idnits 2.17.1 

draft-calhoun-diameter-authent-07.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate.  This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** The document seems to lack a 1id_guidelines paragraph about
     Internet-Drafts being working documents. 

  ** The document seems to lack a 1id_guidelines paragraph about the list of
     current Internet-Drafts -- however, there's a paragraph with a matching
     beginning. Boilerplate error?

  ** The document seems to lack a 1id_guidelines paragraph about the list of
     Shadow Directories -- however, there's a paragraph with a matching
     beginning. Boilerplate error?

  == The page length should not exceed 58 lines per page, but there was 54
     longer pages, the longest (page 2) being 60 lines

  == It seems as if not all pages are separated by form feeds - found 0 form
     feeds but 55 pages


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack a Security Considerations section.

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The document seems to lack separate sections for Informative/Normative
     References.  All references will be assumed normative when checking for
     downward references.

  ** There are 21 instances of too long lines in the document, the longest
     one being 1 character in excess of 72.

  ** The abstract seems to contain references ([4], [1]), which it shouldn't.
      Please replace those with straight textual mentions of the documents in
     question.

  == There are 2 instances of lines with private range IPv4 addresses in the
     document.  If these are generic example addresses, they should be changed
     to use any of the ranges defined in RFC 6890 (or successor): 192.0.2.x,
     198.51.100.x or 203.0.113.x.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  == Line 2439 has weird spacing: '... copied  and  ...'

  == Line 2440 has weird spacing: '...s,  and  deriv...'

  == Line 2441 has weird spacing: '...blished  and...'

  == Line 2442 has weird spacing: '...ed,  in  whole...'

  == Line 2443 has weird spacing: '...hat the  above...'

  == (5 more instances...)

  == The document seems to lack the recommended RFC 2119 boilerplate, even if
     it appears to use RFC 2119 keywords. 

     (The document does seem to have the reference to RFC 2119 which the
     ID-Checklist requires).
  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- Couldn't find a document date in the document -- date freshness check
     skipped.


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Unused Reference: '11' is defined on line 2393, but no explicit
     reference was found in the text

  == Unused Reference: '13' is defined on line 2398, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 2138 (ref. '1') (Obsoleted by RFC 2865)

  == Outdated reference: A later version (-18) exists of
     draft-calhoun-diameter-08

  -- Possible downref: Normative reference to a draft: ref. '2' 

  ** Obsolete normative reference: RFC 2486 (ref. '3') (Obsoleted by RFC 4282)

  ** Downref: Normative reference to an Informational RFC: RFC 2477 (ref. '4')

  -- Possible downref: Normative reference to a draft: ref. '5' 

  -- Possible downref: Non-RFC (?) normative reference: ref. '8'

  ** Obsolete normative reference: RFC 1717 (ref. '9') (Obsoleted by RFC 1990)

  == Outdated reference: A later version (-08) exists of
     draft-calhoun-diameter-res-mgmt-02

  -- Possible downref: Normative reference to a draft: ref. '10' 

  == Outdated reference: A later version (-09) exists of
     draft-calhoun-diameter-framework-02

  -- Possible downref: Normative reference to a draft: ref. '11' 

  == Outdated reference: A later version (-04) exists of
     draft-calhoun-diameter-proxy-02

  -- Possible downref: Normative reference to a draft: ref. '13' 


     Summary: 13 errors (**), 0 flaws (~~), 17 warnings (==), 8 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

1	INTERNET DRAFT                                            Pat R. Calhoun
2	Category: Standards Track                          Sun Microsystems, Inc.
3	Title: draft-calhoun-diameter-authent-07.txt              William Bulley
4	Date: October 1999                                    Merit Network, Inc.

6	                                DIAMETER
7	                      Dial-Up (ROAMOPS) Extensions

9	Status of this Memo

11	   This document is an individual contribution for consideration by the
12	   AAA Working Group of the Internet Engineering Task Force.  Comments
13	   should be submitted to the diameter@ipass.com mailing list.

15	   Distribution of this memo is unlimited.

17	   This document is an Internet-Draft and is in full conformance with
18	   all provisions of Section 10 of RFC2026.  Internet-Drafts are working
19	   documents of the Internet Engineering Task Force (IETF), its areas,
20	   and its working groups.  Note that other groups may also distribute
21	   working documents as Internet-Drafts.

23	   Internet-Drafts are draft documents valid for a maximum of six months
24	   and may be updated, replaced, or obsoleted by other documents at any
25	   time.  It is inappropriate to use Internet-Drafts as reference
26	   material or to cite them other than as "work in progress."

28	   The list of current Internet-Drafts can be accessed at:

30	      http://www.ietf.org/ietf/1id-abstracts.txt

32	   The list of Internet-Draft Shadow Directories can be accessed at:

34	      http://www.ietf.org/shadow.html.

36	Abstract

38	   This document describes the DIAMETER Dial-up User Authentication
39	   Extension that is used for ROAMOPS [4] purposes. This specification
40	   was carefully designed to ease the burden of servers that must act as
41	   RADIUS/DIAMETER gateways, by re-using the same address space that
42	   RADIUS has defined [1]. Further, by re-using the same address space,
43	   it allows a single server to read the same dictiionary for both
44	   DIAMETER and RADIUS. This backward compatibility will hopefully
45	   facilitate deployment of DIAMETER.

47	Table of Contents

49	      1.0  Introduction
50	            1.1  Copyright Statement
51	            1.2  Requirements language
52	            1.3  Changes in version -06
53	            1.4  Changes in version -07
54	      2.0  Command Codes
55	            2.1  AA-Request (AAR)
56	            2.2  AA-Answer (AAA)
57	            2.3  AA-Challenge-Ind (ACI)
58	      3.0  DIAMETER AVPs
59	            3.1  User-Name
60	            3.2  User-Password
61	            3.3  CHAP-Password
62	            3.4  NAS-Port
63	            3.5  Service-Type
64	            3.6  Framed-Protocol
65	            3.7  Framed-IP-Address
66	            3.8  Framed-IP-Netmask
67	            3.9  Framed-Routing
68	            3.10 Filter-Id
69	            3.11 Framed-MTU
70	            3.12 Framed-Compression
71	            3.13 Login-IP-Host
72	            3.14 Login-Service
73	            3.15 Login-TCP-Port
74	            3.16 Reply-Message
75	            3.17 Callback-Number
76	            3.18 Callback-Id
77	            3.19 Framed-Route
78	            3.20 Framed-IPX-Network
79	            3.21 Idle-Timeout
80	            3.22 Called-Station-Id
81	            3.23 Calling-Station-Id
82	            3.24 Login-LAT-Service
83	            3.25 Login-LAT-Node
84	            3.26 Login-LAT-Group
85	            3.27 Framed-AppleTalk-Link
86	            3.28 Framed-AppleTalk-Network
87	            3.29 Framed-AppleTalk-Zone
88	            3.30 CHAP-Challenge
89	            3.31 NAS-Port-Type
90	            3.32 Port-Limit
91	            3.33 Login-LAT-Port
92	            3.34 Filter-Rule
93	            3.35 Framed-Password-Policy
94	            3.36 Table of Attributes

96	      4.0  Protocol Definition
97	            4.1  Feature Advertisement/Discovery
98	            4.2  Authorization Procedure
99	            4.3  Integration with Resource-Management
100	      5.0  References
101	      6.0  Acknowledgements
102	      7.0  Authors' Addresses
103	      8.0  Full Copyright Statement

105	1.0  Introduction

107	   This document describes the DIAMETER Dial-up User Authentication
108	   Extension that is used for ROAMOPS [4] purposes. This specification
109	   was carefully designed to ease the burden of servers that must act as
110	   RADIUS/DIAMETER gateways, by re-using the same address space that
111	   RADIUS has defined [1]. Further, by re-using the same address space,
112	   it allows a single server to read the same dictiionary for both
113	   DIAMETER and RADIUS. This backward compatibility will hopefully
114	   facilitate deployment of DIAMETER.

116	   The Extension number for this draft is one (1). This value is used in
117	   the Extension-Id AVP as defined in [2].

119	1.1  Copyright Statement

121	   Copyright   (C) The Internet Society 1999.  All Rights Reserved.

123	1.2  Requirements language

125	   In this document, the key words "MAY", "MUST, "MUST NOT", "optional",
126	   "recommended", "SHOULD", and "SHOULD NOT", are to be interpreted as
127	   described in [12].

129	1.3  Changes in version -06

131	   The following changes have been made to version 06:

133	      - Changes to AVP Header Flags

135	      - Change to the document title

137	      - Changed the Command-Specific AVP Flags in all command codes
138	      defined.

140	      - Added a reference to RFC 1994 (CHAP)

142	1.4  Changes in version -07

144	   The following changes have been made to version 07:

146	      - Changed the Filter-Rule Command Code AVP from 280 to 300

148	      - Changed the Framed-Password-Policy Command Code AVP from 280 to
149	      301

151	2.0  Command Codes

153	   This document defines the following DIAMETER Commands. All DIAMETER
154	   implementations supporting this extension MUST support all of the
155	   following commands:

157	      Command Name          Command Code
158	      -----------------------------------
159	      AA-Request                263
160	      AA-Answer                 264
161	      AA-Challenge-Ind          265

163	2.1  AA-Request (AAR)

165	   Description

167	      The AA-Request message is used in order to request authentication
168	      and authorization for a given user.

170	      If Authentication is requested the User-Name attribute MUST be
171	      present. If only Authorization is required it is possible to
172	      authorize based on DNIS and ANI instead. However, it is not
173	      possible to authenticate using a User-Name AVP and later
174	      requesting authorization based on DNIS using the same Session-Id
175	      (although the inverse is legal).

