2.4.14 RADIUS EXTensions (radext)

NOTE: This charter is a snapshot of the 72nd IETF Meeting in Dublin, Ireland. It may now be out-of-date.
In addition to this official charter maintained by the IETF Secretariat, there is additional information about this working group on the Web at:

       Additional RADEXT Web Page

Last Modified: 2007-11-02


David Nelson <d.b.nelson@comcast.net>
Bernard Aboba <Bernard_Aboba@hotmail.com>

Operations and Management Area Director(s):

Dan Romascanu <dromasca@avaya.com>
Ronald Bonica <rbonica@juniper.net>

Operations and Management Area Advisor:

Dan Romascanu <dromasca@avaya.com>

Technical Advisor(s):

Paul Congdon <paul.congdon@hp.com>

Mailing Lists:

General Discussion: radiusext@ops.ietf.org
To Subscribe: radiusext-request@ops.ietf.org
In Body: In Body: subscribe
Archive: https://ops.ietf.org/lists/radiusext

Description of Working Group:

The RADIUS Extensions Working Group will focus on extensions to the
RADIUS protocol required to define extensions to the standard
attribute space as well as to address cryptographic algorithm
agility and use over new transports. In addition, RADEXT will
work on RADIUS Design Guidelines and define new attributes for
particular applications of authentication, authorization and
accounting such as NAS management and local area network (LAN) usage.

In order to enable interoperation of heterogeneous RADIUS/Diameter
deployments, all RADEXT WG work items MUST contain a Diameter
compatibility section, outlining how interoperability with
Diameter will be maintained.

Furthermore, to ensure backward compatibility with existing RADIUS
implementations, as well as compatibility between RADIUS and Diameter,
the following restrictions are imposed on extensions considered by the

- All documents produced MUST specify means of interoperation with
legacy RADIUS and, if possible, be backward
compatible with existing RADIUS RFCs, including RFCs 2865-2869,
3162, 3575, 3579, 3580, 4668-4673,4675, 5080, 5090 and 5176.
Transport profiles should, if possible, be compatible with RFC 3539.

- All RADIUS work MUST be compatible with equivalent facilities in
Diameter. Where possible, new attributes should be defined so that
the same attribute can be used in both RADIUS and Diameter without
translation. In other cases a translation considerations
section should be included in the specification.

Work Items

The immediate goals of the RADEXT working group are to address the
following issues:

- RADIUS design guidelines. This document will provide guidelines for
design of RADIUS attributes. It will specifically consider how
complex data types may be introduced in a robust manner, maintaining
backwards compatibility with existing RADIUS RFCs, across all the
classes of attributes: Standard, Vendor-Specific and SDO-Specific.
In addition, it will review RADIUS data types and associated
backwards compatibility issues.

- RADIUS Management authorization. This document will define the
use of RADIUS for NAS management over IP.

-RADIUS attribute space extension. The standard RADIUS attribute
space is currently being depleted. This document will provide
additional standard attribute space, while maintaining backward
compatibility with existing attributes.

-RADIUS Cryptographic Algorithm Agility. RADIUS has traditionally
relied on MD5 for both per-packet integrity and authentication as well
as attribute confidentiality. Given the increasingly successful
attacks being mounted against MD5, the ability to support
alternative algorithms is required. This work item will
include documentation of RADIUS crypto-agility requirements,
as well as development of one or more Experimental RFCs providing
support for negotiation of alternative cryptographic algorithms
to protect RADIUS.

- IEEE 802 attributes. New attributes have been proposed to
support IEEE 802 standards for wired and wireless LANs. This
work item will support authentication, authorization and
accounting attributes needed by IEEE 802 groups including
IEEE 802.1, IEEE 802.11 and IEEE 802.16.

- New RADIUS transports. A reliable transport profile for
RADIUS will be developed, as well as specifications for
Secure transports, including TCP/TLS (RADSEC) and UDP/DTLS.

- Documentation of Status-Server usage. A document
describing usage of the Status-Server facility will be

Goals and Milestones:

Done  Updates to RFC 2618-2621 RADIUS MIBs submitted for publication
Done  SIP RADIUS authentication draft submitted as a Proposed Standard RFC
Done  RFC 2486bis submitted as a Proposed Standard RFC
Done  RFC 3576 MIBs submitted as an Informational RFC
Done  RADIUS VLAN and Priority Attributes draft submitted as a Proposed Standard RFC (reduced in scope)
Jun 2006  RADIUS Design Guidelines and Extended Attributes drafts WGLC
Jun 2006  WLAN Attributes draft submitted as a Proposed Standard RFC
Done  RADIUS Implementation Issues and Fixes draft submitted as an Informational RFC
Oct 2006  RADIUS Design Guidelines submitted as a Best Current Practice RFC
Oct 2006  RADIUS Extended Attributes submitted as a Proposed Standard RFC (split out from Design Guidelines draft)
Done  RADIUS Filtering Attributes draft submitted as a Proposed Standard RFC (split out from VLAN & Priority draft)
Done  RFC 3576bis submitted as an Informational RFC (split out from Issues & Fixes draft)
Dec 2006  RADIUS Crypto-agility draft (e.g. FIPS 140-2 compliance for RADIUS) submitted as a Proposed Standard RFC (split out from WLAN attributes draft)
Dec 2006  RADIUS Prepaid draft submitted as a Proposed Standard RFC
Done  RADIUS Redirection Attributes draft submitted as a Proposed Standard RFC (split out from VLAN & Priority draft)


  • draft-ietf-radext-management-authorization-02.txt
  • draft-ietf-radext-design-02.txt
  • draft-ietf-radext-extended-attributes-03.txt

    Request For Comments:

    RFC4282 Standard The Network Access Identifier
    RFC4372 Standard Chargeable User Identity
    RFC4590 PS RADIUS Extension for Digest Authentication
    RFC4668 PS RADIUS Authentication Client MIB for IPV6
    RFC4669 PS RADIUS Authentication Server MIB for IPv6
    RFC4670 I RADIUS Accounting Client MIB for IPv6
    RFC4671 I RADIUS Accounting Server MIB for IPv6
    RFC4672 I RADIUS Dynamic Authorization Client MIB
    RFC4673 I RADIUS Dynamic Authorization Server MIB
    RFC4675 PS RADIUS Attributes for Virtual LAN and Priority Support
    RFC4818 PS RADIUS Delegated-IPv6-Prefix Attribute
    RFC4849 PS RADIUS Filter Rule Attribute
    RFC5080 PS Common Remote Authentication Dial In User Service (RADIUS) Implementation Issues and Suggested Fixes
    RFC5090 PS RADIUS Extension for Digest Authentication
    RFC5176 I Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)

    Meeting Minutes


    RADEXT IETF72 Agenda
    RADIUS Design Guidelines
    RADIUS over TCP
    RADIUS over DTLS
    RADIUS Status Server
    RADIUS IEEE 802 Attributes (Status Update)
    RADIUS Attributes for IEEE 802
    RADIUS Crypto-agility Requirements
    Transmitting Confidential Data in RADIUS
    Problem Statement and Requirements for Prefix Authorization
    IPv6 RADIUS Attributes for DHCP