Network Working Group                                            G. Zorn
Internet-Draft                                               Network Zen
Obsoletes: 4005 (if approved)                           October 15, 2010
Intended status: Standards Track
Expires: April 18, 2011

                Diameter Network Access Server Application
                      draft-ietf-dime-rfc4005bis-01

Abstract

   This document describes the Diameter protocol application used for
   Authentication, Authorization, and Accounting (AAA) services in the
   Network Access Server (NAS) environment.  When combined with the
   Diameter Base protocol, Transport Profile, and Extensible
   Authentication Protocol specifications, this application
   specification satisfies typical network access services requirements.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 18, 2011.

Copyright Notice

   Copyright (c) 2010 IETF Trust and the persons identified as the
   document authors.  All rights reserved.
   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1. Introduction
      1.1. Terminology
      1.2. Requirements Language
      1.3. Advertising Application Support
   2. NAS Calls, Ports, and Sessions
      2.1. Diameter Session Establishment
      2.2. Diameter Session Reauthentication or Reauthorization
      2.3. Diameter Session Termination
   3. Diameter NAS Application Messages
      3.1. AA-Request (AAR) Command
      3.2. AA-Answer (AAA) Command
      3.3. Re-Auth-Request (RAR) Command
      3.4. Re-Auth-Answer (RAA) Command
      3.5. Session-Termination-Request (STR) Command
      3.6. Session-Termination-Answer (STA) Command
      3.7. Abort-Session-Request (ASR) Command
      3.8. Abort-Session-Answer (ASA) Command
      3.9. Accounting-Request (ACR) Command
      3.10. Accounting-Answer (ACA) Command
   4. Diameter NAS Application AVPs
      4.1. Derived AVP Data Formats
         4.1.1. QoSFilterRule
      4.2. NAS Session AVPs
         4.2.1. Call and Session Information
         4.2.2. NAS-Port AVP
         4.2.3. NAS-Port-Id AVP
         4.2.4. NAS-Port-Type AVP
         4.2.5. Called-Station-Id AVP
         4.2.6. Calling-Station-Id AVP
         4.2.7. Connect-Info AVP
         4.2.8. Originating-Line-Info AVP
         4.2.9. Reply-Message AVP
      4.3. NAS Authentication AVPs
         4.3.1. User-Password AVP
         4.3.2. Password-Retry AVP
         4.3.3. Prompt AVP
         4.3.4. CHAP-Auth AVP
         4.3.5. CHAP-Algorithm AVP
         4.3.6. CHAP-Ident AVP
         4.3.7. CHAP-Response AVP
         4.3.8. CHAP-Challenge AVP
         4.3.9. ARAP-Password AVP
         4.3.10. ARAP-Challenge-Response AVP
         4.3.11. ARAP-Security AVP
         4.3.12. ARAP-Security-Data AVP
      4.4. NAS Authorization AVPs
         4.4.1. Service-Type AVP
         4.4.2. Callback-Number AVP
         4.4.3. Callback-Id AVP
         4.4.4. Idle-Timeout AVP
         4.4.5. Port-Limit AVP
         4.4.6. NAS-Filter-Rule AVP
         4.4.7. Filter-Id AVP
         4.4.8. Configuration-Token AVP
         4.4.9. QoS-Filter-Rule AVP
         4.4.10. Framed Access Authorization AVPs
            4.4.10.1. Framed-Protocol AVP
            4.4.10.2. Framed-Routing AVP
            4.4.10.3. Framed-MTU AVP
            4.4.10.4. Framed-Compression AVP
            4.4.10.5. IP Access Authorization AVPs
               4.4.10.5.1. Framed-IP-Address AVP
               4.4.10.5.2. Framed-IP-Netmask AVP
               4.4.10.5.3. Framed-Route AVP
               4.4.10.5.4. Framed-Pool AVP
               4.4.10.5.5. Framed-Interface-Id AVP
               4.4.10.5.6. Framed-IPv6-Prefix AVP
               4.4.10.5.7. Framed-IPv6-Route AVP
               4.4.10.5.8. Framed-IPv6-Pool AVP
            4.4.10.6. IPX Access AVPs
               4.4.10.6.1. Framed-IPX-Network AVP
            4.4.10.7. AppleTalk Network Access AVPs
               4.4.10.7.1. Framed-AppleTalk-Link AVP
               4.4.10.7.2. Framed-AppleTalk-Network AVP
               4.4.10.7.3. Framed-AppleTalk-Zone AVP
            4.4.10.8. AppleTalk Remote Access AVPs
               4.4.10.8.1. ARAP-Features AVP
               4.4.10.8.2. ARAP-Zone-Access AVP
         4.4.11. Non-Framed Access Authorization AVPs
            4.4.11.1. Login-IP-Host AVP
            4.4.11.2. Login-IPv6-Host AVP
            4.4.11.3. Login-Service AVP
            4.4.11.4. TCP Services
               4.4.11.4.1. Login-TCP-Port AVP
            4.4.11.5. LAT Services
               4.4.11.5.1. Login-LAT-Service AVP
               4.4.11.5.2. Login-LAT-Node AVP
               4.4.11.5.3. Login-LAT-Group AVP
               4.4.11.5.4. Login-LAT-Port AVP
      4.5. NAS Tunneling AVPs
         4.5.1. Tunneling AVP
         4.5.2. Tunnel-Type AVP
         4.5.3. Tunnel-Medium-Type AVP
         4.5.4. Tunnel-Client-Endpoint AVP
         4.5.5. Tunnel-Server-Endpoint AVP
         4.5.6. Tunnel-Password AVP
         4.5.7. Tunnel-Private-Group-Id AVP
         4.5.8. Tunnel-Assignment-Id AVP
         4.5.9. Tunnel-Preference AVP
         4.5.10. Tunnel-Client-Auth-Id AVP
         4.5.11. Tunnel-Server-Auth-Id AVP
      4.6. NAS Accounting AVPs
         4.6.1. Accounting-Input-Octets AVP
         4.6.2. Accounting-Output-Octets AVP
         4.6.3. Accounting-Input-Packets AVP
         4.6.4. Accounting-Output-Packets AVP
         4.6.5. Acct-Session-Time AVP
         4.6.6. Acct-Authentic AVP
         4.6.7. Accounting-Auth-Method AVP
         4.6.8. Acct-Delay-Time AVP
         4.6.9. Acct-Link-Count AVP
         4.6.10. Acct-Tunnel-Connection AVP
         4.6.11. Acct-Tunnel-Packets-Lost AVP
   5. AVP Occurrence Tables
      5.1. AA-Request/Answer AVP Table
      5.2. Accounting AVP Tables
         5.2.1. Framed Access Accounting AVP Table
         5.2.2. Non-Framed Access Accounting AVP Table
   6. IANA Considerations
      6.1. Command Codes
      6.2. AVP Codes
      6.3. Application Identifier
      6.4. CHAP-Algorithm AVP Values
      6.5. Accounting-Auth-Method AVP Values
   7. Security Considerations
   8. References
      8.1. Normative References
      8.2. Informative References
   Appendix A. Acknowledgements
      A.1. RFC 4005
      A.2. RFC 4005bis

1. Introduction

   This document describes the Diameter protocol application used for
   AAA in the Network Access Server (NAS) environment.  When combined
   with the Diameter Base protocol [I-D.ietf-dime-rfc3588bis], Transport
   Profile [RFC3539], and EAP [RFC4072] specifications, this
   specification satisfies NAS-related requirements defined in [RFC2989]
   and [RFC3169].
   First, this document describes the operation of a Diameter NAS
   application.  Then it defines the Diameter message Command-Codes.
   The following sections list the AVPs used in these messages, grouped
   by common usage.  These are session identification, authentication,
   authorization, tunneling, and accounting.  The authorization AVPs are
   further broken down by service type.

1.1. Terminology

   Section 1.2 of the base Diameter specification
   [I-D.ietf-dime-rfc3588bis] defines most of the terminology used in
   this document.  Additionally, the following terms and acronyms are
   used in this application:

   NAS (Network Access Server)
      A device that provides an access service for a user to a network.
      The service may be a network connection or a value-added service
      such as terminal emulation [RFC2881].

   PPP (Point-to-Point Protocol)
      A multiprotocol serial datalink.  PPP is the primary IP datalink
      used for dial-in NAS connection service [RFC1661].

   CHAP (Challenge Handshake Authentication Protocol)
      An authentication process used in PPP [RFC1994].

   PAP (Password Authentication Protocol)
      A deprecated PPP authentication process, but often used for
      backward compatibility [RFC1334].

   SLIP (Serial Line Interface Protocol)
      A serial datalink that only supports IP.  A design prior to PPP.

   ARAP (Appletalk Remote Access Protocol)
      A serial datalink for accessing Appletalk networks [ARAP].

   IPX (Internet Packet Exchange)
      The network protocol used by NetWare networks [IPX].

   LAT (Local Area Transport)
      A Digital Equipment Corp. LAN protocol for terminal services
      [LAT].

   VPN (Virtual Private Network)
      In this document, this term is used to describe access services
      that use tunneling methods.

1.2. Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

1.3. Advertising Application Support

   Diameter applications conforming to this specification MUST advertise
   support by including the value of one (1) in the Auth-Application-Id
   of the Capabilities-Exchange-Request (CER), AA-Request (AAR), and AA-
   Answer (AAA) messages.  All other messages are defined by RFC 3588
   and use the Base application id value.

2. NAS Calls, Ports, and Sessions

   The arrival of a new call or service connection at a port of a
   Network Access Server (NAS) starts a Diameter NAS message exchange.
   Information about the call, the identity of the user, and the user's
   authentication information are packaged into a Diameter AA-Request
   (AAR) message and sent to a server.

   The server processes the information and responds with a Diameter AA-
   Answer (AAA) message that contains authorization information for the
   NAS, or a failure code (Result-Code AVP).  A value of
   DIAMETER_MULTI_ROUND_AUTH indicates an additional authentication
   exchange, and several AAR and AAA messages may be exchanged until the
   transaction completes.

   Depending on the value of the Auth-Request-Type AVP, the Diameter
   protocol allows authorization-only requests that contain no
   authentication information from the client.  This capability goes
   beyond the Call Check capabilities provided by RADIUS (Section 5.6 of
   [RFC2865]) in that no access decision is requested.  As a result,
   service cannot be started as a result of a response to an
   authorization-only request without introducing a significant security
   vulnerability.

2.1. Diameter Session Establishment

   When the authentication or authorization exchange completes
   successfully, the NAS application SHOULD start a session context.  If
   the Result-Code of DIAMETER_MULTI_ROUND_AUTH is returned, the
   exchange continues until a success or error is returned.

   If accounting is active, the application MUST also send an Accounting
   message [I-D.ietf-dime-rfc3588bis].  An Accounting-Record-Type of
   START_RECORD is sent for a new session.  If a session fails to start,
   the EVENT_RECORD message is sent with the reason for the failure
   described.

   Note that the return of an unsupportable Accounting-Realtime-Required
   value [I-D.ietf-dime-rfc3588bis] would result in a failure to
   establish the session.

2.2. Diameter Session Reauthentication or Reauthorization

   The Diameter Base protocol allows users to be periodically
   reauthenticated and/or reauthorized.  In such instances, the
   Session-Id AVP in the AAR message MUST be the same as the one present
   in the original authentication/authorization message.

   A Diameter server informs the NAS of the maximum time allowed before
   reauthentication or reauthorization via the Authorization-Lifetime
   AVP [I-D.ietf-dime-rfc3588bis].  A NAS MAY reauthenticate and/or
   reauthorize before the end, but a NAS MUST reauthenticate and/or
   reauthorize at the end of the period provided by the Authorization-
   Lifetime AVP.  The failure of a reauthentication exchange will
   terminate the service.

   Furthermore, it is possible for Diameter servers to issue an
   unsolicited reauthentication and/or reauthorization request (e.g.,
   Re-Auth-Request (RAR) message [I-D.ietf-dime-rfc3588bis]) to the NAS.
   Upon receipt of such a message, the NAS MUST respond to the request
   with a Re-Auth-Answer (RAA) message [I-D.ietf-dime-rfc3588bis].
   If the RAR properly identifies an active session, the NAS will
   initiate a new local reauthentication or authorization sequence as
   indicated by the Re-Auth-Request-Type value.  This will cause the NAS
   to send a new AAR message using the existing Session-Id.  The server
   will respond with an AAA message to specify the new service
   parameters.

   If accounting is active, every change of authentication or
   authorization SHOULD generate an accounting message.  If the NAS
   service is a continuation of the prior user context, then an
   Accounting-Record-Type of INTERIM_RECORD indicating the new session
   attributes and cumulative status would be appropriate.  If a new user
   or a significant change in authorization is detected by the NAS, then
   the service may send two messages of the types STOP_RECORD and
   START_RECORD.  Accounting may change the subsession identifiers
   (Acct-Session-ID, or Acct-Sub-Session-Id) to indicate such sub-
   sessions.  A service may also use a different Session-Id value for
   accounting; see Section 9.6 of [I-D.ietf-dime-rfc3588bis].

   However, the Diameter Session-ID AVP value used for the initial
   authorization exchange MUST be used to generate an STR message when
   the session context is terminated.

2.3. Diameter Session Termination

   When a NAS receives an indication that a user's session is being
   disconnected by the client (e.g., LCP Terminate is received) or an
   administrative command, the NAS MUST issue a Session-Termination-
   Request (STR) [I-D.ietf-dime-rfc3588bis] to its Diameter Server.
   This will ensure that any resources maintained on the servers are
   freed appropriately.

   Furthermore, a NAS that receives an Abort-Session-Request (ASR)
   [I-D.ietf-dime-rfc3588bis] MUST issue an ASA if the session
   identified is active and disconnect the PPP (or tunneling) session.
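   The rules of Sections 2 through 2.3 (no service from an
   authorization-only answer, reauthentication on the original
   Session-Id, STR and a STOP_RECORD on every teardown, ASA only for an
   active session) fit a small NAS-side state machine.  The Python below
   is an added example, not code from this draft or from any Diameter
   implementation.  It uses the numeric Result-Code, Auth-Request-Type,
   Re-Auth-Request-Type and Accounting-Record-Type values of the Diameter
   base protocol, models AAR, STR and ACR messages as plain dictionaries
   rather than wire-encoded messages, and the Session-Id and
   Termination-Cause strings it records are constructed.

```python
"""NAS-side Diameter session lifecycle sketch (Sections 2.1 to 2.3).

Added example, not code from the draft or from any Diameter implementation.
Numeric enumeration values are those of the Diameter base protocol; AAR, STR
and ACR messages are modelled as plain dictionaries, not wire-encoded messages.
Session-Id and Termination-Cause strings used here are constructed.
"""
from dataclasses import dataclass, field

# Result-Code values (Diameter base protocol)
DIAMETER_MULTI_ROUND_AUTH = 1001
DIAMETER_SUCCESS = 2001
DIAMETER_UNKNOWN_SESSION_ID = 5002
# Auth-Request-Type values
AUTHENTICATE_ONLY, AUTHORIZE_ONLY, AUTHORIZE_AUTHENTICATE = 1, 2, 3
# Re-Auth-Request-Type values, mapped to the Auth-Request-Type of the new AAR
RE_AUTH_TO_AUTH = {0: AUTHORIZE_ONLY, 1: AUTHORIZE_AUTHENTICATE}
# Accounting-Record-Type values
EVENT_RECORD, START_RECORD, INTERIM_RECORD, STOP_RECORD = 1, 2, 3, 4


@dataclass
class Session:
    session_id: str
    active: bool = False          # service running on the NAS port
    authorized_only: bool = False


@dataclass
class NasSessionManager:
    sessions: dict = field(default_factory=dict)
    acct_records: list = field(default_factory=list)   # ACRs the NAS would send
    sent_requests: list = field(default_factory=list)  # AAR/STR the NAS would send

    def _acr(self, session_id, record_type, cause=None):
        rec = {"Session-Id": session_id, "Accounting-Record-Type": record_type}
        if cause is not None:
            rec["Termination-Cause"] = cause
        self.acct_records.append(rec)

    def on_aaa(self, session_id, auth_request_type, result_code):
        """Process the AA-Answer to an AAR carrying the given Auth-Request-Type."""
        sess = self.sessions.get(session_id)
        if result_code == DIAMETER_MULTI_ROUND_AUTH:
            return "pending"        # next AAR reuses the Session-Id and echoes State
        if result_code != DIAMETER_SUCCESS:
            if sess is not None and sess.active:
                self._disconnect(session_id, "reauth-failed")      # Section 2.2
            else:
                self._acr(session_id, EVENT_RECORD, "auth-failed")  # Section 2.1
            return "rejected"
        if sess is not None and sess.active:
            self._acr(session_id, INTERIM_RECORD)   # continuation of the context
            return "reauthorized"
        if auth_request_type == AUTHORIZE_ONLY:
            # Section 2: an authorization-only answer is not an access decision,
            # so no service is started from it.
            self.sessions[session_id] = Session(session_id, authorized_only=True)
            return "authorized-only"
        self.sessions[session_id] = Session(session_id, active=True)
        self._acr(session_id, START_RECORD)
        return "started"

    def on_rar(self, session_id, re_auth_request_type):
        """Server-initiated re-auth (Section 2.2); returns the RAA Result-Code."""
        sess = self.sessions.get(session_id)
        if sess is None or not sess.active:
            return DIAMETER_UNKNOWN_SESSION_ID
        # The new AAR MUST carry the Session-Id of the original exchange.
        self.sent_requests.append({"cmd": "AAR", "Session-Id": session_id,
                                   "Auth-Request-Type": RE_AUTH_TO_AUTH[re_auth_request_type]})
        return DIAMETER_SUCCESS

    def on_asr(self, session_id):
        """Abort-Session-Request (Section 2.3); returns the ASA Result-Code."""
        sess = self.sessions.get(session_id)
        if sess is None or not sess.active:
            return DIAMETER_UNKNOWN_SESSION_ID
        self._disconnect(session_id, "admin-reset")
        return DIAMETER_SUCCESS

    def on_client_disconnect(self, session_id, cause="user-request"):
        """Client-side teardown, e.g. LCP Terminate received (Section 2.3)."""
        sess = self.sessions.get(session_id)
        if sess is None or not sess.active:
            return False
        self._disconnect(session_id, cause)
        return True

    def _disconnect(self, session_id, cause):
        # STR uses the Session-Id of the initial authorization exchange
        # (Section 2.2) and a STOP_RECORD closes the accounting context (2.3).
        self.sessions[session_id].active = False
        self.sent_requests.append({"cmd": "STR", "Session-Id": session_id,
                                   "Termination-Cause": cause})
        self._acr(session_id, STOP_RECORD, cause)
```

   The point to take from the sketch is the asymmetry between the two
   "successful" answers: an AUTHORIZE_ONLY success records a session
   that is never active, so a later RAR or ASR for it is answered with
   DIAMETER_UNKNOWN_SESSION_ID rather than treated as a live service.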
   If accounting is active, an Accounting STOP_RECORD message
   [I-D.ietf-dime-rfc3588bis] MUST be sent upon termination of the
   session context.

   More information on Diameter Session Termination can be found in
   Sections 8.4 and 8.5 of [I-D.ietf-dime-rfc3588bis].

3. Diameter NAS Application Messages

   This section defines the Diameter message Command-Code
   [I-D.ietf-dime-rfc3588bis] values that MUST be supported by all
   Diameter implementations conforming to this specification.  The
   Command Codes are as follows:

   +-----------------------------------+---------+------+--------------+
   | Command Name                      | Abbrev. | Code | Reference    |
   +-----------------------------------+---------+------+--------------+
   | AA-Request                        | AAR     | 265  | Section 3.1  |
   | AA-Answer                         | AAA     | 265  | Section 3.2  |
   | Re-Auth-Request                   | RAR     | 258  | Section 3.3  |
   | Re-Auth-Answer                    | RAA     | 258  | Section 3.4  |
   | Session-Termination-Request       | STR     | 275  | Section 3.5  |
   | Session-Termination-Answer        | STA     | 275  | Section 3.6  |
   | Abort-Session-Request             | ASR     | 274  | Section 3.7  |
   | Abort-Session-Answer              | ASA     | 274  | Section 3.8  |
   | Accounting-Request                | ACR     | 271  | Section 3.9  |
   | Accounting-Answer                 | ACA     | 271  | Section 3.10 |
   +-----------------------------------+---------+------+--------------+

3.1. AA-Request (AAR) Command

   The AA-Request (AAR), which is indicated by setting the Command-Code
   field to 265 and the 'R' bit in the Command Flags field, is used to
   request authentication and/or authorization for a given NAS user.
   The type of request is identified through the Auth-Request-Type AVP
   [I-D.ietf-dime-rfc3588bis].  The recommended value for most RADIUS
   interoperability situations is AUTHORIZE_AUTHENTICATE.

   If Authentication is requested, the User-Name attribute SHOULD be
   present, as well as any additional authentication AVPs that would
   carry the password information.  A request for authorization SHOULD
   only include the information from which the authorization will be
   performed, such as the User-Name, Called-Station-Id, or Calling-
   Station-Id AVPs.  All requests SHOULD contain AVPs uniquely
   identifying the source of the call, such as Origin-Host and NAS-Port.
   Certain networks MAY use different AVPs for authorization purposes.
   A request for authorization will include some AVPs defined in
   Section 4.4.

   It is possible for a single session to be authorized first and then
   for an authentication request to follow.

   This AA-Request message MAY be the result of a multi-round
   authentication exchange, which occurs when the AA-Answer message is
   received with the Result-Code AVP set to DIAMETER_MULTI_ROUND_AUTH.
   A subsequent AAR message SHOULD be sent, with the User-Password AVP
   that includes the user's response to the prompt, and MUST include any
   State AVPs that were present in the AAA message.

   Message Format

      <AA-Request> ::= < Diameter Header: 265, REQ, PXY >
                       < Session-Id >
                       { Auth-Application-Id }
                       { Origin-Host }
                       { Origin-Realm }
                       { Destination-Realm }
                       { Auth-Request-Type }
                       [ Destination-Host ]
                       [ NAS-Identifier ]
                       [ NAS-IP-Address ]
                       [ NAS-IPv6-Address ]
                       [ NAS-Port ]
                       [ NAS-Port-Id ]
                       [ NAS-Port-Type ]
                       [ Origin-AAA-Protocol ]
                       [ Origin-State-Id ]
                       [ Port-Limit ]
                       [ User-Name ]
                       [ User-Password ]
                       [ Service-Type ]
                       [ State ]
                       [ Authorization-Lifetime ]
                       [ Auth-Grace-Period ]
                       [ Auth-Session-State ]
                       [ Callback-Number ]
                       [ Called-Station-Id ]
                       [ Calling-Station-Id ]
                       [ Originating-Line-Info ]
                       [ Connect-Info ]
                       [ CHAP-Auth ]
                       [ CHAP-Challenge ]
                     * [ Framed-Compression ]
                       [ Framed-Interface-Id ]
                       [ Framed-IP-Address ]
                     * [ Framed-IPv6-Prefix ]
                       [ Framed-IP-Netmask ]
                       [ Framed-MTU ]
                       [ Framed-Protocol ]
                       [ ARAP-Password ]
                       [ ARAP-Security ]
                     * [ ARAP-Security-Data ]
                     * [ Login-IP-Host ]
                     * [ Login-IPv6-Host ]
                       [ Login-LAT-Group ]
                       [ Login-LAT-Node ]
                       [ Login-LAT-Port ]
                       [ Login-LAT-Service ]
                     * [ Tunneling ]
                     * [ Proxy-Info ]
                     * [ Route-Record ]
                     * [ AVP ]

3.2. AA-Answer (AAA) Command

   The AA-Answer (AAA) message is indicated by setting the Command-Code
   field to 265 and clearing the 'R' bit in the Command Flags field.  It
   is sent in response to the AA-Request (AAR) message.  If
   authorization was requested, a successful response will include the
   authorization AVPs appropriate for the service being provided, as
   defined in Section 4.4.

   For authentication exchanges requiring more than a single round trip,
   the server MUST set the Result-Code AVP to DIAMETER_MULTI_ROUND_AUTH.
   An AAA message with this result code MAY include one or more
   Reply-Message AVPs and MAY include zero or one State AVPs.

   If the Reply-Message AVP was present, the network access server
   SHOULD send the text to the user's client to display to the user,
   instructing the client to prompt the user for a response.  For
   example, this capability can be achieved in PPP via PAP.  If the
   access client is unable to prompt the user for a new response, it
   MUST treat the AA-Answer (AAA) with the Reply-Message AVP as an error
   and deny access.
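   The AAR grammar above fixes which AVPs a server may assume are present
   (the < > and { } entries), Section 1.3 fixes the Auth-Application-Id,
   and the multi-round rule requires a follow-up AAR to echo the State
   AVPs of the preceding AAA.  The Python below is an added example, not
   this draft's code nor that of any Diameter implementation: it encodes
   and decodes the Diameter header and AVPs and checks a decoded message
   against those three rules.  The AVP codes are those of the Diameter
   base protocol and the NAS application; the decoder refuses any AVP
   whose length runs past the message, which is the check a receiver
   needs before it trusts any AVP content.  The hostnames, realm, user
   name and State value in the test are constructed.

```python
"""Diameter message encoding/decoding and an AA-Request grammar check.

Added example; not the draft's code nor any implementation's.  AVP codes are
those of the Diameter base protocol and the NAS application; hostnames,
realms and State values used with it are constructed.
"""
import struct

R_BIT, P_BIT = 0x80, 0x40          # Command Flags: Request, Proxiable
AVP_V_BIT, AVP_M_BIT = 0x80, 0x40  # AVP Flags: Vendor-specific, Mandatory
NASREQ_APP_ID = 1                  # Section 1.3
AAR_CODE = 265                     # Section 3 (AAR and AAA share the code)

AVP_CODES = {"Session-Id": 263, "Auth-Application-Id": 258, "Origin-Host": 264,
             "Origin-Realm": 296, "Destination-Realm": 283, "Auth-Request-Type": 274,
             "Destination-Host": 293, "User-Name": 1, "User-Password": 2,
             "State": 24, "Result-Code": 268}
AVP_NAMES = {code: name for name, code in AVP_CODES.items()}
UINT32_AVPS = {"Auth-Application-Id", "Auth-Request-Type", "Result-Code"}
# Fixed (< >) and required ({ }) AVPs of <AA-Request> in Section 3.1
AAR_REQUIRED = ("Session-Id", "Auth-Application-Id", "Origin-Host",
                "Origin-Realm", "Destination-Realm", "Auth-Request-Type")


def encode_avp(name, value):
    data = struct.pack("!I", value) if name in UINT32_AVPS else bytes(value)
    length = 8 + len(data)                       # AVP header is 8 bytes
    return (struct.pack("!I", AVP_CODES[name]) + bytes([AVP_M_BIT])
            + length.to_bytes(3, "big") + data + b"\0" * ((-length) % 4))


def encode_message(cmd, flags, app_id, avps, hop_by_hop=1, end_to_end=1):
    body = b"".join(encode_avp(name, value) for name, value in avps)
    return (bytes([1]) + (20 + len(body)).to_bytes(3, "big") + bytes([flags])
            + cmd.to_bytes(3, "big") + struct.pack("!III", app_id, hop_by_hop, end_to_end)
            + body)


def decode_message(buf):
    """Return (cmd, flags, app_id, [(avp_name_or_code, value), ...]).

    Every length field is checked against the buffer before it is used, so a
    truncated message or an AVP whose length runs past the message raises
    ValueError instead of being partially trusted.
    """
    if len(buf) < 20 or buf[0] != 1:
        raise ValueError("short buffer or unsupported version")
    length = int.from_bytes(buf[1:4], "big")
    if length != len(buf):
        raise ValueError("Message Length %d does not match %d bytes" % (length, len(buf)))
    flags, cmd = buf[4], int.from_bytes(buf[5:8], "big")
    app_id, _hbh, _e2e = struct.unpack("!III", buf[8:20])
    avps, off = [], 20
    while off < length:
        if length - off < 8:
            raise ValueError("truncated AVP header at offset %d" % off)
        code = struct.unpack("!I", buf[off:off + 4])[0]
        avp_flags = buf[off + 4]
        avp_len = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr = 12 if avp_flags & AVP_V_BIT else 8   # Vendor-Id adds 4 bytes
        if avp_len < hdr or off + avp_len > length:
            raise ValueError("AVP length %d out of range at offset %d" % (avp_len, off))
        data = buf[off + hdr:off + avp_len]
        name = code if avp_flags & AVP_V_BIT else AVP_NAMES.get(code, code)
        if name in UINT32_AVPS:
            if len(data) != 4:
                raise ValueError("%s must be 4 bytes" % name)
            data = struct.unpack("!I", data)[0]
        avps.append((name, data))
        off += avp_len + (-avp_len) % 4            # AVPs are padded to 4 bytes
    return cmd, flags, app_id, avps


def check_aar(cmd, flags, app_id, avps, prior_state=()):
    """List the ways a decoded message fails Sections 1.3 and 3.1; [] means OK."""
    problems = []
    present = {name for name, _ in avps}
    if cmd != AAR_CODE or not flags & R_BIT:
        problems.append("not an AA-Request (Command-Code 265 with the R bit set)")
    if app_id != NASREQ_APP_ID or dict(avps).get("Auth-Application-Id") != NASREQ_APP_ID:
        problems.append("Auth-Application-Id is not 1")
    problems += ["missing %s" % name for name in AAR_REQUIRED if name not in present]
    # A follow-up AAR in a multi-round exchange MUST echo the State AVPs
    # received in the DIAMETER_MULTI_ROUND_AUTH answer, in order.
    echoed = [value for name, value in avps if name == "State"]
    if echoed != list(prior_state):
        problems.append("State AVPs from the previous AAA not echoed")
    return problems
```

   Validation is split from decoding on purpose: decode_message only
   decides whether the octets are a well-formed message, and check_aar
   decides whether a well-formed message is an acceptable AA-Request for
   this application, so a malformed length never reaches the grammar
   check.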
   Message Format

      <AA-Answer> ::= < Diameter Header: 265, PXY >
                      < Session-Id >
                      { Auth-Application-Id }
                      { Auth-Request-Type }
                      { Result-Code }
                      { Origin-Host }
                      { Origin-Realm }
                      [ User-Name ]
                      [ Service-Type ]
                    * [ Class ]
                    * [ Configuration-Token ]
                      [ Acct-Interim-Interval ]
                      [ Error-Message ]
                      [ Error-Reporting-Host ]
                    * [ Failed-AVP ]
                      [ Idle-Timeout ]
                      [ Authorization-Lifetime ]
                      [ Auth-Grace-Period ]
                      [ Auth-Session-State ]
                      [ Re-Auth-Request-Type ]
                      [ Multi-Round-Time-Out ]
                      [ Session-Timeout ]
                      [ State ]
                    * [ Reply-Message ]
                      [ Origin-AAA-Protocol ]
                      [ Origin-State-Id ]
                    * [ Filter-Id ]
                      [ Password-Retry ]
                      [ Port-Limit ]
                      [ Prompt ]
                      [ ARAP-Challenge-Response ]
                      [ ARAP-Features ]
                      [ ARAP-Security ]
                    * [ ARAP-Security-Data ]
                      [ ARAP-Zone-Access ]
                      [ Callback-Id ]
                      [ Callback-Number ]
                      [ Framed-AppleTalk-Link ]
                    * [ Framed-AppleTalk-Network ]
                      [ Framed-AppleTalk-Zone ]
                    * [ Framed-Compression ]
                      [ Framed-Interface-Id ]
                      [ Framed-IP-Address ]
                    * [ Framed-IPv6-Prefix ]
                      [ Framed-IPv6-Pool ]
                    * [ Framed-IPv6-Route ]
                      [ Framed-IP-Netmask ]
                    * [ Framed-Route ]
                      [ Framed-Pool ]
                      [ Framed-IPX-Network ]
                      [ Framed-MTU ]
                      [ Framed-Protocol ]
                      [ Framed-Routing ]
                    * [ Login-IP-Host ]
                    * [ Login-IPv6-Host ]
                      [ Login-LAT-Group ]
                      [ Login-LAT-Node ]
                      [ Login-LAT-Port ]
                      [ Login-LAT-Service ]
                      [ Login-Service ]
                      [ Login-TCP-Port ]
                    * [ NAS-Filter-Rule ]
                    * [ QoS-Filter-Rule ]
                    * [ Tunneling ]
                    * [ Redirect-Host ]
                      [ Redirect-Host-Usage ]
                      [ Redirect-Max-Cache-Time ]
                    * [ Proxy-Info ]
                    * [ AVP ]

3.3. Re-Auth-Request (RAR) Command

   A Diameter server may initiate a re-authentication and/or re-
   authorization service for a particular session by issuing a Re-Auth-
   Request (RAR) message [I-D.ietf-dime-rfc3588bis].
   For example, for pre-paid services, the Diameter server that
   originally authorized a session may need some confirmation that the
   user is still using the services.

   If a NAS receives an RAR message with Session-Id equal to a currently
   active session and a Re-Auth-Type that includes authentication, it
   MUST initiate a re-authentication toward the user, if the service
   supports this particular feature.

   Message Format

      <RA-Request> ::= < Diameter Header: 258, REQ, PXY >
                       < Session-Id >
                       { Origin-Host }
                       { Origin-Realm }
                       { Destination-Realm }
                       { Destination-Host }
                       { Auth-Application-Id }
                       { Re-Auth-Request-Type }
                       [ User-Name ]
                       [ Origin-AAA-Protocol ]
                       [ Origin-State-Id ]
                       [ NAS-Identifier ]
                       [ NAS-IP-Address ]
                       [ NAS-IPv6-Address ]
                       [ NAS-Port ]
                       [ NAS-Port-Id ]
                       [ NAS-Port-Type ]
                       [ Service-Type ]
                       [ Framed-IP-Address ]
                       [ Framed-IPv6-Prefix ]
                       [ Framed-Interface-Id ]
                       [ Called-Station-Id ]
                       [ Calling-Station-Id ]
                       [ Originating-Line-Info ]
                       [ Acct-Session-Id ]
                       [ Acct-Multi-Session-Id ]
                       [ State ]
                     * [ Class ]
                       [ Reply-Message ]
                     * [ Proxy-Info ]
                     * [ Route-Record ]
                     * [ AVP ]

3.4. Re-Auth-Answer (RAA) Command

   The Re-Auth-Answer (RAA) message [I-D.ietf-dime-rfc3588bis] is sent
   in response to the RAR.  The Result-Code AVP MUST be present and
   indicates the disposition of the request.

   A successful RAA transaction MUST be followed by an AAR message.
   Message Format

      <RA-Answer> ::= < Diameter Header: 258, PXY >
                      < Session-Id >
                      { Result-Code }
                      { Origin-Host }
                      { Origin-Realm }
                      [ User-Name ]
                      [ Origin-AAA-Protocol ]
                      [ Origin-State-Id ]
                      [ Error-Message ]
                      [ Error-Reporting-Host ]
                    * [ Failed-AVP ]
                    * [ Redirected-Host ]
                      [ Redirected-Host-Usage ]
                      [ Redirected-Host-Cache-Time ]
                      [ Service-Type ]
                    * [ Configuration-Token ]
                      [ Idle-Timeout ]
                      [ Authorization-Lifetime ]
                      [ Auth-Grace-Period ]
                      [ Re-Auth-Request-Type ]
                      [ State ]
                    * [ Class ]
                    * [ Reply-Message ]
                      [ Prompt ]
                    * [ Proxy-Info ]
                    * [ AVP ]

3.5. Session-Termination-Request (STR) Command

   The Session-Termination-Request (STR) message
   [I-D.ietf-dime-rfc3588bis] is sent by the NAS to inform the Diameter
   Server that an authenticated and/or authorized session is being
   terminated.

   Message Format

      <ST-Request> ::= < Diameter Header: 275, REQ, PXY >
                       < Session-Id >
                       { Origin-Host }
                       { Origin-Realm }
                       { Destination-Realm }
                       { Auth-Application-Id }
                       { Termination-Cause }
                       [ User-Name ]
                       [ Destination-Host ]
                     * [ Class ]
                       [ Origin-AAA-Protocol ]
                       [ Origin-State-Id ]
                     * [ Proxy-Info ]
                     * [ Route-Record ]
                     * [ AVP ]

3.6. Session-Termination-Answer (STA) Command

   The Session-Termination-Answer (STA) message
   [I-D.ietf-dime-rfc3588bis] is sent by the Diameter Server to
   acknowledge the notification that the session has been terminated.
   The Result-Code AVP MUST be present and MAY contain an indication
   that an error occurred while the STR was being serviced.

   Upon sending or receiving the STA, the Diameter Server MUST release
   all resources for the session indicated by the Session-Id AVP.  Any
   intermediate server in the Proxy-Chain MAY also release any
   resources, if necessary.
687 Message Format 689 ::= < Diameter Header: 275, PXY > 690 < Session-Id > 691 { Result-Code } 692 { Origin-Host } 693 { Origin-Realm } 694 [ User-Name ] 695 * [ Class ] 696 [ Error-Message ] 697 [ Error-Reporting-Host ] 698 * [ Failed-AVP ] 699 [ Origin-AAA-Protocol ] 700 [ Origin-State-Id ] 701 * [ Redirect-Host ] 702 [ Redirect-Host-Usase ] 703 [ Redirect-Max-Cache-Time ] 704 * [ Proxy-Info ] 705 * [ AVP ] 707 3.7. Abort-Session-Request (ASR) Command 709 The Abort-Session-Request (ASR) message [I-D.ietf-dime-rfc3588bis] 710 may be sent by any server to the NAS providing session service, to 711 request that the session identified by the Session-Id be stopped. 713 Message Format 715 ::= < Diameter Header: 274, REQ, PXY > 716 < Session-Id > 717 { Origin-Host } 718 { Origin-Realm } 719 { Destination-Realm } 720 { Destination-Host } 721 { Auth-Application-Id } 722 [ User-Name ] 723 [ Origin-AAA-Protocol ] 724 [ Origin-State-Id ] 725 [ NAS-Identifier ] 726 [ NAS-IP-Address ] 727 [ NAS-IPv6-Address ] 728 [ NAS-Port ] 729 [ NAS-Port-Id ] 730 [ NAS-Port-Type ] 731 [ Service-Type ] 732 [ Framed-IP-Address ] 733 [ Framed-IPv6-Prefix ] 734 [ Framed-Interface-Id ] 735 [ Called-Station-Id ] 736 [ Calling-Station-Id ] 737 [ Originating-Line-Info ] 738 [ Acct-Session-Id ] 739 [ Acct-Multi-Session-Id ] 740 [ State ] 741 * [ Class ] 742 * [ Reply-Message ] 743 * [ Proxy-Info ] 744 * [ Route-Record ] 745 * [ AVP ] 747 3.8. Abort-Session-Answer (ASA) Command 749 The ASA message [I-D.ietf-dime-rfc3588bis] is sent in response to the 750 ASR. The Result-Code AVP MUST be present and indicates the 751 disposition of the request. 753 If the session identified by Session-Id in the ASR was successfully 754 terminated, Result-Code is set to DIAMETER_SUCCESS. If the session 755 is not currently active, the Result-Code AVP is set to 756 DIAMETER_UNKNOWN_SESSION_ID. 
   If the access device does not stop the session for any other reason,
   the Result-Code AVP is set to DIAMETER_UNABLE_TO_COMPLY.

   Message Format

      <AS-Answer>  ::= < Diameter Header: 274, PXY >
                       < Session-Id >
                       { Result-Code }
                       { Origin-Host }
                       { Origin-Realm }
                       [ User-Name ]
                       [ Origin-AAA-Protocol ]
                       [ Origin-State-Id ]
                       [ State ]
                       [ Error-Message ]
                       [ Error-Reporting-Host ]
                     * [ Failed-AVP ]
                     * [ Redirected-Host ]
                       [ Redirected-Host-Usage ]
                       [ Redirected-Max-Cache-Time ]
                     * [ Proxy-Info ]
                     * [ AVP ]

3.9.  Accounting-Request (ACR) Command

   The ACR message [I-D.ietf-dime-rfc3588bis] is sent by the NAS to
   report its session information to a target server downstream.

   Either the Acct-Application-Id AVP or the
   Vendor-Specific-Application-Id AVP MUST be present.  If the
   Vendor-Specific-Application-Id grouped AVP is present, it must have an
   Acct-Application-Id inside.

   The AVPs listed in the Base protocol specification
   [I-D.ietf-dime-rfc3588bis] MUST be assumed to be present, as
   appropriate.  NAS service-specific accounting AVPs SHOULD be present
   as described in Section 4.6 and the rest of this specification.
   Message Format

      <AC-Request> ::= < Diameter Header: 271, REQ, PXY >
                       < Session-Id >
                       { Origin-Host }
                       { Origin-Realm }
                       { Destination-Realm }
                       { Accounting-Record-Type }
                       { Accounting-Record-Number }
                       [ Acct-Application-Id ]
                       [ Vendor-Specific-Application-Id ]
                       [ User-Name ]
                       [ Accounting-Sub-Session-Id ]
                       [ Acct-Session-Id ]
                       [ Acct-Multi-Session-Id ]
                       [ Origin-AAA-Protocol ]
                       [ Origin-State-Id ]
                       [ Destination-Host ]
                       [ Event-Timestamp ]
                       [ Acct-Delay-Time ]
                       [ NAS-Identifier ]
                       [ NAS-IP-Address ]
                       [ NAS-IPv6-Address ]
                       [ NAS-Port ]
                       [ NAS-Port-Id ]
                       [ NAS-Port-Type ]
                     * [ Class ]
                       [ Service-Type ]
                       [ Termination-Cause ]
                       [ Accounting-Input-Octets ]
                       [ Accounting-Input-Packets ]
                       [ Accounting-Output-Octets ]
                       [ Accounting-Output-Packets ]
                       [ Acct-Authentic ]
                       [ Accounting-Auth-Method ]
                       [ Acct-Link-Count ]
                       [ Acct-Session-Time ]
                       [ Acct-Tunnel-Connection ]
                       [ Acct-Tunnel-Packets-Lost ]
                       [ Callback-Id ]
                       [ Callback-Number ]
                       [ Called-Station-Id ]
                       [ Calling-Station-Id ]
                     * [ Connection-Info ]
                       [ Originating-Line-Info ]
                       [ Authorization-Lifetime ]
                       [ Session-Timeout ]
                       [ Idle-Timeout ]
                       [ Port-Limit ]
                       [ Accounting-Realtime-Required ]
                       [ Acct-Interim-Interval ]
                     * [ Filter-Id ]
                     * [ NAS-Filter-Rule ]
                     * [ QoS-Filter-Rule ]
                       [ Framed-AppleTalk-Link ]
                       [ Framed-AppleTalk-Network ]
                       [ Framed-AppleTalk-Zone ]
                       [ Framed-Compression ]
                       [ Framed-Interface-Id ]
                       [ Framed-IP-Address ]
                       [ Framed-IP-Netmask ]
                     * [ Framed-IPv6-Prefix ]
                       [ Framed-IPv6-Pool ]
                     * [ Framed-IPv6-Route ]
                       [ Framed-IPX-Network ]
                       [ Framed-MTU ]
                       [ Framed-Pool ]
                       [ Framed-Protocol ]
                     * [ Framed-Route ]
                       [ Framed-Routing ]
                     * [ Login-IP-Host ]
                     * [ Login-IPv6-Host ]
                       [ Login-LAT-Group ]
                       [ Login-LAT-Node ]
                       [ Login-LAT-Port ]
                       [ Login-LAT-Service ]
                       [ Login-Service ]
                       [ Login-TCP-Port ]
                     * [ Tunneling ]
                     * [ Proxy-Info ]
                     * [ Route-Record ]
                     * [ AVP ]

3.10.  Accounting-Answer (ACA) Command

   The ACA message [I-D.ietf-dime-rfc3588bis] is used to acknowledge an
   Accounting-Request command.  The Accounting-Answer command contains
   the same Session-Id as the Request.  If the Accounting-Request was
   protected by end-to-end security, then the corresponding ACA message
   MUST be protected as well.

   Only the target Diameter Server or home Diameter Server SHOULD
   respond with the Accounting-Answer command.

   Either the Acct-Application-Id AVP or the
   Vendor-Specific-Application-Id AVP MUST be present, as it was in the
   request.

   The AVPs listed in the Base protocol specification
   [I-D.ietf-dime-rfc3588bis] MUST be assumed to be present, as
   appropriate.  NAS service-specific accounting AVPs SHOULD be present
   as described in Section 4.6 and the rest of this specification.

   Message Format

      <AC-Answer>  ::= < Diameter Header: 271, PXY >
                       < Session-Id >
                       { Result-Code }
                       { Origin-Host }
                       { Origin-Realm }
                       { Accounting-Record-Type }
                       { Accounting-Record-Number }
                       [ Acct-Application-Id ]
                       [ Vendor-Specific-Application-Id ]
                       [ User-Name ]
                       [ Accounting-Sub-Session-Id ]
                       [ Acct-Session-Id ]
                       [ Acct-Multi-Session-Id ]
                       [ Event-Timestamp ]
                       [ Error-Message ]
                       [ Error-Reporting-Host ]
                     * [ Failed-AVP ]
                       [ Origin-AAA-Protocol ]
                       [ Origin-State-Id ]
                       [ NAS-Identifier ]
                       [ NAS-IP-Address ]
                       [ NAS-IPv6-Address ]
                       [ NAS-Port ]
                       [ NAS-Port-Id ]
                       [ NAS-Port-Type ]
                       [ Service-Type ]
                       [ Termination-Cause ]
                       [ Accounting-Realtime-Required ]
                       [ Acct-Interim-Interval ]
                     * [ Class ]
                     * [ Proxy-Info ]
                     * [ AVP ]

4.  Diameter NAS Application AVPs

   The following sections define a new derived AVP data format, a set of
   application-specific AVPs and describe the use of AVPs defined in
   other documents by the Diameter NAS Application.
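   The "Message Format" blocks of Sections 3.5 through 3.10 are written
   in the base protocol's Command Code Format: "< >" marks a fixed AVP
   that must lead the message in the listed order, "{ }" a required AVP
   that occurs exactly once, "[ ]" an optional AVP that occurs at most
   once, and a leading "*" relaxes the count to zero or more, so that
   "* [ AVP ]" admits AVPs the format does not list.  The following is
   an added example, not text or code from this draft: it reads such a
   format (the ST-Answer rules of Section 3.6, with the Result-Code
   names taken from the base protocol's permanent-failure codes) and
   reports which of those rules a received message violates, which is
   the check a server applies before acting on an answer or request.
   The two sample messages are constructed and are not captured traffic.

```python
import re
from collections import Counter
from typing import List, NamedTuple, Optional

# Added example, not text from the draft: a reader for the Command Code
# Format (CCF) notation used in the "Message Format" blocks above, plus a
# checker that applies one such format to the AVP names of a message.
# The rules are the ST-Answer format of Section 3.6; the Result-Code
# names are the base protocol's permanent failures for these conditions
# (DIAMETER_MISSING_AVP 5005, DIAMETER_AVP_OCCURS_TOO_MANY_TIMES 5009,
# DIAMETER_AVP_NOT_ALLOWED 5008).

STA_CCF = """
   < Session-Id >
   { Result-Code }
   { Origin-Host }
   { Origin-Realm }
   [ User-Name ]
 * [ Class ]
   [ Error-Message ]
   [ Error-Reporting-Host ]
 * [ Failed-AVP ]
   [ Origin-AAA-Protocol ]
   [ Origin-State-Id ]
 * [ Redirect-Host ]
   [ Redirect-Host-Usage ]
   [ Redirect-Max-Cache-Time ]
 * [ Proxy-Info ]
 * [ AVP ]
"""


class Rule(NamedTuple):
    name: str
    fixed: bool             # < name >: must lead the message, in the listed order
    min_occ: int            # minimum number of occurrences
    max_occ: Optional[int]  # maximum number of occurrences; None = unbounded


# optional qualifier "n*m" (either bound may be absent), then one bracketed name
RULE_RE = re.compile(r"^\s*(?:(\d*)(\*)(\d*))?\s*([<{\[])\s*([\w-]+)\s*[>}\]]\s*$")


def parse_ccf(text: str) -> List[Rule]:
    """Turn the AVP lines of a CCF (header line omitted) into Rule objects."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError("not a CCF rule: %r" % line)
        lo, star, hi, bracket, name = m.groups()
        if star:                     # explicit qualifier: "*" alone is zero or more
            lo_n, hi_n = (int(lo) if lo else 0), (int(hi) if hi else None)
        elif bracket == "[":         # [ ] without qualifier: optional, at most one
            lo_n, hi_n = 0, 1
        else:                        # < > or { }: exactly one
            lo_n, hi_n = 1, 1
        rules.append(Rule(name, bracket == "<", lo_n, hi_n))
    return rules


def check_message(avps: List[str], rules: List[Rule]) -> List[tuple]:
    """Apply a CCF to a message given as its AVP names in wire order.

    Returns (problem, avp_name) pairs; an empty list means the message
    satisfies the format.  "FIXED_ORDER" is a local tag, not a Diameter
    Result-Code: a fixed AVP that is present but out of position.
    """
    problems = []
    counts = Counter(avps)
    listed = {r.name for r in rules}
    wildcard = "AVP" in listed       # "* [ AVP ]" admits AVPs not listed
    for r in rules:
        if r.name == "AVP":
            continue
        n = counts.get(r.name, 0)
        if n < r.min_occ:
            problems.append(("DIAMETER_MISSING_AVP", r.name))
        elif r.max_occ is not None and n > r.max_occ:
            problems.append(("DIAMETER_AVP_OCCURS_TOO_MANY_TIMES", r.name))
    if not wildcard:
        for name in counts:
            if name not in listed:
                problems.append(("DIAMETER_AVP_NOT_ALLOWED", name))
    fixed = [r.name for r in rules if r.fixed]
    if avps[:len(fixed)] != fixed:
        problems.append(("FIXED_ORDER", ",".join(fixed)))
    return problems


STA_RULES = parse_ccf(STA_CCF)

# Constructed sample messages (AVP names only, not captured traffic).
GOOD_STA = ["Session-Id", "Result-Code", "Origin-Host", "Origin-Realm",
            "Class", "Class", "Proxy-Info", "Vendor-Specific-Application-Id"]
BAD_STA = ["Session-Id", "Origin-Host", "Origin-Realm", "User-Name", "User-Name"]

if __name__ == "__main__":
    for msg in (GOOD_STA, BAD_STA):
        print(check_message(msg, STA_RULES) or "well formed")
```

   The unlisted Vendor-Specific-Application-Id in the first sample passes
   only because the ST-Answer format ends in "* [ AVP ]"; a format
   without that line would reject it.  The second sample is missing its
   Result-Code and repeats User-Name, so the checker reports both.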
4.1.  Derived AVP Data Formats

4.1.1.  QoSFilterRule

   The QoSFilterRule format is derived from the OctetString AVP Base
   Format.  It uses the ASCII charset.  Packets may be marked or metered
   based on the following information:

   o  Direction (in or out)

   o  Source and destination IP address (possibly masked)

   o  Protocol

   o  Source and destination port (lists or ranges)

   o  DSCP values (no mask or range)

   Rules for the appropriate direction are evaluated in order; the first
   matched rule terminates the evaluation.  Each packet is evaluated
   once.  If no rule matches, the packet is treated as best effort.  An
   access device unable to interpret or apply a QoS rule SHOULD NOT
   terminate the session.

   QoSFilterRule filters MUST follow the following format:

      action dir proto from src to dst [options]

   where

   action       tag    Mark packet with a specific DSCP [RFC2474]
                meter  Meter traffic

   dir          The format is as described under IPFilterRule
                [I-D.ietf-dime-rfc3588bis]

   proto        The format is as described under IPFilterRule
                [I-D.ietf-dime-rfc3588bis]

   src and dst  The format is as described under IPFilterRule
                [I-D.ietf-dime-rfc3588bis]

   The options are described in Section 4.4.9.

   The rule syntax is a modified subset of ipfw(8) from FreeBSD, and the
   ipfw.c code may provide a useful base for implementations.

4.2.  NAS Session AVPs

   Diameter reserves the AVP Codes 0 - 255 for RADIUS functions that are
   implemented in Diameter.

   AVPs new to Diameter have code values of 256 and greater.  A Diameter
   message that includes one of these AVPs may represent functions not
   present in the RADIUS environment and may cause interoperability
   issues, should the request traverse an AAA system that only supports
   the RADIUS protocol.

4.2.1.  Call and Session Information

   This section describes the AVPs specific to NAS Diameter applications
   that are needed to identify the call and session context and status
   information.  On a request, this information allows the server to
   qualify the session.

   These AVPs are used in addition to the following AVPs from the base
   protocol specification [I-D.ietf-dime-rfc3588bis]:

      Session-Id
      Auth-Application-Id
      Origin-Host
      Origin-Realm
      Auth-Request-Type
      Termination-Cause

   The following table gives the possible flag values for the session
   level AVPs and specifies whether the AVP MAY be encrypted.

                                             +---------------------+
                                             |    AVP Flag rules   |
                                             |----+-----+----+-----|----+
                                             |    |     |SHLD| MUST|    |
   Attribute Name            Section Defined |MUST| MAY | NOT|  NOT|Encr|
   ------------------------------------------|----+-----+----+-----|----|
   NAS-Port                  4.2.2           | M  |  P  |    |  V  | Y  |
   NAS-Port-Id               4.2.3           | M  |  P  |    |  V  | Y  |
   NAS-Port-Type             4.2.4           | M  |  P  |    |  V  | Y  |
   Called-Station-Id         4.2.5           | M  |  P  |    |  V  | Y  |
   Calling-Station-Id        4.2.6           | M  |  P  |    |  V  | Y  |
   Connect-Info              4.2.7           | M  |  P  |    |  V  | Y  |
   Originating-Line-Info     4.2.8           |    | M,P |    |  V  | Y  |
   Reply-Message             4.2.9           | M  |  P  |    |  V  | Y  |
   ------------------------------------------|----+-----+----+-----|----|

4.2.2.  NAS-Port AVP

   The NAS-Port AVP (AVP Code 5) is of type Unsigned32 and contains the
   physical or virtual port number of the NAS which is authenticating
   the user.  Note that "port" is meant in its sense as a service
   connection on the NAS, not as an IP protocol identifier.

   Either the NAS-Port AVP or the NAS-Port-Id AVP (Section 4.2.3) SHOULD
   be present in the AA-Request (AAR, Section 3.1) command if the NAS
   differentiates among its ports.

4.2.3.  NAS-Port-Id AVP

   The NAS-Port-Id AVP (AVP Code 87) is of type UTF8String and consists
   of ASCII text identifying the port of the NAS authenticating the
   user.  Note that "port" is meant in its sense as a service connection
   on the NAS, not as an IP protocol identifier.

   Either the NAS-Port-Id or the NAS-Port (Section 4.2.2) SHOULD be
   present in the AA-Request (AAR, Section 3.1) command if the NAS
   differentiates among its ports.  NAS-Port-Id is intended for use by
   NASes that cannot conveniently number their ports.

4.2.4.  NAS-Port-Type AVP

   The NAS-Port-Type AVP (AVP Code 61) is of type Enumerated and
   contains the type of the port on which the NAS is authenticating the
   user.  This AVP SHOULD be present if the NAS uses the same NAS-Port
   number ranges for different service types concurrently.

   The currently supported values of the NAS-Port-Type AVP are listed in
   [RADIUSTypes].

4.2.5.  Called-Station-Id AVP

   The Called-Station-Id AVP (AVP Code 30) is of type UTF8String and
   allows the NAS to send the ASCII string describing the Layer 2
   address the user contacted in the request.  For dialup access, this
   can be a phone number obtained by using the Dialed Number
   Identification Service (DNIS) or a similar technology.  Note that
   this may be different from the phone number the call comes in on.
   For use with IEEE 802 access, the Called-Station-Id MAY contain a MAC
   address formatted as described in [RFC3580].  It SHOULD only be
   present in authentication and/or authorization requests.

   If the Called-Station-Id AVP is present in an AAR message, the
   Auth-Request-Type AVP is set to AUTHORIZE_ONLY and the User-Name AVP
   is absent, the Diameter Server MAY perform authorization based on
   this AVP.  This can be used by a NAS to request whether a call should
   be answered based on the DNIS.
   The codification of this field's allowed usage range is outside the
   scope of this specification.

4.2.6.  Calling-Station-Id AVP

   The Calling-Station-Id AVP (AVP Code 31) is of type UTF8String and
   allows the NAS to send the ASCII string describing the Layer 2
   address from which the user connected in the request.  For dialup
   access, this is the phone number the call came from, using Automatic
   Number Identification (ANI) or a similar technology.  For use with
   IEEE 802 access, the Calling-Station-Id AVP MAY contain a MAC
   address, formatted as described in [RFC3580].  It SHOULD only be
   present in authentication and/or authorization requests.

   If the Calling-Station-Id AVP is present in an AAR message, the
   Auth-Request-Type AVP is set to AUTHORIZE_ONLY and the User-Name AVP
   is absent, the Diameter Server MAY perform authorization based on the
   value of this AVP.  This can be used by a NAS to request whether a
   call should be answered based on the Layer 2 address (ANI, MAC
   Address, etc.).

   The codification of this field's allowed usage range is outside the
   scope of this specification.

4.2.7.  Connect-Info AVP

   The Connect-Info AVP (AVP Code 77) is of type UTF8String and is sent
   in the AA-Request message or an ACR message with the value of the
   Accounting-Record-Type AVP set to STOP.  When sent in the AA-Request,
   it indicates the nature of the user's connection.  The connection
   speed SHOULD be included at the beginning of the first Connect-Info
   AVP in the message.  If the transmit and receive connection speeds
   differ, both may be included in the first AVP with the transmit speed
   listed first (the speed at which the NAS modem transmits), then a
   slash (/), then the receive speed, and then other optional
   information.
   For example: "28800 V42BIS/LAPM" or "52000/31200 V90"

   If sent in an ACR message with the value of the
   Accounting-Record-Type AVP set to STOP, this attribute may summarize
   statistics relating to session quality.  For example, in IEEE 802.11,
   the Connect-Info AVP may contain information on the number of link
   layer retransmissions.  The exact format of this attribute is
   implementation specific.

4.2.8.  Originating-Line-Info AVP

   The Originating-Line-Info AVP (AVP Code 94) is of type OctetString
   and is sent by the NAS system to convey information about the origin
   of the call from an SS7 system.

   The originating line information (OLI) element indicates the nature
   and/or characteristics of the line from which a call originated
   (e.g., pay phone, hotel, cellular).  Telephone companies are starting
   to offer OLI to their customers as an option over Primary Rate
   Interface (PRI).  Internet Service Providers (ISPs) can use OLI in
   addition to Called-Station-Id and Calling-Station-Id attributes to
   differentiate customer calls and to define different services.

   The Value field contains two octets (00 - 99).  ANSI T1.113 and
   BELLCORE 394 can be used for additional information about these
   values and their use.  For information on the currently assigned
   values, see [ANITypes].

4.2.9.  Reply-Message AVP

   The Reply-Message AVP (AVP Code 18) is of type UTF8String and
   contains text that MAY be displayed to the user.  When used in an
   AA-Answer message with a successful Result-Code AVP, it indicates
   success.  When found in an AAA message with a Result-Code other than
   DIAMETER_SUCCESS, the AVP contains a failure message.

   The Reply-Message AVP MAY contain text to prompt the user before
   another AA-Request attempt.
   When used in an AA-Answer message containing a Result-Code AVP with
   the value DIAMETER_MULTI_ROUND_AUTH or in a Re-Auth-Request message,
   it MAY contain text to prompt the user for a response.

4.3.  NAS Authentication AVPs

   This section defines the AVPs necessary to carry the authentication
   information in the Diameter protocol.  The functionality defined here
   provides a RADIUS-like AAA service over a more reliable and secure
   transport, as defined in the base protocol
   [I-D.ietf-dime-rfc3588bis].

   The following table gives the possible flag values for the session
   level AVPs and specifies whether the AVP MAY be encrypted.

                                             +---------------------+
                                             |    AVP Flag rules   |
                                             |----+-----+----+-----|----+
                                             |    |     |SHLD| MUST|    |
   Attribute Name            Section Defined |MUST| MAY | NOT|  NOT|Encr|
   ------------------------------------------|----+-----+----+-----|----|
   User-Password             4.3.1           | M  |  P  |    |  V  | Y  |
   Password-Retry            4.3.2           | M  |  P  |    |  V  | Y  |
   Prompt                    4.3.3           | M  |  P  |    |  V  | Y  |
   CHAP-Auth                 4.3.4           | M  |  P  |    |  V  | Y  |
   CHAP-Algorithm            4.3.5           | M  |  P  |    |  V  | Y  |
   CHAP-Ident                4.3.6           | M  |  P  |    |  V  | Y  |
   CHAP-Response             4.3.7           | M  |  P  |    |  V  | Y  |
   CHAP-Challenge            4.3.8           | M  |  P  |    |  V  | Y  |
   ARAP-Password             4.3.9           | M  |  P  |    |  V  | Y  |
   ARAP-Challenge-Response   4.3.10          | M  |  P  |    |  V  | Y  |
   ARAP-Security             4.3.11          | M  |  P  |    |  V  | Y  |
   ARAP-Security-Data        4.3.12          | M  |  P  |    |  V  | Y  |
   ------------------------------------------|----+-----+----+-----|----|

4.3.1.  User-Password AVP

   The User-Password AVP (AVP Code 2) is of type OctetString and
   contains the password of the user to be authenticated, or the user's
   input in a multi-round authentication exchange.

   The User-Password AVP contains a user password or one-time password
   and therefore represents sensitive information.
   As required in [I-D.ietf-dime-rfc3588bis], Diameter messages are
   encrypted by using IPsec or TLS.  Unless this AVP is used for
   one-time passwords, the User-Password AVP SHOULD NOT be used in
   untrusted proxy environments without encrypting it by using
   end-to-end security techniques.

   The clear-text password (prior to encryption) MUST NOT be longer than
   128 bytes in length.

4.3.2.  Password-Retry AVP

   The Password-Retry AVP (AVP Code 75) is of type Unsigned32 and MAY be
   included in the AA-Answer if the Result-Code indicates an
   authentication failure.  The value of this AVP indicates how many
   authentication attempts a user is permitted before being
   disconnected.  This AVP is primarily intended for use when the
   Framed-Protocol AVP (Section 4.4.10.1) is set to ARAP.

4.3.3.  Prompt AVP

   The Prompt AVP (AVP Code 76) is of type Enumerated and MAY be present
   in the AA-Answer message.  When present, it is used by the NAS to
   determine whether the user's response, when entered, should be
   echoed.

   The supported values are listed in [RADIUSTypes].

4.3.4.  CHAP-Auth AVP

   The CHAP-Auth AVP (AVP Code 402) is of type Grouped and contains the
   information necessary to authenticate a user using the PPP
   Challenge-Handshake Authentication Protocol (CHAP) [RFC1994].  If the
   CHAP-Auth AVP is found in a message, the CHAP-Challenge AVP
   (Section 4.3.8) MUST be present as well.  The optional AVPs
   containing the CHAP response depend upon the value of the
   CHAP-Algorithm AVP (Section 4.3.5).  The grouped AVP has the
   following ABNF grammar:

      CHAP-Auth  ::= < AVP Header: 402 >
                     { CHAP-Algorithm }
                     { CHAP-Ident }
                     [ CHAP-Response ]
                   * [ AVP ]

4.3.5.  CHAP-Algorithm AVP

   The CHAP-Algorithm AVP (AVP Code 403) is of type Enumerated and
   contains the algorithm identifier used in the computation of the CHAP
   response [RFC1994].
   The following values are currently supported:

   CHAP with MD5     5
      The CHAP response is computed by using the procedure described in
      [RFC1994].  This algorithm requires that the CHAP-Response AVP
      (Section 4.3.7) MUST be present in the CHAP-Auth AVP
      (Section 4.3.4).

4.3.6.  CHAP-Ident AVP

   The CHAP-Ident AVP (AVP Code 404) is of type OctetString and contains
   the 1 octet CHAP Identifier used in the computation of the CHAP
   response [RFC1994].

4.3.7.  CHAP-Response AVP

   The CHAP-Response AVP (AVP Code 405) is of type OctetString and
   contains the 16 octet authentication data provided by the user in
   response to the CHAP challenge [RFC1994].

4.3.8.  CHAP-Challenge AVP

   The CHAP-Challenge AVP (AVP Code 60) is of type OctetString and
   contains the CHAP Challenge sent by the NAS to the CHAP peer
   [RFC1994].

4.3.9.  ARAP-Password AVP

   The ARAP-Password AVP (AVP Code 70) is of type OctetString and is
   only present when the Framed-Protocol AVP (Section 4.4.10.1) is
   included in the message and is set to ARAP.  This AVP MUST NOT be
   present if either the User-Password or the CHAP-Auth AVP is present.
   See [RFC2869] for more information on the contents of this AVP.

4.3.10.  ARAP-Challenge-Response AVP

   The ARAP-Challenge-Response AVP (AVP Code 84) is of type OctetString
   and is only present when the Framed-Protocol AVP (Section 4.4.10.1)
   is included in the message and is set to ARAP.  This AVP contains an
   8 octet response to the dial-in client's challenge.  The RADIUS
   server calculates this value by taking the dial-in client's challenge
   from the high-order 8 octets of the ARAP-Password AVP and performing
   DES encryption on this value with the authenticating user's password
   as the key.  If the user's password is fewer than 8 octets in length,
   the password is padded at the end with NULL octets to a length of
   8 before it is used as a key.

4.3.11.  ARAP-Security AVP

   The ARAP-Security AVP (AVP Code 73) is of type Unsigned32 and MAY be
   present in the AA-Answer message if the Framed-Protocol AVP
   (Section 4.4.10.1) is set to the value of ARAP, and the Result-Code
   AVP ([I-D.ietf-dime-rfc3588bis], Section 7.1) is set to
   DIAMETER_MULTI_ROUND_AUTH.  See [RFC2869] for more information on the
   contents of this AVP.

4.3.12.  ARAP-Security-Data AVP

   The ARAP-Security-Data AVP (AVP Code 74) is of type OctetString and
   MAY be present in the AA-Request or AA-Answer message if the
   Framed-Protocol AVP (Section 4.4.10.1) is set to the value of ARAP
   and the Result-Code AVP ([I-D.ietf-dime-rfc3588bis], Section 7.1) is
   set to DIAMETER_MULTI_ROUND_AUTH.  This AVP contains the security
   module challenge or response associated with the ARAP Security Module
   specified in the ARAP-Security AVP (Section 4.3.11).

4.4.  NAS Authorization AVPs

   This section contains the authorization AVPs supported in the NAS
   Application.  The Service-Type AVP SHOULD be present in all messages
   and, based on its value, additional AVPs defined in this section and
   Section 4.5 MAY be present.

   The following table gives the possible flag values for the session
   level AVPs and specifies whether the AVP MAY be encrypted.
                                             +---------------------+
                                             |    AVP Flag rules   |
                                             |----+-----+----+-----|----+
                                             |    |     |SHLD| MUST|    |
   Attribute Name            Section Defined |MUST| MAY | NOT|  NOT|Encr|
   ------------------------------------------|----+-----+----+-----|----|
   Service-Type              4.4.1           | M  |  P  |    |  V  | Y  |
   Callback-Number           4.4.2           | M  |  P  |    |  V  | Y  |
   Callback-Id               4.4.3           | M  |  P  |    |  V  | Y  |
   Idle-Timeout              4.4.4           | M  |  P  |    |  V  | Y  |
   Port-Limit                4.4.5           | M  |  P  |    |  V  | Y  |
   NAS-Filter-Rule           4.4.6           | M  |  P  |    |  V  | Y  |
   Filter-Id                 4.4.7           | M  |  P  |    |  V  | Y  |
   Configuration-Token       4.4.8           | M  |     |    | P,V |    |
   QoS-Filter-Rule           4.4.9           |    |     |    |     |    |
   Framed-Protocol           4.4.10.1        | M  |  P  |    |  V  | Y  |
   Framed-Routing            4.4.10.2        | M  |  P  |    |  V  | Y  |
   Framed-MTU                4.4.10.3        | M  |  P  |    |  V  | Y  |
   Framed-Compression        4.4.10.4        | M  |  P  |    |  V  | Y  |
   Framed-IP-Address         4.4.10.5.1      | M  |  P  |    |  V  | Y  |
   Framed-IP-Netmask         4.4.10.5.2      | M  |  P  |    |  V  | Y  |
   Framed-Route              4.4.10.5.3      | M  |  P  |    |  V  | Y  |
   Framed-Pool               4.4.10.5.4      | M  |  P  |    |  V  | Y  |
   Framed-Interface-Id       4.4.10.5.5      | M  |  P  |    |  V  | Y  |
   Framed-IPv6-Prefix        4.4.10.5.6      | M  |  P  |    |  V  | Y  |
   Framed-IPv6-Route         4.4.10.5.7      | M  |  P  |    |  V  | Y  |
   Framed-IPv6-Pool          4.4.10.5.8      | M  |  P  |    |  V  | Y  |
   Framed-IPX-Network        4.4.10.6.1      | M  |  P  |    |  V  | Y  |
   Framed-Appletalk-Link     4.4.10.7.1      | M  |  P  |    |  V  | Y  |
   Framed-Appletalk-Network  4.4.10.7.2      | M  |  P  |    |  V  | Y  |
   Framed-Appletalk-Zone     4.4.10.7.3      | M  |  P  |    |  V  | Y  |
   ARAP-Features             4.4.10.8.1      | M  |  P  |    |  V  | Y  |
   ARAP-Zone-Access          4.4.10.8.2      | M  |  P  |    |  V  | Y  |
   Login-IP-Host             4.4.11.1        | M  |  P  |    |  V  | Y  |
   Login-IPv6-Host           4.4.11.2        | M  |  P  |    |  V  | Y  |
   Login-Service             4.4.11.3        | M  |  P  |    |  V  | Y  |
   Login-TCP-Port            4.4.11.4.1      | M  |  P  |    |  V  | Y  |
   Login-LAT-Service         4.4.11.5.1      | M  |  P  |    |  V  | Y  |
   Login-LAT-Node            4.4.11.5.2      | M  |  P  |    |  V  | Y  |
   Login-LAT-Group           4.4.11.5.3      | M  |  P  |    |  V  | Y  |
   Login-LAT-Port            4.4.11.5.4      | M  |  P  |    |  V  | Y  |
   ------------------------------------------|----+-----+----+-----|----|

4.4.1.  Service-Type AVP

   The Service-Type AVP (AVP Code 6) is of type Enumerated and contains
   the type of service the user has requested or the type of service to
   be provided.  One such AVP MAY be present in an authentication and/or
   authorization request or response.  A NAS is not required to
   implement all of these service types.  It MUST treat unknown or
   unsupported Service-Types received in a response as a failure and end
   the session with a DIAMETER_INVALID_AVP_VALUE Result-Code.

   When used in a request, the Service-Type AVP SHOULD be considered a
   hint to the server that the NAS believes the user would prefer the
   kind of service indicated.  The server is not required to honor the
   hint.  Furthermore, if the service specified by the server is
   supported, but not compatible with the current mode of access, the
   NAS MUST fail to start the session.  The NAS MUST also generate the
   appropriate error message(s).

   The complete list of defined values that the Service-Type AVP can
   take can be found in [RFC2865] and [RADIUSTypes], but the following
   values require further qualification here:

   Login (1)
         The user should be connected to a host.  The message MAY
         include additional AVPs as defined in Section 4.4.11.4 or
         Section 4.4.11.5.

   Framed (2)
         A Framed Protocol, such as PPP or SLIP, should be started for
         the User.  The message MAY include additional AVPs defined in
         Section 4.4.10, or Section 4.5 for tunneling services.

   Callback Login (3)
         The user should be disconnected and called back, then connected
         to a host.  The message MAY include additional AVPs defined in
         this Section.

   Callback Framed (4)
         The user should be disconnected and called back, and then a
         Framed Protocol, such as PPP or SLIP, should be started for the
         User.
         The message MAY include additional AVPs defined in
         Section 4.4.10, or Section 4.5 for tunneling services.

4.4.2.  Callback-Number AVP

   The Callback-Number AVP (AVP Code 19) is of type UTF8String and
   contains a dialing string to be used for callback.  It MAY be used in
   an authentication and/or authorization request as a hint to the
   server that a Callback service is desired, but the server is not
   required to honor the hint in the corresponding response.

   The codification of this field's allowed usage range is outside the
   scope of this specification.

4.4.3.  Callback-Id AVP

   The Callback-Id AVP (AVP Code 20) is of type UTF8String and contains
   the name of a place to be called, to be interpreted by the NAS.  This
   AVP MAY be present in an authentication and/or authorization
   response.

   This AVP is not roaming-friendly as it assumes that the Callback-Id
   is configured on the NAS.  Using the Callback-Number AVP
   (Section 4.4.2) is therefore preferable.

4.4.4.  Idle-Timeout AVP

   The Idle-Timeout AVP (AVP Code 28) is of type Unsigned32 and sets the
   maximum number of consecutive seconds of idle connection allowable to
   the user before termination of the session or before a prompt is
   issued.  The default is none, or system specific.

4.4.5.  Port-Limit AVP

   The Port-Limit AVP (AVP Code 62) is of type Unsigned32 and sets the
   maximum number of ports the NAS provides to the user.  It MAY be used
   in an authentication and/or authorization request as a hint to the
   server that multilink PPP [RFC1990] service is desired, but the
   server is not required to honor the hint in the corresponding
   response.

4.4.6.  NAS-Filter-Rule AVP

   The NAS-Filter-Rule AVP (AVP Code 400) is of type IPFilterRule and
   provides filter rules that need to be configured on the NAS for the
   user.  One or more of these AVPs MAY be present in an authorization
   response.
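   NAS-Filter-Rule carries IPFilterRule text, and the QoS-Filter-Rule
   AVP of Section 4.4.9 carries the QoSFilterRule text of Section 4.1.1,
   whose dir, proto, src and dst fields reuse the IPFilterRule syntax.
   The following is an added example, not code from this draft or from
   any NAS or server implementation: it parses QoSFilterRule lines,
   including the "DSCP" and "metering" options Section 4.4.9 attaches to
   the tag and meter actions, and applies the evaluation rules of
   Section 4.1.1 (rules of the packet's direction tried in order, first
   match decides, no match means best effort).  A rule the device cannot
   interpret is reported and skipped rather than ending the session, as
   Section 4.1.1 asks.  The protocol keywords, the rule set, the user's
   address and the packets are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union

# Added example, not code from the draft or any implementation: a parser for
# QoSFilterRule text (Section 4.1.1, options from Section 4.4.9) and the
# first-match evaluation that section describes.  The dir/proto/src/dst
# syntax is the base protocol's IPFilterRule; every address, port and rate
# below is constructed for the example.

PROTO_KEYWORDS = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1}   # "ip" = any protocol

@dataclass
class Endpoint:
    network: Optional[Union[ipaddress.IPv4Network, ipaddress.IPv6Network]]  # None: any/assigned
    assigned: bool                                   # IPFilterRule keyword: the user's own address
    ports: List[Tuple[int, int]] = field(default_factory=list)   # inclusive ranges; [] = any

@dataclass
class QoSRule:
    action: str                        # "tag" or "meter"
    direction: str                     # "in" or "out"
    proto: Optional[int]               # None = any protocol
    src: Endpoint
    dst: Endpoint
    dscp: Optional[str] = None         # tag: DSCP keyword, matched exactly
    rate: Optional[int] = None         # meter: bits per second
    color_under: Optional[str] = None  # meter: codepoint at or below the rate
    color_over: Optional[str] = None   # meter: codepoint above the rate, or "drop"

def parse_ports(spec: str) -> List[Tuple[int, int]]:
    """'22' or '5060,10000-20000' -> inclusive (low, high) ranges."""
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo_n, hi_n = int(lo), int(hi or lo)
        if not 0 <= lo_n <= hi_n <= 65535:
            raise ValueError("bad port range: " + part)
        ranges.append((lo_n, hi_n))
    return ranges

def parse_endpoint(tokens: List[str], i: int) -> Tuple[Endpoint, int]:
    """Parse '<address/mask> [ports]' at tokens[i]; return the Endpoint and next index."""
    word, i = tokens[i], i + 1
    if word in ("any", "assigned"):
        ep = Endpoint(None, word == "assigned")
    else:
        ep = Endpoint(ipaddress.ip_network(word, strict=False), False)
    if i < len(tokens) and tokens[i][0].isdigit():   # a port list follows the address
        ep.ports, i = parse_ports(tokens[i]), i + 1
    return ep, i

def parse_rule(text: str) -> QoSRule:
    """action dir proto from src to dst [options]; ValueError on anything malformed."""
    t = text.split()
    if len(t) < 7 or t[0] not in ("tag", "meter") or t[1] not in ("in", "out") or t[3] != "from":
        raise ValueError("malformed rule: " + text)
    proto = PROTO_KEYWORDS[t[2]] if t[2] in PROTO_KEYWORDS else int(t[2])
    src, i = parse_endpoint(t, 4)
    if i >= len(t) or t[i] != "to":
        raise ValueError("expected 'to': " + text)
    dst, i = parse_endpoint(t, i + 1)
    rule, opts = QoSRule(t[0], t[1], proto, src, dst), t[i:]
    if rule.action == "tag":          # Section 4.4.9: tag requires "DSCP <color>"
        if len(opts) != 2 or opts[0] != "DSCP":
            raise ValueError("tag needs 'DSCP <color>': " + text)
        rule.dscp = opts[1]
    else:                             # meter requires "metering <rate> <color_under> <color_over>"
        if len(opts) != 4 or opts[0] != "metering":
            raise ValueError("meter needs 'metering <rate> <color_under> <color_over>': " + text)
        rule.rate, rule.color_under, rule.color_over = int(opts[1]), opts[2], opts[3]
    return rule

def load_rules(lines: List[str]) -> Tuple[List[QoSRule], List[Tuple[str, str]]]:
    """Keep the rules that parse and report the rest: a bad rule is not fatal to the session."""
    rules, rejected = [], []
    for line in lines:
        try:
            rules.append(parse_rule(line))
        except ValueError as exc:
            rejected.append((line, str(exc)))
    return rules, rejected

def endpoint_matches(ep: Endpoint, address: str, port: int, assigned: str) -> bool:
    addr = ipaddress.ip_address(address)
    if ep.assigned and addr != ipaddress.ip_address(assigned):
        return False
    if ep.network is not None and addr not in ep.network:
        return False
    return not ep.ports or any(lo <= port <= hi for lo, hi in ep.ports)

def classify(pkt: Dict, rules: List[QoSRule], assigned: str) -> str:
    """First matching rule for the packet's direction decides; no match = best effort."""
    for r in rules:
        if r.direction != pkt["dir"] or (r.proto is not None and r.proto != pkt["proto"]):
            continue
        if not (endpoint_matches(r.src, pkt["src"], pkt["sport"], assigned)
                and endpoint_matches(r.dst, pkt["dst"], pkt["dport"], assigned)):
            continue
        if r.action == "tag":
            return r.dscp
        return r.color_under if pkt["rate_bps"] <= r.rate else r.color_over
    return "best-effort"

# Constructed rule set for a user holding 192.0.2.10; the last line is deliberately malformed.
RULE_TEXT = [
    "tag in tcp from any to assigned 22 DSCP AF31",
    "meter out udp from assigned to 198.51.100.0/24 5060,10000-20000 metering 2000000 AF41 AF43",
    "meter out ip from assigned to any metering 8000000 AF11 drop",
    "tag in ip from any to any",
]
USER_ADDRESS = "192.0.2.10"

if __name__ == "__main__":
    rules, rejected = load_rules(RULE_TEXT)
    print(len(rules), "rules loaded,", len(rejected), "rejected")
```

   Each packet is described by its direction, protocol number, addresses,
   ports and the measured rate of the flow it belongs to; the metering
   rule compares that rate against the rule's rate to pick color_under
   or color_over, and a color_over of "drop" is returned as-is so the
   caller can discard the packet.  An inbound UDP packet matches none of
   the three valid rules and therefore falls through to best effort.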
4.4.7.  Filter-Id AVP

   The Filter-Id AVP (AVP Code 11) is of type UTF8String and contains
   the name of the filter list for this user.  Zero or more Filter-Id
   AVPs MAY be sent in an authorization answer.

   Identifying a filter list by name allows the filter to be used on
   different NASes without regard to filter-list implementation details.
   However, this AVP is not roaming-friendly, as filter naming differs
   from one service provider to another.

   In environments where backward compatibility with RADIUS is not
   required, it is RECOMMENDED that the NAS-Filter-Rule AVP
   (Section 4.4.6) be used instead.

4.4.8.  Configuration-Token AVP

   The Configuration-Token AVP (AVP Code 78) is of type OctetString and
   is sent by a Diameter Server to a Diameter Proxy Agent or Translation
   Agent in an AA-Answer command to indicate a type of user profile to
   be used.  It should not be sent to a Diameter Client (NAS).

   The format of the Data field of this AVP is site specific.

4.4.9.  QoS-Filter-Rule AVP

   The QoS-Filter-Rule AVP (AVP Code 407) is of type QoSFilterRule
   (Section 4.1.1) and provides QoS filter rules that need to be
   configured on the NAS for the user.  One or more such AVPs MAY be
   present in an authorization response.

   DSCP <color>
                  If action is set to tag (Section 4.1.1) this option
                  MUST be included in the rule.

                  Color values are defined in [RFC2474].  Exact
                  matching of DSCP values is required (no masks or
                  ranges).

   metering <rate> <color_under> <color_over>
                  The metering option provides Assured Forwarding, as
                  defined in [RFC2597], and MUST be present if the
                  action is set to meter (Section 4.1.1).  The rate
                  option is the throughput, in bits per second, used by
                  the access device to mark packets.  Traffic over the
                  rate is marked with the color_over codepoint, and
                  traffic under the rate is marked with the color_under
                  codepoint.
                  The color_under and color_over options contain the
                  drop preferences and MUST conform to the recommended
                  codepoint keywords described in [RFC2597] (e.g.,
                  AF13).

                  The metering option also supports the strict limit on
                  traffic required by Expedited Forwarding, as defined
                  in [RFC3246].  The color_over option may contain the
                  keyword "drop" to prevent forwarding of traffic that
                  exceeds the rate parameter.

4.4.10.  Framed Access Authorization AVPs

   This section lists the authorization AVPs necessary to support framed
   access, such as PPP and SLIP.  AVPs defined in this section MAY be
   present in a message if the Service-Type AVP was set to "Framed" or
   "Callback Framed".

4.4.10.1.  Framed-Protocol AVP

   The Framed-Protocol AVP (AVP Code 7) is of type Enumerated and
   contains the framing to be used for framed access.  This AVP MAY be
   present in both requests and responses.  The supported values are
   listed in [RADIUSTypes].

4.4.10.2.  Framed-Routing AVP

   The Framed-Routing AVP (AVP Code 10) is of type Enumerated and
   contains the routing method for the user when the user is a router to
   a network.  This AVP SHOULD only be present in authorization
   responses.  The supported values are listed in [RADIUSTypes].

4.4.10.3.  Framed-MTU AVP

   The Framed-MTU AVP (AVP Code 12) is of type Unsigned32 and contains
   the Maximum Transmission Unit (MTU) to be configured for the user,
   when it is not negotiated by some other means (such as PPP).  This
   AVP SHOULD only be present in authorization responses.  The MTU value
   MUST be in the range from 64 to 65535.

4.4.10.4.  Framed-Compression AVP

   The Framed-Compression AVP (AVP Code 13) is of type Enumerated and
   contains the compression protocol to be used for the link.
It MAY be 1541 used in an authorization request as a hint to the server that a 1542 specific compression type is desired, but the server is not required 1543 to honor the hint in the corresponding response. 1545 More than one compression protocol AVP MAY be sent. The NAS is 1546 responsible for applying the proper compression protocol to the 1547 appropriate link traffic. 1549 The supported values are listed in [RADIUSTypes]. 1551 4.4.10.5. IP Access Authorization AVPs 1553 The AVPs defined in this section are used when the user requests, or 1554 is being granted, access service to IP. 1556 4.4.10.5.1. Framed-IP-Address AVP 1558 The Framed-IP-Address AVP (AVP Code 8) [RFC2865] is of type 1559 OctetString and contains an IPv4 address of the type specified in the 1560 attribute value to be configured for the user. It MAY be used in an 1561 authorization request as a hint to the server that a specific address 1562 is desired, but the server is not required to honor the hint in the 1563 corresponding response. 1565 Two values have special significance: 0xFFFFFFFF and 0xFFFFFFFE. The 1566 value 0xFFFFFFFF indicates that the NAS should allow the user to 1567 select an address (i.e., negotiated). The value 0xFFFFFFFE indicates 1568 that the NAS should select an address for the user (e.g., assigned 1569 from a pool of addresses kept by the NAS). 1571 4.4.10.5.2. Framed-IP-Netmask AVP 1573 The Framed-IP-Netmask AVP (AVP Code 9) is of type OctetString and 1574 contains the four octets of the IPv4 netmask to be configured for the 1575 user when the user is a router to a network. It MAY be used in an 1576 authorization request as a hint to the server that a specific netmask 1577 is desired, but the server is not required to honor the hint in the 1578 corresponding response. This AVP MUST be present in a response if 1579 the request included this AVP with a value of 0xFFFFFFFF. 1581 4.4.10.5.3. 

4.4.10.5.3. Framed-Route AVP

The Framed-Route AVP (AVP Code 22) is of type UTF8String and contains the ASCII routing information to be configured for the user on the NAS. Zero or more of these AVPs MAY be present in an authorization response.

The string MUST contain a destination prefix in dotted quad form optionally followed by a slash and a decimal length specifier stating how many high-order bits of the prefix should be used. This is followed by a space, a gateway address in dotted quad form, a space, and one or more metrics separated by spaces; for example,

   "192.0.2.0/24 192.0.2.1 1"

The length specifier may be omitted, in which case it should default to 8 bits for class A prefixes, to 16 bits for class B prefixes, and to 24 bits for class C prefixes; for example,

   "192.0.2.0 192.0.2.1 1"

Whenever the gateway address is specified as "0.0.0.0" the IP address of the user SHOULD be used as the gateway address.

4.4.10.5.4. Framed-Pool AVP

The Framed-Pool AVP (AVP Code 88) is of type OctetString and contains the name of an assigned address pool that SHOULD be used to assign an address for the user. If a NAS does not support multiple address pools, the NAS SHOULD ignore this AVP. Address pools are usually used for IP addresses but can be used for other protocols if the NAS supports pools for those protocols.

Although specified as type OctetString for compatibility with RADIUS [RFC2865], the encoding of the Data field SHOULD also conform to the rules for the UTF8String Data Format.

4.4.10.5.5. Framed-Interface-Id AVP

The Framed-Interface-Id AVP (AVP Code 96) is of type Unsigned64 and contains the IPv6 interface identifier to be configured for the user.
It MAY be used in authorization requests as a hint to the server that a specific interface id is desired, but the server is not required to honor the hint in the corresponding response.

4.4.10.5.6. Framed-IPv6-Prefix AVP

The Framed-IPv6-Prefix AVP (AVP Code 97) is of type OctetString and contains the IPv6 prefix to be configured for the user. One or more AVPs MAY be used in authorization requests as a hint to the server that specific IPv6 prefixes are desired, but the server is not required to honor the hint in the corresponding response.

4.4.10.5.7. Framed-IPv6-Route AVP

The Framed-IPv6-Route AVP (AVP Code 99) is of type UTF8String and contains the ASCII routing information to be configured for the user on the NAS. Zero or more of these AVPs MAY be present in an authorization response.

The string MUST contain an IPv6 address prefix followed by a slash and a decimal length specifier stating how many high order bits of the prefix should be used. This is followed by a space, a gateway address in hexadecimal notation, a space, and one or more metrics separated by spaces; for example,

   "2000:0:0:106::/64 2000::106:a00:20ff:fe99:a998 1"

Whenever the gateway address is the IPv6 unspecified address, the IP address of the user SHOULD be used as the gateway address, such as in:

   "2000:0:0:106::/64 :: 1"

4.4.10.5.8. Framed-IPv6-Pool AVP

The Framed-IPv6-Pool AVP (AVP Code 100) is of type OctetString and contains the name of an assigned pool that SHOULD be used to assign an IPv6 prefix for the user. If the access device does not support multiple prefix pools, it MUST ignore this AVP.

Although specified as type OctetString for compatibility with RADIUS [RFC3162], the encoding of the Data field SHOULD also conform to the rules for the UTF8String Data Format.
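As an added example (not code from the draft), a strict parser for the Framed-Route (Section 4.4.10.5.3) and Framed-IPv6-Route (Section 4.4.10.5.7) strings described above. The user_address argument is an assumption: the address the NAS assigned to the user, which the 0.0.0.0 and :: gateway rules need.

```python
"""Parser for Framed-Route and Framed-IPv6-Route AVP strings.

Added example, not code from the draft. It applies the rules of Sections
4.4.10.5.3 and 4.4.10.5.7: optional classful length default for IPv4,
mandatory length for IPv6, and substitution of the user's own address when
the gateway is 0.0.0.0 or ::. Parsing is strict because a malformed or
ambiguous string from the AAA server would otherwise end up as a route
installed on the NAS.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class Route:
    prefix: IPNetwork
    gateway: IPAddress
    metrics: List[int]


def _classful_length(first_octet: int) -> int:
    """Default prefix length when Framed-Route omits "/len" (class A/B/C)."""
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError("no classful default for a class D/E prefix")


def _split(value: str, name: str):
    """Split "<prefix> <gateway> <metric>..." and validate the metrics."""
    fields = value.split()
    if len(fields) < 3:
        raise ValueError(f"{name} needs prefix, gateway and at least one metric")
    prefix, gateway, metrics = fields[0], fields[1], fields[2:]
    if not all(m.isdigit() for m in metrics):
        raise ValueError(f"{name} metrics must be decimal integers")
    return prefix, gateway, [int(m) for m in metrics]


def _resolve_gateway(text: str, user_address: str, version: int) -> IPAddress:
    gateway = ipaddress.ip_address(text)
    if gateway.is_unspecified:
        # "0.0.0.0" (IPv4) or "::" (IPv6): the user's own address is the gateway.
        gateway = ipaddress.ip_address(user_address)
    if gateway.version != version:
        raise ValueError(f"gateway {gateway} is not an IPv{version} address")
    return gateway


def parse_framed_route(value: str, user_address: str) -> Route:
    """Framed-Route: "<dotted-quad>[/len] <gateway> <metric> [<metric>...]"."""
    prefix_text, gateway_text, metrics = _split(value, "Framed-Route")
    if "/" not in prefix_text:
        first_octet = ipaddress.IPv4Address(prefix_text).packed[0]
        prefix_text = f"{prefix_text}/{_classful_length(first_octet)}"
    # strict=True rejects a prefix with host bits set rather than guessing.
    prefix = ipaddress.IPv4Network(prefix_text, strict=True)
    return Route(prefix, _resolve_gateway(gateway_text, user_address, 4), metrics)


def parse_framed_ipv6_route(value: str, user_address: str) -> Route:
    """Framed-IPv6-Route: "<prefix>/<len> <gateway> <metric> [<metric>...]"."""
    prefix_text, gateway_text, metrics = _split(value, "Framed-IPv6-Route")
    if "/" not in prefix_text:
        raise ValueError("Framed-IPv6-Route prefix length is mandatory")
    prefix = ipaddress.IPv6Network(prefix_text, strict=True)
    return Route(prefix, _resolve_gateway(gateway_text, user_address, 6), metrics)


if __name__ == "__main__":
    # Constructed inputs; the prefixes are the draft's own example strings.
    print(parse_framed_route("192.0.2.0 192.0.2.1 1", "192.0.2.99"))
    print(parse_framed_ipv6_route("2000:0:0:106::/64 :: 1", "2001:db8::1"))
```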

4.4.10.6. IPX Access AVPs

The AVPs defined in this section are used when the user requests, or is being granted, access to an IPX network service [IPX].

4.4.10.6.1. Framed-IPX-Network AVP

The Framed-IPX-Network AVP (AVP Code 23) is of type Unsigned32 and contains the IPX Network number to be configured for the user. It MAY be used in an authorization request as a hint to the server that a specific address is desired, but the server is not required to honor the hint in the corresponding response.

Two addresses have special significance: 0xFFFFFFFF and 0xFFFFFFFE. The value 0xFFFFFFFF indicates that the NAS should allow the user to select an address (i.e., Negotiated). The value 0xFFFFFFFE indicates that the NAS should select an address for the user (e.g., assign it from a pool of one or more IPX networks kept by the NAS).

4.4.10.7. AppleTalk Network Access AVPs

The AVPs defined in this section are used when the user requests, or is being granted, access to an AppleTalk network [AppleTalk].

4.4.10.7.1. Framed-AppleTalk-Link AVP

The Framed-AppleTalk-Link AVP (AVP Code 37) is of type Unsigned32 and contains the AppleTalk network number that should be used for the serial link to the user, which is another AppleTalk router. This AVP MUST only be present in an authorization response and is never used when the user is not another router.

Despite the size of the field, values range from 0 to 65,535. The special value of 0 indicates an unnumbered serial link. A value of 1 to 65,535 means that the serial line between the NAS and the user should be assigned that value as an AppleTalk network number.

4.4.10.7.2. Framed-AppleTalk-Network AVP

The Framed-AppleTalk-Network AVP (AVP Code 38) is of type Unsigned32 and contains the AppleTalk Network number that the NAS should probe to allocate an AppleTalk node for the user.
This AVP MUST only be present in an authorization response and is never used when the user is not another router. Multiple instances of this AVP indicate that the NAS may probe, using any of the network numbers specified.

Despite the size of the field, values range from 0 to 65,535. The special value 0 indicates that the NAS should assign a network for the user, using its default cable range. A value between 1 and 65,535 (inclusive) indicates the AppleTalk Network that the NAS should probe to find an address for the user.

4.4.10.7.3. Framed-AppleTalk-Zone AVP

The Framed-AppleTalk-Zone AVP (AVP Code 39) is of type OctetString and contains the AppleTalk Default Zone to be used for this user. This AVP MUST only be present in an authorization response. Multiple instances of this AVP in the same message are not allowed.

The codification of this field's allowed range is outside the scope of this specification.

4.4.10.8. AppleTalk Remote Access AVPs

The AVPs defined in this section are used when the user requests, or is being granted, access to the AppleTalk network via the AppleTalk Remote Access Protocol [ARAP]. They are only present if the Framed-Protocol AVP (Section 4.4.10.1) is set to ARAP. Section 2.2 of RFC 2869 [RFC2869] describes the operational use of these attributes.

4.4.10.8.1. ARAP-Features AVP

The ARAP-Features AVP (AVP Code 71) is of type OctetString and MAY be present in the AA-Accept message if the Framed-Protocol AVP is set to the value of ARAP. See [RFC2869] for more information about the format of this AVP.

4.4.10.8.2. ARAP-Zone-Access AVP

The ARAP-Zone-Access AVP (AVP Code 72) is of type Enumerated and MAY be present in the AA-Accept message if the Framed-Protocol AVP is set to the value of ARAP.

The supported values are listed in [RADIUSTypes] and defined in [RFC2869].

4.4.11. Non-Framed Access Authorization AVPs

This section contains the authorization AVPs that are needed to support terminal server functionality. AVPs defined in this section MAY be present in a message if the Service-Type AVP was set to "Login" or "Callback Login".

4.4.11.1. Login-IP-Host AVP

The Login-IP-Host AVP (AVP Code 14) [RFC2865] is of type OctetString and contains the IPv4 address of a host with which to connect the user when the Login-Service AVP is included. It MAY be used in an AA-Request command as a hint to the Diameter Server that a specific host is desired, but the Diameter Server is not required to honor the hint in the AA-Answer.

Two addresses have special significance: all ones and 0. The value of all ones indicates that the NAS SHOULD allow the user to select an address. The value 0 indicates that the NAS SHOULD select a host to connect the user to.

4.4.11.2. Login-IPv6-Host AVP

The Login-IPv6-Host AVP (AVP Code 98) [RFC3162] is of type OctetString and contains the IPv6 address of a host with which to connect the user when the Login-Service AVP is included. It MAY be used in an AA-Request command as a hint to the Diameter Server that a specific host is desired, but the Diameter Server is not required to honor the hint in the AA-Answer.

Two addresses have special significance: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF and 0. The value 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF indicates that the NAS SHOULD allow the user to select an address. The value 0 indicates that the NAS SHOULD select a host to connect the user to.

4.4.11.3. Login-Service AVP

The Login-Service AVP (AVP Code 15) is of type Enumerated and contains the service that should be used to connect the user to the login host. This AVP SHOULD only be present in authorization responses. The supported values are listed in [RFC2869].

4.4.11.4. TCP Services

The AVP described in the following section MAY be present if the Login-Service AVP is set to Telnet, Rlogin, TCP Clear, or TCP Clear Quiet.

4.4.11.4.1. Login-TCP-Port AVP

The Login-TCP-Port AVP (AVP Code 16) is of type Unsigned32 and contains the TCP port with which the user is to be connected when the Login-Service AVP is also present. This AVP SHOULD only be present in authorization responses. The value MUST NOT be greater than 65,535.

4.4.11.5. LAT Services

The AVPs described in this section MAY be present if the Login-Service AVP is set to LAT [LAT].

4.4.11.5.1. Login-LAT-Service AVP

The Login-LAT-Service AVP (AVP Code 34) is of type OctetString and contains the system with which the user is to be connected by LAT. It MAY be used in an authorization request as a hint to the server that a specific service is desired, but the server is not required to honor the hint in the corresponding response. This AVP MUST only be present in the response if the Login-Service AVP states that LAT is desired.

Administrators use this service attribute when dealing with clustered systems, such as a VAX or Alpha cluster. In these environments, several different time-sharing hosts share the same resources (disks, printers, etc.), and administrators often configure each host to offer access (service) to each of the shared resources. In this case, each host in the cluster advertises its services through LAT broadcasts.

Sophisticated users often know which service providers (machines) are faster and tend to use a node name when initiating a LAT connection. Some administrators want particular users to use certain machines as a primitive form of load balancing (although LAT knows how to do load balancing itself).

The String field contains the identity of the LAT service to use.
The LAT Architecture allows this string to contain $ (dollar), - (hyphen), . (period), _ (underscore), numerics, upper- and lowercase alphabetics, and the ISO Latin-1 character set extension [ISO.8859-1.1987]. All LAT string comparisons are case insensitive.

4.4.11.5.2. Login-LAT-Node AVP

The Login-LAT-Node AVP (AVP Code 35) is of type OctetString and contains the Node with which the user is to be automatically connected by LAT. It MAY be used in an authorization request as a hint to the server that a specific LAT node is desired, but the server is not required to honor the hint in the corresponding response. This AVP MUST only be present in a response if the Login-Service-Type AVP is set to LAT.

The String field contains the identity of the LAT service to use. The LAT Architecture allows this string to contain $ (dollar), - (hyphen), . (period), _ (underscore), numerics, upper- and lowercase alphabetics, and the ISO Latin-1 character set extension [ISO.8859-1.1987]. All LAT string comparisons are case insensitive.

4.4.11.5.3. Login-LAT-Group AVP

The Login-LAT-Group AVP (AVP Code 36) is of type OctetString and contains a string identifying the LAT group codes this user is authorized to use. It MAY be used in an authorization request as a hint to the server that a specific group is desired, but the server is not required to honor the hint in the corresponding response. This AVP MUST only be present in a response if the Login-Service-Type AVP is set to LAT.

LAT supports 256 different group codes, which LAT uses as a form of access rights. LAT encodes the group codes as a 256-bit bitmap.

Administrators can assign one or more of the group code bits at the LAT service provider; it will only accept LAT connections that have these group codes set in the bitmap.
The administrators assign a bitmap of authorized group codes to each user. LAT gets these from the operating system and uses them in its requests to the service providers.

The codification of the range of allowed usage of this field is outside the scope of this specification.

4.4.11.5.4. Login-LAT-Port AVP

The Login-LAT-Port AVP (AVP Code 63) is of type OctetString and contains the Port with which the user is to be connected by LAT. It MAY be used in an authorization request as a hint to the server that a specific port is desired, but the server is not required to honor the hint in the corresponding response. This AVP MUST only be present in a response if the Login-Service-Type AVP is set to LAT.

The String field contains the identity of the LAT service to use. The LAT Architecture allows this string to contain $ (dollar), - (hyphen), . (period), _ (underscore), numerics, upper- and lowercase alphabetics, and the ISO Latin-1 character set extension [ISO.8859-1.1987].

All LAT string comparisons are case insensitive.

4.5. NAS Tunneling AVPs

Some NASes support compulsory tunnel services in which the incoming connection data is conveyed by an encapsulation method to a gateway elsewhere in the network. This is typically transparent to the service user, and the tunnel characteristics may be described by the remote AAA server, based on the user's authorization information. Several tunnel characteristics may be returned, and the NAS implementation may choose one. See [RFC2868] and [RFC2867] for further information.

The following table gives the possible flag values for the session level AVPs and specifies whether the AVP MAY be encrypted.

                                          +---------------------+
                                          |    AVP Flag rules   |
                                          |----+-----+----+-----|----+
                                 Section  |    |     |SHLD| MUST|    |
Attribute Name                   Defined  |MUST| MAY | NOT| NOT |Encr|
------------------------------------------|----+-----+----+-----|----|
Tunneling                        4.5.1    | M  |  P  |    |  V  | N  |
Tunnel-Type                      4.5.2    | M  |  P  |    |  V  | Y  |
Tunnel-Medium-Type               4.5.3    | M  |  P  |    |  V  | Y  |
Tunnel-Client-Endpoint           4.5.4    | M  |  P  |    |  V  | Y  |
Tunnel-Server-Endpoint           4.5.5    | M  |  P  |    |  V  | Y  |
Tunnel-Password                  4.5.6    | M  |  P  |    |  V  | Y  |
Tunnel-Private-Group-Id          4.5.7    | M  |  P  |    |  V  | Y  |
Tunnel-Assignment-Id             4.5.8    | M  |  P  |    |  V  | Y  |
Tunnel-Preference                4.5.9    | M  |  P  |    |  V  | Y  |
Tunnel-Client-Auth-Id            4.5.10   | M  |  P  |    |  V  | Y  |
Tunnel-Server-Auth-Id            4.5.11   | M  |  P  |    |  V  | Y  |
------------------------------------------|----+-----+----+-----|----|

4.5.1. Tunneling AVP

The Tunneling AVP (AVP Code 401) is of type Grouped and contains the following AVPs, used to describe a compulsory tunnel service ([RFC2868], [RFC2867]). Its data field has the following ABNF grammar:

   Tunneling ::= < AVP Header: 401 >
                 { Tunnel-Type }
                 { Tunnel-Medium-Type }
                 { Tunnel-Client-Endpoint }
                 { Tunnel-Server-Endpoint }
                 [ Tunnel-Preference ]
                 [ Tunnel-Client-Auth-Id ]
                 [ Tunnel-Server-Auth-Id ]
                 [ Tunnel-Assignment-Id ]
                 [ Tunnel-Password ]
                 [ Tunnel-Private-Group-Id ]

4.5.2. Tunnel-Type AVP

The Tunnel-Type AVP (AVP Code 64) is of type Enumerated and contains the tunneling protocol(s) to be used (in the case of a tunnel initiator) or in use (in the case of a tunnel terminator). It MAY be used in an authorization request as a hint to the server that a specific tunnel type is desired, but the server is not required to honor the hint in the corresponding response.

The Tunnel-Type AVP SHOULD also be included in ACR messages.

A tunnel initiator is not required to implement any of these tunnel types. If a tunnel initiator receives a response that contains only unknown or unsupported Tunnel-Types, the tunnel initiator MUST behave as though a response were received with the Result-Code indicating a failure.

The supported values are listed in [RADIUSTypes].

4.5.3. Tunnel-Medium-Type AVP

The Tunnel-Medium-Type AVP (AVP Code 65) is of type Enumerated and contains the transport medium to use when creating a tunnel for protocols (such as L2TP [RFC2661]) that can operate over multiple transports. It MAY be used in an authorization request as a hint to the server that a specific medium is desired, but the server is not required to honor the hint in the corresponding response.

The supported values are listed in [RADIUSTypes].

4.5.4. Tunnel-Client-Endpoint AVP

The Tunnel-Client-Endpoint AVP (AVP Code 66) is of type UTF8String and contains the address of the initiator end of the tunnel. It MAY be used in an authorization request as a hint to the server that a specific endpoint is desired, but the server is not required to honor the hint in the corresponding response. This AVP SHOULD be included in the corresponding ACR messages, in which case it indicates the address from which the tunnel was initiated. This AVP, along with the Tunnel-Server-Endpoint (Section 4.5.5) and Session-Id AVPs ([I-D.ietf-dime-rfc3588bis], Section 8.8), can be used to provide a globally unique means to identify a tunnel for accounting and auditing purposes.

If the value of the Tunnel-Medium-Type AVP (Section 4.5.3) is IPv4 (1), then this string is either the fully qualified domain name (FQDN) of the tunnel client machine, or a "dotted-decimal" IP address. Implementations MUST support the dotted-decimal format and SHOULD support the FQDN format for IP addresses.

If Tunnel-Medium-Type is IPv6 (2), then this string is either the FQDN of the tunnel client machine, or a text representation of the address in either the preferred or alternate form [RFC3516]. Conforming implementations MUST support the preferred form and SHOULD support both the alternate text form and the FQDN format for IPv6 addresses.

If Tunnel-Medium-Type is neither IPv4 nor IPv6, then this string is a tag referring to configuration data local to the Diameter client that describes the interface or medium-specific client address to use.

4.5.5. Tunnel-Server-Endpoint AVP

The Tunnel-Server-Endpoint AVP (AVP Code 67) is of type UTF8String and contains the address of the server end of the tunnel. It MAY be used in an authorization request as a hint to the server that a specific endpoint is desired, but the server is not required to honor the hint in the corresponding response.

This AVP SHOULD be included in the corresponding ACR messages, in which case it indicates the address from which the tunnel was initiated. This AVP, along with the Tunnel-Client-Endpoint (Section 4.5.4) and Session-Id AVP ([I-D.ietf-dime-rfc3588bis], Section 8.8), can be used to provide a globally unique means to identify a tunnel for accounting and auditing purposes.

If Tunnel-Medium-Type is IPv4 (1), then this string is either the fully qualified domain name (FQDN) of the tunnel server machine, or a "dotted-decimal" IP address. Implementations MUST support the dotted-decimal format and SHOULD support the FQDN format for IP addresses.

If Tunnel-Medium-Type is IPv6 (2), then this string is either the FQDN of the tunnel server machine, or a text representation of the address in either the preferred or alternate form [RFC3516].
Implementations MUST support the preferred form and SHOULD support both the alternate text form and the FQDN format for IPv6 addresses.

If Tunnel-Medium-Type is not IPv4 or IPv6, this string is a tag referring to configuration data local to the Diameter client that describes the interface or medium-specific server address to use.

4.5.6. Tunnel-Password AVP

The Tunnel-Password AVP (AVP Code 69) is of type OctetString and may contain a password to be used to authenticate to a remote server.

The Tunnel-Password AVP contains sensitive information. This value is not protected in the same manner as RADIUS [RFC2868]. Diameter messages are secured by using IPsec or TLS [I-D.ietf-dime-rfc3588bis]. The Tunnel-Password AVP SHOULD NOT be used in untrusted proxy environments without encrypting it by using end-to-end security techniques.

4.5.7. Tunnel-Private-Group-Id AVP

The Tunnel-Private-Group-Id AVP (AVP Code 81) is of type OctetString and contains the group Id for a particular tunneled session. The Tunnel-Private-Group-Id AVP MAY be included in an authorization request if the tunnel initiator can predetermine the group resulting from a particular connection. It SHOULD be included in the authorization response if this tunnel session is to be treated as belonging to a particular private group. Private groups may be used to associate a tunneled session with a particular group of users. For example, it MAY be used to facilitate routing of unregistered IP addresses through a particular interface. This AVP SHOULD be included in the ACR messages that pertain to the tunneled session.

4.5.8. Tunnel-Assignment-Id AVP

The Tunnel-Assignment-Id AVP (AVP Code 82) is of type OctetString and is used to indicate to the tunnel initiator the particular tunnel to which a session is to be assigned.
Some tunneling protocols, such as PPTP [RFC2637] and L2TP [RFC2661], allow for sessions between the same two tunnel endpoints to be multiplexed over the same tunnel and also for a given session to use its own dedicated tunnel. This attribute provides a mechanism for Diameter to inform the tunnel initiator (e.g., PAC, LAC) whether to assign the session to a multiplexed tunnel or to a separate tunnel. Furthermore, it allows for sessions sharing multiplexed tunnels to be assigned to different multiplexed tunnels.

A particular tunneling implementation may assign differing characteristics to particular tunnels. For example, different tunnels may be assigned different QoS parameters. Such tunnels may be used to carry either individual or multiple sessions. The Tunnel-Assignment-Id attribute thus allows the Diameter server to indicate that a particular session is to be assigned to a tunnel providing an appropriate level of service. It is expected that any QoS-related Diameter tunneling attributes defined in the future accompanying this one will be associated by the tunnel initiator with the Id given by this attribute. In the meantime, any semantic given to a particular Id string is a matter left to local configuration in the tunnel initiator.

The Tunnel-Assignment-Id AVP is of significance only to Diameter and the tunnel initiator. The Id it specifies is only intended to be of local use to Diameter and the tunnel initiator. The Id assigned by the tunnel initiator is not conveyed to the tunnel peer.

This attribute MAY be included in authorization responses. The tunnel initiator receiving this attribute MAY choose to ignore it and to assign the session to an arbitrary multiplexed or non-multiplexed tunnel between the desired endpoints.
This AVP SHOULD also be included in the Accounting-Request messages pertaining to the tunneled session.

If a tunnel initiator supports the Tunnel-Assignment-Id AVP, then it should assign a session to a tunnel in the following manner:

o  If this AVP is present and a tunnel exists between the specified endpoints with the specified Id, then the session should be assigned to that tunnel.

o  If this AVP is present and no tunnel exists between the specified endpoints with the specified Id, then a new tunnel should be established for the session and the specified Id should be associated with the new tunnel.

o  If this AVP is not present, then the session is assigned to an unnamed tunnel. If an unnamed tunnel does not yet exist between the specified endpoints, then it is established and used for this session and for subsequent ones established without the Tunnel-Assignment-Id attribute. A tunnel initiator MUST NOT assign a session for which a Tunnel-Assignment-Id AVP was not specified to a named tunnel (i.e., one that was initiated by a session specifying this AVP).

Note that the same Id may be used to name different tunnels if these tunnels are between different endpoints.

4.5.9. Tunnel-Preference AVP

The Tunnel-Preference AVP (AVP Code 83) is of type Unsigned32 and is used to identify the relative preference assigned to each tunnel when more than one set of tunneling AVPs is returned within separate Grouped-AVP AVPs. It MAY be used in an authorization request as a hint to the server that a specific preference is desired, but the server is not required to honor the hint in the corresponding response.

For example, suppose that AVPs describing two tunnels are returned by the server, one with a Tunnel-Type of PPTP and the other with a Tunnel-Type of L2TP.
If the tunnel initiator supports only one of the Tunnel-Types returned, it will initiate a tunnel of that type. If, however, it supports both tunnel protocols, it SHOULD use the value of the Tunnel-Preference AVP to decide which tunnel should be started. The tunnel with the lowest numerical value in the Value field of this AVP SHOULD be given the highest preference. The values assigned to two or more instances of the Tunnel-Preference AVP within a given authorization response MAY be identical. In this case, the tunnel initiator SHOULD use locally configured metrics to decide which set of AVPs to use.

4.5.10. Tunnel-Client-Auth-Id AVP

The Tunnel-Client-Auth-Id AVP (AVP Code 90) is of type UTF8String and specifies the name used by the tunnel initiator during the authentication phase of tunnel establishment. It MAY be used in an authorization request as a hint to the server that a specific preference is desired, but the server is not required to honor the hint in the corresponding response. This AVP MUST be present in the authorization response if an authentication name other than the default is desired. This AVP SHOULD be included in the ACR messages pertaining to the tunneled session.

4.5.11. Tunnel-Server-Auth-Id AVP

The Tunnel-Server-Auth-Id AVP (AVP Code 91) is of type UTF8String and specifies the name used by the tunnel terminator during the authentication phase of tunnel establishment. It MAY be used in an authorization request as a hint to the server that a specific preference is desired, but the server is not required to honor the hint in the corresponding response. This AVP MUST be present in the authorization response if an authentication name other than the default is desired. This AVP SHOULD be included in the ACR messages pertaining to the tunneled session.
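The tunnel initiator's handling of the Tunneling AVPs in an AA-Answer, covering the Tunnel-Type failure rule (Section 4.5.2), the Tunnel-Assignment-Id assignment rules (Section 4.5.8) and the Tunnel-Preference selection (Section 4.5.9), as an added example that is not the draft's own code. The dict layout of a Tunneling grouped AVP, the Tunnel-Type values PPTP = 1 and L2TP = 3 (taken from the RADIUS registry the draft defers to) and the ranking of an absent Tunnel-Preference are assumptions.

```python
"""Tunnel initiator handling of the Tunneling AVPs returned in an AA-Answer.

Added example, not code from the draft. It implements the selection rule of
Sections 4.5.2 and 4.5.9 (drop unsupported Tunnel-Types, fail if none is
left, prefer the lowest Tunnel-Preference, break ties locally) and the
assignment rules of Section 4.5.8 (named versus unnamed tunnels, keyed by
endpoint pair). Each Tunneling grouped AVP is modelled as a dict keyed by
AVP name; the Tunnel-Type values are assumed from the RADIUS registry.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

PPTP, L2TP = 1, 3  # Tunnel-Type values (assumed from the RADIUS registry)


class NoUsableTunnel(Exception):
    """Every returned Tunnel-Type is unknown or unsupported; Section 4.5.2
    says to treat the answer as if its Result-Code indicated failure."""


def choose_tunnel(tunneling_avps: List[dict], supported: set,
                  local_metric: Callable[[dict], int] = lambda t: 0) -> dict:
    """Pick the Tunneling grouped AVP the initiator will act on."""
    usable = [t for t in tunneling_avps if t.get("Tunnel-Type") in supported]
    if not usable:
        raise NoUsableTunnel("AA-Answer carried no supported Tunnel-Type")
    # Lowest Tunnel-Preference wins. An absent Tunnel-Preference is ranked
    # after every explicit one (assumption; the draft leaves it open), and
    # equal preferences are resolved by the locally configured metric.
    unranked = 2 ** 32
    return min(usable, key=lambda t: (t.get("Tunnel-Preference", unranked),
                                      local_metric(t)))


@dataclass(frozen=True)
class TunnelKey:
    client_endpoint: str
    server_endpoint: str
    assignment_id: Optional[bytes]  # None identifies the unnamed tunnel


class TunnelInitiator:
    """Tracks which sessions share which tunnel, per Section 4.5.8."""

    def __init__(self) -> None:
        self.tunnels: Dict[TunnelKey, List[str]] = {}

    def assign_session(self, session_id: str, tunneling: dict) -> TunnelKey:
        key = TunnelKey(
            tunneling["Tunnel-Client-Endpoint"],
            tunneling["Tunnel-Server-Endpoint"],
            tunneling.get("Tunnel-Assignment-Id"),
        )
        # Rules 1 and 2: a named Id selects the tunnel with that Id between
        # these endpoints, creating it if needed. Rule 3: no Id selects the
        # unnamed tunnel between these endpoints, and because the key carries
        # assignment_id=None such a session can never land in a named tunnel.
        # The same Id between different endpoints is a different key, i.e., a
        # different tunnel, as the draft notes. The Id stays local: nothing
        # here sends it to the tunnel peer.
        self.tunnels.setdefault(key, []).append(session_id)
        return key

    def handle_aa_answer(self, session_id: str, tunneling_avps: List[dict],
                         supported: set) -> TunnelKey:
        chosen = choose_tunnel(tunneling_avps, supported)
        return self.assign_session(session_id, chosen)


if __name__ == "__main__":
    # Constructed AA-Answer content: two candidate tunnels to the same server.
    answer = [
        {"Tunnel-Type": PPTP, "Tunnel-Medium-Type": 1,
         "Tunnel-Client-Endpoint": "192.0.2.10",
         "Tunnel-Server-Endpoint": "192.0.2.200", "Tunnel-Preference": 2},
        {"Tunnel-Type": L2TP, "Tunnel-Medium-Type": 1,
         "Tunnel-Client-Endpoint": "192.0.2.10",
         "Tunnel-Server-Endpoint": "192.0.2.200", "Tunnel-Preference": 1,
         "Tunnel-Assignment-Id": b"gold"},
    ]
    lac = TunnelInitiator()
    print(lac.handle_aa_answer("session-1", answer, {PPTP, L2TP}))
```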

4.6. NAS Accounting AVPs

Applications implementing this specification use Diameter Accounting (as defined in [I-D.ietf-dime-rfc3588bis]) and the AVPs in the following section. Service-specific AVP usage is defined in the tables in Section 5.

If accounting is active, Accounting Request (ACR) messages SHOULD be sent after the completion of any Authentication or Authorization transaction and at the end of a Session. The value of the Accounting-Record-Type AVP [I-D.ietf-dime-rfc3588bis] indicates the type of event. All other AVPs identify the session and provide additional information relevant to the event.

The successful completion of the first Authentication or Authorization transaction SHOULD cause a START_RECORD to be sent. If additional Authentications or Authorizations occur in later transactions, the first exchange should generate a START_RECORD, and each later one an INTERIM_RECORD. For a given session, there MUST only be one set of matching START and STOP records, with any number of INTERIM_RECORDS in between, or one EVENT_RECORD indicating the reason a session wasn't started.

The following table gives the possible flag values for the session level AVPs and specifies whether the AVP MAY be encrypted.

                                          +---------------------+
                                          |    AVP Flag rules   |
                                          |----+-----+----+-----|----+
                                 Section  |    |     |SHLD| MUST|    |
Attribute Name                   Defined  |MUST| MAY | NOT| NOT |Encr|
------------------------------------------|----+-----+----+-----|----|
Accounting-Input-Octets          4.6.1    | M  |  P  |    |  V  | Y  |
Accounting-Output-Octets         4.6.2    | M  |  P  |    |  V  | Y  |
Accounting-Input-Packets         4.6.3    | M  |  P  |    |  V  | Y  |
Accounting-Output-Packets        4.6.4    | M  |  P  |    |  V  | Y  |
Acct-Session-Time                4.6.5    | M  |  P  |    |  V  | Y  |
Acct-Authentic                   4.6.6    | M  |  P  |    |  V  | Y  |
Accounting-Auth-Method           4.6.7    | M  |  P  |    |  V  | Y  |
Acct-Delay-Time                  4.6.8    | M  |  P  |    |  V  | Y  |
Acct-Link-Count                  4.6.9    | M  |  P  |    |  V  | Y  |
Acct-Tunnel-Connection           4.6.10   | M  |  P  |    |  V  | Y  |
Acct-Tunnel-Packets-Lost         4.6.11   | M  |  P  |    |  V  | Y  |
------------------------------------------|----+-----+----+-----|----|

4.6.1. Accounting-Input-Octets AVP

The Accounting-Input-Octets AVP (AVP Code 363) is of type Unsigned64 and contains the number of octets received from the user.

For NAS usage, this AVP indicates how many octets have been received from the port in the course of this session. It can only be present in ACR messages with an Accounting-Record-Type [I-D.ietf-dime-rfc3588bis] of INTERIM_RECORD or STOP_RECORD.

4.6.2. Accounting-Output-Octets AVP

The Accounting-Output-Octets AVP (AVP Code 364) is of type Unsigned64 and contains the number of octets sent to the user.

For NAS usage, this AVP indicates how many octets have been sent to the port in the course of this session. It can only be present in ACR messages with an Accounting-Record-Type of INTERIM_RECORD or STOP_RECORD.

4.6.3. Accounting-Input-Packets AVP

The Accounting-Input-Packets AVP (AVP Code 365) is of type Unsigned64 and contains the number of packets received from the user.
   For NAS usage, this AVP indicates how many packets have been received
   from the port over the course of a session being provided to a Framed
   User.  It can only be present in ACR messages with an Accounting-
   Record-Type of INTERIM_RECORD or STOP_RECORD.

4.6.4.  Accounting-Output-Packets AVP

   The Accounting-Output-Packets AVP (AVP Code 366) is of type Unsigned64
   and contains the number of IP packets sent to the user.

   For NAS usage, this AVP indicates how many packets have been sent to
   the port over the course of a session being provided to a Framed
   User.  It can only be present in ACR messages with an Accounting-
   Record-Type of INTERIM_RECORD or STOP_RECORD.

4.6.5.  Acct-Session-Time AVP

   The Acct-Session-Time AVP (AVP Code 46) is of type Unsigned32 and
   indicates the length of the current session in seconds.  It can only
   be present in ACR messages with an Accounting-Record-Type of
   INTERIM_RECORD or STOP_RECORD.

4.6.6.  Acct-Authentic AVP

   The Acct-Authentic AVP (AVP Code 45) is of type Enumerated and
   specifies how the user was authenticated.  The supported values are
   listed in [RADIUSTypes].

4.6.7.  Accounting-Auth-Method AVP

   The Accounting-Auth-Method AVP (AVP Code 406) is of type Enumerated.
   A NAS MAY include this AVP in an Accounting-Request message to
   indicate the method used to authenticate the user.  (Note that this
   AVP is semantically equivalent, and the supported values are
   identical, to the Microsoft MS-Acct-Auth-Type vendor-specific RADIUS
   attribute [RFC2548].)

4.6.8.  Acct-Delay-Time AVP

   The Acct-Delay-Time AVP (AVP Code 41) is of type Unsigned32 and
   indicates the number of seconds the Diameter client has been trying
   to send the Accounting-Request (ACR).
   The accounting server may subtract this value from the time when the
   ACR arrives at the server to calculate the approximate time of the
   event that caused the ACR to be generated.

   This AVP is not used for retransmissions at the transport level (TCP
   or SCTP).  Rather, it may be used when an ACR command cannot be
   transmitted because there is no appropriate peer to transmit it to or
   was rejected because it could not be delivered.  In these cases, the
   command MAY be buffered and transmitted later, when an appropriate
   peer-connection is available or after sufficient time has passed that
   the destination-host may be reachable and operational.  If the ACR is
   re-sent in this way, the Acct-Delay-Time AVP SHOULD be included.  The
   value of this AVP indicates the number of seconds that elapsed
   between the time of the first attempt at transmission and the current
   attempt.

4.6.9.  Acct-Link-Count AVP

   The Acct-Link-Count AVP (AVP Code 51) is of type Unsigned32 and
   indicates the total number of links that have been active (current or
   closed) in a given multilink session at the time the accounting
   record is generated.  This AVP MAY be included in Accounting-Requests
   for any session that may be part of a multilink service.

   The Acct-Link-Count AVP may be used to make it easier for an
   accounting server to know when it has all the records for a given
   multilink service.  When the number of Accounting-Requests received
   with Accounting-Record-Type = STOP_RECORD and with the same Acct-
   Multi-Session-Id and unique Session-Ids equals the largest value of
   Acct-Link-Count seen in those Accounting-Requests, all STOP_RECORD
   Accounting-Requests for that multilink service have been received.

   The following example, showing eight Accounting-Requests, illustrates
   how the Acct-Link-Count AVP is used.
   In the table below, only the relevant AVPs are shown, although
   additional AVPs containing accounting information will be present in
   the Accounting-Requests.

   Acct-Multi-                Accounting-    Acct-
   Session-Id    Session-Id   Record-Type    Link-Count
   --------------------------------------------------------
   "...10"       "...10"      START_RECORD   1
   "...10"       "...11"      START_RECORD   2
   "...10"       "...11"      STOP_RECORD    2
   "...10"       "...12"      START_RECORD   3
   "...10"       "...13"      START_RECORD   4
   "...10"       "...12"      STOP_RECORD    4
   "...10"       "...13"      STOP_RECORD    4
   "...10"       "...10"      STOP_RECORD    4

4.6.10.  Acct-Tunnel-Connection AVP

   The Acct-Tunnel-Connection AVP (AVP Code 68) is of type OctetString
   and contains the identifier assigned to the tunnel session.  This
   AVP, along with the Tunnel-Client-Endpoint (Section 4.5.4) and
   Tunnel-Server-Endpoint (Section 4.5.5) AVPs, may be used to provide a
   means to uniquely identify a tunnel session for auditing purposes.

   The format of the identifier in this AVP depends upon the value of
   the Tunnel-Type AVP (Section 4.5.2).  For example, to identify an
   L2TP tunnel connection fully, the L2TP Tunnel Id and Call Id might be
   encoded in this field.  The exact encoding of this field is
   implementation dependent.

4.6.11.  Acct-Tunnel-Packets-Lost AVP

   The Acct-Tunnel-Packets-Lost AVP (AVP Code 86) is of type Unsigned32
   and contains the number of packets lost on a given tunnel.

5.  AVP Occurrence Tables

   The following tables present the AVPs used by NAS applications in NAS
   messages and specify in which Diameter messages they may or may not
   be present.  Messages and AVPs defined in the base Diameter protocol
   [I-D.ietf-dime-rfc3588bis] are not described in this document.  Note
   that AVPs that can only be present within a Grouped AVP are not
   represented in these tables.
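   The record-handling rules of Section 4.6 (one START/STOP pair or a
   single EVENT per session; counter AVPs only in INTERIM and STOP
   records; Acct-Delay-Time subtracted from the arrival time; and the
   Acct-Link-Count completion test of Section 4.6.9, run over the eight
   records of the example above) are the checks an accounting server
   applies before it trusts a record for billing.  The following is an
   added example written for this page, not code from the draft or from
   any Diameter implementation.  It assumes that ACRs have already been
   decoded into plain dicts keyed by the AVP names used in Section 4.6,
   and it writes Accounting-Record-Type values by name, as the text
   does; the numeric encodings are defined in the Diameter base
   protocol.  The octet counts and the delay value on the constructed
   STOP records are made up.

```python
"""Accounting-record checks for NAS Accounting-Request (ACR) records.

Added example, not code from the draft.  Records are plain dicts keyed
by the AVP names used in Section 4.6 (an assumption; a real server
decodes Diameter AVPs first).
"""
from collections import defaultdict

START, INTERIM, STOP, EVENT = ("START_RECORD", "INTERIM_RECORD",
                               "STOP_RECORD", "EVENT_RECORD")

# AVPs that Sections 4.6.1 - 4.6.5 allow only in INTERIM and STOP records.
COUNTER_AVPS = (
    "Accounting-Input-Octets", "Accounting-Output-Octets",
    "Accounting-Input-Packets", "Accounting-Output-Packets",
    "Acct-Session-Time",
)


def check_counter_avps(record):
    """Return the counter AVPs carried by a record type that may not carry them."""
    if record["Accounting-Record-Type"] in (INTERIM, STOP):
        return []
    return [avp for avp in COUNTER_AVPS if avp in record]


def event_time(arrival_time, record):
    """Approximate the event time behind a buffered ACR by subtracting
    Acct-Delay-Time from the time the ACR arrived (Section 4.6.8)."""
    return arrival_time - record.get("Acct-Delay-Time", 0)


def check_session_sequences(records):
    """Apply the per-session rule of Section 4.6: one START_RECORD, any number
    of INTERIM_RECORDs, one STOP_RECORD, or a single EVENT_RECORD.
    Returns {Session-Id: [problem, ...]} for the sessions that break it."""
    types_by_session = defaultdict(list)
    for rec in records:
        types_by_session[rec["Session-Id"]].append(rec["Accounting-Record-Type"])
    problems = {}
    for sid, types in types_by_session.items():
        found = []
        if EVENT in types and len(types) > 1:
            found.append("EVENT_RECORD mixed with other records")
        if types.count(START) > 1:
            found.append("more than one START_RECORD")
        if types.count(STOP) > 1:
            found.append("more than one STOP_RECORD")
        if EVENT not in types and types[0] != START:
            found.append("first record is not START_RECORD")
        if STOP in types and types[-1] != STOP:
            found.append("records after STOP_RECORD")
        if found:
            problems[sid] = found
    return problems


def multilink_complete(records):
    """Per Acct-Multi-Session-Id, True once the number of distinct Session-Ids
    that sent a STOP_RECORD equals the largest Acct-Link-Count seen for that
    multilink session (Section 4.6.9)."""
    stopped = defaultdict(set)
    max_links = defaultdict(int)
    for rec in records:
        msid = rec.get("Acct-Multi-Session-Id")
        if msid is None:
            continue  # not part of a multilink service
        max_links[msid] = max(max_links[msid], rec.get("Acct-Link-Count", 0))
        if rec["Accounting-Record-Type"] == STOP:
            stopped[msid].add(rec["Session-Id"])
    return {msid: links > 0 and len(stopped[msid]) == links
            for msid, links in max_links.items()}


def _rec(session_id, record_type, link_count, **avps):
    """Build one constructed record of the multilink session "...10"."""
    rec = {"Acct-Multi-Session-Id": "...10", "Session-Id": session_id,
           "Accounting-Record-Type": record_type, "Acct-Link-Count": link_count}
    rec.update(avps)
    return rec


# The eight records of the Section 4.6.9 example, constructed as sample
# input; the octet counts and Acct-Delay-Time on the STOP records are made up.
EXAMPLE_RECORDS = [
    _rec("...10", START, 1),
    _rec("...11", START, 2),
    _rec("...11", STOP, 2, **{"Accounting-Input-Octets": 4096,
                              "Accounting-Output-Octets": 12288}),
    _rec("...12", START, 3),
    _rec("...13", START, 4),
    _rec("...12", STOP, 4, **{"Accounting-Input-Octets": 2048,
                              "Accounting-Output-Octets": 8192}),
    _rec("...13", STOP, 4, **{"Accounting-Input-Octets": 1024,
                              "Accounting-Output-Octets": 4096}),
    _rec("...10", STOP, 4, **{"Accounting-Input-Octets": 8192,
                              "Accounting-Output-Octets": 32768,
                              "Acct-Delay-Time": 30}),
]

if __name__ == "__main__":
    for n in range(1, len(EXAMPLE_RECORDS) + 1):
        print(n, "records received:", multilink_complete(EXAMPLE_RECORDS[:n]))
    print("sequence problems:", check_session_sequences(EXAMPLE_RECORDS))
```

   Fed the records one at a time, multilink_complete() stays False
   through the seventh record (three distinct Session-Ids have stopped,
   but the largest Acct-Link-Count seen is four) and becomes True only
   when the eighth STOP_RECORD arrives.  Note that Acct-Link-Count and
   Acct-Delay-Time are both supplied by the NAS, so these checks catch
   malformed or out-of-order records; they do not make a record from a
   misbehaving NAS trustworthy.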
   The table uses the following symbols:

   0     The AVP MUST NOT be present in the message.

   0+    Zero or more instances of the AVP MAY be present in the
         message.

   0-1   Zero or one instance of the AVP MAY be present in the
         message.

   1     Exactly one instance of the AVP MUST be present in the
         message.

5.1.  AA-Request/Answer AVP Table

   The table in this section is limited to the Command Codes defined in
   this specification.

                                 +-----------+
                                 |  Command  |
                                 |-----+-----+
   Attribute Name                | AAR | AAA |
   ------------------------------|-----+-----+
   Acct-Interim-Interval         |  0  | 0-1 |
   ARAP-Challenge-Response       |  0  | 0-1 |
   ARAP-Features                 |  0  | 0-1 |
   ARAP-Password                 | 0-1 |  0  |
   ARAP-Security                 | 0-1 | 0-1 |
   ARAP-Security-Data            | 0+  | 0+  |
   ARAP-Zone-Access              |  0  | 0-1 |
   Auth-Application-Id           |  1  |  1  |
   Auth-Grace-Period             | 0-1 | 0-1 |
   Auth-Request-Type             |  1  |  1  |
   Auth-Session-State            | 0-1 | 0-1 |
   Authorization-Lifetime        | 0-1 | 0-1 |
   Callback-Id                   |  0  | 0-1 |
   Callback-Number               | 0-1 | 0-1 |
   Called-Station-Id             | 0-1 |  0  |
   Calling-Station-Id            | 0-1 |  0  |
   CHAP-Auth                     | 0-1 |  0  |
   CHAP-Challenge                | 0-1 |  0  |
   Class                         |  0  | 0+  |
   Configuration-Token           |  0  | 0+  |
   Connect-Info                  | 0+  |  0  |
   Destination-Host              | 0-1 |  0  |
   Destination-Realm             |  1  |  0  |
   Error-Message                 |  0  | 0-1 |
   Error-Reporting-Host          |  0  | 0-1 |
   Failed-AVP                    | 0+  | 0+  |
   Filter-Id                     |  0  | 0+  |
   Framed-AppleTalk-Link         |  0  | 0-1 |
   Framed-AppleTalk-Network      |  0  | 0+  |
   Framed-AppleTalk-Zone         |  0  | 0-1 |
   Framed-Compression            | 0+  | 0+  |
   Framed-Interface-Id           | 0-1 | 0-1 |
   Framed-IP-Address             | 0-1 | 0-1 |
   Framed-IP-Netmask             | 0-1 | 0-1 |
   Framed-IPv6-Prefix            | 0+  | 0+  |
   Framed-IPv6-Pool              |  0  | 0-1 |
   Framed-IPv6-Route             |  0  | 0+  |
   Framed-IPX-Network            |  0  | 0-1 |
   Framed-MTU                    | 0-1 | 0-1 |
   Framed-Pool                   |  0  | 0-1 |
   Framed-Protocol               | 0-1 | 0-1 |
   Framed-Route                  |  0  | 0+  |
   Framed-Routing                |  0  | 0-1 |
   Idle-Timeout                  |  0  | 0-1 |
   Login-IP-Host                 | 0+  | 0+  |
   Login-IPv6-Host               | 0+  | 0+  |
   Login-LAT-Group               | 0-1 | 0-1 |
   Login-LAT-Node                | 0-1 | 0-1 |
   Login-LAT-Port                | 0-1 | 0-1 |
   Login-LAT-Service             | 0-1 | 0-1 |
   Login-Service                 |  0  | 0-1 |
   Login-TCP-Port                |  0  | 0-1 |
   Multi-Round-Time-Out          |  0  | 0-1 |
   NAS-Filter-Rule               |  0  | 0+  |
   NAS-Identifier                | 0-1 |  0  |
   NAS-IP-Address                | 0-1 |  0  |
   NAS-IPv6-Address              | 0-1 |  0  |
   NAS-Port                      | 0-1 |  0  |
   NAS-Port-Id                   | 0-1 |  0  |
   NAS-Port-Type                 | 0-1 |  0  |
   Origin-AAA-Protocol           | 0-1 | 0-1 |
   Origin-Host                   |  1  |  1  |
   Origin-Realm                  |  1  |  1  |
   Origin-State-Id               | 0-1 | 0-1 |
   Originating-Line-Info         | 0-1 |  0  |
   Password-Retry                |  0  | 0-1 |
   Port-Limit                    | 0-1 | 0-1 |
   Prompt                        |  0  | 0-1 |
   Proxy-Info                    | 0+  | 0+  |
   QoS-Filter-Rule               |  0  | 0+  |
   Re-Auth-Request-Type          |  0  | 0-1 |
   Redirect-Host                 |  0  | 0+  |
   Redirect-Host-Usage           |  0  | 0-1 |
   Redirect-Max-Cache-Time       |  0  | 0-1 |
   Reply-Message                 |  0  | 0+  |
   Result-Code                   |  0  |  1  |
   Route-Record                  | 0+  |  0  |
   Service-Type                  | 0-1 | 0-1 |
   Session-Id                    |  1  |  1  |
   Session-Timeout               |  0  | 0-1 |
   State                         | 0-1 | 0-1 |
   Tunneling                     | 0+  | 0+  |
   User-Name                     | 0-1 | 0-1 |
   User-Password                 | 0-1 |  0  |
   ------------------------------|-----+-----+

5.2.  Accounting AVP Tables

   The tables in this section are used to show which AVPs defined in
   this document are to be present and used in NAS application
   Accounting messages.
   These AVPs are defined in this document, as well as in
   [I-D.ietf-dime-rfc3588bis] and [RFC2866].

5.2.1.  Framed Access Accounting AVP Table

   The table in this section is used when the Service-Type AVP
   (Section 4.4.1) specifies Framed Access.

                                          +-----------+
                                          |  Command  |
                                          |-----+-----+
   Attribute Name                         | ACR | ACA |
   ---------------------------------------|-----+-----+
   Accounting-Auth-Method                 | 0-1 |  0  |
   Accounting-Input-Octets                |  1  |  0  |
   Accounting-Input-Packets               |  1  |  0  |
   Accounting-Output-Octets               |  1  |  0  |
   Accounting-Output-Packets              |  1  |  0  |
   Accounting-Record-Number               | 0-1 | 0-1 |
   Accounting-Record-Type                 |  1  |  1  |
   Accounting-Realtime-Required           | 0-1 | 0-1 |
   Accounting-Sub-Session-Id              | 0-1 | 0-1 |
   Acct-Application-Id                    | 0-1 | 0-1 |
   Acct-Session-Id                        |  1  | 0-1 |
   Acct-Multi-Session-Id                  | 0-1 | 0-1 |
   Acct-Authentic                         |  1  |  0  |
   Acct-Delay-Time                        | 0-1 |  0  |
   Acct-Interim-Interval                  | 0-1 | 0-1 |
   Acct-Link-Count                        | 0-1 |  0  |
   Acct-Session-Time                      |  1  |  0  |
   Acct-Tunnel-Connection                 | 0-1 |  0  |
   Acct-Tunnel-Packets-Lost               | 0-1 |  0  |
   Authorization-Lifetime                 | 0-1 |  0  |
   Callback-Id                            | 0-1 |  0  |
   Callback-Number                        | 0-1 |  0  |
   Called-Station-Id                      | 0-1 |  0  |
   Calling-Station-Id                     | 0-1 |  0  |
   Class                                  | 0+  | 0+  |
   Connect-Info                           | 0+  |  0  |
   Destination-Host                       | 0-1 |  0  |
   Destination-Realm                      |  1  |  0  |
   Event-Timestamp                        | 0-1 | 0-1 |
   Error-Message                          |  0  | 0-1 |
   Error-Reporting-Host                   |  0  | 0-1 |
   Failed-AVP                             |  0  | 0+  |
   Framed-AppleTalk-Link                  | 0-1 |  0  |
   Framed-AppleTalk-Network               | 0-1 |  0  |
   Framed-AppleTalk-Zone                  | 0-1 |  0  |
   Framed-Compression                     | 0-1 |  0  |
   Framed-IP-Address                      | 0-1 |  0  |
   Framed-IP-Netmask                      | 0-1 |  0  |
   Framed-IPv6-Prefix                     | 0+  |  0  |
   Framed-IPv6-Pool                       | 0-1 |  0  |
   Framed-IPX-Network                     | 0-1 |  0  |
   Framed-MTU                             | 0-1 |  0  |
   Framed-Pool                            | 0-1 |  0  |
   Framed-Protocol                        | 0-1 |  0  |
   Framed-Route                           | 0-1 |  0  |
   Framed-Routing                         | 0-1 |  0  |
   NAS-Filter-Rule                        | 0+  |  0  |
   NAS-Identifier                         | 0-1 | 0-1 |
   NAS-IP-Address                         | 0-1 | 0-1 |
   NAS-IPv6-Address                       | 0-1 | 0-1 |
   NAS-Port                               | 0-1 | 0-1 |
   NAS-Port-Id                            | 0-1 | 0-1 |
   NAS-Port-Type                          | 0-1 | 0-1 |
   Origin-AAA-Protocol                    | 0-1 | 0-1 |
   Origin-Host                            |  1  |  1  |
   Origin-Realm                           |  1  |  1  |
   Origin-State-Id                        | 0-1 | 0-1 |
   Originating-Line-Info                  | 0-1 |  0  |
   Proxy-Info                             | 0+  | 0+  |
   QoS-Filter-Rule                        | 0+  |  0  |
   Route-Record                           | 0+  |  0  |
   Result-Code                            |  0  |  1  |
   Service-Type                           | 0-1 | 0-1 |
   Session-Id                             |  1  |  1  |
   Termination-Cause                      | 0-1 | 0-1 |
   Tunnel-Assignment-Id                   | 0-1 |  0  |
   Tunnel-Client-Endpoint                 | 0-1 |  0  |
   Tunnel-Medium-Type                     | 0-1 |  0  |
   Tunnel-Private-Group-Id                | 0-1 |  0  |
   Tunnel-Server-Endpoint                 | 0-1 |  0  |
   Tunnel-Type                            | 0-1 |  0  |
   User-Name                              | 0-1 | 0-1 |
   Vendor-Specific-Application-Id         | 0-1 | 0-1 |
   ---------------------------------------|-----+-----+

5.2.2.  Non-Framed Access Accounting AVP Table

   The table in this section is used when the Service-Type AVP
   (Section 4.4.1) specifies Non-Framed Access.
                                          +-----------+
                                          |  Command  |
                                          |-----+-----+
   Attribute Name                         | ACR | ACA |
   ---------------------------------------|-----+-----+
   Accounting-Auth-Method                 | 0-1 |  0  |
   Accounting-Input-Octets                |  1  |  0  |
   Accounting-Output-Octets               |  1  |  0  |
   Accounting-Record-Type                 |  1  |  1  |
   Accounting-Record-Number               | 0-1 | 0-1 |
   Accounting-Realtime-Required           | 0-1 | 0-1 |
   Accounting-Sub-Session-Id              | 0-1 | 0-1 |
   Acct-Application-Id                    | 0-1 | 0-1 |
   Acct-Session-Id                        |  1  | 0-1 |
   Acct-Multi-Session-Id                  | 0-1 | 0-1 |
   Acct-Authentic                         |  1  |  0  |
   Acct-Delay-Time                        | 0-1 |  0  |
   Acct-Interim-Interval                  | 0-1 | 0-1 |
   Acct-Link-Count                        | 0-1 |  0  |
   Acct-Session-Time                      |  1  |  0  |
   Authorization-Lifetime                 | 0-1 |  0  |
   Callback-Id                            | 0-1 |  0  |
   Callback-Number                        | 0-1 |  0  |
   Called-Station-Id                      | 0-1 |  0  |
   Calling-Station-Id                     | 0-1 |  0  |
   Class                                  | 0+  | 0+  |
   Connect-Info                           | 0+  |  0  |
   Destination-Host                       | 0-1 |  0  |
   Destination-Realm                      |  1  |  0  |
   Event-Timestamp                        | 0-1 | 0-1 |
   Error-Message                          |  0  | 0-1 |
   Error-Reporting-Host                   |  0  | 0-1 |
   Failed-AVP                             |  0  | 0+  |
   Login-IP-Host                          | 0+  |  0  |
   Login-IPv6-Host                        | 0+  |  0  |
   Login-LAT-Service                      | 0-1 |  0  |
   Login-LAT-Node                         | 0-1 |  0  |
   Login-LAT-Group                        | 0-1 |  0  |
   Login-LAT-Port                         | 0-1 |  0  |
   Login-Service                          | 0-1 |  0  |
   Login-TCP-Port                         | 0-1 |  0  |
   NAS-Identifier                         | 0-1 | 0-1 |
   NAS-IP-Address                         | 0-1 | 0-1 |
   NAS-IPv6-Address                       | 0-1 | 0-1 |
   NAS-Port                               | 0-1 | 0-1 |
   NAS-Port-Id                            | 0-1 | 0-1 |
   NAS-Port-Type                          | 0-1 | 0-1 |
   Origin-AAA-Protocol                    | 0-1 | 0-1 |
   Origin-Host                            |  1  |  1  |
   Origin-Realm                           |  1  |  1  |
   Origin-State-Id                        | 0-1 | 0-1 |
   Originating-Line-Info                  | 0-1 |  0  |
   Proxy-Info                             | 0+  | 0+  |
   QoS-Filter-Rule                        | 0+  |  0  |
   Route-Record                           | 0+  |  0  |
   Result-Code                            |  0  |  1  |
   Session-Id                             |  1  |  1  |
   Service-Type                           | 0-1 | 0-1 |
   Termination-Cause                      | 0-1 | 0-1 |
   User-Name                              | 0-1 | 0-1 |
   Vendor-Specific-Application-Id         | 0-1 | 0-1 |
   ---------------------------------------|-----+-----+

6.  IANA Considerations

   This section provides guidance to the Internet Assigned Numbers
   Authority (IANA) regarding registration of values related to the
   Diameter protocol, in accordance with BCP 26 [RFC5226].

   This document defines values in the namespaces that have been created
   and defined in the Diameter Base [I-D.ietf-dime-rfc3588bis].  The
   IANA Considerations section of that document details the assignment
   criteria.  Values assigned in this document, or by future IANA
   action, must be coordinated within this shared namespace.

6.1.  Command Codes

   This specification assigns the value 265 from the Command Code
   namespace defined in [I-D.ietf-dime-rfc3588bis].  See Sections 3.1
   and 3.2 for the assignment of the namespace in this specification.

6.2.  AVP Codes

   This specification assigns the values 363 - 366 and 400 - 408 from
   the AVP Code namespace defined in [I-D.ietf-dime-rfc3588bis].  See
   Section 4 for the assignment of the namespace in this specification.
   Note that the values 363 - 366 are jointly, but consistently,
   assigned in [RFC4004].  This document also creates one new namespace
   to be managed by IANA, as described in Section 6.5.

   This specification also specifies the use of AVPs in the 0 - 255
   range, which are listed in [RADIUSTypes].  These values are assigned
   according to the policy stated in Section 6 of [RFC2865], as amended
   by [RFC3575].

6.3.  Application Identifier

   This specification uses the value one (1) in the Application
   Identifier namespace as assigned in [I-D.ietf-dime-rfc3588bis].
   See Section 1.3 above for more information.

6.4.  CHAP-Algorithm AVP Values

   As defined in Section 4.3.4, the CHAP-Algorithm AVP (AVP Code 403)
   uses the values of the "PPP AUTHENTICATION ALGORITHMS" namespace
   defined in [RFC1994].

6.5.  Accounting-Auth-Method AVP Values

   As defined in Section 4.6.7, the Accounting-Auth-Method AVP (AVP Code
   406) defines the values 1 - 5.  All remaining values are available
   for assignment via the IETF Review policy [RFC5226].

7.  Security Considerations

   This document describes the extension of Diameter for the NAS
   application.  The security considerations of the Diameter protocol
   itself have been discussed in [I-D.ietf-dime-rfc3588bis].  Use of
   this application of Diameter MUST take into consideration the
   security issues and requirements of the Base protocol.

   This document does not contain a security protocol but does discuss
   how PPP authentication protocols can be carried within the Diameter
   protocol.  The PPP authentication protocols described are PAP and
   CHAP.

   The use of PAP SHOULD be discouraged, as it exposes users' passwords
   to possibly non-trusted entities.  However, PAP is also frequently
   used to carry One-Time Passwords, which do not present the same risk,
   since a one-time password observed in transit cannot be used again.

   This document also describes how CHAP can be carried within the
   Diameter protocol, which is required for RADIUS backward
   compatibility.  The CHAP protocol, as used in a RADIUS environment,
   facilitates authentication replay attacks: the challenge is chosen by
   the NAS and relayed to the server together with the response, so the
   server has no way of verifying that the challenge was fresh.

   The use of the EAP authentication protocols [RFC4072] can offer
   better security, given a method suitable for the circumstances.

8.  References

8.1.  Normative References

   [ANITypes]    NANPA Number Resource Info, "ANI Assignments".

   [I-D.ietf-dime-rfc3588bis]
                 Fajardo, V., Arkko, J., Loughney, J., and G. Zorn,
                 "Diameter Base Protocol", draft-ietf-dime-rfc3588bis-25
                 (work in progress), September 2010.

   [RADIUSTypes] IANA, "RADIUS Types".

   [RFC1994]     Simpson, W., "PPP Challenge Handshake Authentication
                 Protocol (CHAP)", RFC 1994, August 1996.

   [RFC2119]     Bradner, S., "Key words for use in RFCs to Indicate
                 Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2865]     Rigney, C., Willens, S., Rubens, A., and W. Simpson,
                 "Remote Authentication Dial In User Service (RADIUS)",
                 RFC 2865, June 2000.

   [RFC3162]     Aboba, B., Zorn, G., and D. Mitton, "RADIUS and IPv6",
                 RFC 3162, August 2001.

   [RFC3516]     Nerenberg, L., "IMAP4 Binary Content Extension",
                 RFC 3516, April 2003.

   [RFC3539]     Aboba, B. and J. Wood, "Authentication, Authorization
                 and Accounting (AAA) Transport Profile", RFC 3539,
                 June 2003.

   [RFC5226]     Narten, T. and H. Alvestrand, "Guidelines for Writing
                 an IANA Considerations Section in RFCs", BCP 26,
                 RFC 5226, May 2008.

8.2.  Informative References

   [ARAP]        Apple Computer, "Apple Remote Access Protocol (ARAP)
                 Version 2.0 External Reference Specification",
                 R0612LL/B, September 1994.

   [AppleTalk]   Sidhu, G., Andrews, R., and A. Oppenheimer, "Inside
                 AppleTalk", Second Edition, Apple Computer, 1990.

   [IPX]         Novell, Inc., "NetWare System Technical Interface
                 Overview", #883-000780-001, June 1989.

   [ISO.8859-1.1987]
                 International Organization for Standardization,
                 "Information technology - 8-bit single byte coded
                 graphic - character sets - Part 1: Latin alphabet
                 No. 1, JTC1/SC2", ISO Standard 8859-1, 1987.

   [LAT]         Digital Equipment Corp., "Local Area Transport (LAT)
                 Specification V5.0", AA-NL26A-TE, June 1989.

   [RFC1334]     Lloyd, B. and W. Simpson, "PPP Authentication
                 Protocols", RFC 1334, October 1992.
   [RFC1661]     Simpson, W., "The Point-to-Point Protocol (PPP)",
                 STD 51, RFC 1661, July 1994.

   [RFC1990]     Sklower, K., Lloyd, B., McGregor, G., Carr, D., and
                 T. Coradetti, "The PPP Multilink Protocol (MP)",
                 RFC 1990, August 1996.

   [RFC2474]     Nichols, K., Blake, S., Baker, F., and D. Black,
                 "Definition of the Differentiated Services Field
                 (DS Field) in the IPv4 and IPv6 Headers", RFC 2474,
                 December 1998.

   [RFC2548]     Zorn, G., "Microsoft Vendor-specific RADIUS
                 Attributes", RFC 2548, March 1999.

   [RFC2597]     Heinanen, J., Baker, F., Weiss, W., and J. Wroclawski,
                 "Assured Forwarding PHB Group", RFC 2597, June 1999.

   [RFC2637]     Hamzeh, K., Pall, G., Verthein, W., Taarud, J.,
                 Little, W., and G. Zorn, "Point-to-Point Tunneling
                 Protocol", RFC 2637, July 1999.

   [RFC2661]     Townsley, W., Valencia, A., Rubens, A., Pall, G.,
                 Zorn, G., and B. Palter, "Layer Two Tunneling Protocol
                 "L2TP"", RFC 2661, August 1999.

   [RFC2866]     Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.

   [RFC2867]     Zorn, G., Aboba, B., and D. Mitton, "RADIUS Accounting
                 Modifications for Tunnel Protocol Support", RFC 2867,
                 June 2000.

   [RFC2868]     Zorn, G., Leifer, D., Rubens, A., Shriver, J.,
                 Holdrege, M., and I. Goyret, "RADIUS Attributes for
                 Tunnel Protocol Support", RFC 2868, June 2000.

   [RFC2869]     Rigney, C., Willats, W., and P. Calhoun, "RADIUS
                 Extensions", RFC 2869, June 2000.

   [RFC2881]     Mitton, D. and M. Beadles, "Network Access Server
                 Requirements Next Generation (NASREQNG) NAS Model",
                 RFC 2881, July 2000.
   [RFC2989]     Aboba, B., Calhoun, P., Glass, S., Hiller, T., McCann,
                 P., Shiino, H., Walsh, P., Zorn, G., Dommety, G.,
                 Perkins, C., Patil, B., Mitton, D., Manning, S.,
                 Beadles, M., Chen, X., Sivalingham, S., Hameed, A.,
                 Munson, M., Jacobs, S., Lim, B., Hirschman, B., Hsu,
                 R., Koo, H., Lipford, M., Campbell, E., Xu, Y., Baba,
                 S., and E. Jaques, "Criteria for Evaluating AAA
                 Protocols for Network Access", RFC 2989,
                 November 2000.

   [RFC3169]     Beadles, M. and D. Mitton, "Criteria for Evaluating
                 Network Access Server Protocols", RFC 3169,
                 September 2001.

   [RFC3246]     Davie, B., Charny, A., Bennet, J., Benson, K.,
                 Le Boudec, J., Courtney, W., Davari, S., Firoiu, V.,
                 and D. Stiliadis, "An Expedited Forwarding PHB (Per-Hop
                 Behavior)", RFC 3246, March 2002.

   [RFC3575]     Aboba, B., "IANA Considerations for RADIUS (Remote
                 Authentication Dial In User Service)", RFC 3575,
                 July 2003.

   [RFC3580]     Congdon, P., Aboba, B., Smith, A., Zorn, G., and
                 J. Roese, "IEEE 802.1X Remote Authentication Dial In
                 User Service (RADIUS) Usage Guidelines", RFC 3580,
                 September 2003.

   [RFC4004]     Calhoun, P., Johansson, T., Perkins, C., Hiller, T.,
                 and P. McCann, "Diameter Mobile IPv4 Application",
                 RFC 4004, August 2005.

   [RFC4072]     Eronen, P., Hiller, T., and G. Zorn, "Diameter
                 Extensible Authentication Protocol (EAP) Application",
                 RFC 4072, August 2005.

Appendix A.  Acknowledgements

A.1.  RFC 4005

   The authors would like to thank Carl Rigney, Allan C. Rubens, William
   Allen Simpson, and Steve Willens for their work on the original
   RADIUS protocol, from which many of the concepts in this
   specification were derived.
   Thanks, also, to Carl Rigney for [RFC2866] and [RFC2869]; Ward
   Willats for [RFC2869]; Glen Zorn, Bernard Aboba, and Dave Mitton for
   [RFC2867] and [RFC3162]; and Dory Leifer, John Shriver, Matt
   Holdrege, Allan Rubens, Glen Zorn and Ignacio Goyret for their work
   on [RFC2868].  This document stole text and concepts from both
   [RFC2868] and [RFC2869].  Thanks go to Carl Williams for providing
   IPv6-specific text.

   The authors would also like to acknowledge the following people for
   their contributions in the development of the Diameter protocol:
   Bernard Aboba, Jari Arkko, William Bulley, Kuntal Chowdhury, Daniel
   C. Fox, Lol Grant, Nancy Greene, Jeff Hagg, Peter Heitman, Paul
   Krumviede, Fergal Ladley, Ryan Moats, Victor Muslin, Kenneth Peirce,
   Sumit Vakil, John R. Vollbrecht, and Jeff Weisberg.

   Finally, Pat Calhoun would like to thank Sun Microsystems, as most of
   the effort put into this document was done while he was in their
   employ.

A.2.  RFC 4005bis

   The vast majority of the text in this document was lifted directly
   from RFC 4005; the editor owes a debt of gratitude to the authors
   thereof (especially Dave Mitton, who somehow managed to make nroff
   paginate the AVP Occurrence Tables correctly!).

   Thanks (in no particular order) to Jai-Jin Lim, Liu Hans, Sebastien
   Decugis and Stefan Winter for their useful reviews and helpful
   comments.

Author's Address

   Glen Zorn
   Network Zen
   227/358 Thanon Sanphawut
   Bang Na, Bangkok 10260
   Thailand

   Phone: +66 (0) 87-040-4617
   EMail: gwz@net-zen.net