177	      Note that the flag field MAY be used in this command in order to
178	      indicate that either Authentication-Only or Authorization-Only is
179	      required for the request. If the Authentication-Only bit is set
180	      the response MUST NOT include any authorization information. Both
181	      the Authenticate and Authorize bits MUST NOT be set at the same
182	      time. To ensure that a user is both authenticated and authorized,
183	      neither flag is set.

185	      The AA-Request message MUST include a unique Session-Id AVP. If
186	      The AA-Request is a result of a successful AA-Challenge-Ind the
187	      Session-Id MUST be identical to the one provided in the initial
188	      AA-Request.

190	   Message Format

192	      Section 3.36 contains a complete list of all valid AVPs for this
193	      message.

195	      <AA-Request> ::= <DIAMETER Header>
196	                       <AA-Request Command AVP>
197	                       <Session-Id AVP>
198	                       <Host-IP-Address AVP>
199	                       [<Host-Name AVP>]
200	                       [<Proxy-State AVP>]
201	                       [<Class AVP>]
202	                       [<State AVP>]
203	                       {<User-Name AVP> ||
204	                        <Called-Station-Id AVP }
205	                       <Miscellaneous AVPs>
206	                       <Timestamp AVP>
207	                       <Nonce AVP>
208	                       {<Integrity-Check-Vector AVP> ||
209	                        <Digital-Signature AVP }

211	   AVP Format

213	      A summary of the AA-Request packet format is shown below. The
214	      fields are transmitted from left to right.

216	       0                   1                   2                   3
217	       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
218	       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
219	       |                           AVP Code                            |
220	       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
221	       |          AVP Length           |CFlags |C|Z|Reservd|P|E|T|V|H|M|
222	       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
223	       |                         Command Code                          |
224	       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

226	      Code

228	         256     DIAMETER Command

230	      AVP Length

232	         The length of this attribute MUST be 12.

234	      Command Flags

236	         The following Command-specific flag bits may be set in the AA-
237	         Request command:

239	            The 'C' (Authentication-only) bit may be set to indicate
240	            that only authentication of the user is required, and that
241	            no authorization should be performed. Additionally, no
242	            authorization information is expected in the AA-Response
243	            command.

245	            The 'Z' (Authorization-Only) bit may be set to indicate that
246	            only authorization of the user is requested and that no
247	            authentication is required. When this bit is set, no user
248	            authentication AVPs (i.e.  User-Password, etc.) will be
249	            present in the request.

251	      AVP Flags

253	         The AVP Flags field MUST have the 'M' bit set, and MAY have the
254	         'P' bit set if end-to-end message integrity is required.
255	         Furthermore, the 'H', E', 'T' and 'V' bits MUST NOT be set.

257	      Command Type

259	         The Command Type field MUST be set to 263 (AA-Request).

261	2.2  AA-Answer (AAA)

263	   Description

265	      The AA-Answer message is used in order to indicate that
266	      Authentication and/or authorization was successful. If
267	      authorization was requested a list of AVPs with the authorization
268	      information MUST be attached to the message (see section 3.42).

270	      The AA-Answer message MUST include the Session-Id AVP that was
271	      present in the AA-Request. The AA-Answer MUST also include the
272	      Host-Name AVP and the Result-Code AVP to indicate the status of
273	      the session. The following error codes are defined for this
274	      message:

276	         DIAMETER_ERROR_UNKNOWN_DOMAIN       1
277	            This error code is used to indicate to the initiator of the
278	            request that the requested domain is unknown and cannot be
279	            resolved.

281	         DIAMETER_ERROR_USER_UNKNOWN         2
282	            This error code is used to indicate to the initiator that
283	            the username request is not valid.

285	         DIAMETER_ERROR_BAD_PASSWORD         3
286	            This error code indicates that the password provided is
287	            invalid.

289	         DIAMETER_ERROR_CANNOT_AUTHORIZE     4
290	            This error code is used to indicate that the user cannot be
291	            authorized due to the fact that the user has expended the
292	            servers local resources.  This could be a result that the
293	            server believes that the user already has an active session,
294	            or that the user has already spent the number of credits in
295	            his/her account, etc.

297	      Note that the flag field MUST be set to the same value that was
298	      found in the AA-Request message.

300	   Message Format

302	      Section 3.36 contains a complete list of all valid AVPs for this
303	      message.

305	      <AA-Answer> ::= <DIAMETER Header>
306	                       <AA-Answer Command AVP>
307	                       <Session-Id AVP>
308	                       <Result-Code AVP>
309	                       [<Error-Code AVP>]
310	                       <Host-IP-Address AVP>
311	                       [<Host-Name AVP>]
312	                       [<Session-Timeout AVP>]
313	                       [<Proxy-State AVP>]
314	                       [<Class AVP>]
315	                       [<State AVP>]
316	                       <Miscellaneous AVPs>
317	                       <Timestamp AVP>
318	                       <Nonce AVP>
319	                       {<Integrity-Check-Vector AVP> ||
320	                        <Digital-Signature AVP }

322	   AVP Format

324	      A summary of the AA-Answer packet format is shown below. The
325	      fields are transmitted from left to right.

327	       0                   1                   2                   3
328	       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
329	       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
330	       |                           AVP Code                            |
331	       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
332	       |          AVP Length           | Cmd Flags |Reservd|P|E|T|V|H|M|
333	       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
334	       |                         Command Code                          |
335	       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

337	      Code

339	         256     DIAMETER Command

341	      AVP Length

343	         The length of this attribute MUST be 12.

345	      Command Flags

347	         The Command Flag bits set in the AA-Response MUST match the
348	         setting of the bits in the corresponding AA-Request. The
349	         following Command-specific flag bits may be set in the AA-
350	         Response command:

352	            The 'C' (Authentication-Only) bit indicates that only user
353	            authentication was performed, as requested. No additional
354	            authorization information is present in the AA-Response.

356	            The 'Z' (Authorization-Only) bit indicates that only
357	            authorization of the user was performed, and that no
358	            authentication was done.

360	      AVP Flags

362	         The AVP Flags field MUST have the 'M' bit set, and MAY have the
363	         'P' bit set if end-to-end message integrity is required.
364	         Furthermore, the 'H', E', 'T' and 'V' bits MUST NOT be set.

366	      Command Type

368	         The Command Type field MUST be set to 264 (AA-Answer).

370	2.3  AA-Challenge-Ind (AACI)

372	   Description
373	      If the DIAMETER server desires to send the user a challenge
374	      requiring a response, then the DIAMETER server MUST respond to the
375	      AA-Request by transmitting a packet with the Code field set to 265
376	      (AA-Challenge-Ind).

378	      The message MAY have one or more Reply-Message AVP, and MAY have a
379	      single State AVP, or none.  No other AVPs are permitted in an AA-
380	      Challenge-Ind other than the Integrity-Check-Vector or Digital-
381	      Signature AVP as defined in [2].

383	      On receipt of an AA-Challenge-Ind, the Identifier field is matched
384	      with a pending AA-Request. Invalid packets are silently discarded.

386	      The receipt of a valid AA-Challenge-Ind indicates that a new AA-
387	      Request SHOULD be sent. The NAS MAY display the text message, if
388	      any, to the user, and then prompt the user for a response.  It
389	      then sends its original Acess-Request with a new request ID, with
390	      the User-Password AVP replaced by the user's response (encrypted),
391	      and including the State AVP from the AA-Challenge-Ind, if any.
392	      Only zero or one instances of the State Attribute can be present
393	      in an AA-Request.

395	      A NAS which supports PAP MAY forward the Reply-Message to the
396	      dialin client and accept a PAP response which it can use as though
397	      the user had entered the response.  If the NAS cannot do so, it
398	      should treat the AA-Challenge-Ind as though it had received an
399	      AA-Answer with a Result-Code AVP set to a value other than
400	      DIAMETER_SUCCESS instead.

402	      It is preferable to use EAP [5] instead of the AA-Challenge-Ind,
403	      yet it has been maintained for backward compatibility.

405	      The AA-Challenge-Ind message MUST include the Session-Id AVP that
406	      was present in the AA-Request and MUST include the same flag value
407	      that was found in the AA-Request.

409	      Section 3.36 contains a complete list of all valid AVPs for this
410	      message.

412	      AA-Challenge-Ind ::= <DIAMETER Header>
413	                           <AA-Challenge-Ind Command AVP>
414	                           <Session-Id AVP>
415	                           <Result-Code AVP>
416	                           [<Error-Code AVP>]
417	                           <Host-IP-Address AVP>
418	                           [<Host-Name AVP>]
419	                           [<Proxy-State AVP>]
420	                           [<Class AVP>]
421	                           [<State AVP>]
422	                           <Reply-Message AVPs>
423	                           <Timestamp AVP>
424	                           <Nonce AVP>
425	                           {<Integrity-Check-Vector AVP> ||
426	                            <Digital-Signature AVP }

428	   AVP Format

430	      A summary of the AA-Challenge-Ind packet format is shown below.
431	      The fields are transmitted from left to right.

433	       0                   1                   2                   3
434	       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
435	       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
436	       |                           AVP Code                            |
437	       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
438	       |          AVP Length           | Cmd Flags |Reservd|P|E|T|V|H|M|
439	       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
440	       |                         Command Code                          |
441	       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

443	      Code

445	         256     DIAMETER Command

447	      AVP Length

449	         The length of this attribute MUST be 12.

451	      Command Flags

453	         The Command Flag bits set in the AA-Challenge MUST match the
454	         setting of the bits in the corresponding AA-Request. The
455	         following Command-specific flag bits may be set in the AA-
456	         Challenge command:

458	            The 'C' (Authentication-Only) bit indicates that the user is
459	            being authentication, but that further information is
460	            required from the user.

