[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

open issue:draft-sterman, use of Access-Challenge



Use of Access-Challenge
Submitter name: Wolfgang Beck
Submitter email address: beckw@t-systems.com
Date first submitted: 25.8.2004
Reference: 
Document: RADIUS Extension for Digest Authentication
Comment type: T
Priority: 2
Section: 1.4, 3.1, 3.2
Rationale/Explanation of issue:
draft-sterman-aaa-sip-03 uses Access-Accept messages with a Digest-Nonce,
but without a Digest-Response parameter. This is a in fact a challenge
message and should use RADIUS Access-Challenge.

Requested change:
1.4 Scenario 2, RADIUS server chooses nonces

   Figure 2 depicts an alternative scenario, where the RADIUS server
   generates nonces.  It shows a generic case where entities A and B
   communicate in the front-end using protocols such as HTTP/SIP, while
   entities B and C communicate in the back-end using RADIUS.

                     HTTP/SIP           RADIUS
   
            +-----+    (1)    +-----+           +-----+
            |     |==========>|     |    (2)    |     |
            |     |           |     |---------->|     |
            |     |           |     |    (3)    |     |
            |     |    (4)    |     |<----------|     |
            |     |<==========|     |           |     | 
            |     |    (5)    |     |           |     |
            |     |==========>|     |           |     |
            |  A  |           |  B  |    (6)    |  C  |
            |     |           |     |---------->|     |
            |     |           |     |    (7)    |     |
            |     |           |     |<----------|     |
            |     |    (8)    |     |           |     |
            |     |<==========|     |           |     |
            +-----+           +-----+           +-----+

            ====> HTTP/SIP
            ----> RADIUS



                 Figure 2: RADIUS server chooses nonces

   The roles played by the entities in this scenario are as follows:

   A: HTTP client / SIP UA

   B:  {HTTP  server / HTTP proxy server / SIP proxy server / SIP UAS}
   acting also as a RADIUS NAS

   C: RADIUS server

   The relevant order of messages sent in this scenario is as follows:

   A sends B an HTTP/SIP request without authorization header (step 1).
   B sends an Access-Request message with the newly defined
   Digest-Method and Digest-URI attributes but without a Digest-Nonce
   attribute to the RADIUS server, C (step 2).  C chooses a nonce and
   responds with an Access-Challenge (step 3).  This Access-Challenge
   contains Digest attributes, from which B takes values to construct a
   HTTP/SIP "(Proxy) Authorization required" response.  The remaining 
   steps are identical with scenario 1 (Section 1.3): B sends this
   response to A (step 4).  A resends its request with its credentials
   (step 5).  B sends an Access-Request to C (step 6).  C checks the
   credentials and replies with Access-Accept or Access-Reject (step 7).
   Dependent on the C's result, B processes A's request or rejects it

3.1  RADIUS Client Behaviour

   [..]
   The RADIUS client has three ways to obtain nonces: it generates them
   locally, it has received one in a Digest-Nonce attribute of a
   previously received Access-Accept message, or it asks the RADIUS
   server for one.  To do the latter, it sends an Access-Request
   containing a Digest-Method and a Digest-URI attribute but without a
   Digest-Nonce attribute.  The RADIUS server chooses a nonce and
   responds with an Access-Challenge containing a Digest-Nonce
   attribute.  If the RADIUS server responds with an Access-Reject, the
   RADIUS client MAY generate a nonce locally.  If the RADIUS client
   does not generate nonces locally, the authentication has failed.  The
   RADIUS server can send Digest-QoP, Digest-Algorithm, Digest-Realm,
   Digest-Domain and Digest-Opaque attributes in the Access-Accept
   carrying the nonce.  If these attributes are present, the client MUST
   use them.

3.2  RADIUS Server Behaviour

   If the RADIUS server receives an Access-Request message with a
   Digest-Method and a Digest-URI attribute but without a Digest-Nonce
   attribute, it chooses a nonce.  It puts the nonce into a Digest-Nonce
   attribute and sends it in an Access-Challenge message to the RADIUS
   client.  The RADIUS server MUST add Digest-Algorithm, Digest-Realm,
   SHOULD add Digest-QoP and MAY add Digest-Domain, Digest-Opaque
   attributes to the Access-Challenge message.  If the server cannot
   choose a nonce, it replies with an Access-Reject message.
    [..]


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>