idnits 2.17.1 

draft-calhoun-diameter-authent-06.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate.  This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** The document seems to lack a 1id_guidelines paragraph about
     Internet-Drafts being working documents. 

  ** The document seems to lack a 1id_guidelines paragraph about the list of
     current Internet-Drafts -- however, there's a paragraph with a matching
     beginning. Boilerplate error?

  ** The document seems to lack a 1id_guidelines paragraph about the list of
     Shadow Directories -- however, there's a paragraph with a matching
     beginning. Boilerplate error?

  == The page length should not exceed 58 lines per page, but there was 53
     longer pages, the longest (page 2) being 60 lines

  == It seems as if not all pages are separated by form feeds - found 0 form
     feeds but 54 pages


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack a Security Considerations section.

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The document seems to lack separate sections for Informative/Normative
     References.  All references will be assumed normative when checking for
     downward references.

  ** There are 20 instances of too long lines in the document, the longest
     one being 1 character in excess of 72.

  ** The abstract seems to contain references ([4], [1]), which it shouldn't.
      Please replace those with straight textual mentions of the documents in
     question.

  == There are 2 instances of lines with private range IPv4 addresses in the
     document.  If these are generic example addresses, they should be changed
     to use any of the ranges defined in RFC 6890 (or successor): 192.0.2.x,
     198.51.100.x or 203.0.113.x.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  == Line 2432 has weird spacing: '... copied  and  ...'

  == Line 2433 has weird spacing: '...s,  and  deriv...'

  == Line 2434 has weird spacing: '...blished  and...'

  == Line 2435 has weird spacing: '...ed,  in  whole...'

  == Line 2436 has weird spacing: '...hat the  above...'

  == (5 more instances...)

  == The document seems to lack the recommended RFC 2119 boilerplate, even if
     it appears to use RFC 2119 keywords. 

     (The document does seem to have the reference to RFC 2119 which the
     ID-Checklist requires).
  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- Couldn't find a document date in the document -- date freshness check
     skipped.


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Unused Reference: '11' is defined on line 2386, but no explicit
     reference was found in the text

  == Unused Reference: '13' is defined on line 2391, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 2138 (ref. '1') (Obsoleted by RFC 2865)

  == Outdated reference: A later version (-18) exists of
     draft-calhoun-diameter-08

  -- Possible downref: Normative reference to a draft: ref. '2' 

  ** Obsolete normative reference: RFC 2486 (ref. '3') (Obsoleted by RFC 4282)

  ** Downref: Normative reference to an Informational RFC: RFC 2477 (ref. '4')

  -- Possible downref: Normative reference to a draft: ref. '5' 

  -- Possible downref: Non-RFC (?) normative reference: ref. '8'

  ** Obsolete normative reference: RFC 1717 (ref. '9') (Obsoleted by RFC 1990)

  == Outdated reference: A later version (-08) exists of
     draft-calhoun-diameter-res-mgmt-02

  -- Possible downref: Normative reference to a draft: ref. '10' 

  == Outdated reference: A later version (-09) exists of
     draft-calhoun-diameter-framework-02

  -- Possible downref: Normative reference to a draft: ref. '11' 

  == Outdated reference: A later version (-04) exists of
     draft-calhoun-diameter-proxy-02

  -- Possible downref: Normative reference to a draft: ref. '13' 


     Summary: 13 errors (**), 0 flaws (~~), 17 warnings (==), 8 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

1	INTERNET DRAFT                                            Pat R. Calhoun
2	Category: Standards Track                          Sun Microsystems, Inc.
3	Title: draft-calhoun-diameter-authent-06.txt              William Bulley
4	Date: August 1999                                    Merit Network, Inc.

6	                                DIAMETER
7	                      Dial-Up (ROAMOPS) Extensions

9	Status of this Memo

11	   This document is an individual contribution for consideration by the
12	   AAA Working Group of the Internet Engineering Task Force.  Comments
13	   should be submitted to the diameter@ipass.com mailing list.

15	   Distribution of this memo is unlimited.

17	   This document is an Internet-Draft and is in full conformance with
18	   all provisions of Section 10 of RFC2026.  Internet-Drafts are working
19	   documents of the Internet Engineering Task Force (IETF), its areas,
20	   and its working groups.  Note that other groups may also distribute
21	   working documents as Internet-Drafts.

23	   Internet-Drafts are draft documents valid for a maximum of six months
24	   and may be updated, replaced, or obsoleted by other documents at any
25	   time.  It is inappropriate to use Internet-Drafts as reference
26	   material or to cite them other than as "work in progress."

28	   The list of current Internet-Drafts can be accessed at:

30	      http://www.ietf.org/ietf/1id-abstracts.txt

32	   The list of Internet-Draft Shadow Directories can be accessed at:

34	      http://www.ietf.org/shadow.html.

36	Abstract

38	   This document describes the DIAMETER Dial-up User Authentication
39	   Extension that is used for ROAMOPS [4] purposes. This specification
40	   was carefully designed to ease the burden of servers that must act as
41	   RADIUS/DIAMETER gateways, by re-using the same address space that
42	   RADIUS has defined [1]. Further, by re-using the same address space,
43	   it allows a single server to read the same dictiionary for both
44	   DIAMETER and RADIUS. This backward compatibility will hopefully
45	   facilitate deployment of DIAMETER.

47	Table of Contents

49	      1.0  Introduction
50	            1.1  Requirements language
51	            1.2  Changes in version -06
52	      2.0  Command Codes
53	            2.1  AA-Request (AAR)
54	            2.2  AA-Answer (AAA)
55	            2.3  AA-Challenge-Ind (ACI)
56	      3.0  DIAMETER AVPs
57	            3.1  User-Name
58	            3.2  User-Password
59	            3.3  CHAP-Password
60	            3.4  NAS-Port
61	            3.5  Service-Type
62	            3.6  Framed-Protocol
63	            3.7  Framed-IP-Address
64	            3.8  Framed-IP-Netmask
65	            3.9  Framed-Routing
66	            3.10 Filter-Id
67	            3.11 Framed-MTU
68	            3.12 Framed-Compression
69	            3.13 Login-IP-Host
70	            3.14 Login-Service
71	            3.15 Login-TCP-Port
72	            3.16 Reply-Message
73	            3.17 Callback-Number
74	            3.18 Callback-Id
75	            3.19 Framed-Route
76	            3.20 Framed-IPX-Network
77	            3.21 Idle-Timeout
78	            3.22 Called-Station-Id
79	            3.23 Calling-Station-Id
80	            3.24 Login-LAT-Service
81	            3.25 Login-LAT-Node
82	            3.26 Login-LAT-Group
83	            3.27 Framed-AppleTalk-Link
84	            3.28 Framed-AppleTalk-Network
85	            3.29 Framed-AppleTalk-Zone
86	            3.30 CHAP-Challenge
87	            3.31 NAS-Port-Type
88	            3.32 Port-Limit
89	            3.33 Login-LAT-Port
90	            3.34 Filter-Rule
91	            3.35 Framed-Password-Policy
92	            3.36 Table of Attributes
93	      4.0  Protocol Definition
94	            4.1  Feature Advertisement/Discovery
95	            4.2  Authorization Procedure
96	            4.3  Integration with Resource-Management
97	      5.0  References
98	      6.0  Acknowledgements
99	      7.0  Authors' Addresses
100	      8.0  Full Copyright Statement

102	1.0  Introduction

104	   This document describes the DIAMETER Dial-up User Authentication
105	   Extension that is used for ROAMOPS [4] purposes. This specification
106	   was carefully designed to ease the burden of servers that must act as
107	   RADIUS/DIAMETER gateways, by re-using the same address space that
108	   RADIUS has defined [1]. Further, by re-using the same address space,
109	   it allows a single server to read the same dictiionary for both
110	   DIAMETER and RADIUS. This backward compatibility will hopefully
111	   facilitate deployment of DIAMETER.

113	   The Extension number for this draft is one (1). This value is used in
114	   the Extension-Id AVP as defined in [2].

116	1.1  Copyright Statement

118	   Copyright   (C) The Internet Society 1999.  All Rights Reserved.

120	1.2  Requirements language

122	   In this document, the key words "MAY", "MUST, "MUST NOT", "optional",
123	   "recommended", "SHOULD", and "SHOULD NOT", are to be interpreted as
124	   described in [12].

126	1.3  Changes in version -06

128	   The following changes have been made to version 06:

130	      - Changes to AVP Header Flags

132	      - Change to the document title

134	      - Changed the Command-Specific AVP Flags in all command codes
135	      defined.

137	      - Added a reference to RFC 1994 (CHAP)

139	2.0  Command Codes

141	   This document defines the following DIAMETER Commands. All DIAMETER
142	   implementations supporting this extension MUST support all of the
143	   following commands:

145	      Command Name          Command Code
146	      -----------------------------------
147	      AA-Request                263
148	      AA-Answer                 264
149	      AA-Challenge-Ind          265

151	2.1  AA-Request (AAR)

153	   Description

155	      The AA-Request message is used in order to request authentication
156	      and authorization for a given user.

158	      If Authentication is requested the User-Name attribute MUST be
159	      present. If only Authorization is required it is possible to
160	      authorize based on DNIS and ANI instead. However, it is not
161	      possible to authenticate using a User-Name AVP and later
162	      requesting authorization based on DNIS using the same Session-Id
163	      (although the inverse is legal).