462	      AVP Flags

464	         The AVP Flags field MUST have the 'M' bit set, and MAY have the
465	         'P' bit set if end-to-end message integrity is required.
466	         Furthermore, the 'H', E', 'T' and 'V' bits MUST NOT be set.

468	      Command Type

470	         The Command Type field MUST be set to 265 (AA-Challenge-Ind).

472	3.0  DIAMETER AVPs

474	   This section will define the mandatory AVPs which MUST be supported
475	   by all DIAMETER implementations supporting this extension. The
476	   following AVPs are defined in this document:

478	      Attribute Name       Attribute Code
479	      -----------------------------------
480	      User-Name                   1
481	      User-Password               2
482	      CHAP-Password               3
483	      NAS-Port                    5
484	      Service-Type                6
485	      Framed-Protocol             7
486	      Framed-IP-Address           8
487	      Framed-IP-Netmask           9
488	      Framed-Routing             10
489	      Filter-Id                  11
490	      Framed-MTU                 12
491	      Framed-Compression         13
492	      Login-IP-Host              14
493	      Login-Service              15
494	      Login-TCP-Port             16
495	      Reply-Message              18
496	      Callback-Number            19
497	      Callback-Id                20
498	      Framed-Route               22
499	      Framed-IPX-Network         23
500	      Vendor-Specific            26
501	      Idle-Timeout               28
502	      Termination-Action         29
503	      Called-Station-Id          30
504	      Calling-Station-Id         31
505	      Login-LAT-Service          34
506	      Login-LAT-Node             35
507	      Login-LAT-Group            36
508	      Framed-AppleTalk-Link      37
509	      Framed-AppleTalk-Network   38
510	      Framed-AppleTalk-Zone      39
511	      CHAP-Challenge             60
512	      NAS-Port-Type              61
513	      Port-Limit                 62
514	      Login-LAT-Port             63
515	      Filter-Rule               300
516	      Framed-Password-Policy    301

518	3.1  User-Name

520	   Description

522	      This Attribute indicates the name of the user to be authenticated.
523	      It is normally used in AA-Request packets, but MAY be present in
524	      the AA-Answer message.

526	      A summary of the User-Name Attribute format is shown below. The
527	      fields are transmitted from left to right.

529	   AVP Format

531	      0                   1                   2                   3
532	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
533	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
534	      |                           AVP Code                            |
535	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
536	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
537	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
538	      |   String ...
539	      +-+-+-+-+-+-+-+-+

541	      Type

543	         1 for User-Name.

545	      AVP Length

547	         The length of this attribute MUST be at least 9.

549	      AVP Flags

551	         The 'M' bit MUST be set. The 'H' MAY be set, but the 'E' bit
552	         MUST NOT be set since proxy servers would have no knowledge of
553	         the user's domain. The 'V', 'T' and the 'P' bits MUST NOT be
554	         set.

556	      String

558	         The String field is one or more octets. All DIAMETER systems
559	         SHOULD support User-Name lengths of at least 63 octets. The
560	         format of the User-Name SHOULD follow the format defined in
561	         [3].

563	3.2  User-Password

565	   Description

567	      This Attribute indicates the password of the user to be
568	      authenticated, or the user's input following an AA-Challenge.  It
569	      is only used in AA-Request packets.

571	      This AVP MUST be encrypted using one of the methods described in
572	      [2]. The use of this AVP with shared secret encryption is strongly
573	      discouraged by the author due to the security implications in a
574	      proxy environment, yet the support of this attribute has been
575	      retained for RADIUS backward compability.

577	      A summary of the User-Password Attribute format is shown below.
578	      The fields are transmitted from left to right.

580	   AVP Format

582	      0                   1                   2                   3
583	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
584	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
585	      |                           AVP Code                            |
586	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
587	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
588	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
589	      |    Data ...
590	      +-+-+-+-+-+-+-+-+
591	      Type

593	         2 for User-Password.

595	      AVP Length

597	         The length of this attribute MUST be at least 24 and MUST be no
598	         larger than 136.

600	      AVP Flags
601	         The 'M' bit MUST be set. Either the 'H' or the 'E' bit MUST be
602	         set depending upon the security model used. The 'V', 'T' and
603	         the 'P' bits MUST NOT be set.

605	         The AVP Flags field MUST have bit one (Mandatory Support) set.
606	         One of the AVP Encryption bits MUST be set.

608	      Data

610	         The Data field is between 16 and 128 octets long, inclusive.

612	3.3  CHAP-Password

614	   Description

616	      This Attribute indicates the response value provided by a PPP
617	      Challenge-Handshake Authentication Protocol (CHAP) user in
618	      response to the challenge. It is only used in AA-Request packets.

620	      If the CHAP-Password Attribute is found in a message, the CHAP-
621	      Challenge Attribute (60) MUST be present as well.

623	      A summary of the CHAP-Password Attribute format is shown below.
624	      The fields are transmitted from left to right.

626	   AVP Format

628	      0                   1                   2                   3
629	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
630	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
631	      |                           AVP Code                            |
632	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
633	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
634	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
635	      |  CHAP Ident   |    Data ...
636	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

638	      Type

640	         3 for CHAP-Password.

642	      AVP Length

644	         The length of this attribute MUST be 25.

646	      AVP Flags
647	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
648	         upon the security model used. The 'V', 'T' and the 'P' bits
649	         MUST NOT be set.

651	      CHAP Ident

653	         This field is one octet, and contains the CHAP Identifier from
654	         the user's CHAP Response.

656	      Data

658	         The Data field is 16 octets, and contains the CHAP Response
659	         from the user. The actual computation of the CHAP challenge can
660	         be found in [6].

662	3.4  NAS-Port

664	   Description

666	      This Attribute indicates the physical port number of the NAS which
667	      is authenticating the user. It is normally only used in AA-Request
668	      messages (see section 2.2 for more info). Note that this is using
669	      "port" in its sense of a physical connection on the NAS, not in
670	      the sense of a TCP or UDP port number. Either NAS-Port or NAS-
671	      Port-Type (61) or both SHOULD be present in an AA-Request packet,
672	      if the NAS differentiates among its ports.

674	      A summary of the NAS-Port Attribute format is shown below. The
675	      fields are transmitted from left to right.

677	   AVP Format

679	      0                   1                   2                   3
680	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
681	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
682	      |                           AVP Code                            |
683	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
684	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
685	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
686	      |                           Integer32                           |
687	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

689	      Type

691	         5 for NAS-Port.

693	      AVP Length
694	         The length of this attribute MUST be 12.

696	      AVP Flags

698	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
699	         upon the security model used. The 'V', 'T' and the 'P' bits
700	         MUST NOT be set.

702	      Integer32

704	         The Integer32 field is four octets.

706	3.5  Service-Type

708	   Description

710	      This Attribute indicates the type of service the user has
711	      requested, or the type of service to be provided. It MAY be used
712	      in both AA-Request and AA-Answer messages. A NAS is not required
713	      to implement all of these service types, and MUST treat unknown or
714	      unsupported Service-Types as though an AA-Answer with a Result-
715	      Code other than DIAMETER-SUCCESS had been received instead.

717	      A summary of the Service-Type Attribute format is shown below. The
718	      fields are transmitted from left to right.

720	   AVP Format

722	      0                   1                   2                   3
723	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
724	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
725	      |                           AVP Code                            |
726	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
727	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
728	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
729	      |                           Integer32                           |
730	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

732	      Type

734	         6 for Service-Type.

736	      AVP Flags

738	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
739	         upon the security model used. The 'V', 'T' and the 'P' bits
740	         MUST NOT be set.

742	      AVP Length

744	         The length of this attribute MUST be 12.

746	      Integer32

748	         The Integer32 field is four octets.

750	            1      Login
751	            2      Framed
752	            3      Callback Login
753	            4      Callback Framed
754	            5      Outbound
755	            6      Administrative
756	            7      NAS Prompt
757	            8      Authenticate Only
758	            9      Callback NAS Prompt

760	            The service types are defined as follows when used in an
761	            AA-Answer. When used in an AA-Request, they should be
762	            considered to be a hint to the DIAMETER server that the NAS
763	            has reason to believe the user would prefer the kind of
764	            service indicated, but the server is not required to honor
765	            the hint.

767	            Login               The user should be connected to a host.

769	            Framed              A Framed Protocol should be started for
770	                                the User, such as PPP or SLIP.

772	            Callback Login      The user should be disconnected and
773	                                calledback, then connected to a host.

775	            Callback Framed     The user should be disconnected and
776	                                called back, then a Framed Protocol
777	                                should be started for the User, such as
778	                                PPP or SLIP.

780	            Outbound            The user should be granted access to
781	                                outgoing devices.

783	            Administrative      The user should be granted access to the
784	                                administrative interface to the NAS from
785	                                which privileged commands can be
786	                                executed.

788	            NAS Prompt          The user should be provided a command
789	                                prompt on the NAS from which non-
790	                                privileged commands can be executed.

792	            Authenticate Only   Only Authentication is requested, and no
793	                                authorization information needs to be
794	                                returned in the AA-Answer (typically
795	                                used by proxy servers rather than the
796	                                NAS itself).This SHOULD NOT be used in
797	                                DIAMETER, yet it is maintained for
798	                                backward compatibility.

800	            Callback NAS Prompt The user should be disconnected and
801	                                called back, then provided a command
802	                                prompt on the NAS from which non-
803	                                privileged commands can be executed.

