Internet Draft                                          Pat R. Calhoun
Category: Experimental                        US Robotics Access Corp.
expires in six months                                    Allan Rubens
                                                    Merit Network Inc.
                                                             June 1996

       Enhanced Remote Authentication Dial In User Service (RADIUS)

Status of this Memo

   Distribution of this memo is unlimited.

   This document is an Internet-Draft.  Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups.  Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as ``work in progress.''

   To learn the current status of any Internet-Draft, please check the
   ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
   Directories on ds.internic.net (US East Coast), nic.nordu.net
   (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific
   Rim).

Abstract

   This document describes a protocol for carrying authentication,
   authorization, and configuration information between a Network
   Access Server which desires to authenticate its links and a shared
   Authentication Server.  This enhanced protocol is a backward
   compatible protocol which attempts to solve many deficiencies with
   the existing protocol.

Calhoun                 expires in six months                  [Page 1]

DRAFT                      Enhanced RADIUS                    June 1996

1.  Introduction

   Enhanced RADIUS is an extension to the existing RADIUS specification
   [1].  This document in itself is not complete and should be used with
   the RADIUS Version 1 specification [1].  Since RADIUS Version 1 has a
   very limited number of available commands and attributes, the intent
   of the Enhanced RADIUS protocol is to allow for future protocol
   enhancements.  This document will describe the packet headers for the
   Enhanced RADIUS protocol as well as any commands and attributes which
   MUST be supported.
   An accompanying document will describe the documentation required in
   order to standardize any protocol extensions.

1.1.  Specification of Requirements

   In this document, several words are used to signify the requirements
   of the specification.  These words are often capitalized.

   MUST      This word, or the adjective "required", means that the
             definition is an absolute requirement of the specification.

   MUST NOT  This phrase means that the definition is an absolute
             prohibition of the specification.

   SHOULD    This word, or the adjective "recommended", means that there
             may exist valid reasons in particular circumstances to
             ignore this item, but the full implications must be
             understood and carefully weighed before choosing a
             different course.

   MAY       This word, or the adjective "optional", means that this
             item is one of an allowed set of alternatives.  An
             implementation which does not include this option MUST be
             prepared to interoperate with another implementation which
             does include the option.

1.2.  Terminology

   This document frequently uses the following terms:

   silently discard
             This means the implementation discards the packet without
             further processing.  The implementation SHOULD provide the
             capability of logging the error, including the contents of
             the silently discarded packet, and SHOULD record the event
             in a statistics counter.

2.  Packet Format

   Exactly one RADIUS packet is encapsulated in the UDP Data field [3],
   where the UDP Destination Port field indicates 1645.  When a reply is
   generated, the source and destination ports are reversed.

   A summary of the Enhanced RADIUS data format is shown below.  The
   fields are transmitted from left to right.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |  Flags  | Ver |           Command             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Identifier           |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                         Authenticator                         |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                    Message Integrity Code                     |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Attributes ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-

   Code

      The Code field is one octet, and identifies the type of RADIUS
      packet.  When a valid code is received, the packet format to use
      is as defined in the RADIUS V1 specification [1].  When a packet
      is received with an invalid Code field, it is silently discarded.

      When a code of 0xFE (254) is received, it identifies an Enhanced
      RADIUS packet as shown above, in which case the Command field is
      to be checked.  In this case the RADIUS Codes which follow (with
      the exception of 254) are passed in the Command field instead.

      RADIUS Codes (decimal) are assigned as follows:

         1    Access-Request
         2    Access-Accept
         3    Access-Reject
         4    Accounting-Request
         5    Accounting-Response
        11    Access-Challenge
        12    Status-Server (experimental)
        13    Status-Client (experimental)
       254    Enhanced RADIUS packet

   Flags

      The Flags field is five bits, and is used in order to identify any
      options.  This field MUST be set to zero unless any options are
      used.  The following flags are defined globally for all commands:

         0x1 - (Bit 12) TimeStamp is included in the Authenticator
               Field.

      Note that additional options in the Flag field may be defined per
      Command (see individual commands).

   Version

      The Version field is three bits, and indicates the version number
      which is associated with the packet received.  This field MUST be
      set to 2.
   Command

      The Command field is two octets, and identifies the type of RADIUS
      packet.  When a packet is received with an invalid Command field,
      a Command-Unrecognized message SHOULD be returned.

      RADIUS Commands (decimal), in addition to those shown above, are
      assigned as follows:

       256    Command-Unrecognized
       267    NAS-Reboot-Indication
       268    NAS-Reboot-Ack

   Identifier

      The Identifier field is two octets, and aids in matching requests
      and replies.

   Length

      The Length field is two octets.  It indicates the length of the
      packet including the header fields.  Octets outside the range of
      the Length field should be treated as padding and should be
      ignored on reception.

   Authenticator

      The Authenticator field is a random 16 octet value.  This field
      adds randomness to the packets and makes the guessing of the
      shared secret much more difficult for a malicious user.

      If the Timestamp option is supported, the first four octets
      contain a timestamp of when the packet was sent from the peer.
      This allows the protocol to detect replay attacks.  The Timestamp
      value is the current time relative to a base of 0:0:0 GMT January
      1, 1900.

   Message Integrity Code

      This field contains an MD5 hash of the following:

         MD5( packet | Shared Secret )

      When creating a message, the MIC must be set to all zeros before
      calculating the MD5 hash.  When receiving a message, the receiver
      must save the MIC, set the field to all zeros and perform the hash
      function.  The resulting value MUST be identical to the value
      which was in the message.

3.  Command Name and Command Code

   Command Name:  Command-Unrecognized
   Command Code:  256

   Command Name:  NAS-Reboot-Indication
   Command Code:  267

   Command Name:  NAS-Reboot-Ack
   Command Code:  268

4.  Command Meanings

   The Enhanced RADIUS Packet type is determined by the Command Code
   field in the second and third octets of the Packet.
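   The header layout and the MIC rule of Section 2, worked through as an
   added example that is not part of the draft.  build_packet,
   parse_header and verify_mic are this example's own helper names, and
   the flag bit positions follow the diagram above (Flags in the high
   five bits of the second octet, Version in the low three).

```python
# Added example (not from the draft): build, parse and verify the Enhanced
# RADIUS header of Section 2.  Helper names are this example's own.
import hashlib
import hmac
import os
import struct
import time

ENHANCED_CODE = 254
HEADER_LEN = 40        # Code(1) Flags/Ver(1) Command(2) Id(2) Length(2) Auth(16) MIC(16)
MIC_OFFSET = 24        # the MIC is the last 16 octets of the header
FLAG_TIMESTAMP = 0x1   # bit 12 of the first word: timestamp in the Authenticator
NTP_EPOCH_OFFSET = 2208988800   # seconds from 0:0:0 GMT 1 Jan 1900 to 1970

def build_packet(command, identifier, secret, attributes=b"", flags=0,
                 version=2, authenticator=None):
    """Return a complete packet whose MIC is MD5(packet | secret), computed
    with the MIC field zeroed as the draft requires."""
    if authenticator is None:
        authenticator = os.urandom(16)            # random 16 octets
        if flags & FLAG_TIMESTAMP:                # first 4 octets = timestamp
            stamp = (int(time.time()) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
            authenticator = struct.pack("!I", stamp) + authenticator[4:]
    # Flags are the high five bits of the second octet, Version the low three.
    flags_ver = ((flags & 0x1F) << 3) | (version & 0x07)
    length = HEADER_LEN + len(attributes)
    header = struct.pack("!BBHHH", ENHANCED_CODE, flags_ver, command,
                         identifier, length)
    body = header + authenticator + bytes(16) + attributes   # MIC zeroed
    mic = hashlib.md5(body + secret).digest()
    return body[:MIC_OFFSET] + mic + body[MIC_OFFSET + 16:]

def parse_header(packet):
    """Split the fixed 40-octet header into its fields (network byte order)."""
    code, flags_ver, command, identifier, length = struct.unpack(
        "!BBHHH", packet[:8])
    return {"code": code, "flags": flags_ver >> 3, "version": flags_ver & 0x07,
            "command": command, "identifier": identifier, "length": length,
            "authenticator": packet[8:24], "mic": packet[24:40]}

def verify_mic(packet, secret):
    """Receiver side: save the MIC, zero the field, rehash and compare."""
    if len(packet) < HEADER_LEN or packet[0] != ENHANCED_CODE:
        return False
    length = struct.unpack("!H", packet[6:8])[0]
    if length < HEADER_LEN or length > len(packet):
        return False                              # invalid Length field
    packet = packet[:length]                      # octets beyond Length are padding
    received = packet[MIC_OFFSET:MIC_OFFSET + 16]
    zeroed = packet[:MIC_OFFSET] + bytes(16) + packet[MIC_OFFSET + 16:]
    expected = hashlib.md5(zeroed + secret).digest()
    return hmac.compare_digest(received, expected)   # constant-time compare
```

   The draft's MIC is a plain MD5 over packet and secret, which the block
   follows as written; a receiver that also supports the Timestamp option
   would additionally compare the first four Authenticator octets against
   its clock before accepting the packet.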
   This section will not describe the RADIUS packets already defined in
   [1].

4.1.  Command-Unrecognized

   Description

      Command-Unrecognized packets are sent by the NAS or the RADIUS
      server to inform its peer that a previous packet received is
      unrecognized.  Since there certainly will exist a case where an
      existing device does not support a new extension to the Enhanced
      RADIUS protocol, a device which receives a packet with an
      unrecognized Command code SHOULD return a Command-Unrecognized
      packet.  For backward compatibility with RADIUS Version 1, a
      device MUST support the fact that its peer may silently discard
      the packet.

      A summary of the Command-Unrecognized packet format is shown
      below.  The fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |  Flags  | Ver |           Command             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Identifier           |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                         Authenticator                         |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                    Message Integrity Code                     |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Code

      254 for Enhanced RADIUS.

   Flags

      The Flag field is used as described above.

   Version

      MUST be set to 2.

   Command

      256 for Command-Unrecognized.

   Identifier

      The Identifier field is a copy of the Identifier field of the
      packet which caused this event.

   Length

      The total length of the message, including this header.

   Authenticator

      The Authenticator field is a random 16 octet value.  If the
      Timestamp option is supported, the first four octets contain a
      timestamp of when the packet was sent from the peer.
   Message Integrity Code

      This field contains an MD5 hash of the following:

         MD5( packet | Shared Secret )

4.2.  NAS-Reboot-Indication

   Description

      The NAS-Reboot-Indication message is sent from the NAS to the
      RADIUS Server in order for the NAS to inform the local server that
      it has rebooted.  The server MUST respond to the message with a
      successful acknowledge, indicating its version.

      This message is used by both the NAS and the RADIUS Server in
      order to exchange the protocol version numbers which each
      supports.  The NAS MUST insert the highest version number which it
      supports.  The RADIUS Server must respond with the highest version
      which it supports, but may not be higher than the version number
      requested by the NAS.

      In the case of a proxy server, the proxy is responsible for
      inserting the highest version number which it supports in the
      version field before sending the proxy request to the remote
      RADIUS server.  The proxy server may then retain the version
      number of the remote server as received in the response, and must
      insert its highest version number (with the limitations described
      above) in the response to the NAS.  The Server may discard this
      information if it wishes to do so, however it is envisioned that
      the Server would retain the NAS' and remote RADIUS server's
      version numbers to retain backward and forward protocol
      compatibility.

      A NAS MUST support the fact that it may not receive an acknowledge
      to this message if the RADIUS Server does not support this version
      of the protocol.  In this case, if no acknowledge was received, it
      must default to version 1 messages as described in [1].

      If a NAS is configured to communicate with more than one RADIUS
      server it MUST issue NAS-Reboot-Indications to each such server.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |  Flags  | Ver |           Command             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Identifier           |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                         Authenticator                         |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                    Message Integrity Code                     |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Code

      254 for Enhanced RADIUS.

   Flags

      The Flag field is used as described above.

   Version

      The version field is used by the NAS to indicate the highest
      supported version of the RADIUS protocol.  This will allow the NAS
      and RADIUS Server to negotiate a version of the protocol to use
      between both peers.

   Command

      267 for NAS-Reboot-Indication.

   Identifier

      The Identifier field MUST be changed whenever the content of the
      Attributes field changes, and whenever a valid reply has been
      received for a previous request.  For retransmissions, the
      Identifier MAY remain unchanged.

   Length

      The total length of the message, including this header.

   Authenticator

      The Authenticator field is a random 16 octet value.  If the
      Timestamp option is supported, the first four octets contain a
      timestamp of when the packet was sent from the peer.

   Message Integrity Code

      This field contains an MD5 hash of the following:

         MD5( packet | Shared Secret )

4.3.  NAS-Reboot-Ack

   Description

      The NAS-Reboot-Ack message is sent from the RADIUS Server to the
      NAS to acknowledge the receipt of the NAS-Reboot-Indication
      message.  The Server MUST replace the version value in the version
      field with the highest version number which it supports, up to and
      including the version which was included in the version field of
      the NAS-Reboot-Indication.
      The NAS may wish to ignore the version number contained in the
      Version field, however it is envisioned that the NAS would retain
      this information to remove any backward compatibility problems
      with any future versions of the protocol.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |  Flags  | Ver |           Command             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Identifier           |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                         Authenticator                         |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                    Message Integrity Code                     |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Code

      254 for Enhanced RADIUS.

   Flags

      The Flag field is used as described above.

   Version

      The Version field is used by the RADIUS Server to inform the NAS
      of the highest version which it supports.  The Server MUST NOT
      insert a version which is higher than requested by the NAS.  The
      client MUST use the version which is reported by the Server.  If
      the NAS does not support the version returned by the Server, it
      should default to RADIUS V1.

   Command

      268 for NAS-Reboot-Ack.

   Identifier

      The Identifier field is a copy of the Identifier field of the
      packet which caused this event.

   Length

      The total length of the message, including this header.

   Authenticator

      The Authenticator field is a random 16 octet value.  If the
      Timestamp option is supported, the first four octets contain a
      timestamp of when the packet was sent from the peer.

   Message Integrity Code

      This field contains an MD5 hash of the following:

         MD5( packet | Shared Secret )

6.  Attributes

   RADIUS Attributes carry the specific authentication, authorization,
   information and configuration details for the request and reply.
   Some Attributes MAY be listed more than once.  The effect of this is
   Attribute specific, and is specified by each such Attribute
   description.

   The end of the list of Attributes is indicated by the length of the
   RADIUS packet.

   A summary of the Attribute format is shown below.  The fields are
   transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        Attribute Type         |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Flags     |              Vendor ID (optional)             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Vendor ID (opt)|  Value ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      The Type field is two octets.  RADIUS Version 1 reserves the
      lowest 256 attribute numbers.  Up-to-date values of the RADIUS
      Type field are specified in the most recent "Assigned Numbers" RFC
      [2].  Enhanced RADIUS Versions will use attribute numbers 257 and
      above.  Vendor Specific attributes reside within this space when
      the Vendor Specific bit is set (see flags).  This will allow up to
      65535 trouble-free vendor specific attributes (per vendor).

   Length

      The Length field is two octets, and indicates the length of this
      Attribute including the Type, Length, Flags, Vendor ID (if
      present) and Value fields.  If a packet is received with an
      invalid length, the packet SHOULD be rejected.

   Flags

      The Flags field indicates how the NAS or RADIUS Server MUST react
      to the attribute.  The following values are currently supported:

         1 -   The Device MUST support this attribute.  If the attribute
               is NOT supported, the device MUST reject the Command.  If
               this flag is not set, then the device MAY accept the
               command regardless of whether or not the particular
               attribute is recognized.

         128 - If this bit is set, the optional Vendor ID field will be
               present.
               When set, the attribute is a vendor specific attribute.

   Value

      The Value field is zero or more octets and contains information
      specific to the Attribute.  The format and length of the Value
      field is determined by the Type and Length fields.

      The format of the value field is one of five data types.

      string            0-65526 octets.

      address           32 bit value, most significant octet first.

      extended address  Address Length is determined from the Length
                        field, most significant octet first.  This is
                        required in order to support protocols which
                        require an address length greater than 32 bits
                        (i.e. IPNG).  Note that this type is
                        differentiated from the previous type by the
                        value of Length.

      integer           32 bit value, most significant octet first.

      time              32 bit value, most significant octet first --
                        seconds since 00:00:00 GMT, January 1, 1970.

References

   [1] Rigney, et al., "RADIUS Authentication", Internet-Draft,
       Livingston, May 1995.

   [2] Reynolds, J., and J. Postel, "Assigned Numbers", RFC 1700,
       USC/Information Sciences Institute, October 1994.

   [3] Postel, J., "User Datagram Protocol", RFC 768, USC/Information
       Sciences Institute, August 1980.

   [4] Calhoun, "Enhanced RADIUS Protocol Extension Specifications",
       Internet-Draft, US Robotics Access Corp., May 1996.
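   The attribute format of Section 6 (Type, Length, Flags, optional
   Vendor ID, Value), worked through as an added example that is not
   part of the draft: it encodes attributes, walks a received attribute
   list, enforces the Length and mandatory-flag rules, and tells an
   address from an extended address by length alone.  encode_attribute,
   parse_attributes and decode_address are this example's own helper
   names, and the attribute numbers and vendor ID used in the sample
   are constructed values.

```python
# Added example (not from the draft): encode and walk the Section 6 attribute
# list.  Helper names and sample attribute numbers are this example's own.
import ipaddress
import struct

FLAG_MANDATORY = 1      # device MUST support the attribute or reject the Command
FLAG_VENDOR = 128       # the optional Vendor ID field is present

def encode_attribute(atype, value, flags=0, vendor_id=None):
    """Type(2) Length(2) Flags(1) [Vendor ID(4)] Value; Length covers all."""
    vendor = b""
    if vendor_id is not None:
        flags |= FLAG_VENDOR
        vendor = struct.pack("!I", vendor_id)
    length = 5 + len(vendor) + len(value)
    return struct.pack("!HHB", atype, length, flags) + vendor + value

def parse_attributes(data, supported):
    """Return [(type, vendor_id, flags, value)] for the Attributes region.
    Raises ValueError when a Length is invalid (packet SHOULD be rejected) or
    a mandatory attribute is not in `supported` (Command MUST be rejected)."""
    attrs, offset = [], 0
    while offset < len(data):              # end of list = end of packet
        if len(data) - offset < 5:
            raise ValueError("truncated attribute header")
        atype, alen, flags = struct.unpack("!HHB", data[offset:offset + 5])
        head = 9 if flags & FLAG_VENDOR else 5   # fixed part incl. Vendor ID
        if alen < head or offset + alen > len(data):
            raise ValueError("invalid attribute length %d" % alen)
        vendor_id = None
        if flags & FLAG_VENDOR:
            vendor_id = struct.unpack("!I", data[offset + 5:offset + 9])[0]
        if flags & FLAG_MANDATORY and (atype, vendor_id) not in supported:
            raise ValueError("unsupported mandatory attribute %d" % atype)
        attrs.append((atype, vendor_id, flags, data[offset + head:offset + alen]))
        offset += alen
    return attrs

def decode_address(value):
    """'address' (4 octets) and 'extended address' (here 16 octets) are told
    apart only by the attribute Length, as the draft notes."""
    return str(ipaddress.ip_address(value))
```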