165	      Note that the flag field MAY be used in this command in order to
166	      indicate that either Authentication-Only or Authorization-Only is
167	      required for the request. If the Authentication-Only bit is set
168	      the response MUST NOT include any authorization information. Both
169	      the Authenticate and Authorize bits MUST NOT be set at the same
170	      time. To ensure that a user is both authenticated and authorized,
171	      neither flag is set.

173	      The AA-Request message MUST include a unique Session-Id AVP. If
174	      The AA-Request is a result of a successful AA-Challenge-Ind the
175	      Session-Id MUST be identical to the one provided in the initial
176	      AA-Request.

178	   Message Format

180	      Section 3.36 contains a complete list of all valid AVPs for this
181	      message.

183	      <AA-Request> ::= <DIAMETER Header>
184	                       <AA-Request Command AVP>
185	                       <Session-Id AVP>
186	                       <Host-IP-Address AVP>
187	                       [<Host-Name AVP>]
188	                       [<Proxy-State AVP>]
189	                       [<Class AVP>]
190	                       [<State AVP>]
191	                       {<User-Name AVP> ||
192	                        <Called-Station-Id AVP }
193	                       <Miscellaneous AVPs>
194	                       <Timestamp AVP>
195	                       <Nonce AVP>
196	                       {<Integrity-Check-Vector AVP> ||
197	                        <Digital-Signature AVP }

199	   AVP Format

201	      A summary of the AA-Request packet format is shown below. The
202	      fields are transmitted from left to right.

204	       0                   1                   2                   3
205	       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
206	       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
207	       |                           AVP Code                            |
208	       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
209	       |          AVP Length           |CFlags |C|Z|Reservd|P|E|T|V|H|M|
210	       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
211	       |                         Command Code                          |
212	       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

214	      Code

216	         256     DIAMETER Command

218	      AVP Length

220	         The length of this attribute MUST be 12.

222	      Command Flags

224	         The following Command-specific flag bits may be set in the AA-
225	         Request command:

227	            The 'C' (Authentication-only) bit may be set to indicate
228	            that only authentication of the user is required, and that
229	            no authorization should be performed. Additionally, no
230	            authorization information is expected in the AA-Response
231	            command.

233	            The 'Z' (Authorization-Only) bit may be set to indicate that
234	            only authorization of the user is requested and that no
235	            authentication is required. When this bit is set, no user
236	            authentication AVPs (i.e.  User-Password, etc.) will be
237	            present in the request.

239	      AVP Flags

241	         The AVP Flags field MUST have the 'M' bit set, and MAY have the
242	         'P' bit set if end-to-end message integrity is required.
243	         Furthermore, the 'H', E', 'T' and 'V' bits MUST NOT be set.

245	      Command Type

247	         The Command Type field MUST be set to 263 (AA-Request).

249	2.2  AA-Answer (AAA)

251	   Description

253	      The AA-Answer message is used in order to indicate that
254	      Authentication and/or authorization was successful. If
255	      authorization was requested a list of AVPs with the authorization
256	      information MUST be attached to the message (see section 3.42).

258	      The AA-Answer message MUST include the Session-Id AVP that was
259	      present in the AA-Request. The AA-Answer MUST also include the
260	      Host-Name AVP and the Result-Code AVP to indicate the status of
261	      the session. The following error codes are defined for this
262	      message:

264	         DIAMETER_ERROR_UNKNOWN_DOMAIN       1
265	            This error code is used to indicate to the initiator of the
266	            request that the requested domain is unknown and cannot be
267	            resolved.

269	         DIAMETER_ERROR_USER_UNKNOWN         2
270	            This error code is used to indicate to the initiator that
271	            the username request is not valid..

273	         DIAMETER_ERROR_BAD_PASSWORD         3
274	            This error code indicates that the password provided is
275	            invalid.

277	         DIAMETER_ERROR_CANNOT_AUTHORIZE     4
278	            This error code is used to indicate that the user cannot be
279	            authorized due to the fact that the user has expended the
280	            servers local resources.  This could be a result that the
281	            server believes that the user already has an active session,
282	            or that the user has already spent the number of credits in
283	            his/her account, etc.

285	      Note that the flag field MUST be set to the same value that was
286	      found in the AA-Request message.

288	   Message Format

290	      Section 3.36 contains a complete list of all valid AVPs for this
291	      message.

293	      <AA-Answer> ::= <DIAMETER Header>
294	                       <AA-Answer Command AVP>
295	                       <Session-Id AVP>
296	                       <Result-Code AVP>
297	                       [<Error-Code AVP>]
298	                       <Host-IP-Address AVP>
299	                       [<Host-Name AVP>]
300	                       [<Session-Timeout AVP>]
301	                       [<Proxy-State AVP>]
302	                       [<Class AVP>]
303	                       [<State AVP>]
304	                       <Miscellaneous AVPs>
305	                       <Timestamp AVP>
306	                       <Nonce AVP>
307	                       {<Integrity-Check-Vector AVP> ||
308	                        <Digital-Signature AVP }

310	   AVP Format

312	      A summary of the AA-Answer packet format is shown below. The
313	      fields are transmitted from left to right.

315	       0                   1                   2                   3
316	       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
317	       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
318	       |                           AVP Code                            |
319	       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
320	       |          AVP Length           | Cmd Flags |Reservd|P|E|T|V|H|M|
321	       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
322	       |                         Command Code                          |
323	       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

325	      Code
326	         256     DIAMETER Command

328	      AVP Length

330	         The length of this attribute MUST be 12.

332	      Command Flags

334	         The Command Flag bits set in the AA-Response MUST match the
335	         setting of the bits in the corresponding AA-Request. The
336	         following Command-specific flag bits may be set in the AA-
337	         Response command:

339	            The 'C' (Authentication-Only) bit indicates that only user
340	            authentication was performed, as requested. No additional
341	            authorization information is present in the AA-Response.

343	            The 'Z' (Authorization-Only) bit indicates that only
344	            authorization of the user was performed, and that no
345	            authentication was done.

347	      AVP Flags

349	         The AVP Flags field MUST have the 'M' bit set, and MAY have the
350	         'P' bit set if end-to-end message integrity is required.
351	         Furthermore, the 'H', E', 'T' and 'V' bits MUST NOT be set.

353	      Command Type

355	         The Command Type field MUST be set to 264 (AA-Answer).

357	2.3  AA-Challenge-Ind (AACI)

359	   Description

361	      If the DIAMETER server desires to send the user a challenge
362	      requiring a response, then the DIAMETER server MUST respond to the
363	      AA-Request by transmitting a packet with the Code field set to 265
364	      (AA-Challenge-Ind).

366	      The message MAY have one or more Reply-Message AVP, and MAY have a
367	      single State AVP, or none.  No other AVPs are permitted in an AA-
368	      Challenge-Ind other than the Integrity-Check-Vector or Digital-
369	      Signature AVP as defined in [2].

371	      On receipt of an AA-Challenge-Ind, the Identifier field is matched
372	      with a pending AA-Request. Invalid packets are silently discarded.

374	      The receipt of a valid AA-Challenge-Ind indicates that a new AA-
375	      Request SHOULD be sent. The NAS MAY display the text message, if
376	      any, to the user, and then prompt the user for a response.  It
377	      then sends its original Acess-Request with a new request ID, with
378	      the User-Password AVP replaced by the user's response (encrypted),
379	      and including the State AVP from the AA-Challenge-Ind, if any.
380	      Only zero or one instances of the State Attribute can be present
381	      in an AA-Request.

383	      A NAS which supports PAP MAY forward the Reply-Message to the
384	      dialin client and accept a PAP response which it can use as though
385	      the user had entered the response.  If the NAS cannot do so, it
386	      should treat the AA-Challenge-Ind as though it had received an AA-
387	      Answer with a Result-Code AVP set to a value other than
388	      DIAMETER_SUCCESS instead.

390	      It is preferable to use EAP [5] instead of the AA-Challenge-Ind,
391	      yet it has been maintained for backward compatibility.

393	      The AA-Challenge-Ind message MUST include the Session-Id AVP that
394	      was present in the AA-Request and MUST include the same flag value
395	      that was found in the AA-Request.

397	      Section 3.36 contains a complete list of all valid AVPs for this
398	      message.

400	      AA-Challenge-Ind ::= <DIAMETER Header>
401	                           <AA-Challenge-Ind Command AVP>
402	                           <Session-Id AVP>
403	                           <Result-Code AVP>
404	                           [<Error-Code AVP>]
405	                           <Host-IP-Address AVP>
406	                           [<Host-Name AVP>]
407	                           [<Proxy-State AVP>]
408	                           [<Class AVP>]
409	                           [<State AVP>]
410	                           <Reply-Message AVPs>
411	                           <Timestamp AVP>
412	                           <Nonce AVP>
413	                           {<Integrity-Check-Vector AVP> ||
414	                            <Digital-Signature AVP }

416	   AVP Format

418	      A summary of the AA-Challenge-Ind packet format is shown below.
419	      The fields are transmitted from left to right.

421	       0                   1                   2                   3
422	       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
423	       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
424	       |                           AVP Code                            |
425	       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
426	       |          AVP Length           | Cmd Flags |Reservd|P|E|T|V|H|M|
427	       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
428	       |                         Command Code                          |
429	       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

431	      Code

433	         256     DIAMETER Command

435	      AVP Length

437	         The length of this attribute MUST be 12.

439	      Command Flags

441	         The Command Flag bits set in the AA-Challenge MUST match the
442	         setting of the bits in the corresponding AA-Request. The
443	         following Command-specific flag bits may be set in the AA-
444	         Challenge command:

446	            The 'C' (Authentication-Only) bit indicates that the user is
447	            being authentication, but that further information is
448	            required from the user.

