16: 624c 3543 ceba 55f1 be55 a714 ca5e 0108 bL5C..U..U...^..
+ 32: 6d63 6869 6261
+
+ Disconnect Request with Acct-Session-ID:
+
+ 0: xxxx xxxx xxxx xxxx xxxx 2801 001e ad0d .B..... ~.(.....
+ 16: 8e53 55b6 bd02 a0cb ace6 4e38 77bd 2c0a .SU.......N8w.,.
+ 32: 3930 3233 3435 3637 90234567
+
+ Disconnect Request with Framed-IP-Address:
+
+ 0: xxxx xxxx xxxx xxxx xxxx 2801 001a 0bda .B....."2.(.....
+ 16: 33fe 765b 05f0 fd9c c32a 2f6b 5182 0806 3.v[.....*/kQ...
+ 32: 0a00 0203
+
+7. References
+
+7.1. Normative References
+
+ [RFC1305] Mills, D., "Network Time Protocol (version 3)
+ Specification, Implementation and Analysis", RFC 1305,
+ March 1992.
+
+ [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC
+ 1321, April 1992.
+
+ [RFC2104] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC:
+ Keyed-Hashing for Message Authentication", RFC 2104,
+ February 1997.
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2401] Kent, S. and R. Atkinson, "Security Architecture for
+ the Internet Protocol", RFC 2401, November 1998.
+
+ [RFC2406] Kent, S. and R. Atkinson, "IP Encapsulating Security
+ Payload (ESP)", RFC 2406, November 1998.
+
+ [RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange
+ (IKE)", RFC 2409, November 1998.
+
+
+
+
+
+Chiba, et al. Informational [Page 26]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+ [RFC2434] Narten, T. and H. Alvestrand, "Guidelines for Writing
+ an IANA Considerations Section in RFCs", BCP 26, RFC
+ 2434, October 1998.
+
+ [RFC2486] Aboba, B. and M. Beadles, "The Network Access
+ Identifier", RFC 2486, January 1999.
+
+ [RFC2865] Rigney, C., Willens, S., Rubens, A. and W. Simpson,
+ "Remote Authentication Dial In User Service (RADIUS)",
+ RFC 2865, June 2000.
+
+ [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
+
+ [RFC2869] Rigney, C., Willats, W. and P. Calhoun, "RADIUS
+ Extensions", RFC 2869, June 2000.
+
+ [RFC3162] Aboba, B., Zorn, G. and D. Mitton, "RADIUS and IPv6",
+ RFC 3162, August 2001.
+
+ [RFC3280] Housley, R., Polk, W., Ford, W. and D. Solo, "Internet
+ X.509 Public Key Infrastructure Certificate and
+ Certificate Revocation List (CRL) Profile", RFC 3280,
+ April 2002.
+
+ [RADIANA] Aboba, B., "IANA Considerations for RADIUS (Remote
+ Authentication Dial In User Service)", RFC 3575, July
+ 2003.
+
+7.2. Informative References
+
+ [RFC2882] Mitton, D., "Network Access Server Requirements:
+ Extended RADIUS Practices", RFC 2882, July 2000.
+
+ [RFC2983] Black, D. "Differentiated Services and Tunnels", RFC
+ 2983, October 2000.
+
+ [AAATransport] Aboba, B. and J. Wood, "Authentication, Authorization
+ and Accounting (AAA) Transport Profile", RFC 3539,
+ June 2003.
+
+ [Diameter] Calhoun, P., et al., "Diameter Base Protocol", Work in
+ Progress.
+
+ [MD5Attack] Dobbertin, H., "The Status of MD5 After a Recent
+ Attack", CryptoBytes Vol.2 No.2, Summer 1996.
+
+ [NASREQ] Calhoun, P., et al., "Diameter Network Access Server
+ Application", Work in Progress.
+
+
+
+Chiba, et al. Informational [Page 27]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+ [NTPAUTH] Mills, D., "Public Key Cryptography for the Network
+ Time Protocol", Work in Progress.
+
+8. Intellectual Property Statement
+
+ The IETF takes no position regarding the validity or scope of any
+ intellectual property or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; neither does it represent that it
+ has made any effort to identify any such rights. Information on the
+ IETF's procedures with respect to rights in standards-track and
+ standards- related documentation can be found in BCP-11. Copies of
+ claims of rights made available for publication and any assurances of
+ licenses to be made available, or the result of an attempt made to
+ obtain a general license or permission for the use of such
+ proprietary rights by implementers or users of this specification can
+ be obtained from the IETF Secretariat.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights which may cover technology that may be required to practice
+ this standard. Please address the information to the IETF Executive
+ Director.
+
+9. Acknowledgments
+
+ This protocol was first developed and distributed by Ascend
+ Communications. Example code was distributed in their free server
+ kit.
+
+ The authors would like to acknowledge the valuable suggestions and
+ feedback from the following people:
+
+ Avi Lior <avi@bridgewatersystems.com>,
+ Randy Bush <randy@psg.net>,
+ Steve Bellovin <smb@research.att.com>
+ Glen Zorn <gwz@cisco.com>,
+ Mark Jones <mjones@bridgewatersystems.com>,
+ Claudio Lapidus <clapidus@hotmail.com>,
+ Anurag Batta <Anurag_Batta@3com.com>,
+ Kuntal Chowdhury <chowdury@nortelnetworks.com>, and
+ Tim Moore <timmoore@microsoft.com>.
+ Russ Housley <housley@vigilsec.com>
+
+
+
+
+
+
+
+Chiba, et al. Informational [Page 28]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+10. Authors' Addresses
+
+ Murtaza Chiba
+ Cisco Systems, Inc.
+ 170 West Tasman Dr.
+ San Jose CA, 95134
+
+ EMail: mchiba@cisco.com
+ Phone: +1 408 525 7198
+
+ Gopal Dommety
+ Cisco Systems, Inc.
+ 170 West Tasman Dr.
+ San Jose, CA 95134
+
+ EMail: gdommety@cisco.com
+ Phone: +1 408 525 1404
+
+ Mark Eklund
+ Cisco Systems, Inc.
+ 170 West Tasman Dr.
+ San Jose, CA 95134
+
+ EMail: meklund@cisco.com
+ Phone: +1 865 671 6255
+
+ David Mitton
+ Circular Logic UnLtd.
+ 733 Turnpike Street #154
+ North Andover, MA 01845
+
+ EMail: david@mitton.com
+ Phone: +1 978 683 1814
+
+ Bernard Aboba
+ Microsoft Corporation
+ One Microsoft Way
+ Redmond, WA 98052
+
+ EMail: bernarda@microsoft.com
+ Phone: +1 425 706 6605
+ Fax: +1 425 936 7329
+
+
+
+
+
+
+
+
+
+Chiba, et al. Informational [Page 29]
+
+RFC 3576 Dynamic Authorization Extensions to RADIUS July 2003
+
+
+11. Full Copyright Statement
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assignees.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Chiba, et al. Informational [Page 30]
+