idnits 2.17.1 

draft-calhoun-diameter-authent-05.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate.  This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** Missing expiration date.  The document expiration date should appear on
     the first and last page.

  ** The document seems to lack a 1id_guidelines paragraph about
     Internet-Drafts being working documents. 

  ** The document seems to lack a 1id_guidelines paragraph about the list of
     current Internet-Drafts -- however, there's a paragraph with a matching
     beginning. Boilerplate error?

  ** The document seems to lack a 1id_guidelines paragraph about the list of
     Shadow Directories -- however, there's a paragraph with a matching
     beginning. Boilerplate error?

  == The page length should not exceed 58 lines per page, but there was 52
     longer pages, the longest (page 2) being 60 lines

  == It seems as if not all pages are separated by form feeds - found 0 form
     feeds but 53 pages


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack a Security Considerations section.

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The document seems to lack separate sections for Informative/Normative
     References.  All references will be assumed normative when checking for
     downward references.

  ** There is 1 instance of too long lines in the document, the longest one
     being 1 character in excess of 72.

  == There are 2 instances of lines with private range IPv4 addresses in the
     document.  If these are generic example addresses, they should be changed
     to use any of the ranges defined in RFC 6890 (or successor): 192.0.2.x,
     198.51.100.x or 203.0.113.x.

  ** The document seems to lack a both a reference to RFC 2119 and the
     recommended RFC 2119 boilerplate, even if it appears to use RFC 2119
     keywords. 

     RFC 2119 keyword, line 126: '...    MUST      This word, or the adject...'
     RFC 2119 keyword, line 130: '...    MUST NOT  This phrase means that t...'
     RFC 2119 keyword, line 133: '...    SHOULD    This word, or the adject...'
     RFC 2119 keyword, line 139: '...    MAY       This word, or the adject...'
     RFC 2119 keyword, line 141: '...hich does not include this option MUST...'
     (194 more instances...)


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- Couldn't find a document date in the document -- date freshness check
     skipped.


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Unused Reference: '4' is defined on line 2369, but no explicit reference
     was found in the text

  == Unused Reference: '11' is defined on line 2395, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 2138 (ref. '1') (Obsoleted by RFC 2865)

  == Outdated reference: A later version (-18) exists of
     draft-calhoun-diameter-08

  -- Possible downref: Normative reference to a draft: ref. '2' 

  ** Obsolete normative reference: RFC 2486 (ref. '3') (Obsoleted by RFC 4282)

  ** Downref: Normative reference to an Informational RFC: RFC 2477 (ref. '4')

  == Outdated reference: A later version (-03) exists of
     draft-calhoun-diameter-eap-01

  -- Possible downref: Normative reference to a draft: ref. '5' 

  -- Possible downref: Normative reference to a draft: ref. '6' 

  -- Possible downref: Non-RFC (?) normative reference: ref. '8'

  ** Obsolete normative reference: RFC 1717 (ref. '9') (Obsoleted by RFC 1990)

  == Outdated reference: A later version (-08) exists of
     draft-calhoun-diameter-res-mgmt-02

  -- Possible downref: Normative reference to a draft: ref. '10' 

  == Outdated reference: A later version (-09) exists of
     draft-calhoun-diameter-framework-01

  -- Possible downref: Normative reference to a draft: ref. '11' 


     Summary: 14 errors (**), 0 flaws (~~), 9 warnings (==), 8 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	INTERNET DRAFT                                            Pat R. Calhoun
3	Category: Standards Track                          Sun Microsystems, Inc.
4	Title: draft-calhoun-diameter-authent-05.txt              William Bulley
5	Date: February 1999                                  Merit Network, Inc.

7	                                DIAMETER
8	                     User Authentication Extensions

10	Status of this Memo

12	   This document is an individual contribution for consideration by the
13	   AAA Working Group of the Internet Engineering Task Force.  Comments
14	   should be submitted to the diameter@ipass.com mailing list.

16	   Distribution of this memo is unlimited.

18	   This document is an Internet-Draft and is in full conformance with
19	   all provisions of Section 10 of RFC2026.  Internet-Drafts are working
20	   documents of the Internet Engineering Task Force (IETF), its areas,
21	   and its working groups.  Note that other groups may also distribute
22	   working documents as Internet-Drafts.

24	   Internet-Drafts are draft documents valid for a maximum of six months
25	   and may be updated, replaced, or obsoleted by other documents at any
26	   time.  It is inappropriate to use Internet-Drafts as reference
27	   material or to cite them other than as "work in progress."

29	   The list of current Internet-Drafts can be accessed at:

31	      http://www.ietf.org/ietf/1id-abstracts.txt

33	   The list of Internet-Draft Shadow Directories can be accessed at:

35	      http://www.ietf.org/shadow.html.

37	Abstract

39	   DIAMETER is a Policy and AAA protocol which can be used for a variety
40	   of services. This document defines DIAMETER messages that are used
41	   for the authentication, authorization and accounting of users.

43	   A considerable amount of effort was put into the design of this
44	   protocol to ensure that an implementation could support both DIAMETER
45	   and RADIUS concurrently.

47	Table of Contents

49	   1.0 Introduction
50	       1.1 Specification of Requirements
51	   2.0 Command Codes
52	       2.1 AA-Request
53	       2.2 AA-Answer
54	       2.3 AA-Challenge-Ind
55	   3.0 DIAMETER AVPs
56	       3.1 User-Name
57	       3.2 User-Password
58	       3.3 CHAP-Password
59	       3.4 NAS-Port
60	       3.5 Service-Type
61	       3.6 Framed-Protocol
62	       3.7 Framed-IP-Address
63	       3.8 Framed-IP-Netmask
64	       3.9 Framed-Routing
65	       3.10 Filter-Id
66	       3.11 Framed-MTU
67	       3.12 Framed-Compression
68	       3.13 Login-IP-Host
69	       3.14 Login-Service
70	       3.15 Login-TCP-Port
71	       3.16 Reply-Message
72	       3.17 Callback-Number
73	       3.18 Callback-Id
74	       3.19 Framed-Route
75	       3.20 Framed-IPX-Network
76	       3.21 Idle-Timeout
77	       3.22 Called-Station-Id
78	       3.23 Calling-Station-Id
79	       3.24 Login-LAT-Service
80	       3.25 Login-LAT-Node
81	       3.26 Login-LAT-Group
82	       3.27 Framed-AppleTalk-Link
83	       3.28 Framed-AppleTalk-Network
84	       3.29 Framed-AppleTalk-Zone
85	       3.30 CHAP-Challenge
86	       3.31 NAS-Port-Type
87	       3.32 Port-Limit
88	       3.33 Login-LAT-Port
89	       3.34 Filter-Rule
90	       3.35 Framed-Password-Policy
91	       3.36 Table of Attributes
92	   4.0 Protocol Definition
93	       4.1 Feature Advertisement/Discovery
94	       4.2 Authorization Procedure
95	       4.3 Integration with Resource-Management
96	       4.4 RADIUS Proxies
97	       4.5 DIAMETER Proxies
98	       4.6 Domain Discovery
99	   5.0 References
100	   6.0 Acknowledgements
101	   7.0 Authors' Addresses

103	1.0  Introduction

105	   This document describes the DIAMETER User Authentication Extensions
106	   that can be used for a variety of services including Dial-up users
107	   via NAS, WWW User Authentication, Firewall User Authentication[5][6].

109	   This document describes Authentication/Authorization messages as well
110	   as a set of messages which allow DIAMETER hosts to bypass proxies.

112	   Since Most of the AVPs found in this document was copied from the
113	   RADIUS protocol[1], it is possible to have both RADIUS and DIAMETER
114	   servers read the same dictionary and users files. The backward
115	   compatibility that DIAMETER offers is intended to facilitate
116	   deployment.

118	   The Extension number for this draft is one (1). This value is used in
119	   the Extension-Id AVP as defined in [2].

121	1.1  Specification of Requirements

123	    In this document, several words are used to signify the requirements
124	    of the specification.  These words are often capitalized.

126	    MUST      This word, or the adjective "required", means that the
127	              definition is an absolute requirement of the
128	              specification.

130	    MUST NOT  This phrase means that the definition is an absolute
131	              prohibition of the specification.

133	    SHOULD    This word, or the adjective "recommended", means that
134	              there may exist valid reasons in particular circumstances
135	              to ignore this item, but the full implications must be
136	              understood and carefully weighed before choosing a
137	              different course.

139	    MAY       This word, or the adjective "optional", means that this
140	              item is one of an allowed set of alternatives.  An
141	              implementation which does not include this option MUST
142	              be prepared to interoperate with another implementation
143	              which does include the option.

145	2.0  Command Codes

147	   This document defines the following DIAMETER Commands. All DIAMETER
148	   implementations supporting this extension MUST support all of the
149	   following commands:

151	      Command Name          Command Code
152	      -----------------------------------
153	      AA-Request                263
154	      AA-Answer                 264
155	      AA-Challenge-Ind          265

157	2.1  AA-Request (AAR)

159	   Description

161	      The AA-Request message is used in order to request authentication
162	      and authorization for a given user.

164	      If Authentication is requested the User-Name attribute MUST be
165	      present. If only Authorization is required it is possible to
166	      authorize based on DNIS and ANI instead. However, it is not
167	      possible to authenticate using a User-Name AVP and later
168	      requesting authorization based on DNIS using the same Session-Id
169	      (although the inverse is legal).