450	      AVP Flags

452	         The AVP Flags field MUST have the 'M' bit set, and MAY have the
453	         'P' bit set if end-to-end message integrity is required.
454	         Furthermore, the 'H', E', 'T' and 'V' bits MUST NOT be set.

456	      Command Type

458	         The Command Type field MUST be set to 265 (AA-Challenge-Ind).

460	3.0  DIAMETER AVPs

462	   This section will define the mandatory AVPs which MUST be supported
463	   by all DIAMETER implementations supporting this extension. The
464	   following AVPs are defined in this document:

466	      Attribute Name       Attribute Code
467	      -----------------------------------
468	      User-Name                   1
469	      User-Password               2
470	      CHAP-Password               3
471	      NAS-Port                    5
472	      Service-Type                6
473	      Framed-Protocol             7
474	      Framed-IP-Address           8
475	      Framed-IP-Netmask           9
476	      Framed-Routing             10
477	      Filter-Id                  11
478	      Framed-MTU                 12
479	      Framed-Compression         13
480	      Login-IP-Host              14
481	      Login-Service              15
482	      Login-TCP-Port             16
483	      Reply-Message              18
484	      Callback-Number            19
485	      Callback-Id                20
486	      Framed-Route               22
487	      Framed-IPX-Network         23
488	      Vendor-Specific            26
489	      Idle-Timeout               28
490	      Termination-Action         29
491	      Called-Station-Id          30
492	      Calling-Station-Id         31
493	      Login-LAT-Service          34
494	      Login-LAT-Node             35
495	      Login-LAT-Group            36
496	      Framed-AppleTalk-Link      37
497	      Framed-AppleTalk-Network   38
498	      Framed-AppleTalk-Zone      39
499	      CHAP-Challenge             60
500	      NAS-Port-Type              61
501	      Port-Limit                 62
502	      Login-LAT-Port             63
503	      Filter-Rule               280
504	      Framed-Password-Policy    281

506	3.1  User-Name

508	   Description

510	      This Attribute indicates the name of the user to be authenticated.
511	      It is normally used in AA-Request packets, but MAY be present in
512	      the AA-Answer message.

514	      A summary of the User-Name Attribute format is shown below. The
515	      fields are transmitted from left to right.

517	   AVP Format

519	      0                   1                   2                   3
520	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
521	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
522	      |                           AVP Code                            |
523	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
524	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
525	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
526	      |   String ...
527	      +-+-+-+-+-+-+-+-+

529	      Type

531	         1 for User-Name.

533	      AVP Length

535	         The length of this attribute MUST be at least 9.

537	      AVP Flags

539	         The 'M' bit MUST be set. The 'H' MAY be set, but the 'E' bit
540	         MUST NOT be set since proxy servers would have no knowledge of
541	         the user's domain. The 'V', 'T' and the 'P' bits MUST NOT be
542	         set.

544	      String

546	         The String field is one or more octets. All DIAMETER systems
547	         SHOULD support User-Name lengths of at least 63 octets. The
548	         format of the User-Name SHOULD follow the format defined in
549	         [3].

551	3.2  User-Password

553	   Description

555	      This Attribute indicates the password of the user to be
556	      authenticated, or the user's input following an AA-Challenge.  It
557	      is only used in AA-Request packets.

559	      This AVP MUST be encrypted using one of the methods described in
560	      [2]. The use of this AVP with shared secret encryption is strongly
561	      discouraged by the author due to the security implications in a
562	      proxy environment, yet the support of this attribute has been
563	      retained for RADIUS backward compability.

565	      A summary of the User-Password Attribute format is shown below.
566	      The fields are transmitted from left to right.

568	   AVP Format

570	      0                   1                   2                   3
571	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
572	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
573	      |                           AVP Code                            |
574	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
575	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
576	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
577	      |    Data ...
578	      +-+-+-+-+-+-+-+-+
579	      Type

581	         2 for User-Password.

583	      AVP Length

585	         The length of this attribute MUST be at least 24 and MUST be no
586	         larger than 136.

588	      AVP Flags

590	         The 'M' bit MUST be set. Either the 'H' or the 'E' bit MUST be
591	         set depending upon the security model used. The 'V', 'T' and
592	         the 'P' bits MUST NOT be set.

594	         The AVP Flags field MUST have bit one (Mandatory Support) set.
595	         One of the AVP Encryption bits MUST be set.

597	      Data

599	         The Data field is between 16 and 128 octets long, inclusive.

601	3.3  CHAP-Password

603	   Description

605	      This Attribute indicates the response value provided by a PPP
606	      Challenge-Handshake Authentication Protocol (CHAP) user in
607	      response to the challenge. It is only used in AA-Request packets.

609	      If the CHAP-Password Attribute is found in a message, the CHAP-
610	      Challenge Attribute (60) MUST be present as well.

612	      A summary of the CHAP-Password Attribute format is shown below.
613	      The fields are transmitted from left to right.

615	   AVP Format

617	      0                   1                   2                   3
618	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
619	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
620	      |                           AVP Code                            |
621	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
622	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
623	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
624	      |  CHAP Ident   |    Data ...
625	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

627	      Type

629	         3 for CHAP-Password.

631	      AVP Length

633	         The length of this attribute MUST be 25.

635	      AVP Flags

637	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
638	         upon the security model used. The 'V', 'T' and the 'P' bits
639	         MUST NOT be set.

641	      CHAP Ident

643	         This field is one octet, and contains the CHAP Identifier from
644	         the user's CHAP Response.

646	      Data

648	         The Data field is 16 octets, and contains the CHAP Response
649	         from the user. The actual computation of the CHAP challenge can
650	         be found in [6].

652	3.4  NAS-Port

654	   Description
655	      This Attribute indicates the physical port number of the NAS which
656	      is authenticating the user. It is normally only used in AA-Request
657	      messages (see section 2.2 for more info). Note that this is using
658	      "port" in its sense of a physical connection on the NAS, not in
659	      the sense of a TCP or UDP port number. Either NAS-Port or NAS-
660	      Port-Type (61) or both SHOULD be present in an AA-Request packet,
661	      if the NAS differentiates among its ports.

663	      A summary of the NAS-Port Attribute format is shown below. The
664	      fields are transmitted from left to right.

666	   AVP Format

668	      0                   1                   2                   3
669	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
670	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
671	      |                           AVP Code                            |
672	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
673	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
674	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
675	      |                           Integer32                           |
676	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

678	      Type

680	         5 for NAS-Port.

682	      AVP Length

684	         The length of this attribute MUST be 12.

686	      AVP Flags

688	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
689	         upon the security model used. The 'V', 'T' and the 'P' bits
690	         MUST NOT be set.

692	      Integer32

694	         The Integer32 field is four octets.

696	3.5  Service-Type

698	   Description

700	      This Attribute indicates the type of service the user has
701	      requested, or the type of service to be provided. It MAY be used
702	      in both AA-Request and AA-Answer messages. A NAS is not required
703	      to implement all of these service types, and MUST treat unknown or
704	      unsupported Service-Types as though an AA-Answer with a Result-
705	      Code other than DIAMETER-SUCCESS had been received instead.

707	      A summary of the Service-Type Attribute format is shown below. The
708	      fields are transmitted from left to right.

710	   AVP Format

712	      0                   1                   2                   3
713	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
714	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
715	      |                           AVP Code                            |
716	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
717	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
718	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
719	      |                           Integer32                           |
720	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

722	      Type

724	         6 for Service-Type.

726	      AVP Flags

728	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
729	         upon the security model used. The 'V', 'T' and the 'P' bits
730	         MUST NOT be set.

732	      AVP Length

734	         The length of this attribute MUST be 12.

736	      Integer32

738	         The Integer32 field is four octets.

740	            1      Login
741	            2      Framed
742	            3      Callback Login
743	            4      Callback Framed
744	            5      Outbound
745	            6      Administrative
746	            7      NAS Prompt
747	            8      Authenticate Only
748	            9      Callback NAS Prompt
749	            The service types are defined as follows when used in an AA-
750	            Answer. When used in an AA-Request, they should be
751	            considered to be a hint to the DIAMETER server that the NAS
752	            has reason to believe the user would prefer the kind of
753	            service indicated, but the server is not required to honor
754	            the hint.

756	            Login               The user should be connected to a host.

758	            Framed              A Framed Protocol should be started for
759	                                the User, such as PPP or SLIP.

761	            Callback Login      The user should be disconnected and
762	                                calledback, then connected to a host.

764	            Callback Framed     The user should be disconnected and
765	                                called back, then a Framed Protocol
766	                                should be started for the User, such as
767	                                PPP or SLIP.

769	            Outbound            The user should be granted access to
770	                                outgoing devices.

772	            Administrative      The user should be granted access to the
773	                                administrative interface to the NAS from
774	                                which privileged commands can be
775	                                executed.

777	            NAS Prompt          The user should be provided a command
778	                                prompt on the NAS from which non-
779	                                privileged commands can be executed.

781	            Authenticate Only   Only Authentication is requested, and no
782	                                authorization information needs to be
783	                                returned in the AA-Answer (typically
784	                                used by proxy servers rather than the
785	                                NAS itself).This SHOULD NOT be used in
786	                                DIAMETER, yet it is maintained for
787	                                backward compatibility.

789	            Callback NAS Prompt The user should be disconnected and
790	                                called back, then provided a command
791	                                prompt on the NAS from which non-
792	                                privileged commands can be executed.

794	3.6  Framed-Protocol
795	   Description

797	      This Attribute indicates the framing to be used for framed access.
798	      It MAY be used in both AA-Request and AA-Answer messages.

