AAA Working Group                                        Pat R. Calhoun
Internet-Draft                                            Airespace Inc.
Category: Standards Track                                      Glen Zorn
                                                      Cisco Systems Inc.
                                                            David Spence
                                                            David Mitton
                                                       Circular Networks
                                                                Jun 2004

              Diameter Network Access Server Application
                  draft-ietf-aaa-diameter-nasreq-15.txt

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC 2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.
   It is inappropriate to use Internet-Drafts as reference material or
   to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This document is a product of the Authentication, Authorization and
   Accounting (AAA) Working Group of the Internet Engineering Task Force
   (IETF).  Comments are welcome and should be submitted to the mailing
   list aaa-wg@merit.edu.

Copyright (C) The Internet Society 2004.  All Rights Reserved.

Abstract

   This document describes the Diameter protocol application used for
   Authentication, Authorization and Accounting (AAA) services in the
   Network Access Server (NAS) environment.  This application
   specification, when combined with the Diameter Base protocol,
   Transport Profile, and Extensible Authentication Protocol
   specifications, satisfies typical network access services
   requirements.

   Initial deployments of the Diameter protocol are expected to include
   legacy systems.  Therefore, this application was carefully designed
   to ease the burden of protocol conversion between RADIUS and
   Diameter.  This is achieved by including the RADIUS attribute space
   and eliminating the need to perform many attribute translations.

   The interactions between Diameter applications and RADIUS specified
   in this document are to be applied to all Diameter applications.  In
   this sense, this document extends the Base Diameter protocol.

Table of Contents

   1.  Introduction
       1.1.  Terminology
       1.2.  Requirements Language
       1.3.  Advertising Application Support
   2.  NAS Calls, Ports, and Sessions
       2.1.  Diameter Session Establishment
       2.2.  Diameter Session Reauthentication or Reauthorization
       2.3.  Diameter Session Termination
   3.  NAS Messages
       3.1.  AA-Request (AAR) Command
       3.2.  AA-Answer (AAA) Command
       3.3.  Re-Auth-Request (RAR) Command
       3.4.  Re-Auth-Answer (RAA) Command
       3.5.  Session-Termination-Request (STR) Command
       3.6.  Session-Termination-Answer (STA) Command
       3.7.  Abort-Session-Request (ASR) Command
       3.8.  Abort-Session-Answer (ASA) Command
       3.9.  Accounting-Request (ACR) Command
       3.10. Accounting-Answer (ACA) Command
   4.  NAS Session AVPs
       4.1.  Call and Session Information
       4.2.  NAS-Port AVP
       4.3.  NAS-Port-Id AVP
       4.4.  NAS-Port-Type AVP
       4.5.  Called-Station-Id AVP
       4.6.  Calling-Station-Id AVP
       4.7.  Connect-Info AVP
       4.8.  Originating-Line-Info AVP
       4.9.  Reply-Message AVP
   5.  NAS Authentication AVPs
       5.1.  User-Password AVP
       5.2.  Password-Retry AVP
       5.3.  Prompt AVP
       5.4.  CHAP-Auth AVP
       5.5.  CHAP-Algorithm AVP
       5.6.  CHAP-Ident AVP
       5.7.  CHAP-Response AVP
       5.8.  CHAP-Challenge AVP
       5.9.  ARAP-Password AVP
       5.10. ARAP-Challenge-Response AVP
       5.11. ARAP-Security AVP
       5.12. ARAP-Security-Data AVP
   6.  NAS Authorization AVPs
       6.1.  Service-Type AVP
       6.2.  Callback-Number AVP
       6.3.  Callback-Id AVP
       6.4.  Idle-Timeout AVP
       6.5.  Port-Limit AVP
       6.6.  NAS-Filter-Rule AVP
       6.7.  Filter-Id AVP
       6.8.  Configuration-Token AVP
       6.9.  Framed Access Authorization AVPs
             6.9.1.  Framed-Protocol AVP
             6.9.2.  Framed-Routing AVP
             6.9.3.  Framed-MTU AVP
             6.9.4.  Framed-Compression AVP
       6.10. IP Access Authorization AVPs
             6.10.1. Framed-IP-Address AVP
             6.10.2. Framed-IP-Netmask AVP
             6.10.3. Framed-Route AVP
             6.10.4. Framed-Pool AVP
             6.10.5. Framed-Interface-Id AVP
             6.10.6. Framed-IPv6-Prefix AVP
             6.10.7. Framed-IPv6-Route AVP
             6.10.8. Framed-IPv6-Pool AVP
       6.11. IPX Access
             6.11.1. Framed-IPX-Network AVP
       6.12. AppleTalk Network Access
             6.12.1. Framed-AppleTalk-Link AVP
             6.12.2. Framed-AppleTalk-Network AVP
             6.12.3. Framed-AppleTalk-Zone AVP
       6.13. AppleTalk Remote Access
             6.13.1. ARAP-Features AVP
             6.13.2. ARAP-Zone-Access AVP
       6.14. Non-Framed Access Authorization AVPs
             6.14.1. Login-IP-Host AVP
             6.14.2. Login-IPv6-Host AVP
             6.14.3. Login-Service AVP
       6.15. TCP Services
             6.15.1. Login-TCP-Port AVP
       6.16. LAT Services
             6.16.1. Login-LAT-Service AVP
             6.16.2. Login-LAT-Node AVP
             6.16.3. Login-LAT-Group AVP
             6.16.4. Login-LAT-Port AVP
   7.  NAS Tunneling
       7.1.  Tunneling AVP
       7.2.  Tunnel-Type AVP
       7.3.  Tunnel-Medium-Type AVP
       7.4.  Tunnel-Client-Endpoint AVP
       7.5.  Tunnel-Server-Endpoint AVP
       7.6.  Tunnel-Password AVP
       7.7.  Tunnel-Private-Group-Id AVP
       7.8.  Tunnel-Assignment-Id AVP
       7.9.  Tunnel-Preference AVP
       7.10. Tunnel-Client-Auth-Id AVP
       7.11. Tunnel-Server-Auth-Id AVP
   8.  NAS Accounting
       8.1.  Accounting-Input-Octets AVP
       8.2.  Accounting-Output-Octets AVP
       8.3.  Accounting-Input-Packets AVP
       8.4.  Accounting-Output-Packets AVP
       8.5.  Acct-Session-Time AVP
       8.6.  Acct-Authentic AVP
       8.7.  Accounting-Auth-Method AVP
       8.8.  Acct-Delay-Time
       8.9.  Acct-Link-Count
       8.10. Acct-Tunnel-Connection AVP
       8.11. Acct-Tunnel-Packets-Lost AVP
   9.  RADIUS/Diameter Protocol Interactions
       9.1.  RADIUS Request Forwarded as Diameter Request
             9.1.1.  RADIUS Dynamic Authorization considerations
       9.2.  Diameter Request Forwarded as RADIUS Request
             9.2.1.  RADIUS Dynamic Authorization considerations
       9.3.  AVPs Used Only for Compatibility
             9.3.1.  NAS-Identifier AVP
             9.3.2.  NAS-IP-Address AVP
             9.3.3.  NAS-IPv6-Address AVP
             9.3.4.  State AVP
             9.3.5.  Termination-Cause AVP Code Values
       9.4.  Prohibited RADIUS Attributes
       9.5.  Translatable Diameter AVPs
       9.6.  RADIUS Vendor Specific Attributes
             9.6.1.  Forwarding a Diameter Vendor AVP as a RADIUS VSA
             9.6.2.  Forwarding a RADIUS VSA to a Diameter Vendor AVP
   10. AVP Occurrence Tables
       10.1. AA-Request/Answer AVP Table
       10.2. Accounting AVP Tables
             10.2.1. Accounting Framed Access AVP Table
             10.2.2. Accounting Non-Framed Access AVP Table
   11. IANA Considerations
       11.1. Command Codes
       11.2. AVP Codes
       11.3. Application Identifier
       11.4. CHAP-Algorithm AVP Values
       11.5. Accounting-Auth-Method AVP Values
   12. Security Considerations
   13. References
       13.1. Normative References
       13.2. Informative References
   14. Acknowledgements
   15. Authors' Addresses
   Intellectual Property Considerations
   Full Copyright Statement

1.  Introduction

   This document describes the Diameter protocol application used for
   AAA in the Network Access Server (NAS) environment.  This Diameter
   NAS application specification, when combined with the Diameter Base
   protocol [Base], Transport Profile [DiamTrans], and EAP [DiamEAP]
   specifications, satisfies NAS-related requirements defined in
   RFC 2989 [AAACriteria] and RFC 3169 [NASCriteria].

   Initial deployments of the Diameter protocol are expected to include
   legacy systems.  Therefore, this application was carefully designed
   to ease the burden of protocol conversion between RADIUS and
   Diameter.  This is achieved by including the RADIUS attribute space
   and eliminating the need to perform many attribute translations.

   The interactions between Diameter applications and RADIUS specified
   in this document are to be applied to all Diameter applications.  In
   this sense, this document extends the Base Diameter protocol [Base].

   This document first describes the operation of a Diameter NAS
   application.  Then it defines the Diameter message Command-Codes.
   The following sections enumerate the AVPs used in these messages,
   grouped by common usage: session identification, authentication,
   authorization, tunneling, and accounting.  The authorization AVPs
   are further broken down by service type.  Interaction and backwards
   compatibility issues with RADIUS are discussed in later sections.

1.1.  Terminology

   The base Diameter [Base] specification, Section 1.4, defines most of
   the terminology used in this document.  Additionally, the following
   terms and acronyms are used in this application:

   NAS - Network Access Server; a device which provides an access
   service for a user to a network.  The service may be a network
   connection, or a value added service such as terminal emulation.
   [NASmodel]

   PPP - Point-to-Point Protocol; a multiprotocol serial datalink.  PPP
   is the primary IP datalink used for dial-in NAS connection service.
   [PPP]

   CHAP - Challenge Handshake Authentication Protocol; an authentication
   process used in PPP.  [PPPCHAP]

   PAP - Password Authentication Protocol; a deprecated PPP
   authentication process, but often used for backwards compatibility.
   [PAP]

   SLIP - Serial Line IP; a serial datalink that only supports IP.  An
   earlier design, prior to PPP.

   ARAP - AppleTalk Remote Access Protocol; a serial datalink for
   accessing AppleTalk networks.  [ARAP]
   IPX - Internetwork Packet Exchange; the network protocol used by
   NetWare networks.  [IPX]

   LAT - Local Area Transport; a Digital Equipment Corp. LAN protocol
   for terminal services.  [LAT]

   VPN - Virtual Private Network; in this document it is used to
   describe access services which use tunneling methods.

1.2.  Requirements Language

   In this document, the key words "MAY", "MUST", "MUST NOT",
   "OPTIONAL", "RECOMMENDED", "SHOULD", and "SHOULD NOT" are to be
   interpreted as described in [Keywords].

1.3.  Advertising Application Support

   Diameter applications conforming to this specification MUST advertise
   support by including the value of one (1) in the Auth-Application-Id
   or the Acct-Application-Id AVP of the Capabilities-Exchange-Request
   and Capabilities-Exchange-Answer commands [Base].

2.  NAS Calls, Ports, and Sessions

   The arrival of a new call or service connection at a port of a
   Network Access Server (NAS) starts a Diameter NAS message exchange.
   Information about the call, the identity of the user, and the user's
   authentication information are packaged into a Diameter AA-Request
   (AAR) message and sent to a server.

   The server processes the information and responds with a Diameter
   AA-Answer (AAA) message which contains authorization information for
   the NAS, or a failure code (Result-Code AVP).  If the value of
   Result-Code is DIAMETER_MULTI_ROUND_AUTH, an additional
   authentication exchange is indicated, and several AAR and AAA
   messages may be exchanged until the transaction completes.

   The Diameter protocol allows authorization-only requests, selected
   via the Auth-Request-Type AVP, in which no authentication information
   is contained in the request from the client.  This capability goes
   beyond the Call Check capabilities described in Section 5.6 of
   [RADIUS] in that no access decision is requested.  Consequently,
   service cannot be started on the basis of a response to an
   authorization-only request without introducing a significant
   security vulnerability.

   Since no equivalent capability exists in RADIUS, authorization-only
   requests from a NAS implementing Diameter may not be easily
   translated to an equivalent RADIUS message by a Diameter/RADIUS
   gateway.  For example, where a Diameter authorization-only request
   cannot be translated to a RADIUS Call Check, it would be necessary
   for the Diameter/RADIUS gateway to add authentication information to
   the RADIUS Access-Request.  On receiving the RADIUS response, the
   Diameter/RADIUS gateway would need to discard the access decision
   (Accept/Reject).  It is not clear that these translations can be
   accomplished without adding significant security vulnerabilities.

2.1.  Diameter Session Establishment

   When the authentication or authorization exchange completes
   successfully, the NAS application SHOULD start a session context.
   If the Result-Code of DIAMETER_MULTI_ROUND_AUTH is returned, the
   exchange continues until a success or error is returned.

   If accounting is active, the application MUST also send an
   Accounting message [Base].  An Accounting-Record-Type of
   START_RECORD is sent for a new session.  If a session fails to
   start, an EVENT_RECORD message describing the reason for the failure
   is sent.

   Note that the return of an unsupportable Accounting-Realtime-Required
   value [Base] would result in a failure to establish the session.

2.2.  Diameter Session Reauthentication or Reauthorization

   The Diameter Base protocol allows for users to be periodically
   reauthenticated and/or reauthorized.  In such instances, the
   Session-Id AVP in the AAR message MUST be the same as the one present
   in the original authentication/authorization message.
   A Diameter server informs the NAS of the maximum time allowed before
   reauthentication or reauthorization via the Authorization-Lifetime
   AVP [Base].  A NAS MAY reauthenticate and/or reauthorize before the
   end, but a NAS MUST reauthenticate and/or reauthorize at the end of
   the period provided by the Authorization-Lifetime AVP.  The failure
   of a reauthentication exchange will cause the service to be
   terminated.

   Furthermore, it is possible for Diameter servers to issue unsolicited
   reauthentication and/or reauthorization requests (e.g., the
   Re-Auth-Request (RAR) message [Base]) to the NAS.  Upon receipt of
   such a message, the NAS MUST respond to the request with a
   Re-Auth-Answer (RAA) message [Base].

   If the RAR properly identifies an active session, the NAS will
   initiate a new local reauthentication or authorization sequence as
   indicated by the Re-Auth-Request-Type value.  This will cause the NAS
   to send a new AAR message using the existing Session-Id.  The server
   will respond with an AAA message to specify the new service
   parameters.

   If accounting is active, every change of authentication or
   authorization SHOULD generate an accounting message.  If the NAS
   service is a continuation of the prior user context, then an
   Accounting-Record-Type of INTERIM_RECORD indicating the new session
   attributes and cumulative status would be appropriate.  If a new user
   or a significant change in authorization is detected by the NAS, then
   the service may consider it appropriate to send two messages of the
   types STOP_RECORD and START_RECORD.  Accounting may change the
   subsession identifiers (Acct-Session-Id or Acct-Sub-Session-Id) to
   indicate such sub-sessions.  A service may also use a different
   Session-Id value for accounting (see [Base] Section 9.6).
   However, the Diameter Session-Id AVP value used for the initial
   authorization exchange MUST be used to generate an STR message when
   the session context is terminated.

2.3.  Diameter Session Termination

   When a NAS receives an indication that a user's session is being
   disconnected by the client (e.g., an LCP Terminate is received) or by
   administrative command, the NAS MUST issue a Session-Termination-
   Request (STR) [Base] to its Diameter Server.  This will ensure that
   any resources maintained on the servers are freed appropriately.

   Furthermore, a NAS that receives an Abort-Session-Request (ASR)
   [Base] MUST issue an ASA if the session identified is active, and
   disconnect the PPP (or tunneling) session.

   Termination of the session context MUST cause the sending of an
   Accounting STOP_RECORD message [Base], if accounting is active.

   More information on Diameter Session Termination is in [Base],
   Sections 8.4 and 8.5.

3.  NAS Messages

   This section defines the Diameter message Command-Code [Base] values
   that MUST be supported by all Diameter implementations that conform
   to this specification.  The Command Codes are:

      Command-Name                 Abbrev.  Code  Reference
      -------------------------------------------------------
      AA-Request                   AAR      265   3.1
      AA-Answer                    AAA      265   3.2
      Re-Auth-Request              RAR      258   3.3
      Re-Auth-Answer               RAA      258   3.4
      Session-Termination-Request  STR      275   3.5
      Session-Termination-Answer   STA      275   3.6
      Abort-Session-Request        ASR      274   3.7
      Abort-Session-Answer         ASA      274   3.8
      Accounting-Request           ACR      271   3.9
      Accounting-Answer            ACA      271   3.10

3.1.  AA-Request (AAR) Command

   The AA-Request message (AAR), indicated by the Command-Code field set
   to 265 and the 'R' bit set in the Command Flags field, is used in
   order to request authentication and/or authorization for a given NAS
   user.  The type of request is identified through the
   Auth-Request-Type AVP [Base].  The recommended value for most RADIUS
   interoperability situations is AUTHORIZE_AUTHENTICATE.

   If authentication is requested, the User-Name AVP SHOULD be present,
   as well as any additional authentication AVPs that would carry the
   password information.  A request for authorization only SHOULD
   include the information from which the authorization will be
   performed, such as the User-Name, Called-Station-Id, or
   Calling-Station-Id AVPs.  All requests SHOULD contain AVPs uniquely
   identifying the source of the call, such as Origin-Host and
   NAS-Port.  Certain networks MAY use different AVPs for authorization
   purposes.  A request for authorization will include some AVPs defined
   in Section 6.

   It is possible for a single session to be authorized first, then
   followed by an authentication request.

   This AA-Request message MAY be the result of a multi-round
   authentication exchange, which occurs when the AA-Answer message is
   received with the Result-Code AVP set to DIAMETER_MULTI_ROUND_AUTH.
   A subsequent AAR message SHOULD be sent, with the User-Password AVP
   that includes the user's response to the prompt, and MUST include any
   State AVPs that were present in the AAA message.
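   The exchange described in Sections 2 through 3.1, as an added
   example written for this page (not code from the draft or from any
   Diameter implementation): a minimal NAS and server in Python that
   carry out a two-round AAR/AAA authentication, start accounting,
   answer a server-initiated RAR with an RAA and follow it with a new
   AAR on the same Session-Id, and tear the session down with STR/STA
   and a STOP_RECORD.  The command codes are those of the table in
   Section 3 and the application identifier is the one required by
   Section 1.3; the Result-Code, Auth-Request-Type, Re-Auth-Request-
   Type, Accounting-Record-Type and Termination-Cause values are those
   of [Base].  The user name, password, host names, realm and the
   300-second Authorization-Lifetime are constructed test data, and
   binding the two rounds with a random State value is an assumption
   about one reasonable server design, not something the draft mandates.

```python
"""NAS/server exchange for Sections 2 through 3.1: two-round AAR/AAA bound by a
State AVP, START_RECORD on session start, RAR/RAA followed by a fresh AAR on the
same Session-Id, and STR/STA plus a STOP_RECORD on termination (no wire format)."""
import secrets
AAR, RAR, STR, ACR = 265, 258, 275, 271            # Command codes, Section 3 table
DIAMETER_MULTI_ROUND_AUTH, DIAMETER_SUCCESS = 1001, 2001          # Result-Code [Base]
DIAMETER_AUTHENTICATION_REJECTED, DIAMETER_UNKNOWN_SESSION_ID = 4001, 5002
AUTHORIZE_AUTHENTICATE, RAR_AUTHORIZE_ONLY = 3, 0  # Auth-Request-Type, Re-Auth-Request-Type
EVENT_RECORD, START_RECORD, STOP_RECORD = 1, 2, 4  # Accounting-Record-Type [Base]
DIAMETER_LOGOUT, DIAMETER_AUTH_EXPIRED = 1, 6      # Termination-Cause [Base]
NASREQ_APP_ID, LIFETIME = 1, 300                   # app id (Section 1.3); lifetime in s
USERS = {"alice@example.net": "correct horse"}     # constructed test credentials

def request(cmd, sid, avps):
    return {"cmd": cmd, "R": True, "avps": {"Session-Id": sid,
            "Auth-Application-Id": NASREQ_APP_ID, **avps}}

def answer(cmd, sid, result, avps=None):
    return {"cmd": cmd, "R": False, "avps": {"Session-Id": sid,
            "Result-Code": result, **(avps or {})}}

class Server:
    def __init__(self):
        self.pending, self.sessions, self.acct = {}, {}, []

    def handle(self, req):
        sid, avps = req["avps"]["Session-Id"], req["avps"]
        if req["cmd"] == AAR:
            return self._aar(sid, avps)
        if req["cmd"] == ACR:
            self.acct.append((sid, avps["Accounting-Record-Type"]))
            return answer(ACR, sid, DIAMETER_SUCCESS)
        if req["cmd"] == STR:             # STR frees the server-side session (2.3)
            known = self.sessions.pop(sid, None) is not None
            return answer(STR, sid, DIAMETER_SUCCESS if known else DIAMETER_UNKNOWN_SESSION_ID)
        raise ValueError("unsupported command %d" % req["cmd"])

    def _aar(self, sid, avps):
        if sid in self.sessions:          # reauthorization on the existing Session-Id
            return answer(AAR, sid, DIAMETER_SUCCESS, {"Authorization-Lifetime": LIFETIME})
        if sid not in self.pending:       # round 1: challenge, bind a fresh State value
            self.pending[sid] = secrets.token_hex(8)
            return answer(AAR, sid, DIAMETER_MULTI_ROUND_AUTH,
                          {"State": self.pending[sid], "Reply-Message": "Password: "})
        expected = self.pending.pop(sid)  # round 2: State MUST be echoed (Section 3.1)
        if (avps.get("State") != expected
                or USERS.get(avps.get("User-Name")) != avps.get("User-Password")):
            return answer(AAR, sid, DIAMETER_AUTHENTICATION_REJECTED)
        self.sessions[sid] = avps["User-Name"]
        return answer(AAR, sid, DIAMETER_SUCCESS, {"Authorization-Lifetime": LIFETIME})

class NAS:
    def __init__(self, server, host="nas1.example.net"):
        self.server, self.host, self.sessions = server, host, {}

    def _send(self, msg):
        ans = self.server.handle(msg)
        assert ans["cmd"] == msg["cmd"] and not ans["R"], "answer must mirror request"
        return ans["avps"]["Result-Code"], ans["avps"]

    def _aar(self, sid, extra):
        base = {"Auth-Request-Type": AUTHORIZE_AUTHENTICATE, "Origin-Host": self.host,
                "Origin-Realm": "example.net", "Destination-Realm": "example.net"}
        return self._send(request(AAR, sid, {**base, **extra}))

    def new_session(self, user, password):
        # Session-Id format from [Base]: <DiameterIdentity>;<high 32 bits>;<low 32 bits>
        sid = "%s;%d;%d" % (self.host, secrets.randbits(32), secrets.randbits(32))
        code, avps = self._aar(sid, {"User-Name": user})
        if code == DIAMETER_MULTI_ROUND_AUTH:  # answer the prompt, echoing any State AVP
            extra = {"User-Name": user, "User-Password": password}
            extra.update({"State": avps["State"]} if "State" in avps else {})
            code, avps = self._aar(sid, extra)
        if code != DIAMETER_SUCCESS:           # session failed to start (Section 2.1)
            self._send(request(ACR, sid, {"Accounting-Record-Type": EVENT_RECORD}))
            return None
        self.sessions[sid] = avps["Authorization-Lifetime"]
        self._send(request(ACR, sid, {"Accounting-Record-Type": START_RECORD}))
        return sid

    def on_rar(self, rar):
        """RAA for an unsolicited RAR; the NAS then calls reauthorize() (Section 2.2)."""
        sid = rar["avps"]["Session-Id"]
        return answer(RAR, sid, DIAMETER_SUCCESS if sid in self.sessions
                      else DIAMETER_UNKNOWN_SESSION_ID)

    def reauthorize(self, sid):  # lifetime expiry or successful RAA: AAR, same Session-Id
        code, avps = self._aar(sid, {})
        if code == DIAMETER_SUCCESS:
            self.sessions[sid] = avps["Authorization-Lifetime"]
        else:                                  # a failed reauthentication ends the service
            self.terminate(sid, DIAMETER_AUTH_EXPIRED)
        return code

    def terminate(self, sid, cause):
        self._send(request(ACR, sid, {"Accounting-Record-Type": STOP_RECORD}))  # 2.3
        del self.sessions[sid]
        return self._send(request(STR, sid, {"Termination-Cause": cause}))[0]
```

   The server never accepts a second-round AAR whose State AVP is
   missing or altered, which is the property the MUST in Section 3.1
   exists to protect; the NAS, for its part, only ever reuses the
   Session-Id of the original exchange for reauthorization and for the
   STR, as Sections 2.2 and 2.3 require.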
   Message Format

      <AA-Request> ::= < Diameter Header: 265, REQ, PXY >
                       < Session-Id >
                       { Auth-Application-Id }
                       { Origin-Host }
                       { Origin-Realm }
                       { Destination-Realm }
                       { Auth-Request-Type }
                       [ Destination-Host ]
                       [ NAS-Identifier ]
                       [ NAS-IP-Address ]
                       [ NAS-IPv6-Address ]
                       [ NAS-Port ]
                       [ NAS-Port-Id ]
                       [ NAS-Port-Type ]
                       [ Origin-State-Id ]
                       [ Port-Limit ]
                       [ User-Name ]
                       [ User-Password ]
                       [ Service-Type ]
                       [ State ]
                       [ Authorization-Lifetime ]
                       [ Auth-Grace-Period ]
                       [ Auth-Session-State ]
                       [ Callback-Number ]
                       [ Called-Station-Id ]
                       [ Calling-Station-Id ]
                       [ Originating-Line-Info ]
                       [ Connect-Info ]
                       [ CHAP-Auth ]
                       [ CHAP-Challenge ]
                     * [ Framed-Compression ]
                       [ Framed-Interface-Id ]
                       [ Framed-IP-Address ]
                     * [ Framed-IPv6-Prefix ]
                       [ Framed-IP-Netmask ]
                       [ Framed-MTU ]
                       [ Framed-Protocol ]
                       [ ARAP-Password ]
                       [ ARAP-Security ]
                     * [ ARAP-Security-Data ]
                     * [ Login-IP-Host ]
                     * [ Login-IPv6-Host ]
                       [ Login-LAT-Group ]
                       [ Login-LAT-Node ]
                       [ Login-LAT-Port ]
                       [ Login-LAT-Service ]
                     * [ Tunneling ]
                     * [ Proxy-Info ]
                     * [ Route-Record ]
                     * [ AVP ]

3.2.  AA-Answer (AAA) Command

   The AA-Answer (AAA) message, indicated by the Command-Code field set
   to 265 and the 'R' bit cleared in the Command Flags field, is sent in
   response to the AA-Request message.  If authorization was requested,
   a successful response will include the authorization AVPs appropriate
   for the service being provided, as defined in Section 6.

   For authentication exchanges that require more than a single round
   trip, the server MUST set the Result-Code AVP to
   DIAMETER_MULTI_ROUND_AUTH.  An AAA message with this result code MAY
   include one or more Reply-Message AVPs and MAY include zero or one
   State AVPs.
   If the Reply-Message AVP was present, the network access server
   SHOULD send the text to the user's client for display to the user,
   instructing it to prompt the user for a response.  For example, this
   capability can be achieved in PPP via PAP.  If the access client is
   unable to prompt the user for a new response, it MUST treat the
   AA-Answer with the Reply-Message AVP as an error, and deny access.

   Message Format

      <AA-Answer> ::= < Diameter Header: 265, PXY >
                      < Session-Id >
                      { Auth-Application-Id }
                      { Auth-Request-Type }
                      { Result-Code }
                      { Origin-Host }
                      { Origin-Realm }
                      [ User-Name ]
                      [ Service-Type ]
                    * [ Class ]
                    * [ Configuration-Token ]
                      [ Acct-Interim-Interval ]
                      [ Error-Message ]
                      [ Error-Reporting-Host ]
                      [ Idle-Timeout ]
                      [ Authorization-Lifetime ]
                      [ Auth-Grace-Period ]
                      [ Auth-Session-State ]
                      [ Re-Auth-Request-Type ]
                      [ Session-Timeout ]
                      [ State ]
                    * [ Reply-Message ]
                      [ Origin-State-Id ]
                    * [ Filter-Id ]
                      [ Password-Retry ]
                      [ Port-Limit ]
                      [ Prompt ]
                      [ ARAP-Challenge-Response ]
                      [ ARAP-Features ]
                      [ ARAP-Security ]
                    * [ ARAP-Security-Data ]
                      [ ARAP-Zone-Access ]
                      [ Callback-Id ]
                      [ Callback-Number ]
                      [ Framed-Appletalk-Link ]
                    * [ Framed-Appletalk-Network ]
                      [ Framed-Appletalk-Zone ]
                    * [ Framed-Compression ]
                      [ Framed-Interface-Id ]
                      [ Framed-IP-Address ]
                    * [ Framed-IPv6-Prefix ]
                      [ Framed-IPv6-Pool ]
                    * [ Framed-IPv6-Route ]
                      [ Framed-IP-Netmask ]
                    * [ Framed-Route ]
                      [ Framed-Pool ]
                      [ Framed-IPX-Network ]
                      [ Framed-MTU ]
                      [ Framed-Protocol ]
                      [ Framed-Routing ]
                    * [ Login-IP-Host ]
                    * [ Login-IPv6-Host ]
                      [ Login-LAT-Group ]
                      [ Login-LAT-Node ]
                      [ Login-LAT-Port ]
                      [ Login-LAT-Service ]
                      [ Login-Service ]
                      [ Login-TCP-Port ]
                    * [ NAS-Filter-Rule ]
                    * [ Tunneling ]
                    * [ Redirect-Host ]
                      [ Redirect-Host-Usage ]
                      [ Redirect-Max-Cache-Time ]
                    * [ Proxy-Info ]
                    * [ AVP ]

3.3.  Re-Auth-Request (RAR) Command

   A Diameter server may initiate a re-authentication and/or
   re-authorization service for a particular session by issuing a
   Re-Auth-Request (RAR) message [Base].

   For example, for pre-paid services, the Diameter server that
   originally authorized a session may need some confirmation that the
   user is still using the services.

   A NAS that receives a RAR message with a Session-Id equal to a
   currently active session and a Re-Auth-Request-Type that includes
   authentication MUST initiate a re-authentication towards the user,
   if the service supports this particular feature.

   Message Format

      <RA-Request> ::= < Diameter Header: 258, REQ, PXY >
                       < Session-Id >
                       { Origin-Host }
                       { Origin-Realm }
                       { Destination-Realm }
                       { Destination-Host }
                       { Auth-Application-Id }
                       { Re-Auth-Request-Type }
                       [ User-Name ]
                       [ Origin-State-Id ]
                       [ NAS-Identifier ]
                       [ NAS-IP-Address ]
                       [ NAS-IPv6-Address ]
                       [ NAS-Port ]
                       [ NAS-Port-Id ]
                       [ NAS-Port-Type ]
                       [ Service-Type ]
                       [ Framed-IP-Address ]
                       [ Framed-IPv6-Prefix ]
                       [ Framed-Interface-Id ]
                       [ Called-Station-Id ]
                       [ Calling-Station-Id ]
                       [ Originating-Line-Info ]
                       [ Acct-Session-Id ]
                       [ Acct-Multi-Session-Id ]
                       [ State ]
                     * [ Class ]
                       [ Reply-Message ]
                     * [ Proxy-Info ]
                     * [ Route-Record ]
                     * [ AVP ]

3.4.  Re-Auth-Answer (RAA) Command

   The Re-Auth-Answer (RAA) message [Base] is sent in response to the
   RAR.  The Result-Code AVP MUST be present, and indicates the
   disposition of the request.

   A successful RAA transaction MUST be followed by an AA-Request
   message.
   Message Format

      <RA-Answer> ::= < Diameter Header: 258, PXY >
                      < Session-Id >
                      { Result-Code }
                      { Origin-Host }
                      { Origin-Realm }
                      [ User-Name ]
                      [ Origin-State-Id ]
                      [ Error-Message ]
                      [ Error-Reporting-Host ]
                    * [ Failed-AVP ]
                    * [ Redirected-Host ]
                      [ Redirected-Host-Usage ]
                      [ Redirected-Host-Cache-Time ]
                      [ Service-Type ]
                    * [ Configuration-Token ]
                      [ Error-Message ]
                      [ Error-Reporting-Host ]
                      [ Idle-Timeout ]
                      [ Authorization-Lifetime ]
                      [ Auth-Grace-Period ]
                      [ Re-Auth-Request-Type ]
                      [ State ]
                    * [ Class ]
                    * [ Reply-Message ]
                      [ Prompt ]
                    * [ Proxy-Info ]
                    * [ AVP ]

3.5. Session-Termination-Request (STR) Command

   The Session-Termination-Request (STR) message [Base] is sent by the
   NAS to inform the Diameter Server that an authenticated and/or
   authorized session is being terminated.

   Message Format

      <ST-Request> ::= < Diameter Header: 275, REQ, PXY >
                       < Session-Id >
                       { Origin-Host }
                       { Origin-Realm }
                       { Destination-Realm }
                       { Auth-Application-Id }
                       { Termination-Cause }
                       [ User-Name ]
                       [ Destination-Host ]
                     * [ Class ]
                       [ Origin-State-Id ]
                     * [ Proxy-Info ]
                     * [ Route-Record ]
                     * [ AVP ]

3.6. Session-Termination-Answer (STA) Command

   The Session-Termination-Answer (STA) message [Base] is sent by the
   Diameter Server to acknowledge the notification that the session has
   been terminated. The Result-Code AVP MUST be present, and MAY
   contain an indication that an error occurred while servicing the STR.

   Upon sending or receipt of the STA, the Diameter Server MUST release
   all resources for the session indicated by the Session-Id AVP. Any
   intermediate server in the Proxy-Chain MAY also release any
   resources, if necessary.
   Message Format

      <ST-Answer> ::= < Diameter Header: 275, PXY >
                      < Session-Id >
                      { Result-Code }
                      { Origin-Host }
                      { Origin-Realm }
                      [ User-Name ]
                    * [ Class ]
                      [ Error-Message ]
                      [ Error-Reporting-Host ]
                    * [ Failed-AVP ]
                      [ Origin-State-Id ]
                    * [ Redirect-Host ]
                      [ Redirect-Host-Usage ]
                      [ Redirect-Max-Cache-Time ]
                    * [ Proxy-Info ]
                    * [ AVP ]

3.7. Abort-Session-Request (ASR) Command

   The Abort-Session-Request (ASR) message [Base] may be sent by any
   server to the NAS that is providing session service, to request that
   the session identified by the Session-Id be stopped.

   Message Format

      <AS-Request> ::= < Diameter Header: 274, REQ, PXY >
                       < Session-Id >
                       { Origin-Host }
                       { Origin-Realm }
                       { Destination-Realm }
                       { Destination-Host }
                       { Auth-Application-Id }
                       [ User-Name ]
                       [ Origin-State-Id ]
                       [ NAS-Identifier ]
                       [ NAS-IP-Address ]
                       [ NAS-IPv6-Address ]
                       [ NAS-Port ]
                       [ NAS-Port-Id ]
                       [ NAS-Port-Type ]
                       [ Service-Type ]
                       [ Framed-IP-Address ]
                       [ Framed-IPv6-Prefix ]
                       [ Framed-Interface-Id ]
                       [ Called-Station-Id ]
                       [ Calling-Station-Id ]
                       [ Originating-Line-Info ]
                       [ Acct-Session-Id ]
                       [ Acct-Multi-Session-Id ]
                       [ State ]
                     * [ Class ]
                     * [ Reply-Message ]
                     * [ Proxy-Info ]
                     * [ Route-Record ]
                     * [ AVP ]

3.8. Abort-Session-Answer (ASA) Command

   The Abort-Session-Answer (ASA) message [Base] is sent in response to
   the ASR. The Result-Code AVP MUST be present, and indicates the
   disposition of the request.

   If the session identified by Session-Id in the ASR was successfully
   terminated, Result-Code is set to DIAMETER_SUCCESS. If the session
   is not currently active, Result-Code is set to
   DIAMETER_UNKNOWN_SESSION_ID. If the access device does not stop the
   session for any other reason, Result-Code is set to
   DIAMETER_UNABLE_TO_COMPLY.
   Message Format

      <AS-Answer> ::= < Diameter Header: 274, PXY >
                      < Session-Id >
                      { Result-Code }
                      { Origin-Host }
                      { Origin-Realm }
                      [ User-Name ]
                      [ Origin-State-Id ]
                      [ State ]
                      [ Error-Message ]
                      [ Error-Reporting-Host ]
                    * [ Failed-AVP ]
                    * [ Redirected-Host ]
                      [ Redirected-Host-Usage ]
                      [ Redirected-Max-Cache-Time ]
                    * [ Proxy-Info ]
                    * [ AVP ]

3.9. Accounting-Request (ACR) Command

   The Accounting-Request (ACR) message [Base] is sent by the NAS to
   report its session information to a target server downstream.

   One of the Acct-Application-Id and Vendor-Specific-Application-Id
   AVPs MUST be present. If the Vendor-Specific-Application-Id grouped
   AVP is present, it must have an Acct-Application-Id inside.

   The AVPs listed in the Base MUST be assumed to be present as
   appropriate. NAS service specific accounting AVPs SHOULD be present
   as described in section 8 and the rest of this specification.

   Message Format

      <AC-Request> ::= < Diameter Header: 271, REQ, PXY >
                       < Session-Id >
                       { Origin-Host }
                       { Origin-Realm }
                       { Destination-Realm }
                       { Accounting-Record-Type }
                       { Accounting-Record-Number }
                       [ Acct-Application-Id ]
                       [ Vendor-Specific-Application-Id ]
                       [ User-Name ]
                       [ Accounting-Sub-Session-Id ]
                       [ Acct-Session-Id ]
                       [ Acct-Multi-Session-Id ]
                       [ Origin-State-Id ]
                       [ Destination-Host ]
                       [ Event-Timestamp ]
                       [ Acct-Delay-Time ]
                       [ NAS-Identifier ]
                       [ NAS-IP-Address ]
                       [ NAS-IPv6-Address ]
                       [ NAS-Port ]
                       [ NAS-Port-Id ]
                       [ NAS-Port-Type ]
                     * [ Class ]
                       [ Service-Type ]
                       [ Termination-Cause ]
                       [ Accounting-Input-Octets ]
                       [ Accounting-Input-Packets ]
                       [ Accounting-Output-Octets ]
                       [ Accounting-Output-Packets ]
                       [ Acct-Authentic ]
                       [ Accounting-Auth-Method ]
                       [ Acct-Link-Count ]
                       [ Acct-Session-Time ]
                       [ Acct-Tunnel-Connection ]
                       [ Acct-Tunnel-Packets-Lost ]
                       [ Callback-Id ]
                       [ Callback-Number ]
                       [ Called-Station-Id ]
                       [ Calling-Station-Id ]
                     * [ Connection-Info ]
                       [ Originating-Line-Info ]
                       [ Authorization-Lifetime ]
                       [ Session-Timeout ]
                       [ Idle-Timeout ]
                       [ Port-Limit ]
                       [ Accounting-Realtime-Required ]
                       [ Acct-Interim-Interval ]
                     * [ Filter-Id ]
                     * [ NAS-Filter-Rule ]
                       [ Framed-AppleTalk-Link ]
                       [ Framed-AppleTalk-Network ]
                       [ Framed-AppleTalk-Zone ]
                       [ Framed-Compression ]
                       [ Framed-Interface-Id ]
                       [ Framed-IP-Address ]
                       [ Framed-IP-Netmask ]
                     * [ Framed-IPv6-Prefix ]
                       [ Framed-IPv6-Pool ]
                     * [ Framed-IPv6-Route ]
                       [ Framed-IPX-Network ]
                       [ Framed-MTU ]
                       [ Framed-Pool ]
                       [ Framed-Protocol ]
                     * [ Framed-Route ]
                       [ Framed-Routing ]
                     * [ Login-IP-Host ]
                     * [ Login-IPv6-Host ]
                       [ Login-LAT-Group ]
                       [ Login-LAT-Node ]
                       [ Login-LAT-Port ]
                       [ Login-LAT-Service ]
                       [ Login-Service ]
                       [ Login-TCP-Port ]
                     * [ Tunneling ]
                     * [ Proxy-Info ]
                     * [ Route-Record ]
                     * [ AVP ]

3.10. Accounting-Answer (ACA) Command

   The Accounting-Answer (ACA) message [Base] is used to acknowledge an
   Accounting-Request command. The Accounting-Answer command contains
   the same Session-Id as the Request. If the Accounting-Request was
   protected by end-to-end security, then the corresponding ACA message
   MUST be protected by end-to-end security.

   Only the target Diameter Server, or home Diameter Server, SHOULD
   respond with the Accounting-Answer command.

   One of the Acct-Application-Id and Vendor-Specific-Application-Id
   AVPs MUST be present, as in the request.

   The AVPs listed in the Base MUST be assumed to be present as
   appropriate. NAS service specific accounting AVPs SHOULD be present
   as described in section 8 and the rest of this specification.
   Message Format

      <AC-Answer> ::= < Diameter Header: 271, PXY >
                      < Session-Id >
                      { Result-Code }
                      { Origin-Host }
                      { Origin-Realm }
                      { Accounting-Record-Type }
                      { Accounting-Record-Number }
                      [ Acct-Application-Id ]
                      [ Vendor-Specific-Application-Id ]
                      [ User-Name ]
                      [ Accounting-Sub-Session-Id ]
                      [ Acct-Session-Id ]
                      [ Acct-Multi-Session-Id ]
                      [ Event-Timestamp ]
                      [ Error-Reporting-Host ]
                      [ Origin-State-Id ]
                      [ NAS-Identifier ]
                      [ NAS-IP-Address ]
                      [ NAS-IPv6-Address ]
                      [ NAS-Port ]
                      [ NAS-Port-Id ]
                      [ NAS-Port-Type ]
                      [ Service-Type ]
                      [ Termination-Cause ]
                      [ Accounting-Realtime-Required ]
                      [ Acct-Interim-Interval ]
                    * [ Class ]
                    * [ Proxy-Info ]
                    * [ Route-Record ]
                    * [ AVP ]

4. NAS Session AVPs

   Diameter reserves the AVP Codes 0-255 for RADIUS functions that are
   implemented in Diameter.

   AVPs new to Diameter have code values 256 and greater. A Diameter
   message that includes one of these AVPs may represent functions not
   present in the RADIUS environment and may cause interoperability
   issues should the request traverse an AAA system that only supports
   the RADIUS protocol.

   There are some RADIUS attributes that are not allowed or supported
   directly in Diameter. See section 9 below for more information.

4.1. Call and Session Information

   This section contains the AVPs specific to NAS Diameter applications
   that are needed to identify the call and session context and status
   information. On a request, this information allows the server to
   qualify the session.

   These AVPs are used in addition to the Base AVPs of:

      Session-Id
      Auth-Application-Id
      Origin-Host
      Origin-Realm
      Auth-Request-Type
      Termination-Cause

   The following table describes the Session level AVPs, their AVP Code
   values, types, possible flag values and whether the AVP MAY be
   encrypted.
                                                 +---------------------+
                                                 |    AVP Flag rules   |
   ----------------------------------------------|----+-----+----+-----|----+
                          AVP  Section           |    |     |SHLD| MUST|    |
   Attribute Name         Code Defined Value Type|MUST| MAY | NOT|  NOT|Encr|
   ----------------------------------------------|----+-----+----+-----|----|
   NAS-Port               5    4.2   Unsigned32  | M  |  P  |    |  V  | Y  |
   NAS-Port-Id            87   4.3   UTF8String  | M  |  P  |    |  V  | Y  |
   NAS-Port-Type          61   4.4   Enumerated  | M  |  P  |    |  V  | Y  |
   Called-Station-Id      30   4.5   UTF8String  | M  |  P  |    |  V  | Y  |
   Calling-Station-Id     31   4.6   UTF8String  | M  |  P  |    |  V  | Y  |
   Connect-Info           77   4.7   UTF8String  | M  |  P  |    |  V  | Y  |
   Originating-Line-Info  94   4.8   OctetString |    | M,P |    |  V  | Y  |
   Reply-Message          18   4.9   UTF8String  | M  |  P  |    |  V  | Y  |
   ----------------------------------------------|----+-----+----+-----|----|

4.2. NAS-Port AVP

   The NAS-Port AVP (AVP Code 5) is of type Unsigned32 and contains the
   physical or virtual port number of the NAS which is authenticating
   the user. Note that this is using "port" in its sense of a service
   connection on the NAS, not in the sense of an IP protocol identifier.

   Either NAS-Port or NAS-Port-Id (AVP Code 87) SHOULD be present in
   AA-Request commands if the NAS differentiates among its ports.

4.3. NAS-Port-Id AVP

   The NAS-Port-Id AVP (AVP Code 87) is of type UTF8String and consists
   of ASCII text that identifies the port of the NAS which is
   authenticating the user. Note that this is using "port" in its sense
   of a service connection on the NAS, not in the sense of an IP
   protocol identifier.

   Either NAS-Port or NAS-Port-Id SHOULD be present in AA-Request
   commands if the NAS differentiates among its ports. NAS-Port-Id is
   intended for use by NASes which cannot conveniently number their
   ports.

4.4. NAS-Port-Type AVP

   The NAS-Port-Type AVP (AVP Code 61) is of type Enumerated and
   contains the type of the port on which the NAS is authenticating the
   user. This AVP SHOULD be present if the NAS uses the same NAS-Port
   number ranges for different service types concurrently.

   The supported values are defined in [RADIUSTypes]. The following
   list is informational and subject to change in the IANA.

       0  Async
       1  Sync
       2  ISDN Sync
       3  ISDN Async V.120
       4  ISDN Async V.110
       5  Virtual
       6  PIAFS
       7  HDLC Clear Channel
       8  X.25
       9  X.75
      10  G.3 Fax
      11  SDSL - Symmetric DSL
      12  ADSL-CAP - Asymmetric DSL, Carrierless Amplitude Phase
          Modulation
      13  ADSL-DMT - Asymmetric DSL, Discrete Multi-Tone
      14  IDSL - ISDN Digital Subscriber Line
      15  Ethernet
      16  xDSL - Digital Subscriber Line of unknown type
      17  Cable
      18  Wireless - Other
      19  Wireless - IEEE 802.11
      20  Token-Ring [RAD802.1X]
      21  FDDI [RAD802.1X]
      22  Wireless - CDMA2000
      23  Wireless - UMTS
      24  Wireless - 1X-EV
      25  IAPP [IEEE 802.11f]

4.5. Called-Station-Id AVP

   The Called-Station-Id AVP (AVP Code 30) is of type UTF8String, and
   allows the NAS to send in the request the ASCII string describing
   the layer 2 address that the user contacted. For dialup access,
   this can be a phone number, obtained using Dialed Number
   Identification (DNIS) or a similar technology. Note that this may be
   different from the phone number the call comes in on. For use with
   IEEE 802 access, the Called-Station-Id MAY contain a MAC address,
   formatted as described in [RAD802.1X]. It SHOULD only be present in
   authentication and/or authorization requests.

   If the Auth-Request-Type AVP is set to authorization-only and the
   User-Name AVP is absent, the Diameter Server MAY perform
   authorization based on this field.
   This can be used by a NAS to request whether a call should be
   answered based on the DNIS.

   The codification of the range of allowed usage of this field is
   outside the scope of this specification.

4.6. Calling-Station-Id AVP

   The Calling-Station-Id AVP (AVP Code 31) is of type UTF8String, and
   allows the NAS to send in the request the ASCII string describing the
   layer 2 address that the user connected from. For dialup access, this
   is the phone number that the call came from, using Automatic Number
   Identification (ANI) or a similar technology. For use with IEEE 802
   access, the Calling-Station-Id AVP MAY contain a MAC address,
   formatted as described in [RAD802.1X]. It SHOULD only be present in
   authentication and/or authorization requests.

   If the Auth-Request-Type AVP is set to authorization-only and the
   User-Name AVP is absent, the Diameter Server MAY perform
   authorization based on this field. This can be used by a NAS to
   request whether a call should be answered based on the layer 2
   address (ANI, MAC Address, etc.).

   The codification of the range of allowed usage of this field is
   outside the scope of this specification.

4.7. Connect-Info AVP

   The Connect-Info AVP (AVP Code 77) is of type UTF8String and is sent
   in the AA-Request message or ACR STOP message. When sent in the
   AA-Request it indicates the nature of the user's connection. The
   connection speed SHOULD be included at the beginning of the first
   Connect-Info AVP in the message. If the transmit and receive
   connection speeds differ, they may both be included in the first AVP
   with the transmit speed first (the speed the NAS modem transmits at),
   a slash (/), the receive speed, then optionally other information.
   For example, "28800 V42BIS/LAPM" or "52000/31200 V90".

   More than one Connect-Info AVP may be present in an
   Accounting-Request message to accommodate expected efforts by the ITU
   to have modems report more connection information in a standard
   format that might exceed 252 octets.

   If sent in the ACR STOP, this AVP may be used to summarize
   statistics relating to session quality. For example, in IEEE 802.11,
   the Connect-Info AVP may contain information on the number of
   link layer retransmissions. The exact format of this AVP is
   implementation specific.

4.8. Originating-Line-Info AVP

   The Originating-Line-Info AVP (AVP Code 94) is of type OctetString
   and is sent by the NAS system to convey information about the origin
   of the call from an SS7 system.

   The originating line information (OLI) information element indicates
   the nature and/or characteristics of the line from which a call
   originated (e.g. payphone, hotel, cellular). Telephone companies are
   starting to offer OLI to their customers as an option over Primary
   Rate Interface (PRI). Internet Service Providers (ISPs) can use OLI
   in addition to the Called-Station-Id and Calling-Station-Id AVPs to
   differentiate customer calls and define different services.

   The Value field contains two octets (00-99). ANSI T1.113 and BELLCORE
   394 can be used for additional information about those values and
   their use. For more information on current assignment values see
   [ANITypes].
   Value   Description
   ------------------------------------------------------------
   00      Plain Old Telephone Service (POTS)
   01      Multiparty line (more than 2)
   02      ANI Failure
   03      ANI Observed
   04      ONI Observed
   05      ANI Failure Observed
   06      Station Level Rating
   07      Special Operator Handling Required
   08      InterLATA Restricted
   10      Test Call
   20      Automatic Identified Outward Dialing (AIOD)
   23      Coin or Non-Coin
   24      Toll Free Service (Non-Pay origination)
   25      Toll Free Service (Pay origination)
   27      Toll Free Service (Coin Control origination)
   29      Prison/Inmate Service
   30-32   Intercept
     30      Intercept (blank)
     31      Intercept (trouble)
     32      Intercept (regular)
   34      Telco Operator Handled Call
   40-49   Unrestricted Use
   52      Outward Wide Area Telecommunications Service (OUTWATS)
   60      Telecommunications Relay Service (TRS) (Unrestricted)
   61      Cellular/Wireless PCS (Type 1)
   62      Cellular/Wireless PCS (Type 2)
   63      Cellular/Wireless PCS (Roaming)
   66      TRS (Hotel)
   67      TRS (Restricted)
   70      Pay Station, No coin control
   93      Access for private virtual network service

4.9. Reply-Message AVP

   The Reply-Message AVP (AVP Code 18) is of type UTF8String, and
   contains text which MAY be displayed to the user. When used in an
   AA-Answer message with a successful Result-Code AVP it is success
   information. When found in an AA-Answer message with a Result-Code
   other than DIAMETER_SUCCESS, the AVP contains a failure message.

   The Reply-Message AVP MAY indicate dialog text to prompt the user
   before another AA-Request attempt. When used in an AA-Answer with a
   Result-Code of DIAMETER_MULTI_ROUND_AUTH, or in a Re-Auth-Request
   message, it MAY contain dialog text to prompt the user for a
   response.
   Multiple Reply-Message AVPs MAY be included and, if any are
   displayed, they MUST be displayed in the same order as they appear
   in the Diameter message.

5. NAS Authentication AVPs

   This section defines the AVPs that are necessary to carry the
   authentication information in the Diameter protocol. The
   functionality defined here provides a RADIUS-like AAA service, over a
   more reliable and secure transport, as defined in the base protocol
   [Base].

   The following table describes the AVPs, their AVP Code values, types,
   possible flag values and whether the AVP MAY be encrypted.

                                                 +---------------------+
                                                 |    AVP Flag rules   |
   ----------------------------------------------|----+-----+----+-----|----+
                          AVP  Section           |    |     |SHLD| MUST|    |
   Attribute Name         Code Defined Value Type|MUST| MAY | NOT|  NOT|Encr|
   ----------------------------------------------|----+-----+----+-----|----|
   User-Password          2    5.1   OctetString | M  |  P  |    |  V  | Y  |
   Password-Retry         75   5.2   Unsigned32  | M  |  P  |    |  V  | Y  |
   Prompt                 76   5.3   Enumerated  | M  |  P  |    |  V  | Y  |
   CHAP-Auth              402  5.4   Grouped     | M  |  P  |    |  V  | Y  |
   CHAP-Algorithm         403  5.5   Enumerated  | M  |  P  |    |  V  | Y  |
   CHAP-Ident             404  5.6   OctetString | M  |  P  |    |  V  | Y  |
   CHAP-Response          405  5.7   OctetString | M  |  P  |    |  V  | Y  |
   CHAP-Challenge         60   5.8   OctetString | M  |  P  |    |  V  | Y  |
   ARAP-Password          70   5.9   OctetString | M  |  P  |    |  V  | Y  |
   ARAP-Challenge-        84   5.10  OctetString | M  |  P  |    |  V  | Y  |
     Response                                    |    |     |    |     |    |
   ARAP-Security          73   5.11  Unsigned32  | M  |  P  |    |  V  | Y  |
   ARAP-Security-Data     74   5.12  OctetString | M  |  P  |    |  V  | Y  |
   ----------------------------------------------|----+-----+----+-----|----|

5.1. User-Password AVP

   The User-Password AVP (AVP Code 2) is of type OctetString and
   contains the password of the user to be authenticated, or the user's
   input in a multi-round authentication exchange.
   The User-Password AVP contains a user password or one-time password
   and therefore represents sensitive information. As required in
   [Base], Diameter messages are encrypted using IPsec or TLS. Unless
   this AVP is used for one-time passwords, the User-Password AVP SHOULD
   NOT be used in untrusted proxy environments without encrypting it
   using end-to-end security techniques, such as the proposed CMS
   Security [DiamCMS].

   The clear-text password (prior to encryption) MUST NOT be longer than
   128 bytes in length.

5.2. Password-Retry AVP

   The Password-Retry AVP (AVP Code 75) is of type Unsigned32 and MAY be
   included in the AA-Answer if the Result-Code indicates an
   authentication failure. The value of this AVP indicates how many
   authentication attempts a user may be permitted before being
   disconnected. This AVP is primarily intended for use when the
   Framed-Protocol AVP (see Section 6.9.1) is set to ARAP.

5.3. Prompt AVP

   The Prompt AVP (AVP Code 76) is of type Enumerated, and MAY be
   present in the AA-Answer message. When present, it is used by the NAS
   to determine whether the user's response, when entered, should be
   echoed.

   The supported values are listed in [RADIUSTypes]. The following list
   is informational:

      0  No Echo
      1  Echo

5.4. CHAP-Auth AVP

   The CHAP-Auth AVP (AVP Code 402) is of type Grouped and contains the
   information necessary to authenticate a user using the PPP
   Challenge-Handshake Authentication Protocol (CHAP) [PPPCHAP]. If the
   CHAP-Auth AVP is found in a message, the CHAP-Challenge AVP MUST be
   present as well. The optional AVPs containing the CHAP response
   depend upon the value of the CHAP-Algorithm AVP. The grouped AVP has
   the following ABNF grammar:

      CHAP-Auth ::= < AVP Header: 402 >
                    { CHAP-Algorithm }
                    { CHAP-Ident }
                    [ CHAP-Response ]
                  * [ AVP ]

5.5. CHAP-Algorithm AVP

   The CHAP-Algorithm AVP (AVP Code 403) is of type Enumerated and
   contains the algorithm identifier used in the computation of the CHAP
   response [PPPCHAP]. The following values are currently supported:

   CHAP with MD5   5
      The CHAP response is computed using the procedure described in
      [PPPCHAP]. This algorithm requires that the CHAP-Response AVP MUST
      be present in the CHAP-Auth AVP.

5.6. CHAP-Ident AVP

   The CHAP-Ident AVP (AVP Code 404) is of type OctetString and contains
   the one octet CHAP Identifier used in the computation of the CHAP
   response [PPPCHAP].

5.7. CHAP-Response AVP

   The CHAP-Response AVP (AVP Code 405) is of type OctetString and
   contains the 16 octet authentication data provided by the user in
   response to the CHAP challenge [PPPCHAP].

5.8. CHAP-Challenge AVP

   The CHAP-Challenge AVP (AVP Code 60) is of type OctetString and
   contains the CHAP Challenge sent by the NAS to the CHAP peer
   [PPPCHAP].

5.9. ARAP-Password AVP

   The ARAP-Password AVP (AVP Code 70) is of type OctetString and is
   only present when the Framed-Protocol AVP (see Section 6.9.1) is
   included in the message and is set to ARAP. This AVP MUST NOT be
   present if either the User-Password or the CHAP-Auth AVP is present.
   See [RADIUSExt] for more information on the contents of this AVP.

5.10. ARAP-Challenge-Response AVP

   The ARAP-Challenge-Response AVP (AVP Code 84) is of type OctetString
   and is only present when the Framed-Protocol AVP (see Section 6.9.1)
   is included in the message and is set to ARAP. This AVP contains an 8
   octet response to the dial-in client's challenge. The RADIUS server
   calculates this value by taking the dial-in client's challenge from
   the high order 8 octets of the ARAP-Password AVP and performing DES
   encryption on this value with the authenticating user's password as
   the key.
   If the user's password is less than 8 octets in length, the
   password is padded at the end with NULL octets to a length of 8
   before using it as a key.

5.11. ARAP-Security AVP

   The ARAP-Security AVP (AVP Code 73) is of type Unsigned32, and MAY be
   present in the AA-Answer message if the Framed-Protocol AVP (see
   Section 6.9.1) is set to the value of ARAP, and the Result-Code AVP
   is set to DIAMETER_MULTI_ROUND_AUTH. See [RADIUSExt] for more
   information on the format of this AVP.

5.12. ARAP-Security-Data AVP

   The ARAP-Security-Data AVP (AVP Code 74) is of type OctetString, and
   MAY be present in the AA-Request or AA-Answer message if the
   Framed-Protocol AVP is set to the value of ARAP, and the Result-Code
   AVP is set to DIAMETER_MULTI_ROUND_AUTH. This AVP contains the
   security module challenge or response associated with the ARAP
   Security Module specified in ARAP-Security.

6. NAS Authorization AVPs

   This section contains the authorization AVPs that are supported in
   the NAS Application. The Service-Type AVP SHOULD be present in all
   messages, and based on its value, additional AVPs defined in this
   section and section 7 MAY be present.

   Due to space constraints, the short form IPFiltrRule is used to
   represent IPFilterRule.
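   Looking back at the CHAP AVPs of Sections 5.4 to 5.8 and the flag
   rules of the Section 5 table, the following Python code is an added
   example, not part of this draft: it encodes a CHAP-Auth grouped AVP
   plus its CHAP-Challenge on the wire, then decodes and verifies it the
   way a server would, rejecting a missing CHAP-Challenge, a wrong
   algorithm or response length, and flag violations (M not set, V set).
   The AVP header layout (Code, Flags, Length, data padded to 4 octets)
   is taken from [Base]; the secret, identifier and challenge are
   constructed sample values.

```python
import hashlib
import hmac
import struct

# AVP codes from Sections 5.4 to 5.8 of this draft.
CHAP_CHALLENGE = 60
CHAP_AUTH = 402
CHAP_ALGORITHM = 403
CHAP_IDENT = 404
CHAP_RESPONSE = 405
CHAP_WITH_MD5 = 5            # CHAP-Algorithm value "CHAP with MD5"

# AVP header flag bits as laid out in [Base]: V (vendor-specific), M (mandatory), P (protected).
FLAG_V, FLAG_M, FLAG_P = 0x80, 0x40, 0x20

# Flag rules from the Section 5 table: for every CHAP AVP, M MUST be set and V MUST NOT be set
# (P MAY be set, so it is not checked).
FLAG_RULES = {code: (FLAG_M, FLAG_V)
              for code in (CHAP_CHALLENGE, CHAP_AUTH, CHAP_ALGORITHM, CHAP_IDENT, CHAP_RESPONSE)}


def encode_avp(code, data, flags=FLAG_M):
    """Encode one non-vendor AVP: Code(32) Flags(8) Length(24) Data, padded to a 4-octet boundary."""
    length = 8 + len(data)                 # Length covers header and data, not the padding
    header = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    return header + data + b"\x00" * ((-len(data)) % 4)


def decode_avps(buf):
    """Decode consecutive AVPs into (code, flags, data) tuples, enforcing FLAG_RULES.

    Vendor-specific AVPs are not handled: every CHAP AVP here MUST NOT carry the V flag,
    so a V flag on one of them is rejected rather than parsed."""
    avps, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header at offset %d" % off)
        code, flags = struct.unpack_from("!IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        if length < 8 or off + length > len(buf):
            raise ValueError("bad length %d for AVP %d" % (length, code))
        if code in FLAG_RULES:
            must, must_not = FLAG_RULES[code]
            if (flags & must) != must:
                raise ValueError("AVP %d: M flag MUST be set" % code)
            if flags & must_not:
                raise ValueError("AVP %d: V flag MUST NOT be set" % code)
        avps.append((code, flags, bytes(buf[off + 8:off + length])))
        off += length + ((-length) % 4)    # skip padding to the next 4-octet boundary
    return avps


def avp_flags_ok(buf):
    """True when buf decodes cleanly under the flag rules, False otherwise."""
    try:
        decode_avps(buf)
        return True
    except ValueError:
        return False


def build_chap_auth(ident, challenge, secret):
    """NAS side: compute the CHAP with MD5 response, MD5(ident || secret || challenge) per
    [PPPCHAP], and return the CHAP-Auth grouped AVP followed by the CHAP-Challenge AVP."""
    response = hashlib.md5(bytes([ident]) + secret + challenge).digest()
    group = (encode_avp(CHAP_ALGORITHM, struct.pack("!i", CHAP_WITH_MD5))   # Enumerated = Integer32
             + encode_avp(CHAP_IDENT, bytes([ident]))
             + encode_avp(CHAP_RESPONSE, response))
    return encode_avp(CHAP_AUTH, group) + encode_avp(CHAP_CHALLENGE, challenge)


def verify_chap_auth(wire, secret):
    """Server side: apply the Section 5.4 to 5.8 rules, then check the response.
    Returns (ok, reason)."""
    top = {code: data for code, _flags, data in decode_avps(wire)}
    if CHAP_AUTH not in top:
        return False, "no CHAP-Auth"
    if CHAP_CHALLENGE not in top:                     # Section 5.4: CHAP-Challenge MUST accompany CHAP-Auth
        return False, "CHAP-Auth present but CHAP-Challenge missing"
    inner = {code: data for code, _flags, data in decode_avps(top[CHAP_AUTH])}
    if CHAP_ALGORITHM not in inner or CHAP_IDENT not in inner:
        return False, "CHAP-Algorithm and CHAP-Ident are required in CHAP-Auth"
    if len(inner[CHAP_ALGORITHM]) != 4 or len(inner[CHAP_IDENT]) != 1:
        return False, "CHAP-Algorithm must be 4 octets and CHAP-Ident 1 octet"
    if struct.unpack("!i", inner[CHAP_ALGORITHM])[0] != CHAP_WITH_MD5:
        return False, "unsupported CHAP-Algorithm"
    response = inner.get(CHAP_RESPONSE)
    if response is None or len(response) != 16:       # Section 5.5: MD5 requires a 16 octet CHAP-Response
        return False, "CHAP with MD5 requires a 16 octet CHAP-Response"
    expected = hashlib.md5(inner[CHAP_IDENT] + secret + top[CHAP_CHALLENGE]).digest()
    if not hmac.compare_digest(expected, response):   # constant-time comparison
        return False, "CHAP response mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values; a real NAS uses a fresh random challenge per attempt.
    challenge, secret = bytes(range(16)), b"s3cret"
    wire = build_chap_auth(7, challenge, secret)
    print(verify_chap_auth(wire, secret))             # (True, 'ok')
    print(verify_chap_auth(wire, b"wrong"))           # (False, 'CHAP response mismatch')
```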
                                                 +---------------------+
                                                 |    AVP Flag rules   |
   ----------------------------------------------|----+-----+----+-----|----+
                          AVP  Section           |    |     |SHLD| MUST|    |
   Attribute Name         Code Defined Value Type|MUST| MAY | NOT|  NOT|Encr|
   ----------------------------------------------|----+-----+----+-----|----|
   Service-Type           6    6.1    Enumerated | M  |  P  |    |  V  | Y  |
   Callback-Number        19   6.2    UTF8String | M  |  P  |    |  V  | Y  |
   Callback-Id            20   6.3    UTF8String | M  |  P  |    |  V  | Y  |
   Idle-Timeout           28   6.4    Unsigned32 | M  |  P  |    |  V  | Y  |
   Port-Limit             62   6.5    Unsigned32 | M  |  P  |    |  V  | Y  |
   NAS-Filter-Rule        400  6.6    IPFiltrRule| M  |  P  |    |  V  | Y  |
   Filter-Id              11   6.7    UTF8String | M  |  P  |    |  V  | Y  |
   Configuration-Token    78   6.8    OctetString| M  |     |    | P,V |    |
   Framed-Protocol        7    6.9.1  Enumerated | M  |  P  |    |  V  | Y  |
   Framed-Routing         10   6.9.2  Enumerated | M  |  P  |    |  V  | Y  |
   Framed-MTU             12   6.9.3  Unsigned32 | M  |  P  |    |  V  | Y  |
   Framed-Compression     13   6.9.4  Enumerated | M  |  P  |    |  V  | Y  |
   Framed-IP-Address      8    6.10.1 OctetString| M  |  P  |    |  V  | Y  |
   Framed-IP-Netmask      9    6.10.2 OctetString| M  |  P  |    |  V  | Y  |
   Framed-Route           22   6.10.3 UTF8String | M  |  P  |    |  V  | Y  |
   Framed-Pool            88   6.10.4 OctetString| M  |  P  |    |  V  | Y  |
   Framed-Interface-Id    96   6.10.5 Unsigned64 | M  |  P  |    |  V  | Y  |
   Framed-IPv6-Prefix     97   6.10.6 OctetString| M  |  P  |    |  V  | Y  |
   Framed-IPv6-Route      99   6.10.7 UTF8String | M  |  P  |    |  V  | Y  |
   Framed-IPv6-Pool       100  6.10.8 OctetString| M  |  P  |    |  V  | Y  |
   Framed-IPX-Network     23   6.11.1 UTF8String | M  |  P  |    |  V  | Y  |
   Framed-Appletalk-Link  37   6.12.1 Unsigned32 | M  |  P  |    |  V  | Y  |
   Framed-Appletalk-      38   6.12.2 Unsigned32 | M  |  P  |    |  V  | Y  |
     Network                                     |    |     |    |     |    |
   Framed-Appletalk-Zone  39   6.12.3 OctetString| M  |  P  |    |  V  | Y  |
   ARAP-Features          71   6.13.1 OctetString| M  |  P  |    |  V  | Y  |
   ARAP-Zone-Access       72   6.13.2 Enumerated | M  |  P  |    |  V  | Y  |
   Login-IP-Host          14   6.14.1 OctetString| M  |  P  |    |  V  | Y  |
   Login-IPv6-Host        98   6.14.2 OctetString| M  |  P  |    |  V  | Y  |
   Login-Service          15   6.14.3 Enumerated | M  |  P  |    |  V  | Y  |
   Login-TCP-Port         16   6.15.1 Unsigned32 | M  |  P  |    |  V  | Y  |
   Login-LAT-Service      34   6.16.1 OctetString| M  |  P  |    |  V  | Y  |
   Login-LAT-Node         35   6.16.2 OctetString| M  |  P  |    |  V  | Y  |
   Login-LAT-Group        36   6.16.3 OctetString| M  |  P  |    |  V  | Y  |
   Login-LAT-Port         63   6.16.4 OctetString| M  |  P  |    |  V  | Y  |
   ----------------------------------------------|----+-----+----+-----|----|

6.1. Service-Type AVP

   The Service-Type AVP (AVP Code 6) is of type Enumerated and contains
   the type of service the user has requested, or the type of service to
   be provided. One such AVP MAY be present in an authentication and/or
   authorization request or response. A NAS is not required to implement
   all of these service types, and MUST treat unknown or unsupported
   Service-Types received in a response as a failure, and end the
   session with a DIAMETER_INVALID_AVP_VALUE Result-Code.

   When used in a request, the Service-Type AVP SHOULD be considered to
   be a hint to the server that the NAS has reason to believe the user
   would prefer the kind of service indicated, but the server is not
   required to honor the hint. Furthermore, if the service specified by
   the server is supported, but not compatible with the current mode of
   access, the NAS MUST fail to start the session. The NAS MUST also
   generate the appropriate error message(s).

   The following values have been defined for the Service-Type AVP. The
   complete list of defined values can be found in [RADIUS] and
   [RADIUSTypes].
   The following list is informational:

       1  Login
       2  Framed
       3  Callback Login
       4  Callback Framed
       5  Outbound
       6  Administrative
       7  NAS Prompt
       8  Authenticate Only
       9  Callback NAS Prompt
      10  Call Check
      11  Callback Administrative
      12  Voice
      13  Fax
      14  Modem Relay
      15  IAPP-Register [IEEE 802.11f]
      16  IAPP-AP-Check [IEEE 802.11f]
      17  Authorize Only [RFC3576]

   The following values are further qualified:

   Login               1
      The user should be connected to a host. The message MAY include
      additional AVPs defined in sections 6.15 or 6.16.

   Framed              2
      A Framed Protocol should be started for the User, such as PPP
      or SLIP. The message MAY include additional AVPs defined in
      sections 6.9, or 7 for tunneling services.

   Callback Login      3
      The user should be disconnected and called back, then connected
      to a host. The message MAY include additional AVPs defined in
      this section.

   Callback Framed     4
      The user should be disconnected and called back, then a Framed
      Protocol should be started for the User, such as PPP or SLIP.
      The message MAY include additional AVPs defined in sections
      6.9, or 7 for tunneling services.

6.2. Callback-Number AVP

   The Callback-Number AVP (AVP Code 19) is of type UTF8String, and
   contains a dialing string to be used for callback. It MAY be used in
   an authentication and/or authorization request as a hint to the
   server that a Callback service is desired, but the server is not
   required to honor the hint in the corresponding response.

   The codification of the range of allowed usage of this field is
   outside the scope of this specification.

6.3. Callback-Id AVP

   The Callback-Id AVP (AVP Code 20) is of type UTF8String, and contains
   the name of a place to be called, to be interpreted by the NAS. This
   AVP MAY be present in an authentication and/or authorization
   response.
   This AVP is not roaming-friendly since it assumes that the Callback-
   Id is configured on the NAS.  It is therefore preferable to use the
   Callback-Number AVP instead.

6.4.  Idle-Timeout AVP

   The Idle-Timeout AVP (AVP Code 28) is of type Unsigned32 and sets the
   maximum number of consecutive seconds of idle connection allowed to
   the user before termination of the session or a prompt is issued.  It
   MAY be used in an authentication and/or authorization request (or
   challenge) as a hint to the server that an idle timeout is desired,
   but the server is not required to honor the hint in the corresponding
   response.  The default is none, or system specific.

6.5.  Port-Limit AVP

   The Port-Limit AVP (AVP Code 62) is of type Unsigned32 and sets the
   maximum number of ports to be provided to the user by the NAS.  It
   MAY be used in an authentication and/or authorization request as a
   hint to the server that multilink PPP [PPPMP] service is desired, but
   the server is not required to honor the hint in the corresponding
   response.

6.6.  NAS-Filter-Rule AVP

   The NAS-Filter-Rule AVP (AVP Code 400) is of type IPFilterRule, and
   provides filter rules that need to be configured on the NAS for the
   user.  One or more such AVPs MAY be present in an authorization
   response.

6.7.  Filter-Id AVP

   The Filter-Id AVP (AVP Code 11) is of type UTF8String, and contains
   the name of the filter list for this user.  Zero or more Filter-Id
   AVPs MAY be sent in an authorization answer.

   Identifying a filter list by name allows the filter to be used on
   different NASes without regard to filter-list implementation details.
   However, this AVP is not roaming friendly since filter naming differs
   from one service provider to another.

   In non-RADIUS environments, it is RECOMMENDED that the NAS-Filter-
   Rule AVP be used instead.

6.8.  Configuration-Token AVP

   The Configuration-Token AVP (AVP Code 78) is of type OctetString and
   is sent by a Diameter Server to a Diameter Proxy Agent or Translation
   Agent in an AA-Answer command to indicate a type of user profile to
   be used.  It should not be sent to a Diameter Client (NAS).

   The format of the Data field of this AVP is site specific.

6.9.  Framed Access Authorization AVPs

   This section contains the authorization AVPs that are necessary to
   support framed access, such as PPP, SLIP, etc.  AVPs defined in this
   section MAY be present in a message if the Service-Type AVP was set
   to "Framed" or "Callback Framed".

6.9.1.  Framed-Protocol AVP

   The Framed-Protocol AVP (AVP Code 7) is of type Enumerated and
   contains the framing to be used for framed access.  This AVP MAY be
   present in both requests and responses.  The supported values are
   listed in [RADIUSTypes].  The following list is informational:

      1  PPP
      2  SLIP
      3  AppleTalk Remote Access Protocol (ARAP)
      4  Gandalf proprietary SingleLink/MultiLink protocol
      5  Xylogics proprietary IPX/SLIP
      6  X.75 Synchronous

6.9.2.  Framed-Routing AVP

   The Framed-Routing AVP (AVP Code 10) is of type Enumerated and
   contains the routing method for the user, when the user is a router
   to a network.  This AVP SHOULD only be present in authorization
   responses.  The supported values are listed in [RADIUSTypes].  The
   following list is informational:

      0  None
      1  Send routing packets
      2  Listen for routing packets
      3  Send and Listen

6.9.3.  Framed-MTU AVP

   The Framed-MTU AVP (AVP Code 12) is of type Unsigned32 and contains
   the Maximum Transmission Unit to be configured for the user, when it
   is not negotiated by some other means (such as PPP).  This AVP SHOULD
   only be present in authorization responses.  The MTU value MUST be in
   the range of 64 and 65535.

6.9.4.  Framed-Compression AVP

   The Framed-Compression AVP (AVP Code 13) is of type Enumerated and
   contains the compression protocol to be used for the link.  It MAY be
   used in an authorization request as a hint to the server that a
   specific compression type is desired, but the server is not required
   to honor the hint in the corresponding response.

   More than one compression protocol AVP MAY be sent.  It is the
   responsibility of the NAS to apply the proper compression protocol to
   appropriate link traffic.

   The supported values are listed in [RADIUSTypes].  The following list
   is informational:

      0  None
      1  VJ TCP/IP header compression
      2  IPX header compression
      3  Stac-LZS compression

6.10.  IP Access Authorization AVPs

   The AVPs defined in this section are used when the user requests, or
   is being granted, access service to IP.

6.10.1.  Framed-IP-Address AVP

   The Framed-IP-Address AVP (AVP Code 8) [RADIUS] is of type
   OctetString and contains an IPv4 address, of the type specified in
   the attribute value, to be configured for the user.  It MAY be used in
   an authorization request as a hint to the server that a specific
   address is desired, but the server is not required to honor the hint
   in the corresponding response.

   Two values have special significance: 0xFFFFFFFF and 0xFFFFFFFE.  The
   value 0xFFFFFFFF indicates that the NAS should allow the user to
   select an address (e.g., Negotiated).  The value 0xFFFFFFFE indicates
   that the NAS should select an address for the user (e.g., Assigned
   from a pool of addresses kept by the NAS).

6.10.2.  Framed-IP-Netmask AVP

   The Framed-IP-Netmask AVP (AVP Code 9) is of type OctetString and
   contains the four octets of the IPv4 netmask to be configured for the
   user when the user is a router to a network.
   It MAY be used in an
   authorization request as a hint to the server that a specific netmask
   is desired, but the server is not required to honor the hint in the
   corresponding response.  This AVP MUST be present in a response if the
   request included this AVP with a value of 0xFFFFFFFF.

6.10.3.  Framed-Route AVP

   The Framed-Route AVP (AVP Code 22) is of type UTF8String, and
   contains the ASCII routing information to be configured for the user
   on the NAS.  Zero or more such AVPs MAY be present in an authorization
   response.

   The string MUST contain a destination prefix in dotted quad form
   optionally followed by a slash and a decimal length specifier stating
   how many high order bits of the prefix should be used.  That is
   followed by a space, a gateway address in dotted quad form, a space,
   and one or more metrics separated by spaces.  For example,
   "192.168.1.0/24 192.168.1.1 1".

   The length specifier may be omitted, in which case it should default
   to 8 bits for class A prefixes, 16 bits for class B prefixes, and 24
   bits for class C prefixes.  For example, "192.168.1.0 192.168.1.1 1".

   Whenever the gateway address is specified as "0.0.0.0" the IP address
   of the user SHOULD be used as the gateway address.

6.10.4.  Framed-Pool AVP

   The Framed-Pool AVP (AVP Code 88) is of type OctetString and contains
   the name of an assigned address pool that SHOULD be used to assign an
   address for the user.  If a NAS does not support multiple address
   pools, the NAS SHOULD ignore this AVP.  Address pools are usually
   used for IP addresses, but can be used for other protocols if the NAS
   supports pools for those protocols.

   Although specified as type OctetString for compatibility with RADIUS
   [RADIUSExt], the encoding of the Data field SHOULD also conform to
   the rules for the UTF8String Data Format.

6.10.5.  Framed-Interface-Id AVP

   The Framed-Interface-Id AVP (AVP Code 96) is of type Unsigned64 and
   contains the IPv6 interface identifier to be configured for the user.
   It MAY be used in authorization requests as a hint to the server that
   a specific interface id is desired, but the server is not required to
   honor the hint in the corresponding response.

6.10.6.  Framed-IPv6-Prefix AVP

   The Framed-IPv6-Prefix AVP (AVP Code 97) is of type OctetString and
   contains the IPv6 prefix to be configured for the user.  One or more
   AVPs MAY be used in authorization requests as a hint to the server
   that specific IPv6 prefixes are desired, but the server is not
   required to honor the hint in the corresponding response.

6.10.7.  Framed-IPv6-Route AVP

   The Framed-IPv6-Route AVP (AVP Code 99) is of type UTF8String, and
   contains the ASCII routing information to be configured for the user
   on the NAS.  Zero or more such AVPs MAY be present in an authorization
   response.

   The string MUST contain an IPv6 address prefix followed by a slash
   and a decimal length specifier stating how many high order bits of
   the prefix should be used.  That is followed by a space, a gateway
   address in hexadecimal notation, a space, and one or more metrics
   separated by spaces.  For example:
   "2000:0:0:106::/64 2000::106:a00:20ff:fe99:a998 1".

   Whenever the gateway address is the IPv6 unspecified address the IP
   address of the user SHOULD be used as the gateway address, such as:
   "2000:0:0:106::/64 :: 1".

6.10.8.  Framed-IPv6-Pool AVP

   The Framed-IPv6-Pool AVP (AVP Code 100) is of type OctetString, and
   contains the name of an assigned pool that SHOULD be used to assign
   an IPv6 prefix for the user.  If the access device does not support
   multiple prefix pools, it MUST ignore this AVP.
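   The string grammars of Sections 6.10.3 (Framed-Route) and 6.10.7
   (Framed-IPv6-Route) above are easy to get subtly wrong on a NAS: the
   IPv4 prefix length may be omitted and then falls back to the classful
   default, the IPv6 form has no such fallback, and an unspecified
   gateway means "use the user's own address".  The following Python
   parser is an added example written for this page; it is not code from
   the draft or from any Diameter implementation.  It assumes the caller
   passes in the address configured for the user (the user_address
   parameter is this example's own), rejects class D/E first octets when
   no length is given, and uses the draft's own example strings plus a
   few constructed ones as input.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass
class FramedRoute:
    prefix: IPNetwork     # destination, with the prefix length applied
    gateway: IPAddress    # next hop; the user's address if the string said 0.0.0.0 or ::
    metrics: List[int]    # one or more metrics, in the order given


def classful_prefixlen(addr: ipaddress.IPv4Address) -> int:
    """Default prefix length when '/len' is omitted (Section 6.10.3):
    8 bits for a class A prefix, 16 for class B, 24 for class C.
    Class D/E first octets have no classful default and are rejected
    (this example's choice; the draft does not cover them)."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError(f"no classful default for {addr}; a /len is required")


def parse_framed_route(text: str, user_address: str) -> FramedRoute:
    """Parse a Framed-Route (IPv4, Section 6.10.3) or Framed-IPv6-Route
    (IPv6, Section 6.10.7) string: "<prefix>[/len] <gateway> <metric>...".

    user_address (example parameter) is the address configured for the
    user; it replaces a gateway given as the unspecified address
    (0.0.0.0 or ::), as both sections direct."""
    fields = text.split()
    if len(fields) < 3:
        raise ValueError("route needs a prefix, a gateway and at least one metric")
    dest, gateway_text, metric_texts = fields[0], fields[1], fields[2:]

    if "/" in dest:
        addr_text, _, len_text = dest.partition("/")
        addr = ipaddress.ip_address(addr_text)
        prefixlen = int(len_text)
    else:
        addr = ipaddress.ip_address(dest)
        if addr.version != 4:
            # Section 6.10.7 makes the slash and length mandatory for IPv6.
            raise ValueError("Framed-IPv6-Route requires an explicit /len")
        prefixlen = classful_prefixlen(addr)
    # strict=False keeps only the high-order prefixlen bits, as the text says.
    prefix = ipaddress.ip_network((str(addr), prefixlen), strict=False)

    gateway = ipaddress.ip_address(gateway_text)
    if gateway.version != prefix.version:
        raise ValueError("gateway and prefix are of different address families")
    if gateway.is_unspecified:
        gateway = ipaddress.ip_address(user_address)
        if gateway.version != prefix.version:
            raise ValueError("user address and prefix are of different address families")

    metrics = [int(m) for m in metric_texts]
    if any(m < 0 for m in metrics):
        raise ValueError("metrics must be non-negative")
    return FramedRoute(prefix, gateway, metrics)


if __name__ == "__main__":
    # The draft's own examples, parsed with a constructed user address.
    for route in ("192.168.1.0/24 192.168.1.1 1",
                  "192.168.1.0 192.168.1.1 1",
                  "2000:0:0:106::/64 2000::106:a00:20ff:fe99:a998 1",
                  "2000:0:0:106::/64 :: 1"):
        print(parse_framed_route(route, "2000:0:0:106::1" if ":" in route else "10.7.7.7"))
```

   Every malformed input (missing metric, IPv6 prefix without a length,
   mixed address families) raises ValueError rather than producing a
   partially filled route, so a NAS using this shape of parser can refuse
   the AVP as a whole instead of installing a route it did not fully
   understand.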
   Although specified as type OctetString for compatibility with RADIUS
   [RADIUSIPv6], the encoding of the Data field SHOULD also conform to
   the rules for the UTF8String Data Format.

6.11.  IPX Access

   The AVPs defined in this section are used when the user requests, or
   is being granted, access to an IPX network service.

6.11.1.  Framed-IPX-Network AVP

   The Framed-IPX-Network AVP (AVP Code 23) is of type Unsigned32, and
   contains the IPX Network number to be configured for the user.  It MAY
   be used in an authorization request as a hint to the server that a
   specific address is desired, but the server is not required to honor
   the hint in the corresponding response.

   Two addresses have special significance: 0xFFFFFFFF and 0xFFFFFFFE.
   The value 0xFFFFFFFF indicates that the NAS should allow the user to
   select an address (e.g., Negotiated).  The value 0xFFFFFFFE indicates
   that the NAS should select an address for the user (e.g., assigned
   from a pool of one or more IPX networks kept by the NAS).

6.12.  AppleTalk Network Access

   The AVPs defined in this section are used when the user requests, or
   is being granted, access to an AppleTalk network [AppleTalk].

6.12.1.  Framed-AppleTalk-Link AVP

   The Framed-AppleTalk-Link AVP (AVP Code 37) is of type Unsigned32 and
   contains the AppleTalk network number which should be used for the
   serial link to the user, which is another AppleTalk router.  This AVP
   MUST only be present in an authorization response and is never used
   when the user is not another router.

   Despite the size of the field, values range from zero to 65535.  The
   special value of zero indicates that this is an unnumbered serial
   link.  A value of one to 65535 means that the serial line between the
   NAS and the user should be assigned that value as an AppleTalk
   network number.

6.12.2.  Framed-AppleTalk-Network AVP

   The Framed-AppleTalk-Network AVP (AVP Code 38) is of type Unsigned32
   and contains the AppleTalk Network number which the NAS should probe
   to allocate an AppleTalk node for the user.  This AVP MUST only be
   present in an authorization response and is never used when the user
   is not another router.  Multiple instances of this AVP indicate that
   the NAS may probe using any of the network numbers specified.

   Despite the size of the field, values range from zero to 65535.  The
   special value zero indicates that the NAS should assign a network for
   the user, using its default cable range.  A value between one and
   65535 (inclusive) indicates the AppleTalk Network the NAS should
   probe to find an address for the user.

6.12.3.  Framed-AppleTalk-Zone AVP

   The Framed-AppleTalk-Zone AVP (AVP Code 39) is of type OctetString
   and contains the AppleTalk Default Zone to be used for this user.
   This AVP MUST only be present in an authorization response.  Multiple
   instances of this AVP in the same message are not allowed.

   The codification of the range of allowed usage of this field is
   outside the scope of this specification.

6.13.  AppleTalk Remote Access

   The AVPs defined in this section are used when the user requests, or
   is being granted, access to the AppleTalk network via the AppleTalk
   Remote Access Protocol [ARAP].  They are only present if the Framed-
   Protocol AVP (see Section 6.9.1) is set to ARAP.  Section 2.2 of RFC
   2869 [RADIUSExt] describes the operational use of these attributes.

6.13.1.  ARAP-Features AVP

   The ARAP-Features AVP (AVP Code 71) is of type OctetString, and MAY
   be present in the AA-Accept message if the Framed-Protocol AVP is set
   to the value of ARAP.  See [RADIUSExt] for more information on the
   format of this AVP.

6.13.2.  ARAP-Zone-Access AVP

   The ARAP-Zone-Access AVP (AVP Code 72) is of type Enumerated, and MAY
   be present in the AA-Accept message if the Framed-Protocol AVP is set
   to the value of ARAP.

   The supported values are listed in [RADIUSTypes], and are defined in
   [RADIUSExt].

6.14.  Non-Framed Access Authorization AVPs

   This section contains the authorization AVPs that are needed to
   support terminal server functionality.  AVPs defined in this section
   MAY be present in a message if the Service-Type AVP was set to
   "Login" or "Callback Login".

6.14.1.  Login-IP-Host AVP

   The Login-IP-Host AVP (AVP Code 14) [RADIUS] is of type OctetString
   and contains the IPv4 address of a host with which to connect the
   user when the Login-Service AVP is included.  It MAY be used in an
   AA-Request command as a hint to the Diameter Server that a specific
   host is desired, but the Diameter Server is not required to honor the
   hint in the AA-Answer.

   Two addresses have special significance: all ones and 0.  The value
   of all ones indicates that the NAS SHOULD allow the user to select an
   address.  The value 0 indicates that the NAS SHOULD select a host to
   connect the user to.

6.14.2.  Login-IPv6-Host AVP

   The Login-IPv6-Host AVP (AVP Code 98) [RADIUSIPv6] is of type
   OctetString and contains the IPv6 address of a host with which to
   connect the user when the Login-Service AVP is included.  It MAY be
   used in an AA-Request command as a hint to the Diameter Server that a
   specific host is desired, but the Diameter Server is not required to
   honor the hint in the AA-Answer.

   Two addresses have special significance:
   0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF and 0.  The value
   0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF indicates that the NAS SHOULD
   allow the user to select an address.  The value 0 indicates that the
   NAS SHOULD select a host to connect the user to.

6.14.3.  Login-Service AVP

   The Login-Service AVP (AVP Code 15) is of type Enumerated and
   contains the service which should be used to connect the user to the
   login host.  This AVP SHOULD only be present in authorization
   responses.

   The supported values are listed in [RADIUSTypes].  The following list
   is informational:

      0  Telnet
      1  Rlogin
      2  TCP Clear
      3  PortMaster (proprietary)
      4  LAT
      5  X25-PAD
      6  X25-T3POS
      8  TCP Clear Quiet (suppresses any NAS-generated connect
         string)

6.15.  TCP Services

   The AVPs described in this section MAY be present if the Login-
   Service AVP is set to Telnet, Rlogin, TCP Clear or TCP Clear Quiet.

6.15.1.  Login-TCP-Port AVP

   The Login-TCP-Port AVP (AVP Code 16) is of type Unsigned32 and
   contains the TCP port with which the user is to be connected, when
   the Login-Service AVP is also present.  This AVP SHOULD only be
   present in authorization responses.  The value MUST NOT be greater
   than 65535.

6.16.  LAT Services

   The AVPs described in this section MAY be present if the Login-
   Service AVP is set to LAT [LAT].

6.16.1.  Login-LAT-Service AVP

   The Login-LAT-Service AVP (AVP Code 34) is of type OctetString and
   contains the system with which the user is to be connected by LAT.  It
   MAY be used in an authorization request as a hint to the server that
   a specific service is desired, but the server is not required to
   honor the hint in the corresponding response.  This AVP MUST only be
   present in the response if the Login-Service AVP states that LAT is
   desired.

   Administrators use the service attribute when dealing with clustered
   systems, such as a VAX or Alpha cluster.  In such an environment
   several different time sharing hosts share the same resources (disks,
   printers, etc.), and administrators often configure each to offer
   access (service) to each of the shared resources.
   In this case, each
   host in the cluster advertises its services through LAT broadcasts.

   Sophisticated users often know which service providers (machines) are
   faster and tend to use a node name when initiating a LAT connection.
   Alternately, some administrators want particular users to use certain
   machines as a primitive form of load balancing (although LAT knows
   how to do load balancing itself).

   The String field contains the identity of the LAT service to use.
   The LAT Architecture allows this string to contain $ (dollar), -
   (hyphen), . (period), _ (underscore), numerics, upper and lower case
   alphabetics, and the ISO Latin-1 character set extension [ISOLatin].
   All LAT string comparisons are case insensitive.

6.16.2.  Login-LAT-Node AVP

   The Login-LAT-Node AVP (AVP Code 35) is of type OctetString and
   contains the Node with which the user is to be automatically
   connected by LAT.  It MAY be used in an authorization request as a
   hint to the server that a specific LAT node is desired, but the
   server is not required to honor the hint in the corresponding
   response.  This AVP MUST only be present in a response if the Login-
   Service-Type AVP is set to LAT.

   The String field contains the identity of the LAT service to use.
   The LAT Architecture allows this string to contain $ (dollar), -
   (hyphen), . (period), _ (underscore), numerics, upper and lower case
   alphabetics, and the ISO Latin-1 character set extension [ISOLatin].
   All LAT string comparisons are case insensitive.

6.16.3.  Login-LAT-Group AVP

   The Login-LAT-Group AVP (AVP Code 36) is of type OctetString and
   contains a string identifying the LAT group codes which this user is
   authorized to use.  It MAY be used in an authorization request as a
   hint to the server that a specific group is desired, but the server
   is not required to honor the hint in the corresponding response.
   This
   AVP MUST only be present in a response if the Login-Service-Type AVP
   is set to LAT.

   LAT supports 256 different group codes, which LAT uses as a form of
   access rights.  LAT encodes the group codes as a 256-bit bitmap.

   Administrators can assign one or more of the group code bits at the
   LAT service provider; it will only accept LAT connections that have
   these group codes set in the bit map.  The administrators assign a
   bitmap of authorized group codes to each user; LAT gets these from
   the operating system, and uses these in its requests to the service
   providers.

   The codification of the range of allowed usage of this field is
   outside the scope of this specification.

6.16.4.  Login-LAT-Port AVP

   The Login-LAT-Port AVP (AVP Code 63) is of type OctetString and
   contains the Port with which the user is to be connected by LAT.  It
   MAY be used in an authorization request as a hint to the server that
   a specific port is desired, but the server is not required to honor
   the hint in the corresponding response.  This AVP MUST only be present
   in a response if the Login-Service-Type AVP is set to LAT.

   The String field contains the identity of the LAT service to use.
   The LAT Architecture allows this string to contain $ (dollar), -
   (hyphen), . (period), _ (underscore), numerics, upper and lower case
   alphabetics, and the ISO Latin-1 character set extension [ISOLatin].
   All LAT string comparisons are case insensitive.

7.  NAS Tunneling

   Some NASes support compulsory tunnel services where the incoming
   connection data is conveyed by an encapsulation method to a gateway
   elsewhere in the network.  This is typically transparent to the
   service user, and the tunnel characteristics may be described by the
   remote AAA server, based on the user's authorization information.
   Several tunnel characteristics may be returned, and the NAS
   implementation may choose one.  [RADTunnels], [RADTunlAcct]

                                                +---------------------+
                                                |    AVP Flag rules   |
                                                |----+-----+----+-----|----+
                        AVP  Section            |    |     |SHLD| MUST|    |
   Attribute Name       Code Defined  Value Type|MUST| MAY | NOT| NOT |Encr|
   ----------------------------------------------|----+-----+----+-----|----|
   Tunneling            401  7.1      Grouped    | M  |  P  |    |  V  | N  |
   Tunnel-Type           64  7.2      Enumerated | M  |  P  |    |  V  | Y  |
   Tunnel-Medium-        65  7.3      Enumerated | M  |  P  |    |  V  | Y  |
     Type                                        |    |     |    |     |    |
   Tunnel-Client-        66  7.4      UTF8String | M  |  P  |    |  V  | Y  |
     Endpoint                                    |    |     |    |     |    |
   Tunnel-Server-        67  7.5      UTF8String | M  |  P  |    |  V  | Y  |
     Endpoint                                    |    |     |    |     |    |
   Tunnel-Password       69  7.6      OctetString| M  |  P  |    |  V  | Y  |
   Tunnel-Private-       81  7.7      OctetString| M  |  P  |    |  V  | Y  |
     Group-Id                                    |    |     |    |     |    |
   Tunnel-               82  7.8      OctetString| M  |  P  |    |  V  | Y  |
     Assignment-Id                               |    |     |    |     |    |
   Tunnel-Preference     83  7.9      Unsigned32 | M  |  P  |    |  V  | Y  |
   Tunnel-Client-        90  7.10     UTF8String | M  |  P  |    |  V  | Y  |
     Auth-Id                                     |    |     |    |     |    |
   Tunnel-Server-        91  7.11     UTF8String | M  |  P  |    |  V  | Y  |
     Auth-Id                                     |    |     |    |     |    |
   ----------------------------------------------|----+-----+----+-----|----|

7.1.  Tunneling AVP

   The Tunneling AVP (AVP Code 401) is of type Grouped and contains the
   following AVPs used to describe a compulsory tunnel service
   [RADTunnels], [RADTunlAcct].  Its data field has the following ABNF
   grammar:

      Tunneling ::= < AVP Header: 401 >
                    { Tunnel-Type }
                    { Tunnel-Medium-Type }
                    { Tunnel-Client-Endpoint }
                    { Tunnel-Server-Endpoint }
                    [ Tunnel-Preference ]
                    [ Tunnel-Client-Auth-Id ]
                    [ Tunnel-Server-Auth-Id ]
                    [ Tunnel-Assignment-Id ]
                    [ Tunnel-Password ]
                    [ Tunnel-Private-Group-Id ]

7.2.  Tunnel-Type AVP

   The Tunnel-Type AVP (AVP Code 64) is of type Enumerated and contains
   the tunneling protocol(s) to be used (in the case of a tunnel
   initiator) or the tunneling protocol in use (in the case of a tunnel
   terminator).  It MAY be used in an authorization request as a hint to
   the server that a specific tunnel type is desired, but the server is
   not required to honor the hint in the corresponding response.

   The Tunnel-Type AVP SHOULD also be included in Accounting-Request
   messages.

   A tunnel initiator is not required to implement any of these tunnel
   types; if a tunnel initiator receives a response that contains only
   unknown or unsupported Tunnel-Types, the tunnel initiator MUST behave
   as though a response was received with the Result-Code indicating a
   failure.

   The supported values are listed in [RADIUSTypes].  The following list
   is informational:

      1   Point-to-Point Tunneling Protocol (PPTP)
      2   Layer Two Forwarding (L2F)
      3   Layer Two Tunneling Protocol (L2TP)
      4   Ascend Tunnel Management Protocol (ATMP)
      5   Virtual Tunneling Protocol (VTP)
      6   IP Authentication Header in the Tunnel-mode (AH)
      7   IP-in-IP Encapsulation (IP-IP)
      8   Minimal IP-in-IP Encapsulation (MIN-IP-IP)
      9   IP Encapsulating Security Payload in the Tunnel-mode (ESP)
      10  Generic Route Encapsulation (GRE)
      11  Bay Dial Virtual Services (DVS)
      12  IP-in-IP Tunneling
      13  Virtual LANs (VLAN)

7.3.  Tunnel-Medium-Type AVP

   The Tunnel-Medium-Type AVP (AVP Code 65) is of type Enumerated and
   contains the transport medium to use when creating a tunnel for those
   protocols (such as L2TP) that can operate over multiple transports.
   It MAY be used in an authorization request as a hint to the server
   that a specific medium is desired, but the server is not required to
   honor the hint in the corresponding response.
   The supported values are listed in [RADIUSTypes].  The following list
   is informational:

      1   IPv4 (IP version 4)
      2   IPv6 (IP version 6)
      3   NSAP
      4   HDLC (8-bit multidrop)
      5   BBN 1822
      6   802 (includes all 802 media plus Ethernet "canonical
          format")
      7   E.163 (POTS)
      8   E.164 (SMDS, Frame Relay, ATM)
      9   F.69 (Telex)
      10  X.121 (X.25, Frame Relay)
      11  IPX
      12  Appletalk
      13  Decnet IV
      14  Banyan Vines
      15  E.164 with NSAP format subaddress

7.4.  Tunnel-Client-Endpoint AVP

   The Tunnel-Client-Endpoint AVP (AVP Code 66) is of type UTF8String,
   and contains the address of the initiator end of the tunnel.  It MAY
   be used in an authorization request as a hint to the server that a
   specific endpoint is desired, but the server is not required to honor
   the hint in the corresponding response.

   This AVP SHOULD be included in the corresponding Accounting-Request
   messages, in which case it indicates the address from which the
   tunnel was initiated.  This AVP, along with the Tunnel-Server-Endpoint
   and Session-Id AVP [Base], MAY be used to provide a globally unique
   means to identify a tunnel for accounting and auditing purposes.

   If Tunnel-Medium-Type is IPv4 (1), then this string is either the
   fully qualified domain name (FQDN) of the tunnel client machine, or
   it is a "dotted-decimal" IP address.  Implementations MUST support
   the dotted-decimal format and SHOULD support the FQDN format for IP
   addresses.

   If Tunnel-Medium-Type is IPv6 (2), then this string is either the
   FQDN of the tunnel client machine, or it is a text representation of
   the address in either the preferred or alternate form [IPv6Addr].
   Conformant implementations MUST support the preferred form and SHOULD
   support both the alternate text form and the FQDN format for IPv6
   addresses.
   If Tunnel-Medium-Type is neither IPv4 nor IPv6, this string is a tag
   referring to configuration data local to the Diameter client that
   describes the interface or medium-specific client address to use.

7.5.  Tunnel-Server-Endpoint AVP

   The Tunnel-Server-Endpoint AVP (AVP Code 67) is of type UTF8String,
   and contains the address of the server end of the tunnel.  It MAY be
   used in an authorization request as a hint to the server that a
   specific endpoint is desired, but the server is not required to honor
   the hint in the corresponding response.

   This AVP SHOULD be included in the corresponding Accounting-Request
   messages, in which case it indicates the address from which the
   tunnel was initiated.  This AVP, along with the Tunnel-Client-Endpoint
   and Session-Id AVP [Base], MAY be used to provide a globally unique
   means to identify a tunnel for accounting and auditing purposes.

   If Tunnel-Medium-Type is IPv4 (1), then this string is either the
   fully qualified domain name (FQDN) of the tunnel server machine, or
   it is a "dotted-decimal" IP address.  Implementations MUST support
   the dotted-decimal format and SHOULD support the FQDN format for IP
   addresses.

   If Tunnel-Medium-Type is IPv6 (2), then this string is either the
   FQDN of the tunnel server machine, or it is a text representation of
   the address in either the preferred or alternate form [IPv6Addr].
   Implementations MUST support the preferred form and SHOULD support
   both the alternate text form and the FQDN format for IPv6 addresses.

   If Tunnel-Medium-Type is not IPv4 or IPv6, this string is a tag
   referring to configuration data local to the Diameter client that
   describes the interface or medium-specific server address to use.

7.6.  Tunnel-Password AVP

   The Tunnel-Password AVP (AVP Code 69) is of type OctetString and may
   contain a password to be used to authenticate to a remote server.
   The Tunnel-Password AVP contains sensitive information.  This value is
   not protected in the same manner as RADIUS [RADTunnels].

   As required in [Base], Diameter messages are encrypted using IPsec or
   TLS.  The Tunnel-Password AVP SHOULD NOT be used in untrusted proxy
   environments without encrypting it using end-to-end security
   techniques, such as CMS Security [DiamCMS].

7.7.  Tunnel-Private-Group-Id AVP

   The Tunnel-Private-Group-Id AVP (AVP Code 81) is of type OctetString,
   and contains the group Id for a particular tunneled session.  The
   Tunnel-Private-Group-Id AVP MAY be included in an authorization
   request if the tunnel initiator can pre-determine the group resulting
   from a particular connection and SHOULD be included in the
   authorization response if this tunnel session is to be treated as
   belonging to a particular private group.  Private groups may be used
   to associate a tunneled session with a particular group of users.
   For example, it MAY be used to facilitate routing of unregistered IP
   addresses through a particular interface.  This AVP SHOULD be
   included in the Accounting-Request messages which pertain to the
   tunneled session.

7.8.  Tunnel-Assignment-Id AVP

   The Tunnel-Assignment-Id AVP (AVP Code 82) is of type OctetString and
   is used to indicate to the tunnel initiator the particular tunnel to
   which a session is to be assigned.  Some tunneling protocols, such as
   [PPTP] and [L2TP], allow for sessions between the same two tunnel
   endpoints to be multiplexed over the same tunnel and also for a given
   session to utilize its own dedicated tunnel.  This attribute provides
   a mechanism for Diameter to be used to inform the tunnel initiator
   (e.g., PAC, LAC) whether to assign the session to a multiplexed
   tunnel or to a separate tunnel.
   Furthermore, it allows for sessions
   sharing multiplexed tunnels to be assigned to different multiplexed
   tunnels.

   A particular tunneling implementation may assign differing
   characteristics to particular tunnels.  For example, different
   tunnels may be assigned different QoS parameters.  Such tunnels may
   be used to carry either individual or multiple sessions.  The Tunnel-
   Assignment-Id attribute thus allows the Diameter server to indicate
   that a particular session is to be assigned to a tunnel that provides
   an appropriate level of service.  It is expected that any QoS-related
   Diameter tunneling attributes defined in the future that accompany
   this attribute will be associated by the tunnel initiator with the Id
   given by this attribute.  In the meantime, any semantic given to a
   particular Id string is a matter left to local configuration in the
   tunnel initiator.

   The Tunnel-Assignment-Id AVP is of significance only to Diameter and
   the tunnel initiator.  The Id it specifies is intended to be of only
   local use to Diameter and the tunnel initiator.  The Id assigned by
   the tunnel initiator is not conveyed to the tunnel peer.

   This attribute MAY be included in authorization responses.  The tunnel
   initiator receiving this attribute MAY choose to ignore it and assign
   the session to an arbitrary multiplexed or non-multiplexed tunnel
   between the desired endpoints.  This AVP SHOULD also be included in
   the Accounting-Request messages which pertain to the tunneled
   session.

   If a tunnel initiator supports the Tunnel-Assignment-Id AVP, then it
   should assign a session to a tunnel in the following manner:

      -  If this AVP is present and a tunnel exists between the specified
         endpoints with the specified Id, then the session should be
         assigned to that tunnel.
2209 - If this AVP is present and no tunnel exists between the 2210 specified endpoints with the specified Id, then a new tunnel 2211 should be established for the session and the specified Id 2212 should be associated with the new tunnel. 2214 - If this AVP is not present, then the session is assigned to an 2215 unnamed tunnel. If an unnamed tunnel does not yet exist between 2216 the specified endpoints then it is established and used for this 2217 and subsequent sessions established without the Tunnel- 2218 Assignment-Id attribute. A tunnel initiator MUST NOT assign a 2219 session for which a Tunnel-Assignment-Id AVP was not specified 2220 to a named tunnel (i.e. one that was initiated by a session 2221 specifying this AVP). 2223 Note that the same Id may be used to name different tunnels if such 2224 tunnels are between different endpoints. 2226 7.9. Tunnel-Preference AVP 2228 The Tunnel-Preference AVP (AVP Code 83) is of type Unsigned32 and is 2229 used to identify the relative preference assigned to each tunnel when 2230 more than one set of tunneling AVPs is returned within separate 2231 Grouped-AVP AVPs. It MAY be used in an authorization request as a 2232 hint to the server that a specific preference is desired, but the 2233 server is not required to honor the hint in the corresponding 2234 response. 2236 For example, suppose that AVPs describing two tunnels are returned by 2237 the server, one with a Tunnel-Type of PPTP and the other with a 2238 Tunnel-Type of L2TP. If the tunnel initiator supports only one of 2239 the Tunnel-Types returned, it will initiate a tunnel of that type. 2240 If, however, it supports both tunnel protocols, it SHOULD use the 2241 value of the Tunnel-Preference AVP to decide which tunnel should be 2242 started. The tunnel having the numerically lowest value in the Value 2243 field of this AVP SHOULD be given the highest preference. 
The values 2244 assigned to two or more instances of the Tunnel-Preference AVP within 2245 a given authorization response MAY be identical. In this case, the 2246 tunnel initiator SHOULD use locally configured metrics to decide 2247 which set of AVPs to use. 2249 7.10. Tunnel-Client-Auth-Id AVP 2251 The Tunnel-Client-Auth-Id AVP (AVP Code 90) is of type UTF8String and 2252 specifies the name used by the tunnel initiator during the 2253 authentication phase of tunnel establishment. It MAY be used in an 2254 authorization request as a hint to the server that a specific 2255 preference is desired, but the server is not required to honor the 2256 hint in the corresponding response. This AVP MUST be present in the 2257 authorization response if an authentication name other than the 2258 default is desired. This AVP SHOULD be included in the Accounting- 2259 Request messages which pertain to the tunneled session. 2261 7.11. Tunnel-Server-Auth-Id AVP 2263 The Tunnel-Server-Auth-Id AVP (AVP Code 91) is of type UTF8String and 2264 specifies the name used by the tunnel terminator during the 2265 authentication phase of tunnel establishment. It MAY be used in an 2266 authorization request as a hint to the server that a specific 2267 preference is desired, but the server is not required to honor the 2268 hint in the corresponding response. This AVP MUST be present in the 2269 authorization response if an authentication name other than the 2270 default is desired. This AVP SHOULD be included in the the 2271 Accounting-Request messages which pertain to the tunneled session. 2273 8. NAS Accounting 2275 Applications implementing this specification use Diameter Accounting 2276 as defined in the Base [Base] with the addition of the AVPs in the 2277 following section. Service specific AVP usage is defined in the 2278 tables in Section 10. 
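The selection rule of Section 7.9 (lowest Tunnel-Preference wins among the Tunnel-Types the initiator supports, ties broken by local metrics) and the assignment rules of Section 7.8 (named tunnels keyed by endpoint pair and Id, a separate unnamed tunnel per endpoint pair, and never an unnamed session on a named tunnel) are shown below as one worked example at a tunnel initiator. This is added example code, not code from the draft or from any implementation it references; the TunnelSet and TunnelInitiator classes, the local-metric callback and the sample endpoint addresses are constructed for illustration, and the key layout (local endpoint, server endpoint, Id) is an assumption that happens to make the "same Id, different endpoints" rule fall out naturally.

```python
"""Tunnel selection (Section 7.9) and assignment (Section 7.8) at a
tunnel initiator.  Added example; only the AVP names come from the draft.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class TunnelSet:
    """One set of tunneling AVPs from an authorization response."""
    tunnel_type: str                       # Tunnel-Type, e.g. "L2TP" or "PPTP"
    server_endpoint: str                   # Tunnel-Server-Endpoint
    preference: int                        # Tunnel-Preference (Unsigned32)
    assignment_id: Optional[bytes] = None  # Tunnel-Assignment-Id, if present


def select_tunnel_set(sets: Iterable[TunnelSet], supported_types: set,
                      local_metric: Callable[[TunnelSet], int]) -> Optional[TunnelSet]:
    """Pick the set to start, per Section 7.9.

    Sets whose Tunnel-Type the initiator cannot speak are ignored.  Among
    the rest the numerically lowest Tunnel-Preference wins; identical
    preferences are resolved by a locally configured metric (lower wins).
    Returns None when no returned set is usable.
    """
    usable = [s for s in sets if s.tunnel_type in supported_types]
    if not usable:
        return None
    return min(usable, key=lambda s: (s.preference, local_metric(s)))


# (local endpoint, server endpoint, Tunnel-Assignment-Id or None) -> tunnel name.
# Keying on the endpoint pair is what lets the same Id name different
# tunnels towards different endpoints (Section 7.8, last paragraph).
TunnelKey = Tuple[str, str, Optional[bytes]]


@dataclass
class TunnelInitiator:
    local_endpoint: str
    tunnels: Dict[TunnelKey, str] = field(default_factory=dict)
    _counter: int = 0

    def _establish(self, key: TunnelKey) -> str:
        """Constructed stand-in for bringing up a new tunnel."""
        self._counter += 1
        self.tunnels[key] = f"tunnel-{self._counter}"
        return self.tunnels[key]

    def assign_session(self, chosen: TunnelSet) -> str:
        """Assign a session to a tunnel, per Section 7.8.

        - Id present and such a tunnel exists: reuse it.
        - Id present and no such tunnel: establish one under that Id.
        - Id absent: use (or establish) the unnamed tunnel for the
          endpoint pair.  Because the unnamed tunnel lives under the
          key with assignment_id None, a session without the AVP can
          never land on a named tunnel, which is the MUST NOT above.
        """
        key: TunnelKey = (self.local_endpoint, chosen.server_endpoint, chosen.assignment_id)
        existing = self.tunnels.get(key)
        return existing if existing is not None else self._establish(key)
```

A typical caller runs select_tunnel_set over the grouped AVP sets of an AAA answer and passes the winner to assign_session; when the answer carries no usable Tunnel-Type the caller must fall back to local policy, since the draft leaves that case to the initiator.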
If accounting is active, Accounting Request messages (ACR) SHOULD be sent after the completion of any Authentication or Authorization transaction and at the end of a Session. The Accounting-Record-Type value indicates the type of event. All other AVPs identify the session and provide additional information relevant to the event.

The successful completion of the first Authentication or Authorization transaction SHOULD cause a START_RECORD to be sent. If additional Authentications or Authorizations occur in later transactions, the first exchange should generate a START_RECORD, and the later, an INTERIM_RECORD. For a given session, there MUST only be one set of matching START and STOP records, with any number of INTERIM_RECORDS in between, or one EVENT_RECORD indicating the reason for not starting a session.

The following table describes the AVPs, their AVP Code values, types, possible flag values and whether the AVP MAY be encrypted.

                                         +---------------------+
                                         |    AVP Flag rules   |
                                         |----+-----+----+-----|----+
                 AVP  Section            |    |     |SHLD| MUST|    |
 Attribute Name  Code Defined Value Type |MUST| MAY | NOT|  NOT|Encr|
-----------------------------------------|----+-----+----+-----|----|
Accounting-      363  8.1    Unsigned64  | M  |  P  |    |  V  | Y  |
  Input-Octets                           |    |     |    |     |    |
Accounting-      364  8.2    Unsigned64  | M  |  P  |    |  V  | Y  |
  Output-Octets                          |    |     |    |     |    |
Accounting-      365  8.3    Unsigned64  | M  |  P  |    |  V  | Y  |
  Input-Packets                          |    |     |    |     |    |
Accounting-      366  8.4    Unsigned64  | M  |  P  |    |  V  | Y  |
  Output-Packets                         |    |     |    |     |    |
Acct-Session-Time 46  8.5    Unsigned32  | M  |  P  |    |  V  | Y  |
Acct-Authentic    45  8.6    Enumerated  | M  |  P  |    |  V  | Y  |
Accounting-Auth- 406  8.7    Enumerated  | M  |  P  |    |  V  | Y  |
  Method                                 |    |     |    |     |    |
Acct-Delay-Time   41  8.8    Unsigned32  | M  |  P  |    |  V  | Y  |
Acct-Link-Count   51  8.9    Unsigned32  | M  |  P  |    |  V  | Y  |
Acct-Tunnel-      68  8.10   OctetString | M  |  P  |    |  V  | Y  |
  Connection                             |    |     |    |     |    |
Acct-Tunnel-      86  8.11   Unsigned32  | M  |  P  |    |  V  | Y  |
  Packets-Lost                           |    |     |    |     |    |
-----------------------------------------|----+-----+----+-----|----|

8.1. Accounting-Input-Octets AVP

The Accounting-Input-Octets AVP (AVP Code 363) is of type Unsigned64, and contains the number of octets received from the user.

For NAS usage, this AVP indicates how many octets have been received from the port in the course of this session and can only be present in ACR messages with an Accounting-Record-Type of INTERIM_RECORD or STOP_RECORD.

8.2. Accounting-Output-Octets AVP

The Accounting-Output-Octets AVP (AVP Code 364) is of type Unsigned64, and contains the number of octets sent to the user.

For NAS usage, this AVP indicates how many octets have been sent to the port in the course of this session and can only be present in ACR messages with an Accounting-Record-Type of INTERIM_RECORD or STOP_RECORD.

8.3. Accounting-Input-Packets AVP

The Accounting-Input-Packets AVP (AVP Code 365) is of type Unsigned64, and contains the number of packets received from the user.

For NAS usage, this AVP indicates how many packets have been received from the port over the course of a session being provided to a Framed User and can only be present in ACR messages with an Accounting-Record-Type of INTERIM_RECORD or STOP_RECORD.

8.4. Accounting-Output-Packets AVP

The Accounting-Output-Packets AVP (AVP Code 366) is of type Unsigned64, and contains the number of IP packets sent to the user.

For NAS usage, this AVP indicates how many packets have been sent to the port over the course of a session being provided to a Framed User and can only be present in ACR messages with an Accounting-Record-Type of INTERIM_RECORD or STOP_RECORD.

8.5. Acct-Session-Time AVP

The Acct-Session-Time AVP (AVP Code 46) is of type Unsigned32, and indicates the length of the current session in seconds. It can only be present in ACR messages with an Accounting-Record-Type of INTERIM_RECORD or STOP_RECORD.

8.6. Acct-Authentic AVP

The Acct-Authentic AVP (AVP Code 45) is of type Enumerated, and specifies how the user was authenticated. The supported values are listed in [RADIUSTypes]. The following list is informational:

   1  RADIUS
   2  Local
   3  Remote
   4  Diameter

8.7. Accounting-Auth-Method AVP

The Accounting-Auth-Method AVP (AVP Code 406) is of type Enumerated. A NAS MAY include this AVP in an Accounting-Request message to indicate what authentication method was used to authenticate the user. (Note that this is equivalent to the RADIUS MS-Acct-Auth-Type VSA attribute.)

The following values are defined:

   1  PAP
   2  CHAP
   3  MS-CHAP-1
   4  MS-CHAP-2
   5  EAP
   7  None

8.8. Acct-Delay-Time

The Acct-Delay-Time AVP (AVP Code 41) is of type Unsigned32 and indicates the number of seconds during which the Diameter client has been trying to send the Accounting-Request (ACR) which contains it. The accounting server may subtract this value from the time the ACR arrives at the server to calculate the approximate time of the event that caused the ACR to be generated.

This AVP is not used for retransmissions at the transport level (TCP or SCTP). Rather, it may be used when an ACR command cannot be transmitted because there is no appropriate peer to transmit it to, or was rejected because it could not be delivered to its destination. In these cases, the command MAY be buffered and transmitted some time later when an appropriate peer-connection is available or after sufficient time has passed that the destination-host may be reachable and operational. If the ACR is resent in this way the Acct-Delay-Time AVP SHOULD be included. The value of this AVP indicates the number of seconds that elapsed between the time of the first attempt at transmission and the current attempt at transmission.

8.9. Acct-Link-Count

The Acct-Link-Count AVP (AVP Code 51) is of type Unsigned32 and indicates the total number of links that have been active (current or closed) in a given multilink session, at the time the accounting record is generated. This AVP MAY be included in Accounting-Requests for any session which may be part of a multilink service.

The Acct-Link-Count AVP may be used to make it easier for an accounting server to know when it has all the records for a given multilink service. When the number of Accounting-Requests received with Accounting-Record-Type = STOP_RECORD and the same Acct-Multi-Session-Id and unique Session-Id's equals the largest value of Acct-Link-Count seen in those Accounting-Requests, all STOP_RECORD Accounting-Requests for that multilink service have been received.

The following example showing eight Accounting-Requests illustrates how the Acct-Link-Count AVP is used. In the table below, only the relevant AVPs are shown although additional AVPs containing accounting information will also be present in the Accounting-Requests.

   Acct-Multi-              Accounting-     Acct-
   Session-Id   Session-Id  Record-Type     Link-Count
   --------------------------------------------------------
   "...10"      "...10"     START_RECORD    1
   "...10"      "...11"     START_RECORD    2
   "...10"      "...11"     STOP_RECORD     2
   "...10"      "...12"     START_RECORD    3
   "...10"      "...13"     START_RECORD    4
   "...10"      "...12"     STOP_RECORD     4
   "...10"      "...13"     STOP_RECORD     4
   "...10"      "...10"     STOP_RECORD     4

8.10. Acct-Tunnel-Connection AVP

The Acct-Tunnel-Connection AVP (AVP Code 68) is of type OctetString, and contains the identifier assigned to the tunnel session. This AVP, along with the Tunnel-Client-Endpoint and Tunnel-Server-Endpoint AVPs, may be used to provide a means to uniquely identify a tunnel session for auditing purposes.

The format of the identifier in this AVP depends upon the value of the Tunnel-Type AVP. For example, to fully identify an L2TP tunnel connection, the L2TP Tunnel Id and Call Id might be encoded in this field. The exact encoding of this field is implementation dependent.

8.11. Acct-Tunnel-Packets-Lost AVP

The Acct-Tunnel-Packets-Lost AVP (AVP Code 86) is of type Unsigned32 and contains the number of packets lost on a given link.

9. RADIUS/Diameter Protocol Interactions

This section describes some basic guidelines that may be used by servers that act as AAA Translation Agents. A complete description of all the differences between RADIUS and Diameter is beyond the scope of this section and document. Note that this document does not restrict implementations from creating additional translation methods, as long as the translation function doesn't violate the RADIUS or the Diameter protocols.

While the Diameter protocol is in many ways a superset of RADIUS functions, there are a number of RADIUS representations that are not allowed, so as to best use the new capabilities without the older problems.

There are primarily two different situations that must be handled: one where a RADIUS request is received that must be forwarded as a Diameter request, and the inverse. RADIUS does not support a peer-to-peer architecture and server initiated operations are generally not supported. See [RADDynAuth] for an alternative.

Some RADIUS attributes are encrypted. RADIUS security and encryption techniques are applied on a hop-by-hop basis. A Diameter agent will have to decrypt RADIUS attribute data entering the Diameter system and, if that information is forwarded, MUST secure it using Diameter specific techniques.

Note that this section uses the two terms "AVP" and "attribute" in a concise and specific manner. The former is used to signify a Diameter AVP, while the latter is used to signify a RADIUS attribute.

9.1. RADIUS Request Forwarded as Diameter Request

This section describes the actions that should be followed when a Translation Agent receives a RADIUS message that is to be translated to a Diameter message.

It is important to note that RADIUS servers are assumed to be stateless, and this section maintains that assumption.
It is also quite possible for the RADIUS messages that comprise the session (i.e. authentication and accounting messages) to be handled by different Translation Agents in the proxy network. Therefore, a RADIUS/Diameter Translation Agent SHOULD NOT be assumed to have an accurate track on session state information.

When a Translation Agent receives a RADIUS message, the following steps should be taken:

   - If a Message-Authenticator attribute is present, the value MUST be checked, but not included in the Diameter message. If it is incorrect, the RADIUS message should be silently discarded. The gateway system SHOULD generate and include a Message-Authenticator in return RADIUS responses to this system.
   - The transport address of the sender MUST be checked against the NAS identifying attributes. See the description of NAS-Identifier and NAS-IP-Address below.
   - The Translation Agent must maintain transaction state information relevant to the RADIUS request, such as the Identifier field in the RADIUS header, any existing RADIUS Proxy-State attribute as well as the source IP address and port number of the UDP packet. These may be maintained locally in a state table, or may be saved in a Proxy-Info AVP group. A Diameter Session-Id AVP value must be created using a session state mapping mechanism.
   - If the RADIUS request contained a State attribute, and the prefix of the data is "Diameter/", the data following the prefix contains the Diameter Origin-Host/Origin-Realm/Session-Id. If no such attributes are present, and the RADIUS command is an Access-Request, a new Session-Id is created. The Session-Id is included in the Session-Id AVP.
   - The Diameter Origin-Host and Origin-Realm AVPs MUST be created and added using the information from an FQDN corresponding to the NAS-IP-Address attribute (preferred if available), and/or the NAS-Identifier attribute. (Note that the RADIUS NAS-Identifier is not required to be an FQDN.)
   - The Proxy-Info group SHOULD be added with the local server's identity being specified in the Proxy-Host AVP. This should ensure that the response is returned to this system.
   - The Destination-Realm AVP is created from the information found in the RADIUS User-Name attribute.
   - If the RADIUS User-Password attribute is present, the password must be unencrypted using the link's RADIUS shared secret and forwarded using Diameter security.
   - If the RADIUS CHAP-Password attribute is present, the Ident and Data portion of the attribute are used to create the CHAP-Auth grouped AVP.
   - If the RADIUS message contains an address attribute, it MUST be converted to the appropriate Diameter AVP and type.
   - If the RADIUS message contains Tunnel information [RADTunnels], the attributes or tagged groups should each be converted to a Diameter Tunneling Grouped AVP set. If the tunnel information contains a Tunnel-Password attribute, the RADIUS encryption must be resolved, and the password forwarded using Diameter security methods.
   - If the RADIUS message received is an Accounting-Request, the Acct-Status-Type attribute value must be converted to an Accounting-Record-Type AVP value. If the Acct-Status-Type attribute value is STOP, the local server MUST issue a Session-Termination-Request message once the Diameter Accounting-Answer message has been received.
   - If the Accounting message contains an Acct-Termination-Cause attribute, it should be translated to the equivalent Termination-Cause AVP value (see below).
   - If the RADIUS message contains the Accounting-Input-Octets, Accounting-Input-Packets, Accounting-Output-Octets or Accounting-Output-Packets, these attributes must be converted to the Diameter equivalent ones. Further, if the Acct-Input-Gigawords or Acct-Output-Gigawords attributes are present, these must be used to properly compute the Diameter accounting AVPs.

The corresponding Diameter response is always guaranteed to be received by the same Translation Agent that translated the original request, due to the contents of the Proxy-Info AVP group in the Diameter request. The following steps are applied to the response message during the Diameter to RADIUS translation:

   - If the Diameter Command-Code is set to AA-Answer and the Result-Code AVP is set to DIAMETER_MULTI_ROUND_AUTH, the gateway must send a RADIUS Access-Challenge with the Origin-Host, Origin-Realm, and Diameter Session-Id AVPs encapsulated in the RADIUS State attribute, with the prefix "Diameter/", concatenated in the above order, in UTF-8, separated with "/" characters. This is necessary in order to ensure that the Translation Agent that will receive the subsequent RADIUS Access-Request will have access to the Session Identifier, and be able to set the Destination-Host to the correct value. If the Multi-Round-Time-Out AVP is present, the value of the AVP MUST be inserted in the RADIUS Session-Timeout attribute.
   - If the Command-Code is set to AA-Answer, the Diameter Session-Id AVP is saved in a new RADIUS Class attribute, whose format consists of the string "Diameter/" followed by the Diameter Session Identifier. This will ensure that the subsequent Accounting messages, which could be received by any Translation Agent, would have access to the original Diameter Session Identifier.
   - If a Proxy-State attribute was present in the RADIUS request, the same attribute is added in the response. This information may be found in the Proxy-Info AVP group, or in a local state table.
   - If state information regarding the RADIUS request was saved in a Proxy-Info AVP or local state table, the RADIUS Identifier and UDP IP Address and port number are extracted and used in issuing the RADIUS reply.

When translating a Diameter AA-Answer (with successful result code) to a RADIUS Access-Accept that contains a Session-Timeout or Authorization-Lifetime AVP:

   - If the Diameter message contains a Session-Timeout AVP but no Authorization-Lifetime AVP, translate it to a Session-Timeout attribute (and no Termination-Action).
   - If the Diameter message contains an Authorization-Lifetime AVP but no Session-Timeout AVP, translate it to a Session-Timeout attribute and Termination-Action set to AA-REQUEST. (And remove Authorization-Lifetime and Re-Auth-Request-Type.)
   - If the Diameter message has both, the Session-Timeout must be greater than or equal to the Authorization-Lifetime (required by Base). Translate it to a Session-Timeout value (with the value from the Authorization-Lifetime AVP, the smaller one) and Termination-Action set to AA-REQUEST. (And remove Authorization-Lifetime and Re-Auth-Request-Type.)

9.1.1. RADIUS Dynamic Authorization considerations

A Diameter/RADIUS gateway may be communicating with a server that implements RADIUS Dynamic Authorization [RADDynAuth]. If it supports these functions it MUST be listening on the assigned port, and would receive RADIUS CoA-Request and Disconnect-Request messages. These can be mapped into the Diameter Re-Auth-Request (RAR) and Abort-Session-Request (ASR) message exchanges respectively [Base].
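The State and Class attribute encodings that Section 9.1 relies on to carry Diameter session identity across stateless RADIUS hops (the "Diameter/" prefix, the Origin-Host/Origin-Realm/Session-Id order and the "/" separator for State; the "Diameter/" plus Session-Id form for Class) are shown below as an encoder and a parser. This is added example code, not code from the draft or any implementation of it; the function names, the DiameterSession tuple, the RADIUS attribute type numbers for State (24) and Class (25) taken from RFC 2865, and the sample Session-Id are constructed for illustration. The parser covers the failure mode a Translation Agent meets in practice: a State value not produced by a Translation Agent (an opaque server value, or a truncated one) must be treated as "no session", not as a malformed packet.

```python
"""RADIUS State / Class encoding of Diameter session identity (Section 9.1).
Added example, not code from the draft.
"""
from typing import NamedTuple, Optional

PREFIX = "Diameter/"
RADIUS_ATTR_STATE = 24   # RFC 2865 attribute types
RADIUS_ATTR_CLASS = 25
RADIUS_MAX_VALUE = 253   # one attribute: 2 header octets + at most 253 value octets


class DiameterSession(NamedTuple):
    origin_host: str
    origin_realm: str
    session_id: str


def encode_state(sess: DiameterSession) -> bytes:
    """State value for an Access-Challenge sent on DIAMETER_MULTI_ROUND_AUTH:
    "Diameter/" + Origin-Host + "/" + Origin-Realm + "/" + Session-Id, UTF-8.
    Origin-Host and Origin-Realm are DiameterIdentity values (no "/"), so
    the first two separators after the prefix are unambiguous; whatever
    follows them is the Session-Id verbatim."""
    for name, value in (("Origin-Host", sess.origin_host), ("Origin-Realm", sess.origin_realm)):
        if not value or "/" in value:
            raise ValueError(f"{name} must be non-empty and must not contain '/'")
    return f"{PREFIX}{sess.origin_host}/{sess.origin_realm}/{sess.session_id}".encode("utf-8")


def decode_state(value: bytes) -> Optional[DiameterSession]:
    """Recover the session identity from a received State value.
    Returns None when the value was not produced by a Translation Agent;
    the caller then starts a new session for an Access-Request."""
    try:
        text = value.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if not text.startswith(PREFIX):
        return None
    parts = text[len(PREFIX):].split("/", 2)   # Session-Id may itself contain "/"
    if len(parts) != 3 or not all(parts):
        return None
    return DiameterSession(*parts)


def encode_class(session_id: str) -> bytes:
    """Class value placed in the Access-Accept so that later accounting
    messages, which may reach any Translation Agent, carry the Session-Id."""
    return (PREFIX + session_id).encode("utf-8")


def decode_class(value: bytes) -> Optional[str]:
    text = value.decode("utf-8", errors="replace")
    if text.startswith(PREFIX) and len(text) > len(PREFIX):
        return text[len(PREFIX):]
    return None


def radius_attribute(attr_type: int, value: bytes) -> bytes:
    """Wrap a value in the RFC 2865 attribute format: type, length, value.
    The 253-octet limit bounds the Session-Id length that can be carried
    this way; exceeding it must be detected rather than silently truncated."""
    if len(value) > RADIUS_MAX_VALUE:
        raise ValueError("RADIUS attribute value exceeds 253 octets")
    return bytes([attr_type, len(value) + 2]) + value
```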
If [RADDynAuth] is not supported, the port would not be active and the RADIUS server would receive an ICMP Port Unreachable indication. Alternatively, if the messages are received, but with an inappropriate Service-Type, the gateway can respond with the appropriate NAK message and an Error-Cause attribute with the value of 405, "Unsupported Service".

The RADIUS CoA-Request and Disconnect-Request messages will not contain a Diameter Session-Id. Diameter requires this value to match an active session context. The gateway MUST have a session id cache (or other means) to be able to identify the sessions that these functions pertain to. If unable to identify the session, the gateway (or NAS) should return an Error-Cause value 503, "Session Context Not Found".

The RADIUS CoA-Request message only supports a change of authorization attributes, and the received CoA-Request SHOULD include a Service-Type of "Authorize-Only"; this indicates an extended exchange request by the rules given in [RADDynAuth] Section 3.2 Note 6. This is the only type of exchange supported by Diameter [Base].

For the CoA-Request, the translated RAR message will have a Re-Auth-Type of AUTHORIZE_ONLY. The returned RAA will be translated into a CoA-NAK with Error-Cause "Request Initiated"; the gateway's Diameter client SHOULD also start a reauthorization sequence by sending an AAR message, which will be translated into an Access-Request message. The RADIUS server will use the Access-Accept (or Access-Reject) message to convey the new authorization attributes, which the gateway will pass back in an AAA message.

Any attributes included in the CoA-Request or Access-Accept message are to be considered mandatory in Diameter, and if they cannot be supported, MUST result in a message error return to the RADIUS server with an Error-Cause of "Unsupported Attribute". The Diameter NAS will attempt to apply all the attributes supplied in the AA message to the session.

A RADIUS Disconnect-Request message received by the gateway would be translated to a Diameter Abort-Session-Request (ASR) message [Base]. The results will be returned by the Diameter client in an Abort-Session-Answer (ASA) message. A success indication would translate to a RADIUS Disconnect-ACK; a failure would generate a Disconnect-NAK.

9.2. Diameter Request Forwarded as RADIUS Request

When a server receives a Diameter request that is to be forwarded to a RADIUS entity, the following steps are an example of the steps that may be followed:

   - The Origin-Host AVP's value is inserted in the NAS-Identifier attribute.
   - The following information MUST be present in the corresponding Diameter response, and therefore MUST be saved either in a local state table, or encoded in a RADIUS Proxy-State attribute:
        1. Origin-Host AVP
        2. Session-Id AVP
        3. Proxy-Info AVP
        4. Any other AVP that MUST be present in the response, and has no corresponding RADIUS attribute.
   - If the CHAP-Auth AVP is present, the grouped AVPs are used to create the RADIUS CHAP-Password attribute data.
   - If the User-Password AVP is present, the data should be encrypted using RADIUS rules. Likewise for any other encrypted attribute values.
   - AVPs that are of the type Address must be translated to the corresponding RADIUS attribute.
   - If the Accounting-Input-Octets, Accounting-Input-Packets, Accounting-Output-Octets or Accounting-Output-Packets AVPs are present, these must be translated to the corresponding RADIUS attributes. Further, if the value of a Diameter AVP does not fit within a 32-bit RADIUS attribute, the RADIUS Acct-Input-Gigawords and Acct-Output-Gigawords must be used.
   - If the RADIUS link supports the Message-Authenticator attribute [RADIUSExt] it SHOULD be generated and added to the request.

When the corresponding response is received by the Translation Agent, which is guaranteed in the RADIUS protocol, the following steps may be followed:

   - If the RADIUS code is set to Access-Challenge, a Diameter AA-Answer message is created with the Result-Code set to DIAMETER_MULTI_ROUND_AUTH. If the Session-Timeout attribute is present in the RADIUS message, its value is inserted in the Multi-Round-Time-Out AVP.
   - If a Proxy-State attribute is present, extract the encoded information; otherwise retrieve the original Proxy-Info AVP group information from the local state table.
   - The response's Origin-Host information is created from the FQDN of the source IP address of the RADIUS message. The same FQDN is also stored to a Route-Record AVP.
   - The response's Destination-Host AVP is copied from the saved request's Origin-Host information.
   - The Session-Id information can be recovered from local state, or from the constructed State or Proxy-State attribute as above.
   - If a Proxy-Info AVP was present in the request, the same AVP MUST be added to the response.
   - If the RADIUS State attributes are present, these attributes must be present in the Diameter response, minus those added by the gateway.
   - Any other AVPs that were saved at request time, and MUST be present in the response, are added to the message.
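The counter translation called for in both directions, in Section 9.1 (combine the RADIUS 32-bit counter with Acct-Input-Gigawords or Acct-Output-Gigawords into the Diameter Unsigned64 AVP) and in Section 9.2 above (split the Unsigned64 back into the 32-bit attribute plus Gigawords when it does not fit), is shown below. This is added example code, not code from the draft or from any implementation of it. It relies on the RFC 2869 definition of the Gigawords attributes as the number of times the 32-bit octet counter has wrapped; the function names and the attribute-name tables are constructed for illustration. RADIUS defines no Gigawords companion for the packet counters, so a packet count that exceeds 32 bits is reported as an error rather than truncated.

```python
"""Diameter Unsigned64 accounting counters <-> RADIUS 32-bit counters with
Gigawords (Sections 9.1 and 9.2).  Added example, not code from the draft.
"""
from typing import Dict, Optional

U32 = 1 << 32
MAX_U64 = (1 << 64) - 1

# Constructed name tables: Diameter AVP -> RADIUS attribute(s).
OCTET_PAIRS = {
    "Accounting-Input-Octets": ("Acct-Input-Octets", "Acct-Input-Gigawords"),
    "Accounting-Output-Octets": ("Acct-Output-Octets", "Acct-Output-Gigawords"),
}
PACKET_PAIRS = {
    "Accounting-Input-Packets": "Acct-Input-Packets",
    "Accounting-Output-Packets": "Acct-Output-Packets",
}


def radius_to_diameter_counter(octets: int, gigawords: Optional[int] = None) -> int:
    """Section 9.1 direction: full value = gigawords * 2**32 + octets."""
    if not 0 <= octets < U32:
        raise ValueError("RADIUS counter attributes are 32-bit")
    gw = gigawords or 0
    if not 0 <= gw < U32:
        raise ValueError("Gigawords attribute is 32-bit")
    return (gw << 32) | octets


def diameter_to_radius_counter(value: int) -> Dict[str, int]:
    """Section 9.2 direction: low 32 bits in the counter attribute, the
    high 32 bits in Gigawords, which is emitted only when the value does
    not fit.  Dropping Gigawords instead would under-report usage by
    multiples of 4 GiB, so the split is done explicitly."""
    if not 0 <= value <= MAX_U64:
        raise ValueError("Diameter Unsigned64 out of range")
    parts = {"octets": value & (U32 - 1)}
    if value >= U32:
        parts["gigawords"] = value >> 32
    return parts


def translate_accounting_avps(avps: Dict[str, int]) -> Dict[str, int]:
    """Map the accounting counter AVPs of an ACR onto RADIUS attributes."""
    out: Dict[str, int] = {}
    for avp, (attr, gw_attr) in OCTET_PAIRS.items():
        if avp in avps:
            parts = diameter_to_radius_counter(avps[avp])
            out[attr] = parts["octets"]
            if "gigawords" in parts:
                out[gw_attr] = parts["gigawords"]
    for avp, attr in PACKET_PAIRS.items():
        if avp in avps:
            if avps[avp] >= U32:
                raise ValueError(f"{avp} exceeds 32 bits and RADIUS has no Gigawords for packets")
            out[attr] = avps[avp]
    return out


def translate_accounting_attrs(attrs: Dict[str, int]) -> Dict[str, int]:
    """Inverse mapping, RADIUS attributes -> Diameter AVPs, honouring the
    Gigawords attributes when present (Section 9.1, last step)."""
    out: Dict[str, int] = {}
    for avp, (attr, gw_attr) in OCTET_PAIRS.items():
        if attr in attrs:
            out[avp] = radius_to_diameter_counter(attrs[attr], attrs.get(gw_attr))
    for avp, attr in PACKET_PAIRS.items():
        if attr in attrs:
            out[avp] = radius_to_diameter_counter(attrs[attr])
    return out
```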
When translating a RADIUS Access-Accept to a Diameter AA-Answer that contains a Session-Timeout attribute, do the following:

   - If the RADIUS message contains a Session-Timeout attribute and a Termination-Action attribute set to DEFAULT (or no Termination-Action attribute at all), translate it to an AA-Answer with a Session-Timeout AVP, and remove the Termination-Action attribute.
   - If the RADIUS message contains a Session-Timeout attribute and a Termination-Action attribute set to AA-REQUEST, translate it to an AA-Answer with an Authorization-Lifetime AVP and Re-Auth-Request-Type set to AUTHORIZE_AUTHENTICATE, and remove the Session-Timeout attribute.

9.2.1. RADIUS Dynamic Authorization considerations

A RADIUS/Diameter gateway that is communicating with a RADIUS client that implements RADIUS Dynamic Authorization [RADDynAuth] may translate Diameter Re-Auth-Request (RAR) messages and Abort-Session-Request (ASR) messages [Base] into RADIUS CoA-Request and Disconnect-Request messages respectively.

If the RADIUS client does not support the capability, the gateway will receive an ICMP Port Unreachable indication when it transmits the RADIUS message. Even if the NAS supports [RADDynAuth], it may not support the Service-Type in the request message. In this case it will respond with a NAK message and (optionally) an Error-Cause attribute with value 405, "Unsupported Service". If the gateway encounters these error conditions, or if it does not support [RADDynAuth], it sends a Diameter Answer message with a Result-Code AVP of "DIAMETER_COMMAND_UNSUPPORTED" to the AAA server.

When encoding the RADIUS messages, the gateway MUST include the Diameter Session-Id in the RADIUS State attribute value, as mentioned above. The RADIUS client should return it in the response.
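The two lifetime translations, Diameter AA-Answer to RADIUS Access-Accept (the three rules at the end of Section 9.1) and RADIUS Access-Accept to Diameter AA-Answer (the two rules of Section 9.2 above), are implemented together below, since each is the inverse of the other and a gateway needs both. This is added example code, not code from the draft or any implementation of it; messages are represented as plain dicts keyed by AVP or attribute name, enumerated values are carried as the symbolic names the draft uses (DEFAULT, AA-REQUEST, AUTHORIZE_AUTHENTICATE) rather than wire integers, and the function names are constructed for illustration. The ordering constraint from Base (Session-Timeout not smaller than Authorization-Lifetime) is enforced rather than silently taking the minimum, because a violation means the upstream answer is malformed.

```python
"""Session-Timeout / Authorization-Lifetime translation between Diameter
AA-Answer and RADIUS Access-Accept, both directions (Sections 9.1, 9.2).
Added example, not code from the draft.
"""
from typing import Any, Dict

TERMINATION_ACTION_DEFAULT = "DEFAULT"
TERMINATION_ACTION_AA_REQUEST = "AA-REQUEST"
AUTHORIZE_AUTHENTICATE = "AUTHORIZE_AUTHENTICATE"   # Re-Auth-Request-Type value


def diameter_lifetime_to_radius(aa_answer: Dict[str, Any]) -> Dict[str, Any]:
    """Section 9.1: successful AA-Answer -> Access-Accept attributes.
    Everything other than the lifetime AVPs is passed through unchanged."""
    attrs = {k: v for k, v in aa_answer.items()
             if k not in ("Session-Timeout", "Authorization-Lifetime")}
    st = aa_answer.get("Session-Timeout")
    al = aa_answer.get("Authorization-Lifetime")
    if al is None:
        if st is not None:
            attrs["Session-Timeout"] = st          # no Termination-Action
        return attrs
    if st is not None and st < al:
        raise ValueError("Session-Timeout must be >= Authorization-Lifetime (Base)")
    # Authorization-Lifetime alone, or both: the smaller value (the
    # lifetime) becomes Session-Timeout and re-authorization is requested.
    attrs["Session-Timeout"] = al
    attrs["Termination-Action"] = TERMINATION_ACTION_AA_REQUEST
    attrs.pop("Re-Auth-Request-Type", None)       # removed per the rule
    return attrs


def radius_lifetime_to_diameter(access_accept: Dict[str, Any]) -> Dict[str, Any]:
    """Section 9.2: Access-Accept -> AA-Answer AVPs."""
    avps = {k: v for k, v in access_accept.items()
            if k not in ("Session-Timeout", "Termination-Action")}
    st = access_accept.get("Session-Timeout")
    if st is None:
        return avps
    action = access_accept.get("Termination-Action", TERMINATION_ACTION_DEFAULT)
    if action == TERMINATION_ACTION_DEFAULT:
        avps["Session-Timeout"] = st
    elif action == TERMINATION_ACTION_AA_REQUEST:
        avps["Authorization-Lifetime"] = st
        avps["Re-Auth-Request-Type"] = AUTHORIZE_AUTHENTICATE
    else:
        raise ValueError(f"unknown Termination-Action value {action!r}")
    return avps
```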
2782 A Diameter Re-Auth-Request (RAR) message [Base] received by the 2783 gateway will be translated into a RADIUS CoA-Request and sent to the 2784 RADIUS client. The RADIUS client should respond with a CoA-ACK or 2785 CoA-NAK message, that the gateway should translate into an Re-Auth- 2786 Answer (RAA) message. 2788 If the gateway receives a RADIUS CoA-NAK response containing a 2789 Service-Type Attribute with value "Authorize Only" and an Error-Cause 2790 Attribute with value "Request Initiated", this indicates an extended 2791 exchange request by the rules given in [RADDynAuth] Section 3.2 Note 2792 6. 2794 The response is translated to a Diameter Re-Auth-Answer (RAA) with a 2795 Result-Code AVP of "DIAMETER_LIMITED_SUCCESS" sent to the AAA server. 2797 Subsequently, the gateway should receive a RADIUS Access-Request from 2798 the NAS, with a Service-Type of "Authorize Only". This is translated 2799 to a Diameter AA-Request with an Auth-Request-Type AVP of 2800 AUTHORIZE_ONLY, sent to the AAA server. The AAA server will then 2801 reply with a Diameter AA-Answer, which is translated to a RADIUS 2802 Access-Accept or Access-Reject, depending on the value of the Result- 2803 Code AVP. 2805 A Diameter Abort-Session-Request (ASR) message [Base] received by the 2806 gateway will be translated into a RADIUS Disconnect-Request and sent 2807 to the RADIUS client. The RADIUS client should respond with a 2808 Disconnect-ACK or Disconnect-NAK message, that the gateway should 2809 translate into an Abort-Session-Answer (ASA) message. 2811 If the gateway receives a RADIUS Disconnect-NAK response containing a 2812 Service-Type Attribute with value "Authorize Only" and an Error-Cause 2813 Attribute with value "Request Initiated", the Disconnect-NAK response 2814 is translated to a Diameter Abort-Session-Answer (ASA) with a Result- 2815 Code AVP of "DIAMETER_LIMITED_SUCCESS" sent to the AAA server. 
2817 Subsequently, the gateway should receive a RADIUS Access-Request from 2818 the NAS, with a Service-Type of "Authorize Only". This is translated 2819 to a Diameter AA-Request with an Auth-Request-Type AVP of 2820 AUTHORIZE_ONLY, sent to the AAA server. The AAA server will then 2821 reply with a Diameter AA-Answer, which is translated to a RADIUS 2822 Access-Accept or Access-Reject, depending on the value of the Result- 2823 Code AVP. 2825 9.3. AVPs Used Only for Compatibility 2827 The AVPs defined in this section SHOULD only used for backwards 2828 compatibility when a Diameter/RADIUS translation function is invoked, 2829 and are not typically originated by Diameter systems during normal 2830 operations. 2832 +---------------------+ 2833 | AVP Flag rules | 2834 |----+-----+----+-----|----+ 2835 AVP Section | | |SHLD| MUST| | 2836 Attribute Name Code Defined Value Type |MUST| MAY | NOT| NOT|Encr| 2837 -----------------------------------------|----+-----+----+-----|----| 2838 NAS-Identifier 32 9.3.1 UTF8String | M | P | | V | Y | 2839 NAS-IP-Address 4 9.3.2 OctetString| M | P | | V | Y | 2840 NAS-IPv6-Address 95 9.3.3 OctetString| M | P | | V | Y | 2841 State 24 9.3.4 OctetString| M | P | | V | Y | 2842 Termination- 295 9.3.5 Enumerated | M | P | | V | Y | 2843 Cause | | | | | | 2844 -----------------------------------------|----+-----+----+-----|----| 2846 9.3.1. NAS-Identifier AVP 2848 The NAS-Identifier AVP (AVP Code 32) [RADIUS] is of type UTF8String 2849 and contains the identity of the NAS providing service to the user. 2850 This AVP SHOULD only be added by a RADIUS/Diameter Translation Agent. 2851 When this AVP is present, the Origin-Host AVP identifies the NAS 2852 providing service to the user. 2854 In RADIUS it would be possible for a rogue NAS to forge the NAS- 2855 Identifier attribute. 
   Diameter/RADIUS translation agents SHOULD attempt to check a received NAS-Identifier attribute against the source address of the RADIUS packet, by doing an A/AAAA RR query.  If the NAS-Identifier attribute contains an FQDN, then such a query would resolve to an IP address matching the source address.  However, the NAS-Identifier attribute is not required to contain an FQDN, so such a query could fail.  In this case, an error should be logged, but no other action taken, other than doing a reverse lookup on the source address and inserting the resulting FQDN into the Route-Record AVP.

   Diameter agents and servers SHOULD check whether a NAS-Identifier AVP corresponds to an entry in the Route-Record AVP.  If no match is found, then an error is logged, but no other action is taken.

9.3.2.  NAS-IP-Address AVP

   The NAS-IP-Address AVP (AVP Code 4) [RADIUS] is of type OctetString, and contains the IP Address of the NAS providing service to the user.  This AVP SHOULD only be added by a RADIUS/Diameter Translation Agent.  When this AVP is present, the Origin-Host AVP identifies the NAS providing service to the user.

   In RADIUS it would be possible for a rogue NAS to forge the NAS-IP-Address attribute value.  Diameter/RADIUS translation agents MUST check a received NAS-IP-Address or NAS-IPv6-Address attribute against the source address of the RADIUS packet.  If they do not match, and the Diameter/RADIUS translation agent does not know whether the packet was sent by a RADIUS proxy or NAS (e.g., no Proxy-State attribute), then by default it is assumed that the source address corresponds to a RADIUS proxy, and that the NAS Address is behind that proxy, potentially with some additional RADIUS proxies in between.  The Diameter/RADIUS translation agent MUST insert entries in the Route-Record AVP corresponding to the apparent route.  This implies doing a reverse lookup on the source address and NAS-IP-Address or NAS-IPv6-Address attributes in order to determine the corresponding FQDNs.

   If the source address and the NAS-IP-Address or NAS-IPv6-Address do not match, and the Diameter/RADIUS translation agent knows that it is talking directly to the NAS (e.g., no RADIUS proxies between it and the NAS), then the error should be logged, and the packet MUST be discarded.

   Diameter agents and servers MUST check whether the NAS-IP-Address AVP corresponds to an entry in the Route-Record AVP.  This is done by doing a reverse lookup (PTR RR) for the NAS-IP-Address to retrieve the corresponding FQDN, and checking for a match with the Route-Record AVP.  If no match is found, then an error is logged, but no other action is taken.

9.3.3.  NAS-IPv6-Address AVP

   The NAS-IPv6-Address AVP (AVP Code 95) [RADIUSIPv6] is of type OctetString, and contains the IPv6 Address of the NAS providing service to the user.  This AVP SHOULD only be added by a RADIUS/Diameter Translation Agent.  When this AVP is present, the Origin-Host AVP identifies the NAS providing service to the user.

   In RADIUS it would be possible for a rogue NAS to forge the NAS-IPv6-Address attribute.  Diameter/RADIUS translation agents MUST check a received NAS-IPv6-Address attribute against the source address of the RADIUS packet.  If they do not match, and the Diameter/RADIUS translation agent does not know whether the packet was sent by a RADIUS proxy or NAS (e.g., no Proxy-State attribute), then by default it is assumed that the source address corresponds to a RADIUS proxy, and that the NAS-IPv6-Address is behind that proxy, potentially with some additional RADIUS proxies in between.  The Diameter/RADIUS translation agent MUST insert entries in the Route-Record AVP corresponding to the apparent route.
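   The source-address checks described above for NAS-Identifier, NAS-IP-Address and NAS-IPv6-Address, together with the Route-Record check a Diameter agent or server applies afterwards, as an added example (not code from this draft or any translation agent).  DNS is replaced by two constructed in-memory tables (forward A/AAAA and reverse PTR) so the code runs offline; the addresses are from the documentation ranges and the host names are made up.  Falling back to the bracketed literal address when a PTR query yields nothing is this example's assumption; the draft only says to log the error.

```python
"""NAS address / identifier checks for a RADIUS/Diameter translation agent
(added example)."""
import ipaddress

# Constructed stand-ins for DNS.  A real agent would issue A/AAAA and PTR
# queries here, and should treat the answers as untrusted input as well.
FORWARD = {"nas1.example.net": {"192.0.2.10"},
           "nas6.example.net": {"2001:db8::10"},
           "proxy1.example.net": {"192.0.2.20"}}
REVERSE = {addr: name for name, addrs in FORWARD.items() for addr in addrs}


def _ip(value):
    """Normalise a textual (or already parsed) address; rejects garbage."""
    return ipaddress.ip_address(str(value))


def resolve(fqdn):
    """Stub A/AAAA query: set of addresses for fqdn (empty when unknown)."""
    return {_ip(a) for a in FORWARD.get(fqdn, ())}


def reverse_lookup(addr):
    """Stub PTR query: FQDN for addr, or None."""
    return REVERSE.get(str(_ip(addr)))


def _name_for(addr):
    """FQDN for a hop; assumption: literal address in brackets when no PTR."""
    fqdn = reverse_lookup(addr)
    return fqdn if fqdn is not None else f"[{_ip(addr)}]"


class Discard(Exception):
    """Raised when the packet MUST be discarded (9.3.2 / 9.3.3)."""


def check_nas_identifier(src_addr, attrs, log):
    """9.3.1: NAS-Identifier SHOULD resolve to the packet's source address.
    A failure is logged only.  Returns True when the check passed."""
    ident = attrs.get("NAS-Identifier")
    if ident is None:
        return True
    if _ip(src_addr) in resolve(ident):
        return True
    log.append(f"NAS-Identifier {ident!r} does not resolve to source {src_addr}")
    return False


def check_nas_address(src_addr, attrs, direct_to_nas, log):
    """9.3.2 / 9.3.3: compare NAS-IP-Address / NAS-IPv6-Address with the
    source address and return the Route-Record entries for the apparent
    route (NAS first, then the hop the packet actually came from).

    direct_to_nas: the agent knows no RADIUS proxy sits between it and the
    NAS.  When it cannot know (e.g. no Proxy-State attribute and no
    configuration), a mismatch is taken to mean a proxy in between."""
    src = _ip(src_addr)
    nas_attr = attrs.get("NAS-IPv6-Address") or attrs.get("NAS-IP-Address")
    hops = []
    if nas_attr is not None:
        nas = _ip(nas_attr)
        if nas != src:
            if direct_to_nas:
                log.append(f"NAS address {nas} != source {src} on a direct "
                           f"link; discarding packet")
                raise Discard(str(nas))
            log.append(f"NAS address {nas} != source {src}; assuming a RADIUS "
                       f"proxy at {src}")
            hops.append(nas)
    hops.append(src)
    route = []
    for hop in hops:
        if reverse_lookup(hop) is None:
            log.append(f"no PTR record for {hop}")
        route.append(_name_for(hop))
    return route


def would_discard(src_addr, attrs, direct_to_nas):
    """Convenience wrapper: True when check_nas_address would drop the packet."""
    try:
        check_nas_address(src_addr, attrs, direct_to_nas, [])
    except Discard:
        return True
    return False


def verify_route_record(avps, route_record, log):
    """Diameter-side check (9.3.1 to 9.3.3): the PTR name of NAS-IP-Address /
    NAS-IPv6-Address, and the NAS-Identifier itself, must appear in
    Route-Record.  A mismatch is logged only; returns True when all match."""
    expected = [_name_for(avps[k]) for k in ("NAS-IP-Address", "NAS-IPv6-Address")
                if k in avps]
    if "NAS-Identifier" in avps:
        expected.append(avps["NAS-Identifier"])
    missing = [e for e in expected if e not in route_record]
    for e in missing:
        log.append(f"{e!r} not found in Route-Record {route_record}")
    return not missing
```

   The asymmetry in the draft's rules is deliberate and the code mirrors it: a mismatch is only fatal when the agent knows it is talking to the NAS directly, because a forged NAS-IP-Address and a legitimate proxy look identical on the wire; in the proxy case the real source still ends up in Route-Record, so a downstream server can see where the claim actually came from.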
   This implies doing a reverse lookup on the source address and NAS-IPv6-Address attributes in order to determine the corresponding FQDNs.

   If the source address and the NAS-IPv6-Address do not match, and the Diameter/RADIUS translation agent knows that it is talking directly to the NAS (e.g., no RADIUS proxies between it and the NAS), then the error should be logged, and the packet MUST be discarded.

   Diameter agents and servers MUST check whether the NAS-IPv6-Address AVP corresponds to an entry in the Route-Record AVP.  This is done by doing a reverse lookup (PTR RR) for the NAS-IPv6-Address to retrieve the corresponding FQDN, and checking for a match with the Route-Record AVP.  If no match is found, then an error is logged, but no other action is taken.

9.3.4.  State AVP

   The State AVP (AVP Code 24) [RADIUS] is of type OctetString and has two uses in the Diameter NAS application.

   The State AVP MAY be sent by a Diameter Server to a NAS in an AA-Response command that contains a Result-Code of DIAMETER_MULTI_ROUND_AUTH.  If so, the NAS MUST return it unmodified in the subsequent AA-Request command.

   The State AVP MAY also be sent by a Diameter Server to a NAS in an AA-Response command that also includes a Termination-Action AVP with the value of AA-REQUEST.  If the NAS performs the Termination-Action by sending a new AA-Request command upon termination of the current service, it MUST return the State AVP unmodified in the new request command.

   In either usage the NAS MUST NOT interpret the AVP locally.  Usage of the State AVP is implementation dependent.

9.3.5.  Termination-Cause AVP Code Values

   This section defines a mapping between Termination-Cause AVP code values and RADIUS Acct-Terminate-Cause attribute code values from RFC 2866 [RADIUSAcct] and [RADIUSTypes], thereby allowing a RADIUS/Diameter Translation Agent to convert between the attribute and AVP values.  This section thus extends the definitions in the "Termination-Cause AVP" section of the Base Diameter specification.

   The table in this section defines the mapping between Termination-Cause AVP and RADIUS Acct-Terminate-Cause causes.

                                  +-----------------------+
                                  |         Value         |
                                  +-----------+-----------+
   Cause Value Name               |  RADIUS   | Diameter  |
   -------------------------------|-----------+-----------+
   User Request                   |     1     |    11     |
   Lost Carrier                   |     2     |    12     |
   Lost Service                   |     3     |    13     |
   Idle Timeout                   |     4     |    14     |
   Session Timeout                |     5     |    15     |
   Admin Reset                    |     6     |    16     |
   Admin Reboot                   |     7     |    17     |
   Port Error                     |     8     |    18     |
   NAS Error                      |     9     |    19     |
   NAS Request                    |    10     |    20     |
   NAS Reboot                     |    11     |    21     |
   Port Unneeded                  |    12     |    22     |
   Port Preempted                 |    13     |    23     |
   Port Suspended                 |    14     |    24     |
   Service Unavailable            |    15     |    25     |
   Callback                       |    16     |    26     |
   User Error                     |    17     |    27     |
   Host Request                   |    18     |    28     |
   Supplicant Restart             |    19     |    29     |  [RAD802.1X]
   Reauthentication Failure       |    20     |    30     |  [RAD802.1X]
   Port Reinit                    |    21     |    31     |  [RAD802.1X]
   Port Disabled                  |    22     |    32     |  [RAD802.1X]
   -------------------------------|-----------+-----------+

   From RFC 2866, the termination causes are as follows:

   User Request         User requested termination of service, for example with LCP Terminate or by logging out.

   Lost Carrier         DCD was dropped on the port.

   Lost Service         Service can no longer be provided; for example, user's connection to a host was interrupted.

   Idle Timeout         Idle timer expired.

   Session Timeout      Maximum session length timer expired.
   Admin Reset          Administrator reset the port or session.

   Admin Reboot         Administrator is ending service on the NAS, for example prior to rebooting the NAS.

   Port Error           NAS detected an error on the port which required ending the session.

   NAS Error            NAS detected some error (other than on the port) which required ending the session.

   NAS Request          NAS ended session for a non-error reason not otherwise listed here.

   NAS Reboot           The NAS ended the session in order to reboot non-administratively ("crash").

   Port Unneeded        NAS ended session because resource usage fell below low-water mark (for example, if a bandwidth-on-demand algorithm decided that the port was no longer needed).

   Port Preempted       NAS ended session in order to allocate the port to a higher priority use.

   Port Suspended       NAS ended session to suspend a virtual session.

   Service Unavailable  NAS was unable to provide requested service.

   Callback             NAS is terminating current session in order to perform callback for a new session.

   User Error           Input from user is in error, causing termination of session.

   Host Request         Login Host terminated session normally.

9.4.  Prohibited RADIUS Attributes

   The following RADIUS attributes MUST NOT appear in a Diameter message.  Instead, they are translated to other Diameter AVPs or handled in some special manner.  The rules for the treatment of the attributes are discussed in Sections 9.1, 9.2 and 9.6.
   Attribute  Description             Defined    Nearest Diameter AVP
   -----------------------------------------------------------------
    3         CHAP-Password           RFC 2865   CHAP-Auth Group
   26         Vendor-Specific         RFC 2865   Vendor Specific AVP
   29         Termination-Action      RFC 2865   Authorization-Lifetime
   40         Acct-Status-Type        RFC 2866   Accounting-Record-Type
   42         Acct-Input-Octets       RFC 2866   Accounting-Input-Octets
   43         Acct-Output-Octets      RFC 2866   Accounting-Output-Octets
   47         Acct-Input-Packets      RFC 2866   Accounting-Input-Packets
   48         Acct-Output-Packets     RFC 2866   Accounting-Output-Packets
   49         Acct-Terminate-Cause    RFC 2866   Termination-Cause
   52         Acct-Input-Gigawords    RFC 2869   Accounting-Input-Octets
   53         Acct-Output-Gigawords   RFC 2869   Accounting-Output-Octets
   80         Message-Authenticator   RFC 2869   none - check and discard

9.5.  Translatable Diameter AVPs

   In general, Diameter AVPs that are not RADIUS compatible have code values greater than 255.  The table in the section above shows the AVPs that can be converted into RADIUS attributes.

   Another problem may occur with Diameter AVP values that may be more than 253 octets in length.  Some RADIUS attributes (including but not limited to (8) Reply-Message, (79) EAP-Message, and (77) Connect-Info) allow concatenation of multiple instances to overcome this limitation.  If this is not possible, a Result-Code of DIAMETER_INVALID_AVP_LENGTH should be returned.

9.6.  RADIUS Vendor Specific Attributes

   RADIUS supports the inclusion of Vendor Specific Attributes (VSAs) through the use of attribute 26.  The recommended format [RADIUS] of the attribute data field includes a 4 octet vendor code followed by a one octet vendor type field and a one octet length field.  The last two fields MAY be repeated.

9.6.1.  Forwarding a Diameter Vendor AVP as a RADIUS VSA

   The RADIUS VSA attribute should consist of the following fields:

      RADIUS Type = 26, Vendor Specific Attribute
      RADIUS Length = total length of attribute (header + data)
      RADIUS Vendor code = Diameter Vendor code
      RADIUS Vendor type code = low order byte of Diameter AVP code
      RADIUS Vendor data length = length of Diameter data (not including padding)

   If the Diameter AVP code is greater than 255, then the RADIUS speaking code may use a Vendor specific field coding, if it knows one for that vendor.  Otherwise, the AVP will be ignored, unless it is flagged as Mandatory, in which case a "DIAMETER_AVP_UNSUPPORTED" Result-Code will be returned, and the RADIUS message will not be sent.

9.6.2.  Forwarding a RADIUS VSA to a Diameter Vendor AVP

   The Diameter AVP will consist of the following fields:

      Diameter Flags: V=1, M=0, P=0
      Diameter Vendor code = RADIUS VSA Vendor code
      Diameter AVP code = RADIUS VSA Vendor type code
      Diameter AVP length = length of AVP (header + data + padding)
      Diameter Data = RADIUS VSA vendor data

   NOTE: VSAs are considered optional by RADIUS rules, and this specification does not set the Mandatory flag.  If a VSA is desired to be made mandatory, because it represents a required service policy, the RADIUS gateway should have a process to set the bit on the Diameter side.

   If the RADIUS receiving code knows of vendor specific field interpretations for the specific vendor, it may employ them to parse an extended AVP code or data length; otherwise the recommended standard fields will be used.

   Nested multiple vendor data fields MUST be expanded into multiple Diameter AVPs.

10.  AVP Occurrence Tables

   The following tables present the AVPs used by NAS applications, in NAS messages, and specify in which Diameter messages they MAY, or MAY NOT be present.  [Base] messages and AVPs are not described in this document.  Note that AVPs that can only be present within a Grouped AVP are not represented in this table.

   The table uses the following symbols:

      0     The AVP MUST NOT be present in the message.
      0+    Zero or more instances of the AVP MAY be present in the message.
      0-1   Zero or one instance of the AVP MAY be present in the message.
      1     One instance of the AVP MUST be present in the message.

10.1.  AA-Request/Answer AVP Table

   The table in this section is limited to the Command Codes defined in this specification.

                                  +-----------+
                                  |  Command  |
                                  |-----+-----+
   Attribute Name                 | AAR | AAA |
   -------------------------------|-----+-----+
   Acct-Interim-Interval          |  0  | 0-1 |
   ARAP-Challenge-Response        |  0  | 0-1 |
   ARAP-Features                  |  0  | 0-1 |
   ARAP-Password                  | 0-1 |  0  |
   ARAP-Security                  | 0-1 | 0-1 |
   ARAP-Security-Data             | 0+  | 0+  |
   ARAP-Zone-Access               |  0  | 0-1 |
   Auth-Application-Id            |  1  |  1  |
   Auth-Grace-Period              | 0-1 | 0-1 |
   Auth-Request-Type              |  1  |  1  |
   Auth-Session-State             | 0-1 | 0-1 |
   Authorization-Lifetime         | 0-1 | 0-1 |
   Callback-Id                    |  0  | 0-1 |
   Callback-Number                | 0-1 | 0-1 |
   Called-Station-Id              | 0-1 |  0  |
   Calling-Station-Id             | 0-1 |  0  |
   CHAP-Auth                      | 0-1 |  0  |
   CHAP-Challenge                 | 0-1 |  0  |
   Class                          |  0  | 0+  |
   Configuration-Token            |  0  | 0+  |
   Connect-Info                   | 0+  |  0  |
   Destination-Host               | 0-1 |  0  |
   Destination-Realm              |  1  |  0  |
   Error-Message                  |  0  | 0-1 |
   Error-Reporting-Host           |  0  | 0-1 |
   Failed-AVP                     | 0+  | 0+  |
   Filter-Id                      |  0  | 0+  |
   Framed-Appletalk-Link          |  0  | 0-1 |
   Framed-Appletalk-Network       |  0  | 0+  |
   Framed-Appletalk-Zone          |  0  | 0-1 |
   Framed-Compression             | 0+  | 0+  |
   Framed-Interface-Id            | 0-1 | 0-1 |
   Framed-IP-Address              | 0-1 | 0-1 |
   Framed-IP-Netmask              | 0-1 | 0-1 |
   Framed-IPv6-Prefix             | 0+  | 0+  |
   Framed-IPv6-Pool               |  0  | 0-1 |
   Framed-IPv6-Route              |  0  | 0+  |
   Framed-IPX-Network             |  0  | 0-1 |
   Framed-MTU                     | 0-1 | 0-1 |
   Framed-Pool                    |  0  | 0-1 |
   Framed-Protocol                | 0-1 | 0-1 |
   Framed-Route                   |  0  | 0+  |
   Framed-Routing                 |  0  | 0-1 |
   Idle-Timeout                   |  0  | 0-1 |
   Login-IP-Host                  | 0+  | 0+  |
   Login-IPv6-Host                | 0+  | 0+  |
   Login-LAT-Group                | 0-1 | 0-1 |
   Login-LAT-Node                 | 0-1 | 0-1 |
   Login-LAT-Port                 | 0-1 | 0-1 |
   Login-LAT-Service              | 0-1 | 0-1 |
   Login-Service                  |  0  | 0-1 |
   Login-TCP-Port                 |  0  | 0-1 |
   Multi-Round-Time-Out           |  0  | 0-1 |
   NAS-Filter-Rule                |  0  | 0+  |
   NAS-Identifier                 | 0-1 |  0  |
   NAS-IP-Address                 | 0-1 |  0  |
   NAS-IPv6-Address               | 0-1 |  0  |
   NAS-Port                       | 0-1 |  0  |
   NAS-Port-Id                    | 0-1 |  0  |
   NAS-Port-Type                  | 0-1 |  0  |
   Origin-Host                    |  1  |  1  |
   Origin-Realm                   |  1  |  1  |
   Origin-State-Id                | 0-1 | 0-1 |
   Originating-Line-Info          | 0-1 |  0  |
   Password-Retry                 |  0  | 0-1 |
   Port-Limit                     | 0-1 | 0-1 |
   Prompt                         |  0  | 0-1 |
   Proxy-Info                     | 0+  | 0+  |
   Re-Auth-Request-Type           |  0  | 0-1 |
   Redirect-Host                  |  0  | 0+  |
   Redirect-Host-Usage            |  0  | 0-1 |
   Redirect-Max-Cache-Time        |  0  | 0-1 |
   Reply-Message                  |  0  | 0+  |
   Result-Code                    |  0  |  1  |
   Route-Record                   | 0+  | 0+  |
   Service-Type                   | 0-1 | 0-1 |
   Session-Id                     |  1  |  1  |
   Session-Timeout                |  0  | 0-1 |
   State                          | 0-1 | 0-1 |
   Tunneling                      | 0+  | 0+  |
   User-Name                      | 0-1 | 0-1 |
   User-Password                  | 0-1 |  0  |
   -------------------------------|-----+-----+

10.2.  Accounting AVP Tables

   The tables in this section are used to represent which AVPs defined in this document are to be present and used in NAS application Accounting messages.  These AVPs are defined in this document, as well as [Base] and [RADIUSAcct].

10.2.1.  Accounting Framed Access AVP Table

   The table in this section is used when the Service-Type specifies Framed Access.

                                           +-----------+
                                           |  Command  |
                                           |-----+-----+
   Attribute Name                          | ACR | ACA |
   ----------------------------------------|-----+-----+
   Accounting-Auth-Method                  | 0-1 |  0  |
   Accounting-Input-Octets                 |  1  |  0  |
   Accounting-Input-Packets                |  1  |  0  |
   Accounting-Output-Octets                |  1  |  0  |
   Accounting-Output-Packets               |  1  |  0  |
   Accounting-Record-Number                | 0-1 | 0-1 |
   Accounting-Record-Type                  |  1  |  1  |
   Accounting-Realtime-Required            | 0-1 | 0-1 |
   Accounting-Sub-Session-Id               | 0-1 | 0-1 |
   Acct-Application-Id                     | 0-1 | 0-1 |
   Acct-Session-Id                         |  1  | 0-1 |
   Acct-Multi-Session-Id                   | 0-1 | 0-1 |
   Acct-Authentic                          |  1  |  0  |
   Acct-Delay-Time                         | 0-1 |  0  |
   Acct-Interim-Interval                   | 0-1 | 0-1 |
   Acct-Link-Count                         | 0-1 |  0  |
   Acct-Session-Time                       |  1  |  0  |
   Acct-Tunnel-Connection                  | 0-1 |  0  |
   Acct-Tunnel-Packets-Lost                | 0-1 |  0  |
   Authorization-Lifetime                  | 0-1 |  0  |
   Callback-Id                             | 0-1 |  0  |
   Callback-Number                         | 0-1 |  0  |
   Called-Station-Id                       | 0-1 |  0  |
   Calling-Station-Id                      | 0-1 |  0  |
   Class                                   | 0+  | 0+  |
   Connection-Info                         | 0+  |  0  |
   Destination-Host                        | 0-1 |  0  |
   Destination-Realm                       |  1  |  0  |
   Event-Timestamp                         | 0-1 | 0-1 |
   Error-Reporting-Host                    |  0  | 0-1 |
   Framed-AppleTalk-Link                   | 0-1 |  0  |
   Framed-AppleTalk-Network                | 0-1 |  0  |
   Framed-AppleTalk-Zone                   | 0-1 |  0  |
   Framed-Compression                      | 0-1 |  0  |
   Framed-IP-Address                       | 0-1 |  0  |
   Framed-IP-Netmask                       | 0-1 |  0  |
   Framed-IPv6-Prefix                      | 0+  |  0  |
   Framed-IPv6-Pool                        | 0-1 |  0  |
   Framed-IPX-Network                      | 0-1 |  0  |
   Framed-MTU                              | 0-1 |  0  |
   Framed-Pool                             | 0-1 |  0  |
   Framed-Protocol                         | 0-1 |  0  |
   Framed-Route                            | 0-1 |  0  |
   Framed-Routing                          | 0-1 |  0  |
   NAS-Filter-Rule                         | 0-1 |  0  |
   NAS-Identifier                          | 0-1 | 0-1 |
   NAS-IP-Address                          | 0-1 | 0-1 |
   NAS-IPv6-Address                        | 0-1 | 0-1 |
   NAS-Port                                | 0-1 | 0-1 |
   NAS-Port-Id                             | 0-1 | 0-1 |
   NAS-Port-Type                           | 0-1 | 0-1 |
   Origin-Host                             |  1  |  1  |
   Origin-Realm                            |  1  |  1  |
   Origin-State-Id                         | 0-1 | 0-1 |
   Originating-Line-Info                   | 0-1 |  0  |
   Proxy-Info                              | 0+  | 0+  |
   Route-Record                            | 0+  | 0+  |
   Result-Code                             |  0  |  1  |
   Service-Type                            | 0-1 | 0-1 |
   Session-Id                              |  1  |  1  |
   Termination-Cause                       | 0-1 | 0-1 |
   Tunnel-Assignment-Id                    | 0-1 |  0  |
   Tunnel-Client-Endpoint                  | 0-1 |  0  |
   Tunnel-Medium-Type                      | 0-1 |  0  |
   Tunnel-Private-Group-Id                 | 0-1 |  0  |
   Tunnel-Server-Endpoint                  | 0-1 |  0  |
   Tunnel-Type                             | 0-1 |  0  |
   User-Name                               | 0-1 | 0-1 |
   Vendor-Specific-Application-Id          | 0-1 | 0-1 |
   ----------------------------------------|-----+-----+

10.2.2.  Accounting Non-Framed Access AVP Table

   The table in this section is used when the Service-Type specifies Non-Framed Access.
                                           +-----------+
                                           |  Command  |
                                           |-----+-----+
   Attribute Name                          | ACR | ACA |
   ----------------------------------------|-----+-----+
   Accounting-Auth-Method                  | 0-1 |  0  |
   Accounting-Input-Octets                 |  1  |  0  |
   Accounting-Output-Octets                |  1  |  0  |
   Accounting-Record-Type                  |  1  |  1  |
   Accounting-Record-Number                | 0-1 | 0-1 |
   Accounting-Realtime-Required            | 0-1 | 0-1 |
   Accounting-Sub-Session-Id               | 0-1 | 0-1 |
   Acct-Application-Id                     | 0-1 | 0-1 |
   Acct-Session-Id                         |  1  | 0-1 |
   Acct-Multi-Session-Id                   | 0-1 | 0-1 |
   Acct-Authentic                          |  1  |  0  |
   Acct-Delay-Time                         | 0-1 |  0  |
   Acct-Interim-Interval                   | 0-1 | 0-1 |
   Acct-Link-Count                         | 0-1 |  0  |
   Acct-Session-Time                       |  1  |  0  |
   Authorization-Lifetime                  | 0-1 |  0  |
   Callback-Id                             | 0-1 |  0  |
   Callback-Number                         | 0-1 |  0  |
   Called-Station-Id                       | 0-1 |  0  |
   Calling-Station-Id                      | 0-1 |  0  |
   Class                                   | 0+  | 0+  |
   Connection-Info                         | 0+  |  0  |
   Destination-Host                        | 0-1 |  0  |
   Destination-Realm                       |  1  |  0  |
   Event-Timestamp                         | 0-1 | 0-1 |
   Error-Reporting-Host                    |  0  | 0+  |
   Login-IP-Host                           | 0+  |  0  |
   Login-IPv6-Host                         | 0+  |  0  |
   Login-LAT-Service                       | 0-1 |  0  |
   Login-LAT-Node                          | 0-1 |  0  |
   Login-LAT-Group                         | 0-1 |  0  |
   Login-LAT-Port                          | 0-1 |  0  |
   Login-Service                           | 0-1 |  0  |
   Login-TCP-Port                          | 0-1 |  0  |
   NAS-Identifier                          | 0-1 | 0-1 |
   NAS-IP-Address                          | 0-1 | 0-1 |
   NAS-IPv6-Address                        | 0-1 | 0-1 |
   NAS-Port                                | 0-1 | 0-1 |
   NAS-Port-Id                             | 0-1 | 0-1 |
   NAS-Port-Type                           | 0-1 | 0-1 |
   Origin-Host                             |  1  |  1  |
   Origin-Realm                            |  1  |  1  |
   Origin-State-Id                         | 0-1 | 0-1 |
   Originating-Line-Info                   | 0-1 |  0  |
   Proxy-Info                              | 0+  | 0+  |
   Route-Record                            | 0+  | 0+  |
   Result-Code                             |  0  |  1  |
   Session-Id                              |  1  |  1  |
   Service-Type                            | 0-1 | 0-1 |
   Termination-Cause                       | 0-1 | 0-1 |
   User-Name                               | 0-1 | 0-1 |
   Vendor-Specific-Application-Id          | 0-1 | 0-1 |
   ----------------------------------------|-----+-----+

11.  IANA Considerations

   This section provides guidance to the Internet Assigned Numbers Authority (IANA) regarding registration of values related to the Diameter protocol, in accordance with BCP 26 [IANAConsid].

   This document defines values in the namespaces that have been created and defined in the Diameter Base [Base].  The IANA Considerations section of that document details the assignment criteria.  Values assigned in this document, or by future IANA action, must be coordinated within this shared namespace.

11.1.  Command Codes

   This specification assigns the values 265 and 268 from the Command Code namespace defined in [Base].  See Sections 3.1 and 3.2 for the assignment of the namespace in this specification.

11.2.  AVP Codes

   This specification assigns the values 363-366 and 400-406 from the AVP Code namespace defined in [Base].  See Sections 4 and 5 for the assignment of the namespace in this specification.  Note that the values 363-366 are jointly, but consistently, assigned in [DiamMIP].  This document also creates one new namespace to be managed by IANA, as described in Section 11.5.

   This specification also specifies the use of AVPs in the 0-255 range, which are defined in [RADIUSTypes].  These values are assigned by the policy in RFC 2865 Section 6 [RADIUS].

11.3.  Application Identifier

   This specification uses the value one (1) in the Application Identifier namespace as assigned in [Base].  See Section 1.2 above for more information.

11.4.  CHAP-Algorithm AVP Values

   As defined in Section 5.5, the CHAP-Algorithm AVP (AVP Code 403) uses the values of the "PPP AUTHENTICATION ALGORITHMS" namespace defined in [PPPCHAP].
11.5.  Accounting-Auth-Method AVP Values

   As defined in Section 8.6, the Accounting-Auth-Method AVP (AVP Code 406) defines the values 1-5.  All remaining values are available for assignment via IETF Consensus [IANA].

12.  Security Considerations

   This document describes the extension of Diameter for the NAS application.  The security considerations of the Diameter protocol itself have been discussed in [Base].  Use of this application of Diameter MUST take into consideration the security issues and requirements of the Base protocol.

   This document does not contain a security protocol, but does discuss how PPP authentication protocols can be carried within the Diameter protocol.  The PPP authentication protocols that are described are PAP and CHAP.

   The use of PAP SHOULD be discouraged, since it exposes users' passwords to possibly non-trusted entities.  However, PAP is also frequently used with One-Time Passwords, which do not expose a security risk in this way.

   This document also describes how CHAP can be carried within the Diameter protocol, which is required for RADIUS backward compatibility.  The CHAP protocol, as used in a RADIUS environment, facilitates authentication replay attacks.

   The EAP authentication protocols, whose use is described in [DiamEAP], can offer better security given a method suitable for the circumstances.

13.  References

13.1.  Normative References

   [Base]         P. Calhoun, et al., "Diameter Base Protocol", RFC 3588, September 2003.

   [AAATrans]     B. Aboba, J. Wood, "Authentication, Authorization and Accounting (AAA) Transport Profile", RFC 3539, June 2003.

   [RADIUS]       C. Rigney, A. Rubens, W. Simpson, S. Willens, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000.

   [RADIUSTypes]  IANA, "RADIUS Types", URL:

   [RADIUSIPv6]   B. Aboba, G. Zorn, D. Mitton, "RADIUS and IPv6", RFC 3162, August 2001.

   [IPv6Addr]     R. Hinden, S. Deering, "Internet Protocol Version 6 (IPv6) Addressing Architecture", RFC 3516, April 2003.

   [PPPCHAP]      W. Simpson, "PPP Challenge Handshake Authentication Protocol (CHAP)", RFC 1994, August 1996.

   [IANAConsid]   T. Narten, H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.

   [IANA]         IANA Assigned Numbers Database, URL:

   [Keywords]     S. Bradner, "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

   [ANITypes]     NANPA Number Resource Info, ANI Assignments, URL:

13.2.  Informative References

   [RADIUSAcct]   C. Rigney, "RADIUS Accounting", RFC 2866, June 2000.

   [RADIUSExt]    C. Rigney, W. Willats, P. Calhoun, "RADIUS Extensions", RFC 2869, June 2000.

   [RADTunnels]   G. Zorn, D. Leifer, A. Rubens, J. Shriver, M. Holdrege, I. Goyret, "RADIUS Attributes for Tunnel Protocol Support", RFC 2868, June 2000.

   [RADTunlAcct]  G. Zorn, B. Aboba, D. Mitton, "RADIUS Accounting Modifications for Tunnel Protocol Support", RFC 2867, June 2000.

   [RADDynAuth]   M. Chiba, G. Dommety, M. Eklund, D. Mitton, B. Aboba, "Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)", RFC 3576, August 2003.

   [RADIUSIANA]   B. Aboba, "IANA Considerations for RADIUS", RFC 3575, August 2003.

   [ExtRADPract]  D. Mitton, "Network Access Servers Requirements: Extended RADIUS Practices", RFC 2882, July 2000.

   [NASModel]     D. Mitton, M. Beadles, "Network Access Server Requirements Next Generation (NASREQNG) NAS Model", RFC 2881, July 2000.

   [NASCriteria]  M. Beadles, D. Mitton, "Criteria for Evaluating Network Access Server Protocols", RFC 3169, September 2001.
   [AAACriteria]  B. Aboba, et al., "Criteria for Evaluating AAA Protocols for Network Access", RFC 2989, November 2000.

   [DiamEAP]      G. Zorn, "Diameter EAP Application", draft-ietf-aaa-eap-01.txt, IETF work in progress, August 2002.

   [DiamCMS]      P. Calhoun, W. Bulley, S. Farrell, "Diameter CMS Security Application", draft-ietf-aaa-diameter-cms-sec-04.txt, IETF work in progress, March 2002.

   [DiamMIP]      P. Calhoun, C. Perkins, T. Johansson, "Diameter Mobile IP Application", draft-ietf-aaa-diameter-mobileip-14.txt, IETF work in progress, April 2003.

   [RAD802.1X]    P. Congdon, et al., "IEEE 802.1X RADIUS Usage Guidelines", RFC 3580, September 2003.

   [802.1X]       IEEE Standard for Local and metropolitan networks - Port-Based Network Access Control, IEEE Std 802.1X-2001, June 2001.

   [CDMA2000]     3GPP2, "P.S0001-B", Wireless IP Network Standard, October 2002.  http://www.3gpp2.com/Public_html/specs/P.S0001-B_v1.0.pdf

   [AppleTalk]    G. Sidhu, R. F. Andrews, A. B. Oppenheimer, "Inside AppleTalk", Second Edition, Apple Computer, 1990.

   [ARAP]         "Apple Remote Access Protocol (ARAP) Version 2.0 External Reference Specification", Apple Computer, September 1994, R0612LL/B.

   [IPX]          Novell, Inc., "NetWare System Technical Interface Overview", June 1989, # 883-000780-001.

   [LAT]          Local Area Transport (LAT) Specification V5.0, Digital Equipment Corp., AA-NL26A-TE, June 1989.

   [UTF-8]        F. Yergeau, "UTF-8, a transformation format of ISO 10646", STD 63, RFC 3629, November 2003.

   [ISOLatin]     ISO 8859. International Standard -- Information Processing -- 8-bit Single-Byte Coded Graphic Character Sets -- Part 1: Latin Alphabet No. 1, ISO 8859-1:1987.  URL:

   [PPP]          W. Simpson, Editor, "The Point-to-Point Protocol (PPP)", STD 51, RFC 1661, July 1994.

   [PAP]          B. Lloyd, W. Simpson, "PPP Authentication Protocols", RFC 1334, October 1992.  Obsoleted by RFC 1994.

14.  Acknowledgements

   The authors would like to thank Carl Rigney, Allan C. Rubens, William Allen Simpson, and Steve Willens for their work on the original RADIUS [RADIUS], from which many of the concepts in this specification were derived.  Thanks, also, to: Carl Rigney for [RADIUSAcct] and [RADIUSExt]; Ward Willats for [RADIUSExt]; Glen Zorn, Bernard Aboba and Dave Mitton for [RADTunlAcct] and [RADIPV6]; Dory Leifer, John Shriver, Matt Holdrege and Ignacio Goyret for their work on [RADTunnels].  This document stole text and concepts from both [RADTunnels] and [RADIUSExt].  Thanks go to Carl Williams for providing IPv6 specific text.

   The authors would also like to acknowledge the following people for their contributions in the development of the Diameter protocol: Bernard Aboba, Jari Arkko, William Bulley, Kuntal Chowdhury, Daniel C. Fox, Lol Grant, Nancy Greene, Jeff Hagg, Peter Heitman, Paul Krumviede, Fergal Ladley, Ryan Moats, Victor Muslin, Kenneth Peirce, Sumit Vakil, John R. Vollbrecht and Jeff Weisberg.

   Finally, Pat Calhoun would like to thank Sun Microsystems since most of the effort put into this document was done while he was in their employ.

15.  Authors' Addresses

   Questions about this memo can be directed to:

   Pat R. Calhoun
   Airespace
   110 Nortech Parkway
   San Jose, CA 95134
   USA

   Phone: 1 408-635-2023
   E-mail: pcalhoun@airespace.com

   Glen Zorn
   Cisco Systems, Inc.
   500 108th Avenue N.E., Suite 500
   Bellevue, WA 98004
   USA

   Phone: 1 425-471-4861
   E-Mail: gwz@cisco.com

   David Spence
   3259 Bluett Rd.
   Ann Arbor, MI 48105
   USA

   Phone: +1 734 834 6481
   EMail: dspence@computer.org

   David Mitton
   Circular Networks
   733 Turnpike St #154
   North Andover, MA 01845

   Email: dmitton@circularnetworks.com

Intellectual Property Considerations

   The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights.  Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11.  Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard.  Please address the information to the IETF Executive Director.

Full Copyright Statement

   Copyright (C) The Internet Society (2004).  All Rights Reserved.

   This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works.  However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.  The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.