171	      Note that the flag field MAY be used in this command in order to
172	      indicate that either Authentication-Only or Authorization-Only is
173	      required for the request. If the Authentication-Only bit is set
174	      the response MUST NOT include any authorization information. Both
175	      the Authenticate and Authorize bits MUST NOT be set at the same
176	      time. To ensure that a user is both authenticated and authorized,
177	      neither flag is set.

179	      The AA-Request message MUST include a unique Session-Id AVP. If
180	      The AA-Request is a result of a successful AA-Challenge-Ind the
181	      Session-Id MUST be identical to the one provided in the initial
182	      AA-Request.

184	   Message Format

186	      Section 3.36 contains a complete list of all valid AVPs for this
187	      message.

189	      <AA-Request> ::= <DIAMETER Header>
190	                       <AA-Request Command AVP>
191	                       <Session-Id AVP>
192	                       <Host-IP-Address AVP>
193	                       [<Host-Name AVP>]
194	                       [<Proxy-State AVP>]
195	                       [<Class AVP>]
196	                       [<State AVP>]
197	                       {<User-Name AVP> ||
198	                        <Called-Station-Id AVP }
199	                       <Miscellaneous AVPs>
200	                       <Timestamp AVP>
201	                       <Nonce AVP>
202	                       {<Integrity-Check-Vector AVP> ||
203	                        <Digital-Signature AVP }

205	   AVP Format

207	      A summary of the AA-Request packet format is shown below. The
208	      fields are transmitted from left to right.

210	       0                   1                   2                   3
211	       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
212	       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
213	       |                           AVP Code                            |
214	       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
215	       |          AVP Length           |     Reserved      |P|T|V|E|H|M|
216	       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
217	       |                         Command Code                          |
218	       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

220	      Code

222	         256     DIAMETER Command

224	      AVP Length

226	         The length of this attribute MUST be 12.

228	      AVP Flags

230	         The AVP Flags field MUST have bit one (Mandatory Support) set.
231	         In addition, the following bits may be used (note these bits
232	         are mutually exclusive):

234	            Authenticate-Only       32
235	               The Authentication-Only bit is set to indicate that only
236	               authentication of the user is requested and that no
237	               authorization information should be returned in the
238	               response.

240	            Authorize-Only          64
241	               The Authorization-Only bit is set to indicate that only
242	               authorization of the user is requested and that no
243	               authentication is required.

245	      Command Type

247	         The Command Type field MUST be set to 263 (AA-Request).

249	2.2  AA-Answer (AAA)

251	   Description

253	      The AA-Answer message is used in order to indicate that
254	      Authentication and/or authorization was successful. If
255	      authorization was requested a list of AVPs with the authorization
256	      information MUST be attached to the message (see section 3.42).

258	      The AA-Answer message MUST include the Session-Id AVP that was
259	      present in the AA-Request. The AA-Answer MUST also include the
260	      Host-Name AVP and the Result-Code AVP to indicate the status of
261	      the session. The following error codes are defined for this
262	      message:

264	         DIAMETER_ERROR_UNKNOWN_DOMAIN       1
265	            This error code is used to indicate to the initiator of the
266	            request that the requested domain is unknown and cannot be
267	            resolved.

269	         DIAMETER_ERROR_USER_UNKNOWN         2
270	            This error code is used to indicate to the initiator that
271	            the username request is not valid.

273	         DIAMETER_ERROR_BAD_PASSWORD         3
274	            This error code indicates that the password provided is
275	            invalid.

277	         DIAMETER_ERROR_CANNOT_AUTHORIZE     4
278	            This error code is used to indicate that the user cannot be
279	            authorized due to the fact that the user has expended the
280	            servers local resources.  This could be a result that the
281	            server believes that the user already has an active session,
282	            or that the user has already spent the number of credits in
283	            his/her account, etc.

285	      Note that the flag field MUST be set to the same value that was
286	      found in the AA-Request message.

288	   Message Format

290	      Section 3.36 contains a complete list of all valid AVPs for this
291	      message.

293	      <AA-Answer> ::= <DIAMETER Header>
294	                       <AA-Answer Command AVP>
295	                       <Session-Id AVP>
296	                       <Result-Code AVP>
297	                       [<Error-Code AVP>]
298	                       <Host-IP-Address AVP>
299	                       [<Host-Name AVP>]
300	                       [<Session-Timeout AVP>]
301	                       [<Proxy-State AVP>]
302	                       [<Class AVP>]
303	                       [<State AVP>]
304	                       <Miscellaneous AVPs>
305	                       <Timestamp AVP>
306	                       <Nonce AVP>
307	                       {<Integrity-Check-Vector AVP> ||
308	                        <Digital-Signature AVP }

310	   AVP Format

312	      A summary of the AA-Answer packet format is shown below. The
313	      fields are transmitted from left to right.

315	       0                   1                   2                   3
316	       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
317	       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
318	       |                           AVP Code                            |
319	       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
320	       |          AVP Length           |     Reserved      |P|T|V|E|H|M|
321	       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
322	       |                         Command Code                          |
323	       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

325	      Code

327	         256     DIAMETER Command

329	      AVP Length
330	         The length of this attribute MUST be 12.

332	      AVP Flags

334	         The AVP Flags field MUST have bit one (Mandatory Support) set.
335	         In addition, the following bits may be used (note these bits
336	         are mutually exclusive):

338	            Authenticate-Only       32
339	               The Authentication-Only bit is set to indicate that only
340	               authentication of the user is requested and that no
341	               authorization information should be returned in the
342	               response.

344	            Authorize-Only          64
345	               The Authorization-Only bit is set to indicate that only
346	               authorization of the user is requested and that no
347	               authentication is required.

349	      Command Type

351	         The Command Type field MUST be set to 264 (AA-Answer).

353	2.3  AA-Challenge-Ind (AACI)

355	   Description

357	      If the DIAMETER server desires to send the user a challenge
358	      requiring a response, then the DIAMETER server MUST respond to the
359	      AA-Request by transmitting a packet with the Code field set to 265
360	      (AA-Challenge-Ind).

362	      The message MAY have one or more Reply-Message AVP, and MAY have a
363	      single State AVP, or none.  No other AVPs are permitted in an AA-
364	      Challenge-Ind other than the Integrity-Check-Vector or Digital-
365	      Signature AVP as defined in [2].

367	      On receipt of an AA-Challenge-Ind, the Identifier field is matched
368	      with a pending AA-Request. Invalid packets are silently discarded.

370	      The receipt of a valid AA-Challenge-Ind indicates that a new AA-
371	      Request SHOULD be sent. The NAS MAY display the text message, if
372	      any, to the user, and then prompt the user for a response.  It
373	      then sends its original Acess-Request with a new request ID, with
374	      the User-Password AVP replaced by the user's response (encrypted),
375	      and including the State AVP from the AA-Challenge-Ind, if any.
376	      Only zero or one instances of the State Attribute can be present
377	      in an AA-Request.

379	      A NAS which supports PAP MAY forward the Reply-Message to the
380	      dialin client and accept a PAP response which it can use as though
381	      the user had entered the response.  If the NAS cannot do so, it
382	      should treat the AA-Challenge-Ind as though it had received an
383	      AA-Answer with a Result-Code AVP set to a value other than
384	      DIAMETER_SUCCESS instead.

386	      It is preferable to use EAP [5] instead of the AA-Challenge-Ind,
387	      yet it has been maintained for backward compatibility.

389	      The AA-Challenge-Ind message MUST include the Session-Id AVP that
390	      was present in the AA-Request and MUST include the same flag value
391	      that was found in the AA-Request.

393	      Section 3.36 contains a complete list of all valid AVPs for this
394	      message.

396	      AA-Challenge-Ind ::= <DIAMETER Header>
397	                           <AA-Challenge-Ind Command AVP>
398	                           <Session-Id AVP>
399	                           <Result-Code AVP>
400	                           [<Error-Code AVP>]
401	                           <Host-IP-Address AVP>
402	                           [<Host-Name AVP>]
403	                           [<Proxy-State AVP>]
404	                           [<Class AVP>]
405	                           [<State AVP>]
406	                           <Reply-Message AVPs>
407	                           <Timestamp AVP>
408	                           <Nonce AVP>
409	                           {<Integrity-Check-Vector AVP> ||
410	                            <Digital-Signature AVP }

412	   AVP Format

414	      A summary of the AA-Challenge-Ind packet format is shown below.
415	      The fields are transmitted from left to right.

417	       0                   1                   2                   3
418	       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
419	       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
420	       |                           AVP Code                            |
421	       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
422	       |          AVP Length           |     Reserved      |P|T|V|E|H|M|
423	       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
424	       |                         Command Code                          |
425	       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

427	      Code

429	         256     DIAMETER Command

431	      AVP Length

433	         The length of this attribute MUST be 12.

435	      AVP Flags

437	         The AVP Flags field MUST have bit one (Mandatory Support) set.
438	         In addition, following bits may be used (note these bits are
439	         mutually exclusive):

441	            Authenticate-Only       32
442	               The Authentication-Only bit is set to indicate that only
443	               authentication of the user is requested and that no
444	               authorization information should be returned in the
445	               response.

