Network Working Group                                            G. Zorn
Internet-Draft                                               Network Zen
Obsoletes: 4005 (if approved)                          November 16, 2010
Intended status: Standards Track
Expires: May 20, 2011

               Diameter Network Access Server Application
                       draft-ietf-dime-rfc4005bis-02

Abstract

   This document describes the Diameter protocol application used for
   Authentication, Authorization, and Accounting (AAA) services in the
   Network Access Server (NAS) environment.  When combined with the
   Diameter Base protocol, Transport Profile, and Extensible
   Authentication Protocol specifications, this application
   specification satisfies typical network access services requirements.
   If approved, this document obsoletes RFC 4005.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 20, 2011.

Copyright Notice

   Copyright (c) 2010 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology
     1.2.  Requirements Language
     1.3.  Advertising Application Support
   2.  NAS Calls, Ports, and Sessions
     2.1.  Diameter Session Establishment
     2.2.  Diameter Session Reauthentication or Reauthorization
     2.3.  Diameter Session Termination
   3.  Diameter NAS Application Messages
     3.1.  AA-Request (AAR) Command
     3.2.  AA-Answer (AAA) Command
     3.3.  Re-Auth-Request (RAR) Command
     3.4.  Re-Auth-Answer (RAA) Command
     3.5.  Session-Termination-Request (STR) Command
     3.6.  Session-Termination-Answer (STA) Command
     3.7.  Abort-Session-Request (ASR) Command
     3.8.  Abort-Session-Answer (ASA) Command
     3.9.  Accounting-Request (ACR) Command
     3.10. Accounting-Answer (ACA) Command
   4.  Diameter NAS Application AVPs
     4.1.  Derived AVP Data Formats
       4.1.1.  QoSFilterRule
     4.2.  NAS Session AVPs
       4.2.1.  Call and Session Information
       4.2.2.  NAS-Port AVP
       4.2.3.  NAS-Port-Id AVP
       4.2.4.  NAS-Port-Type AVP
       4.2.5.  Called-Station-Id AVP
       4.2.6.  Calling-Station-Id AVP
       4.2.7.  Connect-Info AVP
       4.2.8.  Originating-Line-Info AVP
       4.2.9.  Reply-Message AVP
     4.3.  NAS Authentication AVPs
       4.3.1.  User-Password AVP
       4.3.2.  Password-Retry AVP
       4.3.3.  Prompt AVP
       4.3.4.  CHAP-Auth AVP
       4.3.5.  CHAP-Algorithm AVP
       4.3.6.  CHAP-Ident AVP
       4.3.7.  CHAP-Response AVP
       4.3.8.  CHAP-Challenge AVP
       4.3.9.  ARAP-Password AVP
       4.3.10. ARAP-Challenge-Response AVP
       4.3.11. ARAP-Security AVP
       4.3.12. ARAP-Security-Data AVP
     4.4.  NAS Authorization AVPs
       4.4.1.  Service-Type AVP
       4.4.2.  Callback-Number AVP
       4.4.3.  Callback-Id AVP
       4.4.4.  Idle-Timeout AVP
       4.4.5.  Port-Limit AVP
       4.4.6.  NAS-Filter-Rule AVP
       4.4.7.  Filter-Id AVP
       4.4.8.  Configuration-Token AVP
       4.4.9.  QoS-Filter-Rule AVP
       4.4.10. Framed Access Authorization AVPs
         4.4.10.1.  Framed-Protocol AVP
         4.4.10.2.  Framed-Routing AVP
         4.4.10.3.  Framed-MTU AVP
         4.4.10.4.  Framed-Compression AVP
         4.4.10.5.  IP Access Authorization AVPs
           4.4.10.5.1.  Framed-IP-Address AVP
           4.4.10.5.2.  Framed-IP-Netmask AVP
           4.4.10.5.3.  Framed-Route AVP
           4.4.10.5.4.  Framed-Pool AVP
           4.4.10.5.5.  Framed-Interface-Id AVP
           4.4.10.5.6.  Framed-IPv6-Prefix AVP
           4.4.10.5.7.  Framed-IPv6-Route AVP
           4.4.10.5.8.  Framed-IPv6-Pool AVP
         4.4.10.6.  IPX Access AVPs
           4.4.10.6.1.  Framed-IPX-Network AVP
         4.4.10.7.  AppleTalk Network Access AVPs
           4.4.10.7.1.  Framed-AppleTalk-Link AVP
           4.4.10.7.2.  Framed-AppleTalk-Network AVP
           4.4.10.7.3.  Framed-AppleTalk-Zone AVP
         4.4.10.8.  AppleTalk Remote Access AVPs
           4.4.10.8.1.  ARAP-Features AVP
           4.4.10.8.2.  ARAP-Zone-Access AVP
       4.4.11. Non-Framed Access Authorization AVPs
         4.4.11.1.  Login-IP-Host AVP
         4.4.11.2.  Login-IPv6-Host AVP
         4.4.11.3.  Login-Service AVP
         4.4.11.4.  TCP Services
           4.4.11.4.1.  Login-TCP-Port AVP
         4.4.11.5.  LAT Services
           4.4.11.5.1.  Login-LAT-Service AVP
           4.4.11.5.2.  Login-LAT-Node AVP
           4.4.11.5.3.  Login-LAT-Group AVP
           4.4.11.5.4.  Login-LAT-Port AVP
     4.5.  NAS Tunneling AVPs
       4.5.1.  Tunneling AVP
       4.5.2.  Tunnel-Type AVP
       4.5.3.  Tunnel-Medium-Type AVP
       4.5.4.  Tunnel-Client-Endpoint AVP
       4.5.5.  Tunnel-Server-Endpoint AVP
       4.5.6.  Tunnel-Password AVP
       4.5.7.  Tunnel-Private-Group-Id AVP
       4.5.8.  Tunnel-Assignment-Id AVP
       4.5.9.  Tunnel-Preference AVP
       4.5.10. Tunnel-Client-Auth-Id AVP
       4.5.11. Tunnel-Server-Auth-Id AVP
     4.6.  NAS Accounting AVPs
       4.6.1.  Accounting-Input-Octets AVP
       4.6.2.  Accounting-Output-Octets AVP
       4.6.3.  Accounting-Input-Packets AVP
       4.6.4.  Accounting-Output-Packets AVP
       4.6.5.  Acct-Session-Time AVP
       4.6.6.  Acct-Authentic AVP
       4.6.7.  Accounting-Auth-Method AVP
       4.6.8.  Acct-Delay-Time AVP
       4.6.9.  Acct-Link-Count AVP
       4.6.10. Acct-Tunnel-Connection AVP
       4.6.11. Acct-Tunnel-Packets-Lost AVP
   5.  AVP Occurrence Tables
     5.1.  AA-Request/Answer AVP Table
     5.2.  Accounting AVP Tables
       5.2.1.  Framed Access Accounting AVP Table
       5.2.2.  Non-Framed Access Accounting AVP Table
   6.  IANA Considerations
     6.1.  Command Codes
     6.2.  AVP Codes
     6.3.  Application Identifier
     6.4.  CHAP-Algorithm AVP Values
     6.5.  Accounting-Auth-Method AVP Values
   7.  Security Considerations
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Acknowledgements
     A.1.  RFC 4005
     A.2.  RFC 4005bis

1.  Introduction

   This document describes the Diameter protocol application used for
   AAA in the Network Access Server (NAS) environment.  When combined
   with the Diameter Base protocol [I-D.ietf-dime-rfc3588bis], Transport
   Profile [RFC3539], and EAP [RFC4072] specifications, this
   specification satisfies the NAS-related requirements defined in
   [RFC2989] and [RFC3169].

   First, this document describes the operation of a Diameter NAS
   application.  Then it defines the Diameter message Command-Codes.
   The following sections list the AVPs used in these messages, grouped
   by common usage: session identification, authentication,
   authorization, tunneling, and accounting.  The authorization AVPs are
   further broken down by service type.

1.1.  Terminology

   Section 1.2 of the base Diameter specification
   [I-D.ietf-dime-rfc3588bis] defines most of the terminology used in
   this document.  Additionally, the following terms and acronyms are
   used in this application:

   NAS (Network Access Server)
      A device that provides an access service for a user to a network.
      The service may be a network connection or a value-added service
      such as terminal emulation [RFC2881].

   PPP (Point-to-Point Protocol)
      A multiprotocol serial datalink.  PPP is the primary IP datalink
      used for dial-in NAS connection service [RFC1661].

   CHAP (Challenge Handshake Authentication Protocol)
      An authentication process used in PPP [RFC1994].

   PAP (Password Authentication Protocol)
      A deprecated PPP authentication process, but often used for
      backward compatibility [RFC1334].

   SLIP (Serial Line Internet Protocol)
      A serial datalink that only supports IP.  A design prior to PPP.

   ARAP (AppleTalk Remote Access Protocol)
      A serial datalink for accessing AppleTalk networks [ARAP].

   IPX (Internetwork Packet Exchange)
      The network protocol used by NetWare networks [IPX].

   LAT (Local Area Transport)
      A Digital Equipment Corp. LAN protocol for terminal services
      [LAT].

   VPN (Virtual Private Network)
      In this document, this term is used to describe access services
      that use tunneling methods.

1.2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

1.3.  Advertising Application Support

   Diameter applications conforming to this specification MUST advertise
   support by including the value of one (1) in the Auth-Application-Id
   of the Capabilities-Exchange-Request (CER), AA-Request (AAR), and AA-
   Answer (AAA) messages.  All other messages are defined by the
   Diameter Base protocol [I-D.ietf-dime-rfc3588bis] and use the Base
   application id value.

2.  NAS Calls, Ports, and Sessions

   The arrival of a new call or service connection at a port of a
   Network Access Server (NAS) starts a Diameter NAS message exchange.
   Information about the call, the identity of the user, and the user's
   authentication information are packaged into a Diameter AA-Request
   (AAR) message and sent to a server.

   The server processes the information and responds with a Diameter AA-
   Answer (AAA) message that contains authorization information for the
   NAS, or a failure code (Result-Code AVP).  A value of
   DIAMETER_MULTI_ROUND_AUTH indicates an additional authentication
   exchange, and several AAR and AAA messages may be exchanged until the
   transaction completes.

   Depending on the value of the Auth-Request-Type AVP, the Diameter
   protocol allows authorization-only requests that contain no
   authentication information from the client.  This capability goes
   beyond the Call Check capabilities provided by RADIUS (Section 5.6 of
   [RFC2865]) in that no access decision is requested.  As a result,
   service cannot be started on the strength of a response to an
   authorization-only request without introducing a significant security
   vulnerability.

2.1.  Diameter Session Establishment

   When the authentication or authorization exchange completes
   successfully, the NAS application SHOULD start a session context.  If
   the Result-Code of DIAMETER_MULTI_ROUND_AUTH is returned, the
   exchange continues until a success or error is returned.

   If accounting is active, the application MUST also send an Accounting
   message [I-D.ietf-dime-rfc3588bis].  An Accounting-Record-Type of
   START_RECORD is sent for a new session.  If a session fails to start,
   an EVENT_RECORD message is sent with the reason for the failure
   described.

   Note that the return of an unsupportable Accounting-Realtime-Required
   value [I-D.ietf-dime-rfc3588bis] would result in a failure to
   establish the session.

2.2.  Diameter Session Reauthentication or Reauthorization

   The Diameter Base protocol allows users to be periodically
   reauthenticated and/or reauthorized.  In such instances, the
   Session-Id AVP in the AAR message MUST be the same as the one present
   in the original authentication/authorization message.

   A Diameter server informs the NAS of the maximum time allowed before
   reauthentication or reauthorization via the Authorization-Lifetime
   AVP [I-D.ietf-dime-rfc3588bis].  A NAS MAY reauthenticate and/or
   reauthorize before the end of that period, but a NAS MUST
   reauthenticate and/or reauthorize at the end of the period provided
   by the Authorization-Lifetime AVP.  The failure of a reauthentication
   exchange will terminate the service.

   Furthermore, it is possible for Diameter servers to issue an
   unsolicited reauthentication and/or reauthorization request (e.g., a
   Re-Auth-Request (RAR) message [I-D.ietf-dime-rfc3588bis]) to the NAS.
   Upon receipt of such a message, the NAS MUST respond to the request
   with a Re-Auth-Answer (RAA) message [I-D.ietf-dime-rfc3588bis].
   If the RAR properly identifies an active session, the NAS will
   initiate a new local reauthentication or reauthorization sequence as
   indicated by the Re-Auth-Request-Type value.  This will cause the NAS
   to send a new AAR message using the existing Session-Id.  The server
   will respond with an AAA message to specify the new service
   parameters.

   If accounting is active, every change of authentication or
   authorization SHOULD generate an accounting message.  If the NAS
   service is a continuation of the prior user context, then an
   Accounting-Record-Type of INTERIM_RECORD indicating the new session
   attributes and cumulative status would be appropriate.  If a new user
   or a significant change in authorization is detected by the NAS, then
   the service may send two messages of the types STOP_RECORD and
   START_RECORD.  Accounting may change the subsession identifiers
   (Acct-Session-Id or Accounting-Sub-Session-Id) to indicate such
   subsessions.  A service may also use a different Session-Id value for
   accounting (see Section 9.6 of [I-D.ietf-dime-rfc3588bis]).

   However, the Diameter Session-Id AVP value used for the initial
   authorization exchange MUST be used to generate an STR message when
   the session context is terminated.

2.3.  Diameter Session Termination

   When a NAS receives an indication that a user's session is being
   disconnected by the client (e.g., an LCP Terminate is received) or by
   an administrative command, the NAS MUST issue a Session-Termination-
   Request (STR) [I-D.ietf-dime-rfc3588bis] to its Diameter Server.
   This will ensure that any resources maintained on the servers are
   freed appropriately.

   Furthermore, a NAS that receives an Abort-Session-Request (ASR)
   [I-D.ietf-dime-rfc3588bis] MUST issue an ASA if the session
   identified is active and disconnect the PPP (or tunneling) session.
   If accounting is active, an Accounting STOP_RECORD message
   [I-D.ietf-dime-rfc3588bis] MUST be sent upon termination of the
   session context.

   More information on Diameter Session Termination can be found in
   Sections 8.4 and 8.5 of [I-D.ietf-dime-rfc3588bis].

3.  Diameter NAS Application Messages

   This section defines the Diameter message Command-Code
   [I-D.ietf-dime-rfc3588bis] values that MUST be supported by all
   Diameter implementations conforming to this specification.  The
   Command Codes are as follows:

   +-----------------------------------+---------+------+--------------+
   | Command Name                      | Abbrev. | Code | Reference    |
   +-----------------------------------+---------+------+--------------+
   | AA-Request                        | AAR     | 265  | Section 3.1  |
   | AA-Answer                         | AAA     | 265  | Section 3.2  |
   | Re-Auth-Request                   | RAR     | 258  | Section 3.3  |
   | Re-Auth-Answer                    | RAA     | 258  | Section 3.4  |
   | Session-Termination-Request       | STR     | 275  | Section 3.5  |
   | Session-Termination-Answer        | STA     | 275  | Section 3.6  |
   | Abort-Session-Request             | ASR     | 274  | Section 3.7  |
   | Abort-Session-Answer              | ASA     | 274  | Section 3.8  |
   | Accounting-Request                | ACR     | 271  | Section 3.9  |
   | Accounting-Answer                 | ACA     | 271  | Section 3.10 |
   +-----------------------------------+---------+------+--------------+

3.1.  AA-Request (AAR) Command

   The AA-Request (AAR), which is indicated by setting the Command-Code
   field to 265 and the 'R' bit in the Command Flags field, is used to
   request authentication and/or authorization for a given NAS user.
   The type of request is identified through the Auth-Request-Type AVP
   [I-D.ietf-dime-rfc3588bis].  The recommended value for most
   situations is AUTHORIZE_AUTHENTICATE.

   If authentication is requested, the User-Name AVP SHOULD be present,
   as well as any additional authentication AVPs that would carry the
   password information.  A request for authorization SHOULD only
   include the information from which the authorization will be
   performed, such as the User-Name, Called-Station-Id, or Calling-
   Station-Id AVPs.  All requests SHOULD contain AVPs uniquely
   identifying the source of the call, such as Origin-Host and NAS-Port.
   Certain networks MAY use different AVPs for authorization purposes.
   A request for authorization will include some AVPs defined in
   Section 4.4.

   It is possible for a single session to be authorized first and then
   for an authentication request to follow.

   This AA-Request message MAY be the result of a multi-round
   authentication exchange, which occurs when the AA-Answer message is
   received with the Result-Code AVP set to DIAMETER_MULTI_ROUND_AUTH.
   A subsequent AAR message SHOULD be sent, with the User-Password AVP
   that includes the user's response to the prompt, and MUST include any
   State AVPs that were present in the AAA message.

   Message Format

      <AA-Request> ::= < Diameter Header: 265, REQ, PXY >
                       < Session-Id >
                       { Auth-Application-Id }
                       { Origin-Host }
                       { Origin-Realm }
                       { Destination-Realm }
                       { Auth-Request-Type }
                       [ Destination-Host ]
                       [ NAS-Identifier ]
                       [ NAS-IP-Address ]
                       [ NAS-IPv6-Address ]
                       [ NAS-Port ]
                       [ NAS-Port-Id ]
                       [ NAS-Port-Type ]
                       [ Origin-AAA-Protocol ]
                       [ Origin-State-Id ]
                       [ Port-Limit ]
                       [ User-Name ]
                       [ User-Password ]
                       [ Service-Type ]
                       [ State ]
                       [ Authorization-Lifetime ]
                       [ Auth-Grace-Period ]
                       [ Auth-Session-State ]
                       [ Callback-Number ]
                       [ Called-Station-Id ]
                       [ Calling-Station-Id ]
                       [ Originating-Line-Info ]
                       [ Connect-Info ]
                       [ CHAP-Auth ]
                       [ CHAP-Challenge ]
                     * [ Framed-Compression ]
                       [ Framed-Interface-Id ]
                       [ Framed-IP-Address ]
                     * [ Framed-IPv6-Prefix ]
                       [ Framed-IP-Netmask ]
                       [ Framed-MTU ]
                       [ Framed-Protocol ]
                       [ ARAP-Password ]
                       [ ARAP-Security ]
                     * [ ARAP-Security-Data ]
                     * [ Login-IP-Host ]
                     * [ Login-IPv6-Host ]
                       [ Login-LAT-Group ]
                       [ Login-LAT-Node ]
                       [ Login-LAT-Port ]
                       [ Login-LAT-Service ]
                     * [ Tunneling ]
                     * [ Proxy-Info ]
                     * [ Route-Record ]
                     * [ AVP ]

3.2.  AA-Answer (AAA) Command

   The AA-Answer (AAA) message is indicated by setting the Command-Code
   field to 265 and clearing the 'R' bit in the Command Flags field.  It
   is sent in response to the AA-Request (AAR) message.  If
   authorization was requested, a successful response will include the
   authorization AVPs appropriate for the service being provided, as
   defined in Section 4.4.

   For authentication exchanges requiring more than a single round trip,
   the server MUST set the Result-Code AVP to DIAMETER_MULTI_ROUND_AUTH.
   An AAA message with this result code MAY include one or more
   Reply-Message AVPs and MAY include zero or one State AVP.

   If the Reply-Message AVP was present, the network access server
   SHOULD send the text to the user's client to display to the user,
   instructing the client to prompt the user for a response.  For
   example, this capability can be achieved in PPP via PAP.  If the
   access client is unable to prompt the user for a new response, it
   MUST treat the AA-Answer (AAA) with the Reply-Message AVP as an error
   and deny access.
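   The exchange described in Section 2 and Sections 3.1 and 3.2, as an
   added example that is not part of this draft or of any Diameter
   implementation: a minimal encoder/decoder for the Diameter header and
   AVP layout defined in the base protocol, a toy server that answers the
   first AAR with DIAMETER_MULTI_ROUND_AUTH plus a State AVP and a
   Reply-Message prompt, and a NAS that answers the prompt in a second
   AAR on the same Session-Id, echoing the State AVP.  The host names,
   the Session-Id value, the user "alice" and her password are
   constructed; VERIFIERS and PENDING are stand-ins for server state.
   The AVP codes and Result-Code values are the base-protocol and
   RADIUS-derived ones.

```python
"""Added example, not code from the draft: a minimal Diameter header/AVP codec and the
multi-round AAR/AAA exchange of Sections 2 and 3.1-3.2 (NAS application, app id 1)."""
import hmac
import os
import struct

NASREQ_APP_ID, CMD_AA = 1, 265        # Section 1.3 app id; AAR/AAA share the code, R bit differs
FLAG_REQUEST, FLAG_PROXIABLE = 0x80, 0x40
AVP_MANDATORY, AVP_VENDOR = 0x40, 0x80
# AVP codes: base protocol plus the RADIUS-derived NAS AVPs of Section 4
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18
AUTH_APP_ID, SESSION_ID, ORIGIN_HOST, RESULT_CODE = 258, 263, 264, 268
AUTH_REQUEST_TYPE, STATE, DEST_REALM, ORIGIN_REALM = 274, 277, 283, 296
AUTHORIZE_AUTHENTICATE = 3
DIAMETER_MULTI_ROUND_AUTH, DIAMETER_SUCCESS = 1001, 2001
DIAMETER_AUTHENTICATION_REJECTED, DIAMETER_UNABLE_TO_COMPLY = 4001, 5012

VERIFIERS = {"alice": b"s3cret"}      # constructed server-side credential store
PENDING = {}                          # constructed server state: State token -> Session-Id

def encode_avp(code, data, mandatory=True):
    """AVP = code(4) flags(1) length(3) data; the length excludes the 4-byte padding."""
    if isinstance(data, int):
        data = struct.pack("!I", data)            # Unsigned32 / Enumerated
    elif isinstance(data, str):
        data = data.encode()                      # UTF8String / DiameterIdentity
    hdr = struct.pack("!IB", code, AVP_MANDATORY if mandatory else 0)
    return hdr + (8 + len(data)).to_bytes(3, "big") + data + bytes(-len(data) % 4)

def encode_message(cmd, flags, app_id, hbh, e2e, avps):
    """Header = ver(1) length(3) flags(1) code(3) app-id(4) hop-by-hop(4) end-to-end(4)."""
    body = b"".join(avps)
    return (b"\x01" + (20 + len(body)).to_bytes(3, "big") + bytes([flags])
            + cmd.to_bytes(3, "big") + struct.pack("!III", app_id, hbh, e2e) + body)

def decode_message(buf):
    """Return (cmd, flags, app_id, hbh, e2e, {avp code: data}); lengths are checked first."""
    if len(buf) < 20 or buf[0] != 1 or int.from_bytes(buf[1:4], "big") != len(buf):
        raise ValueError("bad Diameter header or message length")
    flags, cmd = buf[4], int.from_bytes(buf[5:8], "big")
    app_id, hbh, e2e = struct.unpack("!III", buf[8:20])
    avps, pos = {}, 20
    while pos < len(buf):
        if len(buf) - pos < 8:
            raise ValueError("truncated AVP header")
        code, aflags = struct.unpack("!IB", buf[pos:pos + 5])
        alen = int.from_bytes(buf[pos + 5:pos + 8], "big")
        hdr = 12 if aflags & AVP_VENDOR else 8    # the V bit adds a Vendor-Id word
        if alen < hdr or pos + alen > len(buf):
            raise ValueError("bad AVP length")   # never trust the length field blindly
        avps[code] = buf[pos + hdr:pos + alen]
        pos += alen + (-alen % 4)
    return cmd, flags, app_id, hbh, e2e, avps

def build_aar(session_id, user, hbh, e2e, extra=()):
    """AAR (Section 3.1): fixed AVPs in message-format order, then any extras."""
    avps = [encode_avp(SESSION_ID, session_id), encode_avp(AUTH_APP_ID, NASREQ_APP_ID),
            encode_avp(ORIGIN_HOST, "nas1.example.com"),
            encode_avp(ORIGIN_REALM, "example.com"), encode_avp(DEST_REALM, "example.com"),
            encode_avp(AUTH_REQUEST_TYPE, AUTHORIZE_AUTHENTICATE), encode_avp(USER_NAME, user)]
    return encode_message(CMD_AA, FLAG_REQUEST | FLAG_PROXIABLE, NASREQ_APP_ID,
                          hbh, e2e, avps + list(extra))

def server_handle_aar(raw):
    """Toy server: round one -> MULTI_ROUND_AUTH with State and a prompt; round two must
    echo that State and carry User-Password (Section 3.1)."""
    cmd, flags, app_id, hbh, e2e, a = decode_message(raw)
    if cmd != CMD_AA or not flags & FLAG_REQUEST or app_id != NASREQ_APP_ID:
        raise ValueError("not an AAR for the NAS application")
    session, user, extra = a[SESSION_ID], a[USER_NAME].decode(), []
    if USER_PASSWORD not in a:
        token = os.urandom(8)                     # opaque to the NAS, bound to this session
        PENDING[token] = session
        result = DIAMETER_MULTI_ROUND_AUTH
        extra = [encode_avp(STATE, token), encode_avp(REPLY_MESSAGE, "Password:")]
    elif PENDING.pop(a.get(STATE), None) != session:
        result = DIAMETER_UNABLE_TO_COMPLY        # State missing, replayed, or another session's
    elif hmac.compare_digest(a[USER_PASSWORD], VERIFIERS.get(user, b"")):
        result = DIAMETER_SUCCESS
    else:
        result = DIAMETER_AUTHENTICATION_REJECTED
    avps = [encode_avp(SESSION_ID, session), encode_avp(AUTH_APP_ID, NASREQ_APP_ID),
            encode_avp(AUTH_REQUEST_TYPE, AUTHORIZE_AUTHENTICATE),
            encode_avp(RESULT_CODE, result), encode_avp(ORIGIN_HOST, "aaa.example.com"),
            encode_avp(ORIGIN_REALM, "example.com")]
    # AAA: R bit clear, P bit and both identifiers copied from the request
    return encode_message(CMD_AA, flags & FLAG_PROXIABLE, NASREQ_APP_ID, hbh, e2e, avps + extra)

def nas_login(user, password):
    """NAS side: send the AAR; if prompted, send a second AAR on the same Session-Id that
    carries User-Password and echoes State; return the final Result-Code."""
    session, hbh, e2e = "nas1.example.com;1289900000;1", 1, 1
    a = decode_message(server_handle_aar(build_aar(session, user, hbh, e2e)))[5]
    result = int.from_bytes(a[RESULT_CODE], "big")
    if result == DIAMETER_MULTI_ROUND_AUTH:
        reply = [encode_avp(USER_PASSWORD, password.encode())]
        reply += [encode_avp(STATE, a[STATE])] if STATE in a else []
        a = decode_message(server_handle_aar(build_aar(session, user, hbh + 1, e2e + 1, reply)))[5]
        result = int.from_bytes(a[RESULT_CODE], "big")
    return result
```

   Two details carry the security weight here.  The decoder checks every
   length field against the buffer before slicing, so a truncated or
   oversized AVP raises instead of over-reading.  And the second-round
   check that the echoed State token maps back to the same Session-Id is
   what keeps a State captured from one session from being replayed into
   another; a State AVP that the server cannot tie to a pending session is
   answered with DIAMETER_UNABLE_TO_COMPLY rather than a prompt.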
   Message Format

      <AA-Answer> ::= < Diameter Header: 265, PXY >
                      < Session-Id >
                      { Auth-Application-Id }
                      { Auth-Request-Type }
                      { Result-Code }
                      { Origin-Host }
                      { Origin-Realm }
                      [ User-Name ]
                      [ Service-Type ]
                    * [ Class ]
                    * [ Configuration-Token ]
                      [ Acct-Interim-Interval ]
                      [ Error-Message ]
                      [ Error-Reporting-Host ]
                    * [ Failed-AVP ]
                      [ Idle-Timeout ]
                      [ Authorization-Lifetime ]
                      [ Auth-Grace-Period ]
                      [ Auth-Session-State ]
                      [ Re-Auth-Request-Type ]
                      [ Multi-Round-Time-Out ]
                      [ Session-Timeout ]
                      [ State ]
                    * [ Reply-Message ]
                      [ Origin-AAA-Protocol ]
                      [ Origin-State-Id ]
                    * [ Filter-Id ]
                      [ Password-Retry ]
                      [ Port-Limit ]
                      [ Prompt ]
                      [ ARAP-Challenge-Response ]
                      [ ARAP-Features ]
                      [ ARAP-Security ]
                    * [ ARAP-Security-Data ]
                      [ ARAP-Zone-Access ]
                      [ Callback-Id ]
                      [ Callback-Number ]
                      [ Framed-AppleTalk-Link ]
                    * [ Framed-AppleTalk-Network ]
                      [ Framed-AppleTalk-Zone ]
                    * [ Framed-Compression ]
                      [ Framed-Interface-Id ]
                      [ Framed-IP-Address ]
                    * [ Framed-IPv6-Prefix ]
                      [ Framed-IPv6-Pool ]
                    * [ Framed-IPv6-Route ]
                      [ Framed-IP-Netmask ]
                    * [ Framed-Route ]
                      [ Framed-Pool ]
                      [ Framed-IPX-Network ]
                      [ Framed-MTU ]
                      [ Framed-Protocol ]
                      [ Framed-Routing ]
                    * [ Login-IP-Host ]
                    * [ Login-IPv6-Host ]
                      [ Login-LAT-Group ]
                      [ Login-LAT-Node ]
                      [ Login-LAT-Port ]
                      [ Login-LAT-Service ]
                      [ Login-Service ]
                      [ Login-TCP-Port ]
                    * [ NAS-Filter-Rule ]
                    * [ QoS-Filter-Rule ]
                    * [ Tunneling ]
                    * [ Redirect-Host ]
                      [ Redirect-Host-Usage ]
                      [ Redirect-Max-Cache-Time ]
                    * [ Proxy-Info ]
                    * [ AVP ]

3.3.  Re-Auth-Request (RAR) Command

   A Diameter server may initiate a re-authentication and/or re-
   authorization service for a particular session by issuing a Re-Auth-
   Request (RAR) message [I-D.ietf-dime-rfc3588bis].
   For example, for pre-paid services, the Diameter server that
   originally authorized a session may need some confirmation that the
   user is still using the services.

   If a NAS receives an RAR message with Session-Id equal to a currently
   active session and a Re-Auth-Request-Type that includes
   authentication, it MUST initiate a re-authentication toward the user,
   if the service supports this particular feature.

   Message Format

      <RA-Request> ::= < Diameter Header: 258, REQ, PXY >
                       < Session-Id >
                       { Origin-Host }
                       { Origin-Realm }
                       { Destination-Realm }
                       { Destination-Host }
                       { Auth-Application-Id }
                       { Re-Auth-Request-Type }
                       [ User-Name ]
                       [ Origin-AAA-Protocol ]
                       [ Origin-State-Id ]
                       [ NAS-Identifier ]
                       [ NAS-IP-Address ]
                       [ NAS-IPv6-Address ]
                       [ NAS-Port ]
                       [ NAS-Port-Id ]
                       [ NAS-Port-Type ]
                       [ Service-Type ]
                       [ Framed-IP-Address ]
                       [ Framed-IPv6-Prefix ]
                       [ Framed-Interface-Id ]
                       [ Called-Station-Id ]
                       [ Calling-Station-Id ]
                       [ Originating-Line-Info ]
                       [ Acct-Session-Id ]
                       [ Acct-Multi-Session-Id ]
                       [ State ]
                     * [ Class ]
                       [ Reply-Message ]
                     * [ Proxy-Info ]
                     * [ Route-Record ]
                     * [ AVP ]

3.4.  Re-Auth-Answer (RAA) Command

   The Re-Auth-Answer (RAA) message [I-D.ietf-dime-rfc3588bis] is sent
   in response to the RAR.  The Result-Code AVP MUST be present and
   indicates the disposition of the request.

   A successful RAA transaction MUST be followed by an AAR message.
   Message Format

      <RA-Answer> ::= < Diameter Header: 258, PXY >
                      < Session-Id >
                      { Result-Code }
                      { Origin-Host }
                      { Origin-Realm }
                      [ User-Name ]
                      [ Origin-AAA-Protocol ]
                      [ Origin-State-Id ]
                      [ Error-Message ]
                      [ Error-Reporting-Host ]
                    * [ Failed-AVP ]
                    * [ Redirect-Host ]
                      [ Redirect-Host-Usage ]
                      [ Redirect-Max-Cache-Time ]
                      [ Service-Type ]
                    * [ Configuration-Token ]
                      [ Idle-Timeout ]
                      [ Authorization-Lifetime ]
                      [ Auth-Grace-Period ]
                      [ Re-Auth-Request-Type ]
                      [ State ]
                    * [ Class ]
                    * [ Reply-Message ]
                      [ Prompt ]
                    * [ Proxy-Info ]
                    * [ AVP ]

3.5.  Session-Termination-Request (STR) Command

   The Session-Termination-Request (STR) message
   [I-D.ietf-dime-rfc3588bis] is sent by the NAS to inform the Diameter
   Server that an authenticated and/or authorized session is being
   terminated.

   Message Format

      <ST-Request> ::= < Diameter Header: 275, REQ, PXY >
                       < Session-Id >
                       { Origin-Host }
                       { Origin-Realm }
                       { Destination-Realm }
                       { Auth-Application-Id }
                       { Termination-Cause }
                       [ User-Name ]
                       [ Destination-Host ]
                     * [ Class ]
                       [ Origin-AAA-Protocol ]
                       [ Origin-State-Id ]
                     * [ Proxy-Info ]
                     * [ Route-Record ]
                     * [ AVP ]

3.6.  Session-Termination-Answer (STA) Command

   The Session-Termination-Answer (STA) message
   [I-D.ietf-dime-rfc3588bis] is sent by the Diameter Server to
   acknowledge the notification that the session has been terminated.
   The Result-Code AVP MUST be present and MAY contain an indication
   that an error occurred while the STR was being serviced.

   Upon sending or receiving the STA, the Diameter Server MUST release
   all resources for the session indicated by the Session-Id AVP.  Any
   intermediate server in the Proxy-Chain MAY also release any
   resources, if necessary.
   Message Format

      <ST-Answer> ::= < Diameter Header: 275, PXY >
                      < Session-Id >
                      { Result-Code }
                      { Origin-Host }
                      { Origin-Realm }
                      [ User-Name ]
                    * [ Class ]
                      [ Error-Message ]
                      [ Error-Reporting-Host ]
                    * [ Failed-AVP ]
                      [ Origin-AAA-Protocol ]
                      [ Origin-State-Id ]
                    * [ Redirect-Host ]
                      [ Redirect-Host-Usage ]
                      [ Redirect-Max-Cache-Time ]
                    * [ Proxy-Info ]
                    * [ AVP ]

3.7.  Abort-Session-Request (ASR) Command

   The Abort-Session-Request (ASR) message [I-D.ietf-dime-rfc3588bis]
   may be sent by any server to the NAS providing session service, to
   request that the session identified by the Session-Id be stopped.

   Message Format

      <AS-Request> ::= < Diameter Header: 274, REQ, PXY >
                       < Session-Id >
                       { Origin-Host }
                       { Origin-Realm }
                       { Destination-Realm }
                       { Destination-Host }
                       { Auth-Application-Id }
                       [ User-Name ]
                       [ Origin-AAA-Protocol ]
                       [ Origin-State-Id ]
                       [ NAS-Identifier ]
                       [ NAS-IP-Address ]
                       [ NAS-IPv6-Address ]
                       [ NAS-Port ]
                       [ NAS-Port-Id ]
                       [ NAS-Port-Type ]
                       [ Service-Type ]
                       [ Framed-IP-Address ]
                       [ Framed-IPv6-Prefix ]
                       [ Framed-Interface-Id ]
                       [ Called-Station-Id ]
                       [ Calling-Station-Id ]
                       [ Originating-Line-Info ]
                       [ Acct-Session-Id ]
                       [ Acct-Multi-Session-Id ]
                       [ State ]
                     * [ Class ]
                     * [ Reply-Message ]
                     * [ Proxy-Info ]
                     * [ Route-Record ]
                     * [ AVP ]

3.8.  Abort-Session-Answer (ASA) Command

   The ASA message [I-D.ietf-dime-rfc3588bis] is sent in response to the
   ASR.  The Result-Code AVP MUST be present and indicates the
   disposition of the request.

   If the session identified by Session-Id in the ASR was successfully
   terminated, Result-Code is set to DIAMETER_SUCCESS.  If the session
   is not currently active, the Result-Code AVP is set to
   DIAMETER_UNKNOWN_SESSION_ID.  If the access device does not stop the
   session for any other reason, the Result-Code AVP is set to
   DIAMETER_UNABLE_TO_COMPLY.

   Message Format

      <AS-Answer> ::= < Diameter Header: 274, PXY >
                      < Session-Id >
                      { Result-Code }
                      { Origin-Host }
                      { Origin-Realm }
                      [ User-Name ]
                      [ Origin-AAA-Protocol ]
                      [ Origin-State-Id ]
                      [ State ]
                      [ Error-Message ]
                      [ Error-Reporting-Host ]
                    * [ Failed-AVP ]
                    * [ Redirect-Host ]
                      [ Redirect-Host-Usage ]
                      [ Redirect-Max-Cache-Time ]
                    * [ Proxy-Info ]
                    * [ AVP ]

3.9.  Accounting-Request (ACR) Command

   The ACR message [I-D.ietf-dime-rfc3588bis] is sent by the NAS to
   report its session information to a target server downstream.

   Either the Acct-Application-Id AVP or the Vendor-Specific-
   Application-Id AVP MUST be present.  If the Vendor-Specific-
   Application-Id grouped AVP is present, it MUST contain an Acct-
   Application-Id AVP.

   The AVPs listed in the Base protocol specification
   [I-D.ietf-dime-rfc3588bis] MUST be assumed to be present, as
   appropriate.  NAS service-specific accounting AVPs SHOULD be present
   as described in Section 4.6 and the rest of this specification.
   Message Format

      <AC-Request> ::= < Diameter Header: 271, REQ, PXY >
                       < Session-Id >
                       { Origin-Host }
                       { Origin-Realm }
                       { Destination-Realm }
                       { Accounting-Record-Type }
                       { Accounting-Record-Number }
                       [ Acct-Application-Id ]
                       [ Vendor-Specific-Application-Id ]
                       [ User-Name ]
                       [ Accounting-Sub-Session-Id ]
                       [ Acct-Session-Id ]
                       [ Acct-Multi-Session-Id ]
                       [ Origin-AAA-Protocol ]
                       [ Origin-State-Id ]
                       [ Destination-Host ]
                       [ Event-Timestamp ]
                       [ Acct-Delay-Time ]
                       [ NAS-Identifier ]
                       [ NAS-IP-Address ]
                       [ NAS-IPv6-Address ]
                       [ NAS-Port ]
                       [ NAS-Port-Id ]
                       [ NAS-Port-Type ]
                     * [ Class ]
                       [ Service-Type ]
                       [ Termination-Cause ]
                       [ Accounting-Input-Octets ]
                       [ Accounting-Input-Packets ]
                       [ Accounting-Output-Octets ]
                       [ Accounting-Output-Packets ]
                       [ Acct-Authentic ]
                       [ Accounting-Auth-Method ]
                       [ Acct-Link-Count ]
                       [ Acct-Session-Time ]
                       [ Acct-Tunnel-Connection ]
                       [ Acct-Tunnel-Packets-Lost ]
                       [ Callback-Id ]
                       [ Callback-Number ]
                       [ Called-Station-Id ]
                       [ Calling-Station-Id ]
                     * [ Connect-Info ]
                       [ Originating-Line-Info ]
                       [ Authorization-Lifetime ]
                       [ Session-Timeout ]
                       [ Idle-Timeout ]
                       [ Port-Limit ]
                       [ Accounting-Realtime-Required ]
                       [ Acct-Interim-Interval ]
                     * [ Filter-Id ]
                     * [ NAS-Filter-Rule ]
                     * [ QoS-Filter-Rule ]
                       [ Framed-AppleTalk-Link ]
                       [ Framed-AppleTalk-Network ]
                       [ Framed-AppleTalk-Zone ]
                       [ Framed-Compression ]
                       [ Framed-Interface-Id ]
                       [ Framed-IP-Address ]
                       [ Framed-IP-Netmask ]
                     * [ Framed-IPv6-Prefix ]
                       [ Framed-IPv6-Pool ]
                     * [ Framed-IPv6-Route ]
                       [ Framed-IPX-Network ]
                       [ Framed-MTU ]
                       [ Framed-Pool ]
                       [ Framed-Protocol ]
                     * [ Framed-Route ]
                       [ Framed-Routing ]
                     * [ Login-IP-Host ]
                     * [ Login-IPv6-Host ]
                       [ Login-LAT-Group ]
                       [ Login-LAT-Node ]
                       [ Login-LAT-Port ]
                       [ Login-LAT-Service ]
                       [ Login-Service ]
                       [ Login-TCP-Port ]
                     * [ Tunneling ]
                     * [ Proxy-Info ]
                     * [ Route-Record ]
                     * [ AVP ]

3.10.  Accounting-Answer (ACA) Command

   The ACA message [I-D.ietf-dime-rfc3588bis] is used to acknowledge an
   Accounting-Request command.  The Accounting-Answer command contains
   the same Session-Id as the Request.  If the Accounting-Request was
   protected by end-to-end security, then the corresponding ACA message
   MUST be protected as well.

   Only the target Diameter Server or home Diameter Server SHOULD
   respond with the Accounting-Answer command.

   Either the Acct-Application-Id AVP or the
   Vendor-Specific-Application-Id AVP MUST be present, as it was in the
   request.

   The AVPs listed in the Base protocol specification
   [I-D.ietf-dime-rfc3588bis] MUST be assumed to be present, as
   appropriate.  NAS service-specific accounting AVPs SHOULD be present
   as described in Section 4.6 and the rest of this specification.

   Message Format

      <AC-Answer> ::= < Diameter Header: 271, PXY >
                      < Session-Id >
                      { Result-Code }
                      { Origin-Host }
                      { Origin-Realm }
                      { Accounting-Record-Type }
                      { Accounting-Record-Number }
                      [ Acct-Application-Id ]
                      [ Vendor-Specific-Application-Id ]
                      [ User-Name ]
                      [ Accounting-Sub-Session-Id ]
                      [ Acct-Session-Id ]
                      [ Acct-Multi-Session-Id ]
                      [ Event-Timestamp ]
                      [ Error-Message ]
                      [ Error-Reporting-Host ]
                    * [ Failed-AVP ]
                      [ Origin-AAA-Protocol ]
                      [ Origin-State-Id ]
                      [ NAS-Identifier ]
                      [ NAS-IP-Address ]
                      [ NAS-IPv6-Address ]
                      [ NAS-Port ]
                      [ NAS-Port-Id ]
                      [ NAS-Port-Type ]
                      [ Service-Type ]
                      [ Termination-Cause ]
                      [ Accounting-Realtime-Required ]
                      [ Acct-Interim-Interval ]
                    * [ Class ]
                    * [ Proxy-Info ]
                    * [ AVP ]

4.  Diameter NAS Application AVPs

   The following sections define a new derived AVP data format and a set
   of application-specific AVPs, and describe the use of AVPs defined in
   other documents by the Diameter NAS Application.
4.1.  Derived AVP Data Formats

4.1.1.  QoSFilterRule

   The QoSFilterRule format is derived from the OctetString AVP Base
   Format.  It uses the ASCII charset.  Packets may be marked or metered
   based on the following information:

   o  Direction (in or out)

   o  Source and destination IP address (possibly masked)

   o  Protocol

   o  Source and destination port (lists or ranges)

   o  DSCP values (no mask or range)

   Rules for the appropriate direction are evaluated in order; the first
   matched rule terminates the evaluation.  Each packet is evaluated
   once.  If no rule matches, the packet is treated as best effort.  An
   access device unable to interpret or apply a QoS rule SHOULD NOT
   terminate the session.

   QoSFilterRule filters MUST follow the following format:

      action dir proto from src to dst [options]

   where

   action
      tag    Mark packet with a specific DSCP [RFC2474]
      meter  Meter traffic

   dir      The format is as described under IPFilterRule
            [I-D.ietf-dime-rfc3588bis]

   proto    The format is as described under IPFilterRule
            [I-D.ietf-dime-rfc3588bis]

   src and dst
            The format is as described under IPFilterRule
            [I-D.ietf-dime-rfc3588bis]

   The options are described in Section 4.4.9.

   The rule syntax is a modified subset of ipfw(8) from FreeBSD, and the
   ipfw.c code may provide a useful base for implementations.

4.2.  NAS Session AVPs

   Diameter reserves the AVP Codes 0 - 255 for RADIUS Attributes that
   are implemented in Diameter.

4.2.1.  Call and Session Information

   This section describes the AVPs specific to Diameter applications
   that are needed to identify the call and session context and status
   information.  On a request, this information allows the server to
   qualify the session.
   These AVPs are used in addition to the following AVPs from the base
   protocol specification [I-D.ietf-dime-rfc3588bis]:

      Session-Id
      Auth-Application-Id
      Origin-Host
      Origin-Realm
      Auth-Request-Type
      Termination-Cause

   The following table gives the possible flag values for the session
   level AVPs and specifies whether the AVP MAY be encrypted.

                                            +---------------------+
                                            |    AVP Flag rules   |
                                            |----+-----+----+-----|----+
                                            |    |     |SHLD| MUST|    |
   Attribute Name         Section Defined   |MUST| MAY | NOT| NOT|Encr|
   -----------------------------------------|----+-----+----+-----|----|
   NAS-Port                 4.2.2           | M  |  P  |    |  V  | Y  |
   NAS-Port-Id              4.2.3           | M  |  P  |    |  V  | Y  |
   NAS-Port-Type            4.2.4           | M  |  P  |    |  V  | Y  |
   Called-Station-Id        4.2.5           | M  |  P  |    |  V  | Y  |
   Calling-Station-Id       4.2.6           | M  |  P  |    |  V  | Y  |
   Connect-Info             4.2.7           | M  |  P  |    |  V  | Y  |
   Originating-Line-Info    4.2.8           |    | M,P |    |  V  | Y  |
   Reply-Message            4.2.9           | M  |  P  |    |  V  | Y  |
   -----------------------------------------|----+-----+----+-----|----|

4.2.2.  NAS-Port AVP

   The NAS-Port AVP (AVP Code 5) is of type Unsigned32 and contains the
   physical or virtual port number of the NAS which is authenticating
   the user.  Note that "port" is meant in its sense as a service
   connection on the NAS, not as an IP protocol identifier.

   Either the NAS-Port AVP or the NAS-Port-Id AVP (Section 4.2.3) SHOULD
   be present in the AA-Request (AAR, Section 3.1) command if the NAS
   differentiates among its ports.

4.2.3.  NAS-Port-Id AVP

   The NAS-Port-Id AVP (AVP Code 87) is of type UTF8String and consists
   of ASCII text identifying the port of the NAS authenticating the
   user.  Note that "port" is meant in its sense as a service connection
   on the NAS, not as an IP protocol identifier.
   Either the NAS-Port-Id or the NAS-Port (Section 4.2.2) SHOULD be
   present in the AA-Request (AAR, Section 3.1) command if the NAS
   differentiates among its ports.  NAS-Port-Id is intended for use by
   NASes that cannot conveniently number their ports.

4.2.4.  NAS-Port-Type AVP

   The NAS-Port-Type AVP (AVP Code 61) is of type Enumerated and
   contains the type of the port on which the NAS is authenticating the
   user.  This AVP SHOULD be present if the NAS uses the same NAS-Port
   number ranges for different service types concurrently.

   The currently supported values of the NAS-Port-Type AVP are listed in
   [RADIUSTypes].

4.2.5.  Called-Station-Id AVP

   The Called-Station-Id AVP (AVP Code 30) is of type UTF8String and
   allows the NAS to send the ASCII string describing the Layer 2
   address the user contacted in the request.  For dialup access, this
   can be a phone number obtained by using the Dialed Number
   Identification Service (DNIS) or a similar technology.  Note that
   this may be different from the phone number the call comes in on.
   For use with IEEE 802 access, the Called-Station-Id MAY contain a MAC
   address formatted as described in [RFC3580].  It SHOULD only be
   present in authentication and/or authorization requests.

   If the Called-Station-Id AVP is present in an AAR message, the
   Auth-Request-Type AVP is set to AUTHORIZE_ONLY and the User-Name AVP
   is absent, the Diameter Server MAY perform authorization based on
   this AVP.  This can be used by a NAS to request whether a call should
   be answered based on the DNIS.

   The codification of this field's allowed usage range is outside the
   scope of this specification.

4.2.6.  Calling-Station-Id AVP

   The Calling-Station-Id AVP (AVP Code 31) is of type UTF8String and
   allows the NAS to send the ASCII string describing the Layer 2
   address from which the user connected in the request.  For dialup
   access, this is the phone number the call came from, using Automatic
   Number Identification (ANI) or a similar technology.  For use with
   IEEE 802 access, the Calling-Station-Id AVP MAY contain a MAC
   address, formatted as described in [RFC3580].  It SHOULD only be
   present in authentication and/or authorization requests.

   If the Calling-Station-Id AVP is present in an AAR message, the
   Auth-Request-Type AVP is set to AUTHORIZE_ONLY and the User-Name AVP
   is absent, the Diameter Server MAY perform authorization based on the
   value of this AVP.  This can be used by a NAS to request whether a
   call should be answered based on the Layer 2 address (ANI, MAC
   address, etc.).

   The codification of this field's allowed usage range is outside the
   scope of this specification.

4.2.7.  Connect-Info AVP

   The Connect-Info AVP (AVP Code 77) is of type UTF8String and is sent
   in the AA-Request message or an ACR message with the value of the
   Accounting-Record-Type AVP set to STOP.  When sent in the AA-Request,
   it indicates the nature of the user's connection.  The connection
   speed SHOULD be included at the beginning of the first Connect-Info
   AVP in the message.  If the transmit and receive connection speeds
   differ, both may be included in the first AVP with the transmit speed
   listed first (the speed at which the NAS modem transmits), then a
   slash (/), then the receive speed, and then other optional
   information.

   For example: "28800 V42BIS/LAPM" or "52000/31200 V90"

   If sent in an ACR message with the value of the
   Accounting-Record-Type AVP set to STOP, this attribute may summarize
   statistics relating to session quality.  For example, in IEEE 802.11,
   the Connect-Info AVP may contain information on the number of link
   layer retransmissions.  The exact format of this attribute is
   implementation specific.

4.2.8.  Originating-Line-Info AVP

   The Originating-Line-Info AVP (AVP Code 94) is of type OctetString
   and is sent by the NAS system to convey information about the origin
   of the call from an SS7 system.

   The originating line information (OLI) element indicates the nature
   and/or characteristics of the line from which a call originated
   (e.g., pay phone, hotel, cellular).  Telephone companies are starting
   to offer OLI to their customers as an option over Primary Rate
   Interface (PRI).  Internet Service Providers (ISPs) can use OLI in
   addition to Called-Station-Id and Calling-Station-Id attributes to
   differentiate customer calls and to define different services.

   The Value field contains two octets (00 - 99).  ANSI T1.113 and
   BELLCORE 394 can be used for additional information about these
   values and their use.  For information on the currently assigned
   values, see [ANITypes].

4.2.9.  Reply-Message AVP

   The Reply-Message AVP (AVP Code 18) is of type UTF8String and
   contains text that MAY be displayed to the user.  When used in an
   AA-Answer message with a successful Result-Code AVP, it indicates
   success.  When found in an AAA message with a Result-Code other than
   DIAMETER_SUCCESS, the AVP contains a failure message.

   The Reply-Message AVP MAY contain text to prompt the user before
   another AA-Request attempt.  When used in an AA-Answer message
   containing a Result-Code AVP with the value DIAMETER_MULTI_ROUND_AUTH
   or in a Re-Auth-Request message, it MAY contain text to prompt the
   user for a response.

4.3.  NAS Authentication AVPs

   This section defines the AVPs necessary to carry the authentication
   information in the Diameter protocol.  The functionality defined here
   provides a RADIUS-like AAA service [RFC2865] over a more reliable and
   secure transport, as defined in the base protocol
   [I-D.ietf-dime-rfc3588bis].
   The following table gives the possible flag values for the session
   level AVPs and specifies whether the AVP MAY be encrypted.

                                            +---------------------+
                                            |    AVP Flag rules   |
                                            |----+-----+----+-----|----+
                                            |    |     |SHLD| MUST|    |
   Attribute Name         Section Defined   |MUST| MAY | NOT| NOT|Encr|
   -----------------------------------------|----+-----+----+-----|----|
   User-Password            4.3.1           | M  |  P  |    |  V  | Y  |
   Password-Retry           4.3.2           | M  |  P  |    |  V  | Y  |
   Prompt                   4.3.3           | M  |  P  |    |  V  | Y  |
   CHAP-Auth                4.3.4           | M  |  P  |    |  V  | Y  |
   CHAP-Algorithm           4.3.5           | M  |  P  |    |  V  | Y  |
   CHAP-Ident               4.3.6           | M  |  P  |    |  V  | Y  |
   CHAP-Response            4.3.7           | M  |  P  |    |  V  | Y  |
   CHAP-Challenge           4.3.8           | M  |  P  |    |  V  | Y  |
   ARAP-Password            4.3.9           | M  |  P  |    |  V  | Y  |
   ARAP-Challenge-Response  4.3.10          | M  |  P  |    |  V  | Y  |
   ARAP-Security            4.3.11          | M  |  P  |    |  V  | Y  |
   ARAP-Security-Data       4.3.12          | M  |  P  |    |  V  | Y  |
   -----------------------------------------|----+-----+----+-----|----|

4.3.1.  User-Password AVP

   The User-Password AVP (AVP Code 2) is of type OctetString and
   contains the password of the user to be authenticated, or the user's
   input in a multi-round authentication exchange.

   The User-Password AVP contains a user password or one-time password
   and therefore represents sensitive information.  As required in
   [I-D.ietf-dime-rfc3588bis], Diameter messages are encrypted by using
   IPsec or TLS.  Unless this AVP is used for one-time passwords, the
   User-Password AVP SHOULD NOT be used in untrusted proxy environments
   without encrypting it by using end-to-end security techniques.

   The clear-text password (prior to encryption) MUST NOT be longer than
   128 bytes in length.

4.3.2.  Password-Retry AVP

   The Password-Retry AVP (AVP Code 75) is of type Unsigned32 and MAY be
   included in the AA-Answer if the Result-Code indicates an
   authentication failure.  The value of this AVP indicates how many
   authentication attempts a user is permitted before being
   disconnected.  This AVP is primarily intended for use when the
   Framed-Protocol AVP (Section 4.4.10.1) is set to ARAP.

4.3.3.  Prompt AVP

   The Prompt AVP (AVP Code 76) is of type Enumerated and MAY be present
   in the AA-Answer message.  When present, it is used by the NAS to
   determine whether the user's response, when entered, should be
   echoed.

   The supported values are listed in [RADIUSTypes].

4.3.4.  CHAP-Auth AVP

   The CHAP-Auth AVP (AVP Code 402) is of type Grouped and contains the
   information necessary to authenticate a user using the PPP
   Challenge-Handshake Authentication Protocol (CHAP) [RFC1994].  If the
   CHAP-Auth AVP is found in a message, the CHAP-Challenge AVP
   (Section 4.3.8) MUST be present as well.  The optional AVPs
   containing the CHAP response depend upon the value of the
   CHAP-Algorithm AVP (Section 4.3.5).  The grouped AVP has the
   following ABNF grammar:

      CHAP-Auth ::= < AVP Header: 402 >
                    { CHAP-Algorithm }
                    { CHAP-Ident }
                    [ CHAP-Response ]
                  * [ AVP ]

4.3.5.  CHAP-Algorithm AVP

   The CHAP-Algorithm AVP (AVP Code 403) is of type Enumerated and
   contains the algorithm identifier used in the computation of the CHAP
   response [RFC1994].  The following values are currently supported:

   CHAP with MD5  5
      The CHAP response is computed by using the procedure described in
      [RFC1994].  This algorithm requires that the CHAP-Response AVP
      (Section 4.3.7) MUST be present in the CHAP-Auth AVP
      (Section 4.3.4).

4.3.6.  CHAP-Ident AVP

   The CHAP-Ident AVP (AVP Code 404) is of type OctetString and contains
   the 1 octet CHAP Identifier used in the computation of the CHAP
   response [RFC1994].

4.3.7.  CHAP-Response AVP

   The CHAP-Response AVP (AVP Code 405) is of type OctetString and
   contains the 16 octet authentication data provided by the user in
   response to the CHAP challenge [RFC1994].

4.3.8.  CHAP-Challenge AVP

   The CHAP-Challenge AVP (AVP Code 60) is of type OctetString and
   contains the CHAP Challenge sent by the NAS to the CHAP peer
   [RFC1994].

4.3.9.  ARAP-Password AVP

   The ARAP-Password AVP (AVP Code 70) is of type OctetString and is
   only present when the Framed-Protocol AVP (Section 4.4.10.1) is
   included in the message and is set to ARAP.  This AVP MUST NOT be
   present if either the User-Password or the CHAP-Auth AVP is present.
   See [RFC2869] for more information on the contents of this AVP.

4.3.10.  ARAP-Challenge-Response AVP

   The ARAP-Challenge-Response AVP (AVP Code 84) is of type OctetString
   and is only present when the Framed-Protocol AVP (Section 4.4.10.1)
   is included in the message and is set to ARAP.  This AVP contains an
   8 octet response to the dial-in client's challenge.  The Diameter
   server calculates this value by taking the dial-in client's challenge
   from the high-order 8 octets of the ARAP-Password AVP and performing
   DES encryption on this value with the authenticating user's password
   as the key.  If the user's password is fewer than 8 octets in length,
   the password is padded at the end with NULL octets to a length of 8
   before it is used as a key.

4.3.11.  ARAP-Security AVP

   The ARAP-Security AVP (AVP Code 73) is of type Unsigned32 and MAY be
   present in the AA-Answer message if the Framed-Protocol AVP
   (Section 4.4.10.1) is set to the value of ARAP, and the Result-Code
   AVP ([I-D.ietf-dime-rfc3588bis], Section 7.1) is set to
   DIAMETER_MULTI_ROUND_AUTH.  See [RFC2869] for more information on the
   contents of this AVP.
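   As an added example (not code from the draft), the following Python
   builds the CHAP-Auth grouped AVP of Section 4.3.4 together with the
   CHAP-Challenge AVP that MUST accompany it, and shows the server-side
   check: AVP flag bits, the mandatory pieces and their lengths, then a
   constant-time comparison against the CHAP with MD5 response of
   [RFC1994].  The AVP codes are the ones assigned in Sections 4.3.4 to
   4.3.8; the shared secret, identifier and challenge are constructed
   sample values.

```python
"""Build and verify a Diameter CHAP-Auth grouped AVP (Sections 4.3.4 - 4.3.8).

Added example, not code from the draft.  AVP codes are the ones the draft
assigns (CHAP-Challenge 60, CHAP-Auth 402, CHAP-Algorithm 403, CHAP-Ident
404, CHAP-Response 405); the AVP header layout is the base-protocol one
(code, flags, 24-bit length, data padded to 4 octets).  "CHAP with MD5" (5)
computes Response = MD5(Identifier || secret || Challenge), per RFC 1994.
The secret, identifier and challenge below are constructed sample values.
"""
import hashlib
import hmac
import struct

FLAG_V = 0x80  # vendor bit: the flag table says it MUST NOT be set on these AVPs
FLAG_M = 0x40  # mandatory bit: MUST be set on these AVPs

CHAP_CHALLENGE, CHAP_AUTH = 60, 402
CHAP_ALGORITHM, CHAP_IDENT, CHAP_RESPONSE = 403, 404, 405
CHAP_WITH_MD5 = 5


def encode_avp(code, data, flags=FLAG_M):
    """AVP header: code(4) flags(1) length(3) data, zero-padded to 4 octets."""
    length = 8 + len(data)
    header = struct.pack("!I", code) + bytes([flags]) + length.to_bytes(3, "big")
    return header + data + b"\x00" * (-len(data) % 4)


def decode_avps(buf):
    """Yield (code, flags, data) for each AVP in buf; reject truncated input."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code = struct.unpack_from("!I", buf, off)[0]
        flags = buf[off + 4]
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        if length < 8 or off + length > len(buf):
            raise ValueError("bad AVP length")
        yield code, flags, bytes(buf[off + 8:off + length])
        off += length + (-length % 4)


def chap_md5_response(ident, secret, challenge):
    """CHAP with MD5: 16-octet response over identifier, secret and challenge."""
    return hashlib.md5(ident + secret + challenge).digest()


def build_chap_auth(ident, secret, challenge):
    """NAS side: the CHAP-Auth grouped AVP plus the CHAP-Challenge AVP that
    MUST accompany it (Section 4.3.4)."""
    inner = (encode_avp(CHAP_ALGORITHM, struct.pack("!I", CHAP_WITH_MD5))
             + encode_avp(CHAP_IDENT, ident)
             + encode_avp(CHAP_RESPONSE, chap_md5_response(ident, secret, challenge)))
    return encode_avp(CHAP_AUTH, inner) + encode_avp(CHAP_CHALLENGE, challenge)


def verify_chap_auth(avps, secret):
    """Server side: True only if the AVPs are well formed, carry the
    mandatory pieces, and the response matches the expected MD5 value."""
    try:
        outer = {}
        for code, flags, data in decode_avps(avps):
            if flags & FLAG_V or not flags & FLAG_M:
                return False  # V MUST NOT be set, M MUST be set (flag table)
            outer[code] = data
        if CHAP_AUTH not in outer or CHAP_CHALLENGE not in outer:
            return False  # CHAP-Challenge is required whenever CHAP-Auth appears
        inner = {code: data for code, _, data in decode_avps(outer[CHAP_AUTH])}
    except ValueError:
        return False  # malformed or truncated AVP stream
    if inner.get(CHAP_ALGORITHM) != struct.pack("!I", CHAP_WITH_MD5):
        return False  # only CHAP with MD5 (5) is defined
    ident, response = inner.get(CHAP_IDENT), inner.get(CHAP_RESPONSE)
    if ident is None or len(ident) != 1 or response is None or len(response) != 16:
        return False  # 1-octet identifier (4.3.6), 16-octet response (4.3.7)
    expected = chap_md5_response(ident, secret, outer[CHAP_CHALLENGE])
    return hmac.compare_digest(expected, response)  # constant-time compare


# Constructed sample values (not from the draft).
SAMPLE_SECRET = b"example-shared-secret"
SAMPLE_IDENT = b"\x07"
SAMPLE_CHALLENGE = bytes(range(16))

if __name__ == "__main__":
    avps = build_chap_auth(SAMPLE_IDENT, SAMPLE_SECRET, SAMPLE_CHALLENGE)
    print(len(avps), "octets;", "valid" if verify_chap_auth(avps, SAMPLE_SECRET) else "rejected")
```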
4.3.12.  ARAP-Security-Data AVP

   The ARAP-Security-Data AVP (AVP Code 74) is of type OctetString and
   MAY be present in the AA-Request or AA-Answer message if the
   Framed-Protocol AVP (Section 4.4.10.1) is set to the value of ARAP
   and the Result-Code AVP ([I-D.ietf-dime-rfc3588bis], Section 7.1) is
   set to DIAMETER_MULTI_ROUND_AUTH.  This AVP contains the security
   module challenge or response associated with the ARAP Security Module
   specified in the ARAP-Security AVP (Section 4.3.11).

4.4.  NAS Authorization AVPs

   This section contains the authorization AVPs supported in the NAS
   Application.  The Service-Type AVP SHOULD be present in all messages
   and, based on its value, additional AVPs defined in this section and
   Section 4.5 MAY be present.

   The following table gives the possible flag values for the session
   level AVPs and specifies whether the AVP MAY be encrypted.

                                            +---------------------+
                                            |    AVP Flag rules   |
                                            |----+-----+----+-----|----+
                                            |    |     |SHLD| MUST|    |
   Attribute Name         Section Defined   |MUST| MAY | NOT| NOT|Encr|
   -----------------------------------------|----+-----+----+-----|----|
   Service-Type             4.4.1           | M  |  P  |    |  V  | Y  |
   Callback-Number          4.4.2           | M  |  P  |    |  V  | Y  |
   Callback-Id              4.4.3           | M  |  P  |    |  V  | Y  |
   Idle-Timeout             4.4.4           | M  |  P  |    |  V  | Y  |
   Port-Limit               4.4.5           | M  |  P  |    |  V  | Y  |
   NAS-Filter-Rule          4.4.6           | M  |  P  |    |  V  | Y  |
   Filter-Id                4.4.7           | M  |  P  |    |  V  | Y  |
   Configuration-Token      4.4.8           | M  |     |    | P,V |    |
   QoS-Filter-Rule          4.4.9           |    |     |    |     |    |
   Framed-Protocol          4.4.10.1        | M  |  P  |    |  V  | Y  |
   Framed-Routing           4.4.10.2        | M  |  P  |    |  V  | Y  |
   Framed-MTU               4.4.10.3        | M  |  P  |    |  V  | Y  |
   Framed-Compression       4.4.10.4        | M  |  P  |    |  V  | Y  |
   Framed-IP-Address        4.4.10.5.1      | M  |  P  |    |  V  | Y  |
   Framed-IP-Netmask        4.4.10.5.2      | M  |  P  |    |  V  | Y  |
   Framed-Route             4.4.10.5.3      | M  |  P  |    |  V  | Y  |
   Framed-Pool              4.4.10.5.4      | M  |  P  |    |  V  | Y  |
   Framed-Interface-Id      4.4.10.5.5      | M  |  P  |    |  V  | Y  |
   Framed-IPv6-Prefix       4.4.10.5.6      | M  |  P  |    |  V  | Y  |
   Framed-IPv6-Route        4.4.10.5.7      | M  |  P  |    |  V  | Y  |
   Framed-IPv6-Pool         4.4.10.5.8      | M  |  P  |    |  V  | Y  |
   Framed-IPX-Network       4.4.10.6.1      | M  |  P  |    |  V  | Y  |
   Framed-AppleTalk-Link    4.4.10.7.1      | M  |  P  |    |  V  | Y  |
   Framed-AppleTalk-Network 4.4.10.7.2      | M  |  P  |    |  V  | Y  |
   Framed-AppleTalk-Zone    4.4.10.7.3      | M  |  P  |    |  V  | Y  |
   ARAP-Features            4.4.10.8.1      | M  |  P  |    |  V  | Y  |
   ARAP-Zone-Access         4.4.10.8.2      | M  |  P  |    |  V  | Y  |
   Login-IP-Host            4.4.11.1        | M  |  P  |    |  V  | Y  |
   Login-IPv6-Host          4.4.11.2        | M  |  P  |    |  V  | Y  |
   Login-Service            4.4.11.3        | M  |  P  |    |  V  | Y  |
   Login-TCP-Port           4.4.11.4.1      | M  |  P  |    |  V  | Y  |
   Login-LAT-Service        4.4.11.5.1      | M  |  P  |    |  V  | Y  |
   Login-LAT-Node           4.4.11.5.2      | M  |  P  |    |  V  | Y  |
   Login-LAT-Group          4.4.11.5.3      | M  |  P  |    |  V  | Y  |
   Login-LAT-Port           4.4.11.5.4      | M  |  P  |    |  V  | Y  |
   -----------------------------------------|----+-----+----+-----|----|

4.4.1.  Service-Type AVP

   The Service-Type AVP (AVP Code 6) is of type Enumerated and contains
   the type of service the user has requested or the type of service to
   be provided.  One such AVP MAY be present in an authentication and/or
   authorization request or response.  A NAS is not required to
   implement all of these service types.  It MUST treat unknown or
   unsupported Service-Types received in a response as a failure and end
   the session with a DIAMETER_INVALID_AVP_VALUE Result-Code.

   When used in a request, the Service-Type AVP SHOULD be considered a
   hint to the server that the NAS believes the user would prefer the
   kind of service indicated.  The server is not required to honor the
   hint.  Furthermore, if the service specified by the server is
   supported, but not compatible with the current mode of access, the
   NAS MUST fail to start the session.  The NAS MUST also generate the
   appropriate error message(s).

   The complete list of defined values that the Service-Type AVP can
   take can be found in [RFC2865] and [RADIUSTypes], but the following
   values require further qualification here:

   Login (1)
      The user should be connected to a host.  The message MAY include
      additional AVPs as defined in Section 4.4.11.4 or
      Section 4.4.11.5.

   Framed (2)
      A Framed Protocol, such as PPP or SLIP, should be started for the
      User.  The message MAY include additional AVPs defined in
      Section 4.4.10, or Section 4.5 for tunneling services.

   Callback Login (3)
      The user should be disconnected and called back, then connected
      to a host.  The message MAY include additional AVPs defined in
      this Section.

   Callback Framed (4)
      The user should be disconnected and called back, and then a
      Framed Protocol, such as PPP or SLIP, should be started for the
      User.  The message MAY include additional AVPs defined in
      Section 4.4.10, or Section 4.5 for tunneling services.

4.4.2.  Callback-Number AVP

   The Callback-Number AVP (AVP Code 19) is of type UTF8String and
   contains a dialing string to be used for callback.  It MAY be used in
   an authentication and/or authorization request as a hint to the
   server that a Callback service is desired, but the server is not
   required to honor the hint in the corresponding response.

   The codification of this field's allowed usage range is outside the
   scope of this specification.

4.4.3.  Callback-Id AVP

   The Callback-Id AVP (AVP Code 20) is of type UTF8String and contains
   the name of a place to be called, to be interpreted by the NAS.  This
   AVP MAY be present in an authentication and/or authorization
   response.

   This AVP is not roaming-friendly as it assumes that the Callback-Id
   is configured on the NAS.  Using the Callback-Number AVP
   (Section 4.4.2) is therefore preferable.

4.4.4.  Idle-Timeout AVP

   The Idle-Timeout AVP (AVP Code 28) is of type Unsigned32 and sets the
   maximum number of consecutive seconds of idle connection allowable to
   the user before termination of the session or before a prompt is
   issued.  The default is none, or system specific.

4.4.5.  Port-Limit AVP

   The Port-Limit AVP (AVP Code 62) is of type Unsigned32 and sets the
   maximum number of ports the NAS provides to the user.  It MAY be used
   in an authentication and/or authorization request as a hint to the
   server that multilink PPP [RFC1990] service is desired, but the
   server is not required to honor the hint in the corresponding
   response.

4.4.6.  NAS-Filter-Rule AVP

   The NAS-Filter-Rule AVP (AVP Code 400) is of type IPFilterRule and
   provides filter rules that need to be configured on the NAS for the
   user.  One or more of these AVPs MAY be present in an authorization
   response.

4.4.7.  Filter-Id AVP

   The Filter-Id AVP (AVP Code 11) is of type UTF8String and contains
   the name of the filter list for this user.  Zero or more Filter-Id
   AVPs MAY be sent in an authorization answer.

   Identifying a filter list by name allows the filter to be used on
   different NASes without regard to filter-list implementation details.
   However, this AVP is not roaming-friendly, as filter naming differs
   from one service provider to another.

   In environments where backward compatibility with RADIUS is not
   required, it is RECOMMENDED that the NAS-Filter-Rule AVP
   (Section 4.4.6) be used instead.

4.4.8.  Configuration-Token AVP

   The Configuration-Token AVP (AVP Code 78) is of type OctetString and
   is sent by a Diameter Server to a Diameter Proxy Agent in an
   AA-Answer command to indicate a type of user profile to be used.  It
   should not be sent to a Diameter Client (NAS).
   The format of the Data field of this AVP is site specific.

4.4.9.  QoS-Filter-Rule AVP

   The QoS-Filter-Rule AVP (AVP Code 407) is of type QoSFilterRule
   (Section 4.1.1) and provides QoS filter rules that need to be
   configured on the NAS for the user.  One or more such AVPs MAY be
   present in an authorization response.

   DSCP      If the action is set to tag (Section 4.1.1), this option
             MUST be included in the rule.

             Color values are defined in [RFC2474].  Exact matching of
             DSCP values is required (no masks or ranges).

   metering  The metering option provides Assured Forwarding, as
             defined in [RFC2597], and MUST be present if the action is
             set to meter (Section 4.1.1).  The rate option is the
             throughput, in bits per second, used by the access device
             to mark packets.  Traffic over the rate is marked with the
             color_over codepoint, and traffic under the rate is marked
             with the color_under codepoint.  The color_under and
             color_over options contain the drop preferences and MUST
             conform to the recommended codepoint keywords described in
             [RFC2597] (e.g., AF13).

             The metering option also supports the strict limit on
             traffic required by Expedited Forwarding, as defined in
             [RFC3246].  The color_over option may contain the keyword
             "drop" to prevent forwarding of traffic that exceeds the
             rate parameter.

4.4.10.  Framed Access Authorization AVPs

   This section lists the authorization AVPs necessary to support framed
   access, such as PPP and SLIP.  AVPs defined in this section MAY be
   present in a message if the Service-Type AVP was set to "Framed" or
   "Callback Framed".

4.4.10.1.  Framed-Protocol AVP

   The Framed-Protocol AVP (AVP Code 7) is of type Enumerated and
   contains the framing to be used for framed access.  This AVP MAY be
   present in both requests and responses.  The supported values are
   listed in [RADIUSTypes].
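   As an added example covering the QoSFilterRule format of Section 4.1.1
   and the options of this section (not code from the draft), the Python
   below parses rule strings, enforces the tag/DSCP and meter/metering
   pairing, skips rules the device cannot interpret instead of ending the
   session, and classifies packets with first-match, best-effort-by-
   default semantics.  The exact option spelling ("DSCP <codepoint>",
   "metering <rate> <color_under> <color_over>") is an assumption, as are
   the sample rules and packets.

```python
"""Parse and evaluate QoSFilterRule strings (Sections 4.1.1 and 4.4.9).

Added example, not code from the draft.  The draft names the options but not
their exact spelling, so this assumes "DSCP <codepoint>" for tag rules and
"metering <rate_bps> <color_under> <color_over>" for meter rules (color_over
may be "drop").  src/dst use the IPFilterRule form "any" | "assigned" |
addr[/len] plus an optional port list ("80,443", "1024-65535").  Samples are constructed.
"""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field

PROTO_NAMES = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}  # None = any protocol
BEST_EFFORT = ("best-effort",)
QoSRule = namedtuple("QoSRule", "action direction proto src dst options")


@dataclass
class Endpoint:
    net: object = None                         # None = any; "assigned" = user's address
    ports: list = field(default_factory=list)  # inclusive (lo, hi) ranges; empty = any

    def matches(self, addr, port, assigned):
        ip = ipaddress.ip_address(addr)
        net = ipaddress.ip_network(assigned) if self.net == "assigned" else self.net
        if net is not None and ip not in net:
            return False
        return not self.ports or any(lo <= port <= hi for lo, hi in self.ports)

def parse_endpoint(tokens):
    """Consume addr[/len] [ports] from tokens; return (Endpoint, remaining tokens)."""
    spec, rest = tokens[0], tokens[1:]
    net = None if spec == "any" else spec if spec == "assigned" \
        else ipaddress.ip_network(spec, strict=False)
    ports = []
    if rest and rest[0][0].isdigit():          # a port list follows the address
        for item in rest[0].split(","):
            lo, _, hi = item.partition("-")
            ports.append((int(lo), int(hi or lo)))
        rest = rest[1:]
    return Endpoint(net, ports), rest

def parse_rule(text):
    """action dir proto from src to dst [options]; a tag rule MUST carry DSCP and
    a meter rule MUST carry metering (Section 4.4.9)."""
    t = text.split()
    if len(t) < 7 or t[3] != "from":
        raise ValueError("expected: action dir proto from src to dst [options]")
    action, direction = t[0], t[1]
    if action not in ("tag", "meter") or direction not in ("in", "out"):
        raise ValueError("bad action or direction")
    proto = PROTO_NAMES[t[2]] if t[2] in PROTO_NAMES else int(t[2])
    src, rest = parse_endpoint(t[4:])
    if len(rest) < 2 or rest[0] != "to":
        raise ValueError("missing 'to dst'")
    dst, rest = parse_endpoint(rest[1:])
    opts, i = {}, 0
    while i < len(rest):
        if rest[i] == "DSCP" and i + 1 < len(rest):
            opts["dscp"] = rest[i + 1]
            i += 2
        elif rest[i] == "metering" and i + 3 < len(rest):
            opts["rate"] = int(rest[i + 1])
            opts["color_under"], opts["color_over"] = rest[i + 2], rest[i + 3]
            i += 4
        else:
            raise ValueError("unknown or incomplete option: %s" % rest[i])
    if (action == "tag") != ("dscp" in opts) or (action == "meter") != ("rate" in opts):
        raise ValueError("options do not match the action")
    return QoSRule(action, direction, proto, src, dst, opts)

def load_rules(texts):
    """Rules the device cannot interpret are skipped, not fatal to the session
    (Section 4.1.1); the skipped texts are returned so they can be logged."""
    rules, skipped = [], []
    for text in texts:
        try:
            rules.append(parse_rule(text))
        except ValueError:
            skipped.append(text)
    return rules, skipped

def classify(rules, pkt, assigned):
    """First matching rule for the packet's direction wins; no match = best effort."""
    for r in rules:
        if r.direction != pkt["dir"] or (r.proto is not None and r.proto != pkt["proto"]):
            continue
        if (r.src.matches(pkt["src"], pkt["sport"], assigned)
                and r.dst.matches(pkt["dst"], pkt["dport"], assigned)):
            if r.action == "tag":
                return ("tag", r.options["dscp"])
            return ("meter", r.options["rate"], r.options["color_under"], r.options["color_over"])
    return BEST_EFFORT

SAMPLE_RULES = [  # constructed QoS-Filter-Rule AVP values
    "tag out ip from assigned to any DSCP AF11",
    "meter in tcp from any to 198.51.100.0/24 80,443 metering 1000000 AF21 AF23",
    "meter in udp from any to any metering 500000 EF drop",
    "tag in ip from any to any",  # malformed (tag without DSCP): skipped
]
```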
Framed-Routing AVP 1519 The Framed-Routing AVP (AVP Code 10) is of type Enumerated and 1520 contains the routing method for the user when the user is a router to 1521 a network. This AVP SHOULD only be present in authorization 1522 responses. The supported values are listed in [RADIUSTypes]. 1524 4.4.10.3. Framed-MTU AVP 1526 The Framed-MTU AVP (AVP Code 12) is of type Unsigned32 and contains 1527 the Maximum Transmission Unit (MTU) to be configured for the user, 1528 when it is not negotiated by some other means (such as PPP). This 1529 AVP SHOULD only be present in authorization responses. The MTU value 1530 MUST be in the range from 64 to 65535. 1532 4.4.10.4. Framed-Compression AVP 1534 The Framed-Compression AVP (AVP Code 13) is of type Enumerated and 1535 contains the compression protocol to be used for the link. It MAY be 1536 used in an authorization request as a hint to the server that a 1537 specific compression type is desired, but the server is not required 1538 to honor the hint in the corresponding response. 1540 More than one compression protocol AVP MAY be sent. The NAS is 1541 responsible for applying the proper compression protocol to the 1542 appropriate link traffic. 1544 The supported values are listed in [RADIUSTypes]. 1546 4.4.10.5. IP Access Authorization AVPs 1548 The AVPs defined in this section are used when the user requests, or 1549 is being granted, access service to IP. 1551 4.4.10.5.1. Framed-IP-Address AVP 1553 The Framed-IP-Address AVP (AVP Code 8) [RFC2865] is of type 1554 OctetString and contains an IPv4 address of the type specified in the 1555 attribute value to be configured for the user. It MAY be used in an 1556 authorization request as a hint to the server that a specific address 1557 is desired, but the server is not required to honor the hint in the 1558 corresponding response. 1560 Two values have special significance: 0xFFFFFFFF and 0xFFFFFFFE. 
The value 0xFFFFFFFF indicates that the NAS should allow the user to select an address (i.e., negotiated). The value 0xFFFFFFFE indicates that the NAS should select an address for the user (e.g., assigned from a pool of addresses kept by the NAS).

4.4.10.5.2.  Framed-IP-Netmask AVP

The Framed-IP-Netmask AVP (AVP Code 9) is of type OctetString and contains the four octets of the IPv4 netmask to be configured for the user when the user is a router to a network. It MAY be used in an authorization request as a hint to the server that a specific netmask is desired, but the server is not required to honor the hint in the corresponding response. This AVP MUST be present in a response if the request included this AVP with a value of 0xFFFFFFFF.

4.4.10.5.3.  Framed-Route AVP

The Framed-Route AVP (AVP Code 22) is of type UTF8String and contains the ASCII routing information to be configured for the user on the NAS. Zero or more of these AVPs MAY be present in an authorization response.

The string MUST contain a destination prefix in dotted quad form optionally followed by a slash and a decimal length specifier stating how many high-order bits of the prefix should be used. This is followed by a space, a gateway address in dotted quad form, a space, and one or more metrics separated by spaces; for example,

   "192.0.2.0/24 192.0.2.1 1"

The length specifier may be omitted, in which case it should default to 8 bits for class A prefixes, to 16 bits for class B prefixes, and to 24 bits for class C prefixes; for example,

   "192.0.2.0 192.0.2.1 1"

Whenever the gateway address is specified as "0.0.0.0" the IP address of the user SHOULD be used as the gateway address.

4.4.10.5.4.  Framed-Pool AVP

The Framed-Pool AVP (AVP Code 88) is of type OctetString and contains the name of an assigned address pool that SHOULD be used to assign an address for the user. If a NAS does not support multiple address pools, the NAS SHOULD ignore this AVP. Address pools are usually used for IP addresses but can be used for other protocols if the NAS supports pools for those protocols.

Although specified as type OctetString for compatibility with RADIUS [RFC2865], the encoding of the Data field SHOULD also conform to the rules for the UTF8String Data Format.

4.4.10.5.5.  Framed-Interface-Id AVP

The Framed-Interface-Id AVP (AVP Code 96) is of type Unsigned64 and contains the IPv6 interface identifier to be configured for the user. It MAY be used in authorization requests as a hint to the server that a specific interface id is desired, but the server is not required to honor the hint in the corresponding response.

4.4.10.5.6.  Framed-IPv6-Prefix AVP

The Framed-IPv6-Prefix AVP (AVP Code 97) is of type OctetString and contains the IPv6 prefix to be configured for the user. One or more AVPs MAY be used in authorization requests as a hint to the server that specific IPv6 prefixes are desired, but the server is not required to honor the hint in the corresponding response.

4.4.10.5.7.  Framed-IPv6-Route AVP

The Framed-IPv6-Route AVP (AVP Code 99) is of type UTF8String and contains the ASCII routing information to be configured for the user on the NAS. Zero or more of these AVPs MAY be present in an authorization response.

The string MUST contain an IPv6 address prefix followed by a slash and a decimal length specifier stating how many high-order bits of the prefix should be used.
This is followed by a space, a gateway address in hexadecimal notation, a space, and one or more metrics separated by spaces; for example,

   "2000:0:0:106::/64 2000::106:a00:20ff:fe99:a998 1"

Whenever the gateway address is the IPv6 unspecified address, the IP address of the user SHOULD be used as the gateway address, such as in:

   "2000:0:0:106::/64 :: 1"

4.4.10.5.8.  Framed-IPv6-Pool AVP

The Framed-IPv6-Pool AVP (AVP Code 100) is of type OctetString and contains the name of an assigned pool that SHOULD be used to assign an IPv6 prefix for the user. If the access device does not support multiple prefix pools, it MUST ignore this AVP.

Although specified as type OctetString for compatibility with RADIUS [RFC3162], the encoding of the Data field SHOULD also conform to the rules for the UTF8String Data Format.

4.4.10.6.  IPX Access AVPs

The AVPs defined in this section are used when the user requests, or is being granted, access to an IPX network service [IPX].

4.4.10.6.1.  Framed-IPX-Network AVP

The Framed-IPX-Network AVP (AVP Code 23) is of type Unsigned32 and contains the IPX Network number to be configured for the user. It MAY be used in an authorization request as a hint to the server that a specific address is desired, but the server is not required to honor the hint in the corresponding response.

Two addresses have special significance: 0xFFFFFFFF and 0xFFFFFFFE. The value 0xFFFFFFFF indicates that the NAS should allow the user to select an address (i.e., negotiated). The value 0xFFFFFFFE indicates that the NAS should select an address for the user (e.g., assign it from a pool of one or more IPX networks kept by the NAS).

4.4.10.7.  AppleTalk Network Access AVPs

The AVPs defined in this section are used when the user requests, or is being granted, access to an AppleTalk network [AppleTalk].

4.4.10.7.1.  Framed-AppleTalk-Link AVP

The Framed-AppleTalk-Link AVP (AVP Code 37) is of type Unsigned32 and contains the AppleTalk network number that should be used for the serial link to the user, which is another AppleTalk router. This AVP MUST only be present in an authorization response and is never used when the user is not another router.

Despite the size of the field, values range from 0 to 65,535. The special value of 0 indicates an unnumbered serial link. A value of 1 to 65,535 means that the serial line between the NAS and the user should be assigned that value as an AppleTalk network number.

4.4.10.7.2.  Framed-AppleTalk-Network AVP

The Framed-AppleTalk-Network AVP (AVP Code 38) is of type Unsigned32 and contains the AppleTalk Network number that the NAS should probe to allocate an AppleTalk node for the user. This AVP MUST only be present in an authorization response and is never used when the user is not another router. Multiple instances of this AVP indicate that the NAS may probe, using any of the network numbers specified.

Despite the size of the field, values range from 0 to 65,535. The special value 0 indicates that the NAS should assign a network for the user, using its default cable range. A value between 1 and 65,535 (inclusive) indicates the AppleTalk Network that the NAS should probe to find an address for the user.

4.4.10.7.3.  Framed-AppleTalk-Zone AVP

The Framed-AppleTalk-Zone AVP (AVP Code 39) is of type OctetString and contains the AppleTalk Default Zone to be used for this user. This AVP MUST only be present in an authorization response. Multiple instances of this AVP in the same message are not allowed.

The codification of this field's allowed range is outside the scope of this specification.

4.4.10.8.  AppleTalk Remote Access AVPs

The AVPs defined in this section are used when the user requests, or is being granted, access to the AppleTalk network via the AppleTalk Remote Access Protocol [ARAP]. They are only present if the Framed-Protocol AVP (Section 4.4.10.1) is set to ARAP. Section 2.2 of RFC 2869 [RFC2869] describes the operational use of these attributes.

4.4.10.8.1.  ARAP-Features AVP

The ARAP-Features AVP (AVP Code 71) is of type OctetString and MAY be present in the AA-Accept message if the Framed-Protocol AVP is set to the value of ARAP. See [RFC2869] for more information about the format of this AVP.

4.4.10.8.2.  ARAP-Zone-Access AVP

The ARAP-Zone-Access AVP (AVP Code 72) is of type Enumerated and MAY be present in the AA-Accept message if the Framed-Protocol AVP is set to the value of ARAP.

The supported values are listed in [RADIUSTypes] and defined in [RFC2869].

4.4.11.  Non-Framed Access Authorization AVPs

This section contains the authorization AVPs that are needed to support terminal server functionality. AVPs defined in this section MAY be present in a message if the Service-Type AVP was set to "Login" or "Callback Login".

4.4.11.1.  Login-IP-Host AVP

The Login-IP-Host AVP (AVP Code 14) [RFC2865] is of type OctetString and contains the IPv4 address of a host with which to connect the user when the Login-Service AVP is included. It MAY be used in an AA-Request command as a hint to the Diameter Server that a specific host is desired, but the Diameter Server is not required to honor the hint in the AA-Answer.

Two addresses have special significance: all ones and 0. The value of all ones indicates that the NAS SHOULD allow the user to select an address. The value 0 indicates that the NAS SHOULD select a host to connect the user to.

4.4.11.2.  Login-IPv6-Host AVP

The Login-IPv6-Host AVP (AVP Code 98) [RFC3162] is of type OctetString and contains the IPv6 address of a host with which to connect the user when the Login-Service AVP is included. It MAY be used in an AA-Request command as a hint to the Diameter Server that a specific host is desired, but the Diameter Server is not required to honor the hint in the AA-Answer.

Two addresses have special significance: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF and 0. The value 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF indicates that the NAS SHOULD allow the user to select an address. The value 0 indicates that the NAS SHOULD select a host to connect the user to.

4.4.11.3.  Login-Service AVP

The Login-Service AVP (AVP Code 15) is of type Enumerated and contains the service that should be used to connect the user to the login host. This AVP SHOULD only be present in authorization responses. The supported values are listed in [RFC2869].

4.4.11.4.  TCP Services

The AVP described in the following section MAY be present if the Login-Service AVP is set to Telnet, Rlogin, TCP Clear, or TCP Clear Quiet.

4.4.11.4.1.  Login-TCP-Port AVP

The Login-TCP-Port AVP (AVP Code 16) is of type Unsigned32 and contains the TCP port with which the user is to be connected when the Login-Service AVP is also present. This AVP SHOULD only be present in authorization responses. The value MUST NOT be greater than 65,535.

4.4.11.5.  LAT Services

The AVPs described in this section MAY be present if the Login-Service AVP is set to LAT [LAT].

4.4.11.5.1.  Login-LAT-Service AVP

The Login-LAT-Service AVP (AVP Code 34) is of type OctetString and contains the system with which the user is to be connected by LAT.
It MAY be used in an authorization request as a hint to the server that a specific service is desired, but the server is not required to honor the hint in the corresponding response. This AVP MUST only be present in the response if the Login-Service AVP states that LAT is desired.

Administrators use this service attribute when dealing with clustered systems, such as a VAX or Alpha cluster. In these environments, several different time-sharing hosts share the same resources (disks, printers, etc.), and administrators often configure each host to offer access (service) to each of the shared resources. In this case, each host in the cluster advertises its services through LAT broadcasts.

Sophisticated users often know which service providers (machines) are faster and tend to use a node name when initiating a LAT connection. Some administrators want particular users to use certain machines as a primitive form of load balancing (although LAT knows how to do load balancing itself).

The String field contains the identity of the LAT service to use. The LAT Architecture allows this string to contain $ (dollar), - (hyphen), . (period), _ (underscore), numerics, upper- and lowercase alphabetics, and the ISO Latin-1 character set extension [ISO.8859-1.1987]. All LAT string comparisons are case insensitive.

4.4.11.5.2.  Login-LAT-Node AVP

The Login-LAT-Node AVP (AVP Code 35) is of type OctetString and contains the Node with which the user is to be automatically connected by LAT. It MAY be used in an authorization request as a hint to the server that a specific LAT node is desired, but the server is not required to honor the hint in the corresponding response. This AVP MUST only be present in a response if the Login-Service-Type AVP is set to LAT.

The String field contains the identity of the LAT service to use.
The LAT Architecture allows this string to contain $ (dollar), - (hyphen), . (period), _ (underscore), numerics, upper- and lowercase alphabetics, and the ISO Latin-1 character set extension [ISO.8859-1.1987]. All LAT string comparisons are case insensitive.

4.4.11.5.3.  Login-LAT-Group AVP

The Login-LAT-Group AVP (AVP Code 36) is of type OctetString and contains a string identifying the LAT group codes this user is authorized to use. It MAY be used in an authorization request as a hint to the server that a specific group is desired, but the server is not required to honor the hint in the corresponding response. This AVP MUST only be present in a response if the Login-Service-Type AVP is set to LAT.

LAT supports 256 different group codes, which LAT uses as a form of access rights. LAT encodes the group codes as a 256-bit bitmap.

Administrators can assign one or more of the group code bits at the LAT service provider; it will only accept LAT connections that have these group codes set in the bitmap. The administrators assign a bitmap of authorized group codes to each user. LAT gets these from the operating system and uses them in its requests to the service providers.

The codification of the range of allowed usage of this field is outside the scope of this specification.

4.4.11.5.4.  Login-LAT-Port AVP

The Login-LAT-Port AVP (AVP Code 63) is of type OctetString and contains the Port with which the user is to be connected by LAT. It MAY be used in an authorization request as a hint to the server that a specific port is desired, but the server is not required to honor the hint in the corresponding response. This AVP MUST only be present in a response if the Login-Service-Type AVP is set to LAT.

The String field contains the identity of the LAT service to use.
The LAT Architecture allows this string to contain $ (dollar), - (hyphen), . (period), _ (underscore), numerics, upper- and lowercase alphabetics, and the ISO Latin-1 character set extension [ISO.8859-1.1987].

All LAT string comparisons are case insensitive.

4.5.  NAS Tunneling AVPs

Some NASes support compulsory tunnel services in which the incoming connection data is conveyed by an encapsulation method to a gateway elsewhere in the network. This is typically transparent to the service user, and the tunnel characteristics may be described by the remote AAA server, based on the user's authorization information. Several tunnel characteristics may be returned, and the NAS implementation may choose one. See [RFC2868] and [RFC2867] for further information.

The following table gives the possible flag values for the session level AVPs and specifies whether the AVP MAY be encrypted.

                                         +---------------------+
                                         |    AVP Flag rules   |
                                         |----+-----+----+-----|----+
                         Section         |    |     |SHLD| MUST|    |
Attribute Name           Defined         |MUST| MAY | NOT|  NOT|Encr|
-----------------------------------------|----+-----+----+-----|----|
Tunneling                4.5.1           | M  |  P  |    |  V  | N  |
Tunnel-Type              4.5.2           | M  |  P  |    |  V  | Y  |
Tunnel-Medium-Type       4.5.3           | M  |  P  |    |  V  | Y  |
Tunnel-Client-Endpoint   4.5.4           | M  |  P  |    |  V  | Y  |
Tunnel-Server-Endpoint   4.5.5           | M  |  P  |    |  V  | Y  |
Tunnel-Password          4.5.6           | M  |  P  |    |  V  | Y  |
Tunnel-Private-Group-Id  4.5.7           | M  |  P  |    |  V  | Y  |
Tunnel-Assignment-Id     4.5.8           | M  |  P  |    |  V  | Y  |
Tunnel-Preference        4.5.9           | M  |  P  |    |  V  | Y  |
Tunnel-Client-Auth-Id    4.5.10          | M  |  P  |    |  V  | Y  |
Tunnel-Server-Auth-Id    4.5.11          | M  |  P  |    |  V  | Y  |
-----------------------------------------|----+-----+----+-----|----|

4.5.1.  Tunneling AVP

The Tunneling AVP (AVP Code 401) is of type Grouped and contains the following AVPs, used to describe a compulsory tunnel service ([RFC2868], [RFC2867]). Its data field has the following ABNF grammar:

   Tunneling ::= < AVP Header: 401 >
                 { Tunnel-Type }
                 { Tunnel-Medium-Type }
                 { Tunnel-Client-Endpoint }
                 { Tunnel-Server-Endpoint }
                 [ Tunnel-Preference ]
                 [ Tunnel-Client-Auth-Id ]
                 [ Tunnel-Server-Auth-Id ]
                 [ Tunnel-Assignment-Id ]
                 [ Tunnel-Password ]
                 [ Tunnel-Private-Group-Id ]

4.5.2.  Tunnel-Type AVP

The Tunnel-Type AVP (AVP Code 64) is of type Enumerated and contains the tunneling protocol(s) to be used (in the case of a tunnel initiator) or in use (in the case of a tunnel terminator). It MAY be used in an authorization request as a hint to the server that a specific tunnel type is desired, but the server is not required to honor the hint in the corresponding response.

The Tunnel-Type AVP SHOULD also be included in ACR messages.

A tunnel initiator is not required to implement any of these tunnel types. If a tunnel initiator receives a response that contains only unknown or unsupported Tunnel-Types, the tunnel initiator MUST behave as though a response were received with the Result-Code indicating a failure.

The supported values are listed in [RADIUSTypes].

4.5.3.  Tunnel-Medium-Type AVP

The Tunnel-Medium-Type AVP (AVP Code 65) is of type Enumerated and contains the transport medium to use when creating a tunnel for protocols (such as L2TP [RFC2661]) that can operate over multiple transports. It MAY be used in an authorization request as a hint to the server that a specific medium is desired, but the server is not required to honor the hint in the corresponding response.

The supported values are listed in [RADIUSTypes].

4.5.4.  Tunnel-Client-Endpoint AVP

The Tunnel-Client-Endpoint AVP (AVP Code 66) is of type UTF8String and contains the address of the initiator end of the tunnel. It MAY be used in an authorization request as a hint to the server that a specific endpoint is desired, but the server is not required to honor the hint in the corresponding response. This AVP SHOULD be included in the corresponding ACR messages, in which case it indicates the address from which the tunnel was initiated. This AVP, along with the Tunnel-Server-Endpoint (Section 4.5.5) and Session-Id AVPs ([I-D.ietf-dime-rfc3588bis], Section 8.8), can be used to provide a globally unique means to identify a tunnel for accounting and auditing purposes.

If the value of the Tunnel-Medium-Type AVP (Section 4.5.3) is IPv4 (1), then this string is either the fully qualified domain name (FQDN) of the tunnel client machine, or a "dotted-decimal" IP address. Implementations MUST support the dotted-decimal format and SHOULD support the FQDN format for IP addresses.

If Tunnel-Medium-Type is IPv6 (2), then this string is either the FQDN of the tunnel client machine, or a text representation of the address in either the preferred or alternate form [RFC3516]. Conforming implementations MUST support the preferred form and SHOULD support both the alternate text form and the FQDN format for IPv6 addresses.

If Tunnel-Medium-Type is neither IPv4 nor IPv6, then this string is a tag referring to configuration data local to the Diameter client that describes the interface or medium-specific client address to use.

4.5.5.  Tunnel-Server-Endpoint AVP

The Tunnel-Server-Endpoint AVP (AVP Code 67) is of type UTF8String and contains the address of the server end of the tunnel.
It MAY be used in an authorization request as a hint to the server that a specific endpoint is desired, but the server is not required to honor the hint in the corresponding response.

This AVP SHOULD be included in the corresponding ACR messages, in which case it indicates the address from which the tunnel was initiated. This AVP, along with the Tunnel-Client-Endpoint (Section 4.5.4) and Session-Id AVP ([I-D.ietf-dime-rfc3588bis], Section 8.8), can be used to provide a globally unique means to identify a tunnel for accounting and auditing purposes.

If Tunnel-Medium-Type is IPv4 (1), then this string is either the fully qualified domain name (FQDN) of the tunnel server machine, or a "dotted-decimal" IP address. Implementations MUST support the dotted-decimal format and SHOULD support the FQDN format for IP addresses.

If Tunnel-Medium-Type is IPv6 (2), then this string is either the FQDN of the tunnel server machine, or a text representation of the address in either the preferred or alternate form [RFC3516]. Implementations MUST support the preferred form and SHOULD support both the alternate text form and the FQDN format for IPv6 addresses.

If Tunnel-Medium-Type is not IPv4 or IPv6, this string is a tag referring to configuration data local to the Diameter client that describes the interface or medium-specific server address to use.

4.5.6.  Tunnel-Password AVP

The Tunnel-Password AVP (AVP Code 69) is of type OctetString and may contain a password to be used to authenticate to a remote server.

The Tunnel-Password AVP SHOULD NOT be used in untrusted proxy environments without encrypting it by using end-to-end security techniques.

4.5.7.  Tunnel-Private-Group-Id AVP

The Tunnel-Private-Group-Id AVP (AVP Code 81) is of type OctetString and contains the group Id for a particular tunneled session.
The Tunnel-Private-Group-Id AVP MAY be included in an authorization request if the tunnel initiator can predetermine the group resulting from a particular connection. It SHOULD be included in the authorization response if this tunnel session is to be treated as belonging to a particular private group. Private groups may be used to associate a tunneled session with a particular group of users. For example, it MAY be used to facilitate routing of unregistered IP addresses through a particular interface. This AVP SHOULD be included in the ACR messages that pertain to the tunneled session.

4.5.8.  Tunnel-Assignment-Id AVP

The Tunnel-Assignment-Id AVP (AVP Code 82) is of type OctetString and is used to indicate to the tunnel initiator the particular tunnel to which a session is to be assigned. Some tunneling protocols, such as PPTP [RFC2637] and L2TP [RFC2661], allow for sessions between the same two tunnel endpoints to be multiplexed over the same tunnel and also for a given session to use its own dedicated tunnel. This attribute provides a mechanism for Diameter to inform the tunnel initiator (e.g., PAC, LAC) whether to assign the session to a multiplexed tunnel or to a separate tunnel. Furthermore, it allows for sessions sharing multiplexed tunnels to be assigned to different multiplexed tunnels.

A particular tunneling implementation may assign differing characteristics to particular tunnels. For example, different tunnels may be assigned different QoS parameters. Such tunnels may be used to carry either individual or multiple sessions. The Tunnel-Assignment-Id attribute thus allows the Diameter server to indicate that a particular session is to be assigned to a tunnel providing an appropriate level of service.
It is expected that any QoS-related Diameter tunneling attributes defined in the future accompanying this one will be associated by the tunnel initiator with the Id given by this attribute. In the meantime, any semantic given to a particular Id string is a matter left to local configuration in the tunnel initiator.

The Tunnel-Assignment-Id AVP is of significance only to Diameter and the tunnel initiator. The Id it specifies is only intended to be of local use to Diameter and the tunnel initiator. The Id assigned by the tunnel initiator is not conveyed to the tunnel peer.

This attribute MAY be included in authorization responses. The tunnel initiator receiving this attribute MAY choose to ignore it and to assign the session to an arbitrary multiplexed or non-multiplexed tunnel between the desired endpoints. This AVP SHOULD also be included in the Accounting-Request messages pertaining to the tunneled session.

If a tunnel initiator supports the Tunnel-Assignment-Id AVP, then it should assign a session to a tunnel in the following manner:

o  If this AVP is present and a tunnel exists between the specified endpoints with the specified Id, then the session should be assigned to that tunnel.

o  If this AVP is present and no tunnel exists between the specified endpoints with the specified Id, then a new tunnel should be established for the session and the specified Id should be associated with the new tunnel.

o  If this AVP is not present, then the session is assigned to an unnamed tunnel. If an unnamed tunnel does not yet exist between the specified endpoints, then it is established and used for this session and for subsequent ones established without the Tunnel-Assignment-Id attribute.
   A tunnel initiator MUST NOT assign a session for which a Tunnel-Assignment-Id AVP was not specified to a named tunnel (i.e., one that was initiated by a session specifying this AVP).

Note that the same Id may be used to name different tunnels if these tunnels are between different endpoints.

4.5.9.  Tunnel-Preference AVP

The Tunnel-Preference AVP (AVP Code 83) is of type Unsigned32 and is used to identify the relative preference assigned to each tunnel when more than one set of tunneling AVPs is returned within separate Grouped-AVP AVPs. It MAY be used in an authorization request as a hint to the server that a specific preference is desired, but the server is not required to honor the hint in the corresponding response.

For example, suppose that AVPs describing two tunnels are returned by the server, one with a Tunnel-Type of PPTP and the other with a Tunnel-Type of L2TP. If the tunnel initiator supports only one of the Tunnel-Types returned, it will initiate a tunnel of that type. If, however, it supports both tunnel protocols, it SHOULD use the value of the Tunnel-Preference AVP to decide which tunnel should be started. The tunnel with the lowest numerical value in the Value field of this AVP SHOULD be given the highest preference. The values assigned to two or more instances of the Tunnel-Preference AVP within a given authorization response MAY be identical. In this case, the tunnel initiator SHOULD use locally configured metrics to decide which set of AVPs to use.

4.5.10.  Tunnel-Client-Auth-Id AVP

The Tunnel-Client-Auth-Id AVP (AVP Code 90) is of type UTF8String and specifies the name used by the tunnel initiator during the authentication phase of tunnel establishment.
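The tunnel selection and assignment rules of Sections 4.5.2, 4.5.8 and 4.5.9 above, worked through as an added example in Python (this is not code from the draft or from any Diameter implementation): sets with an unsupported Tunnel-Type are discarded and an answer with none left is treated as a failure, the lowest Tunnel-Preference wins with a local metric breaking ties, and sessions are placed on named or unnamed tunnels keyed by endpoint pair and Tunnel-Assignment-Id. The class and function names, the 192.0.2.x endpoints and the Id strings are assumptions made for the example.

```python
# Added example (not from the draft): how a tunnel initiator could apply the
# Tunnel-Type, Tunnel-Preference and Tunnel-Assignment-Id rules of
# Sections 4.5.2, 4.5.8 and 4.5.9.  Names, endpoints and Ids are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional, Tuple


class TunnelAuthorizationFailed(Exception):
    """Section 4.5.2: only unknown/unsupported Tunnel-Types were returned, so
    the initiator MUST act as if the answer carried a failure Result-Code."""


@dataclass(frozen=True)
class Tunneling:
    """One Tunneling grouped AVP (Section 4.5.1) as seen by the initiator."""
    tunnel_type: str                      # Tunnel-Type, e.g. "L2TP" or "PPTP"
    medium_type: str                      # Tunnel-Medium-Type, e.g. "IPv4"
    client_endpoint: str                  # Tunnel-Client-Endpoint
    server_endpoint: str                  # Tunnel-Server-Endpoint
    preference: Optional[int] = None      # Tunnel-Preference; lower wins
    assignment_id: Optional[str] = None   # Tunnel-Assignment-Id; None = unnamed


def select_tunneling(candidates: Iterable[Tunneling],
                     supported_types: Iterable[str],
                     local_metric: Callable[[Tunneling], int] = lambda t: 0
                     ) -> Tunneling:
    """Pick the Tunneling set to start (Sections 4.5.2 and 4.5.9).

    Sets whose Tunnel-Type is unsupported are discarded; if none remain the
    authorization is treated as failed.  Among the rest the lowest
    Tunnel-Preference wins.  Equal (or absent) preferences are allowed and
    are broken by a locally configured metric, as 4.5.9 directs.
    """
    supported = set(supported_types)
    usable = [t for t in candidates if t.tunnel_type in supported]
    if not usable:
        raise TunnelAuthorizationFailed("no supported Tunnel-Type in answer")

    def rank(t: Tunneling) -> Tuple[int, int]:
        # An absent Tunnel-Preference ranks after any explicit value.
        pref = t.preference if t.preference is not None else 2 ** 32
        return (pref, local_metric(t))

    return min(usable, key=rank)


@dataclass
class Tunnel:
    client_endpoint: str
    server_endpoint: str
    assignment_id: Optional[str]          # None marks the unnamed tunnel
    sessions: List[str] = field(default_factory=list)


class TunnelTable:
    """Tunnels known to the initiator, keyed by endpoint pair and
    Tunnel-Assignment-Id (Section 4.5.8).  Using None as the Id of the
    unnamed tunnel means a session sent without the AVP can never land on a
    named tunnel, and the same Id may name distinct tunnels between distinct
    endpoint pairs."""

    def __init__(self) -> None:
        self._tunnels: Dict[Tuple[str, str, Optional[str]], Tunnel] = {}

    def assign(self, session_id: str, chosen: Tunneling) -> Tunnel:
        key = (chosen.client_endpoint, chosen.server_endpoint,
               chosen.assignment_id)
        tunnel = self._tunnels.get(key)
        if tunnel is None:
            # Id present but no such tunnel: establish one and bind the Id.
            # Id absent and no unnamed tunnel yet: establish the unnamed one.
            tunnel = Tunnel(*key)
            self._tunnels[key] = tunnel
        tunnel.sessions.append(session_id)
        return tunnel

    def tunnel_count(self) -> int:
        return len(self._tunnels)


if __name__ == "__main__":
    # Constructed answer carrying two Tunneling sets for the same endpoints.
    answer = [
        Tunneling("PPTP", "IPv4", "192.0.2.10", "192.0.2.20", preference=1),
        Tunneling("L2TP", "IPv4", "192.0.2.10", "192.0.2.20", preference=2,
                  assignment_id="gold"),
    ]
    chosen = select_tunneling(answer, {"L2TP"})   # PPTP unsupported -> L2TP
    table = TunnelTable()
    print(chosen.tunnel_type, table.assign("session-1", chosen).assignment_id)
```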
The Tunnel-Client-Auth-Id AVP MAY be used in an authorization request as a hint to the server that a specific preference is desired, but the server is not required to honor the hint in the corresponding response. This AVP MUST be present in the authorization response if an authentication name other than the default is desired. This AVP SHOULD be included in the ACR messages pertaining to the tunneled session.

4.5.11.  Tunnel-Server-Auth-Id AVP

The Tunnel-Server-Auth-Id AVP (AVP Code 91) is of type UTF8String and specifies the name used by the tunnel terminator during the authentication phase of tunnel establishment. It MAY be used in an authorization request as a hint to the server that a specific preference is desired, but the server is not required to honor the hint in the corresponding response. This AVP MUST be present in the authorization response if an authentication name other than the default is desired. This AVP SHOULD be included in the ACR messages pertaining to the tunneled session.

4.6.  NAS Accounting AVPs

Applications implementing this specification use Diameter Accounting (as defined in [I-D.ietf-dime-rfc3588bis]) and the AVPs in the following section. Service-specific AVP usage is defined in the tables in Section 5.

If accounting is active, Accounting Request (ACR) messages SHOULD be sent after the completion of any Authentication or Authorization transaction and at the end of a Session. The value of the Accounting-Record-Type AVP [I-D.ietf-dime-rfc3588bis] indicates the type of event. All other AVPs identify the session and provide additional information relevant to the event.

The successful completion of the first Authentication or Authorization transaction SHOULD cause a START_RECORD to be sent.
If additional Authentications or Authorizations occur in later transactions, the first exchange should generate a START_RECORD, and the later an INTERIM_RECORD. For a given session, there MUST only be one set of matching START and STOP records, with any number of INTERIM_RECORDs in between, or one EVENT_RECORD indicating the reason a session wasn't started.

The following table gives the possible flag values for the session level AVPs and specifies whether the AVP MAY be encrypted.

                                         +---------------------+
                                         |    AVP Flag rules   |
                                         |----+-----+----+-----|----+
                         Section         |    |     |SHLD| MUST|    |
Attribute Name           Defined         |MUST| MAY | NOT|  NOT|Encr|
-----------------------------------------|----+-----+----+-----|----|
Accounting-Input-Octets  4.6.1           | M  |  P  |    |  V  | Y  |
Accounting-Output-Octets 4.6.2           | M  |  P  |    |  V  | Y  |
Accounting-Input-Packets 4.6.3           | M  |  P  |    |  V  | Y  |
Accounting-Output-Packets 4.6.4          | M  |  P  |    |  V  | Y  |
Acct-Session-Time        4.6.5           | M  |  P  |    |  V  | Y  |
Acct-Authentic           4.6.6           | M  |  P  |    |  V  | Y  |
Accounting-Auth-Method   4.6.7           | M  |  P  |    |  V  | Y  |
Acct-Delay-Time          4.6.8           | M  |  P  |    |  V  | Y  |
Acct-Link-Count          4.6.9           | M  |  P  |    |  V  | Y  |
Acct-Tunnel-Connection   4.6.10          | M  |  P  |    |  V  | Y  |
Acct-Tunnel-Packets-Lost 4.6.11          | M  |  P  |    |  V  | Y  |
-----------------------------------------|----+-----+----+-----|----|

4.6.1.  Accounting-Input-Octets AVP

The Accounting-Input-Octets AVP (AVP Code 363) is of type Unsigned64 and contains the number of octets received from the user.

For NAS usage, this AVP indicates how many octets have been received from the port in the course of this session. It can only be present in ACR messages with an Accounting-Record-Type [I-D.ietf-dime-rfc3588bis] of INTERIM_RECORD or STOP_RECORD.

4.6.2.  Accounting-Output-Octets AVP

The Accounting-Output-Octets AVP (AVP Code 364) is of type Unsigned64 and contains the number of octets sent to the user.

For NAS usage, this AVP indicates how many octets have been sent to the port in the course of this session. It can only be present in ACR messages with an Accounting-Record-Type of INTERIM_RECORD or STOP_RECORD.

4.6.3.  Accounting-Input-Packets AVP

The Accounting-Input-Packets AVP (AVP Code 365) is of type Unsigned64 and contains the number of packets received from the user.

For NAS usage, this AVP indicates how many packets have been received from the port over the course of a session being provided to a Framed User. It can only be present in ACR messages with an Accounting-Record-Type of INTERIM_RECORD or STOP_RECORD.

4.6.4.  Accounting-Output-Packets AVP

The Accounting-Output-Packets AVP (AVP Code 366) is of type Unsigned64 and contains the number of IP packets sent to the user.

For NAS usage, this AVP indicates how many packets have been sent to the port over the course of a session being provided to a Framed User. It can only be present in ACR messages with an Accounting-Record-Type of INTERIM_RECORD or STOP_RECORD.

4.6.5.  Acct-Session-Time AVP

The Acct-Session-Time AVP (AVP Code 46) is of type Unsigned32 and indicates the length of the current session in seconds. It can only be present in ACR messages with an Accounting-Record-Type of INTERIM_RECORD or STOP_RECORD.

4.6.6.  Acct-Authentic AVP

The Acct-Authentic AVP (AVP Code 45) is of type Enumerated and specifies how the user was authenticated. The supported values are listed in [RADIUSTypes].

4.6.7.  Accounting-Auth-Method AVP

The Accounting-Auth-Method AVP (AVP Code 406) is of type Enumerated. A NAS MAY include this AVP in an Accounting-Request message to indicate the method used to authenticate the user.
(Note that this 2275 AVP is semantically equivalent, and the supported values are 2276 identical, to the Microsoft MS-Acct-Auth-Type vendor-specific RADIUS 2277 attribute [RFC2548]). 2279 4.6.8. Acct-Delay-Time AVP 2281 The Acct-Delay-Time AVP (AVP Code 41) is of type Unsigned32 and 2282 indicates the number of seconds the Diameter client has been trying 2283 to send the Accounting-Request (ACR). The accounting server may 2284 subtract this value from the time when the ACR arrives at the server 2285 to calculate the approximate time of the event that caused the ACR to 2286 be generated. 2288 This AVP is not used for retransmissions at the transport level (TCP 2289 or SCTP). Rather, it may be used when an ACR command cannot be 2290 transmitted because there is no appropriate peer to transmit it to or 2291 was rejected because it could not be delivered. In these cases, the 2292 command MAY be buffered and transmitted later, when an appropriate 2293 peer-connection is available or after sufficient time has passed that 2294 the destination-host may be reachable and operational. If the ACR is 2295 re-sent in this way, the Acct-Delay-Time AVP SHOULD be included. The 2296 value of this AVP indicates the number of seconds that elapsed 2297 between the time of the first attempt at transmission and the current 2298 attempt. 2300 4.6.9. Acct-Link-Count AVP 2302 The Acct-Link-Count AVP (AVP Code 51) is of type Unsigned32 and 2303 indicates the total number of links that have been active (current or 2304 closed) in a given multilink session at the time the accounting 2305 record is generated. This AVP MAY be included in Accounting-Requests 2306 for any session that may be part of a multilink service. 2308 The Acct-Link-Count AVP may be used to make it easier for an 2309 accounting server to know when it has all the records for a given 2310 multilink service. 
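   The record-sequence rule of Section 4.6 (one START and one STOP per
   session with INTERIMs between them, or a single EVENT) and the Acct-
   Link-Count completeness rule stated next, worked as an added example
   that is not part of this draft and run over the eight-record table of
   this section.  The dict representation of an ACR, the helper names
   (session_state, multilink_complete, audit, as_records) and the reuse
   of the draft's abbreviated "...NN" identifiers as sample data are
   assumptions made for the example; the Accounting-Record-Type values
   are the ones the Diameter base protocol assigns.

```python
"""Bookkeeping checks for NAS accounting records (Sections 4.6 and 4.6.9).

Added example, not code from the draft.  Each ACR is modelled as a dict of
the AVPs that matter here; the helper names and the sample data are
constructed for the example.  Accounting-Record-Type values are the ones
assigned in the Diameter base protocol.
"""
from collections import defaultdict

EVENT_RECORD, START_RECORD, INTERIM_RECORD, STOP_RECORD = 1, 2, 3, 4


def session_state(records):
    """Classify the ACRs seen so far for one Session-Id.

    Returns "event", "open", "closed" or "invalid".  Records are examined
    in arrival order (sort by Accounting-Record-Number first if the path
    may reorder them).  Anything other than one START, any number of
    INTERIMs and at most one final STOP, or a lone EVENT, is "invalid":
    a second START or a STOP without a START is a replayed or forged
    record, not a new session, and should be logged rather than billed.
    """
    types = [r["Accounting-Record-Type"] for r in records]
    if types == [EVENT_RECORD]:
        return "event"
    if not types or types[0] != START_RECORD:
        return "invalid"
    body = types[1:]
    if EVENT_RECORD in body or START_RECORD in body:
        return "invalid"
    if STOP_RECORD not in body:
        return "open"
    # Exactly one STOP, and it must be the last record received.
    if body.count(STOP_RECORD) != 1 or body[-1] != STOP_RECORD:
        return "invalid"
    return "closed"


def multilink_complete(records):
    """Acct-Link-Count rule: all STOP_RECORDs for a multilink service have
    arrived once the number of STOP_RECORDs with distinct Session-Ids
    equals the largest Acct-Link-Count carried by those STOP_RECORDs.
    `records` are all ACRs sharing one Acct-Multi-Session-Id."""
    stops = [r for r in records if r["Accounting-Record-Type"] == STOP_RECORD]
    if not stops:
        return False
    stopped_sessions = {r["Session-Id"] for r in stops}
    expected_links = max(r.get("Acct-Link-Count", 0) for r in stops)
    return expected_links > 0 and len(stopped_sessions) == expected_links


def audit(acrs):
    """Group ACRs by Session-Id and Acct-Multi-Session-Id and apply both
    rules.  Returns ({Session-Id: state}, {Acct-Multi-Session-Id: done})."""
    by_session = defaultdict(list)
    by_multi = defaultdict(list)
    for r in acrs:
        by_session[r["Session-Id"]].append(r)
        if "Acct-Multi-Session-Id" in r:
            by_multi[r["Acct-Multi-Session-Id"]].append(r)
    return ({sid: session_state(rs) for sid, rs in by_session.items()},
            {mid: multilink_complete(rs) for mid, rs in by_multi.items()})


def as_records(rows):
    """Build ACR dicts from (Acct-Multi-Session-Id, Session-Id,
    Accounting-Record-Type, Acct-Link-Count) tuples."""
    return [{"Acct-Multi-Session-Id": m, "Session-Id": s,
             "Accounting-Record-Type": t, "Acct-Link-Count": c}
            for m, s, t, c in rows]


# The draft's eight-record multilink example, as constructed sample data;
# the "...NN" strings are the draft's own abbreviated identifiers.
SAMPLE_MULTILINK = [
    ("...10", "...10", START_RECORD, 1),
    ("...10", "...11", START_RECORD, 2),
    ("...10", "...11", STOP_RECORD, 2),
    ("...10", "...12", START_RECORD, 3),
    ("...10", "...13", START_RECORD, 4),
    ("...10", "...12", STOP_RECORD, 4),
    ("...10", "...13", STOP_RECORD, 4),
    ("...10", "...10", STOP_RECORD, 4),
]

if __name__ == "__main__":
    # Replay the table one record at a time; completeness flips to True
    # only on the eighth record, when four distinct sessions have stopped
    # and the largest Acct-Link-Count among the STOPs is also four.
    for n in range(1, len(SAMPLE_MULTILINK) + 1):
        sessions, multis = audit(as_records(SAMPLE_MULTILINK[:n]))
        print(n, sessions, "complete" if multis["...10"] else "incomplete")
```

   Note that the rule counts distinct Session-Ids among the STOP records,
   so a duplicated STOP for the same link (a retransmission or a replay)
   does not make the service look complete early.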
   When the number of Accounting-Requests received with Accounting-
   Record-Type = STOP_RECORD and with the same Acct-Multi-Session-Id and
   unique Session-Ids equals the largest value of Acct-Link-Count seen in
   those Accounting-Requests, all STOP_RECORD Accounting-Requests for
   that multilink service have been received.

   The following example, showing eight Accounting-Requests, illustrates
   how the Acct-Link-Count AVP is used.  In the table below, only the
   relevant AVPs are shown, although additional AVPs containing
   accounting information will be present in the Accounting-Requests.

      Acct-Multi-                 Accounting-     Acct-
      Session-Id    Session-Id    Record-Type     Link-Count
      --------------------------------------------------------
      "...10"       "...10"       START_RECORD    1
      "...10"       "...11"       START_RECORD    2
      "...10"       "...11"       STOP_RECORD     2
      "...10"       "...12"       START_RECORD    3
      "...10"       "...13"       START_RECORD    4
      "...10"       "...12"       STOP_RECORD     4
      "...10"       "...13"       STOP_RECORD     4
      "...10"       "...10"       STOP_RECORD     4

4.6.10.  Acct-Tunnel-Connection AVP

   The Acct-Tunnel-Connection AVP (AVP Code 68) is of type OctetString
   and contains the identifier assigned to the tunnel session.  This
   AVP, along with the Tunnel-Client-Endpoint (Section 4.5.4) and
   Tunnel-Server-Endpoint (Section 4.5.5) AVPs, may be used to provide a
   means to uniquely identify a tunnel session for auditing purposes.

   The format of the identifier in this AVP depends upon the value of
   the Tunnel-Type AVP (Section 4.5.2).  For example, to identify an
   L2TP tunnel connection fully, the L2TP Tunnel Id and Call Id might be
   encoded in this field.  The exact encoding of this field is
   implementation dependent.

4.6.11.  Acct-Tunnel-Packets-Lost AVP

   The Acct-Tunnel-Packets-Lost AVP (AVP Code 86) is of type Unsigned32
   and contains the number of packets lost on a given tunnel.

5.  AVP Occurrence Tables

   The following tables present the AVPs used by NAS applications in NAS
   messages and specify in which Diameter messages they may or may not
   be present.  Messages and AVPs defined in the base Diameter protocol
   [I-D.ietf-dime-rfc3588bis] are not described in this document.  Note
   that AVPs that can only be present within a Grouped AVP are not
   represented in these tables.

   The tables use the following symbols:

   0     The AVP MUST NOT be present in the message.
   0+    Zero or more instances of the AVP MAY be present in the
         message.
   0-1   Zero or one instance of the AVP MAY be present in the
         message.
   1     Exactly one instance of the AVP MUST be present in the
         message.

5.1.  AA-Request/Answer AVP Table

   The table in this section is limited to the Command Codes defined in
   this specification.

                                 +-----------+
                                 |  Command  |
                                 |-----+-----+
   Attribute Name                | AAR | AAA |
   ------------------------------|-----+-----+
   Acct-Interim-Interval         |  0  | 0-1 |
   ARAP-Challenge-Response       |  0  | 0-1 |
   ARAP-Features                 |  0  | 0-1 |
   ARAP-Password                 | 0-1 |  0  |
   ARAP-Security                 | 0-1 | 0-1 |
   ARAP-Security-Data            |  0+ |  0+ |
   ARAP-Zone-Access              |  0  | 0-1 |
   Auth-Application-Id           |  1  |  1  |
   Auth-Grace-Period             | 0-1 | 0-1 |
   Auth-Request-Type             |  1  |  1  |
   Auth-Session-State            | 0-1 | 0-1 |
   Authorization-Lifetime        | 0-1 | 0-1 |
   Callback-Id                   |  0  | 0-1 |
   Callback-Number               | 0-1 | 0-1 |
   Called-Station-Id             | 0-1 |  0  |
   Calling-Station-Id            | 0-1 |  0  |
   CHAP-Auth                     | 0-1 |  0  |
   CHAP-Challenge                | 0-1 |  0  |
   Class                         |  0  |  0+ |
   Configuration-Token           |  0  |  0+ |
   Connect-Info                  |  0+ |  0  |
   Destination-Host              | 0-1 |  0  |
   Destination-Realm             |  1  |  0  |
   Error-Message                 |  0  | 0-1 |
   Error-Reporting-Host          |  0  | 0-1 |
   Failed-AVP                    |  0+ |  0+ |
   Filter-Id                     |  0  |  0+ |
   Framed-AppleTalk-Link         |  0  | 0-1 |
   Framed-AppleTalk-Network      |  0  |  0+ |
   Framed-AppleTalk-Zone         |  0  | 0-1 |
   Framed-Compression            |  0+ |  0+ |
   Framed-Interface-Id           | 0-1 | 0-1 |
   Framed-IP-Address             | 0-1 | 0-1 |
   Framed-IP-Netmask             | 0-1 | 0-1 |
   Framed-IPv6-Prefix            |  0+ |  0+ |
   Framed-IPv6-Pool              |  0  | 0-1 |
   Framed-IPv6-Route             |  0  |  0+ |
   Framed-IPX-Network            |  0  | 0-1 |
   Framed-MTU                    | 0-1 | 0-1 |
   Framed-Pool                   |  0  | 0-1 |
   Framed-Protocol               | 0-1 | 0-1 |
   Framed-Route                  |  0  |  0+ |
   Framed-Routing                |  0  | 0-1 |
   Idle-Timeout                  |  0  | 0-1 |
   Login-IP-Host                 |  0+ |  0+ |
   Login-IPv6-Host               |  0+ |  0+ |
   Login-LAT-Group               | 0-1 | 0-1 |
   Login-LAT-Node                | 0-1 | 0-1 |
   Login-LAT-Port                | 0-1 | 0-1 |
   Login-LAT-Service             | 0-1 | 0-1 |
   Login-Service                 |  0  | 0-1 |
   Login-TCP-Port                |  0  | 0-1 |
   Multi-Round-Time-Out          |  0  | 0-1 |
   NAS-Filter-Rule               |  0  |  0+ |
   NAS-Identifier                | 0-1 |  0  |
   NAS-IP-Address                | 0-1 |  0  |
   NAS-IPv6-Address              | 0-1 |  0  |
   NAS-Port                      | 0-1 |  0  |
   NAS-Port-Id                   | 0-1 |  0  |
   NAS-Port-Type                 | 0-1 |  0  |
   Origin-AAA-Protocol           | 0-1 | 0-1 |
   Origin-Host                   |  1  |  1  |
   Origin-Realm                  |  1  |  1  |
   Origin-State-Id               | 0-1 | 0-1 |
   Originating-Line-Info         | 0-1 |  0  |
   Password-Retry                |  0  | 0-1 |
   Port-Limit                    | 0-1 | 0-1 |
   Prompt                        |  0  | 0-1 |
   Proxy-Info                    |  0+ |  0+ |
   QoS-Filter-Rule               |  0  |  0+ |
   Re-Auth-Request-Type          |  0  | 0-1 |
   Redirect-Host                 |  0  |  0+ |
   Redirect-Host-Usage           |  0  | 0-1 |
   Redirect-Max-Cache-Time       |  0  | 0-1 |
   Reply-Message                 |  0  |  0+ |
   Result-Code                   |  0  |  1  |
   Route-Record                  |  0+ |  0  |
   Service-Type                  | 0-1 | 0-1 |
   Session-Id                    |  1  |  1  |
   Session-Timeout               |  0  | 0-1 |
   State                         | 0-1 | 0-1 |
   Tunneling                     |  0+ |  0+ |
   User-Name                     | 0-1 | 0-1 |
   User-Password                 | 0-1 |  0  |
   ------------------------------|-----+-----+

5.2.  Accounting AVP Tables

   The tables in this section are used to show which AVPs defined in
   this document are to be present and used in NAS application
   Accounting messages.  These AVPs are defined in this document, as
   well as in [I-D.ietf-dime-rfc3588bis] and [RFC2866].

5.2.1.  Framed Access Accounting AVP Table

   The table in this section is used when the Service-Type AVP
   (Section 4.4.1) specifies Framed Access.

                                          +-----------+
                                          |  Command  |
                                          |-----+-----+
   Attribute Name                         | ACR | ACA |
   ---------------------------------------|-----+-----+
   Accounting-Auth-Method                 | 0-1 |  0  |
   Accounting-Input-Octets                |  1  |  0  |
   Accounting-Input-Packets               |  1  |  0  |
   Accounting-Output-Octets               |  1  |  0  |
   Accounting-Output-Packets              |  1  |  0  |
   Accounting-Record-Number               | 0-1 | 0-1 |
   Accounting-Record-Type                 |  1  |  1  |
   Accounting-Realtime-Required           | 0-1 | 0-1 |
   Accounting-Sub-Session-Id              | 0-1 | 0-1 |
   Acct-Application-Id                    | 0-1 | 0-1 |
   Acct-Session-Id                        |  1  | 0-1 |
   Acct-Multi-Session-Id                  | 0-1 | 0-1 |
   Acct-Authentic                         |  1  |  0  |
   Acct-Delay-Time                        | 0-1 |  0  |
   Acct-Interim-Interval                  | 0-1 | 0-1 |
   Acct-Link-Count                        | 0-1 |  0  |
   Acct-Session-Time                      |  1  |  0  |
   Acct-Tunnel-Connection                 | 0-1 |  0  |
   Acct-Tunnel-Packets-Lost               | 0-1 |  0  |
   Authorization-Lifetime                 | 0-1 |  0  |
   Callback-Id                            | 0-1 |  0  |
   Callback-Number                        | 0-1 |  0  |
   Called-Station-Id                      | 0-1 |  0  |
   Calling-Station-Id                     | 0-1 |  0  |
   Class                                  |  0+ |  0+ |
   Connect-Info                           |  0+ |  0  |
   Destination-Host                       | 0-1 |  0  |
   Destination-Realm                      |  1  |  0  |
   Event-Timestamp                        | 0-1 | 0-1 |
   Error-Message                          |  0  | 0-1 |
   Error-Reporting-Host                   |  0  | 0-1 |
   Failed-AVP                             |  0  |  0+ |
   Framed-AppleTalk-Link                  | 0-1 |  0  |
   Framed-AppleTalk-Network               | 0-1 |  0  |
   Framed-AppleTalk-Zone                  | 0-1 |  0  |
   Framed-Compression                     | 0-1 |  0  |
   Framed-IP-Address                      | 0-1 |  0  |
   Framed-IP-Netmask                      | 0-1 |  0  |
   Framed-IPv6-Prefix                     |  0+ |  0  |
   Framed-IPv6-Pool                       | 0-1 |  0  |
   Framed-IPX-Network                     | 0-1 |  0  |
   Framed-MTU                             | 0-1 |  0  |
   Framed-Pool                            | 0-1 |  0  |
   Framed-Protocol                        | 0-1 |  0  |
   Framed-Route                           | 0-1 |  0  |
   Framed-Routing                         | 0-1 |  0  |
   NAS-Filter-Rule                        |  0+ |  0  |
   NAS-Identifier                         | 0-1 | 0-1 |
   NAS-IP-Address                         | 0-1 | 0-1 |
   NAS-IPv6-Address                       | 0-1 | 0-1 |
   NAS-Port                               | 0-1 | 0-1 |
   NAS-Port-Id                            | 0-1 | 0-1 |
   NAS-Port-Type                          | 0-1 | 0-1 |
   Origin-AAA-Protocol                    | 0-1 | 0-1 |
   Origin-Host                            |  1  |  1  |
   Origin-Realm                           |  1  |  1  |
   Origin-State-Id                        | 0-1 | 0-1 |
   Originating-Line-Info                  | 0-1 |  0  |
   Proxy-Info                             |  0+ |  0+ |
   QoS-Filter-Rule                        |  0+ |  0  |
   Route-Record                           |  0+ |  0  |
   Result-Code                            |  0  |  1  |
   Service-Type                           | 0-1 | 0-1 |
   Session-Id                             |  1  |  1  |
   Termination-Cause                      | 0-1 | 0-1 |
   Tunnel-Assignment-Id                   | 0-1 |  0  |
   Tunnel-Client-Endpoint                 | 0-1 |  0  |
   Tunnel-Medium-Type                     | 0-1 |  0  |
   Tunnel-Private-Group-Id                | 0-1 |  0  |
   Tunnel-Server-Endpoint                 | 0-1 |  0  |
   Tunnel-Type                            | 0-1 |  0  |
   User-Name                              | 0-1 | 0-1 |
   Vendor-Specific-Application-Id         | 0-1 | 0-1 |
   ---------------------------------------|-----+-----+

5.2.2.  Non-Framed Access Accounting AVP Table

   The table in this section is used when the Service-Type AVP
   (Section 4.4.1) specifies Non-Framed Access.
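   A message-level check built from the occurrence rules of this
   section, as an added example that is not part of the draft: it
   encodes a subset of the Section 5.1 AA-Request/Answer table in the
   draft's own "0", "0+", "0-1" and "1" notation and rejects a message
   whose AVP counts fall outside it.  This is how a server catches an
   AAR that smuggles in answer-only AVPs such as Framed-Route or NAS-
   Filter-Rule, and how a client catches an AAA that echoes
   User-Password.  The table subset, the treatment of AVPs not in the
   subset as "0+", the helper names and the sample messages are
   assumptions made for the example; the accounting tables above and
   below would be encoded the same way.

```python
"""Occurrence-table validation for NAS application messages (Section 5).

Added example, not code from the draft.  AA_TABLE encodes a subset of the
Section 5.1 AA-Request/Answer table in the draft's own notation.  AVPs
outside the subset are treated as "0+" here, which is an assumption; a
complete implementation carries the whole table.  The sample messages are
constructed.
"""
from collections import Counter

# AVP name -> (rule in AAR, rule in AAA), copied from the Section 5.1 table.
AA_TABLE = {
    "Auth-Application-Id": ("1",   "1"),
    "Auth-Request-Type":   ("1",   "1"),
    "Destination-Realm":   ("1",   "0"),
    "Origin-Host":         ("1",   "1"),
    "Origin-Realm":        ("1",   "1"),
    "Session-Id":          ("1",   "1"),
    "Result-Code":         ("0",   "1"),
    "User-Name":           ("0-1", "0-1"),
    "User-Password":       ("0-1", "0"),
    "CHAP-Auth":           ("0-1", "0"),
    "CHAP-Challenge":      ("0-1", "0"),
    "Framed-IP-Address":   ("0-1", "0-1"),
    "Framed-Route":        ("0",   "0+"),
    "NAS-Filter-Rule":     ("0",   "0+"),
    "Filter-Id":           ("0",   "0+"),
    "Class":               ("0",   "0+"),
    "Reply-Message":       ("0",   "0+"),
    "Proxy-Info":          ("0+",  "0+"),
    "Route-Record":        ("0+",  "0"),
}

# Meaning of the table symbols as (minimum, maximum) counts; None = no bound.
RULE_BOUNDS = {"0": (0, 0), "0+": (0, None), "0-1": (0, 1), "1": (1, 1)}
COLUMN = {"AAR": 0, "AAA": 1}


def check_occurrences(command, avp_names, table=AA_TABLE):
    """Return the list of rule violations for one message (empty if none).

    command: "AAR" or "AAA".  avp_names: the names of the AVPs present in
    the message, repeated as often as the AVP appears.  Every AVP in the
    table is checked, so a missing mandatory AVP is reported as well as a
    forbidden or over-repeated one.
    """
    col = COLUMN[command]
    counts = Counter(avp_names)
    violations = []
    for name, rules in table.items():
        rule = rules[col]
        lo, hi = RULE_BOUNDS[rule]
        n = counts.get(name, 0)
        if n < lo:
            violations.append(f"{command}: {name} required (rule {rule}) but absent")
        elif hi is not None and n > hi:
            violations.append(f"{command}: {name} appears {n} times (rule {rule})")
    return violations


def accept(command, avp_names):
    """True when the message satisfies every encoded occurrence rule."""
    return not check_occurrences(command, avp_names)


# Constructed AAR/AAA pair for a PAP login; only AVP names are modelled.
GOOD_AAR = ["Session-Id", "Auth-Application-Id", "Origin-Host", "Origin-Realm",
            "Destination-Realm", "Auth-Request-Type", "User-Name",
            "User-Password", "Route-Record", "Route-Record"]
GOOD_AAA = ["Session-Id", "Auth-Application-Id", "Auth-Request-Type",
            "Result-Code", "Origin-Host", "Origin-Realm", "Framed-IP-Address",
            "Framed-Route", "Framed-Route", "Class"]
# A NAS trying to assert its own route (and repeating User-Name), and an
# answer that leaks the password back toward the client.
BAD_AAR = GOOD_AAR + ["Framed-Route", "User-Name"]
BAD_AAA = GOOD_AAA + ["User-Password"]

if __name__ == "__main__":
    for cmd, msg in (("AAR", GOOD_AAR), ("AAA", GOOD_AAA),
                     ("AAR", BAD_AAR), ("AAA", BAD_AAA)):
        print(cmd, "ok" if accept(cmd, msg) else check_occurrences(cmd, msg))
```

   A receiver that applies this check before acting on a message answers
   with the base protocol's Failed-AVP mechanism rather than silently
   ignoring the offending AVP; the point is that an AVP the table marks
   "0" never reaches the code that would honor it.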
                                          +-----------+
                                          |  Command  |
                                          |-----+-----+
   Attribute Name                         | ACR | ACA |
   ---------------------------------------|-----+-----+
   Accounting-Auth-Method                 | 0-1 |  0  |
   Accounting-Input-Octets                |  1  |  0  |
   Accounting-Output-Octets               |  1  |  0  |
   Accounting-Record-Type                 |  1  |  1  |
   Accounting-Record-Number               | 0-1 | 0-1 |
   Accounting-Realtime-Required           | 0-1 | 0-1 |
   Accounting-Sub-Session-Id              | 0-1 | 0-1 |
   Acct-Application-Id                    | 0-1 | 0-1 |
   Acct-Session-Id                        |  1  | 0-1 |
   Acct-Multi-Session-Id                  | 0-1 | 0-1 |
   Acct-Authentic                         |  1  |  0  |
   Acct-Delay-Time                        | 0-1 |  0  |
   Acct-Interim-Interval                  | 0-1 | 0-1 |
   Acct-Link-Count                        | 0-1 |  0  |
   Acct-Session-Time                      |  1  |  0  |
   Authorization-Lifetime                 | 0-1 |  0  |
   Callback-Id                            | 0-1 |  0  |
   Callback-Number                        | 0-1 |  0  |
   Called-Station-Id                      | 0-1 |  0  |
   Calling-Station-Id                     | 0-1 |  0  |
   Class                                  |  0+ |  0+ |
   Connect-Info                           |  0+ |  0  |
   Destination-Host                       | 0-1 |  0  |
   Destination-Realm                      |  1  |  0  |
   Event-Timestamp                        | 0-1 | 0-1 |
   Error-Message                          |  0  | 0-1 |
   Error-Reporting-Host                   |  0  | 0-1 |
   Failed-AVP                             |  0  |  0+ |
   Login-IP-Host                          |  0+ |  0  |
   Login-IPv6-Host                        |  0+ |  0  |
   Login-LAT-Service                      | 0-1 |  0  |
   Login-LAT-Node                         | 0-1 |  0  |
   Login-LAT-Group                        | 0-1 |  0  |
   Login-LAT-Port                         | 0-1 |  0  |
   Login-Service                          | 0-1 |  0  |
   Login-TCP-Port                         | 0-1 |  0  |
   NAS-Identifier                         | 0-1 | 0-1 |
   NAS-IP-Address                         | 0-1 | 0-1 |
   NAS-IPv6-Address                       | 0-1 | 0-1 |
   NAS-Port                               | 0-1 | 0-1 |
   NAS-Port-Id                            | 0-1 | 0-1 |
   NAS-Port-Type                          | 0-1 | 0-1 |
   Origin-AAA-Protocol                    | 0-1 | 0-1 |
   Origin-Host                            |  1  |  1  |
   Origin-Realm                           |  1  |  1  |
   Origin-State-Id                        | 0-1 | 0-1 |
   Originating-Line-Info                  | 0-1 |  0  |
   Proxy-Info                             |  0+ |  0+ |
   QoS-Filter-Rule                        |  0+ |  0  |
   Route-Record                           |  0+ |  0  |
   Result-Code                            |  0  |  1  |
   Session-Id                             |  1  |  1  |
   Service-Type                           | 0-1 | 0-1 |
   Termination-Cause                      | 0-1 | 0-1 |
   User-Name                              | 0-1 | 0-1 |
   Vendor-Specific-Application-Id         | 0-1 | 0-1 |
   ---------------------------------------|-----+-----+

6.  IANA Considerations

   This section provides guidance to the Internet Assigned Numbers
   Authority (IANA) regarding registration of values related to the
   Diameter protocol, in accordance with BCP 26 [RFC5226].

   This document defines values in the namespaces that have been created
   and defined in the Diameter Base [I-D.ietf-dime-rfc3588bis].  The
   IANA Considerations section of that document details the assignment
   criteria.  Values assigned in this document, or by future IANA
   action, must be coordinated within this shared namespace.

6.1.  Command Codes

   This specification assigns the value 265 from the Command Code
   namespace defined in [I-D.ietf-dime-rfc3588bis].  See Sections 3.1
   and 3.2 for the assignment of the namespace in this specification.

6.2.  AVP Codes

   This specification assigns the values 363 - 366 and 400 - 408 from
   the AVP Code namespace defined in [I-D.ietf-dime-rfc3588bis].  See
   Section 4 for the assignment of the namespace in this specification.
   Note that the values 363 - 366 are jointly, but consistently,
   assigned in [RFC4004].  This document also creates one new namespace
   to be managed by IANA, as described in Section 6.5.

   This specification also specifies the use of AVPs in the 0 - 255
   range, which are listed in [RADIUSTypes].  These values are assigned
   according to the policy stated in Section 6 of [RFC2865], as amended
   by [RFC3575].

6.3.  Application Identifier

   This specification uses the value one (1) in the Application
   Identifier namespace as assigned in [I-D.ietf-dime-rfc3588bis].  See
   Section 1.3 above for more information.

6.4.  CHAP-Algorithm AVP Values

   As defined in Section 4.3.4, the CHAP-Algorithm AVP (AVP Code 403)
   uses the values of the "PPP AUTHENTICATION ALGORITHMS" namespace
   defined in [RFC1994].

6.5.  Accounting-Auth-Method AVP Values

   As defined in Section 4.6.7, the Accounting-Auth-Method AVP (AVP Code
   406) defines the values 1 - 5.  All remaining values are available
   for assignment via the IETF Review policy [RFC5226].

7.  Security Considerations

   This document describes the extension of Diameter for the NAS
   application.  The security considerations of the Diameter protocol
   itself are discussed in [I-D.ietf-dime-rfc3588bis].  Use of this
   application of Diameter MUST take into consideration the security
   issues and requirements of the Base protocol.

   This document does not contain a security protocol but does discuss
   how PPP authentication protocols can be carried within the Diameter
   protocol.  The PPP authentication protocols described are PAP and
   CHAP.

   The use of PAP SHOULD be discouraged, as it exposes users' passwords
   to possibly non-trusted entities.  However, PAP is also frequently
   used with One-Time Passwords, which do not present the same risk.

   This document also describes how CHAP can be carried within the
   Diameter protocol, which is required for RADIUS backward
   compatibility.  The CHAP protocol, as used in a RADIUS environment,
   facilitates authentication replay attacks.

   The use of the EAP authentication protocols [RFC4072] can offer
   better security, given a method suitable for the circumstances.

8.  References

8.1.  Normative References

   [ANITypes]                 NANPA Number Resource Info, "ANI
                              Assignments", .

   [I-D.ietf-dime-rfc3588bis] Fajardo, V., Arkko, J., Loughney, J., and
                              G. Zorn, "Diameter Base Protocol",
                              draft-ietf-dime-rfc3588bis-25 (work in
                              progress), September 2010.

   [RADIUSTypes]              IANA, "RADIUS Types", .

   [RFC1994]                  Simpson, W., "PPP Challenge Handshake
                              Authentication Protocol (CHAP)",
                              RFC 1994, August 1996.

   [RFC2119]                  Bradner, S., "Key words for use in RFCs
                              to Indicate Requirement Levels", BCP 14,
                              RFC 2119, March 1997.

   [RFC2865]                  Rigney, C., Willens, S., Rubens, A., and
                              W. Simpson, "Remote Authentication Dial
                              In User Service (RADIUS)", RFC 2865,
                              June 2000.

   [RFC3162]                  Aboba, B., Zorn, G., and D. Mitton,
                              "RADIUS and IPv6", RFC 3162, August 2001.

   [RFC3516]                  Nerenberg, L., "IMAP4 Binary Content
                              Extension", RFC 3516, April 2003.

   [RFC3539]                  Aboba, B. and J. Wood, "Authentication,
                              Authorization and Accounting (AAA)
                              Transport Profile", RFC 3539, June 2003.

   [RFC5226]                  Narten, T. and H. Alvestrand, "Guidelines
                              for Writing an IANA Considerations
                              Section in RFCs", BCP 26, RFC 5226,
                              May 2008.

8.2.  Informative References

   [ARAP]                     Apple Computer, "Apple Remote Access
                              Protocol (ARAP) Version 2.0 External
                              Reference Specification", R0612LL/B,
                              September 1994.

   [AppleTalk]                Sidhu, G., Andrews, R., and A.
                              Oppenheimer, "Inside AppleTalk", Second
                              Edition, Apple Computer, 1990.

   [IPX]                      Novell, Inc., "NetWare System Technical
                              Interface Overview", #883-000780-001,
                              June 1989.

   [ISO.8859-1.1987]          International Organization for
                              Standardization, "Information technology
                              - 8-bit single byte coded graphic -
                              character sets - Part 1: Latin alphabet
                              No. 1, JTC1/SC2", ISO Standard 8859-1,
                              1987.

   [LAT]                      Digital Equipment Corp., "Local Area
                              Transport (LAT) Specification V5.0",
                              AA-NL26A-TE, June 1989.

   [RFC1334]                  Lloyd, B. and W. Simpson, "PPP
                              Authentication Protocols", RFC 1334,
                              October 1992.

   [RFC1661]                  Simpson, W., "The Point-to-Point Protocol
                              (PPP)", STD 51, RFC 1661, July 1994.

   [RFC1990]                  Sklower, K., Lloyd, B., McGregor, G.,
                              Carr, D., and T. Coradetti, "The PPP
                              Multilink Protocol (MP)", RFC 1990,
                              August 1996.

   [RFC2474]                  Nichols, K., Blake, S., Baker, F., and D.
                              Black, "Definition of the Differentiated
                              Services Field (DS Field) in the IPv4 and
                              IPv6 Headers", RFC 2474, December 1998.

   [RFC2548]                  Zorn, G., "Microsoft Vendor-specific
                              RADIUS Attributes", RFC 2548, March 1999.

   [RFC2597]                  Heinanen, J., Baker, F., Weiss, W., and
                              J. Wroclawski, "Assured Forwarding PHB
                              Group", RFC 2597, June 1999.

   [RFC2637]                  Hamzeh, K., Pall, G., Verthein, W.,
                              Taarud, J., Little, W., and G. Zorn,
                              "Point-to-Point Tunneling Protocol",
                              RFC 2637, July 1999.

   [RFC2661]                  Townsley, W., Valencia, A., Rubens, A.,
                              Pall, G., Zorn, G., and B. Palter, "Layer
                              Two Tunneling Protocol "L2TP"", RFC 2661,
                              August 1999.

   [RFC2866]                  Rigney, C., "RADIUS Accounting",
                              RFC 2866, June 2000.

   [RFC2867]                  Zorn, G., Aboba, B., and D. Mitton,
                              "RADIUS Accounting Modifications for
                              Tunnel Protocol Support", RFC 2867,
                              June 2000.

   [RFC2868]                  Zorn, G., Leifer, D., Rubens, A.,
                              Shriver, J., Holdrege, M., and I. Goyret,
                              "RADIUS Attributes for Tunnel Protocol
                              Support", RFC 2868, June 2000.

   [RFC2869]                  Rigney, C., Willats, W., and P. Calhoun,
                              "RADIUS Extensions", RFC 2869, June 2000.

   [RFC2881]                  Mitton, D. and M. Beadles, "Network
                              Access Server Requirements Next
                              Generation (NASREQNG) NAS Model",
                              RFC 2881, July 2000.

   [RFC2989]                  Aboba, B., Calhoun, P., Glass, S.,
                              Hiller, T., McCann, P., Shiino, H.,
                              Walsh, P., Zorn, G., Dommety, G.,
                              Perkins, C., Patil, B., Mitton, D.,
                              Manning, S., Beadles, M., Chen, X.,
                              Sivalingham, S., Hameed, A., Munson, M.,
                              Jacobs, S., Lim, B., Hirschman, B., Hsu,
                              R., Koo, H., Lipford, M., Campbell, E.,
                              Xu, Y., Baba, S., and E. Jaques,
                              "Criteria for Evaluating AAA Protocols
                              for Network Access", RFC 2989,
                              November 2000.

   [RFC3169]                  Beadles, M. and D. Mitton, "Criteria for
                              Evaluating Network Access Server
                              Protocols", RFC 3169, September 2001.

   [RFC3246]                  Davie, B., Charny, A., Bennet, J.,
                              Benson, K., Le Boudec, J., Courtney, W.,
                              Davari, S., Firoiu, V., and D. Stiliadis,
                              "An Expedited Forwarding PHB (Per-Hop
                              Behavior)", RFC 3246, March 2002.

   [RFC3575]                  Aboba, B., "IANA Considerations for
                              RADIUS (Remote Authentication Dial In
                              User Service)", RFC 3575, July 2003.

   [RFC3580]                  Congdon, P., Aboba, B., Smith, A., Zorn,
                              G., and J. Roese, "IEEE 802.1X Remote
                              Authentication Dial In User Service
                              (RADIUS) Usage Guidelines", RFC 3580,
                              September 2003.

   [RFC4004]                  Calhoun, P., Johansson, T., Perkins, C.,
                              Hiller, T., and P. McCann, "Diameter
                              Mobile IPv4 Application", RFC 4004,
                              August 2005.

   [RFC4072]                  Eronen, P., Hiller, T., and G. Zorn,
                              "Diameter Extensible Authentication
                              Protocol (EAP) Application", RFC 4072,
                              August 2005.

Appendix A.  Acknowledgements

A.1.  RFC 4005

   The authors would like to thank Carl Rigney, Allan C. Rubens, William
   Allen Simpson, and Steve Willens for their work on the original
   RADIUS protocol, from which many of the concepts in this
   specification were derived.
   Thanks, also, to Carl Rigney for [RFC2866] and [RFC2869]; Ward
   Willats for [RFC2869]; Glen Zorn, Bernard Aboba, and Dave Mitton for
   [RFC2867] and [RFC3162]; and Dory Leifer, John Shriver, Matt
   Holdrege, Allan Rubens, Glen Zorn and Ignacio Goyret for their work
   on [RFC2868].  This document stole text and concepts from both
   [RFC2868] and [RFC2869].  Thanks go to Carl Williams for providing
   IPv6-specific text.

   The authors would also like to acknowledge the following people for
   their contributions in the development of the Diameter protocol:
   Bernard Aboba, Jari Arkko, William Bulley, Kuntal Chowdhury, Daniel
   C. Fox, Lol Grant, Nancy Greene, Jeff Hagg, Peter Heitman, Paul
   Krumviede, Fergal Ladley, Ryan Moats, Victor Muslin, Kenneth Peirce,
   Sumit Vakil, John R. Vollbrecht, and Jeff Weisberg.

   Finally, Pat Calhoun would like to thank Sun Microsystems, as most of
   the effort put into this document was done while he was in their
   employ.

A.2.  RFC 4005bis

   The vast majority of the text in this document was lifted directly
   from RFC 4005; the editor owes a debt of gratitude to the authors
   thereof (especially Dave Mitton, who somehow managed to make nroff
   paginate the AVP Occurrence Tables correctly!).

   Thanks (in no particular order) to Jai-Jin Lim, Liu Hans, Sebastien
   Decugis and Stefan Winter for their useful reviews and helpful
   comments.

Author's Address

   Glen Zorn
   Network Zen
   227/358 Thanon Sanphawut
   Bang Na, Bangkok 10260
   Thailand

   Phone: +66 (0) 87-040-4617
   EMail: gwz@net-zen.net