RE: Issue: Error-Cause Attribute in Disconnect-ACK?
In going over the Error-Cause Attribute values, I noticed that there was no value for "Invalid Attribute Value" even though such an error is mentioned in the text. Here is a revised version of Sections 3.5, 4 and 5 taking that into account.
3.5. Error-Cause
Description
It is possible that the NAS cannot honor Disconnect-Request or
CoA-Request packets for some reason. The Error-Cause Attribute
provides more detail on the cause of the problem. It MAY be
included within Disconnect-NAK and CoA-NAK packets.
A summary of the Error-Cause Attribute format is shown below. The
fields are transmitted from left to right.
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |    Length     |             Value
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
          Value (cont)          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
101 for Error-Cause
Length
6
Value
The Value field is four octets, containing an integer specifying
the cause of the error. Values 0-199 and 300-399 are reserved.
Values 200-299 represent successful completion, so that these
values may only be sent within Disconnect-ACK or CoA-ACK packets
and MUST NOT be sent within a Disconnect-NAK or CoA-NAK. Values
400-499 represent fatal errors committed by the RADIUS server, so
that they MAY be sent within CoA-NAK or Disconnect-NAK packets,
and MUST NOT be sent within CoA-ACK or Disconnect-ACK packets.
Values 500-599 represent fatal errors occurring on a NAS or RADIUS
proxy, so that they MAY be sent within CoA-NAK and Disconnect-NAK
packets, and MUST NOT be sent within CoA-ACK or Disconnect-ACK
packets. Error-Cause values SHOULD be logged by the RADIUS
server. Error-Code values (expressed in decimal) include:
# Value
--- -----
201 Residual Session Context Removed
202 Invalid EAP Packet (Ignored)
401 Unsupported Attribute
402 Missing Attribute
403 NAS Identification Mismatch
404 Invalid Request
405 Unsupported Service
406 Unsupported Extension
407 Invalid Attribute Value
501 Administratively Prohibited
502 Request Not Routable (Proxy)
503 Session Context Not Found
504 Session Context Not Removable
505 Other Proxy Processing Error
506 Resources Unavailable
507 Request Initiated
"Residual Session Context Removed" is sent in response to a
Disconnect-Request if the user session is no longer active, but
residual session context was found and successfully removed. This
value is only sent within a Disconnect-ACK and MUST NOT be sent
within a CoA-ACK, Disconnect-NAK or CoA-NAK.
"Invalid EAP Packet (Ignored)" is a non-fatal error that MUST NOT
be sent by implementations of this specification.
"Unsupported Attribute" is a fatal error sent if a Request
contains an attribute (such as a Vendor-Specific or EAP-Message
Attribute) that is not supported.
"Missing Attribute" is a fatal error sent if critical attributes
(such as NAS or session identification attributes) are missing
from a Request.
"NAS Identification Mismatch" is a fatal error sent if one or more
NAS identification attributes (see Section 3) do not match the
identity of the NAS receiving the Request.
"Invalid Request" is a fatal error sent if some other aspect of
the Request is invalid, such as if one or more attributes (such as
EAP-Message Attribute(s)) are not formatted properly.
"Unsupported Service" is a fatal error sent if a Service-Type
Attribute included with the Request is sent with an invalid or
unsupported value. This error cannot be sent in response to a
Disconnect-Request.
"Unsupported Extension" is a fatal error sent due to lack of
support for an extension such as Disconnect and/or CoA packets.
This will typically be sent by a proxy receiving an ICMP port
unreachable message after attempting to forward a Request to the
NAS.
"Unsupported Attribute Value" is a fatal error sent if a Request
contains an attribute with an unsupported value.
"Administratively Prohibited" is a fatal error sent if the NAS is
configured to prohibit honoring of Request packets for the
specified session.
"Request Not Routable" is a fatal error which MAY be sent by a
RADIUS proxy and MUST NOT be sent by a NAS. It indicates that the
RADIUS proxy was unable to determine how to route the Request to
the NAS. For example, this can occur if the required entries are
not present in the proxy's realm routing table.
"Session Context Not Found" is a fatal error sent if the session
context identified in the Request does not exist on the NAS.
"Session Context Not Removable" is a fatal error sent in response
to a Disconnect-Request if the NAS was able to locate the session
context, but could not remove it for some reason. It MUST NOT be
sent within a CoA-ACK, CoA-NAK or Disconnect-ACK, only within a
Disconnect-NAK.
"Other Proxy Processing Error" is a fatal error sent in response
to a Request that could not be processed by a proxy, for reasons
other than routing.
"Resources Unavailable" is a fatal error sent when a Request could
not be honored due to lack of available NAS resources (memory,
non-volatile storage, etc.).
"Request Initiated" is a fatal error sent in response to a CoA-
Request including a Service-Type Attribute with a value of
"Authorize Only". It indicates that the CoA-Request has not been
honored, but that a RADIUS Access-Request including a Service-Type
Attribute with value "Authorize Only" is being sent to the RADIUS
server.
4. Diameter Considerations
Due to differences in handling change-of-authorization requests in
RADIUS and Diameter, it may be difficult or impossible for a
Diameter/RADIUS gateway to successfully translate a Diameter Re-Auth-
Request (RAR) to a CoA-Request and vice versa. For example, since a
CoA-Request only initiates an authorization change but does not
initiate re-authentication, a RAR command containing a Re-Auth-
Request-Type AVP with value "AUTHORIZE_AUTHENTICATE" cannot be
directly translated to a CoA-Request. A Diameter/RADIUS gateway
receiving a CoA-Request containing authorization changes will need to
translate this into two Diameter exchanges. First, the
Diameter/RADIUS gateway will issue a RAR command including a Session-
Id AVP and a Re-Auth-Request-Type AVP with value "AUTHORIZE ONLY".
Then the Diameter/RADIUS gateway will respond to the ensuing access
request with a response including the authorization attributes
gleaned from the CoA-Request. For the translation to be possible,
the CoA-Request MUST include an Acct-Session-Id Attribute. If the
Diameter client uses the same Session-Id for both authorization and
accounting, then the Diameter/RADIUS gateway can copy the contents of
the Acct-Session-Id Attribute into the Session-Id AVP; otherwise, it
will need to map the Acct-Session-Id value to an equivalent Session-
Id for use within a RAR command.
To simplify translation between RADIUS and Diameter, a server
compliant with this specification MAY include a Service-Type
Attribute with value "Authorize Only" within a CoA-Request. Such a
CoA-Request MUST contain a State Attribute. A NAS supporting the
"Authorize Only" Service-Type within a CoA-Request responds with a
CoA-NAK containing a Service-Type Attribute with value "Authorize
Only", and an Error-Cause Attribute with value "Request Initiated".
The NAS will then send an Access-Request containing a Service-Type
Attribute with a value of "Authorize Only", along with a State
Attribute. A Diameter/RADIUS gateway receiving a CoA-Request
containing a Service-Type with value "Authorize Only" translates this
to a RAR with Re-Auth-Request-Type AVP with value "AUTHORIZE ONLY".
The received RAA is then translated to a CoA-NAK with a Service-Type
value of "Authorize Only". If the Result-Code AVP in the RAA has a
value in the success category, then an Error-Cause Attribute with
value "Request Initiated" is included in the CoA-NAK. If the
Result-Code AVP in the RAA has a value indicating a Protocol Error or
a Transient or Permanent Failure, then an alternate Error-Cause
Attribute is returned as suggested below.
Within Diameter, a server can request that a session be aborted by
sending an Abort-Session-Request (ASR), identifying the session to be
terminated using Session-ID and User-Name AVPs. The ASR command is
translated to a Disconnect-Request containing an Acct-Session-Id and
User-Name attribute. If the Diameter client utilizes the same
Session-Id in both authorization and accounting, then the value of
the Session-ID AVP may be placed in the Acct-Session-Id attribute;
otherwise the value of the Session-ID AVP will need to be mapped to
an appropriate Acct-Session-Id value. For a Disconnect-Request to
be translatable to an ASR, an Acct-Session-Id attribute MUST be
present. If the Diameter client utilizes the same Session-Id in both
authorization and accounting, then the value of the Acct-Session-Id
may be placed into the Session-ID AVP within the ASR; otherwise the
value of the Acct-Session-Id will need to be mapped to an appropriate
Session-ID value.
An Abort-Session-Answer (ASA) command is sent in response to an ASR
in order to indicate the disposition of the request. A
Diameter/RADIUS gateway receiving a Disconnect-ACK translates this to
an ASA command with a Result-Code AVP of "DIAMETER_SUCCESS". A
Disconnect-NAK received from the server is translated to an ASA
command with a Result-Code AVP which depends on the value of the
Error-Cause Attribute. Suggested translations between Error-Cause
Attribute values and Result-Code AVP values are included below:
#   Error-Cause Attribute Value        Result-Code AVP
--- ---------------------------------- --------------------------------
201 Residual Session Context Removed   DIAMETER_SUCCESS
202 Invalid EAP Packet (Ignored)       DIAMETER_LIMITED_SUCCESS
401 Unsupported Attribute              DIAMETER_AVP_UNSUPPORTED
402 Missing Attribute                  DIAMETER_MISSING_AVP
403 NAS Identification Mismatch        DIAMETER_REALM_NOT_SERVED
404 Invalid Request                    DIAMETER_UNABLE_TO_COMPLY
405 Unsupported Service                DIAMETER_COMMAND_UNSUPPORTED
406 Unsupported Extension              DIAMETER_APPLICATION_UNSUPPORTED
407 Invalid Attribute Value            DIAMETER_INVALID_AVP_VALUE
501 Administratively Prohibited        DIAMETER_AUTHORIZATION_REJECTED
502 Request Not Routable (Proxy)       DIAMETER_UNABLE_TO_DELIVER
503 Session Context Not Found          DIAMETER_UNKNOWN_SESSION_ID
504 Session Context Not Removable      DIAMETER_AUTHORIZATION_REJECTED
505 Other Proxy Processing Error       DIAMETER_UNABLE_TO_COMPLY
506 Resources Unavailable              DIAMETER_RESOURCES_EXCEEDED
507 Request Initiated                  DIAMETER_SUCCESS
Since both the ASR/ASA and Disconnect-Request/Disconnect-
NAK/Disconnect-ACK exchanges involve just a request and response,
inclusion of an "Authorize Only" Service-Type within a Disconnect-
Request is not needed to assist in Diameter/RADIUS translation, and
may make translation more difficult. As a result, the Service-Type
Attribute MUST NOT be used within a Disconnect-Request.
5. IANA Considerations
This document uses the RADIUS [RFC2865] namespace, see
<http://www.iana.org/assignments/radius-types>. In addition to the
allocations already made in [RFC3576], this specification requests
allocation of an additional value of the Error-Cause Attribute (101):
# Value
--- -----
407 Invalid Attribute Value
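As an added worked example, not part of the draft text or of Bernard's message: the following Python encodes and decodes the Error-Cause Attribute laid out in Section 3.5 (Type 101, Length 6, four-octet Value), checks whether a given value is permitted in a given response packet under the rules of Section 3.5, and maps a value to the Diameter Result-Code suggested in the Section 4 table. The only identifiers it assumes beyond the text above are the RADIUS packet codes for Disconnect-ACK/NAK and CoA-ACK/NAK (41, 42, 44, 45), which come from RFC 3576 rather than from this page; the sample Disconnect-NAK at the bottom is constructed.

```python
import struct

ERROR_CAUSE_TYPE = 101     # Type
ERROR_CAUSE_LENGTH = 6     # Length: 1 (Type) + 1 (Length) + 4 (Value)

# RADIUS packet codes from RFC 3576 (assumed; not listed in the text above)
DISCONNECT_ACK, DISCONNECT_NAK = 41, 42
COA_ACK, COA_NAK = 44, 45

# Error-Cause values from the Section 3.5 table
ERROR_CAUSE_NAMES = {
    201: "Residual Session Context Removed",
    202: "Invalid EAP Packet (Ignored)",
    401: "Unsupported Attribute",
    402: "Missing Attribute",
    403: "NAS Identification Mismatch",
    404: "Invalid Request",
    405: "Unsupported Service",
    406: "Unsupported Extension",
    407: "Invalid Attribute Value",
    501: "Administratively Prohibited",
    502: "Request Not Routable (Proxy)",
    503: "Session Context Not Found",
    504: "Session Context Not Removable",
    505: "Other Proxy Processing Error",
    506: "Resources Unavailable",
    507: "Request Initiated",
}

# Suggested Error-Cause -> Diameter Result-Code translation from Section 4
RESULT_CODES = {
    201: "DIAMETER_SUCCESS",
    202: "DIAMETER_LIMITED_SUCCESS",
    401: "DIAMETER_AVP_UNSUPPORTED",
    402: "DIAMETER_MISSING_AVP",
    403: "DIAMETER_REALM_NOT_SERVED",
    404: "DIAMETER_UNABLE_TO_COMPLY",
    405: "DIAMETER_COMMAND_UNSUPPORTED",
    406: "DIAMETER_APPLICATION_UNSUPPORTED",
    407: "DIAMETER_INVALID_AVP_VALUE",
    501: "DIAMETER_AUTHORIZATION_REJECTED",
    502: "DIAMETER_UNABLE_TO_DELIVER",
    503: "DIAMETER_UNKNOWN_SESSION_ID",
    504: "DIAMETER_AUTHORIZATION_REJECTED",
    505: "DIAMETER_UNABLE_TO_COMPLY",
    506: "DIAMETER_RESOURCES_EXCEEDED",
    507: "DIAMETER_SUCCESS",
}


def encode_error_cause(value):
    """Build the 6-octet attribute: Type, Length, then the Value in network byte order."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("Value must fit in four octets")
    return struct.pack("!BBI", ERROR_CAUSE_TYPE, ERROR_CAUSE_LENGTH, value)


def decode_error_cause(data):
    """Parse one Error-Cause attribute from the start of `data`.

    Every field is checked before it is read, so a truncated or mis-sized
    attribute raises ValueError instead of being read past its end."""
    if len(data) < 2:
        raise ValueError("truncated attribute header")
    atype, alen = data[0], data[1]
    if atype != ERROR_CAUSE_TYPE:
        raise ValueError("not an Error-Cause attribute (type %d)" % atype)
    if alen != ERROR_CAUSE_LENGTH or len(data) < alen:
        raise ValueError("bad Error-Cause length %d" % alen)
    return struct.unpack("!I", data[2:6])[0]


def allowed_in(value, packet_code, is_proxy=False):
    """True if Section 3.5 permits this Error-Cause value in this packet type.

    `is_proxy` says whether the sender is a RADIUS proxy rather than a NAS,
    which matters only for 502 (Request Not Routable)."""
    if 200 <= value <= 299:                      # success values: ACKs only
        if value == 202:                         # MUST NOT be sent by this spec's implementations
            return False
        if value == 201:                         # Disconnect-ACK only
            return packet_code == DISCONNECT_ACK
        return packet_code in (DISCONNECT_ACK, COA_ACK)
    if 400 <= value <= 599:                      # fatal errors: NAKs only
        if packet_code not in (DISCONNECT_NAK, COA_NAK):
            return False
        if value == 405:                         # cannot answer a Disconnect-Request
            return packet_code == COA_NAK
        if value == 502:                         # proxies only, never a NAS
            return is_proxy
        if value == 504:                         # Disconnect-NAK only
            return packet_code == DISCONNECT_NAK
        if value == 507:                         # answers a CoA-Request, so CoA-NAK only
            return packet_code == COA_NAK
        return True
    return False                                 # 0-199 and 300-399 are reserved


def result_code_for(value):
    """Diameter Result-Code suggested in Section 4, or None if the draft lists none."""
    return RESULT_CODES.get(value)


if __name__ == "__main__":
    # Constructed sample: a NAS answers a Disconnect-Request whose session it cannot find.
    attr = encode_error_cause(503)
    value = decode_error_cause(attr)
    print(attr.hex(), ERROR_CAUSE_NAMES[value],
          allowed_in(value, DISCONNECT_NAK), result_code_for(value))
```

The placement check is where the thread's question surfaces in code: 201 is the one value the text allows in a Disconnect-ACK, while the attribute description only names the NAK packets, so a validator written from the description alone would reject the very packet Section 3.5 describes.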
From: bernard_aboba@hotmail.com
To: radiusext@ops.ietf.org
Subject: RE: Issue: Error-Cause Attribute in Disconnect-ACK?
Date: Tue, 22 May 2007 12:57:11 -0700
I also noticed another oddity in usage of the Error-Cause Attribute.
It is stated that a CoA-NAK MUST always be sent in response to a CoA-Request including a Service-Type Attribute with value "Authorize Only". If the CoA-Request can be processed, then sending an Error-Cause Attribute with value 507 (Request Initiated) is required. However, if the CoA-Request cannot be processed, sending an Error-Cause attribute is optional. Given that NAS implementations supporting a Service-Type attribute with value "Authorize Only" have to be able to send the Error-Cause Attribute in the event that the Request can be processed, why isn't sending an Error-Cause attribute a SHOULD in the event of an error?
> From: bernard_aboba@hotmail.com
> To: radiusext@ops.ietf.org
> Subject: Issue: Error-Cause Attribute in Disconnect-ACK?
> Date: Tue, 22 May 2007 10:31:40 -0700
>
>
> Issue: Error-Cause Attribute in Disconnect-ACK?
> Submitter name: Bernard Aboba
> Submitter email address: aboba@internaut.com
> Date first submitted: May 22, 2007
> Reference:
> Document: RFC3576bis-05
> Comment type: Technical
> Priority: S
> Section: 3.4
> Rationale/Explanation of issue:
>
> In the process of editing the attribute table to address Issue 226, I noticed an oddity.
>
> RFC 3576 Section 3.1 states the following:
>
> It is possible that the NAS cannot honor Disconnect-Request or
> CoA-Request messages for some reason. The Error-Cause Attribute
> provides more detail on the cause of the problem. It MAY be
> included within Disconnect-ACK, Disconnect-NAK and CoA-NAK
> messages.
>
> Why would an Error-Cause Attribute be included in a Disconnect-ACK? It is not allowed in a CoA-ACK, for example.