447	            Authorize-Only          64
448	               The Authorization-Only bit is set to indicate that only
449	               authorization of the user is requested and that no
450	               authentication is required.

452	      Command Type

454	         The Command Type field MUST be set to 265 (AA-Challenge-Ind).

456	3.0  DIAMETER AVPs

458	   This section will define the mandatory AVPs which MUST be supported
459	   by all DIAMETER implementations supporting this extension. The
460	   following AVPs are defined in this document:

462	      Attribute Name       Attribute Code
463	      -----------------------------------
464	      User-Name                   1
465	      User-Password               2
466	      CHAP-Password               3
467	      NAS-Port                    5
468	      Service-Type                6
469	      Framed-Protocol             7
470	      Framed-IP-Address           8
471	      Framed-IP-Netmask           9
472	      Framed-Routing             10
473	      Filter-Id                  11
474	      Framed-MTU                 12
475	      Framed-Compression         13
476	      Login-IP-Host              14
477	      Login-Service              15
478	      Login-TCP-Port             16
479	      Reply-Message              18
480	      Callback-Number            19
481	      Callback-Id                20
482	      Framed-Route               22
483	      Framed-IPX-Network         23
484	      Vendor-Specific            26
485	      Idle-Timeout               28
486	      Termination-Action         29
487	      Called-Station-Id          30
488	      Calling-Station-Id         31
489	      Login-LAT-Service          34
490	      Login-LAT-Node             35
491	      Login-LAT-Group            36
492	      Framed-AppleTalk-Link      37
493	      Framed-AppleTalk-Network   38
494	      Framed-AppleTalk-Zone      39
495	      CHAP-Challenge             60
496	      NAS-Port-Type              61
497	      Port-Limit                 62
498	      Login-LAT-Port             63
499	      Filter-Rule               280
500	      Framed-Password-Policy    281

502	3.1  User-Name

504	   Description

506	      This Attribute indicates the name of the user to be authenticated.
507	      It is normally used in AA-Request packets, but MAY be present in
508	      the AA-Answer message.

510	      A summary of the User-Name Attribute format is shown below. The
511	      fields are transmitted from left to right.

513	   AVP Format

515	      0                   1                   2                   3
516	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
517	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
518	      |                           AVP Code                            |
519	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
520	      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
521	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
522	      |   String ...
523	      +-+-+-+-+-+-+-+-+

525	      Type

527	         1 for User-Name.

529	      AVP Length

531	         The length of this attribute MUST be at least 9.

533	      AVP Flags

535	         The 'M' bit MUST be set. The 'H' MAY be set, but the 'E' bit
536	         MUST NOT be set since proxy servers would have no knowledge of
537	         the user's domain. The 'V', 'T' and the 'P' bits MUST NOT be
538	         set.

540	      String

542	         The String field is one or more octets. All DIAMETER systems
543	         SHOULD support User-Name lengths of at least 63 octets. The
544	         format of the User-Name SHOULD follow the format defined in
545	         [3].

547	3.2  User-Password

549	   Description

551	      This Attribute indicates the password of the user to be
552	      authenticated, or the user's input following an AA-Challenge.  It
553	      is only used in AA-Request packets.

555	      This AVP MUST be encrypted using one of the methods described in
556	      [2]. The use of this AVP with shared secret encryption is strongly
557	      discouraged by the author due to the security implications in a
558	      proxy environment, yet the support of this attribute has been
559	      retained for RADIUS backward compability.

561	      A summary of the User-Password Attribute format is shown below.
562	      The fields are transmitted from left to right.

564	   AVP Format

566	      0                   1                   2                   3
567	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
568	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
569	      |                           AVP Code                            |
570	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
571	      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
572	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
573	      |    Data ...
574	      +-+-+-+-+-+-+-+-+
575	      Type

577	         2 for User-Password.

579	      AVP Length

581	         The length of this attribute MUST be at least 24 and MUST be no
582	         larger than 136.

584	      AVP Flags

586	         The 'M' bit MUST be set. Either the 'H' or the 'E' bit MUST be
587	         set depending upon the security model used. The 'V', 'T' and
588	         the 'P' bits MUST NOT be set.

590	         The AVP Flags field MUST have bit one (Mandatory Support) set.
591	         One of the AVP Encryption bits MUST be set.

593	      Data

595	         The Data field is between 16 and 128 octets long, inclusive.

597	3.3  CHAP-Password

599	   Description

601	      This Attribute indicates the response value provided by a PPP
602	      Challenge-Handshake Authentication Protocol (CHAP) user in
603	      response to the challenge. It is only used in AA-Request packets.

605	      If the CHAP-Password Attribute is found in a message, the CHAP-
606	      Challenge Attribute (60) MUST be present as well.

608	      A summary of the CHAP-Password Attribute format is shown below.
609	      The fields are transmitted from left to right.

611	   AVP Format

613	      0                   1                   2                   3
614	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
615	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
616	      |                           AVP Code                            |
617	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
618	      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
619	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
620	      |  CHAP Ident   |    Data ...
621	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

623	      Type

625	         3 for CHAP-Password.

627	      AVP Length

629	         The length of this attribute MUST be 25.

631	      AVP Flags

633	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
634	         upon the security model used. The 'V', 'T' and the 'P' bits
635	         MUST NOT be set.

637	      CHAP Ident

639	         This field is one octet, and contains the CHAP Identifier from
640	         the user's CHAP Response.

642	      Data

644	         The Data field is 16 octets, and contains the CHAP Response
645	         from the user.

647	3.4  NAS-Port

649	   Description

651	      This Attribute indicates the physical port number of the NAS which
652	      is authenticating the user. It is normally only used in AA-Request
653	      messages (see section x for more info). Note that this is using
654	      "port" in its sense of a physical connection on the NAS, not in
655	      the sense of a TCP or UDP port number. Either NAS-Port or NAS-
656	      Port-Type (61) or both SHOULD be present in an AA-Request packet,
657	      if the NAS differentiates among its ports.

659	      A summary of the NAS-Port Attribute format is shown below. The
660	      fields are transmitted from left to right.

662	   AVP Format

664	      0                   1                   2                   3
665	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
666	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
667	      |                           AVP Code                            |
668	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
669	      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
670	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
671	      |                           Integer32                           |
672	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

674	      Type

676	         5 for NAS-Port.

678	      AVP Length

680	         The length of this attribute MUST be 12.

682	      AVP Flags

684	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
685	         upon the security model used. The 'V', 'T' and the 'P' bits
686	         MUST NOT be set.

688	      Integer32

690	         The Integer32 field is four octets.

692	3.5  Service-Type

694	   Description

696	      This Attribute indicates the type of service the user has
697	      requested, or the type of service to be provided. It MAY be used
698	      in both AA-Request and AA-Answer messages. A NAS is not required
699	      to implement all of these service types, and MUST treat unknown or
700	      unsupported Service-Types as though an AA-Answer with a Result-
701	      Code other than DIAMETER-SUCCESS had been received instead.

703	      A summary of the Service-Type Attribute format is shown below. The
704	      fields are transmitted from left to right.

706	   AVP Format

708	      0                   1                   2                   3
709	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
710	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
711	      |                           AVP Code                            |
712	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
713	      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
714	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
715	      |                           Integer32                           |
716	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

718	      Type

720	         6 for Service-Type.

722	      AVP Flags

724	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
725	         upon the security model used. The 'V', 'T' and the 'P' bits
726	         MUST NOT be set.

728	      AVP Length

730	         The length of this attribute MUST be 12.

732	      Integer32

734	         The Integer32 field is four octets.

736	            1      Login
737	            2      Framed
738	            3      Callback Login
739	            4      Callback Framed
740	            5      Outbound
741	            6      Administrative
742	            7      NAS Prompt
743	            8      Authenticate Only
744	            9      Callback NAS Prompt

746	            The service types are defined as follows when used in an
747	            AA-Answer. When used in an AA-Request, they should be
748	            considered to be a hint to the DIAMETER server that the NAS
749	            has reason to believe the user would prefer the kind of
750	            service indicated, but the server is not required to honor
751	            the hint.

753	            Login               The user should be connected to a host.

755	            Framed              A Framed Protocol should be started for
756	                                the User, such as PPP or SLIP.

758	            Callback Login      The user should be disconnected and
759	                                calledback, then connected to a host.

761	            Callback Framed     The user should be disconnected and
762	                                called back, then a Framed Protocol
763	                                should be started for the User, such as
764	                                PPP or SLIP.

766	            Outbound            The user should be granted access to
767	                                outgoing devices.

769	            Administrative      The user should be granted access to the
770	                                administrative interface to the NAS from
771	                                which privileged commands can be
772	                                executed.

774	            NAS Prompt          The user should be provided a command
775	                                prompt on the NAS from which non-
776	                                privileged commands can be executed.

778	            Authenticate Only   Only Authentication is requested, and no
779	                                authorization information needs to be
780	                                returned in the AA-Answer (typically
781	                                used by proxy servers rather than the
782	                                NAS itself).This SHOULD NOT be used in
783	                                DIAMETER, yet it is maintained for
784	                                backward compatibility.

786	            Callback NAS Prompt The user should be disconnected and
787	                                called back, then provided a command
788	                                prompt on the NAS from which non-
789	                                privileged commands can be executed.

