From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001 From: Thomas Voss Date: Wed, 27 Nov 2024 20:54:24 +0100 Subject: doc: Add RFC documents --- doc/rfc/rfc5176.txt | 1907 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 1907 insertions(+) create mode 100644 doc/rfc/rfc5176.txt (limited to 'doc/rfc/rfc5176.txt') diff --git a/doc/rfc/rfc5176.txt b/doc/rfc/rfc5176.txt new file mode 100644 index 0000000..8d6e8e8 --- /dev/null +++ b/doc/rfc/rfc5176.txt @@ -0,0 +1,1907 @@ + + + + + + +Network Working Group M. Chiba +Request for Comments: 5176 G. Dommety +Obsoletes: 3576 M. Eklund +Category: Informational Cisco Systems, Inc. + D. Mitton + RSA, Security Division of EMC + B. Aboba + Microsoft Corporation + January 2008 + + + Dynamic Authorization Extensions to + Remote Authentication Dial In User Service (RADIUS) + +Status of This Memo + + This memo provides information for the Internet community. It does + not specify an Internet standard of any kind. Distribution of this + memo is unlimited. + +Abstract + + This document describes a currently deployed extension to the Remote + Authentication Dial In User Service (RADIUS) protocol, allowing + dynamic changes to a user session, as implemented by network access + server products. This includes support for disconnecting users and + changing authorizations applicable to a user session. + + + + + + + + + + + + + + + + + + + + + + + + +Chiba, et al. Informational [Page 1] + +RFC 5176 Dynamic Authorization Extensions to RADIUS January 2008 + + +Table of Contents + + 1. Introduction ....................................................2 + 1.1. Applicability ..............................................3 + 1.2. Requirements Language ......................................4 + 1.3. Terminology ................................................4 + 2. Overview ........................................................4 + 2.1. Disconnect Messages (DMs) ..................................5 + 2.2. Change-of-Authorization (CoA) Messages .....................5 + 2.3. Packet Format ..............................................6 + 3. Attributes .....................................................10 + 3.1. Proxy State ...............................................12 + 3.2. Authorize Only ............................................13 + 3.3. State .....................................................14 + 3.4. Message-Authenticator .....................................15 + 3.5. Error-Cause ...............................................16 + 3.6. Table of Attributes .......................................20 + 4. Diameter Considerations ........................................24 + 5. IANA Considerations ............................................26 + 6. Security Considerations ........................................26 + 6.1. Authorization Issues ......................................26 + 6.2. IPsec Usage Guidelines ....................................27 + 6.3. Replay Protection .........................................28 + 7. Example Traces .................................................28 + 8. References .....................................................29 + 8.1. Normative References ......................................29 + 8.2. Informative References ....................................30 + 9. Acknowledgments ................................................30 + Appendix A ........................................................31 + +1. Introduction + + The RADIUS protocol, defined in [RFC2865], does not support + unsolicited messages sent from the RADIUS server to the Network + Access Server (NAS). + + However, there are many instances in which it is desirable for + changes to be made to session characteristics, without requiring the + NAS to initiate the exchange. For example, it may be desirable for + administrators to be able to terminate user session(s) in progress. + Alternatively, if the user changes authorization level, this may + require that authorization attributes be added/deleted from user + session(s). + + To overcome these limitations, several vendors have implemented + additional RADIUS commands in order to enable unsolicited messages to + be sent to the NAS. These extended commands provide support for + Disconnect and Change-of-Authorization (CoA) packets. Disconnect + + + +Chiba, et al. Informational [Page 2] + +RFC 5176 Dynamic Authorization Extensions to RADIUS January 2008 + + + packets cause user session(s) to be terminated immediately, whereas + CoA packets modify session authorization attributes such as data + filters. + +1.1. Applicability + + This protocol is being recommended for publication as an + Informational RFC rather than as a standards-track RFC because of + problems that cannot be fixed without creating incompatibilities with + deployed implementations. This includes security vulnerabilities, as + well as semantic ambiguities resulting from the design of the + Change-of-Authorization (CoA) commands. While fixes are recommended, + they cannot be made mandatory since this would be incompatible with + existing implementations. + + Existing implementations of this protocol do not support + authorization checks, so that an ISP sharing a NAS with another ISP + could disconnect or change authorizations for another ISP's users. + In order to remedy this problem, a "Reverse Path Forwarding" check is + described; see Section 6.1 for details. + + Existing implementations utilize per-packet authentication and + integrity protection algorithms with known weaknesses [MD5Attack]. + To provide stronger per-packet authentication and integrity + protection, the use of IPsec is recommended. See Section 6.2 for + details. + + Existing implementations lack replay protection. In order to support + replay detection, it is recommended that an Event-Timestamp Attribute + be added to all packets in situations where IPsec replay protection + is not employed. See Section 6.3 for details. + + The approach taken with CoA commands in existing implementations + results in a semantic ambiguity. Existing implementations of the + CoA-Request identify the affected session, as well as supply the + authorization changes. Since RADIUS Attributes included within + existing implementations of the CoA-Request can be used for session + identification or authorization change, it may not be clear which + function a given attribute is serving. + + The problem does not exist within the Diameter protocol [RFC3588], in + which server-initiated authorization change is initiated using a + Re-Auth-Request (RAR) command identifying the session via User-Name + and Session-Id Attribute Value Pairs (AVPs) and containing a + Re-Auth-Request-Type AVP with value "AUTHORIZE_ONLY". This results + in initiation of a standard Request/Response sequence where + authorization changes are supplied. As a result, in no command can + Diameter AVPs have multiple potential meanings. + + + +Chiba, et al. Informational [Page 3] + +RFC 5176 Dynamic Authorization Extensions to RADIUS January 2008 + + +1.2. Requirements Language + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in [RFC2119]. + +1.3. Terminology + + This document frequently uses the following terms: + + Dynamic Authorization Client (DAC) + The entity originating Change of Authorization (CoA) Requests or + Disconnect-Requests. While it is possible that the DAC is + co-resident with a RADIUS authentication or accounting server, + this need not necessarily be the case. + + Dynamic Authorization Server (DAS) + The entity receiving CoA-Request or Disconnect-Request packets. + The DAS may be a NAS or a RADIUS proxy. + + Network Access Server (NAS) + The device providing access to the network. + + service + The NAS provides a service to the user, such as IEEE 802 or + Point-to-Point Protocol (PPP). + + session + Each service provided by the NAS to a user constitutes a + session, with the beginning of the session defined as the point + where service is first provided and the end of the session + defined as the point where service is ended. A user may have + multiple sessions in parallel or series if the NAS supports + that. + + silently discard + This means the implementation discards the packet without + further processing. The implementation SHOULD provide the + capability of logging the error, including the contents of the + silently discarded packet, and SHOULD record the event in a + statistics counter. + +2. Overview + + This section describes the most commonly implemented features of + Disconnect and Change-of-Authorization (CoA) packets. + + + + + +Chiba, et al. Informational [Page 4] + +RFC 5176 Dynamic Authorization Extensions to RADIUS January 2008 + + +2.1. Disconnect Messages (DMs) + + A Disconnect-Request packet is sent by the Dynamic Authorization + Client in order to terminate user session(s) on a NAS and discard all + associated session context. The Disconnect-Request packet is sent to + UDP port 3799, and identifies the NAS as well as the user session(s) + to be terminated by inclusion of the identification attributes + described in Section 3. + + +----------+ +----------+ + | | Disconnect-Request | | + | | <-------------------- | | + | NAS | | DAC | + | | Disconnect-ACK/NAK | | + | | ---------------------> | | + +----------+ +----------+ + + The NAS responds to a Disconnect-Request packet sent by a Dynamic + Authorization Client with a Disconnect-ACK if all associated session + context is discarded and the user session(s) are no longer connected, + or a Disconnect-NAK, if the NAS was unable to disconnect one or more + sessions and discard all associated session context. A Disconnect- + ACK MAY contain the Acct-Terminate-Cause (49) Attribute [RFC2866] + with the value set to 6 for Admin-Reset. + +2.2. Change-of-Authorization (CoA) Messages + + CoA-Request packets contain information for dynamically changing + session authorizations. Typically, this is used to change data + filters. The data filters can be of either the ingress or egress + kind, and are sent in addition to the identification attributes as + described in Section 3. The port used and packet format (described + in Section 2.3) are the same as those for Disconnect-Request packets. + + The following attributes MAY be sent in a CoA-Request: + + Filter-ID (11) - Indicates the name of a data filter list + to be applied for the session(s) that the + identification attributes map to. + + NAS-Filter-Rule (92) - Provides a filter list to be applied for + the session(s) that the identification + attributes map to [RFC4849]. + + + + + + + + +Chiba, et al. Informational [Page 5] + +RFC 5176 Dynamic Authorization Extensions to RADIUS January 2008 + + + +----------+ +----------+ + | | CoA-Request | | + | | <-------------------- | | + | NAS | | DAC | + | | CoA-ACK/NAK | | + | | ---------------------> | | + +----------+ +----------+ + + The NAS responds to a CoA-Request sent by a Dynamic Authorization + Client with a CoA-ACK if the NAS is able to successfully change the + authorizations for the user session(s), or a CoA-NAK if the CoA- + Request is unsuccessful. A NAS MUST respond to a CoA-Request + including a Service-Type Attribute with an unsupported value with a + CoA-NAK; an Error-Cause Attribute with value "Unsupported Service" + SHOULD be included. + +2.3. Packet Format + + For either Disconnect-Request or CoA-Request packets UDP port 3799 is + used as the destination port. For responses, the source and + destination ports are reversed. Exactly one RADIUS packet is + encapsulated in the UDP Data field. + + A summary of the data format is shown below. The fields are + transmitted from left to right. + + The packet format consists of the following fields: Code, Identifier, + Length, Authenticator, and Attributes in Type-Length-Value (TLV) + format. All fields hold the same meaning as those described in + RADIUS [RFC2865]. The Authenticator field MUST be calculated in the + same way as is specified for an Accounting-Request in [RFC2866]. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Code | Identifier | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | + | Authenticator | + | | + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Attributes ... + +-+-+-+-+-+-+-+-+-+-+-+-+- + + + + + + + +Chiba, et al. Informational [Page 6] + +RFC 5176 Dynamic Authorization Extensions to RADIUS January 2008 + + + Code + + The Code field is one octet, and identifies the type of RADIUS + packet. Packets received with an invalid Code field MUST be + silently discarded. RADIUS codes (decimal) for this extension are + assigned as follows: + + 40 - Disconnect-Request [RFC3575] + 41 - Disconnect-ACK [RFC3575] + 42 - Disconnect-NAK [RFC3575] + 43 - CoA-Request [RFC3575] + 44 - CoA-ACK [RFC3575] + 45 - CoA-NAK [RFC3575] + + Identifier + + The Identifier field is one octet, and aids in matching requests + and replies. A Dynamic Authorization Server implementing this + specification MUST be capable of detecting a duplicate request if + it has the same source IP address, source UDP port, and Identifier + within a short span of time. + + The responsibility for retransmission of Disconnect-Request and + CoA-Request packets lies with the Dynamic Authorization Client. + If after sending these packets, the Dynamic Authorization Client + does not receive a response, it will retransmit. + + The Identifier field MUST be changed whenever the content of the + Attributes field changes, or whenever a valid reply has been + received for a previous request. For retransmissions where the + contents are identical, the Identifier MUST remain unchanged. + + If the Dynamic Authorization Client is retransmitting a + Disconnect-Request or CoA-Request to the same Dynamic + Authorization Server as before, and the attributes haven't + changed, the same Request Authenticator, Identifier, and source + port MUST be used. If any attributes have changed, a new + Authenticator and Identifier MUST be used. + + If the Request to a primary Dynamic Authorization Server fails, a + secondary Dynamic Authorization Server must be queried, if + available; issues relating to failover algorithms are described in + [RFC3539]. Since this represents a new request, a new Request + Authenticator and Identifier MUST be used. However, where the + Dynamic Authorization Client is sending directly to the NAS, + failover typically does not make sense, since CoA-Request or + Disconnect-Request packets need to be delivered to the NAS where + the session resides. + + + +Chiba, et al. Informational [Page 7] + +RFC 5176 Dynamic Authorization Extensions to RADIUS January 2008 + + + Length + + The Length field is two octets. It indicates the length of the + packet including the Code, Identifier, Length, Authenticator, and + Attribute fields. Octets outside the range of the Length field + MUST be treated as padding and ignored on reception. If the + packet is shorter than the Length field indicates, it MUST be + silently discarded. The minimum length is 20 and maximum length + is 4096. + + Authenticator + + The Authenticator field is sixteen (16) octets. The most + significant octet is transmitted first. This value is used to + authenticate packets between the Dynamic Authorization Client and + the Dynamic Authorization Server. + + Request Authenticator + + In Request packets, the Authenticator value is a 16-octet MD5 + [RFC1321] checksum, called the Request Authenticator. The + Request Authenticator is calculated the same way as for an + Accounting-Request, specified in [RFC2866]. + + Note that the Request Authenticator of a CoA-Request or + Disconnect-Request cannot be computed the same way as the + Request Authenticator of a RADIUS Access-Request, because there + is no User-Password Attribute in a CoA-Request or Disconnect- + Request. + + Response Authenticator + + The Authenticator field in a Response packet (e.g., + Disconnect-ACK, Disconnect-NAK, CoA-ACK, or CoA-NAK) is called + the Response Authenticator, and contains a one-way MD5 hash + calculated over a stream of octets consisting of the Code, + Identifier, Length, the Request Authenticator field from the + packet being replied to, and the response attributes if any, + followed by the shared secret. The resulting 16-octet MD5 hash + value is stored in the Authenticator field of the Response + packet. + + Administrative note: As noted in [RFC2865], Section 3, the secret + (password shared between the Dynamic Authorization Client and the + Dynamic Authorization Server) SHOULD be at least as large and + unguessable as a well-chosen password. The Dynamic Authorization + + + + + +Chiba, et al. Informational [Page 8] + +RFC 5176 Dynamic Authorization Extensions to RADIUS January 2008 + + + Server MUST use the source IP address of the RADIUS UDP packet to + decide which shared secret to use, so that requests can be + proxied. + + Attributes + + In CoA-Request and Disconnect-Request packets, all attributes MUST + be treated as mandatory. If one or more authorization changes + specified in a CoA-Request cannot be carried out, the NAS MUST + send a CoA-NAK. A NAS MUST respond to a CoA-Request containing + one or more unsupported attributes or Attribute values with a + CoA-NAK; an Error-Cause Attribute with value 401 (Unsupported + Attribute) or 407 (Invalid Attribute Value) MAY be included. A + NAS MUST respond to a Disconnect-Request containing