800	      A summary of the Framed-Protocol Attribute format is shown below.
801	      The fields are transmitted from left to right.

803	   AVP Format

805	      0                   1                   2                   3
806	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
807	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
808	      |                           AVP Code                            |
809	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
810	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
811	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
812	      |                           Integer32                           |
813	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

815	      Type

817	         7 for Framed-Protocol.

819	      AVP Length

821	         The length of this attribute MUST be 12.

823	      AVP Flags

825	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
826	         upon the security model used. The 'V', 'T' and the 'P' bits
827	         MUST NOT be set.

829	      Integer32

831	         The Integer32 field is four octets.

833	            1      PPP
834	            2      SLIP
835	            3      AppleTalk Remote Access Protocol (ARAP)
836	            4      Gandalf proprietary SingleLink/MultiLink protocol
837	            5      Xylogics proprietary IPX/SLIP

839	3.7  Framed-IP-Address

841	   Description
842	      This Attribute indicates the address to be configured for the
843	      user. It MAY be used in AA-Request messages as a hint by the NAS
844	      to the server that it would prefer that address, but the server is
845	      not required to honor the hint.

847	      A summary of the Framed-IP-Address Attribute format is shown
848	      below.  The fields are transmitted from left to right.

850	   AVP Format

852	      0                   1                   2                   3
853	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
854	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
855	      |                           AVP Code                            |
856	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
857	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
858	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
859	      |                            Address                            |
860	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

862	      Type

864	         8 for Framed-IP-Address.

866	      AVP Length

868	         The length of this attribute MUST be 12.

870	      AVP Flags

872	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
873	         upon the security model used. The 'V', 'T' and the 'P' bits
874	         MUST NOT be set.

876	      Address

878	         The Address field is four octets. The value 0xFFFFFFFF
879	         indicates that the NAS should allow the user to select an
880	         address (e.g.  Negotiated). The value 0xFFFFFFFE indicates that
881	         the NAS should select an address for the user (e.g. Assigned
882	         from a pool of addresses kept by the NAS). Other valid values
883	         indicate that the NAS should use that value as the user's IP
884	         address.

886	3.8  Framed-IP-Netmask

888	   Description
889	      This Attribute indicates the IP netmask to be configured for the
890	      user when the user is a router to a network. It MUST be used in
891	      AA-Answer messages if the Framed-IP-Address AVP was returned with
892	      a value other than 0xFFFFFFFF. It MAY be used in an AA-Request
893	      message as a hint by the NAS to the server that it would prefer
894	      that netmask, but the server is not required to honor the hint.

896	      A summary of the Framed-IP-Netmask Attribute format is shown
897	      below.  The fields are transmitted from left to right.

899	   AVP Format

901	      0                   1                   2                   3
902	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
903	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
904	      |                           AVP Code                            |
905	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
906	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
907	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
908	      |                            Address                            |
909	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

911	      Type

913	         9 for Framed-IP-Netmask.

915	      AVP Length

917	         The length of this attribute MUST be 12.

919	      AVP Flags

921	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
922	         upon the security model used. The 'V', 'T' and the 'P' bits
923	         MUST NOT be set.

925	      Address

927	         The Address field is four octets specifying the IP netmask of
928	         the user.

930	3.9  Framed-Routing

932	   Description

934	      This Attribute indicates the routing method for the user, when the
935	      user is a router to a network. It is only used in AA-Answer
936	      messages..

938	      A summary of the Framed-Routing Attribute format is shown below.
939	      The fields are transmitted from left to right.

941	   AVP Format

943	      0                   1                   2                   3
944	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
945	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
946	      |                           AVP Code                            |
947	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
948	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
949	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
950	      |                            Integer32                          |
951	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

953	      Type

955	         10 for Framed-Routing.

957	      AVP Length

959	         The length of this attribute MUST be 12.

961	      AVP Flags

963	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
964	         upon the security model used. The 'V', 'T' and the 'P' bits
965	         MUST NOT be set.

967	      Integer32

969	         The Integer32 field is four octets.

971	            0      None
972	            1      Send routing packets
973	            2      Listen for routing packets
974	            3      Send and Listen

976	3.10  Filter-Id

978	   Description

980	      This Attribute indicates the name of the filter list for this
981	      user. Zero or more Filter-Id attributes MAY be sent in an AA-
982	      Answer message.

984	      Identifying a filter list by name allows the filter to be used on
985	      different NASes without regard to filter-list implementation
986	      details. However, this AVP is not roaming friendly since filter
987	      naming differs from one service provider to another.

989	      It is strongly encouraged to support the Filter-Rule AVP instead.

991	      A summary of the Filter-Id Attribute format is shown below. The
992	      fields are transmitted from left to right.

994	   AVP Format

996	      0                   1                   2                   3
997	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
998	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
999	      |                           AVP Code                            |
1000	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1001	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
1002	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1003	      |   String ...
1004	      +-+-+-+-+-+-+-+-+

1006	      Type

1008	         11 for Filter-Id.

1010	      AVP Length

1012	         The length of this attribute MUST be at least 9.

1014	      AVP Flags

1016	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1017	         upon the security model used. The 'V', 'T' and the 'P' bits
1018	         MUST NOT be set.

1020	      String

1022	         The String field is one or more octets, and its contents are
1023	         implementation dependent. It is intended to be human readable
1024	         and MUST NOT affect operation of the protocol. It is
1025	         recommended that the message contain displayable ASCII
1026	         characters from the range 32 through 126 decimal.

1028	3.11  Framed-MTU

1030	   Description
1031	      This Attribute indicates the Maximum Transmission Unit to be
1032	      configured for the user, when it is not negotiated by some other
1033	      means (such as PPP). It is only used in AA-Answer messages.

1035	      A summary of the Framed-MTU Attribute format is shown below. The
1036	      fields are transmitted from left to right.

1038	   AVP Format

1040	      0                   1                   2                   3
1041	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1042	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1043	      |                           AVP Code                            |
1044	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1045	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
1046	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1047	      |                           Integer32                           |
1048	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1050	      Type

1052	         12 for Framed-MTU.

1054	      AVP Length

1056	         The length of this attribute MUST be 12.

1058	      AVP Flags

1060	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1061	         upon the security model used. The 'V', 'T' and the 'P' bits
1062	         MUST NOT be set.

1064	      Integer32

1066	         The Integer32 field is four octets. Despite the size of the
1067	         field, values range from 64 to 65535.

1069	3.12  Framed-Compression

1071	   Description

1073	      This Attribute indicates a compression protocol to be used for the
1074	      link. It MAY be used in AA-Answer packets. It MAY be used in an
1075	      AA-Request packet as a hint to the server that the NAS would
1076	      prefer to use that compression, but the server is not required to
1077	      honor the hint.

1079	      More than one compression protocol Attribute MAY be sent. It is
1080	      the responsibility of the NAS to apply the proper compression
1081	      protocol to appropriate link traffic.

1083	      A summary of the Framed-Compression Attribute format is shown
1084	      below.  The fields are transmitted from left to right.

1086	   AVP Format

1088	      0                   1                   2                   3
1089	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1090	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1091	      |                           AVP Code                            |
1092	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1093	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
1094	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1095	      |                           Integer32                           |
1096	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1098	      Type

1100	         13 for Framed-Compression.

1102	      AVP Length

1104	         The length of this attribute MUST be 12.

1106	      AVP Flags

1108	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1109	         upon the security model used. The 'V', 'T' and the 'P' bits
1110	         MUST NOT be set.

1112	      Integer32

1114	         The Integer32 field is four octets.

1116	            0      None
1117	            1      VJ TCP/IP header compression [7]
1118	            2      IPX header compression

1120	3.13  Login-IP-Host

1122	   Description

1124	      This Attribute indicates the system with which to connect the
1125	      user, when the Login-Service Attribute is included. It MAY be used
1126	      in AA-Answer messages. It MAY be used in an AA-Request message as
1127	      a hint to the server that the NAS would prefer to use that host,
1128	      but the server is not required to honor the hint.

1130	      A summary of the Login-IP-Host Attribute format is shown below.
1131	      The fields are transmitted from left to right.

1133	   AVP Format

1135	      0                   1                   2                   3
1136	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1137	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1138	      |                           AVP Code                            |
1139	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1140	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
1141	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1142	      |                            Address                            |
1143	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1145	      Type

1147	         14 for Login-IP-Host.

1149	      AVP Length

1151	         The length of this attribute MUST be 12.

1153	      AVP Flags

1155	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1156	         upon the security model used. The 'V', 'T' and the 'P' bits
1157	         MUST NOT be set.

1159	      Address

1161	         The Address field is four octets. The value 0xFFFFFFFF
1162	         indicates that the NAS SHOULD allow the user to select an
1163	         address. The value zero indicates that the NAS SHOULD select a
1164	         host to connect the user to. Other values indicate the address
1165	         the NAS SHOULD connect the user to.

1167	3.14  Login-Service

1169	   Description

1171	      This Attribute indicates the service which should be used to
1172	      connect the user to the login host. It is only used in AA-Answer
1173	      messages.

1175	      A summary of the Login-Service Attribute format is shown below.
1176	      The fields are transmitted from left to right.

1178	   AVP Format

1180	      0                   1                   2                   3
1181	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1182	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1183	      |                           AVP Code                            |
1184	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1185	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
1186	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1187	      |                           Integer32                           |
1188	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1190	      Type

1192	         15 for Login-Service.