791	3.6  Framed-Protocol

793	   Description
794	      This Attribute indicates the framing to be used for framed access.
795	      It MAY be used in both AA-Request and AA-Answer messages.

797	      A summary of the Framed-Protocol Attribute format is shown below.
798	      The fields are transmitted from left to right.

800	   AVP Format

802	      0                   1                   2                   3
803	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
804	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
805	      |                           AVP Code                            |
806	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
807	      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
808	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
809	      |                           Integer32                           |
810	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

812	      Type

814	         7 for Framed-Protocol.

816	      AVP Length

818	         The length of this attribute MUST be 12.

820	      AVP Flags

822	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
823	         upon the security model used. The 'V', 'T' and the 'P' bits
824	         MUST NOT be set.

826	      Integer32

828	         The Integer32 field is four octets.

830	            1      PPP
831	            2      SLIP
832	            3      AppleTalk Remote Access Protocol (ARAP)
833	            4      Gandalf proprietary SingleLink/MultiLink protocol
834	            5      Xylogics proprietary IPX/SLIP

836	3.7  Framed-IP-Address

838	   Description

840	      This Attribute indicates the address to be configured for the
841	      user. It MAY be used in AA-Request messages as a hint by the NAS
842	      to the server that it would prefer that address, but the server is
843	      not required to honor the hint.

845	      A summary of the Framed-IP-Address Attribute format is shown
846	      below.  The fields are transmitted from left to right.

848	   AVP Format

850	      0                   1                   2                   3
851	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
852	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
853	      |                           AVP Code                            |
854	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
855	      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
856	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
857	      |                            Address                            |
858	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

860	      Type

862	         8 for Framed-IP-Address.

864	      AVP Length

866	         The length of this attribute MUST be 12.

868	      AVP Flags

870	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
871	         upon the security model used. The 'V', 'T' and the 'P' bits
872	         MUST NOT be set.

874	      Address

876	         The Address field is four octets. The value 0xFFFFFFFF
877	         indicates that the NAS should allow the user to select an
878	         address (e.g.  Negotiated). The value 0xFFFFFFFE indicates that
879	         the NAS should select an address for the user (e.g. Assigned
880	         from a pool of addresses kept by the NAS). Other valid values
881	         indicate that the NAS should use that value as the user's IP
882	         address.

884	3.8  Framed-IP-Netmask

886	   Description
887	      This Attribute indicates the IP netmask to be configured for the
888	      user when the user is a router to a network. It MUST be used in
889	      AA-Answer messages if the Framed-IP-Address AVP was returned with
890	      a value other than 0xFFFFFFFF. It MAY be used in an AA-Request
891	      message as a hint by the NAS to the server that it would prefer
892	      that netmask, but the server is not required to honor the hint.

894	      A summary of the Framed-IP-Netmask Attribute format is shown
895	      below.  The fields are transmitted from left to right.

897	   AVP Format

899	      0                   1                   2                   3
900	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
901	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
902	      |                           AVP Code                            |
903	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
904	      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
905	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
906	      |                            Address                            |
907	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

909	      Type

911	         9 for Framed-IP-Netmask.

913	      AVP Length

915	         The length of this attribute MUST be 12.

917	      AVP Flags

919	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
920	         upon the security model used. The 'V', 'T' and the 'P' bits
921	         MUST NOT be set.

923	      Address

925	         The Address field is four octets specifying the IP netmask of
926	         the user.

928	3.9  Framed-Routing

930	   Description

932	      This Attribute indicates the routing method for the user, when the
933	      user is a router to a network. It is only used in AA-Answer
934	      messages.

936	      A summary of the Framed-Routing Attribute format is shown below.
937	      The fields are transmitted from left to right.

939	   AVP Format

941	      0                   1                   2                   3
942	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
943	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
944	      |                           AVP Code                            |
945	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
946	      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
947	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
948	      |                            Integer32                          |
949	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

951	      Type

953	         10 for Framed-Routing.

955	      AVP Length

957	         The length of this attribute MUST be 12.

959	      AVP Flags

961	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
962	         upon the security model used. The 'V', 'T' and the 'P' bits
963	         MUST NOT be set.

965	      Integer32

967	         The Integer32 field is four octets.

969	            0      None
970	            1      Send routing packets
971	            2      Listen for routing packets
972	            3      Send and Listen

974	3.10  Filter-Id

976	   Description

978	      This Attribute indicates the name of the filter list for this
979	      user. Zero or more Filter-Id attributes MAY be sent in an AA-
980	      Answer message.

982	      Identifying a filter list by name allows the filter to be used on
983	      different NASes without regard to filter-list implementation
984	      details. However, this AVP is not roaming friendly since filter
985	      naming differs from one service provider to another.

987	      It is strongly encouraged to support the Filter-Rule AVP instead.

989	      A summary of the Filter-Id Attribute format is shown below. The
990	      fields are transmitted from left to right.

992	   AVP Format

994	      0                   1                   2                   3
995	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
996	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
997	      |                           AVP Code                            |
998	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
999	      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
1000	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1001	      |   String ...
1002	      +-+-+-+-+-+-+-+-+

1004	      Type

1006	         11 for Filter-Id.

1008	      AVP Length

1010	         The length of this attribute MUST be at least 9.

1012	      AVP Flags

1014	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1015	         upon the security model used. The 'V', 'T' and the 'P' bits
1016	         MUST NOT be set.

1018	      String

1020	         The String field is one or more octets, and its contents are
1021	         implementation dependent. It is intended to be human readable
1022	         and MUST NOT affect operation of the protocol. It is
1023	         recommended that the message contain displayable ASCII
1024	         characters from the range 32 through 126 decimal.

1026	3.11  Framed-MTU

1028	   Description
1029	      This Attribute indicates the Maximum Transmission Unit to be
1030	      configured for the user, when it is not negotiated by some other
1031	      means (such as PPP). It is only used in AA-Answer messages.

1033	      A summary of the Framed-MTU Attribute format is shown below. The
1034	      fields are transmitted from left to right.

1036	   AVP Format

1038	      0                   1                   2                   3
1039	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1040	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1041	      |                           AVP Code                            |
1042	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1043	      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
1044	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1045	      |                           Integer32                           |
1046	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1048	      Type

1050	         12 for Framed-MTU.

1052	      AVP Length

1054	         The length of this attribute MUST be 12.

1056	      AVP Flags

1058	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1059	         upon the security model used. The 'V', 'T' and the 'P' bits
1060	         MUST NOT be set.

1062	      Integer32

1064	         The Integer32 field is four octets. Despite the size of the
1065	         field, values range from 64 to 65535.

1067	3.12  Framed-Compression

1069	   Description

1071	      This Attribute indicates a compression protocol to be used for the
1072	      link. It MAY be used in AA-Answer packets. It MAY be used in an
1073	      AA-Request packet as a hint to the server that the NAS would
1074	      prefer to use that compression, but the server is not required to
1075	      honor the hint.

1077	      More than one compression protocol Attribute MAY be sent. It is
1078	      the responsibility of the NAS to apply the proper compression
1079	      protocol to appropriate link traffic.

1081	      A summary of the Framed-Compression Attribute format is shown
1082	      below.  The fields are transmitted from left to right.

1084	   AVP Format

1086	      0                   1                   2                   3
1087	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1088	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1089	      |                           AVP Code                            |
1090	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1091	      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
1092	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1093	      |                           Integer32                           |
1094	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1096	      Type

1098	         13 for Framed-Compression.

1100	      AVP Length

1102	         The length of this attribute MUST be 12.

1104	      AVP Flags

1106	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1107	         upon the security model used. The 'V', 'T' and the 'P' bits
1108	         MUST NOT be set.

1110	      Integer32

1112	         The Integer32 field is four octets.

1114	            0      None
1115	            1      VJ TCP/IP header compression [7]
1116	            2      IPX header compression

1118	3.13  Login-IP-Host

1120	   Description

1122	      This Attribute indicates the system with which to connect the
1123	      user, when the Login-Service Attribute is included. It MAY be used
1124	      in AA-Answer messages. It MAY be used in an AA-Request message as
1125	      a hint to the server that the NAS would prefer to use that host,
1126	      but the server is not required to honor the hint.

1128	      A summary of the Login-IP-Host Attribute format is shown below.
1129	      The fields are transmitted from left to right.

1131	   AVP Format

1133	      0                   1                   2                   3
1134	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1135	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1136	      |                           AVP Code                            |
1137	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1138	      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
1139	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1140	      |                            Address                            |
1141	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1143	      Type

1145	         14 for Login-IP-Host.

1147	      AVP Length

1149	         The length of this attribute MUST be 12.

1151	      AVP Flags

1153	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1154	         upon the security model used. The 'V', 'T' and the 'P' bits
1155	         MUST NOT be set.

1157	      Address

1159	         The Address field is four octets. The value 0xFFFFFFFF
1160	         indicates that the NAS SHOULD allow the user to select an
1161	         address. The value zero indicates that the NAS SHOULD select a
1162	         host to connect the user to. Other values indicate the address
1163	         the NAS SHOULD connect the user to.

1165	3.14  Login-Service

1167	   Description

1169	      This Attribute indicates the service which should be used to
1170	      connect the user to the login host. It is only used in AA-Answer
1171	      messages.

1173	      A summary of the Login-Service Attribute format is shown below.
1174	      The fields are transmitted from left to right.