one or more + unsupported attributes or Attribute values with a Disconnect-NAK; + an Error-Cause Attribute with value 401 (Unsupported Attribute) or + 407 (Invalid Attribute Value) MAY be included. + + State changes resulting from a CoA-Request MUST be atomic: if the + CoA-Request is successful for all matching sessions, the NAS MUST + send a CoA-ACK in reply, and all requested authorization changes + MUST be made. If the CoA-Request is unsuccessful for any matching + sessions, the NAS MUST send a CoA-NAK in reply, and the requested + authorization changes MUST NOT be made for any of the matching + sessions. Similarly, a state change MUST NOT occur as a result of + a Disconnect-Request that is unsuccessful with respect to any of + the matching sessions; a NAS MUST send a Disconnect-NAK in reply + if any of the matching sessions cannot be successfully terminated. + A NAS that does not support dynamic authorization changes applying + to multiple sessions MUST send a CoA-NAK or Disconnect-NAK in + reply; an Error-Cause Attribute with value 508 (Multiple Session + Selection Unsupported) SHOULD be included. + + Within this specification, attributes can be used for + identification, authorization, or other purposes. RADIUS + Attribute specifications created after publication of this + document SHOULD state whether an attribute can be included in CoA + or Disconnect messages, and if so, which messages it can be + included in and whether it serves as an identification or + authorization attribute. + + Even if a NAS implements an attribute for use with RADIUS + authentication and accounting, it is possible that it will not + support inclusion of that attribute within CoA-Request and + Disconnect-Request packets, given the difference in attribute + semantics. This is true even for attributes specified as + + + + + +Chiba, et al. Informational [Page 9] + +RFC 5176 Dynamic Authorization Extensions to RADIUS January 2008 + + + allowable within Access-Accept packets (such as those defined + within [RFC2865], [RFC2868], [RFC2869], [RFC3162], [RFC3579], + [RFC4372], [RFC4675], [RFC4818], and [RFC4849]). + +3. Attributes + + In Disconnect-Request and CoA-Request packets, certain attributes are + used to uniquely identify the NAS as well as user session(s) on the + NAS. The combination of NAS and session identification attributes + included in a CoA-Request or Disconnect-Request packet MUST match at + least one session in order for a Request to be successful; otherwise + a Disconnect-NAK or CoA-NAK MUST be sent. If all NAS identification + attributes match, and more than one session matches all of the + session identification attributes, then a CoA-Request or Disconnect- + Request MUST apply to all matching sessions. + + Identification attributes include NAS and session identification + attributes, as described below. + + NAS identification attributes + + Attribute # Reference Description + --------- --- --------- ----------- + NAS-IP-Address 4 [RFC2865] The IPv4 address of the NAS. + NAS-Identifier 32 [RFC2865] String identifying the NAS. + NAS-IPv6-Address 95 [RFC3162] The IPv6 address of the NAS. + + Session identification attributes + + Attribute # Reference Description + --------- --- --------- ----------- + User-Name 1 [RFC2865] The name of the user + associated with one or + more sessions. + NAS-Port 5 [RFC2865] The port on which a + session is terminated. + Framed-IP-Address 8 [RFC2865] The IPv4 address associated + with a session. + Vendor-Specific 26 [RFC2865] One or more vendor-specific + identification attributes. + Called-Station-Id 30 [RFC2865] The link address to which + a session is connected. + Calling-Station-Id 31 [RFC2865] The link address from which + one or more sessions are + connected. + Acct-Session-Id 44 [RFC2866] The identifier uniquely + identifying a session + on the NAS. + + + +Chiba, et al. Informational [Page 10] + +RFC 5176 Dynamic Authorization Extensions to RADIUS January 2008 + + + Acct-Multi-Session-Id 50 [RFC2866] The identifier uniquely + identifying related sessions. + NAS-Port-Id 87 [RFC2869] String identifying the port + where a session is. + Chargeable-User- 89 [RFC4372] The CUI associated with one + Identity or more sessions. Needed + where a privacy Network + Access Identifier (NAI) is + used, since in this case the + User-Name (e.g., "anonymous") + may not identify sessions + belonging to a given user. + Framed-Interface-Id 96 [RFC3162] The IPv6 Interface Identifier + associated with a session, + always sent with + Framed-IPv6-Prefix. + Framed-IPv6-Prefix 97 [RFC3162] The IPv6 prefix associated + with a session, always sent + with Framed-Interface-Id. + + To address security concerns described in Section 6.1, either the + User-Name or Chargeable-User-Identity attribute SHOULD be present in + Disconnect-Request and CoA-Request packets. + + Where a Diameter client utilizes the same Session-Id for both + authorization and accounting, inclusion of an Acct-Session-Id + Attribute in a Disconnect-Request or CoA-Request can assist with + Diameter/RADIUS translation, since Diameter RAR and ASR commands + include a Session-Id AVP. An Acct-Session-Id Attribute SHOULD be + included in Disconnect-Request and CoA-Request packets. + + A NAS implementing this specification SHOULD send an Acct-Session-Id + or Acct-Multi-Session-Id Attribute within an Access-Request. Where + an Acct-Session-Id or Acct-Multi-Session-Id Attribute is not included + within an Access-Request, the Dynamic Authorization Client will not + know the Acct-Session-Id or Acct-Multi-Session-Id of the session it + is attempting to target, unless it also has access to the accounting + data for that session. + + Where an Acct-Session-Id or Acct-Multi-Session-Id Attribute is not + present in a CoA-Request or Disconnect-Request, it is possible that + the User-Name or Chargeable-User-Identity attributes will not be + sufficient to uniquely identify a single session (e.g., if the same + user has multiple sessions on the NAS, or if the privacy NAI is + used). In this case, if it is desired to identify a single session, + session identification MAY be performed by using one or more of the + Framed-IP-Address, Framed-IPv6-Prefix/Framed-Interface-Id, Called- + Station-Id, Calling-Station-Id, NAS-Port, and NAS-Port-Id attributes. + + + +Chiba, et al. Informational [Page 11] + +RFC 5176 Dynamic Authorization Extensions to RADIUS January 2008 + + + To assist RADIUS proxies in routing Request packets to their + destination, one or more of the NAS-IP-Address or NAS-IPv6-Address + attributes SHOULD be present in CoA-Request and Disconnect-Request + packets; the NAS-Identifier Attribute MAY be present. Impersonation + issues with NAS Identification attributes are discussed in [RFC3579], + Section 4.3.7. + + A Disconnect-Request MUST contain only NAS and session identification + attributes. If other attributes are included in a Disconnect- + Request, implementations MUST send a Disconnect-NAK; an Error-Cause + Attribute with value "Unsupported Attribute" MAY be included. + + The DAC may require access to data from RADIUS authentication or + accounting packets. It uses this data to compose compliant CoA- + Request or Disconnect-Request packets. For example, as described in + Section 3.3, a CoA-Request packet containing a Service-Type Attribute + with a value of "Authorize Only" is required to contain a State + Attribute. The NAS will subsequently transmit this attribute to the + RADIUS server in an Access-Request. In order for the DAC to include + a State Attribute that the RADIUS server will subsequently accept, + some coordination between the two parties may be required. + + This coordination can be achieved in multiple ways. The DAC may be + co-located with a RADIUS server, in which case it is presumed to have + access to the necessary data. The RADIUS server may also store that + information in a common database. The DAC can then be separated from + the RADIUS server, so long as it has access to that common database. + + Where the DAC is not co-located with a RADIUS server, and does not + have access to a common database, the DAC SHOULD send CoA-Request or + Disconnect-Request packets to a RADIUS server acting as a proxy, + rather than sending them directly to the NAS. + + A RADIUS server receiving a CoA-Request or Disconnect-Request packet + from the DAC MAY then add or update attributes (such as adding NAS or + session identification attributes or appending a State Attribute), + prior to forwarding the packet. Having CoA/Disconnect-Requests + forwarded by a RADIUS server can also enable upstream RADIUS proxies + to perform a Reverse Path Forwarding (RPF) check (see Section 6.1). + +3.1. Proxy State + + If there are any Proxy-State attributes in a Disconnect-Request or + CoA-Request received from the Dynamic Authorization Client, the + Dynamic Authorization Server MUST include those Proxy-State + attributes in its response to the Dynamic Authorization Client. + + + + + +Chiba, et al. Informational [Page 12] + +RFC 5176 Dynamic Authorization Extensions to RADIUS January 2008 + + + A forwarding proxy or NAS MUST NOT modify existing Proxy-State, + State, or Class attributes present in the packet. The forwarding + proxy or NAS MUST treat any Proxy-State attributes already in the + packet as opaque data. Its operation MUST NOT depend on the content + of Proxy-State attributes added by previous proxies. The forwarding + proxy MUST NOT modify any other Proxy-State attributes that were in + the packet; it may choose not to forward them, but it MUST NOT change + their contents. If the forwarding proxy omits the Proxy-State + attributes in the request, it MUST attach them to the response before + sending it. + + When the proxy forwards a Disconnect-Request or CoA-Request, it MAY + add a Proxy-State Attribute, but it MUST NOT add more than one. If a + Proxy-State Attribute is added to a packet when forwarding the + packet, the Proxy-State Attribute MUST be added after any existing + Proxy-State attributes. The forwarding proxy MUST NOT change the + order of any attributes of the same type, including Proxy-State. + Other attributes can be placed before, after, or even between the + Proxy-State attributes. + + When the proxy receives a response to a CoA-Request or Disconnect- + Request, it MUST remove its own Proxy-State Attribute (the last + Proxy-State in the packet) before forwarding the response. Since + Disconnect and CoA responses are authenticated on the entire packet + contents, the stripping of the Proxy-State Attribute invalidates the + integrity check, so the proxy MUST recompute it. + +3.2. Authorize Only + + To simplify translation between RADIUS and Diameter, Dynamic + Authorization Clients can include a Service-Type Attribute with value + "Authorize Only" within a CoA-Request; see Section 4 for details on + Diameter considerations. Support for a CoA-Request including a + Service-Type Attribute with value "Authorize Only" is OPTIONAL on the + NAS and Dynamic Authorization Client. A Service-Type Attribute MUST + NOT be included within a Disconnect-Request. + + A NAS MUST respond to a CoA-Request including a Service-Type + Attribute with value "Authorize Only" with a CoA-NAK; a CoA-ACK MUST + NOT be sent. If the NAS does not support a Service-Type value of + "Authorize Only", then it MUST respond with a CoA-NAK; an Error-Cause + Attribute with a value of 405 (Unsupported Service) SHOULD be + included. + + A CoA-Request containing a Service-Type Attribute with value + "Authorize Only" MUST in addition contain only NAS or session + identification attributes, as well as a State Attribute. If other + + + + +Chiba, et al. Informational [Page 13] + +RFC 5176 Dynamic Authorization Extensions to RADIUS January 2008 + + + attributes are included in such a CoA-Request, a CoA-NAK MUST be + sent; an Error-Cause Attribute with value 401 (Unsupported Attribute) + SHOULD be included. + + If a CoA-Request packet including a Service-Type value of "Authorize + Only" is successfully processed, the NAS MUST respond with a CoA-NAK + containing a Service-Type Attribute with value "Authorize Only", and + an Error-Cause Attribute with value 507 (Request Initiated). The NAS + then MUST send an Access-Request to the RADIUS server including a + Service-Type Attribute with value "Authorize Only", along with a + State Attribute. This Access-Request SHOULD contain the NAS + identification attributes from the CoA-Request, as well as the + session identification attributes from the CoA-Request permitted in + an Access-Request; it also MAY contain other attributes permitted in + an Access-Request. + + As noted in [RFC2869], Section 5.19, a Message-Authenticator + attribute SHOULD be included in an Access-Request that does not + contain a User-Password, CHAP-Password, ARAP-Password, or EAP-Message + Attribute. The RADIUS server then will respond to the Access-Request + with an Access-Accept to (re-)authorize the session or an Access- + Reject to refuse to (re-)authorize it. + +3.3. State + + The State Attribute is available to be sent by the Dynamic + Authorization Client to the NAS in a CoA-Request packet and MUST be + sent unmodified from the NAS to the Dynamic Authorization Client in a + subsequent ACK or NAK packet. + + [RFC2865], Section 5.44 states: + + An Access-Request MUST contain either a User-Password or a + CHAP-Password or State. An Access-Request MUST NOT contain both a + User-Password and a CHAP-Password. If future extensions allow + other kinds of authentication information to be conveyed, the + attribute for that can be used in an Access-Request instead of + User-Password or CHAP-Password. + + In order to satisfy the requirements of [RFC2865], Section 5.44, an + Access-Request with Service-Type Attribute with value "Authorize + Only" MUST contain a State Attribute. + + In order to provide a State Attribute to the NAS, a Dynamic + Authorization Client sending a CoA-Request with a Service-Type + Attribute with a value of "Authorize Only" MUST include a State + Attribute, and the NAS MUST send the State Attribute unmodified to + the RADIUS server in the resulting Access-Request, if any. A NAS + + + +Chiba, et al. Informational [Page 14] + +RFC 5176 Dynamic Authorization Extensions to RADIUS January 2008 + + + receiving a CoA-Request containing a Service-Type Attribute with a + value of "Authorize Only" but lacking a State Attribute MUST send a + CoA-NAK and SHOULD include an Error-Cause Attribute with a value of + 402 (Missing Attribute). + + The State Attribute is also available to be sent by the Dynamic + Authorization Client to the NAS in a CoA-Request that also includes a + Termination-Action Attribute with the value of RADIUS-Request. If + the NAS performs the Termination-Action by sending a new Access- + Request upon termination of the current session, it MUST include the + State Attribute unchanged in that Access-Request. In either usage, + the Dynamic Authorization Server MUST NOT interpret the Attribute + locally. A CoA-Request packet MUST have only zero or one State + Attribute. Usage of the State Attribute is implementation dependent. + +3.4. Message-Authenticator + + The Message-Authenticator Attribute MAY be used to authenticate and + integrity-protect CoA-Request, CoA-ACK, CoA-NAK, Disconnect-Request, + Disconnect-ACK, and Disconnect-NAK packets in order to prevent + spoofing. + + A Dynamic Authorization Server receiving a CoA-Request or + Disconnect-Request with a Message-Authenticator Attribute present + MUST calculate the correct value of the Message-Authenticator and + silently discard the packet if it does not match the value sent. A + Dynamic Authorization Client receiving a CoA/Disconnect-ACK or + CoA/Disconnect-NAK with a Message-Authenticator Attribute present + MUST calculate the correct value of the Message-Authenticator and + silently discard the packet if it does not match the value sent. + + When a Message-Authenticator Attribute is included within a CoA- + Request or Disconnect-Request, it is calculated as follows: + + Message-Authenticator = HMAC-MD5 (Type, Identifier, Length, + Request Authenticator, Attributes) + + When the HMAC-MD5 message integrity check is calculated the + Request Authenticator field and Message-Authenticator Attribute + MUST each be considered to be sixteen octets of zero. The + Message-Authenticator Attribute is calculated and inserted in the + packet before the Request Authenticator is calculated. + + + + + + + + + +Chiba, et al. Informational [Page 15] + +RFC 5176 Dynamic Authorization Extensions to RADIUS January 2008 + + + When a Message-Authenticator Attribute is included within a CoA- + ACK, CoA-NAK, Disconnect-ACK, or Disconnect-NAK, it is calculated + as follows: + + Message-Authenticator = HMAC-MD5 (Type, Identifier, Length, + Request Authenticator, Attributes) + + When the HMAC-MD5 message integrity check is calculated, the + Message-Authenticator Attribute MUST be considered to be sixteen + octets of zero. The Request Authenticator is taken from the + corresponding CoA/Disconnect-Request. The Message-Authenticator + is calculated and inserted in the packet before the Response + Authenticator is calculated. + +3.5. Error-Cause + + Description + + It is possible that a Dynamic Authorization Server cannot honor + Disconnect-Request or CoA-Request packets for some reason. The + Error-Cause Attribute provides more detail on the cause of the + problem. It MAY be included within CoA-NAK and Disconnect-NAK + packets. + + A summary of the Error-Cause Attribute format is shown below. The + fields are transmitted from left to right. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | Value + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + Value (cont) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Type + + 101 for Error-Cause + + Length + + 6 + + Value + + The Value field is four octets, containing an integer specifying + the cause of the error. Values 0-199 and 300-399 are reserved. + Values 200-299 represent successful completion, so that these + + + +Chiba, et al. Informational [Page 16] + +RFC 5176 Dynamic Authorization Extensions to RADIUS January 2008 + + + values may only be sent within CoA-ACK or Disconnect-ACK packets + and MUST NOT be sent within a CoA-NAK or Disconnect-NAK packet. + Values 400-499 represent fatal errors committed by the Dynamic + Authorization Client, so that they MAY be sent within CoA-NAK or + Disconnect-NAK packets, and MUST NOT be sent within CoA-ACK or + Disconnect-ACK packets. Values 500-599 represent fatal errors + occurring on a Dynamic Authorization Server, so that they MAY be + sent within CoA-NAK and Disconnect-NAK packets, and MUST NOT be + sent within CoA-ACK or Disconnect-ACK packets. Error-Cause values + SHOULD be logged by the Dynamic Authorization Client. Error-Code + values (expressed in decimal) include: + + # Value + --- ----- + 201 Residual Session Context Removed + 202 Invalid EAP Packet (Ignored) + 401 Unsupported Attribute + 402 Missing Attribute + 403 NAS Identification Mismatch + 404 Invalid Request + 405 Unsupported Service + 406 Unsupported Extension + 407 Invalid Attribute Value + 501 Administratively Prohibited + 502 Request Not Routable (Proxy) + 503 Session Context Not Found + 504 Session Context Not Removable + 505 Other Proxy Processing Error + 506 Resources Unavailable + 507 Request Initiated + 508 Multiple Session Selection Unsupported + + "Residual Session Context Removed" is sent in response to a + Disconnect-Request if one or more user sessions are no longer + active, but residual session context was found and successfully + removed. This value is only sent within a Disconnect-ACK and MUST + NOT be sent within a CoA-ACK, Disconnect-NAK, or CoA-NAK. + + "Invalid EAP Packet (Ignored)" is a non-fatal error that MUST NOT + be sent by implementations of this specification. + + "Unsupported Attribute" is a fatal error sent if a Request + contains an attribute (such as a Vendor-Specific or EAP-Message + Attribute) that is not supported. + + "Missing Attribute" is a fatal error sent if critical attributes + (such as NAS or session identification attributes) are missing + from a Request. + + + +Chiba, et al. Informational [Page 17] + +RFC 5176 Dynamic Authorization Extensions to RADIUS January 2008 + + + "NAS Identification Mismatch" is a fatal error sent if one or more + NAS identification attributes (see Section 3) do not match the + identity of the NAS receiving the Request. + + "Invalid Request" is a fatal error sent if some other aspect of + the Request is invalid, such as if one or more attributes (such as + EAP-Message Attribute(s)) are not formatted properly. + + "Unsupported Service" is a fatal error sent if a Service-Type + Attribute included with the Request is sent with an invalid or + unsupported value. This error cannot be sent in response to a + Disconnect-Request. + + "Unsupported Extension" is a fatal error sent due to lack of + support for an extension such as Disconnect and/or CoA packets. + This will typically be sent by a proxy receiving an ICMP port + unreachable message after attempting to forward a CoA-Request or + Disconnect-Request to the NAS. + + "Invalid Attribute Value" is a fatal error sent if a CoA-Request + or Disconnect-Request contains an attribute with an unsupported + value. + + "Administratively Prohibited" is a fatal error sent if the NAS is + configured to prohibit honoring of CoA-Request or Disconnect- + Request packets for the specified session. + + "Request Not Routable" is a fatal error that MAY be sent by a + proxy and MUST NOT be sent by a NAS. It indicates that the proxy + was unable to determine how to route a CoA-Request or Disconnect- + Request to the NAS. For example, this can occur if the required + entries are not present in the proxy's realm routing table. + + "Session Context Not Found" is a fatal error sent if the session + context identified in the CoA-Request or Disconnect-Request does + not exist on the NAS. + + "Session Context Not Removable" is a fatal error sent in response + to a Disconnect-Request if the NAS was able to locate the session + context, but could not remove it for some reason. It MUST NOT be + sent within a CoA-ACK, CoA-NAK, or Disconnect-ACK, only within a + Disconnect-NAK. + + "Other Proxy Processing Error" is a fatal error sent in response + to a CoA or Disconnect-Request that could not be processed by a + proxy, for reasons other than routing. + + + + + +Chiba, et al. Informational [Page 18] + +RFC 5176 Dynamic Authorization Extensions to RADIUS January 2008 + + + "Resources Unavailable" is a fatal error sent when a CoA or + Disconnect-Request could not be honored due to lack of available + NAS resources (memory, non-volatile storage, etc.). + + "Request Initiated" is a fatal error sent by a NAS in response to + a CoA-Request including a Service-Type Attribute with a value of + "Authorize Only". It indicates that the CoA-Request has not been + honored, but that the NAS is sending one or more RADIUS Access- + Requests including a Service-Type Attribute with value "Authorize + Only" to the RADIUS server. + + "Multiple Session Selection Unsupported" is a fatal error sent by + a NAS in response to a CoA-Request or Disconnect-Request whose + session identification attributes match multiple sessions, where + the NAS does not support Requests applying to multiple sessions. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Chiba, et al. Informational [Page 19] + +RFC 5176 Dynamic Authorization Extensions to RADIUS January 2008 + + +3.6. Table of Attributes + + The following table provides a guide to which attributes may be found + in which packets, and in what quantity. + + Change-of-Authorization Messages + + Request ACK NAK # Attribute + 0-1 0 0 1 User-Name (Note 1) + 0-1 0 0 4 NAS-IP-Address (Note 1) + 0-1 0 0 5 NAS-Port (Note 1) + 0-1 0 0-1 6 Service-Type + 0-1 0 0 7 Framed-Protocol (Note 3) + 0-1 0 0 8 Framed-IP-Address (Notes 1, 6) + 0-1 0 0 9 Framed-IP-Netmask (Note 3) + 0-1 0 0 10 Framed-Routing (Note 3) + 0+ 0 0 11 Filter-ID (Note 3) + 0-1 0 0 12 Framed-MTU (Note 3) + 0+ 0 0 13 Framed-Compression (Note 3) + 0+ 0 0 14 Login-IP-Host (Note 3) + 0-1 0 0 15 Login-Service (Note 3) + 0-1 0 0 16 Login-TCP-Port (Note 3) + 0+ 0 0 18 Reply-Message (Note 2) + 0-1 0 0 19 Callback-Number (Note 3) + 0-1 0 0 20 Callback-Id (Note 3) + 0+ 0 0 22 Framed-Route (Note 3) + 0-1 0 0 23 Framed-IPX-Network (Note 3) + 0-1 0-1 0-1 24 State + 0+ 0 0 25 Class (Note 3) + 0+ 0 0 26 Vendor-Specific (Note 7) + 0-1 0 0 27 Session-Timeout (Note 3) + 0-1 0 0 28 Idle-Timeout (Note 3) + 0-1 0 0 29 Termination-Action (Note 3) + Request ACK NAK # Attribute + + + + + + + + + + + + + + + + + +Chiba, et al. Informational [Page 20] + +RFC 5176 Dynamic Authorization Extensions to RADIUS January 2008 + + + Request ACK NAK # Attribute + 0-1 0 0 30 Called-Station-Id (Note 1) + 0-1 0 0 31 Calling-Station-Id (Note 1) + 0-1 0 0 32 NAS-Identifier (Note 1) + 0+ 0+ 0+ 33 Proxy-State + 0-1 0 0 34 Login-LAT-Service (Note 3) + 0-1 0 0 35 Login-LAT-Node (Note 3) + 0-1 0 0 36 Login-LAT-Group (Note 3) + 0-1 0 0 37 Framed-AppleTalk-Link (Note 3) + 0+ 0 0 38 Framed-AppleTalk-Network (Note 3) + 0-1 0 0 39 Framed-AppleTalk-Zone (Note 3) + 0-1 0 0 44 Acct-Session-Id (Note 1) + 0-1 0 0 50 Acct-Multi-Session-Id (Note 1) + 0-1 0-1 0-1 55 Event-Timestamp + 0+ 0 0 56 Egress-VLANID (Note 3) + 0-1 0 0 57 Ingress-Filters (Note 3) + 0+ 0 0 58 Egress-VLAN-Name (Note 3) + 0-1 0 0 59 User-Priority-Table (Note 3) + 0-1 0 0 61 NAS-Port-Type (Note 3) + 0-1 0 0 62 Port-Limit (Note 3) + 0-1 0 0 63 Login-LAT-Port (Note 3) + 0+ 0 0 64 Tunnel-Type (Note 5) + 0+ 0 0 65 Tunnel-Medium-Type (Note 5) + 0+ 0 0 66 Tunnel-Client-Endpoint (Note 5) + 0+ 0 0 67 Tunnel-Server-Endpoint (Note 5) + 0+ 0 0 69 Tunnel-Password (Note 5) + 0-1 0 0 71 ARAP-Features (Note 3) + 0-1 0 0 72 ARAP-Zone-Access (Note 3) + 0+ 0 0 78 Configuration-Token (Note 3) + 0+ 0-1 0 79 EAP-Message (Note 2) + 0-1 0-1 0-1 80 