1194	      AVP Length

1196	         The length of this attribute MUST be 12.

1198	      AVP Flags

1200	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1201	         upon the security model used. The 'V', 'T' and the 'P' bits
1202	         MUST NOT be set.

1204	      Integer32

1206	         The Integer32 field is four octets.

1208	            0      Telnet
1209	            1      Rlogin
1210	            2      TCP Clear
1211	            3      PortMaster (proprietary)
1212	            4      LAT

1214	3.15  Login-TCP-Port

1216	   Description

1218	      This Attribute indicates the TCP port with which the user is to be
1219	      connected, when the Login-Service Attribute is also present. It is
1220	      only used in AA-Answer packets.

1222	      A summary of the Login-TCP-Port Attribute format is shown below.
1223	      The fields are transmitted from left to right.

1225	   AVP Format

1227	      0                   1                   2                   3
1228	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1229	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1230	      |                           AVP Code                            |
1231	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1232	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
1233	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1234	      |                           Integer32                           |
1235	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1237	      Type

1239	         16 for Login-TCP-Port.

1241	      AVP Length

1243	         The length of this attribute MUST be 12.

1245	      AVP Flags

1247	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1248	         upon the security model used. The 'V', 'T' and the 'P' bits
1249	         MUST NOT be set.

1251	      Integer32

1253	         The Integer32 field is four octets. Despite the size of the
1254	         field, values range from zero to 65535.

1256	3.16  Reply-Message

1258	   Description

1260	      This Attribute indicates text which MAY be displayed to the user.

1262	      When used in an AA-Answer message with a successful Result-Code
1263	      AVP it indicates the success message. When found in the same
1264	      message with a Result-Code other than DIAMETER-SUCCESS it contains
1265	      the failure message.

1267	      It MAY indicate a dialog message to prompt the user before another
1268	      AA-Request attempt.

1270	      When used in an AA-Challenge, it MAY indicate a dialog message to
1271	      prompt the user for a response.

1273	      Multiple Reply-Message's MAY be included and if any are displayed,
1274	      they MUST be displayed in the same order as they appear in the
1275	      packet.

1277	      A summary of the Reply-Message Attribute format is shown below.
1278	      The fields are transmitted from left to right.

1280	   AVP Format

1282	      0                   1                   2                   3
1283	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1284	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1285	      |                           AVP Code                            |
1286	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1287	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
1288	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1289	      |   String ...
1290	      +-+-+-+-+-+-+-+-+

1292	      Type

1294	         18 for Reply-Message.

1296	      AVP Length

1298	         The length of this attribute MUST be at least 9.

1300	      AVP Flags

1302	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1303	         upon the security model used. The 'V', 'T' and the 'P' bits
1304	         MUST NOT be set.

1306	      String

1308	         The String field is one or more octets, and its contents are
1309	         implementation dependent. It is intended to be human readable,
1310	         and MUST NOT affect operation of the protocol. It is
1311	         recommended that the message contain displayable ASCII
1312	         characters from the range 10, 13, and 32 through 126 decimal.
1313	         Mechanisms for extension to other character sets are beyond the
1314	         scope of this specification.

1316	3.17  Callback-Number

1318	   Description

1320	      This Attribute indicates a dialing string to be used for callback.
1321	      It MAY be used in AA-Answer packets. It MAY be used in an AA-
1322	      Request packet as a hint to the server that a Callback service is
1323	      desired, but the server is not required to honor the hint.

1325	      A summary of the Callback-Number Attribute format is shown below.
1326	      The fields are transmitted from left to right.

1328	   AVP Format

1330	      0                   1                   2                   3
1331	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1332	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1333	      |                           AVP Code                            |
1334	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1335	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
1336	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1337	      |   String ...
1338	      +-+-+-+-+-+-+-+-+

1340	      Type

1342	         19 for Callback-Number.

1344	      AVP Length

1346	         The length of this attribute MUST be at least 9.

1348	      AVP Flags

1350	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1351	         upon the security model used. The 'V', 'T' and the 'P' bits
1352	         MUST NOT be set.

1354	      String

1356	         The String field is one or more octets. The actual format of
1357	         the information is site or application specific, and a robust
1358	         implementation SHOULD support the field as undistinguished
1359	         octets.

1361	         The codification of the range of allowed usage of this field is
1362	         outside the scope of this specification.

1364	3.18  Callback-Id

1366	   Description

1368	      This Attribute indicates the name of a place to be called, to be
1369	      interpreted by the NAS. It MAY be used in AA-Answer messages.

1371	      This AVP is not roaming friendly since it assumes that the
1372	      Callback-Id is configured on the NAS. It is therefore preferable
1373	      to use the Callback-Number AVP instead.

1375	      A summary of the Callback-Id Attribute format is shown below. The
1376	      fields are transmitted from left to right.

1378	   AVP Format

1380	      0                   1                   2                   3
1381	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1382	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1383	      |                           AVP Code                            |
1384	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1385	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
1386	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1387	      |   String ...
1388	      +-+-+-+-+-+-+-+-+

1390	      Type

1392	         20 for Callback-Id.

1394	      AVP Length

1396	         The length of this attribute MUST be at least 9.

1398	      AVP Flags

1400	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1401	         upon the security model used. The 'V', 'T' and the 'P' bits
1402	         MUST NOT be set.

1404	      String

1406	         The String field is one or more octets. The actual format of
1407	         the information is site or application specific, and a robust
1408	         implementation SHOULD support the field as undistinguished
1409	         octets.  The codification of the range of allowed usage of this
1410	         field is outside the scope of this specification.

1412	3.19  Framed-IP-Route

1414	   Description

1416	      This Attribute provides routing information to be configured for
1417	      the user on the NAS. It is used in the AA-Answer message and can
1418	      appear multiple times.

1420	      A summary of the Framed-Route Attribute format is shown below. The
1421	      fields are transmitted from left to right.

1423	   AVP Format

1425	      0                   1                   2                   3
1426	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1427	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1428	      |                           AVP Code                            |
1429	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1430	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
1431	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1432	      |   String ...
1433	      +-+-+-+-+-+-+-+-+

1435	      Type

1437	         22 for Framed-IP-Route.

1439	      AVP Length

1441	         The length of this attribute MUST be at least 9.

1443	      AVP Flags

1445	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1446	         upon the security model used. The 'V', 'T' and the 'P' bits
1447	         MUST NOT be set.

1449	      String

1451	         It MUST contain a destination prefix in dotted quad form
1452	         optionally followed by a slash and a decimal length specifier
1453	         stating how many high order bits of the prefix should be used.
1454	         That is followed by a space, a gateway address in dotted quad
1455	         form, a space, and one or more metrics separated by spaces. For
1456	         example, "192.168.1.0/24 192.168.1.1 1".

1458	         The length specifier may be omitted in which case it should
1459	         default to 8 bits for class A prefixes, 16 bits for class B
1460	         prefixes, and 24 bits for class C prefixes. For example,
1461	         "192.168.1.0 192.168.1.1 1".

1463	         Whenever the gateway address is specified as "0.0.0.0" the IP
1464	         address of the user SHOULD be used as the gateway address.

1466	3.20  Framed-IPX-Network

1468	   Description

1470	      This Attribute indicates the IPX Network number to be configured
1471	      for the user. It is used in AA-Answer messages.

1473	      A summary of the Framed-IPX-Network Attribute format is shown
1474	      below.  The fields are transmitted from left to right.

1476	   AVP Format

1478	      0                   1                   2                   3
1479	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1480	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1481	      |                           AVP Code                            |
1482	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1483	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
1484	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1485	      |                           Integer32                           |
1486	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1488	      Type

1490	         23 for Framed-IPX-Network.

1492	      AVP Length

1494	         The length of this attribute MUST be 12.

1496	      AVP Flags

1498	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1499	         upon the security model used. The 'V', 'T' and the 'P' bits
1500	         MUST NOT be set.

1502	      Integer32

1504	         The Integer32 field is four octets. The value 0xFFFFFFFF
1505	         indicates that the NAS should allow the user to select an
1506	         address (e.g.  Negotiated). The value 0xFFFFFFFE indicates that
1507	         the NAS should select an address for the user (e.g. assigned
1508	         from a pool of one or more IPX networks kept by the NAS). Other
1509	         values should be used as the IPX network for the link to the
1510	         user.

1512	3.21  Idle-Timeout

1514	   Description

1516	      This Attribute sets the maximum number of consecutive seconds of
1517	      idle connection allowed to the user before termination of the
1518	      session or prompt. This Attribute is available to be sent by the
1519	      server to the client in an AA-Answer or AA-Challenge.

1521	      A summary of the Idle-Timeout Attribute format is shown below. The
1522	      fields are transmitted from left to right.

1524	   AVP Format

1526	      0                   1                   2                   3
1527	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1528	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1529	      |                           AVP Code                            |
1530	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1531	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
1532	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1533	      |                           Integer32                           |
1534	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1536	      Type

1538	         28 for Idle-Timeout.

1540	      AVP Length

1542	         The length of this attribute MUST be 12.

1544	      AVP Flags

1546	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1547	         upon the security model used. The 'V', 'T' and the 'P' bits
1548	         MUST NOT be set.

1550	      Integer32

1552	         The Integer32 field is 4 octets, containing a 32-bit unsigned
1553	         integer with the maximum number of consecutive seconds of idle
1554	         time this user should be permitted before being disconnected by
1555	         the NAS.

1557	3.22  Called-Station-Id

1559	   Description

1561	      This Attribute allows the NAS to send in the AA-Request message
1562	      the phone number that the user called, using Dialed Number
1563	      Identification (DNIS) or similar technology. Note that this may be
1564	      different from the phone number the call comes in on. It is only
1565	      used in AA-Request packets.