1176	   AVP Format

1178	      0                   1                   2                   3
1179	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1180	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1181	      |                           AVP Code                            |
1182	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1183	      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
1184	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1185	      |                           Integer32                           |
1186	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1188	      Type

1190	         15 for Login-Service.

1192	      AVP Length

1194	         The length of this attribute MUST be 12.

1196	      AVP Flags

1198	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1199	         upon the security model used. The 'V', 'T' and the 'P' bits
1200	         MUST NOT be set.

1202	      Integer32

1204	         The Integer32 field is four octets.

1206	            0      Telnet
1207	            1      Rlogin
1208	            2      TCP Clear
1209	            3      PortMaster (proprietary)
1210	            4      LAT

1212	3.15  Login-TCP-Port

1214	   Description

1216	      This Attribute indicates the TCP port with which the user is to be
1217	      connected, when the Login-Service Attribute is also present. It is
1218	      only used in AA-Answer packets.

1220	      A summary of the Login-TCP-Port Attribute format is shown below.
1221	      The fields are transmitted from left to right.

1223	   AVP Format

1225	      0                   1                   2                   3
1226	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1227	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1228	      |                           AVP Code                            |
1229	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1230	      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
1231	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1232	      |                           Integer32                           |
1233	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1235	      Type

1237	         16 for Login-TCP-Port.

1239	      AVP Length

1241	         The length of this attribute MUST be 12.

1243	      AVP Flags

1245	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1246	         upon the security model used. The 'V', 'T' and the 'P' bits
1247	         MUST NOT be set.

1249	      Integer32

1251	         The Integer32 field is four octets. Despite the size of the
1252	         field, values range from zero to 65535.

1254	3.16  Reply-Message

1256	   Description

1258	      This Attribute indicates text which MAY be displayed to the user.

1260	      When used in an AA-Answer message with a successful Result-Code
1261	      AVP it indicates the success message. When found in the same
1262	      message with a Result-Code other than DIAMETER-SUCCESS it contains
1263	      the failure message.

1265	      It MAY indicate a dialog message to prompt the user before another
1266	      AA-Request attempt.

1268	      When used in an AA-Challenge, it MAY indicate a dialog message to
1269	      prompt the user for a response.

1271	      Multiple Reply-Message's MAY be included and if any are displayed,
1272	      they MUST be displayed in the same order as they appear in the
1273	      packet.

1275	      A summary of the Reply-Message Attribute format is shown below.
1276	      The fields are transmitted from left to right.

1278	   AVP Format

1280	      0                   1                   2                   3
1281	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1282	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1283	      |                           AVP Code                            |
1284	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1285	      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
1286	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1287	      |   String ...
1288	      +-+-+-+-+-+-+-+-+

1290	      Type

1292	         18 for Reply-Message.

1294	      AVP Length

1296	         The length of this attribute MUST be at least 9.

1298	      AVP Flags

1300	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1301	         upon the security model used. The 'V', 'T' and the 'P' bits
1302	         MUST NOT be set.

1304	      String

1306	         The String field is one or more octets, and its contents are
1307	         implementation dependent. It is intended to be human readable,
1308	         and MUST NOT affect operation of the protocol. It is
1309	         recommended that the message contain displayable ASCII
1310	         characters from the range 10, 13, and 32 through 126 decimal.
1311	         Mechanisms for extension to other character sets are beyond the
1312	         scope of this specification.

1314	3.17  Callback-Number

1316	   Description

1318	      This Attribute indicates a dialing string to be used for callback.
1319	      It MAY be used in AA-Answer packets. It MAY be used in an AA-
1320	      Request packet as a hint to the server that a Callback service is
1321	      desired, but the server is not required to honor the hint.

1323	      A summary of the Callback-Number Attribute format is shown below.
1324	      The fields are transmitted from left to right.

1326	   AVP Format

1328	      0                   1                   2                   3
1329	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1330	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1331	      |                           AVP Code                            |
1332	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1333	      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
1334	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1335	      |   String ...
1336	      +-+-+-+-+-+-+-+-+

1338	      Type

1340	         19 for Callback-Number.

1342	      AVP Length

1344	         The length of this attribute MUST be at least 9.

1346	      AVP Flags

1348	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1349	         upon the security model used. The 'V', 'T' and the 'P' bits
1350	         MUST NOT be set.

1352	      String

1354	         The String field is one or more octets. The actual format of
1355	         the information is site or application specific, and a robust
1356	         implementation SHOULD support the field as undistinguished
1357	         octets.

1359	         The codification of the range of allowed usage of this field is
1360	         outside the scope of this specification.

1362	3.18  Callback-Id

1364	   Description

1366	      This Attribute indicates the name of a place to be called, to be
1367	      interpreted by the NAS. It MAY be used in AA-Answer messages.

1369	      This AVP is not roaming friendly since it assumes that the
1370	      Callback-Id is configured on the NAS. It is therefore preferable
1371	      to use the Callback-Number AVP instead.

1373	      A summary of the Callback-Id Attribute format is shown below. The
1374	      fields are transmitted from left to right.

1376	   AVP Format

1378	      0                   1                   2                   3
1379	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1380	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1381	      |                           AVP Code                            |
1382	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1383	      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
1384	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1385	      |   String ...
1386	      +-+-+-+-+-+-+-+-+

1388	      Type

1390	         20 for Callback-Id.

1392	      AVP Length

1394	         The length of this attribute MUST be at least 9.

1396	      AVP Flags

1398	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1399	         upon the security model used. The 'V', 'T' and the 'P' bits
1400	         MUST NOT be set.

1402	      String

1404	         The String field is one or more octets. The actual format of
1405	         the information is site or application specific, and a robust
1406	         implementation SHOULD support the field as undistinguished
1407	         octets.  The codification of the range of allowed usage of this
1408	         field is outside the scope of this specification.

1410	3.19  Framed-IP-Route

1412	   Description

1414	      This Attribute provides routing information to be configured for
1415	      the user on the NAS. It is used in the AA-Answer message and can
1416	      appear multiple times.

1418	      A summary of the Framed-Route Attribute format is shown below. The
1419	      fields are transmitted from left to right.

1421	   AVP Format

1423	      0                   1                   2                   3
1424	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1425	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1426	      |                           AVP Code                            |
1427	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1428	      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
1429	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1430	      |   String ...
1431	      +-+-+-+-+-+-+-+-+

1433	      Type

1435	         22 for Framed-IP-Route.

1437	      AVP Length

1439	         The length of this attribute MUST be at least 9.

1441	      AVP Flags

1443	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1444	         upon the security model used. The 'V', 'T' and the 'P' bits
1445	         MUST NOT be set.

1447	      String

1449	         It MUST contain a destination prefix in dotted quad form
1450	         optionally followed by a slash and a decimal length specifier
1451	         stating how many high order bits of the prefix should be used.
1452	         That is followed by a space, a gateway address in dotted quad
1453	         form, a space, and one or more metrics separated by spaces. For
1454	         example, "192.168.1.0/24 192.168.1.1 1".

1456	         The length specifier may be omitted in which case it should
1457	         default to 8 bits for class A prefixes, 16 bits for class B
1458	         prefixes, and 24 bits for class C prefixes. For example,
1459	         "192.168.1.0 192.168.1.1 1".

1461	         Whenever the gateway address is specified as "0.0.0.0" the IP
1462	         address of the user SHOULD be used as the gateway address.

1464	3.20  Framed-IPX-Network

1466	   Description

1468	      This Attribute indicates the IPX Network number to be configured
1469	      for the user. It is used in AA-Answer messages.

1471	      A summary of the Framed-IPX-Network Attribute format is shown
1472	      below.  The fields are transmitted from left to right.

1474	   AVP Format

1476	      0                   1                   2                   3
1477	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1478	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1479	      |                           AVP Code                            |
1480	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1481	      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
1482	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1483	      |                           Integer32                           |
1484	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1486	      Type

1488	         23 for Framed-IPX-Network.

1490	      AVP Length

1492	         The length of this attribute MUST be 12.

1494	      AVP Flags

1496	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1497	         upon the security model used. The 'V', 'T' and the 'P' bits
1498	         MUST NOT be set.

1500	      Integer32

1502	         The Integer32 field is four octets. The value 0xFFFFFFFF
1503	         indicates that the NAS should allow the user to select an
1504	         address (e.g.  Negotiated). The value 0xFFFFFFFE indicates that
1505	         the NAS should select an address for the user (e.g. assigned
1506	         from a pool of one or more IPX networks kept by the NAS). Other
1507	         values should be used as the IPX network for the link to the
1508	         user.

1510	3.21  Idle-Timeout

1512	   Description

1514	      This Attribute sets the maximum number of consecutive seconds of
1515	      idle connection allowed to the user before termination of the
1516	      session or prompt. This Attribute is available to be sent by the
1517	      server to the client in an AA-Answer or AA-Challenge.

1519	      A summary of the Idle-Timeout Attribute format is shown below. The
1520	      fields are transmitted from left to right.

1522	   AVP Format

1524	      0                   1                   2                   3
1525	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1526	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1527	      |                           AVP Code                            |
1528	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1529	      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
1530	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1531	      |                           Integer32                           |
1532	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1534	      Type

1536	         28 for Idle-Timeout.