805	3.6  Framed-Protocol

807	   Description

809	      This Attribute indicates the framing to be used for framed access.
810	      It MAY be used in both AA-Request and AA-Answer messages.

812	      A summary of the Framed-Protocol Attribute format is shown below.
813	      The fields are transmitted from left to right.

815	   AVP Format

817	      0                   1                   2                   3
818	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
819	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
820	      |                           AVP Code                            |
821	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
822	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
823	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
824	      |                           Integer32                           |
825	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

827	      Type

829	         7 for Framed-Protocol.

831	      AVP Length

833	         The length of this attribute MUST be 12.

835	      AVP Flags
836	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
837	         upon the security model used. The 'V', 'T' and the 'P' bits
838	         MUST NOT be set.

840	      Integer32

842	         The Integer32 field is four octets.

844	            1      PPP
845	            2      SLIP
846	            3      AppleTalk Remote Access Protocol (ARAP)
847	            4      Gandalf proprietary SingleLink/MultiLink protocol
848	            5      Xylogics proprietary IPX/SLIP

850	3.7  Framed-IP-Address

852	   Description

854	      This Attribute indicates the address to be configured for the
855	      user. It MAY be used in AA-Request messages as a hint by the NAS
856	      to the server that it would prefer that address, but the server is
857	      not required to honor the hint.

859	      A summary of the Framed-IP-Address Attribute format is shown
860	      below.  The fields are transmitted from left to right.

862	   AVP Format

864	      0                   1                   2                   3
865	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
866	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
867	      |                           AVP Code                            |
868	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
869	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
870	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
871	      |                            Address                            |
872	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

874	      Type

876	         8 for Framed-IP-Address.

878	      AVP Length

880	         The length of this attribute MUST be 12.

882	      AVP Flags
883	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
884	         upon the security model used. The 'V', 'T' and the 'P' bits
885	         MUST NOT be set.

887	      Address

889	         The Address field is four octets. The value 0xFFFFFFFF
890	         indicates that the NAS should allow the user to select an
891	         address (e.g.  Negotiated). The value 0xFFFFFFFE indicates that
892	         the NAS should select an address for the user (e.g. Assigned
893	         from a pool of addresses kept by the NAS). Other valid values
894	         indicate that the NAS should use that value as the user's IP
895	         address.

897	3.8  Framed-IP-Netmask

899	   Description

901	      This Attribute indicates the IP netmask to be configured for the
902	      user when the user is a router to a network. It MUST be used in
903	      AA-Answer messages if the Framed-IP-Address AVP was returned with
904	      a value other than 0xFFFFFFFF. It MAY be used in an AA-Request
905	      message as a hint by the NAS to the server that it would prefer
906	      that netmask, but the server is not required to honor the hint.

908	      A summary of the Framed-IP-Netmask Attribute format is shown
909	      below.  The fields are transmitted from left to right.

911	   AVP Format

913	      0                   1                   2                   3
914	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
915	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
916	      |                           AVP Code                            |
917	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
918	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
919	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
920	      |                            Address                            |
921	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

923	      Type

925	         9 for Framed-IP-Netmask.

927	      AVP Length

929	         The length of this attribute MUST be 12.

931	      AVP Flags

933	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
934	         upon the security model used. The 'V', 'T' and the 'P' bits
935	         MUST NOT be set.

937	      Address

939	         The Address field is four octets specifying the IP netmask of
940	         the user.

942	3.9  Framed-Routing

944	   Description

946	      This Attribute indicates the routing method for the user, when the
947	      user is a router to a network. It is only used in AA-Answer
948	      messages.

950	      A summary of the Framed-Routing Attribute format is shown below.
951	      The fields are transmitted from left to right.

953	   AVP Format

955	      0                   1                   2                   3
956	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
957	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
958	      |                           AVP Code                            |
959	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
960	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
961	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
962	      |                            Integer32                          |
963	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

965	      Type

967	         10 for Framed-Routing.

969	      AVP Length

971	         The length of this attribute MUST be 12.

973	      AVP Flags

975	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
976	         upon the security model used. The 'V', 'T' and the 'P' bits
977	         MUST NOT be set.

979	      Integer32

981	         The Integer32 field is four octets.

983	            0      None
984	            1      Send routing packets
985	            2      Listen for routing packets
986	            3      Send and Listen

988	3.10  Filter-Id

990	   Description

992	      This Attribute indicates the name of the filter list for this
993	      user. Zero or more Filter-Id attributes MAY be sent in an AA-
994	      Answer message.

996	      Identifying a filter list by name allows the filter to be used on
997	      different NASes without regard to filter-list implementation
998	      details. However, this AVP is not roaming friendly since filter
999	      naming differs from one service provider to another.

1001	      It is strongly encouraged to support the Filter-Rule AVP instead.

1003	      A summary of the Filter-Id Attribute format is shown below. The
1004	      fields are transmitted from left to right.

1006	   AVP Format

1008	      0                   1                   2                   3
1009	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1010	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1011	      |                           AVP Code                            |
1012	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1013	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
1014	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1015	      |   String ...
1016	      +-+-+-+-+-+-+-+-+

1018	      Type

1020	         11 for Filter-Id.

1022	      AVP Length

1024	         The length of this attribute MUST be at least 9.

1026	      AVP Flags

1028	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1029	         upon the security model used. The 'V', 'T' and the 'P' bits
1030	         MUST NOT be set.

1032	      String

1034	         The String field is one or more octets, and its contents are
1035	         implementation dependent. It is intended to be human readable
1036	         and MUST NOT affect operation of the protocol. It is
1037	         recommended that the message contain displayable ASCII
1038	         characters from the range 32 through 126 decimal.

1040	3.11  Framed-MTU

1042	   Description

1044	      This Attribute indicates the Maximum Transmission Unit to be
1045	      configured for the user, when it is not negotiated by some other
1046	      means (such as PPP). It is only used in AA-Answer messages.

1048	      A summary of the Framed-MTU Attribute format is shown below. The
1049	      fields are transmitted from left to right.

1051	   AVP Format

1053	      0                   1                   2                   3
1054	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1055	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1056	      |                           AVP Code                            |
1057	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1058	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
1059	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1060	      |                           Integer32                           |
1061	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1063	      Type

1065	         12 for Framed-MTU.

1067	      AVP Length

1069	         The length of this attribute MUST be 12.

1071	      AVP Flags
1072	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1073	         upon the security model used. The 'V', 'T' and the 'P' bits
1074	         MUST NOT be set.

1076	      Integer32

1078	         The Integer32 field is four octets. Despite the size of the
1079	         field, values range from 64 to 65535.

1081	3.12  Framed-Compression

1083	   Description

1085	      This Attribute indicates a compression protocol to be used for the
1086	      link. It MAY be used in AA-Answer packets. It MAY be used in an
1087	      AA-Request packet as a hint to the server that the NAS would
1088	      prefer to use that compression, but the server is not required to
1089	      honor the hint.

1091	      More than one compression protocol Attribute MAY be sent. It is
1092	      the responsibility of the NAS to apply the proper compression
1093	      protocol to appropriate link traffic.

1095	      A summary of the Framed-Compression Attribute format is shown
1096	      below.  The fields are transmitted from left to right.

1098	   AVP Format

1100	      0                   1                   2                   3
1101	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1102	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1103	      |                           AVP Code                            |
1104	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1105	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
1106	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1107	      |                           Integer32                           |
1108	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1110	      Type

1112	         13 for Framed-Compression.

1114	      AVP Length

1116	         The length of this attribute MUST be 12.

1118	      AVP Flags
1119	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1120	         upon the security model used. The 'V', 'T' and the 'P' bits
1121	         MUST NOT be set.

1123	      Integer32

1125	         The Integer32 field is four octets.

1127	            0      None
1128	            1      VJ TCP/IP header compression [7]
1129	            2      IPX header compression

1131	3.13  Login-IP-Host

1133	   Description

1135	      This Attribute indicates the system with which to connect the
1136	      user, when the Login-Service Attribute is included. It MAY be used
1137	      in AA-Answer messages. It MAY be used in an AA-Request message as
1138	      a hint to the server that the NAS would prefer to use that host,
1139	      but the server is not required to honor the hint.

1141	      A summary of the Login-IP-Host Attribute format is shown below.
1142	      The fields are transmitted from left to right.

1144	   AVP Format

1146	      0                   1                   2                   3
1147	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1148	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1149	      |                           AVP Code                            |
1150	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1151	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
1152	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1153	      |                            Address                            |
1154	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1156	      Type

1158	         14 for Login-IP-Host.

1160	      AVP Length

1162	         The length of this attribute MUST be 12.

1164	      AVP Flags
1165	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1166	         upon the security model used. The 'V', 'T' and the 'P' bits
1167	         MUST NOT be set.

1169	      Address

1171	         The Address field is four octets. The value 0xFFFFFFFF
1172	         indicates that the NAS SHOULD allow the user to select an
1173	         address. The value zero indicates that the NAS SHOULD select a
1174	         host to connect the user to. Other values indicate the address
1175	         the NAS SHOULD connect the user to.

1177	3.14  Login-Service

1179	   Description

1181	      This Attribute indicates the service which should be used to
1182	      connect the user to the login host. It is only used in AA-Answer
1183	      messages.

1185	      A summary of the Login-Service Attribute format is shown below.
1186	      The fields are transmitted from left to right.

1188	   AVP Format

1190	      0                   1                   2                   3
1191	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1192	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1193	      |                           AVP Code                            |
1194	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1195	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
1196	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1197	      |                           Integer32                           |
1198	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1200	      Type

1202	         15 for Login-Service.