1567	      If the Authorization-Only flag is set in the message and the User-
1568	      Name AVP is absent, the DIAMETER Server MUST perform authorization
1569	      based on this field. This can be used by a NAS to request whether
1570	      a call should be answered based on the DNIS.

1572	      A summary of the Called-Station-Id Attribute format is shown
1573	      below.  The fields are transmitted from left to right.

1575	   AVP Format

1577	      0                   1                   2                   3
1578	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1579	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1580	      |                           AVP Code                            |
1581	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1582	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
1583	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1584	      |   String ...
1585	      +-+-+-+-+-+-+-+-+

1587	      Type

1589	         30 for Called-Station-Id.

1591	      AVP Length

1593	         The length of this attribute MUST be at least 9.

1595	      AVP Flags

1597	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1598	         upon the security model used. The 'V', 'T' and the 'P' bits
1599	         MUST NOT be set.

1601	      String

1603	         The String field is one or more octets, containing the phone
1604	         number that the user's call came in on.

1606	         The actual format of the information is site or application
1607	         specific. Printable ASCII is recommended, but a robust
1608	         implementation SHOULD support the field as undistinguished
1609	         octets.

1611	         The codification of the range of allowed usage of this field is
1612	         outside the scope of this specification.

1614	3.23  Calling-Station-Id

1616	   Description

1618	      This Attribute allows the NAS to send in the AA-Request packet the
1619	      phone number that the call came from, using Automatic Number
1620	      Identification (ANI) or similar technology. It is only used in AA-
1621	      Request packets.

1623	      If the Authorization-Only flag is set in the message and the User-
1624	      Name AVP is absent, the DIAMETER Server must perform authorization
1625	      based on this field. This can be used by a NAS to request whether
1626	      a call should be answered based on the ANI.

1628	      A summary of the Calling-Station-Id Attribute format is shown
1629	      below.  The fields are transmitted from left to right.

1631	   AVP Format

1633	      0                   1                   2                   3
1634	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1635	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1636	      |                           AVP Code                            |
1637	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1638	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
1639	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1640	      |   String ...
1641	      +-+-+-+-+-+-+-+-+

1643	      Type

1645	         31 for Calling-Station-Id.

1647	      AVP Length
1648	         The length of this attribute MUST be at least 9.

1650	      AVP Flags

1652	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1653	         upon the security model used. The 'V', 'T' and the 'P' bits
1654	         MUST NOT be set.

1656	      String

1658	         The String field is one or more octets, containing the phone
1659	         number that the user placed the call from.

1661	         The actual format of the information is site or application
1662	         specific. Printable ASCII is recommended, but a robust
1663	         implementation SHOULD support the field as undistinguished
1664	         octets.

1666	         The codification of the range of allowed usage of this field is
1667	         outside the scope of this specification.

1669	3.24  Login-LAT-Service

1671	   Description

1673	      This Attribute indicates the system with which the user is to be
1674	      connected by LAT. It MAY be used in AA-Answer packets, but only
1675	      when LAT is specified as the Login-Service. It MAY be used in an
1676	      AA-Request packet as a hint to the server, but the server is not
1677	      required to honor the hint.

1679	      Administrators use the service attribute when dealing with
1680	      clustered systems, such as a VAX or Alpha cluster. In such an
1681	      environment several different time sharing hosts share the same
1682	      resources (disks, printers, etc.), and administrators often
1683	      configure each to offer access (service) to each of the shared
1684	      resources. In this case, each host in the cluster advertises its
1685	      services through LAT broadcasts.

1687	      Sophisticated users often know which service providers (machines)
1688	      are faster and tend to use a node name when initiating a LAT
1689	      connection. Alternately, some administrators want particular users
1690	      to use certain machines as a primitive form of load balancing
1691	      (although LAT knows how to do load balancing itself).

1693	      A summary of the Login-LAT-Service Attribute format is shown
1694	      below.  The fields are transmitted from left to right.

1696	   AVP Format

1698	      0                   1                   2                   3
1699	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1700	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1701	      |                           AVP Code                            |
1702	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1703	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
1704	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1705	      |   String ...
1706	      +-+-+-+-+-+-+-+-+

1708	      Type

1710	         34 for Login-LAT-Service.

1712	      AVP Length

1714	         The length of this attribute MUST be at least 9.

1716	      AVP Flags

1718	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1719	         upon the security model used. The 'V', 'T' and the 'P' bits
1720	         MUST NOT be set.

1722	      String

1724	         The String field is one or more octets, and contains the
1725	         identity of the LAT service to use. The LAT Architecture allows
1726	         this string to contain $ (dollar), - (hyphen), . (period), _
1727	         (underscore), numerics, upper and lower case alphabetics, and
1728	         the ISO Latin-1 character set extension [8]. All LAT string
1729	         comparisons are case insensitive.

1731	3.25  Login-LAT-Node

1733	   Description

1735	      This Attribute indicates the Node with which the user is to be
1736	      automatically connected by LAT. It MAY be used in AA-Answer
1737	      packets, but only when LAT is specified as the Login-Service. It
1738	      MAY be used in an AA-Request packet as a hint to the server, but
1739	      the server is not required to honor the hint.

1741	      A summary of the Login-LAT-Node Attribute format is shown below.
1742	      The fields are transmitted from left to right.

1744	   AVP Format

1746	      0                   1                   2                   3
1747	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1748	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1749	      |                           AVP Code                            |
1750	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1751	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
1752	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1753	      |   String ...
1754	      +-+-+-+-+-+-+-+-+

1756	      Type

1758	         35 for Login-LAT-Node.

1760	      AVP Length

1762	         The length of this attribute MUST be at least 9.

1764	      AVP Flags

1766	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1767	         upon the security model used. The 'V', 'T' and the 'P' bits
1768	         MUST NOT be set.

1770	      String

1772	         The String field is one or more octets, and contains the
1773	         identity of the LAT Node to connect the user to. The LAT
1774	         Architecture allows this string to contain $ (dollar), -
1775	         (hyphen), . (period), _ (underscore), numerics, upper and lower
1776	         case alphabetics, and the ISO Latin-1 character set extension.
1777	         All LAT string comparisons are case insensitive.

1779	3.26  Login-LAT-Group

1781	   Description

1783	      This Attribute contains a string identifying the LAT group codes
1784	      which this user is authorized to use. It MAY be used in AA-Answer
1785	      packets, but only when LAT is specified as the Login-Service. It
1786	      MAY be used in an AA-Request packet as a hint to the server, but
1787	      the server is not required to honor the hint.

1789	      LAT supports 256 different group codes, which LAT uses as a form
1790	      of access rights. LAT encodes the group codes as a 256 bit bitmap.

1792	      Administrators can assign one or more of the group code bits at
1793	      the LAT service provider; it will only accept LAT connections that
1794	      have these group codes set in the bit map. The administrators
1795	      assign a bitmap of authorized group codes to each user; LAT gets
1796	      these from the operating system, and uses these in its requests to
1797	      the service providers.

1799	      A summary of the Login-LAT-Group Attribute format is shown below.
1800	      The fields are transmitted from left to right.

1802	   AVP Format

1804	      0                   1                   2                   3
1805	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1806	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1807	      |                           AVP Code                            |
1808	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1809	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
1810	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1811	      |    Data ...
1812	      +-+-+-+-+-+-+-+-+

1814	      Type

1816	         36 for Login-LAT-Group.

1818	      AVP Length

1820	         The length of this attribute MUST be 40.

1822	      AVP Flags

1824	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1825	         upon the security model used. The 'V', 'T' and the 'P' bits
1826	         MUST NOT be set.

1828	      Data

1830	         The Data field is a 32 octet bit map, most significant octet
1831	         first. A robust implementation SHOULD support the field as
1832	         undistinguished octets.

1834	         The codification of the range of allowed usage of this field is
1835	         outside the scope of this specification.

1837	3.27  Framed-AppleTalk-Link
1838	   Description

1840	      This Attribute indicates the AppleTalk network number which should
1841	      be used for the serial link to the user, which is another
1842	      AppleTalk router. It is only used in AA-Answer packets.  It is
1843	      never used when the user is not another router.

1845	      A summary of the Framed-AppleTalk-Link Attribute format is shown
1846	      below. The fields are transmitted from left to right.

1848	   AVP Format

1850	      0                   1                   2                   3
1851	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1852	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1853	      |                           AVP Code                            |
1854	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1855	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
1856	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1857	      |                           Integer32                           |
1858	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1860	      Type

1862	         37 for Framed-AppleTalk-Link.

1864	      AVP Length

1866	         The length of this attribute MUST be 12.

1868	      AVP Flags

1870	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1871	         upon the security model used. The 'V', 'T' and the 'P' bits
1872	         MUST NOT be set.

1874	      Integer32

1876	         The Integer32 field is four octets. Despite the size of the
1877	         field, values range from zero to 65535. The special value of
1878	         zero indicates that this is an unnumbered serial link. A value
1879	         of one to 65535 means that the serial line between the NAS and
1880	         the user should be assigned that value as an AppleTalk network
1881	         number.

1883	3.28  Framed-AppleTalk-Network
1884	   Description

1886	      This Attribute indicates the AppleTalk Network number which the
1887	      NAS should probe to allocate an AppleTalk node for the user. It is
1888	      only used in AA-Answer packets. It is never used when the user is
1889	      another router. Multiple instances of this Attribute indicate that
1890	      the NAS may probe using any of the network numbers specified.

