Network Working Group                                       G. Zorn, Ed.
Internet-Draft                                               Network Zen
Obsoletes: 4005 (if approved)                          November 28, 2013
Intended status: Standards Track
Expires: June 1, 2014

              Diameter Network Access Server Application
                     draft-ietf-dime-rfc4005bis-14

Abstract

   This document describes the Diameter protocol application used for
   Authentication, Authorization, and Accounting (AAA) services in the
   Network Access Server (NAS) environment; it obsoletes RFC 4005.  When
   combined with the Diameter Base protocol, Transport Profile, and
   Extensible Authentication Protocol specifications, this application
   specification satisfies typical network access services requirements.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on June 1, 2014.
Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Changes from RFC 4005
     1.2.  Terminology
     1.3.  Requirements Language
     1.4.  Advertising Application Support
     1.5.  Application Identification
     1.6.  Accounting Model
   2.  NAS Calls, Ports, and Sessions
     2.1.  Diameter Session Establishment
     2.2.  Diameter Session Reauthentication or Reauthorization
     2.3.  Diameter Session Termination
   3.  Diameter NAS Application Messages
     3.1.  AA-Request (AAR) Command
     3.2.  AA-Answer (AAA) Command
     3.3.  Re-Auth-Request (RAR) Command
     3.4.  Re-Auth-Answer (RAA) Command
     3.5.  Session-Termination-Request (STR) Command
     3.6.  Session-Termination-Answer (STA) Command
     3.7.  Abort-Session-Request (ASR) Command
     3.8.  Abort-Session-Answer (ASA) Command
     3.9.  Accounting-Request (ACR) Command
     3.10. Accounting-Answer (ACA) Command
   4.  Diameter NAS Application AVPs
     4.1.  Derived AVP Data Formats
       4.1.1.  QoSFilterRule
     4.2.  NAS Session AVPs
       4.2.1.  Call and Session Information
       4.2.2.  NAS-Port AVP
       4.2.3.  NAS-Port-Id AVP
       4.2.4.  NAS-Port-Type AVP
       4.2.5.  Called-Station-Id AVP
       4.2.6.  Calling-Station-Id AVP
       4.2.7.  Connect-Info AVP
       4.2.8.  Originating-Line-Info AVP
       4.2.9.  Reply-Message AVP
     4.3.  NAS Authentication AVPs
       4.3.1.  User-Password AVP
       4.3.2.  Password-Retry AVP
       4.3.3.  Prompt AVP
       4.3.4.  CHAP-Auth AVP
       4.3.5.  CHAP-Algorithm AVP
       4.3.6.  CHAP-Ident AVP
       4.3.7.  CHAP-Response AVP
       4.3.8.  CHAP-Challenge AVP
       4.3.9.  ARAP-Password AVP
       4.3.10. ARAP-Challenge-Response AVP
       4.3.11. ARAP-Security AVP
       4.3.12. ARAP-Security-Data AVP
     4.4.  NAS Authorization AVPs
       4.4.1.  Service-Type AVP
       4.4.2.  Callback-Number AVP
       4.4.3.  Callback-Id AVP
       4.4.4.  Idle-Timeout AVP
       4.4.5.  Port-Limit AVP
       4.4.6.  NAS-Filter-Rule AVP
       4.4.7.  Filter-Id AVP
       4.4.8.  Configuration-Token AVP
       4.4.9.  QoS-Filter-Rule AVP
       4.4.10. Framed Access Authorization AVPs
         4.4.10.1.  Framed-Protocol AVP
         4.4.10.2.  Framed-Routing AVP
         4.4.10.3.  Framed-MTU AVP
         4.4.10.4.  Framed-Compression AVP
         4.4.10.5.  IP Access Authorization AVPs
           4.4.10.5.1.  Framed-IP-Address AVP
           4.4.10.5.2.  Framed-IP-Netmask AVP
           4.4.10.5.3.  Framed-Route AVP
           4.4.10.5.4.  Framed-Pool AVP
           4.4.10.5.5.  Framed-Interface-Id AVP
           4.4.10.5.6.  Framed-IPv6-Prefix AVP
           4.4.10.5.7.  Framed-IPv6-Route AVP
           4.4.10.5.8.  Framed-IPv6-Pool AVP
         4.4.10.6.  IPX Access AVPs
           4.4.10.6.1.  Framed-IPX-Network AVP
         4.4.10.7.  AppleTalk Network Access AVPs
           4.4.10.7.1.  Framed-AppleTalk-Link AVP
           4.4.10.7.2.  Framed-AppleTalk-Network AVP
           4.4.10.7.3.  Framed-AppleTalk-Zone AVP
         4.4.10.8.  AppleTalk Remote Access AVPs
           4.4.10.8.1.  ARAP-Features AVP
           4.4.10.8.2.  ARAP-Zone-Access AVP
       4.4.11. Non-Framed Access Authorization AVPs
         4.4.11.1.  Login-IP-Host AVP
         4.4.11.2.  Login-IPv6-Host AVP
         4.4.11.3.  Login-Service AVP
         4.4.11.4.  TCP Services
           4.4.11.4.1.  Login-TCP-Port AVP
         4.4.11.5.  LAT Services
           4.4.11.5.1.  Login-LAT-Service AVP
           4.4.11.5.2.  Login-LAT-Node AVP
           4.4.11.5.3.  Login-LAT-Group AVP
           4.4.11.5.4.  Login-LAT-Port AVP
     4.5.  NAS Tunneling AVPs
       4.5.1.  Tunneling AVP
       4.5.2.  Tunnel-Type AVP
       4.5.3.  Tunnel-Medium-Type AVP
       4.5.4.  Tunnel-Client-Endpoint AVP
       4.5.5.  Tunnel-Server-Endpoint AVP
       4.5.6.  Tunnel-Password AVP
       4.5.7.  Tunnel-Private-Group-Id AVP
       4.5.8.  Tunnel-Assignment-Id AVP
       4.5.9.  Tunnel-Preference AVP
       4.5.10. Tunnel-Client-Auth-Id AVP
       4.5.11. Tunnel-Server-Auth-Id AVP
     4.6.  NAS Accounting AVPs
       4.6.1.  Accounting-Input-Octets AVP
       4.6.2.  Accounting-Output-Octets AVP
       4.6.3.  Accounting-Input-Packets AVP
       4.6.4.  Accounting-Output-Packets AVP
       4.6.5.  Acct-Session-Time AVP
       4.6.6.  Acct-Authentic AVP
       4.6.7.  Accounting-Auth-Method AVP
       4.6.8.  Acct-Delay-Time AVP
       4.6.9.  Acct-Link-Count AVP
       4.6.10. Acct-Tunnel-Connection AVP
       4.6.11. Acct-Tunnel-Packets-Lost AVP
   5.  AVP Occurrence Tables
     5.1.  AA-Request/Answer AVP Table
     5.2.  Accounting AVP Tables
       5.2.1.  Framed Access Accounting AVP Table
       5.2.2.  Non-Framed Access Accounting AVP Table
   6.  Unicode Considerations
   7.  IANA Considerations
   8.  Security Considerations
     8.1.  Authentication Considerations
     8.2.  AVP Considerations
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Appendix A.  Acknowledgements
     A.1.  This Document
     A.2.  RFC 4005

1.  Introduction

   This document describes the Diameter protocol application used for
   AAA in the Network Access Server (NAS) environment.  When combined
   with the Diameter Base protocol [RFC6733], Transport Profile
   [RFC3539], and EAP [RFC4072] specifications, this specification
   satisfies the NAS-related requirements defined in Aboba, et al.
   [RFC2989] and Beadles & Mitton [RFC3169].

   First, this document describes the operation of a Diameter NAS
   application.  Then it defines the Diameter message Command-Codes.
   The following sections list the AVPs used in these messages, grouped
   by common usage.  These are session identification, authentication,
   authorization, tunneling, and accounting.  The authorization AVPs are
   further broken down by service type.

1.1.  Changes from RFC 4005

   This document obsoletes RFC 4005 and is not backward compatible with
   that document.  An overview of some of the major changes is given
   below.

   o  All of the material regarding RADIUS/Diameter protocol
      interactions has been removed; however, where AVPs are derived
      from RADIUS Attributes, the range and format of those Attribute
      values have been retained for ease of transition.

   o  The Command Code Format (CCF) [RFC6733] for the Accounting-Request
      and Accounting-Answer messages has been changed to explicitly
      require the inclusion of the Acct-Application-Id AVP and exclude
      the Vendor-Specific-Application-Id AVP.  Normally, this type of
      change would require the allocation of a new command code and
      consequently, a new application-id (See Section 1.3.3 of
      [RFC6733]).  However, the presence of an instance of the Acct-
      Application-Id AVP was required in RFC 4005, as well:

         The ACR message [BASE] is sent by the NAS to report its session
         information to a target server downstream.

         Either of Acct-Application-Id or Vendor-Specific-Application-Id
         AVPs MUST be present.  If the Vendor-Specific-Application-Id
         grouped AVP is present, it must have an Acct-Application-Id
         inside.

      Thus, though the syntax of the commands has changed, the semantics
      have not (with the caveat that the Acct-Application-Id AVP can no
      longer be contained in the Vendor-Specific-Application-Id AVP).
   o  The lists of RADIUS attribute values have been deleted in favor of
      references to the appropriate IANA registries.

   o  The accounting model to be used is now specified (see
      Section 1.6).

   There are many other miscellaneous fixes that have been introduced in
   this document that may not be considered significant but they are
   useful nonetheless.  Examples are fixes to example IP addresses,
   addition of clarifying references, etc.  All of the errata previously
   filed against RFC 4005 have been fixed.  A comprehensive list of
   changes is not shown here for practical reasons.

1.2.  Terminology

   Section 1.2 of the Diameter base protocol specification [RFC6733]
   defines most of the terminology used in this document.  Additionally,
   the following terms and acronyms are used in this application:

   NAS (Network Access Server)

      A device that provides an access service for a user to a network.
      The service may be a network connection or a value-added service
      such as terminal emulation [RFC2881].

   PPP (Point-to-Point Protocol)

      A multiprotocol serial datalink.  PPP is the primary IP datalink
      used for dial-in NAS connection service [RFC1661].

   CHAP (Challenge Handshake Authentication Protocol)

      An authentication process used in PPP [RFC1994].

   PAP (Password Authentication Protocol)

      A deprecated PPP authentication process, but often used for
      backward compatibility [RFC1334].

   SLIP (Serial Line Interface Protocol)

      A serial datalink that only supports IP.  A design prior to PPP.

   ARAP (Appletalk Remote Access Protocol)

      A serial datalink for accessing Appletalk networks [ARAP].

   IPX (Internet Packet Exchange)

      The network protocol used by NetWare networks [IPX].

   L2TP (Layer Two Tunneling Protocol)

      L2TP [RFC3931] provides a dynamic mechanism for tunneling Layer 2
      "circuits" across a packet-oriented data network.
   LAC (L2TP Access Concentrator)

      An L2TP Control Connection Endpoint being used to cross-connect an
      L2TP session directly to a data link [RFC3931].

   LAT (Local Area Transport)

      A Digital Equipment Corp. LAN protocol for terminal services
      [LAT].

   LCP (Link Control Protocol)

      One of the three major components of PPP [RFC1661].  LCP is used
      to automatically agree upon encapsulation format options, handle
      varying limits on sizes of packets, detect a looped-back link and
      other common misconfiguration errors, and terminate the link.
      Other optional facilities provided are authentication of the
      identity of its peer on the link, and determination when a link is
      functioning properly and when it is failing.

   PPTP (Point-to-Point Tunneling Protocol)

      A protocol which allows PPP to be tunneled through an IP network
      [RFC2637].

   VPN (Virtual Private Network)

      In this document, this term is used to describe access services
      that use tunneling methods.

1.3.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in RFC
   2119 [RFC2119].

   The use of "MUST" and "MUST NOT" in the AVP Flag rules columns of AVP
   Tables in this document refers to AVP flags ([RFC6733], Section 4.1)
   that:

   o  MUST be set to 1 in the AVP Header ("MUST" column) and

   o  MUST NOT be set to 1 ("MUST NOT" column)

1.4.  Advertising Application Support

   Diameter nodes conforming to this specification MUST advertise
   support by including the value of one (1) in the Auth-Application-Id
   of the Capabilities-Exchange-Request (CER) message [RFC6733].

1.5.  Application Identification

   When used in this application, the Auth-Application-Id AVP MUST be
   set to the value one (1) in the following messages:

   o  AA-Request (Section 3.1)

   o  Re-Auth-Request (Section 3.3)

   o  Session-Termination-Request (Section 3.5)

   o  Abort-Session-Request (Section 3.7)

1.6.  Accounting Model

   It is RECOMMENDED that the coupled accounting model (RFC 6733,
   Section 9.3) be used with this application; therefore, the value of
   the Acct-Application-Id AVP in the Accounting-Request (Section 3.9)
   and Accounting-Answer (Section 3.10) messages SHOULD be set to one
   (1).

2.  NAS Calls, Ports, and Sessions

   The arrival of a new call or service connection at a port of a
   Network Access Server (NAS) starts a Diameter NAS Application message
   exchange.  Information about the call, the identity of the user, and
   the user's authentication information are packaged into a Diameter
   AA-Request (AAR) message and sent to a server.

   The server processes the information and responds with a Diameter AA-
   Answer (AAA) message that contains authorization information for the
   NAS, or a failure code (Result-Code AVP).  A value of
   DIAMETER_MULTI_ROUND_AUTH indicates an additional authentication
   exchange, and several AAR and AAA messages may be exchanged until the
   transaction completes.

2.1.  Diameter Session Establishment

   When the authentication or authorization exchange completes
   successfully, the NAS application SHOULD start a session context.  If
   the Result-Code of DIAMETER_MULTI_ROUND_AUTH is returned, the
   exchange continues until a success or error is returned.

   If accounting is active, the application MUST also send an Accounting
   message [RFC6733].  An Accounting-Record-Type of START_RECORD is sent
   for a new session.  If a session fails to start, the EVENT_RECORD
   message is sent with the reason for the failure described.
   Note that the return of an unsupportable Accounting-Realtime-Required
   value [RFC6733] would result in a failure to establish the session.

2.2.  Diameter Session Reauthentication or Reauthorization

   The Diameter Base protocol allows users to be periodically
   reauthenticated and/or reauthorized.  In such instances, the Session-
   Id AVP in the AAR message MUST be the same as the one present in the
   original authentication/authorization message.

   A Diameter server informs the NAS of the maximum time allowed before
   reauthentication or reauthorization via the Authorization-Lifetime
   AVP [RFC6733].  A NAS MAY reauthenticate and/or reauthorize before
   the end, but a NAS MUST reauthenticate and/or reauthorize at the end
   of the period provided by the Authorization-Lifetime AVP.  The
   failure of a reauthentication exchange will terminate the service.

   Furthermore, it is possible for Diameter servers to issue an
   unsolicited reauthentication and/or reauthorization request (e.g.,
   Re-Auth-Request (RAR) message [RFC6733]) to the NAS.  Upon receipt of
   such a message, the NAS MUST respond to the request with a Re-Auth-
   Answer (RAA) message [RFC6733].

   If the RAR properly identifies an active session, the NAS will
   initiate a new local reauthentication or authorization sequence as
   indicated by the Re-Auth-Request-Type value.  This will cause the NAS
   to send a new AAR message using the existing Session-Id.  The server
   will respond with an AAA message to specify the new service
   parameters.

   If accounting is active, every change of authentication or
   authorization SHOULD generate an accounting message.  If the NAS
   service is a continuation of the prior user context, then an
   Accounting-Record-Type of INTERIM_RECORD indicating the new session
   attributes and cumulative status would be appropriate.
   If a new user or a significant change in authorization is detected
   by the NAS, then the service may send two messages of the types
   STOP_RECORD and START_RECORD.  Accounting may change the subsession
   identifiers (Acct-Session-ID, or Acct-Sub-Session-Id) to indicate
   such sub-sessions.  A service may also use a different Session-Id
   value for accounting (see Section 9.6 of [RFC6733]).

   However, the Diameter Session-ID AVP value used for the initial
   authorization exchange MUST be used to generate an STR message when
   the session context is terminated.

2.3.  Diameter Session Termination

   When a NAS receives an indication that a user's session is being
   disconnected by the client (e.g., an LCP Terminate-Request message
   [RFC1661] is received) or an administrative command, the NAS MUST
   issue a Session-Termination-Request (STR) [RFC6733] to its Diameter
   Server.  This will ensure that any resources maintained on the
   servers are freed appropriately.

   Furthermore, a NAS that receives an Abort-Session-Request (ASR)
   [RFC6733] MUST issue an Abort-Session-Answer (ASA) if the session
   identified is active and disconnect the PPP (or tunneling) session.

   If accounting is active, an Accounting STOP_RECORD message [RFC6733]
   MUST be sent upon termination of the session context.

   More information on Diameter Session Termination can be found in
   Sections 8.4 and 8.5 of [RFC6733].

3.  Diameter NAS Application Messages

   This section defines the Diameter message Command-Code [RFC6733]
   values that MUST be supported by all Diameter implementations
   conforming to this specification.  The Command Codes are as follows:

   +-----------------------------+---------+------+--------------+
   | Command Name                | Abbrev. | Code | Reference    |
   +-----------------------------+---------+------+--------------+
   | AA-Request                  | AAR     | 265  | Section 3.1  |
   | AA-Answer                   | AAA     | 265  | Section 3.2  |
   | Re-Auth-Request             | RAR     | 258  | Section 3.3  |
   | Re-Auth-Answer              | RAA     | 258  | Section 3.4  |
   | Session-Termination-Request | STR     | 275  | Section 3.5  |
   | Session-Termination-Answer  | STA     | 275  | Section 3.6  |
   | Abort-Session-Request       | ASR     | 274  | Section 3.7  |
   | Abort-Session-Answer        | ASA     | 274  | Section 3.8  |
   | Accounting-Request          | ACR     | 271  | Section 3.9  |
   | Accounting-Answer           | ACA     | 271  | Section 3.10 |
   +-----------------------------+---------+------+--------------+

   Note that the message formats in the following sub-sections use the
   standard Diameter Command Code Format ([RFC6733], Section 3.2).

3.1.  AA-Request (AAR) Command

   The AA-Request (AAR), which is indicated by setting the Command-Code
   field to 265 and the 'R' bit in the Command Flags field, is used to
   request authentication and/or authorization for a given NAS user.
   The type of request is identified through the Auth-Request-Type AVP
   [RFC6733].  The recommended value for most situations is
   AUTHORIZE_AUTHENTICATE.

   If Authentication is requested, the User-Name attribute SHOULD be
   present, as well as any additional authentication AVPs that would
   carry the password information.  A request for authorization SHOULD
   only include the information from which the authorization will be
   performed, such as the User-Name, Called-Station-Id, or Calling-
   Station-Id AVPs.  All requests SHOULD contain AVPs uniquely
   identifying the source of the call, such as Origin-Host and NAS-Port.
   Certain networks MAY use different AVPs for authorization purposes.
   A request for authorization will include some AVPs defined in
   Section 4.4.

   It is possible for a single session to be authorized first and then
   for an authentication request to follow.
   This AA-Request message MAY be the result of a multi-round
   authentication exchange, which occurs when the AA-Answer message is
   received with the Result-Code AVP set to DIAMETER_MULTI_ROUND_AUTH.
   A subsequent AAR message SHOULD be sent, with the User-Password AVP
   that includes the user's response to the prompt, and MUST include any
   State AVPs that were present in the AAA message.

   Message Format

      <AA-Request> ::= < Diameter Header: 265, REQ, PXY >
                       < Session-Id >
                       { Auth-Application-Id }
                       { Origin-Host }
                       { Origin-Realm }
                       { Destination-Realm }
                       { Auth-Request-Type }
                       [ Destination-Host ]
                       [ NAS-Identifier ]
                       [ NAS-IP-Address ]
                       [ NAS-IPv6-Address ]
                       [ NAS-Port ]
                       [ NAS-Port-Id ]
                       [ NAS-Port-Type ]
                       [ Origin-AAA-Protocol ]
                       [ Origin-State-Id ]
                       [ Port-Limit ]
                       [ User-Name ]
                       [ User-Password ]
                       [ Service-Type ]
                       [ State ]
                       [ Authorization-Lifetime ]
                       [ Auth-Grace-Period ]
                       [ Auth-Session-State ]
                       [ Callback-Number ]
                       [ Called-Station-Id ]
                       [ Calling-Station-Id ]
                       [ Originating-Line-Info ]
                       [ Connect-Info ]
                       [ CHAP-Auth ]
                       [ CHAP-Challenge ]
                     * [ Framed-Compression ]
                       [ Framed-Interface-Id ]
                       [ Framed-IP-Address ]
                     * [ Framed-IPv6-Prefix ]
                       [ Framed-IP-Netmask ]
                       [ Framed-MTU ]
                       [ Framed-Protocol ]
                       [ ARAP-Password ]
                       [ ARAP-Security ]
                     * [ ARAP-Security-Data ]
                     * [ Login-IP-Host ]
                     * [ Login-IPv6-Host ]
                       [ Login-LAT-Group ]
                       [ Login-LAT-Node ]
                       [ Login-LAT-Port ]
                       [ Login-LAT-Service ]
                     * [ Tunneling ]
                     * [ Proxy-Info ]
                     * [ Route-Record ]
                     * [ AVP ]

                                 Figure 1

3.2.  AA-Answer (AAA) Command

   The AA-Answer (AAA) message is indicated by setting the Command-Code
   field to 265 and clearing the 'R' bit in the Command Flags field.  It
   is sent in response to the AA-Request (AAR) message.
   If authorization was requested, a successful response will include
   the authorization AVPs appropriate for the service being provided, as
   defined in Section 4.4.

   For authentication exchanges requiring more than a single round trip,
   the server MUST set the Result-Code AVP to DIAMETER_MULTI_ROUND_AUTH.
   An AAA message with this result code MAY include one Reply-Message or
   more and MAY include zero or one State AVPs.

   If the Reply-Message AVP was present, the network access server
   SHOULD send the text to the user's client to display to the user,
   instructing the client to prompt the user for a response.  For
   example, this can be achieved in PPP via PAP.  If it is impossible to
   deliver the text prompt to the user, the Diameter NAS Application
   client MUST treat the AA-Answer (AAA) with the Reply-Message AVP as
   an error and deny access.

   Message Format

      <AA-Answer> ::= < Diameter Header: 265, PXY >
                      < Session-Id >
                      { Auth-Application-Id }
                      { Auth-Request-Type }
                      { Result-Code }
                      { Origin-Host }
                      { Origin-Realm }
                      [ User-Name ]
                      [ Service-Type ]
                    * [ Class ]
                    * [ Configuration-Token ]
                      [ Acct-Interim-Interval ]
                      [ Error-Message ]
                      [ Error-Reporting-Host ]
                    * [ Failed-AVP ]
                      [ Idle-Timeout ]
                      [ Authorization-Lifetime ]
                      [ Auth-Grace-Period ]
                      [ Auth-Session-State ]
                      [ Re-Auth-Request-Type ]
                      [ Multi-Round-Time-Out ]
                      [ Session-Timeout ]
                      [ State ]
                    * [ Reply-Message ]
                      [ Origin-AAA-Protocol ]
                      [ Origin-State-Id ]
                    * [ Filter-Id ]
                      [ Password-Retry ]
                      [ Port-Limit ]
                      [ Prompt ]
                      [ ARAP-Challenge-Response ]
                      [ ARAP-Features ]
                      [ ARAP-Security ]
                    * [ ARAP-Security-Data ]
                      [ ARAP-Zone-Access ]
                      [ Callback-Id ]
                      [ Callback-Number ]
                      [ Framed-Appletalk-Link ]
                    * [ Framed-Appletalk-Network ]
                      [ Framed-Appletalk-Zone ]
                    * [ Framed-Compression ]
                      [ Framed-Interface-Id ]
                      [ Framed-IP-Address ]
                    * [ Framed-IPv6-Prefix ]
                      [ Framed-IPv6-Pool ]
                    * [ Framed-IPv6-Route ]
                      [ Framed-IP-Netmask ]
                    * [ Framed-Route ]
                      [ Framed-Pool ]
                      [ Framed-IPX-Network ]
                      [ Framed-MTU ]
                      [ Framed-Protocol ]
                      [ Framed-Routing ]
                    * [ Login-IP-Host ]
                    * [ Login-IPv6-Host ]
                      [ Login-LAT-Group ]
                      [ Login-LAT-Node ]
                      [ Login-LAT-Port ]
                      [ Login-LAT-Service ]
                      [ Login-Service ]
                      [ Login-TCP-Port ]
                    * [ NAS-Filter-Rule ]
                    * [ QoS-Filter-Rule ]
                    * [ Tunneling ]
                    * [ Redirect-Host ]
                      [ Redirect-Host-Usage ]
                      [ Redirect-Max-Cache-Time ]
                    * [ Proxy-Info ]
                    * [ AVP ]

                                 Figure 2

3.3.  Re-Auth-Request (RAR) Command

   A Diameter server can initiate re-authentication and/or re-
   authorization for a particular session by issuing a Re-Auth-Request
   (RAR) message [RFC6733].

   For example, for pre-paid services, the Diameter server that
   originally authorized a session may need some confirmation that the
   user is still using the services.

   If a NAS receives an RAR message with Session-Id equal to a currently
   active session and a Re-Auth-Request-Type that includes
   authentication, it MUST initiate a re-authentication toward the user,
   if the service supports this particular feature.
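   The message formats in Figures 1 and 2 use the CCF bracket notation
   of [RFC6733]: < > marks a fixed-position AVP, { } a required one,
   [ ] an optional one, and a leading * allows any number of instances.
   The checker below is an added example (not text or code from this
   draft or any Diameter implementation): it parses that notation from
   an abridged copy of Figure 1 and reports which rule a candidate AVP
   list breaks, which is the input validation a NAS or server performs
   before acting on a received command.  The names parse_ccf,
   check_message and AAR_FORMAT are this example's own.

```python
import re
from collections import Counter

# Abridged copy of the AA-Request format in Figure 1 (constructed subset;
# the real figure lists many more optional AVPs).
AAR_FORMAT = """
<AA-Request> ::= < Diameter Header: 265, REQ, PXY >
                 < Session-Id >
                 { Auth-Application-Id }
                 { Origin-Host }
                 { Origin-Realm }
                 { Destination-Realm }
                 { Auth-Request-Type }
                 [ Destination-Host ]
                 [ User-Name ]
                 [ User-Password ]
                 [ State ]
               * [ Framed-IPv6-Prefix ]
               * [ Proxy-Info ]
               * [ Route-Record ]
               * [ AVP ]
"""

# One CCF rule line: optional '*', an opening bracket, the AVP name, a close.
RULE_RE = re.compile(r"^\s*(\*?)\s*([<{\[])\s*([\w-]+)\s*[>}\]]\s*$")


def parse_ccf(text):
    """Return [(avp_name, kind, repeatable)]; kind is fixed/required/optional."""
    rules = []
    for line in text.splitlines():
        # The '::=' line carries the header description, not an AVP rule.
        if "::=" in line or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("not a CCF rule: %r" % line)
        star, bracket, name = m.groups()
        kind = {"<": "fixed", "{": "required", "[": "optional"}[bracket]
        rules.append((name, kind, star == "*"))
    return rules


def check_message(rules, avps):
    """Validate an ordered list of AVP names against parsed CCF rules.

    Returns the list of violations; an empty list means the message conforms.
    """
    problems = []
    # Fixed AVPs must open the message, in the order the format lists them.
    fixed = [name for name, kind, _ in rules if kind == "fixed"]
    if avps[:len(fixed)] != fixed:
        problems.append("fixed AVPs %s must open the message, in order" % fixed)
    counts = Counter(avps)
    for name, kind, repeatable in rules:
        n = counts.get(name, 0)
        if kind != "optional" and n == 0:
            problems.append("missing %s AVP %s" % (kind, name))
        elif n > 1 and not repeatable:
            problems.append("%s appears %d times but is not marked '*'" % (name, n))
    known = {name for name, _, _ in rules}
    if "AVP" not in known:  # no '* [ AVP ]' wildcard: reject anything unlisted
        for name in counts:
            if name not in known:
                problems.append("AVP %s is not permitted by this format" % name)
    return problems
```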
677 Message Format 679 <RAR> ::= < Diameter Header: 258, REQ, PXY > 680 < Session-Id > 681 { Origin-Host } 682 { Origin-Realm } 683 { Destination-Realm } 684 { Destination-Host } 685 { Auth-Application-Id } 686 { Re-Auth-Request-Type } 687 [ User-Name ] 688 [ Origin-AAA-Protocol ] 689 [ Origin-State-Id ] 690 [ NAS-Identifier ] 691 [ NAS-IP-Address ] 692 [ NAS-IPv6-Address ] 693 [ NAS-Port ] 694 [ NAS-Port-Id ] 695 [ NAS-Port-Type ] 696 [ Service-Type ] 697 [ Framed-IP-Address ] 698 [ Framed-IPv6-Prefix ] 699 [ Framed-Interface-Id ] 700 [ Called-Station-Id ] 701 [ Calling-Station-Id ] 702 [ Originating-Line-Info ] 703 [ Acct-Session-Id ] 704 [ Acct-Multi-Session-Id ] 705 [ State ] 706 * [ Class ] 707 [ Reply-Message ] 708 * [ Proxy-Info ] 709 * [ Route-Record ] 710 * [ AVP ] 712 Figure 3 714 3.4. Re-Auth-Answer (RAA) Command 716 The Re-Auth-Answer (RAA) message [RFC6733] is sent in response to the 717 RAR. The Result-Code AVP MUST be present and indicates the 718 disposition of the request. 720 A successful RAA transaction MUST be followed by an AAR message. 722 Message Format 724 <RAA> ::= < Diameter Header: 258, PXY > 725 < Session-Id > 726 { Result-Code } 727 { Origin-Host } 728 { Origin-Realm } 729 [ User-Name ] 730 [ Origin-AAA-Protocol ] 731 [ Origin-State-Id ] 732 [ Error-Message ] 733 [ Error-Reporting-Host ] 734 * [ Failed-AVP ] 735 * [ Redirect-Host ] 736 [ Redirect-Host-Usage ] 737 [ Redirect-Max-Cache-Time ] 738 [ Service-Type ] 739 * [ Configuration-Token ] 740 [ Idle-Timeout ] 741 [ Authorization-Lifetime ] 742 [ Auth-Grace-Period ] 743 [ Re-Auth-Request-Type ] 744 [ State ] 745 * [ Class ] 746 * [ Reply-Message ] 747 [ Prompt ] 748 * [ Proxy-Info ] 749 * [ AVP ] 751 Figure 4 753 3.5. Session-Termination-Request (STR) Command 755 The Session-Termination-Request (STR) message [RFC6733] is sent by 756 the NAS to inform the Diameter Server that an authenticated and/or 757 authorized session is being terminated.
759 Message Format 761 <STR> ::= < Diameter Header: 275, REQ, PXY > 762 < Session-Id > 763 { Origin-Host } 764 { Origin-Realm } 765 { Destination-Realm } 766 { Auth-Application-Id } 767 { Termination-Cause } 769 [ User-Name ] 770 [ Destination-Host ] 771 * [ Class ] 772 [ Origin-AAA-Protocol ] 773 [ Origin-State-Id ] 774 * [ Proxy-Info ] 775 * [ Route-Record ] 776 * [ AVP ] 778 Figure 5 780 3.6. Session-Termination-Answer (STA) Command 782 The Session-Termination-Answer (STA) message [RFC6733] is sent by the 783 Diameter Server to acknowledge the notification that the session has 784 been terminated. The Result-Code AVP MUST be present and MAY contain 785 an indication that an error occurred while the STR was being 786 serviced. 788 Upon sending the STA, the Diameter Server MUST release all resources 789 for the session indicated by the Session-Id AVP. Any intermediate 790 server in the Proxy-Chain MAY also release any resources, if 791 necessary. 793 Message Format 795 <STA> ::= < Diameter Header: 275, PXY > 796 < Session-Id > 797 { Result-Code } 798 { Origin-Host } 799 { Origin-Realm } 800 [ User-Name ] 801 * [ Class ] 802 [ Error-Message ] 803 [ Error-Reporting-Host ] 804 * [ Failed-AVP ] 805 [ Origin-AAA-Protocol ] 806 [ Origin-State-Id ] 807 * [ Redirect-Host ] 808 [ Redirect-Host-Usage ] 809 [ Redirect-Max-Cache-Time ] 810 * [ Proxy-Info ] 811 * [ AVP ] 813 Figure 6 815 3.7. Abort-Session-Request (ASR) Command 816 The Abort-Session-Request (ASR) message [RFC6733] can be sent by any 817 Diameter server to the NAS providing session service to request that 818 the session identified by the Session-Id be stopped.
820 Message Format 822 <ASR> ::= < Diameter Header: 274, REQ, PXY > 823 < Session-Id > 824 { Origin-Host } 825 { Origin-Realm } 826 { Destination-Realm } 827 { Destination-Host } 828 { Auth-Application-Id } 829 [ User-Name ] 830 [ Origin-AAA-Protocol ] 831 [ Origin-State-Id ] 832 [ NAS-Identifier ] 833 [ NAS-IP-Address ] 834 [ NAS-IPv6-Address ] 835 [ NAS-Port ] 836 [ NAS-Port-Id ] 837 [ NAS-Port-Type ] 838 [ Service-Type ] 839 [ Framed-IP-Address ] 840 [ Framed-IPv6-Prefix ] 841 [ Framed-Interface-Id ] 842 [ Called-Station-Id ] 843 [ Calling-Station-Id ] 844 [ Originating-Line-Info ] 845 [ Acct-Session-Id ] 846 [ Acct-Multi-Session-Id ] 847 [ State ] 848 * [ Class ] 849 * [ Reply-Message ] 850 * [ Proxy-Info ] 851 * [ Route-Record ] 852 * [ AVP ] 854 Figure 7 856 3.8. Abort-Session-Answer (ASA) Command 858 The ASA message [RFC6733] is sent in response to the ASR. The 859 Result-Code AVP MUST be present and indicates the disposition of the 860 request. 862 If the session identified by Session-Id in the ASR was successfully 863 terminated, Result-Code is set to DIAMETER_SUCCESS. If the session 864 is not currently active, the Result-Code AVP is set to 865 DIAMETER_UNKNOWN_SESSION_ID. If the access device does not stop the 866 session for any other reason, the Result-Code AVP is set to 867 DIAMETER_UNABLE_TO_COMPLY. 869 Message Format 871 <ASA> ::= < Diameter Header: 274, PXY > 872 < Session-Id > 873 { Result-Code } 874 { Origin-Host } 875 { Origin-Realm } 876 [ User-Name ] 877 [ Origin-AAA-Protocol ] 878 [ Origin-State-Id ] 879 [ State ] 880 [ Error-Message ] 881 [ Error-Reporting-Host ] 882 * [ Failed-AVP ] 883 * [ Redirect-Host ] 884 [ Redirect-Host-Usage ] 885 [ Redirect-Max-Cache-Time ] 886 * [ Proxy-Info ] 887 * [ AVP ] 889 Figure 8 891 3.9. Accounting-Request (ACR) Command 893 The ACR message [RFC6733] is sent by the NAS to report its session 894 information to a target server downstream. 896 The Acct-Application-Id AVP MUST be present.
898 The AVPs listed in the Base protocol specification [RFC6733] MUST be 899 assumed to be present, as appropriate. NAS service-specific 900 accounting AVPs SHOULD be present as described in Section 4.6 and the 901 rest of this specification. 903 Message Format 905 <ACR> ::= < Diameter Header: 271, REQ, PXY > 906 < Session-Id > 907 { Origin-Host } 908 { Origin-Realm } 909 { Destination-Realm } 910 { Accounting-Record-Type } 911 { Accounting-Record-Number } 912 { Acct-Application-Id } 913 [ User-Name ] 914 [ Accounting-Sub-Session-Id ] 915 [ Acct-Session-Id ] 916 [ Acct-Multi-Session-Id ] 917 [ Origin-AAA-Protocol ] 918 [ Origin-State-Id ] 919 [ Destination-Host ] 920 [ Event-Timestamp ] 921 [ Acct-Delay-Time ] 922 [ NAS-Identifier ] 923 [ NAS-IP-Address ] 924 [ NAS-IPv6-Address ] 925 [ NAS-Port ] 926 [ NAS-Port-Id ] 927 [ NAS-Port-Type ] 928 * [ Class ] 929 [ Service-Type ] 930 [ Termination-Cause ] 931 [ Accounting-Input-Octets ] 932 [ Accounting-Input-Packets ] 933 [ Accounting-Output-Octets ] 934 [ Accounting-Output-Packets ] 935 [ Acct-Authentic ] 936 [ Accounting-Auth-Method ] 937 [ Acct-Link-Count ] 938 [ Acct-Session-Time ] 939 [ Acct-Tunnel-Connection ] 940 [ Acct-Tunnel-Packets-Lost ] 941 [ Callback-Id ] 942 [ Callback-Number ] 943 [ Called-Station-Id ] 944 [ Calling-Station-Id ] 945 * [ Connect-Info ] 946 [ Originating-Line-Info ] 947 [ Authorization-Lifetime ] 948 [ Session-Timeout ] 949 [ Idle-Timeout ] 950 [ Port-Limit ] 951 [ Accounting-Realtime-Required ] 952 [ Acct-Interim-Interval ] 953 * [ Filter-Id ] 954 * [ NAS-Filter-Rule ] 955 * [ QoS-Filter-Rule ] 956 [ Framed-AppleTalk-Link ] 957 [ Framed-AppleTalk-Network ] 958 [ Framed-AppleTalk-Zone ] 959 [ Framed-Compression ] 961 [ Framed-Interface-Id ] 962 [ Framed-IP-Address ] 963 [ Framed-IP-Netmask ] 964 * [ Framed-IPv6-Prefix ] 965 [ Framed-IPv6-Pool ] 966 * [ Framed-IPv6-Route ] 967 [ Framed-IPX-Network ] 968 [ Framed-MTU ] 969 [ Framed-Pool ] 970 [ Framed-Protocol ] 971 * [ Framed-Route ] 972 [
Framed-Routing ] 973 * [ Login-IP-Host ] 974 * [ Login-IPv6-Host ] 975 [ Login-LAT-Group ] 976 [ Login-LAT-Node ] 977 [ Login-LAT-Port ] 978 [ Login-LAT-Service ] 979 [ Login-Service ] 980 [ Login-TCP-Port ] 981 * [ Tunneling ] 982 * [ Proxy-Info ] 983 * [ Route-Record ] 984 * [ AVP ] 986 Figure 9 988 3.10. Accounting-Answer (ACA) Command 990 The ACA message [RFC6733] is used to acknowledge an Accounting- 991 Request command. The Accounting-Answer command contains the same 992 Session-Id as the Request. 994 Only the target Diameter Server or home Diameter Server SHOULD 995 respond with the Accounting-Answer command. 997 The Acct-Application-Id AVP MUST be present. 999 The AVPs listed in the Base protocol specification [RFC6733] MUST be 1000 assumed to be present, as appropriate. NAS service-specific 1001 accounting AVPs SHOULD be present as described in Section 4.6 and the 1002 rest of this specification. 1004 Message Format 1006 <ACA> ::= < Diameter Header: 271, PXY > 1007 < Session-Id > 1008 { Result-Code } 1009 { Origin-Host } 1010 { Origin-Realm } 1011 { Accounting-Record-Type } 1012 { Accounting-Record-Number } 1013 { Acct-Application-Id } 1014 [ User-Name ] 1015 [ Accounting-Sub-Session-Id ] 1016 [ Acct-Session-Id ] 1017 [ Acct-Multi-Session-Id ] 1018 [ Event-Timestamp ] 1019 [ Error-Message ] 1020 [ Error-Reporting-Host ] 1021 * [ Failed-AVP ] 1022 [ Origin-AAA-Protocol ] 1023 [ Origin-State-Id ] 1024 [ NAS-Identifier ] 1025 [ NAS-IP-Address ] 1026 [ NAS-IPv6-Address ] 1027 [ NAS-Port ] 1028 [ NAS-Port-Id ] 1029 [ NAS-Port-Type ] 1030 [ Service-Type ] 1031 [ Termination-Cause ] 1032 [ Accounting-Realtime-Required ] 1033 [ Acct-Interim-Interval ] 1034 * [ Class ] 1035 * [ Proxy-Info ] 1036 * [ AVP ] 1038 Figure 10 1040 4. Diameter NAS Application AVPs 1042 The following sections define a new derived AVP data format, a set of 1043 application-specific AVPs and describe the use of AVPs defined in 1044 other documents by the Diameter NAS Application. 1046 4.1.
Derived AVP Data Formats 1048 4.1.1. QoSFilterRule 1050 The QoSFilterRule format is derived from the OctetString AVP Base 1051 Format. It uses the ASCII charset. Packets may be marked or metered 1052 based on the following information: 1054 o Direction (in or out) 1056 o Source and destination IP address (possibly masked) 1057 o Protocol 1059 o Source and destination port (lists or ranges) 1061 o DSCP values (no mask or range) 1063 Rules for the appropriate direction are evaluated in order; the first 1064 matched rule terminates the evaluation. Each packet is evaluated 1065 once. If no rule matches, the packet is treated as best effort. An 1066 access device unable to interpret or apply a QoS rule SHOULD NOT 1067 terminate the session. 1069 QoSFilterRule filters MUST follow the following format: 1071 action dir proto from src to dst [options] 1073 where 1075 action 1077 tag Mark packet with a specific DSCP [RFC2474] 1079 meter Meter traffic 1081 dir The format is as described under IPFilterRule 1082 [RFC6733] 1084 proto The format is as described under IPFilterRule 1085 [RFC6733] 1087 src and dst The format is as described under IPFilterRule 1088 [RFC6733] 1090 The options are described in Section 4.4.9. 1092 The rule syntax is a modified subset of ipfw(8) from FreeBSD, and the 1093 ipfw.c code may provide a useful base for implementations. 1095 4.2. NAS Session AVPs 1097 Diameter reserves the AVP Codes 0 - 255 for RADIUS Attributes that 1098 are implemented in Diameter. 1100 4.2.1. Call and Session Information 1102 This section describes the AVPs specific to Diameter applications 1103 that are needed to identify the call and session context and status 1104 information. On a request, this information allows the server to 1105 qualify the session.
1107 These AVPs are used in addition to the following AVPs from the base 1108 protocol specification [RFC6733]: 1110 Session-Id 1111 Auth-Application-Id 1112 Origin-Host 1113 Origin-Realm 1114 Auth-Request-Type 1115 Termination-Cause 1117 The following table gives the possible flag values for the session 1118 level AVPs. 1120 +-----------+ 1121 | AVP Flag | 1122 | Rules | 1123 |-----+-----+ 1124 |MUST | MUST| 1125 Attribute Name Section Defined | | NOT| 1126 -----------------------------------------|-----+-----| 1127 NAS-Port 4.2.2 | M | V | 1128 NAS-Port-Id 4.2.3 | M | V | 1129 NAS-Port-Type 4.2.4 | M | V | 1130 Called-Station-Id 4.2.5 | M | V | 1131 Calling-Station-Id 4.2.6 | M | V | 1132 Connect-Info 4.2.7 | M | V | 1133 Originating-Line-Info 4.2.8 | M | V | 1134 Reply-Message 4.2.9 | M | V | 1135 -----------------------------------------|-----+-----| 1137 4.2.2. NAS-Port AVP 1139 The NAS-Port AVP (AVP Code 5) is of type Unsigned32 and contains the 1140 physical or virtual port number of the NAS which is authenticating 1141 the user. Note that "port" is meant in its sense as a service 1142 connection on the NAS, not as an IP protocol identifier. 1146 Either the NAS-Port AVP or the NAS-Port-Id AVP (Section 4.2.3) SHOULD 1147 be present in the AA-Request (AAR, Section 3.1) command if the NAS 1148 differentiates among its ports. 1150 4.2.3. NAS-Port-Id AVP 1152 The NAS-Port-Id AVP (AVP Code 87) is of type UTF8String and consists 1153 of 7-bit ASCII text identifying the port of the NAS authenticating 1154 the user. Note that "port" is meant in its sense as a service 1155 connection on the NAS, not as an IP protocol identifier, and hence the format and contents of the string that identifies the port are specific to the NAS implementation. 1157 Either the NAS-Port-Id AVP or the NAS-Port AVP (Section 4.2.2) SHOULD 1158 be present in the AA-Request (AAR, Section 3.1) command if the NAS 1159 differentiates among its ports.
NAS-Port-Id is intended for use by 1160 NASes that cannot conveniently number their ports. 1162 4.2.4. NAS-Port-Type AVP 1164 The NAS-Port-Type AVP (AVP Code 61) is of type Enumerated and 1165 contains the type of the port on which the NAS is authenticating the 1166 user. This AVP SHOULD be present if the NAS uses the same NAS-Port 1167 number ranges for different service types concurrently. 1169 The currently supported values of the NAS-Port-Type AVP are listed in 1170 [RADIUSAttrVals]. 1172 4.2.5. Called-Station-Id AVP 1174 The Called-Station-Id AVP (AVP Code 30) is of type UTF8String and 1175 contains a 7-bit ASCII string sent by the NAS to describe the Layer 2 1176 address the user contacted in the request. For dialup access, this 1177 can be a phone number obtained by using the Dialed Number 1178 Identification Service (DNIS) or a similar technology. Note that 1179 this may be different from the phone number the call comes in on. 1180 For use with IEEE 802 access, the Called-Station-Id MAY contain a MAC 1181 address formatted as described in Congdon, et al. [RFC3580]. 1183 If the Called-Station-Id AVP is present in an AAR message, the Auth- 1184 Request-Type AVP is set to AUTHORIZE_ONLY and the User-Name AVP is 1185 absent, the Diameter Server MAY perform authorization based on this 1186 AVP. This can be used by a NAS to request whether a call should be 1187 answered based on the DNIS result. 1189 Further codification of this field's allowed content and usage is 1190 outside the scope of this specification. 1192 4.2.6. Calling-Station-Id AVP 1193 The Calling-Station-Id AVP (AVP Code 31) is of type UTF8String and 1194 contains a 7-bit ASCII string sent by the NAS to describe the Layer 2 1195 address from which the user connected in the request. For dialup 1196 access, this is the phone number the call came from, using Automatic 1197 Number Identification (ANI) or a similar technology.
For use with 1198 IEEE 802 access, the Calling-Station-Id AVP MAY contain a MAC 1199 address, formatted as described in RFC 3580. 1201 If the Calling-Station-Id AVP is present in an AAR message, the Auth- 1202 Request-Type AVP is set to AUTHORIZE_ONLY and the User-Name AVP is 1203 absent, the Diameter Server MAY perform authorization based on the 1204 value of this AVP. This can be used by a NAS to request whether a 1205 call should be answered based on the Layer 2 address (ANI, MAC 1206 Address, etc.). 1208 Further codification of this field's allowed content and usage is 1209 outside the scope of this specification. 1211 4.2.7. Connect-Info AVP 1213 The Connect-Info AVP (AVP Code 77) is of type UTF8String and is sent 1214 in the AA-Request message or an ACR message with the value of the 1215 Accounting-Record-Type AVP set to STOP. When sent in the AA-Request, 1216 it indicates the nature of the user's connection. The connection 1217 speed SHOULD be included at the beginning of the first Connect-Info 1218 AVP in the message. If the transmit and receive connection speeds 1219 differ, both may be included in the first AVP with the transmit speed 1220 listed first (the speed at which the NAS modem transmits), then a 1221 slash (/), then the receive speed, and then other optional 1222 information. 1224 For example: "28800 V42BIS/LAPM" or "52000/31200 V90" 1226 If sent in an ACR message with the value of the Accounting-Record- 1227 Type AVP set to STOP, this attribute may summarize statistics 1228 relating to session quality. For example, in IEEE 802.11, the 1229 Connect-Info AVP may contain information on the number of link layer 1230 retransmissions. The exact format of this attribute is 1231 implementation specific. 1233 4.2.8. Originating-Line-Info AVP 1235 The Originating-Line-Info AVP (AVP Code 94) is of type OctetString 1236 and is sent by the NAS system to convey information about the origin 1237 of the call from an SS7 system.
1239 The Originating Line Information (OLI) element indicates the nature 1240 and/or characteristics of the line from which a call originated 1241 (e.g., pay phone, hotel, cellular). Telephone companies are starting 1242 to offer OLI to their customers as an option over Primary Rate 1243 Interface (PRI). Internet Service Providers (ISPs) can use OLI in 1244 addition to Called-Station-Id and Calling-Station-Id attributes to 1245 differentiate customer calls and to define different services. 1247 The Value field contains two octets (00 - 99). ANSI T1.113 and 1248 BELLCORE 394 can be used for additional information about these 1249 values and their use. For information on the currently assigned 1250 values, see [ANITypes]. 1252 4.2.9. Reply-Message AVP 1254 The Reply-Message AVP (AVP Code 18) is of type UTF8String and 1255 contains text that MAY be displayed to the user. When used in an AA- 1256 Answer message with a successful Result-Code AVP, it indicates 1257 success. When found in an AAA message with a Result-Code other than 1258 DIAMETER_SUCCESS, the AVP contains a failure message. 1260 The Reply-Message AVP MAY contain text to prompt the user before 1261 another AA-Request attempt. When used in an AA-Answer message 1262 containing a Result-Code AVP with the value DIAMETER_MULTI_ROUND_AUTH 1263 or in a Re-Auth-Request message, it MAY contain text to prompt the 1264 user for a response. 1266 4.3. NAS Authentication AVPs 1268 This section defines the AVPs necessary to carry the authentication 1269 information in the Diameter protocol. The functionality defined here 1270 provides a RADIUS-like AAA service [RFC2865] over a more reliable and 1271 secure transport, as defined in the base protocol [RFC6733]. 1273 The following table gives the possible flag values for the session 1274 level AVPs.
1276 +----------+ 1277 | AVP Flag | 1278 | rules | 1279 |----+-----| 1280 |MUST| MUST| 1281 Attribute Name Section Defined | | NOT| 1282 -----------------------------------------|----+-----| 1283 User-Password 4.3.1 | M | V | 1284 Password-Retry 4.3.2 | M | V | 1285 Prompt 4.3.3 | M | V | 1286 CHAP-Auth 4.3.4 | M | V | 1287 CHAP-Algorithm 4.3.5 | M | V | 1288 CHAP-Ident 4.3.6 | M | V | 1289 CHAP-Response 4.3.7 | M | V | 1290 CHAP-Challenge 4.3.8 | M | V | 1291 ARAP-Password 4.3.9 | M | V | 1292 ARAP-Challenge-Response 4.3.10 | M | V | 1293 ARAP-Security 4.3.11 | M | V | 1294 ARAP-Security-Data 4.3.12 | M | V | 1295 -----------------------------------------|----+-----| 1297 4.3.1. User-Password AVP 1299 The User-Password AVP (AVP Code 2) is of type OctetString and 1300 contains the password of the user to be authenticated, or the user's 1301 input in a multi-round authentication exchange. 1303 The User-Password AVP contains a user password or one-time password 1304 and therefore represents sensitive information. As required by 1305 Fajardo, et al. [RFC6733], Diameter messages are encrypted by using 1306 IPsec [RFC4301] or TLS [RFC5246]. Unless this AVP is used for one- 1307 time passwords, the User-Password AVP SHOULD NOT be used in untrusted 1308 proxy environments without encrypting it by using end-to-end security 1309 techniques. 1311 The clear-text password (prior to encryption) MUST NOT be longer than 1312 128 bytes in length. 1314 4.3.2. Password-Retry AVP 1316 The Password-Retry AVP (AVP Code 75) is of type Unsigned32 and MAY be 1317 included in the AA-Answer if the Result-Code indicates an 1318 authentication failure. The value of this AVP indicates how many 1319 authentication attempts a user is permitted before being 1320 disconnected. This AVP is primarily intended for use when the 1321 Framed-Protocol AVP (Section 4.4.10.1) is set to ARAP. 1323 4.3.3. 
Prompt AVP 1325 The Prompt AVP (AVP Code 76) is of type Enumerated and MAY be present 1326 in the AA-Answer message. When present, it is used by the NAS to 1327 determine whether the user's response, when entered, should be 1328 echoed. 1330 The supported values are listed in [RADIUSAttrVals]. 1332 4.3.4. CHAP-Auth AVP 1334 The CHAP-Auth AVP (AVP Code 402) is of type Grouped and contains the 1335 information necessary to authenticate a user using the PPP Challenge- 1336 Handshake Authentication Protocol (CHAP) [RFC1994]. If the CHAP-Auth 1337 AVP is found in a message, the CHAP-Challenge AVP (Section 4.3.8) 1338 MUST be present as well. The optional AVPs containing the CHAP 1339 response depend upon the value of the CHAP-Algorithm AVP 1340 (Section 4.3.5). The grouped AVP has the following ABNF grammar: 1342 CHAP-Auth ::= < AVP Header: 402 > 1343 { CHAP-Algorithm } 1344 { CHAP-Ident } 1345 [ CHAP-Response ] 1346 * [ AVP ] 1348 4.3.5. CHAP-Algorithm AVP 1350 The CHAP-Algorithm AVP (AVP Code 403) is of type Enumerated and 1351 contains the algorithm identifier used in the computation of the CHAP 1352 response [RFC1994]. The following values are currently supported: 1354 CHAP with MD5 5 1356 The CHAP response is computed by using the procedure described in 1357 [RFC1994]. This algorithm requires that the CHAP-Response AVP 1358 (Section 4.3.7) MUST be present in the CHAP-Auth AVP 1359 (Section 4.3.4). 1361 4.3.6. CHAP-Ident AVP 1363 The CHAP-Ident AVP (AVP Code 404) is of type OctetString and contains 1364 the 1 octet CHAP Identifier used in the computation of the CHAP 1365 response [RFC1994]. 1367 4.3.7. CHAP-Response AVP 1369 The CHAP-Response AVP (AVP Code 405) is of type OctetString and 1370 contains the 16 octet authentication data provided by the user in 1371 response to the CHAP challenge [RFC1994]. 1373 4.3.8.
CHAP-Challenge AVP 1375 The CHAP-Challenge AVP (AVP Code 60) is of type OctetString and 1376 contains the CHAP Challenge sent by the NAS to the CHAP peer 1377 [RFC1994]. 1379 4.3.9. ARAP-Password AVP 1381 The ARAP-Password AVP (AVP Code 70) is of type OctetString and is 1382 only present when the Framed-Protocol AVP (Section 4.4.10.1) is 1383 included in the message and is set to ARAP. This AVP MUST NOT be 1384 present if either the User-Password or the CHAP-Auth AVP is present. 1385 See Rigney, et al. [RFC2869] for more information on the contents of 1386 this AVP. 1388 4.3.10. ARAP-Challenge-Response AVP 1390 The ARAP-Challenge-Response AVP (AVP Code 84) is of type OctetString 1391 and is only present when the Framed-Protocol AVP (Section 4.4.10.1) 1392 is included in the message and is set to ARAP. This AVP contains an 1393 8 octet response to the dial-in client's challenge. The Diameter 1394 server calculates this value by taking the dial-in client's challenge 1395 from the high-order 8 octets of the ARAP-Password AVP and performing 1396 DES encryption on this value with the authenticating user's password 1397 as the key. If the user's password is fewer than 8 octets in length, 1398 the password is padded at the end with NULL octets to a length of 8 1399 before it is used as a key. 1401 4.3.11. ARAP-Security AVP 1403 The ARAP-Security AVP (AVP Code 73) is of type Unsigned32 and MAY be 1404 present in the AA-Answer message if the Framed-Protocol AVP 1405 (Section 4.4.10.1) is set to the value of ARAP, and the Result-Code 1406 AVP ([RFC6733], Section 7.1) is set to DIAMETER_MULTI_ROUND_AUTH. 1407 See RFC 2869 for more information on the contents of this AVP. 1409 4.3.12. 
ARAP-Security-Data AVP 1411 The ARAP-Security-Data AVP (AVP Code 74) is of type OctetString and 1412 MAY be present in the AA-Request or AA-Answer message if the Framed- 1413 Protocol AVP (Section 4.4.10.1) is set to the value of ARAP and the 1414 Result-Code AVP ([RFC6733], Section 7.1) is set to 1415 DIAMETER_MULTI_ROUND_AUTH. This AVP contains the security module 1416 challenge or response associated with the ARAP Security Module 1417 specified in the ARAP-Security AVP (Section 4.3.11). 1419 4.4. NAS Authorization AVPs 1421 This section contains the authorization AVPs supported in the NAS 1422 Application. The Service-Type AVP SHOULD be present in all messages 1423 and, based on its value, additional AVPs defined in this section and 1424 Section 4.5 MAY be present. 1426 The following table gives the possible flag values for the session- 1427 level AVPs. 1429 +----------+ 1430 | AVP Flag | 1431 | rules | 1432 |----+-----| 1433 |MUST| MUST| 1434 Attribute Name Section Defined | | NOT| 1435 -----------------------------------------|----+-----| 1436 Service-Type 4.4.1 | M | V | 1437 Callback-Number 4.4.2 | M | V | 1438 Callback-Id 4.4.3 | M | V | 1439 Idle-Timeout 4.4.4 | M | V | 1440 Port-Limit 4.4.5 | M | V | 1441 NAS-Filter-Rule 4.4.6 | M | V | 1442 Filter-Id 4.4.7 | M | V | 1443 Configuration-Token 4.4.8 | M | V | 1444 QoS-Filter-Rule 4.4.9 | | | 1445 Framed-Protocol 4.4.10.1 | M | V | 1446 Framed-Routing 4.4.10.2 | M | V | 1447 Framed-MTU 4.4.10.3 | M | V | 1448 Framed-Compression 4.4.10.4 | M | V | 1449 Framed-IP-Address 4.4.10.5.1 | M | V | 1450 Framed-IP-Netmask 4.4.10.5.2 | M | V | 1451 Framed-Route 4.4.10.5.3 | M | V | 1452 Framed-Pool 4.4.10.5.4 | M | V | 1453 Framed-Interface-Id 4.4.10.5.5 | M | V | 1454 Framed-IPv6-Prefix 4.4.10.5.6 | M | V | 1455 Framed-IPv6-Route 4.4.10.5.7 | M | V | 1456 Framed-IPv6-Pool 4.4.10.5.8 | M | V | 1457 Framed-IPX-Network 4.4.10.6.1 | M | V | 1458 Framed-Appletalk-Link 4.4.10.7.1 | M | V | 1459 Framed-Appletalk-Network 
4.4.10.7.2 | M | V | 1460 Framed-Appletalk-Zone 4.4.10.7.3 | M | V | 1461 ARAP-Features 4.4.10.8.1 | M | V | 1462 ARAP-Zone-Access 4.4.10.8.2 | M | V | 1463 Login-IP-Host 4.4.11.1 | M | V | 1464 Login-IPv6-Host 4.4.11.2 | M | V | 1465 Login-Service 4.4.11.3 | M | V | 1466 Login-TCP-Port 4.4.11.4.1 | M | V | 1467 Login-LAT-Service 4.4.11.5.1 | M | V | 1468 Login-LAT-Node 4.4.11.5.2 | M | V | 1469 Login-LAT-Group 4.4.11.5.3 | M | V | 1470 Login-LAT-Port 4.4.11.5.4 | M | V | 1471 -----------------------------------------|----+-----| 1473 4.4.1. Service-Type AVP 1475 The Service-Type AVP (AVP Code 6) is of type Enumerated and contains 1476 the type of service the user has requested or the type of service to 1477 be provided. One such AVP MAY be present in an authentication and/or 1478 authorization request or response. A NAS is not required to 1479 implement all of these service types. It MUST treat unknown or 1480 unsupported Service-Types received in a response as a failure and end 1481 the session with a DIAMETER_INVALID_AVP_VALUE Result-Code. 1483 When used in a request, the Service-Type AVP SHOULD be considered a 1484 hint to the server that the NAS believes the user would prefer the 1485 kind of service indicated. The server is not required to honor the 1486 hint. Furthermore, if the service specified by the server is 1487 supported, but not compatible with the current mode of access, the 1488 NAS MUST fail to start the session. The NAS MUST also generate the 1489 appropriate error message(s). 1491 The complete list of defined values that the Service-Type AVP can 1492 take can be found in Rigney, et al. [RFC2865] and the relevant 1493 IANA registry [RADIUSAttrVals], but the following values require 1494 further qualification here: 1496 Login (1) 1498 The user should be connected to a host. The message MAY 1499 include additional AVPs as defined in Section 4.4.11.4 or 1500 Section 4.4.11.5.
1502 Framed (2) 1504 A Framed Protocol, such as PPP or SLIP, should be started 1505 for the User. The message MAY include additional AVPs 1506 defined in Section 4.4.10, or Section 4.5 for tunneling 1507 services. 1509 Callback Login (3) 1511 The user should be disconnected and called back, then 1512 connected to a host. The message MAY include additional 1513 AVPs defined in this Section. 1515 Callback Framed (4) 1517 The user should be disconnected and called back, and then a 1518 Framed Protocol, such as PPP or SLIP, should be started for 1519 the user. The message MAY include additional AVPs defined 1520 in Section 4.4.10, or Section 4.5 for tunneling services. 1522 4.4.2. Callback-Number AVP 1524 The Callback-Number AVP (AVP Code 19) is of type UTF8String and 1525 contains a dialing string to be used for callback, the format of 1526 which is deployment-specific. The Callback-Number AVP MAY be used in 1527 an authentication and/or authorization request as a hint to the 1528 server that a callback service is desired, but the server is not 1529 required to honor the hint in the corresponding response. 1531 Any further codification of this field's allowed usage range is 1532 outside the scope of this specification. 1534 4.4.3. Callback-Id AVP 1536 The Callback-Id AVP (AVP Code 20) is of type UTF8String and contains 1537 the name of a place to be called, to be interpreted by the NAS. This 1538 AVP MAY be present in an authentication and/or authorization 1539 response. 1541 This AVP is not roaming-friendly as it assumes that the Callback-Id 1542 is configured on the NAS. Using the Callback-Number AVP 1543 (Section 4.4.2) is therefore RECOMMENDED. 1545 4.4.4. Idle-Timeout AVP 1547 The Idle-Timeout AVP (AVP Code 28) is of type Unsigned32 and sets the 1548 maximum number of consecutive seconds of idle connection allowable to 1549 the user before termination of the session or before a prompt is 1550 issued. The default is none, or system specific. 1552 4.4.5. 
Port-Limit AVP 1554 The Port-Limit AVP (AVP Code 62) is of type Unsigned32 and sets the 1555 maximum number of ports the NAS provides to the user. It MAY be used 1556 in an authentication and/or authorization request as a hint to the 1557 server that multilink PPP [RFC1990] service is desired, but the 1558 server is not required to honor the hint in the corresponding 1559 response. 1561 4.4.6. NAS-Filter-Rule AVP 1562 The NAS-Filter-Rule AVP (AVP Code 400) is of type IPFilterRule and 1563 provides filter rules that need to be configured on the NAS for the 1564 user. One or more of these AVPs MAY be present in an authorization 1565 response. 1567 4.4.7. Filter-Id AVP 1569 The Filter-Id AVP (AVP Code 11) is of type UTF8String and contains 1570 the name of the filter list for this user. It is intended to be 1571 human-readable. Zero or more Filter-Id AVPs MAY be sent in an 1572 authorization answer message. 1574 Identifying a filter list by name allows the filter to be used on 1575 different NASes without regard to filter-list implementation details. 1576 However, this AVP is not roaming-friendly, as filter naming differs 1577 from one service provider to another. 1579 In environments where backward compatibility with RADIUS is not 1580 required, it is RECOMMENDED that the NAS-Filter-Rule AVP 1581 (Section 4.4.6) be used instead. 1583 4.4.8. Configuration-Token AVP 1585 The Configuration-Token AVP (AVP Code 78) is of type OctetString and 1586 is sent by a Diameter Server to a Diameter Proxy Agent in an AA- 1587 Answer command to indicate a type of user profile to be used. It 1588 should not be sent to a Diameter Client (NAS). 1590 The format of the Data field of this AVP is site specific. 1592 4.4.9. QoS-Filter-Rule AVP 1594 The QoS-Filter-Rule AVP (AVP Code 407) is of type QoSFilterRule 1595 (Section 4.1.1) and provides QoS filter rules that need to be 1596 configured on the NAS for the user. One or more such AVPs MAY be 1597 present in an authorization response. 
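The rule grammar of Section 4.1.1 and the DSCP and metering options of Section 4.4.9, as an added example in Python that is not part of this draft: a strict parser for the "action dir proto from src to dst [options]" form, a loader that reports and skips any rule the access device cannot interpret instead of terminating the session, and a first-match classifier that returns the codepoint (or "drop") and falls back to best effort when no rule matches. The codepoint keyword set, the sample rules and the sample packets are constructed for the example; protocol names other than "ip" are not resolved.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed keyword set for DSCP / color_under / color_over: RFC 2474 class
# selectors, RFC 2597 AF classes, RFC 3246 EF, and BE for best effort.
DSCP_NAMES = ({f"CS{i}" for i in range(8)} | {"BE", "EF"}
              | {f"AF{c}{d}" for c in range(1, 5) for d in range(1, 4)})

@dataclass(frozen=True)
class Endpoint:
    address: str                        # 'any', 'assigned' or an IP prefix
    ports: Tuple[Tuple[int, int], ...]  # (low, high) ranges; () = any port

    def matches(self, ip: str, port: int, assigned: str) -> bool:
        # 'assigned' is the address the NAS gave this session
        hit = (ip == assigned if self.address == "assigned" else self.address == "any"
               or ipaddress.ip_address(ip) in ipaddress.ip_network(self.address, strict=False))
        return hit and (not self.ports or any(lo <= port <= hi for lo, hi in self.ports))

@dataclass(frozen=True)
class QoSRule:
    action: str                 # 'tag' or 'meter'
    direction: str              # 'in' or 'out'
    proto: Optional[int]        # None for 'ip' (any protocol)
    src: Endpoint
    dst: Endpoint
    dscp: Optional[str] = None  # tag: codepoint to mark with
    rate: Optional[int] = None  # meter: bits per second
    color_under: Optional[str] = None
    color_over: Optional[str] = None  # codepoint, or 'drop'

def _parse_ports(text: str) -> Tuple[Tuple[int, int], ...]:
    """'80,443' -> ((80, 80), (443, 443)); '1024-65535' -> ((1024, 65535),)."""
    ranges = tuple((int(lo), int(hi or lo))
                   for lo, _, hi in (item.partition("-") for item in text.split(",")))
    if any(not 0 <= lo <= hi <= 65535 for lo, hi in ranges):
        raise ValueError(f"bad port spec {text!r}")
    return ranges

def _parse_endpoint(tokens):
    """'address [ports]'; returns the Endpoint and the unconsumed tokens."""
    addr, rest = tokens[0], list(tokens[1:])
    if addr not in ("any", "assigned"):
        ipaddress.ip_network(addr, strict=False)  # ValueError if not an address/prefix
    ports = _parse_ports(rest.pop(0)) if rest and rest[0][:1].isdigit() else ()
    return Endpoint(addr, ports), rest

def parse_qos_filter_rule(rule: str) -> QoSRule:
    """action dir proto from src to dst [DSCP c] [metering rate cu co]"""
    t = rule.split()
    if len(t) < 7 or t[3] != "from" or "to" not in t[5:]:
        raise ValueError("expected 'action dir proto from src to dst'")
    action, direction, proto = t[:3]
    if action not in ("tag", "meter") or direction not in ("in", "out"):
        raise ValueError(f"bad action/direction {action!r} {direction!r}")
    proto_num = None if proto == "ip" else int(proto)  # names other than 'ip' not resolved
    to = t.index("to", 5)
    src, extra = _parse_endpoint(t[4:to])
    if extra:
        raise ValueError(f"unexpected tokens before 'to': {extra}")
    dst, opts = _parse_endpoint(t[to + 1:])
    dscp = rate = under = over = None
    while opts:                       # a truncated option raises IndexError
        key = opts.pop(0)
        if key == "DSCP":
            dscp = opts.pop(0)
            if dscp not in DSCP_NAMES:
                raise ValueError(f"bad codepoint {dscp!r}")
        elif key == "metering":
            rate, under, over = int(opts.pop(0)), opts.pop(0), opts.pop(0)
            if under not in DSCP_NAMES or (over != "drop" and over not in DSCP_NAMES):
                raise ValueError("bad metering colors")
        else:
            raise ValueError(f"unknown option {key!r}")
    if (action == "tag" and dscp is None) or (action == "meter" and rate is None):
        raise ValueError("tag requires DSCP, meter requires metering")
    return QoSRule(action, direction, proto_num, src, dst, dscp, rate, under, over)

def load_rules(avp_values):
    """Parse each QoS-Filter-Rule value. Rules the device cannot interpret are
    reported and skipped; the session is not torn down over them."""
    accepted, rejected = [], []
    for text in avp_values:
        try:
            accepted.append(parse_qos_filter_rule(text))
        except (ValueError, IndexError) as exc:
            rejected.append((text, str(exc)))
    return accepted, rejected

def classify(rules, direction, proto, src_ip, src_port, dst_ip, dst_port, assigned, bps):
    """First matching rule for the packet's direction decides the codepoint
    (or 'drop'); with no match the packet is treated as best effort."""
    for r in rules:
        if r.direction != direction or (r.proto is not None and r.proto != proto):
            continue
        if r.src.matches(src_ip, src_port, assigned) and r.dst.matches(dst_ip, dst_port, assigned):
            if r.action == "tag":
                return r.dscp
            return r.color_under if bps <= r.rate else r.color_over
    return "BE"
```

The loader deliberately never raises: per Section 4.1.1 an access device that cannot apply a rule keeps the session up, so a malformed AVP from a server or proxy degrades the packet to best effort rather than denying service. Unlike IPFilterRule, no negation or fragment options are accepted here; anything outside the grammar above is rejected rather than guessed at.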
   The use of this AVP is NOT RECOMMENDED; the AVPs defined by Korhonen,
   et al. [RFC5777] SHOULD be used instead.

   The following options are defined for the QoSFilterRule filters:

   DSCP

      If action is set to tag (Section 4.1.1) this option MUST be
      included in the rule.

      Color values are defined in Nichols, et al. [RFC2474].  Exact
      matching of DSCP values is required (no masks or ranges).

   metering

      The metering option provides Assured Forwarding, as defined in
      Heinanen, et al. [RFC2597], and MUST be present if the action
      is set to meter (Section 4.1.1).  The rate option is the
      throughput, in bits per second, used by the access device to
      mark packets.  Traffic over the rate is marked with the
      color_over codepoint, and traffic under the rate is marked with
      the color_under codepoint.  The color_under and color_over
      options contain the drop preferences and MUST conform to the
      recommended codepoint keywords described in RFC 2597 (e.g.,
      AF13).

      The metering option also supports the strict limit on traffic
      required by Expedited Forwarding, as defined in Davie, et
      al. [RFC3246].  The color_over option may contain the keyword
      "drop" to prevent forwarding of traffic that exceeds the rate
      parameter.

4.4.10.  Framed Access Authorization AVPs

   This section lists the authorization AVPs necessary to support framed
   access, such as PPP and SLIP.  AVPs defined in this section MAY be
   present in a message if the Service-Type AVP was set to "Framed" or
   "Callback Framed".

4.4.10.1.  Framed-Protocol AVP

   The Framed-Protocol AVP (AVP Code 7) is of type Enumerated and
   contains the framing to be used for framed access.  This AVP MAY be
   present in both requests and responses.  The supported values are
   listed in [RADIUSAttrVals].

4.4.10.2.
Framed-Routing AVP

   The Framed-Routing AVP (AVP Code 10) is of type Enumerated and
   contains the routing method for the user when the user is a router to
   a network.  This AVP SHOULD only be present in authorization
   responses.  The supported values are listed in [RADIUSAttrVals].

4.4.10.3.  Framed-MTU AVP

   The Framed-MTU AVP (AVP Code 12) is of type Unsigned32 and contains
   the Maximum Transmission Unit (MTU) to be configured for the user,
   when it is not negotiated by some other means (such as PPP).  This
   AVP SHOULD only be present in authorization responses.  The MTU value
   MUST be in the range from 64 to 65535.

4.4.10.4.  Framed-Compression AVP

   The Framed-Compression AVP (AVP Code 13) is of type Enumerated and
   contains the compression protocol to be used for the link.  It MAY be
   used in an authorization request as a hint to the server that a
   specific compression type is desired, but the server is not required
   to honor the hint in the corresponding response.

   More than one compression protocol AVP MAY be sent.  The NAS is
   responsible for applying the proper compression protocol to the
   appropriate link traffic.

   The supported values are listed in [RADIUSAttrVals].

4.4.10.5.  IP Access Authorization AVPs

   The AVPs defined in this section are used when the user requests, or
   is being granted, access service to IP.

4.4.10.5.1.  Framed-IP-Address AVP

   The Framed-IP-Address AVP (AVP Code 8) [RFC2865] is of type
   OctetString and contains an IPv4 address of the type specified in the
   attribute value to be configured for the user.  It MAY be used in an
   authorization request as a hint to the server that a specific address
   is desired, but the server is not required to honor the hint in the
   corresponding response.

   Two values have special significance: 0xFFFFFFFF and 0xFFFFFFFE.
   The value 0xFFFFFFFF indicates that the NAS should allow the user to
   select an address (i.e., negotiated).  The value 0xFFFFFFFE indicates
   that the NAS should select an address for the user (e.g., assigned
   from a pool of addresses kept by the NAS).

4.4.10.5.2.  Framed-IP-Netmask AVP

   The Framed-IP-Netmask AVP (AVP Code 9) is of type OctetString and
   contains the four octets of the IPv4 netmask to be configured for the
   user when the user is a router to a network.  It MAY be used in an
   authorization request as a hint to the server that a specific netmask
   is desired, but the server is not required to honor the hint in the
   corresponding response.  This AVP MUST be present in a response if
   the request included this AVP with a value of 0xFFFFFFFF.

4.4.10.5.3.  Framed-Route AVP

   The Framed-Route AVP (AVP Code 22) is of type UTF8String and contains
   the 7-bit ASCII routing information to be configured for the user on
   the NAS.  Zero or more of these AVPs MAY be present in an
   authorization response.

   The string MUST contain a destination prefix in dotted quad form
   optionally followed by a slash and a decimal length specifier stating
   how many high-order bits of the prefix should be used.  This is
   followed by a space, a gateway address in dotted quad form, a space,
   and one or more metrics separated by spaces; for example,

      "192.0.2.0/24 192.0.2.1 1"

   The length specifier may be omitted, in which case it should default
   to 8 bits for class A prefixes, to 16 bits for class B prefixes, and
   to 24 bits for class C prefixes; for example,

      "192.0.2.0 192.0.2.1 1"

   Whenever the gateway address is specified as "0.0.0.0" the IP address
   of the user SHOULD be used as the gateway address.

4.4.10.5.4.
Framed-Pool AVP

   The Framed-Pool AVP (AVP Code 88) is of type OctetString and contains
   the name of an assigned address pool that SHOULD be used to assign an
   address for the user.  If a NAS does not support multiple address
   pools, the NAS SHOULD ignore this AVP.  Address pools are usually
   used for IP addresses but can be used for other protocols if the NAS
   supports pools for those protocols.

   Although specified as type OctetString for compatibility with RADIUS
   [RFC2869], the encoding of the Data field SHOULD also conform to the
   rules for the UTF8String Data Format.

4.4.10.5.5.  Framed-Interface-Id AVP

   The Framed-Interface-Id AVP (AVP Code 96) is of type Unsigned64 and
   contains the IPv6 interface identifier to be configured for the user.
   It MAY be used in authorization requests as a hint to the server that
   a specific interface id is desired, but the server is not required to
   honor the hint in the corresponding response.

4.4.10.5.6.  Framed-IPv6-Prefix AVP

   The Framed-IPv6-Prefix AVP (AVP Code 97) is of type OctetString and
   contains the IPv6 prefix to be configured for the user.  One or more
   AVPs MAY be used in authorization requests as a hint to the server
   that specific IPv6 prefixes are desired, but the server is not
   required to honor the hint in the corresponding response.

4.4.10.5.7.  Framed-IPv6-Route AVP

   The Framed-IPv6-Route AVP (AVP Code 99) is of type UTF8String and
   contains the ASCII routing information to be configured for the user
   on the NAS.  Zero or more of these AVPs MAY be present in an
   authorization response.

   The string MUST contain an IPv6 address prefix followed by a slash
   and a decimal length specifier stating how many high order bits of
   the prefix should be used.
   This is followed by a space, a gateway address in hexadecimal
   notation, a space, and one or more metrics separated by spaces; for
   example,

      "2001:db8::/32 2001:db8:106:a00:20ff:fe99:a998 1"

   Whenever the gateway address is the IPv6 unspecified address, the IP
   address of the user SHOULD be used as the gateway address, such as
   in:

      "2001:db8::/32 :: 1"

4.4.10.5.8.  Framed-IPv6-Pool AVP

   The Framed-IPv6-Pool AVP (AVP Code 100) is of type OctetString and
   contains the name of an assigned pool that SHOULD be used to assign
   an IPv6 prefix for the user.  If the access device does not support
   multiple prefix pools, it MUST ignore this AVP.

   Although specified as type OctetString for compatibility with RADIUS
   [RFC3162], the encoding of the Data field SHOULD also conform to the
   rules for the UTF8String Data Format.

4.4.10.6.  IPX Access AVPs

   The AVPs defined in this section are used when the user requests, or
   is being granted, access to an IPX network service [IPX].

4.4.10.6.1.  Framed-IPX-Network AVP

   The Framed-IPX-Network AVP (AVP Code 23) is of type Unsigned32 and
   contains the IPX Network number to be configured for the user.  It
   MAY be used in an authorization request as a hint to the server that
   a specific address is desired, but the server is not required to
   honor the hint in the corresponding response.

   Two addresses have special significance: 0xFFFFFFFF and 0xFFFFFFFE.
   The value 0xFFFFFFFF indicates that the NAS should allow the user to
   select an address (i.e., Negotiated).  The value 0xFFFFFFFE indicates
   that the NAS should select an address for the user (e.g., assign it
   from a pool of one or more IPX networks kept by the NAS).

4.4.10.7.  AppleTalk Network Access AVPs

   The AVPs defined in this section are used when the user requests, or
   is being granted, access to an AppleTalk network [AppleTalk].

4.4.10.7.1.
Framed-AppleTalk-Link AVP

   The Framed-AppleTalk-Link AVP (AVP Code 37) is of type Unsigned32 and
   contains the AppleTalk network number that should be used for the
   serial link to the user, which is another AppleTalk router.  This AVP
   MUST only be present in an authorization response and is never used
   when the user is not another router.

   Despite the size of the field, values range from 0 to 65,535.  The
   special value of 0 indicates an unnumbered serial link.  A value of 1
   to 65,535 means that the serial line between the NAS and the user
   should be assigned that value as an AppleTalk network number.

4.4.10.7.2.  Framed-AppleTalk-Network AVP

   The Framed-AppleTalk-Network AVP (AVP Code 38) is of type Unsigned32
   and contains the AppleTalk Network number that the NAS should probe
   to allocate an AppleTalk node for the user.  This AVP MUST only be
   present in an authorization response and is never used when the user
   is not another router.  Multiple instances of this AVP indicate that
   the NAS may probe, using any of the network numbers specified.

   Despite the size of the field, values range from 0 to 65,535.  The
   special value 0 indicates that the NAS should assign a network for
   the user, using its default cable range.  A value between 1 and
   65,535 (inclusive) indicates to the AppleTalk Network that the NAS
   should probe to find an address for the user.

4.4.10.7.3.  Framed-AppleTalk-Zone AVP

   The Framed-AppleTalk-Zone AVP (AVP Code 39) is of type OctetString
   and contains the AppleTalk Default Zone to be used for this user.
   This AVP MUST only be present in an authorization response.  Multiple
   instances of this AVP in the same message are not allowed.

   The codification of this field's allowed range is outside the scope
   of this specification.

4.4.10.8.
AppleTalk Remote Access AVPs

   The AVPs defined in this section are used when the user requests, or
   is being granted, access to the AppleTalk network via the AppleTalk
   Remote Access Protocol [ARAP].  They are only present if the
   Framed-Protocol AVP (Section 4.4.10.1) is set to ARAP.  Section 2.2
   of RFC 2869 describes the operational use of these attributes.

4.4.10.8.1.  ARAP-Features AVP

   The ARAP-Features AVP (AVP Code 71) is of type OctetString and MAY be
   present in the AA-Accept message if the Framed-Protocol AVP is set to
   the value of ARAP.  See RFC 2869 for more information about the
   format of this AVP.

4.4.10.8.2.  ARAP-Zone-Access AVP

   The ARAP-Zone-Access AVP (AVP Code 72) is of type Enumerated and MAY
   be present in the AA-Accept message if the Framed-Protocol AVP is set
   to the value of ARAP.

   The supported values are listed in [RADIUSAttrVals] and defined in
   RFC 2869.

4.4.11.  Non-Framed Access Authorization AVPs

   This section contains the authorization AVPs that are needed to
   support terminal server functionality.  AVPs defined in this section
   MAY be present in a message if the Service-Type AVP was set to
   "Login" or "Callback Login".

4.4.11.1.  Login-IP-Host AVP

   The Login-IP-Host AVP (AVP Code 14) [RFC2865] is of type OctetString
   and contains the IPv4 address of a host with which to connect the
   user when the Login-Service AVP is included.  It MAY be used in an
   AA-Request command as a hint to the Diameter Server that a specific
   host is desired, but the Diameter Server is not required to honor the
   hint in the AA-Answer.

   Two addresses have special significance: all ones and 0.  The value
   of all ones indicates that the NAS SHOULD allow the user to select an
   address.  The value 0 indicates that the NAS SHOULD select a host to
   connect the user to.

4.4.11.2.
Login-IPv6-Host AVP

   The Login-IPv6-Host AVP (AVP Code 98) [RFC3162] is of type
   OctetString and contains the IPv6 address of a host with which to
   connect the user when the Login-Service AVP is included.  It MAY be
   used in an AA-Request command as a hint to the Diameter Server that a
   specific host is desired, but the Diameter Server is not required to
   honor the hint in the AA-Answer.

   Two addresses have special significance,
   0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF and 0.  The value
   0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF indicates that the NAS SHOULD
   allow the user to select an address.  The value 0 indicates that the
   NAS SHOULD select a host to connect the user to.

4.4.11.3.  Login-Service AVP

   The Login-Service AVP (AVP Code 15) is of type Enumerated and
   contains the service that should be used to connect the user to the
   login host.  This AVP SHOULD only be present in authorization
   responses.  The supported values are listed in RFC 2869.

4.4.11.4.  TCP Services

   The AVP described in the following section MAY be present if the
   Login-Service AVP is set to Telnet, Rlogin, TCP Clear, or TCP Clear
   Quiet.

4.4.11.4.1.  Login-TCP-Port AVP

   The Login-TCP-Port AVP (AVP Code 16) is of type Unsigned32 and
   contains the TCP port with which the user is to be connected when the
   Login-Service AVP is also present.  This AVP SHOULD only be present
   in authorization responses.  The value MUST NOT be greater than
   65,535.

4.4.11.5.  LAT Services

   The AVPs described in this section MAY be present if the
   Login-Service AVP is set to LAT [LAT].

4.4.11.5.1.  Login-LAT-Service AVP

   The Login-LAT-Service AVP (AVP Code 34) is of type OctetString and
   contains the system with which the user is to be connected by LAT.
   It MAY be used in an authorization request as a hint to the server
   that a specific service is desired, but the server is not required to
   honor the hint in the corresponding response.  This AVP MUST only be
   present in the response if the Login-Service AVP states that LAT is
   desired.

   Administrators use this service attribute when dealing with clustered
   systems.  In these environments, several different time-sharing hosts
   share the same resources (disks, printers, etc.), and administrators
   often configure each host to offer access (service) to each of the
   shared resources.  In this case, each host in the cluster advertises
   its services through LAT broadcasts.

   Sophisticated users often know which service providers (machines) are
   faster and tend to use a node name when initiating a LAT connection.
   Some administrators want particular users to use certain machines as
   a primitive form of load balancing (although LAT knows how to do load
   balancing itself).

   The String field contains the identity of the LAT service to use.
   The LAT Architecture allows this string to contain $ (dollar), -
   (hyphen), . (period), _ (underscore), numerics, upper- and lowercase
   alphabetics, and the ISO Latin-1 character set extension
   [ISO.8859-1.1987].  All LAT string comparisons are case insensitive.

4.4.11.5.2.  Login-LAT-Node AVP

   The Login-LAT-Node AVP (AVP Code 35) is of type OctetString and
   contains the Node with which the user is to be automatically
   connected by LAT.  It MAY be used in an authorization request as a
   hint to the server that a specific LAT node is desired, but the
   server is not required to honor the hint in the corresponding
   response.  This AVP MUST only be present in a response if the
   Login-Service-Type AVP is set to LAT.

   The String field contains the identity of the LAT service to use.
   The LAT Architecture allows this string to contain $ (dollar), -
   (hyphen), . (period), _ (underscore), numerics, upper- and lowercase
   alphabetics, and the ISO Latin-1 character set extension
   [ISO.8859-1.1987].  All LAT string comparisons are case insensitive.

4.4.11.5.3.  Login-LAT-Group AVP

   The Login-LAT-Group AVP (AVP Code 36) is of type OctetString and
   contains a string identifying the LAT group codes this user is
   authorized to use.  It MAY be used in an authorization request as a
   hint to the server that a specific group is desired, but the server
   is not required to honor the hint in the corresponding response.
   This AVP MUST only be present in a response if the Login-Service-Type
   AVP is set to LAT.

   LAT supports 256 different group codes, which LAT uses as a form of
   access rights.  LAT encodes the group codes as a 256-bit bitmap.

   Administrators can assign one or more of the group code bits at the
   LAT service provider; it will only accept LAT connections that have
   these group codes set in the bitmap.  The administrators assign a
   bitmap of authorized group codes to each user.  LAT gets these from
   the operating system and uses them in its requests to the service
   providers.

   The codification of the range of allowed usage of this field is
   outside the scope of this specification.

4.4.11.5.4.  Login-LAT-Port AVP

   The Login-LAT-Port AVP (AVP Code 63) is of type OctetString and
   contains the Port with which the user is to be connected by LAT.  It
   MAY be used in an authorization request as a hint to the server that
   a specific port is desired, but the server is not required to honor
   the hint in the corresponding response.  This AVP MUST only be
   present in a response if the Login-Service-Type AVP is set to LAT.

   The String field contains the identity of the LAT service to use.
   The LAT Architecture allows this string to contain $ (dollar), -
   (hyphen), . (period), _ (underscore), numerics, upper- and lower-case
   alphabetics, and the ISO Latin-1 character set extension
   [ISO.8859-1.1987].

   All LAT string comparisons are case insensitive.

4.5.  NAS Tunneling AVPs

   Some NASes support compulsory tunnel services in which the incoming
   connection data is conveyed by an encapsulation method to a gateway
   elsewhere in the network.  This is typically transparent to the
   service user, and the tunnel characteristics may be described by the
   remote AAA server, based on the user's authorization information.
   Several tunnel characteristics may be returned, and the NAS
   implementation may choose one.  See Zorn, et al. [RFC2868] and Zorn,
   Aboba & Mitton [RFC2867] for further information.

   The following table gives the possible flag values for the session
   level AVPs and specifies whether the AVP MAY be encrypted.

                                            +----------+
                                            | AVP Flag |
                                            |  rules   |
                                            |----+-----|
                                            |MUST| MUST|
   Attribute Name         Section Defined   |    | NOT |
   -----------------------------------------|----+-----|
   Tunneling                 4.5.1          | M  |  V  |
   Tunnel-Type               4.5.2          | M  |  V  |
   Tunnel-Medium-Type        4.5.3          | M  |  V  |
   Tunnel-Client-Endpoint    4.5.4          | M  |  V  |
   Tunnel-Server-Endpoint    4.5.5          | M  |  V  |
   Tunnel-Password           4.5.6          | M  |  V  |
   Tunnel-Private-Group-Id   4.5.7          | M  |  V  |
   Tunnel-Assignment-Id      4.5.8          | M  |  V  |
   Tunnel-Preference         4.5.9          | M  |  V  |
   Tunnel-Client-Auth-Id     4.5.10         | M  |  V  |
   Tunnel-Server-Auth-Id     4.5.11         | M  |  V  |
   -----------------------------------------|----+-----|

4.5.1.  Tunneling AVP

   The Tunneling AVP (AVP Code 401) is of type Grouped and contains the
   following AVPs, used to describe a compulsory tunnel service
   ([RFC2868], [RFC2867]).
   Its data field has the following ABNF grammar:

      Tunneling ::= < AVP Header: 401 >
                    { Tunnel-Type }
                    { Tunnel-Medium-Type }
                    { Tunnel-Client-Endpoint }
                    { Tunnel-Server-Endpoint }
                    [ Tunnel-Preference ]
                    [ Tunnel-Client-Auth-Id ]
                    [ Tunnel-Server-Auth-Id ]
                    [ Tunnel-Assignment-Id ]
                    [ Tunnel-Password ]
                    [ Tunnel-Private-Group-Id ]

4.5.2.  Tunnel-Type AVP

   The Tunnel-Type AVP (AVP Code 64) is of type Enumerated and contains
   the tunneling protocol(s) to be used (in the case of a tunnel
   initiator) or in use (in the case of a tunnel terminator).  It MAY be
   used in an authorization request as a hint to the server that a
   specific tunnel type is desired, but the server is not required to
   honor the hint in the corresponding response.

   The Tunnel-Type AVP SHOULD also be included in ACR messages.

   A tunnel initiator is not required to implement any of these tunnel
   types.  If a tunnel initiator receives a response that contains only
   unknown or unsupported Tunnel-Types, the tunnel initiator MUST behave
   as though a response were received with the Result-Code indicating a
   failure.

   The supported values are listed in [RADIUSAttrVals].

4.5.3.  Tunnel-Medium-Type AVP

   The Tunnel-Medium-Type AVP (AVP Code 65) is of type Enumerated and
   contains the transport medium to use when creating a tunnel for
   protocols (such as L2TP [RFC3931]) that can operate over multiple
   transports.  It MAY be used in an authorization request as a hint to
   the server that a specific medium is desired, but the server is not
   required to honor the hint in the corresponding response.

   The supported values are listed in [RADIUSAttrVals].

4.5.4.  Tunnel-Client-Endpoint AVP

   The Tunnel-Client-Endpoint AVP (AVP Code 66) is of type UTF8String
   and contains the address of the initiator end of the tunnel.
   It MAY be used in an authorization request as a hint to the server
   that a specific endpoint is desired, but the server is not required
   to honor the hint in the corresponding response.  This AVP SHOULD be
   included in the corresponding ACR messages, in which case it
   indicates the address from which the tunnel was initiated.  This AVP,
   along with the Tunnel-Server-Endpoint (Section 4.5.5) and Session-Id
   AVPs ([RFC6733], Section 8.8), can be used to provide a globally
   unique means to identify a tunnel for accounting and auditing
   purposes.

   If the value of the Tunnel-Medium-Type AVP (Section 4.5.3) is IPv4
   (1), then this string is either the fully qualified domain name
   (FQDN) of the tunnel client machine, or a "dotted-decimal" IP
   address.  Implementations MUST support the dotted-decimal format and
   SHOULD support the FQDN format for IP addresses.

   If Tunnel-Medium-Type is IPv6 (2), then this string is either the
   FQDN of the tunnel client machine, or a text representation of the
   address in either the preferred or alternate form [RFC3516].
   Conforming implementations MUST support the preferred form and SHOULD
   support both the alternate text form and the FQDN format for IPv6
   addresses.

   If Tunnel-Medium-Type is neither IPv4 nor IPv6, then this string is a
   tag referring to configuration data local to the Diameter client that
   describes the interface or medium-specific client address to use.

   Note that this application handles internationalized domain names in
   the same way as the Diameter base protocol (see Appendix D of RFC
   6733 for details).

4.5.5.  Tunnel-Server-Endpoint AVP

   The Tunnel-Server-Endpoint AVP (AVP Code 67) is of type UTF8String
   and contains the address of the server end of the tunnel.
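   The Tunnel-Client-Endpoint rules above (and the Tunnel-Server-Endpoint
   rules that follow, which are the same) make the meaning of the string
   depend on the Tunnel-Medium-Type value, so a receiver has to decide
   how to read it before using it.  The following is an added example,
   not code from the draft, of that decision: the FQDN pattern and the
   sample endpoint strings are assumptions of this example, and the
   draft itself defers internationalized domain-name handling to RFC
   6733.

```python
"""Reading a Tunnel-Client-Endpoint / Tunnel-Server-Endpoint string in the
light of Tunnel-Medium-Type (Sections 4.5.3 to 4.5.5).  Added example, not
code from the draft.  The FQDN pattern below is this example's assumption
(hostname labels of letters, digits and hyphens); the draft leaves domain
name handling to RFC 6733."""
import ipaddress
import re

MEDIUM_IPV4 = 1   # Tunnel-Medium-Type value for IPv4, as given in Section 4.5.4
MEDIUM_IPV6 = 2   # Tunnel-Medium-Type value for IPv6

_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}\.?$")
_DOTTED_DECIMAL_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def classify_tunnel_endpoint(medium_type: int, endpoint: str) -> str:
    """Return 'ipv4', 'ipv6', 'fqdn' or 'local-tag' for a syntactically
    acceptable endpoint string; raise ValueError otherwise."""
    if medium_type == MEDIUM_IPV4:
        if _DOTTED_DECIMAL_RE.match(endpoint):
            ipaddress.IPv4Address(endpoint)      # rejects octets above 255
            return "ipv4"
        if _FQDN_RE.match(endpoint):
            return "fqdn"
        raise ValueError(f"not dotted-decimal or an FQDN: {endpoint!r}")
    if medium_type == MEDIUM_IPV6:
        if ":" in endpoint:
            # IPv6Address accepts both the preferred text form and the
            # alternate form with an embedded dotted-decimal IPv4 part
            ipaddress.IPv6Address(endpoint)
            return "ipv6"
        if _FQDN_RE.match(endpoint):
            return "fqdn"
        raise ValueError(f"not an IPv6 text form or an FQDN: {endpoint!r}")
    # Any other medium: an opaque tag into the Diameter client's local
    # configuration, so there is nothing to validate here.
    return "local-tag"
```

   Checking the string before acting on it matters because the same AVP
   is echoed into ACR messages as part of the tunnel's identity; a value
   that does not parse for the stated medium should be rejected rather
   than recorded.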
   It MAY be used in an authorization request as a hint to the server
   that a specific endpoint is desired, but the server is not required
   to honor the hint in the corresponding response.

   This AVP SHOULD be included in the corresponding ACR messages, in
   which case it indicates the address from which the tunnel was
   initiated.  This AVP, along with the Tunnel-Client-Endpoint
   (Section 4.5.4) and Session-Id AVP ([RFC6733], Section 8.8), can be
   used to provide a globally unique means to identify a tunnel for
   accounting and auditing purposes.

   If Tunnel-Medium-Type is IPv4 (1), then this string is either the
   fully qualified domain name (FQDN) of the tunnel server machine, or a
   "dotted-decimal" IP address.  Implementations MUST support the
   dotted-decimal format and SHOULD support the FQDN format for IP
   addresses.

   If Tunnel-Medium-Type is IPv6 (2), then this string is either the
   FQDN of the tunnel server machine, or a text representation of the
   address in either the preferred or alternate form [RFC3516].
   Implementations MUST support the preferred form and SHOULD support
   both the alternate text form and the FQDN format for IPv6 addresses.

   If Tunnel-Medium-Type is not IPv4 or IPv6, this string is a tag
   referring to configuration data local to the Diameter client that
   describes the interface or medium-specific server address to use.

   Note that this application handles internationalized domain names in
   the same way as the Diameter base protocol (see Appendix D of RFC
   6733 for details).

4.5.6.  Tunnel-Password AVP

   The Tunnel-Password AVP (AVP Code 69) is of type OctetString and may
   contain a password to be used to authenticate to a remote server.

   The Tunnel-Password AVP SHOULD NOT be used in untrusted proxy
   environments without encrypting it by using end-to-end security
   techniques.

4.5.7.
Tunnel-Private-Group-Id AVP

   The Tunnel-Private-Group-Id AVP (AVP Code 81) is of type OctetString
   and contains the group Id for a particular tunneled session.  The
   Tunnel-Private-Group-Id AVP MAY be included in an authorization
   request if the tunnel initiator can predetermine the group resulting
   from a particular connection.  It SHOULD be included in the
   authorization response if this tunnel session is to be treated as
   belonging to a particular private group.  Private groups may be used
   to associate a tunneled session with a particular group of users.
   For example, it MAY be used to facilitate routing of unregistered IP
   addresses through a particular interface.  This AVP SHOULD be
   included in the ACR messages that pertain to the tunneled session.

4.5.8.  Tunnel-Assignment-Id AVP

   The Tunnel-Assignment-Id AVP (AVP Code 82) is of type OctetString and
   is used to indicate to the tunnel initiator the particular tunnel to
   which a session is to be assigned.  Some tunneling protocols, such as
   PPTP [RFC2637] and L2TP [RFC3931], allow for sessions between the
   same two tunnel endpoints to be multiplexed over the same tunnel and
   also for a given session to use its own dedicated tunnel.  This
   attribute provides a mechanism for Diameter to inform the tunnel
   initiator (for example, a LAC) whether to assign the session to a
   multiplexed tunnel or to a separate tunnel.  Furthermore, it allows
   for sessions sharing multiplexed tunnels to be assigned to different
   multiplexed tunnels.

   A particular tunneling implementation may assign differing
   characteristics to particular tunnels.  For example, different
   tunnels may be assigned different QoS parameters.  Such tunnels may
   be used to carry either individual or multiple sessions.
   The Tunnel-Assignment-Id attribute thus allows the Diameter server to
   indicate that a particular session is to be assigned to a tunnel
   providing an appropriate level of service.  It is expected that any
   QoS-related Diameter tunneling attributes defined in the future
   accompanying this one will be associated by the tunnel initiator with
   the Id given by this attribute.  In the meantime, any semantic given
   to a particular Id string is a matter left to local configuration in
   the tunnel initiator.

   The Tunnel-Assignment-Id AVP is of significance only to Diameter and
   the tunnel initiator.  The Id it specifies is only intended to be of
   local use to Diameter and the tunnel initiator.  The Id assigned by
   the tunnel initiator is not conveyed to the tunnel peer.

   This attribute MAY be included in authorization responses.  The
   tunnel initiator receiving this attribute MAY choose to ignore it and
   to assign the session to an arbitrary multiplexed or non-multiplexed
   tunnel between the desired endpoints.  This AVP SHOULD also be
   included in the Accounting-Request messages pertaining to the
   tunneled session.

   If a tunnel initiator supports the Tunnel-Assignment-Id AVP, then it
   should assign a session to a tunnel in the following manner:

   o  If this AVP is present and a tunnel exists between the specified
      endpoints with the specified Id, then the session should be
      assigned to that tunnel.

   o  If this AVP is present and no tunnel exists between the specified
      endpoints with the specified Id, then a new tunnel should be
      established for the session and the specified Id should be
      associated with the new tunnel.

   o  If this AVP is not present, then the session is assigned to an
      unnamed tunnel.
      If an unnamed tunnel does not yet exist between the specified
      endpoints, then it is established and used for this session and
      for subsequent ones established without the Tunnel-Assignment-Id
      attribute.  A tunnel initiator MUST NOT assign a session for which
      a Tunnel-Assignment-Id AVP was not specified to a named tunnel
      (i.e., one that was initiated by a session specifying this AVP).

   Note that the same Id may be used to name different tunnels if these
   tunnels are between different endpoints.

4.5.9.  Tunnel-Preference AVP

   The Tunnel-Preference AVP (AVP Code 83) is of type Unsigned32 and is
   used to identify the relative preference assigned to each tunnel when
   more than one set of tunneling AVPs is returned within separate
   Grouped-AVP AVPs.  It MAY be used in an authorization request as a
   hint to the server that a specific preference is desired, but the
   server is not required to honor the hint in the corresponding
   response.

   For example, suppose that AVPs describing two tunnels are returned by
   the server, one with a Tunnel-Type of PPTP and the other with a
   Tunnel-Type of L2TP.  If the tunnel initiator supports only one of
   the Tunnel-Types returned, it will initiate a tunnel of that type.
   If, however, it supports both tunnel protocols, it SHOULD use the
   value of the Tunnel-Preference AVP to decide which tunnel should be
   started.  The tunnel with the lowest numerical value in the Value
   field of this AVP SHOULD be given the highest preference.  The values
   assigned to two or more instances of the Tunnel-Preference AVP within
   a given authorization response MAY be identical.  In this case, the
   tunnel initiator SHOULD use locally configured metrics to decide
   which set of AVPs to use.

4.5.10.
Tunnel-Client-Auth-Id AVP 2281 The Tunnel-Client-Auth-Id AVP (AVP Code 90) is of type UTF8String and 2282 specifies the 7-bit US-ASCII name used by the tunnel initiator during 2283 the authentication phase of tunnel establishment. It MAY be used in 2284 an authorization request as a hint to the server that a specific 2285 preference is desired, but the server is not required to honor the 2286 hint in the corresponding response. This AVP MUST be present in the 2287 authorization response if an authentication name other than the 2288 default is desired. This AVP SHOULD be included in the ACR messages 2289 pertaining to the tunneled session. 2291 4.5.11. Tunnel-Server-Auth-Id AVP 2293 The Tunnel-Server-Auth-Id AVP (AVP Code 91) is of type UTF8String and 2294 specifies the 7-bit US-ASCII name used by the tunnel terminator 2295 during the authentication phase of tunnel establishment. It MAY be 2296 used in an authorization request as a hint to the server that a 2297 specific preference is desired, but the server is not required to 2298 honor the hint in the corresponding response. This AVP MUST be 2299 present in the authorization response if an authentication name other 2300 than the default is desired. This AVP SHOULD be included in the ACR 2301 messages pertaining to the tunneled session. 2303 4.6. NAS Accounting AVPs 2305 Applications implementing this specification use Diameter Accounting 2306 (as defined in [RFC6733]) and the AVPs in the following section. 2307 Service-specific AVP usage is defined in the tables in Section 5. 2309 If accounting is active, Accounting Request (ACR) messages SHOULD be 2310 sent after the completion of any Authentication or Authorization 2311 transaction and at the end of a Session. The value of the 2312 Accounting-Record-Type AVP [RFC6733] indicates the type of event. 2313 All other AVPs identify the session and provide additional 2314 information relevant to the event. 
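   Before turning to the accounting records themselves, the following
   Python is an added illustration (not part of this specification or of
   any Diameter implementation) of how a tunnel initiator applies the
   Tunnel-Assignment-Id rules of Section 4.5.8 and the Tunnel-Preference
   selection of Section 4.5.9 above.  The TunnelAVPs and Tunnel classes
   are a hypothetical simplification of the Tunneling grouped AVP; the
   tunnel types (PPTP, L2TP) and the "lowest Tunnel-Preference wins,
   ties go to local metrics" rule are taken from the text.  Tunnels are
   keyed by endpoint pair plus Id, which makes the MUST NOT of Section
   4.5.8 (a session without an Id never lands in a named tunnel) and the
   note that one Id may name different tunnels between different
   endpoints hold by construction.

```python
# Added example: tunnel-initiator logic for Tunnel-Assignment-Id (4.5.8)
# and Tunnel-Preference (4.5.9).  Not part of the specification; the data
# model below is a hypothetical simplification of the Tunneling AVP.
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class TunnelAVPs:
    """One set of tunneling AVPs (one Tunneling grouped AVP in an AAA)."""
    tunnel_type: str                     # Tunnel-Type, e.g. "L2TP" or "PPTP"
    client_endpoint: str                 # Tunnel-Client-Endpoint
    server_endpoint: str                 # Tunnel-Server-Endpoint
    preference: int = 0                  # Tunnel-Preference: lowest value wins
    assignment_id: Optional[str] = None  # Tunnel-Assignment-Id; None if absent


@dataclass
class Tunnel:
    tunnel_type: str
    client_endpoint: str
    server_endpoint: str
    assignment_id: Optional[str]         # None marks the unnamed tunnel
    sessions: List[str] = field(default_factory=list)


class TunnelInitiator:
    def __init__(self, supported_types: Iterable[str],
                 local_metric: Optional[Callable[[TunnelAVPs], int]] = None):
        self.supported = set(supported_types)
        # Locally configured metric, consulted only to break
        # Tunnel-Preference ties (Section 4.5.9, last sentence).
        self.local_metric = local_metric or (lambda avps: 0)
        # Keyed by (client endpoint, server endpoint, Id): the same Id names
        # distinct tunnels between distinct endpoint pairs (Section 4.5.8).
        self.tunnels: Dict[Tuple[str, str, Optional[str]], Tunnel] = {}

    def choose(self, candidates: Iterable[TunnelAVPs]) -> Optional[TunnelAVPs]:
        """Section 4.5.9: discard unsupported Tunnel-Types, then take the
        lowest Tunnel-Preference; identical preferences fall back to the
        local metric.  Returns None if no candidate can be started."""
        usable = [c for c in candidates if c.tunnel_type in self.supported]
        if not usable:
            return None
        return min(usable, key=lambda c: (c.preference, self.local_metric(c)))

    def assign(self, session_id: str, avps: TunnelAVPs) -> Tunnel:
        """Section 4.5.8: reuse the tunnel with these endpoints and this Id,
        establish it if missing; a session with no Id goes to the unnamed
        tunnel for the endpoint pair and never to a named one."""
        key = (avps.client_endpoint, avps.server_endpoint, avps.assignment_id)
        tunnel = self.tunnels.get(key)
        if tunnel is None:
            tunnel = Tunnel(avps.tunnel_type, avps.client_endpoint,
                            avps.server_endpoint, avps.assignment_id)
            self.tunnels[key] = tunnel
        # The MUST NOT of 4.5.8, stated as an invariant of the table above.
        assert tunnel.assignment_id == avps.assignment_id
        tunnel.sessions.append(session_id)
        return tunnel

    def handle_answer(self, session_id: str,
                      candidates: Iterable[TunnelAVPs]) -> Optional[Tunnel]:
        """Select among the Tunneling AVPs of one AAA and assign the session."""
        chosen = self.choose(candidates)
        return None if chosen is None else self.assign(session_id, chosen)

    def named_tunnels(self) -> List[Tunnel]:
        return [t for t in self.tunnels.values() if t.assignment_id is not None]
```

   A deployment that does honor Tunnel-Assignment-Id should treat the
   Id as opaque local configuration, as the text says: the example gives
   it no semantics beyond "sessions with the same Id share a tunnel".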
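   The record rules this section goes on to state (one matching START
   and STOP per session with any number of INTERIMs between, or a single
   EVENT; the counters of Sections 4.6.1 to 4.6.5 only in INTERIM or
   STOP records) and the Acct-Link-Count completeness test of Section
   4.6.9 are the checks an accounting server would run before it trusts
   a record stream for billing or audit.  The following Python is an
   added example of those checks, not code from this specification or
   from any Diameter implementation.  Records are plain dicts keyed by
   AVP name, a hypothetical simplification of an ACR; the multilink
   input reproduces the eight-record sequence of the Section 4.6.9 table
   with constructed Session-Id strings, and the second input is a
   constructed stream that breaks two of the rules.

```python
# Added example: accounting-server checks for the Section 4.6 record
# rules and the Acct-Link-Count completeness test of Section 4.6.9.
# Not part of the specification; records are dicts keyed by AVP name.
from typing import Dict, List, Optional

START, INTERIM, STOP, EVENT = ("START_RECORD", "INTERIM_RECORD",
                               "STOP_RECORD", "EVENT_RECORD")

# Sections 4.6.1 to 4.6.5: permitted only in INTERIM_RECORD or STOP_RECORD.
COUNTER_AVPS = ("Accounting-Input-Octets", "Accounting-Output-Octets",
                "Accounting-Input-Packets", "Accounting-Output-Packets",
                "Acct-Session-Time")


def check_records(records: List[Dict]) -> List[str]:
    """Return one message per rule violation, in arrival order.  An empty
    list means the stream is consistent so far; sessions that are still
    open (START seen, no STOP yet) are not violations."""
    problems: List[str] = []
    state: Dict[str, str] = {}  # Session-Id -> "open" | "closed" | "event"
    for i, rec in enumerate(records):
        sid, rtype = rec["Session-Id"], rec["Accounting-Record-Type"]
        where = f"record {i} ({sid}, {rtype})"
        if rtype not in (INTERIM, STOP):
            problems += [f"{where}: {avp} not allowed in {rtype}"
                         for avp in COUNTER_AVPS if avp in rec]
        seen = state.get(sid)
        if rtype == START:
            if seen is not None:
                problems.append(f"{where}: second START, or START after "
                                "STOP/EVENT, for this session")
            state[sid] = "open"
        elif rtype == INTERIM:
            if seen != "open":
                problems.append(f"{where}: INTERIM outside a START..STOP pair")
        elif rtype == STOP:
            if seen != "open":
                problems.append(f"{where}: STOP without a matching START")
            state[sid] = "closed"
        elif rtype == EVENT:
            if seen is not None:
                problems.append(f"{where}: EVENT mixed with other records")
            state[sid] = "event"
        else:
            problems.append(f"{where}: unknown Accounting-Record-Type")
    return problems


def multilink_complete(records: List[Dict], multi_session_id: str) -> bool:
    """Section 4.6.9: all STOPs for a multilink service have arrived once the
    number of STOP records with distinct Session-Ids equals the largest
    Acct-Link-Count seen for that Acct-Multi-Session-Id."""
    stops, max_links = set(), 0
    for rec in records:
        if rec.get("Acct-Multi-Session-Id") != multi_session_id:
            continue
        # Maximum over every record type is the conservative reading: a
        # START announcing a new link raises the bar before its STOP arrives,
        # so completeness is never declared early.
        max_links = max(max_links, rec.get("Acct-Link-Count", 0))
        if rec["Accounting-Record-Type"] == STOP:
            stops.add(rec["Session-Id"])
    return max_links > 0 and len(stops) == max_links


def first_complete_index(records: List[Dict],
                         multi_session_id: str) -> Optional[int]:
    """Index of the ACR whose arrival completes the multilink service."""
    for n in range(1, len(records) + 1):
        if multilink_complete(records[:n], multi_session_id):
            return n - 1
    return None


def _acr(sid, rtype, msid=None, links=None, **avps):
    rec = {"Session-Id": sid, "Accounting-Record-Type": rtype, **avps}
    if msid is not None:
        rec["Acct-Multi-Session-Id"] = msid
    if links is not None:
        rec["Acct-Link-Count"] = links
    return rec


# Constructed input: the eight ACRs of the Section 4.6.9 table, with
# constructed Session-Id strings in place of the table's abbreviated ones.
MULTILINK_RECORDS = [
    _acr("nas1;10", START, "nas1;10", 1),
    _acr("nas1;11", START, "nas1;10", 2),
    _acr("nas1;11", STOP, "nas1;10", 2, **{"Acct-Session-Time": 30}),
    _acr("nas1;12", START, "nas1;10", 3),
    _acr("nas1;13", START, "nas1;10", 4),
    _acr("nas1;12", STOP, "nas1;10", 4),
    _acr("nas1;13", STOP, "nas1;10", 4),
    _acr("nas1;10", STOP, "nas1;10", 4),
]

# Constructed input breaking two rules: a counter AVP inside a START, and a
# STOP for a session that never had a START.
BAD_RECORDS = [
    _acr("nas1;20", START, **{"Accounting-Input-Octets": 0}),
    _acr("nas1;21", STOP),
]
```

   On the table's sequence the multilink service is complete only when
   the eighth record arrives; after the seventh, three distinct STOPs
   have been seen against a largest Acct-Link-Count of four, so a server
   that closed the service earlier would have under-billed one link.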
   The successful completion of the first Authentication or
   Authorization transaction SHOULD cause a START_RECORD to be sent.  If
   additional Authentications or Authorizations occur in later
   transactions, the first exchange should generate a START_RECORD, and
   the later ones an INTERIM_RECORD.  For a given session, there MUST
   only be one set of matching START and STOP records, with any number
   of INTERIM_RECORDs in between, or one EVENT_RECORD indicating the
   reason a session wasn't started.

   The following table gives the possible flag values for the session
   level AVPs and specifies whether the AVP MAY be encrypted.

                                                    +----------+
                                                    | AVP Flag |
                                                    |  rules   |
                                                    |----+-----|
                                            Section |MUST| MUST|
   Attribute Name                           Defined |    | NOT |
   -------------------------------------------------|----+-----|
   Accounting-Input-Octets                   4.6.1  | M  |  V  |
   Accounting-Output-Octets                  4.6.2  | M  |  V  |
   Accounting-Input-Packets                  4.6.3  | M  |  V  |
   Accounting-Output-Packets                 4.6.4  | M  |  V  |
   Acct-Session-Time                         4.6.5  | M  |  V  |
   Acct-Authentic                            4.6.6  | M  |  V  |
   Accounting-Auth-Method                    4.6.7  | M  |  V  |
   Acct-Delay-Time                           4.6.8  | M  |  V  |
   Acct-Link-Count                           4.6.9  | M  |  V  |
   Acct-Tunnel-Connection                    4.6.10 | M  |  V  |
   Acct-Tunnel-Packets-Lost                  4.6.11 | M  |  V  |
   -------------------------------------------------|----+-----|

4.6.1.  Accounting-Input-Octets AVP

   The Accounting-Input-Octets AVP (AVP Code 363) is of type Unsigned64
   and contains the number of octets received from the user.

   For NAS usage, this AVP indicates how many octets have been received
   from the port in the course of this session.  It can only be present
   in ACR messages with an Accounting-Record-Type [RFC6733] of
   INTERIM_RECORD or STOP_RECORD.

4.6.2.  Accounting-Output-Octets AVP

   The Accounting-Output-Octets AVP (AVP Code 364) is of type Unsigned64
   and contains the number of octets sent to the user.

   For NAS usage, this AVP indicates how many octets have been sent to
   the port in the course of this session.  It can only be present in
   ACR messages with an Accounting-Record-Type of INTERIM_RECORD or
   STOP_RECORD.

4.6.3.  Accounting-Input-Packets AVP

   The Accounting-Input-Packets AVP (AVP Code 365) is of type Unsigned64
   and contains the number of packets received from the user.

   For NAS usage, this AVP indicates how many packets have been received
   from the port over the course of a session being provided to a Framed
   User.  It can only be present in ACR messages with an
   Accounting-Record-Type of INTERIM_RECORD or STOP_RECORD.

4.6.4.  Accounting-Output-Packets AVP

   The Accounting-Output-Packets AVP (AVP Code 366) is of type
   Unsigned64 and contains the number of IP packets sent to the user.

   For NAS usage, this AVP indicates how many packets have been sent to
   the port over the course of a session being provided to a Framed
   User.  It can only be present in ACR messages with an
   Accounting-Record-Type of INTERIM_RECORD or STOP_RECORD.

4.6.5.  Acct-Session-Time AVP

   The Acct-Session-Time AVP (AVP Code 46) is of type Unsigned32 and
   indicates the length of the current session in seconds.  It can only
   be present in ACR messages with an Accounting-Record-Type of
   INTERIM_RECORD or STOP_RECORD.

4.6.6.  Acct-Authentic AVP

   The Acct-Authentic AVP (AVP Code 45) is of type Enumerated and
   specifies how the user was authenticated.  The supported values are
   listed in [RADIUSAttrVals].

4.6.7.  Accounting-Auth-Method AVP

   The Accounting-Auth-Method AVP (AVP Code 406) is of type Enumerated.
   A NAS MAY include this AVP in an Accounting-Request message to
   indicate the method used to authenticate the user.  (Note that this
   AVP is semantically equivalent to, and its supported values are
   identical to those of, the Microsoft MS-Acct-Auth-Type
   vendor-specific RADIUS attribute [RFC2548].)

4.6.8.  Acct-Delay-Time AVP

   The Acct-Delay-Time AVP (AVP Code 41) is of type Unsigned32 and
   indicates the number of seconds the Diameter client has been trying
   to send the Accounting-Request (ACR).  The accounting server may
   subtract this value from the time when the ACR arrives at the server
   to calculate the approximate time of the event that caused the ACR to
   be generated.

   This AVP is not used for retransmissions at the transport level (TCP
   or SCTP).  Rather, it may be used when an ACR command cannot be
   transmitted because there is no appropriate peer to transmit it to,
   or when it was rejected because it could not be delivered.  In these
   cases, the command MAY be buffered and transmitted later, when an
   appropriate peer connection is available or after sufficient time
   has passed that the destination host may be reachable and
   operational.  If the ACR is re-sent in this way, the Acct-Delay-Time
   AVP SHOULD be included.  The value of this AVP indicates the number
   of seconds that elapsed between the time of the first attempt at
   transmission and the current attempt.

4.6.9.  Acct-Link-Count AVP

   The Acct-Link-Count AVP (AVP Code 51) is of type Unsigned32 and
   indicates the total number of links that have been active (current or
   closed) in a given multilink session at the time the accounting
   record is generated.  This AVP MAY be included in Accounting-Requests
   for any session that may be part of a multilink service.

   The Acct-Link-Count AVP may be used to make it easier for an
   accounting server to know when it has all the records for a given
   multilink service.  When the number of Accounting-Requests received
   with Accounting-Record-Type = STOP_RECORD and with the same
   Acct-Multi-Session-Id and unique Session-Ids equals the largest value
   of Acct-Link-Count seen in those Accounting-Requests, all STOP_RECORD
   Accounting-Requests for that multilink service have been received.

   The following example, showing eight Accounting-Requests, illustrates
   how the Acct-Link-Count AVP is used.  In the table below, only the
   relevant AVPs are shown, although additional AVPs containing
   accounting information will be present in the Accounting-Requests.

      Acct-Multi-                    Accounting-     Acct-
      Session-Id     Session-Id      Record-Type     Link-Count
      --------------------------------------------------------
      "...10"        "...10"         START_RECORD    1
      "...10"        "...11"         START_RECORD    2
      "...10"        "...11"         STOP_RECORD     2
      "...10"        "...12"         START_RECORD    3
      "...10"        "...13"         START_RECORD    4
      "...10"        "...12"         STOP_RECORD     4
      "...10"        "...13"         STOP_RECORD     4
      "...10"        "...10"         STOP_RECORD     4

4.6.10.  Acct-Tunnel-Connection AVP

   The Acct-Tunnel-Connection AVP (AVP Code 68) is of type OctetString
   and contains the identifier assigned to the tunnel session.  This
   AVP, along with the Tunnel-Client-Endpoint (Section 4.5.4) and
   Tunnel-Server-Endpoint (Section 4.5.5) AVPs, may be used to provide a
   means to uniquely identify a tunnel session for auditing purposes.

   The format of the identifier in this AVP depends upon the value of
   the Tunnel-Type AVP (Section 4.5.2).  For example, to identify an
   L2TP tunnel connection fully, the L2TP Tunnel Id and Call Id might be
   encoded in this field.  The exact encoding of this field is
   implementation dependent.

4.6.11.  Acct-Tunnel-Packets-Lost AVP

   The Acct-Tunnel-Packets-Lost AVP (AVP Code 86) is of type Unsigned32
   and contains the number of packets lost on a given tunnel.

5.  AVP Occurrence Tables

   The following tables present the AVPs used by NAS applications in NAS
   messages and specify in which Diameter messages they may or may not
   be present.  Messages and AVPs defined in the base Diameter protocol
   [RFC6733] are not described in this document.  Note that AVPs that
   can only be present within a Grouped AVP are not represented in these
   tables.

   The tables use the following symbols:

   0     The AVP MUST NOT be present in the message.

   0+    Zero or more instances of the AVP MAY be present in the
         message.

   0-1   Zero or one instance of the AVP MAY be present in the
         message.

   1     Exactly one instance of the AVP MUST be present in the
         message.

5.1.  AA-Request/Answer AVP Table

   The table in this section is limited to the Command Codes defined in
   this specification.

                                      +-----------+
                                      |  Command  |
                                      |-----+-----+
   Attribute Name                     | AAR | AAA |
   -----------------------------------|-----+-----+
   Acct-Interim-Interval              |  0  | 0-1 |
   ARAP-Challenge-Response            |  0  | 0-1 |
   ARAP-Features                      |  0  | 0-1 |
   ARAP-Password                      | 0-1 |  0  |
   ARAP-Security                      | 0-1 | 0-1 |
   ARAP-Security-Data                 | 0+  | 0+  |
   ARAP-Zone-Access                   |  0  | 0-1 |
   Auth-Application-Id                |  1  |  1  |
   Auth-Grace-Period                  | 0-1 | 0-1 |
   Auth-Request-Type                  |  1  |  1  |
   Auth-Session-State                 | 0-1 | 0-1 |
   Authorization-Lifetime             | 0-1 | 0-1 |
   Callback-Id                        |  0  | 0-1 |
   Callback-Number                    | 0-1 | 0-1 |
   Called-Station-Id                  | 0-1 |  0  |
   Calling-Station-Id                 | 0-1 |  0  |
   CHAP-Auth                          | 0-1 |  0  |
   CHAP-Challenge                     | 0-1 |  0  |
   Class                              |  0  | 0+  |
   Configuration-Token                |  0  | 0+  |
   Connect-Info                       | 0+  |  0  |
   Destination-Host                   | 0-1 |  0  |
   Destination-Realm                  |  1  |  0  |
   Error-Message                      |  0  | 0-1 |
   Error-Reporting-Host               |  0  | 0-1 |
   Failed-AVP                         | 0+  | 0+  |
   Filter-Id                          |  0  | 0+  |
   Framed-AppleTalk-Link              |  0  | 0-1 |
   Framed-AppleTalk-Network           |  0  | 0+  |
   Framed-AppleTalk-Zone              |  0  | 0-1 |
   Framed-Compression                 | 0+  | 0+  |
   Framed-Interface-Id                | 0-1 | 0-1 |
   Framed-IP-Address                  | 0-1 | 0-1 |
   Framed-IP-Netmask                  | 0-1 | 0-1 |
   Framed-IPv6-Prefix                 | 0+  | 0+  |
   Framed-IPv6-Pool                   |  0  | 0-1 |
   Framed-IPv6-Route                  |  0  | 0+  |
   Framed-IPX-Network                 |  0  | 0-1 |
   Framed-MTU                         | 0-1 | 0-1 |
   Framed-Pool                        |  0  | 0-1 |
   Framed-Protocol                    | 0-1 | 0-1 |
   Framed-Route                       |  0  | 0+  |
   Framed-Routing                     |  0  | 0-1 |
   Idle-Timeout                       |  0  | 0-1 |
   Login-IP-Host                      | 0+  | 0+  |
   Login-IPv6-Host                    | 0+  | 0+  |
   Login-LAT-Group                    | 0-1 | 0-1 |
   Login-LAT-Node                     | 0-1 | 0-1 |
   Login-LAT-Port                     | 0-1 | 0-1 |
   Login-LAT-Service                  | 0-1 | 0-1 |
   Login-Service                      |  0  | 0-1 |
   Login-TCP-Port                     |  0  | 0-1 |
   Multi-Round-Time-Out               |  0  | 0-1 |
   NAS-Filter-Rule                    |  0  | 0+  |
   NAS-Identifier                     | 0-1 |  0  |
   NAS-IP-Address                     | 0-1 |  0  |
   NAS-IPv6-Address                   | 0-1 |  0  |
   NAS-Port                           | 0-1 |  0  |
   NAS-Port-Id                        | 0-1 |  0  |
   NAS-Port-Type                      | 0-1 |  0  |
   Origin-AAA-Protocol                | 0-1 | 0-1 |
   Origin-Host                        |  1  |  1  |
   Origin-Realm                       |  1  |  1  |
   Origin-State-Id                    | 0-1 | 0-1 |
   Originating-Line-Info              | 0-1 |  0  |
   Password-Retry                     |  0  | 0-1 |
   Port-Limit                         | 0-1 | 0-1 |
   Prompt                             |  0  | 0-1 |
   Proxy-Info                         | 0+  | 0+  |
   QoS-Filter-Rule                    |  0  | 0+  |
   Re-Auth-Request-Type               |  0  | 0-1 |
   Redirect-Host                      |  0  | 0+  |
   Redirect-Host-Usage                |  0  | 0-1 |
   Redirect-Max-Cache-Time            |  0  | 0-1 |
   Reply-Message                      |  0  | 0+  |
   Result-Code                        |  0  |  1  |
   Route-Record                       | 0+  |  0  |
   Service-Type                       | 0-1 | 0-1 |
   Session-Id                         |  1  |  1  |
   Session-Timeout                    |  0  | 0-1 |
   State                              | 0-1 | 0-1 |
   Tunneling                          | 0+  | 0+  |
   User-Name                          | 0-1 | 0-1 |
   User-Password                      | 0-1 |  0  |
   -----------------------------------|-----+-----+

5.2.  Accounting AVP Tables

   The tables in this section are used to show which AVPs defined in
   this document are to be present and used in NAS application
   Accounting messages.  These AVPs are defined in this document, as
   well as in [RFC6733] and [RFC2866].

5.2.1.  Framed Access Accounting AVP Table

   The table in this section is used when the Service-Type AVP
   (Section 4.4.1) specifies Framed Access.

                                               +-----------+
                                               |  Command  |
                                               |-----+-----+
   Attribute Name                              | ACR | ACA |
   --------------------------------------------|-----+-----+
   Accounting-Auth-Method                      | 0-1 |  0  |
   Accounting-Input-Octets                     |  1  |  0  |
   Accounting-Input-Packets                    |  1  |  0  |
   Accounting-Output-Octets                    |  1  |  0  |
   Accounting-Output-Packets                   |  1  |  0  |
   Accounting-Record-Number                    | 0-1 | 0-1 |
   Accounting-Record-Type                      |  1  |  1  |
   Accounting-Realtime-Required                | 0-1 | 0-1 |
   Accounting-Sub-Session-Id                   | 0-1 | 0-1 |
   Acct-Application-Id                         | 0-1 | 0-1 |
   Acct-Session-Id                             |  1  | 0-1 |
   Acct-Multi-Session-Id                       | 0-1 | 0-1 |
   Acct-Authentic                              |  1  |  0  |
   Acct-Delay-Time                             | 0-1 |  0  |
   Acct-Interim-Interval                       | 0-1 | 0-1 |
   Acct-Link-Count                             | 0-1 |  0  |
   Acct-Session-Time                           |  1  |  0  |
   Acct-Tunnel-Connection                      | 0-1 |  0  |
   Acct-Tunnel-Packets-Lost                    | 0-1 |  0  |
   Authorization-Lifetime                      | 0-1 |  0  |
   Callback-Id                                 | 0-1 |  0  |
   Callback-Number                             | 0-1 |  0  |
   Called-Station-Id                           | 0-1 |  0  |
   Calling-Station-Id                          | 0-1 |  0  |
   Class                                       | 0+  | 0+  |
   Connect-Info                                | 0+  |  0  |
   Destination-Host                            | 0-1 |  0  |
   Destination-Realm                           |  1  |  0  |
   Event-Timestamp                             | 0-1 | 0-1 |
   Error-Message                               |  0  | 0-1 |
   Error-Reporting-Host                        |  0  | 0-1 |
   Failed-AVP                                  |  0  | 0+  |
   Framed-AppleTalk-Link                       | 0-1 |  0  |
   Framed-AppleTalk-Network                    | 0-1 |  0  |
   Framed-AppleTalk-Zone                       | 0-1 |  0  |
   Framed-Compression                          | 0-1 |  0  |
   Framed-IP-Address                           | 0-1 |  0  |
   Framed-IP-Netmask                           | 0-1 |  0  |
   Framed-IPv6-Prefix                          | 0+  |  0  |
   Framed-IPv6-Pool                            | 0-1 |  0  |
   Framed-IPX-Network                          | 0-1 |  0  |
   Framed-MTU                                  | 0-1 |  0  |
   Framed-Pool                                 | 0-1 |  0  |
   Framed-Protocol                             | 0-1 |  0  |
   Framed-Route                                | 0-1 |  0  |
   Framed-Routing                              | 0-1 |  0  |
   NAS-Filter-Rule                             | 0+  |  0  |
   NAS-Identifier                              | 0-1 | 0-1 |
   NAS-IP-Address                              | 0-1 | 0-1 |
   NAS-IPv6-Address                            | 0-1 | 0-1 |
   NAS-Port                                    | 0-1 | 0-1 |
   NAS-Port-Id                                 | 0-1 | 0-1 |
   NAS-Port-Type                               | 0-1 | 0-1 |
   Origin-AAA-Protocol                         | 0-1 | 0-1 |
   Origin-Host                                 |  1  |  1  |
   Origin-Realm                                |  1  |  1  |
   Origin-State-Id                             | 0-1 | 0-1 |
   Originating-Line-Info                       | 0-1 |  0  |
   Proxy-Info                                  | 0+  | 0+  |
   QoS-Filter-Rule                             | 0+  |  0  |
   Route-Record                                | 0+  |  0  |
   Result-Code                                 |  0  |  1  |
   Service-Type                                | 0-1 | 0-1 |
   Session-Id                                  |  1  |  1  |
   Termination-Cause                           | 0-1 | 0-1 |
   Tunnel-Assignment-Id                        | 0-1 |  0  |
   Tunnel-Client-Endpoint                      | 0-1 |  0  |
   Tunnel-Medium-Type                          | 0-1 |  0  |
   Tunnel-Private-Group-Id                     | 0-1 |  0  |
   Tunnel-Server-Endpoint                      | 0-1 |  0  |
   Tunnel-Type                                 | 0-1 |  0  |
   User-Name                                   | 0-1 | 0-1 |
   --------------------------------------------|-----+-----+

5.2.2.  Non-Framed Access Accounting AVP Table

   The table in this section is used when the Service-Type AVP
   (Section 4.4.1) specifies Non-Framed Access.

                                               +-----------+
                                               |  Command  |
                                               |-----+-----+
   Attribute Name                              | ACR | ACA |
   --------------------------------------------|-----+-----+
   Accounting-Auth-Method                      | 0-1 |  0  |
   Accounting-Input-Octets                     |  1  |  0  |
   Accounting-Output-Octets                    |  1  |  0  |
   Accounting-Record-Type                      |  1  |  1  |
   Accounting-Record-Number                    | 0-1 | 0-1 |
   Accounting-Realtime-Required                | 0-1 | 0-1 |
   Accounting-Sub-Session-Id                   | 0-1 | 0-1 |
   Acct-Application-Id                         | 0-1 | 0-1 |
   Acct-Session-Id                             |  1  | 0-1 |
   Acct-Multi-Session-Id                       | 0-1 | 0-1 |
   Acct-Authentic                              |  1  |  0  |
   Acct-Delay-Time                             | 0-1 |  0  |
   Acct-Interim-Interval                       | 0-1 | 0-1 |
   Acct-Link-Count                             | 0-1 |  0  |
   Acct-Session-Time                           |  1  |  0  |
   Authorization-Lifetime                      | 0-1 |  0  |
   Callback-Id                                 | 0-1 |  0  |
   Callback-Number                             | 0-1 |  0  |
   Called-Station-Id                           | 0-1 |  0  |
   Calling-Station-Id                          | 0-1 |  0  |
   Class                                       | 0+  | 0+  |
   Connect-Info                                | 0+  |  0  |
   Destination-Host                            | 0-1 |  0  |
   Destination-Realm                           |  1  |  0  |
   Event-Timestamp                             | 0-1 | 0-1 |
   Error-Message                               |  0  | 0-1 |
   Error-Reporting-Host                        |  0  | 0-1 |
   Failed-AVP                                  |  0  | 0+  |
   Login-IP-Host                               | 0+  |  0  |
   Login-IPv6-Host                             | 0+  |  0  |
   Login-LAT-Service                           | 0-1 |  0  |
   Login-LAT-Node                              | 0-1 |  0  |
   Login-LAT-Group                             | 0-1 |  0  |
   Login-LAT-Port                              | 0-1 |  0  |
   Login-Service                               | 0-1 |  0  |
   Login-TCP-Port                              | 0-1 |  0  |
   NAS-Identifier                              | 0-1 | 0-1 |
   NAS-IP-Address                              | 0-1 | 0-1 |
   NAS-IPv6-Address                            | 0-1 | 0-1 |
   NAS-Port                                    | 0-1 | 0-1 |
   NAS-Port-Id                                 | 0-1 | 0-1 |
   NAS-Port-Type                               | 0-1 | 0-1 |
   Origin-AAA-Protocol                         | 0-1 | 0-1 |
   Origin-Host                                 |  1  |  1  |
   Origin-Realm                                |  1  |  1  |
   Origin-State-Id                             | 0-1 | 0-1 |
   Originating-Line-Info                       | 0-1 |  0  |
   Proxy-Info                                  | 0+  | 0+  |
   QoS-Filter-Rule                             | 0+  |  0  |
   Route-Record                                | 0+  |  0  |
   Result-Code                                 |  0  |  1  |
   Session-Id                                  |  1  |  1  |
   Service-Type                                | 0-1 | 0-1 |
   Termination-Cause                           | 0-1 | 0-1 |
   User-Name                                   | 0-1 | 0-1 |
   --------------------------------------------|-----+-----+

6.  Unicode Considerations

   A number of the AVPs in this RFC use the UTF8String type specified in
   the Diameter Base protocol [RFC6733].  Implementation differences in
   Unicode input processing may result in the same Unicode input
   characters generating different UTF-8 strings that fail to match when
   compared for equality.  This may result in interoperability problems
   between a network access server and a Diameter server when a UTF-8
   string entered locally is compared with one received via Diameter.
   Many of the uses of UTF8String in this RFC are limited to the 7-bit
   ASCII-compatible subset of UTF-8, where this class of Unicode string
   comparison problems does not arise.

   Careful preparation of Unicode strings can increase the likelihood
   that string comparison will work in ways that make sense for typical
   users throughout the world; [RFC3454] is an example of a framework
   for such Unicode string preparation.  The Diameter application
   specified in this RFC has been deployed with use of Unicode in
   accordance with [RFC4005], which does not require any Unicode string
   preparation.  As a result, additional requirements for Unicode string
   preparation in this RFC would not be backwards compatible with
   existing usage.

   The Diameter server and the network access servers that it serves can
   be assumed to be under common administrative control, and all of the
   UTF-8 strings involved are part of the configuration of these
   servers.  Therefore, administrative interfaces for implementations of
   this RFC:

   a.  SHOULD accept direct UTF-8 input of all configuration strings for
       AVPs that allow Unicode characters beyond the 7-bit
       ASCII-compatible subset of Unicode (in addition to any provisions
       for accepting Unicode characters for processing into UTF-8), and

   b.  SHOULD make all such configuration strings available as UTF-8
       strings.

   This functionality enables an administrator who encounters Unicode
   string comparison problems to copy one instance of a problematic
   UTF-8 string from one server to the other, after which the two (now
   identical) copies should compare as expected.

7.  IANA Considerations

   Several of the namespaces used in this document are managed by the
   Internet Assigned Numbers Authority [IANA], including the AVP Codes
   [AVP-Codes], AVP Specific Values [AVP-Vals], Application IDs
   [App-Ids], Command Codes [Command-Codes] and RADIUS Attribute Values
   [RADIUSAttrVals].

   For the current values allocated, and the policies governing
   allocation in those namespaces, please see the above-referenced
   registries.

   IANA Note: Please change all the references in the registries listed
   above that are currently pointing to RFC 4005 to point to this
   document instead; please change the reference for the value '1' in
   the "Application IDs" sub-registry of the "Authentication,
   Authorization, and Accounting (AAA) Parameters" registry to point to
   this document, as well.

   RFC Editor: Please remove both this note and the IANA note above
   before publication.

8.  Security Considerations

   This document describes the extension of Diameter for the NAS
   application.  Security considerations regarding the Diameter protocol
   itself are discussed in [RFC6733].  Use of this application of
   Diameter MUST take into consideration the security issues and
   requirements of the Base protocol.

8.1.  Authentication Considerations

   This document does not contain a security protocol but does discuss
   how PPP authentication protocols can be carried within the Diameter
   protocol.  The PPP authentication protocols described are PAP and
   CHAP.

   The use of PAP SHOULD be discouraged, as it exposes users' passwords
   to possibly non-trusted entities.  However, PAP is also frequently
   used with One-Time Passwords, whose disclosure does not present the
   same risk.

   This document also describes how CHAP can be carried within the
   Diameter protocol, which is required for RADIUS backward
   compatibility.  The CHAP protocol, as used in a RADIUS environment,
   facilitates authentication replay attacks.

   The use of the EAP authentication protocols [RFC4072] can offer
   better security, given a method suitable for the circumstances.

   Depending on the value of the Auth-Request-Type AVP, the Diameter
   protocol allows authorization-only requests that contain no
   authentication information from the client.  This capability goes
   beyond the Call Check capabilities provided by RADIUS (Section 5.6 of
   [RFC2865]) in that no access decision is requested.  As a result, a
   new session cannot be started as a result of a response to an
   authorization-only request without introducing a significant security
   vulnerability.

8.2.  AVP Considerations

   Diameter AVPs often contain security-sensitive data; for example,
   user passwords and location data, network addresses and cryptographic
   keys.  With the exception of the Configuration-Token (Section 4.4.8),
   QoS-Filter-Rule (Section 4.4.9) and Tunneling (Section 4.5.1) AVPs,
   all of the AVPs defined in this document are considered to be
   security-sensitive.

   Diameter messages containing any AVPs considered to be
   security-sensitive MUST only be sent protected via mutually
   authenticated TLS or IPsec.  In addition, those messages MUST NOT be
   sent via intermediate nodes unless there is end-to-end security
   between the originator and recipient or the originator has locally
   trusted configuration that indicates that end-to-end security is not
   needed.  For example, end-to-end security may not be required in the
   case where an intermediary node is known to be operated as part of
   the same administrative domain as the endpoints, so that an ability
   to successfully compromise the intermediary would imply a high
   probability of being able to compromise the endpoints as well.  Note
   that no end-to-end security mechanism is specified in this document.

9.  References

9.1.  Normative References

   [ANITypes] NANPA Number Resource Info, "ANI Assignments".

   [RFC1994]  Simpson, W., "PPP Challenge Handshake Authentication
              Protocol (CHAP)", RFC 1994, August 1996.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, June 2000.

   [RFC3162]  Aboba, B., Zorn, G., and D. Mitton, "RADIUS and IPv6",
              RFC 3162, August 2001.

   [RFC3516]  Nerenberg, L., "IMAP4 Binary Content Extension", RFC 3516,
              April 2003.

   [RFC3539]  Aboba, B. and J. Wood, "Authentication, Authorization and
              Accounting (AAA) Transport Profile", RFC 3539, June 2003.

   [RFC5777]  Korhonen, J., Tschofenig, H., Arumaithurai, M., Jones, M.,
              and A. Lior, "Traffic Classification and Quality of
              Service (QoS) Attributes for Diameter", RFC 5777,
              February 2010.

   [RFC6733]  Fajardo, V., Arkko, J., Loughney, J., and G. Zorn,
              "Diameter Base Protocol", RFC 6733, October 2012.

9.2.  Informative References

   [ARAP]     Apple Computer, "Apple Remote Access Protocol (ARAP)
              Version 2.0 External Reference Specification", R0612LL/B,
              September 1994.

   [AVP-Codes]
              IANA, "IANA AAA AVP Codes Registry".

   [AVP-Vals] IANA, "IANA AAA AVP Specific Values".

   [App-Ids]  IANA, "IANA AAA Application IDs Registry".

   [AppleTalk]
              Sidhu, G., Andrews, R., and A. Oppenheimer, "Inside
              AppleTalk", Second Edition, Apple Computer, 1990.

   [BASE]     Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J.
              Arkko, "Diameter Base Protocol", RFC 3588, September 2003.

   [Command-Codes]
              IANA, "IANA AAA Command Codes Registry".

   [IANA]     IANA, "Internet Assigned Numbers Authority".

   [IPX]      Novell, Inc., "NetWare System Technical Interface
              Overview", #883-000780-001, June 1989.

   [ISO.8859-1.1987]
              International Organization for Standardization,
              "Information technology - 8-bit single byte coded graphic
              character sets - Part 1: Latin alphabet No. 1, JTC1/SC2",
              ISO Standard 8859-1, 1987.

   [LAT]      Digital Equipment Corp., "Local Area Transport (LAT)
              Specification V5.0", AA-NL26A-TE, June 1989.

   [RADIUSAttrVals]
              IANA, "IANA RADIUS Attribute Values Registry".

   [RFC1334]  Lloyd, B. and W. Simpson, "PPP Authentication Protocols",
              RFC 1334, October 1992.

   [RFC1661]  Simpson, W., "The Point-to-Point Protocol (PPP)", STD 51,
              RFC 1661, July 1994.

   [RFC1990]  Sklower, K., Lloyd, B., McGregor, G., Carr, D., and T.
              Coradetti, "The PPP Multilink Protocol (MP)", RFC 1990,
              August 1996.

   [RFC2474]  Nichols, K., Blake, S., Baker, F., and D. Black,
              "Definition of the Differentiated Services Field (DS
              Field) in the IPv4 and IPv6 Headers", RFC 2474,
              December 1998.

   [RFC2548]  Zorn, G., "Microsoft Vendor-specific RADIUS Attributes",
              RFC 2548, March 1999.

   [RFC2597]  Heinanen, J., Baker, F., Weiss, W., and J. Wroclawski,
              "Assured Forwarding PHB Group", RFC 2597, June 1999.

   [RFC2637]  Hamzeh, K., Pall, G., Verthein, W., Taarud, J., Little,
              W., and G. Zorn, "Point-to-Point Tunneling Protocol",
              RFC 2637, July 1999.

   [RFC2866]  Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.

   [RFC2867]  Zorn, G., Aboba, B., and D. Mitton, "RADIUS Accounting
              Modifications for Tunnel Protocol Support", RFC 2867,
              June 2000.

   [RFC2868]  Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege,
              M., and I. Goyret, "RADIUS Attributes for Tunnel Protocol
              Support", RFC 2868, June 2000.

   [RFC2869]  Rigney, C., Willats, W., and P. Calhoun, "RADIUS
              Extensions", RFC 2869, June 2000.

   [RFC2881]  Mitton, D. and M. Beadles, "Network Access Server
              Requirements Next Generation (NASREQNG) NAS Model",
              RFC 2881, July 2000.

   [RFC2989]  Aboba, B., Calhoun, P., Glass, S., Hiller, T., McCann, P.,
              Shiino, H., Walsh, P., Zorn, G., Dommety, G., Perkins, C.,
              Patil, B., Mitton, D., Manning, S., Beadles, M., Chen, X.,
              Sivalingham, S., Hameed, A., Munson, M., Jacobs, S., Lim,
              B., Hirschman, B., Hsu, R., Koo, H., Lipford, M.,
              Campbell, E., Xu, Y., Baba, S., and E. Jaques, "Criteria
              for Evaluating AAA Protocols for Network Access",
              RFC 2989, November 2000.

   [RFC3169]  Beadles, M. and D. Mitton, "Criteria for Evaluating
              Network Access Server Protocols", RFC 3169,
              September 2001.

   [RFC3246]  Davie, B., Charny, A., Bennet, J., Benson, K., Le Boudec,
              J., Courtney, W., Davari, S., Firoiu, V., and D.
              Stiliadis, "An Expedited Forwarding PHB (Per-Hop
              Behavior)", RFC 3246, March 2002.

   [RFC3454]  Hoffman, P. and M. Blanchet, "Preparation of
              Internationalized Strings ("stringprep")", RFC 3454,
              December 2002.

   [RFC3580]  Congdon, P., Aboba, B., Smith, A., Zorn, G., and J. Roese,
              "IEEE 802.1X Remote Authentication Dial In User Service
              (RADIUS) Usage Guidelines", RFC 3580, September 2003.

   [RFC3931]  Lau, J., Townsley, M., and I. Goyret, "Layer Two Tunneling
              Protocol - Version 3 (L2TPv3)", RFC 3931, March 2005.

   [RFC4072]  Eronen, P., Hiller, T., and G. Zorn, "Diameter Extensible
              Authentication Protocol (EAP) Application", RFC 4072,
              August 2005.

   [RFC4301]  Kent, S. and K. Seo, "Security Architecture for the
              Internet Protocol", RFC 4301, December 2005.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

Appendix A.  Acknowledgements

A.1.  This Document

   The vast majority of the text in this document was taken directly
   from RFC 4005; the editor owes a debt of gratitude to the authors
   thereof (especially Dave Mitton, who somehow managed to make nroff
   paginate the AVP Occurrence Tables correctly!).

   Thanks (in no particular order) to Jai-Jin Lim, Liu Hans, Sebastien
   Decugis, Jouni Korhonen, Mark Jones, Hannes Tschofenig, Dave Crocker,
   David Black, Barry Leiba, Peter Saint-Andre, Stefan Winter and Lionel
   Morand for their useful reviews and helpful comments.

A.2.  RFC 4005

   The authors would like to thank Carl Rigney, Allan C. Rubens, William
   Allen Simpson, and Steve Willens for their work on the original
   RADIUS protocol, from which many of the concepts in this
   specification were derived.  Thanks, also, to Carl Rigney for
   [RFC2866] and [RFC2869]; Ward Willats for [RFC2869]; Glen Zorn,
   Bernard Aboba, and Dave Mitton for [RFC2867] and [RFC3162]; and Dory
   Leifer, John Shriver, Matt Holdrege, Allan Rubens, Glen Zorn and
   Ignacio Goyret for their work on [RFC2868].  This document stole text
   and concepts from both [RFC2868] and [RFC2869].  Thanks go to Carl
   Williams for providing IPv6-specific text.

   The authors would also like to acknowledge the following people for
   their contributions in the development of the Diameter protocol:
   Bernard Aboba, Jari Arkko, William Bulley, Kuntal Chowdhury, Daniel
   C. Fox, Lol Grant, Nancy Greene, Jeff Hagg, Peter Heitman, Paul
   Krumviede, Fergal Ladley, Ryan Moats, Victor Muslin, Kenneth Peirce,
   Sumit Vakil, John R. Vollbrecht, and Jeff Weisberg.

   Finally, Pat Calhoun would like to thank Sun Microsystems, as most of
   the effort put into this document was done while he was in their
   employ.

Author's Address

   Glen Zorn (editor)
   Network Zen
   227/358 Thanon Sanphawut
   Bang Na, Bangkok 10260
   Thailand

   Phone: +66 (0)8-1000-4155
   EMail: glenzorn@gmail.com