Internet Draft                                            Pat R. Calhoun
Category: Experimental                           US Robotics Access Corp.
expires in six months                                          July 1996


        Enhanced Remote Authentication Dial In User Service (RADIUS)
                       Resource Management Extension


Status of this Memo

   Distribution of this memo is unlimited.

   This document is an Internet-Draft.  Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups.  Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as ``work in progress.''

   To learn the current status of any Internet-Draft, please check the
   ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
   Directories on ds.internic.net (US East Coast), nic.nordu.net
   (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).

Abstract

   This specification defines an extension to the Enhanced RADIUS
   protocol [1].  This extension provides the ability for a RADIUS
   server to manage a pool of resources.

Calhoun                                                         [Page 1]

DRAFT                Resource Management Extension             July 1996

1. Introduction

   The RADIUS Resource Management extensions are intended to allow the
   RADIUS server to manage a set of resources.  This document does not
   specify which resources may be managed by a RADIUS server, since this
   is vendor specific.  However, it is envisioned that the RADIUS server
   be able to manage IP address pools in order to make use of the
   valuable address space.

2. Command Name and Command Code

   Command Name: Resource-Free-Request         Command Code: 261
   Command Name: Resource-Free-Response        Command Code: 262
   Command Name: Query-Resource-Request        Command Code: 263
   Command Name: Query-Resource-Response       Command Code: 264
   Command Name: Query-Reclaim-Request         Command Code: 265
   Command Name: Query-Reclaim-Response        Command Code: 266

3. Command Meanings

3.1 Resource-Free-Request

   Description

      Resource-Free-Request packets are sent by the NAS to the RADIUS
      Server, and provide information on specific resources which have
      been released.  Since a NAS cannot predict what resources will be
      managed by the RADIUS Server, it is desirable that the NAS return
      ALL of the attributes which were part of the Access-Accept.  This
      flexibility will allow a RADIUS Server to manage widgets, should
      that be necessary in the future.

      Upon receipt of a Resource-Free-Request, a RADIUS Server MUST
      reply with a response.  This response MAY be either a
      Resource-Free-Response if resource management is supported, or a
      Command-Unrecognized packet if it is not.  If the RADIUS Server
      does support Resource Management, it SHOULD then release any
      resources at this point.

      The NAS should only return this message to the RADIUS Server if a
      Terminate-Action attribute was sent in the original Access-Accept
      with a value of 2.

      A summary of the Resource-Free-Request packet format is shown
      below.  The fields are transmitted from left to right.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |     Flags     |  Ver  |        Command        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Identifier          |             Length            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                         Authenticator                         |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                     Message Integrity Code                    |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Attributes ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-

   Code

      254 for Enhanced RADIUS.

   Flags

      The Flag field is used as defined in [1].

   Version

      MUST be set to 2.

   Command

      261 for Resource-Free-Request.

   Identifier

      The Identifier field MUST be changed whenever the content of the
      Attributes field changes, and whenever a valid reply has been
      received for a previous request.  For retransmissions, the
      Identifier MAY remain unchanged.

   Authenticator

      The Authenticator field is a random 16 octet value.  If the
      Timestamp option is supported, the first four octets contain a
      timestamp of when the packet was sent from the peer.

   Message Integrity Code

      This field contains an MD5 hash of the following:

         MD5( packet | Shared Secret )

   Attributes

      The Attribute field is variable in length, and contains a list of
      zero or more Attributes.

3.2 Resource-Free-Response

   Description

      Resource-Free-Response packets are sent by the RADIUS server to
      the NAS to acknowledge that a specific resource has been freed.
      The RADIUS server is responsible for releasing any resources which
      are attached via the attributes.

      The Resource-Free-Response packets SHOULD NOT include any of the
      attributes which were included in the request packet.

      A summary of the Resource-Free-Response packet format is shown
      below.  The fields are transmitted from left to right.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |     Flags     |  Ver  |        Command        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Identifier          |             Length            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                         Authenticator                         |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                     Message Integrity Code                    |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Attributes ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-

   Code

      254 for Enhanced RADIUS.

   Flags

      The Flag field is used as defined in [1].

   Version

      MUST be set to 2.

   Command

      262 for Resource-Free-Response.

   Identifier

      The Identifier field is a copy of the Identifier field of the
      Resource-Free-Request which caused this Resource-Free-Response.

   Authenticator

      The Authenticator field is a random 16 octet value.  If the
      Timestamp option is supported, the first four octets contain a
      timestamp of when the packet was sent from the peer.

   Message Integrity Code

      This field contains an MD5 hash of the following:

         MD5( packet | Shared Secret )

3.3 Query-Resource-Request

   Description

      Query-Resource-Request packets are sent by the RADIUS server to
      the NAS.  Although this procedure SHOULD only be done at
      initialization time, it is certainly possible that an
      implementation sends regular Query-Resource-Requests.

      Upon receipt of a Query-Resource-Request, a NAS MUST reply with a
      response.  This response MAY be either a Query-Resource-Response
      if resource management is supported, or a Command-Unrecognized
      packet if it is not.  A RADIUS Server MUST support NAS' which do
      not support Enhanced RADIUS, which would simply silently ignore
      the Query-Resource-Request.
      The initial Resource-Query-Request MUST contain a Packet-Index
      attribute with a value of zero (see the attribute definition for
      more information).  However, if a Query-Resource-Response is
      received with a Packet-Index attribute with a non-zero value, the
      Server MUST send another Query-Resource-Request with the
      Packet-Index attribute value set to the value which was received
      in the response.  A response with the Packet-Index attribute value
      set to zero indicates that the transaction is complete.

      If the RADIUS Server times out before receiving any responses, it
      MAY assume that there are no NAS' on the network, or that the NAS'
      do not support Enhanced RADIUS, at which point it may retry
      periodically or give up and expect an Access-Request (this is
      implementation specific).

      A summary of the Query-Resource-Request packet format is shown
      below.  The fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |     Flags     |  Ver  |        Command        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Identifier          |             Length            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                         Authenticator                         |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                     Message Integrity Code                    |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Attributes ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-

   Code

      254 for Enhanced RADIUS.

   Flags

      The Flag field is used as defined in [1].

   Version

      MUST be set to 2.

   Command

      263 for Query-Resource-Request.

   Identifier

      The Identifier field MUST be changed whenever the content of the
      Attributes field changes, and whenever a valid reply has been
      received for a previous request.  For retransmissions, the
      Identifier MAY remain unchanged.
   Authenticator

      The Authenticator field is a random 16 octet value.  If the
      Timestamp option is supported, the first four octets contain a
      timestamp of when the packet was sent from the peer.

   Message Integrity Code

      This field contains an MD5 hash of the following:

         MD5( packet | Shared Secret )

   Attributes

      The Attribute field is variable in length, and contains a list of
      zero or more Attributes.

3.4 Query-Resource-Response

   Description

      Upon receipt of a request, each NAS is responsible for responding
      with all Access-Accept packets which were previously received and
      for which the session is still active.  In order to attach the
      packets, the Resource-Attached attribute MUST be used (see below).

      Since many Access-Accept packets may be returned within one
      Resource-Query-Response, it is likely that the total packet length
      exceeds the interface's MTU.  The NAS MUST NOT send packets which
      exceed the MTU; therefore, once the maximum packet length has been
      reached, the Packet-Index attribute's value MUST be set to a value
      which the NAS could use on a further request to return the rest of
      the information.  When the RADIUS Server receives a response with
      the Packet-Index set to a non-zero value, it MUST send another
      Query-Resource-Request with the Packet-Index set to the value
      which was set in the response.

      When the RADIUS Server receives a Query-Resource-Response from the
      NAS with a Packet-Index attribute with a value of zero, it MUST
      assume that the NAS has no data left and should NOT send another
      Query-Resource-Request.

      A summary of the Query-Resource-Response packet format is shown
      below.  The fields are transmitted from left to right.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |     Flags     |  Ver  |        Command        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Identifier          |             Length            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                         Authenticator                         |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                     Message Integrity Code                    |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Attributes ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-

   Code

      254 for Enhanced RADIUS.

   Flags

      The Flag field is used as defined in [1].

   Version

      MUST be set to 2.

   Command

      264 for Query-Resource-Response.

   Identifier

      The Identifier field is a copy of the Identifier field of the
      Query-Resource-Request which caused this Query-Resource-Response.

   Authenticator

      The Authenticator field is a random 16 octet value.  If the
      Timestamp option is supported, the first four octets contain a
      timestamp of when the packet was sent from the peer.

   Message Integrity Code

      This field contains an MD5 hash of the following:

         MD5( packet | Shared Secret )

   Attributes

      The Attribute field is variable in length, and contains a list of
      zero or more Attributes.

3.5 Resource-Reclaim-Request

   Description

      Resource-Reclaim-Request packets are sent by the RADIUS server to
      the NAS to request that a previously allocated resource be freed
      immediately.  This allows an administrator to free used resources
      from the RADIUS server without any manual intervention on the NAS.

      The Resource-Reclaim-Request message should include all previously
      allocated resources, including the NAS-IP-Address and NAS-Port-Id
      attributes which were included in the request packet.
      It is assumed that if all of the attributes which were in the
      Access-Accept are present in this packet, then the RADIUS Server
      is requesting that the NAS disconnect the user.

      A summary of the Resource-Reclaim-Request packet format is shown
      below.  The fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |     Flags     |  Ver  |        Command        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Identifier          |             Length            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                         Authenticator                         |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                     Message Integrity Code                    |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Attributes ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-

   Code

      254 for Enhanced RADIUS.

   Flags

      The Flag field is used as defined in [1].

   Version

      MUST be set to 2.

   Command

      265 for Resource-Reclaim-Request.

   Identifier

      The Identifier field MUST be changed whenever the content of the
      Attributes field changes, and whenever a valid reply has been
      received for a previous request.  For retransmissions, the
      Identifier MAY remain unchanged.

   Authenticator

      The Authenticator field is a random 16 octet value.  If the
      Timestamp option is supported, the first four octets contain a
      timestamp of when the packet was sent from the peer.

   Message Integrity Code

      This field contains an MD5 hash of the following:

         MD5( packet | Shared Secret )

   Attributes

      The Attribute field is variable in length, and contains a list of
      zero or more Attributes.

3.6 Resource-Reclaim-Response

   Description

      Resource-Reclaim-Response packets are sent by the NAS to the
      RADIUS server to acknowledge the reception of the
      Resource-Reclaim-Request.
      The RADIUS Server MUST however wait for a Resource-Free-Request
      from the NAS before flagging the resources as available.

      The Resource-Reclaim-Response message should include the
      NAS-IP-Address and NAS-Port-Id attributes which were included in
      the request packet.

      A summary of the Resource-Reclaim-Response packet format is shown
      below.  The fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |     Flags     |  Ver  |        Command        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Identifier          |             Length            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                         Authenticator                         |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                     Message Integrity Code                    |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Attributes ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-

   Code

      254 for Enhanced RADIUS.

   Flags

      The Flag field is used as defined in [1].

   Version

      MUST be set to 2.

   Command

      266 for Resource-Reclaim-Response.

   Identifier

      The Identifier field is a copy of the Identifier field of the
      Resource-Reclaim-Request which caused this
      Resource-Reclaim-Response.

   Authenticator

      The Authenticator field is a random 16 octet value.  If the
      Timestamp option is supported, the first four octets contain a
      timestamp of when the packet was sent from the peer.

   Message Integrity Code

      This field contains an MD5 hash of the following:

         MD5( packet | Shared Secret )

   Attributes

      The Attribute field is variable in length, and contains a list of
      zero or more Attributes.

4. Attribute Name and Attribute Code

   Attribute Name: Number-Of-Sessions          Attribute Code: 260
   Attribute Name: Packet-Index                Attribute Code: 261
   Attribute Name: Resource-Attached           Attribute Code: 262

5. Attribute Meanings

5.1 Number-Of-Sessions

   Description

      This Attribute is available for internal RADIUS server use only.
      This attribute indicates to the RADIUS server the number of active
      sessions a user may have at any given time.  This attribute should
      not be added to the Access-Accept message.

      It is assumed that if this field is not present in the user
      definition, the number of active sessions is set to 1.

5.2 Packet-Index

   Description

      This attribute is used in conjunction with the Resource Query
      mechanism and allows for packets greater than the MTU size.  In
      the original Resource-Query-Request, this attribute should be
      present with a value of zero.  Upon receipt of a Resource Query
      Response command, the RADIUS server must check if the attribute is
      still set to zero.  If the value is non-zero, the RADIUS server
      MUST return a Resource Query Request with a Packet-Index value
      equal to the value which was set in the response.  Upon receipt of
      a zero, the RADIUS Server MUST assume that this is the last
      packet.

      The value of the Packet-Index attribute is NAS specific and is not
      discussed further.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                         Attribute Type                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             Length            |     Flags     |   Value ...   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      261 for Packet-Index

   Length

      >= 3

   Flags

      The Flags field SHOULD be set to 1 (the attribute MUST be
      supported by the receiving device).  Of course, the attribute
      would only be supported if the implementation supported resource
      management.

   Value

      The integer contains a value which is set by the NAS in order to
      keep track of which Access-Accepts have already been sent to the
      RADIUS server.
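The Query-Resource exchange of sections 3.3, 3.4 and 5.2 worked through as an added example; this code is not from the draft or any implementation of it. It assumes the attribute layout Type (4 octets), Length (2), Flags (1), Value with Length counting everything after Type, takes the position of the next stored Access-Accept as the NAS-specific Packet-Index value, and bounds the server's polling loop, which the draft leaves open.

```python
import struct

# Attribute codes from section 4 of the draft; Flags 1 = "MUST be supported".
PACKET_INDEX = 261
RESOURCE_ATTACHED = 262
FLAG_MUST_SUPPORT = 1
# Assumption: Length counts the Length, Flags and Value octets (hence
# "Length >= 3") but not the 4-octet Type.
HDR = struct.Struct("!IHB")   # Attribute Type (4) | Length (2) | Flags (1)


def encode_attr(attr_type, value):
    """Serialise one attribute as Type | Length | Flags | Value."""
    return HDR.pack(attr_type, HDR.size - 4 + len(value), FLAG_MUST_SUPPORT) + value


def decode_attrs(data):
    """Parse a run of attributes, refusing truncated or inconsistent lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < HDR.size:
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, length, flags = HDR.unpack_from(data, pos)
        end = pos + 4 + length
        if length < 3 or end > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (length, pos))
        attrs.append((attr_type, flags, data[pos + HDR.size:end]))
        pos = end
    return attrs


def nas_query_response(accepts, packet_index, budget):
    """NAS side: attribute bytes of one Query-Resource-Response; packet_index is
    this NAS's cursor (the position of the next stored Access-Accept), and the
    budget is the MTU less the fixed packet header."""
    if not 0 <= packet_index <= len(accepts):
        raise ValueError("unknown Packet-Index %d" % packet_index)
    reserve = HDR.size + 4               # room kept for the Packet-Index attribute
    out, size, i = [], 0, packet_index
    while i < len(accepts):
        attached = encode_attr(RESOURCE_ATTACHED, accepts[i])
        if size + len(attached) + reserve > budget:
            if i == packet_index:        # nothing fits: fail rather than loop forever
                raise ValueError("Access-Accept %d exceeds the MTU budget" % i)
            break
        out.append(attached)
        size += len(attached)
        i += 1
    next_index = i if i < len(accepts) else 0   # 0 tells the server we are done
    out.append(encode_attr(PACKET_INDEX, struct.pack("!I", next_index)))
    return b"".join(out)


def server_collect(send_query, budget, max_rounds=64):
    """Server side: poll with Query-Resource-Request until Packet-Index is 0.
    send_query(index, budget) stands in for one request/response round trip;
    max_rounds keeps a NAS that never returns 0 from being polled forever."""
    collected, index = [], 0
    for rounds in range(1, max_rounds + 1):
        attrs = decode_attrs(send_query(index, budget))
        indexes = [v for t, _, v in attrs if t == PACKET_INDEX]
        if len(indexes) != 1 or len(indexes[0]) != 4:
            raise ValueError("response must carry exactly one 4-octet Packet-Index")
        collected.extend(v for t, _, v in attrs if t == RESOURCE_ATTACHED)
        index = struct.unpack("!I", indexes[0])[0]
        if index == 0:
            return collected, rounds
    raise RuntimeError("NAS did not finish within %d rounds" % max_rounds)


# Constructed stand-ins for stored Access-Accept packets, 20 octets each.
SAMPLE_ACCEPTS = [("Access-Accept#%d" % i).ljust(20).encode() for i in range(5)]
```

With a 70-octet budget each response carries two 27-octet Resource-Attached attributes plus the 11-octet Packet-Index, so the five sample Access-Accepts come back in three rounds.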
5.3 Resource-Attached

   Description

      This attribute indicates that the value attached is a previously
      received Access-Accept.  This attribute is used with the Resource
      Query Response in order for the NAS to return the previously
      allocated resources.  It is likely that more than one of these
      attributes will exist in a Resource Query Response.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                         Attribute Type                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             Length            |     Flags     |   Value ...   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      262 for Resource-Attached

   Length

      >= 3

   Flags

      The Flags field SHOULD be set to 1 (the attribute MUST be
      supported by the receiving device).  Of course, the attribute
      would only be supported if the implementation supported resource
      management.

   String

      The String field is one or more octets.  The value is an
      Access-Accept packet.

6. Motivation

   With the large demand for the leasing of dial-up ports and access to
   corporate backbone networks, it is necessary for a central registry
   to maintain an address pool.  In the past, this was mostly done by
   the NAS, but with the above scenarios there are now multiple pools
   to deal with.  One way would be to pre-configure in the NAS' all of
   the possible address pools.  However, this is not only very wasteful
   but is a deployment nightmare for service providers.

   Since the protocol can manage any resource, another possible pool
   would be a user's simultaneous logins.  This would allow service
   providers the ability to limit the number of concurrent logins based
   on the user's service profile (i.e. more than one if Multi-Link is
   enabled for the user).
   This also resolves the problem with service providers who charge a
   flat fee for unlimited usage, where a user can distribute his/her
   username and password and end up tying up dial-up ports.

   The method which is most commonly used today is for the RADIUS
   server to make use of the STOP accounting record in order to
   determine when the user has been disconnected.  This solution is
   unfortunately not suitable in installations where the accounting and
   operations departments are physically separate, and so are the
   accounting and authentication RADIUS servers.  This solution will
   allow the authentication server to determine when a session has been
   released.

   Since it is quite likely that a RADIUS server would lose its
   internal database of allocated resources should a crash occur (or
   power outage), a mechanism should exist which would allow the RADIUS
   server to rebuild the information.  The Resource Query mechanism
   described in this document will allow the RADIUS server to poll all
   of its clients in order to determine what has already been
   allocated.

   Note that for large networks with resilient Enhanced RADIUS Servers,
   it is required that a distributed database be used as a back-end to
   the RADIUS Server.

7. Description (or Implementation Rules)

   Upon a call termination, a Resource-Free Message is generated by the
   NAS to the RADIUS Server and MUST contain all of the attributes
   which were attached in the Access-Accept.

   In order to support the fact that a NAS may reboot, if a RADIUS
   Server receives a NAS-Reboot message it MUST assume that all
   resources currently allocated to that NAS MUST be freed.

   The RADIUS Server now requires a special state for each of its
   configured clients.  This state will indicate whether the client has
   responded to the Resource-Query-Request which was sent out when the
   RADIUS Server rebooted.
   If the RADIUS Server receives an Access-Request from a client which
   did NOT respond to the Query message, the RADIUS server MAY send a
   Resource-Query-Request to the client in order to retrieve any
   resources that may have been already allocated.  If it is determined
   that the NAS supports Enhanced RADIUS and the resource management
   extension, then the RADIUS server should only respond to
   Access-Requests if it has received a Resource-Query-Response from
   the requesting NAS.  If the Access-Request received is in the
   version 1 format, the RADIUS Server SHOULD NOT send the Query
   message.

   A NAS MUST respond to a Resource-Query-Request with all of the
   resources which were allocated to it via the RADIUS Server.  In
   order to do this, the NAS SHOULD return all Access-Accept messages
   in the response.  Since response packets may be greater than the
   MTU, the Packet-Index attribute allows the protocol to send multiple
   request/response pairs.  This will allow a RADIUS Server, which may
   have crashed, to recover and to be able to identify what resources
   have been allocated.

8. References

   [1] Rigney, et alia, "RADIUS Authentication", Internet-Draft,
       draft-ietf-radius-radius-02.txt, Livingston, May 1996.

   [2] Calhoun, Rubens, "Enhanced RADIUS", Internet-Draft,
       draft-calhoun-enh-radius-00.txt, US Robotics Access Corp.,
       June 1996.

   [3] Calhoun, "Enhanced RADIUS Protocol Extension Specifications",
       Internet-Draft, draft-calhoun-radius-ext-00.txt, US Robotics
       Access Corp., June 1996.
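The implementation rules of section 7 as a server-side state machine, added here as an example and not code from the draft: an Access-Request from an Enhanced RADIUS client that has not answered the query triggers the Query-Resource-Request first, Resource-Free-Request and NAS-Reboot release addresses, and Resource-Reclaim-Response releases nothing. The address pool, the dict representation of Access-Accepts and the refusal to accept one address reported by two clients are this example's own assumptions.

```python
from dataclasses import dataclass, field

# Terminate-Action 2: per section 3.1, the NAS then reports call termination
# with a Resource-Free-Request.
TERMINATE_ACTION_RESOURCE_FREE = 2

@dataclass
class ClientState:
    queried: bool = False                         # answered our Query-Resource-Request
    sessions: dict = field(default_factory=dict)  # NAS-Port-Id -> Access-Accept attrs

class ResourceServer:
    """Section 7 state for one pool of Framed-IP-Addresses.  Access-Accepts are
    dicts of attribute name to value (an assumed representation); each handler
    returns the reply the server should send, or None when none is due."""

    def __init__(self, client_ips, addresses):
        self.clients = {ip: ClientState() for ip in client_ips}
        self.free = list(addresses)
        self.used = {}                            # address -> (nas, port)

    def on_access_request(self, nas, port, version=2):
        if version == 2 and not self.clients[nas].queried:
            # Ask an unheard-from Enhanced RADIUS NAS what it holds before allocating.
            return ("Query-Resource-Request", {"Packet-Index": 0})
        if not self.free:
            return ("Access-Reject", {})
        accept = {"NAS-IP-Address": nas, "NAS-Port-Id": port,
                  "Framed-IP-Address": self.free[0],
                  "Terminate-Action": TERMINATE_ACTION_RESOURCE_FREE}
        self._record(nas, accept)
        return ("Access-Accept", accept)

    def on_query_resource_response(self, nas, accepts, packet_index):
        for accept in accepts:                    # decoded Resource-Attached values
            self._record(nas, accept)
        if packet_index != 0:                     # NAS has more: fetch the next chunk
            return ("Query-Resource-Request", {"Packet-Index": packet_index})
        self.clients[nas].queried = True
        return None

    def on_resource_free_request(self, nas, attrs):
        self._release(nas, attrs["NAS-Port-Id"])
        return ("Resource-Free-Response", {})

    def on_resource_reclaim_response(self, nas, attrs):
        return None   # acknowledgement only; wait for the NAS's Resource-Free-Request

    def on_nas_reboot(self, nas):
        for port in list(self.clients[nas].sessions):
            self._release(nas, port)

    def _record(self, nas, accept):
        addr, port = accept["Framed-IP-Address"], accept["NAS-Port-Id"]
        holder = self.used.get(addr)
        if holder is not None and holder != (nas, port):
            raise ValueError("%s reported by %s but held by %s" % (addr, nas, holder))
        self._release(nas, port)                  # drop any stale record for this port
        if addr in self.free:
            self.free.remove(addr)
        self.used[addr] = (nas, port)
        self.clients[nas].sessions[port] = accept

    def _release(self, nas, port):
        accept = self.clients[nas].sessions.pop(port, None)
        if accept is not None:
            del self.used[accept["Framed-IP-Address"]]
            self.free.append(accept["Framed-IP-Address"])
```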