1892	      A summary of the Framed-AppleTalk-Network Attribute format is
1893	      shown below. The fields are transmitted from left to right.

1895	   AVP Format

1897	      0                   1                   2                   3
1898	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1899	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1900	      |                           AVP Code                            |
1901	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1902	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
1903	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1904	      |                           Integer32                           |
1905	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1907	      Type

1909	         38 for Framed-AppleTalk-Network.

1911	      AVP Length

1913	         The length of this attribute MUST be 12.

1915	      AVP Flags

1917	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1918	         upon the security model used. The 'V', 'T' and the 'P' bits
1919	         MUST NOT be set.

1921	      Integer32

1923	         The Integer32 field is four octets. Despite the size of the
1924	         field, values range from zero to 65535. The special value zero
1925	         indicates that the NAS should assign a network for the user,
1926	         using its default cable range. A value between one and 65535
1927	         (inclusive) indicates the AppleTalk Network the NAS should
1928	         probe to find an address for the user.

1930	3.29  Framed-AppleTalk-Zone
1931	   Description

1933	      This Attribute indicates the AppleTalk Default Zone to be used for
1934	      this user. It is only used in AA-Answer packets.  Multiple
1935	      instances of this attribute in the same packet are not allowed.

1937	      A summary of the Framed-AppleTalk-Zone Attribute format is shown
1938	      below. The fields are transmitted from left to right.

1940	   AVP Format

1942	      0                   1                   2                   3
1943	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1944	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1945	      |                           AVP Code                            |
1946	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1947	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
1948	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1949	      |    Data ...
1950	      +-+-+-+-+-+-+-+-+

1952	      Type

1954	         39 for Framed-AppleTalk-Zone.

1956	      AVP Length

1958	         The length of this attribute MUST be at least 9.

1960	      AVP Flags

1962	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1963	         upon the security model used. The 'V', 'T' and the 'P' bits
1964	         MUST NOT be set.

1966	      String

1968	         The name of the Default AppleTalk Zone to be used for this
1969	         user.  A robust implementation SHOULD support the field as
1970	         undistinguished octets.

1972	         The codification of the range of allowed usage of this field is
1973	         outside the scope of this specification.

1975	3.30  CHAP-Challenge

1977	   Description
1978	      This Attribute contains the CHAP Challenge sent by the NAS to a
1979	      PPP Challenge-Handshake Authentication Protocol (CHAP) user. It is
1980	      only used in AA-Request packets.

1982	      A summary of the CHAP-Challenge Attribute format is shown below.
1983	      The fields are transmitted from left to right.

1985	   AVP Format

1987	      0                   1                   2                   3
1988	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1989	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1990	      |                           AVP Code                            |
1991	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1992	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
1993	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1994	      |    Data ...
1995	      +-+-+-+-+-+-+-+-+

1997	      Type

1999	         60 for CHAP-Challenge.

2001	      AVP Length

2003	         The length of this attribute MUST be at least 24.

2005	      AVP Flags

2007	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
2008	         upon the security model used. The 'V', 'T' and the 'P' bits
2009	         MUST NOT be set.

2011	      Data

2013	         The Data field contains the CHAP Challenge.

2015	3.31  NAS-Port-Type

2017	   Description

2019	      This Attribute indicates the type of the physical port of the NAS
2020	      which is authenticating the user. It can be used instead of or in
2021	      addition to the NAS-Port (5) attribute. It is only used in AA-
2022	      Request packets. Either NAS-Port (5) or NAS-Port-Type or both
2023	      SHOULD be present in an AA-Request packet, if the NAS
2024	      differentiates among its ports.

2026	      A summary of the NAS-Port-Type Attribute format is shown below.
2027	      The fields are transmitted from left to right.

2029	   AVP Format

2031	      0                   1                   2                   3
2032	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2033	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2034	      |                           AVP Code                            |
2035	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2036	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
2037	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2038	      |                           Integer32                           |
2039	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

2041	      Type

2043	         61 for NAS-Port-Type.

2045	      AVP Length

2047	         The length of this attribute MUST be 12.

2049	      AVP Flags

2051	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
2052	         upon the security model used. The 'V', 'T' and the 'P' bits
2053	         MUST NOT be set.

2055	      Integer32

2057	         The Integer32 field is four octets. "Virtual" refers to a
2058	         connection to the NAS via some transport protocol, instead of
2059	         through a physical port. For example, if a user telnetted into
2060	         a NAS to authenticate himself as an Outbound-User, the AA-
2061	         Request might include NAS-Port-Type = Virtual as a hint to the
2062	         RADIUS server that the user was not on a physical port.

2064	            0       Async
2065	            1       Sync
2066	            2       ISDN Sync
2067	            3       ISDN Async V.120
2068	            4       ISDN Async V.110
2069	            5       Virtual

2071	3.32  Port-Limit
2072	   Description

2074	      This Attribute sets the maximum number of ports to be provided to
2075	      the user by the NAS. This Attribute MAY be sent by the server to
2076	      the client in an AA-Answer packet. It is intended for use in
2077	      conjunction with Multilink PPP [9] or similar uses. It MAY also be
2078	      sent by the NAS to the server as a hint that that many ports are
2079	      desired for use, but the server is not required to honor the hint.

2081	      A summary of the Port-Limit Attribute format is shown below. The
2082	      fields are transmitted from left to right.

2084	   AVP Format

2086	      0                   1                   2                   3
2087	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2088	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2089	      |                           AVP Code                            |
2090	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2091	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
2092	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2093	      |                           Integer32                           |
2094	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

2096	      Type

2098	         62 for Port-Limit.

2100	      AVP Length

2102	         The length of this attribute MUST be 12.

2104	      AVP Flags

2106	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
2107	         upon the security model used. The 'V', 'T' and the 'P' bits
2108	         MUST NOT be set.

2110	      Integer32

2112	         The Integer32 field is four octets, containing a 32-bit
2113	         unsigned integer with the maximum number of ports this user
2114	         should be allowed to connect to on the NAS.

2116	3.33  Login-LAT-Port

2118	   Description
2119	      This Attribute indicates the Port with which the user is to be
2120	      connected by LAT. It MAY be used in AA-Answer packets, but only
2121	      when LAT is specified as the Login-Service. It MAY be used in an
2122	      AA-Request packet as a hint to the server, but the server is not
2123	      required to honor the hint.

2125	      A summary of the Login-LAT-Port Attribute format is shown below.
2126	      The fields are transmitted from left to right.

2128	   AVP Format

2130	      0                   1                   2                   3
2131	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2132	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2133	      |                           AVP Code                            |
2134	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2135	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
2136	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2137	      |   String ...
2138	      +-+-+-+-+-+-+-+-+

2140	      Type

2142	         63 for Login-LAT-Port.

2144	      AVP Length

2146	         The length of this attribute MUST be at least 9.

2148	      AVP Flags

2150	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
2151	         upon the security model used. The 'V', 'T' and the 'P' bits
2152	         MUST NOT be set.

2154	      String

2156	         The String field is one or more octets, and contains the
2157	         identity of the LAT port to use. The LAT Architecture allows
2158	         this string to contain $ (dollar), - (hyphen), . (period), _
2159	         (underscore), numerics, upper and lower case alphabetics, and
2160	         the ISO Latin-1 character set extension. All LAT string
2161	         comparisons are case insensitive.

2163	3.34  Filter-Rule

2165	   Description
2166	      This Attribute provides filter rules that need to be configured on
2167	      the NAS for the user. It is used in the AA-Answer message and can
2168	      appear multiple times.

2170	      A summary of the Filter-Rule Attribute format is shown below. The
2171	      fields are transmitted from left to right.

2173	   AVP Format

2175	      0                   1                   2                   3
2176	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2177	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2178	      |                           AVP Code                            |
2179	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2180	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
2181	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2182	      |   String ...
2183	      +-+-+-+-+-+-+-+-+

2185	      Type

2187	         280 for Filter-Rule.

2189	      AVP Length

2191	         The length of this attribute MUST be at least 9.

2193	      AVP Flags

2195	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
2196	         upon the security model used. The 'V', 'T' and the 'P' bits
2197	         MUST NOT be set.

2199	      String

2201	         The String field MUST contain a filter rule in the following
2202	         format: "permit (offset=value AND offset=value) OR
2203	         offset=value" or "deny (offset=value AND offset=value) OR
2204	         offset=value".

2206	3.35  Framed-Password-Policy

2208	   Description

2210	      This Attribute is used to indicate to a peer what types of
2211	      authentication are supported by the issuing DIAMETER peer. More
2212	      than one Framed-Password-Policy AVP MAY be present in the Domain-
2213	      Discovery-Answer message.

2215	      A summary of the User-Name Attribute format is shown below. The
2216	      fields are transmitted from left to right.

2218	   AVP Format

2220	      0                   1                   2                   3
2221	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2222	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2223	      |                           AVP Code                            |
2224	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2225	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
2226	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2227	      |                           Integer32                           |
2228	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

2230	      Type

2232	         281 for Framed-Password-Policy.

2234	      AVP Length

2236	         The length of this attribute MUST be 12.

2238	      AVP Flags

2240	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
2241	         upon the security model used. The 'V', 'T' and the 'P' bits
2242	         MUST NOT be set.

2244	      Integer32

2246	         The Integer32 field contains the supported authentication
2247	         schemes supported. The following values are supported:

2249	            PAP         1
2250	            CHAP        2
2251	            MS-CHAP     3
2252	            EAP         4
2253	            SPAP        5

2255	3.36  Table of Attributes

2257	   The following table provides a guide to which attributes may be found
2258	   in which kinds of packets, and in what quantity.

