AAA Working Group                                        Pat R. Calhoun
Internet-Draft                                            Airespace Inc.
Category: Standards Track                                      Glen Zorn
                                                      Cisco Systems Inc.
                                                            David Spence
                                                 Interlink Networks Inc.
                                                            David Mitton
                                                       Circular Networks
                                                                Feb 2004

               Diameter Network Access Server Application
                   draft-ietf-aaa-diameter-nasreq-14.txt

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."
   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.  The list of
   Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This document is a product of the Authentication, Authorization and
   Accounting (AAA) Working Group of the Internet Engineering Task Force
   (IETF).  Comments are welcome and should be submitted to the mailing
   list aaa-wg@merit.edu.

   Copyright (C) The Internet Society 2004.  All Rights Reserved.

Abstract

   This document describes the Diameter protocol application used for
   Authentication, Authorization and Accounting (AAA) services in the
   Network Access Server (NAS) environment.  This application
   specification, when combined with the Diameter Base protocol,
   Transport Profile, and Extensible Authentication Protocol
   specifications, satisfies typical network access services
   requirements.

   Initial deployments of the Diameter protocol are expected to include
   legacy systems.  Therefore, this application was carefully designed
   to ease the burden of protocol conversion between RADIUS and
   Diameter.  This is achieved by including the RADIUS attribute space,
   and eliminating the need to perform many attribute translations.

Table of Contents

   1.  Introduction
       1.1.  Terminology
       1.2.  Requirements Language
       1.3.  Advertising Application Support
   2.  NAS Calls, Ports, and Sessions
       2.1.  Diameter Session Establishment
       2.2.  Diameter Session Reauthentication or Reauthorization
       2.3.  Diameter Session Termination
   3.  NAS Messages
       3.1.  AA-Request (AAR) Command
       3.2.  AA-Answer (AAA) Command
       3.3.  Re-Auth-Request (RAR) Command
       3.4.  Re-Auth-Answer (RAA) Command
       3.5.  Session-Termination-Request (STR) Command
       3.6.  Session-Termination-Answer (STA) Command
       3.7.  Abort-Session-Request (ASR) Command
       3.8.  Abort-Session-Answer (ASA) Command
       3.9.  Accounting-Request (ACR) Command
       3.10. Accounting-Answer (ACA) Command
   4.  NAS Session AVPs
       4.1.  Call and Session Information
       4.2.  NAS-Port AVP
       4.3.  NAS-Port-Id AVP
       4.4.  NAS-Port-Type AVP
       4.5.  Called-Station-Id AVP
       4.6.  Calling-Station-Id AVP
       4.7.  Connect-Info AVP
       4.8.  Originating-Line-Info AVP
       4.9.  Reply-Message AVP
   5.  NAS Authentication AVPs
       5.1.  User-Password AVP
       5.2.  Password-Retry AVP
       5.3.  Prompt AVP
       5.4.  CHAP-Auth AVP
       5.5.  CHAP-Algorithm AVP
       5.6.  CHAP-Ident AVP
       5.7.  CHAP-Response AVP
       5.8.  CHAP-Challenge AVP
       5.9.  ARAP-Password AVP
       5.10. ARAP-Challenge-Response AVP
       5.11. ARAP-Security AVP
       5.12. ARAP-Security-Data AVP
   6.  NAS Authorization AVPs
       6.1.  Service-Type AVP
       6.2.  Callback-Number AVP
       6.3.  Callback-Id AVP
       6.4.  Idle-Timeout AVP
       6.5.  Port-Limit AVP
       6.6.  NAS-Filter-Rule AVP
       6.7.  Filter-Id AVP
       6.8.  Configuration-Token AVP
       6.9.  Framed Access Authorization AVPs
             6.9.1.  Framed-Protocol AVP
             6.9.2.  Framed-Routing AVP
             6.9.3.  Framed-MTU AVP
             6.9.4.  Framed-Compression AVP
       6.10. IP Access Authorization AVPs
             6.10.1. Framed-IP-Address AVP
             6.10.2. Framed-IP-Netmask AVP
             6.10.3. Framed-Route AVP
             6.10.4. Framed-Pool AVP
             6.10.5. Framed-Interface-Id AVP
             6.10.6. Framed-IPv6-Prefix AVP
             6.10.7. Framed-IPv6-Route AVP
             6.10.8. Framed-IPv6-Pool AVP
       6.11. IPX Access
             6.11.1. Framed-IPX-Network AVP
       6.12. AppleTalk Network Access
             6.12.1. Framed-AppleTalk-Link AVP
             6.12.2. Framed-AppleTalk-Network AVP
             6.12.3. Framed-AppleTalk-Zone AVP
       6.13. AppleTalk Remote Access
             6.13.1. ARAP-Features AVP
             6.13.2. ARAP-Zone-Access AVP
       6.14. Non-Framed Access Authorization AVPs
             6.14.1. Login-IP-Host AVP
             6.14.2. Login-IPv6-Host AVP
             6.14.3. Login-Service AVP
       6.15. TCP Services
             6.15.1. Login-TCP-Port AVP
             6.15.2. LAT Services
             6.15.3. Login-LAT-Service AVP
             6.15.4. Login-LAT-Node AVP
             6.15.5. Login-LAT-Group AVP
             6.15.6. Login-LAT-Port AVP
   7.  NAS Tunneling
       7.1.  Tunneling AVP
       7.2.  Tunnel-Type AVP
       7.3.  Tunnel-Medium-Type AVP
       7.4.  Tunnel-Client-Endpoint AVP
       7.5.  Tunnel-Server-Endpoint AVP
       7.6.  Tunnel-Password AVP
       7.7.  Tunnel-Private-Group-Id AVP
       7.8.  Tunnel-Assignment-Id AVP
       7.9.  Tunnel-Preference AVP
       7.10. Tunnel-Client-Auth-Id AVP
       7.11. Tunnel-Server-Auth-Id AVP
   8.  NAS Accounting
       8.1.  Accounting-Input-Octets AVP
       8.2.  Accounting-Output-Octets AVP
       8.3.  Accounting-Input-Packets AVP
       8.4.  Accounting-Output-Packets AVP
       8.5.  Acct-Session-Time AVP
       8.6.  Acct-Authentic AVP
       8.7.  Accounting-Auth-Method AVP
       8.8.  Acct-Delay-Time
       8.9.  Acct-Link-Count
       8.10. Acct-Tunnel-Connection AVP
       8.11. Acct-Tunnel-Packets-Lost AVP
   9.  RADIUS/Diameter Protocol Interactions
       9.1.  RADIUS Request Forwarded as Diameter Request
             9.1.1.  RADIUS Dynamic Authorization considerations
       9.2.  Diameter Request Forwarded as RADIUS Request
             9.2.1.  RADIUS Dynamic Authorization considerations
       9.3.  AVPs Used Only for Compatibility
             9.3.1.  NAS-Identifier AVP
             9.3.2.  NAS-IP-Address AVP
             9.3.3.  NAS-IPv6-Address AVP
             9.3.4.  State AVP
             9.3.5.  Termination-Cause AVP Code Values
       9.4.  Prohibited RADIUS Attributes
       9.5.  Translatable Diameter AVPs
       9.6.  RADIUS Vendor Specific Attributes
             9.6.1.  Forwarding a Diameter Vendor AVP as a RADIUS VSA
             9.6.2.  Forwarding a RADIUS VSA to a Diameter Vendor AVP
   10. AVP Occurrence Tables
       10.1. AA-Request/Answer AVP Table
       10.2. Accounting AVP Tables
             10.2.1. Accounting Framed Access AVP Table
             10.2.2. Accounting Non-Framed Access AVP Table
   11. IANA Considerations
       11.1. Command Codes
       11.2. AVP Codes
       11.3. Application Identifier
       11.4. CHAP-Algorithm AVP Values
       11.5. Accounting-Auth-Method AVP Values
   12. Security Considerations
   13. References
       13.1. Normative References
       13.2. Informative References
   14. Acknowledgements
   15. Authors' Addresses
   Intellectual Property Considerations
   Full Copyright Statement

1.  Introduction

   This document describes the Diameter protocol application used for
   AAA in the Network Access Server (NAS) environment.  This Diameter
   NAS application specification, when combined with the Diameter Base
   protocol [Base], Transport Profile [DiamTrans], and EAP [DiamEAP]
   specifications, satisfies NAS-related requirements defined in RFC2989
   [AAACriteria] and RFC3169 [NASCriteria].

   Initial deployments of the Diameter protocol are expected to include
   legacy systems.  Therefore, this application was carefully designed
   to ease the burden of protocol conversion between RADIUS and
   Diameter.  This is achieved by including the RADIUS attribute space,
   and eliminating the need to perform many attribute translations.

   This document first describes the operation of a Diameter NAS
   application.  Then it defines the Diameter message Command-Codes.
   The following sections enumerate the AVPs used in these messages,
   grouped by common usage: session identification, authentication,
   authorization, tunneling, and accounting.  The authorization AVPs are
   further broken down by service type.  Interaction and backwards
   compatibility issues with RADIUS are discussed in later sections.

1.1.  Terminology

   The base Diameter [Base] specification Section 1.4 defines most of
   the terminology used in this document.  Additionally, the following
   terms and acronyms are used in this application:

   NAS - Network Access Server; a device which provides an access
   service for a user to a network.  The service may be a network
   connection, or a value added service such as terminal emulation.
   [NASmodel]

   PPP - Point-to-Point Protocol; a multiprotocol serial datalink.  PPP
   is the primary IP datalink used for dial-in NAS connection service.
   [PPP]

   CHAP - Challenge Handshake Authentication Protocol; an authentication
   process used in PPP.  [PPPCHAP]

   PAP - Password Authentication Protocol; a deprecated PPP
   authentication process, but often used for backwards compatibility.
   [PAP]

   SLIP - Serial Line Interface Protocol; a serial datalink that only
   supports IP.  An earlier design, prior to PPP.

   ARAP - Appletalk Remote Access Protocol; a serial datalink for
   accessing Appletalk networks.  [ARAP]

   IPX - Internet Packet Exchange; the network protocol used by NetWare
   networks.  [IPX]

   LAT - Local Area Transport; a Digital Equipment Corp. LAN protocol
   for terminal services.  [LAT]

   VPN - Virtual Private Network; in this document it is used to
   describe access services which use tunneling methods.

1.2.  Requirements Language

   In this document, the key words "MAY", "MUST", "MUST NOT",
   "OPTIONAL", "RECOMMENDED", "SHOULD", and "SHOULD NOT" are to be
   interpreted as described in [Keywords].

1.3.  Advertising Application Support

   Diameter applications conforming to this specification MUST advertise
   support by including the value of one (1) in the Auth-Application-Id
   or the Acct-Application-Id AVP of the Capabilities-Exchange-Request
   and Capabilities-Exchange-Answer commands [Base].

2.  NAS Calls, Ports, and Sessions

   The arrival of a new call or service connection at a port of a
   Network Access Server (NAS) starts a Diameter NAS message exchange.
   Information about the call, the identity of the user, and the user's
   authentication information is packaged into a Diameter AA-Request
   (AAR) message and sent to a server.

   The server processes the information and responds with a Diameter
   AA-Answer (AAA) message which contains authorization information for
   the NAS, or a failure code (Result-Code AVP).  If the value of
   Result-Code is DIAMETER_MULTI_ROUND_AUTH, an additional
   authentication exchange is indicated, and several AAR and AAA
   messages may be exchanged until the transaction completes.

   The Diameter protocol allows authorization-only requests, selected
   by the Auth-Request-Type AVP, in which the client's request carries
   no authentication information.  This capability goes beyond the Call
   Check capabilities described in Section 5.6 of [RADIUS] in that no
   access decision is requested.  As a result, service cannot be
   started as a result of a response to an authorization-only request
   without introducing a significant security vulnerability.

   Since no equivalent capability exists in RADIUS, authorization-only
   requests from a NAS implementing Diameter may not be easily
   translated to an equivalent RADIUS message by a Diameter/RADIUS
   gateway.  For example, where a Diameter authorization-only request
   cannot be translated to a RADIUS Call Check, it would be necessary
   for the Diameter/RADIUS gateway to add authentication information to
   the RADIUS Access-Request.  On receiving the Access-Reply, the
   Diameter/RADIUS gateway would need to discard the access decision
   (Accept/Reject).  It is not clear that these translations can be
   accomplished without adding significant security vulnerabilities.

2.1.  Diameter Session Establishment

   When the authentication or authorization exchange completes
   successfully, the NAS application SHOULD start a session context.  If
   the Result-Code of DIAMETER_MULTI_ROUND_AUTH is returned, the
   exchange continues until a success or error is returned.

   If accounting is active, the application MUST also send an Accounting
   message [Base].  An Accounting-Record-Type of START_RECORD is sent
   for a new session.  If a session fails to start, an EVENT_RECORD
   message describing the reason for the failure is sent.

   Note that the return of an unsupportable Accounting-Realtime-Required
   value [Base] would result in a failure to establish the session.

2.2.  Diameter Session Reauthentication or Reauthorization

   The Diameter Base protocol allows for users to be periodically
   reauthenticated and/or reauthorized.  In such instances, the
   Session-Id AVP in the AAR message MUST be the same as the one present
   in the original authentication/authorization message.

   A Diameter server informs the NAS of the maximum time allowed before
   reauthentication or reauthorization via the Authorization-Lifetime
   AVP [Base].  A NAS MAY reauthenticate and/or reauthorize before the
   end, but a NAS MUST reauthenticate and/or reauthorize at the end of
   the period provided by the Authorization-Lifetime AVP.  The failure
   of a reauthentication exchange will cause the service to be
   terminated.
   Furthermore, it is possible for Diameter servers to issue unsolicited
   reauthentication and/or reauthorization requests (e.g. the
   Re-Auth-Request (RAR) message [Base]) to the NAS.  Upon receipt of
   such a message, the NAS MUST respond to the request with a
   Re-Auth-Answer (RAA) message [Base].

   If the RAR properly identifies an active session, the NAS will
   initiate a new local reauthentication or authorization sequence as
   indicated by the Re-Auth-Request-Type value.  This will cause the NAS
   to send a new AAR message using the existing Session-Id.  The server
   will respond with an AAA message to specify the new service
   parameters.

   If accounting is active, every change of authentication or
   authorization MUST generate an Accounting-Record-Type of
   INTERIM_RECORD indicating the new session attributes and cumulative
   status.

2.3.  Diameter Session Termination

   When a NAS receives an indication that a user's session is being
   disconnected by the client (e.g. LCP Terminate is received) or by an
   administrative command, the NAS MUST issue a
   Session-Termination-Request (STR) [Base] to its Diameter Server.
   This will ensure that any resources maintained on the servers are
   freed appropriately.

   Furthermore, a NAS that receives an Abort-Session-Request (ASR)
   [Base] MUST issue an ASA if the session identified is active, and
   disconnect the PPP (or tunneling) session.

   Termination of the session context MUST cause the sending of an
   Accounting STOP_RECORD message [Base], if accounting is active.

   More information on Diameter Session Termination is in [Base]
   sections 8.4 and 8.5.

3.  NAS Messages

   This section defines the Diameter message Command-Code [Base] values
   that MUST be supported by all Diameter implementations that conform
   to this specification.  The Command Codes are:

      Command-Name                 Abbrev.  Code   Reference
      -------------------------------------------------------
      AA-Request                   AAR      265    3.1
      AA-Answer                    AAA      265    3.2
      Re-Auth-Request              RAR      258    3.3
      Re-Auth-Answer               RAA      258    3.4
      Session-Termination-Request  STR      275    3.5
      Session-Termination-Answer   STA      275    3.6
      Abort-Session-Request        ASR      274    3.7
      Abort-Session-Answer         ASA      274    3.8
      Accounting-Request           ACR      271    3.9
      Accounting-Answer            ACA      271    3.10

3.1.  AA-Request (AAR) Command

   The AA-Request message (AAR), indicated by the Command-Code field set
   to 265 and the 'R' bit set in the Command Flags field, is used in
   order to request authentication and/or authorization for a given NAS
   user.  The type of request is identified through the
   Auth-Request-Type AVP [Base].  The recommended value for most RADIUS
   interoperability situations is AUTHORIZE_AUTHENTICATE.

   If authentication is requested, the User-Name attribute SHOULD be
   present, as well as any additional authentication AVPs that would
   carry the password information.  A request for authorization only
   SHOULD include the information from which the authorization will be
   performed, such as the User-Name, Called-Station-Id, or
   Calling-Station-Id AVPs.  All requests SHOULD contain AVPs uniquely
   identifying the source of the call, such as Origin-Host and
   NAS-Port.  Certain networks MAY use different AVPs for authorization
   purposes.  A request for authorization will include some AVPs defined
   in section 6.

   It is possible for a single session to be authorized first, then
   followed by an authentication request.

   This AA-Request message MAY be the result of a multi-round
   authentication exchange, which occurs when the AA-Answer message is
   received with the Result-Code AVP set to DIAMETER_MULTI_ROUND_AUTH.
   A subsequent AAR message SHOULD be sent, with the User-Password AVP
   that includes the user's response to the prompt, and MUST include any
   State AVPs that were present in the AAA message.

   Message Format

      <AAR> ::= < Diameter Header: 265, REQ, PXY >
                < Session-Id >
                { Auth-Application-Id }
                { Origin-Host }
                { Origin-Realm }
                { Destination-Realm }
                { Auth-Request-Type }
                [ Destination-Host ]
                [ NAS-Identifier ]
                [ NAS-IP-Address ]
                [ NAS-IPv6-Address ]
                [ NAS-Port ]
                [ NAS-Port-Id ]
                [ NAS-Port-Type ]
                [ Origin-State-Id ]
                [ Port-Limit ]
                [ User-Name ]
                [ User-Password ]
                [ Service-Type ]
                [ State ]
                [ Authorization-Lifetime ]
                [ Auth-Grace-Period ]
                [ Auth-Session-State ]
                [ Callback-Number ]
                [ Called-Station-Id ]
                [ Calling-Station-Id ]
                [ Originating-Line-Info ]
                [ Connect-Info ]
                [ CHAP-Auth ]
                [ CHAP-Challenge ]
              * [ Framed-Compression ]
                [ Framed-Interface-Id ]
                [ Framed-IP-Address ]
              * [ Framed-IPv6-Prefix ]
                [ Framed-IP-Netmask ]
                [ Framed-MTU ]
                [ Framed-Protocol ]
                [ ARAP-Password ]
                [ ARAP-Security ]
              * [ ARAP-Security-Data ]
              * [ Login-IP-Host ]
              * [ Login-IPv6-Host ]
                [ Login-LAT-Group ]
                [ Login-LAT-Node ]
                [ Login-LAT-Port ]
                [ Login-LAT-Service ]
              * [ Tunneling ]
              * [ Proxy-Info ]
              * [ Route-Record ]
              * [ AVP ]

3.2.  AA-Answer (AAA) Command

   The AA-Answer (AAA) message, indicated by the Command-Code field set
   to 265 and the 'R' bit cleared in the Command Flags field, is sent in
   response to the AA-Request message.  If authorization was requested,
   a successful response will include the authorization AVPs appropriate
   for the service being provided, as defined in section 6.

   For authentication exchanges that require more than a single round
   trip, the server MUST set the Result-Code AVP to
   DIAMETER_MULTI_ROUND_AUTH.  An AAA message with this result code MAY
   include one or more Reply-Message AVPs and MAY include zero or one
   State AVP.

   If the Reply-Message AVP was present, the network access server
   SHOULD send the text to the user's client for display to the user,
   instructing it to prompt the user for a response.  For example, this
   capability can be achieved in PPP via PAP.  If the access client is
   unable to prompt the user for a new response, it MUST treat the
   AA-Answer with the Reply-Message AVP as an error, and deny access.

   Message Format

      <AAA> ::= < Diameter Header: 265, PXY >
                < Session-Id >
                { Auth-Application-Id }
                { Auth-Request-Type }
                { Result-Code }
                { Origin-Host }
                { Origin-Realm }
                [ User-Name ]
                [ Service-Type ]
              * [ Class ]
              * [ Configuration-Token ]
                [ Acct-Interim-Interval ]
                [ Error-Message ]
                [ Error-Reporting-Host ]
                [ Idle-Timeout ]
                [ Authorization-Lifetime ]
                [ Auth-Grace-Period ]
                [ Auth-Session-State ]
                [ Re-Auth-Request-Type ]
                [ Session-Timeout ]
                [ State ]
              * [ Reply-Message ]
                [ Origin-State-Id ]
              * [ Filter-Id ]
                [ Password-Retry ]
                [ Port-Limit ]
                [ Prompt ]
                [ ARAP-Challenge-Response ]
                [ ARAP-Features ]
                [ ARAP-Security ]
              * [ ARAP-Security-Data ]
                [ ARAP-Zone-Access ]
                [ Callback-Id ]
                [ Callback-Number ]
                [ Framed-Appletalk-Link ]
              * [ Framed-Appletalk-Network ]
                [ Framed-Appletalk-Zone ]
              * [ Framed-Compression ]
                [ Framed-Interface-Id ]
                [ Framed-IP-Address ]
              * [ Framed-IPv6-Prefix ]
                [ Framed-IPv6-Pool ]
              * [ Framed-IPv6-Route ]
                [ Framed-IP-Netmask ]
              * [ Framed-Route ]
                [ Framed-Pool ]
                [ Framed-IPX-Network ]
                [ Framed-MTU ]
                [ Framed-Protocol ]
                [ Framed-Routing ]
              * [ Login-IP-Host ]
              * [ Login-IPv6-Host ]
                [ Login-LAT-Group ]
                [ Login-LAT-Node ]
                [ Login-LAT-Port ]
                [ Login-LAT-Service ]
                [ Login-Service ]
                [ Login-TCP-Port ]
              * [ NAS-Filter-Rule ]
              * [ Tunneling ]
              * [ Redirect-Host ]
                [ Redirect-Host-Usage ]
                [ Redirect-Max-Cache-Time ]
              * [ Proxy-Info ]
              * [ AVP ]

3.3.  Re-Auth-Request (RAR) Command

   A Diameter server may initiate a re-authentication and/or
   re-authorization service for a particular session by issuing a
   Re-Auth-Request (RAR) message [Base].

   For example, for pre-paid services, the Diameter server that
   originally authorized a session may need some confirmation that the
   user is still using the services.

   A NAS that receives a RAR message with Session-Id equal to a
   currently active session and a Re-Auth-Request-Type that includes
   authentication MUST initiate a re-authentication towards the user,
   if the service supports this particular feature.

   Message Format

      <RAR> ::= < Diameter Header: 258, REQ, PXY >
                < Session-Id >
                { Origin-Host }
                { Origin-Realm }
                { Destination-Realm }
                { Destination-Host }
                { Auth-Application-Id }
                { Re-Auth-Request-Type }
                [ User-Name ]
                [ Origin-State-Id ]
                [ NAS-Identifier ]
                [ NAS-IP-Address ]
                [ NAS-IPv6-Address ]
                [ NAS-Port ]
                [ NAS-Port-Id ]
                [ NAS-Port-Type ]
                [ Service-Type ]
                [ Framed-IP-Address ]
                [ Framed-IPv6-Prefix ]
                [ Framed-Interface-Id ]
                [ Called-Station-Id ]
                [ Calling-Station-Id ]
                [ Originating-Line-Info ]
                [ Acct-Session-Id ]
                [ Acct-Multi-Session-Id ]
                [ State ]
              * [ Class ]
                [ Reply-Message ]
              * [ Proxy-Info ]
              * [ Route-Record ]
              * [ AVP ]

3.4.  Re-Auth-Answer (RAA) Command

   The Re-Auth-Answer (RAA) message [Base] is sent in response to the
   RAR.  The Result-Code AVP MUST be present, and indicates the
   disposition of the request.

   A successful RAA transaction MUST be followed by an AA-Request
   message.
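   The wire encoding behind the AAR and AAA message formats of Sections
   3.1 and 3.2, as an added example that is not part of the draft: it
   encodes and parses the Diameter header and AVPs with the length checks
   a receiver needs, builds an AAR and a DIAMETER_MULTI_ROUND_AUTH AAA,
   and holds a parsed message to the mandatory ({ }) AVP set of those
   formats.  The AVP codes and enumerated values are assumed from the
   Diameter base protocol [Base], and the host and realm names are
   constructed for the example.

```python
import struct

# Command code from Section 3 and application id from Section 1.3; AVP
# codes and enumerated values are assumed from the Diameter base [Base].
CMD_AA = 265
APP_NASREQ = 1
FLAG_REQUEST, FLAG_PROXIABLE = 0x80, 0x40   # Command Flags 'R' and 'P'
AVP_M = 0x40                                # AVP Flags 'M' (mandatory)
AVP_USER_NAME, AVP_AUTH_APP_ID, AVP_SESSION_ID = 1, 258, 263
AVP_ORIGIN_HOST, AVP_RESULT_CODE, AVP_AUTH_REQ_TYPE = 264, 268, 274
AVP_DEST_REALM, AVP_ORIGIN_REALM = 283, 296
AUTHORIZE_AUTHENTICATE = 3
DIAMETER_MULTI_ROUND_AUTH = 1001

# The { } entries of the AAR and AAA message formats in Sections 3.1/3.2.
AAR_MANDATORY = {AVP_SESSION_ID, AVP_AUTH_APP_ID, AVP_ORIGIN_HOST,
                 AVP_ORIGIN_REALM, AVP_DEST_REALM, AVP_AUTH_REQ_TYPE}
AAA_MANDATORY = {AVP_SESSION_ID, AVP_AUTH_APP_ID, AVP_AUTH_REQ_TYPE,
                 AVP_RESULT_CODE, AVP_ORIGIN_HOST, AVP_ORIGIN_REALM}


def avp(code, data, flags=AVP_M):
    """AVP without vendor id: code, flags, 3-byte length, padded data."""
    if isinstance(data, int):
        data = struct.pack("!I", data)          # Unsigned32 / Enumerated
    length = 8 + len(data)                      # length covers the header
    return (struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
            + data + b"\x00" * (-len(data) % 4))

def message(cmd, flags, app_id, hbh, e2e, avps):
    """20-byte Diameter header (version 1) followed by the AVPs."""
    body = b"".join(avps)
    return (b"\x01" + (20 + len(body)).to_bytes(3, "big") + bytes([flags])
            + cmd.to_bytes(3, "big") + struct.pack("!III", app_id, hbh, e2e)
            + body)

def parse(buf):
    """Decode a message, rejecting lengths that would read out of bounds."""
    if len(buf) < 20 or buf[0] != 1:
        raise ValueError("bad version or truncated header")
    length = int.from_bytes(buf[1:4], "big")
    if length != len(buf) or length % 4:
        raise ValueError("message length does not match the buffer")
    flags, cmd = buf[4], int.from_bytes(buf[5:8], "big")
    app_id = struct.unpack("!I", buf[8:12])[0]  # hop-by-hop/end-to-end follow
    avps, pos = [], 20
    while pos < length:
        if length - pos < 8:
            raise ValueError("truncated AVP header")
        code, aflags = struct.unpack("!IB", buf[pos:pos + 5])
        alen = int.from_bytes(buf[pos + 5:pos + 8], "big")
        hdr = 12 if aflags & 0x80 else 8        # 'V' flag adds a vendor id
        if alen < hdr or pos + alen > length:
            raise ValueError("AVP length out of range")
        avps.append((code, aflags, bytes(buf[pos + hdr:pos + alen])))
        pos += alen + (-alen % 4)               # step over the padding
    return {"cmd": cmd, "flags": flags, "app": app_id, "avps": avps}

def check_nas_message(msg):
    """Problems against the AAR ('R' set) or AAA ('R' clear) format."""
    problems = []
    if msg["cmd"] != CMD_AA:
        problems.append("Command-Code is not 265")
    if msg["app"] != APP_NASREQ:
        problems.append("Application-ID is not the NAS application (1)")
    wanted = AAR_MANDATORY if msg["flags"] & FLAG_REQUEST else AAA_MANDATORY
    present = {code for code, _, _ in msg["avps"]}
    for code in sorted(wanted - present):
        problems.append("missing mandatory AVP %d" % code)
    return problems

def build_aar(session_id, user):
    """AUTHORIZE_AUTHENTICATE AAR; host and realm names are constructed."""
    return message(CMD_AA, FLAG_REQUEST | FLAG_PROXIABLE, APP_NASREQ, 1, 1, [
        avp(AVP_SESSION_ID, session_id.encode()),
        avp(AVP_AUTH_APP_ID, APP_NASREQ),
        avp(AVP_ORIGIN_HOST, b"nas.example.com"),
        avp(AVP_ORIGIN_REALM, b"example.com"),
        avp(AVP_DEST_REALM, b"example.net"),
        avp(AVP_AUTH_REQ_TYPE, AUTHORIZE_AUTHENTICATE),
        avp(AVP_USER_NAME, user.encode())])

def build_multi_round_aaa(session_id):
    """AAA carrying DIAMETER_MULTI_ROUND_AUTH (Section 3.2), which tells
    the NAS to send a further AAR; the server names are constructed."""
    return message(CMD_AA, FLAG_PROXIABLE, APP_NASREQ, 1, 1, [
        avp(AVP_SESSION_ID, session_id.encode()),
        avp(AVP_AUTH_APP_ID, APP_NASREQ),
        avp(AVP_AUTH_REQ_TYPE, AUTHORIZE_AUTHENTICATE),
        avp(AVP_RESULT_CODE, DIAMETER_MULTI_ROUND_AUTH),
        avp(AVP_ORIGIN_HOST, b"aaa.example.net"),
        avp(AVP_ORIGIN_REALM, b"example.net")])

def result_code(msg):
    """Result-Code of a parsed answer, or None when the AVP is absent."""
    for code, _, data in msg["avps"]:
        if code == AVP_RESULT_CODE:
            return struct.unpack("!I", data)[0]
```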
Message Format

      <RAA> ::= < Diameter Header: 258, PXY >
                < Session-Id >
                { Result-Code }
                { Origin-Host }
                { Origin-Realm }
                [ User-Name ]
                [ Origin-State-Id ]
                [ Error-Message ]
                [ Error-Reporting-Host ]
              * [ Failed-AVP ]
              * [ Redirected-Host ]
                [ Redirected-Host-Usage ]
                [ Redirected-Host-Cache-Time ]
                [ Service-Type ]
              * [ Configuration-Token ]
                [ Error-Message ]
                [ Error-Reporting-Host ]
                [ Idle-Timeout ]
                [ Authorization-Lifetime ]
                [ Auth-Grace-Period ]
                [ Re-Auth-Request-Type ]
                [ State ]
              * [ Class ]
              * [ Reply-Message ]
                [ Prompt ]
              * [ Proxy-Info ]
              * [ AVP ]

3.5. Session-Termination-Request (STR) Command

The Session-Termination-Request (STR) message [Base] is sent by the NAS to inform the Diameter Server that an authenticated and/or authorized session is being terminated.

Message Format

      <STR> ::= < Diameter Header: 275, REQ, PXY >
                < Session-Id >
                { Origin-Host }
                { Origin-Realm }
                { Destination-Realm }
                { Auth-Application-Id }
                { Termination-Cause }
                [ User-Name ]
                [ Destination-Host ]
              * [ Class ]
                [ Origin-State-Id ]
              * [ Proxy-Info ]
              * [ Route-Record ]
              * [ AVP ]

3.6. Session-Termination-Answer (STA) Command

The Session-Termination-Answer (STA) message [Base] is sent by the Diameter Server to acknowledge the notification that the session has been terminated. The Result-Code AVP MUST be present, and MAY contain an indication that an error occurred while servicing the STR.

Upon sending or receipt of the STA, the Diameter Server MUST release all resources for the session indicated by the Session-Id AVP. Any intermediate server in the Proxy-Chain MAY also release any resources, if necessary.
Message Format

      <STA> ::= < Diameter Header: 275, PXY >
                < Session-Id >
                { Result-Code }
                { Origin-Host }
                { Origin-Realm }
                [ User-Name ]
              * [ Class ]
                [ Error-Message ]
                [ Error-Reporting-Host ]
              * [ Failed-AVP ]
                [ Origin-State-Id ]
              * [ Redirect-Host ]
                [ Redirect-Host-Usage ]
                [ Redirect-Max-Cache-Time ]
              * [ Proxy-Info ]
              * [ AVP ]

3.7. Abort-Session-Request (ASR) Command

The Abort-Session-Request (ASR) message [Base] may be sent by any server to the NAS that is providing session service, to request that the session identified by the Session-Id be stopped.

Message Format

      <ASR> ::= < Diameter Header: 274, REQ, PXY >
                < Session-Id >
                { Origin-Host }
                { Origin-Realm }
                { Destination-Realm }
                { Destination-Host }
                { Auth-Application-Id }
                [ User-Name ]
                [ Origin-State-Id ]
                [ NAS-Identifier ]
                [ NAS-IP-Address ]
                [ NAS-IPv6-Address ]
                [ NAS-Port ]
                [ NAS-Port-Id ]
                [ NAS-Port-Type ]
                [ Service-Type ]
                [ Framed-IP-Address ]
                [ Framed-IPv6-Prefix ]
                [ Framed-Interface-Id ]
                [ Called-Station-Id ]
                [ Calling-Station-Id ]
                [ Originating-Line-Info ]
                [ Acct-Session-Id ]
                [ Acct-Multi-Session-Id ]
                [ State ]
              * [ Class ]
              * [ Reply-Message ]
              * [ Proxy-Info ]
              * [ Route-Record ]
              * [ AVP ]

3.8. Abort-Session-Answer (ASA) Command

The Abort-Session-Answer (ASA) message [Base] is sent in response to the ASR. The Result-Code AVP MUST be present, and indicates the disposition of the request.

If the session identified by Session-Id in the ASR was successfully terminated, Result-Code is set to DIAMETER_SUCCESS. If the session is not currently active, Result-Code is set to DIAMETER_UNKNOWN_SESSION_ID. If the access device does not stop the session for any other reason, Result-Code is set to DIAMETER_UNABLE_TO_COMPLY.
Message Format

      <ASA> ::= < Diameter Header: 274, PXY >
                < Session-Id >
                { Result-Code }
                { Origin-Host }
                { Origin-Realm }
                [ User-Name ]
                [ Origin-State-Id ]
                [ State ]
                [ Error-Message ]
                [ Error-Reporting-Host ]
              * [ Failed-AVP ]
              * [ Redirected-Host ]
                [ Redirected-Host-Usage ]
                [ Redirected-Max-Cache-Time ]
              * [ Proxy-Info ]
              * [ AVP ]

3.9. Accounting-Request (ACR) Command

The Accounting-Request (ACR) message [Base] is sent by the NAS to report its session information to a target server downstream.

One of the Acct-Application-Id and Vendor-Specific-Application-Id AVPs MUST be present. If the Vendor-Specific-Application-Id grouped AVP is present, it must have an Acct-Application-Id inside.

The AVPs listed in the Base MUST be assumed to be present as appropriate. NAS service specific accounting AVPs SHOULD be present as described in section 8 and the rest of this specification.

Message Format

      <ACR> ::= < Diameter Header: 271, REQ, PXY >
                < Session-Id >
                { Origin-Host }
                { Origin-Realm }
                { Destination-Realm }
                { Accounting-Record-Type }
                { Accounting-Record-Number }
                [ Acct-Application-Id ]
                [ Vendor-Specific-Application-Id ]
                [ User-Name ]
                [ Accounting-Sub-Session-Id ]
                [ Accounting-Session-Id ]
                [ Acct-Multi-Session-Id ]
                [ Origin-State-Id ]
                [ Destination-Host ]
                [ Event-Timestamp ]
                [ Acct-Delay-Time ]
                [ NAS-Identifier ]
                [ NAS-IP-Address ]
                [ NAS-IPv6-Address ]
                [ NAS-Port ]
                [ NAS-Port-Id ]
                [ NAS-Port-Type ]
              * [ Class ]
                [ Service-Type ]
                [ Termination-Cause ]
                [ Accounting-Input-Octets ]
                [ Accounting-Input-Packets ]
                [ Accounting-Output-Octets ]
                [ Accounting-Output-Packets ]
                [ Acct-Authentic ]
                [ Accounting-Auth-Method ]
                [ Acct-Link-Count ]
                [ Acct-Session-Time ]
                [ Acct-Tunnel-Connection ]
                [ Acct-Tunnel-Packets-Lost ]
                [ Callback-Id ]
                [ Callback-Number ]
                [ Called-Station-Id ]
                [ Calling-Station-Id ]
              * [ Connection-Info ]
                [ Originating-Line-Info ]
                [ Authorization-Lifetime ]
                [ Session-Timeout ]
                [ Idle-Timeout ]
                [ Port-Limit ]
                [ Accounting-Realtime-Required ]
                [ Acct-Interim-Interval ]
              * [ Filter-Id ]
              * [ NAS-Filter-Rule ]
                [ Framed-AppleTalk-Link ]
                [ Framed-AppleTalk-Network ]
                [ Framed-AppleTalk-Zone ]
                [ Framed-Compression ]
                [ Framed-Interface-Id ]
                [ Framed-IP-Address ]
                [ Framed-IP-Netmask ]
              * [ Framed-IPv6-Prefix ]
                [ Framed-IPv6-Pool ]
              * [ Framed-IPv6-Route ]
                [ Framed-IPX-Network ]
                [ Framed-MTU ]
                [ Framed-Pool ]
                [ Framed-Protocol ]
              * [ Framed-Route ]
                [ Framed-Routing ]
              * [ Login-IP-Host ]
              * [ Login-IPv6-Host ]
                [ Login-LAT-Group ]
                [ Login-LAT-Node ]
                [ Login-LAT-Port ]
                [ Login-LAT-Service ]
                [ Login-Service ]
                [ Login-TCP-Port ]
              * [ Tunneling ]
              * [ Proxy-Info ]
              * [ Route-Record ]
              * [ AVP ]

3.10. Accounting-Answer (ACA) Command

The Accounting-Answer (ACA) message [Base] is used to acknowledge an Accounting-Request command. The Accounting-Answer command contains the same Session-Id as the Request. If the Accounting-Request was protected by end-to-end security, then the corresponding ACA message MUST be protected by end-to-end security.

Only the target Diameter Server, or home Diameter Server, SHOULD respond with the Accounting-Answer command.

One of the Acct-Application-Id and Vendor-Specific-Application-Id AVPs MUST be present, as in the request.

The AVPs listed in the Base MUST be assumed to be present as appropriate. NAS service specific accounting AVPs SHOULD be present as described in section 8 and the rest of this specification.
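The Message Format blocks in this section all use one notation (< > fixed position, { } required, [ ] optional, * [ ] repeatable). As an added example that is not part of the draft, the following Python parses that notation, checks a decoded ACR against the section 3.9 grammar, and applies the Acct-Application-Id rule stated above; the AVP names are the draft's, while the message contents and host names are constructed.

```python
"""Checker for the command grammars in section 3 of this draft (added
example, not code from the draft). It parses the Message Format notation
used above (< > fixed position, { } required, [ ] optional, * [ ] repeatable,
* [ AVP ] admitting unlisted AVPs), checks a decoded message against it, and
applies the ACR rule that one of Acct-Application-Id and
Vendor-Specific-Application-Id MUST be present."""
import re
from collections import Counter

# ACR Message Format from section 3.9, cut down to the AVPs used below
# (the parser takes the complete block from the draft unchanged).
ACR_GRAMMAR = """
<ACR> ::= < Diameter Header: 271, REQ, PXY >
          < Session-Id >
          { Origin-Host }
          { Origin-Realm }
          { Accounting-Record-Type }
          { Accounting-Record-Number }
          [ Acct-Application-Id ]
          [ Vendor-Specific-Application-Id ]
          [ User-Name ]
        * [ Class ]
        * [ AVP ]
"""

HEADER_RE = re.compile(r"Diameter Header:\s*(\d+)")
RULE_RE = re.compile(r"^\s*(\*)?\s*([<{\[])\s*([A-Za-z0-9-]+)\s*[>}\]]\s*$")
KIND = {"<": "fixed", "{": "required", "[": "optional"}


def parse_grammar(text):
    """Return (command_code, rules); rules maps an AVP name to one of
    'fixed', 'required', 'optional' or 'repeat', in grammar order."""
    code, rules = None, {}
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            code = int(m.group(1))
            continue
        m = RULE_RE.match(line)
        if m:
            star, bracket, name = m.groups()
            rules[name] = "repeat" if star else KIND[bracket]
    return code, rules


def check_message(grammar, avps):
    """avps: list of (name, value) pairs in wire order. Returns the list
    of grammar violations; an empty list means the message conforms."""
    _, rules = parse_grammar(grammar)
    counts = Counter(name for name, _ in avps)
    problems = []
    for name, kind in rules.items():
        n = counts.get(name, 0)
        if kind in ("fixed", "required") and n != 1:
            problems.append(f"{name} must appear exactly once, found {n}")
        elif kind == "optional" and n > 1:
            problems.append(f"{name} may appear at most once, found {n}")
    # '* [ AVP ]' in the grammar means unlisted AVPs are still permitted.
    if rules.get("AVP") != "repeat":
        problems += [f"{n} is not permitted here" for n in counts
                     if n not in rules]
    # Fixed-position AVPs must lead the message, in grammar order.
    fixed = [n for n, k in rules.items() if k == "fixed"]
    leading = [n for n, _ in avps[:len(fixed)]]
    if leading != fixed:
        problems.append(f"fixed AVPs {fixed} must come first, got {leading}")
    return problems


def check_acr(avps):
    """Grammar check plus the application-id rule stated for the ACR."""
    problems = check_message(ACR_GRAMMAR, avps)
    present = dict(avps)
    vsai = present.get("Vendor-Specific-Application-Id")
    if "Acct-Application-Id" not in present and vsai is None:
        problems.append("Acct-Application-Id or "
                        "Vendor-Specific-Application-Id MUST be present")
    if vsai is not None and "Acct-Application-Id" not in vsai:
        problems.append("Vendor-Specific-Application-Id lacks Acct-Application-Id")
    return problems


# Constructed sample ACR (START record) as a NAS might send it.
GOOD_ACR = [
    ("Session-Id", "nas.example.net;1234;5"),
    ("Origin-Host", "nas.example.net"),
    ("Origin-Realm", "example.net"),
    ("Accounting-Record-Type", 2),          # START_RECORD
    ("Accounting-Record-Number", 0),
    ("Acct-Application-Id", 1),
    ("User-Name", "alice@example.net"),
    ("Class", b"profile-A"),
    ("Class", b"billing-9"),
]
# The same message with no application id and a duplicated User-Name.
BAD_ACR = ([p for p in GOOD_ACR if p[0] != "Acct-Application-Id"]
           + [("User-Name", "bob@example.net")])
```

Running `check_acr(GOOD_ACR)` yields no problems, while `check_acr(BAD_ACR)` reports both the duplicated User-Name and the missing application id.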
Message Format

      <ACA> ::= < Diameter Header: 271, PXY >
                < Session-Id >
                { Result-Code }
                { Origin-Host }
                { Origin-Realm }
                { Accounting-Record-Type }
                { Accounting-Record-Number }
                [ Acct-Application-Id ]
                [ Vendor-Specific-Application-Id ]
                [ User-Name ]
                [ Accounting-Sub-Session-Id ]
                [ Accounting-Session-Id ]
                [ Acct-Multi-Session-Id ]
                [ Event-Timestamp ]
                [ Error-Reporting-Host ]
                [ Origin-State-Id ]
                [ NAS-Identifier ]
                [ NAS-IP-Address ]
                [ NAS-IPv6-Address ]
                [ NAS-Port ]
                [ NAS-Port-Id ]
                [ NAS-Port-Type ]
                [ Service-Type ]
                [ Termination-Cause ]
                [ Accounting-Realtime-Required ]
                [ Acct-Interim-Interval ]
              * [ Class ]
              * [ Proxy-Info ]
              * [ Route-Record ]
              * [ AVP ]

4. NAS Session AVPs

Diameter reserves the AVP Codes 0-255 for RADIUS functions that are implemented in Diameter.

AVPs new to Diameter have code values 256 and greater. A Diameter message that includes one of these AVPs may represent functions not present in the RADIUS environment and may cause interoperability issues should the request traverse an AAA system that only supports the RADIUS protocol.

There are some RADIUS attributes that are not allowed or supported directly in Diameter. See section 9 below for more information.

4.1. Call and Session Information

This section contains the AVPs specific to NAS Diameter applications that are needed to identify the call and session context and status information. On a request, this information allows the server to qualify the session.

These AVPs are used in addition to the Base AVPs of:

      Session-Id
      Auth-Application-Id
      Origin-Host
      Origin-Realm
      Auth-Request-Type

The following table describes the Session level AVPs, their AVP Code values, types, possible flag values and whether the AVP MAY be encrypted.
                                                  +---------------------+
                                                  |    AVP Flag rules   |
                                                  |----+-----+----+-----|----+
                         AVP  Section             |    |     |SHLD| MUST|    |
Attribute Name           Code Defined Value Type  |MUST| MAY | NOT|  NOT|Encr|
--------------------------------------------------|----+-----+----+-----|----|
NAS-Port                 5    4.2     Unsigned32  | M  |  P  |    |  V  | Y  |
NAS-Port-Id              87   4.3     UTF8String  | M  |  P  |    |  V  | Y  |
NAS-Port-Type            61   4.4     Enumerated  | M  |  P  |    |  V  | Y  |
Called-Station-Id        30   4.5     UTF8String  | M  |  P  |    |  V  | Y  |
Calling-Station-Id       31   4.6     UTF8String  | M  |  P  |    |  V  | Y  |
Connect-Info             77   4.7     UTF8String  | M  |  P  |    |  V  | Y  |
Originating-Line-Info    94   4.8     OctetString |    | M,P |    |  V  | Y  |
Reply-Message            18   4.9     UTF8String  | M  |  P  |    |  V  | Y  |
Termination-Action       29   4.10    Enumerated  | M  |  P  |    |  V  | Y  |
--------------------------------------------------|----+-----+----+-----|----|

4.2. NAS-Port AVP

The NAS-Port AVP (AVP Code 5) is of type Unsigned32 and contains the physical or virtual port number of the NAS which is authenticating the user. Note that this is using "port" in its sense of a service connection on the NAS, not in the sense of an IP protocol identifier.

Either NAS-Port or NAS-Port-Id (AVP Code 87) SHOULD be present in AA-Request commands if the NAS differentiates among its ports.

4.3. NAS-Port-Id AVP

The NAS-Port-Id AVP (AVP Code 87) is of type UTF8String and consists of ASCII text that identifies the port of the NAS which is authenticating the user. Note that this is using "port" in its sense of a service connection on the NAS, not in the sense of an IP protocol identifier.

Either NAS-Port or NAS-Port-Id SHOULD be present in AA-Request commands if the NAS differentiates among its ports. NAS-Port-Id is intended for use by NASes which cannot conveniently number their ports.

4.4. NAS-Port-Type AVP

The NAS-Port-Type AVP (AVP Code 61) is of type Enumerated and contains the type of the port on which the NAS is authenticating the user. This AVP SHOULD be present if the NAS uses the same NAS-Port number ranges for different service types concurrently.

The supported values are defined in [RADIUSTypes]. The following list is informational and subject to change in the IANA.

      0   Async
      1   Sync
      2   ISDN Sync
      3   ISDN Async V.120
      4   ISDN Async V.110
      5   Virtual
      6   PIAFS
      7   HDLC Clear Channel
      8   X.25
      9   X.75
      10  G.3 Fax
      11  SDSL - Symmetric DSL
      12  ADSL-CAP - Asymmetric DSL, Carrierless Amplitude Phase Modulation
      13  ADSL-DMT - Asymmetric DSL, Discrete Multi-Tone
      14  IDSL - ISDN Digital Subscriber Line
      15  Ethernet
      16  xDSL - Digital Subscriber Line of unknown type
      17  Cable
      18  Wireless - Other
      19  Wireless - IEEE 802.11
      20  Token-Ring [RAD802.1X]
      21  FDDI [RAD802.1X]

4.5. Called-Station-Id AVP

The Called-Station-Id AVP (AVP Code 30) is of type UTF8String, and allows the NAS to send in the request the ASCII string describing the layer 2 address that the user contacted. For dialup access, this can be a phone number, obtained using Dialed Number Identification (DNIS) or a similar technology. Note that this may be different from the phone number the call comes in on. For use with IEEE 802 access, the Called-Station-Id MAY contain a MAC address, formatted as described in [RAD802.1X]. It SHOULD only be present in authentication and/or authorization requests.

If the Auth-Request-Type AVP is set to authorization-only and the User-Name AVP is absent, the Diameter Server MAY perform authorization based on this field. This can be used by a NAS to request whether a call should be answered based on the DNIS.
The codification of the range of allowed usage of this field is outside the scope of this specification.

4.6. Calling-Station-Id AVP

The Calling-Station-Id AVP (AVP Code 31) is of type UTF8String, and allows the NAS to send in the request the ASCII string describing the layer 2 address that the user connected from. For dialup access, this is the phone number that the call came from, using Automatic Number Identification (ANI) or a similar technology. For use with IEEE 802 access, the Calling-Station-Id AVP MAY contain a MAC address, formatted as described in [RAD802.1X]. It SHOULD only be present in authentication and/or authorization requests.

If the Auth-Request-Type AVP is set to authorization-only and the User-Name AVP is absent, the Diameter Server MAY perform authorization based on this field. This can be used by a NAS to request whether a call should be answered based on the layer 2 address (ANI, MAC Address, etc.).

The codification of the range of allowed usage of this field is outside the scope of this specification.

4.7. Connect-Info AVP

The Connect-Info AVP (AVP Code 77) is of type UTF8String and is sent in the AA-Request message or ACR STOP message. When sent in the Access-Request it indicates the nature of the user's connection. The connection speed SHOULD be included at the beginning of the first Connect-Info AVP in the message. If the transmit and receive connection speeds differ, they may both be included in the first AVP with the transmit speed first (the speed the NAS modem transmits at), a slash (/), the receive speed, then optionally other information.
For example, "28800 V42BIS/LAPM" or "52000/31200 V90".

More than one Connect-Info attribute may be present in an Accounting-Request packet to accommodate expected efforts by ITU to have modems report more connection information in a standard format that might exceed 252 octets.

If sent in the ACR STOP, this attribute may be used to summarize statistics relating to session quality. For example, in IEEE 802.11, the Connect-Info attribute may contain information on the number of link layer retransmissions. The exact format of this attribute is implementation specific.

4.8. Originating-Line-Info AVP

The Originating-Line-Info AVP (AVP Code 94) is of type OctetString and is sent by the NAS system to convey information about the origin of the call from an SS7 system.

The originating line information (OLI) information element indicates the nature and/or characteristics of the line from which a call originated (e.g. payphone, hotel, cellular). Telephone companies are starting to offer OLI to their customers as an option over Primary Rate Interface (PRI). Internet Service Providers (ISPs) can use OLI in addition to Called-Station-Id and Calling-Station-Id attributes to differentiate customer calls and define different services.

The Value field contains two octets (00-99). ANSI T1.113 and BELLCORE 394 can be used for additional information about those values and their use. For more information on current assignment values see [ANITypes].
      Value   Description
      ------------------------------------------------------------
      00      Plain Old Telephone Service (POTS)
      01      Multiparty line (more than 2)
      02      ANI Failure
      03      ANI Observed
      04      ONI Observed
      05      ANI Failure Observed
      06      Station Level Rating
      07      Special Operator Handling Required
      08      InterLATA Restricted
      10      Test Call
      20      Automatic Identified Outward Dialing (AIOD)
      23      Coin or Non-Coin
      24      Toll Free Service (Non-Pay origination)
      25      Toll Free Service (Pay origination)
      27      Toll Free Service (Coin Control origination)
      29      Prison/Inmate Service
      30-32   Intercept
      30      Intercept (blank)
      31      Intercept (trouble)
      32      Intercept (regular)
      34      Telco Operator Handled Call
      40-49   Unrestricted Use
      52      Outward Wide Area Telecommunications Service (OUTWATS)
      60      Telecommunications Relay Service (TRS) (Unrestricted)
      61      Cellular/Wireless PCS (Type 1)
      62      Cellular/Wireless PCS (Type 2)
      63      Cellular/Wireless PCS (Roaming)
      66      TRS (Hotel)
      67      TRS (Restricted)
      70      Pay Station, No coin control
      93      Access for private virtual network service

4.9. Reply-Message AVP

The Reply-Message AVP (AVP Code 18) is of type UTF8String, and contains text which MAY be displayed to the user. When used in an AA-Answer message with a successful Result-Code AVP it is success information. When found in an AAA message with a Result-Code other than DIAMETER_SUCCESS, the AVP contains a failure message.

The Reply-Message AVP MAY indicate dialog text to prompt the user before another AA-Request attempt. When used in an AA-Answer with a Result-Code of DIAMETER_MULTI_ROUND_AUTH, or in a Re-Auth-Request message, it MAY contain a dialog text to prompt the user for a response.
Multiple Reply-Message AVPs MAY be included and if any are displayed, they MUST be displayed in the same order as they appear in the Diameter message.

5. NAS Authentication AVPs

This section defines the AVPs that are necessary to carry the authentication information in the Diameter protocol. The functionality defined here provides a RADIUS-like AAA service, over a more reliable and secure transport, as defined in the base protocol [Base].

The following table describes the AVPs, their AVP Code values, types, possible flag values and whether the AVP MAY be encrypted.

                                                  +---------------------+
                                                  |    AVP Flag rules   |
                                                  |----+-----+----+-----|----+
                         AVP  Section             |    |     |SHLD| MUST|    |
Attribute Name           Code Defined Value Type  |MUST| MAY | NOT|  NOT|Encr|
--------------------------------------------------|----+-----+----+-----|----|
User-Password            2    5.1     OctetString | M  |  P  |    |  V  | Y  |
Password-Retry           75   5.2     Unsigned32  | M  |  P  |    |  V  | Y  |
Prompt                   76   5.3     Enumerated  | M  |  P  |    |  V  | Y  |
CHAP-Auth                402  5.4     Grouped     | M  |  P  |    |  V  | Y  |
CHAP-Algorithm           403  5.5     Enumerated  | M  |  P  |    |  V  | Y  |
CHAP-Ident               404  5.6     OctetString | M  |  P  |    |  V  | Y  |
CHAP-Response            405  5.7     OctetString | M  |  P  |    |  V  | Y  |
CHAP-Challenge           60   5.8     OctetString | M  |  P  |    |  V  | Y  |
ARAP-Password            70   5.9     OctetString | M  |  P  |    |  V  | Y  |
ARAP-Challenge-Response  84   5.10    OctetString | M  |  P  |    |  V  | Y  |
ARAP-Security            73   5.11    Unsigned32  | M  |  P  |    |  V  | Y  |
ARAP-Security-Data       74   5.12    OctetString | M  |  P  |    |  V  | Y  |
--------------------------------------------------|----+-----+----+-----|----|

5.1. User-Password AVP

The User-Password AVP (AVP Code 2) is of type OctetString and contains the password of the user to be authenticated, or the user's input in a multi-round authentication exchange.
The User-Password AVP contains a user password or one-time password and therefore represents sensitive information. As required in [Base], Diameter messages are encrypted using IPsec or TLS. Unless this AVP is used for one-time passwords, the User-Password AVP SHOULD NOT be used in untrusted proxy environments without encrypting it using end-to-end security techniques, such as the proposed CMS Security [DiamCMS].

The clear-text password (prior to encryption) MUST NOT be longer than 128 bytes in length.

5.2. Password-Retry AVP

The Password-Retry AVP (AVP Code 75) is of type Unsigned32 and MAY be included in the AA-Answer if the Result-Code indicates an authentication failure. The value of this AVP indicates how many authentication attempts a user may be permitted before being disconnected. This AVP is primarily intended for use when the Framed-Protocol AVP (see Section 6.9.1) is set to ARAP.

5.3. Prompt AVP

The Prompt AVP (AVP Code 76) is of type Enumerated, and MAY be present in the AA-Answer message. When present, it is used by the NAS to determine whether the user's response, when entered, should be echoed.

The supported values are listed in [RADIUSTypes]. The following list is informational:

      0   No Echo
      1   Echo

5.4. CHAP-Auth AVP

The CHAP-Auth AVP (AVP Code 402) is of type Grouped and contains the information necessary to authenticate a user using the PPP Challenge-Handshake Authentication Protocol (CHAP) [PPPCHAP]. If the CHAP-Auth AVP is found in a message, the CHAP-Challenge AVP MUST be present as well. The optional AVPs containing the CHAP response depend upon the value of the CHAP-Algorithm AVP. The grouped AVP has the following ABNF grammar:

      CHAP-Auth ::= < AVP Header: 402 >
                    { CHAP-Algorithm }
                    { CHAP-Ident }
                    [ CHAP-Response ]
                  * [ AVP ]

5.5. CHAP-Algorithm AVP

The CHAP-Algorithm AVP (AVP Code 403) is of type Enumerated and contains the algorithm identifier used in the computation of the CHAP response [PPPCHAP]. The following values are currently supported:

      CHAP with MD5     5
         The CHAP response is computed using the procedure described in [PPPCHAP]. This algorithm requires that the CHAP-Response AVP MUST be present in the CHAP-Auth AVP.

5.6. CHAP-Ident AVP

The CHAP-Ident AVP (AVP Code 404) is of type OctetString and contains the one octet CHAP Identifier used in the computation of the CHAP response [PPPCHAP].

5.7. CHAP-Response AVP

The CHAP-Response AVP (AVP Code 405) is of type OctetString and contains the 16 octet authentication data provided by the user in response to the CHAP challenge [PPPCHAP].

5.8. CHAP-Challenge AVP

The CHAP-Challenge AVP (AVP Code 60) is of type OctetString and contains the CHAP Challenge sent by the NAS to the CHAP peer [PPPCHAP].

5.9. ARAP-Password AVP

The ARAP-Password AVP (AVP Code 70) is of type OctetString and is only present when the Framed-Protocol AVP (see Section 6.9.1) is included in the message and is set to ARAP. This AVP MUST NOT be present if either the User-Password or the CHAP-Auth AVP is present. See [RADIUSExt] for more information on the contents of this AVP.

5.10. ARAP-Challenge-Response AVP

The ARAP-Challenge-Response AVP (AVP Code 84) is of type OctetString and is only present when the Framed-Protocol AVP (see Section 6.9.1) is included in the message and is set to ARAP. This AVP contains an 8 octet response to the dial-in client's challenge. The RADIUS server calculates this value by taking the dial-in client's challenge from the high order 8 octets of the ARAP-Password AVP and performing DES encryption on this value with the authenticating user's password as the key. If the user's password is less than 8 octets in length, the password is padded at the end with NULL octets to a length of 8 before using it as a key.

5.11. ARAP-Security AVP

The ARAP-Security AVP (AVP Code 73) is of type Unsigned32, and MAY be present in the AA-Answer message if the Framed-Protocol AVP (see Section 6.9.1) is set to the value of ARAP, and the Result-Code AVP is set to DIAMETER_MULTI_ROUND_AUTH. See [RADIUSExt] for more information on the format of this AVP.

5.12. ARAP-Security-Data AVP

The ARAP-Security-Data AVP (AVP Code 74) is of type OctetString, and MAY be present in the AA-Request or AA-Answer message if the Framed-Protocol AVP is set to the value of ARAP, and the Result-Code AVP is set to DIAMETER_MULTI_ROUND_AUTH. This AVP contains the security module challenge or response associated with the ARAP Security Module specified in ARAP-Security.

6. NAS Authorization AVPs

This section contains the authorization AVPs that are supported in the NAS Application. The Service-Type AVP SHOULD be present in all messages, and based on its value, additional AVPs defined in this section and section 7 MAY be present.

Due to space constraints, the short form IPFiltrRule is used to represent IPFilterRule.
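As an added example that is not from the draft, the following Python performs the server-side check of the CHAP-Auth grouped AVP defined in sections 5.4 to 5.8 above, including the rules that CHAP-Challenge must accompany CHAP-Auth and that algorithm 5 requires CHAP-Response. The MD5 computation is the one RFC 1994 (cited above as [PPPCHAP]) specifies, which this page only references; the secret, challenge and identifier values are constructed.

```python
"""Server-side check of the CHAP-Auth grouped AVP (sections 5.4 to 5.8).
Added example, not code from the draft. The response computation is the
one RFC 1994 (cited above as [PPPCHAP]) defines for algorithm 5, CHAP with
MD5: MD5( CHAP-Ident || shared secret || CHAP-Challenge )."""
import hashlib
import hmac

CHAP_WITH_MD5 = 5   # CHAP-Algorithm value from section 5.5


def chap_md5_response(ident, secret, challenge):
    """CHAP-Response for algorithm 5; ident is the one-octet CHAP-Ident."""
    if len(ident) != 1:
        raise ValueError("CHAP-Ident must be exactly one octet")
    return hashlib.md5(ident + secret + challenge).digest()


def verify_chap_auth(chap_auth, chap_challenge, secret):
    """chap_auth: the grouped AVP as a dict keyed by member AVP name.
    chap_challenge: value of the CHAP-Challenge AVP, or None if absent.
    secret: the password provisioned for the user on the server.
    Returns (ok, reason)."""
    if chap_challenge is None:
        return False, "CHAP-Challenge AVP MUST be present with CHAP-Auth"
    if "CHAP-Algorithm" not in chap_auth or "CHAP-Ident" not in chap_auth:
        return False, "CHAP-Algorithm and CHAP-Ident are required in CHAP-Auth"
    if chap_auth["CHAP-Algorithm"] != CHAP_WITH_MD5:
        return False, "unsupported CHAP-Algorithm"
    response = chap_auth.get("CHAP-Response")
    if response is None:
        return False, "CHAP-Response MUST be present for CHAP with MD5"
    if len(response) != 16:
        return False, "CHAP-Response must be 16 octets"
    expected = chap_md5_response(chap_auth["CHAP-Ident"], secret, chap_challenge)
    # Constant-time comparison: the check should not leak how many octets
    # of the response were right.
    if not hmac.compare_digest(expected, response):
        return False, "response does not match"
    return True, "ok"


# Constructed sample: the values a NAS would carry in an AA-Request after
# its PPP peer answered a CHAP challenge, plus the user's provisioned secret.
SECRET = b"correct horse battery staple"
CHALLENGE = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
IDENT = b"\x2a"
SAMPLE_CHAP_AUTH = {
    "CHAP-Algorithm": CHAP_WITH_MD5,
    "CHAP-Ident": IDENT,
    "CHAP-Response": chap_md5_response(IDENT, SECRET, CHALLENGE),
}

if __name__ == "__main__":
    print(verify_chap_auth(SAMPLE_CHAP_AUTH, CHALLENGE, SECRET))
    print(verify_chap_auth(SAMPLE_CHAP_AUTH, None, SECRET))
    print(verify_chap_auth(SAMPLE_CHAP_AUTH, CHALLENGE, b"other secret"))
```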
                                                  +---------------------+
                                                  |    AVP Flag rules   |
                                                  |----+-----+----+-----|----+
                         AVP  Section             |    |     |SHLD| MUST|    |
Attribute Name           Code Defined Value Type  |MUST| MAY | NOT|  NOT|Encr|
--------------------------------------------------|----+-----+----+-----|----|
Service-Type             6    6.1     Enumerated  | M  |  P  |    |  V  | Y  |
Callback-Number          19   6.2     UTF8String  | M  |  P  |    |  V  | Y  |
Callback-Id              20   6.3     UTF8String  | M  |  P  |    |  V  | Y  |
Idle-Timeout             28   6.4     Unsigned32  | M  |  P  |    |  V  | Y  |
Port-Limit               62   6.5     Unsigned32  | M  |  P  |    |  V  | Y  |
NAS-Filter-Rule          400  6.6     IPFiltrRule | M  |  P  |    |  V  | Y  |
Filter-Id                11   6.7     UTF8String  | M  |  P  |    |  V  | Y  |
Configuration-Token      78   6.8     OctetString | M  |     |    | P,V |    |
Framed-Protocol          7    6.9.1   Enumerated  | M  |  P  |    |  V  | Y  |
Framed-Routing           10   6.9.2   Enumerated  | M  |  P  |    |  V  | Y  |
Framed-MTU               12   6.9.3   Unsigned32  | M  |  P  |    |  V  | Y  |
Framed-Compression       13   6.9.4   Enumerated  | M  |  P  |    |  V  | Y  |
Framed-IP-Address        8    6.10.1  OctetString | M  |  P  |    |  V  | Y  |
Framed-IP-Netmask        9    6.10.2  OctetString | M  |  P  |    |  V  | Y  |
Framed-Route             22   6.10.3  UTF8String  | M  |  P  |    |  V  | Y  |
Framed-Pool              88   6.10.4  OctetString | M  |  P  |    |  V  | Y  |
Framed-Interface-Id      96   6.10.5  Unsigned64  | M  |  P  |    |  V  | Y  |
Framed-IPv6-Prefix       97   6.10.6  OctetString | M  |  P  |    |  V  | Y  |
Framed-IPv6-Route        99   6.10.7  UTF8String  | M  |  P  |    |  V  | Y  |
Framed-IPv6-Pool         100  6.10.8  OctetString | M  |  P  |    |  V  | Y  |
Framed-IPX-Network       23   6.11.1  UTF8String  | M  |  P  |    |  V  | Y  |
Framed-Appletalk-Link    37   6.12.1  Unsigned32  | M  |  P  |    |  V  | Y  |
Framed-Appletalk-Network 38   6.12.2  Unsigned32  | M  |  P  |    |  V  | Y  |
Framed-Appletalk-Zone    39   6.12.3  OctetString | M  |  P  |    |  V  | Y  |
ARAP-Features            71   6.13.1  OctetString | M  |  P  |    |  V  | Y  |
ARAP-Zone-Access         72   6.13.2  Enumerated  | M  |  P  |    |  V  | Y  |
Login-IP-Host            14   6.14.1  OctetString | M  |  P  |    |  V  | Y  |
Login-IPv6-Host          98   6.14.2  OctetString | M  |  P  |    |  V  | Y  |
Login-Service            15   6.14.3  Enumerated  | M  |  P  |    |  V  | Y  |
Login-TCP-Port           16   6.15.1  Unsigned32  | M  |  P  |    |  V  | Y  |
Login-LAT-Service        34   6.16.1  OctetString | M  |  P  |    |  V  | Y  |
Login-LAT-Node           35   6.16.2  OctetString | M  |  P  |    |  V  | Y  |
Login-LAT-Group          36   6.16.3  OctetString | M  |  P  |    |  V  | Y  |
Login-LAT-Port           63   6.16.4  OctetString | M  |  P  |    |  V  | Y  |
--------------------------------------------------|----+-----+----+-----|----|

6.1. Service-Type AVP

The Service-Type AVP (AVP Code 6) is of type Enumerated and contains the type of service the user has requested, or the type of service to be provided. One such AVP MAY be present in an authentication and/or authorization request or response. A NAS is not required to implement all of these service types, and MUST treat unknown or unsupported Service-Types received in a response as a failure, and end the session with a DIAMETER_INVALID_AVP_VALUE Result-Code.

When used in a request, the Service-Type AVP SHOULD be considered to be a hint to the server that the NAS has reason to believe the user would prefer the kind of service indicated, but the server is not required to honor the hint. Furthermore, if the service specified by the server is supported, but not compatible with the current mode of access, the NAS MUST fail to start the session. The NAS MUST also generate the appropriate error message(s).

The following values have been defined for the Service-Type AVP. The complete list of defined values can be found in [RADIUS] and [RADIUSTypes]. The following list is informational:

      1   Login
      2   Framed
      3   Callback Login
      4   Callback Framed
      5   Outbound
      6   Administrative
      7   NAS Prompt
      8   Authenticate Only
      9   Callback NAS Prompt
      10  Call Check
      11  Callback Administrative
      12  Voice
      13  Fax
      14  Modem Relay
      15  IAPP-Register [IEEE 802.11f]
      16  IAPP-AP-Check [IEEE 802.11f]
      17  Authorize Only [RFC3576]

The following values are further qualified:

      Login                1
         The user should be connected to a host. The message MAY include additional AVPs defined in sections 6.15 or 6.16.

      Framed               2
         A Framed Protocol should be started for the User, such as PPP or SLIP. The message MAY include additional AVPs defined in sections 6.9,  or 7 for tunneling services.

      Callback Login       3
         The user should be disconnected and called back, then connected to a host. The message MAY include additional AVPs defined in this section.

      Callback Framed      4
         The user should be disconnected and called back, then a Framed Protocol should be started for the User, such as PPP or SLIP. The message MAY include additional AVPs defined in sections 6.9, or 7 for tunneling services.

6.2. Callback-Number AVP

The Callback-Number AVP (AVP Code 19) is of type UTF8String, and contains a dialing string to be used for callback. It MAY be used in an authentication and/or authorization request as a hint to the server that a Callback service is desired, but the server is not required to honor the hint in the corresponding response.

The codification of the range of allowed usage of this field is outside the scope of this specification.

6.3. Callback-Id AVP

The Callback-Id AVP (AVP Code 20) is of type UTF8String, and contains the name of a place to be called, to be interpreted by the NAS. This AVP MAY be present in an authentication and/or authorization response.
This AVP is not roaming-friendly since it assumes that the Callback-Id is configured on the NAS. It is therefore preferable to use the Callback-Number AVP instead.

6.4. Idle-Timeout AVP

The Idle-Timeout AVP (AVP Code 28) is of type Unsigned32 and sets the maximum number of consecutive seconds of idle connection allowed to the user before termination of the session or a prompt is issued. It MAY be used in an authentication and/or authorization request (or challenge) as a hint to the server that an idle timeout is desired, but the server is not required to honor the hint in the corresponding response. The default is none, or system specific.

6.5. Port-Limit AVP

The Port-Limit AVP (AVP Code 62) is of type Unsigned32 and sets the maximum number of ports to be provided to the user by the NAS. It MAY be used in an authentication and/or authorization request as a hint to the server that multilink PPP [PPPMP] service is desired, but the server is not required to honor the hint in the corresponding response.

6.6. NAS-Filter-Rule AVP

The NAS-Filter-Rule AVP (AVP Code 400) is of type IPFilterRule, and provides filter rules that need to be configured on the NAS for the user. One or more such AVPs MAY be present in an authorization response.

6.7. Filter-Id AVP

The Filter-Id AVP (AVP Code 11) is of type UTF8String, and contains the name of the filter list for this user. Zero or more Filter-Id AVPs MAY be sent in an authorization answer.

Identifying a filter list by name allows the filter to be used on different NASes without regard to filter-list implementation details. However, this AVP is not roaming friendly since filter naming differs from one service provider to another.

In non-RADIUS environments, it is RECOMMENDED that the NAS-Filter-Rule AVP be used instead.

6.8. Configuration-Token AVP

The Configuration-Token AVP (AVP Code 78) is of type OctetString and is sent by a Diameter Server to a Diameter Proxy Agent or Translation Agent in an AA-Answer command to indicate a type of user profile to be used. It should not be sent to a Diameter Client (NAS).

The format of the Data field of this AVP is site specific.

6.9. Framed Access Authorization AVPs

This section contains the authorization AVPs that are necessary to support framed access, such as PPP, SLIP, etc. AVPs defined in this section MAY be present in a message if the Service-Type AVP was set to "Framed" or "Callback Framed".

6.9.1. Framed-Protocol AVP

The Framed-Protocol AVP (AVP Code 7) is of type Enumerated and contains the framing to be used for framed access. This AVP MAY be present in both requests and responses. The supported values are listed in [RADIUSTypes]. The following list is informational:

   1 PPP
   2 SLIP
   3 AppleTalk Remote Access Protocol (ARAP)
   4 Gandalf proprietary SingleLink/MultiLink protocol
   5 Xylogics proprietary IPX/SLIP
   6 X.75 Synchronous

6.9.2. Framed-Routing AVP

The Framed-Routing AVP (AVP Code 10) is of type Enumerated and contains the routing method for the user, when the user is a router to a network. This AVP SHOULD only be present in authorization responses. The supported values are listed in [RADIUSTypes]. The following list is informational:

   0 None
   1 Send routing packets
   2 Listen for routing packets
   3 Send and Listen

6.9.3. Framed-MTU AVP

The Framed-MTU AVP (AVP Code 12) is of type Unsigned32 and contains the Maximum Transmission Unit to be configured for the user, when it is not negotiated by some other means (such as PPP). This AVP SHOULD only be present in authorization responses. The MTU value MUST be in the range of 64 and 65535.

6.9.4. Framed-Compression AVP

The Framed-Compression AVP (AVP Code 13) is of type Enumerated and contains the compression protocol to be used for the link. It MAY be used in an authorization request as a hint to the server that a specific compression type is desired, but the server is not required to honor the hint in the corresponding response.

More than one compression protocol AVP MAY be sent. It is the responsibility of the NAS to apply the proper compression protocol to appropriate link traffic.

The supported values are listed in [RADIUSTypes]. The following list is informational:

   0 None
   1 VJ TCP/IP header compression
   2 IPX header compression
   3 Stac-LZS compression

6.10. IP Access Authorization AVPs

The AVPs defined in this section are used when the user requests, or is being granted, access to IP. They are only present if the Framed-Protocol AVP (see Section 6.9.1) is set to PPP, SLIP, Gandalf proprietary SingleLink/MultiLink protocol, or X.75 Synchronous.

6.10.1. Framed-IP-Address AVP

The Framed-IP-Address AVP (AVP Code 8) [RADIUS] is of type OctetString and contains an IPv4 address, of the type specified in the attribute value, to be configured for the user. It MAY be used in an authorization request as a hint to the server that a specific address is desired, but the server is not required to honor the hint in the corresponding response.

Two values have special significance: 0xFFFFFFFF and 0xFFFFFFFE. The value 0xFFFFFFFF indicates that the NAS should allow the user to select an address (e.g. Negotiated). The value 0xFFFFFFFE indicates that the NAS should select an address for the user (e.g. Assigned from a pool of addresses kept by the NAS).

6.10.2. Framed-IP-Netmask AVP

The Framed-IP-Netmask AVP (AVP Code 9) is of type OctetString and contains the four octets of the IPv4 netmask to be configured for the user when the user is a router to a network. It MAY be used in an authorization request as a hint to the server that a specific netmask is desired, but the server is not required to honor the hint in the corresponding response. This AVP MUST be present in a response if the request included this AVP with a value of 0xFFFFFFFF.

6.10.3. Framed-Route AVP

The Framed-Route AVP (AVP Code 22) is of type UTF8String, and contains the ASCII routing information to be configured for the user on the NAS. Zero or more such AVPs MAY be present in an authorization response.

The string MUST contain a destination prefix in dotted quad form optionally followed by a slash and a decimal length specifier stating how many high order bits of the prefix should be used. That is followed by a space, a gateway address in dotted quad form, a space, and one or more metrics separated by spaces. For example, "192.168.1.0/24 192.168.1.1 1".

The length specifier may be omitted, in which case it should default to 8 bits for class A prefixes, 16 bits for class B prefixes, and 24 bits for class C prefixes. For example, "192.168.1.0 192.168.1.1 1".

Whenever the gateway address is specified as "0.0.0.0" the IP address of the user SHOULD be used as the gateway address.

6.10.4. Framed-Pool AVP

The Framed-Pool AVP (AVP Code 88) is of type OctetString and contains the name of an assigned address pool that SHOULD be used to assign an address for the user. If a NAS does not support multiple address pools, the NAS SHOULD ignore this AVP. Address pools are usually used for IP addresses, but can be used for other protocols if the NAS supports pools for those protocols.
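Sections 6.10.1 and 6.10.3 above leave two things to the NAS implementer: recognising the 0xFFFFFFFF / 0xFFFFFFFE sentinel values of Framed-IP-Address, and parsing the Framed-Route string, including the classful default length when "/len" is omitted and the substitution of the user's own address for a "0.0.0.0" gateway. The following Python is an added example of both, not code from the draft or from any Diameter implementation; the function names are mine, and passing the user's assigned address in as a parameter for the "0.0.0.0" case is an assumption about how a NAS would supply it. Malformed strings raise rather than being silently accepted, since a Framed-Route is a server-supplied instruction that ends up in the NAS routing table.

```python
"""Helpers for the IPv4 access AVPs: Framed-IP-Address special values
(section 6.10.1) and the Framed-Route string (section 6.10.3).
Added example; not code from the draft."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Special Framed-IP-Address values defined in section 6.10.1
FRAMED_IP_NEGOTIATED = 0xFFFFFFFF  # NAS lets the user select an address
FRAMED_IP_ASSIGNED = 0xFFFFFFFE    # NAS assigns an address from its own pool


def interpret_framed_ip_address(data: bytes) -> str:
    """Map the 4-octet Data field to 'negotiated', 'assigned' or a dotted quad."""
    if len(data) != 4:
        raise ValueError("Framed-IP-Address Data field must be exactly 4 octets")
    value = int.from_bytes(data, "big")
    if value == FRAMED_IP_NEGOTIATED:
        return "negotiated"
    if value == FRAMED_IP_ASSIGNED:
        return "assigned"
    return str(ipaddress.IPv4Address(value))


@dataclass
class FramedRoute:
    prefix: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    metrics: List[int]


def _classful_prefix_length(addr: ipaddress.IPv4Address) -> int:
    """Default length when '/len' is omitted: 8/16/24 bits for class A/B/C."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError(f"no classful default length for {addr}; a /len is required")


def parse_framed_route(text: str, user_address: Optional[str] = None) -> FramedRoute:
    """Parse 'dest[/len] gateway metric [metric ...]' as laid out in 6.10.3.

    user_address is the address assigned to the user (assumed to be supplied
    by the NAS); it replaces a gateway of 0.0.0.0 as the section requires.
    """
    fields = text.split()
    if len(fields) < 3:
        raise ValueError("Framed-Route needs a destination, a gateway and at least one metric")
    dest, gw_text, *metric_text = fields

    if "/" in dest:
        addr_text, len_text = dest.split("/", 1)
        addr = ipaddress.IPv4Address(addr_text)
        length = int(len_text)
        if not 0 <= length <= 32:
            raise ValueError(f"prefix length {length} out of range")
    else:
        addr = ipaddress.IPv4Address(dest)
        length = _classful_prefix_length(addr)
    # strict=False masks any host bits the server left set in the destination
    prefix = ipaddress.IPv4Network((addr, length), strict=False)

    gateway = ipaddress.IPv4Address(gw_text)
    if gateway == ipaddress.IPv4Address("0.0.0.0"):
        if user_address is None:
            raise ValueError("gateway 0.0.0.0 requires the user's assigned address")
        gateway = ipaddress.IPv4Address(user_address)

    metrics = [int(m) for m in metric_text]  # int() rejects non-decimal metrics
    if any(m < 0 for m in metrics):
        raise ValueError("metrics must be non-negative")
    return FramedRoute(prefix, gateway, metrics)
```

With the two strings quoted in 6.10.3, `parse_framed_route` yields the same 192.168.1.0/24 route whether or not the "/24" is present, because the classful default for a 192.x.x.x destination is 24 bits.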
Although specified as type OctetString for compatibility with RADIUS [RADIUSExt], the encoding of the Data field SHOULD also conform to the rules for the UTF8String Data Format.

6.10.5. Framed-Interface-Id AVP

The Framed-Interface-Id AVP (AVP Code 96) is of type Unsigned64 and contains the IPv6 interface identifier to be configured for the user. It MAY be used in authorization requests as a hint to the server that a specific interface id is desired, but the server is not required to honor the hint in the corresponding response.

6.10.6. Framed-IPv6-Prefix AVP

The Framed-IPv6-Prefix AVP (AVP Code 97) is of type OctetString and contains the IPv6 prefix to be configured for the user. One or more AVPs MAY be used in authorization requests as a hint to the server that specific IPv6 prefixes are desired, but the server is not required to honor the hint in the corresponding response.

6.10.7. Framed-IPv6-Route AVP

The Framed-IPv6-Route AVP (AVP Code 99) is of type UTF8String, and contains the ASCII routing information to be configured for the user on the NAS. Zero or more such AVPs MAY be present in an authorization response.

The string MUST contain an IPv6 address prefix followed by a slash and a decimal length specifier stating how many high order bits of the prefix should be used. That is followed by a space, a gateway address in hexadecimal notation, a space, and one or more metrics separated by spaces. For example: "2000:0:0:106::/64 2000::106:a00:20ff:fe99:a998 1".

Whenever the gateway address is the IPv6 unspecified address the IP address of the user SHOULD be used as the gateway address, such as: "2000:0:0:106::/64 :: 1".

6.10.8. Framed-IPv6-Pool AVP

The Framed-IPv6-Pool AVP (AVP Code 100) is of type OctetString, and contains the name of an assigned pool that SHOULD be used to assign an IPv6 prefix for the user. If the access device does not support multiple prefix pools, it MUST ignore this AVP.

Although specified as type OctetString for compatibility with RADIUS [RADIUSIPv6], the encoding of the Data field SHOULD also conform to the rules for the UTF8String Data Format.

6.11. IPX Access

The AVPs defined in this section are used when the user requests, or is being granted, access to IPX. They are only present if the Framed-Protocol AVP (see Section 6.9.1) is set to PPP, Xylogics proprietary IPX/SLIP, Gandalf proprietary SingleLink/MultiLink protocol, or X.75 Synchronous.

6.11.1. Framed-IPX-Network AVP

The Framed-IPX-Network AVP (AVP Code 23) is of type Unsigned32, and contains the IPX Network number to be configured for the user. It MAY be used in an authorization request as a hint to the server that a specific address is desired, but the server is not required to honor the hint in the corresponding response.

Two addresses have special significance: 0xFFFFFFFF and 0xFFFFFFFE. The value 0xFFFFFFFF indicates that the NAS should allow the user to select an address (e.g. Negotiated). The value 0xFFFFFFFE indicates that the NAS should select an address for the user (e.g. assigned from a pool of one or more IPX networks kept by the NAS).

6.12. AppleTalk Network Access

The AVPs defined in this section are used when the user requests, or is being granted, access to an AppleTalk network [AppleTalk]. They are only present if the Framed-Protocol AVP (see Section 6.9.1) is set to ARAP, PPP, Gandalf proprietary SingleLink/MultiLink protocol, or X.75 Synchronous.

6.12.1. Framed-AppleTalk-Link AVP

The Framed-AppleTalk-Link AVP (AVP Code 37) is of type Unsigned32 and contains the AppleTalk network number which should be used for the serial link to the user, which is another AppleTalk router. This AVP MUST only be present in an authorization response and is never used when the user is not another router.

Despite the size of the field, values range from zero to 65535. The special value of zero indicates that this is an unnumbered serial link. A value of one to 65535 means that the serial line between the NAS and the user should be assigned that value as an AppleTalk network number.

6.12.2. Framed-AppleTalk-Network AVP

The Framed-AppleTalk-Network AVP (AVP Code 38) is of type Unsigned32 and contains the AppleTalk Network number which the NAS should probe to allocate an AppleTalk node for the user. This AVP MUST only be present in an authorization response and is never used when the user is not another router. Multiple instances of this AVP indicate that the NAS may probe using any of the network numbers specified.

Despite the size of the field, values range from zero to 65535. The special value zero indicates that the NAS should assign a network for the user, using its default cable range. A value between one and 65535 (inclusive) indicates the AppleTalk Network the NAS should probe to find an address for the user.

6.12.3. Framed-AppleTalk-Zone AVP

The Framed-AppleTalk-Zone AVP (AVP Code 39) is of type OctetString and contains the AppleTalk Default Zone to be used for this user. This AVP MUST only be present in an authorization response. Multiple instances of this AVP in the same message are not allowed.

The codification of the range of allowed usage of this field is outside the scope of this specification.

6.13. AppleTalk Remote Access

The AVPs defined in this section are used when the user requests, or is being granted, access to the AppleTalk network via the AppleTalk Remote Access Protocol [ARAP]. They are only present if the Framed-Protocol AVP (see Section 6.9.1) is set to ARAP. Section 2.2 of RFC 2869 [RADIUSExt] describes the operational use of these attributes.

6.13.1. ARAP-Features AVP

The ARAP-Features AVP (AVP Code 71) is of type OctetString, and MAY be present in the AA-Accept message if the Framed-Protocol AVP is set to the value of ARAP. See [RADIUSExt] for more information on the format of this AVP.

6.13.2. ARAP-Zone-Access AVP

The ARAP-Zone-Access AVP (AVP Code 72) is of type Enumerated, and MAY be present in the AA-Accept message if the Framed-Protocol AVP is set to the value of ARAP.

The supported values are listed in [RADIUSTypes], and are defined in [RADIUSExt].

6.14. Non-Framed Access Authorization AVPs

This section contains the authorization AVPs that are needed to support terminal server functionality. AVPs defined in this section MAY be present in a message if the Service-Type AVP was set to "Login" or "Callback Login".

6.14.1. Login-IP-Host AVP

The Login-IP-Host AVP (AVP Code 14) [RADIUS] is of type OctetString and contains the IPv4 address of a host with which to connect the user when the Login-Service AVP is included. It MAY be used in an AA-Request command as a hint to the Diameter Server that a specific host is desired, but the Diameter Server is not required to honor the hint in the AA-Answer.

Two addresses have special significance: all ones and 0. The value of all ones indicates that the NAS SHOULD allow the user to select an address. The value 0 indicates that the NAS SHOULD select a host to connect the user to.

6.14.2. Login-IPv6-Host AVP

The Login-IPv6-Host AVP (AVP Code 98) [RADIUSIPv6] is of type OctetString and contains the IPv6 address of a host with which to connect the user when the Login-Service AVP is included. It MAY be used in an AA-Request command as a hint to the Diameter Server that a specific host is desired, but the Diameter Server is not required to honor the hint in the AA-Answer.

Two addresses have special significance: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF and 0. The value 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF indicates that the NAS SHOULD allow the user to select an address. The value 0 indicates that the NAS SHOULD select a host to connect the user to.

6.14.3. Login-Service AVP

The Login-Service AVP (AVP Code 15) is of type Enumerated and contains the service which should be used to connect the user to the login host. This AVP SHOULD only be present in authorization responses.

The supported values are listed in [RADIUSTypes]. The following list is informational:

   0 Telnet
   1 Rlogin
   2 TCP Clear
   3 PortMaster (proprietary)
   4 LAT
   5 X25-PAD
   6 X25-T3POS
   8 TCP Clear Quiet (suppresses any NAS-generated connect string)

6.15. TCP Services

The AVPs described in this section MAY be present if the Login-Service AVP is set to Telnet, Rlogin, TCP Clear or TCP Clear Quiet.

6.15.1. Login-TCP-Port AVP

The Login-TCP-Port AVP (AVP Code 16) is of type Unsigned32 and contains the TCP port with which the user is to be connected, when the Login-Service AVP is also present. This AVP SHOULD only be present in authorization responses. The value MUST NOT be greater than 65535.

6.15.2. LAT Services

The AVPs described in this section MAY be present if the Login-Service AVP is set to LAT [LAT].

6.15.3. Login-LAT-Service AVP

The Login-LAT-Service AVP (AVP Code 34) is of type OctetString and contains the system with which the user is to be connected by LAT. It MAY be used in an authorization request as a hint to the server that a specific service is desired, but the server is not required to honor the hint in the corresponding response. This AVP MUST only be present in the response if the Login-Service AVP states that LAT is desired.

Administrators use the service attribute when dealing with clustered systems, such as a VAX or Alpha cluster. In such an environment several different time sharing hosts share the same resources (disks, printers, etc.), and administrators often configure each to offer access (service) to each of the shared resources. In this case, each host in the cluster advertises its services through LAT broadcasts.

Sophisticated users often know which service providers (machines) are faster and tend to use a node name when initiating a LAT connection. Alternately, some administrators want particular users to use certain machines as a primitive form of load balancing (although LAT knows how to do load balancing itself).

The String field contains the identity of the LAT service to use. The LAT Architecture allows this string to contain $ (dollar), - (hyphen), . (period), _ (underscore), numerics, upper and lower case alphabetics, and the ISO Latin-1 character set extension [ISOLatin]. All LAT string comparisons are case insensitive.

6.15.4. Login-LAT-Node AVP

The Login-LAT-Node AVP (AVP Code 35) is of type OctetString and contains the Node with which the user is to be automatically connected by LAT. It MAY be used in an authorization request as a hint to the server that a specific LAT node is desired, but the server is not required to honor the hint in the corresponding response. This AVP MUST only be present in a response if the Login-Service-Type AVP is set to LAT.

The String field contains the identity of the LAT service to use. The LAT Architecture allows this string to contain $ (dollar), - (hyphen), . (period), _ (underscore), numerics, upper and lower case alphabetics, and the ISO Latin-1 character set extension [ISOLatin]. All LAT string comparisons are case insensitive.

6.15.5. Login-LAT-Group AVP

The Login-LAT-Group AVP (AVP Code 36) is of type OctetString and contains a string identifying the LAT group codes which this user is authorized to use. It MAY be used in an authorization request as a hint to the server that a specific group is desired, but the server is not required to honor the hint in the corresponding response. This AVP MUST only be present in a response if the Login-Service-Type AVP is set to LAT.

LAT supports 256 different group codes, which LAT uses as a form of access rights. LAT encodes the group codes as a 256 bit bitmap.

Administrators can assign one or more of the group code bits at the LAT service provider; it will only accept LAT connections that have these group codes set in the bit map. The administrators assign a bitmap of authorized group codes to each user; LAT gets these from the operating system, and uses these in its requests to the service providers.

The codification of the range of allowed usage of this field is outside the scope of this specification.

6.15.6. Login-LAT-Port AVP

The Login-LAT-Port AVP (AVP Code 63) is of type OctetString and contains the Port with which the user is to be connected by LAT. It MAY be used in an authorization request as a hint to the server that a specific port is desired, but the server is not required to honor the hint in the corresponding response. This AVP MUST only be present in a response if the Login-Service-Type AVP is set to LAT.

The String field contains the identity of the LAT service to use. The LAT Architecture allows this string to contain $ (dollar), - (hyphen), . (period), _ (underscore), numerics, upper and lower case alphabetics, and the ISO Latin-1 character set extension [ISOLatin]. All LAT string comparisons are case insensitive.

7. NAS Tunneling

Some NASes support compulsory tunnel services where the incoming connection data is conveyed by an encapsulation method to a gateway elsewhere in the network. This is typically transparent to the service user, and the tunnel characteristics may be described by the remote AAA server, based on the user's authorization information. Several tunnel characteristics may be returned, and the NAS implementation may choose one. [RADTunnels],[RADTunlAcct]

                                                  +---------------------+
                                                  |    AVP Flag rules   |
                        AVP   Section             |----+-----+----+-----|----+
Attribute Name          Code  Defined  Value Type |MUST| MAY |SHLD| MUST|Encr|
                                                  |    |     | NOT| NOT |    |
--------------------------------------------------|----+-----+----+-----|----|
Tunneling               401   7.1      Grouped    | M  |  P  |    |  V  | N  |
Tunnel-Type              64   7.2      Enumerated | M  |  P  |    |  V  | Y  |
Tunnel-Medium-Type       65   7.3      Enumerated | M  |  P  |    |  V  | Y  |
Tunnel-Client-Endpoint   66   7.4      UTF8String | M  |  P  |    |  V  | Y  |
Tunnel-Server-Endpoint   67   7.5      UTF8String | M  |  P  |    |  V  | Y  |
Tunnel-Password          69   7.6      OctetString| M  |  P  |    |  V  | Y  |
Tunnel-Private-Group-Id  81   7.7      UTF8String | M  |  P  |    |  V  | Y  |
Tunnel-Assignment-Id     82   7.8      OctetString| M  |  P  |    |  V  | Y  |
Tunnel-Preference        83   7.9      Unsigned32 | M  |  P  |    |  V  | Y  |
Tunnel-Client-Auth-Id    90   7.10     Unsigned32 | M  |  P  |    |  V  | Y  |
Tunnel-Server-Auth-Id    91   7.11     OctetString| M  |  P  |    |  V  | Y  |
--------------------------------------------------|----+-----+----+-----|----|

7.1. Tunneling AVP

The Tunneling AVP (AVP Code 401) is of type Grouped and contains the following AVPs used to describe a compulsory tunnel service [RADTunnels],[RADTunlAcct]. Its data field has the following ABNF grammar:

   Tunneling ::= < AVP Header: 401 >
                 { Tunnel-Type }
                 { Tunnel-Medium-Type }
                 { Tunnel-Client-Endpoint }
                 { Tunnel-Server-Endpoint }
                 [ Tunnel-Preference ]
                 [ Tunnel-Client-Auth-Id ]
                 [ Tunnel-Server-Auth-Id ]
                 [ Tunnel-Assignment-Id ]
                 [ Tunnel-Password ]
                 [ Tunnel-Private-Group-Id ]

7.2. Tunnel-Type AVP

The Tunnel-Type AVP (AVP Code 64) is of type Enumerated and contains the tunneling protocol(s) to be used (in the case of a tunnel initiator) or the tunneling protocol in use (in the case of a tunnel terminator). It MAY be used in an authorization request as a hint to the server that a specific tunnel type is desired, but the server is not required to honor the hint in the corresponding response.

The Tunnel-Type AVP SHOULD also be included in Accounting-Request messages.

A tunnel initiator is not required to implement any of these tunnel types; if a tunnel initiator receives a response that contains only unknown or unsupported Tunnel-Types, the tunnel initiator MUST behave as though a response was received with the Result-Code indicating a failure.

The supported values are listed in [RADIUSTypes]. The following list is informational:

   1  Point-to-Point Tunneling Protocol (PPTP)
   2  Layer Two Forwarding (L2F)
   3  Layer Two Tunneling Protocol (L2TP)
   4  Ascend Tunnel Management Protocol (ATMP)
   5  Virtual Tunneling Protocol (VTP)
   6  IP Authentication Header in the Tunnel-mode (AH)
   7  IP-in-IP Encapsulation (IP-IP)
   8  Minimal IP-in-IP Encapsulation (MIN-IP-IP)
   9  IP Encapsulating Security Payload in the Tunnel-mode (ESP)
   10 Generic Route Encapsulation (GRE)
   11 Bay Dial Virtual Services (DVS)
   12 IP-in-IP Tunneling
   13 Virtual LANs (VLAN)

7.3. Tunnel-Medium-Type AVP

The Tunnel-Medium-Type AVP (AVP Code 65) is of type Enumerated and contains the transport medium to use when creating a tunnel for those protocols (such as L2TP) that can operate over multiple transports. It MAY be used in an authorization request as a hint to the server that a specific medium is desired, but the server is not required to honor the hint in the corresponding response.

The supported values are listed in [RADIUSTypes]. The following list is informational:

   1  IPv4 (IP version 4)
   2  IPv6 (IP version 6)
   3  NSAP
   4  HDLC (8-bit multidrop)
   5  BBN 1822
   6  802 (includes all 802 media plus Ethernet "canonical format")
   7  E.163 (POTS)
   8  E.164 (SMDS, Frame Relay, ATM)
   9  F.69 (Telex)
   10 X.121 (X.25, Frame Relay)
   11 IPX
   12 Appletalk
   13 Decnet IV
   14 Banyan Vines
   15 E.164 with NSAP format subaddress

7.4. Tunnel-Client-Endpoint AVP

The Tunnel-Client-Endpoint AVP (AVP Code 66) is of type UTF8String, and contains the address of the initiator end of the tunnel. It MAY be used in an authorization request as a hint to the server that a specific endpoint is desired, but the server is not required to honor the hint in the corresponding response.

This AVP SHOULD be included in the corresponding Accounting-Request messages, in which case it indicates the address from which the tunnel was initiated. This AVP, along with the Tunnel-Server-Endpoint and Session-Id AVP [Base], MAY be used to provide a globally unique means to identify a tunnel for accounting and auditing purposes.

If Tunnel-Medium-Type is IPv4 (1), then this string is either the fully qualified domain name (FQDN) of the tunnel client machine, or it is a "dotted-decimal" IP address. Implementations MUST support the dotted-decimal format and SHOULD support the FQDN format for IP addresses.

If Tunnel-Medium-Type is IPv6 (2), then this string is either the FQDN of the tunnel client machine, or it is a text representation of the address in either the preferred or alternate form [IPv6Addr]. Conformant implementations MUST support the preferred form and SHOULD support both the alternate text form and the FQDN format for IPv6 addresses.

If Tunnel-Medium-Type is neither IPv4 nor IPv6, this string is a tag referring to configuration data local to the Diameter client that describes the interface or medium-specific client address to use.

7.5. Tunnel-Server-Endpoint AVP

The Tunnel-Server-Endpoint AVP (AVP Code 67) is of type UTF8String, and contains the address of the server end of the tunnel. It MAY be used in an authorization request as a hint to the server that a specific endpoint is desired, but the server is not required to honor the hint in the corresponding response.

This AVP SHOULD be included in the corresponding Accounting-Request messages, in which case it indicates the address from which the tunnel was initiated. This AVP, along with the Tunnel-Client-Endpoint and Session-Id AVP [Base], MAY be used to provide a globally unique means to identify a tunnel for accounting and auditing purposes.
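Sections 7.1 through 7.4 above fix three things an implementation has to get right for the Tunneling AVP: the flag rules from the section 7 table (M set, V never set), the ABNF of 7.1 (the four braced AVPs exactly once, the bracketed ones optional), and the endpoint formats of 7.4 that depend on Tunnel-Medium-Type. The following Python is an added example, not code from the draft or from any Diameter stack. It encodes and decodes a Tunneling AVP using the base-protocol AVP header layout from [Base] (32-bit code, 8 flag bits, 24-bit length covering header and data but not padding, data padded to a 4-octet boundary); the function names, the constructed sample values (192.0.2.10, lns.example.net) and the syntactic FQDN check (a pattern, not a DNS lookup) are my own assumptions. The decoder checks every declared length against the buffer before slicing, which is the check that keeps a malformed AVP from reading past the message.

```python
"""Encode/decode the Tunneling Grouped AVP (section 7.1) with the codes,
types and flag rules from the section 7 table.  Added example; not code
from the draft.  AVP header layout follows the Diameter base protocol."""
import ipaddress
import re
import struct

# AVP codes from the section 7 table
TUNNELING, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE = 401, 64, 65
TUNNEL_CLIENT_ENDPOINT, TUNNEL_SERVER_ENDPOINT, TUNNEL_PREFERENCE = 66, 67, 83
# Enumerated values quoted in 7.2 and 7.3 (the subset used here)
TUNNEL_TYPE_PPTP, TUNNEL_TYPE_L2TP = 1, 3
MEDIUM_IPV4, MEDIUM_IPV6 = 1, 2
# AVP flag bits: Vendor-specific, Mandatory, Protected
FLAG_V, FLAG_M, FLAG_P = 0x80, 0x40, 0x20
REQUIRED = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_CLIENT_ENDPOINT, TUNNEL_SERVER_ENDPOINT}

_FQDN_RE = re.compile(r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
                      r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+\.?$")


def _looks_like_fqdn(text: str) -> bool:
    """Syntactic check only (assumption: no DNS lookup); all-digit TLDs rejected
    so a dotted-decimal address is not mistaken for a host name."""
    return bool(_FQDN_RE.match(text)) and not text.rstrip(".").split(".")[-1].isdigit()


def validate_endpoint(medium: int, endpoint: str) -> None:
    """7.4: IPv4 medium -> dotted-decimal or FQDN; IPv6 medium -> text form or
    FQDN; any other medium -> a locally meaningful tag, which is not checked."""
    if medium == MEDIUM_IPV4:
        try:
            ipaddress.IPv4Address(endpoint)
            return
        except ValueError:
            pass
    elif medium == MEDIUM_IPV6:
        try:
            ipaddress.IPv6Address(endpoint)
            return
        except ValueError:
            pass
    else:
        return
    if not _looks_like_fqdn(endpoint):
        raise ValueError(f"endpoint {endpoint!r} is neither an address nor an FQDN for medium {medium}")


def encode_avp(code: int, data: bytes, mandatory: bool = True) -> bytes:
    """One AVP: 8-octet header + data, padded to 4 octets.  The Tunneling AVPs
    MUST NOT carry the V flag, so no Vendor-Id field is ever emitted here."""
    flags = FLAG_M if mandatory else 0
    length = 8 + len(data)                      # padding is not counted
    header = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    return header + data + b"\x00" * (-len(data) % 4)


def encode_enumerated(code: int, value: int) -> bytes:
    return encode_avp(code, struct.pack("!i", value))


def encode_unsigned32(code: int, value: int) -> bytes:
    return encode_avp(code, struct.pack("!I", value))


def encode_utf8(code: int, text: str) -> bytes:
    return encode_avp(code, text.encode("utf-8"))


def build_tunneling_avp(tunnel_type: int, medium: int, client_ep: str,
                        server_ep: str, preference: int = None) -> bytes:
    """Assemble a Tunneling AVP in the order of the 7.1 ABNF."""
    validate_endpoint(medium, client_ep)
    validate_endpoint(medium, server_ep)
    inner = (encode_enumerated(TUNNEL_TYPE, tunnel_type)
             + encode_enumerated(TUNNEL_MEDIUM_TYPE, medium)
             + encode_utf8(TUNNEL_CLIENT_ENDPOINT, client_ep)
             + encode_utf8(TUNNEL_SERVER_ENDPOINT, server_ep))
    if preference is not None:
        inner += encode_unsigned32(TUNNEL_PREFERENCE, preference)
    return encode_avp(TUNNELING, inner)


def decode_avps(buf: bytes):
    """Split a buffer into (code, flags, data) triples, refusing any AVP whose
    declared length runs past the buffer or is shorter than its own header."""
    out, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, pos)
        length = int.from_bytes(buf[pos + 5:pos + 8], "big")
        hdr = 12 if flags & FLAG_V else 8
        if length < hdr or pos + length > len(buf):
            raise ValueError(f"bad length {length} for AVP {code}")
        out.append((code, flags, bytes(buf[pos + hdr:pos + length])))
        pos += length + (-length % 4)
    return out


def decode_tunneling(buf: bytes) -> dict:
    """Decode one Tunneling AVP and enforce the 7.1 grammar and the flag table."""
    avps = decode_avps(buf)
    if len(avps) != 1 or avps[0][0] != TUNNELING:
        raise ValueError("expected exactly one Tunneling AVP")
    result = {}
    for code, flags, data in decode_avps(avps[0][2]):
        if flags & FLAG_V:
            raise ValueError(f"AVP {code} MUST NOT set the V flag")
        if code in result:
            raise ValueError(f"AVP {code} repeated inside Tunneling")
        if code in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            result[code] = struct.unpack("!i", data)[0]
        elif code in (TUNNEL_CLIENT_ENDPOINT, TUNNEL_SERVER_ENDPOINT):
            result[code] = data.decode("utf-8")
        elif code == TUNNEL_PREFERENCE:
            result[code] = struct.unpack("!I", data)[0]
        else:
            result[code] = data
    missing = REQUIRED - result.keys()
    if missing:
        raise ValueError(f"Tunneling AVP lacks required AVPs {sorted(missing)}")
    return result
```

A Tunneling AVP built from Tunnel-Type 3 (L2TP) over IPv4 with the two sample endpoints and a Tunnel-Preference decodes back to the same values; a response carrying only a Tunnel-Type inside the group is rejected as violating the grammar, and a client endpoint that is neither dotted-decimal nor an FQDN is rejected before anything is encoded.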
2109 If Tunnel-Medium-Type is IPv4 (1), then this string is either the 2110 fully qualified domain name (FQDN) of the tunnel server machine, or 2111 it is a "dotted-decimal" IP address. Implementations MUST support 2112 the dotted-decimal format and SHOULD support the FQDN format for IP 2113 addresses. 2115 If Tunnel-Medium-Type is IPv6 (2), then this string is either the 2116 FQDN of the tunnel server machine, or it is a text representation of 2117 the address in either the preferred or alternate form [IPv6Addr]. 2118 Implementations MUST support the preferred form and SHOULD support 2119 both the alternate text form and the FQDN format for IPv6 addresses. 2121 If Tunnel-Medium-Type is not IPv4 or IPv6, this string is a tag 2122 referring to configuration data local to the Diameter client that 2123 describes the interface or medium-specific server address to use. 2125 7.6. Tunnel-Password AVP 2127 The Tunnel-Password AVP (AVP Code 69) is of type OctetString and may 2128 contain a password to be used to authenticate to a remote server. 2129 The Tunnel-Password AVP contains sensitive information. This value is 2130 not protected in the same manner as RADIUS [RADTunnels]. 2132 As required in [Base], Diameter messages are encrypted using IPsec or 2133 TLS. The Tunnel-Password AVP SHOULD NOT be used in untrusted proxy 2134 environments without encrypting it using end-to-end security 2135 techniques, such as CMS Security [DiamCMS]. 2137 7.7. Tunnel-Private-Group-Id AVP 2139 The Tunnel-Private-Group-Id AVP (AVP Code 81) is of type OctetString, 2140 and contains the group Id for a particular tunneled session. The 2141 Tunnel-Private-Group-Id AVP MAY be included in an authorization 2142 request if the tunnel initiator can pre-determine the group resulting 2143 from a particular connection and SHOULD be included in the 2144 authorization response if this tunnel session is to be treated as 2145 belonging to a particular private group. 
Private groups may be used 2146 to associate a tunneled session with a particular group of users. 2147 For example, it MAY be used to facilitate routing of unregistered IP 2148 addresses through a particular interface. This AVP SHOULD be 2149 included in the Accounting-Request messages which pertain to the 2150 tunneled session. 2152 7.8. Tunnel-Assignment-Id AVP 2154 The Tunnel-Assignment-Id AVP (AVP Code 82) is of type OctetString and 2155 is used to indicate to the tunnel initiator the particular tunnel to 2156 which a session is to be assigned. Some tunneling protocols, such as 2157 [PPTP] and [L2TP], allow for sessions between the same two tunnel 2158 endpoints to be multiplexed over the same tunnel and also for a given 2159 session to utilize its own dedicated tunnel. This attribute provides 2160 a mechanism for Diameter to be used to inform the tunnel initiator 2161 (e.g. PAC, LAC) whether to assign the session to a multiplexed 2162 tunnel or to a separate tunnel. Furthermore, it allows for sessions 2163 sharing multiplexed tunnels to be assigned to different multiplexed 2164 tunnels. 2166 A particular tunneling implementation may assign differing 2167 characteristics to particular tunnels. For example, different 2168 tunnels may be assigned different QoS parameters. Such tunnels may 2169 be used to carry either individual or multiple sessions. The Tunnel- 2170 Assignment-Id attribute thus allows the Diameter server to indicate 2171 that a particular session is to be assigned to a tunnel that provides 2172 an appropriate level of service. It is expected that any QoS-related 2173 Diameter tunneling attributes defined in the future that accompany 2174 this attribute will be associated by the tunnel initiator with the Id 2175 given by this attribute. In the meantime, any semantic given to a 2176 particular Id string is a matter left to local configuration in the 2177 tunnel initiator. 
2179 The Tunnel-Assignment-Id AVP is of significance only to Diameter and 2180 the tunnel initiator. The Id it specifies is intended to be of only 2181 local use to Diameter and the tunnel initiator. The Id assigned by 2182 the tunnel initiator is not conveyed to the tunnel peer. 2184 This attribute MAY be included in authorization responses. The tunnel 2185 initiator receiving this attribute MAY choose to ignore it and assign 2186 the session to an arbitrary multiplexed or non-multiplexed tunnel 2187 between the desired endpoints. This AVP SHOULD also be included in 2188 the Accounting-Request messages which pertain to the tunneled 2189 session. 2191 If a tunnel initiator supports the Tunnel-Assignment-Id AVP, then it 2192 should assign a session to a tunnel in the following manner: 2194 - If this AVP is present and a tunnel exists between the specified 2195 endpoints with the specified Id, then the session should be 2196 assigned to that tunnel. 2198 - If this AVP is present and no tunnel exists between the 2199 specified endpoints with the specified Id, then a new tunnel 2200 should be established for the session and the specified Id 2201 should be associated with the new tunnel. 2203 - If this AVP is not present, then the session is assigned to an 2204 unnamed tunnel. If an unnamed tunnel does not yet exist between 2205 the specified endpoints then it is established and used for this 2206 and subsequent sessions established without the Tunnel- 2207 Assignment-Id attribute. A tunnel initiator MUST NOT assign a 2208 session for which a Tunnel-Assignment-Id AVP was not specified 2209 to a named tunnel (i.e. one that was initiated by a session 2210 specifying this AVP). 2212 Note that the same Id may be used to name different tunnels if such 2213 tunnels are between different endpoints. 2215 7.9. 
7.9.  Tunnel-Preference AVP

   The Tunnel-Preference AVP (AVP Code 83) is of type Unsigned32 and is used to identify the relative preference assigned to each tunnel when more than one set of tunneling AVPs is returned within separate Grouped-AVP AVPs. It MAY be used in an authorization request as a hint to the server that a specific preference is desired, but the server is not required to honor the hint in the corresponding response.

   For example, suppose that AVPs describing two tunnels are returned by the server, one with a Tunnel-Type of PPTP and the other with a Tunnel-Type of L2TP. If the tunnel initiator supports only one of the Tunnel-Types returned, it will initiate a tunnel of that type. If, however, it supports both tunnel protocols, it SHOULD use the value of the Tunnel-Preference AVP to decide which tunnel should be started. The tunnel having the numerically lowest value in the Value field of this AVP SHOULD be given the highest preference. The values assigned to two or more instances of the Tunnel-Preference AVP within a given authorization response MAY be identical. In this case, the tunnel initiator SHOULD use locally configured metrics to decide which set of AVPs to use.

7.10.  Tunnel-Client-Auth-Id AVP

   The Tunnel-Client-Auth-Id AVP (AVP Code 90) is of type UTF8String and specifies the name used by the tunnel initiator during the authentication phase of tunnel establishment. It MAY be used in an authorization request as a hint to the server that a specific preference is desired, but the server is not required to honor the hint in the corresponding response. This AVP MUST be present in the authorization response if an authentication name other than the default is desired. This AVP SHOULD be included in the Accounting-Request messages which pertain to the tunneled session.
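   The following Python is an added illustration (not code from the draft or from any NAS implementation) of how a tunnel initiator such as a LAC or PAC could apply the Tunnel-Preference rules of Section 7.9 together with the Tunnel-Assignment-Id rules of Section 7.8. The tunnel endpoints, Id strings, session names and the local tie-break metric are constructed for the example; tunnels are keyed by (peer endpoint, Id), which is what makes "same Id, different endpoints" distinct tunnels and keeps Id-less sessions out of named tunnels.

```python
"""Tunnel-Preference selection (Section 7.9) and Tunnel-Assignment-Id
assignment (Section 7.8) as a tunnel initiator might implement them.
Added example; endpoints, Ids and the tie-break metric are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TunnelAvpSet:
    """One Grouped AVP set describing a tunnel in an authorization answer."""
    tunnel_type: str                        # Tunnel-Type, e.g. "L2TP" or "PPTP"
    server_endpoint: str                    # Tunnel-Server-Endpoint
    preference: int = 0                     # Tunnel-Preference; lowest wins
    assignment_id: Optional[bytes] = None   # Tunnel-Assignment-Id, if any


def choose_tunnel_set(sets: List[TunnelAvpSet], supported_types,
                      local_metric: Callable[[TunnelAvpSet], object]):
    """Drop sets whose Tunnel-Type is unsupported, take the numerically lowest
    Tunnel-Preference, and break equal preferences with a locally configured
    metric (any callable returning a sortable key).  None if nothing is usable."""
    usable = [s for s in sets if s.tunnel_type in supported_types]
    if not usable:
        return None
    return min(usable, key=lambda s: (s.preference, local_metric(s)))


@dataclass
class Tunnel:
    server_endpoint: str
    assignment_id: Optional[bytes]          # None marks an unnamed tunnel
    sessions: List[str] = field(default_factory=list)


class TunnelInitiator:
    """Section 7.8 rules.  Keying by (endpoint, Id) means the same Id towards
    different endpoints names different tunnels, and a session that carried
    no Id (key Id None) can never be placed in a named tunnel."""

    def __init__(self):
        self.tunnels: Dict[Tuple[str, Optional[bytes]], Tunnel] = {}

    def assign(self, session_id: str, avp_set: TunnelAvpSet) -> Tunnel:
        key = (avp_set.server_endpoint, avp_set.assignment_id)
        tunnel = self.tunnels.get(key)
        if tunnel is None:
            # No tunnel with this Id (or no unnamed tunnel) towards the
            # endpoint yet: establish one and associate the Id with it.
            tunnel = Tunnel(avp_set.server_endpoint, avp_set.assignment_id)
            self.tunnels[key] = tunnel
        tunnel.sessions.append(session_id)
        return tunnel


def by_endpoint(avp_set: TunnelAvpSet):
    """Constructed stand-in for a locally configured tie-break metric."""
    return avp_set.server_endpoint


def demo():
    """Constructed walk-through; returns the objects a test can inspect."""
    # Answer carrying two tunnel AVP sets; PPTP is preferred (lower value).
    answer = [
        TunnelAvpSet("PPTP", "203.0.113.10", preference=1),
        TunnelAvpSet("L2TP", "203.0.113.20", preference=2, assignment_id=b"gold"),
    ]
    both = choose_tunnel_set(answer, {"PPTP", "L2TP"}, by_endpoint)
    l2tp_only = choose_tunnel_set(answer, {"L2TP"}, by_endpoint)
    lac = TunnelInitiator()
    named = lac.assign("sess-1", answer[1])        # starts named tunnel "gold"
    named_again = lac.assign("sess-2", answer[1])  # multiplexed onto "gold"
    unnamed = lac.assign("sess-3", TunnelAvpSet("L2TP", "203.0.113.20"))
    elsewhere = lac.assign(
        "sess-4", TunnelAvpSet("L2TP", "203.0.113.30", assignment_id=b"gold"))
    return both, l2tp_only, named, named_again, unnamed, elsewhere, lac


if __name__ == "__main__":
    for tunnel in demo()[-1].tunnels.values():
        print(tunnel)
```

   Running `demo()` yields three tunnels: the named "gold" tunnel to 203.0.113.20 carrying two sessions, an unnamed tunnel to the same endpoint for the session that carried no Id, and a second tunnel also named "gold" towards 203.0.113.30.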
7.11.  Tunnel-Server-Auth-Id AVP

   The Tunnel-Server-Auth-Id AVP (AVP Code 91) is of type UTF8String and specifies the name used by the tunnel terminator during the authentication phase of tunnel establishment. It MAY be used in an authorization request as a hint to the server that a specific preference is desired, but the server is not required to honor the hint in the corresponding response. This AVP MUST be present in the authorization response if an authentication name other than the default is desired. This AVP SHOULD be included in the Accounting-Request messages which pertain to the tunneled session.

8.  NAS Accounting

   Applications implementing this specification use Diameter Accounting as defined in the Base [Base] with the addition of the AVPs in the following section. Service specific AVP usage is defined in the tables in Section 10.

   If accounting is active, Accounting Request messages (ACR) SHOULD be sent after the completion of any Authentication or Authorization transaction and at the end of a Session. The Accounting-Record-Type value indicates the type of event. All other AVPs identify the session and provide additional information relevant to the event.

   The successful completion of the first Authentication or Authorization transaction SHOULD cause a START_RECORD to be sent. If additional Authentications or Authorizations occur in later transactions, the first exchange should generate a START_RECORD, and the later ones an INTERIM_RECORD. For a given session, there MUST only be one set of matching START and STOP records, with any number of INTERIM_RECORDS in between, or one EVENT_RECORD indicating the reason for not starting a session.

   The following table describes the AVPs, their AVP Code values, types, possible flag values and whether the AVP MAY be encrypted.
                                              +---------------------+
                                              |  AVP Flag rules     |
                                              |----+-----+----+-----|----+
                      AVP  Section            |    |     |SHLD| MUST|    |
   Attribute Name     Code Defined Value Type |MUST| MAY | NOT| NOT|Encr|
   -------------------------------------------|----+-----+----+-----|----|
   Accounting-        363  8.1     Unsigned64 | M  |  P  |    |  V  | Y  |
     Input-Octets                             |    |     |    |     |    |
   Accounting-        364  8.2     Unsigned64 | M  |  P  |    |  V  | Y  |
     Output-Octets                            |    |     |    |     |    |
   Accounting-        365  8.3     Unsigned64 | M  |  P  |    |  V  | Y  |
     Input-Packets                            |    |     |    |     |    |
   Accounting-        366  8.4     Unsigned64 | M  |  P  |    |  V  | Y  |
     Output-Packets                           |    |     |    |     |    |
   Acct-Session-Time   46  8.5     Unsigned32 | M  |  P  |    |  V  | Y  |
   Acct-Authentic      45  8.6     Enumerated | M  |  P  |    |  V  | Y  |
   Accounting-Auth-   406  8.7     Enumerated | M  |  P  |    |  V  | Y  |
     Method                                   |    |     |    |     |    |
   Acct-Delay-Time     41  8.8     Unsigned32 | M  |  P  |    |  V  | Y  |
   Acct-Link-Count     51  8.9     Unsigned32 | M  |  P  |    |  V  | Y  |
   Acct-Tunnel-        68  8.10    OctetString| M  |  P  |    |  V  | Y  |
     Connection                               |    |     |    |     |    |
   Acct-Tunnel-        86  8.11    Unsigned32 | M  |  P  |    |  V  | Y  |
     Packets-Lost                             |    |     |    |     |    |
   -------------------------------------------|----+-----+----+-----|----|

8.1.  Accounting-Input-Octets AVP

   The Accounting-Input-Octets AVP (AVP Code 363) is of type Unsigned64, and contains the number of octets received from the user.

   For NAS usage, this AVP indicates how many octets have been received from the port in the course of this session and can only be present in ACR messages with an Accounting-Record-Type of INTERIM_RECORD or STOP_RECORD.

8.2.  Accounting-Output-Octets AVP

   The Accounting-Output-Octets AVP (AVP Code 364) is of type Unsigned64, and contains the number of octets sent to the user.
   For NAS usage, this AVP indicates how many octets have been sent to the port in the course of this session and can only be present in ACR messages with an Accounting-Record-Type of INTERIM_RECORD or STOP_RECORD.

8.3.  Accounting-Input-Packets AVP

   The Accounting-Input-Packets AVP (AVP Code 365) is of type Unsigned64, and contains the number of packets received from the user.

   For NAS usage, this AVP indicates how many packets have been received from the port over the course of a session being provided to a Framed User and can only be present in ACR messages with an Accounting-Record-Type of INTERIM_RECORD or STOP_RECORD.

8.4.  Accounting-Output-Packets AVP

   The Accounting-Output-Packets AVP (AVP Code 366) is of type Unsigned64, and contains the number of IP packets sent to the user.

   For NAS usage, this AVP indicates how many packets have been sent to the port over the course of a session being provided to a Framed User and can only be present in ACR messages with an Accounting-Record-Type of INTERIM_RECORD or STOP_RECORD.

8.5.  Acct-Session-Time AVP

   The Acct-Session-Time AVP (AVP Code 46) is of type Unsigned32, and indicates the length of the current session in seconds. It can only be present in ACR messages with an Accounting-Record-Type of INTERIM_RECORD or STOP_RECORD.

8.6.  Acct-Authentic AVP

   The Acct-Authentic AVP (AVP Code 45) is of type Enumerated, and specifies how the user was authenticated. The supported values are listed in [RADIUSTypes]. The following list is informational:

      1  RADIUS
      2  Local
      3  Remote
      4  Diameter

8.7.  Accounting-Auth-Method AVP

   The Accounting-Auth-Method AVP (AVP Code 406) is of type Enumerated. A NAS MAY include this AVP in an Accounting-Request message to indicate what authentication method was used to authenticate the user.
   (Note that this is equivalent to the RADIUS MS-Acct-Auth-Type VSA attribute.)

   The following values are defined:

      1  PAP
      2  CHAP
      3  MS-CHAP-1
      4  MS-CHAP-2
      5  EAP
      7  None

8.8.  Acct-Delay-Time

   The Acct-Delay-Time AVP (AVP Code 41) is of type Unsigned32 and indicates the number of seconds during which the Diameter client has been trying to send the Accounting-Request (ACR) which contains it. The accounting server may subtract this value from the time the ACR arrives at the server to calculate the approximate time of the event that caused the ACR to be generated.

   This AVP is not used for retransmissions at the transport level (TCP or SCTP). Rather, it may be used when an ACR command cannot be transmitted because there is no appropriate peer to transmit it to, or was rejected because it could not be delivered to its destination. In these cases, the command MAY be buffered and transmitted some time later when an appropriate peer-connection is available or after sufficient time has passed that the destination-host may be reachable and operational. If the ACR is resent in this way the Acct-Delay-Time AVP SHOULD be included. The value of this AVP indicates the number of seconds that elapsed between the time of the first attempt at transmission and the current attempt at transmission.

8.9.  Acct-Link-Count

   The Acct-Link-Count AVP (AVP Code 51) is of type Unsigned32 and indicates the total number of links that have been active (current or closed) in a given multilink session, at the time the accounting record is generated. This AVP MAY be included in Accounting-Requests for any session which may be part of a multilink service.

   The Acct-Link-Count AVP may be used to make it easier for an accounting server to know when it has all the records for a given multilink service.
   When the number of Accounting-Requests received with Accounting-Record-Type = STOP_RECORD and the same Acct-Multi-Session-Id and unique Session-Id's equals the largest value of Acct-Link-Count seen in those Accounting-Requests, all STOP_RECORD Accounting-Requests for that multilink service have been received.

   The following example showing eight Accounting-Requests illustrates how the Acct-Link-Count AVP is used. In the table below, only the relevant AVPs are shown although additional AVPs containing accounting information will also be present in the Accounting-Requests.

      Acct-Multi-                   Accounting-    Acct-
      Session-Id     Session-Id     Record-Type    Link-Count
      --------------------------------------------------------
      "...10"        "...10"        START_RECORD   1
      "...10"        "...11"        START_RECORD   2
      "...10"        "...11"        STOP_RECORD    2
      "...10"        "...12"        START_RECORD   3
      "...10"        "...13"        START_RECORD   4
      "...10"        "...12"        STOP_RECORD    4
      "...10"        "...13"        STOP_RECORD    4
      "...10"        "...10"        STOP_RECORD    4

8.10.  Acct-Tunnel-Connection AVP

   The Acct-Tunnel-Connection AVP (AVP Code 68) is of type OctetString, and contains the identifier assigned to the tunnel session. This AVP, along with the Tunnel-Client-Endpoint and Tunnel-Server-Endpoint AVPs, may be used to provide a means to uniquely identify a tunnel session for auditing purposes.

   The format of the identifier in this AVP depends upon the value of the Tunnel-Type AVP. For example, to fully identify an L2TP tunnel connection, the L2TP Tunnel Id and Call Id might be encoded in this field. The exact encoding of this field is implementation dependent.

8.11.  Acct-Tunnel-Packets-Lost AVP

   The Acct-Tunnel-Packets-Lost AVP (AVP Code 86) is of type Unsigned32 and contains the number of packets lost on a given link.
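   The following Python is an added example (not code from the draft) of an accounting server applying the Section 8.9 completeness rule: feed Accounting-Requests in arrival order and report the moment every link of a multilink service has delivered its STOP_RECORD. The records are the eight rows of the Section 8.9 table; distinct Session-Ids are counted with a set so a retransmitted STOP_RECORD cannot complete a service prematurely.

```python
"""Acct-Link-Count completeness check for multilink services (Section 8.9).
Added example; the records below are the draft's own eight-row table."""
from collections import defaultdict

# (Acct-Multi-Session-Id, Session-Id, Accounting-Record-Type, Acct-Link-Count)
EXAMPLE_RECORDS = [
    ("...10", "...10", "START_RECORD", 1),
    ("...10", "...11", "START_RECORD", 2),
    ("...10", "...11", "STOP_RECORD", 2),
    ("...10", "...12", "START_RECORD", 3),
    ("...10", "...13", "START_RECORD", 4),
    ("...10", "...12", "STOP_RECORD", 4),
    ("...10", "...13", "STOP_RECORD", 4),
    ("...10", "...10", "STOP_RECORD", 4),
]


class MultilinkTracker:
    """Per Acct-Multi-Session-Id, remember the distinct Session-Ids seen in
    STOP_RECORDs and the largest Acct-Link-Count among those STOP_RECORDs."""

    def __init__(self):
        self.stopped = defaultdict(set)
        self.max_links = defaultdict(int)

    def add(self, record) -> bool:
        """Feed one Accounting-Request; True once all links of that multilink
        service have sent a STOP_RECORD."""
        multi_id, session_id, record_type, link_count = record
        if record_type != "STOP_RECORD":
            return False
        self.stopped[multi_id].add(session_id)   # a duplicate STOP counts once
        self.max_links[multi_id] = max(self.max_links[multi_id], link_count)
        return self.is_complete(multi_id)

    def is_complete(self, multi_id) -> bool:
        return (multi_id in self.stopped
                and len(self.stopped[multi_id]) == self.max_links[multi_id])


def completion_index(records):
    """Index of the record whose arrival completes the service, or None."""
    tracker = MultilinkTracker()
    for i, rec in enumerate(records):
        if tracker.add(rec):
            return i
    return None


if __name__ == "__main__":
    print("complete at record", completion_index(EXAMPLE_RECORDS))
```

   With the table above the service completes at the eighth record (index 7): four distinct STOP_RECORDs have arrived and the largest Acct-Link-Count among them is 4. After the seventh record only three distinct STOPs have been seen against a count of 4, so a retransmission of that seventh record still leaves the service incomplete.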
9.  RADIUS/Diameter Protocol Interactions

   This section describes some basic guidelines that may be used by servers that act as AAA Translation Agents. A complete description of all the differences between RADIUS and Diameter is beyond the scope of this section and document. Note that this document does not restrict implementations from creating additional methods, as long as the translation function doesn't violate the RADIUS or the Diameter protocols.

   There are primarily two different situations that must be handled: one where a RADIUS request is received that must be forwarded as a Diameter request, and the inverse. RADIUS does not support a peer-to-peer architecture and server initiated operations are generally not supported. See [RADDynAuth] for an alternative.

   Some RADIUS attributes are encrypted. RADIUS security and encryption techniques are applied on a hop-by-hop basis. A Diameter agent will have to decrypt RADIUS attribute data entering the Diameter system and if that information is forwarded, MUST secure it using Diameter specific techniques.

   Note that this section uses the two terms "AVP" and "attribute" in a concise and specific manner. The former is used to signify a Diameter AVP, while the latter is used to signify a RADIUS attribute.

9.1.  RADIUS Request Forwarded as Diameter Request

   This section describes the actions that should be followed when a Translation Agent receives a RADIUS message that is to be translated to a Diameter message.

   It is important to note that RADIUS servers are assumed to be stateless, and this section maintains that assumption. It is also quite possible for the RADIUS messages that comprise the session (i.e. authentication and accounting messages) to be handled by different Translation Agents in the proxy network.
   Therefore, a RADIUS/Diameter Translation Agent SHOULD NOT be assumed to have an accurate track of session state information.

   When a Translation Agent receives a RADIUS message, the following steps should be taken:

   - If a Message-Authenticator attribute is present, the value MUST be checked, but not included in the Diameter message. If it is incorrect, the RADIUS message should be silently discarded. The gateway system SHOULD generate and include a Message-Authenticator in return RADIUS responses to this system.

   - The transport address of the sender MUST be checked against the NAS identifying attributes. See the description of NAS-Identifier and NAS-IP-Address below.

   - The Diameter Origin-Host and Origin-Realm AVPs MUST be created and added using the information from an FQDN corresponding to the NAS-IP-Address attribute (preferred if available), and/or the NAS-Identifier attribute. (Note that the RADIUS NAS-Identifier is not required to be an FQDN.) The AAA protocol specified in the identity would be set to "RADIUS".

   - The Proxy-Info group SHOULD be added with the local server's identity being specified in the Proxy-Host AVP. This should ensure that the response is returned to this system.

   - The Destination-Realm AVP is created from the information found in the RADIUS User-Name attribute.

   - The Translation Agent must maintain transaction state information relevant to the RADIUS request, such as the Identifier field in the RADIUS header, any existing RADIUS Proxy-State attribute as well as the source IP address and port number of the UDP packet. These may be maintained locally in a state table, or may be saved in a Proxy-Info AVP group.

   - If the RADIUS request contained a State attribute, and the prefix of the data is "Diameter/", the data following the prefix contains the Diameter Session-Id.
     If no such attribute is present, and the RADIUS command is an Access-Request, a new Session-Id is created. The Session-Id is included in the Session-Id AVP.

   - If the RADIUS User-Password attribute is present, the password must be decrypted using the link's RADIUS shared secret and forwarded using Diameter security.

   - If the RADIUS CHAP-Password attribute is present, the Ident and Data portion of the attribute are used to create the CHAP-Auth grouped AVP.

   - If the RADIUS message contains an address attribute, it MUST be converted to the appropriate Diameter AVP and type.

   - If the RADIUS message contains Tunnel information [RADTunnels], the attributes or tagged groups should each be converted to a Diameter Tunneling Grouped AVP set. If the tunnel information contains a Tunnel-Password attribute, the RADIUS encryption must be resolved, and the password forwarded using Diameter security methods.

   - If the RADIUS message received is an Accounting-Request, the Acct-Status-Type attribute value must be converted to an Accounting-Record-Type AVP value. If the Acct-Status-Type attribute value is STOP, the local server MUST issue a Session-Termination-Request message once the Diameter Accounting-Answer message has been received.

   - If the Accounting message contains an Acct-Termination-Cause attribute, it should be translated to the equivalent Termination-Cause AVP value. (see below)

   - If the RADIUS message contains the Accounting-Input-Octets, Accounting-Input-Packets, Accounting-Output-Octets or Accounting-Output-Packets, these attributes must be converted to the Diameter equivalent ones. Further, if the Acct-Input-Gigawords or Acct-Output-Gigawords attributes are present, these must be used to properly compute the Diameter accounting AVPs.
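   The following Python is an added example (not code from the draft or from any gateway product) covering three of the Section 9.1 steps that are easy to get wrong: verifying a Message-Authenticator before anything else is trusted, recovering the Diameter Session-Id from a "Diameter/"-prefixed State (or, for accounting, Class) attribute, and folding Acct-Input-Gigawords into the 64-bit Accounting-Input-Octets AVP. The reverse Gigawords split needed for Section 9.2 is included too. The shared secret, Request Authenticator, Session-Id string and both packets are constructed for the example; the attribute type numbers are the standard RADIUS ones, and the Message-Authenticator is computed as RFC 2869 defines it (HMAC-MD5 over the packet with the attribute's 16 value octets zeroed).

```python
"""RADIUS-to-Diameter translation helpers for Section 9.1 (added example).
Packet contents, the shared secret and the Session-Id are constructed."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4
STATE, CLASS = 24, 25
ACCT_STATUS_TYPE = 40
ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS = 42, 43
ACCT_INPUT_GIGAWORDS, ACCT_OUTPUT_GIGAWORDS = 52, 53
MESSAGE_AUTHENTICATOR = 80
# RADIUS Acct-Status-Type -> Diameter Accounting-Record-Type (Start/Stop/Interim)
RECORD_TYPE = {1: "START_RECORD", 2: "STOP_RECORD", 3: "INTERIM_RECORD"}


def encode_packet(code, identifier, authenticator, attrs):
    """Serialise a RADIUS packet from (type, value) attribute pairs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def parse_attrs(packet):
    """Return [(offset, type, value)] for every attribute, rejecting bad lengths."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad RADIUS length")
    out, off = [], 20
    while off < len(packet):
        t, length = packet[off], packet[off + 1]
        if length < 2 or off + length > len(packet):
            raise ValueError("malformed attribute")
        out.append((off, t, packet[off + 2:off + length]))
        off += length
    return out


def sign_packet(code, identifier, authenticator, attrs, secret):
    """Append a Message-Authenticator: HMAC-MD5 keyed with the shared secret
    over the whole packet with the attribute's value set to 16 zero octets."""
    blank = encode_packet(code, identifier, authenticator,
                          attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    return blank[:-16] + hmac.new(secret, blank, hashlib.md5).digest()


def check_message_authenticator(packet, secret):
    """None if absent, True if present and correct, False if present and wrong."""
    for off, t, value in parse_attrs(packet):
        if t == MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return False
            blank = packet[:off + 2] + bytes(16) + packet[off + 18:]
            expected = hmac.new(secret, blank, hashlib.md5).digest()
            return hmac.compare_digest(value, expected)
    return None


def diameter_session_id(attrs):
    """Session-Id rides in State (Access-Request) or Class (accounting)
    as "Diameter/<Session-Id>"; None when no such attribute is present."""
    for _, t, value in attrs:
        if t in (STATE, CLASS) and value.startswith(b"Diameter/"):
            return value[len(b"Diameter/"):].decode("utf-8")
    return None


def combine_gigawords(low, giga):
    """32-bit RADIUS counter plus Gigawords -> 64-bit Diameter counter."""
    return (giga << 32) | low


def split_gigawords(value):
    """Inverse mapping for Section 9.2: 64-bit Diameter counter -> (low, Gigawords)."""
    if not 0 <= value < 1 << 64:
        raise ValueError("counter does not fit in 64 bits")
    return value & 0xFFFFFFFF, value >> 32


def translate_request(packet, secret):
    """Apply the checks above and build the Diameter AVPs this example covers.
    Returns None when a Message-Authenticator is present but wrong (discard)."""
    if check_message_authenticator(packet, secret) is False:
        return None
    attrs = parse_attrs(packet)
    u32 = {t: struct.unpack("!I", v)[0] for _, t, v in attrs if len(v) == 4}
    avps = {"Session-Id": diameter_session_id(attrs)}
    if packet[0] == ACCOUNTING_REQUEST:
        avps["Accounting-Record-Type"] = RECORD_TYPE[u32[ACCT_STATUS_TYPE]]
        if ACCT_INPUT_OCTETS in u32:
            avps["Accounting-Input-Octets"] = combine_gigawords(
                u32[ACCT_INPUT_OCTETS], u32.get(ACCT_INPUT_GIGAWORDS, 0))
        if ACCT_OUTPUT_OCTETS in u32:
            avps["Accounting-Output-Octets"] = combine_gigawords(
                u32[ACCT_OUTPUT_OCTETS], u32.get(ACCT_OUTPUT_GIGAWORDS, 0))
    return avps


SECRET = b"constructed-shared-secret"                   # constructed
AUTHENTICATOR = bytes(range(16))                         # constructed Request Authenticator
SESSION = b"Diameter/nas.example.com;1096298391;77"      # constructed Session-Id


def build_samples():
    """A signed Access-Request and an Accounting-Request, both constructed."""
    access = sign_packet(ACCESS_REQUEST, 7, AUTHENTICATOR, [(STATE, SESSION)], SECRET)
    acct = encode_packet(ACCOUNTING_REQUEST, 8, AUTHENTICATOR, [
        (CLASS, SESSION),
        (ACCT_STATUS_TYPE, struct.pack("!I", 2)),           # Stop
        (ACCT_INPUT_OCTETS, struct.pack("!I", 0xFFFFFFF0)),
        (ACCT_INPUT_GIGAWORDS, struct.pack("!I", 3)),
    ])
    return access, acct
```

   Flipping any byte of the signed Access-Request makes `translate_request` return None, which is the silent discard the first step calls for; the Accounting-Request has no Message-Authenticator, so the check reports None and translation proceeds, yielding an Accounting-Input-Octets value of 3 * 2^32 + 0xFFFFFFF0 that no 32-bit attribute could carry.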
   The corresponding Diameter response is always guaranteed to be received by the same Translation Agent that translated the original request, due to the contents of the Origin-Host AVP in the Diameter request. The following steps are applied to the response message during the Diameter to RADIUS translation:

   - If the Diameter Command-Code is set to AA-Answer and the Result-Code AVP is set to DIAMETER_MULTI_ROUND_AUTH, the gateway must send a RADIUS Access-Challenge with the Diameter Session-Id and the Origin-Host AVPs encapsulated in the RADIUS State attribute, with the prefix "Diameter/". This is necessary in order to ensure that the Translation Agent that will receive the subsequent RADIUS Access-Request will have access to the Session Identifier, and be able to set the Destination-Host to the correct value. If the Multi-Round-Time-Out AVP is present, the value of the AVP MUST be inserted in the RADIUS Session-Timeout attribute.

   - If the Command-Code is set to AA-Answer, the Diameter Session-Id AVP is saved in a new RADIUS Class attribute, whose format consists of the string "Diameter/" followed by the Diameter Session Identifier. This will ensure that the subsequent Accounting messages, which could be received by any Translation Agent, would have access to the original Diameter Session Identifier.

   - If a Proxy-State attribute was present in the RADIUS request, the same attribute is added in the response. This information may be found in the Proxy-Info AVP group, or in a local state table.

   - If state information regarding the RADIUS request was saved in a Proxy-Info AVP or local state table, the RADIUS Identifier and UDP IP Address and port number are extracted and used in issuing the RADIUS reply.
   When translating a Diameter AA-Answer (with successful result code) to RADIUS Access-Accept, that contains a Session-Timeout or Authorization-Lifetime AVP:

   - If the Diameter message contains a Session-Timeout AVP but no Authorization-Lifetime AVP, translate it to Session-Timeout attribute (and no Termination-Action).

   - If the Diameter message contains an Authorization-Lifetime AVP but no Session-Timeout AVP, translate it to Session-Timeout attribute and Termination-Action set to AA-REQUEST. (And remove Authorization-Lifetime and Re-Auth-Request-Type)

   - If the Diameter message has both, the Session-Timeout is always greater than or equal to Authorization-Lifetime (required by Base). I guess the safest bet is to translate it to Session-Timeout value (with value from Authorization-Lifetime AVP, the smaller one) and Termination-Action set to AA-REQUEST. (And remove Authorization-Lifetime and Re-Auth-Request-Type)

9.1.1.  RADIUS Dynamic Authorization considerations

   A Diameter/RADIUS gateway may be communicating with a server that implements RADIUS Dynamic Authorization [RADDynAuth]. If it supports these functions it MUST be listening on the assigned port, and would receive RADIUS CoA-Request and Disconnect-Request messages. These can be mapped into the Diameter Re-Auth-Request (RAR) and Abort-Session-Request (ASR) message exchanges respectively [Base].

   If [RADDynAuth] is not supported, the port would not be active and the RADIUS server would receive an ICMP Port Unreachable indication. Alternatively, if the messages are received, but with an inappropriate Service-Type, the gateway can respond with the appropriate NAK message and an Error-Cause attribute with the value of 405, "Unsupported Service".

   The RADIUS CoA-Request and Disconnect-Request messages will not contain a Diameter Session-Id.
   Diameter requires this value to match an active session context. The gateway MUST have a session id cache (or other means) to be able to identify the sessions that these functions pertain to. If unable to identify the session, the gateway (or NAS) should return an Error-Cause value 503, "Session Context Not Found".

   The RADIUS CoA-Request message only supports a change of authorization attributes, and the received CoA-Request SHOULD include a Service-Type of "Authorize-Only"; this indicates an extended exchange request by the rules given in [RADDynAuth] Section 3.2 Note 6. This is the only type of exchange supported by Diameter [Base].

   For the CoA-Request, the translated RAR message will have a Re-Auth-Type of AUTHORIZE_ONLY. The returned RAA will be translated into a CoA-NAK with Error-Cause "Request Initiated"; the gateway's Diameter client SHOULD also start a reauthorization sequence by sending an AAR message, which will be translated into an Access-Request message. The RADIUS server will use the Access-Accept (or Access-Reject) message to convey the new authorization attributes, which the gateway will pass back in an AAA message.

   Any attributes included in the CoA-Request or Access-Accept message are to be considered mandatory in Diameter, and if they cannot be supported, MUST result in a message error return to the RADIUS server with an Error-Cause of "Unsupported Attribute". The Diameter NAS will attempt to apply all the attributes supplied in the AA message to the session.

   A RADIUS Disconnect-Request message received by the gateway would be translated to a Diameter Abort-Session-Request (ASR) message [Base]. The results will be returned by the Diameter client in an Abort-Session-Answer (ASA) message. A success indication would translate to a RADIUS Disconnect-ACK, a failure would generate a Disconnect-NAK.
9.2.  Diameter Request Forwarded as RADIUS Request

   When a server receives a Diameter request that is to be forwarded to a RADIUS entity, the following steps are an example of the steps that may be followed:

   - The Origin-Host AVP's value is inserted in the NAS-Identifier attribute.

   - The following information MUST be present in the corresponding Diameter response, and therefore MUST be saved either in a local state table, or encoded in a RADIUS Proxy-State attribute:
        1. Origin-Host AVP
        2. Session-Id AVP
        3. Proxy-Info AVP
        4. Any other AVP that MUST be present in the response, and has no corresponding RADIUS attribute.

   - If the CHAP-Auth AVP is present, the grouped AVPs are used to create the RADIUS CHAP-Password attribute data.

   - If the User-Password AVP is present, the data should be encrypted using RADIUS rules. Likewise for any other encrypted attribute values.

   - AVPs that are of the type Address must be translated to the corresponding RADIUS attribute.

   - If the Accounting-Input-Octets, Accounting-Input-Packets, Accounting-Output-Octets or Accounting-Output-Packets AVPs are present, these must be translated to the corresponding RADIUS attributes. Further, if the value of the Diameter AVPs does not fit within a 32-bit RADIUS attribute, the RADIUS Acct-Input-Gigawords and Acct-Output-Gigawords attributes must be used.

   - If the RADIUS link supports the Message-Authenticator attribute [RADIUSExt] it SHOULD be generated and added to the request.

   When the corresponding response is received by the Translation Agent, which is guaranteed in the RADIUS protocol, the following steps may be followed:

   - If the RADIUS code is set to Access-Challenge, a Diameter AA-Answer message is created with the Result-Code set to DIAMETER_MULTI_ROUND_AUTH.
     If the Session-Timeout attribute is present in the RADIUS message, its value is inserted in the Multi-Round-Time-Out AVP.

   - If a Proxy-State attribute is present, extract the encoded information, otherwise retrieve the original Proxy-Info AVP group information from the local state table.

   - The response's Origin-Host information is created from the FQDN of the source IP address of the RADIUS message. The same FQDN is also stored to a Route-Record AVP.

   - The response's Destination-Host AVP is copied from the saved request's Origin-Host information.

   - The Acct-Session-Id information is added to the Session-Id AVP.

   - If a Proxy-Info AVP was present in the request, the same AVP MUST be added to the response.

   - If the RADIUS State attributes are present, these attributes must be present in the Diameter response.

   - Any other AVPs that were saved at request time, and MUST be present in the response, are added to the message.

   When translating a RADIUS Access-Accept to Diameter AA-Answer, that contains a Session-Timeout attribute, do the following:

   - If the RADIUS message contains a Session-Timeout attribute and a Termination-Action attribute set to DEFAULT (or no Termination-Action attribute at all), translate it to AA-Answer with a Session-Timeout AVP, and remove the Termination-Action attribute.

   - If the RADIUS message contains a Session-Timeout attribute and a Termination-Action attribute set to AA-REQUEST, translate it to AA-Answer with Authorization-Lifetime AVP and Re-Auth-Request-Type set to AUTHORIZE_AUTHENTICATE, and remove the Session-Timeout attribute.
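   The following Python is an added example (not code from the draft) that writes out the Session-Timeout and Authorization-Lifetime mapping in both directions: the three AA-Answer to Access-Accept cases at the end of Section 9.1 and the two Access-Accept to AA-Answer cases just above. Messages are modelled as plain dictionaries keyed by AVP or attribute name, and Termination-Action is written with the names the draft uses (DEFAULT, AA-REQUEST) rather than its numeric RADIUS values.

```python
"""Session-Timeout / Authorization-Lifetime translation rules from the end of
Section 9.1 (Diameter -> RADIUS) and Section 9.2 (RADIUS -> Diameter).
Added example; messages are dictionaries keyed by AVP/attribute name."""

TIMEOUT_AVPS = ("Session-Timeout", "Authorization-Lifetime", "Re-Auth-Request-Type")
TIMEOUT_ATTRS = ("Session-Timeout", "Termination-Action")


def aa_answer_to_access_accept(avps):
    """Successful AA-Answer -> Access-Accept.  Only the timeout-related AVPs are
    rewritten; every other AVP is copied through unchanged."""
    attrs = {k: v for k, v in avps.items() if k not in TIMEOUT_AVPS}
    st = avps.get("Session-Timeout")
    al = avps.get("Authorization-Lifetime")
    if al is None:
        if st is not None:
            attrs["Session-Timeout"] = st            # and no Termination-Action
    else:
        # Base requires Session-Timeout >= Authorization-Lifetime, so the
        # lifetime is the smaller value; min() also covers a malformed answer.
        attrs["Session-Timeout"] = al if st is None else min(st, al)
        attrs["Termination-Action"] = "AA-REQUEST"
    return attrs


def access_accept_to_aa_answer(attrs):
    """Access-Accept -> AA-Answer."""
    avps = {k: v for k, v in attrs.items() if k not in TIMEOUT_ATTRS}
    st = attrs.get("Session-Timeout")
    if st is None:
        return avps
    if attrs.get("Termination-Action", "DEFAULT") == "DEFAULT":
        avps["Session-Timeout"] = st
    else:   # AA-REQUEST: the NAS must return for re-authorization
        avps["Authorization-Lifetime"] = st
        avps["Re-Auth-Request-Type"] = "AUTHORIZE_AUTHENTICATE"
    return avps


if __name__ == "__main__":
    both = {"Session-Timeout": 3600, "Authorization-Lifetime": 600,
            "Re-Auth-Request-Type": "AUTHORIZE_ONLY"}
    print(aa_answer_to_access_accept(both))
    print(access_accept_to_aa_answer(aa_answer_to_access_accept(both)))
```

   Running the module shows the round trip is lossy by design: an AA-Answer carrying both AVPs comes back as Authorization-Lifetime 600 with Re-Auth-Request-Type AUTHORIZE_AUTHENTICATE, and the original Session-Timeout of 3600 is gone, because a single RADIUS Session-Timeout attribute cannot express both limits.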
9.2.1.  RADIUS Dynamic Authorization considerations

   A RADIUS/Diameter gateway that is communicating with a RADIUS client that implements RADIUS Dynamic Authorization [RADDynAuth] may translate Diameter Re-Auth-Request (RAR) messages and Abort-Session-Request (ASR) messages [Base] into RADIUS CoA-Request and Disconnect-Request messages respectively.

   If the RADIUS client does not support the capability, the gateway will receive an ICMP Port Unreachable indication when it transmits the RADIUS message. Even if the NAS supports [RADDynAuth], it may not support the Service-Type in the request message. In this case it will respond with a NAK message and (optionally) an Error-Cause attribute with value 405, "Unsupported Service". If the gateway encounters these error conditions, or if it does not support [RADDynAuth], it sends a Diameter Answer message with a Result-Code AVP of "DIAMETER_COMMAND_UNSUPPORTED" to the AAA server.

   When encoding the RADIUS messages, the gateway MUST include the Diameter Session-ID in the RADIUS State attribute value, as mentioned above. The RADIUS client should return it in the response.

   A Diameter Re-Auth-Request (RAR) message [Base] received by the gateway will be translated into a RADIUS CoA-Request and sent to the RADIUS client. The RADIUS client should respond with a CoA-ACK or CoA-NAK message, which the gateway should translate into a Re-Auth-Answer (RAA) message.

   If the gateway receives a RADIUS CoA-NAK response containing a Service-Type Attribute with value "Authorize Only" and an Error-Cause Attribute with value "Request Initiated", this indicates an extended exchange request by the rules given in [RADDynAuth] Section 3.2 Note 6.

   The response is translated to a Diameter Re-Auth-Answer (RAA) with a Result-Code AVP of "DIAMETER_LIMITED_SUCCESS" sent to the AAA server.
   Subsequently, the gateway should receive a RADIUS Access-Request from the NAS, with a Service-Type of "Authorize Only". This is translated to a Diameter AA-Request with an Auth-Request-Type AVP of AUTHORIZE_ONLY, sent to the AAA server. The AAA server will then reply with a Diameter AA-Answer, which is translated to a RADIUS Access-Accept or Access-Reject, depending on the value of the Result-Code AVP.

   A Diameter Abort-Session-Request (ASR) message [Base] received by the gateway will be translated into a RADIUS Disconnect-Request and sent to the RADIUS client. The RADIUS client should respond with a Disconnect-ACK or Disconnect-NAK message, which the gateway should translate into an Abort-Session-Answer (ASA) message.

   If the gateway receives a RADIUS Disconnect-NAK response containing a Service-Type Attribute with value "Authorize Only" and an Error-Cause Attribute with value "Request Initiated", the Disconnect-NAK response is translated to a Diameter Abort-Session-Answer (ASA) with a Result-Code AVP of "DIAMETER_LIMITED_SUCCESS" sent to the AAA server.

   Subsequently, the gateway should receive a RADIUS Access-Request from the NAS, with a Service-Type of "Authorize Only". This is translated to a Diameter AA-Request with an Auth-Request-Type AVP of AUTHORIZE_ONLY, sent to the AAA server. The AAA server will then reply with a Diameter AA-Answer, which is translated to a RADIUS Access-Accept or Access-Reject, depending on the value of the Result-Code AVP.

9.3.  AVPs Used Only for Compatibility

   The AVPs defined in this section SHOULD only be used for backwards compatibility when a Diameter/RADIUS translation function is invoked, and are not typically originated by Diameter systems during normal operations.
                                              +---------------------+
                                              |  AVP Flag rules     |
                                              |----+-----+----+-----|----+
                      AVP  Section            |    |     |SHLD| MUST|    |
   Attribute Name     Code Defined Value Type |MUST| MAY | NOT| NOT|Encr|
   -------------------------------------------|----+-----+----+-----|----|
   NAS-Identifier      32  9.3.1   UTF8String | M  |  P  |    |  V  | Y  |
   NAS-IP-Address       4  9.3.2   OctetString| M  |  P  |    |  V  | Y  |
   NAS-IPv6-Address    95  9.3.3   OctetString| M  |  P  |    |  V  | Y  |
   State               24  9.3.4   OctetString| M  |  P  |    |  V  | Y  |
   Termination-       295  9.3.5   Enumerated | M  |  P  |    |  V  | Y  |
     Cause                                    |    |     |    |     |    |
   -------------------------------------------|----+-----+----+-----|----|

9.3.1.  NAS-Identifier AVP

   The NAS-Identifier AVP (AVP Code 32) [RADIUS] is of type UTF8String and contains the identity of the NAS providing service to the user. This AVP SHOULD only be added by a RADIUS/Diameter Translation Agent. When this AVP is present, the Origin-Host AVP identifies the RADIUS/Diameter Translation Agent rather than the NAS providing service to the user.

   In RADIUS it would be possible for a rogue NAS to forge the NAS-Identifier attribute. Diameter/RADIUS translation agents SHOULD attempt to check a received NAS-Identifier attribute against the source address of the RADIUS packet, by doing an A/AAAA RR query. If the NAS-Identifier attribute contains an FQDN, then such a query would resolve to an IP address matching the source address. However, the NAS-Identifier attribute is not required to contain an FQDN, so such a query could fail. In this case, an error should be logged, but no other action taken, other than doing a reverse lookup on the source address and inserting the resulting FQDN into the Route-Record AVP.

   Diameter agents and servers SHOULD check whether a NAS-Identifier AVP corresponds to an entry in the Route-Record AVP.
If no match is
found, then an error is logged, but no other action is taken.

9.3.2. NAS-IP-Address AVP

The NAS-IP-Address AVP (AVP Code 4) [RADIUS] is of type OctetString,
and contains the IP Address of the NAS providing service to the user.
This AVP SHOULD only be added by a RADIUS/Diameter Translation Agent.
When this AVP is present, the Origin-Host AVP identifies the
RADIUS/Diameter Translation Agent rather than the NAS providing
service to the user.

In RADIUS it would be possible for a rogue NAS to forge the
NAS-IP-Address attribute value. Diameter/RADIUS translation agents
MUST check a received NAS-IP-Address or NAS-IPv6-Address attribute
against the source address of the RADIUS packet. If they do not
match, and the Diameter/RADIUS translation agent does not know
whether the packet was sent by a RADIUS proxy or NAS (e.g. no
Proxy-State attribute) then by default it is assumed that the source
address corresponds to a RADIUS proxy, and that the NAS Address is
behind that proxy, potentially with some additional RADIUS proxies in
between. The Diameter/RADIUS translation agent MUST insert entries
in the Route-Record AVP corresponding to the apparent route. This
implies doing a reverse lookup on the source address and
NAS-IP-Address, or NAS-IPv6-Address attributes in order to determine
the corresponding FQDNs.

If the source address and the NAS-IP-Address, or NAS-IPv6-Address do
not match, and the Diameter/RADIUS translation agent knows that it is
talking directly to the NAS (e.g. no RADIUS proxies between it and
the NAS), then the error should be logged, and the packet MUST be
discarded.

Diameter agents and servers MUST check whether the NAS-IP-Address AVP
corresponds to an entry in the Route-Record AVP.
This is done by
doing a reverse lookup (PTR RR) for the NAS-IP-Address to retrieve
the corresponding FQDN, and checking for a match with the
Route-Record AVP. If no match is found, then an error is logged, but
no other action is taken.

9.3.3. NAS-IPv6-Address AVP

The NAS-IPv6-Address AVP (AVP Code 95) [RADIUSIPv6] is of type
OctetString, and contains the IPv6 Address of the NAS providing
service to the user. This AVP SHOULD only be added by a
RADIUS/Diameter Translation Agent. When this AVP is present, the
Origin-Host AVP identifies the RADIUS/Diameter Translation Agent
rather than the NAS providing service to the user.

In RADIUS it would be possible for a rogue NAS to forge the
NAS-IPv6-Address attribute. Diameter/RADIUS translation agents MUST
check a received NAS-IPv6-Address attribute against the source
address of the RADIUS packet. If they do not match, and the
Diameter/RADIUS translation agent does not know whether the packet
was sent by a RADIUS proxy or NAS (e.g. no Proxy-State attribute)
then by default it is assumed that the source address corresponds to
a RADIUS proxy, and that the NAS-IPv6-Address is behind that proxy,
potentially with some additional RADIUS proxies in between. The
Diameter/RADIUS translation agent MUST insert entries in the
Route-Record AVP corresponding to the apparent route. This implies
doing a reverse lookup on the source address and NAS-IPv6-Address
attributes in order to determine the corresponding FQDNs.

If the source address and the NAS-IPv6-Address do not match, and the
Diameter/RADIUS translation agent knows that it is talking directly
to the NAS (e.g. no RADIUS proxies between it and the NAS), then the
error should be logged, and the packet MUST be discarded.
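The checks of Sections 9.3.1 to 9.3.3 amount to one decision procedure at
the translation agent: a NAS-Identifier that fails to resolve is only
logged, while a NAS-IP-Address or NAS-IPv6-Address that disagrees with the
packet's source address is either discarded (link known to be direct) or
explained by a presumed proxy whose hops go into Route-Record. The
following Python is an added example, not code from the draft. DNS is
stood in for by constructed forward and reverse tables (the host names
are made up; 192.0.2.0/24 and 2001:db8::/32 are documentation ranges),
the "talking directly to the NAS" fact comes from local configuration,
and the Proxy-State attribute is modelled as a boolean. The order in
which the apparent route is inserted into Route-Record is an assumption;
the draft does not specify it.

```python
"""Added example, not code from the draft: the checks a RADIUS/Diameter
translation agent applies to NAS-Identifier, NAS-IP-Address and
NAS-IPv6-Address before forwarding (draft Sections 9.3.1 to 9.3.3).
DNS is replaced by constructed in-memory tables so this runs offline;
a real agent would issue A/AAAA and PTR queries instead.
"""
import ipaddress
import logging
from dataclasses import dataclass, field
from typing import List, Optional

log = logging.getLogger("radius-diameter-gateway")

# Constructed records standing in for DNS (assumption, not from the draft).
FORWARD = {"nas1.example.net": ["192.0.2.10"], "proxy.example.net": ["192.0.2.1"]}
REVERSE = {"192.0.2.10": "nas1.example.net", "192.0.2.1": "proxy.example.net",
           "2001:db8::10": "nas6.example.net"}


def resolve(name: str) -> list:
    """A/AAAA lookup substitute: addresses the name resolves to."""
    return [ipaddress.ip_address(a) for a in FORWARD.get(name, [])]


def reverse_lookup(addr) -> Optional[str]:
    """PTR lookup substitute: FQDN for an address, or None."""
    return REVERSE.get(str(addr))


@dataclass
class RadiusRequest:
    src_addr: str                      # source IP of the UDP datagram
    nas_identifier: Optional[str] = None
    nas_ip_address: Optional[str] = None
    nas_ipv6_address: Optional[str] = None
    has_proxy_state: bool = False      # Proxy-State present => a proxy sent it


@dataclass
class Decision:
    forward: bool = True               # False => the packet MUST be discarded
    route_record: List[str] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)


def check_nas_identifier(req: RadiusRequest, d: Decision) -> None:
    """9.3.1: SHOULD check. A failed check is logged only, and the PTR name
    of the source address is inserted into Route-Record."""
    if req.nas_identifier is None:
        return
    src = ipaddress.ip_address(req.src_addr)
    if src in resolve(req.nas_identifier):
        return
    d.errors.append(f"NAS-Identifier {req.nas_identifier!r} does not resolve to {src}")
    name = reverse_lookup(src)
    if name:
        d.route_record.append(name)


def check_nas_address(req: RadiusRequest, attr: Optional[str], d: Decision,
                      direct_to_nas: bool) -> None:
    """9.3.2/9.3.3: MUST check. On mismatch, a link known to be direct to the
    NAS means discard; otherwise the source is presumed to be a proxy and
    the apparent route (NAS, then proxy) is recorded via reverse lookup."""
    if attr is None:
        return
    src = ipaddress.ip_address(req.src_addr)
    claimed = ipaddress.ip_address(attr)
    if src == claimed:
        return
    d.errors.append(f"NAS address {claimed} does not match source {src}")
    if direct_to_nas and not req.has_proxy_state:
        d.forward = False
        return
    for hop in (claimed, src):          # hop order is an assumption
        d.route_record.append(reverse_lookup(hop) or str(hop))


def translate(req: RadiusRequest, direct_to_nas: bool = False) -> Decision:
    """Run all three checks; direct_to_nas is local configuration knowledge."""
    d = Decision()
    check_nas_identifier(req, d)
    check_nas_address(req, req.nas_ip_address, d, direct_to_nas)
    check_nas_address(req, req.nas_ipv6_address, d, direct_to_nas)
    for err in d.errors:
        log.error(err)
    return d
```

A request whose source matches both attributes passes silently; a
mismatch behind an unknown path is forwarded with the NAS and proxy names
in Route-Record; the same mismatch on a link configured as direct is
dropped.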
Diameter agents and servers MUST check whether the NAS-IPv6-Address
AVP corresponds to an entry in the Route-Record AVP. This is done by
doing a reverse lookup (PTR RR) for the NAS-IPv6-Address to retrieve
the corresponding FQDN, and checking for a match with the
Route-Record AVP. If no match is found, then an error is logged, but
no other action is taken.

9.3.4. State AVP

The State AVP (AVP Code 24) [RADIUS] is of type OctetString and has
two uses in the Diameter NAS application.

The State AVP MAY be sent by a Diameter Server to a NAS in an
AA-Answer command that contains a Result-Code of
DIAMETER_MULTI_ROUND_AUTH. If so, the NAS MUST return it unmodified
in the subsequent AA-Request command.

The State AVP MAY also be sent by a Diameter Server to a NAS in an
AA-Answer command that also includes a Termination-Action AVP with
the value of AA-REQUEST. If the NAS performs the Termination-Action
by sending a new AA-Request command upon termination of the current
service, it MUST return the State AVP unmodified in the new request
command.

In either usage the NAS MUST NOT interpret the AVP locally. Usage of
the State AVP is implementation dependent.

9.3.5. Termination-Cause AVP Code Values

This section defines a mapping between Termination-Cause AVP code
values and RADIUS Acct-Terminate-Cause attribute code values from RFC
2866 [RADIUSAcct] and [RADIUSTypes], thereby allowing a
RADIUS/Diameter Translation Agent to convert between the attribute
and AVP values. This section thus extends the definitions in the
"Termination-Cause AVP" section of the Base Diameter specification.

The table in this section defines the mapping between
Termination-Cause AVP and RADIUS Acct-Terminate-Cause values.
                                 +-----------------------+
                                 |         Value         |
                                 +-----------+-----------+
   Cause Value Name              |  RADIUS   | Diameter  |
   ------------------------------|-----------+-----------+
   User Request                  |     1     |    11     |
   Lost Carrier                  |     2     |    12     |
   Lost Service                  |     3     |    13     |
   Idle Timeout                  |     4     |    14     |
   Session Timeout               |     5     |    15     |
   Admin Reset                   |     6     |    16     |
   Admin Reboot                  |     7     |    17     |
   Port Error                    |     8     |    18     |
   NAS Error                     |     9     |    19     |
   NAS Request                   |    10     |    20     |
   NAS Reboot                    |    11     |    21     |
   Port Unneeded                 |    12     |    22     |
   Port Preempted                |    13     |    23     |
   Port Suspended                |    14     |    24     |
   Service Unavailable           |    15     |    25     |
   Callback                      |    16     |    26     |
   User Error                    |    17     |    27     |
   Host Request                  |    18     |    28     |
   Supplicant Restart            |    19     |    29     | [RAD802.1X]
   Reauthentication Failure      |    20     |    30     | [RAD802.1X]
   Port Reinit                   |    21     |    31     | [RAD802.1X]
   Port Disabled                 |    22     |    32     | [RAD802.1X]
   ------------------------------|-----------+-----------+

From RFC 2866, the termination causes are as follows:

   User Request         User requested termination of service, for
                        example with LCP Terminate or by logging out.

   Lost Carrier         DCD was dropped on the port.

   Lost Service         Service can no longer be provided; for
                        example, user's connection to a host was
                        interrupted.

   Idle Timeout         Idle timer expired.

   Session Timeout      Maximum session length timer expired.

   Admin Reset          Administrator reset the port or session.

   Admin Reboot         Administrator is ending service on the NAS,
                        for example prior to rebooting the NAS.

   Port Error           NAS detected an error on the port which
                        required ending the session.

   NAS Error            NAS detected some error (other than on the
                        port) which required ending the session.

   NAS Request          NAS ended session for a non-error reason not
                        otherwise listed here.

   NAS Reboot           The NAS ended the session in order to reboot
                        non-administratively ("crash").
   Port Unneeded        NAS ended session because resource usage fell
                        below low-water mark (for example, if a
                        bandwidth-on-demand algorithm decided that
                        the port was no longer needed).

   Port Preempted       NAS ended session in order to allocate the
                        port to a higher priority use.

   Port Suspended       NAS ended session to suspend a virtual
                        session.

   Service Unavailable  NAS was unable to provide requested service.

   Callback             NAS is terminating current session in order
                        to perform callback for a new session.

   User Error           Input from user is in error, causing
                        termination of session.

   Host Request         Login Host terminated session normally.

9.4. Prohibited RADIUS Attributes

The following RADIUS attributes MUST NOT appear in a Diameter
message. Instead, they are translated to other Diameter AVPs or
handled in some special manner. The rules for the treatment of the
attributes are discussed in Sections 9.1, 9.2 and 9.6.

   Attribute  Description            Defined   Nearest Diameter AVP
   -----------------------------------------------------------------
     3        CHAP-Password          RFC 2865  CHAP-Auth Group
    26        Vendor-Specific        RFC 2865  Vendor Specific AVP
    29        Termination-Action     RFC 2865  Authorization-Lifetime
    40        Acct-Status-Type       RFC 2866  Accounting-Record-Type
    42        Acct-Input-Octets      RFC 2866  Accounting-Input-Octets
    43        Acct-Output-Octets     RFC 2866  Accounting-Output-Octets
    47        Acct-Input-Packets     RFC 2866  Accounting-Input-Packets
    48        Acct-Output-Packets    RFC 2866  Accounting-Output-Packets
    49        Acct-Terminate-Cause   RFC 2866  Termination-Cause
    52        Acct-Input-Gigawords   RFC 2869  Accounting-Input-Octets
    53        Acct-Output-Gigawords  RFC 2869  Accounting-Output-Octets
    80        Message-Authenticator  RFC 2869  none - check and discard

9.5. Translatable Diameter AVPs

In general, Diameter AVPs that are not RADIUS compatible have code
values greater than 255.
The table in the section above shows the
AVPs that can be converted into RADIUS attributes.

Another problem may occur with Diameter AVP values that may be more
than 253 octets in length. Some RADIUS attributes (including but
not limited to (8) Reply-Message, (79) EAP-Message, and (77)
Connect-Info) allow concatenation of multiple instances to overcome
this limitation. If this is not possible, a Result-Code of
DIAMETER_INVALID_AVP_LENGTH should be returned.

9.6. RADIUS Vendor Specific Attributes

RADIUS supports the inclusion of Vendor Specific Attributes (VSAs)
through the use of attribute 26. The recommended format [RADIUS] of
the attribute data field includes a 4 octet vendor code followed by a
one octet vendor type field and a one octet vendor length field. The
last two fields, with the vendor data they introduce, MAY be
repeated.

9.6.1. Forwarding a Diameter Vendor AVP as a RADIUS VSA

The RADIUS VSA attribute should consist of the following fields:

   RADIUS Type = 26, Vendor Specific Attribute
   RADIUS Length = total length of attribute (header + data)
   RADIUS Vendor code = Diameter Vendor code
   RADIUS Vendor type code = low order byte of Diameter AVP code
   RADIUS Vendor length = length of Diameter data (not including
                          padding) plus the two octets of the vendor
                          type and vendor length fields themselves,
                          which [RADIUS] counts in the Vendor length

If the Diameter AVP code is greater than 255, then the RADIUS
speaking code may use a Vendor specific field coding, if it knows one
for that vendor. Otherwise, the AVP will be ignored, unless it is
flagged as Mandatory, in which case a "DIAMETER_AVP_UNSUPPORTED"
Result-Code will be returned, and the RADIUS message will not be
sent.

9.6.2. Forwarding a RADIUS VSA to a Diameter Vendor AVP

The Diameter AVP will consist of the following fields:

   Diameter Flags: V=1, M=0, P=0
   Diameter Vendor code = RADIUS VSA Vendor code
   Diameter AVP code = RADIUS VSA Vendor type code
   Diameter AVP length = length of AVP header + data; the padding
                         octets that bring the AVP to a 32-bit
                         boundary are transmitted but, per [Base],
                         are not counted in the AVP Length field
   Diameter Data = RADIUS VSA vendor data

NOTE: VSAs are considered optional by RADIUS rules, and this
specification does not set the Mandatory flag. If a VSA is to be
made mandatory, because it represents a required service policy, the
RADIUS gateway should have a process to set the bit on the Diameter
side.

If the RADIUS receiving code knows of vendor specific field
interpretations for the specific vendor, it may employ them to parse
an extended AVP code or data length. Otherwise the recommended
standard fields will be used.

Multiple nested vendor data fields MUST be expanded into multiple
Diameter AVPs.

10. AVP Occurrence Tables

The following tables present the AVPs used by NAS applications, in
NAS messages, and specify in which Diameter messages they MAY, or
MUST NOT, be present. [Base] messages and AVPs are not described in
this document. Note that AVPs that can only be present within a
Grouped AVP are not represented in this table.

The table uses the following symbols:

   0     The AVP MUST NOT be present in the message.
   0+    Zero or more instances of the AVP MAY be present in the
         message.
   0-1   Zero or one instance of the AVP MAY be present in the
         message.
   1     One instance of the AVP MUST be present in the message.

10.1. AA-Request/Answer AVP Table

The table in this section is limited to the Command Codes defined in
this specification.
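Before the occurrence tables, here is an added example covering the
translation rules of Sections 9.5 and 9.6 above (it is not code from the
draft). It encodes a Diameter vendor AVP as a RADIUS Vendor-Specific
attribute and back, expands nested vendor sub-attributes into several
AVPs, refuses a Mandatory AVP whose code does not fit the one-octet vendor
type, and splits over-long data across several instances of the RADIUS
attributes that permit concatenation. Field layouts follow [RADIUS]
Section 5.26 and [Base] Section 4.1, so the AVP Length excludes padding;
the vendor id 9 and the payloads used in the checks are constructed
values.

```python
"""Added example, not code from the draft: RADIUS VSA <-> Diameter
vendor-specific AVP translation (draft Section 9.6) and splitting of
over-long AVP data into several RADIUS attributes (draft Section 9.5).
Layouts follow [RADIUS] RFC 2865 5.26 and [Base] RFC 3588 4.1.
"""
import struct
from typing import List, Tuple

FLAG_V, FLAG_M, FLAG_P = 0x80, 0x40, 0x20      # Diameter AVP flag bits
RADIUS_VENDOR_SPECIFIC = 26
RADIUS_MAX_DATA = 253                          # 255 minus 2-octet attribute header
CONCATENABLE = {8, 77, 79}                     # Reply-Message, Connect-Info, EAP-Message


class TranslationError(Exception):
    """str(exc) is the Diameter Result-Code name the gateway would return."""


def pad4(n: int) -> int:
    """Zero octets needed to bring n up to a 32-bit boundary."""
    return (-n) % 4


def encode_diameter_avp(code: int, vendor_id: int, data: bytes,
                        mandatory: bool = False) -> bytes:
    """Vendor-specific AVP: V=1, M as requested, P=0. AVP Length counts the
    12-octet header plus data; padding is sent but not counted ([Base] 4.1)."""
    flags = FLAG_V | (FLAG_M if mandatory else 0)
    length = 12 + len(data)
    header = (struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
              + struct.pack("!I", vendor_id))
    return header + data + b"\x00" * pad4(len(data))


def decode_diameter_avp(buf: bytes) -> Tuple[int, int, int, bytes]:
    """Return (code, flags, vendor_id, data) of the AVP at the start of buf."""
    if len(buf) < 8:
        raise TranslationError("DIAMETER_INVALID_AVP_LENGTH")
    code, flags = struct.unpack("!IB", buf[:5])
    length = int.from_bytes(buf[5:8], "big")
    hdr = 12 if flags & FLAG_V else 8
    if length < hdr or length > len(buf):
        raise TranslationError("DIAMETER_INVALID_AVP_LENGTH")
    vendor_id = struct.unpack("!I", buf[8:12])[0] if hdr == 12 else 0
    return code, flags, vendor_id, buf[hdr:length]


def diameter_avp_to_radius_vsa(avp: bytes) -> bytes:
    """9.6.1: one vendor AVP -> attribute 26 in the RFC 2865 recommended form.
    Returns b"" when the AVP is ignored (code > 255 and not Mandatory)."""
    code, flags, vendor_id, data = decode_diameter_avp(avp)
    if code > 255:                      # no vendor-specific coding known here
        if flags & FLAG_M:
            raise TranslationError("DIAMETER_AVP_UNSUPPORTED")
        return b""
    if 8 + len(data) > 255:             # type+len+vendor-id+vtype+vlen+data
        raise TranslationError("DIAMETER_INVALID_AVP_LENGTH")
    # RFC 2865: Vendor length covers the vendor type and vendor length octets.
    sub = struct.pack("!BB", code & 0xFF, 2 + len(data)) + data
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def radius_vsa_to_diameter_avps(attr: bytes) -> List[bytes]:
    """9.6.2: attribute 26 -> one Diameter AVP (V=1, M=0, P=0) per nested
    vendor sub-attribute. A vendor with a non-standard sub-attribute layout
    would need its own parser; this example knows only the recommended one."""
    if len(attr) < 8 or attr[0] != RADIUS_VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    avps, pos = [], 6
    while pos < len(attr):
        if pos + 2 > len(attr):
            raise ValueError("truncated vendor sub-attribute header")
        vtype, vlen = attr[pos], attr[pos + 1]
        if vlen < 2 or pos + vlen > len(attr):
            raise ValueError("malformed vendor sub-attribute")
        avps.append(encode_diameter_avp(vtype, vendor_id, attr[pos + 2:pos + vlen]))
        pos += vlen
    return avps


def split_long_data(radius_type: int, data: bytes) -> List[bytes]:
    """9.5: data over 253 octets becomes several instances of an attribute
    that allows concatenation; any other attribute cannot carry it."""
    if len(data) <= RADIUS_MAX_DATA:
        chunks = [data]
    elif radius_type in CONCATENABLE:
        chunks = [data[i:i + RADIUS_MAX_DATA]
                  for i in range(0, len(data), RADIUS_MAX_DATA)]
    else:
        raise TranslationError("DIAMETER_INVALID_AVP_LENGTH")
    return [struct.pack("!BB", radius_type, 2 + len(c)) + c for c in chunks]
```

The round trip through encode_diameter_avp, diameter_avp_to_radius_vsa and
radius_vsa_to_diameter_avps is lossless for codes up to 255; the
Mandatory bit is the one thing that does not survive, which is exactly the
gap the NOTE in Section 9.6.2 asks the gateway to close by policy.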
                                 +-----------+
                                 |  Command  |
                                 |-----+-----+
   Attribute Name                | AAR | AAA |
   ------------------------------|-----+-----+
   Acct-Interim-Interval         |  0  | 0-1 |
   ARAP-Challenge-Response       |  0  | 0-1 |
   ARAP-Features                 |  0  | 0-1 |
   ARAP-Password                 | 0-1 |  0  |
   ARAP-Security                 | 0-1 | 0-1 |
   ARAP-Security-Data            | 0+  | 0+  |
   ARAP-Zone-Access              |  0  | 0-1 |
   Auth-Application-Id           |  1  |  1  |
   Auth-Grace-Period             | 0-1 | 0-1 |
   Auth-Request-Type             |  1  |  1  |
   Auth-Session-State            | 0-1 | 0-1 |
   Authorization-Lifetime        | 0-1 | 0-1 |
   Callback-Id                   |  0  | 0-1 |
   Callback-Number               | 0-1 | 0-1 |
   Called-Station-Id             | 0-1 |  0  |
   Calling-Station-Id            | 0-1 |  0  |
   CHAP-Auth                     | 0-1 |  0  |
   CHAP-Challenge                | 0-1 |  0  |
   Class                         |  0  | 0+  |
   Configuration-Token           |  0  | 0+  |
   Connect-Info                  | 0+  |  0  |
   Destination-Host              | 0-1 |  0  |
   Destination-Realm             |  1  |  0  |
   Error-Message                 |  0  | 0-1 |
   Error-Reporting-Host          |  0  | 0-1 |
   Failed-AVP                    | 0+  | 0+  |
   Filter-Id                     |  0  | 0+  |
   Framed-Appletalk-Link         |  0  | 0-1 |
   Framed-Appletalk-Network      |  0  | 0+  |
   Framed-Appletalk-Zone         |  0  | 0-1 |
   Framed-Compression            | 0+  | 0+  |
   Framed-Interface-Id           | 0-1 | 0-1 |
   Framed-IP-Address             | 0-1 | 0-1 |
   Framed-IP-Netmask             | 0-1 | 0-1 |
   Framed-IPv6-Prefix            | 0+  | 0+  |
   Framed-IPv6-Pool              |  0  | 0-1 |
   Framed-IPv6-Route             |  0  | 0+  |
   Framed-IPX-Network            |  0  | 0-1 |
   Framed-MTU                    | 0-1 | 0-1 |
   Framed-Pool                   |  0  | 0-1 |
   Framed-Protocol               | 0-1 | 0-1 |
   Framed-Route                  |  0  | 0+  |
   Framed-Routing                |  0  | 0-1 |
   Idle-Timeout                  |  0  | 0-1 |
   Login-IP-Host                 | 0+  | 0+  |
   Login-IPv6-Host               | 0+  | 0+  |
   Login-LAT-Group               | 0-1 | 0-1 |
   Login-LAT-Node                | 0-1 | 0-1 |
   Login-LAT-Port                | 0-1 | 0-1 |
   Login-LAT-Service             | 0-1 | 0-1 |
   Login-Service                 |  0  | 0-1 |
   Login-TCP-Port                |  0  | 0-1 |
   Multi-Round-Time-Out          |  0  | 0-1 |
   NAS-Filter-Rule               |  0  | 0+  |
   NAS-Identifier                | 0-1 |  0  |
   NAS-IP-Address                | 0-1 |  0  |
   NAS-IPv6-Address              | 0-1 |  0  |
   NAS-Port                      | 0-1 |  0  |
   NAS-Port-Id                   | 0-1 |  0  |
   NAS-Port-Type                 | 0-1 |  0  |
   Origin-Host                   |  1  |  1  |
   Origin-Realm                  |  1  |  1  |
   Origin-State-Id               | 0-1 | 0-1 |
   Originating-Line-Info         | 0-1 |  0  |
   Password-Retry                |  0  | 0-1 |
   Port-Limit                    | 0-1 | 0-1 |
   Prompt                        |  0  | 0-1 |
   Proxy-Info                    | 0+  | 0+  |
   Re-Auth-Request-Type          |  0  | 0-1 |
   Redirect-Host                 |  0  | 0+  |
   Redirect-Host-Usage           |  0  | 0-1 |
   Redirect-Max-Cache-Time       |  0  | 0-1 |
   Reply-Message                 |  0  | 0+  |
   Result-Code                   |  0  |  1  |
   Route-Record                  | 0+  | 0+  |
   Service-Type                  | 0-1 | 0-1 |
   Session-Id                    |  1  |  1  |
   Session-Timeout               |  0  | 0-1 |
   State                         | 0-1 | 0-1 |
   Tunneling                     | 0+  | 0+  |
   User-Name                     | 0-1 | 0-1 |
   User-Password                 | 0-1 |  0  |
   ------------------------------|-----+-----+

10.2. Accounting AVP Tables

The tables in this section are used to represent which AVPs defined
in this document are to be present and used in NAS application
Accounting messages. These AVPs are defined in this document, as
well as [Base] and [RADIUSAcct].

10.2.1. Accounting Framed Access AVP Table

The table in this section is used when the Service-Type specifies
Framed Access.
                                          +-----------+
                                          |  Command  |
                                          |-----+-----+
   Attribute Name                         | ACR | ACA |
   ---------------------------------------|-----+-----+
   Accounting-Auth-Method                 | 0-1 |  0  |
   Accounting-Input-Octets                |  1  |  0  |
   Accounting-Input-Packets               |  1  |  0  |
   Accounting-Output-Octets               |  1  |  0  |
   Accounting-Output-Packets              |  1  |  0  |
   Accounting-Record-Number               | 0-1 | 0-1 |
   Accounting-Record-Type                 |  1  |  1  |
   Accounting-Realtime-Required           | 0-1 | 0-1 |
   Accounting-Sub-Session-Id              | 0-1 | 0-1 |
   Acct-Application-Id                    | 0-1 | 0-1 |
   Acct-Session-Id                        |  1  | 0-1 |
   Acct-Multi-Session-Id                  | 0-1 | 0-1 |
   Acct-Authentic                         |  1  |  0  |
   Acct-Delay-Time                        | 0-1 |  0  |
   Acct-Interim-Interval                  | 0-1 | 0-1 |
   Acct-Link-Count                        | 0-1 |  0  |
   Acct-Session-Time                      |  1  |  0  |
   Acct-Tunnel-Connection                 | 0-1 |  0  |
   Acct-Tunnel-Packets-Lost               | 0-1 |  0  |
   Authorization-Lifetime                 | 0-1 |  0  |
   Callback-Id                            | 0-1 |  0  |
   Callback-Number                        | 0-1 |  0  |
   Called-Station-Id                      | 0-1 |  0  |
   Calling-Station-Id                     | 0-1 |  0  |
   Class                                  | 0+  | 0+  |
   Connect-Info                           | 0+  |  0  |
   Destination-Host                       | 0-1 |  0  |
   Destination-Realm                      |  1  |  0  |
   Event-Timestamp                        | 0-1 | 0-1 |
   Error-Reporting-Host                   |  0  | 0-1 |
   Framed-AppleTalk-Link                  | 0-1 |  0  |
   Framed-AppleTalk-Network               | 0-1 |  0  |
   Framed-AppleTalk-Zone                  | 0-1 |  0  |
   Framed-Compression                     | 0-1 |  0  |
   Framed-IP-Address                      | 0-1 |  0  |
   Framed-IP-Netmask                      | 0-1 |  0  |
   Framed-IPv6-Prefix                     | 0+  |  0  |
   Framed-IPv6-Pool                       | 0-1 |  0  |
   Framed-IPX-Network                     | 0-1 |  0  |
   Framed-MTU                             | 0-1 |  0  |
   Framed-Pool                            | 0-1 |  0  |
   Framed-Protocol                        | 0-1 |  0  |
   Framed-Route                           | 0-1 |  0  |
   Framed-Routing                         | 0-1 |  0  |
   NAS-Filter-Rule                        | 0-1 |  0  |
   NAS-Identifier                         | 0-1 | 0-1 |
   NAS-IP-Address                         | 0-1 | 0-1 |
   NAS-IPv6-Address                       | 0-1 | 0-1 |
   NAS-Port                               | 0-1 | 0-1 |
   NAS-Port-Id                            | 0-1 | 0-1 |
   NAS-Port-Type                          | 0-1 | 0-1 |
   Origin-Host                            |  1  |  1  |
   Origin-Realm                           |  1  |  1  |
   Origin-State-Id                        | 0-1 | 0-1 |
   Originating-Line-Info                  | 0-1 |  0  |
   Proxy-Info                             | 0+  | 0+  |
   Route-Record                           | 0+  | 0+  |
   Result-Code                            |  0  |  1  |
   Service-Type                           | 0-1 | 0-1 |
   Session-Id                             |  1  |  1  |
   Termination-Cause                      | 0-1 | 0-1 |
   Tunnel-Assignment-Id                   | 0-1 |  0  |
   Tunnel-Client-Endpoint                 | 0-1 |  0  |
   Tunnel-Medium-Type                     | 0-1 |  0  |
   Tunnel-Private-Group-Id                | 0-1 |  0  |
   Tunnel-Server-Endpoint                 | 0-1 |  0  |
   Tunnel-Type                            | 0-1 |  0  |
   User-Name                              | 0-1 | 0-1 |
   Vendor-Specific-Application-Id         | 0-1 | 0-1 |
   ---------------------------------------|-----+-----+

10.2.2. Accounting Non-Framed Access AVP Table

The table in this section is used when the Service-Type specifies
Non-Framed Access.

                                          +-----------+
                                          |  Command  |
                                          |-----+-----+
   Attribute Name                         | ACR | ACA |
   ---------------------------------------|-----+-----+
   Accounting-Auth-Method                 | 0-1 |  0  |
   Accounting-Input-Octets                |  1  |  0  |
   Accounting-Output-Octets               |  1  |  0  |
   Accounting-Record-Type                 |  1  |  1  |
   Accounting-Record-Number               | 0-1 | 0-1 |
   Accounting-Realtime-Required           | 0-1 | 0-1 |
   Accounting-Sub-Session-Id              | 0-1 | 0-1 |
   Acct-Application-Id                    | 0-1 | 0-1 |
   Acct-Session-Id                        |  1  | 0-1 |
   Acct-Multi-Session-Id                  | 0-1 | 0-1 |
   Acct-Authentic                         |  1  |  0  |
   Acct-Delay-Time                        | 0-1 |  0  |
   Acct-Interim-Interval                  | 0-1 | 0-1 |
   Acct-Link-Count                        | 0-1 |  0  |
   Acct-Session-Time                      |  1  |  0  |
   Authorization-Lifetime                 | 0-1 |  0  |
   Callback-Id                            | 0-1 |  0  |
   Callback-Number                        | 0-1 |  0  |
   Called-Station-Id                      | 0-1 |  0  |
   Calling-Station-Id                     | 0-1 |  0  |
   Class                                  | 0+  | 0+  |
   Connect-Info                           | 0+  |  0  |
   Destination-Host                       | 0-1 |  0  |
   Destination-Realm                      |  1  |  0  |
   Event-Timestamp                        | 0-1 | 0-1 |
   Error-Reporting-Host                   |  0  | 0+  |
   Login-IP-Host                          | 0+  |  0  |
   Login-IPv6-Host                        | 0+  |  0  |
   Login-LAT-Service                      | 0-1 |  0  |
   Login-LAT-Node                         | 0-1 |  0  |
   Login-LAT-Group                        | 0-1 |  0  |
   Login-LAT-Port                         | 0-1 |  0  |
   Login-Service                          | 0-1 |  0  |
   Login-TCP-Port                         | 0-1 |  0  |
   NAS-Identifier                         | 0-1 | 0-1 |
   NAS-IP-Address                         | 0-1 | 0-1 |
   NAS-IPv6-Address                       | 0-1 | 0-1 |
   NAS-Port                               | 0-1 | 0-1 |
   NAS-Port-Id                            | 0-1 | 0-1 |
   NAS-Port-Type                          | 0-1 | 0-1 |
   Origin-Host                            |  1  |  1  |
   Origin-Realm                           |  1  |  1  |
   Origin-State-Id                        | 0-1 | 0-1 |
   Originating-Line-Info                  | 0-1 |  0  |
   Proxy-Info                             | 0+  | 0+  |
   Route-Record                           | 0+  | 0+  |
   Result-Code                            |  0  |  1  |
   Session-Id                             |  1  |  1  |
   Service-Type                           | 0-1 | 0-1 |
   Termination-Cause                      | 0-1 | 0-1 |
   User-Name                              | 0-1 | 0-1 |
   Vendor-Specific-Application-Id         | 0-1 | 0-1 |
   ---------------------------------------|-----+-----+

11. IANA Considerations

This section provides guidance to the Internet Assigned Numbers
Authority (IANA) regarding registration of values related to the
Diameter protocol, in accordance with BCP 26 [IANAConsid].

This document defines values in the namespaces that have been created
and defined in the Diameter Base [Base]. The IANA Considerations
section of that document details the assignment criteria. Values
assigned in this document, or by future IANA action, must be
coordinated within this shared namespace.

11.1. Command Codes

This specification assigns the values 265 and 268 from the Command
Code namespace defined in [Base]. See Sections 3.1 and 3.2 for the
assignment of the namespace in this specification.

11.2. AVP Codes

This specification assigns the values 363-366 and 400-406 from the
AVP Code namespace defined in [Base]. See Sections 4 and 5 for the
assignment of the namespace in this specification. Note that the
values 363-366 are jointly, but consistently, assigned in [DiamMIP].
This document also creates one new namespace to be managed by IANA,
as described in Section 11.5.

This specification also specifies the use of AVPs in the 0-255 range,
which are defined in [RADIUSTypes]. These values are assigned by the
policy in RFC 2865 Section 6 [RADIUS].

11.3. Application Identifier

This specification uses the value one (1) in the Application
Identifier namespace as assigned in [Base]. See Section 1.2 above
for more information.

11.4. CHAP-Algorithm AVP Values

As defined in Section 5.5, the CHAP-Algorithm AVP (AVP Code 403) uses
the values of the "PPP AUTHENTICATION ALGORITHMS" namespace defined
in [PPPCHAP].

11.5. Accounting-Auth-Method AVP Values

As defined in Section 8.6, the Accounting-Auth-Method AVP (AVP Code
406) defines the values 1-5. All remaining values are available for
assignment via IETF Consensus [IANA].

12. Security Considerations

This document describes the extension of Diameter for the NAS
application. The security considerations of the Diameter protocol
itself have been discussed in [Base]. Use of this application of
Diameter MUST take into consideration the security issues and
requirements of the Base protocol.

This document does not contain a security protocol, but does discuss
how PPP authentication protocols can be carried within the Diameter
protocol. The PPP authentication protocols that are described are PAP
and CHAP.

The use of PAP SHOULD be discouraged, since it exposes the user's
password to possibly non-trusted entities. However, PAP is also
However, PAP is also 3464 frequently used for use with One-Time Passwords, which do not expose 3465 a security risk. 3467 This document also describes how CHAP can be carried within the 3468 Diameter protocol, which is required for RADIUS backward 3469 compatibility. The CHAP protocol, as used in a RADIUS environment, 3470 facilitates authentication replay attacks. 3472 The use of the EAP authentication protocols are described in 3473 [DiamEAP] can offer better security given a method suitable for the 3474 circumstances. 3476 13. References 3478 13.1. Normative References 3480 [Base] P. Calhoun, et.al, "Diameter Base Protocol", RFC 3588, 3481 Sept 2003. 3483 [AAATrans] B. Aboba, J. Wood. "Authentication, Authorization and 3484 Accounting (AAA) Transport Profile", RFC 3539, June 2003 3486 [RADIUS] C. Rigney, A. Rubens, W. Simpson, S. Willens, "Remote 3487 Authentication Dial In User Service (RADIUS)", RFC 2865, 3488 June 2000. 3490 [RADIUSTypes] IANA, "RADIUS Types", URL: 3491 3493 [RADIUSIPv6] B. Aboba, G. Zorn, D. Mitton, "RADIUS and IPv6", RFC 3162, 3494 August 2001. 3496 [IPv6Addr] Hinden, R., Deering, S., "Internet Protocol Version 6 3497 (IPv6) Addressing Architecture", RFC 3516, April 2003. 3499 [PPPCHAP] W. Simpson, "PPP Challenge Handshake Authentication 3500 Protocol (CHAP)", RFC 1994, August 1996. 3502 [IANAConsid] Narten, Alvestrand, "Guidelines for Writing an IANA 3503 Considerations Section in RFCs", BCP 26, RFC 2434, October 3504 1998 3506 [IANA] IANA Assigned Numbers Database, URL: 3507 3509 [Keywords] S. Bradner, "Key words for use in RFCs to Indicate 3510 Requirement Levels", BCP 14, RFC 2119, March 1997. 3512 [ANITypes] NANPA Number Resource Info, ANI Assignments, URL: 3513 3516 13.2. Informative References 3518 [RADIUSAcct] C. Rigney, "RADIUS Accounting", RFC 2866, June 2000. 3520 [RADIUSExt] C. Rigney, W. Willats, P. Calhoun, "RADIUS Extensions", 3521 RFC 2869, June 2000. 3523 [RADTunnels] G. Zorn, D. Leifer, A. Rubens, J. Shriver, M. 
              Holdrege, I. Goyret, "RADIUS Attributes for Tunnel
              Protocol Support", RFC 2868, June 2000.

[RADTunlAcct] G. Zorn, B. Aboba, D. Mitton, "RADIUS Accounting
              Modifications for Tunnel Protocol Support", RFC 2867,
              June 2000.

[RADDynAuth]  M. Chiba, G. Dommety, M. Eklund, D. Mitton, B. Aboba,
              "Dynamic Authorization Extensions to Remote
              Authentication Dial In User Service (RADIUS)", RFC
              3576, August 2003.

[RADIUSIANA]  B. Aboba, "IANA Considerations for RADIUS", RFC 3575,
              August 2003.

[ExtRADPract] D. Mitton, "Network Access Servers Requirements:
              Extended RADIUS Practices", RFC 2882, July 2000.

[NASModel]    D. Mitton, M. Beadles, "Network Access Server
              Requirements Next Generation (NASREQNG) NAS Model", RFC
              2881, July 2000.

[NASCriteria] M. Beadles, D. Mitton, "Criteria for Evaluating Network
              Access Server Protocols", RFC 3169, September 2001.

[AAACriteria] B. Aboba, et al., "Criteria for Evaluating AAA
              Protocols for Network Access", RFC 2989, November 2000.

[DiamEAP]     G. Zorn, "Diameter EAP Application",
              draft-ietf-aaa-eap-01.txt, IETF work in progress,
              August 2002.

[DiamCMS]     P. Calhoun, W. Bulley, S. Farrell, "Diameter CMS
              Security Application",
              draft-ietf-aaa-diameter-cms-sec-04.txt, IETF work in
              progress, March 2002.

[DiamMIP]     P. Calhoun, C. Perkins, T. Johansson, "Diameter Mobile
              IP Application", draft-ietf-aaa-diameter-mobileip-14.txt,
              IETF work in progress, April 2003.

[RAD802.1X]   P. Congdon, et al., "IEEE 802.1X RADIUS Usage
              Guidelines", RFC 3580, September 2003.

[802.1X]      IEEE Standard for Local and Metropolitan Area Networks:
              Port-Based Network Access Control, IEEE Std 802.1X-2001,
              June 2001.

[CDMA2000]    3GPP2, "P.S0001-B", Wireless IP Network Standard,
              October 2002.
              http://www.3gpp2.com/Public_html/specs/P.S0001-B_v1.0.pdf

[AppleTalk]   G. Sidhu, R. F. Andrews, A. B. Oppenheimer, "Inside
              AppleTalk", Second Edition, Apple Computer, 1990.

[ARAP]        "Apple Remote Access Protocol (ARAP) Version 2.0
              External Reference Specification", Apple Computer,
              September 1994, R0612LL/B.

[IPX]         Novell, Inc., "NetWare System Technical Interface
              Overview", June 1989, # 883-000780-001.

[LAT]         "Local Area Transport (LAT) Specification V5.0",
              Digital Equipment Corp., AA-NL26A-TE, June 1989.

[UTF-8]       F. Yergeau, "UTF-8, a transformation format of ISO
              10646", STD 63, RFC 3629, November 2003.

[ISOLatin]    ISO 8859. International Standard -- Information
              Processing -- 8-bit Single-Byte Coded Graphic Character
              Sets -- Part 1: Latin Alphabet No. 1, ISO 8859-1:1987.
              URL:

[PPP]         W. Simpson, Editor, "The Point-to-Point Protocol
              (PPP)", STD 51, RFC 1661, July 1994.

[PAP]         B. Lloyd, W. Simpson, "PPP Authentication Protocols",
              RFC 1334, October 1992, obsoleted by RFC 1994.

14. Acknowledgements

The authors would like to thank Carl Rigney, Allan C. Rubens, William
Allen Simpson, and Steve Willens for their work on the original
RADIUS [RADIUS], from which many of the concepts in this
specification were derived. Thanks, also, to: Carl Rigney for
[RADIUSAcct] and [RADIUSExt]; Ward Willats for [RADIUSExt]; Glen
Zorn, Bernard Aboba and Dave Mitton for [RADTunlAcct] and [RADIPV6];
Dory Leifer, John Shriver, Matt Holdrege and Ignacio Goyret for their
work on [RADTunnels]. This document borrowed text and concepts from
both [RADTunnels] and [RADIUSExt]. Thanks go to Carl Williams for
providing IPv6 specific text.

The authors would also like to acknowledge the following people for
their contributions in the development of the Diameter protocol:
Bernard Aboba, Jari Arkko, William Bulley, Kuntal Chowdhury, Daniel C.
Fox, Lol Grant, Nancy Greene, Jeff Hagg, Peter Heitman, Paul
Krumviede, Fergal Ladley, Ryan Moats, Victor Muslin, Kenneth Peirce,
Sumit Vakil, John R. Vollbrecht and Jeff Weisberg.

Finally, Pat Calhoun would like to thank Sun Microsystems since most
of the effort put into this document was done while he was in their
employ.

15. Authors' Addresses

Questions about this memo can be directed to:

   Pat R. Calhoun
   Airespace
   110 Nortech Parkway
   San Jose, CA 95134
   USA

   Phone: 1 408-635-2023
   E-mail: pcalhoun@airespace.com

   Glen Zorn
   Cisco Systems, Inc.
   500 108th Avenue N.E., Suite 500
   Bellevue, WA 98004
   USA

   Phone: 1 425-471-4861
   E-mail: gwz@cisco.com

   David Spence
   Interlink Networks, Inc.
   775 Technology Drive, Suite 200
   Ann Arbor, MI 48108
   USA

   Phone: 1 734-821-1203
   Fax: 1 734-821-1235
   E-mail: dspence@interlinknetworks.com

   David Mitton
   Circular Networks
   733 Turnpike St #154
   North Andover, MA 01845

   E-mail: dmitton@circularnetworks.com

Intellectual Property Considerations

The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11.
Copies of 3675 claims of rights made available for publication and any assurances of 3676 licenses to be made available, or the result of an attempt made to 3677 obtain a general license or permission for the use of such 3678 proprietary rights by implementers or users of this specification can 3679 be obtained from the IETF Secretariat. 3681 The IETF invites any interested party to bring to its attention any 3682 copyrights, patents or patent applications, or other proprietary 3683 rights which may cover technology that may be required to practice 3684 this standard. Please address the information to the IETF Executive 3685 Director. 3687 Full Copyright Statement 3689 Copyright (C) The Internet Society (2004). All Rights Reserved. 3691 This document and translations of it may be copied and furnished to 3692 others, and derivative works that comment on or otherwise explain it 3693 or assist in its implementation may be prepared, copied, published 3694 and distributed, in whole or in part, without restriction of any 3695 kind, provided that the above copyright notice and this paragraph are 3696 included on all such copies and derivative works. However, this 3697 document itself may not be modified in any way, such as by removing 3698 the copyright notice or references to the Internet Society or other 3699 Internet organizations, except as needed for the purpose of 3700 developing Internet standards in which case the procedures for 3701 copyrights defined in the Internet Standards process must be 3702 followed, or as required to translate it into languages other than 3703 English. The limited permissions granted above are perpetual and will 3704 not be revoked by the Internet Society or its successors or assigns. 
3705 This document and the information contained herein is provided on an 3706 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 3707 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 3708 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION 3709 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 3710 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