Message-Authenticator + 0+ 0 0 81 Tunnel-Private-Group-ID (Note 5) + 0+ 0 0 82 Tunnel-Assignment-ID (Note 5) + 0+ 0 0 83 Tunnel-Preference (Note 5) + 0-1 0 0 85 Acct-Interim-Interval (Note 3) + 0-1 0 0 87 NAS-Port-Id (Note 1) + 0-1 0 0 88 Framed-Pool (Note 3) + 0-1 0 0 89 Chargeable-User-Identity (Note 1) + 0+ 0 0 90 Tunnel-Client-Auth-ID (Note 5) + 0+ 0 0 91 Tunnel-Server-Auth-ID (Note 5) + 0-1 0 0 92 NAS-Filter-Rule (Note 3) + 0 0 0 94 Originating-Line-Info + 0-1 0 0 95 NAS-IPv6-Address (Note 1) + 0-1 0 0 96 Framed-Interface-Id (Notes 1, 6) + 0+ 0 0 97 Framed-IPv6-Prefix (Notes 1, 6) + 0+ 0 0 98 Login-IPv6-Host (Note 3) + 0+ 0 0 99 Framed-IPv6-Route (Note 3) + Request ACK NAK # Attribute + + + +Chiba, et al. Informational [Page 21] + +RFC 5176 Dynamic Authorization Extensions to RADIUS January 2008 + + + Request ACK NAK # Attribute + 0-1 0 0 100 Framed-IPv6-Pool (Note 3) + 0 0 0+ 101 Error-Cause + 0+ 0 0 123 Delegated-IPv6-Prefix (Note 3) + Request ACK NAK # Attribute + + Disconnect Messages + + Request ACK NAK # Attribute + 0-1 0 0 1 User-Name (Note 1) + 0-1 0 0 4 NAS-IP-Address (Note 1) + 0-1 0 0 5 NAS-Port (Note 1) + 0 0 0 6 Service-Type + 0 0 0 8 Framed-IP-Address (Note 1) + 0+ 0 0 18 Reply-Message (Note 2) + 0 0 0 24 State + 0+ 0 0 25 Class (Note 4) + 0+ 0 0 26 Vendor-Specific (Note 7) + 0-1 0 0 30 Called-Station-Id (Note 1) + 0-1 0 0 31 Calling-Station-Id (Note 1) + 0-1 0 0 32 NAS-Identifier (Note 1) + 0+ 0+ 0+ 33 Proxy-State + 0-1 0 0 44 Acct-Session-Id (Note 1) + 0-1 0-1 0 49 Acct-Terminate-Cause + 0-1 0 0 50 Acct-Multi-Session-Id (Note 1) + 0-1 0-1 0-1 55 Event-Timestamp + 0 0 0 61 NAS-Port-Type + 0+ 0-1 0 79 EAP-Message (Note 2) + 0-1 0-1 0-1 80 Message-Authenticator + 0-1 0 0 87 NAS-Port-Id (Note 1) + 0-1 0 0 89 Chargeable-User-Identity (Note 1) + 0-1 0 0 95 NAS-IPv6-Address (Note 1) + 0 0 0 96 Framed-Interface-Id (Note 1) + 0 0 0 97 Framed-IPv6-Prefix (Note 1) + 0 0 0+ 101 Error-Cause + Request ACK NAK # Attribute + + The following defines the meaning of the above table entries: + + 0 This attribute MUST NOT be present in packet. + 0+ Zero or more instances of this attribute MAY be present in + packet. + 0-1 Zero or one instance of this attribute MAY be present in packet. + 1 Exactly one instance of this attribute MUST be present in + packet. + + + + + + +Chiba, et al. Informational [Page 22] + +RFC 5176 Dynamic Authorization Extensions to RADIUS January 2008 + + + (Note 1) Where NAS or session identification attributes are included + in Disconnect-Request or CoA-Request packets, they are used for + identification purposes only. These attributes MUST NOT be used for + purposes other than identification (e.g., within CoA-Request packets + to request authorization changes). + + (Note 2) The Reply-Message Attribute is used to present a displayable + message to the user. The message is only displayed as a result of a + successful Disconnect-Request or CoA-Request (where a Disconnect-ACK + or CoA-ACK is subsequently sent). Where Extension Authentication + Protocol (EAP) is used for authentication, an EAP- + Message/Notification-Request Attribute is sent instead, and + Disconnect-ACK or CoA-ACK packets contain an EAP- + Message/Notification-Response Attribute. + + (Note 3) When included within a CoA-Request, these attributes + represent an authorization change request. When one of these + attributes is omitted from a CoA-Request, the NAS assumes that the + attribute value is to remain unchanged. Attributes included in a + CoA-Request replace all existing values of the same attribute(s). + + (Note 4) When included within a successful Disconnect-Request (where + a Disconnect-ACK is subsequently sent), the Class Attribute SHOULD be + sent unmodified by the NAS to the RADIUS accounting server in the + Accounting Stop packet. If the Disconnect-Request is unsuccessful, + then the Class Attribute is not processed. + + (Note 5) When included within a CoA-Request, these attributes + represent an authorization change request. Where tunnel attributes + are included within a successful CoA-Request, all existing tunnel + attributes are removed and replaced by the new attribute(s). + + (Note 6) Since the Framed-IP-Address, Framed-IPv6-Prefix, and + Framed-Interface-Id attributes are used for session identification, + renumbering cannot be accomplished by including values of these + attributes within a CoA-Request. Instead, a CoA-Request including a + Service-Type Attribute with a value of "Authorize Only" is sent; new + values can be supplied in an Access-Accept sent in response to the + ensuing Access-Request. Note that renumbering will not be possible + in all situations. For example, in order to change an IP address, + IPCP or IPv6CP re-negotiation could be required, which is not + supported by all PPP implementations. + + (Note 7) Within Disconnect-Request packets, Vendor-Specific + Attributes (VSAs) MAY be used for session identification. Within + CoA-Request packets, VSAs MAY be used for either session + identification or authorization change. However, the same Attribute + MUST NOT be used for both purposes simultaneously. + + + +Chiba, et al. Informational [Page 23] + +RFC 5176 Dynamic Authorization Extensions to RADIUS January 2008 + + +4. Diameter Considerations + + Due to differences in handling change-of-authorization requests in + RADIUS and Diameter, it may be difficult or impossible for a + Diameter/RADIUS gateway to successfully translate a Diameter + Re-Auth-Request (RAR) to a CoA-Request and vice versa. For example, + since a CoA-Request only initiates an authorization change but does + not initiate re-authentication, a RAR command containing a + Re-Auth-Request-Type AVP with value "AUTHORIZE_AUTHENTICATE" cannot + be directly translated to a CoA-Request. A Diameter/RADIUS gateway + receiving a CoA-Request containing authorization changes will need to + translate this into two Diameter exchanges. First, the + Diameter/RADIUS gateway will issue a RAR command including a + Session-Id AVP and a Re-Auth-Request-Type AVP with value "AUTHORIZE + ONLY". Then the Diameter/RADIUS gateway will respond to the ensuing + access request with a response including the authorization attributes + gleaned from the CoA-Request. To enable translation, the CoA-Request + SHOULD include a Acct-Session-Id Attribute. If the Diameter client + uses the same Session-Id for both authorization and accounting, then + the Diameter/RADIUS gateway can copy the contents of the Acct- + Session-Id Attribute into the Session-Id AVP; otherwise, it will + need to map the Acct-Session-Id value to an equivalent Session-Id for + use within a RAR command. + + Where an Acct-Session-Id Attribute is not present in a CoA-Request or + Disconnect-Request, a Diameter/RADIUS gateway will either need to + determine the appropriate Acct-Session-Id or, if it cannot do so, it + can send a CoA-NAK or Disconnect-NAK in reply, possibly including an + Error-Cause Attribute with a value of 508 (Multiple Session Selection + Unsupported). + + To simplify translation between RADIUS and Diameter, Dynamic + Authorization Clients can include a Service-Type Attribute with value + "Authorize Only" within a CoA-Request, as described in Section 3.2. + A Diameter/RADIUS gateway receiving a CoA-Request containing a + Service-Type Attribute with a value "Authorize Only" translates this + to a RAR with Re-Auth-Request-Type AVP with value "AUTHORIZE ONLY". + The received RAA is then translated to a CoA-NAK with a Service-Type + Attribute with value "Authorize Only". If the Result-Code AVP in the + RAA has a value in the success category, then an Error-Cause + Attribute with value "Request Initiated" is included in the CoA-NAK. + If the Result-Code AVP in the RAA has a value indicating a Protocol + Error or a Transient or Permanent Failure, then an alternate Error- + Cause Attribute is returned as suggested below. + + Within Diameter, a server can request that a session be aborted by + sending an Abort-Session-Request (ASR), identifying the session to be + terminated using Session-ID and User-Name AVPs. The ASR command is + + + +Chiba, et al. Informational [Page 24] + +RFC 5176 Dynamic Authorization Extensions to RADIUS January 2008 + + + translated to a Disconnect-Request containing Acct-Session-Id and + User-Name attributes. If the Diameter client utilizes the same + Session-Id in both authorization and accounting, then the value of + the Session-ID AVP may be placed in the Acct-Session-Id Attribute; + otherwise the value of the Session-ID AVP will need to be mapped to + an appropriate Acct-Session-Id Attribute. To enable translation of a + Disconnect-Request to an ASR, an Acct-Session-Id Attribute