RE: Issue 226: RFC 3576bis and Renumbering
Here is the proposed new text of Sections 3, 3.1, 3.2 and 3.5 as well as Appendix A:
"3. Attributes
In Disconnect-Request and CoA-Request packets, certain attributes are
used to uniquely identify the NAS as well as a user session on the
NAS. All NAS identification attributes included in a Request packet
MUST match in order for a Disconnect-Request or CoA-Request to be
successful; otherwise a Disconnect-NAK or CoA-NAK SHOULD be sent.
For session identification attributes, the User-Name and Acct-
Session-Id Attributes, if included, MUST match in order for a
Disconnect-Request or CoA-Request to be successful; other session
identification attributes SHOULD match. Where a mismatch of session
identification attributes is detected, a Disconnect-NAK or CoA-NAK
SHOULD be sent.
The ability to use NAS or session identification attributes to map to
unique/multiple sessions is beyond the scope of this document.
Identification attributes include NAS and session identification
attributes, as described below.
NAS identification attributes
Attribute                  #  Reference  Description
------------------------  --  ---------  -----------
NAS-IP-Address             4  [RFC2865]  The IPv4 address of the NAS.
NAS-Identifier            32  [RFC2865]  String identifying the NAS.
NAS-IPv6-Address          95  [RFC3162]  The IPv6 address of the NAS.
Session identification attributes
Attribute                  #  Reference  Description
------------------------  --  ---------  -----------
User-Name                  1  [RFC2865]  The name of the user associated with
                                         the session.
NAS-Port                   5  [RFC2865]  The port on which the session is
                                         terminated.
Called-Station-Id         30  [RFC2865]  The link address to which the
                                         session is connected.
Calling-Station-Id        31  [RFC2865]  The link address from which the
                                         session is connected.
Acct-Session-Id           44  [RFC2866]  The identifier uniquely identifying
                                         the session on the NAS.
Acct-Multi-Session-Id     50  [RFC2866]  The identifier uniquely identifying
                                         related sessions.
NAS-Port-Id               87  [RFC2869]  String identifying the port where the
                                         session is.
Chargeable-User-Identity  89  [RFC4372]  The CUI associated with the session.
                                         Needed where a privacy NAI is used,
                                         because the User-Name may not be
                                         unique (e.g. "anonymous").
To address security concerns described in Section 6.1, either the
User-Name or Chargeable-User-Identity attribute SHOULD be present in
Disconnect-Request and CoA-Request packets.
Where a Diameter client utilizes the same Session-Id for both
authorization and accounting, inclusion of an Acct-Session-Id
Attribute in a Disconnect-Request or CoA-Request can assist with
Diameter/RADIUS translation, since Diameter RAR and ASR commands
include a Session-Id AVP. An Acct-Session-Id attribute SHOULD be
included in Disconnect-Request and CoA-Request packets.
Where the Acct-Session-Id or Acct-Multi-Session-Id attributes are not
present in a CoA-Request or Disconnect-Request, it is possible that
the User-Name or Chargeable-User-Identity attributes will not be
sufficient to uniquely identify the session (e.g. if the same user
has multiple sessions on the NAS, or the privacy NAI is used). As a
result, the Called-Station-Id, Calling-Station-Id, NAS-Port and NAS-
Port-Id attributes MAY be used as additional session identification.
To address security concerns described in Section 6.2, one or more of
the NAS-IP-Address or NAS-IPv6-Address Attributes SHOULD be present
in Disconnect-Request and CoA-Request packets; the NAS-Identifier
Attribute MAY be present.
If one or more authorization changes specified in a CoA-Request
cannot be carried out, or if one or more attributes or attribute-
values is unsupported, a CoA-NAK MUST be sent. Similarly, if there
are one or more unsupported attributes or attribute values in a
Disconnect-Request, a Disconnect-NAK MUST be sent.
A Disconnect-Request MUST contain only NAS and session identification
attributes (see Section 3). If other attributes are included in a
Disconnect-Request, implementations MUST send a Disconnect-NAK; an
Error-Cause Attribute with value "Unsupported Attribute" MAY be
included.
3.1. Authorize Only
Support for a CoA-Request including a Service-Type Attribute with
value "Authorize Only" is OPTIONAL on the NAS and RADIUS server. A
Service-Type Attribute MUST NOT be included within a Disconnect-
Request.
A NAS MUST respond to a CoA-Request including a Service-Type
Attribute with value "Authorize Only" with a CoA-NAK; a CoA-ACK MUST
NOT be sent. If the NAS does not support a Service-Type value of
"Authorize Only" then it MUST respond with a CoA-NAK; an Error-Cause
value of 405 (Unsupported Service) SHOULD be included.
A CoA-Request containing a Service-Type Attribute with value
"Authorize Only" MUST in addition contain only NAS or session
identification attributes, as well as a State Attribute. If other
attributes are included in such a CoA-Request, a CoA-NAK MUST be
sent; an Error-Cause Attribute with value 401 (Unsupported Attribute)
SHOULD be included.
If a CoA-Request packet including a Service-Type value of "Authorize
Only" is successfully processed, the NAS MUST respond with a CoA-NAK
containing a Service-Type Attribute with value "Authorize Only", and
an Error-Cause Attribute with value 507 (Request Initiated). The NAS
then MUST send an Access-Request to the RADIUS server including a
Service-Type Attribute with value "Authorize Only". This Access-
Request SHOULD contain the NAS identification attributes from the
CoA-Request, as well as the session identification attributes from
the CoA-Request legal for inclusion in an Access-Request as specified
in [RFC2865], [RFC2868], [RFC2869] and [RFC3162]. As noted in
[RFC2869] Section 5.19, a Message-Authenticator attribute SHOULD be
included in an Access-Request that does not contain a User-Password,
CHAP-Password, ARAP-Password or EAP-Message Attribute. The RADIUS
server then will respond to the Access-Request with an Access-Accept
to (re-)authorize the session or an Access-Reject to refuse to
(re-)authorize it.
3.2. State
The State Attribute is available to be sent by the RADIUS server to
the NAS in a CoA-Request packet and MUST be sent unmodified from the
NAS to the RADIUS server in a subsequent ACK or NAK packet.
[RFC2865] Section 5.44 states:
An Access-Request MUST contain either a User-Password or a CHAP-
Password or State. An Access-Request MUST NOT contain both a
User-Password and a CHAP-Password. If future extensions allow
other kinds of authentication information to be conveyed, the
attribute for that can be used in an Access-Request instead of
User-Password or CHAP-Password.
In order to satisfy the requirements of [RFC2865] Section 5.44, an
Access-Request with Service-Type="Authorize-Only" MUST contain a
State attribute.
In order to provide a State attribute to the NAS, a server sending a
CoA-Request with a Service-Type value of "Authorize-Only" MUST
include a State Attribute, and the NAS MUST send the State Attribute
unmodified to the RADIUS server in the resulting Access-Request, if
any. A NAS receiving a CoA-Request containing a Service-Type value
of "Authorize-Only" but lacking a State attribute MUST send a CoA-NAK
and SHOULD include an Error-Cause attribute with value 402 (Missing
Attribute).
The State Attribute is also available to be sent by the RADIUS server
to the NAS in a CoA-Request that also includes a Termination-Action
Attribute with the value of RADIUS-Request. If the client performs
the Termination-Action by sending a new Access-Request upon
termination of the current session, it MUST include the State
Attribute unchanged in that Access-Request. In either usage, the
client MUST NOT interpret the Attribute locally. A CoA-Request
packet must have only zero or one State Attribute. Usage of the
State Attribute is implementation dependent.
3.5. Table of Attributes
The following table provides a guide to which attributes may be found
in which packets, and in what quantity.
Change-of-Authorization Messages
Request  ACK  NAK    #  Attribute
0-1      0    0      1  User-Name [Note 1]
0-1      0    0      4  NAS-IP-Address [Note 1]
0-1      0    0      5  NAS-Port [Note 1]
0-1      0    0-1    6  Service-Type
0-1      0    0      7  Framed-Protocol [Note 3]
0-1      0    0      8  Framed-IP-Address [Note 6]
0-1      0    0      9  Framed-IP-Netmask [Note 6]
0-1      0    0     10  Framed-Routing [Note 3]
0+       0    0     11  Filter-ID [Note 3]
0-1      0    0     12  Framed-MTU [Note 3]
0+       0    0     13  Framed-Compression [Note 3]
0+       0    0     14  Login-IP-Host [Note 3]
0-1      0    0     15  Login-Service [Note 3]
0-1      0    0     16  Login-TCP-Port [Note 3]
0+       0    0     18  Reply-Message [Note 2]
0-1      0    0     19  Callback-Number [Note 3]
0-1      0    0     20  Callback-Id [Note 3]
0+       0    0     22  Framed-Route [Note 3]
0-1      0    0     23  Framed-IPX-Network [Note 6]
0-1      0-1  0-1   24  State
0+       0    0     25  Class [Note 3]
0+       0    0     26  Vendor-Specific [Note 3]
0-1      0    0     27  Session-Timeout [Note 3]
0-1      0    0     28  Idle-Timeout [Note 3]
0-1      0    0     29  Termination-Action [Note 3]
0-1      0    0     30  Called-Station-Id [Note 1]
0-1      0    0     31  Calling-Station-Id [Note 1]
0-1      0    0     32  NAS-Identifier [Note 1]
0+       0+   0+    33  Proxy-State
0-1      0    0     34  Login-LAT-Service [Note 3]
0-1      0    0     35  Login-LAT-Node [Note 3]
0-1      0    0     36  Login-LAT-Group [Note 3]
0-1      0    0     37  Framed-AppleTalk-Link [Note 3]
0+       0    0     38  Framed-AppleTalk-Network [Note 3]
0-1      0    0     39  Framed-AppleTalk-Zone [Note 3]
0-1      0    0     44  Acct-Session-Id [Note 1]
0-1      0    0     50  Acct-Multi-Session-Id [Note 1]
0-1      0-1  0-1   55  Event-Timestamp
0+       0    0     56  Egress-VLANID [Note 3]
0-1      0    0     57  Ingress-Filters [Note 3]
0+       0    0     58  Egress-VLAN-Name [Note 3]
0-1      0    0     59  User-Priority-Table [Note 3]
0-1      0    0     61  NAS-Port-Type [Note 3]
0-1      0    0     62  Port-Limit [Note 3]
0-1      0    0     63  Login-LAT-Port [Note 3]
0+       0    0     64  Tunnel-Type [Note 5]
0+       0    0     65  Tunnel-Medium-Type [Note 5]
0+       0    0     66  Tunnel-Client-Endpoint [Note 5]
0+       0    0     67  Tunnel-Server-Endpoint [Note 5]
0+       0    0     69  Tunnel-Password [Note 5]
0-1      0    0     71  ARAP-Features [Note 3]
0-1      0    0     72  ARAP-Zone-Access [Note 3]
0+       0    0     78  Configuration-Token [Note 3]
0+       0-1  0     79  EAP-Message [Note 2]
0-1      0-1  0-1   80  Message-Authenticator
0+       0    0     81  Tunnel-Private-Group-ID [Note 5]
0+       0    0     82  Tunnel-Assignment-ID [Note 5]
0+       0    0     83  Tunnel-Preference [Note 5]
0-1      0    0     85  Acct-Interim-Interval [Note 3]
0-1      0    0     87  NAS-Port-Id [Note 1]
0-1      0    0     88  Framed-Pool [Note 6]
0-1      0    0     89  Chargeable-User-Identity [Note 1]
0+       0    0     90  Tunnel-Client-Auth-ID [Note 5]
0+       0    0     91  Tunnel-Server-Auth-ID [Note 5]
0-1      0    0     92  NAS-Filter-Rule [Note 3]
0        0    0     94  Originating-Line-Info
0-1      0    0     95  NAS-IPv6-Address [Note 1]
0-1      0    0     96  Framed-Interface-Id [Note 6]
0+       0    0     97  Framed-IPv6-Prefix [Note 6]
0+       0    0     98  Login-IPv6-Host [Note 3]
0+       0    0     99  Framed-IPv6-Route [Note 3]
0-1      0    0    100  Framed-IPv6-Pool [Note 6]
0        0    0+   101  Error-Cause
0+       0    0    123  Delegated-IPv6-Prefix [Note 6]
Disconnect Messages
Request  ACK  NAK    #  Attribute
0-1      0    0      1  User-Name [Note 1]
0-1      0    0      4  NAS-IP-Address [Note 1]
0-1      0    0      5  NAS-Port [Note 1]
0        0    0      6  Service-Type
0        0    0      8  Framed-IP-Address [Note 6]
0+       0    0     18  Reply-Message [Note 2]
0        0    0     24  State
0+       0    0     25  Class [Note 4]
0+       0    0     26  Vendor-Specific
0-1      0    0     30  Called-Station-Id [Note 1]
0-1      0    0     31  Calling-Station-Id [Note 1]
0-1      0    0     32  NAS-Identifier [Note 1]
0+       0+   0+    33  Proxy-State
0-1      0    0     44  Acct-Session-Id [Note 1]
0-1      0-1  0     49  Acct-Terminate-Cause
0-1      0    0     50  Acct-Multi-Session-Id [Note 1]
0-1      0-1  0-1   55  Event-Timestamp
0        0    0     61  NAS-Port-Type
0+       0-1  0     79  EAP-Message [Note 2]
0-1      0-1  0-1   80  Message-Authenticator
0-1      0    0     87  NAS-Port-Id [Note 1]
0-1      0    0     89  Chargeable-User-Identity [Note 1]
0-1      0    0     95  NAS-IPv6-Address [Note 1]
0        0    0     96  Framed-Interface-Id [Note 6]
0        0    0     97  Framed-IPv6-Prefix [Note 6]
0        0    0    100  Framed-IPv6-Pool [Note 6]
0        0    0+   101  Error-Cause
The following table defines the meaning of the above table entries.
0    This attribute MUST NOT be present in packet.
0+   Zero or more instances of this attribute MAY be present in packet.
0-1  Zero or one instance of this attribute MAY be present in packet.
1    Exactly one instance of this attribute MUST be present in packet.
[Note 1] Where NAS or session identification attributes are included
in Disconnect-Request or CoA-Request packets, they are used for
identification purposes only. These attributes MUST NOT be used for
purposes other than identification (e.g. within CoA-Request packets
to request authorization changes).
[Note 2] The Reply-Message Attribute is used to present a displayable
message to the user. The message is only displayed as a result of a
successful Disconnect-Request or CoA-Request (where a Disconnect-ACK
or CoA-ACK is subsequently sent). Where EAP is used for
authentication, an EAP-Message/Notification-Request Attribute is sent
instead, and Disconnect-ACK or CoA-ACK packets contain an EAP-
Message/Notification-Response Attribute.
[Note 3] When included within a CoA-Request, these attributes
represent an authorization change request. When one of these
attributes is omitted from a CoA-Request, the NAS assumes that the
attribute value is to remain unchanged. Attributes included in a
CoA-Request replace all existing value(s) of the same attribute(s).
[Note 4] When included within a successful Disconnect-Request (where
a Disconnect-ACK is subsequently sent), the Class Attribute SHOULD be
sent unmodified by the client to the accounting server in the
Accounting Stop packet. If the Disconnect-Request is unsuccessful,
then the Class Attribute is not processed.
[Note 5] When included within a CoA-Request, these attributes
represent an authorization change request. Where tunnel attribute(s)
are included within a successful CoA-Request, all existing tunnel
attributes are removed and replaced by the new attribute(s).
[Note 6] Where included within a CoA-Request, these attributes
represent a renumbering request. Since these attributes are not used
for session identification, they MUST NOT be included within a
Disconnect-Request. Note that renumbering may not be possible in all
situations. For example, in order to change an IP address on receipt
of a changed Framed-IP-Address address, IPCP re-negotiation could be
required, which is not supported by all PPP implementations.
Appendix A - Changes from RFC 3576
This Appendix lists the major changes between [RFC3576] and this
document. Minor changes, including style, grammar, spelling, and
editorial changes are not mentioned here.
o Added details relating to handling of the Proxy-State Attribute.
Added requirement for duplicate detection on the RADIUS client
(Section 2.3).
o Added Chargeable-User-Identity as a session identification
attribute. Removed Framed-IP-Address, Framed-IPv6-Prefix, Framed-
Interface-Id and NAS-Port-Type attributes as session identification
attributes (Section 3).
o Added requirements for inclusion of the State Attribute in CoA-
Request packets with a Service-Type of "Authorize Only" (Section
3.2).
o Added clarification on the calculation of the Message-Authenticator
Attribute (Section 3.3).
o Added statement that support for "Authorize Only" Service-Type is
optional (Section 3.5).
o Updated CoA-Request Attribute Table to include Filter-Rule,
Delegated-IPv6-Prefix, Egress-VLANID, Ingress-Filters, Egress-VLAN-
Name and User-Priority attributes (Section 3.5).
o Added the Chargeable-User-Identity Attribute to both the CoA-
Request and Disconnect-Request Attribute table (Section 3.5).
o Added note on the use of the CoA-Request for renumbering (Section
3.5).
o Use of Service-Type and Error-Cause attributes within a Disconnect-
Request is prohibited (Section 3.5).
o Added Diameter Considerations (Section 4).
o Changed the text to indicate that the Event-Timestamp Attribute
should not be recalculated on retransmission. The implications for
replay and duplicate detection are discussed (Section 6.4)."
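The NAS-side decision procedure that the proposed Sections 3, 3.1 and 3.2 describe, written out as an added Python example for this page. It is not text from the draft and not any vendor's implementation. It assumes the Disconnect/CoA packet codes (40-45), Service-Type value 17 for "Authorize Only" and the Error-Cause values 403 (NAS Identification Mismatch) and 503 (Session Context Not Found) from RFC 3576, none of which this message quotes; the NAS identity, session table and request packets are constructed, and the Request Authenticator and Message-Authenticator are deliberately not checked.

```python
import struct

# Packet codes (RFC 3576; the text above names the messages, not the numbers).
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK, COA_REQUEST, COA_ACK, COA_NAK = 40, 41, 42, 43, 44, 45
# Attribute type numbers, as in the Section 3 and 3.5 tables above.
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE, FRAMED_IP_ADDRESS, STATE = 1, 4, 5, 6, 8, 24
CALLED_STATION_ID, CALLING_STATION_ID, NAS_IDENTIFIER, PROXY_STATE, ACCT_SESSION_ID = 30, 31, 32, 33, 44
ACCT_MULTI_SESSION_ID, EVENT_TIMESTAMP, MESSAGE_AUTHENTICATOR, NAS_PORT_ID = 50, 55, 80, 87
CHARGEABLE_USER_IDENTITY, NAS_IPV6_ADDRESS = 89, 95
NAS_ID_ATTRS = frozenset({NAS_IP_ADDRESS, NAS_IDENTIFIER, NAS_IPV6_ADDRESS})
SESSION_ID_ATTRS = frozenset({USER_NAME, NAS_PORT, CALLED_STATION_ID, CALLING_STATION_ID, ACCT_SESSION_ID,
                              ACCT_MULTI_SESSION_ID, NAS_PORT_ID, CHARGEABLE_USER_IDENTITY})
# Attributes the 3.5 tables allow in every Request, and the non-identification attributes the
# Disconnect table still permits (Reply-Message, Class, Vendor-Specific, Acct-Terminate-Cause, EAP-Message).
TRANSPORT_ATTRS = frozenset({PROXY_STATE, EVENT_TIMESTAMP, MESSAGE_AUTHENTICATOR})
DISCONNECT_EXTRA_ATTRS = frozenset({18, 25, 26, 49, 79})
# Error-Cause values: 401, 402, 405 and 507 are quoted above; 403 ("NAS Identification Mismatch")
# and 503 ("Session Context Not Found") are the RFC 3576 values.
UNSUPPORTED_ATTRIBUTE, MISSING_ATTRIBUTE, NAS_ID_MISMATCH = 401, 402, 403
UNSUPPORTED_SERVICE, SESSION_NOT_FOUND, REQUEST_INITIATED = 405, 503, 507
AUTHORIZE_ONLY = struct.pack("!I", 17)  # Service-Type "Authorize Only" = 17 (RFC 3576), on the wire


def parse_packet(data):
    """Return (code, identifier, authenticator, [(type, value), ...]) from raw RADIUS bytes."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length != len(data):
        raise ValueError("RADIUS length field does not match packet")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return code, ident, data[4:20], attrs


def build_packet(code, ident, attrs):
    """Encode a request; the Request Authenticator is left zero (attribute rules only are checked)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


def evaluate_request(packet, nas_identity, sessions, supports_authorize_only=True):
    """Decide the NAS's answer to one Disconnect-Request or CoA-Request.
    nas_identity: {attr_type: value} of this NAS; sessions: list of per-session attribute dicts.
    Returns (response_code, error_cause_or_None, matched_session_or_None)."""
    code, _, _, attrs = parse_packet(packet)
    present = {t for t, _ in attrs}
    if code == DISCONNECT_REQUEST:
        nak = DISCONNECT_NAK
        # Section 3: a Disconnect-Request MUST contain only identification attributes.
        if not present <= NAS_ID_ATTRS | SESSION_ID_ATTRS | TRANSPORT_ATTRS | DISCONNECT_EXTRA_ATTRS:
            return nak, UNSUPPORTED_ATTRIBUTE, None
    elif code == COA_REQUEST:
        nak = COA_NAK
    else:
        raise ValueError("not a Disconnect-Request or CoA-Request")
    # Every NAS identification attribute that is present MUST match this NAS.
    if any(t in NAS_ID_ATTRS and nas_identity.get(t) != v for t, v in attrs):
        return nak, NAS_ID_MISMATCH, None
    # User-Name and Acct-Session-Id MUST match, the other session attributes SHOULD; this NAS
    # requires all of them to match and exactly one session to result, so User-Name alone is
    # refused when the same user has several sessions (Section 3).
    wanted = [(t, v) for t, v in attrs if t in SESSION_ID_ATTRS]
    matches = [s for s in sessions if all(s.get(t) == v for t, v in wanted)]
    if len(matches) != 1:
        return nak, SESSION_NOT_FOUND, None
    session = matches[0]
    if code == DISCONNECT_REQUEST:
        return DISCONNECT_ACK, None, session
    if dict(attrs).get(SERVICE_TYPE) == AUTHORIZE_ONLY:
        if not supports_authorize_only:                                      # Section 3.1: 405
            return COA_NAK, UNSUPPORTED_SERVICE, session
        if not present <= NAS_ID_ATTRS | SESSION_ID_ATTRS | TRANSPORT_ATTRS | {SERVICE_TYPE, STATE}:
            return COA_NAK, UNSUPPORTED_ATTRIBUTE, session                   # Section 3.1: 401
        if STATE not in present:                                             # Section 3.2: 402
            return COA_NAK, MISSING_ATTRIBUTE, session
        # Section 3.1: success is signalled by a CoA-NAK with 507; the NAS then sends an
        # Access-Request with Service-Type "Authorize Only" and the unmodified State (not modelled).
        return COA_NAK, REQUEST_INITIATED, session
    return COA_ACK, None, session  # ordinary authorization change: apply and ACK


# Constructed NAS identity and session table for the demonstration.
NAS = {NAS_IP_ADDRESS: bytes([192, 0, 2, 1]), NAS_IDENTIFIER: b"nas1.example"}
SESSIONS = [{USER_NAME: b"alice", ACCT_SESSION_ID: b"0000001a"},
            {USER_NAME: b"alice", ACCT_SESSION_ID: b"0000001b"}]


def demo():
    """Run constructed requests through the NAS; returns the (code, Error-Cause) pairs."""
    nas_ip, alice = (NAS_IP_ADDRESS, NAS[NAS_IP_ADDRESS]), (USER_NAME, b"alice")
    sid_a, authz = (ACCT_SESSION_ID, b"0000001a"), (SERVICE_TYPE, AUTHORIZE_ONLY)
    requests = [
        build_packet(DISCONNECT_REQUEST, 1, [nas_ip, alice, (FRAMED_IP_ADDRESS, bytes([198, 51, 100, 7]))]),
        build_packet(DISCONNECT_REQUEST, 2, [nas_ip, alice]),                         # two sessions: 503
        build_packet(DISCONNECT_REQUEST, 3, [nas_ip, alice, (ACCT_SESSION_ID, b"0000001b")]),  # unique
        build_packet(COA_REQUEST, 4, [(NAS_IP_ADDRESS, bytes([192, 0, 2, 99])), sid_a]),  # wrong NAS: 403
        build_packet(COA_REQUEST, 5, [nas_ip, sid_a, authz]),                            # no State: 402
        build_packet(COA_REQUEST, 6, [nas_ip, sid_a, authz, (STATE, b"opaque-server-state")]),  # 507
    ]
    return [evaluate_request(p, NAS, SESSIONS)[:2] for p in requests]
```

Running demo() yields, in order, (42, 401), (42, 503), (41, None), (45, 403), (45, 402) and (45, 507): the first Disconnect-Request is refused for carrying a renumbering attribute, the second because User-Name alone cannot pick one of alice's two sessions, and the "Authorize Only" request with a State attribute gets the 507 CoA-NAK that the text defines as the success case.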