1204	      AVP Length

1206	         The length of this attribute MUST be 12.

1208	      AVP Flags

1210	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1211	         upon the security model used. The 'V', 'T' and the 'P' bits
1212	         MUST NOT be set.

1214	      Integer32

1216	         The Integer32 field is four octets.

1218	            0      Telnet
1219	            1      Rlogin
1220	            2      TCP Clear
1221	            3      PortMaster (proprietary)
1222	            4      LAT

1224	3.15  Login-TCP-Port

1226	   Description

1228	      This Attribute indicates the TCP port with which the user is to be
1229	      connected, when the Login-Service Attribute is also present. It is
1230	      only used in AA-Answer packets.

1232	      A summary of the Login-TCP-Port Attribute format is shown below.
1233	      The fields are transmitted from left to right.

1235	   AVP Format

1237	      0                   1                   2                   3
1238	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1239	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1240	      |                           AVP Code                            |
1241	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1242	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
1243	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1244	      |                           Integer32                           |
1245	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1247	      Type

1249	         16 for Login-TCP-Port.

1251	      AVP Length

1253	         The length of this attribute MUST be 12.

1255	      AVP Flags

1257	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1258	         upon the security model used. The 'V', 'T' and the 'P' bits
1259	         MUST NOT be set.

1261	      Integer32

1263	         The Integer32 field is four octets. Despite the size of the
1264	         field, values range from zero to 65535.

1266	3.16  Reply-Message

1268	   Description

1270	      This Attribute indicates text which MAY be displayed to the user.

1272	      When used in an AA-Answer message with a successful Result-Code
1273	      AVP it indicates the success message. When found in the same
1274	      message with a Result-Code other than DIAMETER-SUCCESS it contains
1275	      the failure message.

1277	      It MAY indicate a dialog message to prompt the user before another
1278	      AA-Request attempt.

1280	      When used in an AA-Challenge, it MAY indicate a dialog message to
1281	      prompt the user for a response.

1283	      Multiple Reply-Message's MAY be included and if any are displayed,
1284	      they MUST be displayed in the same order as they appear in the
1285	      packet.

1287	      A summary of the Reply-Message Attribute format is shown below.
1288	      The fields are transmitted from left to right.

1290	   AVP Format

1292	      0                   1                   2                   3
1293	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1294	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1295	      |                           AVP Code                            |
1296	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1297	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
1298	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1299	      |   String ...
1300	      +-+-+-+-+-+-+-+-+

1302	      Type

1304	         18 for Reply-Message.

1306	      AVP Length

1308	         The length of this attribute MUST be at least 9.

1310	      AVP Flags

1312	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1313	         upon the security model used. The 'V', 'T' and the 'P' bits
1314	         MUST NOT be set.

1316	      String

1318	         The String field is one or more octets, and its contents are
1319	         implementation dependent. It is intended to be human readable,
1320	         and MUST NOT affect operation of the protocol. It is
1321	         recommended that the message contain displayable ASCII
1322	         characters from the range 10, 13, and 32 through 126 decimal.
1323	         Mechanisms for extension to other character sets are beyond the
1324	         scope of this specification.

1326	3.17  Callback-Number

1328	   Description

1330	      This Attribute indicates a dialing string to be used for callback.
1331	      It MAY be used in AA-Answer packets. It MAY be used in an AA-
1332	      Request packet as a hint to the server that a Callback service is
1333	      desired, but the server is not required to honor the hint.

1335	      A summary of the Callback-Number Attribute format is shown below.
1336	      The fields are transmitted from left to right.

1338	   AVP Format

1340	      0                   1                   2                   3
1341	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1342	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1343	      |                           AVP Code                            |
1344	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1345	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
1346	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1347	      |   String ...
1348	      +-+-+-+-+-+-+-+-+

1350	      Type

1352	         19 for Callback-Number.

1354	      AVP Length

1356	         The length of this attribute MUST be at least 9.

1358	      AVP Flags

1360	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1361	         upon the security model used. The 'V', 'T' and the 'P' bits
1362	         MUST NOT be set.

1364	      String

1366	         The String field is one or more octets. The actual format of
1367	         the information is site or application specific, and a robust
1368	         implementation SHOULD support the field as undistinguished
1369	         octets.

1371	         The codification of the range of allowed usage of this field is
1372	         outside the scope of this specification.

1374	3.18  Callback-Id

1376	   Description

1378	      This Attribute indicates the name of a place to be called, to be
1379	      interpreted by the NAS. It MAY be used in AA-Answer messages.

1381	      This AVP is not roaming friendly since it assumes that the
1382	      Callback-Id is configured on the NAS. It is therefore preferable
1383	      to use the Callback-Number AVP instead.

1385	      A summary of the Callback-Id Attribute format is shown below. The
1386	      fields are transmitted from left to right.

1388	   AVP Format

1390	      0                   1                   2                   3
1391	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1392	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1393	      |                           AVP Code                            |
1394	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1395	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
1396	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1397	      |   String ...
1398	      +-+-+-+-+-+-+-+-+

1400	      Type
1401	         20 for Callback-Id.

1403	      AVP Length

1405	         The length of this attribute MUST be at least 9.

1407	      AVP Flags

1409	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1410	         upon the security model used. The 'V', 'T' and the 'P' bits
1411	         MUST NOT be set.

1413	      String

1415	         The String field is one or more octets. The actual format of
1416	         the information is site or application specific, and a robust
1417	         implementation SHOULD support the field as undistinguished
1418	         octets.  The codification of the range of allowed usage of this
1419	         field is outside the scope of this specification.

1421	3.19  Framed-IP-Route

1423	   Description

1425	      This Attribute provides routing information to be configured for
1426	      the user on the NAS. It is used in the AA-Answer message and can
1427	      appear multiple times.

1429	      A summary of the Framed-Route Attribute format is shown below. The
1430	      fields are transmitted from left to right.

1432	   AVP Format

1434	      0                   1                   2                   3
1435	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1436	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1437	      |                           AVP Code                            |
1438	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1439	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
1440	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1441	      |   String ...
1442	      +-+-+-+-+-+-+-+-+

1444	      Type

1446	         22 for Framed-IP-Route.

1448	      AVP Length

1450	         The length of this attribute MUST be at least 9.

1452	      AVP Flags

1454	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1455	         upon the security model used. The 'V', 'T' and the 'P' bits
1456	         MUST NOT be set.

1458	      String

1460	         It MUST contain a destination prefix in dotted quad form
1461	         optionally followed by a slash and a decimal length specifier
1462	         stating how many high order bits of the prefix should be used.
1463	         That is followed by a space, a gateway address in dotted quad
1464	         form, a space, and one or more metrics separated by spaces. For
1465	         example, "192.168.1.0/24 192.168.1.1 1".

1467	         The length specifier may be omitted in which case it should
1468	         default to 8 bits for class A prefixes, 16 bits for class B
1469	         prefixes, and 24 bits for class C prefixes. For example,
1470	         "192.168.1.0 192.168.1.1 1".

1472	         Whenever the gateway address is specified as "0.0.0.0" the IP
1473	         address of the user SHOULD be used as the gateway address.

1475	3.20  Framed-IPX-Network

1477	   Description

1479	      This Attribute indicates the IPX Network number to be configured
1480	      for the user. It is used in AA-Answer messages.

1482	      A summary of the Framed-IPX-Network Attribute format is shown
1483	      below.  The fields are transmitted from left to right.

1485	   AVP Format
1486	      0                   1                   2                   3
1487	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1488	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1489	      |                           AVP Code                            |
1490	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1491	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
1492	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1493	      |                           Integer32                           |
1494	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1496	      Type

1498	         23 for Framed-IPX-Network.

1500	      AVP Length

1502	         The length of this attribute MUST be 12.

1504	      AVP Flags

1506	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1507	         upon the security model used. The 'V', 'T' and the 'P' bits
1508	         MUST NOT be set.

1510	      Integer32

1512	         The Integer32 field is four octets. The value 0xFFFFFFFF
1513	         indicates that the NAS should allow the user to select an
1514	         address (e.g.  Negotiated). The value 0xFFFFFFFE indicates that
1515	         the NAS should select an address for the user (e.g. assigned
1516	         from a pool of one or more IPX networks kept by the NAS). Other
1517	         values should be used as the IPX network for the link to the
1518	         user.

1520	3.21  Idle-Timeout

1522	   Description

1524	      This Attribute sets the maximum number of consecutive seconds of
1525	      idle connection allowed to the user before termination of the
1526	      session or prompt. This Attribute is available to be sent by the
1527	      server to the client in an AA-Answer or AA-Challenge.

1529	      A summary of the Idle-Timeout Attribute format is shown below. The
1530	      fields are transmitted from left to right.

1532	   AVP Format
1533	      0                   1                   2                   3
1534	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1535	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1536	      |                           AVP Code                            |
1537	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1538	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
1539	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1540	      |                           Integer32                           |
1541	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1543	      Type

1545	         28 for Idle-Timeout.

1547	      AVP Length

1549	         The length of this attribute MUST be 12.

1551	      AVP Flags

1553	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1554	         upon the security model used. The 'V', 'T' and the 'P' bits
1555	         MUST NOT be set.

1557	      Integer32

1559	         The Integer32 field is 4 octets, containing a 32-bit unsigned
1560	         integer with the maximum number of consecutive seconds of idle
1561	         time this user should be permitted before being disconnected by
1562	         the NAS.

1564	3.22  Called-Station-Id

1566	   Description

1568	      This Attribute allows the NAS to send in the AA-Request message
1569	      the phone number that the user called, using Dialed Number
1570	      Identification (DNIS) or similar technology. Note that this may be
1571	      different from the phone number the call comes in on. It is only
1572	      used in AA-Request packets.

