idnits 2.17.1

draft-ietf-dime-rfc4005bis-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == There are 7 instances of lines with non-RFC6890-compliant IPv4 addresses
     in the document.  If these are example addresses, they should be changed.

  == There are 2 instances of lines with private range IPv4 addresses in the
     document.  If these are generic example addresses, they should be changed
     to use any of the ranges defined in RFC 6890 (or successor): 192.0.2.x,
     198.51.100.x or 203.0.113.x.

  == The 'Obsoletes: ' line in the draft header should list only the _numbers_
     of the RFCs which will be obsoleted by this document (if approved); it
     should not include the word 'RFC' in the list.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == The document seems to lack the recommended RFC 2119 boilerplate, even if
     it appears to use RFC 2119 keywords.

     (The document does seem to have the reference to RFC 2119 which the
     ID-Checklist requires).

  -- The exact meaning of the all-uppercase expression 'MAY NOT' is not
     defined in RFC 2119.  If it is intended as a requirements expression, it
     should be rewritten using one of the combinations defined in RFC 2119;
     otherwise it should not be all-uppercase.

  == The expression 'MAY NOT', while looking like RFC 2119 requirements text,
     is not defined in RFC 2119, and should not be used.  Consider using 'MUST
     NOT' instead (if that is what you mean).

     Found 'MAY NOT' in this paragraph:

     The following tables present the AVPs used by NAS applications in NAS
     messages and specify in which Diameter messages they MAY or MAY NOT be
     present.  Messages and AVPs defined in the base Diameter protocol
     [I-D.ietf-dime-rfc3588bis] are not described in this document.  Note that
     AVPs that can only be present within a Grouped AVP are not represented in
     this table.

  -- The document date (August 11, 2010) is 5004 days in the past.  Is this
     intentional?

  -- Found something which looks like a code comment -- if you have code
     sections in the document, please surround them with '<CODE BEGINS>' and
     '<CODE ENDS>' lines.

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Possible downref: Non-RFC (?) normative reference: ref. 'ANITypes'

  == Outdated reference: A later version (-34) exists of
     draft-ietf-dime-rfc3588bis-23

  -- Possible downref: Non-RFC (?) normative reference: ref. 'RADIUSTypes'

  ** Obsolete normative reference: RFC 5226 (Obsoleted by RFC 8126)

  -- Obsolete informational reference (is this intentional?): RFC 1334
     (Obsoleted by RFC 1994)

     Summary: 1 error (**), 0 flaws (~~), 7 warnings (==), 6 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Network Working Group                                       G. Zorn, Ed.
Internet-Draft                                               Network Zen
Obsoletes: RFC4005                                       August 11, 2010
(if approved)
Intended status: Standards Track
Expires: February 12, 2011

              Diameter Network Access Server Application
                     draft-ietf-dime-rfc4005bis-00

Abstract

   This document describes the Diameter protocol application used for
   Authentication, Authorization, and Accounting (AAA) services in the
   Network Access Server (NAS) environment.  When combined with the
   Diameter Base protocol, Transport Profile, and Extensible
   Authentication Protocol specifications, this application
   specification satisfies typical network access services requirements.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 12, 2011.

Copyright Notice

   Copyright (c) 2010 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology
     1.2.  Requirements Language
     1.3.  Advertising Application Support
   2.  NAS Calls, Ports, and Sessions
     2.1.  Diameter Session Establishment
     2.2.  Diameter Session Reauthentication or Reauthorization
     2.3.  Diameter Session Termination
   3.  Diameter NAS Application Messages
     3.1.  AA-Request (AAR) Command
     3.2.  AA-Answer (AAA) Command
     3.3.  Re-Auth-Request (RAR) Command
     3.4.  Re-Auth-Answer (RAA) Command
     3.5.  Session-Termination-Request (STR) Command
     3.6.  Session-Termination-Answer (STA) Command
     3.7.  Abort-Session-Request (ASR) Command
     3.8.  Abort-Session-Answer (ASA) Command
     3.9.  Accounting-Request (ACR) Command
     3.10. Accounting-Answer (ACA) Command
   4.  Diameter NAS Application AVPs
     4.1.  Derived AVP Data Formats
       4.1.1.  QoSFilterRule
     4.2.  NAS Session AVPs
       4.2.1.  Call and Session Information
       4.2.2.  NAS-Port AVP
       4.2.3.  NAS-Port-Id AVP
       4.2.4.  NAS-Port-Type AVP
       4.2.5.  Called-Station-Id AVP
       4.2.6.  Calling-Station-Id AVP
       4.2.7.  Connect-Info AVP
       4.2.8.  Originating-Line-Info AVP
       4.2.9.  Reply-Message AVP
     4.3.  NAS Authentication AVPs
       4.3.1.  User-Password AVP
       4.3.2.  Password-Retry AVP
       4.3.3.  Prompt AVP
       4.3.4.  CHAP-Auth AVP
       4.3.5.  CHAP-Algorithm AVP
       4.3.6.  CHAP-Ident AVP
       4.3.7.  CHAP-Response AVP
       4.3.8.  CHAP-Challenge AVP
       4.3.9.  ARAP-Password AVP
       4.3.10. ARAP-Challenge-Response AVP
       4.3.11. ARAP-Security AVP
       4.3.12. ARAP-Security-Data AVP
     4.4.  NAS Authorization AVPs
       4.4.1.  Service-Type AVP
       4.4.2.  Callback-Number AVP
       4.4.3.  Callback-Id AVP
       4.4.4.  Idle-Timeout AVP
       4.4.5.  Port-Limit AVP
       4.4.6.  NAS-Filter-Rule AVP
       4.4.7.  Filter-Id AVP
       4.4.8.  Configuration-Token AVP
       4.4.9.  QoS-Filter-Rule AVP
       4.4.10. Framed Access Authorization AVPs
         4.4.10.1.  Framed-Protocol AVP
         4.4.10.2.  Framed-Routing AVP
         4.4.10.3.  Framed-MTU AVP
         4.4.10.4.  Framed-Compression AVP
         4.4.10.5.  IP Access Authorization AVPs
           4.4.10.5.1.  Framed-IP-Address AVP
           4.4.10.5.2.  Framed-IP-Netmask AVP
           4.4.10.5.3.  Framed-Route AVP
           4.4.10.5.4.  Framed-Pool AVP
           4.4.10.5.5.  Framed-Interface-Id AVP
           4.4.10.5.6.  Framed-IPv6-Prefix AVP
           4.4.10.5.7.  Framed-IPv6-Route AVP
           4.4.10.5.8.  Framed-IPv6-Pool AVP
         4.4.10.6.  IPX Access AVPs
           4.4.10.6.1.  Framed-IPX-Network AVP
         4.4.10.7.  AppleTalk Network Access AVPs
           4.4.10.7.1.  Framed-AppleTalk-Link AVP
           4.4.10.7.2.  Framed-AppleTalk-Network AVP
           4.4.10.7.3.  Framed-AppleTalk-Zone AVP
         4.4.10.8.  AppleTalk Remote Access AVPs
           4.4.10.8.1.  ARAP-Features AVP
           4.4.10.8.2.  ARAP-Zone-Access AVP
       4.4.11. Non-Framed Access Authorization AVPs
         4.4.11.1.  Login-IP-Host AVP
         4.4.11.2.  Login-IPv6-Host AVP
         4.4.11.3.  Login-Service AVP
         4.4.11.4.  TCP Services
           4.4.11.4.1.  Login-TCP-Port AVP
         4.4.11.5.  LAT Services
           4.4.11.5.1.  Login-LAT-Service AVP
           4.4.11.5.2.  Login-LAT-Node AVP
           4.4.11.5.3.  Login-LAT-Group AVP
           4.4.11.5.4.  Login-LAT-Port AVP
     4.5.  NAS Tunneling AVPs
       4.5.1.  Tunneling AVP
       4.5.2.  Tunnel-Type AVP
       4.5.3.  Tunnel-Medium-Type AVP
       4.5.4.  Tunnel-Client-Endpoint AVP
       4.5.5.  Tunnel-Server-Endpoint AVP
       4.5.6.  Tunnel-Password AVP
       4.5.7.  Tunnel-Private-Group-Id AVP
       4.5.8.  Tunnel-Assignment-Id AVP
       4.5.9.  Tunnel-Preference AVP
       4.5.10. Tunnel-Client-Auth-Id AVP
       4.5.11. Tunnel-Server-Auth-Id AVP
     4.6.  NAS Accounting AVPs
       4.6.1.  Accounting-Input-Octets AVP
       4.6.2.  Accounting-Output-Octets AVP
       4.6.3.  Accounting-Input-Packets AVP
       4.6.4.  Accounting-Output-Packets AVP
       4.6.5.  Acct-Session-Time AVP
       4.6.6.  Acct-Authentic AVP
       4.6.7.  Accounting-Auth-Method AVP
       4.6.8.  Acct-Delay-Time AVP
       4.6.9.  Acct-Link-Count AVP
       4.6.10. Acct-Tunnel-Connection AVP
       4.6.11. Acct-Tunnel-Packets-Lost AVP
   5.  AVP Occurrence Tables
     5.1.  AA-Request/Answer AVP Table
     5.2.  Accounting AVP Tables
       5.2.1.  Framed Access Accounting AVP Table
       5.2.2.  Non-Framed Access Accounting AVP Table
   6.  IANA Considerations
     6.1.  Command Codes
     6.2.  AVP Codes
     6.3.  Application Identifier
     6.4.  CHAP-Algorithm AVP Values
     6.5.  Accounting-Auth-Method AVP Values
   7.  Security Considerations
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Acknowledgements
     A.1.  RFC 4005
     A.2.  RFC 4005bis

1.  Introduction

   This document describes the Diameter protocol application used for
   AAA in the Network Access Server (NAS) environment.  When combined
   with the Diameter Base protocol [I-D.ietf-dime-rfc3588bis], Transport
   Profile [RFC3539], and EAP [RFC4072] specifications, this
   specification satisfies NAS-related requirements defined in [RFC2989]
   and [RFC3169].

   First, this document describes the operation of a Diameter NAS
   application.  Then it defines the Diameter message Command-Codes.
   The following sections list the AVPs used in these messages, grouped
   by common usage.  These are session identification, authentication,
   authorization, tunneling, and accounting.  The authorization AVPs are
   further broken down by service type.

1.1.  Terminology

   Section 1.2 of the base Diameter specification
   [I-D.ietf-dime-rfc3588bis] defines most of the terminology used in
   this document.  Additionally, the following terms and acronyms are
   used in this application:

   NAS (Network Access Server)
      A device that provides an access service for a user to a network.
      The service may be a network connection or a value-added service
      such as terminal emulation [RFC2881].

   PPP (Point-to-Point Protocol)
      A multiprotocol serial datalink.  PPP is the primary IP datalink
      used for dial-in NAS connection service [RFC1661].

   CHAP (Challenge Handshake Authentication Protocol)
      An authentication process used in PPP [RFC1994].

   PAP (Password Authentication Protocol)
      A deprecated PPP authentication process, but often used for
      backward compatibility [RFC1334].

   SLIP (Serial Line Interface Protocol)
      A serial datalink that only supports IP.  A design prior to PPP.

   ARAP (Appletalk Remote Access Protocol)
      A serial datalink for accessing Appletalk networks [ARAP].

   IPX (Internet Packet Exchange)
      The network protocol used by NetWare networks [IPX].

   LAT (Local Area Transport)
      A Digital Equipment Corp. LAN protocol for terminal services
      [LAT].

   VPN (Virtual Private Network)
      In this document, this term is used to describe access services
      that use tunneling methods.

1.2.  Requirements Language

   In this document, the key words "MAY", "MUST", "MUST NOT",
   "OPTIONAL", "RECOMMENDED", "SHOULD", and "SHOULD NOT" are to be
   interpreted as described in [RFC2119].

1.3.  Advertising Application Support

   Diameter applications conforming to this specification MUST advertise
   support by including the value of one (1) in the Auth-Application-Id
   of the Capabilities-Exchange-Request (CER), AA-Request (AAR), and AA-
   Answer (AAA) messages.  All other messages are defined by RFC 3588
   and use the Base application id value.

2.  NAS Calls, Ports, and Sessions

   The arrival of a new call or service connection at a port of a
   Network Access Server (NAS) starts a Diameter NAS message exchange.
   Information about the call, the identity of the user, and the user's
   authentication information are packaged into a Diameter AA-Request
   (AAR) message and sent to a server.

   The server processes the information and responds with a Diameter AA-
   Answer (AAA) message that contains authorization information for the
   NAS, or a failure code (Result-Code AVP).  A value of
   DIAMETER_MULTI_ROUND_AUTH indicates an additional authentication
   exchange, and several AAR and AAA messages may be exchanged until the
   transaction completes.

   Depending on the value of the Auth-Request-Type AVP, the Diameter
   protocol allows authorization-only requests that contain no
   authentication information from the client.  This capability goes
   beyond the Call Check capabilities provided by RADIUS (Section 5.6 of
   [RFC2865]) in that no access decision is requested.  As a result,
   service cannot be started as a result of a response to an
   authorization-only request without introducing a significant security
   vulnerability.

2.1.  Diameter Session Establishment

   When the authentication or authorization exchange completes
   successfully, the NAS application SHOULD start a session context.  If
   the Result-Code of DIAMETER_MULTI_ROUND_AUTH is returned, the
   exchange continues until a success or error is returned.

   If accounting is active, the application MUST also send an Accounting
   message [I-D.ietf-dime-rfc3588bis].  An Accounting-Record-Type of
   START_RECORD is sent for a new session.  If a session fails to start,
   the EVENT_RECORD message is sent with the reason for the failure
   described.

   Note that the return of an unsupportable Accounting-Realtime-Required
   value [I-D.ietf-dime-rfc3588bis] would result in a failure to
   establish the session.
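How a NAS might act on the AA-Answer outcomes described in Sections 2 and 2.1 (and the State-echo rule of Section 3.1), as an added example in Python; this is not code from the draft or from any Diameter implementation. The numeric Result-Code, Auth-Request-Type, Accounting-Record-Type and Accounting-Realtime-Required values are the base protocol's, and the AAAnswer/Decision objects are a model assumed for illustration.

```python
"""NAS-side handling of an AA-Answer, following Sections 2 and 2.1 (and the
State-echo rule of Section 3.1).  Added example, not code from the draft or
any Diameter implementation.  The numeric Result-Code, Auth-Request-Type,
Accounting-Record-Type and Accounting-Realtime-Required values are the base
protocol's; the AAAnswer/Decision objects are this example's own model.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DIAMETER_MULTI_ROUND_AUTH = 1001
DIAMETER_SUCCESS = 2001
AUTHENTICATE_ONLY, AUTHORIZE_ONLY, AUTHORIZE_AUTHENTICATE = 1, 2, 3
EVENT_RECORD, START_RECORD = 1, 2
# Accounting-Realtime-Required: DELIVER_AND_GRANT, GRANT_AND_STORE, GRANT_AND_LOSE
REALTIME_VALUES = {1, 2, 3}


@dataclass
class AAAnswer:
    session_id: str
    auth_request_type: int               # Auth-Request-Type echoed from the AAR
    result_code: int
    state: Optional[bytes] = None        # State AVP, when the server sent one
    reply_messages: List[str] = field(default_factory=list)
    accounting_realtime_required: Optional[int] = None


@dataclass
class Decision:
    action: str                          # "start", "continue", "authorized", "fail"
    acct_record: Optional[int] = None    # Accounting-Record-Type to send, if any
    prompt: List[str] = field(default_factory=list)
    reason: str = ""


class NasSessionHandler:
    def __init__(self, accounting_active=True, supported_realtime=REALTIME_VALUES):
        self.accounting_active = accounting_active
        self.supported_realtime = supported_realtime
        self.active: Dict[str, int] = {}               # Session-Id -> request type
        self.pending: Dict[str, Optional[bytes]] = {}  # multi-round: State to echo

    def handle_aaa(self, ans: AAAnswer) -> Decision:
        if ans.result_code == DIAMETER_MULTI_ROUND_AUTH:
            # Section 2.1: the exchange continues.  Remember the State AVP, which
            # the next AAR MUST carry, and hand the Reply-Message text to the user.
            self.pending[ans.session_id] = ans.state
            return Decision("continue", prompt=list(ans.reply_messages))
        self.pending.pop(ans.session_id, None)
        if ans.result_code != DIAMETER_SUCCESS:
            return self._fail(ans, "Result-Code %d" % ans.result_code)
        if ans.auth_request_type == AUTHORIZE_ONLY:
            # Section 2: an authorization-only answer requested no access
            # decision, so no service is started from it.
            return Decision("authorized", reason="no access decision requested")
        rt = ans.accounting_realtime_required
        if rt is not None and rt not in self.supported_realtime:
            # Section 2.1: an unsupportable value fails session establishment.
            return self._fail(ans, "unsupported Accounting-Realtime-Required %d" % rt)
        self.active[ans.session_id] = ans.auth_request_type
        return Decision("start", acct_record=self._record(START_RECORD))

    def next_aar(self, session_id: str, user_password: str) -> dict:
        """AVPs of the follow-up AAR in a multi-round exchange (Section 3.1):
        the user's reply in User-Password plus any State AVP from the AAA."""
        if session_id not in self.pending:
            raise LookupError("no multi-round exchange pending for " + session_id)
        avps = {"Session-Id": session_id, "User-Password": user_password}
        if self.pending[session_id] is not None:
            avps["State"] = self.pending[session_id]
        return avps

    def _fail(self, ans: AAAnswer, reason: str) -> Decision:
        # Section 2.1: a session that fails to start is reported with EVENT_RECORD.
        return Decision("fail", acct_record=self._record(EVENT_RECORD), reason=reason)

    def _record(self, record_type: int) -> Optional[int]:
        return record_type if self.accounting_active else None
```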
2.2.  Diameter Session Reauthentication or Reauthorization

   The Diameter Base protocol allows users to be periodically
   reauthenticated and/or reauthorized.  In such instances, the
   Session-Id AVP in the AAR message MUST be the same as the one present
   in the original authentication/authorization message.

   A Diameter server informs the NAS of the maximum time allowed before
   reauthentication or reauthorization via the Authorization-Lifetime
   AVP [I-D.ietf-dime-rfc3588bis].  A NAS MAY reauthenticate and/or
   reauthorize before the end, but a NAS MUST reauthenticate and/or
   reauthorize at the end of the period provided by the Authorization-
   Lifetime AVP.  The failure of a reauthentication exchange will
   terminate the service.

   Furthermore, it is possible for Diameter servers to issue an
   unsolicited reauthentication and/or reauthorization request (e.g.,
   Re-Auth-Request (RAR) message [I-D.ietf-dime-rfc3588bis]) to the NAS.
   Upon receipt of such a message, the NAS MUST respond to the request
   with a Re-Auth-Answer (RAA) message [I-D.ietf-dime-rfc3588bis].

   If the RAR properly identifies an active session, the NAS will
   initiate a new local reauthentication or authorization sequence as
   indicated by the Re-Auth-Request-Type value.  This will cause the NAS
   to send a new AAR message using the existing Session-Id.  The server
   will respond with an AAA message to specify the new service
   parameters.

   If accounting is active, every change of authentication or
   authorization SHOULD generate an accounting message.  If the NAS
   service is a continuation of the prior user context, then an
   Accounting-Record-Type of INTERIM_RECORD indicating the new session
   attributes and cumulative status would be appropriate.  If a new user
   or a significant change in authorization is detected by the NAS, then
   the service may send two messages of the types STOP_RECORD and
   START_RECORD.  Accounting may change the subsession identifiers
   (Acct-Session-ID, or Acct-Sub-Session-Id) to indicate such sub-
   sessions.  A service may also use a different Session-Id value for
   accounting; see Section 9.6 of [I-D.ietf-dime-rfc3588bis].

   However, the Diameter Session-ID AVP value used for the initial
   authorization exchange MUST be used to generate an STR message when
   the session context is terminated.

2.3.  Diameter Session Termination

   When a NAS receives an indication that a user's session is being
   disconnected by the client (e.g., LCP Terminate is received) or an
   administrative command, the NAS MUST issue a Session-Termination-
   Request (STR) [I-D.ietf-dime-rfc3588bis] to its Diameter Server.
   This will ensure that any resources maintained on the servers are
   freed appropriately.

   Furthermore, a NAS that receives an Abort-Session-Request (ASR)
   [I-D.ietf-dime-rfc3588bis] MUST issue an ASA if the session
   identified is active and disconnect the PPP (or tunneling) session.

   If accounting is active, an Accounting STOP_RECORD message
   [I-D.ietf-dime-rfc3588bis] MUST be sent upon termination of the
   session context.

   More information on Diameter Session Termination can be found in
   Sections 8.4 and 8.5 of [I-D.ietf-dime-rfc3588bis].

3.  Diameter NAS Application Messages

   This section defines the Diameter message Command-Code
   [I-D.ietf-dime-rfc3588bis] values that MUST be supported by all
   Diameter implementations conforming to this specification.  The
   Command Codes are as follows:

   +-----------------------------------+---------+------+--------------+
   | Command Name                      | Abbrev. | Code | Reference    |
   +-----------------------------------+---------+------+--------------+
   | AA-Request                        | AAR     | 265  | Section 3.1  |
   | AA-Answer                         | AAA     | 265  | Section 3.2  |
   | Re-Auth-Request                   | RAR     | 258  | Section 3.3  |
   | Re-Auth-Answer                    | RAA     | 258  | Section 3.4  |
   | Session-Termination-Request       | STR     | 275  | Section 3.5  |
   | Session-Termination-Answer        | STA     | 275  | Section 3.6  |
   | Abort-Session-Request             | ASR     | 274  | Section 3.7  |
   | Abort-Session-Answer              | ASA     | 274  | Section 3.8  |
   | Accounting-Request                | ACR     | 271  | Section 3.9  |
   | Accounting-Answer                 | ACA     | 271  | Section 3.10 |
   +-----------------------------------+---------+------+--------------+

3.1.  AA-Request (AAR) Command

   The AA-Request (AAR), which is indicated by setting the Command-Code
   field to 265 and the 'R' bit in the Command Flags field, is used to
   request authentication and/or authorization for a given NAS user.
   The type of request is identified through the Auth-Request-Type AVP
   [I-D.ietf-dime-rfc3588bis].  The recommended value for most RADIUS
   interoperability situations is AUTHORIZE_AUTHENTICATE.

   If Authentication is requested, the User-Name attribute SHOULD be
   present, as well as any additional authentication AVPs that would
   carry the password information.  A request for authorization SHOULD
   only include the information from which the authorization will be
   performed, such as the User-Name, Called-Station-Id, or Calling-
   Station-Id AVPs.  All requests SHOULD contain AVPs uniquely
   identifying the source of the call, such as Origin-Host and NAS-Port.
   Certain networks MAY use different AVPs for authorization purposes.
   A request for authorization will include some AVPs defined in
   Section 4.4.

   It is possible for a single session to be authorized first and then
   for an authentication request to follow.

   This AA-Request message MAY be the result of a multi-round
   authentication exchange, which occurs when the AA-Answer message is
   received with the Result-Code AVP set to DIAMETER_MULTI_ROUND_AUTH.
   A subsequent AAR message SHOULD be sent, with the User-Password AVP
   that includes the user's response to the prompt, and MUST include any
   State AVPs that were present in the AAA message.

   Message Format

      <AA-Request> ::= < Diameter Header: 265, REQ, PXY >
                       < Session-Id >
                       { Auth-Application-Id }
                       { Origin-Host }
                       { Origin-Realm }
                       { Destination-Realm }
                       { Auth-Request-Type }
                       [ Destination-Host ]
                       [ NAS-Identifier ]
                       [ NAS-IP-Address ]
                       [ NAS-IPv6-Address ]
                       [ NAS-Port ]
                       [ NAS-Port-Id ]
                       [ NAS-Port-Type ]
                       [ Origin-AAA-Protocol ]
                       [ Origin-State-Id ]
                       [ Port-Limit ]
                       [ User-Name ]
                       [ User-Password ]
                       [ Service-Type ]
                       [ State ]
                       [ Authorization-Lifetime ]
                       [ Auth-Grace-Period ]
                       [ Auth-Session-State ]
                       [ Callback-Number ]
                       [ Called-Station-Id ]
                       [ Calling-Station-Id ]
                       [ Originating-Line-Info ]
                       [ Connect-Info ]
                       [ CHAP-Auth ]
                       [ CHAP-Challenge ]
                     * [ Framed-Compression ]
                       [ Framed-Interface-Id ]
                       [ Framed-IP-Address ]
                     * [ Framed-IPv6-Prefix ]
                       [ Framed-IP-Netmask ]
                       [ Framed-MTU ]
                       [ Framed-Protocol ]
                       [ ARAP-Password ]
                       [ ARAP-Security ]
                     * [ ARAP-Security-Data ]
                     * [ Login-IP-Host ]
                     * [ Login-IPv6-Host ]
                       [ Login-LAT-Group ]
                       [ Login-LAT-Node ]
                       [ Login-LAT-Port ]
                       [ Login-LAT-Service ]
                     * [ Tunneling ]
                     * [ Proxy-Info ]
                     * [ Route-Record ]
                     * [ AVP ]

3.2.  AA-Answer (AAA) Command

   The AA-Answer (AAA) message is indicated by setting the Command-Code
   field to 265 and clearing the 'R' bit in the Command Flags field.  It
   is sent in response to the AA-Request (AAR) message.  If
   authorization was requested, a successful response will include the
   authorization AVPs appropriate for the service being provided, as
   defined in Section 4.4.

   For authentication exchanges requiring more than a single round trip,
   the server MUST set the Result-Code AVP to DIAMETER_MULTI_ROUND_AUTH.
   An AAA message with this result code MAY include one or more
   Reply-Message AVPs and MAY include zero or one State AVPs.

   If the Reply-Message AVP was present, the network access server
   SHOULD send the text to the user's client to display to the user,
   instructing the client to prompt the user for a response.  For
   example, this capability can be achieved in PPP via PAP.  If the
   access client is unable to prompt the user for a new response, it
   MUST treat the AA-Answer (AAA) with the Reply-Message AVP as an error
   and deny access.

   Message Format

      <AA-Answer> ::= < Diameter Header: 265, PXY >
                      < Session-Id >
                      { Auth-Application-Id }
                      { Auth-Request-Type }
                      { Result-Code }
                      { Origin-Host }
                      { Origin-Realm }
                      [ User-Name ]
                      [ Service-Type ]
                    * [ Class ]
                    * [ Configuration-Token ]
                      [ Acct-Interim-Interval ]
                      [ Error-Message ]
                      [ Error-Reporting-Host ]
                    * [ Failed-AVP ]
                      [ Idle-Timeout ]
                      [ Authorization-Lifetime ]
                      [ Auth-Grace-Period ]
                      [ Auth-Session-State ]
                      [ Re-Auth-Request-Type ]
                      [ Multi-Round-Time-Out ]
                      [ Session-Timeout ]
                      [ State ]
                    * [ Reply-Message ]
                      [ Origin-AAA-Protocol ]
                      [ Origin-State-Id ]
                    * [ Filter-Id ]
                      [ Password-Retry ]
                      [ Port-Limit ]
                      [ Prompt ]
                      [ ARAP-Challenge-Response ]
                      [ ARAP-Features ]
                      [ ARAP-Security ]
                    * [ ARAP-Security-Data ]
                      [ ARAP-Zone-Access ]
                      [ Callback-Id ]
                      [ Callback-Number ]
                      [ Framed-AppleTalk-Link ]
                    * [ Framed-AppleTalk-Network ]
                      [ Framed-AppleTalk-Zone ]
                    * [ Framed-Compression ]
                      [ Framed-Interface-Id ]
                      [ Framed-IP-Address ]
                    * [ Framed-IPv6-Prefix ]
                      [ Framed-IPv6-Pool ]
                    * [ Framed-IPv6-Route ]
                      [ Framed-IP-Netmask ]
                    * [ Framed-Route ]
                      [ Framed-Pool ]
                      [ Framed-IPX-Network ]
                      [ Framed-MTU ]
                      [ Framed-Protocol ]
                      [ Framed-Routing ]
                    * [ Login-IP-Host ]
                    * [ Login-IPv6-Host ]
                      [ Login-LAT-Group ]
                      [ Login-LAT-Node ]
                      [ Login-LAT-Port ]
                      [ Login-LAT-Service ]
                      [ Login-Service ]
                      [ Login-TCP-Port ]
                    * [ NAS-Filter-Rule ]
                    * [ QoS-Filter-Rule ]
                    * [ Tunneling ]
                    * [ Redirect-Host ]
                      [ Redirect-Host-Usage ]
                      [ Redirect-Max-Cache-Time ]
                    * [ Proxy-Info ]
                    * [ AVP ]

3.3.  Re-Auth-Request (RAR) Command

   A Diameter server may initiate a re-authentication and/or re-
   authorization service for a particular session by issuing a Re-Auth-
   Request (RAR) message [I-D.ietf-dime-rfc3588bis].

   For example, for pre-paid services, the Diameter server that
   originally authorized a session may need some confirmation that the
   user is still using the services.

   If a NAS receives an RAR message with Session-Id equal to a currently
   active session and a Re-Auth-Type that includes authentication, it
   MUST initiate a re-authentication toward the user, if the service
   supports this particular feature.
578 Message Format 580 ::= < Diameter Header: 258, REQ, PXY > 581 < Session-Id > 582 { Origin-Host } 583 { Origin-Realm } 584 { Destination-Realm } 585 { Destination-Host } 586 { Auth-Application-Id } 587 { Re-Auth-Request-Type } 588 [ User-Name ] 589 [ Origin-AAA-Protocol ] 590 [ Origin-State-Id ] 591 [ NAS-Identifier ] 592 [ NAS-IP-Address ] 593 [ NAS-IPv6-Address ] 594 [ NAS-Port ] 595 [ NAS-Port-Id ] 596 [ NAS-Port-Type ] 597 [ Service-Type ] 598 [ Framed-IP-Address ] 599 [ Framed-IPv6-Prefix ] 600 [ Framed-Interface-Id ] 601 [ Called-Station-Id ] 602 [ Calling-Station-Id ] 603 [ Originating-Line-Info ] 604 [ Acct-Session-Id ] 605 [ Acct-Multi-Session-Id ] 606 [ State ] 607 * [ Class ] 608 [ Reply-Message ] 609 * [ Proxy-Info ] 610 * [ Route-Record ] 611 * [ AVP ] 613 3.4. Re-Auth-Answer (RAA) Command 615 The Re-Auth-Answer (RAA) message [I-D.ietf-dime-rfc3588bis] is sent 616 in response to the RAR. The Result-Code AVP MUST be present and 617 indicates the disposition of the request. 619 A successful RAA transaction MUST be followed by an AAR message. 621 Message Format 623 ::= < Diameter Header: 258, PXY > 624 < Session-Id > 625 { Result-Code } 626 { Origin-Host } 627 { Origin-Realm } 628 [ User-Name ] 629 [ Origin-AAA-Protocol ] 630 [ Origin-State-Id ] 631 [ Error-Message ] 632 [ Error-Reporting-Host ] 633 * [ Failed-AVP ] 634 * [ Redirected-Host ] 635 [ Redirected-Host-Usage ] 636 [ Redirected-Host-Cache-Time ] 637 [ Service-Type ] 638 * [ Configuration-Token ] 639 [ Idle-Timeout ] 640 [ Authorization-Lifetime ] 641 [ Auth-Grace-Period ] 642 [ Re-Auth-Request-Type ] 643 [ State ] 644 * [ Class ] 645 * [ Reply-Message ] 646 [ Prompt ] 647 * [ Proxy-Info ] 648 * [ AVP ] 650 3.5. Session-Termination-Request (STR) Command 652 The Session-Termination-Request (STR) message 653 [I-D.ietf-dime-rfc3588bis] is sent by the NAS to inform the Diameter 654 Server that an authenticated and/or authorized session is being 655 terminated. 
   Message Format

      <STR> ::= < Diameter Header: 275, REQ, PXY >
                < Session-Id >
                { Origin-Host }
                { Origin-Realm }
                { Destination-Realm }
                { Auth-Application-Id }
                { Termination-Cause }
                [ User-Name ]
                [ Destination-Host ]
              * [ Class ]
                [ Origin-AAA-Protocol ]
                [ Origin-State-Id ]
              * [ Proxy-Info ]
              * [ Route-Record ]
              * [ AVP ]

3.6.  Session-Termination-Answer (STA) Command

   The Session-Termination-Answer (STA) message
   [I-D.ietf-dime-rfc3588bis] is sent by the Diameter Server to
   acknowledge the notification that the session has been terminated.
   The Result-Code AVP MUST be present and MAY contain an indication
   that an error occurred while the STR was being serviced.

   Upon sending or receiving the STA, the Diameter Server MUST release
   all resources for the session indicated by the Session-Id AVP.  Any
   intermediate server in the Proxy-Chain MAY also release any
   resources, if necessary.

   Message Format

      <STA> ::= < Diameter Header: 275, PXY >
                < Session-Id >
                { Result-Code }
                { Origin-Host }
                { Origin-Realm }
                [ User-Name ]
              * [ Class ]
                [ Error-Message ]
                [ Error-Reporting-Host ]
              * [ Failed-AVP ]
                [ Origin-AAA-Protocol ]
                [ Origin-State-Id ]
              * [ Redirect-Host ]
                [ Redirect-Host-Usage ]
                [ Redirect-Max-Cache-Time ]
              * [ Proxy-Info ]
              * [ AVP ]

3.7.  Abort-Session-Request (ASR) Command

   The Abort-Session-Request (ASR) message [I-D.ietf-dime-rfc3588bis]
   may be sent by any server to the NAS providing session service, to
   request that the session identified by the Session-Id be stopped.
   Message Format

      <ASR> ::= < Diameter Header: 274, REQ, PXY >
                < Session-Id >
                { Origin-Host }
                { Origin-Realm }
                { Destination-Realm }
                { Destination-Host }
                { Auth-Application-Id }
                [ User-Name ]
                [ Origin-AAA-Protocol ]
                [ Origin-State-Id ]
                [ NAS-Identifier ]
                [ NAS-IP-Address ]
                [ NAS-IPv6-Address ]
                [ NAS-Port ]
                [ NAS-Port-Id ]
                [ NAS-Port-Type ]
                [ Service-Type ]
                [ Framed-IP-Address ]
                [ Framed-IPv6-Prefix ]
                [ Framed-Interface-Id ]
                [ Called-Station-Id ]
                [ Calling-Station-Id ]
                [ Originating-Line-Info ]
                [ Acct-Session-Id ]
                [ Acct-Multi-Session-Id ]
                [ State ]
              * [ Class ]
              * [ Reply-Message ]
              * [ Proxy-Info ]
              * [ Route-Record ]
              * [ AVP ]

3.8.  Abort-Session-Answer (ASA) Command

   The ASA message [I-D.ietf-dime-rfc3588bis] is sent in response to the
   ASR.  The Result-Code AVP MUST be present and indicates the
   disposition of the request.

   If the session identified by Session-Id in the ASR was successfully
   terminated, Result-Code is set to DIAMETER_SUCCESS.  If the session
   is not currently active, the Result-Code AVP is set to
   DIAMETER_UNKNOWN_SESSION_ID.  If the access device does not stop the
   session for any other reason, the Result-Code AVP is set to
   DIAMETER_UNABLE_TO_COMPLY.

   Message Format

      <ASA> ::= < Diameter Header: 274, PXY >
                < Session-Id >
                { Result-Code }
                { Origin-Host }
                { Origin-Realm }
                [ User-Name ]
                [ Origin-AAA-Protocol ]
                [ Origin-State-Id ]
                [ State ]
                [ Error-Message ]
                [ Error-Reporting-Host ]
              * [ Failed-AVP ]
              * [ Redirected-Host ]
                [ Redirected-Host-Usage ]
                [ Redirected-Max-Cache-Time ]
              * [ Proxy-Info ]
              * [ AVP ]

3.9.  Accounting-Request (ACR) Command

   The ACR message [I-D.ietf-dime-rfc3588bis] is sent by the NAS to
   report its session information to a target server downstream.
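   The command grammars in Section 3 use the base-protocol notation:
   AVPs in < > have a fixed position, AVPs in { } are mandatory, AVPs in
   [ ] are optional, a leading * marks an AVP that may occur more than
   once, and "* [ AVP ]" admits any other AVP.  The following Python is
   an added example, not code from this draft or from any Diameter
   implementation.  It parses the ASA grammar of Section 3.8 exactly as
   it appears above, checks a received AVP list against it, and selects
   the ASA Result-Code by the rules given in Section 3.8.  AVP names are
   compared as strings (a real stack would map AVP codes to names via
   its dictionary), and the sample answer and Session-Id values are
   constructed for the example.

```python
"""Check Diameter NAS command messages against the Section 3 grammars.

Added example, not from the draft.  AVP names are handled as strings; a
real implementation would map AVP codes to names via its dictionary.
"""
import re
from collections import Counter

# ASA command grammar, copied from Section 3.8 of the draft.
ASA_FORMAT = """
<ASA> ::= < Diameter Header: 274, PXY >
          < Session-Id >
          { Result-Code }
          { Origin-Host }
          { Origin-Realm }
          [ User-Name ]
          [ Origin-AAA-Protocol ]
          [ Origin-State-Id ]
          [ State ]
          [ Error-Message ]
          [ Error-Reporting-Host ]
        * [ Failed-AVP ]
        * [ Redirected-Host ]
          [ Redirected-Host-Usage ]
          [ Redirected-Max-Cache-Time ]
        * [ Proxy-Info ]
        * [ AVP ]
"""

_HEADER = re.compile(r"<\s*Diameter Header:\s*(?P<code>\d+)(?P<flags>(?:\s*,\s*[A-Z]+)*)\s*>")
_RULE = re.compile(r"^\s*(?P<star>\*)?\s*(?P<open>[<{\[])\s*(?P<name>[A-Za-z0-9-]+)\s*[>}\]]\s*$")


def parse_format(text):
    """Parse a command grammar into (command_code, header_flags, rules).

    rules maps AVP name -> (required, repeatable).  '<' and '{' entries are
    required; a leading '*' marks an AVP that may occur more than once.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = _HEADER.search(lines[0])
    if header is None:
        raise ValueError("first line must carry the Diameter Header")
    code = int(header.group("code"))
    flags = [f for f in re.split(r"\s*,\s*", header.group("flags")) if f]
    rules = {}
    for line in lines[1:]:
        m = _RULE.match(line)
        if m is None:
            raise ValueError("unparseable grammar line: %r" % line)
        rules[m.group("name")] = (m.group("open") in "<{", m.group("star") is not None)
    return code, flags, rules


def check_message(rules, avp_names):
    """Return a list of violations (empty when the AVP list fits the grammar)."""
    counts = Counter(avp_names)
    problems = []
    for name, (required, repeatable) in rules.items():
        if name == "AVP":          # the '* [ AVP ]' wildcard is not a real AVP
            continue
        n = counts.get(name, 0)
        if required and n == 0:
            problems.append("missing mandatory AVP %s" % name)
        if n > 1 and not repeatable:
            problems.append("AVP %s occurs %d times but may occur once" % (name, n))
    if "AVP" not in rules:     # no wildcard: every AVP must be named in the grammar
        problems += ["AVP %s is not permitted" % n for n in counts if n not in rules]
    return problems


def asa_result_code(active_sessions, session_id, stopped):
    """Section 3.8: the Result-Code a NAS puts in its ASA for a given ASR."""
    if session_id not in active_sessions:
        return "DIAMETER_UNKNOWN_SESSION_ID"
    return "DIAMETER_SUCCESS" if stopped else "DIAMETER_UNABLE_TO_COMPLY"


if __name__ == "__main__":
    code, flags, rules = parse_format(ASA_FORMAT)
    # Constructed sample answer: Failed-AVP may repeat, so this one is valid.
    answer = ["Session-Id", "Result-Code", "Origin-Host", "Origin-Realm",
              "Failed-AVP", "Failed-AVP"]
    print(code, flags, check_message(rules, answer) or "grammar OK")
    # Constructed Session-Id values: the ASR names a session the NAS never had.
    print(asa_result_code({"nas.example.com;1;7"}, "nas.example.com;1;9", stopped=False))
```

   The same parser accepts any of the Section 3 grammars, so a receiver
   can load the RAR, STR, ACR and other formats from the text of this
   section and reject a message that lacks a mandatory AVP or repeats
   one that may occur only once, before acting on it.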
   Either the Acct-Application-Id AVP or the Vendor-Specific-
   Application-Id AVP MUST be present.  If the Vendor-Specific-
   Application-Id grouped AVP is present, it must have an Acct-
   Application-Id inside.

   The AVPs listed in the Base protocol specification
   [I-D.ietf-dime-rfc3588bis] MUST be assumed to be present, as
   appropriate.  NAS service-specific accounting AVPs SHOULD be present
   as described in Section 4.6 and the rest of this specification.

   Message Format

      <ACR> ::= < Diameter Header: 271, REQ, PXY >
                < Session-Id >
                { Origin-Host }
                { Origin-Realm }
                { Destination-Realm }
                { Accounting-Record-Type }
                { Accounting-Record-Number }
                [ Acct-Application-Id ]
                [ Vendor-Specific-Application-Id ]
                [ User-Name ]
                [ Accounting-Sub-Session-Id ]
                [ Acct-Session-Id ]
                [ Acct-Multi-Session-Id ]
                [ Origin-AAA-Protocol ]
                [ Origin-State-Id ]
                [ Destination-Host ]
                [ Event-Timestamp ]
                [ Acct-Delay-Time ]
                [ NAS-Identifier ]
                [ NAS-IP-Address ]
                [ NAS-IPv6-Address ]
                [ NAS-Port ]
                [ NAS-Port-Id ]
                [ NAS-Port-Type ]
              * [ Class ]
                [ Service-Type ]
                [ Termination-Cause ]
                [ Accounting-Input-Octets ]
                [ Accounting-Input-Packets ]
                [ Accounting-Output-Octets ]
                [ Accounting-Output-Packets ]
                [ Acct-Authentic ]
                [ Accounting-Auth-Method ]
                [ Acct-Link-Count ]
                [ Acct-Session-Time ]
                [ Acct-Tunnel-Connection ]
                [ Acct-Tunnel-Packets-Lost ]
                [ Callback-Id ]
                [ Callback-Number ]
                [ Called-Station-Id ]
                [ Calling-Station-Id ]
              * [ Connection-Info ]
                [ Originating-Line-Info ]
                [ Authorization-Lifetime ]
                [ Session-Timeout ]
                [ Idle-Timeout ]
                [ Port-Limit ]
                [ Accounting-Realtime-Required ]
                [ Acct-Interim-Interval ]
              * [ Filter-Id ]
              * [ NAS-Filter-Rule ]
              * [ QoS-Filter-Rule ]
                [ Framed-AppleTalk-Link ]
                [ Framed-AppleTalk-Network ]
                [ Framed-AppleTalk-Zone ]
                [ Framed-Compression ]
                [ Framed-Interface-Id ]
                [ Framed-IP-Address ]
                [ Framed-IP-Netmask ]
              * [ Framed-IPv6-Prefix ]
                [ Framed-IPv6-Pool ]
              * [ Framed-IPv6-Route ]
                [ Framed-IPX-Network ]
                [ Framed-MTU ]
                [ Framed-Pool ]
                [ Framed-Protocol ]
              * [ Framed-Route ]
                [ Framed-Routing ]
              * [ Login-IP-Host ]
              * [ Login-IPv6-Host ]
                [ Login-LAT-Group ]
                [ Login-LAT-Node ]
                [ Login-LAT-Port ]
                [ Login-LAT-Service ]
                [ Login-Service ]
                [ Login-TCP-Port ]
              * [ Tunneling ]
              * [ Proxy-Info ]
              * [ Route-Record ]
              * [ AVP ]

3.10.  Accounting-Answer (ACA) Command

   The ACA message [I-D.ietf-dime-rfc3588bis] is used to acknowledge an
   Accounting-Request command.  The Accounting-Answer command contains
   the same Session-Id as the Request.  If the Accounting-Request was
   protected by end-to-end security, then the corresponding ACA message
   MUST be protected as well.

   Only the target Diameter Server or home Diameter Server SHOULD
   respond with the Accounting-Answer command.

   Either the Acct-Application-Id AVP or the Vendor-Specific-
   Application-Id AVP MUST be present, as it was in the request.

   The AVPs listed in the Base protocol specification
   [I-D.ietf-dime-rfc3588bis] MUST be assumed to be present, as
   appropriate.  NAS service-specific accounting AVPs SHOULD be present
   as described in Section 4.6 and the rest of this specification.
   Message Format

      <ACA> ::= < Diameter Header: 271, PXY >
                < Session-Id >
                { Result-Code }
                { Origin-Host }
                { Origin-Realm }
                { Accounting-Record-Type }
                { Accounting-Record-Number }
                [ Acct-Application-Id ]
                [ Vendor-Specific-Application-Id ]
                [ User-Name ]
                [ Accounting-Sub-Session-Id ]
                [ Acct-Session-Id ]
                [ Acct-Multi-Session-Id ]
                [ Event-Timestamp ]
                [ Error-Message ]
                [ Error-Reporting-Host ]
              * [ Failed-AVP ]
                [ Origin-AAA-Protocol ]
                [ Origin-State-Id ]
                [ NAS-Identifier ]
                [ NAS-IP-Address ]
                [ NAS-IPv6-Address ]
                [ NAS-Port ]
                [ NAS-Port-Id ]
                [ NAS-Port-Type ]
                [ Service-Type ]
                [ Termination-Cause ]
                [ Accounting-Realtime-Required ]
                [ Acct-Interim-Interval ]
              * [ Class ]
              * [ Proxy-Info ]
              * [ Route-Record ]
              * [ AVP ]

4.  Diameter NAS Application AVPs

   The following sections define a new derived AVP data format, a set of
   application-specific AVPs and describe the use of AVPs defined in
   other documents by the Diameter NAS Application.

4.1.  Derived AVP Data Formats

4.1.1.  QoSFilterRule

   The QoSFilterRule format is derived from the OctetString AVP Base
   Format.  It uses the ASCII charset.  Packets may be marked or metered
   based on the following information:

   o  Direction (in or out)

   o  Source and destination IP address (possibly masked)

   o  Protocol

   o  Source and destination port (lists or ranges)

   o  DSCP values (no mask or range)

   Rules for the appropriate direction are evaluated in order; the first
   matched rule terminates the evaluation.  Each packet is evaluated
   once.  If no rule matches, the packet is treated as best effort.  An
   access device unable to interpret or apply a QoS rule SHOULD NOT
   terminate the session.
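   The following Python is an added example, not code from this draft,
   from FreeBSD ipfw, or from any NAS.  It parses rules in the "action
   dir proto from src to dst [options]" form given in this section and
   applies the evaluation just described: the rules for the packet's
   direction are tried in order, the first match decides, no match
   means best effort, and a rule the device cannot interpret is reported
   and skipped rather than ending the session.  It also covers the
   Section 4.4.9 options: a tag rule carries a DSCP codepoint, and a
   meter rule carries a rate with color_under and color_over codepoints,
   where color_over may be "drop".  The option spellings "DSCP
   <codepoint>" and "metering <rate> <color_under> <color_over>" are
   this example's assumption about how those options are written; src
   and dst follow the IPFilterRule form "address[/mask] [ports]" with
   "any" and "assigned" as keywords; and every rule and packet below is
   constructed.

```python
"""QoSFilterRule parser and first-match evaluator (added example, not from the draft)."""
import ipaddress
from dataclasses import dataclass
from typing import Any, List, Optional, Tuple

# Protocol names accepted in the proto field, normalised to IP protocol numbers (as text).
_PROTO_NUMBERS = {"tcp": "6", "udp": "17", "icmp": "1"}


@dataclass
class QoSRule:
    action: str                                   # "tag" or "meter"
    direction: str                                # "in" or "out"
    proto: str                                    # "ip" (any protocol) or a protocol number
    src: Any                                      # ip_network, or None for "any"
    src_ports: Optional[List[Tuple[int, int]]]    # inclusive ranges, or None for any port
    dst: Any
    dst_ports: Optional[List[Tuple[int, int]]]
    dscp: Optional[str] = None                    # tag rules: codepoint keyword (e.g. AF11)
    meter: Optional[Tuple[int, str, str]] = None  # meter rules: (rate_bps, color_under, color_over)


def _parse_ports(spec):
    """'80,443,1024-2047' -> [(80, 80), (443, 443), (1024, 2047)]"""
    ranges = []
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError("bad port range %r" % item)
        ranges.append((lo, hi))
    return ranges


def _parse_endpoint(tokens, i, assigned):
    """Consume 'address[/mask] [ports]' at tokens[i]; return (network, ports, next index)."""
    if i >= len(tokens):
        raise ValueError("missing address")
    addr = tokens[i]
    if addr == "any":
        net = None
    elif addr == "assigned":            # the address assigned to this session, if any
        if assigned is None:
            raise ValueError("'assigned' used but no address is assigned to the session")
        net = ipaddress.ip_network(assigned, strict=False)
    else:
        net = ipaddress.ip_network(addr, strict=False)
    i += 1
    ports = None
    if i < len(tokens) and tokens[i][:1].isdigit():   # a port list follows the address
        ports = _parse_ports(tokens[i])
        i += 1
    return net, ports, i


def parse_rule(text, assigned=None):
    """Parse one QoSFilterRule; raises ValueError for anything the device cannot interpret."""
    t = text.split()
    if len(t) < 4 or t[0] not in ("tag", "meter") or t[1] not in ("in", "out") or t[3] != "from":
        raise ValueError("expected 'action dir proto from ...': %r" % text)
    proto = _PROTO_NUMBERS.get(t[2].lower(), t[2].lower())
    src, src_ports, i = _parse_endpoint(t, 4, assigned)
    if i >= len(t) or t[i] != "to":
        raise ValueError("expected 'to' after source: %r" % text)
    dst, dst_ports, i = _parse_endpoint(t, i + 1, assigned)
    opts = t[i:]
    rule = QoSRule(t[0], t[1], proto, src, src_ports, dst, dst_ports)
    if rule.action == "tag":            # Section 4.4.9: tag requires the DSCP option
        if len(opts) != 2 or opts[0] != "DSCP":
            raise ValueError("tag rule needs 'DSCP <codepoint>': %r" % text)
        rule.dscp = opts[1]
    else:                               # Section 4.4.9: meter requires the metering option
        if len(opts) != 4 or opts[0] != "metering":
            raise ValueError("meter rule needs 'metering <rate> <color_under> <color_over>': %r" % text)
        rule.meter = (int(opts[1]), opts[2], opts[3])
    return rule


def load_rules(texts, assigned=None):
    """Parse all rules; return (usable rules in order, [(text, reason)] for rejected ones).

    A rule the device cannot interpret is reported, not raised: Section 4.1.1
    says such a rule should not cause the session to be terminated."""
    rules, rejected = [], []
    for text in texts:
        try:
            rules.append(parse_rule(text, assigned))
        except ValueError as exc:
            rejected.append((text, str(exc)))
    return rules, rejected


def _endpoint_matches(net, ports, addr, port):
    if net is not None and ipaddress.ip_address(addr) not in net:
        return False
    return ports is None or any(lo <= port <= hi for lo, hi in ports)


def match_rule(rules, direction, proto, src, sport, dst, dport):
    """First rule for this direction that matches the packet, or None (best effort)."""
    proto = _PROTO_NUMBERS.get(proto.lower(), proto.lower())
    for r in rules:
        if r.direction != direction or r.proto not in ("ip", proto):
            continue
        if _endpoint_matches(r.src, r.src_ports, src, sport) and \
           _endpoint_matches(r.dst, r.dst_ports, dst, dport):
            return r
    return None


def treatment(rule, flow_rate_bps):
    """Codepoint to apply ('drop' for an EF-style limit), or None for best effort."""
    if rule is None:
        return None
    if rule.action == "tag":
        return rule.dscp
    rate, color_under, color_over = rule.meter
    return color_under if flow_rate_bps <= rate else color_over


# Constructed sample rule set; the last rule is deliberately malformed (tag without DSCP).
SAMPLE_RULES = [
    "meter in tcp from any to 192.0.2.10 80 metering 2000000 AF21 drop",
    "meter in ip from any to 192.0.2.0/24 metering 1000000 AF11 AF13",
    "tag out ip from 192.0.2.0/24 to any DSCP EF",
    "tag in ip from any to any",
]

if __name__ == "__main__":
    rules, rejected = load_rules(SAMPLE_RULES)
    print("rejected:", rejected)
    hit = match_rule(rules, "in", "tcp", "198.51.100.7", 40000, "192.0.2.10", 80)
    print(treatment(hit, 3_000_000), treatment(hit, 1_000_000))
```

   Because the first matching rule wins, the order in which QoS-Filter-
   Rule AVPs arrive in the answer is part of the policy: in the sample
   set the port-specific meter must precede the subnet-wide one or it
   will never be reached.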
   QoSFilterRule filters MUST follow the following format:

      action dir proto from src to dst [options]

   where

   action
      tag    Mark packet with a specific DSCP [RFC2474]
      meter  Meter traffic

   dir          The format is as described under IPFilterRule
                [I-D.ietf-dime-rfc3588bis]

   proto        The format is as described under IPFilterRule
                [I-D.ietf-dime-rfc3588bis]

   src and dst  The format is as described under IPFilterRule
                [I-D.ietf-dime-rfc3588bis]

   The options are described in Section 4.4.9.

   The rule syntax is a modified subset of ipfw(8) from FreeBSD, and the
   ipfw.c code may provide a useful base for implementations.

4.2.  NAS Session AVPs

   Diameter reserves the AVP Codes 0 - 255 for RADIUS functions that are
   implemented in Diameter.

   AVPs new to Diameter have code values of 256 and greater.  A Diameter
   message that includes one of these AVPs may represent functions not
   present in the RADIUS environment and may cause interoperability
   issues, should the request traverse an AAA system that only supports
   the RADIUS protocol.

4.2.1.  Call and Session Information

   This section describes the AVPs specific to NAS Diameter applications
   that are needed to identify the call and session context and status
   information.  On a request, this information allows the server to
   qualify the session.

   These AVPs are used in addition to the following AVPs from the base
   protocol specification [I-D.ietf-dime-rfc3588bis]:

      Session-Id
      Auth-Application-Id
      Origin-Host
      Origin-Realm
      Auth-Request-Type
      Termination-Cause

   The following table gives the possible flag values for the session
   level AVPs and specifies whether the AVP MAY be encrypted.
                                             +---------------------+
                                             |    AVP Flag rules   |
                                             |----+-----+----+-----|----+
                                             |    |     |SHLD| MUST|    |
   Attribute Name            Section Defined |MUST| MAY | NOT|  NOT|Encr|
   ------------------------------------------|----+-----+----+-----|----|
   NAS-Port                  4.2.2           | M  |  P  |    |  V  | Y  |
   NAS-Port-Id               4.2.3           | M  |  P  |    |  V  | Y  |
   NAS-Port-Type             4.2.4           | M  |  P  |    |  V  | Y  |
   Called-Station-Id         4.2.5           | M  |  P  |    |  V  | Y  |
   Calling-Station-Id        4.2.6           | M  |  P  |    |  V  | Y  |
   Connect-Info              4.2.7           | M  |  P  |    |  V  | Y  |
   Originating-Line-Info     4.2.8           |    | M,P |    |  V  | Y  |
   Reply-Message             4.2.9           | M  |  P  |    |  V  | Y  |
   ------------------------------------------|----+-----+----+-----|----|

4.2.2.  NAS-Port AVP

   The NAS-Port AVP (AVP Code 5) is of type Unsigned32 and contains the
   physical or virtual port number of the NAS which is authenticating
   the user.  Note that "port" is meant in its sense as a service
   connection on the NAS, not as an IP protocol identifier.

   Either the NAS-Port AVP or the NAS-Port-Id AVP (Section 4.2.3) SHOULD
   be present in the AA-Request (AAR, Section 3.1) command if the NAS
   differentiates among its ports.

4.2.3.  NAS-Port-Id AVP

   The NAS-Port-Id AVP (AVP Code 87) is of type UTF8String and consists
   of ASCII text identifying the port of the NAS authenticating the
   user.  Note that "port" is meant in its sense as a service connection
   on the NAS, not as an IP protocol identifier.

   Either the NAS-Port-Id or the NAS-Port (Section 4.2.2) SHOULD be
   present in the AA-Request (AAR, Section 3.1) command if the NAS
   differentiates among its ports.  NAS-Port-Id is intended for use by
   NASes that cannot conveniently number their ports.

4.2.4.  NAS-Port-Type AVP

   The NAS-Port-Type AVP (AVP Code 61) is of type Enumerated and
   contains the type of the port on which the NAS is authenticating the
   user.  This AVP SHOULD be present if the NAS uses the same NAS-Port
   number ranges for different service types concurrently.

   The currently supported values of the NAS-Port-Type AVP are listed in
   [RADIUSTypes].

4.2.5.  Called-Station-Id AVP

   The Called-Station-Id AVP (AVP Code 30) is of type UTF8String and
   allows the NAS to send the ASCII string describing the Layer 2
   address the user contacted in the request.  For dialup access, this
   can be a phone number obtained by using the Dialed Number
   Identification Service (DNIS) or a similar technology.  Note that
   this may be different from the phone number the call comes in on.
   For use with IEEE 802 access, the Called-Station-Id MAY contain a MAC
   address formatted as described in [RFC3580].  It SHOULD only be
   present in authentication and/or authorization requests.

   If the Called-Station-Id AVP is present in an AAR message, the Auth-
   Request-Type AVP is set to AUTHORIZE_ONLY and the User-Name AVP is
   absent, the Diameter Server MAY perform authorization based on this
   AVP.  This can be used by a NAS to request whether a call should be
   answered based on the DNIS.

   The codification of this field's allowed usage range is outside the
   scope of this specification.

4.2.6.  Calling-Station-Id AVP

   The Calling-Station-Id AVP (AVP Code 31) is of type UTF8String and
   allows the NAS to send the ASCII string describing the Layer 2
   address from which the user connected in the request.  For dialup
   access, this is the phone number the call came from, using Automatic
   Number Identification (ANI) or a similar technology.  For use with
   IEEE 802 access, the Calling-Station-Id AVP MAY contain a MAC
   address, formatted as described in [RFC3580].  It SHOULD only be
   present in authentication and/or authorization requests.
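   The flag-rules table at the head of Section 4.2 is what a receiver
   enforces on the V, M and P bits of each AVP header.  The following
   Python is an added example, not code from this draft or from any
   Diameter stack.  It encodes and decodes AVPs in the base-protocol
   header layout (4-octet code, flags octet, 24-bit length, a Vendor-Id
   when V is set, data padded to a 4-octet boundary; the bit values
   V=0x80, M=0x40, P=0x20 come from the base protocol, not this draft)
   and checks every received AVP against the rows of the Section 4.2
   table, using the AVP codes given in Sections 4.2.2 through 4.2.9.
   The error names are base-protocol Result-Code names; the sample
   message body and the unknown AVP codes 9998 and 9999 are constructed
   for the example.

```python
"""AVP header flag check against the Section 4.2 flag-rules table (added example)."""
import struct

V_BIT, M_BIT, P_BIT = 0x80, 0x40, 0x20          # AVP header flag bits from the base protocol

# Section 4.2 table rows: AVP code -> (name, flags that MUST be set, flags that MUST NOT be set).
# Codes are those given in Sections 4.2.2 - 4.2.9; a flag in neither set is MAY.
FLAG_RULES = {
    5:  ("NAS-Port",              {"M"}, {"V"}),
    87: ("NAS-Port-Id",           {"M"}, {"V"}),
    61: ("NAS-Port-Type",         {"M"}, {"V"}),
    30: ("Called-Station-Id",     {"M"}, {"V"}),
    31: ("Calling-Station-Id",    {"M"}, {"V"}),
    77: ("Connect-Info",          {"M"}, {"V"}),
    94: ("Originating-Line-Info", set(), {"V"}),   # M and P are both MAY for this AVP
    18: ("Reply-Message",         {"M"}, {"V"}),
}


def encode_avp(code, flags, data, vendor_id=0):
    """Serialise one AVP: code, flags, 24-bit length, optional Vendor-Id, padded data."""
    header_len = 12 if flags & V_BIT else 8
    length = header_len + len(data)              # length covers header and data, not padding
    out = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    if flags & V_BIT:
        out += struct.pack("!I", vendor_id)
    return out + data + b"\x00" * (-len(data) % 4)


def decode_avps(buf):
    """Return [(code, flags, data), ...] for the AVPs in buf; reject truncated or bad lengths."""
    avps, i = [], 0
    while i < len(buf):
        if len(buf) - i < 8:
            raise ValueError("truncated AVP header at offset %d" % i)
        code, flags = struct.unpack_from("!IB", buf, i)
        length = int.from_bytes(buf[i + 5:i + 8], "big")
        header_len = 12 if flags & V_BIT else 8
        if length < header_len or i + length > len(buf):
            raise ValueError("bad AVP length %d at offset %d" % (length, i))
        avps.append((code, flags, bytes(buf[i + header_len:i + length])))
        i += length + (-length % 4)              # the next AVP starts on a 4-octet boundary
    return avps


def check_flags(code, flags):
    """None if the AVP's flag bits are acceptable, else the base-protocol error to report."""
    present = {name for name, bit in (("V", V_BIT), ("M", M_BIT), ("P", P_BIT)) if flags & bit}
    rule = FLAG_RULES.get(code)
    if rule is None:
        # Unknown AVP: may be ignored unless the sender marked it mandatory.
        return "DIAMETER_AVP_UNSUPPORTED" if "M" in present else None
    _name, must, must_not = rule
    if not must <= present or present & must_not:
        return "DIAMETER_INVALID_AVP_BITS"
    return None


def check_avp_flags(buf):
    """Map AVP code -> error name for every AVP in buf that violates the table."""
    problems = {}
    for code, flags, _data in decode_avps(buf):
        err = check_flags(code, flags)
        if err:
            problems[code] = err
    return problems


# Constructed sample message body (AVPs only, no Diameter header), mixing valid and invalid AVPs.
SAMPLE_AVPS = (
    encode_avp(5, M_BIT, struct.pack("!I", 7))               # NAS-Port: M set, fine
    + encode_avp(30, M_BIT | P_BIT, b"5551212")              # Called-Station-Id: M and P, fine
    + encode_avp(94, 0, b"00")                               # Originating-Line-Info: M optional, fine
    + encode_avp(31, 0, b"5559876")                          # Calling-Station-Id without M: invalid
    + encode_avp(87, V_BIT | M_BIT, b"eth0", vendor_id=1)    # NAS-Port-Id with V set: invalid
    + encode_avp(9999, M_BIT, b"x")                          # unknown code with M: unsupported
    + encode_avp(9998, 0, b"y")                              # unknown code without M: ignored
)

if __name__ == "__main__":
    for code, err in sorted(check_avp_flags(SAMPLE_AVPS).items()):
        print(code, err)
```

   The same table-driven check applies unchanged to the Section 4.3 and
   Section 4.4 tables: add their rows to FLAG_RULES with the AVP codes
   from the corresponding subsections.  Validating the length field
   before slicing, as decode_avps does, is what keeps a malformed AVP
   from being read past the end of the message.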
   If the Calling-Station-Id AVP is present in an AAR message, the Auth-
   Request-Type AVP is set to AUTHORIZE_ONLY and the User-Name AVP is
   absent, the Diameter Server MAY perform authorization based on the
   value of this AVP.  This can be used by a NAS to request whether a
   call should be answered based on the Layer 2 address (ANI, MAC
   Address, etc.)

   The codification of this field's allowed usage range is outside the
   scope of this specification.

4.2.7.  Connect-Info AVP

   The Connect-Info AVP (AVP Code 77) is of type UTF8String and is sent
   in the AA-Request message or an ACR message with the value of the
   Accounting-Record-Type AVP set to STOP.  When sent in the AA-Request,
   it indicates the nature of the user's connection.  The connection
   speed SHOULD be included at the beginning of the first Connect-Info
   AVP in the message.  If the transmit and receive connection speeds
   differ, both may be included in the first AVP with the transmit speed
   listed first (the speed at which the NAS modem transmits), then a
   slash (/), then the receive speed, and then other optional
   information.

   For example: "28800 V42BIS/LAPM" or "52000/31200 V90"

   If sent in an ACR message with the value of the Accounting-Record-
   Type AVP set to STOP, this attribute may summarize statistics
   relating to session quality.  For example, in IEEE 802.11, the
   Connect-Info AVP may contain information on the number of link layer
   retransmissions.  The exact format of this attribute is
   implementation specific.

4.2.8.  Originating-Line-Info AVP

   The Originating-Line-Info AVP (AVP Code 94) is of type OctetString
   and is sent by the NAS system to convey information about the origin
   of the call from an SS7 system.
   The originating line information (OLI) element indicates the nature
   and/or characteristics of the line from which a call originated
   (e.g., pay phone, hotel, cellular).  Telephone companies are starting
   to offer OLI to their customers as an option over Primary Rate
   Interface (PRI).  Internet Service Providers (ISPs) can use OLI in
   addition to Called-Station-Id and Calling-Station-Id attributes to
   differentiate customer calls and to define different services.

   The Value field contains two octets (00 - 99).  ANSI T1.113 and
   BELLCORE 394 can be used for additional information about these
   values and their use.  For information on the currently assigned
   values, see [ANITypes].

4.2.9.  Reply-Message AVP

   The Reply-Message AVP (AVP Code 18) is of type UTF8String and
   contains text that MAY be displayed to the user.  When used in an AA-
   Answer message with a successful Result-Code AVP, it indicates
   success.  When found in an AAA message with a Result-Code other than
   DIAMETER_SUCCESS, the AVP contains a failure message.

   The Reply-Message AVP MAY contain text to prompt the user before
   another AA-Request attempt.  When used in an AA-Answer message
   containing a Result-Code AVP with the value DIAMETER_MULTI_ROUND_AUTH
   or in a Re-Auth-Request message, it MAY contain text to prompt the
   user for a response.

4.3.  NAS Authentication AVPs

   This section defines the AVPs necessary to carry the authentication
   information in the Diameter protocol.  The functionality defined here
   provides a RADIUS-like AAA service over a more reliable and secure
   transport, as defined in the base protocol
   [I-D.ietf-dime-rfc3588bis].

   The following table gives the possible flag values for the session
   level AVPs and specifies whether the AVP MAY be encrypted.
                                             +---------------------+
                                             |    AVP Flag rules   |
                                             |----+-----+----+-----|----+
                                             |    |     |SHLD| MUST|    |
   Attribute Name            Section Defined |MUST| MAY | NOT|  NOT|Encr|
   ------------------------------------------|----+-----+----+-----|----|
   User-Password             4.3.1           | M  |  P  |    |  V  | Y  |
   Password-Retry            4.3.2           | M  |  P  |    |  V  | Y  |
   Prompt                    4.3.3           | M  |  P  |    |  V  | Y  |
   CHAP-Auth                 4.3.4           | M  |  P  |    |  V  | Y  |
   CHAP-Algorithm            4.3.5           | M  |  P  |    |  V  | Y  |
   CHAP-Ident                4.3.6           | M  |  P  |    |  V  | Y  |
   CHAP-Response             4.3.7           | M  |  P  |    |  V  | Y  |
   CHAP-Challenge            4.3.8           | M  |  P  |    |  V  | Y  |
   ARAP-Password             4.3.9           | M  |  P  |    |  V  | Y  |
   ARAP-Challenge-Response   4.3.10          | M  |  P  |    |  V  | Y  |
   ARAP-Security             4.3.11          | M  |  P  |    |  V  | Y  |
   ARAP-Security-Data        4.3.12          | M  |  P  |    |  V  | Y  |
   ------------------------------------------|----+-----+----+-----|----|

4.3.1.  User-Password AVP

   The User-Password AVP (AVP Code 2) is of type OctetString and
   contains the password of the user to be authenticated, or the user's
   input in a multi-round authentication exchange.

   The User-Password AVP contains a user password or one-time password
   and therefore represents sensitive information.  As required in
   [I-D.ietf-dime-rfc3588bis], Diameter messages are encrypted by using
   IPsec or TLS.  Unless this AVP is used for one-time passwords, the
   User-Password AVP SHOULD NOT be used in untrusted proxy environments
   without encrypting it by using end-to-end security techniques.

   The clear-text password (prior to encryption) MUST NOT be longer than
   128 bytes in length.

4.3.2.  Password-Retry AVP

   The Password-Retry AVP (AVP Code 75) is of type Unsigned32 and MAY be
   included in the AA-Answer if the Result-Code indicates an
   authentication failure.  The value of this AVP indicates how many
   authentication attempts a user is permitted before being
   disconnected.
   This AVP is primarily intended for use when the
   Framed-Protocol AVP (Section 4.4.10.1) is set to ARAP.

4.3.3.  Prompt AVP

   The Prompt AVP (AVP Code 76) is of type Enumerated and MAY be present
   in the AA-Answer message.  When present, it is used by the NAS to
   determine whether the user's response, when entered, should be
   echoed.

   The supported values are listed in [RADIUSTypes].

4.3.4.  CHAP-Auth AVP

   The CHAP-Auth AVP (AVP Code 402) is of type Grouped and contains the
   information necessary to authenticate a user using the PPP Challenge-
   Handshake Authentication Protocol (CHAP) [RFC1994].  If the CHAP-Auth
   AVP is found in a message, the CHAP-Challenge AVP (Section 4.3.8)
   MUST be present as well.  The optional AVPs containing the CHAP
   response depend upon the value of the CHAP-Algorithm AVP
   (Section 4.3.5).  The grouped AVP has the following ABNF grammar:

      CHAP-Auth  ::= < AVP Header: 402 >
                     { CHAP-Algorithm }
                     { CHAP-Ident }
                     [ CHAP-Response ]
                   * [ AVP ]

4.3.5.  CHAP-Algorithm AVP

   The CHAP-Algorithm AVP (AVP Code 403) is of type Enumerated and
   contains the algorithm identifier used in the computation of the CHAP
   response [RFC1994].  The following values are currently supported:

   CHAP with MD5        5
      The CHAP response is computed by using the procedure described in
      [RFC1994].  This algorithm requires that the CHAP-Response AVP
      (Section 4.3.7) MUST be present in the CHAP-Auth AVP
      (Section 4.3.4).

4.3.6.  CHAP-Ident AVP

   The CHAP-Ident AVP (AVP Code 404) is of type OctetString and contains
   the 1 octet CHAP Identifier used in the computation of the CHAP
   response [RFC1994].

4.3.7.  CHAP-Response AVP

   The CHAP-Response AVP (AVP Code 405) is of type OctetString and
   contains the 16 octet authentication data provided by the user in
   response to the CHAP challenge [RFC1994].

4.3.8.  CHAP-Challenge AVP

   The CHAP-Challenge AVP (AVP Code 60) is of type OctetString and
   contains the CHAP Challenge sent by the NAS to the CHAP peer
   [RFC1994].

4.3.9.  ARAP-Password AVP

   The ARAP-Password AVP (AVP Code 70) is of type OctetString and is
   only present when the Framed-Protocol AVP (Section 4.4.10.1) is
   included in the message and is set to ARAP.  This AVP MUST NOT be
   present if either the User-Password or the CHAP-Auth AVP is present.
   See [RFC2869] for more information on the contents of this AVP.

4.3.10.  ARAP-Challenge-Response AVP

   The ARAP-Challenge-Response AVP (AVP Code 84) is of type OctetString
   and is only present when the Framed-Protocol AVP (Section 4.4.10.1)
   is included in the message and is set to ARAP.  This AVP contains an
   8 octet response to the dial-in client's challenge.  The RADIUS
   server calculates this value by taking the dial-in client's challenge
   from the high-order 8 octets of the ARAP-Password AVP and performing
   DES encryption on this value with the authenticating user's password
   as the key.  If the user's password is fewer than 8 octets in length,
   the password is padded at the end with NULL octets to a length of
   8 before it is used as a key.

4.3.11.  ARAP-Security AVP

   The ARAP-Security AVP (AVP Code 73) is of type Unsigned32 and MAY be
   present in the AA-Answer message if the Framed-Protocol AVP
   (Section 4.4.10.1) is set to the value of ARAP, and the Result-Code
   AVP ([I-D.ietf-dime-rfc3588bis], Section 7.1) is set to
   DIAMETER_MULTI_ROUND_AUTH.  See [RFC2869] for more information on the
   contents of this AVP.

4.3.12.  ARAP-Security-Data AVP

   The ARAP-Security-Data AVP (AVP Code 74) is of type OctetString and
   MAY be present in the AA-Request or AA-Answer message if the Framed-
   Protocol AVP (Section 4.4.10.1) is set to the value of ARAP and the
   Result-Code AVP ([I-D.ietf-dime-rfc3588bis], Section 7.1) is set to
   DIAMETER_MULTI_ROUND_AUTH.  This AVP contains the security module
   challenge or response associated with the ARAP Security Module
   specified in the ARAP-Security AVP (Section 4.3.11).

4.4.  NAS Authorization AVPs

   This section contains the authorization AVPs supported in the NAS
   Application.  The Service-Type AVP SHOULD be present in all messages
   and, based on its value, additional AVPs defined in this section and
   Section 4.5 MAY be present.

   The following table gives the possible flag values for the session
   level AVPs and specifies whether the AVP MAY be encrypted.

                                             +---------------------+
                                             |    AVP Flag rules   |
                                             |----+-----+----+-----|----+
                                             |    |     |SHLD| MUST|    |
   Attribute Name            Section Defined |MUST| MAY | NOT|  NOT|Encr|
   ------------------------------------------|----+-----+----+-----|----|
   Service-Type              4.4.1           | M  |  P  |    |  V  | Y  |
   Callback-Number           4.4.2           | M  |  P  |    |  V  | Y  |
   Callback-Id               4.4.3           | M  |  P  |    |  V  | Y  |
   Idle-Timeout              4.4.4           | M  |  P  |    |  V  | Y  |
   Port-Limit                4.4.5           | M  |  P  |    |  V  | Y  |
   NAS-Filter-Rule           4.4.6           | M  |  P  |    |  V  | Y  |
   Filter-Id                 4.4.7           | M  |  P  |    |  V  | Y  |
   Configuration-Token       4.4.8           | M  |     |    | P,V |    |
   QoS-Filter-Rule           4.4.9           |    |     |    |     |    |
   Framed-Protocol           4.4.10.1        | M  |  P  |    |  V  | Y  |
   Framed-Routing            4.4.10.2        | M  |  P  |    |  V  | Y  |
   Framed-MTU                4.4.10.3        | M  |  P  |    |  V  | Y  |
   Framed-Compression        4.4.10.4        | M  |  P  |    |  V  | Y  |
   Framed-IP-Address         4.4.10.5.1      | M  |  P  |    |  V  | Y  |
   Framed-IP-Netmask         4.4.10.5.2      | M  |  P  |    |  V  | Y  |
   Framed-Route              4.4.10.5.3      | M  |  P  |    |  V  | Y  |
   Framed-Pool               4.4.10.5.4      | M  |  P  |    |  V  | Y  |
   Framed-Interface-Id       4.4.10.5.5      | M  |  P  |    |  V  | Y  |
   Framed-IPv6-Prefix        4.4.10.5.6      | M  |  P  |    |  V  | Y  |
   Framed-IPv6-Route         4.4.10.5.7      | M  |  P  |    |  V  | Y  |
   Framed-IPv6-Pool          4.4.10.5.8      | M  |  P  |    |  V  | Y  |
   Framed-IPX-Network        4.4.10.6.1      | M  |  P  |    |  V  | Y  |
   Framed-Appletalk-Link     4.4.10.7.1      | M  |  P  |    |  V  | Y  |
   Framed-Appletalk-Network  4.4.10.7.2      | M  |  P  |    |  V  | Y  |
   Framed-Appletalk-Zone     4.4.10.7.3      | M  |  P  |    |  V  | Y  |
   ARAP-Features             4.4.10.8.1      | M  |  P  |    |  V  | Y  |
   ARAP-Zone-Access          4.4.10.8.2      | M  |  P  |    |  V  | Y  |
   Login-IP-Host             4.4.11.1        | M  |  P  |    |  V  | Y  |
   Login-IPv6-Host           4.4.11.2        | M  |  P  |    |  V  | Y  |
   Login-Service             4.4.11.3        | M  |  P  |    |  V  | Y  |
   Login-TCP-Port            4.4.11.4.1      | M  |  P  |    |  V  | Y  |
   Login-LAT-Service         4.4.11.5.1      | M  |  P  |    |  V  | Y  |
   Login-LAT-Node            4.4.11.5.2      | M  |  P  |    |  V  | Y  |
   Login-LAT-Group           4.4.11.5.3      | M  |  P  |    |  V  | Y  |
   Login-LAT-Port            4.4.11.5.4      | M  |  P  |    |  V  | Y  |
   ------------------------------------------|----+-----+----+-----|----|

4.4.1.  Service-Type AVP

   The Service-Type AVP (AVP Code 6) is of type Enumerated and contains
   the type of service the user has requested or the type of service to
   be provided.  One such AVP MAY be present in an authentication and/or
   authorization request or response.  A NAS is not required to
   implement all of these service types.  It MUST treat unknown or
   unsupported Service-Types received in a response as a failure and end
   the session with a DIAMETER_INVALID_AVP_VALUE Result-Code.

   When used in a request, the Service-Type AVP SHOULD be considered a
   hint to the server that the NAS believes the user would prefer the
   kind of service indicated.  The server is not required to honor the
   hint.  Furthermore, if the service specified by the server is
   supported, but not compatible with the current mode of access, the
   NAS MUST fail to start the session.
   The NAS MUST also generate the
   appropriate error message(s).

   The complete list of defined values that the Service-Type AVP can
   take can be found in [RFC2865] and [RADIUSTypes], but the following
   values require further qualification here:

   Login (1)
      The user should be connected to a host.  The message MAY
      include additional AVPs as defined in Section 4.4.11.4 or
      Section 4.4.11.5.

   Framed (2)
      A Framed Protocol, such as PPP or SLIP, should be started for
      the User.  The message MAY include additional AVPs defined in
      Section 4.4.10, or Section 4.5 for tunneling services.

   Callback Login (3)
      The user should be disconnected and called back, then connected
      to a host.  The message MAY include additional AVPs defined in
      this Section.

   Callback Framed (4)
      The user should be disconnected and called back, and then a
      Framed Protocol, such as PPP or SLIP, should be started for the
      User.  The message MAY include additional AVPs defined in
      Section 4.4.10, or Section 4.5 for tunneling services.

4.4.2.  Callback-Number AVP

   The Callback-Number AVP (AVP Code 19) is of type UTF8String and
   contains a dialing string to be used for callback.  It MAY be used in
   an authentication and/or authorization request as a hint to the
   server that a Callback service is desired, but the server is not
   required to honor the hint in the corresponding response.

   The codification of this field's allowed usage range is outside the
   scope of this specification.

4.4.3.  Callback-Id AVP

   The Callback-Id AVP (AVP Code 20) is of type UTF8String and contains
   the name of a place to be called, to be interpreted by the NAS.  This
   AVP MAY be present in an authentication and/or authorization
   response.

   This AVP is not roaming-friendly as it assumes that the Callback-Id
   is configured on the NAS.
   Using the Callback-Number AVP
   (Section 4.4.2) is therefore preferable.

4.4.4.  Idle-Timeout AVP

   The Idle-Timeout AVP (AVP Code 28) is of type Unsigned32 and sets the
   maximum number of consecutive seconds of idle connection allowable to
   the user before termination of the session or before a prompt is
   issued.  The default is none, or system specific.

4.4.5.  Port-Limit AVP

   The Port-Limit AVP (AVP Code 62) is of type Unsigned32 and sets the
   maximum number of ports the NAS provides to the user.  It MAY be used
   in an authentication and/or authorization request as a hint to the
   server that multilink PPP [RFC1990] service is desired, but the
   server is not required to honor the hint in the corresponding
   response.

4.4.6.  NAS-Filter-Rule AVP

   The NAS-Filter-Rule AVP (AVP Code 400) is of type IPFilterRule and
   provides filter rules that need to be configured on the NAS for the
   user.  One or more of these AVPs MAY be present in an authorization
   response.

4.4.7.  Filter-Id AVP

   The Filter-Id AVP (AVP Code 11) is of type UTF8String and contains
   the name of the filter list for this user.  Zero or more Filter-Id
   AVPs MAY be sent in an authorization answer.

   Identifying a filter list by name allows the filter to be used on
   different NASes without regard to filter-list implementation details.
   However, this AVP is not roaming-friendly, as filter naming differs
   from one service provider to another.

   In environments where backward compatibility with RADIUS is not
   required, it is RECOMMENDED that the NAS-Filter-Rule AVP
   (Section 4.4.6) be used instead.

4.4.8.  Configuration-Token AVP

   The Configuration-Token AVP (AVP Code 78) is of type OctetString and
   is sent by a Diameter Server to a Diameter Proxy Agent or Translation
   Agent in an AA-Answer command to indicate a type of user profile to
   be used.
   It should not be sent to a Diameter Client (NAS).

   The format of the Data field of this AVP is site specific.

4.4.9.  QoS-Filter-Rule AVP

   The QoS-Filter-Rule AVP (AVP Code 407) is of type QoSFilterRule
   (Section 4.1.1) and provides QoS filter rules that need to be
   configured on the NAS for the user.  One or more such AVPs MAY be
   present in an authorization response.

   DSCP        If action is set to tag (Section 4.1.1) this option MUST
               be included in the rule.

               Color values are defined in [RFC2474].  Exact matching
               of DSCP values is required (no masks or ranges).

   metering    The metering option provides Assured Forwarding, as
               defined in [RFC2597], and MUST be present if the action
               is set to meter (Section 4.1.1).  The rate option is the
               throughput, in bits per second, used by the access
               device to mark packets.  Traffic over the rate is marked
               with the color_over codepoint, and traffic under the
               rate is marked with the color_under codepoint.  The
               color_under and color_over options contain the drop
               preferences and MUST conform to the recommended
               codepoint keywords described in [RFC2597] (e.g., AF13).

               The metering option also supports the strict limit on
               traffic required by Expedited Forwarding, as defined in
               [RFC3246].  The color_over option may contain the
               keyword "drop" to prevent forwarding of traffic that
               exceeds the rate parameter.

4.4.10.  Framed Access Authorization AVPs

   This section lists the authorization AVPs necessary to support framed
   access, such as PPP and SLIP.  AVPs defined in this section MAY be
   present in a message if the Service-Type AVP was set to "Framed" or
   "Callback Framed".

4.4.10.1.  Framed-Protocol AVP

   The Framed-Protocol AVP (AVP Code 7) is of type Enumerated and
   contains the framing to be used for framed access.  This AVP MAY be
   present in both requests and responses.
The supported values are listed in [RADIUSTypes].

4.4.10.2.  Framed-Routing AVP

The Framed-Routing AVP (AVP Code 10) is of type Enumerated and contains the routing method for the user when the user is a router to a network.  This AVP SHOULD only be present in authorization responses.  The supported values are listed in [RADIUSTypes].

4.4.10.3.  Framed-MTU AVP

The Framed-MTU AVP (AVP Code 12) is of type Unsigned32 and contains the Maximum Transmission Unit (MTU) to be configured for the user, when it is not negotiated by some other means (such as PPP).  This AVP SHOULD only be present in authorization responses.  The MTU value MUST be in the range from 64 to 65535.

4.4.10.4.  Framed-Compression AVP

The Framed-Compression AVP (AVP Code 13) is of type Enumerated and contains the compression protocol to be used for the link.  It MAY be used in an authorization request as a hint to the server that a specific compression type is desired, but the server is not required to honor the hint in the corresponding response.

More than one compression protocol AVP MAY be sent.  The NAS is responsible for applying the proper compression protocol to the appropriate link traffic.

The supported values are listed in [RADIUSTypes].

4.4.10.5.  IP Access Authorization AVPs

The AVPs defined in this section are used when the user requests, or is being granted, access service to IP.

4.4.10.5.1.  Framed-IP-Address AVP

The Framed-IP-Address AVP (AVP Code 8) [RFC2865] is of type OctetString and contains the IPv4 address to be configured for the user.  It MAY be used in an authorization request as a hint to the server that a specific address is desired, but the server is not required to honor the hint in the corresponding response.

Two values have special significance: 0xFFFFFFFF and 0xFFFFFFFE.
The value 0xFFFFFFFF indicates that the NAS should allow the user to select an address (i.e., negotiated).  The value 0xFFFFFFFE indicates that the NAS should select an address for the user (e.g., assigned from a pool of addresses kept by the NAS).

4.4.10.5.2.  Framed-IP-Netmask AVP

The Framed-IP-Netmask AVP (AVP Code 9) is of type OctetString and contains the four octets of the IPv4 netmask to be configured for the user when the user is a router to a network.  It MAY be used in an authorization request as a hint to the server that a specific netmask is desired, but the server is not required to honor the hint in the corresponding response.  This AVP MUST be present in a response if the request included this AVP with a value of 0xFFFFFFFF.

4.4.10.5.3.  Framed-Route AVP

The Framed-Route AVP (AVP Code 22) is of type UTF8String and contains the ASCII routing information to be configured for the user on the NAS.  Zero or more of these AVPs MAY be present in an authorization response.

The string MUST contain a destination prefix in dotted quad form optionally followed by a slash and a decimal length specifier stating how many high-order bits of the prefix should be used.  This is followed by a space, a gateway address in dotted quad form, a space, and one or more metrics separated by spaces; for example,

   "192.0.2.0/24 192.0.2.1 1"

The length specifier may be omitted, in which case it should default to 8 bits for class A prefixes, to 16 bits for class B prefixes, and to 24 bits for class C prefixes; for example,

   "192.0.2.0 192.0.2.1 1"

Whenever the gateway address is specified as "0.0.0.0" the IP address of the user SHOULD be used as the gateway address.

4.4.10.5.4.
Framed-Pool AVP

The Framed-Pool AVP (AVP Code 88) is of type OctetString and contains the name of an assigned address pool that SHOULD be used to assign an address for the user.  If a NAS does not support multiple address pools, the NAS SHOULD ignore this AVP.  Address pools are usually used for IP addresses but can be used for other protocols if the NAS supports pools for those protocols.

Although specified as type OctetString for compatibility with RADIUS [RFC2865], the encoding of the Data field SHOULD also conform to the rules for the UTF8String Data Format.

4.4.10.5.5.  Framed-Interface-Id AVP

The Framed-Interface-Id AVP (AVP Code 96) is of type Unsigned64 and contains the IPv6 interface identifier to be configured for the user.  It MAY be used in authorization requests as a hint to the server that a specific interface id is desired, but the server is not required to honor the hint in the corresponding response.

4.4.10.5.6.  Framed-IPv6-Prefix AVP

The Framed-IPv6-Prefix AVP (AVP Code 97) is of type OctetString and contains the IPv6 prefix to be configured for the user.  One or more AVPs MAY be used in authorization requests as a hint to the server that specific IPv6 prefixes are desired, but the server is not required to honor the hint in the corresponding response.

4.4.10.5.7.  Framed-IPv6-Route AVP

The Framed-IPv6-Route AVP (AVP Code 99) is of type UTF8String and contains the ASCII routing information to be configured for the user on the NAS.  Zero or more of these AVPs MAY be present in an authorization response.

The string MUST contain an IPv6 address prefix followed by a slash and a decimal length specifier stating how many high order bits of the prefix should be used.
This is followed by a space, a gateway address in hexadecimal notation, a space, and one or more metrics separated by spaces; for example,

   "2000:0:0:106::/64 2000::106:a00:20ff:fe99:a998 1"

Whenever the gateway address is the IPv6 unspecified address, the IP address of the user SHOULD be used as the gateway address, such as in:

   "2000:0:0:106::/64 :: 1"

4.4.10.5.8.  Framed-IPv6-Pool AVP

The Framed-IPv6-Pool AVP (AVP Code 100) is of type OctetString and contains the name of an assigned pool that SHOULD be used to assign an IPv6 prefix for the user.  If the access device does not support multiple prefix pools, it MUST ignore this AVP.

Although specified as type OctetString for compatibility with RADIUS [RFC3162], the encoding of the Data field SHOULD also conform to the rules for the UTF8String Data Format.

4.4.10.6.  IPX Access AVPs

The AVPs defined in this section are used when the user requests, or is being granted, access to an IPX network service [IPX].

4.4.10.6.1.  Framed-IPX-Network AVP

The Framed-IPX-Network AVP (AVP Code 23) is of type Unsigned32 and contains the IPX Network number to be configured for the user.  It MAY be used in an authorization request as a hint to the server that a specific address is desired, but the server is not required to honor the hint in the corresponding response.

Two addresses have special significance: 0xFFFFFFFF and 0xFFFFFFFE.  The value 0xFFFFFFFF indicates that the NAS should allow the user to select an address (i.e., Negotiated).  The value 0xFFFFFFFE indicates that the NAS should select an address for the user (e.g., assign it from a pool of one or more IPX networks kept by the NAS).

4.4.10.7.  AppleTalk Network Access AVPs

The AVPs defined in this section are used when the user requests, or is being granted, access to an AppleTalk network [AppleTalk].

4.4.10.7.1.
Framed-AppleTalk-Link AVP

The Framed-AppleTalk-Link AVP (AVP Code 37) is of type Unsigned32 and contains the AppleTalk network number that should be used for the serial link to the user, which is another AppleTalk router.  This AVP MUST only be present in an authorization response and is never used when the user is not another router.

Despite the size of the field, values range from 0 to 65,535.  The special value of 0 indicates an unnumbered serial link.  A value of 1 to 65,535 means that the serial line between the NAS and the user should be assigned that value as an AppleTalk network number.

4.4.10.7.2.  Framed-AppleTalk-Network AVP

The Framed-AppleTalk-Network AVP (AVP Code 38) is of type Unsigned32 and contains the AppleTalk Network number that the NAS should probe to allocate an AppleTalk node for the user.  This AVP MUST only be present in an authorization response and is never used when the user is not another router.  Multiple instances of this AVP indicate that the NAS may probe, using any of the network numbers specified.

Despite the size of the field, values range from 0 to 65,535.  The special value 0 indicates that the NAS should assign a network for the user, using its default cable range.  A value between 1 and 65,535 (inclusive) indicates the AppleTalk network that the NAS should probe to find an address for the user.

4.4.10.7.3.  Framed-AppleTalk-Zone AVP

The Framed-AppleTalk-Zone AVP (AVP Code 39) is of type OctetString and contains the AppleTalk Default Zone to be used for this user.  This AVP MUST only be present in an authorization response.  Multiple instances of this AVP in the same message are not allowed.

The codification of this field's allowed range is outside the scope of this specification.

4.4.10.8.
AppleTalk Remote Access AVPs

The AVPs defined in this section are used when the user requests, or is being granted, access to the AppleTalk network via the AppleTalk Remote Access Protocol [ARAP].  They are only present if the Framed-Protocol AVP (Section 4.4.10.1) is set to ARAP.  Section 2.2 of [RFC2869] describes the operational use of these attributes.

4.4.10.8.1.  ARAP-Features AVP

The ARAP-Features AVP (AVP Code 71) is of type OctetString and MAY be present in the AA-Answer message if the Framed-Protocol AVP is set to the value of ARAP.  See [RFC2869] for more information about the format of this AVP.

4.4.10.8.2.  ARAP-Zone-Access AVP

The ARAP-Zone-Access AVP (AVP Code 72) is of type Enumerated and MAY be present in the AA-Answer message if the Framed-Protocol AVP is set to the value of ARAP.

The supported values are listed in [RADIUSTypes] and defined in [RFC2869].

4.4.11.  Non-Framed Access Authorization AVPs

This section contains the authorization AVPs that are needed to support terminal server functionality.  AVPs defined in this section MAY be present in a message if the Service-Type AVP was set to "Login" or "Callback Login".

4.4.11.1.  Login-IP-Host AVP

The Login-IP-Host AVP (AVP Code 14) [RFC2865] is of type OctetString and contains the IPv4 address of a host with which to connect the user when the Login-Service AVP is included.  It MAY be used in an AA-Request command as a hint to the Diameter Server that a specific host is desired, but the Diameter Server is not required to honor the hint in the AA-Answer.

Two addresses have special significance: all ones and 0.  The value of all ones indicates that the NAS SHOULD allow the user to select an address.  The value 0 indicates that the NAS SHOULD select a host to connect the user to.

4.4.11.2.
Login-IPv6-Host AVP

The Login-IPv6-Host AVP (AVP Code 98) [RFC3162] is of type OctetString and contains the IPv6 address of a host with which to connect the user when the Login-Service AVP is included.  It MAY be used in an AA-Request command as a hint to the Diameter Server that a specific host is desired, but the Diameter Server is not required to honor the hint in the AA-Answer.

Two addresses have special significance: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF and 0.  The value 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF indicates that the NAS SHOULD allow the user to select an address.  The value 0 indicates that the NAS SHOULD select a host to connect the user to.

4.4.11.3.  Login-Service AVP

The Login-Service AVP (AVP Code 15) is of type Enumerated and contains the service that should be used to connect the user to the login host.  This AVP SHOULD only be present in authorization responses.  The supported values are listed in [RFC2869].

4.4.11.4.  TCP Services

The AVP described in the following section MAY be present if the Login-Service AVP is set to Telnet, Rlogin, TCP Clear, or TCP Clear Quiet.

4.4.11.4.1.  Login-TCP-Port AVP

The Login-TCP-Port AVP (AVP Code 16) is of type Unsigned32 and contains the TCP port with which the user is to be connected when the Login-Service AVP is also present.  This AVP SHOULD only be present in authorization responses.  The value MUST NOT be greater than 65,535.

4.4.11.5.  LAT Services

The AVPs described in this section MAY be present if the Login-Service AVP is set to LAT [LAT].

4.4.11.5.1.  Login-LAT-Service AVP

The Login-LAT-Service AVP (AVP Code 34) is of type OctetString and contains the system with which the user is to be connected by LAT.
It MAY be used in an authorization request as a hint to the server that a specific service is desired, but the server is not required to honor the hint in the corresponding response.  This AVP MUST only be present in the response if the Login-Service AVP states that LAT is desired.

Administrators use this service attribute when dealing with clustered systems, such as a VAX or Alpha cluster.  In these environments, several different time-sharing hosts share the same resources (disks, printers, etc.), and administrators often configure each host to offer access (service) to each of the shared resources.  In this case, each host in the cluster advertises its services through LAT broadcasts.

Sophisticated users often know which service providers (machines) are faster and tend to use a node name when initiating a LAT connection.  Some administrators want particular users to use certain machines as a primitive form of load balancing (although LAT knows how to do load balancing itself).

The String field contains the identity of the LAT service to use.  The LAT Architecture allows this string to contain $ (dollar), - (hyphen), . (period), _ (underscore), numerics, upper- and lowercase alphabetics, and the ISO Latin-1 character set extension [ISO.8859-1.1987].  All LAT string comparisons are case insensitive.

4.4.11.5.2.  Login-LAT-Node AVP

The Login-LAT-Node AVP (AVP Code 35) is of type OctetString and contains the Node with which the user is to be automatically connected by LAT.  It MAY be used in an authorization request as a hint to the server that a specific LAT node is desired, but the server is not required to honor the hint in the corresponding response.  This AVP MUST only be present in a response if the Login-Service AVP is set to LAT.

The String field contains the identity of the LAT node to use.
The LAT Architecture allows this string to contain $ (dollar), - (hyphen), . (period), _ (underscore), numerics, upper- and lowercase alphabetics, and the ISO Latin-1 character set extension [ISO.8859-1.1987].  All LAT string comparisons are case insensitive.

4.4.11.5.3.  Login-LAT-Group AVP

The Login-LAT-Group AVP (AVP Code 36) is of type OctetString and contains a string identifying the LAT group codes this user is authorized to use.  It MAY be used in an authorization request as a hint to the server that a specific group is desired, but the server is not required to honor the hint in the corresponding response.  This AVP MUST only be present in a response if the Login-Service AVP is set to LAT.

LAT supports 256 different group codes, which LAT uses as a form of access rights.  LAT encodes the group codes as a 256-bit bitmap.

Administrators can assign one or more of the group code bits at the LAT service provider; it will only accept LAT connections that have these group codes set in the bitmap.  The administrators assign a bitmap of authorized group codes to each user.  LAT gets these from the operating system and uses them in its requests to the service providers.

The codification of the range of allowed usage of this field is outside the scope of this specification.

4.4.11.5.4.  Login-LAT-Port AVP

The Login-LAT-Port AVP (AVP Code 63) is of type OctetString and contains the Port with which the user is to be connected by LAT.  It MAY be used in an authorization request as a hint to the server that a specific port is desired, but the server is not required to honor the hint in the corresponding response.  This AVP MUST only be present in a response if the Login-Service AVP is set to LAT.

The String field contains the identity of the LAT port to use.
The LAT Architecture allows this string to contain $ (dollar), - (hyphen), . (period), _ (underscore), numerics, upper- and lower-case alphabetics, and the ISO Latin-1 character set extension [ISO.8859-1.1987].

All LAT string comparisons are case insensitive.

4.5.  NAS Tunneling AVPs

Some NASes support compulsory tunnel services in which the incoming connection data is conveyed by an encapsulation method to a gateway elsewhere in the network.  This is typically transparent to the service user, and the tunnel characteristics may be described by the remote AAA server, based on the user's authorization information.  Several tunnel characteristics may be returned, and the NAS implementation may choose one.  See [RFC2868] and [RFC2867] for further information.

The following table gives the possible flag values for the session level AVPs and specifies whether the AVP MAY be encrypted.

                                            +---------------------+
                                            |    AVP Flag rules   |
                                            |----+-----+----+-----|----+
                                  Section   |    |     |SHLD| MUST|    |
   Attribute Name                 Defined   |MUST| MAY | NOT| NOT|Encr|
   -----------------------------------------|----+-----+----+-----|----|
   Tunneling                      4.5.1     | M  |  P  |    |  V  | N  |
   Tunnel-Type                    4.5.2     | M  |  P  |    |  V  | Y  |
   Tunnel-Medium-Type             4.5.3     | M  |  P  |    |  V  | Y  |
   Tunnel-Client-Endpoint         4.5.4     | M  |  P  |    |  V  | Y  |
   Tunnel-Server-Endpoint         4.5.5     | M  |  P  |    |  V  | Y  |
   Tunnel-Password                4.5.6     | M  |  P  |    |  V  | Y  |
   Tunnel-Private-Group-Id        4.5.7     | M  |  P  |    |  V  | Y  |
   Tunnel-Assignment-Id           4.5.8     | M  |  P  |    |  V  | Y  |
   Tunnel-Preference              4.5.9     | M  |  P  |    |  V  | Y  |
   Tunnel-Client-Auth-Id          4.5.10    | M  |  P  |    |  V  | Y  |
   Tunnel-Server-Auth-Id          4.5.11    | M  |  P  |    |  V  | Y  |
   -----------------------------------------|----+-----+----+-----|----|

4.5.1.
Tunneling AVP

The Tunneling AVP (AVP Code 401) is of type Grouped and contains the following AVPs, used to describe a compulsory tunnel service ([RFC2868], [RFC2867]).  Its data field has the following ABNF grammar:

   Tunneling ::= < AVP Header: 401 >
                 { Tunnel-Type }
                 { Tunnel-Medium-Type }
                 { Tunnel-Client-Endpoint }
                 { Tunnel-Server-Endpoint }
                 [ Tunnel-Preference ]
                 [ Tunnel-Client-Auth-Id ]
                 [ Tunnel-Server-Auth-Id ]
                 [ Tunnel-Assignment-Id ]
                 [ Tunnel-Password ]
                 [ Tunnel-Private-Group-Id ]

4.5.2.  Tunnel-Type AVP

The Tunnel-Type AVP (AVP Code 64) is of type Enumerated and contains the tunneling protocol(s) to be used (in the case of a tunnel initiator) or in use (in the case of a tunnel terminator).  It MAY be used in an authorization request as a hint to the server that a specific tunnel type is desired, but the server is not required to honor the hint in the corresponding response.

The Tunnel-Type AVP SHOULD also be included in ACR messages.

A tunnel initiator is not required to implement any of these tunnel types.  If a tunnel initiator receives a response that contains only unknown or unsupported Tunnel-Types, the tunnel initiator MUST behave as though a response were received with the Result-Code indicating a failure.

The supported values are listed in [RADIUSTypes].

4.5.3.  Tunnel-Medium-Type AVP

The Tunnel-Medium-Type AVP (AVP Code 65) is of type Enumerated and contains the transport medium to use when creating a tunnel for protocols (such as L2TP [RFC2661]) that can operate over multiple transports.  It MAY be used in an authorization request as a hint to the server that a specific medium is desired, but the server is not required to honor the hint in the corresponding response.

The supported values are listed in [RADIUSTypes].

4.5.4.
Tunnel-Client-Endpoint AVP

The Tunnel-Client-Endpoint AVP (AVP Code 66) is of type UTF8String and contains the address of the initiator end of the tunnel.  It MAY be used in an authorization request as a hint to the server that a specific endpoint is desired, but the server is not required to honor the hint in the corresponding response.  This AVP SHOULD be included in the corresponding ACR messages, in which case it indicates the address from which the tunnel was initiated.  This AVP, along with the Tunnel-Server-Endpoint (Section 4.5.5) and Session-Id AVPs ([I-D.ietf-dime-rfc3588bis], Section 8.8), can be used to provide a globally unique means to identify a tunnel for accounting and auditing purposes.

If the value of the Tunnel-Medium-Type AVP (Section 4.5.3) is IPv4 (1), then this string is either the fully qualified domain name (FQDN) of the tunnel client machine, or a "dotted-decimal" IP address.  Implementations MUST support the dotted-decimal format and SHOULD support the FQDN format for IP addresses.

If Tunnel-Medium-Type is IPv6 (2), then this string is either the FQDN of the tunnel client machine, or a text representation of the address in either the preferred or alternate form [RFC3516].  Conforming implementations MUST support the preferred form and SHOULD support both the alternate text form and the FQDN format for IPv6 addresses.

If Tunnel-Medium-Type is neither IPv4 nor IPv6, then this string is a tag referring to configuration data local to the Diameter client that describes the interface or medium-specific client address to use.

4.5.5.  Tunnel-Server-Endpoint AVP

The Tunnel-Server-Endpoint AVP (AVP Code 67) is of type UTF8String and contains the address of the server end of the tunnel.
It MAY be used in an authorization request as a hint to the server that a specific endpoint is desired, but the server is not required to honor the hint in the corresponding response.

This AVP SHOULD be included in the corresponding ACR messages, in which case it indicates the server address to which the tunnel was initiated.  This AVP, along with the Tunnel-Client-Endpoint (Section 4.5.4) and Session-Id AVP ([I-D.ietf-dime-rfc3588bis], Section 8.8), can be used to provide a globally unique means to identify a tunnel for accounting and auditing purposes.

If Tunnel-Medium-Type is IPv4 (1), then this string is either the fully qualified domain name (FQDN) of the tunnel server machine, or a "dotted-decimal" IP address.  Implementations MUST support the dotted-decimal format and SHOULD support the FQDN format for IP addresses.

If Tunnel-Medium-Type is IPv6 (2), then this string is either the FQDN of the tunnel server machine, or a text representation of the address in either the preferred or alternate form [RFC3516].  Implementations MUST support the preferred form and SHOULD support both the alternate text form and the FQDN format for IPv6 addresses.

If Tunnel-Medium-Type is not IPv4 or IPv6, this string is a tag referring to configuration data local to the Diameter client that describes the interface or medium-specific server address to use.

4.5.6.  Tunnel-Password AVP

The Tunnel-Password AVP (AVP Code 69) is of type OctetString and may contain a password to be used to authenticate to a remote server.

The Tunnel-Password AVP contains sensitive information.  This value is not protected in the same manner as RADIUS [RFC2868].  Diameter messages are secured by using IPsec or TLS [I-D.ietf-dime-rfc3588bis].
The Tunnel-Password AVP SHOULD NOT be used in untrusted proxy environments without encrypting it by using end-to-end security techniques.

4.5.7.  Tunnel-Private-Group-Id AVP

The Tunnel-Private-Group-Id AVP (AVP Code 81) is of type OctetString and contains the group Id for a particular tunneled session.  The Tunnel-Private-Group-Id AVP MAY be included in an authorization request if the tunnel initiator can predetermine the group resulting from a particular connection.  It SHOULD be included in the authorization response if this tunnel session is to be treated as belonging to a particular private group.  Private groups may be used to associate a tunneled session with a particular group of users.  For example, it MAY be used to facilitate routing of unregistered IP addresses through a particular interface.  This AVP SHOULD be included in the ACR messages that pertain to the tunneled session.

4.5.8.  Tunnel-Assignment-Id AVP

The Tunnel-Assignment-Id AVP (AVP Code 82) is of type OctetString and is used to indicate to the tunnel initiator the particular tunnel to which a session is to be assigned.  Some tunneling protocols, such as PPTP [RFC2637] and L2TP [RFC2661], allow for sessions between the same two tunnel endpoints to be multiplexed over the same tunnel and also for a given session to use its own dedicated tunnel.  This attribute provides a mechanism for Diameter to inform the tunnel initiator (e.g., PAC, LAC) whether to assign the session to a multiplexed tunnel or to a separate tunnel.  Furthermore, it allows for sessions sharing multiplexed tunnels to be assigned to different multiplexed tunnels.

A particular tunneling implementation may assign differing characteristics to particular tunnels.  For example, different tunnels may be assigned different QoS parameters.
Such tunnels may be used to carry either individual or multiple sessions.  The Tunnel-Assignment-Id attribute thus allows the Diameter server to indicate that a particular session is to be assigned to a tunnel providing an appropriate level of service.  It is expected that any QoS-related Diameter tunneling attributes defined in the future accompanying this one will be associated by the tunnel initiator with the Id given by this attribute.  In the meantime, any semantic given to a particular Id string is a matter left to local configuration in the tunnel initiator.

The Tunnel-Assignment-Id AVP is of significance only to Diameter and the tunnel initiator.  The Id it specifies is only intended to be of local use to Diameter and the tunnel initiator.  The Id assigned by the tunnel initiator is not conveyed to the tunnel peer.

This attribute MAY be included in authorization responses.  The tunnel initiator receiving this attribute MAY choose to ignore it and to assign the session to an arbitrary multiplexed or non-multiplexed tunnel between the desired endpoints.  This AVP SHOULD also be included in the Accounting-Request messages pertaining to the tunneled session.

If a tunnel initiator supports the Tunnel-Assignment-Id AVP, then it should assign a session to a tunnel in the following manner:

   o  If this AVP is present and a tunnel exists between the specified endpoints with the specified Id, then the session should be assigned to that tunnel.

   o  If this AVP is present and no tunnel exists between the specified endpoints with the specified Id, then a new tunnel should be established for the session and the specified Id should be associated with the new tunnel.

   o  If this AVP is not present, then the session is assigned to an unnamed tunnel.
      If an unnamed tunnel does not yet exist between the specified endpoints, then it is established and used for this session and for subsequent ones established without the Tunnel-Assignment-Id attribute.  A tunnel initiator MUST NOT assign a session for which a Tunnel-Assignment-Id AVP was not specified to a named tunnel (i.e., one that was initiated by a session specifying this AVP).

Note that the same Id may be used to name different tunnels if these tunnels are between different endpoints.

4.5.9.  Tunnel-Preference AVP

The Tunnel-Preference AVP (AVP Code 83) is of type Unsigned32 and is used to identify the relative preference assigned to each tunnel when more than one set of tunneling AVPs is returned within separate Tunneling (Grouped) AVPs.  It MAY be used in an authorization request as a hint to the server that a specific preference is desired, but the server is not required to honor the hint in the corresponding response.

For example, suppose that AVPs describing two tunnels are returned by the server, one with a Tunnel-Type of PPTP and the other with a Tunnel-Type of L2TP.  If the tunnel initiator supports only one of the Tunnel-Types returned, it will initiate a tunnel of that type.  If, however, it supports both tunnel protocols, it SHOULD use the value of the Tunnel-Preference AVP to decide which tunnel should be started.  The tunnel with the lowest numerical value in the Value field of this AVP SHOULD be given the highest preference.  The values assigned to two or more instances of the Tunnel-Preference AVP within a given authorization response MAY be identical.  In this case, the tunnel initiator SHOULD use locally configured metrics to decide which set of AVPs to use.

4.5.10.
Tunnel-Client-Auth-Id AVP

The Tunnel-Client-Auth-Id AVP (AVP Code 90) is of type UTF8String and specifies the name used by the tunnel initiator during the authentication phase of tunnel establishment.  It MAY be used in an authorization request as a hint to the server that a specific name is desired, but the server is not required to honor the hint in the corresponding response.  This AVP MUST be present in the authorization response if an authentication name other than the default is desired.  This AVP SHOULD be included in the ACR messages pertaining to the tunneled session.

4.5.11.  Tunnel-Server-Auth-Id AVP

The Tunnel-Server-Auth-Id AVP (AVP Code 91) is of type UTF8String and specifies the name used by the tunnel terminator during the authentication phase of tunnel establishment.  It MAY be used in an authorization request as a hint to the server that a specific name is desired, but the server is not required to honor the hint in the corresponding response.  This AVP MUST be present in the authorization response if an authentication name other than the default is desired.  This AVP SHOULD be included in the ACR messages pertaining to the tunneled session.

4.6.  NAS Accounting AVPs

Applications implementing this specification use Diameter Accounting (as defined in [I-D.ietf-dime-rfc3588bis]) and the AVPs in the following section.  Service-specific AVP usage is defined in the tables in Section 5.

If accounting is active, Accounting Request (ACR) messages SHOULD be sent after the completion of any Authentication or Authorization transaction and at the end of a Session.  The value of the Accounting-Record-Type AVP [I-D.ietf-dime-rfc3588bis] indicates the type of event.  All other AVPs identify the session and provide additional information relevant to the event.
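The record-type rules of this section (one START/STOP pair per session with any number of INTERIM records between them, or a single EVENT record) and the restriction, stated in Sections 4.6.1 to 4.6.5, that the octet, packet and session-time counters may only appear in INTERIM_RECORD or STOP_RECORD ACRs, are the checks an accounting collector or auditor would apply before trusting a session's records.  The following is an added example of such a check; it is not part of this document and is not taken from any Diameter implementation.  It assumes each ACR has already been decoded into a dict keyed by AVP name, and the Session-Id strings and counter values are constructed for the example.

```python
"""Checks for the ACR record-type rules of Section 4.6 (added example).

Not part of the draft and not taken from any Diameter implementation.  It
assumes each ACR has already been decoded into a dict keyed by AVP name;
the Session-Id strings and counter values below are constructed for the
example.  Per Session-Id it verifies that the records form exactly one
START_RECORD ... STOP_RECORD pair with any number of INTERIM_RECORDs in
between, or a single EVENT_RECORD, that the counter AVPs which Sections
4.6.1 to 4.6.5 restrict to INTERIM/STOP records never appear in a
START_RECORD, and that those counters never run backwards within a session.
"""
from collections import defaultdict

# Accounting-Record-Type values from the base protocol [I-D.ietf-dime-rfc3588bis]
EVENT_RECORD, START_RECORD, INTERIM_RECORD, STOP_RECORD = 1, 2, 3, 4

# AVPs this document allows only in INTERIM_RECORD or STOP_RECORD ACRs
COUNTER_AVPS = frozenset({
    "Accounting-Input-Octets", "Accounting-Output-Octets",
    "Accounting-Input-Packets", "Accounting-Output-Packets",
    "Acct-Session-Time",
})


def check_session(records):
    """Return the rule violations for the ACRs of one session, in arrival order."""
    problems = []
    started = stopped = False
    events = 0
    last = {}  # highest value seen so far for each counter AVP
    for n, acr in enumerate(records):
        rtype = acr.get("Accounting-Record-Type")
        counters = sorted(COUNTER_AVPS.intersection(acr))
        if rtype == EVENT_RECORD:
            events += 1
        elif rtype == START_RECORD:
            if started:
                problems.append(f"#{n}: second START_RECORD for the session")
            started = True
            if counters:
                problems.append(f"#{n}: {counters} not allowed in a START_RECORD")
        elif rtype in (INTERIM_RECORD, STOP_RECORD):
            name = "INTERIM_RECORD" if rtype == INTERIM_RECORD else "STOP_RECORD"
            if not started:
                problems.append(f"#{n}: {name} before any START_RECORD")
            if stopped:
                problems.append(f"#{n}: {name} after the STOP_RECORD")
            for avp in counters:
                prev = last.get(avp, 0)
                if acr[avp] < prev:
                    problems.append(f"#{n}: {avp} decreased from {prev} to {acr[avp]}")
                last[avp] = max(acr[avp], prev)
            stopped = stopped or rtype == STOP_RECORD
        else:
            problems.append(f"#{n}: unknown Accounting-Record-Type {rtype!r}")
    if events and len(records) != 1:
        problems.append("an EVENT_RECORD must be the session's only record")
    if started and not stopped:
        problems.append("session has a START_RECORD but no STOP_RECORD")
    return problems


def check_accounting(acrs):
    """Group ACRs by Session-Id; return {session_id: [violations]} for bad sessions."""
    by_session = defaultdict(list)
    for acr in acrs:
        by_session[acr["Session-Id"]].append(acr)
    report = {}
    for sid, recs in by_session.items():
        problems = check_session(recs)
        if problems:
            report[sid] = problems
    return report


# Constructed sample ACRs (AVP name -> value); not captured traffic.
SAMPLE_ACRS = [
    # Session 1: well-formed START / INTERIM / STOP sequence.
    {"Session-Id": "nas.example.com;1;1", "Accounting-Record-Type": START_RECORD},
    {"Session-Id": "nas.example.com;1;1", "Accounting-Record-Type": INTERIM_RECORD,
     "Accounting-Input-Octets": 1024, "Accounting-Output-Octets": 4096,
     "Acct-Session-Time": 60},
    {"Session-Id": "nas.example.com;1;1", "Accounting-Record-Type": STOP_RECORD,
     "Accounting-Input-Octets": 2048, "Accounting-Output-Octets": 8192,
     "Acct-Session-Time": 120},
    # Session 2: authorization failed, so a single EVENT_RECORD is the correct shape.
    {"Session-Id": "nas.example.com;1;2", "Accounting-Record-Type": EVENT_RECORD},
    # Session 3: counters in the START_RECORD, a duplicate START, and no STOP.
    {"Session-Id": "nas.example.com;1;3", "Accounting-Record-Type": START_RECORD,
     "Accounting-Input-Octets": 0},
    {"Session-Id": "nas.example.com;1;3", "Accounting-Record-Type": START_RECORD},
    # Session 4: the STOP reports fewer octets than the preceding INTERIM.
    {"Session-Id": "nas.example.com;1;4", "Accounting-Record-Type": START_RECORD},
    {"Session-Id": "nas.example.com;1;4", "Accounting-Record-Type": INTERIM_RECORD,
     "Accounting-Input-Octets": 5000},
    {"Session-Id": "nas.example.com;1;4", "Accounting-Record-Type": STOP_RECORD,
     "Accounting-Input-Octets": 4000},
]

if __name__ == "__main__":
    for sid, problems in check_accounting(SAMPLE_ACRS).items():
        print(sid)
        for p in problems:
            print("   ", p)
```

The check is deliberately per Session-Id: a START_RECORD without a matching STOP_RECORD, or a counter that runs backwards between INTERIM and STOP records, is exactly the kind of inconsistency a NAS under attack or a tampered accounting stream would produce, and it is only visible once the records for one session are considered together.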
The successful completion of the first Authentication or Authorization transaction SHOULD cause a START_RECORD to be sent. If additional Authentications or Authorizations occur in later transactions, the first exchange should generate a START_RECORD, and the later ones an INTERIM_RECORD. For a given session, there MUST only be one set of matching START and STOP records, with any number of INTERIM_RECORDS in between, or one EVENT_RECORD indicating the reason a session wasn't started.

The following table gives the possible flag values for the session level AVPs and specifies whether the AVP MAY be encrypted.

                                                   +---------------------+
                                                   |    AVP Flag rules   |
                                                   |----+-----+----+-----|----+
                                          Section  |    |     |SHLD| MUST|    |
   Attribute Name                         Defined  |MUST| MAY | NOT|  NOT|Encr|
   -----------------------------------------------|----+-----+----+-----|----|
   Accounting-Input-Octets                4.6.1    | M  |  P  |    |  V  | Y  |
   Accounting-Output-Octets               4.6.2    | M  |  P  |    |  V  | Y  |
   Accounting-Input-Packets               4.6.3    | M  |  P  |    |  V  | Y  |
   Accounting-Output-Packets              4.6.4    | M  |  P  |    |  V  | Y  |
   Acct-Session-Time                      4.6.5    | M  |  P  |    |  V  | Y  |
   Acct-Authentic                         4.6.6    | M  |  P  |    |  V  | Y  |
   Accounting-Auth-Method                 4.6.7    | M  |  P  |    |  V  | Y  |
   Acct-Delay-Time                        4.6.8    | M  |  P  |    |  V  | Y  |
   Acct-Link-Count                        4.6.9    | M  |  P  |    |  V  | Y  |
   Acct-Tunnel-Connection                 4.6.10   | M  |  P  |    |  V  | Y  |
   Acct-Tunnel-Packets-Lost               4.6.11   | M  |  P  |    |  V  | Y  |
   -----------------------------------------------|----+-----+----+-----|----|

4.6.1. Accounting-Input-Octets AVP

The Accounting-Input-Octets AVP (AVP Code 363) is of type Unsigned64 and contains the number of octets received from the user.

For NAS usage, this AVP indicates how many octets have been received from the port in the course of this session. It can only be present in ACR messages with an Accounting-Record-Type [I-D.ietf-dime-rfc3588bis] of INTERIM_RECORD or STOP_RECORD.

4.6.2. Accounting-Output-Octets AVP

The Accounting-Output-Octets AVP (AVP Code 364) is of type Unsigned64 and contains the number of octets sent to the user.

For NAS usage, this AVP indicates how many octets have been sent to the port in the course of this session. It can only be present in ACR messages with an Accounting-Record-Type of INTERIM_RECORD or STOP_RECORD.

4.6.3. Accounting-Input-Packets AVP

The Accounting-Input-Packets AVP (AVP Code 365) is of type Unsigned64 and contains the number of packets received from the user.

For NAS usage, this AVP indicates how many packets have been received from the port over the course of a session being provided to a Framed User. It can only be present in ACR messages with an Accounting-Record-Type of INTERIM_RECORD or STOP_RECORD.

4.6.4. Accounting-Output-Packets AVP

The Accounting-Output-Packets AVP (AVP Code 366) is of type Unsigned64 and contains the number of IP packets sent to the user.

For NAS usage, this AVP indicates how many packets have been sent to the port over the course of a session being provided to a Framed User. It can only be present in ACR messages with an Accounting-Record-Type of INTERIM_RECORD or STOP_RECORD.

4.6.5. Acct-Session-Time AVP

The Acct-Session-Time AVP (AVP Code 46) is of type Unsigned32 and indicates the length of the current session in seconds. It can only be present in ACR messages with an Accounting-Record-Type of INTERIM_RECORD or STOP_RECORD.

4.6.6. Acct-Authentic AVP

The Acct-Authentic AVP (AVP Code 45) is of type Enumerated and specifies how the user was authenticated. The supported values are listed in [RADIUSTypes].

4.6.7. Accounting-Auth-Method AVP

The Accounting-Auth-Method AVP (AVP Code 406) is of type Enumerated. A NAS MAY include this AVP in an Accounting-Request message to indicate the method used to authenticate the user. (Note that this AVP is semantically equivalent, and the supported values are identical, to the Microsoft MS-Acct-Auth-Type vendor-specific RADIUS attribute [RFC2548].)

4.6.8. Acct-Delay-Time AVP

The Acct-Delay-Time AVP (AVP Code 41) is of type Unsigned32 and indicates the number of seconds the Diameter client has been trying to send the Accounting-Request (ACR). The accounting server may subtract this value from the time when the ACR arrives at the server to calculate the approximate time of the event that caused the ACR to be generated.

This AVP is not used for retransmissions at the transport level (TCP or SCTP). Rather, it may be used when an ACR command cannot be transmitted because there is no appropriate peer to transmit it to, or because it was rejected as undeliverable. In these cases, the command MAY be buffered and transmitted later, when an appropriate peer connection is available or after sufficient time has passed that the destination host may be reachable and operational. If the ACR is re-sent in this way, the Acct-Delay-Time AVP SHOULD be included. The value of this AVP indicates the number of seconds that elapsed between the time of the first attempt at transmission and the current attempt.

4.6.9. Acct-Link-Count AVP

The Acct-Link-Count AVP (AVP Code 51) is of type Unsigned32 and indicates the total number of links that have been active (current or closed) in a given multilink session at the time the accounting record is generated. This AVP MAY be included in Accounting-Requests for any session that may be part of a multilink service.
The Acct-Link-Count AVP may be used to make it easier for an accounting server to know when it has all the records for a given multilink service. When the number of Accounting-Requests received with Accounting-Record-Type = STOP_RECORD and with the same Acct-Multi-Session-Id and unique Session-Ids equals the largest value of Acct-Link-Count seen in those Accounting-Requests, all STOP_RECORD Accounting-Requests for that multilink service have been received.

The following example, showing eight Accounting-Requests, illustrates how the Acct-Link-Count AVP is used. In the table below, only the relevant AVPs are shown, although additional AVPs containing accounting information will be present in the Accounting-Requests.

   Acct-Multi-                    Accounting-      Acct-
   Session-Id      Session-Id     Record-Type      Link-Count
   --------------------------------------------------------
   "...10"         "...10"        START_RECORD     1
   "...10"         "...11"        START_RECORD     2
   "...10"         "...11"        STOP_RECORD      2
   "...10"         "...12"        START_RECORD     3
   "...10"         "...13"        START_RECORD     4
   "...10"         "...12"        STOP_RECORD      4
   "...10"         "...13"        STOP_RECORD      4
   "...10"         "...10"        STOP_RECORD      4

4.6.10. Acct-Tunnel-Connection AVP

The Acct-Tunnel-Connection AVP (AVP Code 68) is of type OctetString and contains the identifier assigned to the tunnel session. This AVP, along with the Tunnel-Client-Endpoint (Section 4.5.4) and Tunnel-Server-Endpoint (Section 4.5.5) AVPs, may be used to provide a means to uniquely identify a tunnel session for auditing purposes.

The format of the identifier in this AVP depends upon the value of the Tunnel-Type AVP (Section 4.5.2). For example, to identify an L2TP tunnel connection fully, the L2TP Tunnel Id and Call Id might be encoded in this field. The exact encoding of this field is implementation dependent.
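Two of the rules in this section, the per-session record ordering stated at the start of Section 4.6 (one START_RECORD, any number of INTERIM_RECORDs, one STOP_RECORD, or a single EVENT_RECORD) and the Acct-Link-Count completion test of Section 4.6.9, as an added example in Python that is not part of this document or of any Diameter implementation. It runs both checks over the eight-record table of Section 4.6.9, transcribed as constructed tuples; reducing each ACR to four AVPs is a simplification of the example, not the wire format.

```python
"""Accounting-record checks for a NAS accounting server.

Added example; not code from draft-ietf-dime-rfc4005bis. It applies two rules
from Section 4.6 to a list of Accounting-Requests: the per-session record
ordering rule (one START_RECORD, any number of INTERIM_RECORDs, one
STOP_RECORD, or a single EVENT_RECORD) and the Acct-Link-Count completion
rule of Section 4.6.9. Each ACR is reduced to a tuple of the four AVPs the
rules need, which is a simplification of this example, not the wire format.
"""
from collections import defaultdict

# Constructed sample: the eight Accounting-Requests of the Acct-Link-Count
# example table in Section 4.6.9, as
# (Acct-Multi-Session-Id, Session-Id, Accounting-Record-Type, Acct-Link-Count).
SAMPLE_ACRS = [
    ("...10", "...10", "START_RECORD", 1),
    ("...10", "...11", "START_RECORD", 2),
    ("...10", "...11", "STOP_RECORD", 2),
    ("...10", "...12", "START_RECORD", 3),
    ("...10", "...13", "START_RECORD", 4),
    ("...10", "...12", "STOP_RECORD", 4),
    ("...10", "...13", "STOP_RECORD", 4),
    ("...10", "...10", "STOP_RECORD", 4),
]


def _sequence_problem(types):
    """Describe what is wrong with one session's record types, or None.

    A session that has a START_RECORD but no STOP_RECORD yet is not a
    problem: its STOP_RECORD may simply not have arrived."""
    if types == ["EVENT_RECORD"]:
        return None
    if "EVENT_RECORD" in types:
        return "EVENT_RECORD mixed with other record types"
    starts = types.count("START_RECORD")
    if starts != 1:
        return "expected exactly one START_RECORD, saw %d" % starts
    if types.count("STOP_RECORD") > 1:
        return "more than one STOP_RECORD"
    if types[0] != "START_RECORD":
        return "first record is not START_RECORD"
    if "STOP_RECORD" in types and types[-1] != "STOP_RECORD":
        return "records received after STOP_RECORD"
    between = types[1:-1] if types[-1] == "STOP_RECORD" else types[1:]
    if any(t != "INTERIM_RECORD" for t in between):
        return "non-INTERIM record between START_RECORD and STOP_RECORD"
    return None


def check_session_records(acrs):
    """Map each Session-Id to a problem string, or None if its records are
    consistent with the ordering rule in Section 4.6."""
    per_session = defaultdict(list)
    for _multi, session_id, record_type, _links in acrs:
        per_session[session_id].append(record_type)
    return {sid: _sequence_problem(types) for sid, types in per_session.items()}


def multilink_complete(acrs, multi_session_id):
    """Section 4.6.9: every STOP_RECORD of a multilink service has arrived once
    the number of STOP_RECORDs with that Acct-Multi-Session-Id and distinct
    Session-Ids equals the largest Acct-Link-Count seen in those records."""
    stops = [(sid, links) for multi, sid, record_type, links in acrs
             if multi == multi_session_id and record_type == "STOP_RECORD"]
    if not stops:
        return False
    distinct_sessions = {sid for sid, _ in stops}
    largest_link_count = max(links for _, links in stops)
    return len(distinct_sessions) == largest_link_count


if __name__ == "__main__":
    for n in range(1, len(SAMPLE_ACRS) + 1):
        print("after %d records: multilink complete = %s"
              % (n, multilink_complete(SAMPLE_ACRS[:n], "...10")))
    print(check_session_records(SAMPLE_ACRS))
```

Fed the table one record at a time, multilink_complete stays False until the eighth record: after the third record one STOP_RECORD has arrived but the largest Acct-Link-Count seen is 2, and after the seventh there are three distinct STOP_RECORDs against a largest count of 4. The ordering check treats a session with a START_RECORD and no STOP_RECORD as pending rather than broken, so it can run on a partial stream.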
4.6.11. Acct-Tunnel-Packets-Lost AVP

The Acct-Tunnel-Packets-Lost AVP (AVP Code 86) is of type Unsigned32 and contains the number of packets lost on a given tunnel.

5. AVP Occurrence Tables

The following tables present the AVPs used by NAS applications in NAS messages and specify in which Diameter messages they MAY or MAY NOT be present. Messages and AVPs defined in the base Diameter protocol [I-D.ietf-dime-rfc3588bis] are not described in this document. Note that AVPs that can only be present within a Grouped AVP are not represented in this table.

The table uses the following symbols:

   0     The AVP MUST NOT be present in the message.
   0+    Zero or more instances of the AVP MAY be present in the message.
   0-1   Zero or one instance of the AVP MAY be present in the message.
   1     Exactly one instance of the AVP MUST be present in the message.

5.1. AA-Request/Answer AVP Table

The table in this section is limited to the Command Codes defined in this specification.
                                    +-----------+
                                    |  Command  |
                                    |-----+-----+
   AVP Name                         | AAR | AAA |
   ---------------------------------|-----+-----+
   Acct-Interim-Interval            |  0  | 0-1 |
   ARAP-Challenge-Response          |  0  | 0-1 |
   ARAP-Features                    |  0  | 0-1 |
   ARAP-Password                    | 0-1 |  0  |
   ARAP-Security                    | 0-1 | 0-1 |
   ARAP-Security-Data               | 0+  | 0+  |
   ARAP-Zone-Access                 |  0  | 0-1 |
   Auth-Application-Id              |  1  |  1  |
   Auth-Grace-Period                | 0-1 | 0-1 |
   Auth-Request-Type                |  1  |  1  |
   Auth-Session-State               | 0-1 | 0-1 |
   Authorization-Lifetime           | 0-1 | 0-1 |
   Callback-Id                      |  0  | 0-1 |
   Callback-Number                  | 0-1 | 0-1 |
   Called-Station-Id                | 0-1 |  0  |
   Calling-Station-Id               | 0-1 |  0  |
   CHAP-Auth                        | 0-1 |  0  |
   CHAP-Challenge                   | 0-1 |  0  |
   Class                            |  0  | 0+  |
   Configuration-Token              |  0  | 0+  |
   Connect-Info                     | 0+  |  0  |
   Destination-Host                 | 0-1 |  0  |
   Destination-Realm                |  1  |  0  |
   Error-Message                    |  0  | 0-1 |
   Error-Reporting-Host             |  0  | 0-1 |
   Failed-AVP                       | 0+  | 0+  |
   Filter-Id                        |  0  | 0+  |
   Framed-Appletalk-Link            |  0  | 0-1 |
   Framed-Appletalk-Network         |  0  | 0+  |
   Framed-Appletalk-Zone            |  0  | 0-1 |
   Framed-Compression               | 0+  | 0+  |
   Framed-Interface-Id              | 0-1 | 0-1 |
   Framed-IP-Address                | 0-1 | 0-1 |
   Framed-IP-Netmask                | 0-1 | 0-1 |
   Framed-IPv6-Prefix               | 0+  | 0+  |
   Framed-IPv6-Pool                 |  0  | 0-1 |
   Framed-IPv6-Route                |  0  | 0+  |
   Framed-IPX-Network               |  0  | 0-1 |
   Framed-MTU                       | 0-1 | 0-1 |
   Framed-Pool                      |  0  | 0-1 |
   Framed-Protocol                  | 0-1 | 0-1 |
   Framed-Route                     |  0  | 0+  |
   Framed-Routing                   |  0  | 0-1 |
   Idle-Timeout                     |  0  | 0-1 |
   Login-IP-Host                    | 0+  | 0+  |
   Login-IPv6-Host                  | 0+  | 0+  |
   Login-LAT-Group                  | 0-1 | 0-1 |
   Login-LAT-Node                   | 0-1 | 0-1 |
   Login-LAT-Port                   | 0-1 | 0-1 |
   Login-LAT-Service                | 0-1 | 0-1 |
   Login-Service                    |  0  | 0-1 |
   Login-TCP-Port                   |  0  | 0-1 |
   Multi-Round-Time-Out             |  0  | 0-1 |
   NAS-Filter-Rule                  |  0  | 0+  |
   NAS-Identifier                   | 0-1 |  0  |
   NAS-IP-Address                   | 0-1 |  0  |
   NAS-IPv6-Address                 | 0-1 |  0  |
   NAS-Port                         | 0-1 |  0  |
   NAS-Port-Id                      | 0-1 |  0  |
   NAS-Port-Type                    | 0-1 |  0  |
   Origin-AAA-Protocol              | 0-1 | 0-1 |
   Origin-Host                      |  1  |  1  |
   Origin-Realm                     |  1  |  1  |
   Origin-State-Id                  | 0-1 | 0-1 |
   Originating-Line-Info            | 0-1 |  0  |
   Password-Retry                   |  0  | 0-1 |
   Port-Limit                       | 0-1 | 0-1 |
   Prompt                           |  0  | 0-1 |
   Proxy-Info                       | 0+  | 0+  |
   QoS-Filter-Rule                  |  0  | 0+  |
   Re-Auth-Request-Type             |  0  | 0-1 |
   Redirect-Host                    |  0  | 0+  |
   Redirect-Host-Usage              |  0  | 0-1 |
   Redirect-Max-Cache-Time          |  0  | 0-1 |
   Reply-Message                    |  0  | 0+  |
   Result-Code                      |  0  |  1  |
   Route-Record                     | 0+  | 0+  |
   Service-Type                     | 0-1 | 0-1 |
   Session-Id                       |  1  |  1  |
   Session-Timeout                  |  0  | 0-1 |
   State                            | 0-1 | 0-1 |
   Tunneling                        | 0+  | 0+  |
   User-Name                        | 0-1 | 0-1 |
   User-Password                    | 0-1 |  0  |
   ---------------------------------|-----+-----+

5.2. Accounting AVP Tables

The tables in this section are used to show which AVPs defined in this document are to be present and used in NAS application Accounting messages. These AVPs are defined in this document, as well as in [I-D.ietf-dime-rfc3588bis] and [RFC2866].
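Before the accounting tables, an added example (not code from this document or from any Diameter implementation) of enforcing such a table in software, using the AA-Request/Answer table of Section 5.1 and the symbols defined at the start of Section 5. The encoded table is a subset of Section 5.1, the list-of-pairs message model and the sample messages are constructed for the example, and an AVP the subset does not list is reported rather than ignored. A server answer that echoes User-Password, or that carries two Result-Codes, is flagged; the same checker serves the accounting tables below once they are transcribed the same way.

```python
"""Occurrence-table check for Diameter NAS messages (Section 5 symbols).

Added example; not code from draft-ietf-dime-rfc4005bis. AA_TABLE holds a
subset of the AA-Request/Answer table in Section 5.1, using the document's
own symbols (0, 0+, 0-1, 1); the same checker serves the accounting tables
of Section 5.2 if they are transcribed the same way. A message is modelled
as a list of (AVP name, value) pairs, which is an assumption of this example
and not the Diameter wire encoding.
"""
from collections import Counter

# Subset of the Section 5.1 table: AVP name -> (rule in AAR, rule in AAA).
# Only AVPs listed here are accepted; an AVP the table omits is reported.
AA_TABLE = {
    "Auth-Application-Id": ("1", "1"),
    "Auth-Request-Type":   ("1", "1"),
    "CHAP-Auth":           ("0-1", "0"),
    "CHAP-Challenge":      ("0-1", "0"),
    "Destination-Realm":   ("1", "0"),
    "Filter-Id":           ("0", "0+"),
    "Framed-IP-Address":   ("0-1", "0-1"),
    "Origin-Host":         ("1", "1"),
    "Origin-Realm":        ("1", "1"),
    "Result-Code":         ("0", "1"),
    "Route-Record":        ("0+", "0+"),
    "Session-Id":          ("1", "1"),
    "User-Name":           ("0-1", "0-1"),
    "User-Password":       ("0-1", "0"),
}
COLUMN = {"AAR": 0, "AAA": 1}


def rule_allows(rule, count):
    """True if `count` instances satisfy one occurrence symbol."""
    if rule == "0":
        return count == 0
    if rule == "0+":
        return True
    if rule == "0-1":
        return count <= 1
    if rule == "1":
        return count == 1
    raise ValueError("unknown occurrence symbol %r" % (rule,))


def occurrence_violations(command, avps, table=AA_TABLE):
    """Return sorted 'AVP: rule R, saw N' strings; an empty list means the
    message satisfies the table for that command."""
    col = COLUMN[command]
    counts = Counter(name for name, _value in avps)
    problems = []
    for name, rules in table.items():
        seen = counts.get(name, 0)
        if not rule_allows(rules[col], seen):
            problems.append("%s: rule %s, saw %d" % (name, rules[col], seen))
    for name in counts:
        if name not in table:
            problems.append("%s: not listed for %s" % (name, command))
    return sorted(problems)


# Constructed sample messages (host names and realm are placeholders).
SAMPLE_AAR = [
    ("Session-Id", "nas.example.net;1;1"), ("Auth-Application-Id", 1),
    ("Origin-Host", "nas.example.net"), ("Origin-Realm", "example.net"),
    ("Destination-Realm", "example.net"), ("Auth-Request-Type", 3),
    ("User-Name", "alice"), ("User-Password", "<not shown>"),
]
# A malformed answer: the password is echoed back and Result-Code appears twice.
SAMPLE_BAD_AAA = [
    ("Session-Id", "nas.example.net;1;1"), ("Auth-Application-Id", 1),
    ("Origin-Host", "aaa.example.net"), ("Origin-Realm", "example.net"),
    ("Auth-Request-Type", 3), ("Result-Code", 2001), ("Result-Code", 2001),
    ("User-Name", "alice"), ("User-Password", "<not shown>"),
]

if __name__ == "__main__":
    print("AAR:", occurrence_violations("AAR", SAMPLE_AAR) or "ok")
    print("AAA:", occurrence_violations("AAA", SAMPLE_BAD_AAA) or "ok")
```

Checking every table row rather than only the AVPs present is what catches a missing mandatory AVP (Session-Id, Result-Code in an answer) as well as a forbidden one; the full table has a column per command, so extending the dict is a transcription exercise, not a code change.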
5.2.1. Framed Access Accounting AVP Table

The table in this section is used when the Service-Type AVP (Section 4.4.1) specifies Framed Access.

                                    +-----------+
                                    |  Command  |
                                    |-----+-----+
   Attribute Name                   | ACR | ACA |
   ---------------------------------|-----+-----+
   Accounting-Auth-Method           | 0-1 |  0  |
   Accounting-Input-Octets          |  1  |  0  |
   Accounting-Input-Packets         |  1  |  0  |
   Accounting-Output-Octets         |  1  |  0  |
   Accounting-Output-Packets        |  1  |  0  |
   Accounting-Record-Number         | 0-1 | 0-1 |
   Accounting-Record-Type           |  1  |  1  |
   Accounting-Realtime-Required     | 0-1 | 0-1 |
   Accounting-Sub-Session-Id        | 0-1 | 0-1 |
   Acct-Application-Id              | 0-1 | 0-1 |
   Acct-Session-Id                  |  1  | 0-1 |
   Acct-Multi-Session-Id            | 0-1 | 0-1 |
   Acct-Authentic                   |  1  |  0  |
   Acct-Delay-Time                  | 0-1 |  0  |
   Acct-Interim-Interval            | 0-1 | 0-1 |
   Acct-Link-Count                  | 0-1 |  0  |
   Acct-Session-Time                |  1  |  0  |
   Acct-Tunnel-Connection           | 0-1 |  0  |
   Acct-Tunnel-Packets-Lost         | 0-1 |  0  |
   Authorization-Lifetime           | 0-1 |  0  |
   Callback-Id                      | 0-1 |  0  |
   Callback-Number                  | 0-1 |  0  |
   Called-Station-Id                | 0-1 |  0  |
   Calling-Station-Id               | 0-1 |  0  |
   Class                            | 0+  | 0+  |
   Connection-Info                  | 0+  |  0  |
   Destination-Host                 | 0-1 |  0  |
   Destination-Realm                |  1  |  0  |
   Event-Timestamp                  | 0-1 | 0-1 |
   Error-Message                    |  0  | 0-1 |
   Error-Reporting-Host             |  0  | 0-1 |
   Failed-AVP                       |  0  | 0+  |
   Framed-AppleTalk-Link            | 0-1 |  0  |
   Framed-AppleTalk-Network         | 0-1 |  0  |
   Framed-AppleTalk-Zone            | 0-1 |  0  |
   Framed-Compression               | 0-1 |  0  |
   Framed-IP-Address                | 0-1 |  0  |
   Framed-IP-Netmask                | 0-1 |  0  |
   Framed-IPv6-Prefix               | 0+  |  0  |
   Framed-IPv6-Pool                 | 0-1 |  0  |
   Framed-IPX-Network               | 0-1 |  0  |
   Framed-MTU                       | 0-1 |  0  |
   Framed-Pool                      | 0-1 |  0  |
   Framed-Protocol                  | 0-1 |  0  |
   Framed-Route                     | 0-1 |  0  |
   Framed-Routing                   | 0-1 |  0  |
   NAS-Filter-Rule                  | 0+  |  0  |
   NAS-Identifier                   | 0-1 | 0-1 |
   NAS-IP-Address                   | 0-1 | 0-1 |
   NAS-IPv6-Address                 | 0-1 | 0-1 |
   NAS-Port                         | 0-1 | 0-1 |
   NAS-Port-Id                      | 0-1 | 0-1 |
   NAS-Port-Type                    | 0-1 | 0-1 |
   Origin-AAA-Protocol              | 0-1 | 0-1 |
   Origin-Host                      |  1  |  1  |
   Origin-Realm                     |  1  |  1  |
   Origin-State-Id                  | 0-1 | 0-1 |
   Originating-Line-Info            | 0-1 |  0  |
   Proxy-Info                       | 0+  | 0+  |
   QoS-Filter-Rule                  | 0+  |  0  |
   Route-Record                     | 0+  | 0+  |
   Result-Code                      |  0  |  1  |
   Service-Type                     | 0-1 | 0-1 |
   Session-Id                       |  1  |  1  |
   Termination-Cause                | 0-1 | 0-1 |
   Tunnel-Assignment-Id             | 0-1 |  0  |
   Tunnel-Client-Endpoint           | 0-1 |  0  |
   Tunnel-Medium-Type               | 0-1 |  0  |
   Tunnel-Private-Group-Id          | 0-1 |  0  |
   Tunnel-Server-Endpoint           | 0-1 |  0  |
   Tunnel-Type                      | 0-1 |  0  |
   User-Name                        | 0-1 | 0-1 |
   Vendor-Specific-Application-Id   | 0-1 | 0-1 |
   ---------------------------------|-----+-----+

5.2.2. Non-Framed Access Accounting AVP Table

The table in this section is used when the Service-Type AVP (Section 4.4.1) specifies Non-Framed Access.
                                    +-----------+
                                    |  Command  |
                                    |-----+-----+
   Attribute Name                   | ACR | ACA |
   ---------------------------------|-----+-----+
   Accounting-Auth-Method           | 0-1 |  0  |
   Accounting-Input-Octets          |  1  |  0  |
   Accounting-Output-Octets         |  1  |  0  |
   Accounting-Record-Type           |  1  |  1  |
   Accounting-Record-Number         | 0-1 | 0-1 |
   Accounting-Realtime-Required     | 0-1 | 0-1 |
   Accounting-Sub-Session-Id        | 0-1 | 0-1 |
   Acct-Application-Id              | 0-1 | 0-1 |
   Acct-Session-Id                  |  1  | 0-1 |
   Acct-Multi-Session-Id            | 0-1 | 0-1 |
   Acct-Authentic                   |  1  |  0  |
   Acct-Delay-Time                  | 0-1 |  0  |
   Acct-Interim-Interval            | 0-1 | 0-1 |
   Acct-Link-Count                  | 0-1 |  0  |
   Acct-Session-Time                |  1  |  0  |
   Authorization-Lifetime           | 0-1 |  0  |
   Callback-Id                      | 0-1 |  0  |
   Callback-Number                  | 0-1 |  0  |
   Called-Station-Id                | 0-1 |  0  |
   Calling-Station-Id               | 0-1 |  0  |
   Class                            | 0+  | 0+  |
   Connection-Info                  | 0+  |  0  |
   Destination-Host                 | 0-1 |  0  |
   Destination-Realm                |  1  |  0  |
   Event-Timestamp                  | 0-1 | 0-1 |
   Error-Message                    |  0  | 0-1 |
   Error-Reporting-Host             |  0  | 0-1 |
   Failed-AVP                       |  0  | 0+  |
   Login-IP-Host                    | 0+  |  0  |
   Login-IPv6-Host                  | 0+  |  0  |
   Login-LAT-Service                | 0-1 |  0  |
   Login-LAT-Node                   | 0-1 |  0  |
   Login-LAT-Group                  | 0-1 |  0  |
   Login-LAT-Port                   | 0-1 |  0  |
   Login-Service                    | 0-1 |  0  |
   Login-TCP-Port                   | 0-1 |  0  |
   NAS-Identifier                   | 0-1 | 0-1 |
   NAS-IP-Address                   | 0-1 | 0-1 |
   NAS-IPv6-Address                 | 0-1 | 0-1 |
   NAS-Port                         | 0-1 | 0-1 |
   NAS-Port-Id                      | 0-1 | 0-1 |
   NAS-Port-Type                    | 0-1 | 0-1 |
   Origin-AAA-Protocol              | 0-1 | 0-1 |
   Origin-Host                      |  1  |  1  |
   Origin-Realm                     |  1  |  1  |
   Origin-State-Id                  | 0-1 | 0-1 |
   Originating-Line-Info            | 0-1 |  0  |
   Proxy-Info                       | 0+  | 0+  |
   QoS-Filter-Rule                  | 0+  |  0  |
   Route-Record                     | 0+  | 0+  |
   Result-Code                      |  0  |  1  |
   Session-Id                       |  1  |  1  |
   Service-Type                     | 0-1 | 0-1 |
   Termination-Cause                | 0-1 | 0-1 |
   User-Name                        | 0-1 | 0-1 |
   Vendor-Specific-Application-Id   | 0-1 | 0-1 |
   ---------------------------------|-----+-----+

6. IANA Considerations

This section provides guidance to the Internet Assigned Numbers Authority (IANA) regarding registration of values related to the Diameter protocol, in accordance with BCP 26 [RFC5226].

This document defines values in the namespaces that have been created and defined in the Diameter Base [I-D.ietf-dime-rfc3588bis]. The IANA Considerations section of that document details the assignment criteria. Values assigned in this document, or by future IANA action, must be coordinated within this shared namespace.

6.1. Command Codes

This specification assigns the value 265 from the Command Code namespace defined in [I-D.ietf-dime-rfc3588bis]. See Sections 3.1 and 3.2 for the assignment of the namespace in this specification.

6.2. AVP Codes

This specification assigns the values 363 - 366 and 400 - 408 from the AVP Code namespace defined in [I-D.ietf-dime-rfc3588bis]. See Section 4 for the assignment of the namespace in this specification. Note that the values 363 - 366 are jointly, but consistently, assigned in [RFC4004]. This document also creates one new namespace to be managed by IANA, as described in Section 6.5.

This specification also specifies the use of AVPs in the 0 - 255 range, which are listed in [RADIUSTypes]. These values are assigned according to the policy stated in Section 6 of [RFC2865], as amended by [RFC3575].

6.3. Application Identifier

This specification uses the value one (1) in the Application Identifier namespace as assigned in [I-D.ietf-dime-rfc3588bis].
See Section 1.3 above for more information.

6.4. CHAP-Algorithm AVP Values

As defined in Section 4.3.4, the CHAP-Algorithm AVP (AVP Code 403) uses the values of the "PPP AUTHENTICATION ALGORITHMS" namespace defined in [RFC1994].

6.5. Accounting-Auth-Method AVP Values

As defined in Section 4.6.7, the Accounting-Auth-Method AVP (AVP Code 406) defines the values 1 - 5. All remaining values are available for assignment via the IETF Review policy [RFC5226].

7. Security Considerations

This document describes the extension of Diameter for the NAS application. The security considerations of the Diameter protocol itself have been discussed in [I-D.ietf-dime-rfc3588bis]. Use of this application of Diameter MUST take into consideration the security issues and requirements of the Base protocol.

This document does not contain a security protocol but does discuss how PPP authentication protocols can be carried within the Diameter protocol. The PPP authentication protocols described are PAP and CHAP.

The use of PAP SHOULD be discouraged, as it exposes users' passwords to possibly non-trusted entities. However, PAP is also frequently used with One-Time Passwords, which do not present a security risk.

This document also describes how CHAP can be carried within the Diameter protocol, which is required for RADIUS backward compatibility. The CHAP protocol, as used in a RADIUS environment, facilitates authentication replay attacks.

The use of the EAP authentication protocols [RFC4072] can offer better security, given a method suitable for the circumstances.

8. References

8.1. Normative References

   [ANITypes]  NANPA Number Resource Info, "ANI Assignments".

   [I-D.ietf-dime-rfc3588bis]  Fajardo, V., Arkko, J., Loughney, J., and G. Zorn, "Diameter Base Protocol", draft-ietf-dime-rfc3588bis-23 (work in progress), August 2010.

   [RADIUSTypes]  IANA, "RADIUS Types".

   [RFC1994]  Simpson, W., "PPP Challenge Handshake Authentication Protocol (CHAP)", RFC 1994, August 1996.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000.

   [RFC3162]  Aboba, B., Zorn, G., and D. Mitton, "RADIUS and IPv6", RFC 3162, August 2001.

   [RFC3516]  Nerenberg, L., "IMAP4 Binary Content Extension", RFC 3516, April 2003.

   [RFC3539]  Aboba, B. and J. Wood, "Authentication, Authorization and Accounting (AAA) Transport Profile", RFC 3539, June 2003.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 5226, May 2008.

8.2. Informative References

   [ARAP]  Apple Computer, "Apple Remote Access Protocol (ARAP) Version 2.0 External Reference Specification", R0612LL/B, September 1994.

   [AppleTalk]  Sidhu, G., Andrews, R., and A. Oppenheimer, "Inside AppleTalk", Second Edition, Apple Computer, 1990.

   [IPX]  Novell, Inc., "NetWare System Technical Interface Overview", #883-000780-001, June 1989.

   [ISO.8859-1.1987]  International Organization for Standardization, "Information technology - 8-bit single byte coded graphic - character sets - Part 1: Latin alphabet No. 1, JTC1/SC2", ISO Standard 8859-1, 1987.

   [LAT]  Digital Equipment Corp., "Local Area Transport (LAT) Specification V5.0", AA-NL26A-TE, June 1989.

   [RFC1334]  Lloyd, B. and W. Simpson, "PPP Authentication Protocols", RFC 1334, October 1992.
   [RFC1661]  Simpson, W., "The Point-to-Point Protocol (PPP)", STD 51, RFC 1661, July 1994.

   [RFC1990]  Sklower, K., Lloyd, B., McGregor, G., Carr, D., and T. Coradetti, "The PPP Multilink Protocol (MP)", RFC 1990, August 1996.

   [RFC2474]  Nichols, K., Blake, S., Baker, F., and D. Black, "Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers", RFC 2474, December 1998.

   [RFC2548]  Zorn, G., "Microsoft Vendor-specific RADIUS Attributes", RFC 2548, March 1999.

   [RFC2597]  Heinanen, J., Baker, F., Weiss, W., and J. Wroclawski, "Assured Forwarding PHB Group", RFC 2597, June 1999.

   [RFC2637]  Hamzeh, K., Pall, G., Verthein, W., Taarud, J., Little, W., and G. Zorn, "Point-to-Point Tunneling Protocol", RFC 2637, July 1999.

   [RFC2661]  Townsley, W., Valencia, A., Rubens, A., Pall, G., Zorn, G., and B. Palter, "Layer Two Tunneling Protocol "L2TP"", RFC 2661, August 1999.

   [RFC2866]  Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.

   [RFC2867]  Zorn, G., Aboba, B., and D. Mitton, "RADIUS Accounting Modifications for Tunnel Protocol Support", RFC 2867, June 2000.

   [RFC2868]  Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege, M., and I. Goyret, "RADIUS Attributes for Tunnel Protocol Support", RFC 2868, June 2000.

   [RFC2869]  Rigney, C., Willats, W., and P. Calhoun, "RADIUS Extensions", RFC 2869, June 2000.

   [RFC2881]  Mitton, D. and M. Beadles, "Network Access Server Requirements Next Generation (NASREQNG) NAS Model", RFC 2881, July 2000.
   [RFC2989]  Aboba, B., Calhoun, P., Glass, S., Hiller, T., McCann, P., Shiino, H., Zorn, G., Dommety, G., Perkins, C., Patil, B., Mitton, D., Manning, S., Beadles, M., Walsh, P., Chen, X., Sivalingham, S., Hameed, A., Munson, M., Jacobs, S., Lim, B., Hirschman, B., Hsu, R., Xu, Y., Campell, E., Baba, S., and E. Jaques, "Criteria for Evaluating AAA Protocols for Network Access", RFC 2989, November 2000.

   [RFC3169]  Beadles, M. and D. Mitton, "Criteria for Evaluating Network Access Server Protocols", RFC 3169, September 2001.

   [RFC3246]  Davie, B., Charny, A., Bennet, J., Benson, K., Le Boudec, J., Courtney, W., Davari, S., Firoiu, V., and D. Stiliadis, "An Expedited Forwarding PHB (Per-Hop Behavior)", RFC 3246, March 2002.

   [RFC3575]  Aboba, B., "IANA Considerations for RADIUS (Remote Authentication Dial In User Service)", RFC 3575, July 2003.

   [RFC3580]  Congdon, P., Aboba, B., Smith, A., Zorn, G., and J. Roese, "IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines", RFC 3580, September 2003.

   [RFC4004]  Calhoun, P., Johansson, T., Perkins, C., Hiller, T., and P. McCann, "Diameter Mobile IPv4 Application", RFC 4004, August 2005.

   [RFC4072]  Eronen, P., Hiller, T., and G. Zorn, "Diameter Extensible Authentication Protocol (EAP) Application", RFC 4072, August 2005.

Appendix A. Acknowledgements

A.1. RFC 4005

The authors would like to thank Carl Rigney, Allan C. Rubens, William Allen Simpson, and Steve Willens for their work on the original RADIUS protocol, from which many of the concepts in this specification were derived.
Thanks, also, to Carl Rigney for [RFC2866] and [RFC2869]; Ward Willats for [RFC2869]; Glen Zorn, Bernard Aboba, and Dave Mitton for [RFC2867] and [RFC3162]; and Dory Leifer, John Shriver, Matt Holdrege, Allan Rubens, Glen Zorn and Ignacio Goyret for their work on [RFC2868]. This document stole text and concepts from both [RFC2868] and [RFC2869]. Thanks go to Carl Williams for providing IPv6-specific text.

The authors would also like to acknowledge the following people for their contributions in the development of the Diameter protocol: Bernard Aboba, Jari Arkko, William Bulley, Kuntal Chowdhury, Daniel C. Fox, Lol Grant, Nancy Greene, Jeff Hagg, Peter Heitman, Paul Krumviede, Fergal Ladley, Ryan Moats, Victor Muslin, Kenneth Peirce, Sumit Vakil, John R. Vollbrecht, and Jeff Weisberg.

Finally, Pat Calhoun would like to thank Sun Microsystems, as most of the effort put into this document was done while he was in their employ.

A.2. RFC 4005bis

The vast majority of the text in this document was lifted directly from RFC 4005; the editor owes a debt of gratitude to the authors thereof (especially Dave Mitton, who somehow managed to make nroff paginate the AVP Occurrence Tables correctly!).

Author's Address

   Glen Zorn (editor)
   Network Zen
   1463 East Republican Street
   #358
   Seattle, Washington 98112
   USA

   EMail: gwz@net-zen.net