idnits 2.17.1

draft-ietf-aaa-diameter-nasreq-13.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate. This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == There are 2 instances of lines with private range IPv4 addresses in the
     document. If these are generic example addresses, they should be changed
     to use any of the ranges defined in RFC 6890 (or successor): 192.0.2.x,
     198.51.100.x or 203.0.113.x.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  == Line 222 has weird spacing: '...inology use...'
  == Line 556 has weird spacing: '...ge that incl...'
  == Line 1565 has weird spacing: '...onveyed by ...'
  == Line 1892 has weird spacing: '...ent. If addit...'
  == Line 2098 has weird spacing: '...concise and ...'
  == (4 more instances...)

  == The document seems to lack the recommended RFC 2119 boilerplate, even if
     it appears to use RFC 2119 keywords. (The document does seem to have the
     reference to RFC 2119 which the ID-Checklist requires).

  == The expression 'MAY NOT', while looking like RFC 2119 requirements text,
     is not defined in RFC 2119, and should not be used. Consider using 'MUST
     NOT' instead (if that is what you mean).

     Found 'MAY NOT' in this paragraph:

     The following tables present the AVPs used by NAS applications, in NAS
     messages, and specify in which Diameter messages they MAY, or MAY NOT be
     present. [Base] messages and AVPs are not described in this document.
     Note that AVPs that can only be present within a Grouped AVP are not
     represented in this table.

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008. If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment. If not, you may need to add the pre-RFC5378 disclaimer.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (Oct 2003) is 7491 days in the past. Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'DiamTrans' is mentioned on line 200, but not defined
  == Missing Reference: 'NASmodel' is mentioned on line 227, but not defined
  == Missing Reference: 'RFC3576' is mentioned on line 1046, but not defined
  ** Obsolete undefined reference: RFC 3576 (Obsoleted by RFC 5176)
  == Missing Reference: 'PPPMP' is mentioned on line 1107, but not defined
  == Missing Reference: 'PPTP' is mentioned on line 1773, but not defined
  == Missing Reference: 'L2TP' is mentioned on line 1773, but not defined
  == Missing Reference: 'RADIPV6' is mentioned on line 3175, but not defined
  == Unused Reference: 'AAATrans' is defined on line 3065, but no explicit
     reference was found in the text
  == Unused Reference: 'RADIUSIANA' is defined on line 3124, but no explicit
     reference was found in the text
  == Unused Reference: 'ExtRADPract' is defined on line 3127, but no explicit
     reference was found in the text
  == Unused Reference: 'NASModel' is defined on line 3130, but no explicit
     reference was found in the text
  == Unused Reference: 'CDMA2000' is defined on line 3158, but no explicit
     reference was found in the text
  == Unused Reference: 'UTF-8' is defined on line 3162, but no explicit
     reference was found in the text
  ** Obsolete normative reference: RFC 3588 (ref. 'Base') (Obsoleted by RFC 6733)
  -- Possible downref: Non-RFC (?) normative reference: ref. 'RADIUSTypes'
  ** Obsolete normative reference: RFC 2434 (ref. 'IANAConsid') (Obsoleted by RFC 5226)
  -- Possible downref: Non-RFC (?) normative reference: ref. 'IANA'
  -- Possible downref: Non-RFC (?) normative reference: ref. 'ISOLatin'
  -- Possible downref: Non-RFC (?) normative reference: ref. 'ANITypes'
  -- Obsolete informational reference (is this intentional?): RFC 3576 (ref. 'RADDynAuth') (Obsoleted by RFC 5176)
  == Outdated reference: A later version (-10) exists of draft-ietf-aaa-eap-01
  == Outdated reference: A later version (-20) exists of draft-ietf-aaa-diameter-mobileip-14
  -- Obsolete informational reference (is this intentional?): RFC 2279 (ref. 'UTF-8') (Obsoleted by RFC 3629)

     Summary: 4 errors (**), 0 flaws (~~), 25 warnings (==), 8 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

AAA Working Group                                           Pat R. Calhoun
Internet-Draft                                               Airespace Inc.
Category: Standards Track                                         Glen Zorn
                                                         Cisco Systems Inc.
                                                               David Spence
                                                     Interlink Networks Inc.
                                                               David Mitton
                                                             Circular Logic
                                                                   Oct 2003

                Diameter Network Access Server Application
                    draft-ietf-aaa-diameter-nasreq-13.txt

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as Internet-
   Drafts.
   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft
   Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This document is a product of the Authentication, Authorization and
   Accounting (AAA) Working Group of the Internet Engineering Task Force
   (IETF). Comments are welcome and should be submitted to the mailing
   list aaa-wg@merit.edu.

   Copyright (C) The Internet Society 2003. All Rights Reserved.

Abstract

   This document describes the Diameter protocol application used for
   Authentication, Authorization and Accounting (AAA) services in the
   Network Access Server (NAS) environment. This application
   specification, when combined with the Diameter Base protocol,
   Transport Profile, and Extensible Authentication Protocol
   specifications, satisfies typical network access services
   requirements.

   Initial deployments of the Diameter protocol are expected to include
   legacy systems. Therefore, this application was carefully designed to
   ease the burden of protocol conversion between RADIUS and Diameter.
   This is achieved by including the RADIUS attribute space, and
   eliminating the need to perform many attribute translations.

Table of Contents

   1.  Introduction
       1.1.  Terminology
       1.2.  Requirements Language
       1.3.  Advertising Application Support
   2.  NAS Calls, Ports, and Sessions
       2.1.  Diameter Session Establishment
       2.2.  Diameter Session Reauthentication or Reauthorization
       2.3.  Diameter Session Termination
   3.  NAS Messages
       3.1.  AA-Request (AAR) Command
       3.2.  AA-Answer (AAA) Command
   4.  NAS Session AVPs
       4.1.  Call and Session Information
       4.2.  NAS-Port AVP
       4.3.  NAS-Port-Id AVP
       4.4.  NAS-Port-Type AVP
       4.5.  Called-Station-Id AVP
       4.6.  Calling-Station-Id AVP
       4.7.  Connect-Info AVP
       4.8.  Originating-Line-Info AVP
       4.9.  Reply-Message AVP
   5.  NAS Authentication AVPs
       5.1.  User-Password AVP
       5.2.  Password-Retry AVP
       5.3.  Prompt AVP
       5.4.  CHAP-Auth AVP
       5.5.  CHAP-Algorithm AVP
       5.6.  CHAP-Ident AVP
       5.7.  CHAP-Response AVP
       5.8.  CHAP-Challenge AVP
       5.9.  ARAP-Password AVP
       5.10. ARAP-Challenge-Response AVP
       5.11. ARAP-Security AVP
       5.12. ARAP-Security-Data AVP
   6.  NAS Authorization AVPs
       6.1.  Service-Type AVP
       6.2.  Callback-Number AVP
       6.3.  Callback-Id AVP
       6.4.  Idle-Timeout AVP
       6.5.  Port-Limit AVP
       6.6.  NAS-Filter-Rule AVP
       6.7.  Filter-Id AVP
       6.8.  Configuration-Token AVP
       6.9.  Framed Access Authorization AVPs
             6.9.1.  Framed-Protocol AVP
             6.9.2.  Framed-Routing AVP
             6.9.3.  Framed-MTU AVP
             6.9.4.  Framed-Compression AVP
       6.10. IP Access
             6.10.1. Framed-IP-Address AVP
             6.10.2. Framed-IP-Netmask AVP
             6.10.3. Framed-Route AVP
             6.10.4. Framed-Pool AVP
             6.10.5. Framed-Interface-Id AVP
             6.10.6. Framed-IPv6-Prefix AVP
             6.10.7. Framed-IPv6-Route AVP
             6.10.8. Framed-IPv6-Pool AVP
       6.11. IPX Access
             6.11.1. Framed-IPX-Network AVP
       6.12. Appletalk Access
             6.12.1. Framed-AppleTalk-Link AVP
             6.12.2. Framed-AppleTalk-Network AVP
             6.12.3. Framed-AppleTalk-Zone AVP
       6.13. ARAP Access
             6.13.1. ARAP-Features AVP
             6.13.2. ARAP-Zone-Access AVP
       6.14. Non-Framed Access Authorization AVPs
             6.14.1. Login-IP-Host AVP
             6.14.2. Login-IPv6-Host AVP
             6.14.3. Login-Service AVP
       6.15. TCP Services
             6.15.1. Login-TCP-Port AVP
             6.15.2. LAT Services
             6.15.3. Login-LAT-Service AVP
             6.15.4. Login-LAT-Node AVP
             6.15.5. Login-LAT-Group AVP
             6.15.6. Login-LAT-Port AVP
   7.  NAS Tunneling
       7.1.  Tunneling AVP
       7.2.  Tunnel-Type AVP
       7.3.  Tunnel-Medium-Type AVP
       7.4.  Tunnel-Client-Endpoint AVP
       7.5.  Tunnel-Server-Endpoint AVP
       7.6.  Tunnel-Password AVP
       7.7.  Tunnel-Private-Group-Id AVP
       7.8.  Tunnel-Assignment-Id AVP
       7.9.  Tunnel-Preference AVP
       7.10. Tunnel-Client-Auth-Id AVP
       7.11. Tunnel-Server-Auth-Id AVP
   8.  NAS Accounting
       8.1.  Accounting-Input-Octets AVP
       8.2.  Accounting-Output-Octets AVP
       8.3.  Accounting-Input-Packets AVP
       8.4.  Accounting-Output-Packets AVP
       8.5.  Acct-Session-Time AVP
       8.6.  Acct-Authentic AVP
       8.7.  Accounting-Auth-Method AVP
       8.8.  Acct-Delay-Time
       8.9.  Acct-Link-Count
       8.10. Acct-Tunnel-Connection AVP
       8.11. Acct-Tunnel-Packets-Lost AVP
   9.  RADIUS/Diameter Protocol Interactions
       9.1.  RADIUS Request Forwarded as Diameter Request
       9.2.  Diameter Request Forwarded as RADIUS Request
       9.3.  AVPs Used Only for Compatibility
             9.3.1.  NAS-Identifier AVP
             9.3.2.  NAS-IP-Address AVP
             9.3.3.  NAS-IPv6-Address AVP
             9.3.4.  State AVP
             9.3.5.  Termination-Cause AVP Code Values
       9.4.  Prohibited RADIUS Attributes
       9.5.  Translatable Diameter AVPs
       9.6.  RADIUS Vendor Specific Attributes
             9.6.1.  Forwarding a Diameter Vendor AVP as a RADIUS VSA
             9.6.2.  Forwarding a RADIUS VSA to a Diameter Vendor AVP
   10. AVP Occurrence Tables
       10.1. AA-Request/Answer AVP Table
       10.2. Accounting AVP Tables
             10.2.1. Accounting Framed Access AVP Table
             10.2.2. Accounting Non-Framed Access AVP Table
   11. IANA Considerations
       11.1. Command Codes
       11.2. AVP Codes
       11.3. Application Identifier
       11.4. CHAP-Algorithm AVP Values
       11.5. Accounting-Auth-Method AVP Values
   12. Security Considerations
   13. References
       13.1. Normative References
       13.2. Informative References
   14. Acknowledgements
   15. Authors' Addresses
   Intellectual Property Considerations
   Full Copyright Statement

1. Introduction

   This document describes the Diameter protocol application used for
   AAA in the Network Access Server (NAS) environment. This Diameter NAS
   application specification, when combined with the Diameter Base
   protocol [Base], Transport Profile [DiamTrans], and EAP [DiamEAP]
   specifications, satisfies NAS-related requirements defined in RFC2989
   [AAACriteria] and RFC3169 [NASCriteria].

   Initial deployments of the Diameter protocol are expected to include
   legacy systems. Therefore, this application was carefully designed to
   ease the burden of protocol conversion between RADIUS and Diameter.
   This is achieved by including the RADIUS attribute space, and
   eliminating the need to perform many attribute translations.

   This document first describes the operation of a Diameter NAS
   application. Then it defines the Diameter message Command-Codes.
   The following sections enumerate the AVPs used in these messages,
   grouped by common usage: session identification, authentication,
   authorization, tunneling, and accounting. The authorization AVPs are
   further broken down by service type. Interaction and backwards
   compatibility issues with RADIUS are discussed in later sections.

1.1. Terminology

   The base Diameter [Base] specification Section 1.4 defines most of
   the terminology used in this document.
   Additionally, the following terms and acronyms are used in this
   application:

   NAS - Network Access Server; a device which provides an access
   service to a network. The service may be a network connection, or a
   value added service such as terminal emulation. [NASmodel]

   CMS - Cryptographic Message Syntax; a security method used in
   Diameter to secure AVPs. [DiamCMS]

   PPP - Point-to-Point Protocol; a multiprotocol serial datalink. PPP
   is the primary IP datalink used for dial-in NAS connection service.
   [STD51]

   CHAP - Challenge Handshake Authentication Protocol; an authentication
   process used in PPP. [PPPCHAP]

   PAP - Password Authentication Protocol; a deprecated PPP
   authentication process, still used for backwards compatibility.

   SLIP - Serial Line Interface Protocol; a serial datalink that only
   supports IP. An earlier design, prior to PPP.

   ARAP - Appletalk Remote Access Protocol; a serial datalink for
   accessing Appletalk networks.

   IPX - Internet Packet Exchange; the network protocol used by
   NetWare networks.

   LAT - Local Area Transport; a Digital Equipment Corp. LAN protocol
   for terminal services.

   VPN - Virtual Private Network; in this document it is used to
   describe access services which use tunneling methods.

1.2. Requirements Language

   In this document, the key words "MAY", "MUST", "MUST NOT",
   "OPTIONAL", "RECOMMENDED", "SHOULD", and "SHOULD NOT" are to be
   interpreted as described in [Keywords].

1.3. Advertising Application Support

   Diameter applications conforming to this specification MUST advertise
   support by including the value of one (1) in the Auth-Application-Id
   or the Acct-Application-Id AVP of the Capabilities-Exchange-Request
   and Capabilities-Exchange-Answer commands [Base].

2. NAS Calls, Ports, and Sessions

   The arrival of a new call or service connection at a port of a
   Network Access Server (NAS) starts a Diameter NAS message exchange.
   Information about the call, the identity of the user, and the user's
   authentication information are packaged into a Diameter AA-Request
   (AAR) message and sent to a server.

   The server processes the information and responds with a Diameter AA-
   Answer (AAA) message which contains authorization information for the
   NAS, or a failure code (Result-Code AVP). If the value of Result-
   Code is DIAMETER_MULTI_ROUND_AUTH, an additional authentication
   exchange is indicated, and several AAR and AAA messages may be
   exchanged until the transaction completes.

   The Diameter protocol allows authorization-only requests, signalled
   by the Auth-Request-Type AVP, where no authentication information is
   contained in a request from the client. This capability goes beyond
   the Call Check capabilities described in Section 5.6 of [RADIUS] in
   that no access decision is requested. As a result, service cannot be
   started on the basis of a response to an authorization-only request
   without introducing a significant security vulnerability.

   Since no equivalent capability exists in RADIUS, authorization-only
   requests from a NAS implementing Diameter may not be easily
   translated to an equivalent RADIUS message by a Diameter/RADIUS
   gateway. For example, where a Diameter authorization-only request
   cannot be translated to a RADIUS Call Check, it would be necessary
   for the Diameter/RADIUS gateway to add authentication information to
   the RADIUS Access-Request. On receiving the Access-Reply, the
   Diameter/RADIUS gateway would need to discard the access decision
   (Accept/Reject). It is not clear that these translations can be
   accomplished without adding significant security vulnerabilities.

2.1. Diameter Session Establishment

   When the authentication or authorization exchange completes
   successfully, the NAS application SHOULD start a session context. If
   the Result-Code DIAMETER_MULTI_ROUND_AUTH is returned, the exchange
   continues until a success or error is returned.

   If accounting is active, the application MUST also send an Accounting
   message [Base]. An Accounting-Record-Type of START_RECORD is sent
   for a new session. If a session fails to start, an EVENT_RECORD
   message describing the reason for the failure is sent.

   Note that the return of an unsupportable Accounting-Realtime-Required
   value [Base] would result in a failure to establish the session.

2.2. Diameter Session Reauthentication or Reauthorization

   The Diameter base protocol allows for users to be periodically
   reauthenticated and/or reauthorized. In such instances, the Session-
   Id AVP in the AAR message MUST be the same as the one present in the
   original authentication/authorization message.

   A Diameter server informs the NAS of the maximum time allowed before
   reauthentication or reauthorization via the Authorization-Lifetime
   AVP [Base]. A NAS MUST reauthenticate and/or reauthorize after the
   period provided by the Authorization-Lifetime AVP.

   Furthermore, it is possible for Diameter servers to issue unsolicited
   reauthentication and/or reauthorization requests (e.g. a
   Re-Auth-Request (RAR) message) to the NAS. Upon receipt of such a
   message, the NAS MUST respond to the request with a Re-Auth-Answer
   (RAA) message. If the Re-Auth-Request-Type is AUTHORIZE_ONLY, the
   message will contain AVPs to modify the current service. If the Re-
   Auth-Request-Type is AUTHORIZE_AUTHENTICATE, the NAS will
   reauthenticate the client, and send a new AAR message using the
   existing Session-Id.
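   The session rules of sections 2.1 and 2.2 (and the STR/STOP rule
   that section 2.3 states for termination) can be checked against a
   small NAS-side state machine. The following is an added example,
   not code from the draft or from any Diameter implementation; the
   class, method and attribute names are its own, the SERVICE_AVPS
   subset is constructed for illustration, and the numeric values for
   Accounting-Record-Type, Re-Auth-Request-Type, Auth-Request-Type and
   Result-Code are the ones registered by RFC 3588.

```python
"""Added example, not part of the draft: a NAS-side session tracker that
applies the rules of sections 2.1 and 2.2 (session start, accounting
records, Authorization-Lifetime expiry, server-initiated RAR) and the
STR/STOP rule of 2.3. Class, method and attribute names are this
example's own; the numeric values below are those registered by RFC 3588."""

EVENT_RECORD, START_RECORD, INTERIM_RECORD, STOP_RECORD = 1, 2, 3, 4   # Accounting-Record-Type
RAR_AUTHORIZE_ONLY, RAR_AUTHORIZE_AUTHENTICATE = 0, 1                  # Re-Auth-Request-Type
AUTHORIZE_AUTHENTICATE = 3                                             # Auth-Request-Type
DIAMETER_MULTI_ROUND_AUTH, DIAMETER_SUCCESS = 1001, 2001
DIAMETER_UNKNOWN_SESSION_ID = 5002
# Authorization AVPs this example tracks as the "current service" (a constructed subset)
SERVICE_AVPS = ("Framed-IP-Address", "Idle-Timeout", "Session-Timeout", "Filter-Id")


class NasSession:
    def __init__(self, session_id, accounting=True):
        self.session_id = session_id
        self.accounting = accounting
        self.active = False
        self.service = {}        # current authorization attributes
        self.expires_at = None   # absolute time at which reauth/reauthz is due
        self.records = []        # (Accounting-Record-Type, attributes) emitted, in order
        self.sent = []           # what the NAS sent: (command name, AVP dict)

    def _account(self, rtype, **attrs):
        if self.accounting:
            self.records.append((rtype, attrs))

    def on_aaa(self, aaa, now):
        """Apply an AA-Answer. Returns 'continue', 'failed' or 'active'."""
        if aaa["Session-Id"] != self.session_id:
            raise ValueError("answer belongs to another session")
        rc = aaa["Result-Code"]
        if rc == DIAMETER_MULTI_ROUND_AUTH:
            return "continue"            # more AAR/AAA rounds; no session context yet
        if rc != DIAMETER_SUCCESS:
            self._account(EVENT_RECORD, Result_Code=rc)   # session failed to start
            return "failed"
        self.service.update({k: v for k, v in aaa.items() if k in SERVICE_AVPS})
        lifetime = aaa.get("Authorization-Lifetime")
        self.expires_at = None if lifetime is None else now + lifetime
        if self.active:                  # reauth/reauthz completed: cumulative status
            self._account(INTERIM_RECORD, **self.service)
        else:
            self.active = True
            self._account(START_RECORD, **self.service)
        return "active"

    def reauth_due(self, now):
        """True once the Authorization-Lifetime granted by the server has elapsed."""
        return self.active and self.expires_at is not None and now >= self.expires_at

    def build_aar(self, user_name, auth_avps):
        """A (re)authentication AAR MUST carry the original Session-Id."""
        aar = {"Session-Id": self.session_id, "Auth-Application-Id": 1,
               "Auth-Request-Type": AUTHORIZE_AUTHENTICATE, "User-Name": user_name, **auth_avps}
        self.sent.append(("AAR", aar))
        return aar

    def on_rar(self, rar, user_name, auth_avps):
        """Server-initiated Re-Auth-Request: always answer with an RAA; for
        AUTHORIZE_AUTHENTICATE also send a fresh AAR on the same Session-Id."""
        if rar["Session-Id"] != self.session_id or not self.active:
            raa = {"Session-Id": rar["Session-Id"], "Result-Code": DIAMETER_UNKNOWN_SESSION_ID}
            self.sent.append(("RAA", raa))
            return raa
        raa = {"Session-Id": self.session_id, "Result-Code": DIAMETER_SUCCESS}
        self.sent.append(("RAA", raa))
        if rar["Re-Auth-Request-Type"] == RAR_AUTHORIZE_ONLY:
            self.service.update({k: v for k, v in rar.items() if k in SERVICE_AVPS})
            self._account(INTERIM_RECORD, **self.service)
        else:
            self.build_aar(user_name, auth_avps)
        return raa

    def terminate(self, termination_cause):
        """Local disconnect or ASR: send an STR and, if accounting, a STOP record."""
        if not self.active:
            return None                  # no active session: nothing to free, no STR
        self.active = False
        str_msg = {"Session-Id": self.session_id, "Termination-Cause": termination_cause}
        self.sent.append(("STR", str_msg))
        self._account(STOP_RECORD, Termination_Cause=termination_cause, **self.service)
        return str_msg
```

   The point a reviewer would look for is that every transition the
   draft makes mandatory is unconditional in the code: the Session-Id
   of any reauthentication AAR is fixed at construction, an RAA is
   returned for every RAR whether or not the session is known, and an
   accounting record is emitted for each start, change and stop.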
   If accounting is active, every change of authentication or
   authorization MUST generate an Accounting-Record-Type of
   INTERIM_RECORD indicating the new session attributes and cumulative
   status.

2.3. Diameter Session Termination

   When a NAS receives an indication that a user's session is being
   disconnected (e.g. LCP Terminate is received), the NAS MUST issue a
   Session-Termination-Request (STR) [Base] to its Diameter Server. This
   will ensure that any resources maintained on the servers are freed
   appropriately.

   Further, a NAS that receives an Abort-Session-Request (ASR) [Base]
   MUST issue an STR if the session requested is active, and disconnect
   the PPP (or tunneling) session.

   Termination of the session context MUST cause the sending of
   an Accounting STOP_RECORD message [Base], if accounting is active.

   More information on Diameter Session Termination is in [Base] section
   8.4.

3. NAS Messages

   This section defines new Diameter message Command-Code [Base] values
   that MUST be supported by all Diameter implementations that conform
   to this specification. The Command Codes are:

   Command-Name          Abbrev.    Code       Reference
   --------------------------------------------------------
   AA-Request            AAR        265        3.1
   AA-Answer             AAA        265        3.2

3.1. AA-Request (AAR) Command

   The AA-Request message (AAR), indicated by the Command-Code field set
   to 265 and the 'R' bit set in the Command Flags field, is used in
   order to request authentication and/or authorization for a given NAS
   user. The type of request is identified through the Auth-Request-Type
   AVP [Base]. The recommended value for most RADIUS interoperability
   situations is AUTHORIZE_AUTHENTICATE.

   If Authentication is requested, the User-Name attribute SHOULD be
   present, as well as any additional authentication AVPs that would
   carry the password information. A request for authorization only
   SHOULD include the information from which the authorization will be
   performed, such as the User-Name, Called-Station-Id, or Calling-
   Station-Id AVPs. All requests SHOULD contain AVPs uniquely
   identifying the source of the call, such as Origin-Host and NAS-
   Port. Certain networks MAY use different AVPs for authorization
   purposes. A request for authorization will include some AVPs defined
   in section 6.

   It is possible for a single session to be authorized first, then
   followed by an authentication request.

   This AA-Request message MAY be the result of a multi-round
   authentication exchange, which occurs when the AA-Answer message is
   received with the Result-Code AVP set to DIAMETER_MULTI_ROUND_AUTH. A
   subsequent AAR message SHOULD be sent, with the User-Password AVP
   that includes the user's response to the prompt, and MUST include any
   State AVPs that were present in the AAA message.

   Message Format

      <AA-Request> ::= < Diameter Header: 265, REQ, PXY >
                       < Session-Id >
                       { Auth-Application-Id }
                       { Origin-Host }
                       { Origin-Realm }
                       { Destination-Realm }
                       { Auth-Request-Type }
                       [ NAS-Port ]
                       [ NAS-Port-Id ]
                       [ Origin-State-Id ]
                       [ Destination-Host ]
                       [ NAS-Identifier ]
                       [ NAS-IP-Address ]
                       [ NAS-IPv6-Address ]
                       [ NAS-Port-Type ]
                       [ Port-Limit ]
                       [ User-Name ]
                       [ User-Password ]
                       [ Service-Type ]
                       [ State ]
                       [ Authorization-Lifetime ]
                       [ Auth-Grace-Period ]
                       [ Auth-Session-State ]
                       [ Callback-Number ]
                       [ Called-Station-Id ]
                       [ Calling-Station-Id ]
                       [ Originating-Line-Info ]
                       [ Connect-Info ]
                       [ CHAP-Auth ]
                       [ CHAP-Challenge ]
                     * [ Framed-Compression ]
                       [ Framed-Interface-Id ]
                       [ Framed-IP-Address ]
                     * [ Framed-IPv6-Prefix ]
                       [ Framed-IP-Netmask ]
                       [ Framed-MTU ]
                       [ Framed-Protocol ]
                       [ ARAP-Password ]
                       [ ARAP-Security ]
                     * [ ARAP-Security-Data ]
                     * [ Login-IP-Host ]
                     * [ Login-IPv6-Host ]
                       [ Login-LAT-Group ]
                       [ Login-LAT-Node ]
                       [ Login-LAT-Port ]
                       [ Login-LAT-Service ]
                     * [ Tunneling ]
                     * [ Proxy-Info ]
                     * [ Route-Record ]
                     * [ AVP ]

3.2. AA-Answer (AAA) Command

   The AA-Answer (AAA) message, indicated by the Command-Code field set
   to 265 and the 'R' bit cleared in the Command Flags field, is sent in
   response to the AA-Request message. If authorization was requested, a
   successful response will include the authorization AVPs appropriate
   for the service being provided, as defined in section 6.

   For authentication exchanges that require more than a single round
   trip, the server MUST set the Result-Code AVP to
   DIAMETER_MULTI_ROUND_AUTH. An AAA message with this result code MAY
   include one or more Reply-Message AVPs and MAY include zero or one
   State AVP.

   If the Reply-Message AVP was present, the network access server
   SHOULD send the text to the user's client for display to the user,
   instructing it to prompt the user for a response. For example, this
   capability can be achieved in PPP via PAP. If the access client is
   unable to prompt the user for a new response, it MUST treat the AA-
   Answer with the Reply-Message AVP as an error, and deny access.
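   The multi-round exchange described in 3.1 and 3.2 is easiest to see
   with both sides written out. The following is an added example, not
   code from the draft or from any Diameter implementation, working at
   the level of AVP dictionaries rather than wire encoding. The Server
   and nas_login names, the prompt callback, the HMAC-derived State
   token and the one-time code table are this example's own
   assumptions; the Result-Code and Auth-Request-Type values are those
   of RFC 3588.

```python
"""Added example, not part of the draft: one multi-round AAR/AAA exchange
between a NAS and a Diameter server at the AVP-dictionary level. The
server side binds its State AVP to the session with an HMAC so that a
second-round AAR can be checked for the echoed State without server-side
storage; names and the one-time code table are constructed for the example."""
import hashlib
import hmac
import secrets

DIAMETER_MULTI_ROUND_AUTH = 1001
DIAMETER_SUCCESS = 2001
DIAMETER_AUTHENTICATION_REJECTED = 4001
DIAMETER_UNABLE_TO_COMPLY = 5012
AUTHORIZE_AUTHENTICATE = 3            # Auth-Request-Type value, RFC 3588 section 8.7


class Server:
    """Server side: round one issues a prompt, round two checks the answer."""

    def __init__(self, codes, state_key=None):
        self.codes = codes                                   # user -> expected one-time code
        self.key = state_key or secrets.token_bytes(32)      # key for the State MAC

    def _state(self, session_id, user):
        # Opaque to the NAS; ties the pending prompt to this Session-Id and user.
        return hmac.new(self.key, f"{session_id}|{user}".encode(), hashlib.sha256).digest()

    def handle_aar(self, aar):
        sid, user = aar["Session-Id"], aar["User-Name"]
        answer = {"Session-Id": sid, "Auth-Application-Id": 1,
                  "Auth-Request-Type": aar["Auth-Request-Type"]}
        if aar["Auth-Request-Type"] != AUTHORIZE_AUTHENTICATE:
            answer["Result-Code"] = DIAMETER_UNABLE_TO_COMPLY
            return answer
        if "State" not in aar:                               # round one: ask for the code
            answer.update({"Result-Code": DIAMETER_MULTI_ROUND_AUTH,
                           "Reply-Message": ["Enter the code from your token:"],
                           "State": self._state(sid, user)})
            return answer
        if not hmac.compare_digest(aar["State"], self._state(sid, user)):
            answer["Result-Code"] = DIAMETER_AUTHENTICATION_REJECTED   # State not ours
            return answer
        ok = hmac.compare_digest(aar.get("User-Password", b""), self.codes.get(user, b"\x00"))
        answer["Result-Code"] = DIAMETER_SUCCESS if ok else DIAMETER_AUTHENTICATION_REJECTED
        if ok:
            answer["Session-Timeout"] = 3600
        return answer


def nas_login(server, session_id, user, first_password, prompt=None, max_rounds=3):
    """NAS side. `prompt(text)` shows the Reply-Message text and returns the user's
    reply; a NAS that cannot prompt (prompt=None) must treat such an answer as an
    error and deny access. Returns (access_granted, [(AAR, AAA), ...])."""
    aar = {"Session-Id": session_id, "Auth-Application-Id": 1,
           "Origin-Host": "nas.example.net", "Origin-Realm": "example.net",
           "Destination-Realm": "example.net", "Auth-Request-Type": AUTHORIZE_AUTHENTICATE,
           "User-Name": user, "User-Password": first_password}
    transcript = []
    for _ in range(max_rounds):
        aaa = server.handle_aar(aar)
        transcript.append((dict(aar), dict(aaa)))
        if aaa["Result-Code"] != DIAMETER_MULTI_ROUND_AUTH:
            return aaa["Result-Code"] == DIAMETER_SUCCESS, transcript
        if prompt is None:
            return False, transcript                          # cannot prompt: deny access
        reply = prompt("\n".join(aaa.get("Reply-Message", [])))
        # Next round: same Session-Id, new User-Password, every State AVP copied back.
        aar = {**aar, "User-Password": reply}
        aar.pop("State", None)
        if "State" in aaa:
            aar["State"] = aaa["State"]
    return False, transcript                                  # round limit reached
```

   The NAS never interprets State; it only copies it. Because the
   server recomputes the expected State from the Session-Id it sees,
   a second-round AAR that was moved to a different session, or whose
   State was altered, is rejected before the password is examined.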
481 Message Format 483 ::= < Diameter Header: 265, PXY > 484 < Session-Id > 485 { Auth-Application-Id } 486 { Auth-Request-Type } 487 { Result-Code } 488 { Origin-Host } 489 { Origin-Realm } 490 [ User-Name ] 491 [ Service-Type ] 492 * [ Class ] 493 * [ Configuration-Token ] 494 [ Acct-Interim-Interval ] 495 [ Error-Message ] 496 [ Error-Reporting-Host ] 497 [ Idle-Timeout ] 498 [ Authorization-Lifetime ] 499 [ Auth-Grace-Period ] 500 [ Auth-Session-State ] 501 [ Re-Auth-Request-Type ] 502 [ Session-Timeout ] 503 [ State ] 504 * [ Reply-Message ] 505 [ Origin-State-Id ] 506 * [ Filter-Id ] 507 [ Password-Retry ] 508 [ Port-Limit ] 509 [ Prompt ] 510 [ ARAP-Challenge-Response ] 511 [ ARAP-Features ] 512 [ ARAP-Security ] 513 * [ ARAP-Security-Data ] 514 [ ARAP-Zone-Access ] 515 [ Callback-Id ] 516 [ Callback-Number ] 517 [ Framed-Appletalk-Link ] 518 * [ Framed-Appletalk-Network ] 519 [ Framed-Appletalk-Zone ] 521 * [ Framed-Compression ] 522 [ Framed-Interface-Id ] 523 [ Framed-IP-Address ] 524 * [ Framed-IPv6-Prefix ] 525 [ Framed-IPv6-Pool ] 526 * [ Framed-IPv6-Route ] 527 [ Framed-IP-Netmask ] 528 * [ Framed-Route ] 529 [ Framed-Pool ] 530 [ Framed-IPX-Network ] 531 [ Framed-MTU ] 532 [ Framed-Protocol ] 533 [ Framed-Routing ] 534 * [ Login-IP-Host ] 535 * [ Login-IPv6-Host ] 536 [ Login-LAT-Group ] 537 [ Login-LAT-Node ] 538 [ Login-LAT-Port ] 539 [ Login-LAT-Service ] 540 [ Login-Service ] 541 [ Login-TCP-Port ] 542 * [ NAS-Filter-Rule ] 543 * [ Tunneling ] 544 * [ Redirect-Host ] 545 [ Redirect-Host-Usage ] 546 [ Redirect-Max-Cache-Time ] 547 * [ Proxy-Info ] 548 * [ AVP ] 550 4. NAS Session AVPs 552 Diameter reserves the AVP Codes 0-255 for RADIUS functions that are 553 implemented in Diameter. 555 AVPs new to Diameter have code values 256 and greater. 
   A Diameter message that includes one of these AVPs may represent
   functions not present in the RADIUS environment and may cause
   interoperability issues should the request traverse an AAA system
   that only supports the RADIUS protocol.

   There are some RADIUS attributes that are not allowed or supported
   directly in Diameter.  See section 9 below for more information.

4.1. Call and Session Information

   This section contains the AVPs specific to NAS Diameter applications
   that are needed to identify the call and session context and status
   information.  On a request, this information allows the server to
   qualify the session.

   These AVPs are used in addition to the Base AVPs of:
      Session-Id
      Auth-Application-Id
      Origin-Host
      Origin-Realm
      Auth-Request-Type

   The following table describes the Session level AVPs, their AVP Code
   values, types, possible flag values and whether the AVP MAY be
   encrypted.

                                            +---------------------+
                                            |    AVP Flag rules   |
                                            |----+-----+----+-----|----+
                    AVP  Section            |    |     |SHLD| MUST|    |
   Attribute Name   Code Defined Value Type |MUST| MAY | NOT|  NOT|Encr|
   -----------------------------------------|----+-----+----+-----|----|
   NAS-Port           5  4.2    Unsigned32  | M  |  P  |    |  V  | Y  |
   NAS-Port-Id       87  4.3    UTF8String  | M  |  P  |    |  V  | Y  |
   NAS-Port-Type     61  4.4    Enumerated  | M  |  P  |    |  V  | Y  |
   Called-Station-Id 30  4.5    UTF8String  | M  |  P  |    |  V  | Y  |
   Calling-Station-  31  4.6    UTF8String  | M  |  P  |    |  V  | Y  |
     Id                                     |    |     |    |     |    |
   Connect-Info      77  4.7    UTF8String  | M  |  P  |    |  V  | Y  |
   Originating-Line- 94  4.8    OctetString |    | M,P |    |  V  | Y  |
     Info                                   |    |     |    |     |    |
   Reply-Message     18  4.9    UTF8String  | M  |  P  |    |  V  | Y  |
   Termination-      29  4.10   Enumerated  | M  |  P  |    |  V  | Y  |
     Action                                 |    |     |    |     |    |
   -----------------------------------------|----+-----+----+-----|----|

4.2. NAS-Port AVP

   The NAS-Port AVP (AVP Code 5) is of type Unsigned32 and contains the
   physical or virtual port number of the NAS which is authenticating
   the user.  Note that this is using "port" in its sense of a service
   connection on the NAS, not in the sense of an IP protocol identifier.

   Either NAS-Port or NAS-Port-Id (AVP Code 87) SHOULD be present in AA-
   Request commands if the NAS differentiates among its ports.

4.3. NAS-Port-Id AVP

   The NAS-Port-Id AVP (AVP Code 87) is of type UTF8String and consists
   of ASCII text that identifies the port of the NAS which is
   authenticating the user.  Note that this is using "port" in its sense
   of a service connection on the NAS, not in the sense of an IP
   protocol identifier.

   Either NAS-Port or NAS-Port-Id SHOULD be present in AA-Request
   commands if the NAS differentiates among its ports.  NAS-Port-Id is
   intended for use by NASes which cannot conveniently number their
   ports.

4.4. NAS-Port-Type AVP

   The NAS-Port-Type AVP (AVP Code 61) is of type Enumerated and
   contains the type of the port on which the NAS is authenticating the
   user.  This AVP SHOULD be present if the NAS uses the same NAS-Port
   number ranges for different service types concurrently.

   The supported values are defined in [RADIUSTypes].
   The following list is informational:

       0  Async
       1  Sync
       2  ISDN Sync
       3  ISDN Async V.120
       4  ISDN Async V.110
       5  Virtual
       6  PIAFS
       7  HDLC Clear Channel
       8  X.25
       9  X.75
      10  G.3 Fax
      11  SDSL - Symmetric DSL
      12  ADSL-CAP - Asymmetric DSL, Carrierless Amplitude Phase
          Modulation
      13  ADSL-DMT - Asymmetric DSL, Discrete Multi-Tone
      14  IDSL - ISDN Digital Subscriber Line
      15  Ethernet
      16  xDSL - Digital Subscriber Line of unknown type
      17  Cable
      18  Wireless - Other
      19  Wireless - IEEE 802.11
      20  Token-Ring [RAD802.1X]
      21  FDDI [RAD802.1X]
      22  Wireless - CDMA2000
      23  Wireless - UMTS
      24  Wireless - 1X-EV
      25  IAPP [IEEE 802.11f]

4.5. Called-Station-Id AVP

   The Called-Station-Id AVP (AVP Code 30) is of type UTF8String, and
   allows the NAS to send in the request the ASCII string describing the
   layer 2 address that the user contacted.  For dialup access, this can
   be a phone number, obtained using Dialed Number Identification (DNIS)
   or a similar technology.  Note that this may be different from the
   phone number the call comes in on.  For use with IEEE 802 access, the
   Called-Station-Id MAY contain a MAC address, formatted as described
   in [RAD802.1X].  It SHOULD only be present in authentication and/or
   authorization requests.

   If the Auth-Request-Type AVP is set to authorization-only and the
   User-Name AVP is absent, the Diameter Server MAY perform
   authorization based on this field.  This can be used by a NAS to
   request whether a call should be answered based on the DNIS.

   The codification of the range of allowed usage of this field is
   outside the scope of this specification.

4.6. Calling-Station-Id AVP

   The Calling-Station-Id AVP (AVP Code 31) is of type UTF8String, and
   allows the NAS to send in the request the ASCII string describing the
   layer 2 address that the user connected from.
   For dialup access, this is the phone number that the call came from,
   using Automatic Number Identification (ANI) or a similar technology.
   For use with IEEE 802 access, the Calling-Station-Id AVP MAY contain
   a MAC address, formatted as described in [RAD802.1X].  It SHOULD only
   be present in authentication and/or authorization requests.

   If the Auth-Request-Type AVP is set to authorization-only and the
   User-Name AVP is absent, the Diameter Server MAY perform
   authorization based on this field.  This can be used by a NAS to
   request whether a call should be answered based on the layer 2
   address (ANI, MAC Address, etc.).

   The codification of the range of allowed usage of this field is
   outside the scope of this specification.

4.7. Connect-Info AVP

   The Connect-Info AVP (AVP Code 77) is of type UTF8String and is sent
   in the AA-Request message or ACR STOP message.  When sent in the
   Access-Request it indicates the nature of the user's connection.  The
   connection speed SHOULD be included at the beginning of the first
   Connect-Info AVP in the message.  If the transmit and receive
   connection speeds differ, they may both be included in the first AVP
   with the transmit speed first (the speed the NAS modem transmits at),
   a slash (/), the receive speed, then optionally other information.

   For example, "28800 V42BIS/LAPM" or "52000/31200 V90".

   More than one Connect-Info attribute may be present in an Accounting-
   Request packet to accommodate expected efforts by ITU to have modems
   report more connection information in a standard format that might
   exceed 252 octets.

   If sent in the ACR STOP, this attribute may be used to summarize
   statistics relating to session quality.  For example, in IEEE 802.11,
   the Connect-Info attribute may contain information on the number of
   link layer retransmissions.  The exact format of this attribute is
   implementation specific.

4.8. Originating-Line-Info AVP

   The Originating-Line-Info AVP (AVP Code 94) is of type OctetString
   and is sent by the NAS system to convey information about the origin
   of the call from an SS7 system.

   The originating line information (OLI) information element indicates
   the nature and/or characteristics of the line from which a call
   originated (e.g. payphone, hotel, cellular).  Telephone companies are
   starting to offer OLI to their customers as an option over Primary
   Rate Interface (PRI).  Internet Service Providers (ISPs) can use OLI
   in addition to Called-Station-Id and Calling-Station-Id attributes to
   differentiate customer calls and define different services.

   The Value field contains two octets (00-99).  ANSI T1.113 and BELLCORE
   394 can be used for additional information about those values and
   their use.  For more information on current assignment values see
   [ANITypes].

   Value    Description
   ------------------------------------------------------------
     00     Plain Old Telephone Service (POTS)
     01     Multiparty line (more than 2)
     02     ANI Failure
     03     ANI Observed
     04     ONI Observed
     05     ANI Failure Observed
     06     Station Level Rating
     07     Special Operator Handling Required
     08     InterLATA Restricted
     10     Test Call
     20     Automatic Identified Outward Dialing (AIOD)
     23     Coin or Non-Coin
     24     Toll Free Service (Non-Pay origination)
     25     Toll Free Service (Pay origination)
     27     Toll Free Service (Coin Control origination)
     29     Prison/Inmate Service
   30-32    Intercept
     30       Intercept (blank)
     31       Intercept (trouble)
     32       Intercept (regular)
     34     Telco Operator Handled Call
   40-49    Unrestricted Use
     52     Outward Wide Area Telecommunications Service (OUTWATS)
     60     Telecommunications Relay Service (TRS) (Unrestricted)
     61     Cellular/Wireless PCS (Type 1)
     62     Cellular/Wireless PCS (Type 2)
     63     Cellular/Wireless PCS (Roaming)
     66     TRS (Hotel)
     67     TRS (Restricted)
     70     Pay Station, No coin control
     93     Access for private virtual network service

4.9. Reply-Message AVP

   The Reply-Message AVP (AVP Code 18) is of type UTF8String, and
   contains text which MAY be displayed to the user.  When used in an
   AA-Answer message with a successful Result-Code AVP it indicates a
   success message.  When found in the same message with a Result-Code
   other than DIAMETER_SUCCESS it contains a failure message.

   The Reply-Message AVP MAY indicate a dialog message to prompt the
   user before another AA-Request attempt.  When used in an AA-Answer, it
   MAY indicate a dialog message to prompt the user for a response.

   Multiple Reply-Message AVPs MAY be included and if any are displayed,
   they MUST be displayed in the same order as they appear in the
   message.

5. NAS Authentication AVPs

   This section defines the AVPs that are necessary to carry the
   authentication information in the Diameter protocol.  The
   functionality defined here provides a RADIUS-like AAA service, over a
   more reliable and secure transport, as defined in the base protocol
   [Base].

   The following table describes the AVPs, their AVP Code values, types,
   possible flag values and whether the AVP MAY be encrypted.
                                            +---------------------+
                                            |    AVP Flag rules   |
                                            |----+-----+----+-----|----+
                    AVP  Section            |    |     |SHLD| MUST|    |
   Attribute Name   Code Defined Value Type |MUST| MAY | NOT|  NOT|Encr|
   -----------------------------------------|----+-----+----+-----|----|
   User-Password      2  5.1    OctetString | M  |  P  |    |  V  | Y  |
   Password-Retry    75  5.2    Unsigned32  | M  |  P  |    |  V  | Y  |
   Prompt            76  5.3    Enumerated  | M  |  P  |    |  V  | Y  |
   CHAP-Auth        402  5.4    Grouped     | M  |  P  |    |  V  | Y  |
   CHAP-Algorithm   403  5.5    Enumerated  | M  |  P  |    |  V  | Y  |
   CHAP-Ident       404  5.6    OctetString | M  |  P  |    |  V  | Y  |
   CHAP-Response    405  5.7    OctetString | M  |  P  |    |  V  | Y  |
   CHAP-Challenge    60  5.8    OctetString | M  |  P  |    |  V  | Y  |
   ARAP-Password     70  5.9    OctetString | M  |  P  |    |  V  | Y  |
   ARAP-Challenge-   84  5.10   OctetString | M  |  P  |    |  V  | Y  |
     Response                               |    |     |    |     |    |
   ARAP-Security     73  5.11   Unsigned32  | M  |  P  |    |  V  | Y  |
   ARAP-Security-    74  5.12   OctetString | M  |  P  |    |  V  | Y  |
     Data                                   |    |     |    |     |    |
   -----------------------------------------|----+-----+----+-----|----|

5.1. User-Password AVP

   The User-Password AVP (AVP Code 2) is of type OctetString and
   contains the password of the user to be authenticated, or the user's
   input in a multi-round authentication exchange.

   The User-Password AVP contains a user password or one-time password
   and therefore represents sensitive information.  As required in
   [Base], Diameter messages are encrypted using IPsec or TLS.  Unless
   this AVP is used for one-time passwords, the User-Password AVP SHOULD
   NOT be used in untrusted proxy environments without encrypting it
   using end-to-end security techniques, such as CMS Security [DiamCMS].

   The clear-text password (prior to encryption) MUST NOT be longer than
   128 bytes in length.

5.2. Password-Retry AVP

   The Password-Retry AVP (AVP Code 75) is of type Unsigned32 and MAY be
   included in the AA-Answer if the Result-Code indicates an
   authentication failure.
   The value of this AVP indicates how many authentication attempts a
   user may be permitted before being disconnected.  This AVP is
   primarily intended for use when the Framed-Protocol AVP (see Section
   6.9.1) is set to ARAP.

5.3. Prompt AVP

   The Prompt AVP (AVP Code 76) is of type Enumerated, and MAY be
   present in the AA-Answer message.  When present, it is used by the NAS
   to determine whether the user's response, when entered, should be
   echoed.

   The supported values are listed in [RADIUSTypes].  The following list
   is informational:

      0  No Echo
      1  Echo

5.4. CHAP-Auth AVP

   The CHAP-Auth AVP (AVP Code 402) is of type Grouped and contains the
   information necessary to authenticate a user using the PPP Challenge-
   Handshake Authentication Protocol (CHAP) [PPPCHAP].  If the CHAP-Auth
   AVP is found in a message, the CHAP-Challenge AVP MUST be present as
   well.  The optional AVPs containing the CHAP response depend upon the
   value of the CHAP-Algorithm AVP.  The grouped AVP has the following
   ABNF grammar:

      CHAP-Auth  ::= < AVP Header: 402 >
                     { CHAP-Algorithm }
                     { CHAP-Ident }
                     [ CHAP-Response ]
                   * [ AVP ]

5.5. CHAP-Algorithm AVP

   The CHAP-Algorithm AVP (AVP Code 403) is of type Enumerated and
   contains the algorithm identifier used in the computation of the CHAP
   response [PPPCHAP].  The following values are currently supported:

   CHAP with MD5       5
      The CHAP response is computed using the procedure described in
      [PPPCHAP].  This algorithm requires that CHAP-Response AVP MUST
      be present in the CHAP-Auth AVP.

5.6. CHAP-Ident AVP

   The CHAP-Ident AVP (AVP Code 404) is of type OctetString and contains
   the one octet CHAP Identifier used in the computation of the CHAP
   response [PPPCHAP].

5.7. CHAP-Response AVP

   The CHAP-Response AVP (AVP Code 405) is of type OctetString and
   contains the 16 octet authentication data provided by the user in
   response to the CHAP challenge [PPPCHAP].

5.8. CHAP-Challenge AVP

   The CHAP-Challenge AVP (AVP Code 60) is of type OctetString and
   contains the CHAP Challenge sent by the NAS to the CHAP peer
   [PPPCHAP].

5.9. ARAP-Password AVP

   The ARAP-Password AVP (AVP Code 70) is of type OctetString and is
   only present when the Framed-Protocol AVP (see Section 6.9.1) is
   included in the message and is set to ARAP.  This AVP MUST NOT be
   present if either the User-Password or the CHAP-Auth AVP is present.
   See [RADIUSExt] for more information on the contents of this AVP.

5.10. ARAP-Challenge-Response AVP

   The ARAP-Challenge-Response AVP (AVP Code 84) is of type OctetString
   and is only present when the Framed-Protocol AVP (see Section 6.9.1)
   is included in the message and is set to ARAP.  This AVP contains an 8
   octet response to the dial-in client's challenge.  The RADIUS server
   calculates this value by taking the dial-in client's challenge from
   the high order 8 octets of the ARAP-Password AVP and performing DES
   encryption on this value with the authenticating user's password as
   the key.  If the user's password is less than 8 octets in length, the
   password is padded at the end with NULL octets to a length of 8
   before using it as a key.

5.11. ARAP-Security AVP

   The ARAP-Security AVP (AVP Code 73) is of type Unsigned32, and MAY be
   present in the AA-Answer message if the Framed-Protocol AVP (see
   Section 6.9.1) is set to the value of ARAP, and the Result-Code AVP
   is set to DIAMETER_MULTI_ROUND_AUTH.  See [RADIUSExt] for more
   information on the format of this AVP.

5.12. ARAP-Security-Data AVP

   The ARAP-Security-Data AVP (AVP Code 74) is of type OctetString, and
   MAY be present in the AA-Request or AA-Answer message if the Framed-
   Protocol AVP is set to the value of ARAP, and the Result-Code AVP is
   set to DIAMETER_MULTI_ROUND_AUTH.  This AVP contains the security
   module challenge or response associated with the ARAP Security Module
   specified in ARAP-Security.

6. NAS Authorization AVPs

   This section contains the authorization AVPs that are supported in
   the NAS Application.  The Service-Type AVP SHOULD be present in all
   messages, and based on its value, additional AVPs defined in this
   section and section 7 MAY be present.

   Due to space constraints, the short form IPFiltrRule is used to
   represent IPFilterRule.

                                            +---------------------+
                                            |    AVP Flag rules   |
                                            |----+-----+----+-----|----+
                    AVP  Section            |    |     |SHLD| MUST|    |
   Attribute Name   Code Defined Value Type |MUST| MAY | NOT|  NOT|Encr|
   -----------------------------------------|----+-----+----+-----|----|
   Service-Type       6  6.1    Enumerated  | M  |  P  |    |  V  | Y  |
   Callback-Number   19  6.2    UTF8String  | M  |  P  |    |  V  | Y  |
   Callback-Id       20  6.3    UTF8String  | M  |  P  |    |  V  | Y  |
   Idle-Timeout      28  6.4    Unsigned32  | M  |  P  |    |  V  | Y  |
   Port-Limit        62  6.5    Unsigned32  | M  |  P  |    |  V  | Y  |
   NAS-Filter-Rule  400  6.6    IPFiltrRule | M  |  P  |    |  V  | Y  |
   Filter-Id         11  6.7    UTF8String  | M  |  P  |    |  V  | Y  |
   Configuration-    78  6.8    OctetString | M  |     |    | P,V |    |
     Token                                  |    |     |    |     |    |
   Framed-Protocol    7  6.9.1  Enumerated  | M  |  P  |    |  V  | Y  |
   Framed-Routing    10  6.9.2  Enumerated  | M  |  P  |    |  V  | Y  |
   Framed-MTU        12  6.9.3  Unsigned32  | M  |  P  |    |  V  | Y  |
   Framed-           13  6.9.4  Enumerated  | M  |  P  |    |  V  | Y  |
     Compression                            |    |     |    |     |    |
   Framed-IP-Address  8  6.10.1 OctetString | M  |  P  |    |  V  | Y  |
   Framed-IP-Netmask  9  6.10.2 OctetString | M  |  P  |    |  V  | Y  |
   Framed-Route      22  6.10.3 UTF8String  | M  |  P  |    |  V  | Y  |
   Framed-Pool       88  6.10.4 OctetString | M  |  P  |    |  V  | Y  |
   Framed-           96  6.10.5 Unsigned64  | M  |  P  |    |  V  | Y  |
     Interface-Id                           |    |     |    |     |    |
   Framed-IPv6-      97  6.10.6 OctetString | M  |  P  |    |  V  | Y  |
     Prefix                                 |    |     |    |     |    |
   Framed-IPv6-Route 99  6.10.7 UTF8String  | M  |  P  |    |  V  | Y  |
   Framed-IPv6-Pool 100  6.10.8 OctetString | M  |  P  |    |  V  | Y  |
   Framed-IPX-       23  6.11.1 UTF8String  | M  |  P  |    |  V  | Y  |
     Network                                |    |     |    |     |    |
   Framed-Appletalk- 37  6.12.1 Unsigned32  | M  |  P  |    |  V  | Y  |
     Link                                   |    |     |    |     |    |
   Framed-Appletalk- 38  6.12.2 Unsigned32  | M  |  P  |    |  V  | Y  |
     Network                                |    |     |    |     |    |
   Framed-Appletalk- 39  6.12.3 OctetString | M  |  P  |    |  V  | Y  |
     Zone                                   |    |     |    |     |    |
   ARAP-Features     71  6.13.1 OctetString | M  |  P  |    |  V  | Y  |
   ARAP-Zone-Access  72  6.13.2 Enumerated  | M  |  P  |    |  V  | Y  |
   Login-IP-Host     14  6.14.1 OctetString | M  |  P  |    |  V  | Y  |
   Login-IPv6-Host   98  6.14.2 OctetString | M  |  P  |    |  V  | Y  |
   Login-Service     15  6.14.3 Enumerated  | M  |  P  |    |  V  | Y  |
   Login-TCP-Port    16  6.15.1 Unsigned32  | M  |  P  |    |  V  | Y  |
   Login-LAT-Service 34  6.16.1 OctetString | M  |  P  |    |  V  | Y  |
   Login-LAT-Node    35  6.16.2 OctetString | M  |  P  |    |  V  | Y  |
   Login-LAT-Group   36  6.16.3 OctetString | M  |  P  |    |  V  | Y  |
   Login-LAT-Port    63  6.16.4 OctetString | M  |  P  |    |  V  | Y  |
   -----------------------------------------|----+-----+----+-----|----|

6.1. Service-Type AVP

   The Service-Type AVP (AVP Code 6) is of type Enumerated and contains
   the type of service the user has requested, or the type of service to
   be provided.  One such AVP MAY be present in an authentication and/or
   authorization request or response.  A NAS is not required to implement
   all of these service types, and MUST treat unknown or unsupported
   Service-Types as a failure, and end the session with a
   DIAMETER_INVALID_AVP_VALUE Result-Code.
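   The checks that sections 5.4 through 5.8 above impose on a CHAP-Auth
   grouped AVP, as an added example that is not part of this draft: a
   Diameter server validating the CHAP AVPs of an AA-Request.  It assumes
   the AVP header layout and Result-Code values of the base protocol
   [Base] and the CHAP with MD5 computation of [PPPCHAP]; the secret,
   challenge and identifier are constructed sample values.

```python
"""Server-side checks for a CHAP-Auth exchange carried in Diameter AVPs."""
import hashlib
import hmac
import struct

# Result-Code values are taken from the Diameter base protocol [Base].
DIAMETER_SUCCESS = 2001
DIAMETER_INVALID_AVP_BITS = 3009
DIAMETER_AUTHENTICATION_REJECTED = 4001
DIAMETER_INVALID_AVP_VALUE = 5004
DIAMETER_MISSING_AVP = 5005
DIAMETER_INVALID_AVP_LENGTH = 5014

# AVP Codes from the section 5 table; the CHAP-Algorithm value is from 5.5.
CHAP_CHALLENGE, CHAP_AUTH, CHAP_ALGORITHM, CHAP_IDENT, CHAP_RESPONSE = (
    60, 402, 403, 404, 405)
CHAP_WITH_MD5 = 5

# AVP header flag bits from the base protocol: V (vendor), M (mandatory), P.
FLAG_V, FLAG_M, FLAG_P = 0x80, 0x40, 0x20


def encode_avp(code, data, flags=FLAG_M):
    """Encode one AVP: 4-octet code, 1-octet flags, 3-octet length, data."""
    length = 8 + len(data)  # AVP Length covers header and data, not padding
    header = struct.pack("!I", code) + bytes([flags]) + length.to_bytes(3, "big")
    return header + data + b"\x00" * (-len(data) % 4)  # pad to 4 octets


def decode_avps(buf):
    """Return a list of (code, flags, data) for the AVPs packed in buf."""
    avps, off = [], 0
    while off < len(buf):
        if off + 8 > len(buf):
            raise ValueError("truncated AVP header")
        code = struct.unpack("!I", buf[off:off + 4])[0]
        flags = buf[off + 4]
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr = 12 if flags & FLAG_V else 8  # V flag adds a 4-octet Vendor-Id
        if length < hdr or off + length > len(buf):
            raise ValueError("bad AVP length")
        avps.append((code, flags, buf[off + hdr:off + length]))
        off += length + (-length % 4)  # step over padding to the next AVP
    return avps


def chap_md5_response(ident, secret, challenge):
    """CHAP with MD5 [PPPCHAP]: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(ident + secret + challenge).digest()


def verify_chap_auth(request_avps, secret):
    """Validate the CHAP AVPs of an AA-Request and return a Result-Code.

    request_avps: encoded AVPs of the request (only CHAP ones are used).
    secret: the user's password as the server knows it.
    """
    top = {code: (flags, data) for code, flags, data in decode_avps(request_avps)}
    if CHAP_AUTH not in top:
        return DIAMETER_MISSING_AVP
    if CHAP_CHALLENGE not in top:  # 5.4: CHAP-Challenge MUST accompany CHAP-Auth
        return DIAMETER_MISSING_AVP
    members = {c: (f, d) for c, f, d in decode_avps(top[CHAP_AUTH][1])}
    # Flag rules from the section 5 table: M MUST be set and V MUST NOT be.
    for flags, _ in list(top.values()) + list(members.values()):
        if flags & FLAG_V or not flags & FLAG_M:
            return DIAMETER_INVALID_AVP_BITS
    if CHAP_ALGORITHM not in members or CHAP_IDENT not in members:
        return DIAMETER_MISSING_AVP  # both are mandatory members of CHAP-Auth
    algorithm = members[CHAP_ALGORITHM][1]
    if len(algorithm) != 4 or struct.unpack("!I", algorithm)[0] != CHAP_WITH_MD5:
        return DIAMETER_INVALID_AVP_VALUE  # only "CHAP with MD5" (5) is defined
    if CHAP_RESPONSE not in members:
        return DIAMETER_MISSING_AVP  # 5.5: CHAP with MD5 requires CHAP-Response
    ident, response = members[CHAP_IDENT][1], members[CHAP_RESPONSE][1]
    if len(ident) != 1 or len(response) != 16:  # lengths fixed by 5.6 and 5.7
        return DIAMETER_INVALID_AVP_LENGTH
    expected = chap_md5_response(ident, secret, top[CHAP_CHALLENGE][1])
    if not hmac.compare_digest(expected, response):  # constant-time compare
        return DIAMETER_AUTHENTICATION_REJECTED
    return DIAMETER_SUCCESS


def build_sample_request(secret, challenge, ident, correct_password=True):
    """Constructed AA-Request fragment: CHAP-Challenge plus a CHAP-Auth group."""
    used_secret = secret if correct_password else b"wrong-password"
    response = chap_md5_response(ident, used_secret, challenge)
    grouped = (encode_avp(CHAP_ALGORITHM, struct.pack("!I", CHAP_WITH_MD5))
               + encode_avp(CHAP_IDENT, ident)
               + encode_avp(CHAP_RESPONSE, response))
    return encode_avp(CHAP_CHALLENGE, challenge) + encode_avp(CHAP_AUTH, grouped)


if __name__ == "__main__":
    # Constructed sample values, not taken from the draft.
    secret, challenge, ident = b"s3cret", bytes(range(16)), b"\x07"
    print(verify_chap_auth(build_sample_request(secret, challenge, ident), secret))
    print(verify_chap_auth(build_sample_request(secret, challenge, ident, False), secret))
```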
   When used in a request, the Service-Type AVP SHOULD be considered to
   be a hint to the server that the NAS has reason to believe the user
   would prefer the kind of service indicated, but the server is not
   required to honor the hint.  Furthermore, if the service specified by
   the server is supported, but not compatible with the current mode of
   access, the NAS MUST fail to start the session.  It MUST also
   generate the appropriate error message(s).

   The following values have been defined for the Service-Type AVP.  The
   complete list of defined values can be found in [RADIUS] and
   [RADIUSTypes].  The following list is informational:

       1  Login
       2  Framed
       3  Callback Login
       4  Callback Framed
       5  Outbound
       6  Administrative
       7  NAS Prompt
       8  Authenticate Only
       9  Callback NAS Prompt
      10  Call Check
      11  Callback Administrative
      12  Voice
      13  Fax
      14  Modem Relay
      15  IAPP-Register [IEEE 802.11f]
      16  IAPP-AP-Check [IEEE 802.11f]
      17  Authorize Only [RFC3576]

   The following values are further qualified:

   Login               1
      The user should be connected to a host.  The message MAY include
      additional AVPs defined in sections 6.15 or 6.16.

   Framed              2
      A Framed Protocol should be started for the User, such as PPP
      or SLIP.  The message MAY include additional AVPs defined in
      sections 6.9, or 7 for tunneling services.

   Callback Login      3
      The user should be disconnected and called back, then connected
      to a host.  The message MAY include additional AVPs defined in
      this section.

   Callback Framed     4
      The user should be disconnected and called back, then a Framed
      Protocol should be started for the User, such as PPP or SLIP.
      The message MAY include additional AVPs defined in sections
      6.9, or 7 for tunneling services.

6.2. Callback-Number AVP

   The Callback-Number AVP (AVP Code 19) is of type UTF8String, and
   contains a dialing string to be used for callback.  It MAY be used in
   an authentication and/or authorization request as a hint to the
   server that a Callback service is desired, but the server is not
   required to honor the hint in the corresponding response.

   The codification of the range of allowed usage of this field is
   outside the scope of this specification.

6.3. Callback-Id AVP

   The Callback-Id AVP (AVP Code 20) is of type UTF8String, and contains
   the name of a place to be called, to be interpreted by the NAS.  This
   AVP MAY be present in an authentication and/or authorization
   response.

   This AVP is not roaming-friendly since it assumes that the Callback-
   Id is configured on the NAS.  It is therefore preferable to use the
   Callback-Number AVP instead.

6.4. Idle-Timeout AVP

   The Idle-Timeout AVP (AVP Code 28) is of type Unsigned32 and sets the
   maximum number of consecutive seconds of idle connection allowed to
   the user before termination of the session or prompt.  It MAY be used
   in an authentication and/or authorization request (or challenge) as a
   hint to the server that an idle timeout is desired, but the server is
   not required to honor the hint in the corresponding response.  The
   default is none, or system specific.

6.5. Port-Limit AVP

   The Port-Limit AVP (AVP Code 62) is of type Unsigned32 and sets the
   maximum number of ports to be provided to the user by the NAS.  It
   MAY be used in an authentication and/or authorization request as a
   hint to the server that multilink PPP [PPPMP] service is desired, but
   the server is not required to honor the hint in the corresponding
   response.

6.6. NAS-Filter-Rule AVP

   The NAS-Filter-Rule AVP (AVP Code 400) is of type IPFilterRule, and
   provides filter rules that need to be configured on the NAS for the
   user.  One or more such AVPs MAY be present in an authorization
   response.

6.7. Filter-Id AVP

   The Filter-Id AVP (AVP Code 11) is of type UTF8String, and contains
   the name of the filter list for this user.  Zero or more Filter-Id
   AVPs MAY be sent in an authorization answer.

   Identifying a filter list by name allows the filter to be used on
   different NASes without regard to filter-list implementation details.
   However, this AVP is not roaming friendly since filter naming differs
   from one service provider to another.

   In non-RADIUS environments, it is RECOMMENDED that the NAS-Filter-
   Rule AVP be used instead.

6.8. Configuration-Token AVP

   The Configuration-Token AVP (AVP Code 78) is of type OctetString and
   is sent by a Diameter Server to a Diameter Proxy Agent or Translation
   Agent in an AA-Answer command to indicate a type of user profile to
   be used.  It should not be sent to a Diameter Client (NAS).

   The format of the Data field of this AVP is site specific.

6.9. Framed Access Authorization AVPs

   This section contains the authorization AVPs that are necessary to
   support framed access, such as PPP, SLIP, etc.  AVPs defined in this
   section MAY be present in a message if the Service-Type AVP was set
   to "Framed" or "Callback Framed".

6.9.1. Framed-Protocol AVP

   The Framed-Protocol AVP (AVP Code 7) is of type Enumerated and
   contains the framing to be used for framed access.  This AVP MAY be
   present in both requests and responses.  The supported values are
   listed in [RADIUSTypes].
   The following list is informational:

      1  PPP
      2  SLIP
      3  AppleTalk Remote Access Protocol (ARAP)
      4  Gandalf proprietary SingleLink/MultiLink protocol
      5  Xylogics proprietary IPX/SLIP
      6  X.75 Synchronous

6.9.2. Framed-Routing AVP

   The Framed-Routing AVP (AVP Code 10) is of type Enumerated and
   contains the routing method for the user, when the user is a router
   to a network.  This AVP SHOULD only be present in authorization
   responses.  The supported values are listed in [RADIUSTypes].  The
   following list is informational:

      0  None
      1  Send routing packets
      2  Listen for routing packets
      3  Send and Listen

6.9.3. Framed-MTU AVP

   The Framed-MTU AVP (AVP Code 12) is of type Unsigned32 and contains
   the Maximum Transmission Unit to be configured for the user, when it
   is not negotiated by some other means (such as PPP).  This AVP SHOULD
   only be present in authorization responses.  The MTU value MUST be in
   the range of 64 and 65535.

6.9.4. Framed-Compression AVP

   The Framed-Compression AVP (AVP Code 13) is of type Enumerated and
   contains the compression protocol to be used for the link.  It MAY be
   used in an authorization request as a hint to the server that a
   specific compression type is desired, but the server is not required
   to honor the hint in the corresponding response.

   More than one compression protocol AVP MAY be sent.  It is the
   responsibility of the NAS to apply the proper compression protocol to
   appropriate link traffic.

   The supported values are listed in [RADIUSTypes].  The following list
   is informational:

      0  None
      1  VJ TCP/IP header compression
      2  IPX header compression
      3  Stac-LZS compression

6.10. IP Access

   The AVPs defined in this section are used when the user requests, or
   is being granted, access to IP.
   They are only present if the Framed-Protocol AVP (see Section 6.9.1)
   is set to PPP, SLIP, Gandalf proprietary SingleLink/MultiLink
   protocol, or X.75 Synchronous.

6.10.1. Framed-IP-Address AVP

   The Framed-IP-Address AVP (AVP Code 8) [RADIUS] is of type
   OctetString and contains an IPv4 address, of the type specified in
   the attribute value, to be configured for the user.  It MAY be used in
   an authorization request as a hint to the server that a specific
   address is desired, but the server is not required to honor the hint
   in the corresponding response.

   Two IPv4 addresses have special significance: 0xFFFFFFFF and
   0xFFFFFFFE.  The value 0xFFFFFFFF indicates that the NAS should allow
   the user to select an address (e.g. Negotiated).  The value 0xFFFFFFFE
   indicates that the NAS should select an address for the user (e.g.
   Assigned from a pool of addresses kept by the NAS).

6.10.2. Framed-IP-Netmask AVP

   The Framed-IP-Netmask AVP (AVP Code 9) is of type OctetString and
   contains the four octets of the IPv4 netmask to be configured for the
   user when the user is a router to a network.  It MAY be used in an
   authorization request as a hint to the server that a specific netmask
   is desired, but the server is not required to honor the hint in the
   corresponding response.  This AVP MUST be present in a response if the
   request included this AVP with a value of 0xFFFFFFFF.

6.10.3. Framed-Route AVP

   The Framed-Route AVP (AVP Code 22) is of type UTF8String, and
   contains the ASCII routing information to be configured for the user
   on the NAS.  Zero or more such AVPs MAY be present in an authorization
   response.

   The string MUST contain a destination prefix in dotted quad form
   optionally followed by a slash and a decimal length specifier stating
   how many high order bits of the prefix should be used.
   That is followed by a space, a gateway address in dotted quad form, a
   space, and one or more metrics separated by spaces.  For example,
   "192.168.1.0/24 192.168.1.1 1".

   The length specifier may be omitted in which case it should default
   to 8 bits for class A prefixes, 16 bits for class B prefixes, and 24
   bits for class C prefixes.  For example, "192.168.1.0 192.168.1.1 1".

   Whenever the gateway address is specified as "0.0.0.0" the IP address
   of the user SHOULD be used as the gateway address.

6.10.4. Framed-Pool AVP

   The Framed-Pool AVP (AVP Code 88) is of type OctetString and contains
   the name of an assigned address pool that SHOULD be used to assign an
   address for the user.  If a NAS does not support multiple address
   pools, the NAS SHOULD ignore this AVP.  Address pools are usually
   used for IP addresses, but can be used for other protocols if the NAS
   supports pools for those protocols.

   Although specified as type OctetString for compatibility with RADIUS
   [RADIUSExt], the encoding of the Data field SHOULD also conform to
   the rules for the UTF8String Data Format.

6.10.5. Framed-Interface-Id AVP

   The Framed-Interface-Id AVP (AVP Code 96) is of type Unsigned64 and
   contains the IPv6 interface identifier to be configured for the user.
   It MAY be used in authorization requests as a hint to the server that
   a specific interface id is desired, but the server is not required to
   honor the hint in the corresponding response.

6.10.6. Framed-IPv6-Prefix AVP

   The Framed-IPv6-Prefix AVP (AVP Code 97) is of type OctetString and
   contains the IPv6 prefix to be configured for the user.  One or more
   AVPs MAY be used in authorization requests as a hint to the server
   that specific IPv6 prefixes are desired, but the server is not
   required to honor the hint in the corresponding response.

6.10.7. Framed-IPv6-Route AVP

   The Framed-IPv6-Route AVP (AVP Code 99) is of type UTF8String, and
   contains the ASCII routing information to be configured for the user
   on the NAS.  Zero or more such AVPs MAY be present in an authorization
   response.

   The string MUST contain an IPv6 address prefix followed by a slash
   and a decimal length specifier stating how many high order bits of
   the prefix should be used.  That is followed by a space, a gateway
   address in hexadecimal notation, a space, and one or more metrics
   separated by spaces.  For example:
   "2000:0:0:106::/64 2000::106:a00:20ff:fe99:a998 1".

   Whenever the gateway address is the IPv6 unspecified address the IP
   address of the user SHOULD be used as the gateway address, such as:
   "2000:0:0:106::/64 :: 1".

6.10.8. Framed-IPv6-Pool AVP

   The Framed-IPv6-Pool AVP (AVP Code 100) is of type OctetString, and
   contains the name of an assigned pool that SHOULD be used to assign
   an IPv6 prefix for the user.  If the access device does not support
   multiple prefix pools, it MUST ignore this AVP.

   Although specified as type OctetString for compatibility with RADIUS
   [RADIUSIPv6], the encoding of the Data field SHOULD also conform to
   the rules for the UTF8String Data Format.

6.11. IPX Access

   The AVPs defined in this section are used when the user requests, or
   is being granted, access to IPX.  They are only present if the Framed-
   Protocol AVP (see Section 6.9.1) is set to PPP, Xylogics proprietary
   IPX/SLIP, Gandalf proprietary SingleLink/MultiLink protocol, or X.75
   Synchronous.

6.11.1. Framed-IPX-Network AVP

   The Framed-IPX-Network AVP (AVP Code 23) is of type Unsigned32, and
   contains the IPX Network number to be configured for the user.
   It MAY be used in an authorization request as a hint to the server
   that a specific address is desired, but the server is not required to
   honor the hint in the corresponding response.

   Two addresses have special significance: 0xFFFFFFFF and 0xFFFFFFFE.
   The value 0xFFFFFFFF indicates that the NAS should allow the user to
   select an address (e.g. Negotiated).  The value 0xFFFFFFFE indicates
   that the NAS should select an address for the user (e.g. assigned
   from a pool of one or more IPX networks kept by the NAS).

6.12. Appletalk Access

   The AVPs defined in this section are used when the user requests, or
   is being granted, access to Appletalk.  They are only present if the
   Framed-Protocol AVP (see Section 6.9.1) is set to PPP, Gandalf
   proprietary SingleLink/MultiLink protocol, or X.75 Synchronous.

6.12.1. Framed-AppleTalk-Link AVP

   The Framed-AppleTalk-Link AVP (AVP Code 37) is of type Unsigned32 and
   contains the AppleTalk network number which should be used for the
   serial link to the user, which is another AppleTalk router.  This AVP
   MUST only be present in an authorization response and is never used
   when the user is not another router.

   Despite the size of the field, values range from zero to 65535.  The
   special value of zero indicates that this is an unnumbered serial
   link.  A value of one to 65535 means that the serial line between the
   NAS and the user should be assigned that value as an AppleTalk
   network number.

6.12.2. Framed-AppleTalk-Network AVP

   The Framed-AppleTalk-Network AVP (AVP Code 38) is of type Unsigned32
   and contains the AppleTalk Network number which the NAS should probe
   to allocate an AppleTalk node for the user.  This AVP MUST only be
   present in an authorization response and is never used when the user
   is not another router.
   Multiple instances of this AVP indicate that the NAS may probe using
   any of the network numbers specified.

   Despite the size of the field, values range from zero to 65535. The
   special value zero indicates that the NAS should assign a network for
   the user, using its default cable range. A value between one and
   65535 (inclusive) indicates the AppleTalk Network the NAS should
   probe to find an address for the user.

6.12.3. Framed-AppleTalk-Zone AVP

   The Framed-AppleTalk-Zone AVP (AVP Code 39) is of type OctetString
   and contains the AppleTalk Default Zone to be used for this user.
   This AVP MUST only be present in an authorization response. Multiple
   instances of this AVP in the same message are not allowed.

   The codification of the range of allowed usage of this field is
   outside the scope of this specification.

6.13. ARAP Access

   The AVPs defined in this section are used when the user requests, or
   is being granted, access to ARAP. They are only present if the
   Framed-Protocol AVP (see Section 6.9.1) is set to AppleTalk Remote
   Access Protocol (ARAP).

6.13.1. ARAP-Features AVP

   The ARAP-Features AVP (AVP Code 71) is of type OctetString, and MAY
   be present in the AA-Answer message if the Framed-Protocol AVP is set
   to the value of ARAP. See [RADIUSExt] for more information on the
   format of this AVP.

6.13.2. ARAP-Zone-Access AVP

   The ARAP-Zone-Access AVP (AVP Code 72) is of type Enumerated, and MAY
   be present in the AA-Answer message if the Framed-Protocol AVP is set
   to the value of ARAP.

   The supported values are listed in [RADIUSTypes], and are defined in
   [RADIUSExt].

6.14. Non-Framed Access Authorization AVPs

   This section contains the authorization AVPs that are needed to
   support terminal server functionality.
   AVPs defined in this section MAY be present in a message if the
   Service-Type AVP was set to "Login" or "Callback Login".

6.14.1. Login-IP-Host AVP

   The Login-IP-Host AVP (AVP Code 14) [RADIUS] is of type OctetString
   and contains the IPv4 address of a host with which to connect the
   user when the Login-Service AVP is included. It MAY be used in an
   AA-Request command as a hint to the Diameter Server that a specific
   host is desired, but the Diameter Server is not required to honor the
   hint in the AA-Answer.

   Two addresses have special significance: all ones and 0. The value
   of all ones indicates that the NAS SHOULD allow the user to select an
   address. The value 0 indicates that the NAS SHOULD select a host to
   connect the user to.

6.14.2. Login-IPv6-Host AVP

   The Login-IPv6-Host AVP (AVP Code 98) [RADIUSIPv6] is of type
   OctetString and contains the IPv6 address of a host with which to
   connect the user when the Login-Service AVP is included. It MAY be
   used in an AA-Request command as a hint to the Diameter Server that a
   specific host is desired, but the Diameter Server is not required to
   honor the hint in the AA-Answer.

   Two addresses have special significance:
   0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF and 0. The value
   0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF indicates that the NAS SHOULD
   allow the user to select an address. The value 0 indicates that the
   NAS SHOULD select a host to connect the user to.

6.14.3. Login-Service AVP

   The Login-Service AVP (AVP Code 15) is of type Enumerated and
   contains the service which should be used to connect the user to the
   login host. This AVP SHOULD only be present in authorization
   responses.

   The supported values are listed in [RADIUSTypes].
   The following list is informational:

      0  Telnet
      1  Rlogin
      2  TCP Clear
      3  PortMaster (proprietary)
      4  LAT
      5  X25-PAD
      6  X25-T3POS
      8  TCP Clear Quiet (suppresses any NAS-generated connect string)

6.15. TCP Services

   The AVPs described in this section MAY be present if the Login-
   Service AVP is set to Telnet, Rlogin, TCP Clear or TCP Clear Quiet.

6.15.1. Login-TCP-Port AVP

   The Login-TCP-Port AVP (AVP Code 16) is of type Unsigned32 and
   contains the TCP port with which the user is to be connected, when
   the Login-Service AVP is also present. This AVP SHOULD only be
   present in authorization responses. The value MUST NOT be greater
   than 65535.

6.15.2. LAT Services

   The AVPs described in this section MAY be present if the Login-
   Service AVP is set to LAT.

6.15.3. Login-LAT-Service AVP

   The Login-LAT-Service AVP (AVP Code 34) is of type OctetString and
   contains the system with which the user is to be connected by LAT. It
   MAY be used in an authorization request as a hint to the server that
   a specific service is desired, but the server is not required to
   honor the hint in the corresponding response. This AVP MUST only be
   present in the response if the Login-Service AVP states that LAT is
   desired.

   Administrators use the service attribute when dealing with clustered
   systems, such as a VAX or Alpha cluster. In such an environment
   several different time sharing hosts share the same resources (disks,
   printers, etc.), and administrators often configure each to offer
   access (service) to each of the shared resources. In this case, each
   host in the cluster advertises its services through LAT broadcasts.

   Sophisticated users often know which service providers (machines) are
   faster and tend to use a node name when initiating a LAT connection.
   Alternately, some administrators want particular users to use certain
   machines as a primitive form of load balancing (although LAT knows
   how to do load balancing itself).

   The String field contains the identity of the LAT service to use.
   The LAT Architecture allows this string to contain $ (dollar), -
   (hyphen), . (period), _ (underscore), numerics, upper and lower case
   alphabetics, and the ISO Latin-1 character set extension [ISOLatin].
   All LAT string comparisons are case insensitive.

6.15.4. Login-LAT-Node AVP

   The Login-LAT-Node AVP (AVP Code 35) is of type OctetString and
   contains the Node with which the user is to be automatically
   connected by LAT. It MAY be used in an authorization request as a
   hint to the server that a specific LAT node is desired, but the
   server is not required to honor the hint in the corresponding
   response. This AVP MUST only be present in a response if the Login-
   Service AVP is set to LAT.

   The String field contains the identity of the LAT node to connect
   the user to. The LAT Architecture allows this string to contain $
   (dollar), - (hyphen), . (period), _ (underscore), numerics, upper and
   lower case alphabetics, and the ISO Latin-1 character set extension
   [ISOLatin]. All LAT string comparisons are case insensitive.

6.15.5. Login-LAT-Group AVP

   The Login-LAT-Group AVP (AVP Code 36) is of type OctetString and
   contains a string identifying the LAT group codes which this user is
   authorized to use. It MAY be used in an authorization request as a
   hint to the server that a specific group is desired, but the server
   is not required to honor the hint in the corresponding response. This
   AVP MUST only be present in a response if the Login-Service AVP is
   set to LAT.

   LAT supports 256 different group codes, which LAT uses as a form of
   access rights. LAT encodes the group codes as a 256 bit bitmap.
   Administrators can assign one or more of the group code bits at the
   LAT service provider; it will only accept LAT connections that have
   these group codes set in the bit map. The administrators assign a
   bitmap of authorized group codes to each user; LAT gets these from
   the operating system, and uses these in its requests to the service
   providers.

   The codification of the range of allowed usage of this field is
   outside the scope of this specification.

6.15.6. Login-LAT-Port AVP

   The Login-LAT-Port AVP (AVP Code 63) is of type OctetString and
   contains the Port with which the user is to be connected by LAT. It
   MAY be used in an authorization request as a hint to the server that
   a specific port is desired, but the server is not required to honor
   the hint in the corresponding response. This AVP MUST only be present
   in a response if the Login-Service AVP is set to LAT.

   The String field contains the identity of the LAT port to use. The
   LAT Architecture allows this string to contain $ (dollar), -
   (hyphen), . (period), _ (underscore), numerics, upper and lower case
   alphabetics, and the ISO Latin-1 character set extension [ISOLatin].
   All LAT string comparisons are case insensitive.

7. NAS Tunneling

   Some NASes support compulsory tunnel services where the incoming
   connection data is conveyed by an encapsulation method to a gateway
   elsewhere in the network. This is typically transparent to the
   service user, and the tunnel characteristics may be described by the
   remote AAA server, based on the user's authorization information.
   Several tunnel characteristics may be returned, and the NAS
   implementation may choose one.
   [RADTunnels], [RADTunlAcct]

                                             +---------------------+
                                             |    AVP Flag rules   |
                                             |----+-----+----+-----|----+
                      AVP  Section           |    |     |SHLD| MUST|    |
   Attribute Name     Code Defined Value Type|MUST| MAY | NOT| NOT |Encr|
   ------------------------------------------|----+-----+----+-----|----|
   Tunneling          401  7.1   Grouped     | M  |  P  |    |  V  | N  |
   Tunnel-Type         64  7.2   Enumerated  | M  |  P  |    |  V  | Y  |
   Tunnel-Medium-Type  65  7.3   Enumerated  | M  |  P  |    |  V  | Y  |
   Tunnel-Client-      66  7.4   UTF8String  | M  |  P  |    |  V  | Y  |
     Endpoint
   Tunnel-Server-      67  7.5   UTF8String  | M  |  P  |    |  V  | Y  |
     Endpoint
   Tunnel-Password     69  7.6   OctetString | M  |  P  |    |  V  | Y  |
   Tunnel-Private-     81  7.7   OctetString | M  |  P  |    |  V  | Y  |
     Group-Id
   Tunnel-             82  7.8   OctetString | M  |  P  |    |  V  | Y  |
     Assignment-Id
   Tunnel-Preference   83  7.9   Unsigned32  | M  |  P  |    |  V  | Y  |
   Tunnel-Client-      90  7.10  UTF8String  | M  |  P  |    |  V  | Y  |
     Auth-Id
   Tunnel-Server-      91  7.11  UTF8String  | M  |  P  |    |  V  | Y  |
     Auth-Id
   ------------------------------------------|----+-----+----+-----|----|

7.1. Tunneling AVP

   The Tunneling AVP (AVP Code 401) is of type Grouped and contains the
   following AVPs used to describe a compulsory tunnel service
   [RADTunnels], [RADTunlAcct]. Its data field has the following ABNF
   grammar:

      Tunneling ::= < AVP Header: 401 >
                    { Tunnel-Type }
                    { Tunnel-Medium-Type }
                    { Tunnel-Client-Endpoint }
                    { Tunnel-Server-Endpoint }
                    [ Tunnel-Preference ]
                    [ Tunnel-Client-Auth-Id ]
                    [ Tunnel-Server-Auth-Id ]
                    [ Tunnel-Assignment-Id ]
                    [ Tunnel-Password ]
                    [ Tunnel-Private-Group-Id ]

7.2. Tunnel-Type AVP

   The Tunnel-Type AVP (AVP Code 64) is of type Enumerated and contains
   the tunneling protocol(s) to be used (in the case of a tunnel
   initiator) or the tunneling protocol in use (in the case of a tunnel
   terminator). It MAY be used in an authorization request as a hint to
   the server that a specific tunnel type is desired, but the server is
   not required to honor the hint in the corresponding response.

   The Tunnel-Type AVP SHOULD also be included in Accounting-Request
   messages.

   A tunnel initiator is not required to implement any of these tunnel
   types; if a tunnel initiator receives a response that contains only
   unknown or unsupported Tunnel-Types, the tunnel initiator MUST behave
   as though a response was received with the Result-Code indicating a
   failure.

   The supported values are listed in [RADIUSTypes]. The following list
   is informational:

      1   Point-to-Point Tunneling Protocol (PPTP)
      2   Layer Two Forwarding (L2F)
      3   Layer Two Tunneling Protocol (L2TP)
      4   Ascend Tunnel Management Protocol (ATMP)
      5   Virtual Tunneling Protocol (VTP)
      6   IP Authentication Header in the Tunnel-mode (AH)
      7   IP-in-IP Encapsulation (IP-IP)
      8   Minimal IP-in-IP Encapsulation (MIN-IP-IP)
      9   IP Encapsulating Security Payload in the Tunnel-mode (ESP)
      10  Generic Route Encapsulation (GRE)
      11  Bay Dial Virtual Services (DVS)
      12  IP-in-IP Tunneling
      13  Virtual LANs (VLAN)

7.3. Tunnel-Medium-Type AVP

   The Tunnel-Medium-Type AVP (AVP Code 65) is of type Enumerated and
   contains the transport medium to use when creating a tunnel for those
   protocols (such as L2TP) that can operate over multiple transports.
   It MAY be used in an authorization request as a hint to the server
   that a specific medium is desired, but the server is not required to
   honor the hint in the corresponding response.
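   To make the Tunneling Grouped AVP of Section 7.1 concrete, here is an
   added example (not code from the draft or from any Diameter stack) that
   encodes one Tunneling AVP, with its children in ABNF order, into the
   Diameter wire format and decodes it back. The AVP header layout used
   (32-bit code, 8-bit flags with V/M/P, 24-bit length that excludes the
   4-octet padding, optional Vendor-Id) is the Diameter base protocol's;
   the AVP codes are those in the table above. The endpoint strings and
   the Tunnel-Password value are constructed sample data.

```python
"""Encode and decode the Tunneling Grouped AVP (Section 7.1).

Added example, not part of the draft.  Wire layout follows the Diameter
base protocol: AVP Code (4), Flags (1: V M P ...), Length (3, counts the
header and data but not padding), optional Vendor-Id (4), data, then
zero padding to a 4-octet boundary.  A Grouped AVP's data is simply the
concatenation of its child AVPs.
"""
import struct
from typing import List, Optional, Tuple

FLAG_V, FLAG_M, FLAG_P = 0x80, 0x40, 0x20

# AVP codes from the NAS tunneling table
TUNNELING, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE = 401, 64, 65
TUNNEL_CLIENT_ENDPOINT, TUNNEL_SERVER_ENDPOINT = 66, 67
TUNNEL_PASSWORD, TUNNEL_PRIVATE_GROUP_ID = 69, 81
TUNNEL_ASSIGNMENT_ID, TUNNEL_PREFERENCE = 82, 83
TUNNEL_CLIENT_AUTH_ID, TUNNEL_SERVER_AUTH_ID = 90, 91

# values from the informational lists in 7.2 and 7.3
TUNNEL_TYPE_L2TP, TUNNEL_MEDIUM_IPV4 = 3, 1


def encode_avp(code: int, data: bytes, flags: int = FLAG_M,
               vendor_id: Optional[int] = None) -> bytes:
    """Build one AVP; all NAS tunneling AVPs carry the M bit and no V bit."""
    header_len = 12 if vendor_id is not None else 8
    if vendor_id is not None:
        flags |= FLAG_V
    length = header_len + len(data)            # padding is NOT counted
    if length >= 1 << 24:
        raise ValueError("AVP too large for the 24-bit length field")
    out = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    if vendor_id is not None:
        out += struct.pack("!I", vendor_id)
    return out + data + b"\x00" * (-len(data) % 4)


def encode_unsigned32(code: int, value: int) -> bytes:
    return encode_avp(code, struct.pack("!I", value))


def encode_utf8(code: int, text: str) -> bytes:
    return encode_avp(code, text.encode("utf-8"))


def encode_tunneling_avp(tunnel_type: int, medium: int, client_ep: str,
                         server_ep: str, preference: Optional[int] = None,
                         client_auth: Optional[str] = None,
                         server_auth: Optional[str] = None,
                         assignment_id: Optional[bytes] = None,
                         password: Optional[bytes] = None,
                         private_group: Optional[bytes] = None) -> bytes:
    """Children appear in the order of the ABNF in Section 7.1."""
    children = [
        encode_unsigned32(TUNNEL_TYPE, tunnel_type),
        encode_unsigned32(TUNNEL_MEDIUM_TYPE, medium),
        encode_utf8(TUNNEL_CLIENT_ENDPOINT, client_ep),
        encode_utf8(TUNNEL_SERVER_ENDPOINT, server_ep),
    ]
    optional = [
        (TUNNEL_PREFERENCE, preference, encode_unsigned32),
        (TUNNEL_CLIENT_AUTH_ID, client_auth, encode_utf8),
        (TUNNEL_SERVER_AUTH_ID, server_auth, encode_utf8),
        (TUNNEL_ASSIGNMENT_ID, assignment_id, encode_avp),
        (TUNNEL_PASSWORD, password, encode_avp),
        (TUNNEL_PRIVATE_GROUP_ID, private_group, encode_avp),
    ]
    for code, value, enc in optional:
        if value is not None:
            children.append(enc(code, value))
    return encode_avp(TUNNELING, b"".join(children))


def decode_avps(buf: bytes) -> List[Tuple[int, int, Optional[int], bytes]]:
    """Split a buffer into (code, flags, vendor_id, data) tuples.

    Length is validated against the buffer before slicing so a malformed
    peer cannot make the parser read past the message.
    """
    avps, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr = 12 if flags & FLAG_V else 8
        if length < hdr or off + length > len(buf):
            raise ValueError(f"bad AVP length {length} for code {code}")
        vendor = struct.unpack_from("!I", buf, off + 8)[0] if flags & FLAG_V else None
        avps.append((code, flags, vendor, buf[off + hdr:off + length]))
        off += length + (-length % 4)          # step over the padding
    return avps


if __name__ == "__main__":
    # constructed sample values; 192.0.2.0/24 is a documentation range
    blob = encode_tunneling_avp(TUNNEL_TYPE_L2TP, TUNNEL_MEDIUM_IPV4,
                                "192.0.2.10", "lns.example.net",
                                preference=1, password=b"s3cret")
    for code, flags, _, data in decode_avps(decode_avps(blob)[0][3]):
        print(code, hex(flags), data)
```

   Decoding the sample shows why the table marks Tunnel-Password as
   encryptable while the Tunneling container is not: the password sits
   in clear inside the Grouped data, so anything that protects it must
   operate on the child AVP (or on the whole message via transport
   security, as Section 7.6 requires), not on the container.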
   The supported values are listed in [RADIUSTypes]. The following list
   is informational:

      1   IPv4 (IP version 4)
      2   IPv6 (IP version 6)
      3   NSAP
      4   HDLC (8-bit multidrop)
      5   BBN 1822
      6   802 (includes all 802 media plus Ethernet "canonical format")
      7   E.163 (POTS)
      8   E.164 (SMDS, Frame Relay, ATM)
      9   F.69 (Telex)
      10  X.121 (X.25, Frame Relay)
      11  IPX
      12  Appletalk
      13  Decnet IV
      14  Banyan Vines
      15  E.164 with NSAP format subaddress

7.4. Tunnel-Client-Endpoint AVP

   The Tunnel-Client-Endpoint AVP (AVP Code 66) is of type UTF8String,
   and contains the address of the initiator end of the tunnel. It MAY
   be used in an authorization request as a hint to the server that a
   specific endpoint is desired, but the server is not required to honor
   the hint in the corresponding response.

   This AVP SHOULD be included in the corresponding Accounting-Request
   messages, in which case it indicates the address from which the
   tunnel was initiated. This AVP, along with the Tunnel-Server-Endpoint
   and Session-Id AVP [Base], MAY be used to provide a globally unique
   means to identify a tunnel for accounting and auditing purposes.

   If Tunnel-Medium-Type is IPv4 (1), then this string is either the
   fully qualified domain name (FQDN) of the tunnel client machine, or
   it is a "dotted-decimal" IP address. Implementations MUST support
   the dotted-decimal format and SHOULD support the FQDN format for IP
   addresses.

   If Tunnel-Medium-Type is IPv6 (2), then this string is either the
   FQDN of the tunnel client machine, or it is a text representation of
   the address in either the preferred or alternate form [IPv6Addr].
   Conformant implementations MUST support the preferred form and SHOULD
   support both the alternate text form and the FQDN format for IPv6
   addresses.
   If Tunnel-Medium-Type is neither IPv4 nor IPv6, this string is a tag
   referring to configuration data local to the Diameter client that
   describes the interface and medium-specific address to use.

7.5. Tunnel-Server-Endpoint AVP

   The Tunnel-Server-Endpoint AVP (AVP Code 67) is of type UTF8String,
   and contains the address of the server end of the tunnel. It MAY be
   used in an authorization request as a hint to the server that a
   specific endpoint is desired, but the server is not required to honor
   the hint in the corresponding response.

   This AVP SHOULD be included in the corresponding Accounting-Request
   messages, in which case it indicates the address to which the tunnel
   was initiated. This AVP, along with the Tunnel-Client-Endpoint and
   Session-Id AVP [Base], MAY be used to provide a globally unique means
   to identify a tunnel for accounting and auditing purposes.

   If Tunnel-Medium-Type is IPv4 (1), then this string is either the
   fully qualified domain name (FQDN) of the tunnel server machine, or
   it is a "dotted-decimal" IP address. Implementations MUST support
   the dotted-decimal format and SHOULD support the FQDN format for IP
   addresses.

   If Tunnel-Medium-Type is IPv6 (2), then this string is either the
   FQDN of the tunnel server machine, or it is a text representation of
   the address in either the preferred or alternate form [IPv6Addr].
   Implementations MUST support the preferred form and SHOULD support
   both the alternate text form and the FQDN format for IPv6 addresses.

   If Tunnel-Medium-Type is neither IPv4 nor IPv6, this string is a tag
   referring to configuration data local to the Diameter client that
   describes the interface and medium-specific address to use.

7.6. Tunnel-Password AVP

   The Tunnel-Password AVP (AVP Code 69) is of type OctetString and may
   contain a password to be used to authenticate to a remote server.
   The Tunnel-Password AVP contains sensitive information. This value is
   not protected in the same manner as RADIUS [RADTunnels].

   As required in [Base], Diameter messages are encrypted using IPsec or
   TLS. The Tunnel-Password AVP SHOULD NOT be used in untrusted proxy
   environments without encrypting it using end-to-end security
   techniques, such as CMS Security [DiamCMS].

7.7. Tunnel-Private-Group-Id AVP

   The Tunnel-Private-Group-Id AVP (AVP Code 81) is of type OctetString,
   and contains the group Id for a particular tunneled session. The
   Tunnel-Private-Group-Id AVP MAY be included in an authorization
   request if the tunnel initiator can pre-determine the group resulting
   from a particular connection and SHOULD be included in the
   authorization response if this tunnel session is to be treated as
   belonging to a particular private group. Private groups may be used
   to associate a tunneled session with a particular group of users.
   For example, it MAY be used to facilitate routing of unregistered IP
   addresses through a particular interface. This AVP SHOULD be
   included in the Accounting-Request messages which pertain to the
   tunneled session.

7.8. Tunnel-Assignment-Id AVP

   The Tunnel-Assignment-Id AVP (AVP Code 82) is of type OctetString and
   is used to indicate to the tunnel initiator the particular tunnel to
   which a session is to be assigned. Some tunneling protocols, such as
   [PPTP] and [L2TP], allow for sessions between the same two tunnel
   endpoints to be multiplexed over the same tunnel and also for a given
   session to utilize its own dedicated tunnel. This attribute provides
   a mechanism for Diameter to be used to inform the tunnel initiator
   (e.g., PAC, LAC) whether to assign the session to a multiplexed
   tunnel or to a separate tunnel.
   Furthermore, it allows for sessions sharing multiplexed tunnels to be
   assigned to different multiplexed tunnels.

   A particular tunneling implementation may assign differing
   characteristics to particular tunnels. For example, different
   tunnels may be assigned different QoS parameters. Such tunnels may
   be used to carry either individual or multiple sessions. The Tunnel-
   Assignment-Id attribute thus allows the Diameter server to indicate
   that a particular session is to be assigned to a tunnel that provides
   an appropriate level of service. It is expected that any QoS-related
   Diameter tunneling attributes defined in the future that accompany
   this attribute will be associated by the tunnel initiator with the Id
   given by this attribute. In the meantime, any semantic given to a
   particular Id string is a matter left to local configuration in the
   tunnel initiator.

   The Tunnel-Assignment-Id AVP is of significance only to Diameter and
   the tunnel initiator. The Id it specifies is intended to be of only
   local use to Diameter and the tunnel initiator. The Id assigned by
   the tunnel initiator is not conveyed to the tunnel peer.

   This attribute MAY be included in authorization responses. The tunnel
   initiator receiving this attribute MAY choose to ignore it and assign
   the session to an arbitrary multiplexed or non-multiplexed tunnel
   between the desired endpoints. This AVP SHOULD also be included in
   the Accounting-Request messages which pertain to the tunneled
   session.

   If a tunnel initiator supports the Tunnel-Assignment-Id AVP, then it
   should assign a session to a tunnel in the following manner:

   -  If this AVP is present and a tunnel exists between the specified
      endpoints with the specified Id, then the session should be
      assigned to that tunnel.
   -  If this AVP is present and no tunnel exists between the
      specified endpoints with the specified Id, then a new tunnel
      should be established for the session and the specified Id
      should be associated with the new tunnel.

   -  If this AVP is not present, then the session is assigned to an
      unnamed tunnel. If an unnamed tunnel does not yet exist between
      the specified endpoints then it is established and used for this
      and subsequent sessions established without the Tunnel-
      Assignment-Id attribute. A tunnel initiator MUST NOT assign a
      session for which a Tunnel-Assignment-Id AVP was not specified
      to a named tunnel (i.e., one that was initiated by a session
      specifying this AVP).

   Note that the same Id may be used to name different tunnels if such
   tunnels are between different endpoints.

7.9. Tunnel-Preference AVP

   The Tunnel-Preference AVP (AVP Code 83) is of type Unsigned32 and is
   used to identify the relative preference assigned to each tunnel when
   more than one set of tunneling AVPs is returned within separate
   Grouped-AVP AVPs. It MAY be used in an authorization request as a
   hint to the server that a specific preference is desired, but the
   server is not required to honor the hint in the corresponding
   response.

   For example, suppose that AVPs describing two tunnels are returned by
   the server, one with a Tunnel-Type of PPTP and the other with a
   Tunnel-Type of L2TP. If the tunnel initiator supports only one of
   the Tunnel-Types returned, it will initiate a tunnel of that type.
   If, however, it supports both tunnel protocols, it SHOULD use the
   value of the Tunnel-Preference AVP to decide which tunnel should be
   started. The tunnel having the numerically lowest value in the Value
   field of this AVP SHOULD be given the highest preference.
   The values assigned to two or more instances of the Tunnel-Preference
   AVP within a given authorization response MAY be identical. In this
   case, the tunnel initiator SHOULD use locally configured metrics to
   decide which set of AVPs to use.

7.10. Tunnel-Client-Auth-Id AVP

   The Tunnel-Client-Auth-Id AVP (AVP Code 90) is of type UTF8String and
   specifies the name used by the tunnel initiator during the
   authentication phase of tunnel establishment. It MAY be used in an
   authorization request as a hint to the server that a specific
   authentication name is desired, but the server is not required to
   honor the hint in the corresponding response. This AVP MUST be
   present in the authorization response if an authentication name other
   than the default is desired. This AVP SHOULD be included in the
   Accounting-Request messages which pertain to the tunneled session.

7.11. Tunnel-Server-Auth-Id AVP

   The Tunnel-Server-Auth-Id AVP (AVP Code 91) is of type UTF8String and
   specifies the name used by the tunnel terminator during the
   authentication phase of tunnel establishment. It MAY be used in an
   authorization request as a hint to the server that a specific
   authentication name is desired, but the server is not required to
   honor the hint in the corresponding response. This AVP MUST be
   present in the authorization response if an authentication name other
   than the default is desired. This AVP SHOULD be included in the
   Accounting-Request messages which pertain to the tunneled session.

8. NAS Accounting

   Applications implementing this specification use Diameter Accounting
   as defined in the Base [Base] with the addition of the AVPs in the
   following section.

   If accounting is active, Accounting Request messages (ACR) SHOULD be
   sent after the completion of any Authentication or Authorization
   transaction and at the end of a Session.
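   Sections 7.8 and 7.9 together describe what a tunnel initiator does
   with a response that carries several Tunneling groups: discard the
   groups whose Tunnel-Type it does not implement, fail as if the
   Result-Code indicated failure when none remain, pick the lowest
   Tunnel-Preference among the rest (local metrics break ties), and then
   place the session in a named or unnamed tunnel according to the
   Tunnel-Assignment-Id rules. The following added example (not code from
   the draft or any NAS) implements both steps. The TunnelingGroup,
   Tunnel and TunnelTable names, the local tie-break metric, and the
   treatment of a group with no Tunnel-Preference as least preferred are
   assumptions of the example; the draft does not define them.

```python
"""Tunnel initiator logic for Tunnel-Preference and Tunnel-Assignment-Id.

Added example, not part of the draft.  select_tunnel() chooses among the
Tunneling groups of one authorization response; TunnelTable.assign()
applies the named/unnamed tunnel rules of Section 7.8.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

PPTP, L2TP = 1, 3      # Tunnel-Type values from the informational list in 7.2


@dataclass(frozen=True)
class TunnelingGroup:
    """The fields of one Tunneling Grouped AVP that matter here."""
    tunnel_type: int
    medium: int
    client_endpoint: str
    server_endpoint: str
    preference: Optional[int] = None        # Tunnel-Preference (optional)
    assignment_id: Optional[bytes] = None   # Tunnel-Assignment-Id (optional)


class NoUsableTunnel(Exception):
    """Only unknown/unsupported Tunnel-Types: treat the response as a failure."""


def select_tunnel(groups: Iterable[TunnelingGroup], supported_types: Set[int],
                  local_metric: Callable[[TunnelingGroup], int] = lambda g: 0
                  ) -> TunnelingGroup:
    """Pick the group to act on, per Section 7.9 and the rule in 7.2.

    local_metric is the initiator's own tie-breaker (lower is better); a
    group without Tunnel-Preference sorts after every explicit value
    (assumption of this example).
    """
    usable = [g for g in groups if g.tunnel_type in supported_types]
    if not usable:
        raise NoUsableTunnel("no supported Tunnel-Type in response")

    def rank(g: TunnelingGroup):
        return (g.preference is None,
                g.preference if g.preference is not None else 0,
                local_metric(g))

    return min(usable, key=rank)


@dataclass
class Tunnel:
    endpoints: Tuple[str, str]
    assignment_id: Optional[bytes]          # None marks the unnamed tunnel
    sessions: List[str] = field(default_factory=list)


class TunnelTable:
    """Tunnels keyed by (client endpoint, server endpoint, Id).

    Keeping the Id inside the key enforces both rules of Section 7.8: a
    session without Tunnel-Assignment-Id can never land in a named tunnel
    (its key has Id None), and the same Id names distinct tunnels when the
    endpoints differ.
    """

    def __init__(self) -> None:
        self._tunnels: Dict[Tuple[str, str, Optional[bytes]], Tunnel] = {}

    def assign(self, session_id: str, group: TunnelingGroup) -> Tunnel:
        key = (group.client_endpoint, group.server_endpoint, group.assignment_id)
        tunnel = self._tunnels.get(key)
        if tunnel is None:
            # new named tunnel for this Id, or the single unnamed tunnel
            # between these endpoints, established on first use
            tunnel = Tunnel((group.client_endpoint, group.server_endpoint),
                            group.assignment_id)
            self._tunnels[key] = tunnel
        tunnel.sessions.append(session_id)
        return tunnel

    def tunnels(self) -> List[Tunnel]:
        return list(self._tunnels.values())


if __name__ == "__main__":
    # constructed sample response with two groups; 192.0.2.0/24 is a
    # documentation range, the server names are invented
    response = [
        TunnelingGroup(PPTP, 1, "192.0.2.10", "pns.example.net", preference=1),
        TunnelingGroup(L2TP, 1, "192.0.2.10", "lns.example.net", preference=2,
                       assignment_id=b"gold"),
    ]
    chosen = select_tunnel(response, supported_types={PPTP, L2TP})
    table = TunnelTable()
    print(chosen.tunnel_type, table.assign("sess-1", chosen))
```

   Raising NoUsableTunnel rather than silently picking the first group
   is the point of the MUST in Section 7.2: an initiator that cannot
   build any of the tunnels the server asked for must not fall back to
   an untunneled session for that user.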
   The Accounting-Record-Type value indicates the type of event. All
   other AVPs identify the session and provide additional information
   relevant to the event.

   The successful completion of the first Authentication or
   Authorization transaction SHOULD cause a START_RECORD to be sent. If
   additional Authentications or Authorizations occur in later
   transactions, the first exchange should generate a START_RECORD, and
   the later ones an INTERIM_RECORD. For a given session, there MUST
   only be one set of matching START and STOP records, with any number
   of INTERIM_RECORDs in between, or one EVENT_RECORD indicating the
   reason for not starting a session.

   The following table describes the AVPs, their AVP Code values, types,
   possible flag values and whether the AVP MAY be encrypted.

                                             +---------------------+
                                             |    AVP Flag rules   |
                                             |----+-----+----+-----|----+
                      AVP  Section           |    |     |SHLD| MUST|    |
   Attribute Name     Code Defined Value Type|MUST| MAY | NOT| NOT |Encr|
   ------------------------------------------|----+-----+----+-----|----|
   Accounting-        363  8.1   Unsigned64  | M  |  P  |    |  V  | Y  |
     Input-Octets
   Accounting-        364  8.2   Unsigned64  | M  |  P  |    |  V  | Y  |
     Output-Octets
   Accounting-        365  8.3   Unsigned64  | M  |  P  |    |  V  | Y  |
     Input-Packets
   Accounting-        366  8.4   Unsigned64  | M  |  P  |    |  V  | Y  |
     Output-Packets
   Acct-Session-Time   46  8.5   Unsigned32  | M  |  P  |    |  V  | Y  |
   Acct-Authentic      45  8.6   Enumerated  | M  |  P  |    |  V  | Y  |
   Accounting-Auth-   TBD  8.7   Enumerated  | M  |  P  |    |  V  | Y  |
     Method
   Acct-Delay-Time     41  8.8   Unsigned32  | M  |  P  |    |  V  | Y  |
   Acct-Link-Count     51  8.9   Unsigned32  | M  |  P  |    |  V  | Y  |
   Acct-Tunnel-        68  8.10  OctetString | M  |  P  |    |  V  | Y  |
     Connection
   Acct-Tunnel-        86  8.11  Unsigned32  | M  |  P  |    |  V  | Y  |
     Packets-Lost
   ------------------------------------------|----+-----+----+-----|----|

8.1. Accounting-Input-Octets AVP

   The Accounting-Input-Octets AVP (AVP Code 363) is of type Unsigned64,
   and contains the number of octets received from the user.

   For NAS usage, this AVP indicates how many octets have been received
   from the port in the course of this session and can only be present
   in ACR messages with an Accounting-Record-Type of INTERIM_RECORD or
   STOP_RECORD.

8.2. Accounting-Output-Octets AVP

   The Accounting-Output-Octets AVP (AVP Code 364) is of type
   Unsigned64, and contains the number of octets sent to the user.

   For NAS usage, this AVP indicates how many octets have been sent to
   the port in the course of this session and can only be present in ACR
   messages with an Accounting-Record-Type of INTERIM_RECORD or
   STOP_RECORD.

8.3. Accounting-Input-Packets AVP

   The Accounting-Input-Packets AVP (AVP Code 365) is of type
   Unsigned64, and contains the number of packets received from the
   user.

   For NAS usage, this AVP indicates how many packets have been received
   from the port over the course of a session being provided to a Framed
   User and can only be present in ACR messages with an Accounting-
   Record-Type of INTERIM_RECORD or STOP_RECORD.

8.4. Accounting-Output-Packets AVP

   The Accounting-Output-Packets AVP (AVP Code 366) is of type
   Unsigned64, and contains the number of IP packets sent to the user.

   For NAS usage, this AVP indicates how many packets have been sent to
   the port over the course of a session being provided to a Framed User
   and can only be present in ACR messages with an Accounting-Record-
   Type of INTERIM_RECORD or STOP_RECORD.

8.5. Acct-Session-Time AVP

   The Acct-Session-Time AVP (AVP Code 46) is of type Unsigned32, and
   indicates the length of the current session in seconds.
   It can only be present in ACR messages with an Accounting-Record-Type
   of INTERIM_RECORD or STOP_RECORD.

8.6. Acct-Authentic AVP

   The Acct-Authentic AVP (AVP Code 45) is of type Enumerated, and
   specifies how the user was authenticated. The supported values are
   listed in [RADIUSTypes]. The following list is informational:

      1  RADIUS
      2  Local
      3  Remote
      4  Diameter

8.7. Accounting-Auth-Method AVP

   The Accounting-Auth-Method AVP (AVP Code TBD) is of type Enumerated.
   A NAS MAY include this AVP in an Accounting-Request message to
   indicate what authentication method was used to authenticate the
   user. (Note that this is equivalent to the RADIUS MS-Acct-Auth-Type
   VSA attribute.)

   The following values are defined:

      1  PAP
      2  CHAP
      3  MS-CHAP-1
      4  MS-CHAP-2
      5  EAP
      7  None

8.8. Acct-Delay-Time AVP

   The Acct-Delay-Time AVP (AVP Code 41) is of type Unsigned32 and
   indicates the number of seconds during which the Diameter client has
   been trying to send the Accounting-Request (ACR) which contains it.
   The accounting server may subtract this value from the time the ACR
   arrives at the server to calculate the approximate time of the event
   that caused the ACR to be generated.

   This AVP is not used for retransmissions at the transport level (TCP
   or SCTP). Rather, it may be used when an ACR command cannot be
   transmitted because there is no appropriate peer to transmit it to,
   or was rejected because it could not be delivered to its destination.
   In these cases, the command MAY be buffered and transmitted some time
   later when an appropriate peer-connection is available or after
   sufficient time has passed that the destination-host may be reachable
   and operational. If the ACR is resent in this way the Acct-Delay-
   Time AVP SHOULD be included.
   The value of this AVP indicates the number of seconds that elapsed
   between the time of the first attempt at transmission and the current
   attempt at transmission.

8.9. Acct-Link-Count AVP

   The Acct-Link-Count AVP (AVP Code 51) is of type Unsigned32 and
   indicates the total number of links that have been active (current or
   closed) in a given multilink session, at the time the accounting
   record is generated. This AVP MAY be included in Accounting-Requests
   for any session which may be part of a multilink service.

   The Acct-Link-Count AVP may be used to make it easier for an
   accounting server to know when it has all the records for a given
   multilink service. When the number of Accounting-Requests received
   with Accounting-Record-Type = STOP_RECORD and the same Acct-Multi-
   Session-Id and unique Session-Id's equals the largest value of Acct-
   Link-Count seen in those Accounting-Requests, all STOP_RECORD
   Accounting-Requests for that multilink service have been received.

   The following example showing eight Accounting-Requests illustrates
   how the Acct-Link-Count AVP is used. In the table below, only the
   relevant AVPs are shown although additional AVPs containing
   accounting information will also be present in the Accounting-
   Requests.

      Acct-Multi-                 Accounting-     Acct-
      Session-Id    Session-Id    Record-Type     Link-Count
      --------------------------------------------------------
      "...10"       "...10"       START_RECORD    1
      "...10"       "...11"       START_RECORD    2
      "...10"       "...11"       STOP_RECORD     2
      "...10"       "...12"       START_RECORD    3
      "...10"       "...13"       START_RECORD    4
      "...10"       "...12"       STOP_RECORD     4
      "...10"       "...13"       STOP_RECORD     4
      "...10"       "...10"       STOP_RECORD     4

8.10. Acct-Tunnel-Connection AVP

   The Acct-Tunnel-Connection AVP (AVP Code 68) is of type OctetString,
   and contains the identifier assigned to the tunnel session.
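   The completeness rule in Section 8.9 is easy to state and easy to get
   wrong (counting STOP records instead of distinct Session-Ids, or
   comparing against the count in the latest record rather than the
   largest seen). The following is an added example, not code from the
   draft or from any accounting server, that runs the rule over the
   eight Accounting-Requests of the table above and reports the record
   at which the multilink service becomes complete. The AcctRecord and
   MultilinkTracker names are invented here; the record list reproduces
   the draft's table, including its abbreviated "..." identifiers.

```python
"""Multilink completeness check using Acct-Link-Count (Section 8.9).

Added example, not part of the draft.  A multilink service is complete
when the number of distinct Session-Ids seen in STOP_RECORDs for one
Acct-Multi-Session-Id equals the largest Acct-Link-Count carried by
those STOP_RECORDs.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

START_RECORD, INTERIM_RECORD, STOP_RECORD = "START_RECORD", "INTERIM_RECORD", "STOP_RECORD"


@dataclass(frozen=True)
class AcctRecord:
    """The AVPs of one Accounting-Request that the rule depends on."""
    multi_session_id: str
    session_id: str
    record_type: str
    link_count: int


# The eight records from the table in Section 8.9 (identifiers kept as
# the draft abbreviates them).
EXAMPLE_RECORDS = [
    AcctRecord("...10", "...10", START_RECORD, 1),
    AcctRecord("...10", "...11", START_RECORD, 2),
    AcctRecord("...10", "...11", STOP_RECORD, 2),
    AcctRecord("...10", "...12", START_RECORD, 3),
    AcctRecord("...10", "...13", START_RECORD, 4),
    AcctRecord("...10", "...12", STOP_RECORD, 4),
    AcctRecord("...10", "...13", STOP_RECORD, 4),
    AcctRecord("...10", "...10", STOP_RECORD, 4),
]


class MultilinkTracker:
    """Accounting-server side state, keyed by Acct-Multi-Session-Id."""

    def __init__(self) -> None:
        self._stopped: Dict[str, Set[str]] = defaultdict(set)   # Session-Ids with a STOP
        self._max_links: Dict[str, int] = defaultdict(int)      # largest Acct-Link-Count in STOPs

    def observe(self, rec: AcctRecord) -> bool:
        """Fold one record in; return True once the multilink service is complete."""
        mid = rec.multi_session_id
        if rec.record_type == STOP_RECORD:
            if rec.session_id in self._stopped[mid]:
                # Section 8 allows exactly one matching START/STOP pair per session
                raise ValueError(f"duplicate STOP_RECORD for Session-Id {rec.session_id!r}")
            self._stopped[mid].add(rec.session_id)
            self._max_links[mid] = max(self._max_links[mid], rec.link_count)
        return self.is_complete(mid)

    def is_complete(self, multi_session_id: str) -> bool:
        expected = self._max_links[multi_session_id]
        return expected > 0 and len(self._stopped[multi_session_id]) == expected


def first_complete_index(records: Iterable[AcctRecord]) -> Optional[int]:
    """Index of the record whose arrival completes the service, or None."""
    tracker = MultilinkTracker()
    for i, rec in enumerate(records):
        if tracker.observe(rec):
            return i
    return None


if __name__ == "__main__":
    print("complete at record", first_complete_index(EXAMPLE_RECORDS))
```

   Because Acct-Link-Count counts every link that has ever been active,
   the final STOP always carries the largest value, so the running
   maximum never undercounts; the duplicate-STOP check guards the
   one-START-one-STOP invariant from Section 8, which the counting
   depends on.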
This AVP, 2061 along with the Tunnel-Client-Endpoint and Tunnel-Server-Endpoint 2062 AVPs, may be used to provide a means to uniquely identify a tunnel 2063 session for auditing purposes. 2065 The format of the identifier in this AVP depends upon the value of 2066 the Tunnel-Type AVP. For example, to fully identify an L2TP tunnel 2067 connection, the L2TP Tunnel Id and Call Id might be encoded in this 2068 field. The exact encoding of this field is implementation dependent. 2070 8.11. Acct-Tunnel-Packets-Lost AVP 2072 The Acct-Tunnel-Packets-Lost AVP (AVP Code 86) is of type Unsigned32 2073 and contains the number of packets lost on a given link. 2075 9. RADIUS/Diameter Protocol Interactions 2077 This section describes some basic guidelines that may be used by 2078 servers that act as AAA Translation Agents. A complete description of 2079 all the differences between RADIUS and Diameter is beyond the scope 2080 of this section and document. Note that this document does not 2081 restrict implementations from creating additional methods, as long as 2082 the translation function doesn't violate the RADIUS or the Diameter 2083 protocols. 2085 There are primarily two different situations that must be handled; 2086 one where a RADIUS request is received that must be forwarded as a 2087 Diameter request, and the inverse. RADIUS does not support a peer- 2088 to-peer architecture and server initiated operations are generally 2089 not supported. See [RADDynAuth] for an alternative. 2091 Some RADIUS attributes are encrypted. RADIUS security and encryption 2092 techniques are applied on a hop-per-hop basis. A Diameter agent will 2093 have to decrypt RADIUS attribute data entering the Diameter system 2094 and if that information is forwarded, MUST secure it using Diameter 2095 specific techniques. 2097 Note that this section uses the two terms; "AVP" and "attribute" in a 2098 concise and specific manner. 
The former is used to signify a 2099 Diameter AVP, while the latter is used to signify a RADIUS attribute. 2101 9.1. RADIUS Request Forwarded as Diameter Request 2103 This section describes the actions that should be followed when a 2104 Translation Agent receives a RADIUS message that is to be translated 2105 to a Diameter message. 2107 It is important to note that RADIUS servers are assumed to be 2108 stateless, and this section maintains that assumption. It is also 2109 quite possible for the RADIUS messages that comprise the session 2110 (i.e. authentication and accounting messages) will be handled by 2111 different Translation Agents in the proxy network. Therefore, a 2112 RADIUS/Diameter Translation Agent SHOULD NOT be assumed to have an 2113 accurate track on session state information. 2115 When a Translation Agent receives a RADIUS message, the following 2116 steps should be taken: 2118 - If a Message-Authenticator attribute is present, the value MUST 2119 be checked, but not included in the Diameter message. If it is 2120 incorrect, the RADIUS message should be silently discarded. The 2121 gateway system SHOULD generate and include a Message- 2122 Authenticator in return RADIUS responses to this system. 2123 - The transport address of the sender MUST be checked against the 2124 NAS identifying attributes. See the description of NAS- 2125 Identifier and NAS-IP-Address below. 2126 - The Diameter Origin-Host and Origin-Realm AVPs MUST be created 2127 and added using the information from an FQDN corresponding to 2128 the NAS-IP-Address attribute (preferred if available), and/or 2129 the NAS-Identifier attribute. (Note that the RADIUS NAS- 2130 Identifier is not required to be an FQDN) The AAA protocol 2131 specified in the identity would be set to "RADIUS". 2132 - The Proxy-Info group SHOULD be added with the local server's 2133 identity being specified in the Proxy-Host AVP. This should 2134 ensure that the response is returned to this system. 
2135 - The Destination-Realm AVP is created from the information found 2136 in the RADIUS User-Name attribute. 2137 - The Translation Agent must maintain transaction state 2138 information relevant to the RADIUS request, such as the 2139 Identifier field in the RADIUS header, any existing RADIUS 2140 Proxy-State attribute as well as the source IP address and port 2141 number of the UDP packet. These may be maintained locally in a 2142 state table, or may be saved in a Proxy-Info AVP group. 2143 - If the RADIUS request contained a State attribute, and the 2144 prefix of the data is "Diameter/", the data following the prefix 2145 contains the Diameter Session-Id. If no such attributes are 2146 present, and the RADIUS command is an Access-Request, a new 2147 Session-Id is created. The Session-Id is included in the 2148 Session-Id AVP. 2149 - If the RADIUS User-Password attribute is present, the password 2150 must be unencrypted using the link's RADIUS shared secret. And 2151 forwarded using Diameter security. 2152 - If the RADIUS CHAP-Password attribute is present, the Ident and 2153 Data portion of the attribute are used to create the CHAP-Auth 2154 grouped AVP. 2155 - If the RADIUS message contains an address attribute, it MUST be 2156 converted to the appropriate Diameter AVP and type. 2157 - If the RADIUS message contains Tunnel information [RADTunnels], 2158 the attributes or tagged groups should each be converted to a 2159 Diameter Tunneling Grouped AVP set. If the tunnel information 2160 contains a Tunnel-Password attribute, the RADIUS encryption must 2161 be resolved, and the password forwarded using Diameter security 2162 methods. 2163 - If the RADIUS message received is an Accounting-Request, the 2164 Acct-Status-Type attribute value must be converted to a 2165 Accounting-Record-Type AVP value. 
If the Acct-Status-Type 2166 attribute value is STOP, the local server MUST issue a Session- 2167 Termination-Request message once the Diameter Accounting-Answer 2168 message has been received. 2169 - If the Accounting message contains a Acct-Termination-Cause 2170 attribute, it should be translated to the equivalent 2171 Termination-Cause AVP value. (see below) 2172 - If the RADIUS message contains the Accounting-Input-Octets, 2173 Accounting-Input-Packets, Accounting-Output-Octets or 2174 Accounting-Output-Packets, these attributes must be converted to 2175 the Diameter equivalent ones. Further, if the Acct-Input- 2176 Gigawords or Acct-Output-Gigawords attributes are present, these 2177 must be used to properly compute the Diameter accounting AVPs. 2179 The corresponding Diameter response is always guaranteed to be 2180 received by the same Translation Agent that translated the original 2181 request, due to the contents of the Origin-Host AVP in the Diameter 2182 request. The following steps are applied to the response message 2183 during the Diameter to RADIUS translation: 2185 - If the Diameter Command-Code is set to AA-Answer and the Result- 2186 Code AVP is set to DIAMETER_MULTI_ROUND_AUTH, the gateway must 2187 send a RADIUS Access-Challenge with the Diameter Session-Id and 2188 the Origin-Host AVPs encapsulated in the RADIUS State attribute, 2189 with the prefix "Diameter/". This is necessary in order to 2190 ensure that the Translation Agent that will receive the 2191 subsequent RADIUS Access-Request will have access to the Session 2192 Identifier, and be able to set the Destination-Host to the 2193 correct value. If the Multi-Round-Time-Out AVP is present, the 2194 value of the AVP MUST be inserted in the RADIUS Session-Timeout 2195 AVP. 
2196 - If the Command-Code is set to AA-Answer, the Diameter Session-Id 2197 AVP is saved in a new RADIUS Class attribute, whose format 2198 consists of the string "Diameter/" followed by the Diameter 2199 Session Identifier. This will ensure that the subsequent 2200 Accounting messages, which could be received by any Translation 2201 Agent, would have access to the original Diameter Session 2202 Identifier. 2203 - If a Proxy-State attribute was present in the RADIUS request, 2204 the same attribute is added in the response. This information 2205 may be found in the Proxy-Info AVP group, or in a local state 2206 table. 2207 - If state information regarding the RADIUS request was saved in a 2208 Proxy-Info AVP or local state table, the RADIUS Identifier and 2209 UDP IP Address and port number are extracted and used in issuing 2210 the RADIUS reply. 2212 When translating a Diameter AA-Answer (with successful result code) 2213 to RADIUS Access-Accept, that contains a Session-Timeout or 2214 Authorization-Lifetime AVP; 2216 - If the Diameter message contains a Session-Timeout AVP but no 2217 Authorization-Lifetime AVP, translate it to Session-Timeout 2218 attribute (and no Termination-Action). 2219 - If the Diameter message contains a Authorization-Lifetime AVP 2220 but no Session-Timeout AVP, translate it to Session-Timeout 2221 attribute and Termination-Action set to AA-REQUEST. (And remove 2222 Authorization-Lifetime and Re-Auth-Request-Type) 2223 - If the Diameter message has both, the Session-Timeout is always 2224 greater or equal than Authorization-Lifetime (required by Base). 2225 I guess the safest bet is to translate it to Session-Timeout 2226 value (with value from Authorization-Lifetime AVP, the smaller 2227 one) and Termination-Action set to AA-REQUEST. 
(And remove 2228 Authorization-Lifetime and Re-Auth-Request-Type) 2230 As described in Section 3.2 of [RADDynAuth], a Service-Type of 2231 "Authorize Only" is used in a Disconnect-Request or CoA-Request 2232 message, in order to allow for easier translation between RADIUS and 2233 Diameter. In order to simplify implementation, a RADIUS/Diameter 2234 gateway receiving a RADIUS Disconnect-Request without a Service-Type 2235 value of "Authorize Only" MAY reply with a Disconnect-Nak with an 2236 Error-Cause attribute with value 405," Unsupported Service" and no 2237 Service-Type attribute. 2239 Similarly, a RADIUS/Diameter gateway receiving a RADIUS CoA-Request 2240 without a Service-Type value of "Authorize Only" MAY reply with a 2241 CoA-Nak with an Error-Cause attribute with value 405, "Unsupported 2242 Service" and no Service-Type attribute. 2244 When included within a RADIUS Disconnect-Request or CoA-Request, a 2245 Service-Type Attribute with value "Authorize Only" indicates that the 2246 Request only contains NAS and session identification attributes. 2248 A RADIUS CoA-Request is translated to a Diameter Re-Authorization 2249 Request (RAR), and a RADIUS Disconnect-Request is translated to a 2250 Diameter Session-Termination-Request (STR). 2252 A Diameter Re-Authorization Request (RAR) message will receive a 2253 Diameter Re-Authorization Answer (RAA) reply which is translated to a 2254 RADIUS CoA-NAK containing a Service-Type Attribute with value 2255 "Authorize Only" and an Error-Cause Attribute with value "Request 2256 Initiated." 2258 A Diameter Session-Termination-Request (STR) message will receive a 2259 Diameter Session-Termination-Answer (STA) message reply which is 2260 tranlated to a RADIUS Disconnect-Nak containing a Service-Type 2261 Attribute with value "Authorize Only" and an Error-Cause Attribute 2262 with value "Request Initiated." 
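   The first of the ingress steps in Section 9.1 (check a Message-Authenticator when present and silently discard the packet when it is wrong) and the State-attribute rule (a "Diameter/" prefix means the rest of the data is the Diameter Session-Id), as an added Python example; this is not code from the draft. The minimal packet builder, the constructed shared secret and the sample Session-Id are assumptions of the example. The Message-Authenticator value is HMAC-MD5 over the whole Access-Request with the attribute's own 16 octets set to zero, as RFC 2869 specifies, and the comparison is constant-time.

```python
import hashlib
import hmac
import struct

# RADIUS code and attribute types used here (RFC 2865, RFC 2869).
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_STATE = 24
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20                 # Code(1) Identifier(1) Length(2) Authenticator(16)
DIAMETER_PREFIX = b"Diameter/"  # Section 9.1: State data carrying a Diameter Session-Id


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS attributes: Type(1) Length(1) Value."""
    out = bytearray()
    for typ, val in attrs:
        if len(val) > 253:
            raise ValueError("RADIUS attribute value exceeds 253 octets")
        out += bytes([typ, len(val) + 2]) + val
    return bytes(out)


def parse_attrs(packet):
    """Return [(type, offset_of_value, value)] for every attribute after the header."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("bad RADIUS Length field")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        typ, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.append((typ, pos + 2, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def build_access_request(identifier, request_authenticator, attrs, secret):
    """Build an Access-Request whose last attribute is a Message-Authenticator.
    The HMAC-MD5 is computed with the 16-octet value zeroed, then written in place."""
    body = encode_attrs(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    packet = bytearray(struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
                       + request_authenticator + body)
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def verify_message_authenticator(packet, secret):
    """True when no Message-Authenticator is present or it is correct; False otherwise."""
    found = [(off, val) for typ, off, val in parse_attrs(packet)
             if typ == ATTR_MESSAGE_AUTHENTICATOR]
    if not found:
        return True  # nothing to check
    off, val = found[0]
    if len(val) != 16:
        return False
    zeroed = bytearray(packet)
    zeroed[off:off + 16] = bytes(16)
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(expected, val)


def session_id_from_state(packet):
    """Section 9.1: data after the "Diameter/" prefix of a State attribute is the Session-Id."""
    for typ, _off, val in parse_attrs(packet):
        if typ == ATTR_STATE and val.startswith(DIAMETER_PREFIX):
            return val[len(DIAMETER_PREFIX):].decode("ascii")
    return None


def ingress_check(packet, secret):
    """Decide whether to translate the packet, and which Session-Id (if any) to reuse."""
    if not verify_message_authenticator(packet, secret):
        return ("discard", None)   # silently discarded, per Section 9.1
    return ("accept", session_id_from_state(packet))
```

   A packet without a Message-Authenticator passes this check unchanged; the step only requires verification when the attribute is present.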
   After a Diameter Re-Authorization Answer (RAA) is sent, a Diameter AA-Request will then be sent and is translated to a RADIUS Access-Request with a Service-Type attribute with value "Authorize Only", attempting reauthorization. This Access-Request contains the NAS attributes from the CoA-Request, as well as the session attributes from the Request legal for inclusion in an Access-Request. The RADIUS server will send back an Access-Accept to (re-)authorize the session or an Access-Reject to refuse to (re-)authorize it. This is translated to a Diameter AA-Answer.

   After a Diameter Session-Termination-Answer (STA) is sent, a Diameter Abort-Session-Request (ASR) will be sent and is translated to a RADIUS Access-Request with a Service-Type attribute with value "Authorize Only", attempting reauthorization. This Access-Request contains the NAS and session attributes from the Disconnect-Request. The RADIUS server sends back an Access-Reject to terminate the session. This is translated to a Diameter Abort-Session-Answer (ASA).

9.2. Diameter Request Forwarded as RADIUS Request

   When a server receives a Diameter request that is to be forwarded to a RADIUS entity, the following steps are an example of the steps that may be followed:

   - The Origin-Host AVP's value is inserted in the NAS-Identifier attribute.
   - The following information MUST be present in the corresponding Diameter response, and therefore MUST be saved either in a local state table, or encoded in a RADIUS Proxy-State attribute:
        1. Origin-Host AVP
        2. Session-Id AVP
        3. Proxy-Info AVP
        4. Any other AVP that MUST be present in the response, and has no corresponding RADIUS attribute.
   - If the CHAP-Auth AVP is present, the grouped AVPs are used to create the RADIUS CHAP-Password attribute data.
   - If the User-Password AVP is present, the data should be encrypted using RADIUS rules. Likewise for any other encrypted attribute values.
   - AVPs that are of the type Address must be translated to the corresponding RADIUS attribute.
   - If the Accounting-Input-Octets, Accounting-Input-Packets, Accounting-Output-Octets or Accounting-Output-Packets AVPs are present, these must be translated to the corresponding RADIUS attributes. Further, if the value of the Diameter AVPs does not fit within a 32-bit RADIUS attribute, the RADIUS Acct-Input-Gigawords and Acct-Output-Gigawords must be used.
   - If the RADIUS link supports the Message-Authenticator attribute [RADIUSExt], it SHOULD be generated and added to the request.

   When the corresponding response is received by the Translation Agent, which is guaranteed in the RADIUS protocol, the following steps may be followed:

   - If the RADIUS code is set to Access-Challenge, a Diameter AA-Answer message is created with the Result-Code set to DIAMETER_MULTI_ROUND_AUTH. If the Session-Timeout attribute is present in the RADIUS message, its value is inserted in the Multi-Round-Time-Out AVP.
   - If a Proxy-State attribute is present, extract the encoded information; otherwise retrieve the original Proxy-Info AVP group information from the local state table.
   - The response's Origin-Host information is created from the FQDN of the source IP address of the RADIUS message. The same FQDN is also stored in a Route-Record AVP.
   - The response's Destination-Host AVP is copied from the saved request's Origin-Host information.
   - The Acct-Session-Id information is added to the Session-Id AVP.
   - If a Proxy-Info AVP was present in the request, the same AVP MUST be added to the response.
   - If the RADIUS State attributes are present, these attributes must be present in the Diameter response.
   - Any other AVPs that were saved at request time, and MUST be present in the response, are added to the message.

   When translating a RADIUS Access-Accept that contains a Session-Timeout attribute to a Diameter AA-Answer, do the following:

   - If the RADIUS message contains a Session-Timeout attribute and a Termination-Action attribute set to DEFAULT (or no Termination-Action attribute at all), translate it to an AA-Answer with a Session-Timeout AVP, and remove the Termination-Action attribute.
   - If the RADIUS message contains a Session-Timeout attribute and a Termination-Action attribute set to AA-REQUEST, translate it to an AA-Answer with an Authorization-Lifetime AVP and Re-Auth-Request-Type set to AUTHORIZE_AUTHENTICATE, and remove the Session-Timeout attribute.

   If the Diameter/RADIUS gateway supports [RADDynAuth], it may translate a Diameter Re-Authorization-Request (RAR) message to a RADIUS CoA-Request with a Service-Type value of "Authorize Only". It is possible that the NAS receiving this message will not support [RADDynAuth], in which case an ICMP Port Unreachable message will be returned to the Diameter/RADIUS gateway. However, even if the NAS supports [RADDynAuth], it may not support a Service-Type value of "Authorize Only" in a CoA-Request message. In this case it will respond with a CoA-NAK and (optionally) an Error-Cause attribute with value 405, "Unsupported Service", and no Service-Type attribute. If a Diameter/RADIUS gateway receives such a packet, or an ICMP Port Unreachable message, or if it does not support [RADDynAuth], then it SHOULD reply to the AAA server with a Diameter Re-Authorization-Answer (RAA) message with a Result-Code AVP of "DIAMETER_COMMAND_UNSUPPORTED".
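   The counter, record-type, termination-cause and lifetime translations listed in the steps of Sections 9.1 and 9.2, carried out in both directions, as an added Python example (not code from the draft). Attribute and AVP names are used as dictionary keys, which is a convenience of the example. The numeric values for Acct-Status-Type, Accounting-Record-Type, Termination-Action and Re-Auth-Request-Type come from RFC 2866, RFC 2865 and the Diameter Base protocol; the Termination-Cause offset of 10 is read off the table in Section 9.3.5; Accounting-On and Accounting-Off are deliberately left unmapped here.

```python
TWO32 = 1 << 32

# RADIUS Acct-Status-Type (RFC 2866) <-> Diameter Accounting-Record-Type (Base).
# Accounting-On (7) and Accounting-Off (8) are not mapped in this example.
ACCT_STATUS_TO_RECORD_TYPE = {1: 2,   # Start          -> START_RECORD
                               2: 4,   # Stop           -> STOP_RECORD
                               3: 3}   # Interim-Update -> INTERIM_RECORD
RECORD_TYPE_TO_ACCT_STATUS = {v: k for k, v in ACCT_STATUS_TO_RECORD_TYPE.items()}

TERMINATION_ACTION_DEFAULT = 0         # RFC 2865 "Default"
TERMINATION_ACTION_RADIUS_REQUEST = 1  # RFC 2865 "RADIUS-Request"; the draft calls it AA-REQUEST
RE_AUTH_AUTHORIZE_AUTHENTICATE = 1     # Diameter Base Re-Auth-Request-Type


def radius_counter_to_diameter(octets, gigawords=0):
    """Section 9.1: fold Acct-*-Gigawords (number of 2^32 wraps) into the 64-bit AVP value."""
    if not (0 <= octets < TWO32 and 0 <= gigawords < TWO32):
        raise ValueError("RADIUS counter attributes are 32-bit")
    return gigawords * TWO32 + octets


def diameter_counter_to_radius(value):
    """Section 9.2: split a 64-bit AVP into (octets, gigawords); gigawords is None
    when the value fits in 32 bits and no Gigawords attribute is needed."""
    if not 0 <= value < TWO32 * TWO32:
        raise ValueError("Diameter counter AVPs are Unsigned64")
    gigawords, octets = divmod(value, TWO32)
    return octets, (gigawords or None)


def radius_terminate_cause_to_diameter(cause):
    """Section 9.3.5 table: Diameter value = RADIUS Acct-Terminate-Cause + 10, causes 1..22."""
    if not 1 <= cause <= 22:
        raise ValueError("no Termination-Cause mapping for RADIUS cause %d" % cause)
    return cause + 10


def accounting_request_to_acr(attrs):
    """RADIUS Accounting-Request attributes (dict by name) -> Diameter ACR AVPs (dict by name)."""
    status = attrs["Acct-Status-Type"]
    if status not in ACCT_STATUS_TO_RECORD_TYPE:
        raise ValueError("Acct-Status-Type %d is not handled by this example" % status)
    avps = {"Accounting-Record-Type": ACCT_STATUS_TO_RECORD_TYPE[status]}
    for d in ("Input", "Output"):
        if "Acct-%s-Octets" % d in attrs:
            avps["Accounting-%s-Octets" % d] = radius_counter_to_diameter(
                attrs["Acct-%s-Octets" % d], attrs.get("Acct-%s-Gigawords" % d, 0))
        if "Acct-%s-Packets" % d in attrs:   # RADIUS has no Gigawords for packet counters
            avps["Accounting-%s-Packets" % d] = attrs["Acct-%s-Packets" % d]
    if "Acct-Terminate-Cause" in attrs:
        avps["Termination-Cause"] = radius_terminate_cause_to_diameter(attrs["Acct-Terminate-Cause"])
    return avps


def acr_to_accounting_request(avps):
    """Diameter ACR AVPs -> RADIUS Accounting-Request attributes. Gigawords attributes
    are emitted only when a counter does not fit the 32-bit RADIUS attribute."""
    record_type = avps["Accounting-Record-Type"]
    if record_type not in RECORD_TYPE_TO_ACCT_STATUS:
        raise ValueError("Accounting-Record-Type %d is not handled by this example" % record_type)
    attrs = {"Acct-Status-Type": RECORD_TYPE_TO_ACCT_STATUS[record_type]}
    for d in ("Input", "Output"):
        if "Accounting-%s-Octets" % d in avps:
            octets, gigawords = diameter_counter_to_radius(avps["Accounting-%s-Octets" % d])
            attrs["Acct-%s-Octets" % d] = octets
            if gigawords is not None:
                attrs["Acct-%s-Gigawords" % d] = gigawords
        if "Accounting-%s-Packets" % d in avps:
            attrs["Acct-%s-Packets" % d] = avps["Accounting-%s-Packets" % d]
    if "Termination-Cause" in avps:
        if not 11 <= avps["Termination-Cause"] <= 32:
            raise ValueError("Termination-Cause outside the Section 9.3.5 mapping")
        attrs["Acct-Terminate-Cause"] = avps["Termination-Cause"] - 10
    return attrs


def aa_answer_lifetime_to_radius(session_timeout=None, authorization_lifetime=None):
    """Section 9.1 rules for a successful AA-Answer -> Access-Accept."""
    if authorization_lifetime is None:
        return {} if session_timeout is None else {"Session-Timeout": session_timeout}
    if session_timeout is not None and session_timeout < authorization_lifetime:
        raise ValueError("Base requires Session-Timeout >= Authorization-Lifetime")
    # The (smaller) Authorization-Lifetime becomes Session-Timeout with Termination-Action
    # AA-REQUEST; Authorization-Lifetime and Re-Auth-Request-Type are not carried over.
    return {"Session-Timeout": authorization_lifetime,
            "Termination-Action": TERMINATION_ACTION_RADIUS_REQUEST}


def access_accept_lifetime_to_diameter(session_timeout=None, termination_action=None):
    """Section 9.2 rules for an Access-Accept -> AA-Answer."""
    if session_timeout is None:
        return {}
    if termination_action in (None, TERMINATION_ACTION_DEFAULT):
        return {"Session-Timeout": session_timeout}
    if termination_action == TERMINATION_ACTION_RADIUS_REQUEST:
        return {"Authorization-Lifetime": session_timeout,
                "Re-Auth-Request-Type": RE_AUTH_AUTHORIZE_AUTHENTICATE}
    raise ValueError("unknown Termination-Action value %r" % termination_action)
```

   The round trip through accounting_request_to_acr and acr_to_accounting_request is lossless for the attributes shown; a counter that fits in 32 bits comes back without a Gigawords attribute, and one that does not comes back with it.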
   If, in response to a CoA-Request sent to the NAS, the Diameter/RADIUS gateway receives a RADIUS CoA-NAK containing a Service-Type Attribute with value "Authorize Only" and an Error-Cause Attribute with value "Request Initiated", this is translated to a Diameter Re-Authorization-Answer (RAA) with a Result-Code AVP of "DIAMETER_LIMITED_SUCCESS" sent to the AAA server.

   Subsequently, the Diameter/RADIUS gateway should receive a RADIUS Access-Request from the NAS, with a Service-Type of "Authorize Only". This is translated to a Diameter AA-Request with an Auth-Request-Type AVP of AUTHORIZE_ONLY, sent to the AAA server. The AAA server will then reply with a Diameter AA-Answer, which is translated to a RADIUS Access-Accept or Access-Reject, depending on the value of the Result-Code AVP.

   A Diameter/RADIUS gateway supporting [RADDynAuth] may translate a Diameter Session-Termination-Request (STR) message received from the AAA server to a RADIUS Disconnect-Request with a Service-Type value of "Authorize Only", sent to the NAS.

   It is possible that the NAS receiving this message will not support [RADDynAuth], in which case an ICMP Port Unreachable message will be returned to the Diameter/RADIUS gateway. Even if the NAS supports [RADDynAuth], it may not support a Service-Type value of "Authorize Only" in a Disconnect-Request message. In this case it will respond with a CoA-NAK and (optionally) an Error-Cause attribute with value 405, "Unsupported Service", and no Service-Type attribute. If the Diameter/RADIUS gateway encounters these error conditions, or if it does not support [RADDynAuth], it sends a Diameter Re-Authorization-Answer (RAA) message with a Result-Code AVP of "DIAMETER_COMMAND_UNSUPPORTED" to the AAA server.
   If the NAS does support [RADDynAuth] and a Disconnect-Request message with a Service-Type value of "Authorize Only", it will typically reply with a RADIUS Disconnect-NAK containing a Service-Type Attribute with value "Authorize Only" and an Error-Cause Attribute with value "Request Initiated". A Diameter/RADIUS gateway supporting [RADDynAuth] translates this to a Diameter Session-Termination-Answer (STA) with a Result-Code AVP of "DIAMETER_LIMITED_SUCCESS", sent to the AAA Server.

   Subsequently, the Diameter/RADIUS gateway should receive a RADIUS Access-Request from the NAS, with a Service-Type of "Authorize Only". This is translated to a Diameter Abort-Session-Request (ASR), sent to the AAA server. The AAA server will then reply with a Diameter Abort-Session-Answer (ASA), which the Diameter/RADIUS gateway translates to a RADIUS Access-Reject sent to the NAS.

9.3. AVPs Used Only for Compatibility

   The AVPs defined in this section SHOULD only be used for backwards compatibility when a Diameter/RADIUS translation function is invoked, and are not typically originated by Diameter systems during normal operations.

                                                         +---------------------+
                                                         |    AVP Flag rules   |
                                                         |----+-----+----+-----|----+
                            AVP   Section                |    |     |SHLD| MUST|    |
   Attribute Name           Code  Defined  Value Type    |MUST| MAY | NOT| NOT|Encr|
   ------------------------------------------------------|----+-----+----+-----|----|
   NAS-Identifier           32    9.3.1    UTF8String    | M  |  P  |    |  V  | Y  |
   NAS-IP-Address           4     9.3.2    OctetString   | M  |  P  |    |  V  | Y  |
   NAS-IPv6-Address         95    9.3.3    OctetString   | M  |  P  |    |  V  | Y  |
   State                    24    9.3.4    OctetString   | M  |  P  |    |  V  | Y  |
   Termination-Cause        295   9.3.5    Enumerated    | M  |  P  |    |  V  | Y  |
   ------------------------------------------------------|----+-----+----+-----|----|

9.3.1. NAS-Identifier AVP

   The NAS-Identifier AVP (AVP Code 32) [RADIUS] is of type UTF8String and contains the identity of the NAS providing service to the user. This AVP SHOULD only be added by a RADIUS/Diameter Translation Agent. When this AVP is present, the Origin-Host AVP identifies the RADIUS/Diameter Translation Agent rather than the NAS providing service to the user.

   In RADIUS it would be possible for a rogue NAS to forge the NAS-Identifier attribute. Diameter/RADIUS translation agents SHOULD attempt to check a received NAS-Identifier attribute against the source address of the RADIUS packet, by doing an A/AAAA RR query. If the NAS-Identifier attribute contains an FQDN, then such a query would resolve to an IP address matching the source address. However, the NAS-Identifier attribute is not required to contain an FQDN, so such a query could fail. In this case, an error should be logged, but no other action taken, other than doing a reverse lookup on the source address and inserting the resulting FQDN into the Route-Record AVP.

   Diameter agents and servers SHOULD check whether a NAS-Identifier AVP corresponds to an entry in the Route-Record AVP. If no match is found, then an error is logged, but no other action is taken.

9.3.2. NAS-IP-Address AVP

   The NAS-IP-Address AVP (AVP Code 4) [RADIUS] is of type OctetString, and contains the IP Address of the NAS providing service to the user. This AVP SHOULD only be added by a RADIUS/Diameter Translation Agent. When this AVP is present, the Origin-Host AVP identifies the RADIUS/Diameter Translation Agent rather than the NAS providing service to the user.

   In RADIUS it would be possible for a rogue NAS to forge the NAS-IP-Address attribute value. Diameter/RADIUS translation agents MUST check a received NAS-IP-Address or NAS-IPv6-Address attribute against the source address of the RADIUS packet. If they do not match, and the Diameter/RADIUS translation agent does not know whether the packet was sent by a RADIUS proxy or NAS (e.g., no Proxy-State attribute), then by default it is assumed that the source address corresponds to a RADIUS proxy, and that the NAS Address is behind that proxy, potentially with some additional RADIUS proxies in between. The Diameter/RADIUS translation agent MUST insert entries in the Route-Record AVP corresponding to the apparent route. This implies doing a reverse lookup on the source address and NAS-IP-Address, or NAS-IPv6-Address attributes in order to determine the corresponding FQDNs.

   If the source address and the NAS-IP-Address, or NAS-IPv6-Address do not match, and the Diameter/RADIUS translation agent knows that it is talking directly to the NAS (e.g., no RADIUS proxies between it and the NAS), then the error should be logged, and the packet MUST be discarded.

   Diameter agents and servers MUST check whether the NAS-IP-Address AVP corresponds to an entry in the Route-Record AVP. This is done by doing a reverse lookup (PTR RR) for the NAS-IP-Address to retrieve the corresponding FQDN, and checking for a match with the Route-Record AVP. If no match is found, then an error is logged, but no other action is taken.

9.3.3. NAS-IPv6-Address AVP

   The NAS-IPv6-Address AVP (AVP Code 95) [RADIUSIPv6] is of type OctetString, and contains the IPv6 Address of the NAS providing service to the user. This AVP SHOULD only be added by a RADIUS/Diameter Translation Agent. When this AVP is present, the Origin-Host AVP identifies the RADIUS/Diameter Translation Agent rather than the NAS providing service to the user.
2511 In RADIUS it would be possible for a rogue NAS to forge the NAS- 2512 IPv6-Address attribute. Diameter/RADIUS translation agents MUST check 2513 a received NAS-IPv6-Address attribute against the source address of 2514 the RADIUS packet. If they do not match, and the Diameter/RADIUS 2515 translation agent does not know whether the packet was sent by a 2516 RADIUS proxy or NAS (e.g. no Proxy-State attribute) then by default 2517 it is assumed that the source address corresponds to a RADIUS proxy, 2518 and that the NAS-IPv6-Address is behind that proxy, potentially with 2519 some additional RADIUS proxies in between. The Diameter/RADIUS 2520 translation agent MUST insert entries in the Route-Record AVP 2521 corresponding to the apparent route. This implies doing a reverse 2522 lookup on the source address and NAS-IPv6-Address attributes in order 2523 to determine the corresponding FQDNs. 2525 If the source address and the NAS-IPv6-Address do not match, and the 2526 Diameter/RADIUS translation agent knows that it is talking directly 2527 to the NAS (e.g. no RADIUS proxies between it and the NAS), then the 2528 error should be logged, and the packet MUST be discarded. 2530 Diameter agents and servers MUST check whether the NAS-IPv6-Address 2531 AVP corresponds to an entry in the Route-Record AVP. This is done by 2532 doing a reverse lookup (PTR RR) for the NAS-IPv6-Address to retrieve 2533 the corresponding FQDN, and checking for a match with the Record- 2534 Route AVP. If no match is found, then an error is logged, but no 2535 other action is taken. 2537 9.3.4. State AVP 2539 The State AVP (AVP Code 24) [RADIUS] is of type OctetString and has 2540 two uses in the Diameter NAS application. 2542 The State AVP MAY be sent by a Diameter Server to a NAS in an AA- 2543 Response command that contains a Result-Code of 2544 DIAMETER_MULTI_ROUND_AUTH. If so, the NAS MUST return it unmodified 2545 in the subsequent AA-Request command. 
2547 The State AVP MAY also be sent by a Diameter Server to a NAS in an 2548 AA-Response command that also includes a Termination-Action AVP with 2549 the value of AA-REQUEST. If the NAS performs the Termination-Action 2550 by sending a new AA-Request command upon termination of the current 2551 service, it MUST return the State AVP unmodified in the new request 2552 command. 2554 In either usage the NAS MUST NOT interpret the AVP locally. Usage of 2555 the State AVP is implementation dependent. 2557 9.3.5. Termination-Cause AVP Code Values 2559 This section defines a mapping between Termination-Cause AVP code 2560 values and RADIUS Acct-Terminate-Cause attribute code values from RFC 2561 2866 [RADIUSAcct] and [RADIUSTypes], thereby allowing a 2562 RADIUS/Diameter Translation Agent to convert between the attribute 2563 and AVP values. This section thus extends the definitions in the 2564 "Termination-Cause AVP" section of the Base Diameter specification. 2566 The table in this section defines the mapping between Termination- 2567 Cause AVP and RADIUS Acct-Terminate-Cause causes. 
2569 +-----------------------+ 2570 | Value | 2571 +-----------+-----------+ 2572 Cause Value Name | RADIUS | Diameter | 2573 ------------------------------|-----------+-----------+ 2574 User Request | 1 | 11 | 2575 Lost Carrier | 2 | 12 | 2576 Lost Service | 3 | 13 | 2577 Idle Timeout | 4 | 14 | 2578 Session Timeout | 5 | 15 | 2579 Admin Reset | 6 | 16 | 2580 Admin Reboot | 7 | 17 | 2581 Port Error | 8 | 18 | 2582 NAS Error | 9 | 19 | 2583 NAS Request | 10 | 20 | 2584 NAS Reboot | 11 | 21 | 2585 Port Unneeded | 12 | 22 | 2586 Port Preempted | 13 | 23 | 2587 Port Suspended | 14 | 24 | 2588 Service Unavailable | 15 | 25 | 2589 Callback | 16 | 26 | 2590 User Error | 17 | 27 | 2591 Host Request | 18 | 28 | 2592 Supplicant Restart | 19 | 29 | [RAD802.1X] 2593 Reauthentication Failure | 20 | 30 | [RAD802.1X] 2594 Port Reinit | 21 | 31 | [RAD802.1X] 2595 Port Disabled | 22 | 32 | [RAD802.1X] 2596 ------------------------------|-----------+-----------+ 2598 From RFC 2866, the termination causes are as follows: 2600 User Request User requested termination of service, for 2601 example with LCP Terminate or by logging out. 2603 Lost Carrier DCD was dropped on the port. 2605 Lost Service Service can no longer be provided; for 2606 example, user's connection to a host was 2607 interrupted. 2609 Idle Timeout Idle timer expired. 2611 Session Timeout Maximum session length timer expired. 2613 Admin Reset Administrator reset the port or session. 2615 Admin Reboot Administrator is ending service on the NAS, 2616 for example prior to rebooting the NAS. 2618 Port Error NAS detected an error on the port which 2619 required ending the session. 2621 NAS Error NAS detected some error (other than on the 2622 port) which required ending the session. 2624 NAS Request NAS ended session for a non-error reason not 2625 otherwise listed here. 2627 NAS Reboot The NAS ended the session in order to reboot 2628 non-administratively ("crash"). 
2630 Port Unneeded NAS ended session because resource usage fell 2631 below low-water mark (for example, if a 2632 bandwidth-on-demand algorithm decided that 2633 the port was no longer needed). 2635 Port Preempted NAS ended session in order to allocate the 2636 port to a higher priority use. 2638 Port Suspended NAS ended session to suspend a virtual 2639 session. 2641 Service Unavailable NAS was unable to provide requested service. 2643 Callback NAS is terminating current session in order 2644 to perform callback for a new session. 2646 User Error Input from user is in error, causing 2647 termination of session. 2649 Host Request Login Host terminated session normally. 2651 9.4. Prohibited RADIUS Attributes 2653 The following RADIUS attributes MUST NOT appear in a Diameter 2654 message. Instead, they are translated to other Diameter AVPs or 2655 handled in some special manner. The rules for the treatment of the 2656 attributes are discussed in Sections 9.1, 9.2 and 9.6. 2658 Attribute Description Defined Nearest Diameter AVP 2659 ----------------------------------------------------------------- 2660 3 CHAP-Password RFC 2865 CHAP-Auth Group 2661 26 Vendor-Specific RFC 2865 Vendor Specific AVP 2662 29 Termination-Action RFC 2865 Authorization-Lifetime 2663 40 Acct-Status-Type RFC 2866 Accounting-Record-Type 2664 42 Acct-Input-Octets RFC 2866 Accounting-Input-Octets 2665 43 Acct-Output-Octets RFC 2866 Accounting-Output-Octets 2666 47 Acct-Input-Packets RFC 2866 Accounting-Input-Packets 2667 48 Acct-Output-Packets RFC 2866 Accounting-Output-Packets 2668 49 Acct-Terminate-Cause RFC 2866 Termination-Cause 2669 52 Acct-Input-Gigawords RFC 2869 Accounting-Input-Octets 2670 53 Acct-Output-Gigawords RFC 2869 Accounting-Output-Octets 2671 80 Message-Authenticator RFC 2869 none - check and discard 2673 9.5. Translatable Diameter AVPs 2675 In general, Diameter AVPs that are not RADIUS compatible have code 2676 values greater than 255. 
   The table in the section above shows the AVPs that can be converted
   into RADIUS attributes.

   Another problem may occur with Diameter AVP values that may be more
   than 253 octets in length.  Some RADIUS attributes (including but
   not limited to (8) Reply-Message, (79) EAP-Message, and (77)
   Connect-Info) allow concatenation of multiple instances to overcome
   this limitation.  If this is not possible, a Result-Code of
   DIAMETER_INVALID_AVP_LENGTH should be returned.

9.6. RADIUS Vendor Specific Attributes

   RADIUS supports the inclusion of Vendor Specific Attributes (VSAs)
   through the use of attribute 26.  The recommended format [RADIUS] of
   the attribute data field includes a 4 octet vendor code followed by a
   one octet vendor type field and a one octet length field.  The last
   two fields MAY be repeated.

9.6.1. Forwarding a Diameter Vendor AVP as a RADIUS VSA

   The RADIUS VSA attribute should consist of the following fields:

      RADIUS Type = 26, Vendor Specific Attribute
      RADIUS Length = total length of attribute (header + data)
      RADIUS Vendor code = Diameter Vendor code
      RADIUS Vendor type code = low order byte of Diameter AVP code
      RADIUS Vendor data length = length of Diameter data
                                  (not including padding)

   If the Diameter AVP code is greater than 255, then the RADIUS
   speaking code may use a Vendor specific field coding, if it knows one
   for that vendor.  Otherwise, the AVP will be ignored, unless it is
   flagged as Mandatory, in which case a "DIAMETER_AVP_UNSUPPORTED"
   Result-Code will be returned, and the RADIUS message will not be
   sent.

9.6.2. Forwarding a RADIUS VSA to a Diameter Vendor AVP

   The Diameter AVP will consist of the following fields:

      Diameter Flags: V=1, M=0, P=0
      Diameter Vendor code = RADIUS VSA Vendor code
      Diameter AVP code = RADIUS VSA Vendor type code
      Diameter AVP length = length of AVP (header + data + padding)
      Diameter Data = RADIUS VSA vendor data

   NOTE that VSAs are considered optional by RADIUS rules, and this
   specification does not set the Mandatory flag.  If a VSA is to be
   made mandatory, because it represents a required service policy, the
   RADIUS gateway should have a process to set the bit on the Diameter
   side.

   If the RADIUS receiving code knows of vendor specific field
   interpretations for the specific vendor, it may employ them to parse
   an extended AVP code or data length; otherwise the recommended
   standard fields will be used.

   Nested multiple vendor data fields MUST be expanded into multiple
   Diameter AVPs.

10. AVP Occurrence Tables

   The following tables present the AVPs used by NAS applications in
   NAS messages, and specify in which Diameter messages they MAY or MAY
   NOT be present.  [Base] messages and AVPs are not described in this
   document.  Note that AVPs that can only be present within a Grouped
   AVP are not represented in this table.

   The table uses the following symbols:

      0     The AVP MUST NOT be present in the message.
      0+    Zero or more instances of the AVP MAY be present in the
            message.
      0-1   Zero or one instance of the AVP MAY be present in the
            message.
      1     One instance of the AVP MUST be present in the message.

10.1. AA-Request/Answer AVP Table

   The table in this section is limited to the Command Codes defined in
   this specification.
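   As an added illustration of the VSA translation rules in Sections
   9.6.1 and 9.6.2 above, together with the length limit from Section
   9.5 (example code written for this page, not part of the draft or of
   any RADIUS/Diameter implementation), the following Python encodes a
   Diameter vendor AVP as a RADIUS VSA and parses a VSA back into one
   Diameter AVP per nested vendor field, rejecting over-long values and
   inconsistent length octets.  The vendor id 9999 used in the test data
   is a placeholder; the AVP Length is computed as header plus data with
   the padding appended but not counted, as the Diameter base protocol
   defines it.

```python
import struct

VSA_TYPE = 26        # RADIUS Vendor-Specific attribute type (RFC 2865)
AVP_FLAG_V = 0x80    # Diameter AVP flag V=1: Vendor-ID field is present
# A RADIUS attribute has a one-octet Length, so at most 255 octets total;
# type(1) + length(1) + vendor-id(4) + vendor-type(1) + vendor-length(1)
# leaves 247 octets for the vendor data itself.
VENDOR_DATA_MAX = 255 - 8


def diameter_to_vsa(avp_code, vendor_id, data, mandatory=False):
    """Section 9.6.1: encode one Diameter vendor AVP as a RADIUS VSA.

    Returns (attribute_bytes, None) on success, or (None, result_code)
    when the AVP must not be forwarded.  With no vendor-specific field
    coding known, an AVP code above 255 cannot be carried in the
    one-octet vendor type: it is dropped, unless flagged Mandatory.
    """
    if avp_code > 255:
        return None, ("DIAMETER_AVP_UNSUPPORTED" if mandatory else None)
    if len(data) > VENDOR_DATA_MAX:
        # Section 9.5: the value does not fit and a VSA cannot be split
        return None, "DIAMETER_INVALID_AVP_LENGTH"
    # Vendor-Length counts the vendor-type and vendor-length octets too.
    payload = struct.pack("!IBB", vendor_id, avp_code, len(data) + 2) + data
    return bytes([VSA_TYPE, len(payload) + 2]) + payload, None


def encode_diameter_avp(code, vendor_id, data):
    """Build a Diameter AVP with flags V=1, M=0, P=0.

    AVP Length covers the 12-octet header plus the data; padding to a
    4-octet boundary is appended but not counted in the Length field.
    """
    length = 12 + len(data)
    header = (struct.pack("!I", code) + bytes([AVP_FLAG_V])
              + length.to_bytes(3, "big") + struct.pack("!I", vendor_id))
    return header + data + b"\x00" * ((-len(data)) % 4)


def vsa_to_diameter(attr):
    """Section 9.6.2: parse one RADIUS VSA into a list of Diameter AVPs.

    Nested vendor-type/vendor-length/data fields are expanded into one
    AVP each, as the draft requires.  Length fields come off the wire,
    so inconsistent ones raise ValueError instead of being trusted.
    """
    if len(attr) < 8 or attr[0] != VSA_TYPE or attr[1] != len(attr):
        raise ValueError("malformed RADIUS VSA header")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    avps, pos = [], 6
    while pos < len(attr):
        if pos + 2 > len(attr):
            raise ValueError("truncated vendor field")
        vtype, vlen = attr[pos], attr[pos + 1]
        if vlen < 2 or pos + vlen > len(attr):
            raise ValueError("bad vendor length %d" % vlen)
        avps.append(encode_diameter_avp(vtype, vendor_id,
                                        attr[pos + 2:pos + vlen]))
        pos += vlen
    return avps


def decode_diameter_avp(avp):
    """Split an AVP built above into (code, flags, vendor_id, data)."""
    code, flags = struct.unpack("!IB", avp[:5])
    length = int.from_bytes(avp[5:8], "big")
    vendor_id = struct.unpack("!I", avp[8:12])[0]
    return code, flags, vendor_id, avp[12:length]
```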
                                      +-----------+
                                      |  Command  |
                                      |-----+-----+
   Attribute Name                     | AAR | AAA |
   -----------------------------------|-----+-----+
   Acct-Interim-Interval              | 0   | 0-1 |
   ARAP-Challenge-Response            | 0   | 0-1 |
   ARAP-Features                      | 0   | 0-1 |
   ARAP-Password                      | 0-1 | 0   |
   ARAP-Security                      | 0-1 | 0-1 |
   ARAP-Security-Data                 | 0+  | 0+  |
   ARAP-Zone-Access                   | 0   | 0-1 |
   Auth-Application-Id                | 1   | 1   |
   Auth-Grace-Period                  | 0-1 | 0-1 |
   Auth-Request-Type                  | 1   | 1   |
   Auth-Session-State                 | 0-1 | 0-1 |
   Authorization-Lifetime             | 0-1 | 0-1 |
   Callback-Id                        | 0   | 0-1 |
   Callback-Number                    | 0-1 | 0-1 |
   Called-Station-Id                  | 0-1 | 0   |
   Calling-Station-Id                 | 0-1 | 0   |
   CHAP-Auth                          | 0-1 | 0   |
   CHAP-Challenge                     | 0-1 | 0   |
   Class                              | 0   | 0+  |
   Configuration-Token                | 0   | 0+  |
   Connect-Info                       | 0-1 | 0   |
   Destination-Host                   | 0-1 | 0   |
   Destination-Realm                  | 1   | 0   |
   Error-Message                      | 0   | 0-1 |
   Error-Reporting-Host               | 0   | 0-1 |
   Failed-AVP                         | 0+  | 0+  |
   Filter-Id                          | 0   | 0+  |
   Framed-Appletalk-Link              | 0   | 0-1 |
   Framed-Appletalk-Network           | 0   | 0+  |
   Framed-Appletalk-Zone              | 0   | 0-1 |
   Framed-Compression                 | 0+  | 0+  |
   Framed-Interface-Id                | 0-1 | 0-1 |
   Framed-IP-Address                  | 0-1 | 0-1 |
   Framed-IP-Netmask                  | 0-1 | 0-1 |
   Framed-IPv6-Prefix                 | 0+  | 0+  |
   Framed-IPv6-Pool                   | 0   | 0-1 |
   Framed-IPv6-Route                  | 0   | 0+  |
   Framed-IPX-Network                 | 0   | 0-1 |
   Framed-MTU                         | 0-1 | 0-1 |
   Framed-Pool                        | 0   | 0-1 |
   Framed-Protocol                    | 0-1 | 0-1 |
   Framed-Route                       | 0   | 0+  |
   Framed-Routing                     | 0   | 0-1 |
   Idle-Timeout                       | 0   | 0-1 |
   Login-IP-Host                      | 0+  | 0+  |
   Login-IPv6-Host                    | 0+  | 0+  |
   Login-LAT-Group                    | 0-1 | 0-1 |
   Login-LAT-Node                     | 0-1 | 0-1 |
   Login-LAT-Port                     | 0-1 | 0-1 |
   Login-LAT-Service                  | 0-1 | 0-1 |
   Login-Service                      | 0   | 0-1 |
   Login-TCP-Port                     | 0   | 0-1 |
   Multi-Round-Time-Out               | 0   | 0-1 |
   NAS-Filter-Rule                    | 0   | 0+  |
   NAS-Identifier                     | 0-1 | 0   |
   NAS-IP-Address                     | 0-1 | 0   |
   NAS-IPv6-Address                   | 0-1 | 0   |
   NAS-Port                           | 0-1 | 0   |
   NAS-Port-Id                        | 0-1 | 0   |
   NAS-Port-Type                      | 0-1 | 0   |
   Originating-Line-Info              | 0-1 | 0   |
   Origin-Host                        | 1   | 1   |
   Origin-Realm                       | 1   | 1   |
   Origin-State-Id                    | 0-1 | 0-1 |
   Password-Retry                     | 0   | 0-1 |
   Port-Limit                         | 0-1 | 0-1 |
   Prompt                             | 0   | 0-1 |
   Proxy-Info                         | 0+  | 0+  |
   Re-Auth-Request-Type               | 0   | 0-1 |
   Redirect-Host                      | 0   | 0+  |
   Redirect-Host-Usage                | 0   | 0-1 |
   Redirect-Max-Cache-Time            | 0   | 0-1 |
   Reply-Message                      | 0   | 0+  |
   Result-Code                        | 0   | 1   |
   Route-Record                       | 0+  | 0+  |
   Service-Type                       | 0-1 | 0-1 |
   Session-Id                         | 1   | 1   |
   Session-Timeout                    | 0   | 0-1 |
   State                              | 0-1 | 0-1 |
   Tunneling                          | 0+  | 0+  |
   User-Name                          | 0-1 | 0-1 |
   User-Password                      | 0-1 | 0   |
   -----------------------------------|-----+-----+

10.2. Accounting AVP Tables

   The tables in this section are used to represent which AVPs defined
   in this document are to be present and used in NAS application
   Accounting messages.  These AVPs are defined in this document, as
   well as in [Base] and [RADIUSAcct].

10.2.1. Accounting Framed Access AVP Table

   The table in this section is used when the Service-Type specifies
   Framed Access.
                                               +-----------+
                                               |  Command  |
                                               |-----+-----+
   Attribute Name                              | ACR | ACA |
   --------------------------------------------|-----+-----+
   Accounting-Auth-Method                      | 0-1 | 0   |
   Accounting-Input-Octets                     | 1   | 0   |
   Accounting-Input-Packets                    | 1   | 0   |
   Accounting-Output-Octets                    | 1   | 0   |
   Accounting-Output-Packets                   | 1   | 0   |
   Accounting-Record-Type                      | 1   | 1   |
   Accounting-Record-Number                    | 0-1 | 0-1 |
   Accounting-Realtime-Required                | 0-1 | 0   |
   Accounting-Sub-Session-Id                   | 0-1 | 0-1 |
   Acct-Application-Id                         | 0-1 | 0-1 |
   Acct-Session-Id                             | 0-1 | 0-1 |
   Acct-Multi-Session-Id                       | 0-1 | 0-1 |
   Acct-Authentic                              | 1   | 0   |
   Acct-Delay-Time                             | 0-1 | 0   |
   Acct-Interim-Interval                       | 0-1 | 0   |
   Acct-Link-Count                             | 0-1 | 0   |
   Acct-Session-Time                           | 1   | 0   |
   Acct-Tunnel-Connection                      | 0-1 | 0   |
   Acct-Tunnel-Packets-Lost                    | 0-1 | 0   |
   Connection-Info                             | 0+  | 0   |
   Event-Timestamp                             | 0-1 | 0-1 |
   Error-Reporting-Host                        | 0   | 0-1 |
   Framed-AppleTalk-Link                       | 0-1 | 0   |
   Framed-AppleTalk-Network                    | 0-1 | 0   |
   Framed-AppleTalk-Zone                       | 0-1 | 0   |
   Framed-Compression                          | 0-1 | 0   |
   Framed-IP-Address                           | 0-1 | 0   |
   Framed-IP-Netmask                           | 0-1 | 0   |
   Framed-IPv6-Pool                            | 0-1 | 0   |
   Framed-IPX-Network                          | 0-1 | 0   |
   Framed-MTU                                  | 0-1 | 0   |
   Framed-Pool                                 | 0-1 | 0   |
   Framed-Protocol                             | 0-1 | 0   |
   Framed-Route                                | 0-1 | 0   |
   Framed-Routing                              | 0-1 | 0   |
   NAS-Filter-Rule                             | 0-1 | 0   |
   NAS-Identifier                              | 0-1 | 0-1 |
   NAS-IP-Address                              | 0-1 | 0-1 |
   NAS-IPv6-Address                            | 0-1 | 0-1 |
   NAS-Port                                    | 0-1 | 0-1 |
   NAS-Port-Id                                 | 0-1 | 0-1 |
   NAS-Port-Type                               | 0-1 | 0-1 |
   Origin-Host                                 | 1   | 1   |
   Origin-Realm                                | 1   | 1   |
   Origin-State-Id                             | 0-1 | 0-1 |
   Proxy-Info                                  | 0+  | 0+  |
   Route-Record                                | 0+  | 0+  |
   Service-Type                                | 0-1 | 0-1 |
   Termination-Cause                           | 0-1 | 0-1 |
   Tunnel-Assignment-Id                        | 0-1 | 0   |
   Tunnel-Client-Endpoint                      | 0-1 | 0   |
   Tunnel-Medium-Type                          | 0-1 | 0   |
   Tunnel-Private-Group-Id                     | 0-1 | 0   |
   Tunnel-Server-Endpoint                      | 0-1 | 0   |
   Tunnel-Type                                 | 0-1 | 0   |
   User-Name                                   | 0-1 | 0-1 |
   Vendor-Specific-Application-Id              | 0-1 | 0-1 |
   --------------------------------------------|-----+-----+

10.2.2. Accounting Non-Framed Access AVP Table

   The table in this section is used when the Service-Type specifies
   Non-Framed Access.

                                               +-----------+
                                               |  Command  |
                                               |-----+-----+
   Attribute Name                              | ACR | ACA |
   --------------------------------------------|-----+-----+
   Accounting-Auth-Method                      | 0-1 | 0   |
   Accounting-Input-Octets                     | 1   | 0   |
   Accounting-Output-Octets                    | 1   | 0   |
   Accounting-Record-Type                      | 1   | 1   |
   Accounting-Record-Number                    | 0-1 | 0-1 |
   Accounting-Realtime-Required                | 0-1 | 0   |
   Accounting-Sub-Session-Id                   | 0-1 | 0-1 |
   Acct-Application-Id                         | 1   | 1   |
   Acct-Session-Id                             | 1   | 0-1 |
   Acct-Multi-Session-Id                       | 0-1 | 0-1 |
   Acct-Authentic                              | 1   | 0   |
   Acct-Delay-Time                             | 0-1 | 0   |
   Acct-Interim-Interval                       | 0-1 | 0   |
   Acct-Link-Count                             | 0-1 | 0   |
   Acct-Session-Time                           | 1   | 0   |
   Event-Timestamp                             | 0-1 | 0-1 |
   Error-Reporting-Host                        | 0   | 0-1 |
   Login-IP-Host                               | 0+  | 0   |
   Login-IPv6-Host                             | 0+  | 0   |
   Login-LAT-Service                           | 0-1 | 0   |
   Login-LAT-Node                              | 0-1 | 0   |
   Login-LAT-Group                             | 0-1 | 0   |
   Login-LAT-Port                              | 0-1 | 0   |
   Login-Service                               | 0-1 | 0   |
   Login-TCP-Port                              | 0-1 | 0   |
   NAS-Identifier                              | 0-1 | 0-1 |
   NAS-IP-Address                              | 0-1 | 0-1 |
   NAS-IPv6-Address                            | 0-1 | 0-1 |
   NAS-Port                                    | 0-1 | 0-1 |
   NAS-Port-Id                                 | 0-1 | 0-1 |
   NAS-Port-Type                               | 0-1 | 0-1 |
   Origin-Host                                 | 1   | 1   |
   Origin-Realm                                | 1   | 1   |
   Origin-State-Id                             | 0-1 | 0-1 |
   Proxy-Info                                  | 0+  | 0+  |
   Route-Record                                | 0+  | 0+  |
   Service-Type                                | 0-1 | 0-1 |
   Termination-Cause                           | 0-1 | 0-1 |
   User-Name                                   | 0-1 | 0-1 |
   Vendor-Specific-Application-Id              | 0-1 | 0-1 |
   --------------------------------------------|-----+-----+

11. IANA Considerations

   This section provides guidance to the Internet Assigned Numbers
   Authority (IANA) regarding registration of values related to the
   Diameter protocol, in accordance with BCP 26 [IANAConsid].

   This document defines values in the namespaces that have been
   created and defined in the Diameter Base [Base].  The IANA
   Considerations section of that document details the assignment
   criteria.  Values assigned in this document, or by future IANA
   action, must be coordinated within this shared namespace.

11.1. Command Codes

   This specification assigns the values 265 and 268 from the Command
   Code namespace defined in [Base].  See Sections 3.1 and 3.2 for the
   assignment of the namespace in this specification.

11.2. AVP Codes

   This specification assigns the values 363-366 and 400-405 from the
   AVP Code namespace defined in [Base].  See Sections 4 and 5 for the
   assignment of the namespace in this specification.  Note that the
   values 363-366 are jointly, but consistently, assigned in [DiamMIP].
   This document also creates one new namespace to be managed by IANA,
   as described in Section 11.5.

   This specification also specifies the use of AVPs in the 0-255 range,
   which are defined in [RADIUSTypes].  These values are assigned by the
   policy in RFC 2865 Section 6 [RADIUS].

11.3. Application Identifier

   This specification uses the value one (1) in the Application
   Identifier namespace as assigned in [Base].  See Section 1.2 above
   for more information.

11.4. CHAP-Algorithm AVP Values

   As defined in Section 5.5, the CHAP-Algorithm AVP (AVP Code 403) uses
   the values of the "PPP AUTHENTICATION ALGORITHMS" namespace defined
   in [PPPCHAP].
11.5. Accounting-Auth-Method AVP Values

   As defined in Section 8.6, the Accounting-Auth-Method AVP (AVP Code
   TBD) defines the values 1-5.  All remaining values are available for
   assignment via IETF Consensus [IANA].

12. Security Considerations

   The security considerations of the Diameter protocol itself have been
   discussed in [Base].

   This document does not contain a security protocol, but does discuss
   how PPP authentication protocols can be carried within the Diameter
   protocol.  The PPP authentication protocols that are described are
   PAP and CHAP.

   The use of PAP SHOULD be discouraged, since it exposes users'
   passwords to possibly non-trusted entities.  However, PAP is also
   frequently used with One-Time Passwords (OTP), which do not expose a
   security risk.

   This document also describes how CHAP can be carried within the
   Diameter protocol, which is required for RADIUS backward
   compatibility.  The CHAP protocol, as used in a RADIUS environment,
   facilitates authentication replay attacks.

   The EAP authentication protocols described in [DiamEAP] can offer
   better security, given a method suitable for the circumstances.

13. References

13.1. Normative References

   [Base]        P. Calhoun, et al., "Diameter Base Protocol", RFC 3588,
                 September 2003.

   [AAATrans]    B. Aboba, J. Wood, "Authentication, Authorization and
                 Accounting (AAA) Transport Profile", draft-ietf-aaa-
                 transport-12, IETF work in progress, January 2003.

   [RADIUS]      C. Rigney, A. Rubens, W. Simpson, S. Willens, "Remote
                 Authentication Dial In User Service (RADIUS)", RFC 2865,
                 June 2000.

   [RADIUSTypes] IANA, "RADIUS Types", URL:

   [RADIUSIPv6]  B. Aboba, G. Zorn, D. Mitton, "RADIUS and IPv6",
                 RFC 3162, August 2001.

   [IPv6Addr]    R. Hinden, S. Deering, "Internet Protocol Version 6
                 (IPv6) Addressing Architecture", RFC 3516, April 2003.
   [PPPCHAP]     W. Simpson, "PPP Challenge Handshake Authentication
                 Protocol (CHAP)", RFC 1994, August 1996.

   [IANAConsid]  T. Narten, H. Alvestrand, "Guidelines for Writing an
                 IANA Considerations Section in RFCs", BCP 26, RFC 2434,
                 October 1998.

   [IANA]        IANA Assigned Numbers Database, URL:

   [Keywords]    S. Bradner, "Key words for use in RFCs to Indicate
                 Requirement Levels", BCP 14, RFC 2119, March 1997.

   [ISOLatin]    ISO 8859. International Standard -- Information
                 Processing -- 8-bit Single-Byte Coded Graphic Character
                 Sets -- Part 1: Latin Alphabet No. 1, ISO 8859-1:1987.
                 URL:

   [ANITypes]    NANPA Number Resource Info, ANI Assignments, URL:

13.2. Informative References

   [RADIUSAcct]  C. Rigney, "RADIUS Accounting", RFC 2866, June 2000.

   [RADIUSExt]   C. Rigney, W. Willats, P. Calhoun, "RADIUS Extensions",
                 RFC 2869, June 2000.

   [RADTunnels]  G. Zorn, D. Leifer, A. Rubens, J. Shriver, M. Holdrege,
                 I. Goyret, "RADIUS Attributes for Tunnel Protocol
                 Support", RFC 2868, June 2000.

   [RADTunlAcct] G. Zorn, B. Aboba, D. Mitton, "RADIUS Accounting
                 Modifications for Tunnel Protocol Support", RFC 2867,
                 June 2000.

   [RADDynAuth]  M. Chiba, G. Dommety, M. Eklund, D. Mitton, B. Aboba,
                 "Dynamic Authorization Extensions to Remote
                 Authentication Dial In User Service (RADIUS)", RFC 3576,
                 August 2003.

   [RADIUSIANA]  B. Aboba, "IANA Considerations for RADIUS", RFC 3575,
                 August 2003.

   [ExtRADPract] D. Mitton, "Network Access Servers Requirements:
                 Extended RADIUS Practices", RFC 2882, July 2000.

   [NASModel]    D. Mitton, M. Beadles, "Network Access Server
                 Requirements Next Generation (NASREQNG) NAS Model",
                 RFC 2881, July 2000.

   [NASCriteria] M. Beadles, D. Mitton, "Criteria for Evaluating Network
                 Access Server Protocols", RFC 3169, September 2001.

   [AAACriteria] B. Aboba, et al., "Criteria for Evaluating AAA
                 Protocols for Network Access", RFC 2989, November 2000.

   [DiamEAP]     G. Zorn, "Diameter EAP Application", draft-ietf-aaa-
                 eap-01.txt, IETF work in progress, August 2002.

   [DiamCMS]     P. Calhoun, W. Bulley, S. Farrell, "Diameter CMS
                 Security Application", draft-ietf-aaa-diameter-cms-
                 sec-04.txt, IETF work in progress, March 2002.

   [DiamMIP]     P. Calhoun, C. Perkins, T. Johansson, "Diameter Mobile
                 IP Application", draft-ietf-aaa-diameter-mobileip-
                 14.txt, IETF work in progress, April 2003.

   [RAD802.1X]   P. Congdon, et al., "IEEE 802.1X RADIUS Usage
                 Guidelines", RFC 3580, September 2003.

   [802.1X]      IEEE Standard for Local and metropolitan networks -
                 Port-Based Network Access Control, IEEE Std
                 802.1X-2001, June 2001.

   [CDMA2000]    3GPP2, "P.S0001-B", Wireless IP Network Standard,
                 October 2002.
                 http://www.3gpp2.com/Public_html/specs/P.S0001-B_v1.0.pdf

   [UTF-8]       F. Yergeau, "UTF-8, a transformation format of ISO
                 10646", RFC 2279, January 1998.

   [STD51]       W. Simpson, Editor, "The Point-to-Point Protocol (PPP)",
                 STD 51, RFC 1661, July 1994.

14. Acknowledgements

   The authors would like to thank Carl Rigney, Allan C. Rubens, William
   Allen Simpson, and Steve Willens for their work on the original
   RADIUS [RADIUS], from which many of the concepts in this
   specification were derived.  Thanks, also, to: Carl Rigney for
   [RADIUSAcct] and [RADIUSExt]; Ward Willats for [RADIUSExt]; Glen
   Zorn, Bernard Aboba and Dave Mitton for [RADTunlAcct] and [RADIPV6];
   Dory Leifer, John Shriver, Matt Holdrege and Ignacio Goyret for their
   work on [RADTunnels].  This document stole text and concepts from
   both [RADTunnels] and [RADIUSExt].  Thanks go to Carl Williams for
   providing IPv6 specific text.
   The authors would also like to acknowledge the following people for
   their contributions in the development of the Diameter protocol:
   Bernard Aboba, Jari Arkko, William Bulley, Kuntal Chowdhury, Daniel
   C. Fox, Lol Grant, Nancy Greene, Jeff Hagg, Peter Heitman, Paul
   Krumviede, Fergal Ladley, Ryan Moats, Victor Muslin, Kenneth Peirce,
   Sumit Vakil, John R. Vollbrecht and Jeff Weisberg.

   Finally, Pat Calhoun would like to thank Sun Microsystems since most
   of the effort put into this document was done while he was in their
   employ.

15. Authors' Addresses

   Questions about this memo can be directed to:

   Pat R. Calhoun
   Airespace
   110 Nortech Parkway
   San Jose, CA 95134
   USA

   Phone: 1 408-635-2023
   Email: pcalhoun@airespace.com

   Glen Zorn
   Cisco Systems, Inc.
   500 108th Avenue N.E., Suite 500
   Bellevue, WA 98004
   USA

   Phone: 1 425-471-4861
   Email: gwz@cisco.com

   David Spence
   Interlink Networks, Inc.
   775 Technology Drive, Suite 200
   Ann Arbor, MI 48108
   USA

   Phone: 1 734-821-1203
   Fax:   1 734-821-1235
   Email: dspence@interlinknetworks.com

   David Mitton
   Circular Logic Unlimited
   733 Turnpike St #154
   North Andover, MA 01845

   Email: david@mitton.com

Intellectual Property Considerations

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights.  Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11.
   Copies of claims of rights made available for publication and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use
   of such proprietary rights by implementers or users of this
   specification can be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard.  Please address the information to the IETF Executive
   Director.

Full Copyright Statement

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.  The limited permissions granted above are perpetual and
   will not be revoked by the Internet Society or its successors or
   assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.