2260	              Success  Failed  AA-Chal  #    Attribute
2261	      AA-Req  AA-Answ  AA-Answ  Req
2262	       0-1      0-1       0      0      1   User-Name
2263	       0-1      0         0      0      2   User-Password [*1]
2264	       0-1      0         0      0      3   CHAP-Password [*1]
2265	       0-1      0         0      0      5   NAS-Port
2266	       0-1      0-1       0      0      6   Service-Type
2267	       0-1      0-1       0      0      7   Framed-Protocol
2268	       0-1      0-1       0      0      8   Framed-IP-Address
2269	       0-1      0-1       0      0      9   Framed-IP-Netmask
2270	       0        0-1       0      0     10   Framed-Routing
2271	       0        0+        0      0     11   Filter-Id
2272	       0        0-1       0      0     12   Framed-MTU
2273	       0+       0+        0      0     13   Framed-Compression
2274	       0+       0+        0      0     14   Login-IP-Host
2275	       0        0-1       0      0     15   Login-Service
2276	       0        0-1       0      0     16   Login-TCP-Port
2277	       0        0+        0+     0+    18   Reply-Message
2278	       0-1      0-1       0      0     19   Callback-Number
2279	       0        0-1       0      0     20   Callback-Id
2280	       0        0+        0      0     22   Framed-Route
2281	       0        0-1       0      0     23   Framed-IPX-Network
2282	       0        0-1       0      0-1   28   Idle-Timeout
2283	       0        0-1       0      0     29   Termination-Action
2284	       0-1      0         0      0     30   Called-Station-Id
2285	       0-1      0         0      0     31   Calling-Station-Id
2286	       0-1      0-1       0      0     34   Login-LAT-Service
2287	       0-1      0-1       0      0     35   Login-LAT-Node
2288	       0-1      0-1       0      0     36   Login-LAT-Group
2289	       0        0-1       0      0     37   Framed-AppleTalk-Link
2290	       0        0+        0      0     38   Framed-AppleTalk-Net.
2291	       0        0-1       0      0     39   Framed-AppleTalk-Zone
2292	       0-1      0         0      0     60   CHAP-Challenge
2293	       0-1      0         0      0     61   NAS-Port-Type
2294	       0-1      0-1       0      0     62   Port-Limit
2295	       0-1      0-1       0      0     63   Login-LAT-Port
2296	       0        0+        0      0    280   Filter-Rule
2297	       0        0         0      0    281   Framed-Password-Policy
2298	              Success  Failed  AA-Chal  #    Attribute
2299	      AA-Req  AA-Answ  AA-Answ  Req

2301	      [*1] An AA-Request MUST NOT contain both a User-Password and a
2302	      CHAP-Password AVP.

2304	      The following table defines the meaning of the above table
2305	      entries.

2307	          0     This attribute MUST NOT be present in packet.

2309	          0+    Zero or more instances of this attribute MAY be present
2310	                in packet.
2311	          0-1   Zero or one instance of this attribute MAY be present
2312	                in packet.
2313	          1     Exactly one instance of this attribute MUST be present
2314	         in
2315	                packet.

2317	4.0  Protocol Definition

2319	   This section will outline how the DIAMETER Authentication Extension
2320	   can be used.

2322	4.1  Feature Advertisement/Discovery

2324	   As defined in [2], the Reboot-Ind and Device-Feature-Query messages
2325	   can be used to inform a peer about locally supported DIAMETER
2326	   Extensions. In order to advertise support of this extension, the
2327	   Extension-Id AVP must be transmitted with a value of one (1).

2329	4.2  Authorization Procedure

2331	   This specification allows two different types of Authorization
2332	   procedures.  The first method is identical to the way RADIUS works
2333	   today and requires the AA-Request to contain the UserName as well as
2334	   either the Password or the CHAP-Password AVPs.

2336	   The second method is used by NASes that send AA-Request whenever they
2337	   receive an incoming call and want to get authorization from the
2338	   DIAMETER Server to answer the call. In this case the AA-Request
2339	   contains the NAS-IP-Address, the Calling-Station-Id and the Called-
2340	   Station-Id AVPs.

2342	   In this case the DIAMETER Server can lookup the combination of the
2343	   Calling-Station-Id and the Called-Station-Id in order to ensure that
2344	   the pair are authorized as per the local policy.

2346	4.3  Integration with Resource-Management

2348	   Document [10] specifies the Resource-Token AVP that is used to carry
2349	   information required for a DIAMETER server to rebuild its state
2350	   information in the event of a crash or some other event that would
2351	   cause the server to loose its state information.

2353	   When creating the Resource-Token AVP, the following AVPs MUST be
2354	   present, in addition to the AVPs listed in [10]; the UserName AVP,
2355	   the NAS-IP- Address, the NAS-Port. Any additional AVP MAY be included
2356	   if the AVP is a resource that is being managed (i.e. Framed-IP-
2357	   Address in the case where the DIAMETER Server is allocating IP
2358	   Addresses out of a centrally managed address pool).

2360	5.0  References

2362	    [1] Rigney, et alia, "RADIUS", RFC-2138, Livingston, April 1997
2363	    [2] Calhoun, Rubens, "DIAMETER Base Protocol",
2364	        draft-calhoun-diameter-08.txt, Work in Progress,
2365	        August 1999.
2366	    [3] Aboba, Beadles "The Network Access Identifier." RFC 2486.
2367	        January 1999.
2368	    [4] Aboba, Zorn, "Criteria for Evaluating Roaming Protocols",
2369	        RFC 2477, January 1999.
2370	    [5] Calhoun, Rubens, Aboba, "DIAMETER Extensible Authentication
2371	        Protocol Extensions", draft-calhoun-diameter-eap-03.txt,
2372	        Work in Progress, August 1999.
2373	    [6] W. Simpson, "PPP Challenge Handshake Authentication
2374	        Protocol (CHAP)", RFC 1994, August 1996.
2375	    [7] Jacobson, "Compressing TCP/IP headers for low-speed serial
2376	        links", RFC 1144, February 1990.
2377	    [8] ISO 8859. International Standard -- Information Processing --
2378	        8-bit Single-Byte Coded Graphic Character Sets -- Part 1: Latin
2379	        Alphabet No. 1, ISO 8859-1:1987.
2380	        <URL:http://www.iso.ch/cate/d16338.html>
2381	    [9] Sklower, Lloyd, McGregor, Carr, "The PPP Multilink Protocol
2382	        (MP)", RFC 1717, November 1994.
2383	    [10] Calhoun, Greene, "DIAMETER Resource Management Extension",
2384	         draft-calhoun-diameter-res-mgmt-02.txt, Work in Progress,
2385	         February 1999.
2386	    [11] Calhoun, Zorn, Pan, "DIAMETER Framework",
2387	         draft-calhoun-diameter-framework-02.txt, Work in Progress,
2388	         December 1998.
2389	    [12] S. Bradner, "Key words for use in RFCs to Indicate
2390	         Requirement Levels", BCP 14, RFC 2119, March 1997.
2391	    [13] P. Calhoun, W. Bulley, "DIAMETER Proxy Server Extensions",
2392	         draft-calhoun-diameter-proxy-02.txt, Work in Progress,
2393	         August 1999.

2395	6.0  Acknowledgements

2397	   The Author wishes to thank Carl Rigney since much of the text in the
2398	   document was shamefully copied from [1] as well as the following
2399	   people for their help in the development of this protocol:

2401	   Nancy Greene, Ryan Moats

2403	7.0  Authors' Addresses

2405	   Questions about this memo can be directed to:

2407	      Pat R. Calhoun
2408	      Network and Security Research Center, Sun Labs
2409	      Sun Microsystems, Inc.
2410	      15 Network Circle
2411	      Menlo Park, California, 94025
2412	      USA

2414	       Phone:  1-650-786-7733
2415	         Fax:  1-650-786-6445
2416	      E-mail:  pcalhoun@eng.sun.com

2418	      William Bulley
2419	      Merit Network, Inc.
2420	      4251 Plymouth Road, Suite C
2421	      Ann Arbor, Michigan, 48105-2785
2422	      USA

2424	       Phone:  1-734-764-9993
2425	         Fax:  1-734-647-3185
2426	      E-mail:  web@merit.edu

2428	8.0  Full Copyright Statement

2430	   Copyright (C) The Internet Society (1999).  All Rights Reserved.

2432	   This document and translations of it may be copied  and  furnished  to
2433	   others,  and  derivative works that comment on or otherwise explain it
2434	   or assist in its implmentation may be prepared, copied, published  and
2435	   distributed,  in  whole  or  in part, without restriction of any kind,
2436	   provided that the  above  copyright  notice  and  this  paragraph  are
2437	   included on all such copies and derivative works.  However, this docu-
2438	   ment itself may not be modified in any way, such as  by  removing  the
2439	   copyright notice or references to the Internet Society or other Inter-
2440	   net organizations, except as needed  for  the  purpose  of  developing
2441	   Internet standards in which case the procedures for copyrights defined
2442	   in the Internet Standards process must be followed, or as required  to
2443	   translate it into languages other than   English.  The limited permis-
2444	   sions granted above are perpetual and  will  not  be  revoked  by  the
2445	   Internet  Society or its successors or assigns.  This document and the
2446	   information contained herein is provided on an "AS IS" basis  and  THE
2447	   INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL
2448	   WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY  WAR-
2449	   RANTY  THAT  THE  USE  OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY
2450	   RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS  FOR  A
2451	   PARTICULAR PURPOSE."