RE: Issue 224: RFC 3576bis and Renumbering
Based on Avi's comments, the list of session identification attributes now
looks like this:
Session identification attributes

Attribute                 #   Reference  Description
---------                 --- ---------  -----------
User-Name                 1   [RFC2865]  The name of the user associated
                                         with the session.
NAS-Port                  5   [RFC2865]  The port on which the session
                                         is terminated.
Framed-IP-Address         8   [RFC2865]  The IPv4 address associated
                                         with the session.
Called-Station-Id         30  [RFC2865]  The link address to which the
                                         session is connected.
Calling-Station-Id        31  [RFC2865]  The link address from which
                                         the session is connected.
Acct-Session-Id           44  [RFC2866]  The identifier uniquely
                                         identifying the session on
                                         the NAS.
Acct-Multi-Session-Id     50  [RFC2866]  The identifier uniquely
                                         identifying related sessions.
NAS-Port-Type             61  [RFC2865]  The type of port used.
NAS-Port-Id               87  [RFC2869]  String identifying the port
                                         where the session is.
Chargeable-User-Identity  89  [RFC4372]  The CUI associated with the
                                         session. Needed in situations
                                         where a privacy NAI is used,
                                         so that User-Name may not be
                                         unique (e.g. "anonymous").
Originating-Line-Info     94  [RFC4005]  Provides information on the
                                         characteristics of the line
                                         from which a session
                                         originated.
Framed-Interface-Id       96  [RFC3162]  The IPv6 Interface Identifier
                                         associated with the session;
                                         always sent with
                                         Framed-IPv6-Prefix.
Framed-IPv6-Prefix        97  [RFC3162]  The IPv6 prefix associated
                                         with the session, always sent
                                         with Framed-Interface-Id.
The following text is proposed for Section 2.3, to address the issue of new
attribute support for RFC 3576bis:
" Within this specification attributes may be used for
identification, authorization or other purposes. RADIUS Attribute
specifications created after publication of this document SHOULD
state whether an Attribute can be included in CoA or Disconnect
messages and if so, which messages it may be included in and
whether it serves as an identification or authorization attribute.
Even if a NAS implements an attribute for use with RADIUS
authentication and accounting, it may not support inclusion of
that attribute within Disconnect-Request or CoA-Request packets,
given the difference in attribute semantics. This is true even
for attributes specified as allowable within Access-Accept packets
(such as those defined within [RFC2865], [RFC2868], [RFC2869],
[RFC3162], [RFC3579], [RFC4372], [RFC4675], [RFCFilter] and
[RFCDelegated]). If unsupported attributes are included within a
Disconnect/CoA-Request packet, the RADIUS client will send a
Disconnect-NAK/CoA-NAK in response, possibly containing an Error-
Cause attribute with value Unsupported Attribute (401)."
I have added the following entry to the CoA and Disconnect Attribute tables:
0-1 0 0 89 Chargeable-User-Identity [Note 1]
I have added a [Note 8] entry for Framed-IP-Address, Framed-IPv6-Prefix and
Framed-Interface-Id. The text for Note 8 reads as follows:
[Note 8] Since the Framed-IP-Address, Framed-IPv6-Prefix and Framed-
Interface-Id attributes are used for identification, these attributes
cannot be updated by including new values within a CoA-Request.
Instead, a CoA-Request with Service-Type="Authorize Only" is used,
and the new values can be supplied in response to the ensuing Access-
Request.
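The following is an added worked example, not text from the draft or from the author of this message. It is a toy NAS-side handler, in Python, for the three behaviours discussed above: session selection by the identification attributes in the table, a Disconnect-NAK/CoA-NAK carrying Error-Cause "Unsupported Attribute" (401) when the request contains an attribute the NAS does not support in these packets, and the Note 8 rule that Framed-IP-Address only selects a session in a CoA-Request and is never updated by it (a Service-Type="Authorize Only" CoA-Request is answered with CoA-NAK + Error-Cause "Request Initiated" (507) so that the new values arrive via the ensuing Access-Request). The packet codes, attribute numbers and Error-Cause values are the real ones from RFC 2865/2866/3576/4372; the session store `sessions`, the shared secret and the set of attributes this NAS supports (`SUPPORTED_ATTRS`) are constructed assumptions for the example.

```python
"""Toy RADIUS Disconnect/CoA handling on a NAS (added example; not draft text)."""
import hashlib
import hmac
import struct

# Packet codes and attribute numbers (real values from RFC 2865/2866/3576/4372).
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
USER_NAME, SERVICE_TYPE, FRAMED_IP_ADDRESS, FILTER_ID = 1, 6, 8, 11
ACCT_SESSION_ID, CHARGEABLE_USER_IDENTITY, ERROR_CAUSE = 44, 89, 101
AUTHORIZE_ONLY = 17  # Service-Type value
ERR_UNSUPPORTED_ATTRIBUTE, ERR_MISSING_ATTRIBUTE = 401, 402
ERR_SESSION_NOT_FOUND, ERR_REQUEST_INITIATED = 503, 507

# Assumption: what this hypothetical NAS accepts in Disconnect/CoA-Request packets.
# Framed-IP-Address is an identification attribute here (Note 8): it selects a
# session and is never rewritten by a CoA-Request.
IDENTIFICATION_ATTRS = {USER_NAME, FRAMED_IP_ADDRESS, ACCT_SESSION_ID, CHARGEABLE_USER_IDENTITY}
SUPPORTED_ATTRS = IDENTIFICATION_ATTRS | {SERVICE_TYPE}


def encode_attrs(attrs):
    """[(type, value_bytes)] -> RADIUS TLVs (1-byte type, 1-byte length incl. header)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute")
        t, ln = struct.unpack("!BB", data[i:i + 2])
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + ln]))
        i += ln
    return attrs


def build_request(code, ident, attrs, secret):
    """Request Authenticator (RFC 3576 s.3): MD5(Code|ID|Length|16 zero octets|Attrs|Secret)."""
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hdr + hashlib.md5(hdr + bytes(16) + body + secret).digest() + body


def build_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator: MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hdr + hashlib.md5(hdr + request_auth + body + secret).digest() + body


def request_authenticator_ok(pkt, secret):
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def response_authenticator_ok(pkt, request_auth, secret):
    """Client-side check of a Disconnect/CoA-ACK or -NAK against the request it answers."""
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return len(pkt) >= 20 and hmac.compare_digest(expected, pkt[4:20])


def error_cause(pkt):
    """Error-Cause value carried in a NAK, or None if absent."""
    for t, v in decode_attrs(pkt[20:]):
        if t == ERROR_CAUSE and len(v) == 4:
            return struct.unpack("!I", v)[0]
    return None


def nas_handle(pkt, secret, sessions):
    """Process one Disconnect/CoA-Request. `sessions` maps a NAS-local key to a dict of
    identification attribute -> value (constructed state). Returns the reply packet, or
    None when the request must be silently discarded (bad authenticator / malformed)."""
    if not request_authenticator_ok(pkt, secret):
        return None
    try:
        attrs = decode_attrs(pkt[20:])
    except ValueError:
        return None
    code, ident, req_auth = pkt[0], pkt[1], pkt[4:20]
    ack, nak = (DISCONNECT_ACK, DISCONNECT_NAK) if code == DISCONNECT_REQUEST else (COA_ACK, COA_NAK)

    def reply(rcode, extra=()):
        return build_response(rcode, ident, req_auth, list(extra), secret)

    def err(value):
        return (ERROR_CAUSE, struct.pack("!I", value))

    # Any attribute outside the supported set -> NAK with Error-Cause 401.
    if any(t not in SUPPORTED_ATTRS for t, _ in attrs):
        return reply(nak, [err(ERR_UNSUPPORTED_ATTRIBUTE)])
    # All identification attributes present must together match exactly one session.
    wanted = {t: v for t, v in attrs if t in IDENTIFICATION_ATTRS}
    if not wanted:
        return reply(nak, [err(ERR_MISSING_ATTRIBUTE)])
    hits = [k for k, s in sessions.items() if all(s.get(t) == v for t, v in wanted.items())]
    if len(hits) != 1:
        return reply(nak, [err(ERR_SESSION_NOT_FOUND)])
    if code == DISCONNECT_REQUEST:
        del sessions[hits[0]]
        return reply(ack)
    # CoA with Service-Type="Authorize Only": answer CoA-NAK + Error-Cause 507 and flag the
    # session for re-authorization; new Framed-IP-Address / Framed-IPv6-Prefix values then
    # come back in the Access-Accept to the ensuing Access-Request (Note 8), not from here.
    if (SERVICE_TYPE, struct.pack("!I", AUTHORIZE_ONLY)) in attrs:
        sessions[hits[0]]["reauthorize"] = True
        return reply(nak, [(SERVICE_TYPE, struct.pack("!I", AUTHORIZE_ONLY)), err(ERR_REQUEST_INITIATED)])
    return reply(ack)
```

Usage: build a request with `build_request(...)`, hand it to `nas_handle(...)` together with a populated `sessions` dict, and inspect the reply's code and `error_cause(...)`. The constant-time `hmac.compare_digest` on both authenticators and the silent discard of packets that fail the Request Authenticator check are the two points worth keeping when adapting this to a real NAS.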
Here is the new text for Appendix A:
Appendix A - Changes from RFC 3576
This Appendix lists the major changes between [RFC3576] and this
document. Minor changes, including style, grammar, spelling, and
editorial changes are not mentioned here.
o Added details relating to handling of the Proxy-State Attribute.
Added requirement for duplicate detection on the RADIUS client
(Section 2.3).
o Added Chargeable-User-Identity as a session identification
attribute (Section 3).
o Added requirements for inclusion of the State Attribute in CoA-
Request packets with a Service-Type of "Authorize Only" (Section
3.1).
o Added clarification on the calculation of the Message-Authenticator
Attribute (Section 3.2).
o Added statement that support for "Authorize Only" Service-Type is
optional (Section 3.4).
o Updated CoA-Request Attribute Table to include Filter-Rule,
Delegated-IPv6-Prefix, Egress-VLANID, Ingress-Filters, Egress-VLAN-
Name and User-Priority attributes (Section 3.4).
o Added the Chargeable-User-Identity Attribute to both the CoA-
Request and Disconnect-Request Attribute Table (Section 3.4).
o Added note relating to use of Service-Type="Authorize Only" for
renumbering (Section 3.4).
o Use of a Service-Type Attribute within a Disconnect-Request is
prohibited (Section 3.4,4).
o Added Diameter Considerations (Section 5).
o Changed the text to indicate that the Event-Timestamp Attribute
should not be recalculated on retransmission. The implications for
replay and duplicate detection are discussed (Section 6.4).
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>