1538	      AVP Length

1540	         The length of this attribute MUST be 12.

1542	      AVP Flags

1544	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1545	         upon the security model used. The 'V', 'T' and the 'P' bits
1546	         MUST NOT be set.

1548	      Integer32

1550	         The Integer32 field is 4 octets, containing a 32-bit unsigned
1551	         integer with the maximum number of consecutive seconds of idle
1552	         time this user should be permitted before being disconnected by
1553	         the NAS.

1555	3.22  Called-Station-Id

1557	   Description

1559	      This Attribute allows the NAS to send in the AA-Request message
1560	      the phone number that the user called, using Dialed Number
1561	      Identification (DNIS) or similar technology. Note that this may be
1562	      different from the phone number the call comes in on. It is only
1563	      used in AA-Request packets.

1565	      If the Authorization-Only flag is set in the message and the
1566	      User-Name AVP is absent, the DIAMETER Server MUST perform
1567	      authorization based on this field. This can be used by a NAS to
1568	      request whether a call should be answered based on the DNIS.

1570	      A summary of the Called-Station-Id Attribute format is shown
1571	      below.  The fields are transmitted from left to right.

1573	   AVP Format

1575	      0                   1                   2                   3
1576	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1577	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1578	      |                           AVP Code                            |
1579	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1580	      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
1581	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1582	      |   String ...
1583	      +-+-+-+-+-+-+-+-+

1585	      Type

1587	         30 for Called-Station-Id.

1589	      AVP Length

1591	         The length of this attribute MUST be at least 9.

1593	      AVP Flags

1595	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1596	         upon the security model used. The 'V', 'T' and the 'P' bits
1597	         MUST NOT be set.

1599	      String

1601	         The String field is one or more octets, containing the phone
1602	         number that the user's call came in on.

1604	         The actual format of the information is site or application
1605	         specific. Printable ASCII is recommended, but a robust
1606	         implementation SHOULD support the field as undistinguished
1607	         octets.

1609	         The codification of the range of allowed usage of this field is
1610	         outside the scope of this specification.

1612	3.23  Calling-Station-Id

1614	   Description

1616	      This Attribute allows the NAS to send in the AA-Request packet the
1617	      phone number that the call came from, using Automatic Number
1618	      Identification (ANI) or similar technology. It is only used in
1619	      AA-Request packets.

1621	      If the Authorization-Only flag is set in the message and the
1622	      User-Name AVP is absent, the DIAMETER Server must perform
1623	      authorization based on this field. This can be used by a NAS to
1624	      request whether a call should be answered based on the ANI.

1626	      A summary of the Calling-Station-Id Attribute format is shown
1627	      below.  The fields are transmitted from left to right.

1629	   AVP Format

1631	      0                   1                   2                   3
1632	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1633	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1634	      |                           AVP Code                            |
1635	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1636	      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
1637	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1638	      |   String ...
1639	      +-+-+-+-+-+-+-+-+

1641	      Type

1643	         31 for Calling-Station-Id.

1645	      AVP Length
1646	         The length of this attribute MUST be at least 9.

1648	      AVP Flags

1650	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1651	         upon the security model used. The 'V', 'T' and the 'P' bits
1652	         MUST NOT be set.

1654	      String

1656	         The String field is one or more octets, containing the phone
1657	         number that the user placed the call from.

1659	         The actual format of the information is site or application
1660	         specific. Printable ASCII is recommended, but a robust
1661	         implementation SHOULD support the field as undistinguished
1662	         octets.

1664	         The codification of the range of allowed usage of this field is
1665	         outside the scope of this specification.

1667	3.24  Login-LAT-Service

1669	   Description

1671	      This Attribute indicates the system with which the user is to be
1672	      connected by LAT. It MAY be used in AA-Answer packets, but only
1673	      when LAT is specified as the Login-Service. It MAY be used in an
1674	      AA-Request packet as a hint to the server, but the server is not
1675	      required to honor the hint.

1677	      Administrators use the service attribute when dealing with
1678	      clustered systems, such as a VAX or Alpha cluster. In such an
1679	      environment several different time sharing hosts share the same
1680	      resources (disks, printers, etc.), and administrators often
1681	      configure each to offer access (service) to each of the shared
1682	      resources. In this case, each host in the cluster advertises its
1683	      services through LAT broadcasts.

1685	      Sophisticated users often know which service providers (machines)
1686	      are faster and tend to use a node name when initiating a LAT
1687	      connection. Alternately, some administrators want particular users
1688	      to use certain machines as a primitive form of load balancing
1689	      (although LAT knows how to do load balancing itself).

1691	      A summary of the Login-LAT-Service Attribute format is shown
1692	      below.  The fields are transmitted from left to right.

1694	   AVP Format

1696	      0                   1                   2                   3
1697	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1698	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1699	      |                           AVP Code                            |
1700	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1701	      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
1702	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1703	      |   String ...
1704	      +-+-+-+-+-+-+-+-+

1706	      Type

1708	         34 for Login-LAT-Service.

1710	      AVP Length

1712	         The length of this attribute MUST be at least 9.

1714	      AVP Flags

1716	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1717	         upon the security model used. The 'V', 'T' and the 'P' bits
1718	         MUST NOT be set.

1720	      String

1722	         The String field is one or more octets, and contains the
1723	         identity of the LAT service to use. The LAT Architecture allows
1724	         this string to contain $ (dollar), - (hyphen), . (period), _
1725	         (underscore), numerics, upper and lower case alphabetics, and
1726	         the ISO Latin-1 character set extension [8]. All LAT string
1727	         comparisons are case insensitive.

1729	3.25  Login-LAT-Node

1731	   Description

1733	      This Attribute indicates the Node with which the user is to be
1734	      automatically connected by LAT. It MAY be used in AA-Answer
1735	      packets, but only when LAT is specified as the Login-Service. It
1736	      MAY be used in an AA-Request packet as a hint to the server, but
1737	      the server is not required to honor the hint.

1739	      A summary of the Login-LAT-Node Attribute format is shown below.
1740	      The fields are transmitted from left to right.

1742	   AVP Format

1744	      0                   1                   2                   3
1745	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1746	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1747	      |                           AVP Code                            |
1748	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1749	      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
1750	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1751	      |   String ...
1752	      +-+-+-+-+-+-+-+-+

1754	      Type

1756	         35 for Login-LAT-Node.

1758	      AVP Length

1760	         The length of this attribute MUST be at least 9.

1762	      AVP Flags

1764	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1765	         upon the security model used. The 'V', 'T' and the 'P' bits
1766	         MUST NOT be set.

1768	      String

1770	         The String field is one or more octets, and contains the
1771	         identity of the LAT Node to connect the user to. The LAT
1772	         Architecture allows this string to contain $ (dollar), -
1773	         (hyphen), . (period), _ (underscore), numerics, upper and lower
1774	         case alphabetics, and the ISO Latin-1 character set extension.
1775	         All LAT string comparisons are case insensitive.

1777	3.26  Login-LAT-Group

1779	   Description

1781	      This Attribute contains a string identifying the LAT group codes
1782	      which this user is authorized to use. It MAY be used in AA-Answer
1783	      packets, but only when LAT is specified as the Login-Service. It
1784	      MAY be used in an AA-Request packet as a hint to the server, but
1785	      the server is not required to honor the hint.

1787	      LAT supports 256 different group codes, which LAT uses as a form
1788	      of access rights. LAT encodes the group codes as a 256 bit bitmap.

1790	      Administrators can assign one or more of the group code bits at
1791	      the LAT service provider; it will only accept LAT connections that
1792	      have these group codes set in the bit map. The administrators
1793	      assign a bitmap of authorized group codes to each user; LAT gets
1794	      these from the operating system, and uses these in its requests to
1795	      the service providers.

1797	      A summary of the Login-LAT-Group Attribute format is shown below.
1798	      The fields are transmitted from left to right.

1800	   AVP Format

1802	      0                   1                   2                   3
1803	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1804	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1805	      |                           AVP Code                            |
1806	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1807	      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
1808	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1809	      |    Data ...
1810	      +-+-+-+-+-+-+-+-+

1812	      Type

1814	         36 for Login-LAT-Group.

1816	      AVP Length

1818	         The length of this attribute MUST be 40.

1820	      AVP Flags

1822	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1823	         upon the security model used. The 'V', 'T' and the 'P' bits
1824	         MUST NOT be set.

1826	      Data

1828	         The Data field is a 32 octet bit map, most significant octet
1829	         first. A robust implementation SHOULD support the field as
1830	         undistinguished octets.

1832	         The codification of the range of allowed usage of this field is
1833	         outside the scope of this specification.

1835	3.27  Framed-AppleTalk-Link
1836	   Description

1838	      This Attribute indicates the AppleTalk network number which should
1839	      be used for the serial link to the user, which is another
1840	      AppleTalk router. It is only used in AA-Answer packets. It is
1841	      never used when the user is not another router.

1843	      A summary of the Framed-AppleTalk-Link Attribute format is shown
1844	      below. The fields are transmitted from left to right.

1846	   AVP Format

1848	      0                   1                   2                   3
1849	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1850	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1851	      |                           AVP Code                            |
1852	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1853	      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
1854	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1855	      |                           Integer32                           |
1856	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1858	      Type

1860	         37 for Framed-AppleTalk-Link.