SHOULD be + present. + + If the Diameter client utilizes the same Session-Id in both + authorization and accounting, then the value of the Acct-Session-Id + Attribute may be placed into the Session-ID AVP within the ASR; + otherwise the value of the Acct-Session-Id Attribute will need to be + mapped to an appropriate Session-ID AVP. + + An Abort-Session-Answer (ASA) command is sent in response to an ASR + in order to indicate the disposition of the request. A + Diameter/RADIUS gateway receiving a Disconnect-ACK translates this to + an ASA command with a Result-Code AVP of "DIAMETER_SUCCESS". A + Disconnect-NAK received from the NAS is translated to an ASA command + with a Result-Code AVP that depends on the value of the Error-Cause + Attribute. Suggested translations between Error-Cause Attribute + values and Result-Code AVP values are included below: + + # Error-Cause Attribute Value Result-Code AVP + --- --------------------------- ------------------------ + 201 Residual Session Context DIAMETER_SUCCESS + Removed + 202 Invalid EAP Packet DIAMETER_LIMITED_SUCCESS + (Ignored) + 401 Unsupported Attribute DIAMETER_AVP_UNSUPPORTED + 402 Missing Attribute DIAMETER_MISSING_AVP + 403 NAS Identification DIAMETER_REALM_NOT_SERVED + Mismatch + 404 Invalid Request DIAMETER_UNABLE_TO_COMPLY + 405 Unsupported Service DIAMETER_COMMAND_UNSUPPORTED + 406 Unsupported Extension DIAMETER_APPLICATION_UNSUPPORTED + 407 Invalid Attribute Value DIAMETER_INVALID_AVP_VALUE + 501 Administratively DIAMETER_AUTHORIZATION_REJECTED + Prohibited + 502 Request Not Routable (Proxy) DIAMETER_UNABLE_TO_DELIVER + 503 Session Context Not Found DIAMETER_UNKNOWN_SESSION_ID + 504 Session Context Not DIAMETER_AUTHORIZATION_REJECTED + Removable + 505 Other Proxy Processing DIAMETER_UNABLE_TO_COMPLY + Error + 506 Resources Unavailable DIAMETER_RESOURCES_EXCEEDED + 507 Request Initiated DIAMETER_SUCCESS + + + +Chiba, et al. Informational [Page 25] + +RFC 5176 Dynamic Authorization Extensions to RADIUS January 2008 + + + Since both the ASR/ASA and Disconnect-Request/Disconnect- + NAK/Disconnect-ACK exchanges involve just a request and response, + inclusion of an "Authorize Only" Service-Type within a Disconnect- + Request is not needed to assist in Diameter/RADIUS translation, and + may make translation more difficult. As a result, as noted in + Section 3.2, the Service-Type Attribute MUST NOT be used within a + Disconnect-Request. + +5. IANA Considerations + + This document uses the RADIUS [RFC2865] namespace; see + . In addition to the + allocations already made in [RFC3575] and [RFC3576], this + specification allocates additional values of the Error-Cause + Attribute (101): + + # Value + --- ----- + 407 Invalid Attribute Value + 508 Multiple Session Selection Unsupported + +6. Security Considerations + +6.1. Authorization Issues + + Where a NAS is shared by multiple providers, it is undesirable for + one provider to be able to send Disconnect-Requests or CoA-Requests + affecting the sessions of another provider. + + A Dynamic Authorization Server MUST silently discard Disconnect- + Request or CoA-Request packets from untrusted sources. In situations + where the Dynamic Authorization Client is co-resident with a RADIUS + authentication or accounting server, a proxy MAY perform a "reverse + path forwarding" (RPF) check to verify that a Disconnect-Request or + CoA-Request originates from an authorized Dynamic Authorization + Client. In addition, it SHOULD be possible to explicitly authorize + additional sources of Disconnect-Request or CoA-Request packets + relating to certain classes of sessions. For example, a particular + source can be explicitly authorized to send CoA-Request packets + relating to users within a set of realms. + + To perform the RPF check, the Dynamic Authorization Server uses the + session identification attributes included in Disconnect-Request or + CoA-Request packets, in order to determine the RADIUS server(s) to + which an equivalent Access-Request could be routed. If the source + address of the Disconnect-Request or CoA-Request is within this set, + then the CoA-Request or Disconnect-Request is forwarded; otherwise it + MUST be silently discarded. + + + +Chiba, et al. Informational [Page 26] + +RFC 5176 Dynamic Authorization Extensions to RADIUS January 2008 + + + Typically, the Dynamic Authorization Server will extract the realm + from the Network Access Identifier [RFC4282] included within the + User-Name or Chargeable-User-Identity Attribute, and determine the + corresponding RADIUS servers in the realm routing tables. If the + Dynamic Authorization Server maintains long-term session state, it + MAY perform the authorization check based on the session + identification attributes in the CoA-Request. The session + identification attributes can be used to tie a session to a + particular proxy or set of proxies, as with the NAI realm. + + Where no proxy is present, the RPF check can only be performed by the + NAS if it maintains its own a realm routing table. If the NAS does + not maintain a realm routing table (e.g., it selects forwarding + proxies based on primary/secondary configuration and/or liveness + checks), then an RPF check cannot be performed. + + Since authorization to send a Disconnect-Request or CoA-Request is + determined based on the source address and the corresponding shared + secret, the Dynamic Authorization Server SHOULD configure a different + shared secret for each Dynamic Authorization Client. + +6.2. IPsec Usage Guidelines + + In addition to security vulnerabilities unique to Disconnect or CoA + packets, the protocol exchanges described in this document are + susceptible to the same vulnerabilities as RADIUS [RFC2865]. It is + RECOMMENDED that IPsec be employed to afford better security, + utilizing the profile described in [RFC3579], Section 4.2. + + For Dynamic Authorization Servers implementing this specification, + the IPsec policy would be "Require IPsec, from any to me, destination + port UDP 3799". This causes the Dynamic Authorization Server to + require use of IPsec. If some Dynamic Authorization Clients do not + support IPsec, then a more granular policy will be required: "Require + IPsec, from IPsec-Capable-DAC to me". + + For Dynamic Authorization Clients implementing this specification, + the IPsec policy would be "Initiate IPsec, from me to any, + destination port UDP 3799". This causes the Dynamic Authorization + Client to initiate IPsec when sending Dynamic Authorization traffic + to any Dynamic Authorization Server. If some Dynamic Authorization + Servers contacted by the Dynamic Authorization Client do not support + IPsec, then a more granular policy will be required, such as + "Initiate IPsec, from me to IPsec-Capable-DAS, destination port UDP + 3799". + + + + + + +Chiba, et al. Informational [Page 27] + +RFC 5176 Dynamic Authorization Extensions to RADIUS January 2008 + + +6.3. Replay Protection + + Where IPsec replay protection is not used, an Event-Timestamp (55) + [RFC2869] Attribute SHOULD be included within CoA-Request and + Disconnect-Request packets, and MAY be included within CoA-ACK, CoA- + NAK, Disconnect-ACK, and Disconnect-NAK packets. + + When the Event-Timestamp Attribute is present, both the Dynamic + Authorization Server and the Dynamic Authorization Client MUST check + that the Event-Timestamp Attribute is current within an acceptable + time window. If the Event-Timestamp Attribute is not current, then + the packet MUST be silently discarded. This implies the need for + loose time synchronization within the network, which can be achieved + by a variety of means, including Simple Network Time Protocol (SNTP), + as described in [RFC4330]. Implementations SHOULD be configurable to + discard CoA-Request or Disconnect-Request packets not containing an + Event-Timestamp Attribute. + + If the Event-Timestamp Attribute is included, it represents the time + at which the original packet was sent, and therefore it SHOULD NOT be + updated when the packet is retransmitted. If the Event-Timestamp + Attribute is not updated, this implies that the Identifier is not + changed in retransmitted packets. As a result, the ability to detect + replay within the time window is dependent on support for duplicate + detection within that same window. As noted in Section 2.3, + duplicate detection is REQUIRED for Dynamic Authorization Servers + implementing this specification. + + The time window used for duplicate detection MUST be the same as the + window used to detect a stale Event-Timestamp Attribute. Since the + RADIUS Identifier cannot be repeated within the selected time window, + no more than 256 Requests can be accepted within the time window. As + a result, the chosen time window will depend on the expected maximum + volume of CoA/Disconnect-Requests, so that unnecessary discards can + be avoided. A default time window of 300 seconds should be adequate + in many circumstances. + +7. Example Traces + + Disconnect Request with User-Name: + + 0: xxxx xxxx xxxx xxxx xxxx 2801 001c 1b23 .B.....