1574	      If the Authorization-Only flag is set in the message and the
1575	      User-Name AVP is absent, the DIAMETER Server MUST perform
1576	      authorization based on this field. This can be used by a NAS to
1577	      request whether a call should be answered based on the DNIS.

1579	      A summary of the Called-Station-Id Attribute format is shown
1580	      below.  The fields are transmitted from left to right.

1582	   AVP Format

1584	      0                   1                   2                   3
1585	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1586	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1587	      |                           AVP Code                            |
1588	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1589	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
1590	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1591	      |   String ...
1592	      +-+-+-+-+-+-+-+-+

1594	      Type

1596	         30 for Called-Station-Id.

1598	      AVP Length

1600	         The length of this attribute MUST be at least 9.

1602	      AVP Flags

1604	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1605	         upon the security model used. The 'V', 'T' and the 'P' bits
1606	         MUST NOT be set.

1608	      String

1610	         The String field is one or more octets, containing the phone
1611	         number that the user's call came in on.

1613	         The actual format of the information is site or application
1614	         specific. Printable ASCII is recommended, but a robust
1615	         implementation SHOULD support the field as undistinguished
1616	         octets.

1618	         The codification of the range of allowed usage of this field is
1619	         outside the scope of this specification.

1621	3.23  Calling-Station-Id

1623	   Description

1625	      This Attribute allows the NAS to send in the AA-Request packet the
1626	      phone number that the call came from, using Automatic Number
1627	      Identification (ANI) or similar technology. It is only used in
1628	      AA-Request packets.

1630	      If the Authorization-Only flag is set in the message and the
1631	      User-Name AVP is absent, the DIAMETER Server must perform
1632	      authorization based on this field. This can be used by a NAS to
1633	      request whether a call should be answered based on the ANI.

1635	      A summary of the Calling-Station-Id Attribute format is shown
1636	      below.  The fields are transmitted from left to right.

1638	   AVP Format

1640	      0                   1                   2                   3
1641	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1642	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1643	      |                           AVP Code                            |
1644	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1645	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
1646	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1647	      |   String ...
1648	      +-+-+-+-+-+-+-+-+

1650	      Type

1652	         31 for Calling-Station-Id.

1654	      AVP Length

1656	         The length of this attribute MUST be at least 9.

1658	      AVP Flags

1660	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1661	         upon the security model used. The 'V', 'T' and the 'P' bits
1662	         MUST NOT be set.

1664	      String

1666	         The String field is one or more octets, containing the phone
1667	         number that the user placed the call from.

1669	         The actual format of the information is site or application
1670	         specific. Printable ASCII is recommended, but a robust
1671	         implementation SHOULD support the field as undistinguished
1672	         octets.

1674	         The codification of the range of allowed usage of this field is
1675	         outside the scope of this specification.

1677	3.24  Login-LAT-Service

1679	   Description

1681	      This Attribute indicates the system with which the user is to be
1682	      connected by LAT. It MAY be used in AA-Answer packets, but only
1683	      when LAT is specified as the Login-Service. It MAY be used in an
1684	      AA-Request packet as a hint to the server, but the server is not
1685	      required to honor the hint.

1687	      Administrators use the service attribute when dealing with
1688	      clustered systems, such as a VAX or Alpha cluster. In such an
1689	      environment several different time sharing hosts share the same
1690	      resources (disks, printers, etc.), and administrators often
1691	      configure each to offer access (service) to each of the shared
1692	      resources. In this case, each host in the cluster advertises its
1693	      services through LAT broadcasts.

1695	      Sophisticated users often know which service providers (machines)
1696	      are faster and tend to use a node name when initiating a LAT
1697	      connection. Alternately, some administrators want particular users
1698	      to use certain machines as a primitive form of load balancing
1699	      (although LAT knows how to do load balancing itself).

1701	      A summary of the Login-LAT-Service Attribute format is shown
1702	      below.  The fields are transmitted from left to right.

1704	   AVP Format

1706	      0                   1                   2                   3
1707	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1708	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1709	      |                           AVP Code                            |
1710	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1711	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
1712	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1713	      |   String ...
1714	      +-+-+-+-+-+-+-+-+

1716	      Type

1718	         34 for Login-LAT-Service.

1720	      AVP Length
1721	         The length of this attribute MUST be at least 9.

1723	      AVP Flags

1725	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1726	         upon the security model used. The 'V', 'T' and the 'P' bits
1727	         MUST NOT be set.

1729	      String

1731	         The String field is one or more octets, and contains the
1732	         identity of the LAT service to use. The LAT Architecture allows
1733	         this string to contain $ (dollar), - (hyphen), . (period), _
1734	         (underscore), numerics, upper and lower case alphabetics, and
1735	         the ISO Latin-1 character set extension [8]. All LAT string
1736	         comparisons are case insensitive.

1738	3.25  Login-LAT-Node

1740	   Description

1742	      This Attribute indicates the Node with which the user is to be
1743	      automatically connected by LAT. It MAY be used in AA-Answer
1744	      packets, but only when LAT is specified as the Login-Service. It
1745	      MAY be used in an AA-Request packet as a hint to the server, but
1746	      the server is not required to honor the hint.

1748	      A summary of the Login-LAT-Node Attribute format is shown below.
1749	      The fields are transmitted from left to right.

1751	   AVP Format

1753	      0                   1                   2                   3
1754	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1755	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1756	      |                           AVP Code                            |
1757	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1758	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
1759	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1760	      |   String ...
1761	      +-+-+-+-+-+-+-+-+

1763	      Type

1765	         35 for Login-LAT-Node.

1767	      AVP Length
1768	         The length of this attribute MUST be at least 9.

1770	      AVP Flags

1772	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1773	         upon the security model used. The 'V', 'T' and the 'P' bits
1774	         MUST NOT be set.

1776	      String

1778	         The String field is one or more octets, and contains the
1779	         identity of the LAT Node to connect the user to. The LAT
1780	         Architecture allows this string to contain $ (dollar), -
1781	         (hyphen), . (period), _ (underscore), numerics, upper and lower
1782	         case alphabetics, and the ISO Latin-1 character set extension.
1783	         All LAT string comparisons are case insensitive.

1785	3.26  Login-LAT-Group

1787	   Description

1789	      This Attribute contains a string identifying the LAT group codes
1790	      which this user is authorized to use. It MAY be used in AA-Answer
1791	      packets, but only when LAT is specified as the Login-Service. It
1792	      MAY be used in an AA-Request packet as a hint to the server, but
1793	      the server is not required to honor the hint.

1795	      LAT supports 256 different group codes, which LAT uses as a form
1796	      of access rights. LAT encodes the group codes as a 256 bit bitmap.

1798	      Administrators can assign one or more of the group code bits at
1799	      the LAT service provider; it will only accept LAT connections that
1800	      have these group codes set in the bit map. The administrators
1801	      assign a bitmap of authorized group codes to each user; LAT gets
1802	      these from the operating system, and uses these in its requests to
1803	      the service providers.

1805	      A summary of the Login-LAT-Group Attribute format is shown below.
1806	      The fields are transmitted from left to right.

1808	   AVP Format
1809	      0                   1                   2                   3
1810	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1811	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1812	      |                           AVP Code                            |
1813	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1814	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
1815	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1816	      |    Data ...
1817	      +-+-+-+-+-+-+-+-+

1819	      Type

1821	         36 for Login-LAT-Group.

1823	      AVP Length

1825	         The length of this attribute MUST be 40.

1827	      AVP Flags

1829	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1830	         upon the security model used. The 'V', 'T' and the 'P' bits
1831	         MUST NOT be set.

1833	      Data

1835	         The Data field is a 32 octet bit map, most significant octet
1836	         first. A robust implementation SHOULD support the field as
1837	         undistinguished octets.

1839	         The codification of the range of allowed usage of this field is
1840	         outside the scope of this specification.

1842	3.27  Framed-AppleTalk-Link

1844	   Description

1846	      This Attribute indicates the AppleTalk network number which should
1847	      be used for the serial link to the user, which is another
1848	      AppleTalk router. It is only used in AA-Answer packets. It is
1849	      never used when the user is not another router.

1851	      A summary of the Framed-AppleTalk-Link Attribute format is shown
1852	      below. The fields are transmitted from left to right.

1854	   AVP Format
1855	      0                   1                   2                   3
1856	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1857	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1858	      |                           AVP Code                            |
1859	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1860	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
1861	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1862	      |                           Integer32                           |
1863	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1865	      Type

1867	         37 for Framed-AppleTalk-Link.

1869	      AVP Length

1871	         The length of this attribute MUST be 12.

1873	      AVP Flags

1875	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1876	         upon the security model used. The 'V', 'T' and the 'P' bits
1877	         MUST NOT be set.

1879	      Integer32

1881	         The Integer32 field is four octets. Despite the size of the
1882	         field, values range from zero to 65535. The special value of
1883	         zero indicates that this is an unnumbered serial link. A value
1884	         of one to 65535 means that the serial line between the NAS and
1885	         the user should be assigned that value as an AppleTalk network
1886	         number.

1888	3.28  Framed-AppleTalk-Network

1890	   Description

1892	      This Attribute indicates the AppleTalk Network number which the
1893	      NAS should probe to allocate an AppleTalk node for the user. It is
1894	      only used in AA-Answer packets. It is never used when the user is
1895	      another router. Multiple instances of this Attribute indicate that
1896	      the NAS may probe using any of the network numbers specified.