1862	      AVP Length

1864	         The length of this attribute MUST be 12.

1866	      AVP Flags

1868	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1869	         upon the security model used. The 'V', 'T' and the 'P' bits
1870	         MUST NOT be set.

1872	      Integer32

1874	         The Integer32 field is four octets. Despite the size of the
1875	         field, values range from zero to 65535. The special value of
1876	         zero indicates that this is an unnumbered serial link. A value
1877	         of one to 65535 means that the serial line between the NAS and
1878	         the user should be assigned that value as an AppleTalk network
1879	         number.

1881	3.28  Framed-AppleTalk-Network
1882	   Description

1884	      This Attribute indicates the AppleTalk Network number which the
1885	      NAS should probe to allocate an AppleTalk node for the user. It is
1886	      only used in AA-Answer packets. It is never used when the user is
1887	      another router. Multiple instances of this Attribute indicate that
1888	      the NAS may probe using any of the network numbers specified.

1890	      A summary of the Framed-AppleTalk-Network Attribute format is
1891	      shown below. The fields are transmitted from left to right.

1893	   AVP Format

1895	      0                   1                   2                   3
1896	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1897	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1898	      |                           AVP Code                            |
1899	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1900	      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
1901	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1902	      |                           Integer32                           |
1903	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1905	      Type

1907	         38 for Framed-AppleTalk-Network.

1909	      AVP Length

1911	         The length of this attribute MUST be 12.

1913	      AVP Flags

1915	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1916	         upon the security model used. The 'V', 'T' and the 'P' bits
1917	         MUST NOT be set.

1919	      Integer32

1921	         The Integer32 field is four octets. Despite the size of the
1922	         field, values range from zero to 65535. The special value zero
1923	         indicates that the NAS should assign a network for the user,
1924	         using its default cable range. A value between one and 65535
1925	         (inclusive) indicates the AppleTalk Network the NAS should
1926	         probe to find an address for the user.

1928	3.29  Framed-AppleTalk-Zone
1929	   Description

1931	      This Attribute indicates the AppleTalk Default Zone to be used for
1932	      this user. It is only used in AA-Answer packets. Multiple
1933	      instances of this attribute in the same packet are not allowed.

1935	      A summary of the Framed-AppleTalk-Zone Attribute format is shown
1936	      below. The fields are transmitted from left to right.

1938	   AVP Format

1940	      0                   1                   2                   3
1941	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1942	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1943	      |                           AVP Code                            |
1944	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1945	      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
1946	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1947	      |    Data ...
1948	      +-+-+-+-+-+-+-+-+

1950	      Type

1952	         39 for Framed-AppleTalk-Zone.

1954	      AVP Length

1956	         The length of this attribute MUST be at least 9.

1958	      AVP Flags

1960	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1961	         upon the security model used. The 'V', 'T' and the 'P' bits
1962	         MUST NOT be set.

1964	      String

1966	         The name of the Default AppleTalk Zone to be used for this
1967	         user.  A robust implementation SHOULD support the field as
1968	         undistinguished octets.

1970	         The codification of the range of allowed usage of this field is
1971	         outside the scope of this specification.

1973	3.30  CHAP-Challenge

1975	   Description
1976	      This Attribute contains the CHAP Challenge sent by the NAS to a
1977	      PPP Challenge-Handshake Authentication Protocol (CHAP) user. It is
1978	      only used in AA-Request packets.

1980	      A summary of the CHAP-Challenge Attribute format is shown below.
1981	      The fields are transmitted from left to right.

1983	   AVP Format

1985	      0                   1                   2                   3
1986	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1987	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1988	      |                           AVP Code                            |
1989	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1990	      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
1991	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1992	      |    Data ...
1993	      +-+-+-+-+-+-+-+-+

1995	      Type

1997	         60 for CHAP-Challenge.

1999	      AVP Length

2001	         The length of this attribute MUST be at least 24.

2003	      AVP Flags

2005	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
2006	         upon the security model used. The 'V', 'T' and the 'P' bits
2007	         MUST NOT be set.

2009	      Data

2011	         The Data field contains the CHAP Challenge.

2013	3.31  NAS-Port-Type

2015	   Description

2017	      This Attribute indicates the type of the physical port of the NAS
2018	      which is authenticating the user. It can be used instead of or in
2019	      addition to the NAS-Port (5) attribute. It is only used in AA-
2020	      Request packets. Either NAS-Port (5) or NAS-Port-Type or both
2021	      SHOULD be present in an AA-Request packet, if the NAS
2022	      differentiates among its ports.

2024	      A summary of the NAS-Port-Type Attribute format is shown below.
2025	      The fields are transmitted from left to right.

2027	   AVP Format

2029	      0                   1                   2                   3
2030	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2031	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2032	      |                           AVP Code                            |
2033	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2034	      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
2035	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2036	      |                           Integer32                           |
2037	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

2039	      Type

2041	         61 for NAS-Port-Type.

2043	      AVP Length

2045	         The length of this attribute MUST be 12.

2047	      AVP Flags

2049	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
2050	         upon the security model used. The 'V', 'T' and the 'P' bits
2051	         MUST NOT be set.

2053	      Integer32

2055	         The Integer32 field is four octets. "Virtual" refers to a
2056	         connection to the NAS via some transport protocol, instead of
2057	         through a physical port. For example, if a user telnetted into
2058	         a NAS to authenticate himself as an Outbound-User, the AA-
2059	         Request might include NAS-Port-Type = Virtual as a hint to the
2060	         RADIUS server that the user was not on a physical port.

2062	            0       Async
2063	            1       Sync
2064	            2       ISDN Sync
2065	            3       ISDN Async V.120
2066	            4       ISDN Async V.110
2067	            5       Virtual

2069	3.32  Port-Limit
2070	   Description

2072	      This Attribute sets the maximum number of ports to be provided to
2073	      the user by the NAS. This Attribute MAY be sent by the server to
2074	      the client in an AA-Answer packet. It is intended for use in
2075	      conjunction with Multilink PPP [9] or similar uses. It MAY also be
2076	      sent by the NAS to the server as a hint that that many ports are
2077	      desired for use, but the server is not required to honor the hint.

2079	      A summary of the Port-Limit Attribute format is shown below. The
2080	      fields are transmitted from left to right.

2082	   AVP Format

2084	      0                   1                   2                   3
2085	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2086	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2087	      |                           AVP Code                            |
2088	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2089	      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
2090	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2091	      |                           Integer32                           |
2092	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

2094	      Type

2096	         62 for Port-Limit.

2098	      AVP Length

2100	         The length of this attribute MUST be 12.

2102	      AVP Flags

2104	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
2105	         upon the security model used. The 'V', 'T' and the 'P' bits
2106	         MUST NOT be set.

2108	      Integer32

2110	         The Integer32 field is four octets, containing a 32-bit
2111	         unsigned integer with the maximum number of ports this user
2112	         should be allowed to connect to on the NAS.

2114	3.33  Login-LAT-Port

2116	   Description
2117	      This Attribute indicates the Port with which the user is to be
2118	      connected by LAT. It MAY be used in AA-Answer packets, but only
2119	      when LAT is specified as the Login-Service. It MAY be used in an
2120	      AA-Request packet as a hint to the server, but the server is not
2121	      required to honor the hint.

2123	      A summary of the Login-LAT-Port Attribute format is shown below.
2124	      The fields are transmitted from left to right.

2126	   AVP Format

2128	      0                   1                   2                   3
2129	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2130	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2131	      |                           AVP Code                            |
2132	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2133	      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
2134	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2135	      |   String ...
2136	      +-+-+-+-+-+-+-+-+

2138	      Type

2140	         63 for Login-LAT-Port.

2142	      AVP Length

2144	         The length of this attribute MUST be at least 9.

2146	      AVP Flags

2148	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
2149	         upon the security model used. The 'V', 'T' and the 'P' bits
2150	         MUST NOT be set.

2152	      String

2154	         The String field is one or more octets, and contains the
2155	         identity of the LAT port to use. The LAT Architecture allows
2156	         this string to contain $ (dollar), - (hyphen), . (period), _
2157	         (underscore), numerics, upper and lower case alphabetics, and
2158	         the ISO Latin-1 character set extension. All LAT string
2159	         comparisons are case insensitive.

2161	3.34  Filter-Rule

2163	   Description
2164	      This Attribute provides filter rules that need to be configured on
2165	      the NAS for the user. It is used in the AA-Answer message and can
2166	      appear multiple times.

2168	      A summary of the Filter-Rule Attribute format is shown below. The
2169	      fields are transmitted from left to right.

2171	   AVP Format

2173	      0                   1                   2                   3
2174	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2175	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2176	      |                           AVP Code                            |
2177	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2178	      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
2179	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2180	      |   String ...
2181	      +-+-+-+-+-+-+-+-+

2183	      Type

2185	         280 for Filter-Rule.

2187	      AVP Length

2189	         The length of this attribute MUST be at least 9.

2191	      AVP Flags

2193	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
2194	         upon the security model used. The 'V', 'T' and the 'P' bits
2195	         MUST NOT be set.

2197	      String

2199	         The String field MUST contain a filter rule in the following
2200	         format:  "permit (offset=value AND offset=value) OR
2201	         offset=value" or "deny (offset=value AND offset=value) OR
2202	         offset=value".