$.-(....# + 16: 624c 3543 ceba 55f1 be55 a714 ca5e 0108 bL5C..U..U...^.. + 32: 6d63 6869 6261 + + + + + + + +Chiba, et al. Informational [Page 28] + +RFC 5176 Dynamic Authorization Extensions to RADIUS January 2008 + + + Disconnect Request with Acct-Session-ID: + + 0: xxxx xxxx xxxx xxxx xxxx 2801 001e ad0d .B..... ~.(..... + 16: 8e53 55b6 bd02 a0cb ace6 4e38 77bd 2c0a .SU.......N8w.,. + 32: 3930 3233 3435 3637 90234567 + + Disconnect Request with Framed-IP-Address: + + 0: xxxx xxxx xxxx xxxx xxxx 2801 001a 0bda .B....."2.(..... + 16: 33fe 765b 05f0 fd9c c32a 2f6b 5182 0806 3.v[.....*/kQ... + 32: 0a00 0203 + +8. References + +8.1. Normative References + + [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, + April 1992. + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", RFC 2119, March 1997. + + [RFC2865] Rigney, C., Rubens, A., Simpson, W. and S. Willens, + "Remote Authentication Dial In User Service (RADIUS)", + RFC 2865, June 2000. + + [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000. + + [RFC2869] Rigney, C., Willats W. and P. Calhoun, "RADIUS + Extensions", RFC 2869, June 2000. + + [RFC3162] Aboba, B., Zorn, G. and D. Mitton, "RADIUS and IPv6", RFC + 3162, August 2001. + + [RFC3575] Aboba, B., "IANA Considerations for RADIUS", RFC 3575, + July 2003. + + [RFC3579] Aboba, B. and P. Calhoun, "RADIUS Support for Extensible + Authentication Protocol (EAP)", RFC 3579, September 2003. + + [RFC4282] Aboba, B., Beadles, M., Arkko, J. and P. Eronen, "The + Network Access Identifier", RFC 4282, December 2005. + + + + + + + + + +Chiba, et al. Informational [Page 29] + +RFC 5176 Dynamic Authorization Extensions to RADIUS January 2008 + + +8.2. Informative References + + [MD5Attack] Dobbertin, H., "The Status of MD5 After a Recent Attack", + CryptoBytes Vol.2 No.2, Summer 1996. + + [RFC2868] Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege, + M. and I. Goyret, "RADIUS Attributes for Tunnel Protocol + Support", RFC 2868, June 2000. + + [RFC3539] Aboba, B. and J. Wood, "Authentication, Authorization + and Accounting Transport Profile", RFC 3539, June 2003. + + [RFC3576] Chiba, M., Dommety, G., Eklund, M., Mitton, D. and B. + Aboba, "Dynamic Authorization Extensions to Remote + Authentication Dial In User Service (RADIUS)", RFC 3576, + July 2003. + + [RFC3588] Calhoun, P., Loughney, J., Guttman, E., Zorn, G. and J. + Arkko, "Diameter Base Protocol", RFC 3588, September + 2003. + + [RFC4330] Mills, D., "Simple Network Time Protocol (SNTP) Version 4 + for IPv4, IPv6 and OSI", RFC 4330, January 2006. + + [RFC4372] Adrangi, F., Lior, A., Korhonen, J. and J. Loughney, + "Chargeable User Identity", RFC 4372, January 2006. + + [RFC4675] Congdon, P., Sanchez, M. and B. Aboba, "RADIUS Attributes + for Virtual LAN and Priority Support", RFC 4675, + September 2006. + + [RFC4818] Salowey, J. and R. Droms, "RADIUS Delegated-IPv6-Prefix + Attribute", RFC 4818, April 2007. + + [RFC4849] Congdon, P., Sanchez, M. and B. Aboba, "RADIUS Filter + Rule Attribute", RFC 4849, April 2007. + +9. Acknowledgments + + This protocol was first developed and distributed by Ascend + Communications. Example code was distributed in their free server + kit. + + The authors would like to acknowledge valuable suggestions and + feedback from Avi Lior, Randy Bush, Steve Bellovin, Glen Zorn, Mark + Jones, Claudio Lapidus, Anurag Batta, Kuntal Chowdhury, Tim Moore, + Russ Housley, Joe Salowey, Alan DeKok, and David Nelson. + + + + +Chiba, et al. Informational [Page 30] + +RFC 5176 Dynamic Authorization Extensions to RADIUS January 2008 + + +Appendix A. Changes from RFC 3576 + + This Appendix lists the major changes between [RFC3576] and this + document. Minor changes, including style, grammar, spelling, and + editorial changes, are not mentioned here. + + o The term "Dynamic Authorization Client" is used instead of RADIUS + server where it applies to the originator of CoA-Request and + Disconnect-Request packets. The term "Dynamic Authorization Server" + is used instead of NAS where it applies to the receiver of CoA- + Request and Disconnect-Request packets. Definitions of these terms + have been added (Section 1.3). + + o Added requirement for duplicate detection on the Dynamic + Authorization Server (Section 2.3). + + o Clarified expected behavior when session identification attributes + match more than one session (Sections 2.3, 3, 3.5, 4). + + o Added Chargeable-User-Identity as a session identification + attribute. Removed NAS-Port-Type as a session identification + attribute (Section 3). + + o Added recommendation that an Acct-Session-Id or Acct-Multi- + Session-Id Attribute be included in an Access-Request (Section 3). + + o Added discussion of scenarios in which the "Dynamic Authorization + Client" and RADIUS server are not co-located (Section 3). + + o Added details relating to handling of the Proxy-State Attribute + (Section 3.1). + + o Added clarification that support for a Service-Type Attribute with + value "Authorize Only" is optional on both the NAS and Dynamic + Authorization Client (Section 3.2). Use of the Service-Type + Attribute within a Disconnect-Request is prohibited (Sections 3.2, + 3.6). + + o Added requirement for inclusion of the State Attribute in CoA- + Request packets including a Service-Type Attribute with a value of + "Authorize Only" (Section 3.3). + + o Added clarification on the calculation of the Message- + Authenticator Attribute (Section 3.4). + + o Additional Error-Cause Attribute values are allocated for Invalid + Attribute Value (407) and Multiple Session Selection + Identification (508) (Sections 3.5, 4). + + + +Chiba, et al. Informational [Page 31] + +RFC 5176 Dynamic Authorization Extensions to RADIUS January 2008 + + + o Updated the CoA-Request Attribute Table to include Filter-Rule, + Delegated-IPv6-Prefix, Egress-VLANID, Ingress-Filters, Egress- + VLAN-Name, and User-Priority attributes (Section 3.6). + + o Added the Chargeable-User-Identity Attribute to both the CoA- + Request and Disconnect-Request Attribute table (Section 3.6). + + o Use of Vendor-Specific Attributes (VSAs) for session + identification and authorization change has been clarified + (Section 3.6). + + o Added Note 6 on the use of the CoA-Request for renumbering, and + Note 7 on the use of Vendor-Specific attributes (Section 3.6). + + o Added Diameter Considerations (Section 4). + + o Event-Timestamp Attribute should not be recalculated on + retransmission. The implications for replay and duplicate + detection are discussed (Section 6.3). + + o Operation of the Reverse Path Forwarding (RPF) check has been + clarified. Use of the RPF check is optional rather than + recommended by default (Section 6.1). + + o Text on impersonation (included in [RFC3579], Section 4.3.7) and + IPsec operation (included in [RFC3579], Section 4.2) has been + removed, and is now referenced. + + + + + + + + + + + + + + + + + + + + + + + + +Chiba, et al. Informational [Page 32] + +RFC 5176 Dynamic Authorization Extensions to RADIUS January 2008 + + +Authors' Addresses + + Murtaza Chiba + Cisco Systems, Inc. + 170 West Tasman Dr. + San Jose CA, 95134 + + EMail: mchiba@cisco.com + Phone: +1 408 525 7198 + + + Gopal Dommety + Cisco Systems, Inc. + 170 West Tasman Dr. + San Jose, CA 95134 + + EMail: gdommety@cisco.com + Phone: +1 408 525 1404 + + + Mark Eklund + Cisco Systems, Inc. + 170 West Tasman Dr. + San Jose, CA 95134 + + EMail: meklund@cisco.com + Phone: +1 865 671 6255 + + + David Mitton + RSA, Security Division of EMC + 174 Middlesex Turnpike + Bedford, MA 01730 + + EMail: david@mitton.com + + + Bernard Aboba + Microsoft Corporation + One Microsoft Way + Redmond, WA 98052 + + EMail: bernarda@microsoft.com + Phone: +1 425 706 6605 + Fax: +1 425 936 7329 + + + + + + +Chiba, et al. Informational [Page 33] + +RFC 5176 Dynamic Authorization Extensions to RADIUS January 2008 + + +Full Copyright Statement + + Copyright (C) The IETF Trust (2008). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND + THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS + OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF + THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at + ietf-ipr@ietf.org. + + + + + + + + + + + + +Chiba, et al. Informational [Page 34] + -- cgit v1.2.3