AAA Working Group                                        Pat R. Calhoun
Internet-Draft                                            Airespace Inc.
Category: Standards Track                                     Glen Zorn
                                                      Cisco Systems Inc.
                                                            David Spence
                                                            David Mitton
                                                       Circular Networks
                                                                Jul 2004

               Diameter Network Access Server Application
                    draft-ietf-aaa-diameter-nasreq-17.txt

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 3 of RFC3667.
   By submitting this Internet-Draft, I certify that any applicable
   patent or other IPR claims of which I am aware have been disclosed,
   and any of which I become aware will be disclosed, in accordance with
   RFC 3668.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.  The list of
   Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This document is a product of the Authentication, Authorization and
   Accounting (AAA) Working Group of the Internet Engineering Task Force
   (IETF).  Comments are welcome and should be submitted to the mailing
   list aaa-wg@merit.edu.

   Copyright (C) The Internet Society 2004.

Abstract

   This document describes the Diameter protocol application used for
   Authentication, Authorization and Accounting (AAA) services in the
   Network Access Server (NAS) environment.  This application
   specification, when combined with the Diameter Base protocol,
   Transport Profile, and Extensible Authentication Protocol
   specifications, satisfies typical network access services
   requirements.

   Initial deployments of the Diameter protocol are expected to include
   legacy systems.  Therefore, this application was carefully designed
   to ease the burden of protocol conversion between RADIUS and
   Diameter.  This is achieved by including the RADIUS attribute space,
   and eliminating the need to perform many attribute translations.

   The interactions between Diameter applications and RADIUS specified
   in this document are to be applied to all Diameter applications.  In
   this sense, this document extends the Base Diameter protocol.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  7
     1.1.  Terminology  . . . . . . . . . . . . . . . . . . . . . . .  7
     1.2.  Requirements Language  . . . . . . . . . . . . . . . . . .  8
     1.3.  Advertising Application Support  . . . . . . . . . . . . .  8
   2.  NAS Calls, Ports, and Sessions . . . . . . . . . . . . . . . .  8
     2.1.  Diameter Session Establishment . . . . . . . . . . . . . .  9
     2.2.  Diameter Session Reauthentication or Reauthorization . . .  9
     2.3.  Diameter Session Termination . . . . . . . . . . . . . . . 10
   3.  NAS Messages . . . . . . . . . . . . . . . . . . . . . . . . . 11
     3.1.  AA-Request (AAR) Command . . . . . . . . . . . . . . . . . 11
     3.2.  AA-Answer (AAA) Command  . . . . . . . . . . . . . . . . . 13
     3.3.  Re-Auth-Request (RAR) Command  . . . . . . . . . . . . . . 15
     3.4.  Re-Auth-Answer (RAA) Command . . . . . . . . . . . . . . . 16
     3.5.  Session-Termination-Request (STR) Command  . . . . . . . . 17
     3.6.  Session-Termination-Answer (STA) Command . . . . . . . . . 18
     3.7.  Abort-Session-Request (ASR) Command  . . . . . . . . . . . 18
     3.8.  Abort-Session-Answer (ASA) Command . . . . . . . . . . . . 19
     3.9.  Accounting-Request (ACR) Command . . . . . . . . . . . . . 20
     3.10. Accounting-Answer (ACA) Command  . . . . . . . . . . . . . 22
   4.  NAS Session AVPs . . . . . . . . . . . . . . . . . . . . . . . 23
     4.1.  Call and Session Information . . . . . . . . . . . . . . . 24
     4.2.  NAS-Port AVP . . . . . . . . . . . . . . . . . . . . . . . 24
     4.3.  NAS-Port-Id AVP  . . . . . . . . . . . . . . . . . . . . . 25
     4.4.  NAS-Port-Type AVP  . . . . . . . . . . . . . . . . . . . . 25
     4.5.  Called-Station-Id AVP  . . . . . . . . . . . . . . . . . . 26
     4.6.  Calling-Station-Id AVP . . . . . . . . . . . . . . . . . . 26
     4.7.  Connect-Info AVP . . . . . . . . . . . . . . . . . . . . . 27
     4.8.  Originating-Line-Info AVP  . . . . . . . . . . . . . . . . 27
     4.9.  Reply-Message AVP  . . . . . . . . . . . . . . . . . . . . 28
   5.  NAS Authentication AVPs  . . . . . . . . . . . . . . . . . . . 29
     5.1.  User-Password AVP  . . . . . . . . . . . . . . . . . . . . 30
     5.2.  Password-Retry AVP . . . . . . . . . . . . . . . . . . . . 30
     5.3.  Prompt AVP . . . . . . . . . . . . . . . . . . . . . . . . 30
     5.4.  CHAP-Auth AVP  . . . . . . . . . . . . . . . . . . . . . . 30
     5.5.  CHAP-Algorithm AVP . . . . . . . . . . . . . . . . . . . . 31
     5.6.  CHAP-Ident AVP . . . . . . . . . . . . . . . . . . . . . . 31
     5.7.  CHAP-Response AVP  . . . . . . . . . . . . . . . . . . . . 31
     5.8.  CHAP-Challenge AVP . . . . . . . . . . . . . . . . . . . . 31
     5.9.  ARAP-Password AVP  . . . . . . . . . . . . . . . . . . . . 31
     5.10. ARAP-Challenge-Response AVP  . . . . . . . . . . . . . . . 32
     5.11. ARAP-Security AVP  . . . . . . . . . . . . . . . . . . . . 32
     5.12. ARAP-Security-Data AVP . . . . . . . . . . . . . . . . . . 32
   6.  NAS Authorization AVPs . . . . . . . . . . . . . . . . . . . . 32
     6.1.  Service-Type AVP . . . . . . . . . . . . . . . . . . . . . 34
     6.2.  Callback-Number AVP  . . . . . . . . . . . . . . . . . . . 35
     6.3.  Callback-Id AVP  . . . . . . . . . . . . . . . . . . . . . 35
     6.4.  Idle-Timeout AVP . . . . . . . . . . . . . . . . . . . . . 35
     6.5.  Port-Limit AVP . . . . . . . . . . . . . . . . . . . . . . 36
     6.6.  NAS-Filter-Rule AVP  . . . . . . . . . . . . . . . . . . . 36
     6.7.  Filter-Id AVP  . . . . . . . . . . . . . . . . . . . . . . 36
     6.8.  Configuration-Token AVP  . . . . . . . . . . . . . . . . . 36
     6.9.  QoS-Filter-Rule AVP  . . . . . . . . . . . . . . . . . . . 37
     6.10. Framed Access Authorization AVPs . . . . . . . . . . . . . 38
       6.10.1. Framed-Protocol AVP  . . . . . . . . . . . . . . . . . 38
       6.10.2. Framed-Routing AVP . . . . . . . . . . . . . . . . . . 39
       6.10.3. Framed-MTU AVP . . . . . . . . . . . . . . . . . . . . 39
       6.10.4. Framed-Compression AVP . . . . . . . . . . . . . . . . 39
     6.11. IP Access Authorization AVPs . . . . . . . . . . . . . . . 40
       6.11.1. Framed-IP-Address AVP  . . . . . . . . . . . . . . . . 40
       6.11.2. Framed-IP-Netmask AVP  . . . . . . . . . . . . . . . . 40
       6.11.3. Framed-Route AVP . . . . . . . . . . . . . . . . . . . 40
       6.11.4. Framed-Pool AVP  . . . . . . . . . . . . . . . . . . . 41
       6.11.5. Framed-Interface-Id AVP  . . . . . . . . . . . . . . . 41
       6.11.6. Framed-IPv6-Prefix AVP . . . . . . . . . . . . . . . . 41
       6.11.7. Framed-IPv6-Route AVP  . . . . . . . . . . . . . . . . 41
       6.11.8. Framed-IPv6-Pool AVP . . . . . . . . . . . . . . . . . 42
     6.12. IPX Access . . . . . . . . . . . . . . . . . . . . . . . . 42
       6.12.1. Framed-IPX-Network AVP . . . . . . . . . . . . . . . . 42
     6.13. AppleTalk Network Access . . . . . . . . . . . . . . . . . 43
       6.13.1. Framed-AppleTalk-Link AVP  . . . . . . . . . . . . . . 43
       6.13.2. Framed-AppleTalk-Network AVP . . . . . . . . . . . . . 43
       6.13.3. Framed-AppleTalk-Zone AVP  . . . . . . . . . . . . . . 43
     6.14. AppleTalk Remote Access  . . . . . . . . . . . . . . . . . 44
       6.14.1. ARAP-Features AVP  . . . . . . . . . . . . . . . . . . 44
       6.14.2. ARAP-Zone-Access AVP . . . . . . . . . . . . . . . . . 44
     6.15. Non-Framed Access Authorization AVPs . . . . . . . . . . . 44
       6.15.1. Login-IP-Host AVP  . . . . . . . . . . . . . . . . . . 44
       6.15.2. Login-IPv6-Host AVP  . . . . . . . . . . . . . . . . . 45
       6.15.3. Login-Service AVP  . . . . . . . . . . . . . . . . . . 45
     6.16. TCP Services . . . . . . . . . . . . . . . . . . . . . . . 45
       6.16.1. Login-TCP-Port AVP . . . . . . . . . . . . . . . . . . 45
     6.17. LAT Services . . . . . . . . . . . . . . . . . . . . . . . 46
       6.17.1. Login-LAT-Service AVP  . . . . . . . . . . . . . . . . 46
       6.17.2. Login-LAT-Node AVP . . . . . . . . . . . . . . . . . . 46
       6.17.3. Login-LAT-Group AVP  . . . . . . . . . . . . . . . . . 47
       6.17.4. Login-LAT-Port AVP . . . . . . . . . . . . . . . . . . 47
   7.  NAS Tunneling  . . . . . . . . . . . . . . . . . . . . . . . . 48
     7.1.  Tunneling AVP  . . . . . . . . . . . . . . . . . . . . . . 48
     7.2.  Tunnel-Type AVP  . . . . . . . . . . . . . . . . . . . . . 49
     7.3.  Tunnel-Medium-Type AVP . . . . . . . . . . . . . . . . . . 50
     7.4.  Tunnel-Client-Endpoint AVP . . . . . . . . . . . . . . . . 50
     7.5.  Tunnel-Server-Endpoint AVP . . . . . . . . . . . . . . . . 51
     7.6.  Tunnel-Password AVP  . . . . . . . . . . . . . . . . . . . 52
     7.7.  Tunnel-Private-Group-Id AVP  . . . . . . . . . . . . . . . 52
     7.8.  Tunnel-Assignment-Id AVP . . . . . . . . . . . . . . . . . 52
     7.9.  Tunnel-Preference AVP  . . . . . . . . . . . . . . . . . . 53
     7.10. Tunnel-Client-Auth-Id AVP  . . . . . . . . . . . . . . . . 54
     7.11. Tunnel-Server-Auth-Id AVP  . . . . . . . . . . . . . . . . 54
   8.  NAS Accounting . . . . . . . . . . . . . . . . . . . . . . . . 55
     8.1.  Accounting-Input-Octets AVP  . . . . . . . . . . . . . . . 56
     8.2.  Accounting-Output-Octets AVP . . . . . . . . . . . . . . . 56
     8.3.  Accounting-Input-Packets AVP . . . . . . . . . . . . . . . 57
     8.4.  Accounting-Output-Packets AVP  . . . . . . . . . . . . . . 57
     8.5.  Acct-Session-Time AVP  . . . . . . . . . . . . . . . . . . 57
     8.6.  Acct-Authentic AVP . . . . . . . . . . . . . . . . . . . . 57
     8.7.  Accounting-Auth-Method AVP . . . . . . . . . . . . . . . . 57
     8.8.  Acct-Delay-Time  . . . . . . . . . . . . . . . . . . . . . 58
     8.9.  Acct-Link-Count  . . . . . . . . . . . . . . . . . . . . . 58
     8.10. Acct-Tunnel-Connection AVP . . . . . . . . . . . . . . . . 59
     8.11. Acct-Tunnel-Packets-Lost AVP . . . . . . . . . . . . . . . 59
   9.  RADIUS/Diameter Protocol Interactions  . . . . . . . . . . . . 59
     9.1.  RADIUS Request Forwarded as Diameter Request . . . . . . . 60
       9.1.1. RADIUS Dynamic Authorization considerations . . . . . . 63
     9.2.  Diameter Request Forwarded as RADIUS Request . . . . . . . 64
       9.2.1. RADIUS Dynamic Authorization considerations . . . . . . 65
     9.3.  AVPs Used Only for Compatibility . . . . . . . . . . . . . 67
       9.3.1. NAS-Identifier AVP  . . . . . . . . . . . . . . . . . . 67
       9.3.2. NAS-IP-Address AVP  . . . . . . . . . . . . . . . . . . 68
       9.3.3. NAS-IPv6-Address AVP  . . . . . . . . . . . . . . . . . 69
       9.3.4. State AVP . . . . . . . . . . . . . . . . . . . . . . . 69
       9.3.5. Termination-Cause AVP Code Values . . . . . . . . . . . 70
     9.4.  Prohibited RADIUS Attributes . . . . . . . . . . . . . . . 72
     9.5.  Translatable Diameter AVPs . . . . . . . . . . . . . . . . 73
     9.6.  RADIUS Vendor Specific Attributes  . . . . . . . . . . . . 73
       9.6.1. Forwarding a Diameter Vendor AVP as a RADIUS VSA  . . . 73
       9.6.2. Forwarding a RADIUS VSA to a Diameter Vendor AVP  . . . 74
   10. AVP Occurrence Tables  . . . . . . . . . . . . . . . . . . . . 75
     10.1. AA-Request/Answer AVP Table  . . . . . . . . . . . . . . . 75
     10.2. Accounting AVP Tables  . . . . . . . . . . . . . . . . . . 78
       10.2.1. Accounting Framed Access AVP Table . . . . . . . . . . 78
       10.2.2. Accounting Non-Framed Access AVP Table . . . . . . . . 80
   11. IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 82
     11.1. Command Codes  . . . . . . . . . . . . . . . . . . . . . . 82
     11.2. AVP Codes  . . . . . . . . . . . . . . . . . . . . . . . . 83
     11.3. Application Identifier . . . . . . . . . . . . . . . . . . 83
     11.4. CHAP-Algorithm AVP Values  . . . . . . . . . . . . . . . . 83
     11.5. Accounting-Auth-Method AVP Values  . . . . . . . . . . . . 83
   12. Security Considerations  . . . . . . . . . . . . . . . . . . . 83
   13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 84
     13.1. Normative References . . . . . . . . . . . . . . . . . . . 84
     13.2. Informative References . . . . . . . . . . . . . . . . . . 85
   14. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 87
   15. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 88
   Intellectual Property Considerations . . . . . . . . . . . . . . . 89
   Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 89
1.  Introduction

   This document describes the Diameter protocol application used for
   AAA in the Network Access Server (NAS) environment.  This Diameter NAS
   application specification, when combined with the Diameter Base
   protocol [Base], Transport Profile [DiamTrans], and EAP [DiamEAP]
   specifications, satisfies NAS-related requirements defined in RFC2989
   [AAACriteria] and RFC3169 [NASCriteria].

   Initial deployments of the Diameter protocol are expected to include
   legacy systems.  Therefore, this application was carefully designed
   to ease the burden of protocol conversion between RADIUS and
   Diameter.  This is achieved by including the RADIUS attribute space,
   and eliminating the need to perform many attribute translations.

   The interactions between Diameter applications and RADIUS specified
   in this document are to be applied to all Diameter applications.
   In this sense, this document extends the Base Diameter protocol
   [Base].

   This document first describes the operation of a Diameter NAS
   application.  Then it defines the Diameter message Command-Codes.
   The following sections enumerate the AVPs used in these messages
   grouped by common usage.  These are session identification,
   authentication, authorization, tunneling, and accounting.  The
   authorization AVPs are further broken down by service type.
   Interaction and backwards compatibility issues with RADIUS are
   discussed in later sections.

1.1.  Terminology

   The base Diameter [Base] specification Section 1.4 defines most of
   the terminology used in this document.  Additionally, the following
   terms and acronyms are used in this application:

   NAS - Network Access Server; a device which provides an access
   service for a user to a network.  The service may be a network
   connection, or a value added service such as terminal emulation.
   [NASmodel]

   PPP - Point-to-Point Protocol; a multiprotocol serial datalink.  PPP
   is the primary IP datalink used for dial-in NAS connection service.
   [PPP]

   CHAP - Challenge Handshake Authentication Protocol; an authentication
   process used in PPP.  [PPPCHAP]

   PAP - Password Authentication Protocol; a deprecated PPP
   authentication process, but often used for backwards compatibility
   [PAP].

   SLIP - Serial Line Interface Protocol; a serial datalink that only
   supports IP.  An earlier design, prior to PPP.

   ARAP - AppleTalk Remote Access Protocol; a serial datalink for
   accessing AppleTalk networks [ARAP].

   IPX - Internet Packet Exchange; the network protocol used by NetWare
   networks [IPX].

   LAT - Local Area Transport; a Digital Equipment Corp. LAN protocol
   for terminal services [LAT].

   VPN - Virtual Private Network; in this document it is used to
   describe access services which use tunneling methods.

1.2.  Requirements Language

   In this document, the key words "MAY", "MUST", "MUST NOT",
   "OPTIONAL", "RECOMMENDED", "SHOULD", and "SHOULD NOT", are to be
   interpreted as described in [Keywords].

1.3.  Advertising Application Support

   Diameter applications conforming to this specification MUST advertise
   support by including the value of one (1) in the Auth-Application-Id
   of Capabilities-Exchange-Request (CER), AA-Request (AAR) and
   AA-Answer (AAA) messages.  All other messages are defined by [Base]
   and use the Base application id value.

2.  NAS Calls, Ports, and Sessions

   The arrival of a new call or service connection at a port of a
   Network Access Server (NAS) starts a Diameter NAS message exchange.
   Information about the call, the identity of the user, and the user's
   authentication information are packaged into a Diameter AA-Request
   (AAR) message and sent to a server.
   The server processes the information and responds with a Diameter
   AA-Answer (AAA) message which contains authorization information for
   the NAS, or a failure code (Result-Code AVP).  If the value of
   Result-Code is DIAMETER_MULTI_ROUND_AUTH, an additional
   authentication exchange is indicated, and several AAR and AAA
   messages may be exchanged until the transaction completes.

   The Diameter protocol allows authorization-only requests depending on
   the Auth-Request-Type AVP, where no authentication information is
   contained in a request from the client.  This capability goes beyond
   the Call Check capabilities described in Section 5.6 of [RADIUS] in
   that no access decision is requested.  As a result, service cannot be
   started as a result of a response to an authorization-only request
   without introducing a significant security vulnerability.

   Since no equivalent capability exists in RADIUS, authorization-only
   requests from a NAS implementing Diameter may not be easily
   translated to an equivalent RADIUS message by a Diameter/RADIUS
   gateway.  For example, where a Diameter authorization-only request
   cannot be translated to a RADIUS Call Check, it would be necessary
   for the Diameter/RADIUS gateway to add authentication information to
   the RADIUS Access-Request.  On receiving the Access-Reply, the
   Diameter/RADIUS gateway would need to discard the access decision
   (Accept/Reject).  It is not clear that these translations can be
   accomplished without adding significant security vulnerabilities.

2.1.  Diameter Session Establishment

   When the authentication or authorization exchange completes
   successfully, the NAS application SHOULD start a session context.  If
   the Result-Code of DIAMETER_MULTI_ROUND_AUTH is returned, the
   exchange continues until a success or error is returned.

   If accounting is active, the application MUST also send an Accounting
   message [Base].  An Accounting-Record-Type of START_RECORD is sent
   for a new session.  If a session fails to start, an EVENT_RECORD
   message describing the reason for the failure is sent.

   Note that the return of an unsupportable Accounting-Realtime-Required
   value [Base] would result in a failure to establish the session.

2.2.  Diameter Session Reauthentication or Reauthorization

   The Diameter Base protocol allows for users to be periodically
   reauthenticated and/or reauthorized.  In such instances, the
   Session-Id AVP in the AAR message MUST be the same as the one present
   in the original authentication/authorization message.

   A Diameter server informs the NAS of the maximum time allowed before
   reauthentication or reauthorization via the Authorization-Lifetime
   AVP [Base].  A NAS MAY reauthenticate and/or reauthorize before the
   end, but a NAS MUST reauthenticate and/or reauthorize at the end of
   the period provided by the Authorization-Lifetime AVP.  The failure
   of a reauthentication exchange will cause the service to be
   terminated.

   Furthermore, it is possible for Diameter servers to issue unsolicited
   reauthentication and/or reauthorization requests (e.g. the
   Re-Auth-Request (RAR) message [Base]) to the NAS.  Upon receipt of
   such a message, the NAS MUST respond to the request with a
   Re-Auth-Answer (RAA) message [Base].

   If the RAR properly identifies an active session, the NAS will
   initiate a new local reauthentication or authorization sequence as
   indicated by the Re-Auth-Request-Type value.  This will cause the NAS
   to send a new AAR message using the existing Session-Id.  The server
   will respond with an AAA message to specify the new service
   parameters.

   If accounting is active, every change of authentication or
   authorization SHOULD generate an accounting message.  If the NAS
   service is a continuation of the prior user context, then an
   Accounting-Record-Type of INTERIM_RECORD indicating the new session
   attributes and cumulative status would be appropriate.  If a new user
   or a significant change in authorization is detected by the NAS, then
   the service may consider it appropriate to send two messages of the
   types STOP_RECORD and START_RECORD.  Accounting may change the
   subsession identifiers (Acct-Session-ID, or Acct-Sub-Session-Id) to
   indicate such sub-sessions.  A service may also use a different
   Session-Id value for accounting (See [BASE] Section 9.6).

   However, the Diameter Session-ID AVP value used for the initial
   authorization exchange MUST be used to generate an STR message when
   the session context is terminated.

2.3.  Diameter Session Termination

   When a NAS receives an indication that a user's session is being
   disconnected by the client (e.g. LCP Terminate is received) or by an
   administrative command, the NAS MUST issue a
   Session-Termination-Request (STR) [Base] to its Diameter Server.
   This will ensure that any resources maintained on the servers are
   freed appropriately.

   Furthermore, a NAS that receives an Abort-Session-Request (ASR)
   [Base] MUST issue an ASA if the session identified is active, and
   disconnect the PPP (or tunneling) session.

   Termination of the session context MUST cause the sending of an
   Accounting STOP_RECORD message [Base], if accounting is active.

   More information on Diameter Session Termination is in [Base]
   sections 8.4 and 8.5.

3.  NAS Messages

   This section defines the Diameter message Command-Code [Base] values
   that MUST be supported by all Diameter implementations that conform
   to this specification.  The Command Codes are:

   Command-Name                  Abbrev.  Code  Reference
   -------------------------------------------------------
   AA-Request                    AAR      265   3.1
   AA-Answer                     AAA      265   3.2
   Re-Auth-Request               RAR      258   3.3
   Re-Auth-Answer                RAA      258   3.4
   Session-Termination-Request   STR      275   3.5
   Session-Termination-Answer    STA      275   3.6
   Abort-Session-Request         ASR      274   3.7
   Abort-Session-Answer          ASA      274   3.8
   Accounting-Request            ACR      271   3.9
   Accounting-Answer             ACA      271   3.10

3.1.  AA-Request (AAR) Command

   The AA-Request message (AAR), indicated by the Command-Code field set
   to 265 and the 'R' bit set in the Command Flags field, is used in
   order to request authentication and/or authorization for a given NAS
   user.  The type of request is identified through the
   Auth-Request-Type AVP [Base].  The recommended value for most RADIUS
   interoperability situations is AUTHORIZE_AUTHENTICATE.

   If authentication is requested, the User-Name attribute SHOULD be
   present, as well as any additional authentication AVPs that would
   carry the password information.  A request for authorization only
   SHOULD include the information from which the authorization will be
   performed, such as the User-Name, Called-Station-Id, or
   Calling-Station-Id AVPs.  All requests SHOULD contain AVPs uniquely
   identifying the source of the call, such as Origin-Host and
   NAS-Port.  Certain networks MAY use different AVPs for authorization
   purposes.  A request for authorization will include some AVPs defined
   in section 6.

   It is possible for a single session to be authorized first, then
   followed by an authentication request.

   This AA-Request message MAY be the result of a multi-round
   authentication exchange, which occurs when the AA-Answer message is
   received with the Result-Code AVP set to DIAMETER_MULTI_ROUND_AUTH.
A 452 subsequent AAR message SHOULD be sent, with the User-Password AVP 453 that includes the user's response to the prompt, and MUST include any 454 State AVPs that were present in the AAA message. 456 Message Format 458 ::= < Diameter Header: 265, REQ, PXY > 459 < Session-Id > 460 { Auth-Application-Id } 461 { Origin-Host } 462 { Origin-Realm } 463 { Destination-Realm } 464 { Auth-Request-Type } 465 [ Destination-Host ] 466 [ NAS-Identifier ] 467 [ NAS-IP-Address ] 468 [ NAS-IPv6-Address ] 469 [ NAS-Port ] 470 [ NAS-Port-Id ] 471 [ NAS-Port-Type ] 472 [ Origin-State-Id ] 473 [ Port-Limit ] 474 [ User-Name ] 475 [ User-Password ] 476 [ Service-Type ] 477 [ State ] 478 [ Authorization-Lifetime ] 479 [ Auth-Grace-Period ] 480 [ Auth-Session-State ] 481 [ Callback-Number ] 482 [ Called-Station-Id ] 483 [ Calling-Station-Id ] 484 [ Originating-Line-Info ] 485 [ Connect-Info ] 486 [ CHAP-Auth ] 487 [ CHAP-Challenge ] 488 * [ Framed-Compression ] 489 [ Framed-Interface-Id ] 490 [ Framed-IP-Address ] 491 * [ Framed-IPv6-Prefix ] 493 [ Framed-IP-Netmask ] 494 [ Framed-MTU ] 495 [ Framed-Protocol ] 496 [ ARAP-Password ] 497 [ ARAP-Security ] 498 * [ ARAP-Security-Data ] 499 * [ Login-IP-Host ] 500 * [ Login-IPv6-Host ] 501 [ Login-LAT-Group ] 502 [ Login-LAT-Node ] 503 [ Login-LAT-Port ] 504 [ Login-LAT-Service ] 505 * [ Tunneling ] 506 * [ Proxy-Info ] 507 * [ Route-Record ] 508 * [ AVP ] 510 3.2. AA-Answer (AAA) Command 512 The AA-Answer (AAA) message, is indicated by the Command-Code field 513 set to 265 and the 'R' bit cleared in the Command Flags field, is 514 sent in response to the AA-Request message. If authorization was 515 requested, a successful response will include the authorization AVPs 516 appropriate for the service being provided, as defined in section 6. 518 For authentication exchanges that require more than a single round 519 trip, the server MUST set the Result-Code AVP to 520 DIAMETER_MULTI_ROUND_AUTH. 
   An AAA message with this result code MAY include one or more
   Reply-Message AVPs and MAY include zero or one State AVP.

   If the Reply-Message AVP was present, the network access server
   SHOULD send the text to the user's client for display to the user,
   instructing it to prompt the user for a response.  For example, this
   capability can be achieved in PPP via PAP.  If the access client is
   unable to prompt the user for a new response, it MUST treat the
   AA-Answer with the Reply-Message AVP as an error, and deny access.

   Message Format

      <AA-Answer> ::= < Diameter Header: 265, PXY >
                      < Session-Id >
                      { Auth-Application-Id }
                      { Auth-Request-Type }
                      { Result-Code }
                      { Origin-Host }
                      { Origin-Realm }
                      [ User-Name ]
                      [ Service-Type ]
                    * [ Class ]
                    * [ Configuration-Token ]
                      [ Acct-Interim-Interval ]
                      [ Error-Message ]
                      [ Error-Reporting-Host ]
                    * [ Failed-AVP ]
                      [ Idle-Timeout ]
                      [ Authorization-Lifetime ]
                      [ Auth-Grace-Period ]
                      [ Auth-Session-State ]
                      [ Re-Auth-Request-Type ]
                      [ Session-Timeout ]
                      [ State ]
                    * [ Reply-Message ]
                      [ Origin-State-Id ]
                    * [ Filter-Id ]
                      [ Password-Retry ]
                      [ Port-Limit ]
                      [ Prompt ]
                      [ ARAP-Challenge-Response ]
                      [ ARAP-Features ]
                      [ ARAP-Security ]
                    * [ ARAP-Security-Data ]
                      [ ARAP-Zone-Access ]
                      [ Callback-Id ]
                      [ Callback-Number ]
                      [ Framed-Appletalk-Link ]
                    * [ Framed-Appletalk-Network ]
                      [ Framed-Appletalk-Zone ]
                    * [ Framed-Compression ]
                      [ Framed-Interface-Id ]
                      [ Framed-IP-Address ]
                    * [ Framed-IPv6-Prefix ]
                      [ Framed-IPv6-Pool ]
                    * [ Framed-IPv6-Route ]
                      [ Framed-IP-Netmask ]
                    * [ Framed-Route ]
                      [ Framed-Pool ]
                      [ Framed-IPX-Network ]
                      [ Framed-MTU ]
                      [ Framed-Protocol ]
                      [ Framed-Routing ]
                    * [ Login-IP-Host ]
                    * [ Login-IPv6-Host ]
                      [ Login-LAT-Group ]
                      [ Login-LAT-Node ]
                      [ Login-LAT-Port ]
                      [ Login-LAT-Service ]
                      [ Login-Service ]
                      [ Login-TCP-Port ]
                    * [ NAS-Filter-Rule ]
                    * [ QoS-Filter-Rule ]
                    * [ Tunneling ]
                    * [ Redirect-Host ]
                      [ Redirect-Host-Usage ]
                      [ Redirect-Max-Cache-Time ]
                    * [ Proxy-Info ]
                    * [ AVP ]

3.3.  Re-Auth-Request (RAR) Command

   A Diameter server may initiate a re-authentication and/or
   re-authorization service for a particular session by issuing a
   Re-Auth-Request (RAR) message [Base].

   For example, for pre-paid services, the Diameter server that
   originally authorized a session may need some confirmation that the
   user is still using the services.

   A NAS that receives a RAR message with Session-Id equal to a
   currently active session and a Re-Auth-Request-Type that includes
   authentication MUST initiate a re-authentication towards the user,
   if the service supports this particular feature.

   Message Format

      <RA-Request> ::= < Diameter Header: 258, REQ, PXY >
                       < Session-Id >
                       { Origin-Host }
                       { Origin-Realm }
                       { Destination-Realm }
                       { Destination-Host }
                       { Auth-Application-Id }
                       { Re-Auth-Request-Type }
                       [ User-Name ]
                       [ Origin-State-Id ]
                       [ NAS-Identifier ]
                       [ NAS-IP-Address ]
                       [ NAS-IPv6-Address ]
                       [ NAS-Port ]
                       [ NAS-Port-Id ]
                       [ NAS-Port-Type ]
                       [ Service-Type ]
                       [ Framed-IP-Address ]
                       [ Framed-IPv6-Prefix ]
                       [ Framed-Interface-Id ]
                       [ Called-Station-Id ]
                       [ Calling-Station-Id ]
                       [ Originating-Line-Info ]
                       [ Acct-Session-Id ]
                       [ Acct-Multi-Session-Id ]
                       [ State ]
                     * [ Class ]
                       [ Reply-Message ]
                     * [ Proxy-Info ]
                     * [ Route-Record ]
                     * [ AVP ]

3.4.  Re-Auth-Answer (RAA) Command

   The Re-Auth-Answer (RAA) message [Base] is sent in response to the
   RAR.  The Result-Code AVP MUST be present, and indicates the
   disposition of the request.

   A successful RAA transaction MUST be followed by an AA-Request
   message.
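As an added illustration of the multi-round exchange of sections 3.1 and 3.2 (this code is not part of the draft), the Python below parses an excerpt of the AA-Request grammar written in the document's own notation, checks messages against it, and runs the two rounds in which the server answers DIAMETER_MULTI_ROUND_AUTH with a Reply-Message prompt and a State AVP that the NAS must echo in its next AAR. The Result-Code numeric values are those of the Diameter base protocol; the host names, Session-Id, password and State contents are constructed, and messages are plain dictionaries rather than wire-encoded AVPs.

```python
import hmac
import re
import secrets

# Result-Code values from the Diameter base protocol [Base].
DIAMETER_MULTI_ROUND_AUTH = 1001
DIAMETER_SUCCESS = 2001
DIAMETER_AUTHENTICATION_REJECTED = 4001

# Excerpt of the section 3.1 grammar in the document's own notation ('<' fixed,
# '{' required, '[' optional, leading '*' = may repeat); constructed for this example.
AAR_FORMAT = """
<AA-Request> ::= < Diameter Header: 265, REQ, PXY >
                 < Session-Id >
                 { Auth-Application-Id }
                 { Origin-Host }
                 { Origin-Realm }
                 { Destination-Realm }
                 { Auth-Request-Type }
                 [ User-Name ]
                 [ User-Password ]
                 [ State ]
               * [ AVP ]
"""
RULE_RE = re.compile(r"^\s*(\*?)\s*([<{\[])\s*([A-Za-z0-9-]+)\s*[>}\]]\s*$")


def parse_format(text):
    """Parse a section-3 message grammar into {avp_name: (kind, repeatable)}."""
    rules = {}
    for line in text.splitlines():
        rhs = line.split("::=", 1)[-1]            # drop the "<AA-Request> ::=" prefix
        match = RULE_RE.match(rhs)
        if match and "Diameter Header" not in rhs:
            star, kind, name = match.groups()
            rules[name] = (kind, star == "*")
    return rules


def validate(rules, message):
    """Return grammar violations for a message given as {avp_name: [values]};
    an empty list means the message conforms."""
    problems = []
    for name, (kind, repeatable) in rules.items():
        count = len(message.get(name, []))
        if kind in "<{" and count != 1:
            problems.append("%s must appear exactly once, found %d" % (name, count))
        elif kind == "[" and not repeatable and count > 1:
            problems.append("%s may appear at most once, found %d" % (name, count))
    if not rules.get("AVP", ("[", False))[1]:     # no "* [ AVP ]": the set is closed
        problems += ["%s not permitted" % n for n in message if n not in rules]
    return problems


class MultiRoundServer:
    """Toy server for the 3.1/3.2 exchange: the first AAR gets DIAMETER_MULTI_ROUND_AUTH,
    a Reply-Message prompt and a State AVP; the next AAR must echo State + User-Password."""
    def __init__(self, expected_password):
        self.expected = expected_password
        self.pending = {}         # Session-Id -> State issued (opaque to the NAS)

    def handle_aar(self, aar):
        session = aar["Session-Id"][0]
        if "State" not in aar:
            state = secrets.token_bytes(16)
            self.pending[session] = state
            return {"Result-Code": [DIAMETER_MULTI_ROUND_AUTH],
                    "Reply-Message": ["Enter your one-time code:"], "State": [state]}
        # Second round: State must be exactly what was issued for this session, and
        # it is consumed here so a captured State cannot be replayed later.
        issued = self.pending.pop(session, b"")
        if not hmac.compare_digest(issued, aar["State"][0]):
            return {"Result-Code": [DIAMETER_AUTHENTICATION_REJECTED]}
        ok = hmac.compare_digest(self.expected, aar.get("User-Password", [b""])[0])
        return {"Result-Code": [DIAMETER_SUCCESS if ok else DIAMETER_AUTHENTICATION_REJECTED]}


def nas_follow_up(first_aar, aaa, user_response):
    """NAS side of section 3.1: resend with the user's response in User-Password
    and every State AVP from the AAA copied unchanged."""
    aar = {k: list(v) for k, v in first_aar.items() if k != "User-Password"}
    aar["User-Password"] = [user_response]
    aar["State"] = list(aaa.get("State", []))
    return aar


def run_exchange(user_response, tamper_state=False):
    """Drive both rounds and return the final Result-Code.  Sample values are
    constructed; Auth-Application-Id 1 = NASREQ, Auth-Request-Type 3 = AUTHORIZE_AUTHENTICATE."""
    rules = parse_format(AAR_FORMAT)
    server = MultiRoundServer(expected_password=b"123456")
    first = {"Session-Id": ["nas.example.com;1;7"], "Auth-Application-Id": [1],
             "Origin-Host": ["nas.example.com"], "Origin-Realm": ["example.com"],
             "Destination-Realm": ["example.com"], "Auth-Request-Type": [3],
             "User-Name": ["alice"]}
    assert validate(rules, first) == []
    aaa = server.handle_aar(first)
    second = nas_follow_up(first, aaa, user_response)
    if tamper_state:                       # a NAS that fails to echo the issued State
        second["State"] = [b"\x00" * 16]
    assert validate(rules, second) == []
    return server.handle_aar(second)["Result-Code"][0]
```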
   Message Format

      <RA-Answer> ::= < Diameter Header: 258, PXY >
                      < Session-Id >
                      { Result-Code }
                      { Origin-Host }
                      { Origin-Realm }
                      [ User-Name ]
                      [ Origin-State-Id ]
                      [ Error-Message ]
                      [ Error-Reporting-Host ]
                    * [ Failed-AVP ]
                    * [ Redirected-Host ]
                      [ Redirected-Host-Usage ]
                      [ Redirected-Host-Cache-Time ]
                      [ Service-Type ]
                    * [ Configuration-Token ]
                      [ Idle-Timeout ]
                      [ Authorization-Lifetime ]
                      [ Auth-Grace-Period ]
                      [ Re-Auth-Request-Type ]
                      [ State ]
                    * [ Class ]
                    * [ Reply-Message ]
                      [ Prompt ]
                    * [ Proxy-Info ]
                    * [ AVP ]

3.5.  Session-Termination-Request (STR) Command

   The Session-Termination-Request (STR) message [Base] is sent by the
   NAS to inform the Diameter Server that an authenticated and/or
   authorized session is being terminated.

   Message Format

      <ST-Request> ::= < Diameter Header: 275, REQ, PXY >
                       < Session-Id >
                       { Origin-Host }
                       { Origin-Realm }
                       { Destination-Realm }
                       { Auth-Application-Id }
                       { Termination-Cause }
                       [ User-Name ]
                       [ Destination-Host ]
                     * [ Class ]
                       [ Origin-State-Id ]
                     * [ Proxy-Info ]
                     * [ Route-Record ]
                     * [ AVP ]

3.6.  Session-Termination-Answer (STA) Command

   The Session-Termination-Answer (STA) message [Base] is sent by the
   Diameter Server to acknowledge the notification that the session has
   been terminated.  The Result-Code AVP MUST be present, and MAY
   contain an indication that an error occurred while servicing the STR.

   Upon sending or receipt of the STA, the Diameter Server MUST release
   all resources for the session indicated by the Session-Id AVP.  Any
   intermediate server in the Proxy-Chain MAY also release any
   resources, if necessary.
   Message Format

      <ST-Answer> ::= < Diameter Header: 275, PXY >
                      < Session-Id >
                      { Result-Code }
                      { Origin-Host }
                      { Origin-Realm }
                      [ User-Name ]
                    * [ Class ]
                      [ Error-Message ]
                      [ Error-Reporting-Host ]
                    * [ Failed-AVP ]
                      [ Origin-State-Id ]
                    * [ Redirect-Host ]
                      [ Redirect-Host-Usage ]
                      [ Redirect-Max-Cache-Time ]
                    * [ Proxy-Info ]
                    * [ AVP ]

3.7.  Abort-Session-Request (ASR) Command

   The Abort-Session-Request (ASR) message [Base] may be sent by any
   server to the NAS that is providing session service, to request that
   the session identified by the Session-Id be stopped.

   Message Format

      <AS-Request> ::= < Diameter Header: 274, REQ, PXY >
                       < Session-Id >
                       { Origin-Host }
                       { Origin-Realm }
                       { Destination-Realm }
                       { Destination-Host }
                       { Auth-Application-Id }
                       [ User-Name ]
                       [ Origin-State-Id ]
                       [ NAS-Identifier ]
                       [ NAS-IP-Address ]
                       [ NAS-IPv6-Address ]
                       [ NAS-Port ]
                       [ NAS-Port-Id ]
                       [ NAS-Port-Type ]
                       [ Service-Type ]
                       [ Framed-IP-Address ]
                       [ Framed-IPv6-Prefix ]
                       [ Framed-Interface-Id ]
                       [ Called-Station-Id ]
                       [ Calling-Station-Id ]
                       [ Originating-Line-Info ]
                       [ Acct-Session-Id ]
                       [ Acct-Multi-Session-Id ]
                       [ State ]
                     * [ Class ]
                     * [ Reply-Message ]
                     * [ Proxy-Info ]
                     * [ Route-Record ]
                     * [ AVP ]

3.8.  Abort-Session-Answer (ASA) Command

   The Abort-Session-Answer (ASA) message [Base] is sent in response to
   the ASR.  The Result-Code AVP MUST be present, and indicates the
   disposition of the request.

   If the session identified by Session-Id in the ASR was successfully
   terminated, Result-Code is set to DIAMETER_SUCCESS.  If the session
   is not currently active, Result-Code is set to
   DIAMETER_UNKNOWN_SESSION_ID.  If the access device does not stop the
   session for any other reason, Result-Code is set to
   DIAMETER_UNABLE_TO_COMPLY.
   Message Format

      <AS-Answer> ::= < Diameter Header: 274, PXY >
                      < Session-Id >
                      { Result-Code }
                      { Origin-Host }
                      { Origin-Realm }
                      [ User-Name ]
                      [ Origin-State-Id ]
                      [ State ]
                      [ Error-Message ]
                      [ Error-Reporting-Host ]
                    * [ Failed-AVP ]
                    * [ Redirected-Host ]
                      [ Redirected-Host-Usage ]
                      [ Redirected-Max-Cache-Time ]
                    * [ Proxy-Info ]
                    * [ AVP ]

3.9.  Accounting-Request (ACR) Command

   The Accounting-Request (ACR) message [Base] is sent by the NAS to
   report its session information to a target server downstream.

   One of the Acct-Application-Id and Vendor-Specific-Application-Id
   AVPs MUST be present.  If the Vendor-Specific-Application-Id grouped
   AVP is present, it must have an Acct-Application-Id inside.

   The AVPs listed in the Base MUST be assumed to be present as
   appropriate.  NAS service specific accounting AVPs SHOULD be present
   as described in section 8 and the rest of this specification.

   Message Format

      <AC-Request> ::= < Diameter Header: 271, REQ, PXY >
                       < Session-Id >
                       { Origin-Host }
                       { Origin-Realm }
                       { Destination-Realm }
                       { Accounting-Record-Type }
                       { Accounting-Record-Number }
                       [ Acct-Application-Id ]
                       [ Vendor-Specific-Application-Id ]
                       [ User-Name ]
                       [ Accounting-Sub-Session-Id ]
                       [ Acct-Session-Id ]
                       [ Acct-Multi-Session-Id ]
                       [ Origin-State-Id ]
                       [ Destination-Host ]
                       [ Event-Timestamp ]
                       [ Acct-Delay-Time ]
                       [ NAS-Identifier ]
                       [ NAS-IP-Address ]
                       [ NAS-IPv6-Address ]
                       [ NAS-Port ]
                       [ NAS-Port-Id ]
                       [ NAS-Port-Type ]
                     * [ Class ]
                       [ Service-Type ]
                       [ Termination-Cause ]
                       [ Accounting-Input-Octets ]
                       [ Accounting-Input-Packets ]
                       [ Accounting-Output-Octets ]
                       [ Accounting-Output-Packets ]
                       [ Acct-Authentic ]
                       [ Accounting-Auth-Method ]
                       [ Acct-Link-Count ]
                       [ Acct-Session-Time ]
                       [ Acct-Tun
924 Message Format 926 ::= < Diameter Header: 271, PXY > 927 < Session-Id > 928 { Result-Code } 929 { Origin-Host } 930 { Origin-Realm } 931 { Accounting-Record-Type } 932 { Accounting-Record-Number } 933 [ Acct-Application-Id ] 934 [ Vendor-Specific-Application-Id ] 935 [ User-Name ] 936 [ Accounting-Sub-Session-Id ] 937 [ Acct-Session-Id ] 938 [ Acct-Multi-Session-Id ] 939 [ Event-Timestamp ] 940 [ Error-Message ] 941 [ Error-Reporting-Host ] 942 * [ Failed-AVP ] 943 [ Origin-State-Id ] 944 [ NAS-Identifier ] 945 [ NAS-IP-Address ] 946 [ NAS-IPv6-Address ] 947 [ NAS-Port ] 948 [ NAS-Port-Id ] 949 [ NAS-Port-Type ] 950 [ Service-Type ] 951 [ Termination-Cause ] 952 [ Accounting-Realtime-Required ] 953 [ Acct-Interim-Interval ] 954 * [ Class ] 955 * [ Proxy-Info ] 956 * [ Route-Record ] 957 * [ AVP ] 959 4. NAS Session AVPs 961 Diameter reserves the AVP Codes 0-255 for RADIUS functions that are 962 implemented in Diameter. 964 AVPs new to Diameter have code values 256 and greater. A Diameter 965 message that includes one of these AVPs may represent functions not 966 present in the RADIUS environment and may cause interoperability 967 issues should the request traverse a AAA system that only supports 968 the RADIUS protocol. 970 There are some RADIUS attributes that are not allowed or supported 971 directly in Diameter. See section 9 below for more information. 973 4.1. Call and Session Information 975 This section contains the AVPs specific to NAS Diameter applications 976 that are needed to identify the call and session context and status 977 information. On a request, this information allows the server to 978 qualify the session. 980 These AVPs are used in addition to the Base AVPs of: 981 Session-Id 982 Auth-Application-Id 983 Origin-Host 984 Origin-Realm 985 Auth-Request-Type 986 Termination-Cause 988 The following table describes the Session level AVPs, their AVP Code 989 values, types, possible flag values and whether the AVP MAY be 990 encrypted. 
991 +---------------------+ 992 | AVP Flag rules | 993 |----+-----+----+-----|----+ 994 AVP Section | | |SHLD| MUST| | 995 Attribute Name Code Defined Value Type |MUST| MAY | NOT| NOT|Encr| 996 -----------------------------------------|----+-----+----+-----|----| 997 NAS-Port 5 4.2 Unsigned32 | M | P | | V | Y | 998 NAS-Port-Id 87 4.3 UTF8String | M | P | | V | Y | 999 NAS-Port-Type 61 4.4 Enumerated | M | P | | V | Y | 1000 Called-Station-Id 30 4.5 UTF8String | M | P | | V | Y | 1001 Calling-Station- 31 4.6 UTF8String | M | P | | V | Y | 1002 Id | | | | | | 1003 Connect-Info 77 4.7 UTF8String | M | P | | V | Y | 1004 Originating-Line- 94 4.8 OctetString| | M,P | | V | Y | 1005 Info | | | | | | 1006 Reply-Message 18 4.9 UTF8String | M | P | | V | Y | 1007 -----------------------------------------|----+-----+----+-----|----| 1009 4.2. NAS-Port AVP 1011 The NAS-Port AVP (AVP Code 5) is of type Unsigned32 and contains the 1012 physical or virtual port number of the NAS which is authenticating 1013 the user. Note that this is using "port" in its sense of a service 1014 connection on the NAS, not in the sense of an IP protocol identifier. 1016 Either NAS-Port or NAS-Port-Id (AVP Code 87) SHOULD be present in AA- 1017 Request commands if the NAS differentiates among its ports. 1019 4.3. NAS-Port-Id AVP 1021 The NAS-Port-Id AVP (AVP Code 87) is of type UTF8String and consists 1022 of ASCII text that identifies the port of the NAS which is 1023 authenticating the user. Note that this is using "port" in its sense 1024 of a service connection on the NAS, not in the sense of an IP 1025 protocol identifier. 1027 Either NAS-Port or NAS-Port-Id SHOULD be present in AA-Request 1028 commands if the NAS differentiates among its ports. NAS-Port-Id is 1029 intended for use by NASes which cannot conveniently number their 1030 ports. 1032 4.4. 
NAS-Port-Type AVP 1034 The NAS-Port-Type AVP (AVP Code 61) is of type Enumerated and 1035 contains the type of the port on which the NAS is authenticating the 1036 user. This AVP SHOULD be present if the NAS uses the same NAS-Port 1037 number ranges for different service types concurrently. 1039 The supported values are defined in [RADIUSTypes]. The following 1040 list is informational and subject to change in the IANA. 1042 0 Async 1043 1 Sync 1044 2 ISDN Sync 1045 3 ISDN Async V.120 1046 4 ISDN Async V.110 1047 5 Virtual 1048 6 PIAFS 1049 7 HDLC Clear Channel 1050 8 X.25 1051 9 X.75 1052 10 G.3 Fax 1053 11 SDSL - Symmetric DSL 1054 12 ADSL-CAP - Asymmetric DSL, Carrierless Amplitude Phase 1055 Modulation 1056 13 ADSL-DMT - Asymmetric DSL, Discrete Multi-Tone 1057 14 IDSL - ISDN Digital Subscriber Line 1058 15 Ethernet 1059 16 xDSL - Digital Subscriber Line of unknown type 1060 17 Cable 1061 18 Wireless - Other 1062 19 Wireless - IEEE 802.11 1063 20 Token-Ring [RAD802.1X] 1064 21 FDDI [RAD802.1X] 1065 22 Wireless - CDMA2000 1066 23 Wireless - UMTS 1067 24 Wireless - 1X-EV 1068 25 IAPP [IEEE 802.11f] 1070 4.5. Called-Station-Id AVP 1072 The Called-Station-Id AVP (AVP Code 30) is of type UTF8String, and 1073 allows the NAS to send in the request, the ASCII string describing 1074 the layer 2 address that the user contacted to. For dialup access, 1075 this can be a phone number, obtained using Dialed Number 1076 Identification (DNIS) or a similar technology. Note that this may be 1077 different from the phone number the call comes in on. For use with 1078 IEEE 802 access, the Called-Station-Id MAY contain a MAC address, 1079 formatted as described in [RAD802.1X]. It SHOULD only be present in 1080 authentication and/or authorization requests. 1082 If the Auth-Request-Type AVP is set to authorization-only and the 1083 User-Name AVP is absent, the Diameter Server MAY perform 1084 authorization based on this field. 
This can be used by a NAS to 1085 request whether a call should be answered based on the DNIS. 1087 The codification of the range of allowed usage of this field is 1088 outside the scope of this specification. 1090 4.6. Calling-Station-Id AVP 1092 The Calling-Station-Id AVP (AVP Code 31) is of type UTF8String, and 1093 allows the NAS to send in the request the ASCII string describing the 1094 layer 2 address that the user connected from. For dialup access, this 1095 is the phone number that the call came from, using Automatic Number 1096 Identification (ANI) or a similar technology. For use with IEEE 802 1097 access, the Calling-Station-Id AVP MAY contain a MAC address, 1098 formated as described in [RAD802.1X]. It SHOULD only be present in 1099 authentication and/or authorization requests. 1101 If the Auth-Request-Type AVP is set to authorization-only and the 1102 User-Name AVP is absent, the Diameter Server MAY perform 1103 authorization based on this field. This can be used by a NAS to 1104 request whether a call should be answered based on the layer 2 1105 address (ANI, MAC Address, etc.) 1107 The codification of the range of allowed usage of this field is 1108 outside the scope of this specification. 1110 4.7. Connect-Info AVP 1112 The Connect-Info AVP (AVP Code 77) is of type UTF8String and is sent 1113 in the AA-Request message or ACR STOP message. When sent in the 1114 Access-Request it indicates the nature of the user's connection. The 1115 connection speed SHOULD be included at the beginning of the first 1116 Connect-Info AVP in the message. If the transmit and receive 1117 connection speeds differ, they may both be included in the first AVP 1118 with the transmit speed first (the speed the NAS modem transmits at), 1119 a slash (/), the receive speed, then optionally other information. 
1121 For example, "28800 V42BIS/LAPM" or "52000/31200 V90" 1123 More than one Connect-Info attribute may be present in an Accounting- 1124 Request packet to accommodate expected efforts by ITU to have modems 1125 report more connection information in a standard format that might 1126 exceed 252 octets. 1128 If sent in the ACR STOP, this attribute may be used to summarize 1129 statistics relating to session quality. For example, in IEEE 802.11, 1130 the Connect-Info attribute may contain information on the number of 1131 link layer retransmissions. The exact format of this attribute is 1132 implementation specific. 1134 4.8. Originating-Line-Info AVP 1136 The Originating-Line-Info AVP (AVP Code 94) is of type OctetString 1137 and is sent by the NAS system to convey information about the origin 1138 of the call from an SS7 system. 1140 The originating line information (OLI) information element indicates 1141 the nature and/or characteristics of the line from which a call 1142 originated (e.g. payphone, hotel, cellular). Telephone companies are 1143 starting to offer OLI to their customers as an option over Primary 1144 Rate Interface (PRI). Internet Service Providers (ISPs) can use OLI 1145 in addition to Called-Station-Id and Calling-Station-Id attributes to 1146 differentiate customer calls and define different services 1147 The Value field contains two octets (00-99). ANSI T1.113 and BELLCORE 1148 394 can be used for additional information about those values and 1149 their use. For more information on current assignment values see 1150 [ANITypes]. 
1152 Value Description 1153 ------------------------------------------------------------ 1154 00 Plain Old Telephone Service (POTS) 1155 01 Multiparty line (more than 2) 1156 02 ANI Failure 1157 03 ANI Observed 1158 04 ONI Observed 1159 05 ANI Failure Observed 1160 06 Station Level Rating 1161 07 Special Operator Handling Required 1162 08 InterLATA Restricted 1163 10 Test Call 1164 20 Automatic Identified Outward Dialing (AIOD) 1165 23 Coin or Non-Coin 1166 24 Toll Free Service (Non-Pay origination) 1167 25 Toll Free Service (Pay origination) 1168 27 Toll Free Service (Coin Control origination) 1169 29 Prison/Inmate Service 1170 30-32 Intercept 1171 30 Intercept (blank) 1172 31 Intercept (trouble) 1173 32 Intercept (regular) 1174 34 Telco Operator Handled Call 1175 40-49 Unrestricted Use 1176 52 Outward Wide Area Telecommunications Service (OUTWATS) 1177 60 Telecommunications Relay Service (TRS)(Unrestricted) 1178 61 Cellular/Wireless PCS (Type 1) 1179 62 Cellular/Wireless PCS (Type 2) 1180 63 Cellular/Wireless PCS (Roaming) 1181 66 TRS (Hotel) 1182 67 TRS (Restricted) 1183 70 Pay Station, No coin control 1184 93 Access for private virtual network service 1186 4.9. Reply-Message AVP 1188 The Reply-Message AVP (AVP Code 18) is of type UTF8String, and 1189 contains text which MAY be displayed to the user. When used in an 1190 AA-Answer message with a successful Result-Code AVP it is success 1191 information. When found in AAA message with a Result-Code other than 1192 DIAMETER_SUCCESS, the AVP contains a failure message. 1194 The Reply-Message AVP MAY indicate dialog text to prompt the user 1195 before another AA-Request attempt. When used in an AA-Answer, with a 1196 Result-Code of DIAMETER_MULTI_ROUND_AUTH or in an Re-Auth-Request 1197 message, it MAY contain a dialog text to prompt the user for a 1198 response. 
1200 Multiple Reply-Message's MAY be included and if any are displayed, 1201 they MUST be displayed in the same order as they appear in the 1202 Diameter message. 1204 5. NAS Authentication AVPs 1206 This section defines the AVPs that are necessary to carry the 1207 authentication information in the Diameter protocol. The 1208 functionality defined here provides a RADIUS-like AAA service, over a 1209 more reliable and secure transport, as defined in the base protocol 1210 [Base]. 1212 The following table describes the AVPs, their AVP Code values, types, 1213 possible flag values and whether the AVP MAY be encrypted. 1215 +---------------------+ 1216 | AVP Flag rules | 1217 |----+-----+----+-----|----+ 1218 AVP Section | | |SHLD| MUST| | 1219 Attribute Name Code Defined Value Type |MUST| MAY | NOT| NOT|Encr| 1220 -----------------------------------------|----+-----+----+-----|----| 1221 User-Password 2 5.1 OctetString| M | P | | V | Y | 1222 Password-Retry 75 5.2 Unsigned32 | M | P | | V | Y | 1223 Prompt 76 5.3 Enumerated | M | P | | V | Y | 1224 CHAP-Auth 402 5.4 Grouped | M | P | | V | Y | 1225 CHAP-Algorithm 403 5.5 Enumerated | M | P | | V | Y | 1226 CHAP-Ident 404 5.6 OctetString| M | P | | V | Y | 1227 CHAP-Response 405 5.7 OctetString| M | P | | V | Y | 1228 CHAP-Challenge 60 5.8 OctetString| M | P | | V | Y | 1229 ARAP-Password 70 5.9 OctetString| M | P | | V | Y | 1230 ARAP-Challenge- 84 5.10 OctetString| M | P | | V | Y | 1231 Response | | | | | | 1232 ARAP-Security 73 5.11 Unsigned32 | M | P | | V | Y | 1233 ARAP-Security- 74 5.12 OctetString| M | P | | V | Y | 1234 Data | | | | | | 1235 -----------------------------------------|----+-----+----+-----|----| 1237 5.1. User-Password AVP 1239 The User-Password AVP (AVP Code 2) is of type OctetString and 1240 contains the password of the user to be authenticated, or the user's 1241 input in a multi-round authentication exchange. 
1243 The User-Password AVP contains a user password or one-time password 1244 and therefore represents sensitive information. As required in 1245 [Base], Diameter messages are encrypted using IPsec or TLS. Unless 1246 this AVP is used for one-time passwords, the User-Password AVP SHOULD 1247 NOT be used in untrusted proxy environments without encrypting it 1248 using end-to-end security techniques, such as the proposed CMS 1249 Security [DiamCMS]. 1251 The clear-text password (prior to encryption) MUST NOT be longer than 1252 128 bytes in length. 1254 5.2. Password-Retry AVP 1256 The Password-Retry AVP (AVP Code 75) is of type Unsigned32 and MAY be 1257 included in the AA-Answer if the Result-Code indicates an 1258 authentication failure. The value of this AVP indicates how many 1259 authentication attempts a user may be permitted before being 1260 disconnected. This AVP is primarily intended for use when the Framed- 1261 Protocol AVP (see Section 6.10.1) is set to ARAP. 1263 5.3. Prompt AVP 1265 The Prompt AVP (AVP Code 76) is of type Enumerated, and MAY be 1266 present in the AA-Answer message. When present, it is used by the NAS 1267 to determine whether the user's response, when entered, should be 1268 echoed. 1270 The supported values are listed in [RADIUSTypes]. The following list 1271 is informational: 1273 0 No Echo 1274 1 Echo 1276 5.4. CHAP-Auth AVP 1278 The CHAP-Auth AVP (AVP Code 402) is of type Grouped and contains the 1279 information necessary to authenticate a user using the PPP Challenge- 1280 Handshake Authentication Protocol (CHAP) [PPPCHAP]. If the CHAP-Auth 1281 AVP is found in a message, the CHAP-Challenge AVP MUST be present as 1282 well. The optional AVPs containing the CHAP response depend upon the 1283 value of the CHAP-Algorithm AVP. The grouped AVP has the following 1284 ABNF grammar: 1286 CHAP-Auth ::= < AVP Header: 402 > 1287 { CHAP-Algorithm } 1288 { CHAP-Ident } 1289 [ CHAP-Response ] 1290 * [ AVP ] 1292 5.5. 
CHAP-Algorithm AVP 1294 The CHAP-Algorithm AVP (AVP Code 403) is of type Enumerated and 1295 contains the algorithm identifier used in the computation of the CHAP 1296 response [PPPCHAP]. The following values are currently supported: 1298 CHAP with MD5 5 1299 The CHAP response is computed using the procedure described in 1300 [PPPCHAP]. This algorithm requires that CHAP-Response AVP MUST 1301 be present in the CHAP-Auth AVP. 1303 5.6. CHAP-Ident AVP 1305 The CHAP-Ident AVP (AVP Code 404) is of type OctetString and contains 1306 the one octet CHAP Identifier used in the computation of the CHAP 1307 response [PPPCHAP]. 1309 5.7. CHAP-Response AVP 1311 The CHAP-Response AVP (AVP Code 405) is of type OctetString and 1312 contains the 16 octet authentication data provided by the user in 1313 response to the CHAP challenge [PPPCHAP]. 1315 5.8. CHAP-Challenge AVP 1317 The CHAP-Challenge AVP (AVP Code 60) is of type OctetString and 1318 contains the CHAP Challenge sent by the NAS to the CHAP peer 1319 [PPPCHAP]. 1321 5.9. ARAP-Password AVP 1323 The ARAP-Password AVP (AVP Code 70) is of type OctetString and is 1324 only present when the Framed-Protocol AVP (see Section 6.10.1) is 1325 included in the message and is set to ARAP. This AVP MUST NOT be 1326 present if either the User-Password or the CHAP-Auth AVP is present. 1327 See [RADIUSExt] for more information on the contents of this AVP. 1329 5.10. ARAP-Challenge-Response AVP 1331 The ARAP-Challenge-Response AVP (AVP Code 84) is of type OctetString 1332 and is only present when the Framed-Protocol AVP (see Section 6.10.1) 1333 is included in the message and is set to ARAP. This AVP contains an 8 1334 octet response to the dial-in client's challenge. The RADIUS server 1335 calculates this value by taking the dial-in client's challenge from 1336 the high order 8 octets of the ARAP-Password AVP and performing DES 1337 encryption on this value with the authenticating user's password as 1338 the key. 
If the user's password is less than 8 octets in length, the 1339 password is padded at the end with NULL octets to a length of 8 1340 before using it as a key. 1342 5.11. ARAP-Security AVP 1344 The ARAP-Security AVP (AVP Code 73) is of type Unsigned32, and MAY be 1345 present in the AA-Answer message if the Framed-Protocol AVP (see 1346 Section 6.10.1) is set to the value of ARAP, and the Result-Code AVP 1347 is set to DIAMETER_MULTI_ROUND_AUTH. See [RADIUSExt] for more 1348 information on the format of this AVP. 1350 5.12. ARAP-Security-Data AVP 1352 The ARAP-Security AVP (AVP Code 74) is of type OctetString, and MAY 1353 be present in the AA-Request or AA-Answer message if the Framed- 1354 Protocol AVP is set to the value of ARAP, and the Result-Code AVP is 1355 set to DIAMETER_MULTI_ROUND_AUTH. This AVP contains the security 1356 module challenge or response associated with the ARAP Security Module 1357 specified in ARAP-Security. 1359 6. NAS Authorization AVPs 1361 This section contains the authorization AVPs that are supported in 1362 the NAS Application. The Service-Type AVP SHOULD be present in all 1363 messages, and based on its value, additional AVPs defined in this 1364 section and section 7 MAY be present. 
1366 Due to space constraints, the short form IPFltrRule is used to 1367 represent IPFilterRule, and QoSFltrRule for QoSFilterRule 1368 +---------------------+ 1369 | AVP Flag rules | 1370 |----+-----+----+-----|----+ 1371 AVP Section | | |SHLD| MUST| | 1372 Attribute Name Code Defined Value Type |MUST| MAY | NOT| NOT|Encr| 1373 -----------------------------------------|----+-----+----+-----|----| 1374 Service-Type 6 6.1 Enumerated | M | P | | V | Y | 1375 Callback-Number 19 6.2 UTF8String | M | P | | V | Y | 1376 Callback-Id 20 6.3 UTF8String | M | P | | V | Y | 1377 Idle-Timeout 28 6.4 Unsigned32 | M | P | | V | Y | 1378 Port-Limit 62 6.5 Unsigned32 | M | P | | V | Y | 1379 NAS-Filter-Rule 400 6.6 IPFltrRule | M | P | | V | Y | 1380 Filter-Id 11 6.7 UTF8String | M | P | | V | Y | 1381 Configuration- 78 6.8 OctetString| M | | | P,V | | 1382 Token | | | | | | 1383 QoS-Filter-Rule 407 6.9 QoSFltrRule| | | | | | 1384 Framed-Protocol 7 6.10.1 Enumerated | M | P | | V | Y | 1385 Framed-Routing 10 6.10.2 Enumerated | M | P | | V | Y | 1386 Framed-MTU 12 6.10.3 Unsigned32 | M | P | | V | Y | 1387 Framed- 13 6.10.4 Enumerated | M | P | | V | Y | 1388 Compression | | | | | | 1389 Framed-IP-Address 8 6.11.1 OctetString| M | P | | V | Y | 1390 Framed-IP-Netmask 9 6.11.2 OctetString| M | P | | V | Y | 1391 Framed-Route 22 6.11.3 UTF8String | M | P | | V | Y | 1392 Framed-Pool 88 6.11.4 OctetString| M | P | | V | Y | 1393 Framed- 96 6.11.5 Unsigned64 | M | P | | V | Y | 1394 Interface-Id | | | | | | 1395 Framed-IPv6- 97 6.11.6 OctetString| M | P | | V | Y | 1396 Prefix | | | | | | 1397 Framed-IPv6- 99 6.11.7 UTF8String | M | P | | V | Y | 1398 Route | | | | | | 1399 Framed-IPv6-Pool 100 6.11.8 OctetString| M | P | | V | Y | 1400 Framed-IPX- 23 6.12.1 UTF8String | M | P | | V | Y | 1401 Network | | | | | | 1402 Framed-Appletalk- 37 6.13.1 Unsigned32 | M | P | | V | Y | 1403 Link | | | | | | 1404 Framed-Appletalk- 38 6.13.2 Unsigned32 | M | P | | V | Y | 1405 Network | | | | | | 
1406 Framed-Appletalk- 39 6.13.3 OctetString| M | P | | V | Y | 1407 Zone | | | | | | 1408 ARAP-Features 71 6.14.1 OctetString| M | P | | V | Y | 1409 ARAP-Zone-Access 72 6.14.2 Enumerated | M | P | | V | Y | 1410 Login-IP-Host 14 6.15.1 OctetString| M | P | | V | Y | 1411 Login-IPv6-Host 98 6.15.2 OctetString| M | P | | V | Y | 1412 Login-Service 15 6.15.3 Enumerated | M | P | | V | Y | 1413 Login-TCP-Port 16 6.16.1 Unsigned32 | M | P | | V | Y | 1414 Login-LAT-Service 34 6.17.1 OctetString| M | P | | V | Y | 1415 Login-LAT-Node 35 6.17.2 OctetString| M | P | | V | Y | 1416 Login-LAT-Group 36 6.17.3 OctetString| M | P | | V | Y | 1417 Login-LAT-Port 63 6.17.4 OctetString| M | P | | V | Y | 1418 -----------------------------------------|----+-----+----+-----|----| 1420 6.1. Service-Type AVP 1422 The Service-Type AVP (AVP Code 6) is of type Enumerated and contains 1423 the type of service the user has requested, or the type of service to 1424 be provided. One such AVP MAY be present in an authentication and/or 1425 authorization request or response. A NAS is not required to implement 1426 all of these service types, and MUST treat unknown or unsupported 1427 Service-Types received in a response as a failure, and end the 1428 session with a DIAMETER_INVALID_AVP_VALUE Result-Code. 1430 When used in a request, the Service-Type AVP SHOULD be considered to 1431 be a hint to the server that the NAS has reason to believe the user 1432 would prefer the kind of service indicated, but the server is not 1433 required to honor the hint. Furthermore, if the service specified by 1434 the server is supported, but not compatible with the current mode of 1435 access, the NAS MUST fail to start the session. The NAS MUST also 1436 generate the appropriate error message(s). 1438 The following values have been defined for the Service-Type AVP. The 1439 complete list of defined values can be found in [RADIUS] and 1440 [RADIUSTypes]. 
The following list is informational:

   1   Login
   2   Framed
   3   Callback Login
   4   Callback Framed
   5   Outbound
   6   Administrative
   7   NAS Prompt
   8   Authenticate Only
   9   Callback NAS Prompt
   10  Call Check
   11  Callback Administrative
   12  Voice
   13  Fax
   14  Modem Relay
   15  IAPP-Register [IEEE 802.11f]
   16  IAPP-AP-Check [IEEE 802.11f]
   17  Authorize Only [RFC3576]

The following values are further qualified:

   Login               1
      The user should be connected to a host. The message MAY include additional AVPs defined in sections 6.16 or 6.17.

   Framed              2
      A Framed Protocol should be started for the User, such as PPP or SLIP. The message MAY include additional AVPs defined in sections 6.10, or 7 for tunneling services.

   Callback Login      3
      The user should be disconnected and called back, then connected to a host. The message MAY include additional AVPs defined in this section.

   Callback Framed     4
      The user should be disconnected and called back, then a Framed Protocol should be started for the User, such as PPP or SLIP. The message MAY include additional AVPs defined in sections 6.10, or 7 for tunneling services.

6.2. Callback-Number AVP

The Callback-Number AVP (AVP Code 19) is of type UTF8String, and contains a dialing string to be used for callback. It MAY be used in an authentication and/or authorization request as a hint to the server that a Callback service is desired, but the server is not required to honor the hint in the corresponding response.

The codification of the range of allowed usage of this field is outside the scope of this specification.

6.3. Callback-Id AVP

The Callback-Id AVP (AVP Code 20) is of type UTF8String, and contains the name of a place to be called, to be interpreted by the NAS. This AVP MAY be present in an authentication and/or authorization response.
This AVP is not roaming-friendly since it assumes that the Callback-Id is configured on the NAS. It is therefore preferable to use the Callback-Number AVP instead.

6.4. Idle-Timeout AVP

The Idle-Timeout AVP (AVP Code 28) is of type Unsigned32 and sets the maximum number of consecutive seconds of idle connection allowed to the user before termination of the session or a prompt is issued. It MAY be used in an authentication and/or authorization request (or challenge) as a hint to the server that an idle timeout is desired, but the server is not required to honor the hint in the corresponding response. The default is none, or system specific.

6.5. Port-Limit AVP

The Port-Limit AVP (AVP Code 62) is of type Unsigned32 and sets the maximum number of ports to be provided to the user by the NAS. It MAY be used in an authentication and/or authorization request as a hint to the server that multilink PPP [PPPMP] service is desired, but the server is not required to honor the hint in the corresponding response.

6.6. NAS-Filter-Rule AVP

The NAS-Filter-Rule AVP (AVP Code 400) is of type IPFilterRule, and provides filter rules that need to be configured on the NAS for the user. One or more such AVPs MAY be present in an authorization response.

6.7. Filter-Id AVP

The Filter-Id AVP (AVP Code 11) is of type UTF8String, and contains the name of the filter list for this user. Zero or more Filter-Id AVPs MAY be sent in an authorization answer.

Identifying a filter list by name allows the filter to be used on different NASes without regard to filter-list implementation details. However, this AVP is not roaming friendly since filter naming differs from one service provider to another.

In non-RADIUS environments, it is RECOMMENDED that the NAS-Filter-Rule AVP be used instead.

6.8.
Configuration-Token AVP

The Configuration-Token AVP (AVP Code 78) is of type OctetString and is sent by a Diameter Server to a Diameter Proxy Agent or Translation Agent in an AA-Answer command to indicate a type of user profile to be used. It should not be sent to a Diameter Client (NAS).

The format of the Data field of this AVP is site specific.

6.9. QoS-Filter-Rule AVP

The QoS-Filter-Rule AVP (AVP Code 407) is of type QoSFilterRule, and provides QoS filter rules that need to be configured on the NAS for the user. One or more such AVPs MAY be present in an authorization response.

Note: Due to an editorial mistake in [Base], only the AVP format is discussed. The complete QoSFilterRule definition was not included. It is reprinted here for clarification.

QoSFilterRule

   The QoSFilterRule format is derived from the OctetString AVP Base Format. It uses the ASCII charset. Packets may be marked or metered based on the following information that is associated with it:

      Direction                          (in or out)
      Source and destination IP address  (possibly masked)
      Protocol
      Source and destination port        (lists or ranges)
      DSCP values                        (no mask or range)

   Rules for the appropriate direction are evaluated in order, with the first matched rule terminating the evaluation. Each packet is evaluated once. If no rule matches, the packet is treated as best effort. An access device that is unable to interpret or apply a QoS rule SHOULD NOT terminate the session.

   QoSFilterRule filters MUST follow the format:

      action dir proto from src to dst [options]

      tag    - Mark packet with a specific DSCP [DIFFSERV]. The DSCP option MUST be included.
      meter  - Meter traffic. The metering options MUST be included.

   dir          The format is as described under IPFilterRule.

   proto        The format is as described under IPFilterRule.
   src and dst  The format is as described under IPFilterRule.

   options:

      DSCP
         color values as defined in [DIFFSERV]. Exact matching of DSCP values is required (no masks or ranges).

      metering
         The metering option provides Assured Forwarding, as defined in [DIFFSERVAF], and MUST be present if the action is set to meter. The rate option is the throughput, in bits per second, which is used by the access device to mark packets. Traffic above the rate is marked with the color_over codepoint, while traffic under the rate is marked with the color_under codepoint. The color_under and color_over options contain the drop preferences, and MUST conform to the recommended codepoint keywords described in [DIFFSERVAF] (e.g. AF13).

         The metering option also supports the strict limit on traffic required by Expedited Forwarding, as defined in [DIFFSERVEF]. The color_over option may contain the keyword "drop" to prevent forwarding of traffic that exceeds the rate parameter.

   The rule syntax is a modified subset of ipfw(8) from FreeBSD, and the ipfw.c code may provide a useful base for implementations.

6.10. Framed Access Authorization AVPs

This section contains the authorization AVPs that are necessary to support framed access, such as PPP, SLIP, etc. AVPs defined in this section MAY be present in a message if the Service-Type AVP was set to "Framed" or "Callback Framed".

6.10.1. Framed-Protocol AVP

The Framed-Protocol AVP (AVP Code 7) is of type Enumerated and contains the framing to be used for framed access. This AVP MAY be present in both requests and responses. The supported values are listed in [RADIUSTypes].
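An added example (not part of the draft) of how an access device could parse and apply the QoSFilterRule format of Section 6.9: rules are evaluated in order for the packet's direction, the first match wins, no match means best effort, and a rule the device cannot interpret is skipped rather than ending the session. It assumes the option spelling "DSCP <codepoint>" and "metering <rate_bps> <color_under> <color_over>" and the IPFilterRule endpoint shape "any" or "addr[/len] [ports]", none of which the draft lays out verbatim.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Assumed layout (the draft names the options but does not spell them out):
#   DSCP <codepoint>                     for the "tag" action
#   metering <rate> <color_under> <color_over>   for the "meter" action
# src/dst use the IPFilterRule shape "any" or "addr[/len] [ports]".


@dataclass
class QoSRule:
    action: str                      # "tag" or "meter"
    direction: str                   # "in" or "out"
    proto: str                       # "ip" matches any protocol
    src: Optional[object]            # ip_network, or None for "any"
    src_ports: Optional[Set[int]]    # None means any port
    dst: Optional[object]
    dst_ports: Optional[Set[int]]
    dscp: Optional[str] = None       # tag: codepoint keyword, e.g. AF41
    rate: Optional[int] = None       # meter: bits per second
    color_under: Optional[str] = None
    color_over: Optional[str] = None  # may be "drop" (Expedited Forwarding)


@dataclass
class Packet:                        # constructed packet summary for evaluation
    direction: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_ports(spec: str) -> Set[int]:
    """'80,443,1024-1030' -> set of port numbers (lists or ranges)."""
    ports = set()
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_endpoint(tok: List[str], i: int):
    net = None if tok[i] == "any" else ipaddress.ip_network(tok[i], strict=False)
    i += 1
    ports = None
    if i < len(tok) and tok[i] not in ("to", "DSCP", "metering"):
        ports, i = parse_ports(tok[i]), i + 1
    return net, ports, i


def parse_rule(text: str) -> QoSRule:
    t = text.split()
    if len(t) < 7 or t[0] not in ("tag", "meter") or t[1] not in ("in", "out") or t[3] != "from":
        raise ValueError(f"malformed rule: {text!r}")
    src, sp, i = parse_endpoint(t, 4)
    if i >= len(t) or t[i] != "to":
        raise ValueError(f"missing 'to' in: {text!r}")
    dst, dp, i = parse_endpoint(t, i + 1)
    rule = QoSRule(t[0], t[1], t[2], src, sp, dst, dp)
    while i < len(t):                                   # options
        if t[i] == "DSCP" and i + 1 < len(t):
            rule.dscp, i = t[i + 1], i + 2
        elif t[i] == "metering" and i + 3 < len(t):
            rule.rate, rule.color_under, rule.color_over = int(t[i + 1]), t[i + 2], t[i + 3]
            i += 4
        else:
            raise ValueError(f"bad option near {t[i]!r} in: {text!r}")
    if rule.action == "tag" and rule.dscp is None:
        raise ValueError("tag rule without its mandatory DSCP option")
    if rule.action == "meter" and rule.rate is None:
        raise ValueError("meter rule without its mandatory metering option")
    return rule


def load_rules(texts: List[str]) -> Tuple[List[QoSRule], List[str]]:
    """Keep what we can interpret; an unusable rule is reported, not fatal
    (the draft says the access device SHOULD NOT terminate the session)."""
    rules, rejected = [], []
    for text in texts:
        try:
            rules.append(parse_rule(text))
        except ValueError as exc:
            rejected.append(f"{text}: {exc}")
    return rules, rejected


def matches(rule: QoSRule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction or rule.proto not in ("ip", pkt.proto):
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.src_ports is not None and pkt.sport not in rule.src_ports:
        return False
    return rule.dst_ports is None or pkt.dport in rule.dst_ports


def classify(rules: List[QoSRule], pkt: Packet, observed_bps: int = 0) -> str:
    """First matching rule wins; returns the DSCP keyword to mark with."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.action == "tag":
            return rule.dscp
        return rule.color_over if observed_bps > rule.rate else rule.color_under
    return "best-effort"
```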
The following list is informational:

   1   PPP
   2   SLIP
   3   AppleTalk Remote Access Protocol (ARAP)
   4   Gandalf proprietary SingleLink/MultiLink protocol
   5   Xylogics proprietary IPX/SLIP
   6   X.75 Synchronous

6.10.2. Framed-Routing AVP

The Framed-Routing AVP (AVP Code 10) is of type Enumerated and contains the routing method for the user, when the user is a router to a network. This AVP SHOULD only be present in authorization responses. The supported values are listed in [RADIUSTypes]. The following list is informational:

   0   None
   1   Send routing packets
   2   Listen for routing packets
   3   Send and Listen

6.10.3. Framed-MTU AVP

The Framed-MTU AVP (AVP Code 12) is of type Unsigned32 and contains the Maximum Transmission Unit to be configured for the user, when it is not negotiated by some other means (such as PPP). This AVP SHOULD only be present in authorization responses. The MTU value MUST be in the range of 64 and 65535.

6.10.4. Framed-Compression AVP

The Framed-Compression AVP (AVP Code 13) is of type Enumerated and contains the compression protocol to be used for the link. It MAY be used in an authorization request as a hint to the server that a specific compression type is desired, but the server is not required to honor the hint in the corresponding response.

More than one compression protocol AVP MAY be sent. It is the responsibility of the NAS to apply the proper compression protocol to appropriate link traffic.

The supported values are listed in [RADIUSTypes]. The following list is informational:

   0   None
   1   VJ TCP/IP header compression
   2   IPX header compression
   3   Stac-LZS compression

6.11. IP Access Authorization AVPs

The AVPs defined in this section are used when the user requests, or is being granted, access service to IP.

6.11.1.
Framed-IP-Address AVP

The Framed-IP-Address AVP (AVP Code 8) [RADIUS] is of type OctetString and contains an IPv4 address, of the type specified in the attribute value, to be configured for the user. It MAY be used in an authorization request as a hint to the server that a specific address is desired, but the server is not required to honor the hint in the corresponding response.

Two values have special significance: 0xFFFFFFFF and 0xFFFFFFFE. The value 0xFFFFFFFF indicates that the NAS should allow the user to select an address (e.g. Negotiated). The value 0xFFFFFFFE indicates that the NAS should select an address for the user (e.g. Assigned from a pool of addresses kept by the NAS).

6.11.2. Framed-IP-Netmask AVP

The Framed-IP-Netmask AVP (AVP Code 9) is of type OctetString and contains the four octets of the IPv4 netmask to be configured for the user when the user is a router to a network. It MAY be used in an authorization request as a hint to the server that a specific netmask is desired, but the server is not required to honor the hint in the corresponding response. This AVP MUST be present in a response if the request included this AVP with a value of 0xFFFFFFFF.

6.11.3. Framed-Route AVP

The Framed-Route AVP (AVP Code 22) is of type UTF8String, and contains the ASCII routing information to be configured for the user on the NAS. Zero or more such AVPs MAY be present in an authorization response.

The string MUST contain a destination prefix in dotted quad form optionally followed by a slash and a decimal length specifier stating how many high order bits of the prefix should be used. That is followed by a space, a gateway address in dotted quad form, a space, and one or more metrics separated by spaces. For example, "192.168.1.0/24 192.168.1.1 1".
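An added example (not the draft's own code) of a NAS-side parser for the Framed-Route string format, applying the rules this section goes on to state: the classful default length when the slash is omitted and the substitution of the user's own address for a 0.0.0.0 gateway. It also accepts the Framed-IPv6-Route form of Section 6.11.7 (mandatory prefix length, "::" as the user's address); the refusal of class D/E prefixes without an explicit length is an assumption, since the draft gives no default for them.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ParsedRoute:
    prefix: object                   # ip_network: destination prefix
    gateway: Optional[object]        # ip_address, or None: use the user's own address
    metrics: List[int]


def classful_prefix_len(addr) -> int:
    """Default length when Framed-Route omits it: 8/16/24 bits for class A/B/C."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    # Assumption: the draft gives no default for class D/E, so refuse rather than guess.
    raise ValueError(f"no classful default prefix length for {addr}")


def parse_route(text: str, user_address=None) -> ParsedRoute:
    """Parse '<prefix>[/<len>] <gateway> <metric> [<metric> ...]' as sent in a
    Framed-Route (IPv4) or Framed-IPv6-Route (IPv6) AVP."""
    parts = text.split()
    if len(parts) < 3:
        raise ValueError("need destination, gateway and at least one metric")
    dest, gw_text, metric_text = parts[0], parts[1], parts[2:]
    addr_text, slash, len_text = dest.partition("/")
    addr = ipaddress.ip_address(addr_text)
    if slash:
        plen = int(len_text)
    elif addr.version == 4:
        plen = classful_prefix_len(addr)
    else:
        raise ValueError("Framed-IPv6-Route requires an explicit prefix length")
    prefix = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
    gateway = ipaddress.ip_address(gw_text)
    if gateway.version != addr.version:
        raise ValueError("gateway and prefix are of different address families")
    if gateway.is_unspecified:                 # 0.0.0.0 or :: -> the user's address
        if user_address is not None and user_address.version != addr.version:
            raise ValueError("user address family does not match the route")
        gateway = user_address
    metrics = [int(m) for m in metric_text]
    if any(m < 0 for m in metrics):
        raise ValueError("metrics must be non-negative")
    return ParsedRoute(prefix, gateway, metrics)
```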
The length specifier may be omitted in which case it should default to 8 bits for class A prefixes, 16 bits for class B prefixes, and 24 bits for class C prefixes. For example, "192.168.1.0 192.168.1.1 1".

Whenever the gateway address is specified as "0.0.0.0" the IP address of the user SHOULD be used as the gateway address.

6.11.4. Framed-Pool AVP

The Framed-Pool AVP (AVP Code 88) is of type OctetString and contains the name of an assigned address pool that SHOULD be used to assign an address for the user. If a NAS does not support multiple address pools, the NAS SHOULD ignore this AVP. Address pools are usually used for IP addresses, but can be used for other protocols if the NAS supports pools for those protocols.

Although specified as type OctetString for compatibility with RADIUS [RADIUSExt], the encoding of the Data field SHOULD also conform to the rules for the UTF8String Data Format.

6.11.5. Framed-Interface-Id AVP

The Framed-Interface-Id AVP (AVP Code 96) is of type Unsigned64 and contains the IPv6 interface identifier to be configured for the user. It MAY be used in authorization requests as a hint to the server that a specific interface id is desired, but the server is not required to honor the hint in the corresponding response.

6.11.6. Framed-IPv6-Prefix AVP

The Framed-IPv6-Prefix AVP (AVP Code 97) is of type OctetString and contains the IPv6 prefix to be configured for the user. One or more AVPs MAY be used in authorization requests as a hint to the server that specific IPv6 prefixes are desired, but the server is not required to honor the hint in the corresponding response.

6.11.7. Framed-IPv6-Route AVP

The Framed-IPv6-Route AVP (AVP Code 99) is of type UTF8String, and contains the ASCII routing information to be configured for the user on the NAS.
Zero or more such AVPs MAY be present in an authorization response.

The string MUST contain an IPv6 address prefix followed by a slash and a decimal length specifier stating how many high order bits of the prefix should be used. That is followed by a space, a gateway address in hexadecimal notation, a space, and one or more metrics separated by spaces. For example: "2000:0:0:106::/64 2000::106:a00:20ff:fe99:a998 1".

Whenever the gateway address is the IPv6 unspecified address the IP address of the user SHOULD be used as the gateway address, such as: "2000:0:0:106::/64 :: 1".

6.11.8. Framed-IPv6-Pool AVP

The Framed-IPv6-Pool AVP (AVP Code 100) is of type OctetString, and contains the name of an assigned pool that SHOULD be used to assign an IPv6 prefix for the user. If the access device does not support multiple prefix pools, it MUST ignore this AVP.

Although specified as type OctetString for compatibility with RADIUS [RADIUSIPv6], the encoding of the Data field SHOULD also conform to the rules for the UTF8String Data Format.

6.12. IPX Access

The AVPs defined in this section are used when the user requests, or is being granted, access to an IPX network service.

6.12.1. Framed-IPX-Network AVP

The Framed-IPX-Network AVP (AVP Code 23) is of type Unsigned32, and contains the IPX Network number to be configured for the user. It MAY be used in an authorization request as a hint to the server that a specific address is desired, but the server is not required to honor the hint in the corresponding response.

Two addresses have special significance: 0xFFFFFFFF and 0xFFFFFFFE. The value 0xFFFFFFFF indicates that the NAS should allow the user to select an address (e.g. Negotiated). The value 0xFFFFFFFE indicates that the NAS should select an address for the user (e.g.
assigned from a pool of one or more IPX networks kept by the NAS).

6.13. AppleTalk Network Access

The AVPs defined in this section are used when the user requests, or is being granted, access to an AppleTalk network [AppleTalk].

6.13.1. Framed-AppleTalk-Link AVP

The Framed-AppleTalk-Link AVP (AVP Code 37) is of type Unsigned32 and contains the AppleTalk network number which should be used for the serial link to the user, which is another AppleTalk router. This AVP MUST only be present in an authorization response and is never used when the user is not another router.

Despite the size of the field, values range from zero to 65535. The special value of zero indicates that this is an unnumbered serial link. A value of one to 65535 means that the serial line between the NAS and the user should be assigned that value as an AppleTalk network number.

6.13.2. Framed-AppleTalk-Network AVP

The Framed-AppleTalk-Network AVP (AVP Code 38) is of type Unsigned32 and contains the AppleTalk Network number which the NAS should probe to allocate an AppleTalk node for the user. This AVP MUST only be present in an authorization response and is never used when the user is not another router. Multiple instances of this AVP indicate that the NAS may probe using any of the network numbers specified.

Despite the size of the field, values range from zero to 65535. The special value zero indicates that the NAS should assign a network for the user, using its default cable range. A value between one and 65535 (inclusive) indicates the AppleTalk Network the NAS should probe to find an address for the user.

6.13.3. Framed-AppleTalk-Zone AVP

The Framed-AppleTalk-Zone AVP (AVP Code 39) is of type OctetString and contains the AppleTalk Default Zone to be used for this user. This AVP MUST only be present in an authorization response.
Multiple instances of this AVP in the same message are not allowed.

The codification of the range of allowed usage of this field is outside the scope of this specification.

6.14. AppleTalk Remote Access

The AVPs defined in this section are used when the user requests, or is being granted, access to the AppleTalk network via the AppleTalk Remote Access Protocol [ARAP]. They are only present if the Framed-Protocol AVP (see Section 6.10.1) is set to ARAP. Section 2.2 of RFC 2869 [RADIUSExt] describes the operational use of these attributes.

6.14.1. ARAP-Features AVP

The ARAP-Features AVP (AVP Code 71) is of type OctetString, and MAY be present in the AA-Accept message if the Framed-Protocol AVP is set to the value of ARAP. See [RADIUSExt] for more information on the format of this AVP.

6.14.2. ARAP-Zone-Access AVP

The ARAP-Zone-Access AVP (AVP Code 72) is of type Enumerated, and MAY be present in the AA-Accept message if the Framed-Protocol AVP is set to the value of ARAP.

The supported values are listed in [RADIUSTypes], and are defined in [RADIUSExt].

6.15. Non-Framed Access Authorization AVPs

This section contains the authorization AVPs that are needed to support terminal server functionality. AVPs defined in this section MAY be present in a message if the Service-Type AVP was set to "Login" or "Callback Login".

6.15.1. Login-IP-Host AVP

The Login-IP-Host AVP (AVP Code 14) [RADIUS] is of type OctetString and contains the IPv4 address of a host with which to connect the user when the Login-Service AVP is included. It MAY be used in an AA-Request command as a hint to the Diameter Server that a specific host is desired, but the Diameter Server is not required to honor the hint in the AA-Answer.

Two addresses have special significance: All ones and 0.
The value of all ones indicates that the NAS SHOULD allow the user to select an address. The value 0 indicates that the NAS SHOULD select a host to connect the user to.

6.15.2. Login-IPv6-Host AVP

The Login-IPv6-Host AVP (AVP Code 98) [RADIUSIPv6] is of type OctetString and contains the IPv6 address of a host with which to connect the user when the Login-Service AVP is included. It MAY be used in an AA-Request command as a hint to the Diameter Server that a specific host is desired, but the Diameter Server is not required to honor the hint in the AA-Answer.

Two addresses have special significance: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF and 0. The value 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF indicates that the NAS SHOULD allow the user to select an address. The value 0 indicates that the NAS SHOULD select a host to connect the user to.

6.15.3. Login-Service AVP

The Login-Service AVP (AVP Code 15) is of type Enumerated and contains the service which should be used to connect the user to the login host. This AVP SHOULD only be present in authorization responses.

The supported values are listed in [RADIUSTypes]. The following list is informational:

   0   Telnet
   1   Rlogin
   2   TCP Clear
   3   PortMaster (proprietary)
   4   LAT
   5   X25-PAD
   6   X25-T3POS
   8   TCP Clear Quiet (suppresses any NAS-generated connect string)

6.16. TCP Services

The AVPs described in this section MAY be present if the Login-Service AVP is set to Telnet, Rlogin, TCP Clear or TCP Clear Quiet.

6.16.1. Login-TCP-Port AVP

The Login-TCP-Port AVP (AVP Code 16) is of type Unsigned32 and contains the TCP port with which the user is to be connected, when the Login-Service AVP is also present. This AVP SHOULD only be present in authorization responses. The value MUST NOT be greater than 65535.

6.17.
LAT Services

The AVPs described in this section MAY be present if the Login-Service AVP is set to LAT [LAT].

6.17.1. Login-LAT-Service AVP

The Login-LAT-Service AVP (AVP Code 34) is of type OctetString and contains the system with which the user is to be connected by LAT. It MAY be used in an authorization request as a hint to the server that a specific service is desired, but the server is not required to honor the hint in the corresponding response. This AVP MUST only be present in the response if the Login-Service AVP states that LAT is desired.

Administrators use the service attribute when dealing with clustered systems, such as a VAX or Alpha cluster. In such an environment several different time sharing hosts share the same resources (disks, printers, etc.), and administrators often configure each to offer access (service) to each of the shared resources. In this case, each host in the cluster advertises its services through LAT broadcasts.

Sophisticated users often know which service providers (machines) are faster and tend to use a node name when initiating a LAT connection. Alternately, some administrators want particular users to use certain machines as a primitive form of load balancing (although LAT knows how to do load balancing itself).

The String field contains the identity of the LAT service to use. The LAT Architecture allows this string to contain $ (dollar), - (hyphen), . (period), _ (underscore), numerics, upper and lower case alphabetics, and the ISO Latin-1 character set extension [ISOLatin]. All LAT string comparisons are case insensitive.

6.17.2. Login-LAT-Node AVP

The Login-LAT-Node AVP (AVP Code 35) is of type OctetString and contains the Node with which the user is to be automatically connected by LAT.
It MAY be used in an authorization request as a hint to the server that a specific LAT node is desired, but the server is not required to honor the hint in the corresponding response. This AVP MUST only be present in a response if the Login-Service-Type AVP is set to LAT.

The String field contains the identity of the LAT service to use. The LAT Architecture allows this string to contain $ (dollar), - (hyphen), . (period), _ (underscore), numerics, upper and lower case alphabetics, and the ISO Latin-1 character set extension [ISOLatin]. All LAT string comparisons are case insensitive.

6.17.3. Login-LAT-Group AVP

The Login-LAT-Group AVP (AVP Code 36) is of type OctetString and contains a string identifying the LAT group codes which this user is authorized to use. It MAY be used in an authorization request as a hint to the server that a specific group is desired, but the server is not required to honor the hint in the corresponding response. This AVP MUST only be present in a response if the Login-Service-Type AVP is set to LAT.

LAT supports 256 different group codes, which LAT uses as a form of access rights. LAT encodes the group codes as a 256 bit bitmap.

Administrators can assign one or more of the group code bits at the LAT service provider; it will only accept LAT connections that have these group codes set in the bit map. The administrators assign a bitmap of authorized group codes to each user; LAT gets these from the operating system, and uses these in its requests to the service providers.

The codification of the range of allowed usage of this field is outside the scope of this specification.

6.17.4. Login-LAT-Port AVP

The Login-LAT-Port AVP (AVP Code 63) is of type OctetString and contains the Port with which the user is to be connected by LAT.
It MAY be used in an authorization request as a hint to the server that a specific port is desired, but the server is not required to honor the hint in the corresponding response. This AVP MUST only be present in a response if the Login-Service-Type AVP is set to LAT.

The String field contains the identity of the LAT service to use. The LAT Architecture allows this string to contain $ (dollar), - (hyphen), . (period), _ (underscore), numerics, upper and lower case alphabetics, and the ISO Latin-1 character set extension [ISOLatin]. All LAT string comparisons are case insensitive.

7. NAS Tunneling

Some NASes support compulsory tunnel services where the incoming connection data is conveyed by an encapsulation method to a gateway elsewhere in the network. This is typically transparent to the service user, and the tunnel characteristics may be described by the remote AAA server, based on the user's authorization information. Several tunnel characteristics may be returned, and the NAS implementation may choose one.
[RADTunnels],[RADTunlAcct]

                                                   +---------------------+
                                                   |    AVP Flag rules   |
                                                   |----+-----+----+-----|----+
                          AVP   Section            |    |     |SHLD| MUST|    |
Attribute Name            Code  Defined  Value Type|MUST| MAY | NOT| NOT|Encr|
---------------------------------------------------|----+-----+----+-----|----|
Tunneling                 401   7.1      Grouped    | M  |  P  |    |  V  | N  |
Tunnel-Type                64   7.2      Enumerated | M  |  P  |    |  V  | Y  |
Tunnel-Medium-Type         65   7.3      Enumerated | M  |  P  |    |  V  | Y  |
Tunnel-Client-Endpoint     66   7.4      UTF8String | M  |  P  |    |  V  | Y  |
Tunnel-Server-Endpoint     67   7.5      UTF8String | M  |  P  |    |  V  | Y  |
Tunnel-Password            69   7.6      OctetString| M  |  P  |    |  V  | Y  |
Tunnel-Private-Group-Id    81   7.7      OctetString| M  |  P  |    |  V  | Y  |
Tunnel-Assignment-Id       82   7.8      OctetString| M  |  P  |    |  V  | Y  |
Tunnel-Preference          83   7.9      Unsigned32 | M  |  P  |    |  V  | Y  |
Tunnel-Client-Auth-Id      90   7.10     UTF8String | M  |  P  |    |  V  | Y  |
Tunnel-Server-Auth-Id      91   7.11     UTF8String | M  |  P  |    |  V  | Y  |
---------------------------------------------------|----+-----+----+-----|----|

7.1. Tunneling AVP

The Tunneling AVP (AVP Code 401) is of type Grouped and contains the following AVPs used to describe a compulsory tunnel service [RADTunnels],[RADTunlAcct]. Its data field has the following ABNF grammar:

   Tunneling ::= < AVP Header: 401 >
                 { Tunnel-Type }
                 { Tunnel-Medium-Type }
                 { Tunnel-Client-Endpoint }
                 { Tunnel-Server-Endpoint }
                 [ Tunnel-Preference ]
                 [ Tunnel-Client-Auth-Id ]
                 [ Tunnel-Server-Auth-Id ]
                 [ Tunnel-Assignment-Id ]
                 [ Tunnel-Password ]
                 [ Tunnel-Private-Group-Id ]

7.2.
Tunnel-Type AVP

The Tunnel-Type AVP (AVP Code 64) is of type Enumerated and contains the tunneling protocol(s) to be used (in the case of a tunnel initiator) or the tunneling protocol in use (in the case of a tunnel terminator). It MAY be used in an authorization request as a hint to the server that a specific tunnel type is desired, but the server is not required to honor the hint in the corresponding response.

The Tunnel-Type AVP SHOULD also be included in Accounting-Request messages.

A tunnel initiator is not required to implement any of these tunnel types; if a tunnel initiator receives a response that contains only unknown or unsupported Tunnel-Types, the tunnel initiator MUST behave as though a response was received with the Result-Code indicating a failure.

The supported values are listed in [RADIUSTypes]. The following list is informational:

   1   Point-to-Point Tunneling Protocol (PPTP)
   2   Layer Two Forwarding (L2F)
   3   Layer Two Tunneling Protocol (L2TP)
   4   Ascend Tunnel Management Protocol (ATMP)
   5   Virtual Tunneling Protocol (VTP)
   6   IP Authentication Header in the Tunnel-mode (AH)
   7   IP-in-IP Encapsulation (IP-IP)
   8   Minimal IP-in-IP Encapsulation (MIN-IP-IP)
   9   IP Encapsulating Security Payload in the Tunnel-mode (ESP)
   10  Generic Route Encapsulation (GRE)
   11  Bay Dial Virtual Services (DVS)
   12  IP-in-IP Tunneling
   13  Virtual LANs (VLAN)

7.3. Tunnel-Medium-Type AVP

The Tunnel-Medium-Type AVP (AVP Code 65) is of type Enumerated and contains the transport medium to use when creating a tunnel for those protocols (such as L2TP) that can operate over multiple transports. It MAY be used in an authorization request as a hint to the server that a specific medium is desired, but the server is not required to honor the hint in the corresponding response.
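An added example (not the draft's own code) covering the Tunneling grouped AVP of Section 7.1 and the Tunnel-Type rule of Section 7.2: it encodes and decodes the AVP wire format of the Diameter base protocol [Base] (code, flags, 24-bit length, data padded to 4 octets), checks that the four mandatory sub-AVPs of the ABNF are each present exactly once, and lets a tunnel initiator pick the first offered tunnel whose Tunnel-Type it implements, treating an answer with only unsupported types as a failure. The two Tunneling AVPs below are constructed sample data.

```python
import struct

FLAG_V, FLAG_M, FLAG_P = 0x80, 0x40, 0x20          # AVP flag bits from [Base]

TUNNELING = 401
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE = 64, 65
TUNNEL_CLIENT_ENDPOINT, TUNNEL_SERVER_ENDPOINT = 66, 67
TUNNEL_PREFERENCE = 83
MANDATORY = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_CLIENT_ENDPOINT, TUNNEL_SERVER_ENDPOINT}


def u32(n: int) -> bytes:
    return struct.pack("!I", n)


def encode_avp(code: int, data: bytes, flags: int = FLAG_M) -> bytes:
    """AVP = code(4) flags(1) length(3) [vendor-id(4)] data, padded to 4 octets.
    The table for this section says M MUST be set and V MUST NOT."""
    if flags & FLAG_V:
        raise ValueError("NASREQ AVPs MUST NOT set the V bit")
    length = 8 + len(data)                         # header + data, padding excluded
    header = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    return header + data + b"\x00" * ((-len(data)) % 4)


def encode_tunneling(tunnel_type: int, medium: int, client_ep: str,
                     server_ep: str, preference: int = None) -> bytes:
    """Build one Tunneling grouped AVP following the ABNF of Section 7.1."""
    body = (encode_avp(TUNNEL_TYPE, u32(tunnel_type))
            + encode_avp(TUNNEL_MEDIUM_TYPE, u32(medium))
            + encode_avp(TUNNEL_CLIENT_ENDPOINT, client_ep.encode())
            + encode_avp(TUNNEL_SERVER_ENDPOINT, server_ep.encode()))
    if preference is not None:
        body += encode_avp(TUNNEL_PREFERENCE, u32(preference))
    return encode_avp(TUNNELING, body)


def decode_avps(buf: bytes):
    """Walk a sequence of AVPs; returns [(code, flags, data)], rejecting bad lengths."""
    out, off = [], 0
    while off < len(buf):
        if off + 8 > len(buf):
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr = 12 if flags & FLAG_V else 8
        if length < hdr or off + length > len(buf):
            raise ValueError(f"bad length {length} for AVP {code}")
        out.append((code, flags, buf[off + hdr:off + length]))
        off += length + (-length) % 4                  # skip padding
    return out


def parse_tunneling(data: bytes) -> dict:
    """Validate a Tunneling group: every '{ }' AVP of the ABNF exactly once."""
    seen = {}
    for code, _flags, val in decode_avps(data):
        if code in seen:
            raise ValueError(f"duplicate AVP {code} inside Tunneling")
        seen[code] = val
    missing = MANDATORY - seen.keys()
    if missing:
        raise ValueError(f"Tunneling lacks mandatory AVPs {sorted(missing)}")
    return {
        "type": struct.unpack("!I", seen[TUNNEL_TYPE])[0],
        "medium": struct.unpack("!I", seen[TUNNEL_MEDIUM_TYPE])[0],
        "client": seen[TUNNEL_CLIENT_ENDPOINT].decode(),
        "server": seen[TUNNEL_SERVER_ENDPOINT].decode(),
        "preference": (struct.unpack("!I", seen[TUNNEL_PREFERENCE])[0]
                       if TUNNEL_PREFERENCE in seen else None),
    }


def choose_tunnel(answer_avps: bytes, supported_types):
    """Tunnel initiator: the first Tunneling AVP whose Tunnel-Type it implements.
    None means every offered type was unknown or unsupported, which the draft
    says MUST be handled as if the answer carried a failure Result-Code."""
    for code, _flags, data in decode_avps(answer_avps):
        if code != TUNNELING:
            continue
        tunnel = parse_tunneling(data)
        if tunnel["type"] in supported_types:
            return tunnel
    return None


# Constructed sample answer: VTP (5) first, then L2TP (3) over IPv4 (medium 1).
SAMPLE_ANSWER = (encode_tunneling(5, 1, "192.0.2.1", "198.51.100.2")
                 + encode_tunneling(3, 1, "192.0.2.1", "198.51.100.2", preference=1))
```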
The supported values are listed in [RADIUSTypes]. The following list is informational:

   1   IPv4 (IP version 4)
   2   IPv6 (IP version 6)
   3   NSAP
   4   HDLC (8-bit multidrop)
   5   BBN 1822
   6   802 (includes all 802 media plus Ethernet "canonical format")
   7   E.163 (POTS)
   8   E.164 (SMDS, Frame Relay, ATM)
   9   F.69 (Telex)
   10  X.121 (X.25, Frame Relay)
   11  IPX
   12  Appletalk
   13  Decnet IV
   14  Banyan Vines
   15  E.164 with NSAP format subaddress

7.4. Tunnel-Client-Endpoint AVP

The Tunnel-Client-Endpoint AVP (AVP Code 66) is of type UTF8String, and contains the address of the initiator end of the tunnel. It MAY be used in an authorization request as a hint to the server that a specific endpoint is desired, but the server is not required to honor the hint in the corresponding response.

This AVP SHOULD be included in the corresponding Accounting-Request messages, in which case it indicates the address from which the tunnel was initiated. This AVP, along with the Tunnel-Server-Endpoint and Session-Id AVP [Base], MAY be used to provide a globally unique means to identify a tunnel for accounting and auditing purposes.

If Tunnel-Medium-Type is IPv4 (1), then this string is either the fully qualified domain name (FQDN) of the tunnel client machine, or it is a "dotted-decimal" IP address. Implementations MUST support the dotted-decimal format and SHOULD support the FQDN format for IP addresses.

If Tunnel-Medium-Type is IPv6 (2), then this string is either the FQDN of the tunnel client machine, or it is a text representation of the address in either the preferred or alternate form [IPv6Addr]. Conformant implementations MUST support the preferred form and SHOULD support both the alternate text form and the FQDN format for IPv6 addresses.
If Tunnel-Medium-Type is neither IPv4 nor IPv6, this string is a tag referring to configuration data local to the Diameter client that describes the interface or medium-specific client address to use.

7.5. Tunnel-Server-Endpoint AVP

The Tunnel-Server-Endpoint AVP (AVP Code 67) is of type UTF8String, and contains the address of the server end of the tunnel. It MAY be used in an authorization request as a hint to the server that a specific endpoint is desired, but the server is not required to honor the hint in the corresponding response.

This AVP SHOULD be included in the corresponding Accounting-Request messages, in which case it indicates the address from which the tunnel was initiated. This AVP, along with the Tunnel-Client-Endpoint and Session-Id AVP [Base], MAY be used to provide a globally unique means to identify a tunnel for accounting and auditing purposes.

If Tunnel-Medium-Type is IPv4 (1), then this string is either the fully qualified domain name (FQDN) of the tunnel server machine, or it is a "dotted-decimal" IP address. Implementations MUST support the dotted-decimal format and SHOULD support the FQDN format for IP addresses.

If Tunnel-Medium-Type is IPv6 (2), then this string is either the FQDN of the tunnel server machine, or it is a text representation of the address in either the preferred or alternate form [IPv6Addr]. Implementations MUST support the preferred form and SHOULD support both the alternate text form and the FQDN format for IPv6 addresses.

If Tunnel-Medium-Type is not IPv4 or IPv6, this string is a tag referring to configuration data local to the Diameter client that describes the interface or medium-specific server address to use.

7.6. Tunnel-Password AVP

The Tunnel-Password AVP (AVP Code 69) is of type OctetString and may contain a password to be used to authenticate to a remote server.
   The Tunnel-Password AVP contains sensitive information. This value is not protected in the same manner as RADIUS [RADTunnels].

   As required in [Base], Diameter messages are encrypted using IPsec or TLS. The Tunnel-Password AVP SHOULD NOT be used in untrusted proxy environments without encrypting it using end-to-end security techniques, such as CMS Security [DiamCMS].

7.7. Tunnel-Private-Group-Id AVP

   The Tunnel-Private-Group-Id AVP (AVP Code 81) is of type OctetString, and contains the group Id for a particular tunneled session. The Tunnel-Private-Group-Id AVP MAY be included in an authorization request if the tunnel initiator can pre-determine the group resulting from a particular connection and SHOULD be included in the authorization response if this tunnel session is to be treated as belonging to a particular private group. Private groups may be used to associate a tunneled session with a particular group of users. For example, it MAY be used to facilitate routing of unregistered IP addresses through a particular interface. This AVP SHOULD be included in the Accounting-Request messages which pertain to the tunneled session.

7.8. Tunnel-Assignment-Id AVP

   The Tunnel-Assignment-Id AVP (AVP Code 82) is of type OctetString and is used to indicate to the tunnel initiator the particular tunnel to which a session is to be assigned. Some tunneling protocols, such as [PPTP] and [L2TP], allow for sessions between the same two tunnel endpoints to be multiplexed over the same tunnel and also for a given session to utilize its own dedicated tunnel. This attribute provides a mechanism for Diameter to be used to inform the tunnel initiator (e.g. PAC, LAC) whether to assign the session to a multiplexed tunnel or to a separate tunnel.
   Furthermore, it allows for sessions sharing multiplexed tunnels to be assigned to different multiplexed tunnels.

   A particular tunneling implementation may assign differing characteristics to particular tunnels. For example, different tunnels may be assigned different QoS parameters. Such tunnels may be used to carry either individual or multiple sessions. The Tunnel-Assignment-Id attribute thus allows the Diameter server to indicate that a particular session is to be assigned to a tunnel that provides an appropriate level of service. It is expected that any QoS-related Diameter tunneling attributes defined in the future that accompany this attribute will be associated by the tunnel initiator with the Id given by this attribute. In the meantime, any semantic given to a particular Id string is a matter left to local configuration in the tunnel initiator.

   The Tunnel-Assignment-Id AVP is of significance only to Diameter and the tunnel initiator. The Id it specifies is intended to be of only local use to Diameter and the tunnel initiator. The Id assigned by the tunnel initiator is not conveyed to the tunnel peer.

   This attribute MAY be included in authorization responses. The tunnel initiator receiving this attribute MAY choose to ignore it and assign the session to an arbitrary multiplexed or non-multiplexed tunnel between the desired endpoints. This AVP SHOULD also be included in the Accounting-Request messages which pertain to the tunneled session.

   If a tunnel initiator supports the Tunnel-Assignment-Id AVP, then it should assign a session to a tunnel in the following manner:

   - If this AVP is present and a tunnel exists between the specified endpoints with the specified Id, then the session should be assigned to that tunnel.
   - If this AVP is present and no tunnel exists between the specified endpoints with the specified Id, then a new tunnel should be established for the session and the specified Id should be associated with the new tunnel.

   - If this AVP is not present, then the session is assigned to an unnamed tunnel. If an unnamed tunnel does not yet exist between the specified endpoints then it is established and used for this and subsequent sessions established without the Tunnel-Assignment-Id attribute. A tunnel initiator MUST NOT assign a session for which a Tunnel-Assignment-Id AVP was not specified to a named tunnel (i.e. one that was initiated by a session specifying this AVP).

   Note that the same Id may be used to name different tunnels if such tunnels are between different endpoints.

7.9. Tunnel-Preference AVP

   The Tunnel-Preference AVP (AVP Code 83) is of type Unsigned32 and is used to identify the relative preference assigned to each tunnel when more than one set of tunneling AVPs is returned within separate Grouped-AVP AVPs. It MAY be used in an authorization request as a hint to the server that a specific preference is desired, but the server is not required to honor the hint in the corresponding response.

   For example, suppose that AVPs describing two tunnels are returned by the server, one with a Tunnel-Type of PPTP and the other with a Tunnel-Type of L2TP. If the tunnel initiator supports only one of the Tunnel-Types returned, it will initiate a tunnel of that type. If, however, it supports both tunnel protocols, it SHOULD use the value of the Tunnel-Preference AVP to decide which tunnel should be started. The tunnel having the numerically lowest value in the Value field of this AVP SHOULD be given the highest preference.
   The values assigned to two or more instances of the Tunnel-Preference AVP within a given authorization response MAY be identical. In this case, the tunnel initiator SHOULD use locally configured metrics to decide which set of AVPs to use.

7.10. Tunnel-Client-Auth-Id AVP

   The Tunnel-Client-Auth-Id AVP (AVP Code 90) is of type UTF8String and specifies the name used by the tunnel initiator during the authentication phase of tunnel establishment. It MAY be used in an authorization request as a hint to the server that a specific preference is desired, but the server is not required to honor the hint in the corresponding response. This AVP MUST be present in the authorization response if an authentication name other than the default is desired. This AVP SHOULD be included in the Accounting-Request messages which pertain to the tunneled session.

7.11. Tunnel-Server-Auth-Id AVP

   The Tunnel-Server-Auth-Id AVP (AVP Code 91) is of type UTF8String and specifies the name used by the tunnel terminator during the authentication phase of tunnel establishment. It MAY be used in an authorization request as a hint to the server that a specific preference is desired, but the server is not required to honor the hint in the corresponding response. This AVP MUST be present in the authorization response if an authentication name other than the default is desired. This AVP SHOULD be included in the Accounting-Request messages which pertain to the tunneled session.

8. NAS Accounting

   Applications implementing this specification use Diameter Accounting as defined in the Base [Base] with the addition of the AVPs in the following section. Service specific AVP usage is defined in the tables in Section 10.
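   The tunnel assignment rules of Section 7.8 and the preference rule of Section 7.9 above, carried out in code. This is an added example, not text or code from the draft: the TunnelInitiator class, the endpoint names, the Tunnel-Assignment-Id values and the string Tunnel-Type labels are all constructed for it, and treating a missing Tunnel-Preference as least preferred is this example's own choice, not a rule the draft states.

```python
# Added example, not part of the draft: how a tunnel initiator applies the
# Tunnel-Assignment-Id rules of Section 7.8 and the Tunnel-Preference rule of
# Section 7.9. Endpoint names, Ids and AVP sets below are constructed; the
# "Tunnel-Type" labels are plain strings, not the AVP's numeric values.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Tunnel:
    client_endpoint: str
    server_endpoint: str
    assignment_id: Optional[bytes]          # None marks the unnamed tunnel
    sessions: List[str] = field(default_factory=list)


class TunnelInitiator:
    """Tracks tunnels keyed by (client endpoint, server endpoint, Id)."""

    def __init__(self) -> None:
        self.tunnels: Dict[Tuple[str, str, Optional[bytes]], Tunnel] = {}

    def assign_session(self, session_id: str, client_ep: str, server_ep: str,
                       assignment_id: Optional[bytes] = None) -> Tunnel:
        # Keying on the Id covers all three cases of Section 7.8:
        #  - AVP present, tunnel with that Id exists  -> reuse it
        #  - AVP present, no such tunnel              -> create it under that Id
        #  - AVP absent                               -> the unnamed tunnel (key None)
        # The None key can never collide with a named key, so a session that
        # carried no Tunnel-Assignment-Id is never placed on a named tunnel.
        # The same Id under different endpoints is a different key, i.e. a
        # different tunnel, as the note at the end of Section 7.8 allows.
        key = (client_ep, server_ep, assignment_id)
        tunnel = self.tunnels.get(key)
        if tunnel is None:
            tunnel = Tunnel(client_ep, server_ep, assignment_id)
            self.tunnels[key] = tunnel
        tunnel.sessions.append(session_id)
        return tunnel


def choose_tunnel_avp_set(avp_sets: List[dict], supported_types: set,
                          local_metric: Callable[[dict], int]) -> Optional[dict]:
    """Pick which returned tunnel AVP set to start (Section 7.9).

    Only sets whose Tunnel-Type the initiator supports are candidates; among
    several, the numerically lowest Tunnel-Preference wins; equal preferences
    are broken by a locally configured metric (lower is better). A missing
    Tunnel-Preference is treated here as the least preferred value, which is
    this example's assumption, not a rule from the draft.
    """
    candidates = [s for s in avp_sets if s["Tunnel-Type"] in supported_types]
    if not candidates:
        return None
    return min(candidates,
               key=lambda s: (s.get("Tunnel-Preference", 0xFFFFFFFF), local_metric(s)))


if __name__ == "__main__":
    ti = TunnelInitiator()
    ti.assign_session("s1", "lac.example", "lns.example", b"gold")
    ti.assign_session("s2", "lac.example", "lns.example")   # no AVP: unnamed tunnel
    print(len(ti.tunnels), "tunnels")                        # 2
    offered = [{"Tunnel-Type": "PPTP", "Tunnel-Preference": 10},
               {"Tunnel-Type": "L2TP", "Tunnel-Preference": 5}]
    chosen = choose_tunnel_avp_set(offered, {"PPTP", "L2TP"}, lambda s: 0)
    print(chosen["Tunnel-Type"])                             # L2TP
```

   The dictionary key is the whole of the assignment logic: a session without the AVP can only ever reach the entry keyed with None, which is what the MUST NOT in Section 7.8 requires.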
   If accounting is active, Accounting Request messages (ACR) SHOULD be sent after the completion of any Authentication or Authorization transaction and at the end of a Session. The Accounting-Record-Type value indicates the type of event. All other AVPs identify the session and provide additional information relevant to the event.

   The successful completion of the first Authentication or Authorization transaction SHOULD cause a START_RECORD to be sent. If additional Authentications or Authorizations occur in later transactions, the first exchange should generate a START_RECORD, and the later ones an INTERIM_RECORD. For a given session, there MUST only be one set of matching START and STOP records, with any number of INTERIM_RECORDs in between, or one EVENT_RECORD indicating the reason for not starting a session.

   The following table describes the AVPs, their AVP Code values, types, possible flag values and whether the AVP MAY be encrypted.
                                              +---------------------+
                                              |    AVP Flag rules   |
                                              |----+-----+----+-----|----+
                     AVP  Section             |    |     |SHLD| MUST|    |
   Attribute Name    Code Defined Value Type  |MUST| MAY | NOT| NOT|Encr|
   -------------------------------------------|----+-----+----+-----|----|
   Accounting-       363  8.1     Unsigned64  | M  |  P  |    |  V  | Y  |
   Input-Octets                                |    |     |    |     |    |
   Accounting-       364  8.2     Unsigned64  | M  |  P  |    |  V  | Y  |
   Output-Octets                               |    |     |    |     |    |
   Accounting-       365  8.3     Unsigned64  | M  |  P  |    |  V  | Y  |
   Input-Packets                               |    |     |    |     |    |
   Accounting-       366  8.4     Unsigned64  | M  |  P  |    |  V  | Y  |
   Output-Packets                              |    |     |    |     |    |
   Acct-Session-Time 46   8.5     Unsigned32  | M  |  P  |    |  V  | Y  |
   Acct-Authentic    45   8.6     Enumerated  | M  |  P  |    |  V  | Y  |
   Accounting-Auth-  406  8.7     Enumerated  | M  |  P  |    |  V  | Y  |
   Method                                      |    |     |    |     |    |
   Acct-Delay-Time   41   8.8     Unsigned32  | M  |  P  |    |  V  | Y  |
   Acct-Link-Count   51   8.9     Unsigned32  | M  |  P  |    |  V  | Y  |
   Acct-Tunnel-      68   8.10    OctetString | M  |  P  |    |  V  | Y  |
   Connection                                  |    |     |    |     |    |
   Acct-Tunnel-      86   8.11    Unsigned32  | M  |  P  |    |  V  | Y  |
   Packets-Lost                                |    |     |    |     |    |
   -------------------------------------------|----+-----+----+-----|----|

8.1. Accounting-Input-Octets AVP

   The Accounting-Input-Octets AVP (AVP Code 363) is of type Unsigned64, and contains the number of octets received from the user.

   For NAS usage, this AVP indicates how many octets have been received from the port in the course of this session and can only be present in ACR messages with an Accounting-Record-Type of INTERIM_RECORD or STOP_RECORD.

8.2. Accounting-Output-Octets AVP

   The Accounting-Output-Octets AVP (AVP Code 364) is of type Unsigned64, and contains the number of octets sent to the user.
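   Two checks an accounting server can apply to the records this section defines, as an added Python example (not code from the draft): the per-session rule at the start of this section (one START_RECORD, any INTERIM_RECORDs, one STOP_RECORD, or a single EVENT_RECORD) and the Acct-Link-Count completeness test of Section 8.9 below. Record type names are used as strings, each ACR is a dict, EXAMPLE_ACRS reproduces the eight-request table of Section 8.9, and classify_session, classify_all and multilink_complete are names chosen here.

```python
# Added example, not part of the draft: two consistency checks an accounting
# server can apply to NAS ACRs. classify_session() implements the per-session
# record rule of Section 8 (one START ... one STOP, or a lone EVENT) and
# multilink_complete() implements the Acct-Link-Count test of Section 8.9.
# EXAMPLE_ACRS is a constructed copy of the eight-request table in Section 8.9.
from collections import defaultdict
from typing import Dict, List

START_RECORD = "START_RECORD"
INTERIM_RECORD = "INTERIM_RECORD"
STOP_RECORD = "STOP_RECORD"
EVENT_RECORD = "EVENT_RECORD"


def classify_session(record_types: List[str]) -> str:
    """Return "complete", "open" or "invalid" for one session's ACRs in arrival order."""
    if record_types == [EVENT_RECORD]:
        return "complete"               # event-only: the session never started
    if not record_types or record_types[0] != START_RECORD:
        return "invalid"                # nothing may precede the START_RECORD
    rest = record_types[1:]
    if any(r not in (INTERIM_RECORD, STOP_RECORD) for r in rest):
        return "invalid"                # a second START or an EVENT after START
    stops = [i for i, r in enumerate(rest) if r == STOP_RECORD]
    if not stops:
        return "open"                   # START and INTERIMs so far, no STOP yet
    if stops == [len(rest) - 1]:
        return "complete"               # exactly one STOP, and it is last
    return "invalid"                    # duplicate STOP or records after STOP


def classify_all(acrs: List[dict]) -> Dict[str, str]:
    """Group ACRs by Session-Id and classify each session."""
    by_session: Dict[str, List[str]] = defaultdict(list)
    for acr in acrs:
        by_session[acr["Session-Id"]].append(acr["Accounting-Record-Type"])
    return {sid: classify_session(types) for sid, types in by_session.items()}


def multilink_complete(acrs: List[dict], multi_session_id: str) -> bool:
    """Section 8.9: all STOP_RECORDs of a multilink service have been received once
    the number of STOP_RECORD ACRs carrying this Acct-Multi-Session-Id (with
    distinct Session-Ids) equals the largest Acct-Link-Count seen in them."""
    stops = [a for a in acrs
             if a.get("Acct-Multi-Session-Id") == multi_session_id
             and a["Accounting-Record-Type"] == STOP_RECORD]
    if not stops:
        return False
    distinct_sessions = {a["Session-Id"] for a in stops}
    return len(distinct_sessions) == max(a["Acct-Link-Count"] for a in stops)


def _acr(multi: str, sid: str, rtype: str, links: int) -> dict:
    return {"Acct-Multi-Session-Id": multi, "Session-Id": sid,
            "Accounting-Record-Type": rtype, "Acct-Link-Count": links}


# Constructed to match the Section 8.9 table, in the order shown there.
EXAMPLE_ACRS = [
    _acr("...10", "...10", START_RECORD, 1),
    _acr("...10", "...11", START_RECORD, 2),
    _acr("...10", "...11", STOP_RECORD, 2),
    _acr("...10", "...12", START_RECORD, 3),
    _acr("...10", "...13", START_RECORD, 4),
    _acr("...10", "...12", STOP_RECORD, 4),
    _acr("...10", "...13", STOP_RECORD, 4),
    _acr("...10", "...10", STOP_RECORD, 4),
]

if __name__ == "__main__":
    print(classify_all(EXAMPLE_ACRS))                       # every session "complete"
    print(multilink_complete(EXAMPLE_ACRS[:7], "...10"))    # False: link ...10 still open
    print(multilink_complete(EXAMPLE_ACRS, "...10"))        # True
```

   After the first seven requests of the table, three STOP_RECORDs have arrived but the largest Acct-Link-Count seen is 4, so the service is not yet complete; the eighth request closes it.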
   For NAS usage, this AVP indicates how many octets have been sent to the port in the course of this session and can only be present in ACR messages with an Accounting-Record-Type of INTERIM_RECORD or STOP_RECORD.

8.3. Accounting-Input-Packets AVP

   The Accounting-Input-Packets AVP (AVP Code 365) is of type Unsigned64, and contains the number of packets received from the user.

   For NAS usage, this AVP indicates how many packets have been received from the port over the course of a session being provided to a Framed User and can only be present in ACR messages with an Accounting-Record-Type of INTERIM_RECORD or STOP_RECORD.

8.4. Accounting-Output-Packets AVP

   The Accounting-Output-Packets AVP (AVP Code 366) is of type Unsigned64, and contains the number of IP packets sent to the user.

   For NAS usage, this AVP indicates how many packets have been sent to the port over the course of a session being provided to a Framed User and can only be present in ACR messages with an Accounting-Record-Type of INTERIM_RECORD or STOP_RECORD.

8.5. Acct-Session-Time AVP

   The Acct-Session-Time AVP (AVP Code 46) is of type Unsigned32, and indicates the length of the current session in seconds. It can only be present in ACR messages with an Accounting-Record-Type of INTERIM_RECORD or STOP_RECORD.

8.6. Acct-Authentic AVP

   The Acct-Authentic AVP (AVP Code 45) is of type Enumerated, and specifies how the user was authenticated. The supported values are listed in [RADIUSTypes]. The following list is informational:

      1  RADIUS
      2  Local
      3  Remote
      4  Diameter

8.7. Accounting-Auth-Method AVP

   The Accounting-Auth-Method AVP (AVP Code 406) is of type Enumerated. A NAS MAY include this AVP in an Accounting-Request message to indicate what authentication method was used to authenticate the user.
   (Note that this is equivalent to the RADIUS MS-Acct-Auth-Type VSA attribute.)

   The following values are defined:

      1  PAP
      2  CHAP
      3  MS-CHAP-1
      4  MS-CHAP-2
      5  EAP
      7  None

8.8. Acct-Delay-Time

   The Acct-Delay-Time AVP (AVP Code 41) is of type Unsigned32 and indicates the number of seconds during which the Diameter client has been trying to send the Accounting-Request (ACR) which contains it. The accounting server may subtract this value from the time the ACR arrives at the server to calculate the approximate time of the event that caused the ACR to be generated.

   This AVP is not used for retransmissions at the transport level (TCP or SCTP). Rather, it may be used when an ACR command cannot be transmitted because there is no appropriate peer to transmit it to or was rejected because it could not be delivered to its destination. In these cases, the command MAY be buffered and transmitted some time later when an appropriate peer-connection is available or after sufficient time has passed that the destination-host may be reachable and operational. If the ACR is resent in this way the Acct-Delay-Time AVP SHOULD be included. The value of this AVP indicates the number of seconds that elapsed between the time of the first attempt at transmission and the current attempt at transmission.

8.9. Acct-Link-Count

   The Acct-Link-Count AVP (AVP Code 51) is of type Unsigned32 and indicates the total number of links that have been active (current or closed) in a given multilink session, at the time the accounting record is generated. This AVP MAY be included in Accounting-Requests for any session which may be part of a multilink service.

   The Acct-Link-Count AVP may be used to make it easier for an accounting server to know when it has all the records for a given multilink service.
   When the number of Accounting-Requests received with Accounting-Record-Type = STOP_RECORD and the same Acct-Multi-Session-Id and unique Session-Id's equals the largest value of Acct-Link-Count seen in those Accounting-Requests, all STOP_RECORD Accounting-Requests for that multilink service have been received.

   The following example showing eight Accounting-Requests illustrates how the Acct-Link-Count AVP is used. In the table below, only the relevant AVPs are shown although additional AVPs containing accounting information will also be present in the Accounting-Requests.

      Acct-Multi-   Session-Id   Accounting-    Acct-
      Session-Id                 Record-Type    Link-Count
      --------------------------------------------------------
      "...10"       "...10"      START_RECORD   1
      "...10"       "...11"      START_RECORD   2
      "...10"       "...11"      STOP_RECORD    2
      "...10"       "...12"      START_RECORD   3
      "...10"       "...13"      START_RECORD   4
      "...10"       "...12"      STOP_RECORD    4
      "...10"       "...13"      STOP_RECORD    4
      "...10"       "...10"      STOP_RECORD    4

8.10. Acct-Tunnel-Connection AVP

   The Acct-Tunnel-Connection AVP (AVP Code 68) is of type OctetString, and contains the identifier assigned to the tunnel session. This AVP, along with the Tunnel-Client-Endpoint and Tunnel-Server-Endpoint AVPs, may be used to provide a means to uniquely identify a tunnel session for auditing purposes.

   The format of the identifier in this AVP depends upon the value of the Tunnel-Type AVP. For example, to fully identify an L2TP tunnel connection, the L2TP Tunnel Id and Call Id might be encoded in this field. The exact encoding of this field is implementation dependent.

8.11. Acct-Tunnel-Packets-Lost AVP

   The Acct-Tunnel-Packets-Lost AVP (AVP Code 86) is of type Unsigned32 and contains the number of packets lost on a given link.

9. RADIUS/Diameter Protocol Interactions

   This section describes some basic guidelines that may be used by servers that act as AAA Translation Agents. A complete description of all the differences between RADIUS and Diameter is beyond the scope of this section and document. Note that this document does not restrict implementations from creating additional translation methods, as long as the translation function doesn't violate the RADIUS or the Diameter protocols.

   While the Diameter protocol is in many ways a superset of RADIUS functions, there are a number of RADIUS representations that are not allowed, so as to best use the new capabilities without the older problems.

   There are primarily two different situations that must be handled: one where a RADIUS request is received that must be forwarded as a Diameter request, and the inverse. RADIUS does not support a peer-to-peer architecture and server initiated operations are generally not supported. See [RADDynAuth] for an alternative.

   Some RADIUS attributes are encrypted. RADIUS security and encryption techniques are applied on a hop-by-hop basis. A Diameter agent will have to decrypt RADIUS attribute data entering the Diameter system and if that information is forwarded, MUST secure it using Diameter specific techniques.

   Note that this section uses the two terms "AVP" and "attribute" in a concise and specific manner. The former is used to signify a Diameter AVP, while the latter is used to signify a RADIUS attribute.

9.1. RADIUS Request Forwarded as Diameter Request

   This section describes the actions that should be followed when a Translation Agent receives a RADIUS message that is to be translated to a Diameter message.

   It is important to note that RADIUS servers are assumed to be stateless, and this section maintains that assumption.
   It is also quite possible for the RADIUS messages that comprise the session (i.e. authentication and accounting messages) to be handled by different Translation Agents in the proxy network. Therefore, a RADIUS/Diameter Translation Agent SHOULD NOT be assumed to have accurate session state information.

   When a Translation Agent receives a RADIUS message, the following steps should be taken:

   - If a Message-Authenticator attribute is present, the value MUST be checked, but not included in the Diameter message. If it is incorrect, the RADIUS message should be silently discarded. The gateway system SHOULD generate and include a Message-Authenticator in return RADIUS responses to this system.

   - The transport address of the sender MUST be checked against the NAS identifying attributes. See the description of NAS-Identifier and NAS-IP-Address below.

   - The Translation Agent must maintain transaction state information relevant to the RADIUS request, such as the Identifier field in the RADIUS header, any existing RADIUS Proxy-State attribute as well as the source IP address and port number of the UDP packet. These may be maintained locally in a state table, or may be saved in a Proxy-Info AVP group. A Diameter Session-Id AVP value must be created using a session state mapping mechanism.

   - If the RADIUS request contained a State attribute, and the prefix of the data is "Diameter/", the data following the prefix contains the Diameter Origin-Host/Origin-Realm/Session-Id. If no such attributes are present, and the RADIUS command is an Access-Request, a new Session-Id is created. The Session-Id is included in the Session-Id AVP.
   - The Diameter Origin-Host and Origin-Realm AVPs MUST be created and added using the information from an FQDN corresponding to the NAS-IP-Address attribute (preferred if available), and/or the NAS-Identifier attribute. (Note that the RADIUS NAS-Identifier is not required to be an FQDN.)

   - The Proxy-Info group SHOULD be added with the local server's identity being specified in the Proxy-Host AVP. This should ensure that the response is returned to this system.

   - The Destination-Realm AVP is created from the information found in the RADIUS User-Name attribute.

   - If the RADIUS User-Password attribute is present, the password must be decrypted using the link's RADIUS shared secret, and the decrypted value forwarded in a User-Password AVP using Diameter security.

   - If the RADIUS CHAP-Password attribute is present, the Ident and Data portion of the attribute are used to create the CHAP-Auth grouped AVP.

   - If the RADIUS message contains an address attribute, it MUST be converted to the appropriate Diameter AVP and type.

   - If the RADIUS message contains Tunnel information [RADTunnels], the attributes or tagged groups should each be converted to a Diameter Tunneling Grouped AVP set. If the tunnel information contains a Tunnel-Password attribute, the RADIUS encryption must be resolved, and the password forwarded using Diameter security methods.

   - If the RADIUS message received is an Accounting-Request, the Acct-Status-Type attribute value must be converted to an Accounting-Record-Type AVP value. If the Acct-Status-Type attribute value is STOP, the local server MUST issue a Session-Termination-Request message once the Diameter Accounting-Answer message has been received.
   - If the Accounting message contains an Acct-Termination-Cause attribute, it should be translated to the equivalent Termination-Cause AVP value (see below).

   - If the RADIUS message contains the Accounting-Input-Octets, Accounting-Input-Packets, Accounting-Output-Octets or Accounting-Output-Packets, these attributes must be converted to the Diameter equivalent ones. Further, if the Acct-Input-Gigawords or Acct-Output-Gigawords attributes are present, these must be used to properly compute the Diameter accounting AVPs.

   The corresponding Diameter response is always guaranteed to be received by the same Translation Agent that translated the original request, due to the contents of the Proxy-Info AVP group in the Diameter request. The following steps are applied to the response message during the Diameter to RADIUS translation:

   - If the Diameter Command-Code is set to AA-Answer and the Result-Code AVP is set to DIAMETER_MULTI_ROUND_AUTH, the gateway must send a RADIUS Access-Challenge with the Origin-Host, Origin-Realm, and Diameter Session-Id AVPs encapsulated in the RADIUS State attribute, with the prefix "Diameter/", concatenated in the above order, in UTF-8 [UTF-8], separated with "/" characters. This is necessary in order to ensure that the Translation Agent that will receive the subsequent RADIUS Access-Request will have access to the Session Identifier, and be able to set the Destination-Host to the correct value. If the Multi-Round-Time-Out AVP is present, the value of the AVP MUST be inserted in the RADIUS Session-Timeout attribute.

   - If the Command-Code is set to AA-Answer, the Diameter Session-Id AVP is saved in a new RADIUS Class attribute, whose format consists of the string "Diameter/" followed by the Diameter Session Identifier.
     This will ensure that the subsequent Accounting messages, which could be received by any Translation Agent, would have access to the original Diameter Session Identifier.

   - If a Proxy-State attribute was present in the RADIUS request, the same attribute is added in the response. This information may be found in the Proxy-Info AVP group, or in a local state table.

   - If state information regarding the RADIUS request was saved in a Proxy-Info AVP or local state table, the RADIUS Identifier and UDP IP Address and port number are extracted and used in issuing the RADIUS reply.

   When translating a Diameter AA-Answer (with successful result code) to a RADIUS Access-Accept, where the AA-Answer contains a Session-Timeout or Authorization-Lifetime AVP:

   - If the Diameter message contains a Session-Timeout AVP but no Authorization-Lifetime AVP, translate it to a Session-Timeout attribute (and no Termination-Action).

   - If the Diameter message contains an Authorization-Lifetime AVP but no Session-Timeout AVP, translate it to a Session-Timeout attribute and Termination-Action set to AA-REQUEST. (And remove Authorization-Lifetime and Re-Auth-Request-Type.)

   - If the Diameter message has both, the Session-Timeout must be greater than or equal to the Authorization-Lifetime (required by Base). Translate it to a Session-Timeout attribute (with the value from the Authorization-Lifetime AVP, the smaller one) and Termination-Action set to AA-REQUEST. (And remove Authorization-Lifetime and Re-Auth-Request-Type.)

9.1.1. RADIUS Dynamic Authorization considerations

   A Diameter/RADIUS gateway may be communicating with a server that implements RADIUS Dynamic Authorization [RADDynAuth]. If it supports these functions it MUST be listening on the assigned port, and would receive RADIUS CoA-Request and Disconnect-Request messages.
   These can be mapped into the Diameter Re-Auth-Request (RAR) and Abort-Session-Request (ASR) message exchanges respectively [Base].

   If [RADDynAuth] is not supported, the port would not be active and the RADIUS server would receive an ICMP Port Unreachable indication. Alternatively, if the messages are received, but with an inappropriate Service-Type, the gateway can respond with the appropriate NAK message and an Error-Cause attribute with the value of 405, "Unsupported Service".

   The RADIUS CoA-Request and Disconnect-Request messages will not contain a Diameter Session-Id. Diameter requires this value to match an active session context. The gateway MUST have a session id cache (or other means) to be able to identify the sessions that these functions pertain to. If unable to identify the session, the gateway (or NAS) should return an Error-Cause value 503, "Session Context Not Found".

   The RADIUS CoA-Request message only supports a change of authorization attributes, and the received CoA-Request SHOULD include a Service-Type of "Authorize-Only"; this indicates an extended exchange request by the rules given in [RADDynAuth] Section 3.2 Note 6. This is the only type of exchange supported by Diameter [Base].

   For the CoA-Request, the translated RAR message will have a Re-Auth-Type of AUTHORIZE_ONLY. The returned RAA will be translated into a CoA-NAK with Error-Cause "Request Initiated"; the gateway's Diameter client SHOULD also start a reauthorization sequence by sending an AAR message, which will be translated into an Access-Request message. The RADIUS server will use the Access-Accept (or Access-Reject) message to convey the new authorization attributes, which the gateway will pass back in an AAA message.
   Any attributes included in the CoA-Request or Access-Accept message are to be considered mandatory in Diameter, and if they cannot be supported, MUST result in an error message being returned to the RADIUS server with an Error-Cause of "Unsupported Attribute". The Diameter NAS will attempt to apply all the attributes supplied in the AA message to the session.

   A RADIUS Disconnect-Request message received by the gateway would be translated to a Diameter Abort-Session-Request (ASR) message [Base]. The results will be returned by the Diameter client in an Abort-Session-Answer (ASA) message. A success indication would translate to a RADIUS Disconnect-ACK, a failure would generate a Disconnect-NAK.

9.2. Diameter Request Forwarded as RADIUS Request

   When a server receives a Diameter request that is to be forwarded to a RADIUS entity, the following steps are an example of the steps that may be followed:

   - The Origin-Host AVP's value is inserted in the NAS-Identifier attribute.

   - The following information MUST be present in the corresponding Diameter response, and therefore MUST be saved either in a local state table, or encoded in a RADIUS Proxy-State attribute:

     1. Origin-Host AVP
     2. Session-Id AVP
     3. Proxy-Info AVP
     4. Any other AVP that MUST be present in the response, and has no corresponding RADIUS attribute.

   - If the CHAP-Auth AVP is present, the grouped AVPs are used to create the RADIUS CHAP-Password attribute data.

   - If the User-Password AVP is present, the data should be encrypted and forwarded using RADIUS rules. Likewise for any other RADIUS encrypted attribute values.

   - AVPs that are of the type Address must be translated to the corresponding RADIUS attribute.
   - If the Accounting-Input-Octets, Accounting-Input-Packets, Accounting-Output-Octets or Accounting-Output-Packets AVPs are present, these must be translated to the corresponding RADIUS attributes. Further, if the value of a Diameter AVP does not fit within a 32-bit RADIUS attribute, the RADIUS Acct-Input-Gigawords and Acct-Output-Gigawords attributes must be used.

   - If the RADIUS link supports the Message-Authenticator attribute [RADIUSExt] it SHOULD be generated and added to the request.

   When the corresponding response is received by the Translation Agent, which is guaranteed in the RADIUS protocol, the following steps may be followed:

   - If the RADIUS code is set to Access-Challenge, a Diameter AA-Answer message is created with the Result-Code set to DIAMETER_MULTI_ROUND_AUTH. If the Session-Timeout attribute is present in the RADIUS message, its value is inserted in the Multi-Round-Time-Out AVP.

   - If a Proxy-State attribute is present, extract the encoded information, otherwise retrieve the original Proxy-Info AVP group information from the local state table.

   - The response's Origin-Host information is created from the FQDN of the source IP address of the RADIUS message. The same FQDN is also stored to a Route-Record AVP.

   - The response's Destination-Host AVP is copied from the saved request's Origin-Host information.

   - The Session-Id information can be recovered from local state, or from the constructed State or Proxy-State attribute as above.

   - If a Proxy-Info AVP was present in the request, the same AVP MUST be added to the response.

   - If the RADIUS State attributes are present, these attributes must be present in the Diameter response, minus those added by the gateway.

   - Any other AVPs that were saved at request time, and MUST be present in the response, are added to the message.
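   Two of the translations in the step lists of Sections 9.1 and 9.2, as an added example that is not part of the draft: the "Diameter/" State and Class encoding of Section 9.1 (built when a Diameter answer becomes a RADIUS response, parsed when the next RADIUS request reaches a possibly different Translation Agent), and the conversion between a 64-bit Diameter counter and the 32-bit RADIUS octet attribute plus its Gigawords companion, needed in both directions. The function names, the sample identities and the Session-Id values are constructed; the RADIUS attribute names Acct-Input-Octets and Acct-Input-Gigawords referred to in the comments are those of RFC 2866 and RFC 2869.

```python
# Added example, not part of the draft: two of the attribute translations
# listed in Sections 9.1 and 9.2. encode_state()/decode_state() build and
# parse the RADIUS State value that carries Origin-Host/Origin-Realm/
# Session-Id with the "Diameter/" prefix, encode_class()/decode_class() do the
# same for the Class attribute, and the two counter functions move a 64-bit
# Diameter octet or packet counter into and out of the 32-bit RADIUS
# Acct-*-Octets plus Acct-*-Gigawords attribute pair. All sample identities
# are constructed.
from typing import Optional, Tuple

PREFIX = b"Diameter/"
U32_MAX = 0xFFFFFFFF
U64_MAX = 0xFFFFFFFFFFFFFFFF


def encode_state(origin_host: str, origin_realm: str, session_id: str) -> bytes:
    """RADIUS State = "Diameter/" + Origin-Host "/" Origin-Realm "/" Session-Id, UTF-8."""
    return PREFIX + "/".join((origin_host, origin_realm, session_id)).encode("utf-8")


def decode_state(state: bytes) -> Optional[Tuple[str, str, str]]:
    """Recover (origin_host, origin_realm, session_id) from a State attribute.

    Returns None when the value was not produced by a Translation Agent (no
    "Diameter/" prefix, not valid UTF-8, or not three non-empty fields); the
    caller then creates a new Session-Id for an Access-Request, as Section 9.1
    describes. The split stops after two "/" so a Session-Id that itself
    contains "/" survives intact.
    """
    if not state.startswith(PREFIX):
        return None
    try:
        fields = state[len(PREFIX):].decode("utf-8").split("/", 2)
    except UnicodeDecodeError:
        return None
    if len(fields) != 3 or not all(fields):
        return None
    return fields[0], fields[1], fields[2]


def encode_class(session_id: str) -> bytes:
    """RADIUS Class = "Diameter/" + Session-Id, so later ACRs find the session."""
    return PREFIX + session_id.encode("utf-8")


def decode_class(value: bytes) -> Optional[str]:
    """Inverse of encode_class(); None for Class values the gateway did not create."""
    if not value.startswith(PREFIX) or len(value) == len(PREFIX):
        return None
    try:
        return value[len(PREFIX):].decode("utf-8")
    except UnicodeDecodeError:
        return None


def counter_to_radius(value: int) -> Tuple[int, Optional[int]]:
    """Split an Unsigned64 counter into (Acct-*-Octets, Acct-*-Gigawords).

    Gigawords is the number of times the 32-bit counter wrapped, i.e. the high
    32 bits; it is omitted (None) when the value fits in 32 bits.
    """
    if not 0 <= value <= U64_MAX:
        raise ValueError("counter out of Unsigned64 range")
    low, high = value & U32_MAX, value >> 32
    return low, (high or None)


def counter_from_radius(low: int, gigawords: Optional[int] = None) -> int:
    """Recombine the RADIUS pair into the Diameter Unsigned64 value."""
    if not 0 <= low <= U32_MAX or not 0 <= (gigawords or 0) <= U32_MAX:
        raise ValueError("attribute out of 32-bit range")
    return ((gigawords or 0) << 32) | low


if __name__ == "__main__":
    st = encode_state("gw.example.com", "example.com", "gw.example.com;1;2")
    print(st)                                  # b'Diameter/gw.example.com/example.com/gw.example.com;1;2'
    print(decode_state(st))                    # ('gw.example.com', 'example.com', 'gw.example.com;1;2')
    print(counter_to_radius(5 * 2**32 + 17))   # (17, 5)
```

   A State value that a NAS or another RADIUS server produced will not carry the prefix, so decode_state() refuses it rather than reading foreign opaque data as a Diameter identity; the same applies to Class values.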
   When translating a RADIUS Access-Accept that contains a Session-Timeout attribute to a Diameter AA-Answer, do the following:

   - If the RADIUS message contains a Session-Timeout attribute and a Termination-Action attribute set to DEFAULT (or no Termination-Action attribute at all), translate it to an AA-Answer with a Session-Timeout AVP, and remove the Termination-Action attribute.

   - If the RADIUS message contains a Session-Timeout attribute and a Termination-Action attribute set to AA-REQUEST, translate it to an AA-Answer with an Authorization-Lifetime AVP and Re-Auth-Request-Type set to AUTHORIZE_AUTHENTICATE, and remove the Session-Timeout attribute.

9.2.1. RADIUS Dynamic Authorization considerations

   A RADIUS/Diameter gateway that is communicating with a RADIUS client that implements RADIUS Dynamic Authorization [RADDynAuth] may translate Diameter Re-Auth-Request (RAR) messages and Abort-Session-Request (ASR) messages [Base] into RADIUS CoA-Request and Disconnect-Request messages respectively.

   If the RADIUS client does not support the capability, the gateway will receive an ICMP Port Unreachable indication when it transmits the RADIUS message. Even if the NAS supports [RADDynAuth], it may not support the Service-Type in the request message. In this case it will respond with a NAK message and (optionally) an Error-Cause attribute with value 405, "Unsupported Service". If the gateway encounters these error conditions, or if it does not support [RADDynAuth], it sends a Diameter Answer message with a Result-Code AVP of "DIAMETER_COMMAND_UNSUPPORTED" to the AAA server.

   When encoding the RADIUS messages, the gateway MUST include the Diameter Session-Id in the RADIUS State attribute value, as mentioned above. The RADIUS client should return it in the response.
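   The Session-Timeout and Authorization-Lifetime rules at the end of Sections 9.1 and 9.2 above, as an added Python example (not code from the draft). Messages are modelled as dicts keyed by AVP or attribute name; the function names and the sample values are constructed, and the strings "AA-REQUEST" and "DEFAULT" stand for the RADIUS Termination-Action values that RFC 2865 names RADIUS-Request (1) and Default (0).

```python
# Added example, not part of the draft: the Session-Timeout /
# Authorization-Lifetime mapping rules given at the end of Section 9.1
# (AA-Answer to Access-Accept) and Section 9.2 (Access-Accept to AA-Answer).
# Messages are plain dicts of AVP or attribute name to value; "AA-REQUEST" and
# "DEFAULT" are the draft's labels for the RADIUS Termination-Action values
# (RFC 2865 calls them RADIUS-Request (1) and Default (0)). Sample values are
# constructed.
from typing import Dict

AA_REQUEST = "AA-REQUEST"
DEFAULT = "DEFAULT"


def aa_answer_to_access_accept(avps: Dict[str, object]) -> Dict[str, object]:
    """Diameter -> RADIUS (Section 9.1). Only the timeout-related attributes are
    produced; Authorization-Lifetime and Re-Auth-Request-Type have no RADIUS
    form and are dropped, as the draft directs."""
    attrs: Dict[str, object] = {}
    session_timeout = avps.get("Session-Timeout")
    auth_lifetime = avps.get("Authorization-Lifetime")
    if session_timeout is not None and auth_lifetime is None:
        attrs["Session-Timeout"] = session_timeout      # no Termination-Action
    elif auth_lifetime is not None and session_timeout is None:
        attrs["Session-Timeout"] = auth_lifetime
        attrs["Termination-Action"] = AA_REQUEST        # NAS must re-authorize
    elif session_timeout is not None and auth_lifetime is not None:
        if session_timeout < auth_lifetime:
            # [Base] requires Session-Timeout >= Authorization-Lifetime; refuse
            # the answer rather than silently extend the authorization.
            raise ValueError("Session-Timeout smaller than Authorization-Lifetime")
        attrs["Session-Timeout"] = auth_lifetime        # the smaller value
        attrs["Termination-Action"] = AA_REQUEST
    return attrs


def access_accept_to_aa_answer(attrs: Dict[str, object]) -> Dict[str, object]:
    """RADIUS -> Diameter (Section 9.2). Termination-Action is consumed, and so
    is Session-Timeout when it becomes Authorization-Lifetime."""
    avps: Dict[str, object] = {}
    session_timeout = attrs.get("Session-Timeout")
    if session_timeout is None:
        return avps
    action = attrs.get("Termination-Action", DEFAULT)
    if action == DEFAULT:
        avps["Session-Timeout"] = session_timeout
    elif action == AA_REQUEST:
        avps["Authorization-Lifetime"] = session_timeout
        avps["Re-Auth-Request-Type"] = "AUTHORIZE_AUTHENTICATE"
    else:
        raise ValueError("unknown Termination-Action value: %r" % (action,))
    return avps


if __name__ == "__main__":
    print(aa_answer_to_access_accept({"Session-Timeout": 3600, "Authorization-Lifetime": 600}))
    # {'Session-Timeout': 600, 'Termination-Action': 'AA-REQUEST'}
    print(access_accept_to_aa_answer({"Session-Timeout": 600, "Termination-Action": "AA-REQUEST"}))
    # {'Authorization-Lifetime': 600, 'Re-Auth-Request-Type': 'AUTHORIZE_AUTHENTICATE'}
```

   Passing a Diameter answer through both functions shows the lossy part of the mapping: an Authorization-Lifetime survives the round trip, but a Session-Timeout that accompanied it does not, because RADIUS has a single timer.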
   A Diameter Re-Auth-Request (RAR) message [Base] received by the
   gateway will be translated into a RADIUS CoA-Request and sent to the
   RADIUS client. The RADIUS client should respond with a CoA-ACK or
   CoA-NAK message, which the gateway should translate into a
   Re-Auth-Answer (RAA) message.

   If the gateway receives a RADIUS CoA-NAK response containing a
   Service-Type Attribute with value "Authorize Only" and an Error-Cause
   Attribute with value "Request Initiated", this indicates an extended
   exchange request by the rules given in [RADDynAuth] Section 3.2,
   Note 6.

   The response is translated to a Diameter Re-Auth-Answer (RAA) with a
   Result-Code AVP of "DIAMETER_LIMITED_SUCCESS" sent to the AAA server.

   Subsequently, the gateway should receive a RADIUS Access-Request from
   the NAS, with a Service-Type of "Authorize Only". This is translated
   to a Diameter AA-Request with an Auth-Request-Type AVP of
   AUTHORIZE_ONLY, sent to the AAA server. The AAA server will then
   reply with a Diameter AA-Answer, which is translated to a RADIUS
   Access-Accept or Access-Reject, depending on the value of the
   Result-Code AVP.

   A Diameter Abort-Session-Request (ASR) message [Base] received by the
   gateway will be translated into a RADIUS Disconnect-Request and sent
   to the RADIUS client. The RADIUS client should respond with a
   Disconnect-ACK or Disconnect-NAK message, which the gateway should
   translate into an Abort-Session-Answer (ASA) message.

   If the gateway receives a RADIUS Disconnect-NAK response containing a
   Service-Type Attribute with value "Authorize Only" and an Error-Cause
   Attribute with value "Request Initiated", the Disconnect-NAK response
   is translated to a Diameter Abort-Session-Answer (ASA) with a
   Result-Code AVP of "DIAMETER_LIMITED_SUCCESS" sent to the AAA server.
   Subsequently, the gateway should receive a RADIUS Access-Request from
   the NAS, with a Service-Type of "Authorize Only". This is translated
   to a Diameter AA-Request with an Auth-Request-Type AVP of
   AUTHORIZE_ONLY, sent to the AAA server. The AAA server will then
   reply with a Diameter AA-Answer, which is translated to a RADIUS
   Access-Accept or Access-Reject, depending on the value of the
   Result-Code AVP.

9.3. AVPs Used Only for Compatibility

   The AVPs defined in this section SHOULD only be used for backwards
   compatibility when a Diameter/RADIUS translation function is invoked,
   and are not typically originated by Diameter systems during normal
   operations.

                                             +---------------------+
                                             |    AVP Flag rules   |
                                             |----+-----+----+-----|----+
                      AVP  Section           |    |     |SHLD| MUST|    |
   Attribute Name     Code Defined Value Type|MUST| MAY | NOT| NOT|Encr|
   -----------------------------------------|----+-----+----+-----|----|
   NAS-Identifier      32  9.3.1  UTF8String | M  |  P  |    |  V  | Y  |
   NAS-IP-Address       4  9.3.2  OctetString| M  |  P  |    |  V  | Y  |
   NAS-IPv6-Address    95  9.3.3  OctetString| M  |  P  |    |  V  | Y  |
   State               24  9.3.4  OctetString| M  |  P  |    |  V  | Y  |
   Termination-       295  9.3.5  Enumerated | M  |  P  |    |  V  | Y  |
     Cause                                   |    |     |    |     |    |
   -----------------------------------------|----+-----+----+-----|----|

9.3.1. NAS-Identifier AVP

   The NAS-Identifier AVP (AVP Code 32) [RADIUS] is of type UTF8String
   and contains the identity of the NAS providing service to the user.
   This AVP SHOULD only be added by a RADIUS/Diameter Translation Agent.
   When this AVP is present, the Origin-Host AVP identifies the NAS
   providing service to the user.

   In RADIUS it would be possible for a rogue NAS to forge the
   NAS-Identifier attribute. Diameter/RADIUS translation agents SHOULD
   attempt to check a received NAS-Identifier attribute against the
   source address of the RADIUS packet, by doing an A/AAAA RR query. If
   the NAS-Identifier attribute contains an FQDN, then such a query
   would resolve to an IP address matching the source address. However,
   the NAS-Identifier attribute is not required to contain an FQDN, so
   such a query could fail. In this case, an error should be logged, but
   no other action taken, other than doing a reverse lookup on the
   source address and inserting the resulting FQDN into the Route-Record
   AVP.

   Diameter agents and servers SHOULD check whether a NAS-Identifier AVP
   corresponds to an entry in the Route-Record AVP. If no match is
   found, then an error is logged, but no other action is taken.

9.3.2. NAS-IP-Address AVP

   The NAS-IP-Address AVP (AVP Code 4) [RADIUS] is of type OctetString,
   and contains the IP Address of the NAS providing service to the user.
   This AVP SHOULD only be added by a RADIUS/Diameter Translation Agent.
   When this AVP is present, the Origin-Host AVP identifies the NAS
   providing service to the user.

   In RADIUS it would be possible for a rogue NAS to forge the
   NAS-IP-Address attribute value. Diameter/RADIUS translation agents
   MUST check a received NAS-IP-Address or NAS-IPv6-Address attribute
   against the source address of the RADIUS packet. If they do not
   match, and the Diameter/RADIUS translation agent does not know
   whether the packet was sent by a RADIUS proxy or NAS (e.g. no
   Proxy-State attribute) then by default it is assumed that the source
   address corresponds to a RADIUS proxy, and that the NAS Address is
   behind that proxy, potentially with some additional RADIUS proxies in
   between. The Diameter/RADIUS translation agent MUST insert entries
   in the Route-Record AVP corresponding to the apparent route. This
   implies doing a reverse lookup on the source address and
   NAS-IP-Address, or NAS-IPv6-Address attributes in order to determine
   the corresponding FQDNs.

   If the source address and the NAS-IP-Address, or NAS-IPv6-Address do
   not match, and the Diameter/RADIUS translation agent knows that it is
   talking directly to the NAS (e.g. no RADIUS proxies between it and
   the NAS), then the error should be logged, and the packet MUST be
   discarded.

   Diameter agents and servers MUST check whether the NAS-IP-Address AVP
   corresponds to an entry in the Route-Record AVP. This is done by
   doing a reverse lookup (PTR RR) for the NAS-IP-Address to retrieve
   the corresponding FQDN, and checking for a match with the
   Route-Record AVP. If no match is found, then an error is logged, but
   no other action is taken.

9.3.3. NAS-IPv6-Address AVP

   The NAS-IPv6-Address AVP (AVP Code 95) [RADIUSIPv6] is of type
   OctetString, and contains the IPv6 Address of the NAS providing
   service to the user. This AVP SHOULD only be added by a
   RADIUS/Diameter Translation Agent. When this AVP is present, the
   Origin-Host AVP identifies the NAS providing service to the user.

   In RADIUS it would be possible for a rogue NAS to forge the
   NAS-IPv6-Address attribute. Diameter/RADIUS translation agents MUST
   check a received NAS-IPv6-Address attribute against the source
   address of the RADIUS packet. If they do not match, and the
   Diameter/RADIUS translation agent does not know whether the packet
   was sent by a RADIUS proxy or NAS (e.g. no Proxy-State attribute)
   then by default it is assumed that the source address corresponds to
   a RADIUS proxy, and that the NAS-IPv6-Address is behind that proxy,
   potentially with some additional RADIUS proxies in between. The
   Diameter/RADIUS translation agent MUST insert entries in the
   Route-Record AVP corresponding to the apparent route. This implies
   doing a reverse lookup on the source address and NAS-IPv6-Address
   attributes in order to determine the corresponding FQDNs.

   If the source address and the NAS-IPv6-Address do not match, and the
   Diameter/RADIUS translation agent knows that it is talking directly
   to the NAS (e.g. no RADIUS proxies between it and the NAS), then the
   error should be logged, and the packet MUST be discarded.

   Diameter agents and servers MUST check whether the NAS-IPv6-Address
   AVP corresponds to an entry in the Route-Record AVP. This is done by
   doing a reverse lookup (PTR RR) for the NAS-IPv6-Address to retrieve
   the corresponding FQDN, and checking for a match with the
   Route-Record AVP. If no match is found, then an error is logged, but
   no other action is taken.

9.3.4. State AVP

   The State AVP (AVP Code 24) [RADIUS] is of type OctetString and has
   two uses in the Diameter NAS application.

   The State AVP MAY be sent by a Diameter Server to a NAS in an
   AA-Response command that contains a Result-Code of
   DIAMETER_MULTI_ROUND_AUTH. If so, the NAS MUST return it unmodified
   in the subsequent AA-Request command.

   The State AVP MAY also be sent by a Diameter Server to a NAS in an
   AA-Response command that also includes a Termination-Action AVP with
   the value of AA-REQUEST. If the NAS performs the Termination-Action
   by sending a new AA-Request command upon termination of the current
   service, it MUST return the State AVP unmodified in the new request
   command.

   In either usage the NAS MUST NOT interpret the AVP locally. Usage of
   the State AVP is implementation dependent.
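   The source-address check of Sections 9.3.2 and 9.3.3 above, and the
   Route-Record check a Diameter agent or server then performs, as an
   added Python example written for this page (not the draft's or any
   implementation's code). DNS reverse lookups are replaced by an injected
   lookup function so it runs offline; the addresses and hostnames are
   constructed, and the Route-Record ordering (NAS first, then the proxy
   the packet came from) and the fallback to an address literal when the
   PTR lookup fails are assumptions the draft does not spell out.

```python
"""Translation-agent checks for NAS-IP-Address / NAS-IPv6-Address."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
# address string -> FQDN from its PTR record, or None when there is none
ReverseLookup = Callable[[str], Optional[str]]


@dataclass
class GatewayDecision:
    accept: bool                                    # False: log and discard
    route_record: List[str] = field(default_factory=list)  # NAS side first
    errors: List[str] = field(default_factory=list)        # what to log


def _fqdn_for(addr: IPAddress, lookup: ReverseLookup, errors: List[str]) -> str:
    """Reverse-map an address for a Route-Record entry. On a PTR miss the
    draft only says to log; falling back to the literal is this example's
    assumption."""
    fqdn = lookup(str(addr))
    if fqdn is None:
        errors.append(f"no PTR record for {addr}")
        return str(addr)
    return fqdn


def check_nas_address(source_addr: str, nas_addr: Optional[str],
                      direct_to_nas: Optional[bool],
                      lookup: ReverseLookup) -> GatewayDecision:
    """Sections 9.3.2 / 9.3.3 (IPv4 and IPv6 are handled alike).

    source_addr   - source IP of the RADIUS packet
    nas_addr      - NAS-IP-Address / NAS-IPv6-Address value, None if absent
    direct_to_nas - True: agent knows it talks directly to the NAS;
                    False: a RADIUS proxy is known to sit in between;
                    None: unknown (e.g. no Proxy-State), so the draft's
                    default of "source is a proxy" applies
    """
    decision = GatewayDecision(accept=True)
    src = ipaddress.ip_address(source_addr)
    if nas_addr is None:
        # Nothing to compare; the sender is the only Route-Record hop.
        decision.route_record.append(_fqdn_for(src, lookup, decision.errors))
        return decision
    nas = ipaddress.ip_address(nas_addr)      # normalises v6 spellings
    if nas == src:
        # Attribute agrees with the packet origin: a single hop.
        decision.route_record.append(_fqdn_for(src, lookup, decision.errors))
        return decision
    if direct_to_nas is True:
        # Mismatch on a direct link: forged or misconfigured; MUST discard.
        decision.accept = False
        decision.errors.append(
            f"NAS address {nas} != source {src} on direct link; discarded")
        return decision
    # Unknown or known proxy path: assume the NAS sits behind the sender and
    # record the apparent route.
    decision.route_record.append(_fqdn_for(nas, lookup, decision.errors))
    decision.route_record.append(_fqdn_for(src, lookup, decision.errors))
    return decision


def server_route_record_check(nas_addr: str, route_record: List[str],
                              lookup: ReverseLookup) -> bool:
    """Last paragraph of 9.3.2 / 9.3.3: reverse-map the NAS address and look
    for it in Route-Record. A miss is logged (returned as False here) but
    the message is not rejected."""
    fqdn = lookup(str(ipaddress.ip_address(nas_addr)))
    return fqdn is not None and fqdn in route_record


# Constructed PTR data standing in for DNS (documentation ranges only).
CONSTRUCTED_PTR = {
    "192.0.2.10": "nas1.example.net",
    "192.0.2.1": "proxy.example.net",
    "2001:db8::10": "nas6.example.net",
}


def demo_lookup(addr: str) -> Optional[str]:
    return CONSTRUCTED_PTR.get(str(ipaddress.ip_address(addr)))
```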
9.3.5. Termination-Cause AVP Code Values

   This section defines a mapping between Termination-Cause AVP code
   values and RADIUS Acct-Terminate-Cause attribute code values from RFC
   2866 [RADIUSAcct] and [RADIUSTypes], thereby allowing a
   RADIUS/Diameter Translation Agent to convert between the attribute
   and AVP values. This section thus extends the definitions in the
   "Termination-Cause AVP" section of the Base Diameter specification.

   The table in this section defines the mapping between
   Termination-Cause AVP and RADIUS Acct-Terminate-Cause causes.

                                  +-----------------------+
                                  |         Value         |
                                  +-----------+-----------+
   Cause Value Name               |  RADIUS   | Diameter  |
   ------------------------------|-----------+-----------+
   User Request                   |     1     |    11     |
   Lost Carrier                   |     2     |    12     |
   Lost Service                   |     3     |    13     |
   Idle Timeout                   |     4     |    14     |
   Session Timeout                |     5     |    15     |
   Admin Reset                    |     6     |    16     |
   Admin Reboot                   |     7     |    17     |
   Port Error                     |     8     |    18     |
   NAS Error                      |     9     |    19     |
   NAS Request                    |    10     |    20     |
   NAS Reboot                     |    11     |    21     |
   Port Unneeded                  |    12     |    22     |
   Port Preempted                 |    13     |    23     |
   Port Suspended                 |    14     |    24     |
   Service Unavailable            |    15     |    25     |
   Callback                       |    16     |    26     |
   User Error                     |    17     |    27     |
   Host Request                   |    18     |    28     |
   Supplicant Restart             |    19     |    29     | [RAD802.1X]
   Reauthentication Failure       |    20     |    30     | [RAD802.1X]
   Port Reinit                    |    21     |    31     | [RAD802.1X]
   Port Disabled                  |    22     |    32     | [RAD802.1X]
   ------------------------------|-----------+-----------+

   From RFC 2866, the termination causes are as follows:

   User Request         User requested termination of service, for
                        example with LCP Terminate or by logging out.

   Lost Carrier         DCD was dropped on the port.

   Lost Service         Service can no longer be provided; for
                        example, user's connection to a host was
                        interrupted.

   Idle Timeout         Idle timer expired.

   Session Timeout      Maximum session length timer expired.

   Admin Reset          Administrator reset the port or session.

   Admin Reboot         Administrator is ending service on the NAS,
                        for example prior to rebooting the NAS.

   Port Error           NAS detected an error on the port which
                        required ending the session.

   NAS Error            NAS detected some error (other than on the
                        port) which required ending the session.

   NAS Request          NAS ended session for a non-error reason not
                        otherwise listed here.

   NAS Reboot           The NAS ended the session in order to reboot
                        non-administratively ("crash").

   Port Unneeded        NAS ended session because resource usage fell
                        below low-water mark (for example, if a
                        bandwidth-on-demand algorithm decided that
                        the port was no longer needed).

   Port Preempted       NAS ended session in order to allocate the
                        port to a higher priority use.

   Port Suspended       NAS ended session to suspend a virtual
                        session.

   Service Unavailable  NAS was unable to provide requested service.

   Callback             NAS is terminating current session in order
                        to perform callback for a new session.

   User Error           Input from user is in error, causing
                        termination of session.

   Host Request         Login Host terminated session normally.

9.4. Prohibited RADIUS Attributes

   The following RADIUS attributes MUST NOT appear in a Diameter
   message. Instead, they are translated to other Diameter AVPs or
   handled in some special manner. The rules for the treatment of the
   attributes are discussed in Sections 9.1, 9.2 and 9.6.

   Attribute  Description            Defined   Nearest Diameter AVP
   -----------------------------------------------------------------
    3  CHAP-Password                 RFC 2865  CHAP-Auth Group
   26  Vendor-Specific               RFC 2865  Vendor Specific AVP
   29  Termination-Action            RFC 2865  Authorization-Lifetime
   40  Acct-Status-Type              RFC 2866  Accounting-Record-Type
   42  Acct-Input-Octets             RFC 2866  Accounting-Input-Octets
   43  Acct-Output-Octets            RFC 2866  Accounting-Output-Octets
   47  Acct-Input-Packets            RFC 2866  Accounting-Input-Packets
   48  Acct-Output-Packets           RFC 2866  Accounting-Output-Packets
   49  Acct-Terminate-Cause          RFC 2866  Termination-Cause
   52  Acct-Input-Gigawords          RFC 2869  Accounting-Input-Octets
   53  Acct-Output-Gigawords         RFC 2869  Accounting-Output-Octets
   80  Message-Authenticator         RFC 2869  none - check and discard

9.5. Translatable Diameter AVPs

   In general, Diameter AVPs that are not RADIUS compatible have code
   values greater than 255. The table in the section above shows the
   AVPs that can be converted into RADIUS attributes.

   Another problem may occur with Diameter AVP values that may be more
   than 253 octets in length. Some RADIUS attributes (including but
   not limited to (8) Reply-Message, (79) EAP-Message, and (77)
   Connect-Info) allow concatenation of multiple instances to overcome
   this limitation. If this is not possible, a Result-Code of
   DIAMETER_INVALID_AVP_LENGTH should be returned.

9.6. RADIUS Vendor Specific Attributes

   RADIUS supports the inclusion of Vendor Specific Attributes (VSAs)
   through the use of attribute 26. The recommended format [RADIUS] of
   the attribute data field includes a 4 octet vendor code followed by a
   one octet vendor type field and a one octet length field. The last
   two fields MAY be repeated.

9.6.1. Forwarding a Diameter Vendor AVP as a RADIUS VSA

   The RADIUS VSA attribute should consist of the following fields:

      RADIUS Type = 26, Vendor Specific Attribute
      RADIUS Length = total length of attribute (header + data)
      RADIUS Vendor code = Diameter Vendor code
      RADIUS Vendor type code = low order byte of Diameter AVP code
      RADIUS Vendor data length = length of Diameter data
                                  (not including padding)

   If the Diameter AVP code is greater than 255, then the RADIUS
   speaking code may use a Vendor specific field coding, if it knows one
   for that vendor. Otherwise, the AVP will be ignored, unless it is
   flagged as Mandatory, in which case a "DIAMETER_AVP_UNSUPPORTED"
   Result-Code will be returned, and the RADIUS message will not be
   sent.

9.6.2. Forwarding a RADIUS VSA to a Diameter Vendor AVP

   The Diameter AVP will consist of the following fields:

      Diameter Flags: V=1, M=0, P=0
      Diameter Vendor code = RADIUS VSA Vendor code
      Diameter AVP code = RADIUS VSA Vendor type code
      Diameter AVP length = length of AVP (header + data + padding)
      Diameter Data = RADIUS VSA vendor data

   NOTE: VSAs are considered optional by RADIUS rules, and this
   specification does not set the Mandatory flag. If a VSA is to be
   made mandatory, because it represents a required service policy, the
   RADIUS gateway should have a process to set the bit on the Diameter
   side.

   If the RADIUS receiving code knows of vendor specific field
   interpretations for the specific vendor, it may employ them to parse
   an extended AVP code or data length. Otherwise the recommended
   standard fields will be used.

   Nested multiple vendor data fields MUST be expanded into multiple
   Diameter AVPs.
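   The Section 9.6.1 and 9.6.2 conversions above as an added Python
   example written for this page (not the draft's or any implementation's
   code): a Diameter vendor AVP is packed into a RADIUS attribute 26 using
   the recommended layout, and a received VSA is parsed back into one
   Diameter AVP per nested vendor field, with every length checked before
   it is trusted. The Diameter AVP is represented as a dataclass rather
   than raw bytes, the vendor id 4242 and payloads are constructed, and the
   "data too long for one attribute" case is reported with the Section 9.5
   Result-Code.

```python
"""RADIUS VSA (attribute 26) <-> Diameter vendor-specific AVP translation."""
import struct
from dataclasses import dataclass
from typing import List, Optional

RADIUS_VENDOR_SPECIFIC = 26
RADIUS_MAX_ATTR_LEN = 255                 # one-octet RADIUS Length field
VSA_FIXED_OVERHEAD = 2 + 4 + 2            # type, length, vendor id, vtype, vlen
MAX_VSA_DATA = RADIUS_MAX_ATTR_LEN - VSA_FIXED_OVERHEAD   # 247 octets

DIAMETER_AVP_UNSUPPORTED = "DIAMETER_AVP_UNSUPPORTED"
DIAMETER_INVALID_AVP_LENGTH = "DIAMETER_INVALID_AVP_LENGTH"


class TranslationError(Exception):
    """Raised with the Diameter Result-Code the gateway should return."""
    def __init__(self, result_code: str):
        super().__init__(result_code)
        self.result_code = result_code


@dataclass(frozen=True)
class VendorAVP:
    """Diameter vendor-specific AVP; translated AVPs carry V=1, M=0, P=0
    (Section 9.6.2), so only the Mandatory flag is modelled here."""
    vendor_id: int
    code: int
    data: bytes
    mandatory: bool = False


def avp_to_radius_vsa(avp: VendorAVP) -> Optional[bytes]:
    """Section 9.6.1. Returns the encoded attribute, None when the AVP is
    ignored (code > 255, not Mandatory, no vendor coding known here), and
    raises DIAMETER_AVP_UNSUPPORTED for an unrepresentable Mandatory AVP or
    DIAMETER_INVALID_AVP_LENGTH when the data cannot fit (Section 9.5)."""
    if avp.code > 255:
        if avp.mandatory:
            raise TranslationError(DIAMETER_AVP_UNSUPPORTED)
        return None
    if len(avp.data) > MAX_VSA_DATA:
        raise TranslationError(DIAMETER_INVALID_AVP_LENGTH)
    if not 0 <= avp.vendor_id < (1 << 24):
        raise ValueError("RADIUS Vendor-Id high octet must be zero")
    # vendor length covers the vendor type, vendor length and data octets
    vendor_field = struct.pack("!BB", avp.code, 2 + len(avp.data)) + avp.data
    body = struct.pack("!I", avp.vendor_id) + vendor_field
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def radius_vsa_to_avps(attr: bytes) -> List[VendorAVP]:
    """Section 9.6.2. Each nested vendor field becomes its own AVP. Length
    fields are validated before use so a truncated or overlong VSA is
    rejected instead of being read past its end."""
    if len(attr) < VSA_FIXED_OVERHEAD or attr[0] != RADIUS_VENDOR_SPECIFIC:
        raise ValueError("not a well-formed Vendor-Specific attribute")
    if attr[1] != len(attr):
        raise ValueError("RADIUS Length does not match attribute size")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    if vendor_id >> 24:
        raise ValueError("high octet of Vendor-Id must be zero")
    avps: List[VendorAVP] = []
    pos = 6
    while pos < len(attr):
        if len(attr) - pos < 2:
            raise ValueError("truncated vendor field header")
        vtype, vlen = attr[pos], attr[pos + 1]
        if vlen < 2 or pos + vlen > len(attr):
            raise ValueError("vendor length out of range")
        avps.append(VendorAVP(vendor_id, vtype, attr[pos + 2:pos + vlen]))
        pos += vlen
    return avps
```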
10. AVP Occurrence Tables

   The following tables present the AVPs used by NAS applications, in
   NAS messages, and specify in which Diameter messages they MAY, or MAY
   NOT be present. [Base] messages and AVPs are not described in this
   document. Note that AVPs that can only be present within a Grouped
   AVP are not represented in this table.

   The table uses the following symbols:

      0     The AVP MUST NOT be present in the message.
      0+    Zero or more instances of the AVP MAY be present in the
            message.
      0-1   Zero or one instance of the AVP MAY be present in the
            message.
      1     One instance of the AVP MUST be present in the message.

10.1. AA-Request/Answer AVP Table

   The table in this section is limited to the Command Codes defined in
   this specification.

                                 +-----------+
                                 |  Command  |
                                 |-----+-----+
   Attribute Name                | AAR | AAA |
   ------------------------------|-----+-----+
   Acct-Interim-Interval         |  0  | 0-1 |
   ARAP-Challenge-Response       |  0  | 0-1 |
   ARAP-Features                 |  0  | 0-1 |
   ARAP-Password                 | 0-1 |  0  |
   ARAP-Security                 | 0-1 | 0-1 |
   ARAP-Security-Data            | 0+  | 0+  |
   ARAP-Zone-Access              |  0  | 0-1 |
   Auth-Application-Id           |  1  |  1  |
   Auth-Grace-Period             | 0-1 | 0-1 |
   Auth-Request-Type             |  1  |  1  |
   Auth-Session-State            | 0-1 | 0-1 |
   Authorization-Lifetime        | 0-1 | 0-1 |
   Callback-Id                   |  0  | 0-1 |
   Callback-Number               | 0-1 | 0-1 |
   Called-Station-Id             | 0-1 |  0  |
   Calling-Station-Id            | 0-1 |  0  |
   CHAP-Auth                     | 0-1 |  0  |
   CHAP-Challenge                | 0-1 |  0  |
   Class                         |  0  | 0+  |
   Configuration-Token           |  0  | 0+  |
   Connect-Info                  | 0+  |  0  |
   Destination-Host              | 0-1 |  0  |
   Destination-Realm             |  1  |  0  |
   Error-Message                 |  0  | 0-1 |
   Error-Reporting-Host          |  0  | 0-1 |
   Failed-AVP                    | 0+  | 0+  |
   Filter-Id                     |  0  | 0+  |
   Framed-Appletalk-Link         |  0  | 0-1 |
   Framed-Appletalk-Network      |  0  | 0+  |
   Framed-Appletalk-Zone         |  0  | 0-1 |
   Framed-Compression            | 0+  | 0+  |
   Framed-Interface-Id           | 0-1 | 0-1 |
   Framed-IP-Address             | 0-1 | 0-1 |
   Framed-IP-Netmask             | 0-1 | 0-1 |
   Framed-IPv6-Prefix            | 0+  | 0+  |
   Framed-IPv6-Pool              |  0  | 0-1 |
   Framed-IPv6-Route             |  0  | 0+  |
   Framed-IPX-Network            |  0  | 0-1 |
   Framed-MTU                    | 0-1 | 0-1 |
   Framed-Pool                   |  0  | 0-1 |
   Framed-Protocol               | 0-1 | 0-1 |
   Framed-Route                  |  0  | 0+  |
   Framed-Routing                |  0  | 0-1 |
   Idle-Timeout                  |  0  | 0-1 |
   Login-IP-Host                 | 0+  | 0+  |
   Login-IPv6-Host               | 0+  | 0+  |
   Login-LAT-Group               | 0-1 | 0-1 |
   Login-LAT-Node                | 0-1 | 0-1 |
   Login-LAT-Port                | 0-1 | 0-1 |
   Login-LAT-Service             | 0-1 | 0-1 |
   Login-Service                 |  0  | 0-1 |
   Login-TCP-Port                |  0  | 0-1 |
   Multi-Round-Time-Out          |  0  | 0-1 |
   NAS-Filter-Rule               |  0  | 0+  |
   NAS-Identifier                | 0-1 |  0  |
   NAS-IP-Address                | 0-1 |  0  |
   NAS-IPv6-Address              | 0-1 |  0  |
   NAS-Port                      | 0-1 |  0  |
   NAS-Port-Id                   | 0-1 |  0  |
   NAS-Port-Type                 | 0-1 |  0  |
   Origin-Host                   |  1  |  1  |
   Origin-Realm                  |  1  |  1  |
   Origin-State-Id               | 0-1 | 0-1 |
   Originating-Line-Info         | 0-1 |  0  |
   Password-Retry                |  0  | 0-1 |
   Port-Limit                    | 0-1 | 0-1 |
   Prompt                        |  0  | 0-1 |
   Proxy-Info                    | 0+  | 0+  |
   QoS-Filter-Rule               |  0  | 0+  |
   Re-Auth-Request-Type          |  0  | 0-1 |
   Redirect-Host                 |  0  | 0+  |
   Redirect-Host-Usage           |  0  | 0-1 |
   Redirect-Max-Cache-Time       |  0  | 0-1 |
   Reply-Message                 |  0  | 0+  |
   Result-Code                   |  0  |  1  |
   Route-Record                  | 0+  | 0+  |
   Service-Type                  | 0-1 | 0-1 |
   Session-Id                    |  1  |  1  |
   Session-Timeout               |  0  | 0-1 |
   State                         | 0-1 | 0-1 |
   Tunneling                     | 0+  | 0+  |
   User-Name                     | 0-1 | 0-1 |
   User-Password                 | 0-1 |  0  |
   ------------------------------|-----+-----+

10.2. Accounting AVP Tables

   The tables in this section are used to represent which AVPs defined
   in this document are to be present and used in NAS application
   Accounting messages. These AVPs are defined in this document, as
   well as [Base] and [RADIUSAcct].

10.2.1. Accounting Framed Access AVP Table

   The table in this section is used when the Service-Type specifies
   Framed Access.

                                          +-----------+
                                          |  Command  |
                                          |-----+-----+
   Attribute Name                         | ACR | ACA |
   ---------------------------------------|-----+-----+
   Accounting-Auth-Method                 | 0-1 |  0  |
   Accounting-Input-Octets                |  1  |  0  |
   Accounting-Input-Packets               |  1  |  0  |
   Accounting-Output-Octets               |  1  |  0  |
   Accounting-Output-Packets              |  1  |  0  |
   Accounting-Record-Number               | 0-1 | 0-1 |
   Accounting-Record-Type                 |  1  |  1  |
   Accounting-Realtime-Required           | 0-1 | 0-1 |
   Accounting-Sub-Session-Id              | 0-1 | 0-1 |
   Acct-Application-Id                    | 0-1 | 0-1 |
   Acct-Session-Id                        |  1  | 0-1 |
   Acct-Multi-Session-Id                  | 0-1 | 0-1 |
   Acct-Authentic                         |  1  |  0  |
   Acct-Delay-Time                        | 0-1 |  0  |
   Acct-Interim-Interval                  | 0-1 | 0-1 |
   Acct-Link-Count                        | 0-1 |  0  |
   Acct-Session-Time                      |  1  |  0  |
   Acct-Tunnel-Connection                 | 0-1 |  0  |
   Acct-Tunnel-Packets-Lost               | 0-1 |  0  |
   Authorization-Lifetime                 | 0-1 |  0  |
   Callback-Id                            | 0-1 |  0  |
   Callback-Number                        | 0-1 |  0  |
   Called-Station-Id                      | 0-1 |  0  |
   Calling-Station-Id                     | 0-1 |  0  |
   Class                                  | 0+  | 0+  |
   Connection-Info                        | 0+  |  0  |
   Destination-Host                       | 0-1 |  0  |
   Destination-Realm                      |  1  |  0  |
   Event-Timestamp                        | 0-1 | 0-1 |
   Error-Message                          |  0  | 0-1 |
   Error-Reporting-Host                   |  0  | 0-1 |
   Failed-AVP                             |  0  | 0+  |
   Framed-AppleTalk-Link                  | 0-1 |  0  |
   Framed-AppleTalk-Network               | 0-1 |  0  |
   Framed-AppleTalk-Zone                  | 0-1 |  0  |
   Framed-Compression                     | 0-1 |  0  |
   Framed-IP-Address                      | 0-1 |  0  |
   Framed-IP-Netmask                      | 0-1 |  0  |
   Framed-IPv6-Prefix                     | 0+  |  0  |
   Framed-IPv6-Pool                       | 0-1 |  0  |
   Framed-IPX-Network                     | 0-1 |  0  |
   Framed-MTU                             | 0-1 |  0  |
   Framed-Pool                            | 0-1 |  0  |
   Framed-Protocol                        | 0-1 |  0  |
   Framed-Route                           | 0-1 |  0  |
   Framed-Routing                         | 0-1 |  0  |
   NAS-Filter-Rule                        | 0+  |  0  |
   NAS-Identifier                         | 0-1 | 0-1 |
   NAS-IP-Address                         | 0-1 | 0-1 |
   NAS-IPv6-Address                       | 0-1 | 0-1 |
   NAS-Port                               | 0-1 | 0-1 |
   NAS-Port-Id                            | 0-1 | 0-1 |
   NAS-Port-Type                          | 0-1 | 0-1 |
   Origin-Host                            |  1  |  1  |
   Origin-Realm                           |  1  |  1  |
   Origin-State-Id                        | 0-1 | 0-1 |
   Originating-Line-Info                  | 0-1 |  0  |
   Proxy-Info                             | 0+  | 0+  |
   QoS-Filter-Rule                        | 0+  |  0  |
   Route-Record                           | 0+  | 0+  |
   Result-Code                            |  0  |  1  |
   Service-Type                           | 0-1 | 0-1 |
   Session-Id                             |  1  |  1  |
   Termination-Cause                      | 0-1 | 0-1 |
   Tunnel-Assignment-Id                   | 0-1 |  0  |
   Tunnel-Client-Endpoint                 | 0-1 |  0  |
   Tunnel-Medium-Type                     | 0-1 |  0  |
   Tunnel-Private-Group-Id                | 0-1 |  0  |
   Tunnel-Server-Endpoint                 | 0-1 |  0  |
   Tunnel-Type                            | 0-1 |  0  |
   User-Name                              | 0-1 | 0-1 |
   Vendor-Specific-Application-Id         | 0-1 | 0-1 |
   ---------------------------------------|-----+-----+

10.2.2. Accounting Non-Framed Access AVP Table

   The table in this section is used when the Service-Type specifies
   Non-Framed Access.

                                          +-----------+
                                          |  Command  |
                                          |-----+-----+
   Attribute Name                         | ACR | ACA |
   ---------------------------------------|-----+-----+
   Accounting-Auth-Method                 | 0-1 |  0  |
   Accounting-Input-Octets                |  1  |  0  |
   Accounting-Output-Octets               |  1  |  0  |
   Accounting-Record-Type                 |  1  |  1  |
   Accounting-Record-Number               | 0-1 | 0-1 |
   Accounting-Realtime-Required           | 0-1 | 0-1 |
   Accounting-Sub-Session-Id              | 0-1 | 0-1 |
   Acct-Application-Id                    | 0-1 | 0-1 |
   Acct-Session-Id                        |  1  | 0-1 |
   Acct-Multi-Session-Id                  | 0-1 | 0-1 |
   Acct-Authentic                         |  1  |  0  |
   Acct-Delay-Time                        | 0-1 |  0  |
   Acct-Interim-Interval                  | 0-1 | 0-1 |
   Acct-Link-Count                        | 0-1 |  0  |
   Acct-Session-Time                      |  1  |  0  |
   Authorization-Lifetime                 | 0-1 |  0  |
   Callback-Id                            | 0-1 |  0  |
   Callback-Number                        | 0-1 |  0  |
   Called-Station-Id                      | 0-1 |  0  |
   Calling-Station-Id                     | 0-1 |  0  |
   Class                                  | 0+  | 0+  |
   Connection-Info                        | 0+  |  0  |
   Destination-Host                       | 0-1 |  0  |
   Destination-Realm                      |  1  |  0  |
   Event-Timestamp                        | 0-1 | 0-1 |
   Error-Message                          |  0  | 0-1 |
   Error-Reporting-Host                   |  0  | 0-1 |
   Failed-AVP                             |  0  | 0+  |
   Login-IP-Host                          | 0+  |  0  |
   Login-IPv6-Host                        | 0+  |  0  |
   Login-LAT-Service                      | 0-1 |  0  |
   Login-LAT-Node                         | 0-1 |  0  |
   Login-LAT-Group                        | 0-1 |  0  |
   Login-LAT-Port                         | 0-1 |  0  |
   Login-Service                          | 0-1 |  0  |
   Login-TCP-Port                         | 0-1 |  0  |
   NAS-Identifier                         | 0-1 | 0-1 |
   NAS-IP-Address                         | 0-1 | 0-1 |
   NAS-IPv6-Address                       | 0-1 | 0-1 |
   NAS-Port                               | 0-1 | 0-1 |
   NAS-Port-Id                            | 0-1 | 0-1 |
   NAS-Port-Type                          | 0-1 | 0-1 |
   Origin-Host                            |  1  |  1  |
   Origin-Realm                           |  1  |  1  |
   Origin-State-Id                        | 0-1 | 0-1 |
   Originating-Line-Info                  | 0-1 |  0  |
   Proxy-Info                             | 0+  | 0+  |
   QoS-Filter-Rule                        | 0+  |  0  |
   Route-Record                           | 0+  | 0+  |
   Result-Code                            |  0  |  1  |
   Session-Id                             |  1  |  1  |
   Service-Type                           | 0-1 | 0-1 |
   Termination-Cause                      | 0-1 | 0-1 |
   User-Name                              | 0-1 | 0-1 |
   Vendor-Specific-Application-Id         | 0-1 | 0-1 |
   ---------------------------------------|-----+-----+

11. IANA Considerations

   This section provides guidance to the Internet Assigned Numbers
   Authority (IANA) regarding registration of values related to the
   Diameter protocol, in accordance with BCP 26 [IANAConsid].

   This document defines values in the namespaces that have been created
   and defined in the Diameter Base [Base]. The IANA Considerations
   section of that document details the assignment criteria. Values
   assigned in this document, or by future IANA action, must be
   coordinated within this shared namespace.

11.1. Command Codes

   This specification assigns the values 265 and 268 from the Command
   Code namespace defined in [Base]. See Sections 3.1 and 3.2 for the
   assignment of the namespace in this specification.

11.2. AVP Codes

   This specification assigns the values 363-366 and 400-407 from the
   AVP Code namespace defined in [Base]. See Sections 4 and 5 for the
   assignment of the namespace in this specification. Note that the
   values 363-366 are jointly, but consistently, assigned in [DiamMIP].
   This document also creates one new namespace to be managed by IANA,
   as described in Section 11.5.

   This specification also specifies the use of AVPs in the 0-255 range,
   which are defined in [RADIUSTypes]. These values are assigned by the
   policy in RFC 2865 Section 6 [RADIUS].

11.3. Application Identifier

   This specification uses the value one (1) in the Application
   Identifier namespace as assigned in [Base]. See Section 1.2 above
   for more information.

11.4. CHAP-Algorithm AVP Values

   As defined in Section 5.5, the CHAP-Algorithm AVP (AVP Code 403) uses
   the values of the "PPP AUTHENTICATION ALGORITHMS" namespace defined
   in [PPPCHAP].

11.5. Accounting-Auth-Method AVP Values

   As defined in Section 8.6, the Accounting-Auth-Method AVP (AVP Code
   406) defines the values 1-5. All remaining values are available for
   assignment via IETF Consensus [IANA].

12. Security Considerations

   This document describes the extension of Diameter for the NAS
   application. The security considerations of the Diameter protocol
   itself have been discussed in [Base]. Use of this application of
   Diameter MUST take into consideration the security issues and
   requirements of the Base protocol.

   This document does not contain a security protocol, but does discuss
   how PPP authentication protocols can be carried within the Diameter
   protocol. The PPP authentication protocols that are described are PAP
   and CHAP.

   The use of PAP SHOULD be discouraged, since it exposes users'
   passwords to possibly non-trusted entities. However, PAP is also
   frequently used with One-Time Passwords, which do not expose this
   security risk.

   This document also describes how CHAP can be carried within the
   Diameter protocol, which is required for RADIUS backward
   compatibility. The CHAP protocol, as used in a RADIUS environment,
   facilitates authentication replay attacks.

   The EAP authentication protocols described in [DiamEAP] can offer
   better security, given a method suitable for the circumstances.

13. References

13.1. Normative References

   [Base]        P. Calhoun, et al., "Diameter Base Protocol", RFC 3588,
                 September 2003.

   [AAATrans]    B. Aboba, J. Wood, "Authentication, Authorization and
                 Accounting (AAA) Transport Profile", RFC 3539, June
                 2003.

   [RADIUS]      C. Rigney, A. Rubens, W. Simpson, S. Willens, "Remote
                 Authentication Dial In User Service (RADIUS)", RFC
                 2865, June 2000.

   [RADIUSTypes] IANA, "RADIUS Types", URL:

   [RADIUSIPv6]  B. Aboba, G. Zorn, D. Mitton, "RADIUS and IPv6", RFC
                 3162, August 2001.

   [IPv6Addr]    R. Hinden, S. Deering, "Internet Protocol Version 6
                 (IPv6) Addressing Architecture", RFC 3516, April 2003.

   [PPPCHAP]     W. Simpson, "PPP Challenge Handshake Authentication
                 Protocol (CHAP)", RFC 1994, August 1996.

   [IANAConsid]  T. Narten, H. Alvestrand, "Guidelines for Writing an
                 IANA Considerations Section in RFCs", BCP 26, RFC 2434,
                 October 1998.

   [IANA]        IANA Assigned Numbers Database, URL:

   [Keywords]    S. Bradner, "Key words for use in RFCs to Indicate
                 Requirement Levels", BCP 14, RFC 2119, March 1997.

   [ANITypes]    NANPA Number Resource Info, ANI Assignments, URL:

13.2. Informative References

   [RADIUSAcct]  C. Rigney, "RADIUS Accounting", RFC 2866, June 2000.

   [RADIUSExt]   C. Rigney, W. Willats, P. Calhoun, "RADIUS Extensions",
                 RFC 2869, June 2000.

   [RADTunnels]  G. Zorn, D. Leifer, A. Rubens, J. Shriver, M. Holdrege,
                 I. Goyret, "RADIUS Attributes for Tunnel Protocol
                 Support", RFC 2868, June 2000.

   [RADTunlAcct] G. Zorn, B. Aboba, D. Mitton, "RADIUS Accounting
                 Modifications for Tunnel Protocol Support", RFC 2867,
                 June 2000.

   [RADDynAuth]  M. Chiba, G. Dommety, M. Eklund, D. Mitton, B. Aboba,
                 "Dynamic Authorization Extensions to Remote
                 Authentication Dial In User Service (RADIUS)", RFC
                 3576, August 2003.

   [RADIUSIANA]  B. Aboba, "IANA Considerations for RADIUS", RFC 3575,
                 August 2003.

   [ExtRADPract] D. Mitton, "Network Access Servers Requirements:
                 Extended RADIUS Practices", RFC 2882, July 2000.

   [NASModel]    D. Mitton, M. Beadles, "Network Access Server
                 Requirements Next Generation (NASREQNG) NAS Model", RFC
                 2881, July 2000.

   [NASCriteria] M. Beadles, D. Mitton, "Criteria for Evaluating Network
                 Access Server Protocols", RFC 3169, September 2001.

   [AAACriteria] B. Aboba, et al., "Criteria for Evaluating AAA
                 Protocols for Network Access", RFC 2989, November 2000.

   [DiamEAP]     P. Eronen, "Diameter EAP Application",
                 draft-ietf-aaa-eap-06.txt, IETF work in progress, May
                 2004.

   [DiamCMS]     P. Calhoun, W. Bulley, S. Farrell, "Diameter CMS
                 Security Application",
                 draft-ietf-aaa-diameter-cms-sec-04.txt, IETF work in
                 progress, March 2002.

   [DiamMIP]     P. Calhoun, C. Perkins, T. Johansson, P. McCann,
                 "Diameter Mobile IP Application",
                 draft-ietf-aaa-diameter-mobileip-18.txt, IETF work in
                 progress, May 2004.

   [RAD802.1X]   P. Congdon, et al., "IEEE 802.1X RADIUS Usage
                 Guidelines", RFC 3580, September 2003.

   [802.1X]      IEEE Standard for Local and metropolitan networks -
                 Port-Based Network Access Control, IEEE Std
                 802.1X-2001, June 2001.

   [CDMA2000]    3GPP2, "P.S0001-B", Wireless IP Network Standard,
                 October 2002.
                 http://www.3gpp2.com/Public_html/specs/P.S0001-B_v1.0.pdf

   [AppleTalk]   Sidhu, Gursharan; Andrews, Richard F. & Oppenheimer,
                 Alan B., "Inside AppleTalk", Second Edition, Apple
                 Computer, 1990.

   [ARAP]        "Apple Remote Access Protocol (ARAP) Version 2.0
                 External Reference Specification", Apple Computer,
                 September 1994, R0612LL/B.

   [IPX]         Novell, Inc., "NetWare System Technical Interface
                 Overview", June 1989, # 883-000780-001.

   [LAT]         Local Area Transport (LAT) Specification V5.0, Digital
                 Equipment Corp., AA-NL26A-TE, June 1989.

   [DIFFSERV]    K. Nichols, S. Blake, F. Baker, D. Black, "Definition
                 of the Differentiated Services Field (DS Field) in the
                 IPv4 and IPv6 Headers", RFC 2474, December 1998.

   [DIFFSERVAF]  J. Heinanen, F. Baker, W. Weiss, J. Wroclawski,
                 "Assured Forwarding PHB Group", RFC 2597, June 1999.

   [DIFFSERVEF]  B. Davie, A. Charny, J. Bennet, K. Benson, J. Le
                 Boudec, W. Courtney, S. Davari, V. Firoiu, D.
                 Stiliadis, "An Expedited Forwarding PHB", RFC 3246,
                 March 2002.

   [UTF-8]       F. Yergeau, "UTF-8, a transformation format of ISO
                 10646", STD 63, RFC 3629, November 2003.

   [ISOLatin]    ISO 8859. International Standard -- Information
                 Processing -- 8-bit Single-Byte Coded Graphic Character
                 Sets -- Part 1: Latin Alphabet No. 1, ISO 8859-1:1987.
                 URL:

   [PPP]         W. Simpson, Editor, "The Point-to-Point Protocol
                 (PPP)", STD 51, RFC 1661, July 1994.

   [PAP]         B. Lloyd, W. Simpson, "PPP Authentication Protocols",
                 RFC 1334, October 1992, obsoleted by RFC 1994.

14. Acknowledgements

   The authors would like to thank Carl Rigney, Allan C. Rubens, William
   Allen Simpson, and Steve Willens for their work on the original
   RADIUS [RADIUS], from which many of the concepts in this
   specification were derived. Thanks, also, to: Carl Rigney for
   [RADIUSAcct] and [RADIUSExt]; Ward Willats for [RADIUSExt]; Glen
   Zorn, Bernard Aboba and Dave Mitton for [RADTunlAcct] and [RADIPV6];
   Dory Leifer, John Shriver, Matt Holdrege and Ignacio Goyret for their
   work on [RADTunnels]. This document stole text and concepts from both
   [RADTunnels] and [RADIUSExt]. Thanks go to Carl Williams for
   providing IPv6 specific text.

   The authors would also like to acknowledge the following people for
   their contributions in the development of the Diameter protocol:
   Bernard Aboba, Jari Arkko, William Bulley, Kuntal Chowdhury, Daniel
   C. Fox, Lol Grant, Nancy Greene, Jeff Hagg, Peter Heitman, Paul
   Krumviede, Fergal Ladley, Ryan Moats, Victor Muslin, Kenneth Peirce,
   Sumit Vakil, John R. Vollbrecht and Jeff Weisberg.

   Finally, Pat Calhoun would like to thank Sun Microsystems since most
   of the effort put into this document was done while he was in their
   employ.

15. Authors' Addresses

   Questions about this memo can be directed to:

   Pat R. Calhoun
   Airespace
   110 Nortech Parkway
   San Jose, CA 95134
   USA

   Phone: 1 408-635-2023
   E-mail: pcalhoun@airespace.com

   Glen Zorn
   Cisco Systems, Inc.
   500 108th Avenue N.E., Suite 500
   Bellevue, WA 98004
   USA

   Phone: 1 425-471-4861
   E-Mail: gwz@cisco.com

   David Spence
   3259 Bluett Rd.
   Ann Arbor, MI 48105
   USA

   Phone: +1 734 834 6481
   EMail: dspence@computer.org

   David Mitton
   Circular Networks
   733 Turnpike St #154
   North Andover, MA 01845

   Email: dmitton@circularnetworks.com

Intellectual Property Considerations

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights. Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11. Copies of
   claims of rights made available for publication and any assurances of
   licenses to be made available, or the result of an attempt made to
   obtain a general license or permission for the use of such
   proprietary rights by implementers or users of this specification can
   be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard. Please address the information to the IETF Executive
   Director.

Full Copyright Statement

   Copyright (C) The Internet Society (2004).
This document is subject 3814 to the rights, licenses and restrictions contained in BCP 78, and 3815 except as set forth therein, the authors retain all their rights. 3817 This document and the information contained herein are provided on an 3818 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 3819 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 3820 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 3821 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 3822 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 3823 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.