idnits 2.17.1

draft-ietf-aaa-diameter-nasreq-12.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate. This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == There are 2 instances of lines with private range IPv4 addresses in the
     document. If these are generic example addresses, they should be changed
     to use any of the ranges defined in RFC 6890 (or successor): 192.0.2.x,
     198.51.100.x or 203.0.113.x.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year
  == Line 221 has weird spacing: '...inology use...'
  == Line 555 has weird spacing: '...ge that incl...'
  == Line 1594 has weird spacing: '...onveyed by ...'
  == Line 1922 has weird spacing: '...ent. If addit...'
  == Line 2110 has weird spacing: '...concise and ...'
  == (3 more instances...)
  == The document seems to lack the recommended RFC 2119 boilerplate, even if
     it appears to use RFC 2119 keywords. (The document does seem to have the
     reference to RFC 2119 which the ID-Checklist requires).
  == The expression 'MAY NOT', while looking like RFC 2119 requirements text,
     is not defined in RFC 2119, and should not be used. Consider using
     'MUST NOT' instead (if that is what you mean).

     Found 'MAY NOT' in this paragraph:

     The following tables present the AVPs used by NAS applications, in NAS
     messages, and specify in which Diameter messages they MAY, or MAY NOT be
     present. [Base] messages and AVPs are not described here. Note that AVPs
     that can only be present within a Grouped AVP are not represented in
     this table.

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008. If you
     have contacted all the original authors and they are all willing to
     grant the BCP78 rights to the IETF Trust, then this is fine, and you can
     ignore this comment. If not, you may need to add the pre-RFC5378
     disclaimer. (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)
  -- The document date (June 2003) is 7614 days in the past. Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'DiamTrans' is mentioned on line 199, but not defined
  == Missing Reference: 'NASmodel' is mentioned on line 226, but not defined
  == Missing Reference: 'RADIPV6' is mentioned on line 3059, but not defined
  == Unused Reference: 'AAATrans' is defined on line 2923, but no explicit
     reference was found in the text
  == Unused Reference: 'IANA' is defined on line 2947, but no explicit
     reference was found in the text
  == Unused Reference: 'NAI' is defined on line 2964, but no explicit
     reference was found in the text
  == Unused Reference: 'RADIUSIANA' is defined on line 2984, but no explicit
     reference was found in the text
  == Unused Reference: 'ExtRADPract' is defined on line 2987, but no explicit
     reference was found in the text
  == Unused Reference: 'NASModel' is defined on line 2990, but no explicit
     reference was found in the text
  == Unused Reference: 'CDMA2000' is defined on line 3019, but no explicit
     reference was found in the text
  == Unused Reference: 'TCPCompress' is defined on line 3023, but no explicit
     reference was found in the text
  == Unused Reference: 'L2F' is defined on line 3033, but no explicit
     reference was found in the text
  == Unused Reference: 'ATMP' is defined on line 3040, but no explicit
     reference was found in the text
  == Unused Reference: 'MSMPPE' is defined on line 3043, but no explicit
     reference was found in the text
  == Unused Reference: 'UTF-8' is defined on line 3046, but no explicit
     reference was found in the text
  -- Unexpected draft version: The latest known version of
     draft-ietf-aaa-diameter is -16, but you're referring to -17.
  -- Possible downref: Non-RFC (?) normative reference: ref. 'RADIUSTypes'
  ** Obsolete normative reference: RFC 2373 (ref. 'IPv6Addr') (Obsoleted by
     RFC 3513)
  ** Obsolete normative reference: RFC 2434 (ref. 'IANAConsid') (Obsoleted by
     RFC 5226)
  -- Possible downref: Non-RFC (?) normative reference: ref. 'IANA'
  -- Possible downref: Non-RFC (?) normative reference: ref. 'ISOLatin'
  -- Possible downref: Non-RFC (?) normative reference: ref. 'ANITypes'
  -- Obsolete informational reference (is this intentional?): RFC 2486 (ref.
     'NAI') (Obsoleted by RFC 4282)
  == Outdated reference: A later version (-10) exists of draft-ietf-aaa-eap-01
  == Outdated reference: A later version (-20) exists of
     draft-ietf-aaa-diameter-mobileip-14
  -- Obsolete informational reference (is this intentional?): RFC 1717 (ref.
     'PPPMP') (Obsoleted by RFC 1990)
  -- Obsolete informational reference (is this intentional?): RFC 2279 (ref.
     'UTF-8') (Obsoleted by RFC 3629)

     Summary: 3 errors (**), 0 flaws (~~), 27 warnings (==), 10 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

AAA Working Group                                         Pat R. Calhoun
Internet-Draft                                            Airespace Inc.
Category: Standards Track                                      Glen Zorn
                                                      Cisco Systems Inc.
                                                            David Spence
                                                 Interlink Networks Inc.
                                                            David Mitton
                                                          Circular Logic
                                                               June 2003

               Diameter Network Access Server Application
                  draft-ietf-aaa-diameter-nasreq-12.txt

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft
   Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This document is a product of the Authentication, Authorization and
   Accounting (AAA) Working Group of the Internet Engineering Task Force
   (IETF). Comments are welcome and should be submitted to the mailing
   list aaa-wg@merit.edu.

   Copyright (C) The Internet Society 2003. All Rights Reserved.

Abstract

   This document describes the Diameter protocol application used for
   Authentication, Authorization and Accounting (AAA) services in the
   Network Access Server (NAS) environment. This application
   specification, when combined with the Diameter Base protocol,
   Transport Profile, Extensible Authentication Protocol and CMS
   Security specifications, satisfies typical network access services
   requirements.

   Initial deployments of the Diameter protocol are expected to include
   legacy systems. Therefore, this application was carefully designed to
   ease the burden of protocol conversion between RADIUS and Diameter.
   This is achieved by including the RADIUS attribute space, and
   eliminating the need to perform many attribute translations.

Table of Contents

   1. Introduction
   1.1. Terminology
   1.2. Requirements Language
   1.3. Advertising Application Support
   2. NAS Calls, Ports, and Sessions
   2.1. Diameter Session Establishment
   2.2. Diameter Session Reauthentication or Reauthorization
   2.3. Diameter Session Termination
   3. NAS Messages
   3.1. AA-Request (AAR) Command
   3.2. AA-Answer (AAA) Command
   4. NAS Session AVPs
   4.1. Call and Session Information
   4.2. NAS-Port AVP
   4.3. NAS-Port-Id AVP
   4.4. NAS-Port-Type AVP
   4.5. Called-Station-Id AVP
   4.6. Calling-Station-Id AVP
   4.7. Connect-Info AVP
   4.8. Originating-Line-Info AVP
   4.9. Reply-Message AVP
   4.10. Termination-Action AVP
   5. NAS Authentication AVPs
   5.1. User-Password AVP
   5.2. Password-Retry AVP
   5.3. Prompt AVP
   5.4. CHAP-Auth AVP
   5.5. CHAP-Algorithm AVP
   5.6. CHAP-Ident AVP
   5.7. CHAP-Response AVP
   5.8. CHAP-Challenge AVP
   5.9. ARAP-Password AVP
   5.10. ARAP-Challenge-Response AVP
   5.11. ARAP-Security AVP
   5.12. ARAP-Security-Data AVP
   6. NAS Authorization AVPs
   6.1. Service-Type AVP
   6.2. Callback-Number AVP
   6.3. Callback-Id AVP
   6.4. Idle-Timeout AVP
   6.5. Port-Limit AVP
   6.6. NAS-Filter-Rule AVP
   6.7. Filter-Id AVP
   6.8. Configuration-Token AVP
   6.9. Framed Access Authorization AVPs
   6.9.1. Framed-Protocol AVP
   6.9.2. Framed-Routing AVP
   6.9.3. Framed-MTU AVP
   6.9.4. Framed-Compression AVP
   6.10. IP Access
   6.10.1. Framed-IP-Address AVP
   6.10.2. Framed-IP-Netmask AVP
   6.10.3. Framed-Route AVP
   6.10.4. Framed-Pool AVP
   6.10.5. Framed-Interface-Id AVP
   6.10.6. Framed-IPv6-Prefix AVP
   6.10.7. Framed-IPv6-Route AVP
   6.10.8. Framed-IPv6-Pool AVP
   6.11. IPX Access
   6.11.1. Framed-IPX-Network AVP
   6.12. Appletalk Access
   6.12.1. Framed-AppleTalk-Link AVP
   6.12.2. Framed-AppleTalk-Network AVP
   6.12.3. Framed-AppleTalk-Zone AVP
   6.13. ARAP Access
   6.13.1. ARAP-Features AVP
   6.13.2. ARAP-Zone-Access AVP
   6.14. Non-Framed Access Authorization AVPs
   6.14.1. Login-IP-Host AVP
   6.14.2. Login-IPv6-Host AVP
   6.14.3. Login-Service AVP
   6.15. TCP Services
   6.15.1. Login-TCP-Port AVP
   6.15.2. LAT Services
   6.15.3. Login-LAT-Service AVP
   6.15.4. Login-LAT-Node AVP
   6.15.5. Login-LAT-Group AVP
   6.15.6. Login-LAT-Port AVP
   7. NAS Tunneling
   7.1. Tunneling AVP
   7.2. Tunnel-Type AVP
   7.3. Tunnel-Medium-Type AVP
   7.4. Tunnel-Client-Endpoint AVP
   7.5. Tunnel-Server-Endpoint AVP
   7.6. Tunnel-Password AVP
   7.7. Tunnel-Private-Group-Id AVP
   7.8. Tunnel-Assignment-Id AVP
   7.9. Tunnel-Preference AVP
   7.10. Tunnel-Client-Auth-Id AVP
   7.11. Tunnel-Server-Auth-Id AVP
   8. NAS Accounting
   8.1. Accounting-Input-Octets AVP
   8.2. Accounting-Output-Octets AVP
   8.3. Accounting-Input-Packets AVP
   8.4. Accounting-Output-Packets AVP
   8.5. Acct-Session-Time AVP
   8.6. Acct-Authentic AVP
   8.7. Acct-Delay-Time
   8.8. Acct-Link-Count
   8.9. Acct-Tunnel-Connection AVP
   8.10. Acct-Tunnel-Packets-Lost AVP
   9. RADIUS/Diameter Protocol Interactions
   9.1. RADIUS Request Forwarded as Diameter Request
   9.2. Diameter Request Forwarded as RADIUS Request
   9.3. AVPs Used Only for Compatibility
   9.3.1. NAS-Identifier AVP
   9.3.2. NAS-IP-Address AVP
   9.3.3. NAS-IPv6-Address AVP
   9.3.4. State AVP
   9.3.5. Termination-Cause AVP Code Values
   9.4. Prohibited RADIUS Attributes
   9.5. Translatable Diameter AVPs
   9.6. RADIUS Vendor Specific Attributes
   9.6.1. Forwarding a Diameter Vendor AVP as a RADIUS VSA
   9.6.2. Forwarding a RADIUS VSA to a Diameter Vendor AVP
   10. AVP Occurrence Tables
   10.1. AA-Request/Answer AVP Table
   10.2. Accounting AVP Tables
   10.2.1. Accounting Framed Access AVP Table
   10.2.2. Accounting Non-Framed Access AVP Table
   11. IANA Considerations
   11.1. Command Codes
   11.2. AVP Codes
   11.3. Application Identifier
   11.4. CHAP-Algorithm AVP Values
   12. Security Considerations
   13. References
   13.1. Normative References
   13.2. Informative References
   14. Acknowledgements
   15. Authors' Addresses
   Intellectual Property Considerations
   Full Copyright Statement

1. Introduction

   This document describes the Diameter protocol application used for
   AAA in the Network Access Server (NAS) environment. This Diameter NAS
   application specification, when combined with the Diameter Base
   protocol [Base], Transport Profile [DiamTrans], EAP [DiamEAP], and
   CMS Security [DiamCMS] specifications, satisfies NAS-related
   requirements defined in RFC2989 [AAACriteria] and RFC3169
   [NASCriteria].

   Initial deployments of the Diameter protocol are expected to include
   legacy systems. Therefore, this application was carefully designed to
   ease the burden of protocol conversion between RADIUS and Diameter.
   This is achieved by including the RADIUS attribute space, and
   eliminating the need to perform many attribute translations.

   This document first describes the operation of a Diameter NAS
   application. Then it defines the Diameter message Command-Codes.
   The following sections enumerate the AVPs used in these messages,
   grouped by common usage: session identification, authentication,
   authorization, tunneling, and accounting. The authorization AVPs are
   further broken down by service type. Interaction and backwards
   compatibility issues with RADIUS are discussed in later sections.

1.1. Terminology

   The base Diameter [Base] specification Section 1.4 defines most of
   the terminology used in this document. Additionally, the following
   terms and acronyms are used in this application:

   NAS - Network Access Server; a device which provides an access
   service to a network. The service may be a network connection, or a
   value added service such as terminal emulation. [NASmodel]

   CMS - Cryptographic Message Syntax; a security method used in
   Diameter to secure AVPs. [DiamCMS]

   PPP - Point-to-Point Protocol; a multiprotocol serial datalink. PPP
   is the primary IP datalink used for dial-in NAS connection service.
   [STD51]

   CHAP - Challenge Handshake Authentication Protocol; an authentication
   process used in PPP. [PPPCHAP]

   PAP - Password Authentication Protocol; a deprecated PPP
   authentication process, still used for backwards compatibility.

   SLIP - Serial Line Internet Protocol; a serial datalink that only
   supports IP. An earlier design, prior to PPP.

   ARAP - Appletalk Remote Access Protocol; a serial datalink for
   accessing Appletalk networks.

   IPX - Internetwork Packet Exchange; the network protocol used by
   NetWare networks.

   LAT - Local Area Transport; a Digital Equipment Corp. LAN protocol
   for terminal services.

   VPN - Virtual Private Network; in this document it is used to
   describe access services which use tunneling methods.

1.2. Requirements Language

   In this document, the key words "MAY", "MUST", "MUST NOT",
   "OPTIONAL", "RECOMMENDED", "SHOULD", and "SHOULD NOT", are to be
   interpreted as described in [Keywords].

1.3. Advertising Application Support

   Diameter applications conforming to this specification MUST advertise
   support by including the value of one (1) in the Auth-Application-Id
   or the Acct-Application-Id AVP of the Capabilities-Exchange-Request
   and Capabilities-Exchange-Answer commands [Base].

2. NAS Calls, Ports, and Sessions

   The arrival of a new call or service connection at a port of a
   Network Access Server (NAS) starts a Diameter NAS message exchange.
   Information about the call, the identity of the user, and the user's
   authentication information are packaged into a Diameter AA-Request
   (AAR) message and sent to a server.

   The server processes the information and responds with a Diameter AA-
   Answer (AAA) message which contains authorization information for the
   NAS, or a failure code (Result-Code AVP).
   If the value of Result-Code is DIAMETER_MULTI_ROUND_AUTH, an
   additional authentication exchange is indicated, and several AAR and
   AAA messages may be exchanged until the transaction completes.

   The Diameter protocol allows authorization-only requests, selected by
   the Auth-Request-Type AVP, in which the client's request carries no
   authentication information. This capability goes beyond the Call
   Check capabilities described in Section 5.6 of [RADIUS] in that no
   access decision is requested. As a result, starting service on the
   strength of an answer to an authorization-only request would
   introduce a significant security vulnerability, since nobody has
   been authenticated.

   Since no equivalent capability exists in RADIUS, authorization-only
   requests from a NAS implementing Diameter may not be easily
   translated to an equivalent RADIUS message by a Diameter/RADIUS
   gateway. For example, where a Diameter authorization-only request
   cannot be translated to a RADIUS Call Check, it would be necessary
   for the Diameter/RADIUS gateway to add authentication information to
   the RADIUS Access-Request. On receiving the Access-Reply, the
   Diameter/RADIUS gateway would need to discard the access decision
   (Accept/Reject). It is not clear that these translations can be
   accomplished without adding significant security vulnerabilities.

2.1. Diameter Session Establishment

   When the authentication or authorization exchange completes
   successfully, the NAS application SHOULD start a session context. If
   the Result-Code of DIAMETER_MULTI_ROUND_AUTH is returned, the
   exchange continues until a success or error is returned.

   If accounting is active, the application MUST also send an Accounting
   message [Base]. An Accounting-Record-Type of START_RECORD is sent
   for a new session. If a session fails to start, an EVENT_RECORD
   message describing the reason for the failure is sent.
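   The exchange described in Section 2 and the accounting rules of
   Section 2.1, as an added example that is not part of this draft: a
   constructed Python model of a NAS and a Diameter server passing AAR
   and AAA messages as plain dictionaries (no wire encoding). It walks
   one DIAMETER_MULTI_ROUND_AUTH round (the server prompts through
   Reply-Message, the NAS echoes State and resends with the same
   Session-Id), emits START_RECORD on success and EVENT_RECORD on
   failure, and applies the Section 2 rule that a successful
   authorization-only answer never starts service. The two-step
   credential scheme, the user database and the host names are invented
   for the example. Authenticating the server's own State AVP with a MAC,
   so that a forged State cannot skip the first round, is a design choice
   of this example, not a requirement of the draft.

```python
import hashlib
import hmac
import os

# Result-Code values from the Diameter base protocol [Base].
DIAMETER_MULTI_ROUND_AUTH = 1001
DIAMETER_SUCCESS = 2001
DIAMETER_AUTHENTICATION_REJECTED = 4001

# Auth-Request-Type and Accounting-Record-Type values from [Base].
AUTHENTICATE_ONLY, AUTHORIZE_ONLY, AUTHORIZE_AUTHENTICATE = 1, 2, 3
EVENT_RECORD, START_RECORD = 1, 2


class DiameterServer:
    """Constructed server: a password round followed by a one-time-token round."""

    def __init__(self, users):
        self._users = users                 # user name -> (password, token); constructed data
        self._state_key = os.urandom(32)    # keys the MAC over the State AVP we hand out

    def _state(self, session_id, stage):
        # State is opaque to the NAS, which only has to echo it (Section 3.1).
        # A MAC bound to the Session-Id lets the server trust the stage on return.
        mac = hmac.new(self._state_key, f"{session_id}:{stage}".encode(), hashlib.sha256)
        return f"{stage}:{mac.hexdigest()}"

    def _stage(self, session_id, state):
        if state is None:
            return 0
        stage = state.partition(":")[0]
        if not hmac.compare_digest(state.encode(), self._state(session_id, stage).encode()):
            raise ValueError("State AVP was not issued for this session")
        return int(stage)

    def handle_aar(self, aar):
        sid, rtype = aar["Session-Id"], aar["Auth-Request-Type"]
        aaa = {"Session-Id": sid, "Auth-Request-Type": rtype}
        if rtype == AUTHORIZE_ONLY:
            # Nothing to verify: return authorization AVPs only (constructed Framed-MTU).
            aaa.update({"Result-Code": DIAMETER_SUCCESS, "Framed-MTU": 1500})
            return aaa
        creds = self._users.get(aar.get("User-Name"))
        try:
            stage = self._stage(sid, aar.get("State"))
        except ValueError:
            stage = None                    # forged or replayed State: falls through to reject
        if creds and stage == 0 and aar.get("User-Password") == creds[0]:
            aaa.update({"Result-Code": DIAMETER_MULTI_ROUND_AUTH,
                        "Reply-Message": "Enter token:", "State": self._state(sid, 1)})
        elif creds and stage == 1 and aar.get("User-Password") == creds[1]:
            aaa.update({"Result-Code": DIAMETER_SUCCESS, "Framed-MTU": 1500})
        else:
            aaa["Result-Code"] = DIAMETER_AUTHENTICATION_REJECTED
        return aaa


class NAS:
    """Constructed NAS side: drives the AAR/AAA exchange and decides whether service starts."""

    def __init__(self, server, prompt_user):
        self._server = server
        self._prompt_user = prompt_user     # shows Reply-Message to the user; returns reply or None
        self.service_started = False
        self.accounting = []                # (Accounting-Record-Type, detail) records we would send

    def access_request(self, session_id, rtype, user=None, password=None):
        aar = {"Session-Id": session_id, "Auth-Request-Type": rtype,
               "Origin-Host": "nas1.example.com", "NAS-Port": 7}   # constructed identity
        if user is not None:
            aar.update({"User-Name": user, "User-Password": password})
        while True:
            aaa = self._server.handle_aar(aar)
            if aaa["Result-Code"] != DIAMETER_MULTI_ROUND_AUTH:
                break
            reply = self._prompt_user(aaa.get("Reply-Message", ""))
            if reply is None:
                # Section 3.2: a client that cannot prompt MUST treat the answer as an error.
                aaa = {"Result-Code": DIAMETER_AUTHENTICATION_REJECTED}
                break
            # Section 3.1: same Session-Id, the user's reply as User-Password, State echoed.
            aar = {**aar, "User-Password": reply, "State": aaa["State"]}
        code = aaa["Result-Code"]
        if code == DIAMETER_SUCCESS and rtype != AUTHORIZE_ONLY:
            self.service_started = True
            self.accounting.append((START_RECORD, session_id))
        elif code != DIAMETER_SUCCESS:
            self.accounting.append((EVENT_RECORD, f"{session_id}: Result-Code {code}"))
        # A successful AUTHORIZE_ONLY answer carries no access decision (Section 2),
        # so service is deliberately left stopped in that case.
        return aaa


if __name__ == "__main__":
    server = DiameterServer({"alice": ("s3cret", "492816")})      # constructed credentials
    token_replies = iter(["492816"])
    nas = NAS(server, lambda prompt: next(token_replies, None))
    aaa = nas.access_request("nas1.example.com;1;1", AUTHORIZE_AUTHENTICATE, "alice", "s3cret")
    print(aaa["Result-Code"], nas.service_started, nas.accounting)
```

   The NAS never inspects the State value; it only echoes it, which is
   exactly why the server must not trust an unauthenticated State to tell
   it which round the client is in.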
   Note that the return of an unsupportable Accounting-Realtime-Required
   value [Base] would result in a failure to establish the session.

2.2. Diameter Session Reauthentication or Reauthorization

   The Diameter base protocol allows for users to be periodically
   reauthenticated and/or reauthorized. In such instances, the Session-
   Id AVP in the AAR message MUST be the same as the one present in the
   original authentication/authorization message.

   A Diameter server informs the NAS of the maximum time allowed before
   reauthentication or reauthorization via the Authorization-Lifetime
   AVP [Base]. A NAS MUST reauthenticate and/or reauthorize after the
   period provided by the Authorization-Lifetime AVP.

   Furthermore, it is possible for Diameter servers to issue unsolicited
   reauthentication and/or reauthorization requests (e.g., a Re-Auth-
   Request (RAR) message) to the NAS. Upon receipt of such a message,
   the NAS MUST respond to the request with a Re-Auth-Answer (RAA)
   message. If the Re-Auth-Request-Type is AUTHORIZE_ONLY, the message
   will contain AVPs to modify the current service. If the Re-Auth-
   Request-Type is AUTHORIZE_AUTHENTICATE, the NAS will reauthenticate
   the client, and send a new AAR message using the existing Session-Id.

   If accounting is active, every change of authentication or
   authorization MUST generate an Accounting-Record-Type of
   INTERIM_RECORD indicating the new session attributes and cumulative
   status.

2.3. Diameter Session Termination

   When a NAS receives an indication that a user's session is being
   disconnected (e.g., LCP Terminate is received), the NAS MUST issue a
   Session-Termination-Request (STR) [Base] to its Diameter Server. This
   will ensure that any resources maintained on the servers are freed
   appropriately.
   Further, a NAS that receives an Abort-Session-Request (ASR) [Base]
   MUST issue an STR if the session requested is active, and disconnect
   the PPP (or tunneling) session.

   Termination of the session context MUST cause the sending of an
   Accounting STOP_RECORD message [Base], if accounting is active.

   More information on Diameter Session Termination is in [Base] section
   8.4.

3. NAS Messages

   This section defines new Diameter message Command-Code [Base] values
   that MUST be supported by all Diameter implementations that conform
   to this specification. The Command Codes are:

   Command-Name          Abbrev.    Code      Reference
   --------------------------------------------------------
   AA-Request            AAR        265       3.1
   AA-Answer             AAA        265       3.2

3.1. AA-Request (AAR) Command

   The AA-Request message (AAR), indicated by the Command-Code field set
   to 265 and the 'R' bit set in the Command Flags field, is used in
   order to request authentication and/or authorization for a given NAS
   user. The type of request is identified through the Auth-Request-Type
   AVP, and the default mode is both authentication and authorization.

   If Authentication is requested, the User-Name attribute SHOULD be
   present, as well as any additional authentication AVPs that would
   carry the password information. A request for authorization only
   SHOULD include the information from which the authorization will be
   performed, such as the User-Name, Called-Station-Id, or Calling-
   Station-Id AVPs. All requests SHOULD contain AVPs uniquely
   identifying the source of the call, such as Origin-Host and NAS-
   Port. Certain networks MAY use different AVPs for authorization
   purposes. A request for authorization will include some AVPs defined
   in section 6.

   It is possible for a single session to be authorized first, then
   followed by an authentication request.
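   The AAR header and AVP layout that Section 3 and 3.1 describe, as an
   added example that is not part of this draft: a minimal Python
   encoder and bounds-checked decoder for the Diameter header
   (Command-Code 265 with the 'R' bit, Application-Id 1 per Section 1.3)
   and for the AVPs that 3.1 says SHOULD be present, followed by the
   receiver-side check a server should make: the AVP flag rules that the
   table in Section 4.1 gives for these AVPs (M set, V clear), and the
   [Base] rule that an unrecognized AVP carrying the M bit is a reason to
   reject rather than something to skip over. AVP codes below 256 are the
   RADIUS attribute space noted in Section 4. The host, realm and session
   identifiers are constructed; the NAS-Port-Type value 15 (Ethernet) is
   taken from Section 4.4.

```python
import struct

# Command Flags (Diameter header) and AVP Flags bits from [Base].
CMD_R, CMD_P = 0x80, 0x40
AVP_V, AVP_M, AVP_P = 0x80, 0x40, 0x20

AAR_COMMAND_CODE = 265          # Section 3
NASREQ_APPLICATION_ID = 1       # Section 1.3

# Code -> name for the AVPs this example understands. Codes 0-255 come from
# the RADIUS attribute space (Section 4); the others are [Base] AVPs.
KNOWN_AVPS = {
    1: "User-Name", 5: "NAS-Port", 30: "Called-Station-Id", 31: "Calling-Station-Id",
    61: "NAS-Port-Type", 258: "Auth-Application-Id", 263: "Session-Id",
    264: "Origin-Host", 274: "Auth-Request-Type", 283: "Destination-Realm",
    296: "Origin-Realm",
}


def encode_avp(code, value, flags=AVP_M, vendor_id=None):
    """One AVP: 4-byte code, 1-byte flags, 3-byte length, optional Vendor-Id, data padded to 4."""
    data = struct.pack("!I", value) if isinstance(value, int) else str(value).encode("utf-8")
    if vendor_id is not None:
        flags |= AVP_V
    header_len = 12 if flags & AVP_V else 8
    length = header_len + len(data)            # length excludes padding, per [Base]
    out = struct.pack("!I", code) + bytes([flags]) + length.to_bytes(3, "big")
    if flags & AVP_V:
        out += struct.pack("!I", vendor_id)
    return out + data + b"\x00" * (-len(data) % 4)


def encode_message(command_code, flags, app_id, hop_by_hop, end_to_end, avps):
    """20-byte Diameter header (version 1) followed by the encoded AVPs."""
    body = b"".join(avps)
    return (bytes([1]) + (20 + len(body)).to_bytes(3, "big") + bytes([flags]) +
            command_code.to_bytes(3, "big") +
            struct.pack("!III", app_id, hop_by_hop, end_to_end) + body)


def decode_avps(body):
    """Walk the AVP list, refusing lengths that would read past the buffer."""
    avps, offset = [], 0
    while offset < len(body):
        if len(body) - offset < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack("!IB", body[offset:offset + 5])
        length = int.from_bytes(body[offset + 5:offset + 8], "big")
        header_len = 12 if flags & AVP_V else 8
        if length < header_len or offset + length > len(body):
            raise ValueError(f"bad AVP length {length} for code {code}")
        vendor_id = struct.unpack("!I", body[offset + 8:offset + 12])[0] if flags & AVP_V else None
        avps.append((code, flags, vendor_id, body[offset + header_len:offset + length]))
        offset += length + (-length % 4)       # step over the padding too
    return avps


def decode_message(raw):
    if len(raw) < 20:
        raise ValueError("truncated Diameter header")
    length = int.from_bytes(raw[1:4], "big")
    if raw[0] != 1 or length != len(raw):
        raise ValueError("bad version or message length")
    app_id, hop_by_hop, end_to_end = struct.unpack("!III", raw[8:20])
    return {"flags": raw[4], "command_code": int.from_bytes(raw[5:8], "big"),
            "app_id": app_id, "avps": decode_avps(raw[20:length])}


def check_aar(msg):
    """Problems a receiver should reject on; an empty list means the AAR is acceptable."""
    problems = []
    if msg["command_code"] != AAR_COMMAND_CODE or not msg["flags"] & CMD_R:
        problems.append("not an AA-Request (Command-Code 265 with the R bit set)")
    if msg["app_id"] != NASREQ_APPLICATION_ID:
        problems.append("Application-Id is not 1 (NASREQ)")
    for code, flags, vendor_id, _ in msg["avps"]:
        name = KNOWN_AVPS.get(code)
        if name is None:
            if flags & AVP_M:
                # [Base]: an unrecognized AVP with M set must be rejected (DIAMETER_AVP_UNSUPPORTED).
                problems.append(f"unknown mandatory AVP {code}")
            continue                           # unknown, not mandatory: may be ignored
        if flags & AVP_V or vendor_id is not None:
            problems.append(f"{name}: V bit MUST NOT be set")
        if not flags & AVP_M:
            problems.append(f"{name}: M bit MUST be set")
    return problems


def build_sample_aar():
    """Constructed AAR carrying the AVPs Section 3.1 asks for; all values are made up."""
    avps = [
        encode_avp(263, "nas1.example.com;1;7"),   # Session-Id
        encode_avp(258, NASREQ_APPLICATION_ID),    # Auth-Application-Id
        encode_avp(264, "nas1.example.com"),       # Origin-Host
        encode_avp(296, "example.com"),            # Origin-Realm
        encode_avp(283, "example.com"),            # Destination-Realm
        encode_avp(274, 3),                        # Auth-Request-Type: AUTHORIZE_AUTHENTICATE
        encode_avp(5, 7),                          # NAS-Port
        encode_avp(61, 15),                        # NAS-Port-Type: Ethernet (Section 4.4)
        encode_avp(1, "alice"),                    # User-Name
    ]
    return encode_message(AAR_COMMAND_CODE, CMD_R | CMD_P, NASREQ_APPLICATION_ID, 1, 1, avps)
```

   The length check in decode_avps is the part worth copying: an AVP
   length larger than the remaining buffer, or smaller than its own
   header, is malformed input and the only safe response is to stop
   parsing.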
   This AA-Request message MAY be the result of a multi-round
   authentication exchange, which occurs when the AA-Answer message is
   received with the Result-Code AVP set to DIAMETER_MULTI_ROUND_AUTH. A
   subsequent AAR message SHOULD be sent, with the User-Password AVP
   that includes the user's response to the prompt, and MUST include any
   State AVPs that were present in the AAA message.

   Message Format

      <AA-Request> ::= < Diameter Header: 265, REQ, PXY >
                       < Session-Id >
                       { Auth-Application-Id }
                       { Origin-Host }
                       { Origin-Realm }
                       { Destination-Realm }
                       { Auth-Request-Type }
                       [ NAS-Port ]
                       [ NAS-Port-Id ]
                       [ Origin-State-Id ]
                       [ Destination-Host ]
                       [ NAS-Identifier ]
                       [ NAS-IP-Address ]
                       [ NAS-IPv6-Address ]
                       [ NAS-Port-Type ]
                       [ Port-Limit ]
                       [ User-Name ]
                       [ User-Password ]
                       [ Service-Type ]
                       [ State ]
                       [ Authorization-Lifetime ]
                       [ Auth-Grace-Period ]
                       [ Auth-Session-State ]
                       [ Callback-Number ]
                       [ Called-Station-Id ]
                       [ Calling-Station-Id ]
                       [ Originating-Line-Info ]
                       [ Connect-Info ]
                       [ CHAP-Auth ]
                       [ CHAP-Challenge ]
                     * [ Framed-Compression ]
                       [ Framed-Interface-Id ]
                       [ Framed-IP-Address ]
                     * [ Framed-IPv6-Prefix ]
                       [ Framed-IP-Netmask ]
                       [ Framed-MTU ]
                       [ Framed-Protocol ]
                       [ ARAP-Password ]
                       [ ARAP-Security ]
                     * [ ARAP-Security-Data ]
                     * [ Login-IP-Host ]
                     * [ Login-IPv6-Host ]
                       [ Login-LAT-Group ]
                       [ Login-LAT-Node ]
                       [ Login-LAT-Port ]
                       [ Login-LAT-Service ]
                     * [ Tunneling ]
                     * [ Proxy-Info ]
                     * [ Route-Record ]
                     * [ AVP ]

3.2. AA-Answer (AAA) Command

   The AA-Answer (AAA) message, indicated by the Command-Code field set
   to 265 and the 'R' bit cleared in the Command Flags field, is sent in
   response to the AA-Request message.
   If authorization was requested, a successful response will include
   the authorization AVPs appropriate for the service being provided, as
   defined in section 6.

   For authentication exchanges that require more than a single round
   trip, the server MUST set the Result-Code AVP to
   DIAMETER_MULTI_ROUND_AUTH. An AAA message with this result code MAY
   include one or more Reply-Message AVPs and MAY include zero or one
   State AVP.

   If the Reply-Message AVP was present, the network access server
   SHOULD send the text to the user's client for display to the user,
   instructing it to prompt the user for a response. For example, this
   capability can be achieved in PPP via PAP. If the access client is
   unable to prompt the user for a new response, it MUST treat the AA-
   Answer with the Reply-Message AVP as an error, and deny access.

   Message Format

      <AA-Answer> ::= < Diameter Header: 265, PXY >
                      < Session-Id >
                      { Auth-Application-Id }
                      { Auth-Request-Type }
                      { Result-Code }
                      { Origin-Host }
                      { Origin-Realm }
                      [ User-Name ]
                      [ Service-Type ]
                    * [ Class ]
                    * [ Configuration-Token ]
                      [ Acct-Interim-Interval ]
                      [ Error-Message ]
                      [ Error-Reporting-Host ]
                      [ Idle-Timeout ]
                      [ Authorization-Lifetime ]
                      [ Auth-Grace-Period ]
                      [ Auth-Session-State ]
                      [ Re-Auth-Request-Type ]
                      [ Session-Timeout ]
                      [ State ]
                    * [ Reply-Message ]
                      [ Termination-Action ]
                      [ Origin-State-Id ]
                    * [ Filter-Id ]
                      [ Password-Retry ]
                      [ Port-Limit ]
                      [ Prompt ]
                      [ ARAP-Challenge-Response ]
                      [ ARAP-Features ]
                      [ ARAP-Security ]
                    * [ ARAP-Security-Data ]
                      [ ARAP-Zone-Access ]
                      [ Callback-Id ]
                      [ Callback-Number ]
                      [ Framed-Appletalk-Link ]
                    * [ Framed-Appletalk-Network ]
                      [ Framed-Appletalk-Zone ]
                    * [ Framed-Compression ]
                      [ Framed-Interface-Id ]
                      [ Framed-IP-Address ]
                    * [ Framed-IPv6-Prefix ]
                      [ Framed-IPv6-Pool ]
                    * [ Framed-IPv6-Route ]
                      [ Framed-IP-Netmask ]
                    * [ Framed-Route ]
                      [ Framed-Pool ]
                      [ Framed-IPX-Network ]
                      [ Framed-MTU ]
                      [ Framed-Protocol ]
                      [ Framed-Routing ]
                    * [ Login-IP-Host ]
                    * [ Login-IPv6-Host ]
                      [ Login-LAT-Group ]
                      [ Login-LAT-Node ]
                      [ Login-LAT-Port ]
                      [ Login-LAT-Service ]
                      [ Login-Service ]
                      [ Login-TCP-Port ]
                    * [ NAS-Filter-Rule ]
                    * [ Tunneling ]
                    * [ Redirect-Host ]
                      [ Redirect-Host-Usage ]
                      [ Redirect-Max-Cache-Time ]
                    * [ Proxy-Info ]
                    * [ AVP ]

4. NAS Session AVPs

   Diameter reserves the AVP Codes 0-255 for RADIUS functions that are
   implemented in Diameter.

   AVPs new to Diameter have code values 256 and greater. A Diameter
   message that includes one of these AVPs may represent functions not
   present in the RADIUS environment and may cause interoperability
   issues should the request traverse an AAA system that only supports
   the RADIUS protocol.

   There are some RADIUS attributes that are not allowed or supported
   directly in Diameter. See section 9 below for more information.

4.1. Call and Session Information

   This section contains the AVPs specific to NAS Diameter applications
   that are needed to identify the call and session context and status
   information. On a request, this information allows the server to
   qualify the session.

   These AVPs are used in addition to the Base AVPs of:

      Session-Id
      Auth-Application-Id
      Origin-Host
      Origin-Realm
      Auth-Request-Type

   The following table describes the Session level AVPs, their AVP Code
   values, types, possible flag values and whether the AVP MAY be
   encrypted.
                                            +---------------------+
                                            |    AVP Flag rules   |
                                            |----+-----+----+-----|----+
                      AVP  Section          |    |     |SHLD| MUST|    |
   Attribute Name     Code Defined Value Type|MUST| MAY | NOT|  NOT|Encr|
   -----------------------------------------|----+-----+----+-----|----|
   NAS-Port            5   4.2  Unsigned32 | M  |  P  |    |  V  | Y  |
   NAS-Port-Id        87   4.3  UTF8String | M  |  P  |    |  V  | Y  |
   NAS-Port-Type      61   4.4  Enumerated | M  |  P  |    |  V  | Y  |
   Called-Station-Id  30   4.5  UTF8String | M  |  P  |    |  V  | Y  |
   Calling-Station-   31   4.6  UTF8String | M  |  P  |    |  V  | Y  |
     Id                                    |    |     |    |     |    |
   Connect-Info       77   4.7  UTF8String | M  |  P  |    |  V  | Y  |
   Originating-Line-  94   4.8  OctetString|    | M,P |    |  V  | Y  |
     Info                                  |    |     |    |     |    |
   Reply-Message      18   4.9  UTF8String | M  |  P  |    |  V  | Y  |
   Termination-       29   4.10 Enumerated | M  |  P  |    |  V  | Y  |
     Action                                |    |     |    |     |    |
   -----------------------------------------|----+-----+----+-----|----|

4.2. NAS-Port AVP

   The NAS-Port AVP (AVP Code 5) is of type Unsigned32 and contains the
   physical or virtual port number of the NAS which is authenticating
   the user.  Note that this is using "port" in its sense of a service
   connection on the NAS, not in the sense of an IP protocol identifier.

   Either NAS-Port or NAS-Port-Id (AVP Code 87) SHOULD be present in
   AA-Request commands if the NAS differentiates among its ports.

4.3. NAS-Port-Id AVP

   The NAS-Port-Id AVP (AVP Code 87) is of type UTF8String and consists
   of ASCII text that identifies the port of the NAS which is
   authenticating the user.  Note that this is using "port" in its sense
   of a service connection on the NAS, not in the sense of an IP
   protocol identifier.

   Either NAS-Port or NAS-Port-Id SHOULD be present in AA-Request
   commands if the NAS differentiates among its ports.  NAS-Port-Id is
   intended for use by NASes which cannot conveniently number their
   ports.

4.4. NAS-Port-Type AVP

   The NAS-Port-Type AVP (AVP Code 61) is of type Enumerated and
   contains the type of the port on which the NAS is authenticating the
   user.  This AVP SHOULD be present if the NAS uses the same NAS-Port
   number ranges for different service types concurrently.

   The supported values are defined in [RADIUSTypes].  The following
   list is informational:

       0  Async
       1  Sync
       2  ISDN Sync
       3  ISDN Async V.120
       4  ISDN Async V.110
       5  Virtual
       6  PIAFS
       7  HDLC Clear Channel
       8  X.25
       9  X.75
      10  G.3 Fax
      11  SDSL - Symmetric DSL
      12  ADSL-CAP - Asymmetric DSL, Carrierless Amplitude Phase
          Modulation
      13  ADSL-DMT - Asymmetric DSL, Discrete Multi-Tone
      14  IDSL - ISDN Digital Subscriber Line
      15  Ethernet
      16  xDSL - Digital Subscriber Line of unknown type
      17  Cable
      18  Wireless - Other
      19  Wireless - IEEE 802.11

4.5. Called-Station-Id AVP

   The Called-Station-Id AVP (AVP Code 30) is of type UTF8String, and
   allows the NAS to send in the request the ASCII string describing
   the layer 2 address that the user contacted.  For dialup access,
   this can be a phone number, obtained using Dialed Number
   Identification (DNIS) or a similar technology.  Note that this may be
   different from the phone number the call comes in on.  For use with
   IEEE 802 access, the Called-Station-Id MAY contain a MAC address,
   formatted as described in [RAD802.1X].  It SHOULD only be present in
   authentication and/or authorization requests.

   If the Auth-Request-Type AVP is set to authorization-only and the
   User-Name AVP is absent, the Diameter Server MAY perform
   authorization based on this field.  This can be used by a NAS to
   request whether a call should be answered based on the DNIS.

   The codification of the range of allowed usage of this field is
   outside the scope of this specification.

4.6. Calling-Station-Id AVP

   The Calling-Station-Id AVP (AVP Code 31) is of type UTF8String, and
   allows the NAS to send in the request the ASCII string describing
   the layer 2 address that the user connected from.  For dialup access,
   this is the phone number that the call came from, using Automatic
   Number Identification (ANI) or a similar technology.  For use with
   IEEE 802 access, the Calling-Station-Id AVP MAY contain a MAC
   address, formatted as described in [RAD802.1X].  It SHOULD only be
   present in authentication and/or authorization requests.

   If the Auth-Request-Type AVP is set to authorization-only and the
   User-Name AVP is absent, the Diameter Server MAY perform
   authorization based on this field.  This can be used by a NAS to
   request whether a call should be answered based on the layer 2
   address (ANI, MAC Address, etc.).  The codification of the range of
   allowed usage of this field is outside the scope of this
   specification.

4.7. Connect-Info AVP

   The Connect-Info AVP (AVP Code 77) is of type UTF8String and is sent
   in the AA-Request message or ACR STOP message.  When sent in the
   Access-Request it indicates the nature of the user's connection.  The
   connection speed SHOULD be included at the beginning of the first
   Connect-Info AVP in the message.  If the transmit and receive
   connection speeds differ, they may both be included in the first AVP
   with the transmit speed first (the speed the NAS modem transmits at),
   a slash (/), the receive speed, then optionally other information.

   For example, "28800 V42BIS/LAPM" or "52000/31200 V90"

   More than one Connect-Info attribute may be present in an
   Accounting-Request packet to accommodate expected efforts by ITU to
   have modems report more connection information in a standard format
   that might exceed 252 octets.
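The following is an added example, not text or code from the draft: it encodes and decodes AVPs in the Diameter wire format that the AA-Answer message format and the flag-rule table of section 4.1 above describe, checks a received AVP's flags against that table (M MUST be set, P MAY be set, V MUST NOT be set, with Originating-Line-Info as the exception where both M and P are MAY), and parses the Connect-Info speed string of section 4.7. The flag bit positions (V=0x80, M=0x40, P=0x20) and the 8-octet header with a 3-octet length and 4-octet padding come from the Diameter base protocol [Base]; the function names and the sample AVPs are this example's own.

```python
"""Diameter AVP codec plus NAS session AVP flag-rule check (added
example; names and sample data are constructed, not from the draft)."""
import struct

# AVP flag bits from the Diameter base protocol header.
FLAG_V = 0x80  # Vendor-Specific
FLAG_M = 0x40  # Mandatory
FLAG_P = 0x20  # end-to-end security ("protected")

# Flag rules from the section 4.1 table: name, MUST, MAY, MUST NOT.
SESSION_AVP_RULES = {
    5:  ("NAS-Port",              FLAG_M, FLAG_P,          FLAG_V),
    87: ("NAS-Port-Id",           FLAG_M, FLAG_P,          FLAG_V),
    61: ("NAS-Port-Type",         FLAG_M, FLAG_P,          FLAG_V),
    30: ("Called-Station-Id",     FLAG_M, FLAG_P,          FLAG_V),
    31: ("Calling-Station-Id",    FLAG_M, FLAG_P,          FLAG_V),
    77: ("Connect-Info",          FLAG_M, FLAG_P,          FLAG_V),
    94: ("Originating-Line-Info", 0,      FLAG_M | FLAG_P, FLAG_V),
    18: ("Reply-Message",         FLAG_M, FLAG_P,          FLAG_V),
    29: ("Termination-Action",    FLAG_M, FLAG_P,          FLAG_V),
}


def encode_avp(code, flags, data, vendor_id=None):
    """Build one AVP: 4-octet code, 1-octet flags, 3-octet length
    (header + data, padding excluded), optional Vendor-Id, then the
    data zero-padded to a 4-octet boundary."""
    if vendor_id is not None:
        flags |= FLAG_V
    header_len = 12 if vendor_id is not None else 8
    length = header_len + len(data)
    out = struct.pack("!I", code) + bytes([flags]) + length.to_bytes(3, "big")
    if vendor_id is not None:
        out += struct.pack("!I", vendor_id)
    return out + data + b"\x00" * ((-len(data)) % 4)


def decode_avps(buf):
    """Return [(code, flags, vendor_id, data), ...] for every AVP in buf,
    trusting only the length field and raising on truncation."""
    avps, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 8:
            raise ValueError("truncated AVP header")
        code = struct.unpack_from("!I", buf, pos)[0]
        flags = buf[pos + 4]
        length = int.from_bytes(buf[pos + 5:pos + 8], "big")
        header_len = 12 if flags & FLAG_V else 8
        if length < header_len or pos + length > len(buf):
            raise ValueError("bad AVP length")
        vendor_id = struct.unpack_from("!I", buf, pos + 8)[0] if flags & FLAG_V else None
        avps.append((code, flags, vendor_id, buf[pos + header_len:pos + length]))
        pos += length + ((-length) % 4)  # skip the padding as well
    return avps


def check_flags(code, flags):
    """None if the flags satisfy the section 4.1 table, else a reason."""
    if code not in SESSION_AVP_RULES:
        return "unknown AVP"
    name, must, may, must_not = SESSION_AVP_RULES[code]
    if flags & must != must:
        return f"{name}: required flag missing"
    if flags & must_not:
        return f"{name}: forbidden flag set"
    if flags & ~(must | may) & 0xFF:
        return f"{name}: unexpected flag set"
    return None


def parse_connect_info(text):
    """Split a Connect-Info string into (tx_speed, rx_speed, extra).
    A single speed applies to both directions."""
    first, _, extra = text.partition(" ")
    tx, _, rx = first.partition("/")
    return int(tx), int(rx) if rx else int(tx), extra


if __name__ == "__main__":
    # Constructed sample: NAS-Port, Reply-Message, then a vendor-specific
    # NAS-Port that the flag rules must reject (V is MUST NOT).
    wire = (encode_avp(5, FLAG_M, struct.pack("!I", 1))
            + encode_avp(18, FLAG_M, "Enter token:".encode())
            + encode_avp(5, FLAG_M, struct.pack("!I", 1), vendor_id=10415))
    for code, flags, vendor, data in decode_avps(wire):
        print(code, hex(flags), vendor, data, check_flags(code, flags))
    print(parse_connect_info("52000/31200 V90"))
```

The decoder advances by the length field plus padding rather than by the data it happened to see, and rejects a length shorter than the header or longer than the buffer; a receiver that trusts the length blindly is the usual source of out-of-bounds reads in AVP parsers.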
   If sent in the ACR STOP, this attribute may be used to summarize
   statistics relating to session quality.  For example, in IEEE 802.11,
   the Connect-Info attribute may contain information on the number of
   link layer retransmissions.  The exact format of this attribute is
   implementation specific.

4.8. Originating-Line-Info AVP

   The Originating-Line-Info AVP (AVP Code 94) is of type OctetString
   and is sent by the NAS system to convey information about the origin
   of the call from an SS7 system.

   The originating line information (OLI) information element indicates
   the nature and/or characteristics of the line from which a call
   originated (e.g. payphone, hotel, cellular).  Telephone companies are
   starting to offer OLI to their customers as an option over Primary
   Rate Interface (PRI).  Internet Service Providers (ISPs) can use OLI
   in addition to Called-Station-Id and Calling-Station-Id attributes to
   differentiate customer calls and define different services.

   The Value field contains two octets (00-99).  ANSI T1.113 and BELLCORE
   394 can be used for additional information about those values and
   their use.  For more information on current assignment values see
   [ANITypes].
   Value   Description
   ------------------------------------------------------------
   00      Plain Old Telephone Service (POTS)
   01      Multiparty line (more than 2)
   02      ANI Failure
   03      ANI Observed
   04      ONI Observed
   05      ANI Failure Observed
   06      Station Level Rating
   07      Special Operator Handling Required
   08      InterLATA Restricted
   10      Test Call
   20      Automatic Identified Outward Dialing (AIOD)
   23      Coin or Non-Coin
   24      Toll Free Service (Non-Pay origination)
   25      Toll Free Service (Pay origination)
   27      Toll Free Service (Coin Control origination)
   29      Prison/Inmate Service
   30-32   Intercept
     30    Intercept (blank)
     31    Intercept (trouble)
     32    Intercept (regular)
   34      Telco Operator Handled Call
   40-49   Unrestricted Use
   52      Outward Wide Area Telecommunications Service (OUTWATS)
   60      Telecommunications Relay Service (TRS) (Unrestricted)
   61      Cellular/Wireless PCS (Type 1)
   62      Cellular/Wireless PCS (Type 2)
   63      Cellular/Wireless PCS (Roaming)
   66      TRS (Hotel)
   67      TRS (Restricted)
   70      Pay Station, No coin control
   93      Access for private virtual network service

4.9. Reply-Message AVP

   The Reply-Message AVP (AVP Code 18) is of type UTF8String, and
   contains text which MAY be displayed to the user.  When used in an
   AA-Answer message with a successful Result-Code AVP it indicates a
   success message.  When found in the same message with a Result-Code
   other than DIAMETER_SUCCESS it contains a failure message.

   The Reply-Message AVP MAY indicate a dialog message to prompt the
   user before another AA-Request attempt.  When used in an AA-Answer,
   it MAY indicate a dialog message to prompt the user for a response.

   Multiple Reply-Message AVPs MAY be included and if any are displayed,
   they MUST be displayed in the same order as they appear in the
   message.

4.10. Termination-Action AVP

   The Termination-Action AVP is of type Enumerated and indicates what
   action the NAS should take when the specified service is completed.
   This AVP SHOULD only be present in authorization responses.  The
   following values are supported as listed in [RADIUSTypes]:

   DEFAULT 0
      Upon termination of the authorized service the NAS MUST
      terminate the current session.

   AA-REQUEST 1
      When the authorized service terminates, the NAS SHOULD NOT
      terminate the session or generate a Session-Termination-Request
      (STR) command.  Instead, it SHOULD generate a new AAR command
      which contains the same value of the Session-Id AVP it sent in
      the previous AAR command.  It SHOULD also include the State AVP
      from the previous AA-Answer (AAA) command, if it contained one.

   Note: The Termination-Action AVP is typically used for the login
   service (Service-Type = 1 or "Login") or by 802.1X supplicants
   [RAD802.1X] (e.g., NAS-Port-Type = 19 or "Wireless - IEEE 802.11").

   When used for the login service, the service typically terminates
   when the login host clears the connection.  The NAS may prompt the
   user for a new connection and issue a new AA-Request.  Accounting
   could use Accounting-Sub-Session-Ids to keep track of the different
   usage.

   When used by 802.1X supplicants, the service typically terminates due
   to the expiry of the Session-Timeout AVP.  The access device may then
   reauthenticate the user with a new AA-Request.  The RECOMMENDED way
   to do this in Diameter is to use just the Authorization-Lifetime AVP
   rather than Session-Timeout and Termination-Action AVPs.  However,
   the Termination-Action AVP MAY be present when copied from a RADIUS
   Access-Accept to a Diameter AA-Answer by a Translation Agent.

5. NAS Authentication AVPs

   This section defines the AVPs that are necessary to carry the
   authentication information in the Diameter protocol.
   The functionality defined here provides a RADIUS-like AAA service,
   over a more reliable and secure transport, as defined in the base
   protocol [Base].

   The following table describes the AVPs, their AVP Code values, types,
   possible flag values and whether the AVP MAY be encrypted.

                                            +---------------------+
                                            |    AVP Flag rules   |
                                            |----+-----+----+-----|----+
                      AVP  Section          |    |     |SHLD| MUST|    |
   Attribute Name     Code Defined Value Type|MUST| MAY | NOT|  NOT|Encr|
   -----------------------------------------|----+-----+----+-----|----|
   User-Password       2   5.1  OctetString| M  |  P  |    |  V  | Y  |
   Password-Retry     75   5.2  Unsigned32 | M  |  P  |    |  V  | Y  |
   Prompt             76   5.3  Enumerated | M  |  P  |    |  V  | Y  |
   CHAP-Auth         402   5.4  Grouped    | M  |  P  |    |  V  | Y  |
   CHAP-Algorithm    403   5.5  Enumerated | M  |  P  |    |  V  | Y  |
   CHAP-Ident        404   5.6  OctetString| M  |  P  |    |  V  | Y  |
   CHAP-Response     405   5.7  OctetString| M  |  P  |    |  V  | Y  |
   CHAP-Challenge     60   5.8  OctetString| M  |  P  |    |  V  | Y  |
   ARAP-Password      70   5.9  OctetString| M  |  P  |    |  V  | Y  |
   ARAP-Challenge-    84   5.10 OctetString| M  |  P  |    |  V  | Y  |
     Response                              |    |     |    |     |    |
   ARAP-Security      73   5.11 Unsigned32 | M  |  P  |    |  V  | Y  |
   ARAP-Security-     74   5.12 OctetString| M  |  P  |    |  V  | Y  |
     Data                                  |    |     |    |     |    |
   -----------------------------------------|----+-----+----+-----|----|

5.1. User-Password AVP

   The User-Password AVP (AVP Code 2) is of type OctetString and
   contains the password of the user to be authenticated, or the user's
   input in a multi-round authentication exchange.

   The User-Password AVP contains a user password or one-time password
   and therefore represents sensitive information.  As required in
   [Base], Diameter messages are encrypted using IPsec or TLS.
   Unless this AVP is used for one-time passwords, the User-Password
   AVP SHOULD NOT be used in untrusted proxy environments without
   encrypting it using end-to-end security techniques, such as CMS
   Security [DiamCMS].

   The clear-text password (prior to encryption) MUST NOT be longer than
   128 bytes in length.

5.2. Password-Retry AVP

   The Password-Retry AVP (AVP Code 75) is of type Unsigned32 and MAY be
   included in the AA-Answer if the Result-Code indicates an
   authentication failure.  The value of this AVP indicates how many
   authentication attempts a user may be permitted before being
   disconnected.  This AVP is primarily intended for use when the
   Framed-Protocol AVP (see Section 6.9.1) is set to ARAP.

5.3. Prompt AVP

   The Prompt AVP (AVP Code 76) is of type Enumerated, and MAY be
   present in the AA-Answer message.  When present, it is used by the
   NAS to determine whether the user's response, when entered, should be
   echoed.

   The supported values are listed in [RADIUSTypes].  The following list
   is informational:

      0  No Echo
      1  Echo

5.4. CHAP-Auth AVP

   The CHAP-Auth AVP (AVP Code 402) is of type Grouped and contains the
   information necessary to authenticate a user using the PPP
   Challenge-Handshake Authentication Protocol (CHAP) [PPPCHAP].  If the
   CHAP-Auth AVP is found in a message, the CHAP-Challenge AVP MUST be
   present as well.  The optional AVPs containing the CHAP response
   depend upon the value of the CHAP-Algorithm AVP.  The grouped AVP has
   the following ABNF grammar:

      CHAP-Auth ::= < AVP Header: 402 >
                    { CHAP-Algorithm }
                    { CHAP-Ident }
                    [ CHAP-Response ]
                  * [ AVP ]

5.5. CHAP-Algorithm AVP

   The CHAP-Algorithm AVP (AVP Code 403) is of type Enumerated and
   contains the algorithm identifier used in the computation of the CHAP
   response [PPPCHAP].
   The following values are currently supported:

   CHAP with MD5 5
      The CHAP response is computed using the procedure described in
      [PPPCHAP].  This algorithm requires that the CHAP-Response AVP
      MUST be present in the CHAP-Auth AVP.

5.6. CHAP-Ident AVP

   The CHAP-Ident AVP (AVP Code 404) is of type OctetString and contains
   the one octet CHAP Identifier used in the computation of the CHAP
   response [PPPCHAP].

5.7. CHAP-Response AVP

   The CHAP-Response AVP (AVP Code 405) is of type OctetString and
   contains the 16 octet authentication data provided by the user in
   response to the CHAP challenge [PPPCHAP].

5.8. CHAP-Challenge AVP

   The CHAP-Challenge AVP (AVP Code 60) is of type OctetString and
   contains the CHAP Challenge sent by the NAS to the CHAP peer
   [PPPCHAP].

5.9. ARAP-Password AVP

   The ARAP-Password AVP (AVP Code 70) is of type OctetString and is
   only present when the Framed-Protocol AVP (see Section 6.9.1) is
   included in the message and is set to ARAP.  This AVP MUST NOT be
   present if either the User-Password or the CHAP-Auth AVP is present.
   See [RADIUSExt] for more information on the contents of this AVP.

5.10. ARAP-Challenge-Response AVP

   The ARAP-Challenge-Response AVP (AVP Code 84) is of type OctetString
   and is only present when the Framed-Protocol AVP (see Section 6.9.1)
   is included in the message and is set to ARAP.  This AVP contains an
   8 octet response to the dial-in client's challenge.  The RADIUS
   server calculates this value by taking the dial-in client's challenge
   from the high order 8 octets of the ARAP-Password AVP and performing
   DES encryption on this value with the authenticating user's password
   as the key.  If the user's password is less than 8 octets in length,
   the password is padded at the end with NULL octets to a length of 8
   before using it as a key.

5.11. ARAP-Security AVP

   The ARAP-Security AVP (AVP Code 73) is of type Unsigned32, and MAY be
   present in the AA-Answer message if the Framed-Protocol AVP (see
   Section 6.9.1) is set to the value of ARAP, and the Result-Code AVP
   is set to DIAMETER_MULTI_ROUND_AUTH.  See [RADIUSExt] for more
   information on the format of this AVP.

5.12. ARAP-Security-Data AVP

   The ARAP-Security-Data AVP (AVP Code 74) is of type OctetString, and
   MAY be present in the AA-Request or AA-Answer message if the
   Framed-Protocol AVP is set to the value of ARAP, and the Result-Code
   AVP is set to DIAMETER_MULTI_ROUND_AUTH.  This AVP contains the
   security module challenge or response associated with the ARAP
   Security Module specified in ARAP-Security.

6. NAS Authorization AVPs

   This section contains the authorization AVPs that are supported in
   the NAS Application.  The Service-Type AVP SHOULD be present in all
   messages, and based on its value, additional AVPs defined in this
   section and section 7 MAY be present.

   Due to space constraints, the short form IPFiltrRule is used to
   represent IPFilterRule.
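The CHAP exchange that sections 5.4 through 5.8 above carry in the CHAP-Auth grouped AVP, as an added example that is not part of the draft: the peer's CHAP-Response for algorithm "CHAP with MD5" (value 5) is MD5 over the one-octet CHAP-Ident, the user's secret and the CHAP-Challenge, in that order, as [PPPCHAP] defines it; the Diameter server recomputes the digest from its stored secret and compares. The function names and the dictionary used to stand in for the grouped AVP are this example's own assumptions, not the draft's encoding.

```python
"""CHAP-with-MD5 response computation and server-side verification
(added example; names and sample values are constructed)."""
import hashlib
import hmac
import os

CHAP_MD5 = 5  # CHAP-Algorithm value "CHAP with MD5" (section 5.5)


def chap_md5_response(ident, secret, challenge):
    """ident: CHAP-Ident as an int (one octet); secret: the user's
    password bytes; challenge: CHAP-Challenge bytes.
    Returns the 16-octet CHAP-Response = MD5(ident || secret || challenge)."""
    if not 0 <= ident <= 255:
        raise ValueError("CHAP-Ident must fit in one octet")
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def build_chap_auth(ident, secret, challenge):
    """What a NAS places in CHAP-Auth for an MD5 peer.  The CHAP-Challenge
    itself travels in its own AVP, which MUST accompany CHAP-Auth."""
    return {
        "CHAP-Algorithm": CHAP_MD5,
        "CHAP-Ident": bytes([ident]),
        "CHAP-Response": chap_md5_response(ident, secret, challenge),
    }


def verify_chap_auth(chap_auth, challenge, stored_secret):
    """Server side.  True only if the algorithm is the supported one,
    CHAP-Ident is one octet, CHAP-Response is 16 octets and it matches
    the recomputation.  The comparison is constant-time so a wrong
    response does not leak how many leading octets were right."""
    if chap_auth.get("CHAP-Algorithm") != CHAP_MD5:
        return False
    ident = chap_auth.get("CHAP-Ident", b"")
    response = chap_auth.get("CHAP-Response", b"")
    if len(ident) != 1 or len(response) != 16:
        return False
    expected = chap_md5_response(ident[0], stored_secret, challenge)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    challenge = os.urandom(16)  # constructed: the NAS picks a fresh challenge
    req = build_chap_auth(7, b"correct horse", challenge)
    print(verify_chap_auth(req, challenge, b"correct horse"))      # True
    print(verify_chap_auth(req, challenge, b"wrong secret"))       # False
    print(verify_chap_auth(req, os.urandom(16), b"correct horse")) # False
```

The last call shows why the server must bind the response to the challenge it issued for this session rather than to any challenge the NAS reports: a response computed against an old challenge fails against a fresh one.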
                                            +---------------------+
                                            |    AVP Flag rules   |
                                            |----+-----+----+-----|----+
                      AVP  Section          |    |     |SHLD| MUST|    |
   Attribute Name     Code Defined Value Type|MUST| MAY | NOT|  NOT|Encr|
   -----------------------------------------|----+-----+----+-----|----|
   Service-Type        6   6.1    Enumerated | M  |  P  |    |  V  | Y  |
   Callback-Number    19   6.2    UTF8String | M  |  P  |    |  V  | Y  |
   Callback-Id        20   6.3    UTF8String | M  |  P  |    |  V  | Y  |
   Idle-Timeout       28   6.4    Unsigned32 | M  |  P  |    |  V  | Y  |
   Port-Limit         62   6.5    Unsigned32 | M  |  P  |    |  V  | Y  |
   NAS-Filter-Rule   400   6.6    IPFiltrRule| M  |  P  |    |  V  | Y  |
   Filter-Id          11   6.7    UTF8String | M  |  P  |    |  V  | Y  |
   Configuration-     78   6.8    OctetString| M  |     |    | P,V |    |
     Token                                   |    |     |    |     |    |
   Framed-Protocol     7   6.9.1  Enumerated | M  |  P  |    |  V  | Y  |
   Framed-Routing     10   6.9.2  Enumerated | M  |  P  |    |  V  | Y  |
   Framed-MTU         12   6.9.3  Unsigned32 | M  |  P  |    |  V  | Y  |
   Framed-            13   6.9.4  Enumerated | M  |  P  |    |  V  | Y  |
     Compression                             |    |     |    |     |    |
   Framed-IP-Address   8   6.10.1 OctetString| M  |  P  |    |  V  | Y  |
   Framed-IP-Netmask   9   6.10.2 OctetString| M  |  P  |    |  V  | Y  |
   Framed-Route       22   6.10.3 UTF8String | M  |  P  |    |  V  | Y  |
   Framed-Pool        88   6.10.4 OctetString| M  |  P  |    |  V  | Y  |
   Framed-            96   6.10.5 Unsigned64 | M  |  P  |    |  V  | Y  |
     Interface-Id                            |    |     |    |     |    |
   Framed-IPv6-       97   6.10.6 OctetString| M  |  P  |    |  V  | Y  |
     Prefix                                  |    |     |    |     |    |
   Framed-IPv6-       99   6.10.7 UTF8String | M  |  P  |    |  V  | Y  |
     Route                                   |    |     |    |     |    |
   Framed-IPv6-Pool  100   6.10.8 OctetString| M  |  P  |    |  V  | Y  |
   Framed-IPX-        23   6.11.1 UTF8String | M  |  P  |    |  V  | Y  |
     Network                                 |    |     |    |     |    |
   Framed-Appletalk-  37   6.12.1 Unsigned32 | M  |  P  |    |  V  | Y  |
     Link                                    |    |     |    |     |    |
   Framed-Appletalk-  38   6.12.2 Unsigned32 | M  |  P  |    |  V  | Y  |
     Network                                 |    |     |    |     |    |
   Framed-Appletalk-  39   6.12.3 OctetString| M  |  P  |    |  V  | Y  |
     Zone                                    |    |     |    |     |    |
   ARAP-Features      71   6.13.1 OctetString| M  |  P  |    |  V  | Y  |
   ARAP-Zone-Access   72   6.13.2 Enumerated | M  |  P  |    |  V  | Y  |
   Login-IP-Host      14   6.14.1 OctetString| M  |  P  |    |  V  | Y  |
   Login-IPv6-Host    98   6.14.2 OctetString| M  |  P  |    |  V  | Y  |
   Login-Service      15   6.14.3 Enumerated | M  |  P  |    |  V  | Y  |
   Login-TCP-Port     16   6.15.1 Unsigned32 | M  |  P  |    |  V  | Y  |
   Login-LAT-Service  34   6.16.1 OctetString| M  |  P  |    |  V  | Y  |
   Login-LAT-Node     35   6.16.2 OctetString| M  |  P  |    |  V  | Y  |
   Login-LAT-Group    36   6.16.3 OctetString| M  |  P  |    |  V  | Y  |
   Login-LAT-Port     63   6.16.4 OctetString| M  |  P  |    |  V  | Y  |
   -----------------------------------------|----+-----+----+-----|----|

6.1. Service-Type AVP

   The Service-Type AVP (AVP Code 6) is of type Enumerated and contains
   the type of service the user has requested, or the type of service to
   be provided.  One such AVP MAY be present in an authentication and/or
   authorization request or response.  A NAS is not required to
   implement all of these service types, and MUST treat unknown or
   unsupported Service-Types as a failure, and end the session with a
   DIAMETER_INVALID_AVP_VALUE Result-Code.

   When used in a request, the Service-Type AVP SHOULD be considered to
   be a hint to the server that the NAS has reason to believe the user
   would prefer the kind of service indicated, but the server is not
   required to honor the hint.  Furthermore, if the service specified by
   the server is supported, but not compatible with the current mode of
   access, the NAS MUST fail to start the session.  It MUST also
   generate the appropriate error message(s).

   The following values have been defined for the Service-Type AVP.  The
   complete list of defined values can be found in [RADIUS] and
   [RADIUSTypes].
   The following list is informational:

       1  Login
       2  Framed
       3  Callback Login
       4  Callback Framed
       5  Outbound
       6  Administrative
       7  NAS Prompt
       8  Authenticate Only
       9  Callback NAS Prompt
      10  Call Check
      11  Callback Administrative
      12  Voice
      13  Fax
      14  Modem Relay

   The following values are further qualified:

   Login 1
      The user should be connected to a host.  The message MAY include
      additional AVPs defined in sections 6.15 or 6.16.

   Framed 2
      A Framed Protocol should be started for the User, such as PPP
      or SLIP.  The message MAY include additional AVPs defined in
      sections 6.9, or 7 for tunneling services.

   Callback Login 3
      The user should be disconnected and called back, then connected
      to a host.  The message MAY include additional AVPs defined in
      this section.

   Callback Framed 4
      The user should be disconnected and called back, then a Framed
      Protocol should be started for the User, such as PPP or SLIP.
      The message MAY include additional AVPs defined in sections
      6.9, or 7 for tunneling services.

6.2. Callback-Number AVP

   The Callback-Number AVP (AVP Code 19) is of type UTF8String, and
   contains a dialing string to be used for callback.  It MAY be used in
   an authentication and/or authorization request as a hint to the
   server that a Callback service is desired, but the server is not
   required to honor the hint in the corresponding response.

   The codification of the range of allowed usage of this field is
   outside the scope of this specification.

6.3. Callback-Id AVP

   The Callback-Id AVP (AVP Code 20) is of type UTF8String, and contains
   the name of a place to be called, to be interpreted by the NAS.  This
   AVP MAY be present in an authentication and/or authorization
   response.

   This AVP is not roaming-friendly since it assumes that the
   Callback-Id is configured on the NAS.
   It is therefore preferable to use the Callback-Number AVP instead.

6.4. Idle-Timeout AVP

   The Idle-Timeout AVP (AVP Code 28) is of type Unsigned32 and sets the
   maximum number of consecutive seconds of idle connection allowed to
   the user before termination of the session or prompt.  It MAY be used
   in an authentication and/or authorization request (or challenge) as a
   hint to the server that an idle timeout is desired, but the server is
   not required to honor the hint in the corresponding response.  The
   default is none, or system specific.

6.5. Port-Limit AVP

   The Port-Limit AVP (AVP Code 62) is of type Unsigned32 and sets the
   maximum number of ports to be provided to the user by the NAS.  It
   MAY be used in an authentication and/or authorization request as a
   hint to the server that multilink PPP [PPPMP] service is desired, but
   the server is not required to honor the hint in the corresponding
   response.

6.6. NAS-Filter-Rule AVP

   The NAS-Filter-Rule AVP (AVP Code 400) is of type IPFilterRule, and
   provides filter rules that need to be configured on the NAS for the
   user.  One or more such AVPs MAY be present in an authorization
   response.

6.7. Filter-Id AVP

   The Filter-Id AVP (AVP Code 11) is of type UTF8String, and contains
   the name of the filter list for this user.  Zero or more Filter-Id
   AVPs MAY be sent in an authorization answer.

   Identifying a filter list by name allows the filter to be used on
   different NASes without regard to filter-list implementation details.
   However, this AVP is not roaming friendly since filter naming differs
   from one service provider to another.

   In non-RADIUS environments, it is RECOMMENDED that the
   NAS-Filter-Rule AVP be used instead.

6.8. Configuration-Token AVP

   The Configuration-Token AVP (AVP Code 78) is of type OctetString and
   is sent by a Diameter Server to a Diameter Proxy Agent or Translation
   Agent in an AA-Answer command to indicate a type of user profile to
   be used.  It should not be sent to a Diameter Client (NAS).

   The format of the Data field of this AVP is site specific.

6.9. Framed Access Authorization AVPs

   This section contains the authorization AVPs that are necessary to
   support framed access, such as PPP, SLIP, etc.  AVPs defined in this
   section MAY be present in a message if the Service-Type AVP was set
   to "Framed" or "Callback Framed".

6.9.1. Framed-Protocol AVP

   The Framed-Protocol AVP (AVP Code 7) is of type Enumerated and
   contains the framing to be used for framed access.  This AVP MAY be
   present in both requests and responses.  The supported values are
   listed in [RADIUSTypes].  The following list is informational:

      1  PPP
      2  SLIP
      3  AppleTalk Remote Access Protocol (ARAP)
      4  Gandalf proprietary SingleLink/MultiLink protocol
      5  Xylogics proprietary IPX/SLIP
      6  X.75 Synchronous

6.9.2. Framed-Routing AVP

   The Framed-Routing AVP (AVP Code 10) is of type Enumerated and
   contains the routing method for the user, when the user is a router
   to a network.  This AVP SHOULD only be present in authorization
   responses.  The supported values are listed in [RADIUSTypes].  The
   following list is informational:

      0  None
      1  Send routing packets
      2  Listen for routing packets
      3  Send and Listen

6.9.3. Framed-MTU AVP

   The Framed-MTU AVP (AVP Code 12) is of type Unsigned32 and contains
   the Maximum Transmission Unit to be configured for the user, when it
   is not negotiated by some other means (such as PPP).  This AVP SHOULD
   only be present in authorization responses.  The MTU value MUST be in
   the range 64 to 65535.

6.9.4. Framed-Compression AVP

   The Framed-Compression AVP (AVP Code 13) is of type Enumerated and
   contains the compression protocol to be used for the link.  It MAY be
   used in an authorization request as a hint to the server that a
   specific compression type is desired, but the server is not required
   to honor the hint in the corresponding response.

   More than one compression protocol AVP MAY be sent.  It is the
   responsibility of the NAS to apply the proper compression protocol to
   appropriate link traffic.

   The supported values are listed in [RADIUSTypes].  The following list
   is informational:

      0  None
      1  VJ TCP/IP header compression
      2  IPX header compression
      3  Stac-LZS compression

6.10. IP Access

   The AVPs defined in this section are used when the user requests, or
   is being granted, access to IP.  They are only present if the
   Framed-Protocol AVP (see Section 6.9.1) is set to PPP, SLIP, Gandalf
   proprietary SingleLink/MultiLink protocol, or X.75 Synchronous.

6.10.1. Framed-IP-Address AVP

   The Framed-IP-Address AVP (AVP Code 8) [RADIUS] is of type
   OctetString and contains an IPv4 address, of the type specified in
   the attribute value, to be configured for the user.  It MAY be used
   in an authorization request as a hint to the server that a specific
   address is desired, but the server is not required to honor the hint
   in the corresponding response.

   Two IPv4 addresses have special significance: 0xFFFFFFFF and
   0xFFFFFFFE.  The value 0xFFFFFFFF indicates that the NAS should allow
   the user to select an address (e.g. Negotiated).  The value
   0xFFFFFFFE indicates that the NAS should select an address for the
   user (e.g. Assigned from a pool of addresses kept by the NAS).

6.10.2. Framed-IP-Netmask AVP

   The Framed-IP-Netmask AVP (AVP Code 9) is of type OctetString and
   contains the four octets of the IPv4 netmask to be configured for the
   user when the user is a router to a network.  It MAY be used in an
   authorization request as a hint to the server that a specific netmask
   is desired, but the server is not required to honor the hint in the
   corresponding response.  This AVP MUST be present in a response if
   the request included this AVP with a value of 0xFFFFFFFF.

6.10.3. Framed-Route AVP

   The Framed-Route AVP (AVP Code 22) is of type UTF8String, and
   contains the ASCII routing information to be configured for the user
   on the NAS.  Zero or more such AVPs MAY be present in an
   authorization response.

   The string MUST contain a destination prefix in dotted quad form
   optionally followed by a slash and a decimal length specifier stating
   how many high order bits of the prefix should be used.  That is
   followed by a space, a gateway address in dotted quad form, a space,
   and one or more metrics separated by spaces.  For example,
   "192.168.1.0/24 192.168.1.1 1".

   The length specifier may be omitted in which case it should default
   to 8 bits for class A prefixes, 16 bits for class B prefixes, and 24
   bits for class C prefixes.  For example, "192.168.1.0 192.168.1.1 1".

   Whenever the gateway address is specified as "0.0.0.0" the IP address
   of the user SHOULD be used as the gateway address.

6.10.4. Framed-Pool AVP

   The Framed-Pool AVP (AVP Code 88) is of type OctetString and contains
   the name of an assigned address pool that SHOULD be used to assign an
   address for the user.  If a NAS does not support multiple address
   pools, the NAS SHOULD ignore this AVP.  Address pools are usually
   used for IP addresses, but can be used for other protocols if the NAS
   supports pools for those protocols.
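How a NAS would interpret the Framed-IP-Address special values of section 6.10.1 and the Framed-Route string of section 6.10.3 above, as an added example that is not part of the draft: the parser applies the classful default prefix length when the "/len" specifier is omitted, substitutes the user's own address for a "0.0.0.0" gateway, and rejects strings that lack a metric. Function names and the 192.0.2.x sample addresses are this example's own assumptions; the 192.168.1.x strings are the draft's examples.

```python
"""Framed-IP-Address and Framed-Route interpretation for a NAS
(added example; names and sample values are constructed)."""
import ipaddress

NEGOTIATED = 0xFFFFFFFF  # user may select its own address
ASSIGNED = 0xFFFFFFFE    # NAS assigns from its own pool


def interpret_framed_ip_address(data):
    """data: the 4-octet OctetString value.  Returns ('negotiate', None),
    ('assign', None) or ('fixed', IPv4Address)."""
    if len(data) != 4:
        raise ValueError("Framed-IP-Address must be 4 octets")
    value = int.from_bytes(data, "big")
    if value == NEGOTIATED:
        return ("negotiate", None)
    if value == ASSIGNED:
        return ("assign", None)
    return ("fixed", ipaddress.IPv4Address(value))


def classful_prefix_length(first_octet):
    """Default length when '/len' is omitted (section 6.10.3)."""
    if first_octet < 128:
        return 8    # class A
    if first_octet < 192:
        return 16   # class B
    if first_octet < 224:
        return 24   # class C
    raise ValueError("no classful default for class D/E prefixes")


def parse_framed_route(text, user_address):
    """Parse 'prefix[/len] gateway metric [metric ...]'.
    user_address (dotted quad string) replaces a gateway of 0.0.0.0."""
    fields = text.split()
    if len(fields) < 3:
        raise ValueError("Framed-Route needs prefix, gateway and a metric")
    dest, gateway, *metrics = fields
    if "/" in dest:
        addr, plen = dest.split("/", 1)
        plen = int(plen)
    else:
        addr = dest
        plen = classful_prefix_length(int(addr.split(".")[0]))
    # strict=False tolerates host bits set in the prefix, as a NAS would.
    network = ipaddress.IPv4Network((addr, plen), strict=False)
    gw = ipaddress.IPv4Address(gateway)
    if gw == ipaddress.IPv4Address("0.0.0.0"):
        gw = ipaddress.IPv4Address(user_address)
    return {"network": network, "gateway": gw,
            "metrics": [int(m) for m in metrics]}


if __name__ == "__main__":
    user = "192.0.2.10"  # constructed sample: the address given to this user
    print(parse_framed_route("192.168.1.0/24 192.168.1.1 1", user))
    print(parse_framed_route("192.168.1.0 192.168.1.1 1", user))
    print(parse_framed_route("10.0.0.0 0.0.0.0 1", user))
    print(interpret_framed_ip_address(b"\xff\xff\xff\xfe"))
```

A NAS that installs routes from this AVP is trusting the server with its routing table, so the parser refuses malformed input outright rather than guessing; a route with no metric or an unparseable gateway raises instead of installing a partial entry.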
1293 Although specified as type OctetString for compatibility with RADIUS 1294 [RADIUSExt], the encoding of the Data field SHOULD also conform to 1295 the rules for the UTF8String Data Format. 1297 6.10.5. Framed-Interface-Id AVP 1299 The Framed-Interface-Id AVP (AVP Code 96) is of type Unsigned64 and 1300 contains the IPv6 interface identifier to be configured for the user. 1301 It MAY be used in authorization requests as a hint to the server that 1302 a specific interface id is desired, but the server is not required to 1303 honor the hint in the corresponding response. 1305 6.10.6. Framed-IPv6-Prefix AVP 1307 The Framed-IPv6-Prefix AVP (AVP Code 97) is of type OctetString and 1308 contains the IPv6 prefix to be configured for the user. One or more 1309 AVPs MAY be used in authorization requests as a hint to the server 1310 that a specific IPv6 prefixes are desired, but the server is not 1311 required to honor the hint in the corresponding response. 1313 6.10.7. Framed-IPv6-Route AVP 1315 The Framed-IPv6-Route AVP (AVP Code 99) is of type UTF8String, and 1316 contains the ASCII routing information to be configured for the user 1317 on the NAS. Zero or more such AVPs MAY be present in an authorization 1318 response. 1320 The string MUST contain an IPv6 address prefix followed by a slash 1321 and a decimal length specifier stating how many high order bits of 1322 the prefix should be used. That is followed by a space, a gateway 1323 address in hexadecimal notation, a space, and one or more metrics 1324 separated by spaces. For example: 1326 "2000:0:0:106::/64 2000::106:a00:20ff:fe99:a998 1". 1328 Whenever the gateway address is the IPv6 unspecified address the IP 1329 address of the user SHOULD be used as the gateway address, such as: 1330 "2000:0:0:106::/64 :: 1". 1332 6.10.8. 
Framed-IPv6-Pool AVP 1334 The Framed-IPv6-Pool AVP (AVP Code 100) is of type OctetString, and 1335 contains the name of an assigned pool that SHOULD be used to assign 1336 an IPv6 prefix for the user. If the access device does not support 1337 multiple prefix pools, it MUST ignore this AVP. 1339 Although specified as type OctetString for compatibility with RADIUS 1340 [RADIUSIPv6], the encoding of the Data field SHOULD also conform to 1341 the rules for the UTF8String Data Format. 1343 6.11. IPX Access 1345 The AVPs defined in this section are used when the user requests, or 1346 is being granted, access to IPX. They are only present if the Framed- 1347 Protocol AVP (see Section 6.9.1) is set to PPP, Xylogics proprietary 1348 IPX/SLIP, Gandalf proprietary SingleLink/MultiLink protocol, or X.75 1349 Synchronous. 1351 6.11.1. Framed-IPX-Network AVP 1353 The Framed-IPX-Network AVP (AVP Code 23) is of type UTF8String, and 1354 contains the IPX Network number to be configured for the user. It MAY 1355 be used in an authorization request as a hint to the server that a 1356 specific address is desired, but the server is not required to honor 1357 the hint in the corresponding response. 1359 Two addresses have special significance: 0xFFFFFFFF and 0xFFFFFFFE. 1360 The value 0xFFFFFFFF indicates that the NAS should allow the user to 1361 select an address (e.g. Negotiated). The value 0xFFFFFFFE indicates 1362 that the NAS should select an address for the user (e.g. assigned 1363 from a pool of one or more IPX networks kept by the NAS). 1365 6.12. Appletalk Access 1367 The AVPs defined in this section are used when the user requests, or 1368 is being granted, access to Appletalk. They are only present if the 1369 Framed-Protocol AVP (see Section 6.9.1) is set to PPP, Gandalf 1370 proprietary SingleLink/MultiLink protocol, or X.75 Synchronous. 1372 6.12.1.
Framed-AppleTalk-Link AVP 1374 The Framed-AppleTalk-Link AVP (AVP Code 37) is of type Unsigned32 and 1375 contains the AppleTalk network number which should be used for the 1376 serial link to the user, which is another AppleTalk router. This AVP 1377 MUST only be present in an authorization response and is never used 1378 when the user is not another router. 1380 Despite the size of the field, values range from zero to 65535. The 1381 special value of zero indicates that this is an unnumbered serial 1382 link. A value of one to 65535 means that the serial line between the 1383 NAS and the user should be assigned that value as an AppleTalk 1384 network number. 1386 6.12.2. Framed-AppleTalk-Network AVP 1388 The Framed-AppleTalk-Network AVP (AVP Code 38) is of type Unsigned32 1389 and contains the AppleTalk Network number which the NAS should probe 1390 to allocate an AppleTalk node for the user. This AVP MUST only be 1391 present in an authorization response and is never used when the user 1392 is another router (a router is configured with Framed-AppleTalk-Link instead). Multiple instances of this AVP indicate that 1393 the NAS may probe using any of the network numbers specified. 1395 Despite the size of the field, values range from zero to 65535. The 1396 special value zero indicates that the NAS should assign a network for 1397 the user, using its default cable range. A value between one and 1398 65535 (inclusive) indicates the AppleTalk Network the NAS should 1399 probe to find an address for the user. 1401 6.12.3. Framed-AppleTalk-Zone AVP 1403 The Framed-AppleTalk-Zone AVP (AVP Code 39) is of type OctetString 1404 and contains the AppleTalk Default Zone to be used for this user. 1405 This AVP MUST only be present in an authorization response. Multiple 1406 instances of this AVP in the same message are not allowed. 1408 The codification of the range of allowed usage of this field is 1409 outside the scope of this specification. 1411 6.13.
ARAP Access 1413 The AVPs defined in this section are used when the user requests, or 1414 is being granted, access to ARAP. They are only present if the 1415 Framed-Protocol AVP (see Section 6.9.1) is set to AppleTalk Remote 1416 Access Protocol (ARAP). 1418 6.13.1. ARAP-Features AVP 1420 The ARAP-Features AVP (AVP Code 71) is of type OctetString, and MAY 1421 be present in the AA-Answer message if the Framed-Protocol AVP is set 1422 to the value of ARAP. See [RADIUSExt] for more information on the 1423 format of this AVP. 1425 6.13.2. ARAP-Zone-Access AVP 1427 The ARAP-Zone-Access AVP (AVP Code 72) is of type Enumerated, and MAY 1428 be present in the AA-Answer message if the Framed-Protocol AVP is set 1429 to the value of ARAP. 1431 The supported values are listed in [RADIUSTypes], and are defined in 1432 [RADIUSExt]. 1434 6.14. Non-Framed Access Authorization AVPs 1436 This section contains the authorization AVPs that are needed to 1437 support terminal server functionality. AVPs defined in this section 1438 MAY be present in a message if the Service-Type AVP was set to 1439 "Login" or "Callback Login". 1441 6.14.1. Login-IP-Host AVP 1443 The Login-IP-Host AVP (AVP Code 14) [RADIUS] is of type OctetString 1444 and contains the IPv4 address of a host with which to connect the 1445 user when the Login-Service AVP is included. It MAY be used in an 1446 AA-Request command as a hint to the Diameter Server that a specific 1447 host is desired, but the Diameter Server is not required to honor the 1448 hint in the AA-Answer. 1450 Two addresses have special significance: all ones and 0. The value 1451 of all ones indicates that the NAS SHOULD allow the user to select an 1452 address. The value 0 indicates that the NAS SHOULD select a host to 1453 connect the user to. 1455 6.14.2.
Login-IPv6-Host AVP 1457 The Login-IPv6-Host AVP (AVP Code 98) [RADIUSIPv6] is of type 1458 OctetString and contains the IPv6 address of a host with which to 1459 connect the user when the Login-Service AVP is included. It MAY be 1460 used in an AA-Request command as a hint to the Diameter Server that a 1461 specific host is desired, but the Diameter Server is not required to 1462 honor the hint in the AA-Answer. 1464 Two addresses have special significance: 1465 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF and 0. The value 1466 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF indicates that the NAS SHOULD 1467 allow the user to select an address. The value 0 indicates that the 1468 NAS SHOULD select a host to connect the user to. 1470 6.14.3. Login-Service AVP 1472 The Login-Service AVP (AVP Code 15) is of type Enumerated and 1473 contains the service which should be used to connect the user to the 1474 login host. This AVP SHOULD only be present in authorization 1475 responses. 1477 The supported values are listed in [RADIUSTypes]. The following list 1478 is informational: 1480 0 Telnet 1481 1 Rlogin 1482 2 TCP Clear 1483 3 PortMaster (proprietary) 1484 4 LAT 1485 5 X25-PAD 1486 6 X25-T3POS 1487 8 TCP Clear Quiet (suppresses any NAS-generated connect 1488 string) 1490 6.15. TCP Services 1492 The AVPs described in this section MAY be present if the Login- 1493 Service AVP is set to Telnet, Rlogin, TCP Clear or TCP Clear Quiet. 1495 6.15.1. Login-TCP-Port AVP 1497 The Login-TCP-Port AVP (AVP Code 16) is of type Unsigned32 and 1498 contains the TCP port with which the user is to be connected, when 1499 the Login-Service AVP is also present. This AVP SHOULD only be 1500 present in authorization responses. The value MUST NOT be greater 1501 than 65535. 1503 6.15.2. LAT Services 1505 The AVP described in this section MAY be present if the Login-Service 1506 AVP is set to LAT. 1508 6.15.3. 
Login-LAT-Service AVP 1510 The Login-LAT-Service AVP (AVP Code 34) is of type OctetString and 1511 contains the system with which the user is to be connected by LAT. It 1512 MAY be used in an authorization request as a hint to the server that 1513 a specific service is desired, but the server is not required to 1514 honor the hint in the corresponding response. This AVP MUST only be 1515 present in the response if the Login-Service AVP states that LAT is 1516 desired. 1518 Administrators use the service attribute when dealing with clustered 1519 systems, such as a VAX or Alpha cluster. In such an environment 1520 several different time sharing hosts share the same resources (disks, 1521 printers, etc.), and administrators often configure each to offer 1522 access (service) to each of the shared resources. In this case, each 1523 host in the cluster advertises its services through LAT broadcasts. 1525 Sophisticated users often know which service providers (machines) are 1526 faster and tend to use a node name when initiating a LAT connection. 1527 Alternately, some administrators want particular users to use certain 1528 machines as a primitive form of load balancing (although LAT knows 1529 how to do load balancing itself). 1531 The String field contains the identity of the LAT service to use. 1532 The LAT Architecture allows this string to contain $ (dollar), - 1533 (hyphen), . (period), _ (underscore), numerics, upper and lower case 1534 alphabetics, and the ISO Latin-1 character set extension [ISOLatin]. 1535 All LAT string comparisons are case insensitive. 1537 6.15.4. Login-LAT-Node AVP 1539 The Login-LAT-Node AVP (AVP Code 35) is of type OctetString and 1540 contains the Node with which the user is to be automatically 1541 connected by LAT. It MAY be used in an authorization request as a 1542 hint to the server that a specific LAT node is desired, but the 1543 server is not required to honor the hint in the corresponding 1544 response. 
This AVP MUST only be present in a response if the Login- 1545 Service AVP is set to LAT. 1547 The String field contains the identity of the LAT node to use. 1548 The LAT Architecture allows this string to contain $ (dollar), - 1549 (hyphen), . (period), _ (underscore), numerics, upper and lower case 1550 alphabetics, and the ISO Latin-1 character set extension [ISOLatin]. 1551 All LAT string comparisons are case insensitive. 1553 6.15.5. Login-LAT-Group AVP 1555 The Login-LAT-Group AVP (AVP Code 36) is of type OctetString and 1556 contains a string identifying the LAT group codes which this user is 1557 authorized to use. It MAY be used in an authorization request as a 1558 hint to the server that a specific group is desired, but the server 1559 is not required to honor the hint in the corresponding response. This 1560 AVP MUST only be present in a response if the Login-Service AVP is set 1561 to LAT. 1563 LAT supports 256 different group codes, which LAT uses as a form of 1564 access rights. LAT encodes the group codes as a 256 bit bitmap. 1566 Administrators can assign one or more of the group code bits at the 1567 LAT service provider; it will only accept LAT connections that have 1568 these group codes set in the bit map. The administrators assign a 1569 bitmap of authorized group codes to each user; LAT gets these from 1570 the operating system, and uses these in its requests to the service 1571 providers. 1573 The codification of the range of allowed usage of this field is 1574 outside the scope of this specification. 1576 6.15.6. Login-LAT-Port AVP 1578 The Login-LAT-Port AVP (AVP Code 63) is of type OctetString and 1579 contains the Port with which the user is to be connected by LAT. It 1580 MAY be used in an authorization request as a hint to the server that 1581 a specific port is desired, but the server is not required to honor 1582 the hint in the corresponding response.
This AVP MUST only be present 1583 in a response if the Login-Service AVP is set to LAT. 1585 The String field contains the identity of the LAT port to use. 1586 The LAT Architecture allows this string to contain $ (dollar), - 1587 (hyphen), . (period), _ (underscore), numerics, upper and lower case 1588 alphabetics, and the ISO Latin-1 character set extension [ISOLatin]. 1589 All LAT string comparisons are case insensitive. 1591 7. NAS Tunneling 1593 Some NASes support compulsory tunnel services where the incoming 1594 connection data is conveyed by an encapsulation method to a gateway 1595 elsewhere in the network. This is typically transparent to the 1596 service user, and the tunnel characteristics may be described by the 1597 remote AAA server, based on the user's authorization information. 1598 Several tunnel characteristics may be returned, and the NAS 1599 implementation may choose one. [RADTunnels],[RADTunlAcct]
1601                                          +---------------------+
1602                                          |   AVP Flag rules    |
1603                                          |----+-----+----+-----|----+
1604                    AVP  Section          |    |     |SHLD| MUST|    |
1605 Attribute Name    Code Defined Value Type |MUST| MAY | NOT| NOT |Encr|
1606 -----------------------------------------|----+-----+----+-----|----|
1607 Tunneling          401  7.1   Grouped    | M  |  P  |    |  V  | N  |
1608 Tunnel-Type         64  7.2   Enumerated | M  |  P  |    |  V  | Y  |
1609 Tunnel-Medium-      65  7.3   Enumerated | M  |  P  |    |  V  | Y  |
1610   Type                                   |    |     |    |     |    |
1611 Tunnel-Client-      66  7.4   UTF8String | M  |  P  |    |  V  | Y  |
1612   Endpoint                               |    |     |    |     |    |
1613 Tunnel-Server-      67  7.5   UTF8String | M  |  P  |    |  V  | Y  |
1614   Endpoint                               |    |     |    |     |    |
1615 Tunnel-Password     69  7.6   OctetString| M  |  P  |    |  V  | Y  |
1616 Tunnel-Private-     81  7.7   UTF8String | M  |  P  |    |  V  | Y  |
1617   Group-Id                               |    |     |    |     |    |
1618 Tunnel-             82  7.8   OctetString| M  |  P  |    |  V  | Y  |
1619   Assignment-Id                          |    |     |    |     |    |
1620 Tunnel-Preference   83  7.9   Unsigned32 | M  |  P  |    |  V  | Y  |
1621 Tunnel-Client-      90  7.10  UTF8String | M  |  P  |    |  V  | Y  |
1622   Auth-Id                                |    |     |    |     |    |
1623 Tunnel-Server-      91  7.11  UTF8String | M  |  P  |    |  V  | Y  |
1624   Auth-Id                                |    |     |    |     |    |
1625 -----------------------------------------|----+-----+----+-----|----|
1627 7.1. Tunneling AVP 1629 The Tunneling AVP (AVP Code 401) is of type Grouped and contains the 1630 following AVPs used to describe a compulsory tunnel service 1631 [RADTunnels],[RADTunlAcct]. Its data field has the following ABNF 1632 grammar:
1634          Tunneling ::= < AVP Header: 401 >
1635                        { Tunnel-Type }
1636                        { Tunnel-Medium-Type }
1637                        { Tunnel-Client-Endpoint }
1638                        { Tunnel-Server-Endpoint }
1639                        [ Tunnel-Preference ]
1640                        [ Tunnel-Client-Auth-Id ]
1641                        [ Tunnel-Server-Auth-Id ]
1642                        [ Tunnel-Assignment-Id ]
1643                        [ Tunnel-Password ]
1644                        [ Tunnel-Private-Group-Id ]
1646 7.2. Tunnel-Type AVP 1648 The Tunnel-Type AVP (AVP Code 64) is of type Enumerated and contains 1649 the tunneling protocol(s) to be used (in the case of a tunnel 1650 initiator) or the tunneling protocol in use (in the case of a tunnel 1651 terminator). It MAY be used in an authorization request as a hint to 1652 the server that a specific tunnel type is desired, but the server is 1653 not required to honor the hint in the corresponding response. 1655 The Tunnel-Type AVP SHOULD also be included in Accounting-Request 1656 messages. 1658 A tunnel initiator is not required to implement any of these tunnel 1659 types; if a tunnel initiator receives a response that contains only 1660 unknown or unsupported Tunnel-Types, the tunnel initiator MUST behave 1661 as though a response was received with the Result-Code indicating a 1662 failure, and MUST NOT fall back to an untunnelled session. 1664 The supported values are listed in [RADIUSTypes].
The following list 1665 is informational: 1667 1 Point-to-Point Tunneling Protocol (PPTP) 1668 2 Layer Two Forwarding (L2F) 1669 3 Layer Two Tunneling Protocol (L2TP) 1670 4 Ascend Tunnel Management Protocol (ATMP) 1671 5 Virtual Tunneling Protocol (VTP) 1672 6 IP Authentication Header in the Tunnel-mode (AH) 1673 7 IP-in-IP Encapsulation (IP-IP) 1674 8 Minimal IP-in-IP Encapsulation (MIN-IP-IP) 1675 9 IP Encapsulating Security Payload in the Tunnel-mode (ESP) 1676 10 Generic Route Encapsulation (GRE) 1677 11 Bay Dial Virtual Services (DVS) 1678 12 IP-in-IP Tunneling 1679 13 Virtual LANs (VLAN) 1681 7.3. Tunnel-Medium-Type AVP 1683 The Tunnel-Medium-Type AVP (AVP Code 65) is of type Enumerated and 1684 contains the transport medium to use when creating a tunnel for those 1685 protocols (such as L2TP) that can operate over multiple transports. 1686 It MAY be used in an authorization request as a hint to the server 1687 that a specific medium is desired, but the server is not required to 1688 honor the hint in the corresponding response. 1690 The supported values are listed in [RADIUSTypes]. The following list 1691 is informational: 1693 1 IPv4 (IP version 4) 1694 2 IPv6 (IP version 6) 1695 3 NSAP 1696 4 HDLC (8-bit multidrop) 1697 5 BBN 1822 1698 6 802 (includes all 802 media plus Ethernet "canonical 1699 format") 1700 7 E.163 (POTS) 1701 8 E.164 (SMDS, Frame Relay, ATM) 1702 9 F.69 (Telex) 1703 10 X.121 (X.25, Frame Relay) 1704 11 IPX 1705 12 Appletalk 1706 13 Decnet IV 1707 14 Banyan Vines 1708 15 E.164 with NSAP format subaddress 1710 7.4. Tunnel-Client-Endpoint AVP 1712 The Tunnel-Client-Endpoint AVP (AVP Code 66) is of type UTF8String, 1713 and contains the address of the initiator end of the tunnel. It MAY 1714 be used in an authorization request as a hint to the server that a 1715 specific endpoint is desired, but the server is not required to honor 1716 the hint in the corresponding response. 
1718 This AVP SHOULD be included in the corresponding Accounting-Request 1719 messages, in which case it indicates the address from which the 1720 tunnel was initiated. This AVP, along with the Tunnel-Server-Endpoint 1721 and Session-Id AVP [Base], MAY be used to provide a globally unique 1722 means to identify a tunnel for accounting and auditing purposes. 1724 If Tunnel-Medium-Type is IPv4 (1), then this string is either the 1725 fully qualified domain name (FQDN) of the tunnel client machine, or 1726 it is a "dotted-decimal" IP address. Implementations MUST support 1727 the dotted-decimal format and SHOULD support the FQDN format for IP 1728 addresses. 1730 If Tunnel-Medium-Type is IPv6 (2), then this string is either the 1731 FQDN of the tunnel client machine, or it is a text representation of 1732 the address in either the preferred or alternate form [IPv6Addr]. 1733 Conformant implementations MUST support the preferred form and SHOULD 1734 support both the alternate text form and the FQDN format for IPv6 1735 addresses. 1737 If Tunnel-Medium-Type is neither IPv4 nor IPv6, this string is a tag 1738 referring to configuration data local to the Diameter client that 1739 describes the interface and medium-specific address to use. 1741 7.5. Tunnel-Server-Endpoint AVP 1743 The Tunnel-Server-Endpoint AVP (AVP Code 67) is of type UTF8String, and 1744 contains the address of the server end of the tunnel. It MAY be used 1745 in an authorization request as a hint to the server that a specific 1746 endpoint is desired, but the server is not required to honor the hint 1747 in the corresponding response. 1749 This AVP SHOULD be included in the corresponding Accounting-Request 1750 messages, in which case it indicates the address to which the 1751 tunnel was initiated. This AVP, along with the Tunnel-Client-Endpoint 1752 and Session-Id AVP [Base], MAY be used to provide a globally unique 1753 means to identify a tunnel for accounting and auditing purposes.
1755 If Tunnel-Medium-Type is IPv4 (1), then this string is either the 1756 fully qualified domain name (FQDN) of the tunnel server machine, or 1757 it is a "dotted-decimal" IP address. Implementations MUST support 1758 the dotted-decimal format and SHOULD support the FQDN format for IP 1759 addresses. 1761 If Tunnel-Medium-Type is IPv6 (2), then this string is either the 1762 FQDN of the tunnel server machine, or it is a text representation of 1763 the address in either the preferred or alternate form [IPv6Addr]. 1764 Implementations MUST support the preferred form and SHOULD support 1765 both the alternate text form and the FQDN format for IPv6 addresses. 1767 If Tunnel-Medium-Type is neither IPv4 nor IPv6, this string is a tag 1768 referring to configuration data local to the Diameter client that 1769 describes the interface and medium-specific address to use. 1771 7.6. Tunnel-Password AVP 1773 The Tunnel-Password AVP (AVP Code 69) is of type OctetString and may 1774 contain a password to be used to authenticate to a remote server. 1775 The Tunnel-Password AVP contains sensitive information. This value is 1776 not protected in the same manner as in RADIUS [RADTunnels], where the attribute itself is obfuscated. 1778 As required in [Base], Diameter messages are encrypted using IPsec or 1779 TLS. Note that IPsec and TLS protect the message only between adjacent peers, so every proxy or relay on the path sees the password in the clear. The Tunnel-Password AVP SHOULD NOT be used in untrusted proxy 1780 environments without encrypting it using end-to-end security 1781 techniques, such as CMS Security [DiamCMS]. 1783 7.7. Tunnel-Private-Group-Id AVP 1785 The Tunnel-Private-Group-Id AVP (AVP Code 81) is of type UTF8String, 1786 and contains the group Id for a particular tunneled session. The 1787 Tunnel-Private-Group-Id AVP MAY be included in an authorization 1788 request if the tunnel initiator can pre-determine the group resulting 1789 from a particular connection and SHOULD be included in the 1790 authorization response if this tunnel session is to be treated as 1791 belonging to a particular private group.
Private groups may be used 1792 to associate a tunneled session with a particular group of users. 1793 For example, it MAY be used to facilitate routing of unregistered IP 1794 addresses through a particular interface. This AVP SHOULD be 1795 included in the Accounting-Request messages which pertain to the 1796 tunneled session. 1798 7.8. Tunnel-Assignment-Id AVP 1800 The Tunnel-Assignment-Id AVP (AVP Code 82) is of type OctetString and 1801 is used to indicate to the tunnel initiator the particular tunnel to 1802 which a session is to be assigned. Some tunneling protocols, such as 1803 [PPTP] and [L2TP], allow for sessions between the same two tunnel 1804 endpoints to be multiplexed over the same tunnel and also for a given 1805 session to utilize its own dedicated tunnel. This attribute provides 1806 a mechanism for Diameter to be used to inform the tunnel initiator 1807 (e.g. PAC, LAC) whether to assign the session to a multiplexed 1808 tunnel or to a separate tunnel. Furthermore, it allows for sessions 1809 sharing multiplexed tunnels to be assigned to different multiplexed 1810 tunnels. 1812 A particular tunneling implementation may assign differing 1813 characteristics to particular tunnels. For example, different 1814 tunnels may be assigned different QOS parameters. Such tunnels may 1815 be used to carry either individual or multiple sessions. The Tunnel- 1816 Assignment-Id attribute thus allows the Diameter server to indicate 1817 that a particular session is to be assigned to a tunnel that provides 1818 an appropriate level of service. It is expected that any QOS-related 1819 Diameter tunneling attributes defined in the future that accompany 1820 this attribute will be associated by the tunnel initiator with the Id 1821 given by this attribute. In the meantime, any semantic given to a 1822 particular Id string is a matter left to local configuration in the 1823 tunnel initiator. 
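The following is an added example, not text or code from this specification, of the tunnel initiator behaviour described in Sections 7.2 and 7.8 above and the Tunnel-Preference rule of Section 7.9 below: the initiator keeps only the Tunneling AVPs whose Tunnel-Type it supports, treats an answer with none as a failure, picks the numerically lowest Tunnel-Preference, breaks ties with a local metric, and then assigns the session to a named or unnamed tunnel according to Tunnel-Assignment-Id, never placing an Id-less session in a named tunnel. The Tunneling dataclass, the TunnelInitiator class and the local_metric callback are assumptions of the example; the Tunnel-Type constants follow the informational list in Section 7.2, and no AVP encoding is performed.

```python
"""Added example: tunnel-initiator selection and session assignment for the
Tunneling Grouped AVP (Sections 7.1, 7.2, 7.8, 7.9).  Not part of the draft;
all names here are the example's own.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Tunnel-Type values from the informational list in Section 7.2.
PPTP, L2F, L2TP = 1, 2, 3


@dataclass(frozen=True)
class Tunneling:
    """One Tunneling Grouped AVP (7.1): the four mandatory children plus the
    optional ones this example acts on; the remaining children are omitted."""
    tunnel_type: int                       # Tunnel-Type
    medium_type: int                       # Tunnel-Medium-Type
    client_endpoint: str                   # Tunnel-Client-Endpoint
    server_endpoint: str                   # Tunnel-Server-Endpoint
    preference: Optional[int] = None       # Tunnel-Preference, lowest wins (7.9)
    assignment_id: Optional[bytes] = None  # Tunnel-Assignment-Id (7.8)


class TunnelInitiator:
    """State a tunnel initiator (e.g. a LAC or PAC) keeps: the Tunnel-Types it
    can build, an assumed local tie-breaker, and the tunnels already up."""

    def __init__(self, supported_types: Iterable[int],
                 local_metric: Optional[Callable[[Tunneling], int]] = None):
        self.supported_types = frozenset(supported_types)
        # Assumed local policy, consulted only when Tunnel-Preference ties; lower wins.
        self.local_metric = local_metric or (lambda t: 0)
        self._named: dict = {}    # (client, server, assignment_id) -> tunnel record
        self._unnamed: dict = {}  # (client, server) -> tunnel record

    def choose(self, answer_avps: Iterable[Tunneling]) -> Optional[Tunneling]:
        """Select the Tunneling AVP to act on from an authorization answer.

        Returns None when every returned Tunnel-Type is unknown or unsupported;
        per 7.2 the caller MUST then treat the answer as a failure rather than
        fall back to an untunnelled session.
        """
        candidates = [t for t in answer_avps if t.tunnel_type in self.supported_types]
        if not candidates:
            return None

        def rank(t: Tunneling):
            # A missing Tunnel-Preference sorts after any Unsigned32 value.
            pref = t.preference if t.preference is not None else 2 ** 32
            return (pref, self.local_metric(t))

        return min(candidates, key=rank)

    def assign_session(self, session_id: str, t: Tunneling) -> dict:
        """Place a session in a tunnel following the three rules of 7.8 and
        return the tunnel record it now belongs to."""
        ends = (t.client_endpoint, t.server_endpoint)
        if t.assignment_id is not None:
            key = ends + (t.assignment_id,)
            tunnel = self._named.get(key)
            if tunnel is None:  # no tunnel with this Id to these endpoints: build one
                tunnel = self._named[key] = {"endpoints": ends,
                                             "id": t.assignment_id, "sessions": []}
        else:
            # No Id: use the unnamed tunnel to these endpoints, never a named one,
            # even if a named tunnel to the same peer already exists.
            tunnel = self._unnamed.get(ends)
            if tunnel is None:
                tunnel = self._unnamed[ends] = {"endpoints": ends,
                                                "id": None, "sessions": []}
        tunnel["sessions"].append(session_id)
        return tunnel

    def tunnel_count(self) -> int:
        """Number of distinct tunnels (named plus unnamed) this initiator holds."""
        return len(self._named) + len(self._unnamed)
```

The same Tunnel-Assignment-Id names different tunnels when the endpoints differ, as the last paragraph of Section 7.8 notes, so the named-tunnel key includes both endpoints as well as the Id.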
1825 The Tunnel-Assignment-Id AVP is of significance only to Diameter and 1826 the tunnel initiator. The Id it specifies is intended to be of only 1827 local use to Diameter and the tunnel initiator. The Id assigned by 1828 the tunnel initiator is not conveyed to the tunnel peer. 1830 This attribute MAY be included in authorization responses. The tunnel 1831 initiator receiving this attribute MAY choose to ignore it and assign 1832 the session to an arbitrary multiplexed or non-multiplexed tunnel 1833 between the desired endpoints. This AVP SHOULD also be included in 1834 the Accounting-Request messages which pertain to the tunneled 1835 session. 1837 If a tunnel initiator supports the Tunnel-Assignment-Id AVP, then it 1838 should assign a session to a tunnel in the following manner: 1840 - If this AVP is present and a tunnel exists between the specified 1841 endpoints with the specified Id, then the session should be 1842 assigned to that tunnel. 1844 - If this AVP is present and no tunnel exists between the 1845 specified endpoints with the specified Id, then a new tunnel 1846 should be established for the session and the specified Id 1847 should be associated with the new tunnel. 1849 - If this AVP is not present, then the session is assigned to an 1850 unnamed tunnel. If an unnamed tunnel does not yet exist between 1851 the specified endpoints then it is established and used for this 1852 and subsequent sessions established without the Tunnel- 1853 Assignment-Id attribute. A tunnel initiator MUST NOT assign a 1854 session for which a Tunnel-Assignment-Id AVP was not specified 1855 to a named tunnel (i.e. one that was initiated by a session 1856 specifying this AVP). 1858 Note that the same Id may be used to name different tunnels if such 1859 tunnels are between different endpoints. 1861 7.9. 
Tunnel-Preference AVP 1863 The Tunnel-Preference AVP (AVP Code 83) is of type Unsigned32 and is 1864 used to identify the relative preference assigned to each tunnel when 1865 more than one set of tunneling AVPs is returned within separate 1866 Tunneling Grouped AVPs. It MAY be used in an authorization request as a 1867 hint to the server that a specific preference is desired, but the 1868 server is not required to honor the hint in the corresponding 1869 response. 1871 For example, suppose that AVPs describing two tunnels are returned by 1872 the server, one with a Tunnel-Type of PPTP and the other with a 1873 Tunnel-Type of L2TP. If the tunnel initiator supports only one of 1874 the Tunnel-Types returned, it will initiate a tunnel of that type. 1875 If, however, it supports both tunnel protocols, it SHOULD use the 1876 value of the Tunnel-Preference AVP to decide which tunnel should be 1877 started. The tunnel having the numerically lowest value in the Value 1878 field of this AVP SHOULD be given the highest preference. The values 1879 assigned to two or more instances of the Tunnel-Preference AVP within 1880 a given authorization response MAY be identical. In this case, the 1881 tunnel initiator SHOULD use locally configured metrics to decide 1882 which set of AVPs to use. 1884 7.10. Tunnel-Client-Auth-Id AVP 1886 The Tunnel-Client-Auth-Id AVP (AVP Code 90) is of type UTF8String and 1887 specifies the name used by the tunnel initiator during the 1888 authentication phase of tunnel establishment. It MAY be used in an 1889 authorization request as a hint to the server that a specific 1890 name is desired, but the server is not required to honor the 1891 hint in the corresponding response. This AVP MUST be present in the 1892 authorization response if an authentication name other than the 1893 default is desired. This AVP SHOULD be included in the Accounting- 1894 Request messages which pertain to the tunneled session. 1896 7.11.
Tunnel-Server-Auth-Id AVP 1898 The Tunnel-Server-Auth-Id AVP (AVP Code 91) is of type UTF8String 1899 and specifies the name used by the tunnel terminator during the 1900 authentication phase of tunnel establishment. It MAY be used in an 1901 authorization request as a hint to the server that a specific 1902 name is desired, but the server is not required to honor the 1903 hint in the corresponding response. This AVP MUST be present in the 1904 authorization response if an authentication name other than the 1905 default is desired. This AVP SHOULD be included in the 1906 Accounting-Request messages which pertain to the tunneled session. 1908 8. NAS Accounting 1910 Applications implementing this specification use Diameter Accounting 1911 as defined in the Diameter Base protocol [Base] with the addition of the AVPs in the 1912 following section. 1914 If accounting is active, Accounting-Request (ACR) messages SHOULD be 1915 sent after the completion of any Authentication or Authorization 1916 transaction and at the end of a Session. The Accounting-Record-Type 1917 value indicates the type of event. All other AVPs identify the 1918 session and provide additional information relevant to the event. 1920 The successful completion of the first Authentication or 1921 Authorization transaction SHOULD cause a START_RECORD to be 1922 sent. If additional Authentications or Authorizations occur in later 1923 transactions, the first exchange should generate a START_RECORD, and 1924 the later ones an INTERIM_RECORD. For a given session, there MUST only 1925 be one set of matching START and STOP records, with any number of 1926 INTERIM_RECORDs in between, or one EVENT_RECORD indicating the reason 1927 for not starting a session. 1929 The following table describes the AVPs, their AVP Code values, types, 1930 possible flag values and whether the AVP MAY be encrypted.
1932                                          +---------------------+
1933                                          |   AVP Flag rules    |
1934                                          |----+-----+----+-----|----+
1935                    AVP  Section          |    |     |SHLD| MUST|    |
1936 Attribute Name    Code Defined Value Type |MUST| MAY | NOT| NOT |Encr|
1937 -----------------------------------------|----+-----+----+-----|----|
1938 Accounting-        363  8.1   Unsigned64 | M  |  P  |    |  V  | Y  |
1939   Input-Octets                           |    |     |    |     |    |
1940 Accounting-        364  8.2   Unsigned64 | M  |  P  |    |  V  | Y  |
1941   Output-Octets                          |    |     |    |     |    |
1942 Accounting-        365  8.3   Unsigned64 | M  |  P  |    |  V  | Y  |
1943   Input-Packets                          |    |     |    |     |    |
1944 Accounting-        366  8.4   Unsigned64 | M  |  P  |    |  V  | Y  |
1945   Output-Packets                         |    |     |    |     |    |
1946 Acct-Session-Time   46  8.5   Unsigned32 | M  |  P  |    |  V  | Y  |
1947 Acct-Authentic      45  8.6   Enumerated | M  |  P  |    |  V  | Y  |
1948 Acct-Delay-Time     41  8.7   Unsigned32 | M  |  P  |    |  V  | Y  |
1949 Acct-Link-Count     51  8.8   Unsigned32 | M  |  P  |    |  V  | Y  |
1950 Acct-Tunnel-        68  8.9   OctetString| M  |  P  |    |  V  | Y  |
1951   Connection                             |    |     |    |     |    |
1952 Acct-Tunnel-        86  8.10  Unsigned32 | M  |  P  |    |  V  | Y  |
1953   Packets-Lost                           |    |     |    |     |    |
1954 -----------------------------------------|----+-----+----+-----|----|
1956 8.1. Accounting-Input-Octets AVP 1958 The Accounting-Input-Octets AVP (AVP Code 363) is of type Unsigned64, 1959 and contains the number of octets received from the user. 1961 For NAS usage, this AVP indicates how many octets have been received 1962 from the port in the course of this session and can only be present 1963 in ACR messages with an Accounting-Record-Type of INTERIM_RECORD or 1964 STOP_RECORD. 1966 8.2. Accounting-Output-Octets AVP 1968 The Accounting-Output-Octets AVP (AVP Code 364) is of type 1969 Unsigned64, and contains the number of octets sent to the user. 1971 For NAS usage, this AVP indicates how many octets have been sent to 1972 the port in the course of this session and can only be present in ACR 1973 messages with an Accounting-Record-Type of INTERIM_RECORD or 1974 STOP_RECORD. 1976 8.3.
Accounting-Input-Packets AVP 1978 The Accounting-Input-Packets AVP (AVP Code 365) is of type Unsigned64, 1979 and contains the number of packets received from the user. 1981 For NAS usage, this AVP indicates how many packets have been received 1982 from the port over the course of a session being provided to a Framed 1983 User and can only be present in ACR messages with an Accounting- 1984 Record-Type of INTERIM_RECORD or STOP_RECORD. 1986 8.4. Accounting-Output-Packets AVP 1988 The Accounting-Output-Packets AVP (AVP Code 366) is of type Unsigned64, 1989 and contains the number of packets sent to the user. 1991 For NAS usage, this AVP indicates how many packets have been sent to 1992 the port over the course of a session being provided to a Framed User 1993 and can only be present in ACR messages with an Accounting-Record- 1994 Type of INTERIM_RECORD or STOP_RECORD. 1996 8.5. Acct-Session-Time AVP 1998 The Acct-Session-Time AVP (AVP Code 46) is of type Unsigned32, and 1999 indicates the length of the current session in seconds. It can only 2000 be present in ACR messages with an Accounting-Record-Type of 2001 INTERIM_RECORD or STOP_RECORD. 2003 8.6. Acct-Authentic AVP 2005 The Acct-Authentic AVP (AVP Code 45) is of type Enumerated, and 2006 specifies how the user was authenticated. The supported values are 2007 listed in [RADIUSTypes]. The following list is informational: 2009 1 RADIUS 2010 2 Local 2011 3 Remote 2012 4 Diameter 2014 8.7. Acct-Delay-Time 2016 The Acct-Delay-Time AVP (AVP Code 41) is of type Unsigned32 and 2017 indicates the number of seconds during which the Diameter client has 2018 been trying to send the Accounting-Request (ACR) which contains it. 2019 The accounting server may subtract this value from the time the ACR 2020 arrives at the server to calculate the approximate time of the event 2021 that caused the ACR to be generated. 2023 This AVP is not used for retransmissions at the transport level (TCP 2024 or SCTP).
   Rather, it may be used when an ACR command cannot be transmitted
   because there is no appropriate peer to transmit it to, or when it
   was rejected because it could not be delivered to its destination.
   In these cases, the command MAY be buffered and transmitted some time
   later, when an appropriate peer connection is available or after
   sufficient time has passed that the destination host may be reachable
   and operational.  If the ACR is resent in this way, the Acct-Delay-
   Time AVP SHOULD be included.  The value of this AVP indicates the
   number of seconds that elapsed between the time of the first attempt
   at transmission and the current attempt at transmission.

8.8.  Acct-Link-Count AVP

   The Acct-Link-Count AVP (AVP Code 51) is of type Unsigned32 and
   indicates the total number of links that have been active (current or
   closed) in a given multilink session, at the time the accounting
   record is generated.  This AVP MAY be included in Accounting-Requests
   for any session which may be part of a multilink service.

   The Acct-Link-Count AVP may be used to make it easier for an
   accounting server to know when it has all the records for a given
   multilink service.  When the number of Accounting-Requests received
   with Accounting-Record-Type = STOP_RECORD, the same Acct-Multi-
   Session-Id and unique Session-Ids equals the largest value of Acct-
   Link-Count seen in those Accounting-Requests, all STOP_RECORD
   Accounting-Requests for that multilink service have been received.

   The following example, showing eight Accounting-Requests, illustrates
   how the Acct-Link-Count AVP is used.  In the table below, only the
   relevant AVPs are shown, although additional AVPs containing
   accounting information will also be present in the Accounting-
   Requests.
   Acct-Multi-                Accounting-    Acct-
   Session-Id    Session-Id   Record-Type    Link-Count
   --------------------------------------------------------
   "...10"       "...10"      START_RECORD   1
   "...10"       "...11"      START_RECORD   2
   "...10"       "...11"      STOP_RECORD    2
   "...10"       "...12"      START_RECORD   3
   "...10"       "...13"      START_RECORD   4
   "...10"       "...12"      STOP_RECORD    4
   "...10"       "...13"      STOP_RECORD    4
   "...10"       "...10"      STOP_RECORD    4

8.9.  Acct-Tunnel-Connection AVP

   The Acct-Tunnel-Connection AVP (AVP Code 68) is of type OctetString,
   and contains the identifier assigned to the tunnel session.  This
   AVP, along with the Tunnel-Client-Endpoint and Tunnel-Server-Endpoint
   AVPs, may be used to provide a means to uniquely identify a tunnel
   session for auditing purposes.

   The format of the identifier in this AVP depends upon the value of
   the Tunnel-Type AVP.  For example, to fully identify an L2TP tunnel
   connection, the L2TP Tunnel Id and Call Id might be encoded in this
   field.  The exact encoding of this field is implementation dependent.

8.10.  Acct-Tunnel-Packets-Lost AVP

   The Acct-Tunnel-Packets-Lost AVP (AVP Code 86) is of type Unsigned32
   and contains the number of packets lost on a given link.

9.  RADIUS/Diameter Protocol Interactions

   This section describes some basic guidelines that may be used by
   servers that act as AAA Translation Agents.  A complete description
   of all the differences between RADIUS and Diameter is beyond the
   scope of this section and document.  Note that this document does
   not restrict implementations from creating additional methods, as
   long as the translation function does not violate the RADIUS or the
   Diameter protocols.

   There are primarily two different situations that must be handled:
   one where a RADIUS request is received that must be forwarded as a
   Diameter request, and the inverse.  RADIUS does not support a
   peer-to-peer architecture, and server-initiated operations are
   generally not supported.  See [RADDynAuth] for an alternative.

   Some RADIUS attributes are encrypted.  RADIUS security and encryption
   techniques are applied on a hop-by-hop basis.  A Diameter agent will
   have to decrypt RADIUS attribute data entering the Diameter system
   and, if that information is forwarded, MUST secure it using Diameter
   specific techniques.

   Note that this section uses the two terms "AVP" and "attribute" in a
   concise and specific manner.  The former is used to signify a
   Diameter AVP, while the latter is used to signify a RADIUS attribute.

9.1.  RADIUS Request Forwarded as Diameter Request

   This section describes the actions that should be followed when a
   Translation Agent receives a RADIUS message that is to be translated
   to a Diameter message.

   It is important to note that RADIUS servers are assumed to be
   stateless, and this section maintains that assumption.  It is also
   quite possible that the RADIUS messages that comprise the session
   (i.e., authentication and accounting messages) will be handled by
   different Translation Agents in the proxy network.  Therefore, a
   RADIUS/Diameter Translation Agent SHOULD NOT be assumed to have an
   accurate track of session state information.

   When a Translation Agent receives a RADIUS message, the following
   steps should be taken:

   -  If a Message-Authenticator attribute is present, the value MUST
      be checked, but not included in the Diameter message.  If it is
      incorrect, the RADIUS message should be silently discarded.  The
      gateway system SHOULD generate and include a Message-Authenticator
      in return RADIUS responses to this system.
   -  The transport address of the sender MUST be checked against the
      NAS identifying attributes.  See the description of
      NAS-Identifier and NAS-IP-Address below.
   -  The Diameter Origin-Host and Origin-Realm AVPs MUST be created
      and added using the information from an FQDN corresponding to
      the NAS-IP-Address attribute (preferred if available), and/or
      the NAS-Identifier attribute.  (Note that the RADIUS
      NAS-Identifier is not required to be an FQDN.)  The AAA protocol
      specified in the identity would be set to "RADIUS".
   -  The Proxy-Info group SHOULD be added with the local server's
      identity being specified in the Proxy-Host AVP.  This should
      ensure that the response is returned to this system.
   -  The Destination-Realm AVP is created from the information found
      in the RADIUS User-Name attribute.
   -  The Translation Agent must maintain transaction state
      information relevant to the RADIUS request, such as the
      Identifier field in the RADIUS header, any existing RADIUS
      Proxy-State attribute, and the source IP address and port number
      of the UDP packet.  These may be maintained locally in a state
      table, or may be saved in a Proxy-Info AVP group.
   -  If the RADIUS request contained a State attribute, and the
      prefix of the data is "Diameter/", the data following the prefix
      contains the Diameter Session-Id.  If no such attribute is
      present, and the RADIUS command is an Access-Request, a new
      Session-Id is created.  The Session-Id is included in the
      Session-Id AVP.
   -  If the RADIUS User-Password attribute is present, the password
      must be decrypted using the link's RADIUS shared secret and
      forwarded using Diameter security.
   -  If the RADIUS CHAP-Password attribute is present, the Ident and
      Data portions of the attribute are used to create the CHAP-Auth
      grouped AVP.
   -  If the RADIUS message contains an address attribute, it MUST be
      converted to the appropriate Diameter AVP and type.
   -  If the RADIUS message contains Tunnel information [RADTunnels],
      the attributes or tagged groups should each be converted to a
      Diameter Tunneling Grouped AVP set.  If the tunnel information
      contains a Tunnel-Password attribute, the RADIUS encryption must
      be resolved, and the password forwarded using Diameter security
      methods.
   -  If the RADIUS message received is an Accounting-Request, the
      Acct-Status-Type attribute value must be converted to an
      Accounting-Record-Type AVP value.  If the Acct-Status-Type
      attribute value is STOP, the local server MUST issue a
      Session-Termination-Request message once the Diameter
      Accounting-Answer message has been received.
   -  If the Accounting message contains an Acct-Termination-Cause
      attribute, it should be translated to the equivalent
      Termination-Cause AVP value (see below).
   -  If the RADIUS message contains the Accounting-Input-Octets,
      Accounting-Input-Packets, Accounting-Output-Octets or
      Accounting-Output-Packets attributes, these must be converted to
      the Diameter equivalents.  Further, if the Acct-Input-Gigawords
      or Acct-Output-Gigawords attributes are present, they must be
      used to properly compute the Diameter accounting AVPs.

   The corresponding Diameter response is always guaranteed to be
   received by the same Translation Agent that translated the original
   request, due to the contents of the Origin-Host AVP in the Diameter
   request.  The following steps are applied to the response message
   during the Diameter to RADIUS translation:

   -  If the Diameter Command-Code is set to AA-Answer and the
      Result-Code AVP is set to DIAMETER_MULTI_ROUND_AUTH, the gateway
      must send a RADIUS Access-Challenge with the Diameter Session-Id
      and the Origin-Host AVPs encapsulated in the RADIUS State
      attribute, with the prefix "Diameter/".
      This is necessary in order to ensure that the Translation Agent
      that will receive the subsequent RADIUS Access-Request will have
      access to the Session Identifier, and be able to set the
      Destination-Host to the correct value.  If the
      Multi-Round-Time-Out AVP is present, the value of the AVP MUST be
      inserted in the RADIUS Session-Timeout attribute.
   -  If the Command-Code is set to AA-Answer, the Diameter Session-Id
      AVP is saved in a new RADIUS Class attribute, whose format
      consists of the string "Diameter/" followed by the Diameter
      Session Identifier.  This will ensure that the subsequent
      Accounting messages, which could be received by any Translation
      Agent, will have access to the original Diameter Session
      Identifier.
   -  If a Proxy-State attribute was present in the RADIUS request,
      the same attribute is added in the response.  This information
      may be found in the Proxy-Info AVP group, or in a local state
      table.
   -  If state information regarding the RADIUS request was saved in a
      Proxy-Info AVP or local state table, the RADIUS Identifier and
      UDP IP address and port number are extracted and used in issuing
      the RADIUS reply.

   If the Diameter translation system receives a message as specified in
   [RADDynAuth], it may translate it into a Diameter Re-Auth-Request
   message.  The consistency and security rules of that specification
   MUST be applied to the processing and forwarding of this type of
   message.

9.2.  Diameter Request Forwarded as RADIUS Request

   When a server receives a Diameter request that is to be forwarded to
   a RADIUS entity, the following steps are an example of the steps that
   may be followed:

   -  The Origin-Host AVP's value is inserted in the NAS-Identifier
      attribute.
   -  The following information MUST be present in the corresponding
      Diameter response, and therefore MUST be saved either in a local
      state table, or encoded in a RADIUS Proxy-State attribute:
         1.  Origin-Host AVP
         2.  Session-Id AVP
         3.  Proxy-Info AVP
         4.  Route-Record AVPs (in the proper order)
         5.  Any other AVP that MUST be present in the response, and
             has no corresponding RADIUS attribute.
   -  If the CHAP-Auth AVP is present, the grouped AVPs are used to
      create the RADIUS CHAP-Password attribute data.
   -  If the User-Password AVP is present, the data should be
      encrypted using RADIUS rules.  Likewise for any other encrypted
      attribute values.
   -  AVPs that are of the type Address must be translated to the
      corresponding RADIUS attribute.
   -  If the Accounting-Input-Octets, Accounting-Input-Packets,
      Accounting-Output-Octets or Accounting-Output-Packets AVPs are
      present, these must be translated to the corresponding RADIUS
      attributes.  Further, if the value of a Diameter AVP does not fit
      within a 32-bit RADIUS attribute, the RADIUS Acct-Input-Gigawords
      and Acct-Output-Gigawords attributes must be used.
   -  If the RADIUS link supports the Message-Authenticator attribute
      [RADIUSExt], it SHOULD be generated and added to the request.

   When the corresponding response is received by the Translation Agent,
   which is guaranteed in the RADIUS protocol, the following steps may
   be followed:

   -  If the RADIUS code is set to Access-Challenge, a Diameter
      AA-Answer message is created with the Result-Code set to
      DIAMETER_MULTI_ROUND_AUTH.  If the Session-Timeout attribute is
      present in the RADIUS message, its value is inserted in the
      Multi-Round-Time-Out AVP.
   -  If a Proxy-State attribute is present, extract the encoded
      information; otherwise retrieve the original Proxy-Info AVP
      group information from the local state table.
   -  The response's Origin-Host information is created from the FQDN
      of the source IP address of the RADIUS message.
   -  The response's Destination-Host AVP is copied from the saved
      request's Origin-Host information.
   -  The Acct-Session-Id information is added to the Session-Id AVP.
   -  The Route-Record AVPs MUST be added to the Diameter message, in
      the same order they were present in the request.  The gateway's
      position in the forwarding should be properly recorded.
   -  If a Proxy-Info AVP was present in the request, the same AVP
      MUST be added to the response.
   -  If RADIUS State attributes are present, these attributes must be
      present in the Diameter response.
   -  Any other AVPs that were saved at request time, and MUST be
      present in the response, are added to the message.

9.3.  AVPs Used Only for Compatibility

   The AVPs defined in this section SHOULD only be used for backwards
   compatibility when a Diameter/RADIUS translation function is
   invoked, and are not typically originated by Diameter systems during
   normal operations.

                                            +---------------------+
                                            |    AVP Flag rules   |
                                            |----+-----+----+-----|----+
                   AVP  Section             |    |     |SHLD| MUST|    |
   Attribute Name  Code Defined Value Type  |MUST| MAY | NOT| NOT|Encr|
   -----------------------------------------|----+-----+----+-----|----|
   NAS-Identifier    32 9.3.1   UTF8String  | M  |  P  |    |  V  | Y  |
   NAS-IP-Address     4 9.3.2   OctetString | M  |  P  |    |  V  | Y  |
   NAS-IPv6-Address  95 9.3.3   OctetString | M  |  P  |    |  V  | Y  |
   State             24 9.3.4   OctetString | M  |  P  |    |  V  | Y  |
   Termination-     295 9.3.5   Enumerated  | M  |  P  |    |  V  | Y  |
     Cause                                  |    |     |    |     |    |
   -----------------------------------------|----+-----+----+-----|----|

9.3.1.  NAS-Identifier AVP

   The NAS-Identifier AVP (AVP Code 32) [RADIUS] is of type UTF8String
   and contains the identity of the NAS providing service to the user.
   This AVP SHOULD only be added by a RADIUS/Diameter Translation Agent.
   When this AVP is present, the Origin-Host AVP identifies the
   RADIUS/Diameter Translation Agent rather than the NAS providing
   service to the user.

   In RADIUS it would be possible for a rogue NAS to forge the
   NAS-Identifier attribute.  Diameter/RADIUS translation agents SHOULD
   attempt to check a received NAS-Identifier attribute against the
   source address of the RADIUS packet, by doing an A/AAAA RR query.  If
   the NAS-Identifier attribute contains an FQDN, then such a query
   would resolve to an IP address matching the source address.  However,
   the NAS-Identifier attribute is not required to contain an FQDN, so
   such a query could fail.  In this case, an error should be logged,
   but no other action taken, other than doing a reverse lookup on the
   source address and inserting the resulting FQDN into the Route-Record
   AVP.

   Diameter agents and servers SHOULD check whether a NAS-Identifier AVP
   corresponds to an entry in the Route-Record AVP.  If no match is
   found, then an error is logged, but no other action is taken.

9.3.2.  NAS-IP-Address AVP

   The NAS-IP-Address AVP (AVP Code 4) [RADIUS] is of type OctetString,
   and contains the IP Address of the NAS providing service to the user.
   This AVP SHOULD only be added by a RADIUS/Diameter Translation Agent.
   When this AVP is present, the Origin-Host AVP identifies the
   RADIUS/Diameter Translation Agent rather than the NAS providing
   service to the user.

   In RADIUS it would be possible for a rogue NAS to forge the
   NAS-IP-Address attribute value.  Diameter/RADIUS translation agents
   MUST check a received NAS-IP-Address or NAS-IPv6-Address attribute
   against the source address of the RADIUS packet.
   If they do not match, and the Diameter/RADIUS translation agent does
   not know whether the packet was sent by a RADIUS proxy or a NAS (e.g.,
   no Proxy-State attribute), then by default it is assumed that the
   source address corresponds to a RADIUS proxy, and that the NAS
   address is behind that proxy, potentially with some additional RADIUS
   proxies in between.  The Diameter/RADIUS translation agent MUST
   insert entries in the Route-Record AVP corresponding to the apparent
   route.  This implies doing a reverse lookup on the source address and
   on the NAS-IP-Address or NAS-IPv6-Address attribute in order to
   determine the corresponding FQDNs.

   If the source address and the NAS-IP-Address or NAS-IPv6-Address do
   not match, and the Diameter/RADIUS translation agent knows that it is
   talking directly to the NAS (e.g., no RADIUS proxies between it and
   the NAS), then the error should be logged, and the packet MUST be
   discarded.

   Diameter agents and servers MUST check whether the NAS-IP-Address AVP
   corresponds to an entry in the Route-Record AVP.  This is done by
   doing a reverse lookup (PTR RR) for the NAS-IP-Address to retrieve
   the corresponding FQDN, and checking for a match with the
   Route-Record AVP.  If no match is found, then an error is logged, but
   no other action is taken.

9.3.3.  NAS-IPv6-Address AVP

   The NAS-IPv6-Address AVP (AVP Code 95) [RADIUSIPv6] is of type
   OctetString, and contains the IPv6 Address of the NAS providing
   service to the user.  This AVP SHOULD only be added by a
   RADIUS/Diameter Translation Agent.  When this AVP is present, the
   Origin-Host AVP identifies the RADIUS/Diameter Translation Agent
   rather than the NAS providing service to the user.

   In RADIUS it would be possible for a rogue NAS to forge the
   NAS-IPv6-Address attribute.
   Diameter/RADIUS translation agents MUST check a received
   NAS-IPv6-Address attribute against the source address of the RADIUS
   packet.  If they do not match, and the Diameter/RADIUS translation
   agent does not know whether the packet was sent by a RADIUS proxy or
   a NAS (e.g., no Proxy-State attribute), then by default it is assumed
   that the source address corresponds to a RADIUS proxy, and that the
   NAS-IPv6-Address is behind that proxy, potentially with some
   additional RADIUS proxies in between.  The Diameter/RADIUS
   translation agent MUST insert entries in the Route-Record AVP
   corresponding to the apparent route.  This implies doing a reverse
   lookup on the source address and on the NAS-IPv6-Address attribute in
   order to determine the corresponding FQDNs.

   If the source address and the NAS-IPv6-Address do not match, and the
   Diameter/RADIUS translation agent knows that it is talking directly
   to the NAS (e.g., no RADIUS proxies between it and the NAS), then the
   error should be logged, and the packet MUST be discarded.

   Diameter agents and servers MUST check whether the NAS-IPv6-Address
   AVP corresponds to an entry in the Route-Record AVP.  This is done by
   doing a reverse lookup (PTR RR) for the NAS-IPv6-Address to retrieve
   the corresponding FQDN, and checking for a match with the
   Route-Record AVP.  If no match is found, then an error is logged, but
   no

9.3.4.  State AVP

   The State AVP (AVP Code 24) [RADIUS] is of type OctetString and has
   two uses in the Diameter NAS application.

   The State AVP MAY be sent by a Diameter Server to a NAS in an
   AA-Answer command that contains a Result-Code of
   DIAMETER_MULTI_ROUND_AUTH.  If so, the NAS MUST return it unmodified
   in the subsequent AA-Request command.
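   The two ingress checks a Translation Agent performs before building
   the Diameter request, as an added example that is not code from this
   draft: the NAS-IP-Address / NAS-IPv6-Address versus source-address
   test of Sections 9.3.2 and 9.3.3 (discard on a direct NAS link,
   otherwise assume a proxy and record the apparent route), and the
   recovery of the Session-Id and Origin-Host from a "Diameter/" State
   attribute as described in Section 9.1.  The draft fixes the State
   prefix but not the layout behind it, so the NUL separator between
   Session-Id and Origin-Host is an assumption, as are the host names and
   the constructed table that stands in for the PTR lookups.

```python
# Added example for Sections 9.1, 9.3.2 and 9.3.3; not code from the draft.
# Reverse DNS is replaced by a constructed table (hypothetical hosts in the
# 192.0.2.0/24 and 2001:db8::/32 documentation ranges) so this runs offline.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

STATE_PREFIX = b"Diameter/"
STATE_SEPARATOR = b"\x00"      # assumption: draft names the prefix only
RADIUS_MAX_ATTR_VALUE = 253    # RFC 2865 attribute Length <= 255, minus Type/Length

PTR_TABLE = {
    "192.0.2.10": "nas1.example.com",
    "192.0.2.20": "proxy1.example.com",
    "2001:db8::10": "nas6.example.com",
}


def reverse_lookup(addr: str) -> str:
    """FQDN for an address; the textual address itself when no PTR exists."""
    return PTR_TABLE.get(addr, addr)


def build_diameter_state(session_id: str, origin_host: str) -> bytes:
    """State value for the Access-Challenge of 9.1: prefix, Session-Id,
    separator, Origin-Host.  Refuses a value a RADIUS attribute cannot carry."""
    value = (STATE_PREFIX + session_id.encode("ascii") + STATE_SEPARATOR
             + origin_host.encode("ascii"))
    if len(value) > RADIUS_MAX_ATTR_VALUE:
        raise ValueError("State value exceeds the 253-octet RADIUS attribute limit")
    return value


def parse_diameter_state(state: Optional[bytes]) -> Tuple[Optional[str], Optional[str]]:
    """Inverse of build_diameter_state; (None, None) for absent or foreign State."""
    if state is None or not state.startswith(STATE_PREFIX):
        return None, None
    sid, _, host = state[len(STATE_PREFIX):].partition(STATE_SEPARATOR)
    return sid.decode("ascii") or None, host.decode("ascii") or None


@dataclass
class IngressResult:
    accept: bool
    reason: str
    route_record: List[str] = field(default_factory=list)  # NAS first, sender last
    session_id: Optional[str] = None
    destination_host: Optional[str] = None


def check_radius_ingress(src_addr: str, nas_addr: Optional[str],
                         direct_nas: Optional[bool],
                         state: Optional[bytes]) -> IngressResult:
    """direct_nas: True if the agent knows the sender is the NAS, False if it
    knows a RADIUS proxy sent the packet, None if it cannot tell (e.g. no
    Proxy-State), which 9.3.2/9.3.3 say to treat as 'NAS behind a proxy'."""
    src = ipaddress.ip_address(src_addr)
    route = [reverse_lookup(str(src))]
    if nas_addr is not None:
        try:
            nas = ipaddress.ip_address(nas_addr)
        except ValueError:
            return IngressResult(False, "malformed NAS address attribute")
        if nas != src:
            if direct_nas is True:
                # Mismatch on a direct link can only be a forged attribute.
                return IngressResult(False, "NAS address does not match packet source; discarded")
            # Otherwise record the apparent route through the sending proxy.
            route.insert(0, reverse_lookup(str(nas)))
    session_id, origin_host = parse_diameter_state(state)
    return IngressResult(True, "ok", route, session_id, origin_host)
```

   The NAS-Identifier check of 9.3.1 is deliberately not folded in: it is
   only a SHOULD, its failure is logged rather than acted on, and it needs
   a forward (A/AAAA) query that an offline example cannot stand in for.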
   The State AVP MAY also be sent by a Diameter Server to a NAS in an
   AA-Answer command that also includes a Termination-Action AVP with
   the value AA-REQUEST.  If the NAS performs the Termination-Action by
   sending a new AA-Request command upon termination of the current
   service, it MUST return the State AVP unmodified in the new request
   command.

   In either usage the NAS MUST NOT interpret the AVP locally.  Usage of
   the State AVP is implementation dependent.

9.3.5.  Termination-Cause AVP Code Values

   This section defines a mapping between Termination-Cause AVP code
   values and RADIUS Acct-Terminate-Cause attribute code values from RFC
   2866 [RADIUSAcct] and [RADIUSTypes], thereby allowing a
   RADIUS/Diameter Translation Agent to convert between the attribute
   and AVP values.  This section thus extends the definitions in the
   "Termination-Cause AVP" section of the Base Diameter specification.

   The table in this section defines the mapping between
   Termination-Cause AVP and RADIUS Acct-Terminate-Cause values.
                                 +-----------------------+
                                 |         Value         |
                                 +-----------+-----------+
   Cause Value Name              |  RADIUS   | Diameter  |
   ------------------------------|-----------+-----------+
   User Request                  |     1     |    11     |
   Lost Carrier                  |     2     |    12     |
   Lost Service                  |     3     |    13     |
   Idle Timeout                  |     4     |    14     |
   Session Timeout               |     5     |    15     |
   Admin Reset                   |     6     |    16     |
   Admin Reboot                  |     7     |    17     |
   Port Error                    |     8     |    18     |
   NAS Error                     |     9     |    19     |
   NAS Request                   |    10     |    20     |
   NAS Reboot                    |    11     |    21     |
   Port Unneeded                 |    12     |    22     |
   Port Preempted                |    13     |    23     |
   Port Suspended                |    14     |    24     |
   Service Unavailable           |    15     |    25     |
   Callback                      |    16     |    26     |
   User Error                    |    17     |    27     |
   Host Request                  |    18     |    28     |
   Supplicant Restart            |    19     |    29     | [RAD802.1X]
   Reauthentication Failure      |    20     |    30     | [RAD802.1X]
   Port Reinit                   |    21     |    31     | [RAD802.1X]
   Port Disabled                 |    22     |    32     | [RAD802.1X]
   ------------------------------|-----------+-----------+

   From RFC 2866, the termination causes are as follows:

   User Request          User requested termination of service, for
                         example with LCP Terminate or by logging out.

   Lost Carrier          DCD was dropped on the port.

   Lost Service          Service can no longer be provided; for
                         example, the user's connection to a host was
                         interrupted.

   Idle Timeout          Idle timer expired.

   Session Timeout       Maximum session length timer expired.

   Admin Reset           Administrator reset the port or session.

   Admin Reboot          Administrator is ending service on the NAS,
                         for example prior to rebooting the NAS.

   Port Error            NAS detected an error on the port which
                         required ending the session.

   NAS Error             NAS detected some error (other than on the
                         port) which required ending the session.

   NAS Request           NAS ended session for a non-error reason not
                         otherwise listed here.

   NAS Reboot            The NAS ended the session in order to reboot
                         non-administratively ("crash").
   Port Unneeded         NAS ended session because resource usage fell
                         below the low-water mark (for example, if a
                         bandwidth-on-demand algorithm decided that
                         the port was no longer needed).

   Port Preempted        NAS ended session in order to allocate the
                         port to a higher priority use.

   Port Suspended        NAS ended session to suspend a virtual
                         session.

   Service Unavailable   NAS was unable to provide requested service.

   Callback              NAS is terminating the current session in
                         order to perform callback for a new session.

   User Error            Input from user is in error, causing
                         termination of session.

   Host Request          Login Host terminated session normally.

9.4.  Prohibited RADIUS Attributes

   The following RADIUS attributes MUST NOT appear in a Diameter
   message.  Instead, they are translated to other Diameter AVPs or
   handled in some special manner.  The rules for the treatment of the
   attributes are discussed in Sections 9.1, 9.2 and 9.6.

   Attribute  Description            Defined   Nearest Diameter AVP
   -----------------------------------------------------------------
     3        CHAP-Password          RFC 2865  CHAP-Auth Group
    26        Vendor-Specific        RFC 2865  Vendor Specific AVP
    40        Acct-Status-Type       RFC 2866  Accounting-Record-Type
    42        Acct-Input-Octets      RFC 2866  Accounting-Input-Octets
    43        Acct-Output-Octets     RFC 2866  Accounting-Output-Octets
    47        Acct-Input-Packets     RFC 2866  Accounting-Input-Packets
    48        Acct-Output-Packets    RFC 2866  Accounting-Output-Packets
    49        Acct-Terminate-Cause   RFC 2866  Termination-Cause
    52        Acct-Input-Gigawords   RFC 2869  Accounting-Input-Octets
    53        Acct-Output-Gigawords  RFC 2869  Accounting-Output-Octets
    80        Message-Authenticator  RFC 2869  none - check and discard

9.5.  Translatable Diameter AVPs

   In general, Diameter AVPs that are not RADIUS compatible have code
   values greater than 255.  The table in the section above shows the
   AVPs that can be converted into RADIUS attributes.
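   Two of the conversions behind the 9.1 and 9.2 step lists and the table
   above, as an added example that is not code from this draft.  The
   first is the RADIUS User-Password obfuscation of RFC 2865 Section 5.2
   (MD5 keystream XOR, chained on the previous ciphertext block), which a
   Translation Agent must undo with the link's shared secret on RADIUS
   ingress and reapply on RADIUS egress.  The second merges the 32-bit
   Acct-*-Octets attribute with Acct-*-Gigawords into the Unsigned64
   Accounting-*-Octets AVP and splits it back, emitting Gigawords only
   when the value needs them.  The secret, authenticator and counter
   values below are constructed test inputs.

```python
# Added example for the 9.1/9.2 translation steps; not code from the draft.
import hashlib
from typing import Optional, Tuple

MD5_BLOCK = 16
MAX32 = 0xFFFFFFFF


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def radius_password_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16 with NULs, then
    c1 = p1 XOR MD5(S + RA) and ci = pi XOR MD5(S + c(i-1))."""
    if len(authenticator) != MD5_BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 0 < len(password) <= 128:
        raise ValueError("RADIUS User-Password is 1 to 128 octets")
    padded = password + b"\x00" * (-len(password) % MD5_BLOCK)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), MD5_BLOCK):
        block = _xor(padded[i:i + MD5_BLOCK], hashlib.md5(secret + prev).digest())
        out += block
        prev = block          # chaining input is the ciphertext, not the plaintext
    return bytes(out)


def radius_password_decrypt(ciphertext: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_password_encrypt; strips the NUL padding, so a
    cleartext ending in NUL is not representable (a limit RADIUS itself has)."""
    if not ciphertext or len(ciphertext) % MD5_BLOCK or len(ciphertext) > 128:
        raise ValueError("encrypted User-Password must be 16, 32, ... 128 octets")
    if len(authenticator) != MD5_BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    out, prev = bytearray(), authenticator
    for i in range(0, len(ciphertext), MD5_BLOCK):
        block = ciphertext[i:i + MD5_BLOCK]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return bytes(out).rstrip(b"\x00")


def radius_to_diameter_counter(octets: int, gigawords: int = 0) -> int:
    """Accounting-*-Octets (Unsigned64) = Acct-*-Gigawords * 2^32 + Acct-*-Octets."""
    if not (0 <= octets <= MAX32 and 0 <= gigawords <= MAX32):
        raise ValueError("RADIUS accounting counters are 32-bit")
    return (gigawords << 32) | octets


def diameter_to_radius_counter(value: int) -> Tuple[int, Optional[int]]:
    """Split an Unsigned64 AVP into (Acct-*-Octets, Acct-*-Gigawords or None);
    the Gigawords attribute is only emitted when the value exceeds 32 bits (9.2)."""
    if not 0 <= value <= (1 << 64) - 1:
        raise ValueError("Accounting-*-Octets is Unsigned64")
    low, high = value & MAX32, value >> 32
    return low, (high if high else None)
```

   Note that the RADIUS scheme is obfuscation keyed by the shared secret,
   not authenticated encryption: a wrong secret yields garbage rather than
   an error, which is why the draft has the agent re-protect the cleartext
   with Diameter security instead of relaying the RADIUS ciphertext.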
   Another problem may occur with Diameter AVP values that are more
   than 253 octets in length.  Some RADIUS attributes (including but
   not limited to (8) Reply-Message, (79) EAP-Message, and (77)
   Connect-Info) allow concatenation of multiple instances to overcome
   this limitation.  If this is not possible, a Result-Code of
   DIAMETER_INVALID_AVP_LENGTH should be returned.

9.6.  RADIUS Vendor Specific Attributes

   RADIUS supports the inclusion of Vendor Specific Attributes (VSAs)
   through the use of attribute 26.  The recommended format [RADIUS] of
   the attribute data field includes a 4-octet vendor code followed by a
   one-octet vendor type field and a one-octet length field.  The last
   two fields MAY be repeated.

9.6.1.  Forwarding a Diameter Vendor AVP as a RADIUS VSA

   The RADIUS VSA attribute should consist of the following fields:

      RADIUS Type                = 26, Vendor Specific Attribute
      RADIUS Length              = total length of attribute
                                   (header + data)
      RADIUS Vendor code         = Diameter Vendor code
      RADIUS Vendor type code    = low order byte of Diameter AVP code
      RADIUS Vendor data length  = length of Diameter data
                                   (not including padding)

   If the Diameter AVP code is greater than 255, then the RADIUS
   speaking code may use a vendor specific field coding, if it knows
   one for that vendor.  Otherwise, the AVP will be ignored, unless it
   is flagged as Mandatory, in which case a DIAMETER_AVP_UNSUPPORTED
   Result-Code will be returned and the RADIUS message will not be
   sent.

9.6.2.  Forwarding a RADIUS VSA to a Diameter Vendor AVP

   The Diameter AVP will consist of the following fields:

      Diameter Flags         : V=1, M=0, P=0
      Diameter Vendor code   = RADIUS VSA Vendor code
      Diameter AVP code      = RADIUS VSA Vendor type code
      Diameter AVP length    = length of AVP (header + data + padding)
      Diameter Data          = RADIUS VSA vendor data

   Note that VSAs are optional under the RADIUS rules, and this method
   does not set the Mandatory flag.  If a VSA is to be made mandatory,
   because it represents a required service policy, the RADIUS gateway
   should have a process to set the bit.

   If the RADIUS receiving code knows of vendor specific field
   interpretations for the specific vendor, it may employ them to parse
   an extended AVP code or data length; otherwise the recommended
   standard fields will be used.

   Multiple vendor data fields nested within a single VSA MUST be
   expanded into multiple Diameter AVPs.

10.  AVP Occurrence Tables

   The following tables present the AVPs used by NAS applications, in
   NAS messages, and specify in which Diameter messages they MAY or
   MUST NOT be present.  [Base] messages and AVPs are not described
   here.  Note that AVPs that can only be present within a Grouped AVP
   are not represented in this table.

   The table uses the following symbols:

      0     The AVP MUST NOT be present in the message.
      0+    Zero or more instances of the AVP MAY be present in the
            message.
      0-1   Zero or one instance of the AVP MAY be present in the
            message.
      1     One instance of the AVP MUST be present in the message.

10.1.  AA-Request/Answer AVP Table

   The table in this section is limited to the Command Codes defined in
   this specification.
                                 +-----------+
                                 |  Command  |
                                 |-----+-----+
   Attribute Name                | AAR | AAA |
   ------------------------------|-----+-----+
   Acct-Interim-Interval         | 0   | 0-1 |
   ARAP-Challenge-Response       | 0   | 0-1 |
   ARAP-Features                 | 0   | 0-1 |
   ARAP-Password                 | 0-1 | 0   |
   ARAP-Security                 | 0-1 | 0-1 |
   ARAP-Security-Data            | 0+  | 0+  |
   ARAP-Zone-Access              | 0   | 0-1 |
   Auth-Application-Id           | 1   | 1   |
   Auth-Grace-Period             | 0-1 | 0-1 |
   Auth-Request-Type             | 1   | 1   |
   Auth-Session-State            | 0-1 | 0-1 |
   Authorization-Lifetime        | 0-1 | 0-1 |
   Callback-Id                   | 0   | 0-1 |
   Callback-Number               | 0-1 | 0-1 |
   Called-Station-Id             | 0-1 | 0   |
   Calling-Station-Id            | 0-1 | 0   |
   CHAP-Auth                     | 0-1 | 0   |
   CHAP-Challenge                | 0-1 | 0   |
   Class                         | 0   | 0+  |
   Configuration-Token           | 0   | 0+  |
   Connect-Info                  | 0-1 | 0   |
   Destination-Host              | 0-1 | 0   |
   Destination-Realm             | 1   | 0   |
   Error-Message                 | 0   | 0-1 |
   Error-Reporting-Host          | 0   | 0-1 |
   Failed-AVP                    | 0+  | 0+  |
   Filter-Id                     | 0   | 0+  |
   Framed-Appletalk-Link         | 0   | 0-1 |
   Framed-Appletalk-Network      | 0   | 0+  |
   Framed-Appletalk-Zone         | 0   | 0-1 |
   Framed-Compression            | 0+  | 0+  |
   Framed-Interface-Id           | 0-1 | 0-1 |
   Framed-IP-Address             | 0-1 | 0-1 |
   Framed-IP-Netmask             | 0-1 | 0-1 |
   Framed-IPv6-Prefix            | 0+  | 0+  |
   Framed-IPv6-Pool              | 0   | 0-1 |
   Framed-IPv6-Route             | 0   | 0+  |
   Framed-IPX-Network            | 0   | 0-1 |
   Framed-MTU                    | 0-1 | 0-1 |
   Framed-Pool                   | 0   | 0-1 |
   Framed-Protocol               | 0-1 | 0-1 |
   Framed-Route                  | 0   | 0+  |
   Framed-Routing                | 0   | 0-1 |
   Idle-Timeout                  | 0   | 0-1 |
   Login-IP-Host                 | 0+  | 0+  |
   Login-IPv6-Host               | 0+  | 0+  |
   Login-LAT-Group               | 0-1 | 0-1 |
   Login-LAT-Node                | 0-1 | 0-1 |
   Login-LAT-Port                | 0-1 | 0-1 |
   Login-LAT-Service             | 0-1 | 0-1 |
   Login-Service                 | 0   | 0-1 |
   Login-TCP-Port                | 0   | 0-1 |
   Multi-Round-Time-Out          | 0   | 0-1 |
   NAS-Filter-Rule               | 0   | 0+  |
   NAS-Identifier                | 0-1 | 0   |
   NAS-IP-Address                | 0-1 | 0   |
   NAS-IPv6-Address              | 0-1 | 0   |
   NAS-Port                      | 0-1 | 0   |
   NAS-Port-Id                   | 0-1 | 0   |
   NAS-Port-Type                 | 0-1 | 0   |
   Originating-Line-Info         | 0-1 | 0   |
   Origin-Host                   | 1   | 1   |
   Origin-Realm                  | 1   | 1   |
   Origin-State-Id               | 0-1 | 0-1 |
   Password-Retry                | 0   | 0-1 |
   Port-Limit                    | 0-1 | 0-1 |
   Prompt                        | 0   | 0-1 |
   Proxy-Info                    | 0+  | 0+  |
   Re-Auth-Request-Type          | 0   | 0-1 |
   Redirect-Host                 | 0   | 0+  |
   Redirect-Host-Usage           | 0   | 0-1 |
   Redirect-Max-Cache-Time       | 0   | 0-1 |
   Reply-Message                 | 0   | 0+  |
   Result-Code                   | 0   | 1   |
   Route-Record                  | 0+  | 0   |
   Service-Type                  | 0-1 | 0-1 |
   Session-Id                    | 1   | 1   |
   Session-Timeout               | 0   | 0-1 |
   State                         | 0-1 | 0-1 |
   Termination-Action            | 0   | 0-1 |
   Termination-Cause             | 0   | 0-1 |
   Tunneling                     | 0+  | 0+  |
   User-Name                     | 0-1 | 0-1 |
   User-Password                 | 0-1 | 0   |
   ------------------------------|-----+-----+

10.2.  Accounting AVP Tables

   The tables in this section are used to represent which AVPs defined
   in this document are to be present and used in NAS application
   Accounting messages.  These AVPs are defined in this document, as
   well as in [Base] and [RADIUSAcct].

10.2.1.  Accounting Framed Access AVP Table

   The table in this section is used when the Service-Type specifies
   Framed Access.
                                          +-----------+
                                          |  Command  |
                                          |-----+-----+
   Attribute Name                         | ACR | ACA |
   ---------------------------------------|-----+-----+
   Accounting-Input-Octets                | 1   | 0   |
   Accounting-Input-Packets               | 1   | 0   |
   Accounting-Output-Octets               | 1   | 0   |
   Accounting-Output-Packets              | 1   | 0   |
   Accounting-Record-Type                 | 1   | 1   |
   Accounting-Record-Number               | 0-1 | 0-1 |
   Accounting-Realtime-Required           | 0-1 | 0   |
   Accounting-Sub-Session-Id              | 0-1 | 0-1 |
   Acct-Application-Id                    | 0-1 | 0-1 |
   Acct-Session-Id                        | 0-1 | 0-1 |
   Acct-Multi-Session-Id                  | 0-1 | 0-1 |
   Acct-Authentic                         | 1   | 0   |
   Acct-Delay-Time                        | 0-1 | 0   |
   Acct-Interim-Interval                  | 0-1 | 0   |
   Acct-Link-Count                        | 0-1 | 0   |
   Acct-Session-Time                      | 1   | 0   |
   Acct-Tunnel-Connection                 | 0-1 | 0   |
   Acct-Tunnel-Packets-Lost               | 0-1 | 0   |
   Connect-Info                           | 0+  | 0   |
   Event-Timestamp                        | 0-1 | 0-1 |
   Error-Reporting-Host                   | 0   | 0-1 |
   Framed-AppleTalk-Link                  | 0-1 | 0   |
   Framed-AppleTalk-Network               | 0-1 | 0   |
   Framed-AppleTalk-Zone                  | 0-1 | 0   |
   Framed-Compression                     | 0-1 | 0   |
   Framed-IP-Address                      | 0-1 | 0   |
   Framed-IP-Netmask                      | 0-1 | 0   |
   Framed-IPv6-Pool                       | 0-1 | 0   |
   Framed-IPX-Network                     | 0-1 | 0   |
   Framed-MTU                             | 0-1 | 0   |
   Framed-Pool                            | 0-1 | 0   |
   Framed-Protocol                        | 0-1 | 0   |
   Framed-Route                           | 0-1 | 0   |
   Framed-Routing                         | 0-1 | 0   |
   NAS-Filter-Rule                        | 0-1 | 0   |
   NAS-Identifier                         | 0-1 | 0-1 |
   NAS-IP-Address                         | 0-1 | 0-1 |
   NAS-IPv6-Address                       | 0-1 | 0-1 |
   NAS-Port                               | 0-1 | 0-1 |
   NAS-Port-Id                            | 0-1 | 0-1 |
   NAS-Port-Type                          | 0-1 | 0-1 |
   Origin-Host                            | 1   | 1   |
   Origin-Realm                           | 1   | 1   |
   Origin-State-Id                        | 0-1 | 0-1 |
   Proxy-Info                             | 0+  | 0+  |
   Route-Record                           | 0+  | 0+  |
   Service-Type                           | 0-1 | 0-1 |
   Termination-Cause                      | 0-1 | 0-1 |
   Tunnel-Assignment-Id                   | 0-1 | 0   |
   Tunnel-Client-Endpoint                 | 0-1 | 0   |
   Tunnel-Medium-Type                     | 0-1 | 0   |
   Tunnel-Private-Group-Id                | 0-1 | 0   |
   Tunnel-Server-Endpoint                 | 0-1 | 0   |
   Tunnel-Type                            | 0-1 | 0   |
   User-Name                              | 0-1 | 0-1 |
   Vendor-Specific-Application-Id         | 0-1 | 0-1 |
   ---------------------------------------|-----+-----+

10.2.2. Accounting Non-Framed Access AVP Table

   The table in this section is used when the Service-Type specifies
   Non-Framed Access.

                                          +-----------+
                                          |  Command  |
                                          |-----+-----+
   Attribute Name                         | ACR | ACA |
   ---------------------------------------|-----+-----+
   Accounting-Input-Octets                | 1   | 0   |
   Accounting-Output-Octets               | 1   | 0   |
   Accounting-Record-Type                 | 1   | 1   |
   Accounting-Record-Number               | 0-1 | 0-1 |
   Accounting-Realtime-Required           | 0-1 | 0   |
   Accounting-Sub-Session-Id              | 0-1 | 0-1 |
   Acct-Application-Id                    | 1   | 1   |
   Acct-Session-Id                        | 1   | 0-1 |
   Acct-Multi-Session-Id                  | 0-1 | 0-1 |
   Acct-Authentic                         | 1   | 0   |
   Acct-Delay-Time                        | 0-1 | 0   |
   Acct-Interim-Interval                  | 0-1 | 0   |
   Acct-Link-Count                        | 0-1 | 0   |
   Acct-Session-Time                      | 1   | 0   |
   Event-Timestamp                        | 0-1 | 0-1 |
   Error-Reporting-Host                   | 0   | 0-1 |
   Login-IP-Host                          | 0+  | 0   |
   Login-IPv6-Host                        | 0+  | 0   |
   Login-LAT-Service                      | 0-1 | 0   |
   Login-LAT-Node                         | 0-1 | 0   |
   Login-LAT-Group                        | 0-1 | 0   |
   Login-LAT-Port                         | 0-1 | 0   |
   Login-Service                          | 0-1 | 0   |
   Login-TCP-Port                         | 0-1 | 0   |
   NAS-Identifier                         | 0-1 | 0-1 |
   NAS-IP-Address                         | 0-1 | 0-1 |
   NAS-IPv6-Address                       | 0-1 | 0-1 |
   NAS-Port                               | 0-1 | 0-1 |
   NAS-Port-Id                            | 0-1 | 0-1 |
   NAS-Port-Type                          | 0-1 | 0-1 |
   Origin-Host                            | 1   | 1   |
   Origin-Realm                           | 1   | 1   |
   Origin-State-Id                        | 0-1 | 0-1 |
   Proxy-Info                             | 0+  | 0+  |
   Route-Record                           | 0+  | 0+  |
   Service-Type                           | 0-1 | 0-1 |
   Termination-Cause                      | 0-1 | 0-1 |
   User-Name                              | 0-1 | 0-1 |
   Vendor-Specific-Application-Id         | 0-1 | 0-1 |
   ---------------------------------------|-----+-----+

11. IANA Considerations

   This section provides guidance to the Internet Assigned Numbers
   Authority (IANA) regarding registration of values related to the
   Diameter protocol, in accordance with BCP 26 [IANAConsid].

   This document defines values in the namespaces that have been created
   and defined in the Diameter Base [Base].  The IANA Considerations
   section of that document details the assignment criteria.  Values
   assigned in this document, or by future IANA action, must be
   coordinated within this shared namespace.

11.1. Command Codes

   This specification assigns the values 265 and 268 from the Command
   Code namespace defined in [Base].  See Sections 3.1 and 3.2 for the
   assignment of the namespace in this specification.

11.2. AVP Codes

   This specification assigns the values 363-366 and 400-405 from the
   AVP Code namespace defined in [Base].  See Sections 4 and 5 for the
   assignment of the namespace in this specification.  Note that the
   values 363-366 are jointly, but consistently, assigned in [DiamMIP].

   This specification also specifies the use of AVPs in the 0-255 range,
   which are defined in [RADIUSTypes].  These values are assigned by the
   policy in RFC 2865 Section 6 [RADIUS].

11.3. Application Identifier

   This specification uses the value one (1) in the Application
   Identifier namespace as assigned in [Base].  See Section 1.2 above
   for more information.

11.4. CHAP-Algorithm AVP Values

   As defined in Section 5.5, the CHAP-Algorithm AVP (AVP Code 403) uses
   the values of the "PPP AUTHENTICATION ALGORITHMS" namespace defined
   in [PPPCHAP].

12. Security Considerations

   The security considerations of the Diameter protocol itself have
   been discussed in [Base].
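   The CHAP replay property discussed in this section follows from two
   facts visible in the AVP tables: the CHAP-Challenge AVP travels only
   in the AAR, so the NAS rather than the Diameter server chooses the
   challenge, and the CHAP-Response in the CHAP-Auth grouped AVP is the
   deterministic MD5 of [PPPCHAP] over the Identifier, the secret and
   that challenge.  The Python below is an added example, not code from
   this specification or from any Diameter implementation; the credential
   store and the "replay cache" mitigation are illustrative assumptions,
   not mechanisms the draft defines.  It computes the RFC 1994 response,
   shows a server that checks only what the AVPs carry accepting a
   captured challenge/response pair a second time, and shows the partial
   effect of remembering challenges already accepted.

```python
import hashlib
import hmac
import os
from typing import Dict, Set, Tuple

# Constructed example credential store (assumption for this example only).
USER_SECRETS: Dict[str, bytes] = {"alice": b"correct horse battery staple"}


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP Response Value: MD5(Identifier || secret || Challenge Value).

    The peer computes this; the NAS forwards it in CHAP-Auth (CHAP-Ident,
    CHAP-Response) alongside the CHAP-Challenge AVP it chose itself.
    """
    if not 0 <= ident <= 0xFF:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def verify_stateless(user: str, ident: int, challenge: bytes, response: bytes) -> bool:
    """All a RADIUS-style server can check from the AVPs alone.

    The challenge came from the NAS, so the server cannot distinguish a
    fresh exchange from a captured pair presented again.
    """
    secret = USER_SECRETS.get(user)
    if secret is None:
        return False
    expected = chap_response(ident, secret, challenge)
    return hmac.compare_digest(expected, response)


class ReplayCachingVerifier:
    """Partial mitigation, illustrative only (not specified by the draft):
    refuse a (user, challenge) pair that has already been accepted.  It does
    nothing against an attacker whose replay reaches the server before the
    genuine request does, and a real deployment needs bounded, per-NAS state."""

    def __init__(self) -> None:
        self._accepted: Set[Tuple[str, bytes]] = set()

    def verify(self, user: str, ident: int, challenge: bytes, response: bytes) -> bool:
        if (user, challenge) in self._accepted:
            return False
        ok = verify_stateless(user, ident, challenge, response)
        if ok:
            self._accepted.add((user, challenge))
        return ok


def demo_replay() -> Tuple[bool, bool, bool, bool]:
    """(genuine accepted, replay accepted by stateless verifier,
        replay accepted by caching verifier, forged response accepted)."""
    nas_challenge = os.urandom(16)   # chosen by the NAS, not by the Diameter server
    ident = 0x2A
    captured = chap_response(ident, USER_SECRETS["alice"], nas_challenge)

    genuine = verify_stateless("alice", ident, nas_challenge, captured)
    replayed = verify_stateless("alice", ident, nas_challenge, captured)

    cache = ReplayCachingVerifier()
    cache.verify("alice", ident, nas_challenge, captured)     # first use: accepted
    replay_cached = cache.verify("alice", ident, nas_challenge, captured)

    forged = verify_stateless("alice", ident, nas_challenge,
                              chap_response(ident, b"wrong secret", nas_challenge))
    return genuine, replayed, replay_cached, forged


if __name__ == "__main__":
    print(demo_replay())  # (True, True, False, False)
```

   The contrast with PAP is that a captured PAP User-Password is the
   credential itself, whereas a captured CHAP pair is only reusable
   against the same challenge; neither property makes the exchange safe
   across an agent that is not trusted, which is why [Base] transport
   protection is assumed in both cases.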
   This document does not contain a security protocol, but does discuss
   how PPP authentication protocols can be carried within the Diameter
   protocol.  The PPP authentication protocols that are described are
   PAP and CHAP.

   The use of PAP SHOULD be discouraged, since it exposes the user's
   password to every entity on the path, some of which may not be
   trusted.  However, PAP is also frequently used to carry One-Time
   Passwords (OTP), and a captured one-time password does not carry the
   same risk.

   This document also describes how CHAP can be carried within the
   Diameter protocol, which is required for RADIUS backward
   compatibility.  The CHAP protocol, as used in a RADIUS environment,
   facilitates authentication replay attacks: the NAS, not the server,
   chooses the challenge, so the server cannot distinguish a fresh
   exchange from a captured challenge/response pair presented again.

13. References

13.1. Normative References

   [Base]        P. Calhoun, et al., "Diameter Base Protocol",
                 draft-ietf-aaa-diameter-17.txt, IETF work in progress,
                 December 2002.

   [AAATrans]    B. Aboba, J. Wood, "Authentication, Authorization and
                 Accounting (AAA) Transport Profile",
                 draft-ietf-aaa-transport-12, IETF work in progress,
                 January 2003.

   [RADIUS]      C. Rigney, A. Rubens, W. Simpson, S. Willens, "Remote
                 Authentication Dial In User Service (RADIUS)", RFC 2865,
                 June 2000.

   [RADIUSTypes] IANA, "RADIUS Types", URL:

   [RADIUSIPv6]  B. Aboba, G. Zorn, D. Mitton, "RADIUS and IPv6",
                 RFC 3162, August 2001.

   [IPv6Addr]    R. Hinden, S. Deering, "IP Version 6 Addressing
                 Architecture", RFC 2373, July 1998.

   [PPPCHAP]     W. Simpson, "PPP Challenge Handshake Authentication
                 Protocol (CHAP)", RFC 1994, August 1996.

   [IANAConsid]  T. Narten, H. Alvestrand, "Guidelines for Writing an
                 IANA Considerations Section in RFCs", BCP 26, RFC 2434,
                 October 1998.

   [IANA]        IANA Assigned Numbers Database, URL:

   [Keywords]    S. Bradner, "Key words for use in RFCs to Indicate
                 Requirement Levels", BCP 14, RFC 2119, March 1997.

   [ISOLatin]    ISO 8859.  International Standard -- Information
                 Processing -- 8-bit Single-Byte Coded Graphic Character
                 Sets -- Part 1: Latin Alphabet No. 1, ISO 8859-1:1987.
                 URL:

   [ANITypes]    NANPA Number Resource Info, ANI Assignments, URL:

13.2. Informative References

   [NAI]         B. Aboba, M. Beadles, "The Network Access Identifier",
                 RFC 2486, January 1999.

   [RADIUSAcct]  C. Rigney, "RADIUS Accounting", RFC 2866, June 2000.

   [RADIUSExt]   C. Rigney, W. Willats, P. Calhoun, "RADIUS Extensions",
                 RFC 2869, June 2000.

   [RADTunnels]  G. Zorn, D. Leifer, A. Rubens, J. Shriver, M. Holdrege,
                 I. Goyret, "RADIUS Attributes for Tunnel Protocol
                 Support", RFC 2868, June 2000.

   [RADTunlAcct] G. Zorn, B. Aboba, D. Mitton, "RADIUS Accounting
                 Modifications for Tunnel Protocol Support", RFC 2867,
                 June 2000.

   [RADDynAuth]  M. Chiba, G. Dommety, M. Eklund, D. Mitton, B. Aboba,
                 draft-chiba-radius-dynamic-authorization-20.txt, Work in
                 Progress, May 2003.

   [RADIUSIANA]  B. Aboba, "IANA Considerations for RADIUS",
                 draft-aboba-radius-iana-07.txt, Work in Progress,
                 April 2003.

   [ExtRADPract] D. Mitton, "Network Access Servers Requirements:
                 Extended RADIUS Practices", RFC 2882, July 2000.

   [NASModel]    D. Mitton, M. Beadles, "Network Access Server
                 Requirements Next Generation (NASREQNG) NAS Model",
                 RFC 2881, July 2000.

   [NASCriteria] M. Beadles, D. Mitton, "Criteria for Evaluating Network
                 Access Server Protocols", RFC 3169, September 2001.

   [AAACriteria] B. Aboba, et al., "Criteria for Evaluating AAA Protocols
                 for Network Access", RFC 2989, November 2000.

   [DiamEAP]     G. Zorn, "Diameter EAP Application",
                 draft-ietf-aaa-eap-01.txt, IETF work in progress,
                 August 2002.

   [DiamCMS]     P. Calhoun, W. Bulley, S. Farrell, "Diameter CMS
                 Security Application",
                 draft-ietf-aaa-diameter-cms-sec-04.txt, IETF work in
                 progress, March 2002.

   [DiamMIP]     P. Calhoun, C. Perkins, T. Johansson, "Diameter Mobile
                 IP Application", draft-ietf-aaa-diameter-mobileip-14.txt,
                 IETF work in progress, April 2003.

   [RAD802.1X]   P. Congdon, et al., "IEEE 802.1X RADIUS Usage
                 Guidelines", draft-congdon-8021x-RADIUS-29.txt, IETF
                 work in progress, April 2003.

   [802.1X]      IEEE Standard for Local and metropolitan networks -
                 Port-Based Network Access Control, IEEE Std 802.1X-2001,
                 June 2001.

   [CDMA2000]    3GPP2, "P.S0001-B", Wireless IP Network Standard,
                 October 2002.
                 http://www.3gpp2.com/Public_html/specs/P.S0001-B_v1.0.pdf

   [TCPCompress] V. Jacobson, "Compressing TCP/IP headers for low-speed
                 serial links", RFC 1144, February 1990.

   [PPPMP]       K. Sklower, B. Lloyd, G. McGregor, D. Carr, "The PPP
                 Multilink Protocol (MP)", RFC 1717, November 1994.

   [PPTP]        K. Hamzeh, G. Pall, W. Verthein, J. Taarud, W. Little,
                 G. Zorn, "Point-to-Point Tunneling Protocol (PPTP)",
                 RFC 2637, July 1999.

   [L2F]         A. Valencia, M. Littlewood, T. Kolar, "Cisco Layer Two
                 Forwarding (Protocol) 'L2F'", RFC 2341, May 1998.

   [L2TP]        W. M. Townsley, A. Valencia, A. Rubens, G. S. Pall,
                 G. Zorn, B. Palter, "Layer Two Tunneling Protocol
                 (L2TP)", RFC 2661, August 1999.

   [ATMP]        K. Hamzeh, "Ascend Tunnel Management Protocol - ATMP",
                 RFC 2107, February 1997.

   [MSMPPE]      G. Pall, G. Zorn, "Microsoft Point-To-Point Encryption
                 (MPPE) Protocol", RFC 3078, March 2001.

   [UTF-8]       F. Yergeau, "UTF-8, a transformation format of
                 ISO 10646", RFC 2279, January 1998.

   [STD51]       W. Simpson, Editor, "The Point-to-Point Protocol (PPP)",
                 STD 51, RFC 1661, July 1994.

14. Acknowledgements

   The authors would like to thank Carl Rigney, Allan C. Rubens, William
   Allen Simpson, and Steve Willens for their work on the original
   RADIUS [RADIUS], from which many of the concepts in this
   specification were derived.  Thanks, also, to: Carl Rigney for
   [RADIUSAcct] and [RADIUSExt]; Ward Willats for [RADIUSExt]; Glen
   Zorn, Bernard Aboba and Dave Mitton for [RADTunlAcct] and
   [RADIUSIPv6]; Dory Leifer, John Shriver, Matt Holdrege and Ignacio
   Goyret for their work on [RADTunnels].  This document stole text and
   concepts from both [RADTunnels] and [RADIUSExt].  Thanks go to Carl
   Williams for providing IPv6 specific text.

   The authors would also like to acknowledge the following people for
   their contributions in the development of the Diameter protocol:
   Bernard Aboba, Jari Arkko, William Bulley, Kuntal Chowdhury, Daniel
   C. Fox, Lol Grant, Nancy Greene, Jeff Hagg, Peter Heitman, Paul
   Krumviede, Fergal Ladley, Ryan Moats, Victor Muslin, Kenneth Peirce,
   Sumit Vakil, John R. Vollbrecht and Jeff Weisberg.

   Finally, Pat Calhoun would like to thank Sun Microsystems since most
   of the effort put into this document was done while he was in their
   employ.

15. Authors' Addresses

   Questions about this memo can be directed to:

   Pat R. Calhoun
   Airespace
   110 Nortech Parkway
   San Jose, CA 95134
   USA

   Phone: 1 408-635-2023
   E-mail: pcalhoun@airespace.com

   Glen Zorn
   Cisco Systems, Inc.
   500 108th Avenue N.E., Suite 500
   Bellevue, WA 98004
   USA

   Phone: 1 425-471-4861
   E-Mail: gwz@cisco.com

   David Spence
   Interlink Networks, Inc.
   775 Technology Drive, Suite 200
   Ann Arbor, MI 48108
   USA

   Phone: 1 734-821-1203
   Fax: 1 734-821-1235
   EMail: dspence@interlinknetworks.com

   David Mitton
   Circular Logic Unlimited
   733 Turnpike St #154
   North Andover, MA 01845

   Email: david@mitton.com

Intellectual Property Considerations

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights.  Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11.  Copies of
   claims of rights made available for publication and any assurances of
   licenses to be made available, or the result of an attempt made to
   obtain a general license or permission for the use of such
   proprietary rights by implementers or users of this specification can
   be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard.  Please address the information to the IETF Executive
   Director.

Full Copyright Statement

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.  The limited permissions granted above are perpetual and
   will not be revoked by the Internet Society or its successors or
   assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.