1898	      A summary of the Framed-AppleTalk-Network Attribute format is
1899	      shown below. The fields are transmitted from left to right.

1901	   AVP Format
1902	      0                   1                   2                   3
1903	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1904	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1905	      |                           AVP Code                            |
1906	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1907	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
1908	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1909	      |                           Integer32                           |
1910	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1912	      Type

1914	         38 for Framed-AppleTalk-Network.

1916	      AVP Length

1918	         The length of this attribute MUST be 12.

1920	      AVP Flags

1922	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1923	         upon the security model used. The 'V', 'T' and the 'P' bits
1924	         MUST NOT be set.

1926	      Integer32

1928	         The Integer32 field is four octets. Despite the size of the
1929	         field, values range from zero to 65535. The special value zero
1930	         indicates that the NAS should assign a network for the user,
1931	         using its default cable range. A value between one and 65535
1932	         (inclusive) indicates the AppleTalk Network the NAS should
1933	         probe to find an address for the user.

1935	3.29  Framed-AppleTalk-Zone

1937	   Description

1939	      This Attribute indicates the AppleTalk Default Zone to be used for
1940	      this user. It is only used in AA-Answer packets. Multiple
1941	      instances of this attribute in the same packet are not allowed.

1943	      A summary of the Framed-AppleTalk-Zone Attribute format is shown
1944	      below. The fields are transmitted from left to right.

1946	   AVP Format
1947	      0                   1                   2                   3
1948	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1949	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1950	      |                           AVP Code                            |
1951	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1952	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
1953	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1954	      |    Data ...
1955	      +-+-+-+-+-+-+-+-+

1957	      Type

1959	         39 for Framed-AppleTalk-Zone.

1961	      AVP Length

1963	         The length of this attribute MUST be at least 9.

1965	      AVP Flags

1967	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
1968	         upon the security model used. The 'V', 'T' and the 'P' bits
1969	         MUST NOT be set.

1971	      String

1973	         The name of the Default AppleTalk Zone to be used for this
1974	         user.  A robust implementation SHOULD support the field as
1975	         undistinguished octets.

1977	         The codification of the range of allowed usage of this field is
1978	         outside the scope of this specification.

1980	3.30  CHAP-Challenge

1982	   Description

1984	      This Attribute contains the CHAP Challenge sent by the NAS to a
1985	      PPP Challenge-Handshake Authentication Protocol (CHAP) user. It is
1986	      only used in AA-Request packets.

1988	      A summary of the CHAP-Challenge Attribute format is shown below.
1989	      The fields are transmitted from left to right.

1991	   AVP Format
1992	      0                   1                   2                   3
1993	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1994	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1995	      |                           AVP Code                            |
1996	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1997	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
1998	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1999	      |    Data ...
2000	      +-+-+-+-+-+-+-+-+

2002	      Type

2004	         60 for CHAP-Challenge.

2006	      AVP Length

2008	         The length of this attribute MUST be at least 24.

2010	      AVP Flags

2012	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
2013	         upon the security model used. The 'V', 'T' and the 'P' bits
2014	         MUST NOT be set.

2016	      Data

2018	         The Data field contains the CHAP Challenge.

2020	3.31  NAS-Port-Type

2022	   Description

2024	      This Attribute indicates the type of the physical port of the NAS
2025	      which is authenticating the user. It can be used instead of or in
2026	      addition to the NAS-Port (5) attribute. It is only used in AA-
2027	      Request packets. Either NAS-Port (5) or NAS-Port-Type or both
2028	      SHOULD be present in an AA-Request packet, if the NAS
2029	      differentiates among its ports.

2031	      A summary of the NAS-Port-Type Attribute format is shown below.
2032	      The fields are transmitted from left to right.

2034	   AVP Format
2035	      0                   1                   2                   3
2036	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2037	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2038	      |                           AVP Code                            |
2039	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2040	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
2041	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2042	      |                           Integer32                           |
2043	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

2045	      Type

2047	         61 for NAS-Port-Type.

2049	      AVP Length

2051	         The length of this attribute MUST be 12.

2053	      AVP Flags

2055	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
2056	         upon the security model used. The 'V', 'T' and the 'P' bits
2057	         MUST NOT be set.

2059	      Integer32

2061	         The Integer32 field is four octets. "Virtual" refers to a
2062	         connection to the NAS via some transport protocol, instead of
2063	         through a physical port. For example, if a user telnetted into
2064	         a NAS to authenticate himself as an Outbound-User, the AA-
2065	         Request might include NAS-Port-Type = Virtual as a hint to the
2066	         RADIUS server that the user was not on a physical port.

2068	            0       Async
2069	            1       Sync
2070	            2       ISDN Sync
2071	            3       ISDN Async V.120
2072	            4       ISDN Async V.110
2073	            5       Virtual

2075	3.32  Port-Limit

2077	   Description

2079	      This Attribute sets the maximum number of ports to be provided to
2080	      the user by the NAS. This Attribute MAY be sent by the server to
2081	      the client in an AA-Answer packet. It is intended for use in
2082	      conjunction with Multilink PPP [9] or similar uses. It MAY also be
2083	      sent by the NAS to the server as a hint that that many ports are
2084	      desired for use, but the server is not required to honor the hint.

2086	      A summary of the Port-Limit Attribute format is shown below. The
2087	      fields are transmitted from left to right.

2089	   AVP Format

2091	      0                   1                   2                   3
2092	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2093	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2094	      |                           AVP Code                            |
2095	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2096	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
2097	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2098	      |                           Integer32                           |
2099	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

2101	      Type

2103	         62 for Port-Limit.

2105	      AVP Length

2107	         The length of this attribute MUST be 12.

2109	      AVP Flags

2111	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
2112	         upon the security model used. The 'V', 'T' and the 'P' bits
2113	         MUST NOT be set.

2115	      Integer32

2117	         The Integer32 field is four octets, containing a 32-bit
2118	         unsigned integer with the maximum number of ports this user
2119	         should be allowed to connect to on the NAS.

2121	3.33  Login-LAT-Port

2123	   Description

2125	      This Attribute indicates the Port with which the user is to be
2126	      connected by LAT. It MAY be used in AA-Answer packets, but only
2127	      when LAT is specified as the Login-Service. It MAY be used in an
2128	      AA-Request packet as a hint to the server, but the server is not
2129	      required to honor the hint.

2131	      A summary of the Login-LAT-Port Attribute format is shown below.
2132	      The fields are transmitted from left to right.

2134	   AVP Format

2136	      0                   1                   2                   3
2137	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2138	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2139	      |                           AVP Code                            |
2140	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2141	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
2142	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2143	      |   String ...
2144	      +-+-+-+-+-+-+-+-+

2146	      Type

2148	         63 for Login-LAT-Port.

2150	      AVP Length

2152	         The length of this attribute MUST be at least 9.

2154	      AVP Flags

2156	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
2157	         upon the security model used. The 'V', 'T' and the 'P' bits
2158	         MUST NOT be set.

2160	      String

2162	         The String field is one or more octets, and contains the
2163	         identity of the LAT port to use. The LAT Architecture allows
2164	         this string to contain $ (dollar), - (hyphen), . (period), _
2165	         (underscore), numerics, upper and lower case alphabetics, and
2166	         the ISO Latin-1 character set extension. All LAT string
2167	         comparisons are case insensitive.

2169	3.34  Filter-Rule

2171	   Description

2173	      This Attribute provides filter rules that need to be configured on
2174	      the NAS for the user. It is used in the AA-Answer message and can
2175	      appear multiple times.

2177	      A summary of the Filter-Rule Attribute format is shown below. The
2178	      fields are transmitted from left to right.

2180	   AVP Format

2182	      0                   1                   2                   3
2183	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2184	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2185	      |                           AVP Code                            |
2186	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2187	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
2188	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2189	      |   String ...
2190	      +-+-+-+-+-+-+-+-+

2192	      Type

2194	         300 for Filter-Rule.

2196	      AVP Length

2198	         The length of this attribute MUST be at least 9.

2200	      AVP Flags

2202	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
2203	         upon the security model used. The 'V', 'T' and the 'P' bits
2204	         MUST NOT be set.

2206	      String

2208	         The String field MUST contain a filter rule in the following
2209	         format:  "permit (offset=value AND offset=value) OR
2210	         offset=value" or "deny (offset=value AND offset=value) OR
2211	         offset=value".

2213	3.35  Framed-Password-Policy

2215	   Description

2217	      This Attribute is used to indicate to a peer what types of
2218	      authentication are supported by the issuing DIAMETER peer. More
2219	      than one Framed-Password-Policy AVP MAY be present in the Domain-
2220	      Discovery-Answer message.

2222	      A summary of the User-Name Attribute format is shown below. The
2223	      fields are transmitted from left to right.

2225	   AVP Format

2227	      0                   1                   2                   3
2228	      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2229	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2230	      |                           AVP Code                            |
2231	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2232	      |          AVP Length           |     Reserved      |P|E|T|V|H|M|
2233	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2234	      |                           Integer32                           |
2235	      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

2237	      Type

2239	         301 for Framed-Password-Policy.

2241	      AVP Length

2243	         The length of this attribute MUST be 12.

2245	      AVP Flags

2247	         The 'M' bit MUST be set. The 'H' and 'E' MAY be set depending
2248	         upon the security model used. The 'V', 'T' and the 'P' bits
2249	         MUST NOT be set.

2251	      Integer32

2253	         The Integer32 field contains the supported authentication
2254	         schemes supported. The following values are supported:

2256	            PAP         1
2257	            CHAP        2
2258	            MS-CHAP     3
2259	            EAP         4
2260	            SPAP        5

2262	3.36  Table of Attributes

2264	   The following table provides a guide to which attributes may be found
2265	   in which kinds of packets, and in what quantity.

