RE: Issue 226: RFC 3576bis and Renumbering
In looking at this, it is not clear to me why Framed-IP-Address, Framed-IPv6-Prefix, Framed-Interface-Id, Originating-Line-Info or NAS-Port-Type are listed as identification attributes. As noted earlier, if only an Access-Request is available, then User-Name and either NAS-Port/NAS-Port-Id or Called/Calling-Station-Id should be sufficient; if an Accounting-Request is received, then Acct-Session-Id or maybe Acct-Multi-Session-Id should be sufficient.
As a result, I'd propose that Sections 3 and 3.4 be rewritten as below.
3. Attributes
In Disconnect-Request and CoA-Request packets, certain attributes are
used to uniquely identify the NAS as well as a user session on the
NAS. All NAS identification attributes included in a Request packet
MUST match in order for a Disconnect-Request or CoA-Request to be
successful; otherwise a Disconnect-NAK or CoA-NAK SHOULD be sent.
For session identification attributes, the User-Name and Acct-
Session-Id Attributes, if included, MUST match in order for a
Disconnect-Request or CoA-Request to be successful; other session
identification attributes SHOULD match. Where a mismatch of session
identification attributes is detected, a Disconnect-NAK or CoA-NAK
SHOULD be sent.
The ability to use NAS or session identification attributes to map to
unique/multiple sessions is beyond the scope of this document.
Identification attributes include NAS and session identification
attributes, as described below.
NAS identification attributes

Attribute                 #    Reference   Description
---------                 ---  ---------   -----------
NAS-IP-Address            4    [RFC2865]   The IPv4 address of the NAS.
NAS-Identifier            32   [RFC2865]   String identifying the NAS.
NAS-IPv6-Address          95   [RFC3162]   The IPv6 address of the NAS.
Session identification attributes

Attribute                 #    Reference   Description
---------                 ---  ---------   -----------
User-Name                 1    [RFC2865]   The name of the user associated
                                           with the session.
NAS-Port                  5    [RFC2865]   The port on which the session is
                                           terminated.
Called-Station-Id         30   [RFC2865]   The link address to which the
                                           session is connected.
Calling-Station-Id        31   [RFC2865]   The link address from which the
                                           session is connected.
Acct-Session-Id           44   [RFC2866]   The identifier uniquely
                                           identifying the session on the
                                           NAS.
Acct-Multi-Session-Id     50   [RFC2866]   The identifier uniquely
                                           identifying related sessions.
NAS-Port-Id               87   [RFC2869]   String identifying the port
                                           where the session is.
Chargeable-User-Identity  89   [RFC4372]   The CUI associated with the
                                           session. Needed where a privacy
                                           NAI is used, so that the
                                           User-Name may not be unique
                                           (e.g. "anonymous").
To address security concerns described in Section 6.1, either the
User-Name or Chargeable-User-Identity attribute SHOULD be present in
Disconnect-Request and CoA-Request packets.
Where a Diameter client utilizes the same Session-Id for both
authorization and accounting, inclusion of an Acct-Session-Id
Attribute in a Disconnect-Request or CoA-Request can assist with
Diameter/RADIUS translation, since Diameter RAR and ASR commands
include a Session-Id AVP. An Acct-Session-Id attribute SHOULD be
included in Disconnect-Request and CoA-Request packets.
Where the Acct-Session-Id attribute is not present in a CoA-Request
or Disconnect-Request, it is possible that the User-Name or
Chargeable-User-Identity attributes will not be sufficient to
uniquely identify the session (e.g. if the same user has multiple
sessions on the NAS). As a result, the Called-Station-Id, Calling-
Station-Id, NAS-Port, NAS-Port-Id and Acct-Multi-Session-Id
attributes MAY be used for session identification in addition.
To address security concerns described in Section 6.2, one or more of
the NAS-IP-Address or NAS-IPv6-Address Attributes SHOULD be present
in Disconnect-Request and CoA-Request packets; the NAS-Identifier
Attribute MAY be present.
If one or more authorization changes specified in a CoA-Request
cannot be carried out, or if one or more attributes or attribute-
values is unsupported, a CoA-NAK MUST be sent. Similarly, if there
are one or more unsupported attributes or attribute values in a
Disconnect-Request, a Disconnect-NAK MUST be sent.
A CoA-Request containing a Service-Type Attribute with value
"Authorize Only" MUST contain only NAS or session identification
attributes, as well as Service-Type and State attributes. If other
attributes are included in such a CoA-Request, implementations MUST
send a CoA-NAK; an Error-Cause Attribute with value "Unsupported
Attribute" MAY be included.
A Disconnect-Request MUST contain only NAS and session identification
attributes (see Section 3). If other attributes are included in a
Disconnect-Request, implementations MUST send a Disconnect-NAK; an
Error-Cause Attribute with value "Unsupported Attribute" MAY be
included.
3.4. Table of Attributes
The following table provides a guide to which attributes may be found
in which packets, and in what quantity.
Change-of-Authorization Messages

Request  ACK  NAK  #    Attribute
0-1      0    0    1    User-Name [Note 1]
0-1      0    0    4    NAS-IP-Address [Note 1]
0-1      0    0    5    NAS-Port [Note 1]
0-1      0    0-1  6    Service-Type [Note 6]
0-1      0    0    7    Framed-Protocol [Note 3]
0-1      0    0    8    Framed-IP-Address [Note 8]
0-1      0    0    9    Framed-IP-Netmask [Note 8]
0-1      0    0    10   Framed-Routing [Note 3]
0+       0    0    11   Filter-ID [Note 3]
0-1      0    0    12   Framed-MTU [Note 3]
0+       0    0    13   Framed-Compression [Note 3]
0+       0    0    14   Login-IP-Host [Note 3]
0-1      0    0    15   Login-Service [Note 3]
0-1      0    0    16   Login-TCP-Port [Note 3]
0+       0    0    18   Reply-Message [Note 2]
0-1      0    0    19   Callback-Number [Note 3]
0-1      0    0    20   Callback-Id [Note 3]
0+       0    0    22   Framed-Route [Note 3]
0-1      0    0    23   Framed-IPX-Network [Note 8]
0-1      0-1  0-1  24   State [Note 7]
0+       0    0    25   Class [Note 3]
0+       0    0    26   Vendor-Specific [Note 3]
0-1      0    0    27   Session-Timeout [Note 3]
0-1      0    0    28   Idle-Timeout [Note 3]
0-1      0    0    29   Termination-Action [Note 3]
0-1      0    0    30   Called-Station-Id [Note 1]
0-1      0    0    31   Calling-Station-Id [Note 1]
0-1      0    0    32   NAS-Identifier [Note 1]
0+       0+   0+   33   Proxy-State
0-1      0    0    34   Login-LAT-Service [Note 3]
0-1      0    0    35   Login-LAT-Node [Note 3]
0-1      0    0    36   Login-LAT-Group [Note 3]
0-1      0    0    37   Framed-AppleTalk-Link [Note 3]
0+       0    0    38   Framed-AppleTalk-Network [Note 3]
0-1      0    0    39   Framed-AppleTalk-Zone [Note 3]
0-1      0    0    44   Acct-Session-Id [Note 1]
0-1      0    0    50   Acct-Multi-Session-Id [Note 1]
0-1      0-1  0-1  55   Event-Timestamp
0+       0    0    56   Egress-VLANID [Note 3]
0-1      0    0    57   Ingress-Filters [Note 3]
0+       0    0    58   Egress-VLAN-Name [Note 3]
0-1      0    0    59   User-Priority-Table [Note 3]
0-1      0    0    61   NAS-Port-Type [Note 3]
0-1      0    0    62   Port-Limit [Note 3]
0-1      0    0    63   Login-LAT-Port [Note 3]
0+       0    0    64   Tunnel-Type [Note 5]
0+       0    0    65   Tunnel-Medium-Type [Note 5]
0+       0    0    66   Tunnel-Client-Endpoint [Note 5]
0+       0    0    67   Tunnel-Server-Endpoint [Note 5]
0+       0    0    69   Tunnel-Password [Note 5]
0-1      0    0    71   ARAP-Features [Note 3]
0-1      0    0    72   ARAP-Zone-Access [Note 3]
0+       0    0    78   Configuration-Token [Note 3]
0+       0-1  0    79   EAP-Message [Note 2]
0-1      0-1  0-1  80   Message-Authenticator
0+       0    0    81   Tunnel-Private-Group-ID [Note 5]
0+       0    0    82   Tunnel-Assignment-ID [Note 5]
0+       0    0    83   Tunnel-Preference [Note 5]
0-1      0    0    85   Acct-Interim-Interval [Note 3]
0-1      0    0    87   NAS-Port-Id [Note 1]
0-1      0    0    88   Framed-Pool [Note 8]
0-1      0    0    89   Chargeable-User-Identity [Note 1]
0+       0    0    90   Tunnel-Client-Auth-ID [Note 5]
0+       0    0    91   Tunnel-Server-Auth-ID [Note 5]
0-1      0    0    92   NAS-Filter-Rule [Note 3]
0        0    0    94   Originating-Line-Info
0-1      0    0    95   NAS-IPv6-Address [Note 1]
0-1      0    0    96   Framed-Interface-Id [Note 8]
0+       0    0    97   Framed-IPv6-Prefix [Note 8]
0+       0    0    98   Login-IPv6-Host [Note 3]
0+       0    0    99   Framed-IPv6-Route [Note 3]
0-1      0    0    100  Framed-IPv6-Pool [Note 8]
0        0    0+   101  Error-Cause
0+       0    0    123  Delegated-IPv6-Prefix [Note 8]
Disconnect Messages

Request  ACK  NAK  #    Attribute
0-1      0    0    1    User-Name [Note 1]
0-1      0    0    4    NAS-IP-Address [Note 1]
0-1      0    0    5    NAS-Port [Note 1]
0        0    0    6    Service-Type
0        0    0    8    Framed-IP-Address [Note 8]
0+       0    0    18   Reply-Message [Note 2]
0        0    0    24   State
0+       0    0    25   Class [Note 4]
0+       0    0    26   Vendor-Specific
0-1      0    0    30   Called-Station-Id [Note 1]
0-1      0    0    31   Calling-Station-Id [Note 1]
0-1      0    0    32   NAS-Identifier [Note 1]
0+       0+   0+   33   Proxy-State
0-1      0    0    44   Acct-Session-Id [Note 1]
0-1      0-1  0    49   Acct-Terminate-Cause
0-1      0    0    50   Acct-Multi-Session-Id [Note 1]
0-1      0-1  0-1  55   Event-Timestamp
0        0    0    61   NAS-Port-Type
0+       0-1  0    79   EAP-Message [Note 2]
0-1      0-1  0-1  80   Message-Authenticator
0-1      0    0    87   NAS-Port-Id [Note 1]
0-1      0    0    89   Chargeable-User-Identity [Note 1]
0-1      0    0    95   NAS-IPv6-Address [Note 1]
0        0    0    96   Framed-Interface-Id [Note 8]
0        0    0    97   Framed-IPv6-Prefix [Note 8]
0        0    0    100  Framed-IPv6-Pool [Note 8]
0        0    0+   101  Error-Cause
The following table defines the meaning of the above table entries.

0     This attribute MUST NOT be present in packet.
0+    Zero or more instances of this attribute MAY be present in packet.
0-1   Zero or one instance of this attribute MAY be present in packet.
1     Exactly one instance of this attribute MUST be present in packet.
[Note 1] Where NAS or session identification attributes are included
in Disconnect-Request or CoA-Request packets, they are used for
identification purposes only. These attributes MUST NOT be used for
purposes other than identification (e.g. within CoA-Request packets
to request authorization changes).
[Note 2] The Reply-Message Attribute is used to present a displayable
message to the user. The message is only displayed as a result of a
successful Disconnect-Request or CoA-Request (where a Disconnect-ACK
or CoA-ACK is subsequently sent). Where EAP is used for
authentication, an EAP-Message/Notification-Request Attribute is sent
instead, and Disconnect-ACK or CoA-ACK packets contain an EAP-
Message/Notification-Response Attribute.
[Note 3] When included within a CoA-Request, these attributes
represent an authorization change request. When one of these
attributes is omitted from a CoA-Request, the NAS assumes that the
attribute value is to remain unchanged. Attributes included in a
CoA-Request replace all existing value(s) of the same attribute(s).
[Note 4] When included within a successful Disconnect-Request (where
a Disconnect-ACK is subsequently sent), the Class Attribute SHOULD be
sent unmodified by the client to the accounting server in the
Accounting Stop packet. If the Disconnect-Request is unsuccessful,
then the Class Attribute is not processed.
[Note 5] When included within a CoA-Request, these attributes
represent an authorization change request. Where tunnel attribute(s)
are included within a successful CoA-Request, all existing tunnel
attributes are removed and replaced by the new attribute(s).
[Note 6] Support for the Service-Type of "Authorize Only" is OPTIONAL
on the NAS and RADIUS server. A NAS supporting the "Authorize Only"
Service-Type value within a CoA-Request packet MUST respond with a
CoA-NAK containing a Service-Type Attribute with value "Authorize
Only", and an Error-Cause Attribute with value "Request Initiated".
The NAS then sends an Access-Request to the RADIUS server with a
Service-Type Attribute with value "Authorize Only". This Access-
Request SHOULD contain the NAS attributes from the CoA-Request, as
well as the session attributes from the CoA-Request legal for
inclusion in an Access-Request as specified in [RFC2865], [RFC2868],
[RFC2869] and [RFC3162]. As noted in [RFC2869] Section 5.19, a
Message-Authenticator attribute SHOULD be included in an Access-
Request that does not contain a User-Password, CHAP-Password, ARAP-
Password or EAP-Message Attribute. The RADIUS server should send
back an Access-Accept to (re-)authorize the session or an Access-
Reject to refuse to (re-)authorize it.
A NAS that does not support the Service-Type Attribute with the value
"Authorize Only" within a CoA-Request MUST respond with a CoA-NAK
including no Service-Type Attribute; an Error-Cause Attribute with
value "Unsupported Service" MAY be included.
[Note 7] The State Attribute is available to be sent by the RADIUS
server to the NAS in a CoA-Request packet and MUST be sent unmodified
from the NAS to the RADIUS server in a subsequent ACK or NAK packet.
If a Service-Type Attribute with value "Authorize Only" is included
in a CoA-Request then a State Attribute MUST be present, and MUST be
sent unmodified from the NAS to the RADIUS server in the resulting
Access-Request sent to the RADIUS server, if any. The State
Attribute is also available to be sent by the RADIUS server to the
NAS in a CoA-Request that also includes a Termination-Action
Attribute with the value of RADIUS-Request. If the client performs
the Termination-Action by sending a new Access-Request upon
termination of the current session, it MUST include the State
Attribute unchanged in that Access-Request. In either usage, the
client MUST NOT interpret the Attribute locally. A CoA-Request
packet must have only zero or one State Attribute. Usage of the
State Attribute is implementation dependent.
[Note 8] Where included within a CoA-Request, these attributes
represent a renumbering request. Since these attributes are not used
for session identification, they MUST NOT be included within a
Disconnect-Request. Note that renumbering may not be possible in all
situations. For example, in order to change an IP address on receipt
of a changed Framed-IP-Address address, IPCP re-negotiation could be
required, which is not supported by all PPP implementations.
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>
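The identification rules of the proposed Section 3, the Disconnect-Request column of the 3.4 table and the "Authorize Only" restriction, worked through as an added Python illustration that is not part of the message above or of the draft. The NAS self-description, the session table and every attribute value are constructed sample data. Error-Cause names that the post does not quote ("NAS Identification Mismatch", "Missing Attribute", "Session Context Not Found", "Invalid Request") are taken from RFC 3576's Error-Cause list. Treating a SHOULD-match mismatch like a MUST mismatch, and refusing a request whose attributes fit more than one session, are this example's own policy choices, since the proposal leaves mapping to unique or multiple sessions out of scope.

```python
from collections import Counter

# Identification attributes from the proposed Section 3 tables.
NAS_ID = {"NAS-IP-Address", "NAS-Identifier", "NAS-IPv6-Address"}
SESSION_ID = {"User-Name", "NAS-Port", "Called-Station-Id", "Calling-Station-Id",
              "Acct-Session-Id", "Acct-Multi-Session-Id", "NAS-Port-Id",
              "Chargeable-User-Identity"}

# Disconnect-Request column of the "Disconnect Messages" table: maximum
# instances per attribute, None meaning 0+. Anything else must be NAKed.
DISCONNECT_REQUEST_MAX = {name: 1 for name in NAS_ID | SESSION_ID}
DISCONNECT_REQUEST_MAX.update({
    "Reply-Message": None, "Class": None, "Vendor-Specific": None,
    "Proxy-State": None, "EAP-Message": None,
    "Acct-Terminate-Cause": 1, "Event-Timestamp": 1, "Message-Authenticator": 1,
})

# Constructed NAS state (example data, not from the draft). Values are kept
# as strings so comparison with decoded attribute values is uniform.
NAS_SELF = {"NAS-IP-Address": "192.0.2.10", "NAS-Identifier": "nas1.example.net"}
SESSIONS = [
    {"User-Name": "alice", "Acct-Session-Id": "0000A1B2", "NAS-Port": "3",
     "Calling-Station-Id": "00-11-22-33-44-55"},
    {"User-Name": "alice", "Acct-Session-Id": "0000A1B3", "NAS-Port": "7",
     "Calling-Station-Id": "00-11-22-33-44-66"},
    {"User-Name": "bob", "Acct-Session-Id": "0000A1C0", "NAS-Port": "9",
     "Calling-Station-Id": "00-11-22-33-44-77"},
]


def check_disconnect_request(request):
    """request: list of (attribute-name, value) pairs as decoded from the
    packet. Returns None if the attribute set is legal for a
    Disconnect-Request, else the Error-Cause value for the Disconnect-NAK."""
    counts = Counter(name for name, _ in request)
    for name, n in counts.items():
        if name not in DISCONNECT_REQUEST_MAX:
            # e.g. Framed-IP-Address or Service-Type: "0" in the table.
            return "Unsupported Attribute"
        limit = DISCONNECT_REQUEST_MAX[name]
        if limit is not None and n > limit:
            return "Invalid Request"
    return None


def identify_session(request, nas_self=NAS_SELF, sessions=SESSIONS):
    """Apply the Section 3 matching rules to a Disconnect-Request or
    CoA-Request. Returns (session, None) on a match, or (None, error_cause)
    when a Disconnect-NAK / CoA-NAK should be sent instead."""
    attrs = dict(request)  # identification attributes are single-instance
    # Every NAS identification attribute present MUST match this NAS.
    for name in NAS_ID:
        if name in attrs and nas_self.get(name) != attrs[name]:
            return None, "NAS Identification Mismatch"
    wanted = {k: v for k, v in attrs.items() if k in SESSION_ID}
    if not wanted:
        return None, "Missing Attribute"  # nothing identifies a session
    # User-Name and Acct-Session-Id MUST match; the others SHOULD match.
    # This example treats any mismatch the same way: the session does not
    # qualify, and a NAK results if no other session matches.
    matches = [s for s in sessions
               if all(s.get(k) == v for k, v in wanted.items())]
    if len(matches) != 1:
        # No session matched, or the attributes given fit several sessions
        # (e.g. User-Name alone for a user with two sessions). Mapping to
        # multiple sessions is out of scope in the draft; refusing is this
        # example's policy.
        return None, "Session Context Not Found"
    return matches[0], None


def check_authorize_only(request):
    """CoA-Request with Service-Type "Authorize Only": only identification
    attributes plus Service-Type and State are allowed (Section 3), and
    State MUST be present (Note 7). Returns None or the Error-Cause value."""
    attrs = dict(request)
    if attrs.get("Service-Type") != "Authorize Only":
        return None  # rule does not apply to this request
    allowed = NAS_ID | SESSION_ID | {"Service-Type", "State"}
    if any(name not in allowed for name in attrs):
        return "Unsupported Attribute"
    if "State" not in attrs:
        return "Missing Attribute"
    return None
```

A NAS would run check_disconnect_request (or check_authorize_only for a CoA-Request) before identify_session, so that a packet carrying authorization-change attributes where only identification is permitted is NAKed without consulting session state; note that the "alice" user has two sessions in the sample table, which is exactly the case the post gives for requiring Acct-Session-Id or a port/station attribute in addition to User-Name.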