2204	3.35  Framed-Password-Policy

2206	   Description

2208	      This Attribute is used to indicate to a peer what types of
2209	      authentication are supported by the issuing DIAMETER peer. More
2210	      than one Framed-Password-Policy AVP MAY be present in the Domain-
2211	      Discovery-Answer message.

2213	      A summary of the User-Name Attribute format is shown below. The
2214	      fields are transmitted from left to right.

2216	   AVP Format

2218	      0                   1                   2                   3
2219	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2220	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2221	      |                           AVP Code                            |
2222	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2223	      |          AVP Length           |     Reserved      |P|T|V|E|H|M|
2224	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2225	      |                           Integer32                           |
2226	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

2228	      Type

2230	         281 for Framed-Password-Policy.

2232	      AVP Length

2234	         The length of this attribute MUST be 12.

2236	      AVP Flags

2238	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
2239	         upon the security model used. The 'V', 'T' and the 'P' bits
2240	         MUST NOT be set.

2242	      Integer32

2244	         The Integer32 field contains the supported authentication
2245	         schemes supported. The following values are supported:

2247	            PAP         1
2248	            CHAP        2
2249	            MS-CHAP     3
2250	            EAP         4
2251	            SPAP        5

2253	3.36  Table of Attributes

2255	   The following table provides a guide to which attributes may be found
2256	   in which kinds of packets, and in what quantity.

2258	              Success  Failed  AA-Chal  #    Attribute
2259	      AA-Req  AA-Answ  AA-Answ  Req
2260	       0-1      0-1       0      0      1   User-Name
2261	       0-1      0         0      0      2   User-Password [*1]
2262	       0-1      0         0      0      3   CHAP-Password [*1]
2263	       0-1      0         0      0      5   NAS-Port
2264	       0-1      0-1       0      0      6   Service-Type
2265	       0-1      0-1       0      0      7   Framed-Protocol
2266	       0-1      0-1       0      0      8   Framed-IP-Address
2267	       0-1      0-1       0      0      9   Framed-IP-Netmask
2268	       0        0-1       0      0     10   Framed-Routing
2269	       0        0+        0      0     11   Filter-Id
2270	       0        0-1       0      0     12   Framed-MTU
2271	       0+       0+        0      0     13   Framed-Compression
2272	       0+       0+        0      0     14   Login-IP-Host
2273	       0        0-1       0      0     15   Login-Service
2274	       0        0-1       0      0     16   Login-TCP-Port
2275	       0        0+        0+     0+    18   Reply-Message
2276	       0-1      0-1       0      0     19   Callback-Number
2277	       0        0-1       0      0     20   Callback-Id
2278	       0        0+        0      0     22   Framed-Route
2279	       0        0-1       0      0     23   Framed-IPX-Network
2280	       0        0-1       0      0-1   28   Idle-Timeout
2281	       0        0-1       0      0     29   Termination-Action
2282	       0-1      0         0      0     30   Called-Station-Id
2283	       0-1      0         0      0     31   Calling-Station-Id
2284	       0-1      0-1       0      0     34   Login-LAT-Service
2285	       0-1      0-1       0      0     35   Login-LAT-Node
2286	       0-1      0-1       0      0     36   Login-LAT-Group
2287	       0        0-1       0      0     37   Framed-AppleTalk-Link
2288	       0        0+        0      0     38   Framed-AppleTalk-Net.
2289	       0        0-1       0      0     39   Framed-AppleTalk-Zone
2290	       0-1      0         0      0     60   CHAP-Challenge
2291	       0-1      0         0      0     61   NAS-Port-Type
2292	       0-1      0-1       0      0     62   Port-Limit
2293	       0-1      0-1       0      0     63   Login-LAT-Port
2294	       0        0+        0      0    280   Filter-Rule
2295	       0        0         0      0    281   Framed-Password-Policy
2296	              Success  Failed  AA-Chal  #    Attribute
2297	      AA-Req  AA-Answ  AA-Answ  Req

2299	      [*1] An AA-Request MUST NOT contain both a User-Password and a
2300	      CHAP-Password AVP.

2302	      The following table defines the meaning of the above table
2303	      entries.

2305	          0     This attribute MUST NOT be present in packet.

2307	          0+    Zero or more instances of this attribute MAY be present
2308	                in packet.
2309	          0-1   Zero or one instance of this attribute MAY be present
2310	                in packet.
2311	          1     Exactly one instance of this attribute MUST be present
2312	         in
2313	                packet.

2315	4.0  Protocol Definition

2317	   This section will outline how the DIAMETER Authentication Extension
2318	   can be used.

2320	4.1  Feature Advertisement/Discovery

2322	   As defined in [2], the Reboot-Ind and Device-Feature-Query messages
2323	   can be used to inform a peer about locally supported DIAMETER
2324	   Extensions. In order to advertise support of this extension, the
2325	   Extension-Id AVP must be transmitted with a value of one (1).

2327	4.2  Authorization Procedure

2329	   This specification allows two different types of Authorization
2330	   procedures.  The first method is identical to the way RADIUS works
2331	   today and requires the AA-Request to contain the UserName as well as
2332	   either the Password or the CHAP-Password AVPs.

2334	   The second method is used by NASes that send AA-Request whenever they
2335	   receive an incoming call and want to get authorization from the
2336	   DIAMETER Server to answer the call. In this case the AA-Request
2337	   contains the NAS-IP-Address, the Calling-Station-Id and the Called-
2338	   Station-Id AVPs.

2340	   In this case the DIAMETER Server can lookup the combination of the
2341	   Calling-Station-Id and the Called-Station-Id in order to ensure that
2342	   the pair are authorized as per the local policy.

2344	4.3  Integration with Resource-Management

2346	   Document [10] specifies the Resource-Token AVP that is used to carry
2347	   information required for a DIAMETER server to rebuild its state
2348	   information in the event of a crash or some other event that would
2349	   cause the server to loose its state information.

2351	   When creating the Resource-Token AVP, the following AVPs MUST be
2352	   present, in addition to the AVPs listed in [10]; the UserName AVP,
2353	   the NAS-IP- Address, the NAS-Port. Any additional AVP MAY be included
2354	   if the AVP is a resource that is being managed (i.e. Framed-IP-
2355	   Address in the case where the DIAMETER Server is allocating IP
2356	   Addresses out of a centrally managed address pool).

2358	5.0  References

2360	    [1] Rigney, et alia, "RADIUS", RFC-2138, Livingston, April 1997

2362	    [2] Calhoun, Rubens, "DIAMETER Base Protocol",
2363	        draft-calhoun-diameter-08.txt, Work in Progress,
2364	        February 1999.

2366	    [3]  Aboba, Beadles "The Network Access Identifier." RFC 2486.
2367	         January 1999.

2369	    [4]  Aboba, Zorn, "Criteria for Evaluating Roaming Protocols",
2370	         RFC 2477, January 1999.

2372	    [5] Calhoun, Rubens, Aboba, "DIAMETER Extensible Authentication
2373	        Protocol Extensions", draft-calhoun-diameter-eap-01.txt,
2374	        Work in Progress, March 1998.

2376	    [6] Calhoun, Haag, Zorn, "EAP Authentication for SOCKS
2377	        Version 5", draft-ietf-aft-socks-eap-00.txt, Work in
2378	        Progress, March 1998.

2380	    [7] Jacobson, "Compressing TCP/IP headers for low-speed serial
2381	        links", RFC 1144, February 1990.

2383	    [8] ISO 8859. International Standard -- Information Processing --
2384	        8-bit Single-Byte Coded Graphic Character Sets -- Part 1: Latin
2385	        Alphabet No. 1, ISO 8859-1:1987.
2386	        <URL:http://www.iso.ch/cate/d16338.html>

2388	    [9] Sklower, Lloyd, McGregor, Carr, "The PPP Multilink Protocol
2389	        (MP)", RFC 1717, November 1994.

2391	    [10] Calhoun, Greene, "DIAMETER Resource Management Extension",
2392	         draft-calhoun-diameter-res-mgmt-02.txt, Work in Progress,
2393	         February 1999.

2395	    [11] Calhoun, Zorn, Pan, "DIAMETER Framework",
2396	         draft-calhoun-diameter-framework-01.txt, Work in Progress,
2397	         December 1998.

2399	6.0  Acknowledgements

2401	   The Author wishes to thank Carl Rigney since much of the text in the
2402	   document was shamefully copied from [1] as well as the following
2403	   people for their help in the development of this protocol:

2405	   Nancy Greene, Ryan Moats

2407	7.0  Authors' Addresses

2409	   Questions about this memo can be directed to:

2411	      Pat R. Calhoun
2412	      Network and Security Research Center, Sun Labs
2413	      Sun Microsystems, Inc.
2414	      15 Network Circle
2415	      Menlo Park, California, 94025
2416	      USA

2418	       Phone:  1-650-786-7733
2419	         Fax:  1-650-786-6445
2420	      E-mail:  pcalhoun@eng.sun.com

2422	      William Bulley
2423	      Merit Network, Inc.
2424	      4251 Plymouth Road, Suite C
2425	      Ann Arbor, Michigan, 48105-2785
2426	      USA

2428	       Phone:  1-734-764-9993
2429	         Fax:  1-734-647-3185
2430	      E-mail:  web@merit.edu