2267	              Success  Failed  AA-Chal  #    Attribute
2268	      AA-Req  AA-Answ  AA-Answ  Req
2269	       0-1      0-1       0      0      1   User-Name
2270	       0-1      0         0      0      2   User-Password [*1]
2271	       0-1      0         0      0      3   CHAP-Password [*1]
2272	       0-1      0         0      0      5   NAS-Port
2273	       0-1      0-1       0      0      6   Service-Type
2274	       0-1      0-1       0      0      7   Framed-Protocol
2275	       0-1      0-1       0      0      8   Framed-IP-Address
2276	       0-1      0-1       0      0      9   Framed-IP-Netmask
2277	       0        0-1       0      0     10   Framed-Routing
2278	       0        0+        0      0     11   Filter-Id
2279	       0        0-1       0      0     12   Framed-MTU
2280	       0+       0+        0      0     13   Framed-Compression
2281	       0+       0+        0      0     14   Login-IP-Host
2282	       0        0-1       0      0     15   Login-Service
2283	       0        0-1       0      0     16   Login-TCP-Port
2284	       0        0+        0+     0+    18   Reply-Message
2285	       0-1      0-1       0      0     19   Callback-Number
2286	       0        0-1       0      0     20   Callback-Id
2287	       0        0+        0      0     22   Framed-Route
2288	       0        0-1       0      0     23   Framed-IPX-Network
2289	       0        0-1       0      0-1   28   Idle-Timeout
2290	       0        0-1       0      0     29   Termination-Action
2291	       0-1      0         0      0     30   Called-Station-Id
2292	       0-1      0         0      0     31   Calling-Station-Id
2293	       0-1      0-1       0      0     34   Login-LAT-Service
2294	       0-1      0-1       0      0     35   Login-LAT-Node
2295	       0-1      0-1       0      0     36   Login-LAT-Group
2296	       0        0-1       0      0     37   Framed-AppleTalk-Link
2297	       0        0+        0      0     38   Framed-AppleTalk-Net.
2298	       0        0-1       0      0     39   Framed-AppleTalk-Zone
2299	       0-1      0         0      0     60   CHAP-Challenge
2300	       0-1      0         0      0     61   NAS-Port-Type
2301	       0-1      0-1       0      0     62   Port-Limit
2302	       0-1      0-1       0      0     63   Login-LAT-Port
2303	       0        0+        0      0    280   Filter-Rule
2304	       0        0         0      0    281   Framed-Password-Policy
2305	              Success  Failed  AA-Chal  #    Attribute
2306	      AA-Req  AA-Answ  AA-Answ  Req

2308	      [*1] An AA-Request MUST NOT contain both a User-Password and a
2309	      CHAP-Password AVP.

2311	      The following table defines the meaning of the above table
2312	      entries.

2314	          0     This attribute MUST NOT be present in packet.
2315	          0+    Zero or more instances of this attribute MAY be present
2316	                in packet.
2317	          0-1   Zero or one instance of this attribute MAY be present
2318	                in packet.
2319	          1     Exactly one instance of this attribute MUST be present

2321	         in
2322	                packet.

2324	4.0  Protocol Definition

2326	   This section will outline how the DIAMETER Authentication Extension
2327	   can be used.

2329	4.1  Feature Advertisement/Discovery

2331	   As defined in [2], the Reboot-Ind and Device-Feature-Query messages
2332	   can be used to inform a peer about locally supported DIAMETER
2333	   Extensions. In order to advertise support of this extension, the
2334	   Extension-Id AVP must be transmitted with a value of one (1).

2336	4.2  Authorization Procedure

2338	   This specification allows two different types of Authorization
2339	   procedures.  The first method is identical to the way RADIUS works
2340	   today and requires the AA-Request to contain the UserName as well as
2341	   either the Password or the CHAP-Password AVPs.

2343	   The second method is used by NASes that send AA-Request whenever they
2344	   receive an incoming call and want to get authorization from the
2345	   DIAMETER Server to answer the call. In this case the AA-Request
2346	   contains the NAS-IP-Address, the Calling-Station-Id and the Called-
2347	   Station-Id AVPs.

2349	   In this case the DIAMETER Server can lookup the combination of the
2350	   Calling-Station-Id and the Called-Station-Id in order to ensure that
2351	   the pair are authorized as per the local policy.

2353	4.3  Integration with Resource-Management

2355	   Document [10] specifies the Resource-Token AVP that is used to carry
2356	   information required for a DIAMETER server to rebuild its state
2357	   information in the event of a crash or some other event that would
2358	   cause the server to loose its state information.

2360	   When creating the Resource-Token AVP, the following AVPs MUST be
2361	   present, in addition to the AVPs listed in [10]; the UserName AVP,
2362	   the NAS-IP- Address, the NAS-Port. Any additional AVP MAY be included
2363	   if the AVP is a resource that is being managed (i.e. Framed-IP-
2364	   Address in the case where the DIAMETER Server is allocating IP
2365	   Addresses out of a centrally managed address pool).

2367	5.0  References

2369	    [1] Rigney, et alia, "RADIUS", RFC-2138, Livingston, April 1997
2370	    [2] Calhoun, Rubens, "DIAMETER Base Protocol",
2371	        draft-calhoun-diameter-08.txt, Work in Progress,
2372	        August 1999.
2373	    [3] Aboba, Beadles "The Network Access Identifier." RFC 2486.
2374	        January 1999.
2375	    [4] Aboba, Zorn, "Criteria for Evaluating Roaming Protocols",
2376	        RFC 2477, January 1999.
2377	    [5] Calhoun, Rubens, Aboba, "DIAMETER Extensible Authentication
2378	        Protocol Extensions", draft-calhoun-diameter-eap-03.txt,
2379	        Work in Progress, August 1999.
2380	    [6] W. Simpson, "PPP Challenge Handshake Authentication
2381	        Protocol (CHAP)", RFC 1994, August 1996.
2382	    [7] Jacobson, "Compressing TCP/IP headers for low-speed serial
2383	        links", RFC 1144, February 1990.
2384	    [8] ISO 8859. International Standard -- Information Processing --
2385	        8-bit Single-Byte Coded Graphic Character Sets -- Part 1: Latin
2386	        Alphabet No. 1, ISO 8859-1:1987.
2387	        <URL:http://www.iso.ch/cate/d16338.html>
2388	    [9] Sklower, Lloyd, McGregor, Carr, "The PPP Multilink Protocol
2389	        (MP)", RFC 1717, November 1994.
2390	    [10] Calhoun, Greene, "DIAMETER Resource Management Extension",
2391	         draft-calhoun-diameter-res-mgmt-02.txt, Work in Progress,
2392	         February 1999.
2393	    [11] Calhoun, Zorn, Pan, "DIAMETER Framework",
2394	         draft-calhoun-diameter-framework-02.txt, Work in Progress,
2395	         December 1998.
2396	    [12] S. Bradner, "Key words for use in RFCs to Indicate
2397	         Requirement Levels", BCP 14, RFC 2119, March 1997.
2398	    [13] P. Calhoun, W. Bulley, "DIAMETER Proxy Server Extensions",
2399	         draft-calhoun-diameter-proxy-02.txt, Work in Progress,
2400	         August 1999.

2402	6.0  Acknowledgements

2404	   The Author wishes to thank Carl Rigney since much of the text in the
2405	   document was shamefully copied from [1] as well as the following
2406	   people for their help in the development of this protocol:

2408	   Nancy Greene, Ryan Moats

2410	7.0  Authors' Addresses

2412	   Questions about this memo can be directed to:

2414	      Pat R. Calhoun
2415	      Network and Security Research Center, Sun Labs
2416	      Sun Microsystems, Inc.
2417	      15 Network Circle
2418	      Menlo Park, California, 94025
2419	      USA

2421	       Phone:  1-650-786-7733
2422	         Fax:  1-650-786-6445
2423	      E-mail:  pcalhoun@eng.sun.com

2425	      William Bulley
2426	      Merit Network, Inc.
2427	      4251 Plymouth Road, Suite C
2428	      Ann Arbor, Michigan, 48105-2785
2429	      USA

2431	       Phone:  1-734-764-9993
2432	         Fax:  1-734-647-3185
2433	      E-mail:  web@merit.edu

2435	8.0  Full Copyright Statement

2437	   Copyright (C) The Internet Society (1999).  All Rights Reserved.

2439	   This document and translations of it may be copied  and  furnished  to
2440	   others,  and  derivative works that comment on or otherwise explain it
2441	   or assist in its implmentation may be prepared, copied, published  and
2442	   distributed,  in  whole  or  in part, without restriction of any kind,
2443	   provided that the  above  copyright  notice  and  this  paragraph  are
2444	   included on all such copies and derivative works.  However, this docu-
2445	   ment itself may not be modified in any way, such as  by  removing  the
2446	   copyright notice or references to the Internet Society or other Inter-
2447	   net organizations, except as needed  for  the  purpose  of  developing
2448	   Internet standards in which case the procedures for copyrights defined
2449	   in the Internet Standards process must be followed, or as required  to
2450	   translate it into languages other than   English.  The limited permis-
2451	   sions granted above are perpetual and  will  not  be  revoked  by  the
2452	   Internet  Society or its successors or assigns.  This document and the
2453	   information contained herein is provided on an "AS IS" basis  and  THE
2454	   INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL
2455	   WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY  WAR-
2456	   RANTY  THAT  THE  USE  OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY
2457	   RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS  FOR  A
2458	   PARTICULAR PURPOSE."