idnits 2.17.1 draft-ietf-dime-rfc4005bis-06.txt:

Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info):
  No issues found here.

Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  No issues found here.

Checking nits according to https://www.ietf.org/id-info/checklist:
  == There are 7 instances of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed.
  -- The document has examples using IPv4 documentation addresses according to RFC6890, but does not use any IPv6 documentation addresses. Maybe there should be IPv6 examples, too?

Miscellaneous warnings:
  == The copyright year in the IETF Trust and authors Copyright Line does not match the current year
  -- The document date (January 3, 2012) is 4496 days in the past. Is this intentional?

Checking references for intended status: Proposed Standard
  (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs)
  -- Possible downref: Non-RFC (?) normative reference: ref. 'ANITypes'
  == Outdated reference: A later version (-34) exists of draft-ietf-dime-rfc3588bis-29
  -- Possible downref: Non-RFC (?) normative reference: ref. 'RADIUSTypes'
  -- Obsolete informational reference (is this intentional?): RFC 1334 (Obsoleted by RFC 1994)
  -- Obsolete informational reference (is this intentional?): RFC 5246 (Obsoleted by RFC 8446)

Summary: 0 errors (**), 0 flaws (~~), 3 warnings (==), 6 comments (--).
Run idnits with the --verbose option for more detailed information about the items above.

--------------------------------------------------------------------------------

Network Working Group                                            G. Zorn
Internet-Draft                                               Network Zen
Obsoletes: 4005 (if approved)                            January 3, 2012
Intended status: Standards Track
Expires: July 6, 2012

                Diameter Network Access Server Application
                      draft-ietf-dime-rfc4005bis-06

Abstract

This document describes the Diameter protocol application used for Authentication, Authorization, and Accounting (AAA) services in the Network Access Server (NAS) environment; it obsoletes RFC 4005. When combined with the Diameter Base protocol, Transport Profile, and Extensible Authentication Protocol specifications, this application specification satisfies typical network access services requirements.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on July 6, 2012.

Copyright Notice

Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

1. Introduction
   1.1. Terminology
   1.2. Requirements Language
   1.3. Advertising Application Support
2. NAS Calls, Ports, and Sessions
   2.1. Diameter Session Establishment
   2.2. Diameter Session Reauthentication or Reauthorization
   2.3. Diameter Session Termination
3. Diameter NAS Application Messages
   3.1. AA-Request (AAR) Command
   3.2. AA-Answer (AAA) Command
   3.3. Re-Auth-Request (RAR) Command
   3.4. Re-Auth-Answer (RAA) Command
   3.5. Session-Termination-Request (STR) Command
   3.6. Session-Termination-Answer (STA) Command
   3.7. Abort-Session-Request (ASR) Command
   3.8. Abort-Session-Answer (ASA) Command
   3.9. Accounting-Request (ACR) Command
   3.10. Accounting-Answer (ACA) Command
4. Diameter NAS Application AVPs
   4.1. Derived AVP Data Formats
      4.1.1. QoSFilterRule
   4.2. NAS Session AVPs
      4.2.1. Call and Session Information
      4.2.2. NAS-Port AVP
      4.2.3. NAS-Port-Id AVP
      4.2.4. NAS-Port-Type AVP
      4.2.5. Called-Station-Id AVP
      4.2.6. Calling-Station-Id AVP
      4.2.7. Connect-Info AVP
      4.2.8. Originating-Line-Info AVP
      4.2.9. Reply-Message AVP
   4.3. NAS Authentication AVPs
      4.3.1. User-Password AVP
      4.3.2. Password-Retry AVP
      4.3.3. Prompt AVP
      4.3.4. CHAP-Auth AVP
      4.3.5. CHAP-Algorithm AVP
      4.3.6. CHAP-Ident AVP
      4.3.7. CHAP-Response AVP
      4.3.8. CHAP-Challenge AVP
      4.3.9. ARAP-Password AVP
      4.3.10. ARAP-Challenge-Response AVP
      4.3.11. ARAP-Security AVP
      4.3.12. ARAP-Security-Data AVP
   4.4. NAS Authorization AVPs
      4.4.1. Service-Type AVP
      4.4.2. Callback-Number AVP
      4.4.3. Callback-Id AVP
      4.4.4. Idle-Timeout AVP
      4.4.5. Port-Limit AVP
      4.4.6. NAS-Filter-Rule AVP
      4.4.7. Filter-Id AVP
      4.4.8. Configuration-Token AVP
      4.4.9. QoS-Filter-Rule AVP
      4.4.10. Framed Access Authorization AVPs
         4.4.10.1. Framed-Protocol AVP
         4.4.10.2. Framed-Routing AVP
         4.4.10.3. Framed-MTU AVP
         4.4.10.4. Framed-Compression AVP
         4.4.10.5. IP Access Authorization AVPs
            4.4.10.5.1. Framed-IP-Address AVP
            4.4.10.5.2. Framed-IP-Netmask AVP
            4.4.10.5.3. Framed-Route AVP
            4.4.10.5.4. Framed-Pool AVP
            4.4.10.5.5. Framed-Interface-Id AVP
            4.4.10.5.6. Framed-IPv6-Prefix AVP
            4.4.10.5.7. Framed-IPv6-Route AVP
            4.4.10.5.8. Framed-IPv6-Pool AVP
         4.4.10.6. IPX Access AVPs
            4.4.10.6.1. Framed-IPX-Network AVP
         4.4.10.7. AppleTalk Network Access AVPs
            4.4.10.7.1. Framed-AppleTalk-Link AVP
            4.4.10.7.2. Framed-AppleTalk-Network AVP
            4.4.10.7.3. Framed-AppleTalk-Zone AVP
         4.4.10.8. AppleTalk Remote Access AVPs
            4.4.10.8.1. ARAP-Features AVP
            4.4.10.8.2. ARAP-Zone-Access AVP
      4.4.11. Non-Framed Access Authorization AVPs
         4.4.11.1. Login-IP-Host AVP
         4.4.11.2. Login-IPv6-Host AVP
         4.4.11.3. Login-Service AVP
         4.4.11.4. TCP Services
            4.4.11.4.1. Login-TCP-Port AVP
         4.4.11.5. LAT Services
            4.4.11.5.1. Login-LAT-Service AVP
            4.4.11.5.2. Login-LAT-Node AVP
            4.4.11.5.3. Login-LAT-Group AVP
            4.4.11.5.4. Login-LAT-Port AVP
   4.5. NAS Tunneling AVPs
      4.5.1. Tunneling AVP
      4.5.2. Tunnel-Type AVP
      4.5.3. Tunnel-Medium-Type AVP
      4.5.4. Tunnel-Client-Endpoint AVP
      4.5.5. Tunnel-Server-Endpoint AVP
      4.5.6. Tunnel-Password AVP
      4.5.7. Tunnel-Private-Group-Id AVP
      4.5.8. Tunnel-Assignment-Id AVP
      4.5.9. Tunnel-Preference AVP
      4.5.10. Tunnel-Client-Auth-Id AVP
      4.5.11. Tunnel-Server-Auth-Id AVP
   4.6. NAS Accounting AVPs
      4.6.1. Accounting-Input-Octets AVP
      4.6.2. Accounting-Output-Octets AVP
      4.6.3. Accounting-Input-Packets AVP
      4.6.4. Accounting-Output-Packets AVP
      4.6.5. Acct-Session-Time AVP
      4.6.6. Acct-Authentic AVP
      4.6.7. Accounting-Auth-Method AVP
      4.6.8. Acct-Delay-Time AVP
      4.6.9. Acct-Link-Count AVP
      4.6.10. Acct-Tunnel-Connection AVP
      4.6.11. Acct-Tunnel-Packets-Lost AVP
5. AVP Occurrence Tables
   5.1. AA-Request/Answer AVP Table
   5.2. Accounting AVP Tables
      5.2.1. Framed Access Accounting AVP Table
      5.2.2. Non-Framed Access Accounting AVP Table
6. IANA Considerations
7. Security Considerations
8. References
   8.1. Normative References
   8.2. Informative References
Appendix A. Acknowledgements
   A.1. RFC 4005
   A.2. RFC 4005bis

1. Introduction

This document describes the Diameter protocol application used for AAA in the Network Access Server (NAS) environment. When combined with the Diameter Base protocol [I-D.ietf-dime-rfc3588bis], Transport Profile [RFC3539], and EAP [RFC4072] specifications, this specification satisfies the NAS-related requirements defined in [RFC2989] and [RFC3169].

First, this document describes the operation of a Diameter NAS application. Then it defines the Diameter message Command-Codes. The following sections list the AVPs used in these messages, grouped by common usage. These are session identification, authentication, authorization, tunneling, and accounting. The authorization AVPs are further broken down by service type.

1.1. Terminology

Section 1.2 of the base Diameter specification [I-D.ietf-dime-rfc3588bis] defines most of the terminology used in this document.
Additionally, the following terms and acronyms are used in this application:

NAS (Network Access Server)
   A device that provides an access service for a user to a network. The service may be a network connection or a value-added service such as terminal emulation [RFC2881].

PPP (Point-to-Point Protocol)
   A multiprotocol serial datalink. PPP is the primary IP datalink used for dial-in NAS connection service [RFC1661].

CHAP (Challenge Handshake Authentication Protocol)
   An authentication process used in PPP [RFC1994].

PAP (Password Authentication Protocol)
   A deprecated PPP authentication process, but often used for backward compatibility [RFC1334].

SLIP (Serial Line Interface Protocol)
   A serial datalink that only supports IP. A design prior to PPP.

ARAP (Appletalk Remote Access Protocol)
   A serial datalink for accessing Appletalk networks [ARAP].

IPX (Internet Packet Exchange)
   The network protocol used by NetWare networks [IPX].

L2TP (Layer Two Tunneling Protocol)
   L2TP [RFC3931] provides a dynamic mechanism for tunneling Layer 2 "circuits" across a packet-oriented data network.

LAC (L2TP Access Concentrator)
   An L2TP Control Connection Endpoint being used to cross-connect an L2TP session directly to a data link [RFC3931].

LAT (Local Area Transport)
   A Digital Equipment Corp. LAN protocol for terminal services [LAT].

LCP (Link Control Protocol)
   One of the three major components of PPP [RFC1661]. LCP is used to automatically agree upon encapsulation format options, handle varying limits on sizes of packets, detect a looped-back link and other common misconfiguration errors, and terminate the link. Other optional facilities provided are authentication of the identity of its peer on the link, and determination of when a link is functioning properly and when it is failing.
PPTP (Point-to-Point Tunneling Protocol)
   A protocol which allows PPP to be tunneled through an IP network [RFC2637].

VPN (Virtual Private Network)
   In this document, this term is used to describe access services that use tunneling methods.

1.2. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

1.3. Advertising Application Support

Diameter applications conforming to this specification MUST advertise support by including the value of one (1) in the Auth-Application-Id of the Capabilities-Exchange-Request (CER), AA-Request (AAR), and AA-Answer (AAA) messages. All other messages use the Base application id value [I-D.ietf-dime-rfc3588bis].

2. NAS Calls, Ports, and Sessions

The arrival of a new call or service connection at a port of a Network Access Server (NAS) starts a Diameter NAS message exchange. Information about the call, the identity of the user, and the user's authentication information are packaged into a Diameter AA-Request (AAR) message and sent to a server.

The server processes the information and responds with a Diameter AA-Answer (AAA) message that contains authorization information for the NAS, or a failure code (Result-Code AVP). A value of DIAMETER_MULTI_ROUND_AUTH indicates an additional authentication exchange, and several AAR and AAA messages may be exchanged until the transaction completes.

Depending on the value of the Auth-Request-Type AVP, the Diameter protocol allows authorization-only requests that contain no authentication information from the client. This capability goes beyond the Call Check capabilities provided by RADIUS (Section 5.6 of [RFC2865]) in that no access decision is requested.
Consequently, service cannot be started on the basis of a response to an authorization-only request without introducing a significant security vulnerability.

2.1. Diameter Session Establishment

When the authentication or authorization exchange completes successfully, the NAS application SHOULD start a session context. If the Result-Code of DIAMETER_MULTI_ROUND_AUTH is returned, the exchange continues until a success or error is returned.

If accounting is active, the application MUST also send an Accounting message [I-D.ietf-dime-rfc3588bis]. An Accounting-Record-Type of START_RECORD is sent for a new session. If a session fails to start, the EVENT_RECORD message is sent with the reason for the failure described.

Note that the return of an unsupportable Accounting-Realtime-Required value [I-D.ietf-dime-rfc3588bis] would result in a failure to establish the session.

2.2. Diameter Session Reauthentication or Reauthorization

The Diameter Base protocol allows users to be periodically reauthenticated and/or reauthorized. In such instances, the Session-Id AVP in the AAR message MUST be the same as the one present in the original authentication/authorization message.

A Diameter server informs the NAS of the maximum time allowed before reauthentication or reauthorization via the Authorization-Lifetime AVP [I-D.ietf-dime-rfc3588bis]. A NAS MAY reauthenticate and/or reauthorize before the end, but a NAS MUST reauthenticate and/or reauthorize at the end of the period provided by the Authorization-Lifetime AVP. The failure of a reauthentication exchange will terminate the service.

Furthermore, it is possible for Diameter servers to issue an unsolicited reauthentication and/or reauthorization request (e.g., Re-Auth-Request (RAR) message [I-D.ietf-dime-rfc3588bis]) to the NAS.
Upon receipt of such a message, the NAS MUST respond to the request with a Re-Auth-Answer (RAA) message [I-D.ietf-dime-rfc3588bis].

If the RAR properly identifies an active session, the NAS will initiate a new local reauthentication or authorization sequence as indicated by the Re-Auth-Request-Type value. This will cause the NAS to send a new AAR message using the existing Session-Id. The server will respond with an AAA message to specify the new service parameters.

If accounting is active, every change of authentication or authorization SHOULD generate an accounting message. If the NAS service is a continuation of the prior user context, then an Accounting-Record-Type of INTERIM_RECORD indicating the new session attributes and cumulative status would be appropriate. If a new user or a significant change in authorization is detected by the NAS, then the service may send two messages of the types STOP_RECORD and START_RECORD. Accounting may change the subsession identifiers (Acct-Session-ID, or Acct-Sub-Session-Id) to indicate such subsessions. A service may also use a different Session-Id value for accounting (see Section 9.6 of [I-D.ietf-dime-rfc3588bis]).

However, the Diameter Session-ID AVP value used for the initial authorization exchange MUST be used to generate an STR message when the session context is terminated.

2.3. Diameter Session Termination

When a NAS receives an indication that a user's session is being disconnected by the client (e.g., an LCP Terminate-Request message [RFC1661] is received) or an administrative command, the NAS MUST issue a Session-Termination-Request (STR) [I-D.ietf-dime-rfc3588bis] to its Diameter Server. This will ensure that any resources maintained on the servers are freed appropriately.
Furthermore, a NAS that receives an Abort-Session-Request (ASR) [I-D.ietf-dime-rfc3588bis] MUST issue an ASA if the session identified is active and disconnect the PPP (or tunneling) session.

If accounting is active, an Accounting STOP_RECORD message [I-D.ietf-dime-rfc3588bis] MUST be sent upon termination of the session context.

More information on Diameter Session Termination can be found in Sections 8.4 and 8.5 of [I-D.ietf-dime-rfc3588bis].

3. Diameter NAS Application Messages

This section defines the Diameter message Command-Code [I-D.ietf-dime-rfc3588bis] values that MUST be supported by all Diameter implementations conforming to this specification. The Command Codes are as follows:

   +-----------------------------------+---------+------+--------------+
   | Command Name                      | Abbrev. | Code | Reference    |
   +-----------------------------------+---------+------+--------------+
   | AA-Request                        | AAR     | 265  | Section 3.1  |
   | AA-Answer                         | AAA     | 265  | Section 3.2  |
   | Re-Auth-Request                   | RAR     | 258  | Section 3.3  |
   | Re-Auth-Answer                    | RAA     | 258  | Section 3.4  |
   | Session-Termination-Request       | STR     | 275  | Section 3.5  |
   | Session-Termination-Answer        | STA     | 275  | Section 3.6  |
   | Abort-Session-Request             | ASR     | 274  | Section 3.7  |
   | Abort-Session-Answer              | ASA     | 274  | Section 3.8  |
   | Accounting-Request                | ACR     | 271  | Section 3.9  |
   | Accounting-Answer                 | ACA     | 271  | Section 3.10 |
   +-----------------------------------+---------+------+--------------+

3.1. AA-Request (AAR) Command

The AA-Request (AAR), which is indicated by setting the Command-Code field to 265 and the 'R' bit in the Command Flags field, is used to request authentication and/or authorization for a given NAS user. The type of request is identified through the Auth-Request-Type AVP [I-D.ietf-dime-rfc3588bis]. The recommended value for most situations is AUTHORIZE_AUTHENTICATE.
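An added example (not code from the draft) that encodes the Diameter header and AVPs, builds the mandatory part of an AAR for a constructed session, and classifies a raw message using the Command-Code table above: request and answer share a code and are told apart by the 'R' bit, and an AAR/AAA is rejected unless it carries the Auth-Application-Id value 1 required by Section 1.3. The AVP codes, flag bit positions and the AUTHORIZE_AUTHENTICATE value are taken from the Diameter base protocol rather than from this page; the host and realm names are constructed.

```python
"""Diameter header/AVP codec and NAS-application command classifier.

Added example, not part of the draft.  Layout and AVP codes follow the
Diameter base protocol; host/realm/Session-Id values are constructed."""
import struct

# Command flags in the Diameter header (base protocol).
FLAG_R, FLAG_P, FLAG_E, FLAG_T = 0x80, 0x40, 0x20, 0x10
AVP_M = 0x40                 # AVP 'M' (mandatory) flag
NAS_APP_ID = 1               # Auth-Application-Id advertised per Section 1.3

# Command-Code table of Section 3: code -> (request abbrev, answer abbrev).
COMMANDS = {265: ("AAR", "AAA"), 258: ("RAR", "RAA"), 275: ("STR", "STA"),
            274: ("ASR", "ASA"), 271: ("ACR", "ACA")}

# Base-protocol AVP codes for the fixed/required part of an AAR.
SESSION_ID, AUTH_APPLICATION_ID, ORIGIN_HOST = 263, 258, 264
ORIGIN_REALM, DESTINATION_REALM, AUTH_REQUEST_TYPE = 296, 283, 274
USER_NAME = 1
AUTHORIZE_AUTHENTICATE = 3   # Auth-Request-Type enumeration value (base protocol)


def encode_avp(code, data, flags=AVP_M):
    """AVP header is code(4) flags(1) length(3); data is padded to 4 octets."""
    if isinstance(data, int):
        data = struct.pack("!I", data)           # Unsigned32 / Enumerated
    length = 8 + len(data)                        # length excludes padding
    pad = (-len(data)) % 4
    return struct.pack("!IB", code, flags) + length.to_bytes(3, "big") + data + b"\0" * pad


def encode_message(code, flags, app_id, avps, hbh=1, e2e=1):
    """Header: version(1) length(3) flags(1) code(3) app-id(4) hop-by-hop(4) end-to-end(4)."""
    body = b"".join(avps)
    length = 20 + len(body)
    return (b"\x01" + length.to_bytes(3, "big") + bytes([flags])
            + code.to_bytes(3, "big") + struct.pack("!III", app_id, hbh, e2e) + body)


def decode_avps(body):
    """Return [(code, flags, data)] for each AVP, honouring the V bit and padding."""
    avps, off = [], 0
    while off < len(body):
        code, flags = struct.unpack_from("!IB", body, off)
        length = int.from_bytes(body[off + 5:off + 8], "big")
        hdr = 12 if flags & 0x80 else 8           # V bit adds a 4-octet Vendor-Id
        if length < hdr or off + length > len(body):
            raise ValueError("truncated or malformed AVP")
        avps.append((code, flags, body[off + hdr:off + length]))
        off += length + (-length) % 4
    return avps


def classify(msg):
    """Return the command abbreviation (AAR, AAA, ...) of a raw Diameter message.

    Only the 'R' bit distinguishes a request from its answer.  For code 265 the
    header application id and the Auth-Application-Id AVP must both be 1."""
    if len(msg) < 20 or msg[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    length = int.from_bytes(msg[1:4], "big")
    flags, code = msg[4], int.from_bytes(msg[5:8], "big")
    app_id = struct.unpack_from("!I", msg, 8)[0]
    if length != len(msg):
        raise ValueError("length field does not match message size")
    if code not in COMMANDS:
        raise ValueError("command %d is not a NAS-application command" % code)
    abbrev = COMMANDS[code][0 if flags & FLAG_R else 1]
    if code == 265:
        adv = [int.from_bytes(d, "big") for c, _, d in decode_avps(msg[20:])
               if c == AUTH_APPLICATION_ID]
        if app_id != NAS_APP_ID or adv != [NAS_APP_ID]:
            raise ValueError("%s must advertise Auth-Application-Id 1" % abbrev)
    return abbrev


def build_aar(session_id, user_name=None):
    """Build the required AVPs of an AAR (Section 3.1) with the R and P bits set."""
    avps = [encode_avp(SESSION_ID, session_id.encode()),
            encode_avp(AUTH_APPLICATION_ID, NAS_APP_ID),
            encode_avp(ORIGIN_HOST, b"nas.example.com"),        # constructed
            encode_avp(ORIGIN_REALM, b"example.com"),           # constructed
            encode_avp(DESTINATION_REALM, b"example.com"),      # constructed
            encode_avp(AUTH_REQUEST_TYPE, AUTHORIZE_AUTHENTICATE)]
    if user_name:
        avps.append(encode_avp(USER_NAME, user_name.encode()))
    return encode_message(265, FLAG_R | FLAG_P, NAS_APP_ID, avps)


if __name__ == "__main__":
    aar = build_aar("nas.example.com;1325548800;1", "alice")   # constructed Session-Id
    print(classify(aar), len(aar), "octets")
```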
If Authentication is requested, the User-Name attribute SHOULD be present, as well as any additional authentication AVPs that would carry the password information. A request for authorization SHOULD only include the information from which the authorization will be performed, such as the User-Name, Called-Station-Id, or Calling-Station-Id AVPs. All requests SHOULD contain AVPs uniquely identifying the source of the call, such as Origin-Host and NAS-Port. Certain networks MAY use different AVPs for authorization purposes. A request for authorization will include some AVPs defined in Section 4.4.

It is possible for a single session to be authorized first and then for an authentication request to follow.

This AA-Request message MAY be the result of a multi-round authentication exchange, which occurs when the AA-Answer message is received with the Result-Code AVP set to DIAMETER_MULTI_ROUND_AUTH. A subsequent AAR message SHOULD be sent, with the User-Password AVP that includes the user's response to the prompt, and MUST include any State AVPs that were present in the AAA message.
Message Format

   <AA-Request> ::= < Diameter Header: 265, REQ, PXY >
                    < Session-Id >
                    { Auth-Application-Id }
                    { Origin-Host }
                    { Origin-Realm }
                    { Destination-Realm }
                    { Auth-Request-Type }
                    [ Destination-Host ]
                    [ NAS-Identifier ]
                    [ NAS-IP-Address ]
                    [ NAS-IPv6-Address ]
                    [ NAS-Port ]
                    [ NAS-Port-Id ]
                    [ NAS-Port-Type ]
                    [ Origin-AAA-Protocol ]
                    [ Origin-State-Id ]
                    [ Port-Limit ]
                    [ User-Name ]
                    [ User-Password ]
                    [ Service-Type ]
                    [ State ]
                    [ Authorization-Lifetime ]
                    [ Auth-Grace-Period ]
                    [ Auth-Session-State ]
                    [ Callback-Number ]
                    [ Called-Station-Id ]
                    [ Calling-Station-Id ]
                    [ Originating-Line-Info ]
                    [ Connect-Info ]
                    [ CHAP-Auth ]
                    [ CHAP-Challenge ]
                  * [ Framed-Compression ]
                    [ Framed-Interface-Id ]
                    [ Framed-IP-Address ]
                  * [ Framed-IPv6-Prefix ]
                    [ Framed-IP-Netmask ]
                    [ Framed-MTU ]
                    [ Framed-Protocol ]
                    [ ARAP-Password ]
                    [ ARAP-Security ]
                  * [ ARAP-Security-Data ]
                  * [ Login-IP-Host ]
                  * [ Login-IPv6-Host ]
                    [ Login-LAT-Group ]
                    [ Login-LAT-Node ]
                    [ Login-LAT-Port ]
                    [ Login-LAT-Service ]
                  * [ Tunneling ]
                  * [ Proxy-Info ]
                  * [ Route-Record ]
                  * [ AVP ]

3.2. AA-Answer (AAA) Command

The AA-Answer (AAA) message is indicated by setting the Command-Code field to 265 and clearing the 'R' bit in the Command Flags field. It is sent in response to the AA-Request (AAR) message. If authorization was requested, a successful response will include the authorization AVPs appropriate for the service being provided, as defined in Section 4.4.

For authentication exchanges requiring more than a single round trip, the server MUST set the Result-Code AVP to DIAMETER_MULTI_ROUND_AUTH. An AAA message with this result code MAY include one or more Reply-Message AVPs and MAY include zero or one State AVPs.
If the Reply-Message AVP was present, the network access server SHOULD send the text to the user's client to display to the user, instructing the client to prompt the user for a response. For example, this capability can be achieved in PPP via PAP. If the access client is unable to prompt the user for a new response, it MUST treat the AA-Answer (AAA) with the Reply-Message AVP as an error and deny access.

Message Format

   <AA-Answer> ::= < Diameter Header: 265, PXY >
                   < Session-Id >
                   { Auth-Application-Id }
                   { Auth-Request-Type }
                   { Result-Code }
                   { Origin-Host }
                   { Origin-Realm }
                   [ User-Name ]
                   [ Service-Type ]
                 * [ Class ]
                 * [ Configuration-Token ]
                   [ Acct-Interim-Interval ]
                   [ Error-Message ]
                   [ Error-Reporting-Host ]
                 * [ Failed-AVP ]
                   [ Idle-Timeout ]
                   [ Authorization-Lifetime ]
                   [ Auth-Grace-Period ]
                   [ Auth-Session-State ]
                   [ Re-Auth-Request-Type ]
                   [ Multi-Round-Time-Out ]
                   [ Session-Timeout ]
                   [ State ]
                 * [ Reply-Message ]
                   [ Origin-AAA-Protocol ]
                   [ Origin-State-Id ]
                 * [ Filter-Id ]
                   [ Password-Retry ]
                   [ Port-Limit ]
                   [ Prompt ]
                   [ ARAP-Challenge-Response ]
                   [ ARAP-Features ]
                   [ ARAP-Security ]
                 * [ ARAP-Security-Data ]
                   [ ARAP-Zone-Access ]
                   [ Callback-Id ]
                   [ Callback-Number ]
                   [ Framed-Appletalk-Link ]
                 * [ Framed-Appletalk-Network ]
                   [ Framed-Appletalk-Zone ]
                 * [ Framed-Compression ]
                   [ Framed-Interface-Id ]
                   [ Framed-IP-Address ]
                 * [ Framed-IPv6-Prefix ]
                   [ Framed-IPv6-Pool ]
                 * [ Framed-IPv6-Route ]
                   [ Framed-IP-Netmask ]
                 * [ Framed-Route ]
                   [ Framed-Pool ]
                   [ Framed-IPX-Network ]
                   [ Framed-MTU ]
                   [ Framed-Protocol ]
                   [ Framed-Routing ]
                 * [ Login-IP-Host ]
                 * [ Login-IPv6-Host ]
                   [ Login-LAT-Group ]
                   [ Login-LAT-Node ]
                   [ Login-LAT-Port ]
                   [ Login-LAT-Service ]
                   [ Login-Service ]
                   [ Login-TCP-Port ]
                 * [ NAS-Filter-Rule ]
                 * [ QoS-Filter-Rule ]
                 * [ Tunneling ]
                 * [ Redirect-Host ]
                   [ Redirect-Host-Usage ]
                   [ Redirect-Max-Cache-Time ]
                 * [ Proxy-Info ]
                 * [ AVP ]

3.3. Re-Auth-Request (RAR) Command

A Diameter server may initiate a re-authentication and/or re-authorization service for a particular session by issuing a Re-Auth-Request (RAR) message [I-D.ietf-dime-rfc3588bis].

For example, for pre-paid services, the Diameter server that originally authorized a session may need some confirmation that the user is still using the services.

If a NAS receives an RAR message with Session-Id equal to a currently active session and a Re-Auth-Request-Type that includes authentication, it MUST initiate a re-authentication toward the user, if the service supports this particular feature.

Message Format

   <RAR> ::= < Diameter Header: 258, REQ, PXY >
             < Session-Id >
             { Origin-Host }
             { Origin-Realm }
             { Destination-Realm }
             { Destination-Host }
             { Auth-Application-Id }
             { Re-Auth-Request-Type }
             [ User-Name ]
             [ Origin-AAA-Protocol ]
             [ Origin-State-Id ]
             [ NAS-Identifier ]
             [ NAS-IP-Address ]
             [ NAS-IPv6-Address ]
             [ NAS-Port ]
             [ NAS-Port-Id ]
             [ NAS-Port-Type ]
             [ Service-Type ]
             [ Framed-IP-Address ]
             [ Framed-IPv6-Prefix ]
             [ Framed-Interface-Id ]
             [ Called-Station-Id ]
             [ Calling-Station-Id ]
             [ Originating-Line-Info ]
             [ Acct-Session-Id ]
             [ Acct-Multi-Session-Id ]
             [ State ]
           * [ Class ]
             [ Reply-Message ]
           * [ Proxy-Info ]
           * [ Route-Record ]
           * [ AVP ]

3.4. Re-Auth-Answer (RAA) Command

The Re-Auth-Answer (RAA) message [I-D.ietf-dime-rfc3588bis] is sent in response to the RAR. The Result-Code AVP MUST be present and indicates the disposition of the request.

A successful RAA transaction MUST be followed by an AAR message.
Message Format

   <RAA> ::= < Diameter Header: 258, PXY >
             < Session-Id >
             { Result-Code }
             { Origin-Host }
             { Origin-Realm }
             [ User-Name ]
             [ Origin-AAA-Protocol ]
             [ Origin-State-Id ]
             [ Error-Message ]
             [ Error-Reporting-Host ]
           * [ Failed-AVP ]
           * [ Redirect-Host ]
             [ Redirect-Host-Usage ]
             [ Redirect-Max-Cache-Time ]
             [ Service-Type ]
           * [ Configuration-Token ]
             [ Idle-Timeout ]
             [ Authorization-Lifetime ]
             [ Auth-Grace-Period ]
             [ Re-Auth-Request-Type ]
             [ State ]
           * [ Class ]
           * [ Reply-Message ]
             [ Prompt ]
           * [ Proxy-Info ]
           * [ AVP ]

3.5. Session-Termination-Request (STR) Command

The Session-Termination-Request (STR) message [I-D.ietf-dime-rfc3588bis] is sent by the NAS to inform the Diameter Server that an authenticated and/or authorized session is being terminated.

Message Format

   <STR> ::= < Diameter Header: 275, REQ, PXY >
             < Session-Id >
             { Origin-Host }
             { Origin-Realm }
             { Destination-Realm }
             { Auth-Application-Id }
             { Termination-Cause }
             [ User-Name ]
             [ Destination-Host ]
           * [ Class ]
             [ Origin-AAA-Protocol ]
             [ Origin-State-Id ]
           * [ Proxy-Info ]
           * [ Route-Record ]
           * [ AVP ]

3.6. Session-Termination-Answer (STA) Command

The Session-Termination-Answer (STA) message [I-D.ietf-dime-rfc3588bis] is sent by the Diameter Server to acknowledge the notification that the session has been terminated. The Result-Code AVP MUST be present and MAY contain an indication that an error occurred while the STR was being serviced.

Upon sending or receiving the STA, the Diameter Server MUST release all resources for the session indicated by the Session-Id AVP. Any intermediate server in the Proxy-Chain MAY also release any resources, if necessary.
   Message Format

      <STA> ::= < Diameter Header: 275, PXY >
                < Session-Id >
                { Result-Code }
                { Origin-Host }
                { Origin-Realm }
                [ User-Name ]
              * [ Class ]
                [ Error-Message ]
                [ Error-Reporting-Host ]
              * [ Failed-AVP ]
                [ Origin-AAA-Protocol ]
                [ Origin-State-Id ]
              * [ Redirect-Host ]
                [ Redirect-Host-Usage ]
                [ Redirect-Max-Cache-Time ]
              * [ Proxy-Info ]
              * [ AVP ]

3.7.  Abort-Session-Request (ASR) Command

   The Abort-Session-Request (ASR) message [I-D.ietf-dime-rfc3588bis]
   may be sent by any server to the NAS providing session service, to
   request that the session identified by the Session-Id be stopped.

   Message Format

      <ASR> ::= < Diameter Header: 274, REQ, PXY >
                < Session-Id >
                { Origin-Host }
                { Origin-Realm }
                { Destination-Realm }
                { Destination-Host }
                { Auth-Application-Id }
                [ User-Name ]
                [ Origin-AAA-Protocol ]
                [ Origin-State-Id ]
                [ NAS-Identifier ]
                [ NAS-IP-Address ]
                [ NAS-IPv6-Address ]
                [ NAS-Port ]
                [ NAS-Port-Id ]
                [ NAS-Port-Type ]
                [ Service-Type ]
                [ Framed-IP-Address ]
                [ Framed-IPv6-Prefix ]
                [ Framed-Interface-Id ]
                [ Called-Station-Id ]
                [ Calling-Station-Id ]
                [ Originating-Line-Info ]
                [ Acct-Session-Id ]
                [ Acct-Multi-Session-Id ]
                [ State ]
              * [ Class ]
              * [ Reply-Message ]
              * [ Proxy-Info ]
              * [ Route-Record ]
              * [ AVP ]

3.8.  Abort-Session-Answer (ASA) Command

   The ASA message [I-D.ietf-dime-rfc3588bis] is sent in response to the
   ASR.  The Result-Code AVP MUST be present and indicates the
   disposition of the request.

   If the session identified by Session-Id in the ASR was successfully
   terminated, Result-Code is set to DIAMETER_SUCCESS.  If the session
   is not currently active, the Result-Code AVP is set to
   DIAMETER_UNKNOWN_SESSION_ID.  If the access device does not stop the
   session for any other reason, the Result-Code AVP is set to
   DIAMETER_UNABLE_TO_COMPLY.

   Message Format

      <ASA> ::= < Diameter Header: 274, PXY >
                < Session-Id >
                { Result-Code }
                { Origin-Host }
                { Origin-Realm }
                [ User-Name ]
                [ Origin-AAA-Protocol ]
                [ Origin-State-Id ]
                [ State ]
                [ Error-Message ]
                [ Error-Reporting-Host ]
              * [ Failed-AVP ]
              * [ Redirected-Host ]
                [ Redirected-Host-Usage ]
                [ Redirected-Max-Cache-Time ]
              * [ Proxy-Info ]
              * [ AVP ]

3.9.  Accounting-Request (ACR) Command

   The ACR message [I-D.ietf-dime-rfc3588bis] is sent by the NAS to
   report its session information to a target server downstream.

   The Acct-Application-Id AVP MUST be present.

   The AVPs listed in the Base protocol specification
   [I-D.ietf-dime-rfc3588bis] MUST be assumed to be present, as
   appropriate.  NAS service-specific accounting AVPs SHOULD be present
   as described in Section 4.6 and the rest of this specification.
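   The following is an added example, not code from the draft or from any
   Diameter implementation: a NAS-side check of a received RAR
   (Section 3.3) or ASR (Section 3.7) against the message formats given
   above, followed by the Result-Code selection the ASA text in
   Section 3.8 prescribes.  The format strings are the draft's own AVP
   rules; the numeric Result-Code and Re-Auth-Request-Type values come
   from the base protocol [I-D.ietf-dime-rfc3588bis], and the session
   table, the (name, value) message representation and the sample
   Session-Id are assumptions made for the example.

```python
import re
from collections import Counter

# Base-protocol values [I-D.ietf-dime-rfc3588bis]; not defined on this page.
DIAMETER_SUCCESS = 2001
DIAMETER_UNKNOWN_SESSION_ID = 5002
DIAMETER_MISSING_AVP = 5005
DIAMETER_AVP_OCCURS_TOO_MANY_TIMES = 5009
DIAMETER_UNABLE_TO_COMPLY = 5012
AUTHORIZE_ONLY, AUTHORIZE_AUTHENTICATE = 0, 1  # Re-Auth-Request-Type values

# AVP rules copied from the RAR and ASR message formats in the draft (the
# Diameter Header line is omitted): "< >" fixed, "{ }" required,
# "[ ]" optional, leading "*" any number of occurrences.
RAR_FORMAT = """< Session-Id > { Origin-Host } { Origin-Realm }
   { Destination-Realm } { Destination-Host } { Auth-Application-Id }
   { Re-Auth-Request-Type } [ User-Name ] [ Origin-AAA-Protocol ]
   [ Origin-State-Id ] [ NAS-Identifier ] [ NAS-IP-Address ]
   [ NAS-IPv6-Address ] [ NAS-Port ] [ NAS-Port-Id ] [ NAS-Port-Type ]
   [ Service-Type ] [ Framed-IP-Address ] [ Framed-IPv6-Prefix ]
   [ Framed-Interface-Id ] [ Called-Station-Id ] [ Calling-Station-Id ]
   [ Originating-Line-Info ] [ Acct-Session-Id ] [ Acct-Multi-Session-Id ]
   [ State ] * [ Class ] [ Reply-Message ] * [ Proxy-Info ]
   * [ Route-Record ] * [ AVP ]"""
ASR_FORMAT = """< Session-Id > { Origin-Host } { Origin-Realm }
   { Destination-Realm } { Destination-Host } { Auth-Application-Id }
   [ User-Name ] [ Origin-AAA-Protocol ] [ Origin-State-Id ]
   [ NAS-Identifier ] [ NAS-IP-Address ] [ NAS-IPv6-Address ] [ NAS-Port ]
   [ NAS-Port-Id ] [ NAS-Port-Type ] [ Service-Type ] [ Framed-IP-Address ]
   [ Framed-IPv6-Prefix ] [ Framed-Interface-Id ] [ Called-Station-Id ]
   [ Calling-Station-Id ] [ Originating-Line-Info ] [ Acct-Session-Id ]
   [ Acct-Multi-Session-Id ] [ State ] * [ Class ] * [ Reply-Message ]
   * [ Proxy-Info ] * [ Route-Record ] * [ AVP ]"""

_RULE = re.compile(r"(\*?)\s*([<{\[])\s*([\w-]+)\s*[>}\]]")

def parse_format(text):
    """Rule list -> {avp: (min, max)}, max None meaning unbounded."""
    rules = {}
    for star, bracket, name in _RULE.findall(text):
        rules[name] = (1 if bracket in "<{" else 0, None if star else 1)
    return rules

def check_format(avps, rules):
    """avps: [(name, value), ...] in wire order.  Returns (Result-Code,
    offending AVP name or None).  Unknown AVPs are allowed by '* [ AVP ]'."""
    if not avps or avps[0][0] != "Session-Id":      # fixed-position AVP
        return DIAMETER_MISSING_AVP, "Session-Id"
    counts = Counter(name for name, _ in avps)
    for name, (lo, hi) in rules.items():
        if name == "AVP":
            continue
        if counts[name] < lo:
            return DIAMETER_MISSING_AVP, name
        if hi is not None and counts[name] > hi:
            return DIAMETER_AVP_OCCURS_TOO_MANY_TIMES, name
    return DIAMETER_SUCCESS, None

def _avp(avps, name):
    return next((v for n, v in avps if n == name), None)

def handle_rar(avps, sessions, supports_reauth=True):
    """NAS side of Section 3.3: returns (Result-Code for the RAA, whether a
    re-authentication toward the user must be started)."""
    code, _ = check_format(avps, parse_format(RAR_FORMAT))
    if code != DIAMETER_SUCCESS:
        return code, False
    if _avp(avps, "Session-Id") not in sessions:
        return DIAMETER_UNKNOWN_SESSION_ID, False
    reauth = (_avp(avps, "Re-Auth-Request-Type") == AUTHORIZE_AUTHENTICATE
              and supports_reauth)
    return DIAMETER_SUCCESS, reauth

def handle_asr(avps, sessions, stop_session):
    """NAS side of Sections 3.7/3.8: stop_session(sid) tears the session
    down and returns False if it could not; the result is the ASA code."""
    code, _ = check_format(avps, parse_format(ASR_FORMAT))
    if code != DIAMETER_SUCCESS:
        return code
    sid = _avp(avps, "Session-Id")
    if sid not in sessions:
        return DIAMETER_UNKNOWN_SESSION_ID
    if not stop_session(sid):
        return DIAMETER_UNABLE_TO_COMPLY
    del sessions[sid]
    return DIAMETER_SUCCESS

# Constructed sample: one active session and a server-originated RAR.
SAMPLE_SESSIONS = {"nas.example.com;1325548800;17": {"user": "alice"}}
SAMPLE_RAR = [
    ("Session-Id", "nas.example.com;1325548800;17"),
    ("Origin-Host", "aaa.example.com"), ("Origin-Realm", "example.com"),
    ("Destination-Realm", "example.com"),
    ("Destination-Host", "nas.example.com"),
    ("Auth-Application-Id", 1),
    ("Re-Auth-Request-Type", AUTHORIZE_AUTHENTICATE),
    ("User-Name", "alice"),
]
```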
   Message Format

      <ACR> ::= < Diameter Header: 271, REQ, PXY >
                < Session-Id >
                { Origin-Host }
                { Origin-Realm }
                { Destination-Realm }
                { Accounting-Record-Type }
                { Accounting-Record-Number }
                { Acct-Application-Id }
                [ User-Name ]
                [ Accounting-Sub-Session-Id ]
                [ Acct-Session-Id ]
                [ Acct-Multi-Session-Id ]
                [ Origin-AAA-Protocol ]
                [ Origin-State-Id ]
                [ Destination-Host ]
                [ Event-Timestamp ]
                [ Acct-Delay-Time ]
                [ NAS-Identifier ]
                [ NAS-IP-Address ]
                [ NAS-IPv6-Address ]
                [ NAS-Port ]
                [ NAS-Port-Id ]
                [ NAS-Port-Type ]
              * [ Class ]
                [ Service-Type ]
                [ Termination-Cause ]
                [ Accounting-Input-Octets ]
                [ Accounting-Input-Packets ]
                [ Accounting-Output-Octets ]
                [ Accounting-Output-Packets ]
                [ Acct-Authentic ]
                [ Accounting-Auth-Method ]
                [ Acct-Link-Count ]
                [ Acct-Session-Time ]
                [ Acct-Tunnel-Connection ]
                [ Acct-Tunnel-Packets-Lost ]
                [ Callback-Id ]
                [ Callback-Number ]
                [ Called-Station-Id ]
                [ Calling-Station-Id ]
              * [ Connect-Info ]
                [ Originating-Line-Info ]
                [ Authorization-Lifetime ]
                [ Session-Timeout ]
                [ Idle-Timeout ]
                [ Port-Limit ]
                [ Accounting-Realtime-Required ]
                [ Acct-Interim-Interval ]
              * [ Filter-Id ]
              * [ NAS-Filter-Rule ]
              * [ QoS-Filter-Rule ]
                [ Framed-AppleTalk-Link ]
                [ Framed-AppleTalk-Network ]
                [ Framed-AppleTalk-Zone ]
                [ Framed-Compression ]
                [ Framed-Interface-Id ]
                [ Framed-IP-Address ]
                [ Framed-IP-Netmask ]
              * [ Framed-IPv6-Prefix ]
                [ Framed-IPv6-Pool ]
              * [ Framed-IPv6-Route ]
                [ Framed-IPX-Network ]
                [ Framed-MTU ]
                [ Framed-Pool ]
                [ Framed-Protocol ]
              * [ Framed-Route ]
                [ Framed-Routing ]
              * [ Login-IP-Host ]
              * [ Login-IPv6-Host ]
                [ Login-LAT-Group ]
                [ Login-LAT-Node ]
                [ Login-LAT-Port ]
                [ Login-LAT-Service ]
                [ Login-Service ]
                [ Login-TCP-Port ]
              * [ Tunneling ]
              * [ Proxy-Info ]
              * [ Route-Record ]
              * [ AVP ]

3.10.  Accounting-Answer (ACA) Command

   The ACA message [I-D.ietf-dime-rfc3588bis] is used to acknowledge an
   Accounting-Request command.  The Accounting-Answer command contains
   the same Session-Id as the Request.  If the Accounting-Request was
   protected by end-to-end security, then the corresponding ACA message
   MUST be protected as well.

   Only the target Diameter Server or home Diameter Server SHOULD
   respond with the Accounting-Answer command.

   The Acct-Application-Id AVP MUST be present, as it was in the
   request.

   The AVPs listed in the Base protocol specification
   [I-D.ietf-dime-rfc3588bis] MUST be assumed to be present, as
   appropriate.  NAS service-specific accounting AVPs SHOULD be present
   as described in Section 4.6 and the rest of this specification.

   Message Format

      <ACA> ::= < Diameter Header: 271, PXY >
                < Session-Id >
                { Result-Code }
                { Origin-Host }
                { Origin-Realm }
                { Accounting-Record-Type }
                { Accounting-Record-Number }
                { Acct-Application-Id }
                [ User-Name ]
                [ Accounting-Sub-Session-Id ]
                [ Acct-Session-Id ]
                [ Acct-Multi-Session-Id ]
                [ Event-Timestamp ]
                [ Error-Message ]
                [ Error-Reporting-Host ]
              * [ Failed-AVP ]
                [ Origin-AAA-Protocol ]
                [ Origin-State-Id ]
                [ NAS-Identifier ]
                [ NAS-IP-Address ]
                [ NAS-IPv6-Address ]
                [ NAS-Port ]
                [ NAS-Port-Id ]
                [ NAS-Port-Type ]
                [ Service-Type ]
                [ Termination-Cause ]
                [ Accounting-Realtime-Required ]
                [ Acct-Interim-Interval ]
              * [ Class ]
              * [ Proxy-Info ]
              * [ AVP ]

4.  Diameter NAS Application AVPs

   The following sections define a new derived AVP data format, a set of
   application-specific AVPs and describe the use of AVPs defined in
   other documents by the Diameter NAS Application.

4.1.  Derived AVP Data Formats

4.1.1.  QoSFilterRule

   The QoSFilterRule format is derived from the OctetString AVP Base
   Format.  It uses the ASCII charset.  Packets may be marked or metered
   based on the following information:

   o  Direction (in or out)

   o  Source and destination IP address (possibly masked)

   o  Protocol

   o  Source and destination port (lists or ranges)

   o  DSCP values (no mask or range)

   Rules for the appropriate direction are evaluated in order; the first
   matched rule terminates the evaluation.  Each packet is evaluated
   once.  If no rule matches, the packet is treated as best effort.  An
   access device unable to interpret or apply a QoS rule SHOULD NOT
   terminate the session.

   QoSFilterRule filters MUST follow the following format:

      action dir proto from src to dst [options]

   where

      action
         tag    Mark packet with a specific DSCP [RFC2474]
         meter  Meter traffic

      dir      The format is as described under IPFilterRule
               [I-D.ietf-dime-rfc3588bis]

      proto    The format is as described under IPFilterRule
               [I-D.ietf-dime-rfc3588bis]

      src and dst
               The format is as described under IPFilterRule
               [I-D.ietf-dime-rfc3588bis]

   The options are described in Section 4.4.9.

   The rule syntax is a modified subset of ipfw(8) from FreeBSD, and the
   ipfw.c code may provide a useful base for implementations.

4.2.  NAS Session AVPs

   Diameter reserves the AVP Codes 0 - 255 for RADIUS Attributes that
   are implemented in Diameter.

4.2.1.  Call and Session Information

   This section describes the AVPs specific to Diameter applications
   that are needed to identify the call and session context and status
   information.  On a request, this information allows the server to
   qualify the session.
   These AVPs are used in addition to the following AVPs from the base
   protocol specification [I-D.ietf-dime-rfc3588bis]:

      Session-Id
      Auth-Application-Id
      Origin-Host
      Origin-Realm
      Auth-Request-Type
      Termination-Cause

   The following table gives the possible flag values for the session
   level AVPs and specifies whether the AVP MAY be encrypted.

                                            +----------+
                                            | AVP Flag |
                                            |  rules   |
                                            |----+-----|
                                            |MUST| MUST|
   Attribute Name           Section Defined |    | NOT |
   -----------------------------------------|----+-----|
   NAS-Port                    4.2.2        | M  |  V  |
   NAS-Port-Id                 4.2.3        | M  |  V  |
   NAS-Port-Type               4.2.4        | M  |  V  |
   Called-Station-Id           4.2.5        | M  |  V  |
   Calling-Station-Id          4.2.6        | M  |  V  |
   Connect-Info                4.2.7        | M  |  V  |
   Originating-Line-Info       4.2.8        |    |  V  |
   Reply-Message               4.2.9        | M  |  V  |
   -----------------------------------------|----+-----|

4.2.2.  NAS-Port AVP

   The NAS-Port AVP (AVP Code 5) is of type Unsigned32 and contains the
   physical or virtual port number of the NAS which is authenticating
   the user.  Note that "port" is meant in its sense as a service
   connection on the NAS, not as an IP protocol identifier.

   Either the NAS-Port AVP or the NAS-Port-Id AVP (Section 4.2.3) SHOULD
   be present in the AA-Request (AAR, Section 3.1) command if the NAS
   differentiates among its ports.

4.2.3.  NAS-Port-Id AVP

   The NAS-Port-Id AVP (AVP Code 87) is of type UTF8String and consists
   of ASCII text identifying the port of the NAS authenticating the
   user.  Note that "port" is meant in its sense as a service connection
   on the NAS, not as an IP protocol identifier.

   Either the NAS-Port-Id or the NAS-Port (Section 4.2.2) SHOULD be
   present in the AA-Request (AAR, Section 3.1) command if the NAS
   differentiates among its ports.  NAS-Port-Id is intended for use by
   NASes that cannot conveniently number their ports.

4.2.4.  NAS-Port-Type AVP

   The NAS-Port-Type AVP (AVP Code 61) is of type Enumerated and
   contains the type of the port on which the NAS is authenticating the
   user.  This AVP SHOULD be present if the NAS uses the same NAS-Port
   number ranges for different service types concurrently.

   The currently supported values of the NAS-Port-Type AVP are listed in
   [RADIUSTypes].

4.2.5.  Called-Station-Id AVP

   The Called-Station-Id AVP (AVP Code 30) is of type UTF8String and
   allows the NAS to send the ASCII string describing the Layer 2
   address the user contacted in the request.  For dialup access, this
   can be a phone number obtained by using the Dialed Number
   Identification Service (DNIS) or a similar technology.  Note that
   this may be different from the phone number the call comes in on.
   For use with IEEE 802 access, the Called-Station-Id MAY contain a MAC
   address formatted as described in [RFC3580].

   If the Called-Station-Id AVP is present in an AAR message, the
   Auth-Request-Type AVP is set to AUTHORIZE_ONLY and the User-Name AVP
   is absent, the Diameter Server MAY perform authorization based on
   this AVP.  This can be used by a NAS to request whether a call should
   be answered based on the DNIS result.

   The codification of this field's allowed usage range is outside the
   scope of this specification.

4.2.6.  Calling-Station-Id AVP

   The Calling-Station-Id AVP (AVP Code 31) is of type UTF8String and
   allows the NAS to send the ASCII string describing the Layer 2
   address from which the user connected in the request.  For dialup
   access, this is the phone number the call came from, using Automatic
   Number Identification (ANI) or a similar technology.  For use with
   IEEE 802 access, the Calling-Station-Id AVP MAY contain a MAC
   address, formatted as described in [RFC3580].
   If the Calling-Station-Id AVP is present in an AAR message, the
   Auth-Request-Type AVP is set to AUTHORIZE_ONLY and the User-Name AVP
   is absent, the Diameter Server MAY perform authorization based on the
   value of this AVP.  This can be used by a NAS to request whether a
   call should be answered based on the Layer 2 address (ANI, MAC
   Address, etc.)

   The codification of this field's allowed usage range is outside the
   scope of this specification.

4.2.7.  Connect-Info AVP

   The Connect-Info AVP (AVP Code 77) is of type UTF8String and is sent
   in the AA-Request message or an ACR message with the value of the
   Accounting-Record-Type AVP set to STOP.  When sent in the AA-Request,
   it indicates the nature of the user's connection.  The connection
   speed SHOULD be included at the beginning of the first Connect-Info
   AVP in the message.  If the transmit and receive connection speeds
   differ, both may be included in the first AVP with the transmit speed
   listed first (the speed at which the NAS modem transmits), then a
   slash (/), then the receive speed, and then other optional
   information.

   For example: "28800 V42BIS/LAPM" or "52000/31200 V90"

   If sent in an ACR message with the value of the
   Accounting-Record-Type AVP set to STOP, this attribute may summarize
   statistics relating to session quality.  For example, in IEEE 802.11,
   the Connect-Info AVP may contain information on the number of link
   layer retransmissions.  The exact format of this attribute is
   implementation specific.

4.2.8.  Originating-Line-Info AVP

   The Originating-Line-Info AVP (AVP Code 94) is of type OctetString
   and is sent by the NAS system to convey information about the origin
   of the call from an SS7 system.
   The Originating Line Information (OLI) element indicates the nature
   and/or characteristics of the line from which a call originated
   (e.g., pay phone, hotel, cellular).  Telephone companies are starting
   to offer OLI to their customers as an option over Primary Rate
   Interface (PRI).  Internet Service Providers (ISPs) can use OLI in
   addition to Called-Station-Id and Calling-Station-Id attributes to
   differentiate customer calls and to define different services.

   The Value field contains two octets (00 - 99).  ANSI T1.113 and
   BELLCORE 394 can be used for additional information about these
   values and their use.  For information on the currently assigned
   values, see [ANITypes].

4.2.9.  Reply-Message AVP

   The Reply-Message AVP (AVP Code 18) is of type UTF8String and
   contains text that MAY be displayed to the user.  When used in an
   AA-Answer message with a successful Result-Code AVP, it indicates
   success.  When found in an AAA message with a Result-Code other than
   DIAMETER_SUCCESS, the AVP contains a failure message.

   The Reply-Message AVP MAY contain text to prompt the user before
   another AA-Request attempt.  When used in an AA-Answer message
   containing a Result-Code AVP with the value DIAMETER_MULTI_ROUND_AUTH
   or in a Re-Auth-Request message, it MAY contain text to prompt the
   user for a response.

4.3.  NAS Authentication AVPs

   This section defines the AVPs necessary to carry the authentication
   information in the Diameter protocol.  The functionality defined here
   provides a RADIUS-like AAA service [RFC2865] over a more reliable and
   secure transport, as defined in the base protocol
   [I-D.ietf-dime-rfc3588bis].

   The following table gives the possible flag values for the session
   level AVPs and specifies whether the AVP MAY be encrypted.
                                            +----------+
                                            | AVP Flag |
                                            |  rules   |
                                            |----+-----|
                                            |MUST| MUST|
   Attribute Name           Section Defined |    | NOT |
   -----------------------------------------|----+-----|
   User-Password               4.3.1        | M  |  V  |
   Password-Retry              4.3.2        | M  |  V  |
   Prompt                      4.3.3        | M  |  V  |
   CHAP-Auth                   4.3.4        | M  |  V  |
   CHAP-Algorithm              4.3.5        | M  |  V  |
   CHAP-Ident                  4.3.6        | M  |  V  |
   CHAP-Response               4.3.7        | M  |  V  |
   CHAP-Challenge              4.3.8        | M  |  V  |
   ARAP-Password               4.3.9        | M  |  V  |
   ARAP-Challenge-Response     4.3.10       | M  |  V  |
   ARAP-Security               4.3.11       | M  |  V  |
   ARAP-Security-Data          4.3.12       | M  |  V  |
   -----------------------------------------|----+-----|

4.3.1.  User-Password AVP

   The User-Password AVP (AVP Code 2) is of type OctetString and
   contains the password of the user to be authenticated, or the user's
   input in a multi-round authentication exchange.

   The User-Password AVP contains a user password or one-time password
   and therefore represents sensitive information.  As required in
   [I-D.ietf-dime-rfc3588bis], Diameter messages are encrypted by using
   IPsec [RFC4301] or TLS [RFC5246].  Unless this AVP is used for
   one-time passwords, the User-Password AVP SHOULD NOT be used in
   untrusted proxy environments without encrypting it by using
   end-to-end security techniques.

   The clear-text password (prior to encryption) MUST NOT be longer than
   128 bytes in length.

4.3.2.  Password-Retry AVP

   The Password-Retry AVP (AVP Code 75) is of type Unsigned32 and MAY be
   included in the AA-Answer if the Result-Code indicates an
   authentication failure.  The value of this AVP indicates how many
   authentication attempts a user is permitted before being
   disconnected.  This AVP is primarily intended for use when the
   Framed-Protocol AVP (Section 4.4.10.1) is set to ARAP.

4.3.3.  Prompt AVP

   The Prompt AVP (AVP Code 76) is of type Enumerated and MAY be present
   in the AA-Answer message.  When present, it is used by the NAS to
   determine whether the user's response, when entered, should be
   echoed.

   The supported values are listed in [RADIUSTypes].

4.3.4.  CHAP-Auth AVP

   The CHAP-Auth AVP (AVP Code 402) is of type Grouped and contains the
   information necessary to authenticate a user using the PPP
   Challenge-Handshake Authentication Protocol (CHAP) [RFC1994].  If the
   CHAP-Auth AVP is found in a message, the CHAP-Challenge AVP
   (Section 4.3.8) MUST be present as well.  The optional AVPs
   containing the CHAP response depend upon the value of the
   CHAP-Algorithm AVP (Section 4.3.5).  The grouped AVP has the
   following ABNF grammar:

      CHAP-Auth ::= < AVP Header: 402 >
                    { CHAP-Algorithm }
                    { CHAP-Ident }
                    [ CHAP-Response ]
                  * [ AVP ]

4.3.5.  CHAP-Algorithm AVP

   The CHAP-Algorithm AVP (AVP Code 403) is of type Enumerated and
   contains the algorithm identifier used in the computation of the CHAP
   response [RFC1994].  The following values are currently supported:

   CHAP with MD5    5
      The CHAP response is computed by using the procedure described in
      [RFC1994].  This algorithm requires that the CHAP-Response AVP
      (Section 4.3.7) MUST be present in the CHAP-Auth AVP
      (Section 4.3.4).

4.3.6.  CHAP-Ident AVP

   The CHAP-Ident AVP (AVP Code 404) is of type OctetString and contains
   the 1 octet CHAP Identifier used in the computation of the CHAP
   response [RFC1994].

4.3.7.  CHAP-Response AVP

   The CHAP-Response AVP (AVP Code 405) is of type OctetString and
   contains the 16 octet authentication data provided by the user in
   response to the CHAP challenge [RFC1994].

4.3.8.  CHAP-Challenge AVP

   The CHAP-Challenge AVP (AVP Code 60) is of type OctetString and
   contains the CHAP Challenge sent by the NAS to the CHAP peer
   [RFC1994].
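   The following is an added example, not code from the draft: a
   server-side verification of a CHAP-Auth grouped AVP (Section 4.3.4)
   against its CHAP-Challenge AVP (Section 4.3.8), enforcing the
   structural rules of Sections 4.3.4 to 4.3.8 before checking the
   response.  The response computation is the RFC 1994 procedure for
   CHAP with MD5 (MD5 over Identifier, secret and Challenge); the
   dictionary representation of the AVPs, the user database and the
   sample secret and challenge are assumptions made for the example.

```python
import hashlib
import hmac
import os

CHAP_WITH_MD5 = 5          # CHAP-Algorithm value from Section 4.3.5

def new_challenge(length=16):
    """NAS side: the CHAP-Challenge MUST be unpredictable and fresh for
    every attempt, otherwise a captured response can be replayed."""
    return os.urandom(length)

def chap_md5_response(ident, secret, challenge):
    """RFC 1994 response: MD5(Identifier || secret || Challenge), 16 octets."""
    if len(ident) != 1:
        raise ValueError("CHAP-Ident is exactly one octet")
    return hashlib.md5(ident + secret + challenge).digest()

def verify_chap_auth(message, secrets):
    """Apply the draft's structural rules, then check the response.
    message: {"User-Name": str, "CHAP-Challenge": bytes,
              "CHAP-Auth": {"CHAP-Algorithm": int, "CHAP-Ident": bytes,
                            "CHAP-Response": bytes}}
    secrets: {user name: shared secret bytes}.  Returns (ok, reason)."""
    auth = message.get("CHAP-Auth")
    if auth is None:
        return False, "no CHAP-Auth AVP"
    challenge = message.get("CHAP-Challenge")
    if challenge is None:                      # Section 4.3.4: MUST be present
        return False, "CHAP-Challenge MUST accompany CHAP-Auth"
    for required in ("CHAP-Algorithm", "CHAP-Ident"):
        if required not in auth:
            return False, f"{required} is required in CHAP-Auth"
    if auth["CHAP-Algorithm"] != CHAP_WITH_MD5:
        return False, "unsupported CHAP-Algorithm"
    response = auth.get("CHAP-Response")
    if response is None:                       # Section 4.3.5: MUST for MD5
        return False, "CHAP with MD5 requires CHAP-Response"
    if len(auth["CHAP-Ident"]) != 1 or len(response) != 16:
        return False, "CHAP-Ident must be 1 octet and CHAP-Response 16"
    secret = secrets.get(message.get("User-Name"))
    if secret is None:
        return False, "unknown user"
    expected = chap_md5_response(auth["CHAP-Ident"], secret, challenge)
    # Constant-time comparison: do not leak how much of the response matched.
    if not hmac.compare_digest(expected, response):
        return False, "bad CHAP-Response"
    return True, "ok"

# Constructed sample: fixed challenge bytes (instead of new_challenge()) so
# the demo is reproducible; the peer computes the response from the secret.
SAMPLE_SECRETS = {"alice": b"correct horse battery staple"}
SAMPLE_CHALLENGE = bytes(range(16))
SAMPLE_MESSAGE = {
    "User-Name": "alice",
    "CHAP-Challenge": SAMPLE_CHALLENGE,
    "CHAP-Auth": {
        "CHAP-Algorithm": CHAP_WITH_MD5,
        "CHAP-Ident": b"\x07",
        "CHAP-Response": chap_md5_response(
            b"\x07", SAMPLE_SECRETS["alice"], SAMPLE_CHALLENGE),
    },
}
```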
4.3.9.  ARAP-Password AVP

   The ARAP-Password AVP (AVP Code 70) is of type OctetString and is
   only present when the Framed-Protocol AVP (Section 4.4.10.1) is
   included in the message and is set to ARAP.  This AVP MUST NOT be
   present if either the User-Password or the CHAP-Auth AVP is present.
   See [RFC2869] for more information on the contents of this AVP.

4.3.10.  ARAP-Challenge-Response AVP

   The ARAP-Challenge-Response AVP (AVP Code 84) is of type OctetString
   and is only present when the Framed-Protocol AVP (Section 4.4.10.1)
   is included in the message and is set to ARAP.  This AVP contains an
   8 octet response to the dial-in client's challenge.  The Diameter
   server calculates this value by taking the dial-in client's challenge
   from the high-order 8 octets of the ARAP-Password AVP and performing
   DES encryption on this value with the authenticating user's password
   as the key.  If the user's password is fewer than 8 octets in length,
   the password is padded at the end with NULL octets to a length of 8
   before it is used as a key.

4.3.11.  ARAP-Security AVP

   The ARAP-Security AVP (AVP Code 73) is of type Unsigned32 and MAY be
   present in the AA-Answer message if the Framed-Protocol AVP
   (Section 4.4.10.1) is set to the value of ARAP, and the Result-Code
   AVP ([I-D.ietf-dime-rfc3588bis], Section 7.1) is set to
   DIAMETER_MULTI_ROUND_AUTH.  See [RFC2869] for more information on the
   contents of this AVP.

4.3.12.  ARAP-Security-Data AVP

   The ARAP-Security-Data AVP (AVP Code 74) is of type OctetString and
   MAY be present in the AA-Request or AA-Answer message if the
   Framed-Protocol AVP (Section 4.4.10.1) is set to the value of ARAP
   and the Result-Code AVP ([I-D.ietf-dime-rfc3588bis], Section 7.1) is
   set to DIAMETER_MULTI_ROUND_AUTH.
   This AVP contains the security module challenge or response
   associated with the ARAP Security Module specified in the
   ARAP-Security AVP (Section 4.3.11).

4.4.  NAS Authorization AVPs

   This section contains the authorization AVPs supported in the NAS
   Application.  The Service-Type AVP SHOULD be present in all messages
   and, based on its value, additional AVPs defined in this section and
   Section 4.5 MAY be present.

   The following table gives the possible flag values for the session
   level AVPs and specifies whether the AVP MAY be encrypted.

                                            +----------+
                                            | AVP Flag |
                                            |  rules   |
                                            |----+-----|
                                            |MUST| MUST|
   Attribute Name           Section Defined |    | NOT |
   -----------------------------------------|----+-----|
   Service-Type                4.4.1        | M  |  V  |
   Callback-Number             4.4.2        | M  |  V  |
   Callback-Id                 4.4.3        | M  |  V  |
   Idle-Timeout                4.4.4        | M  |  V  |
   Port-Limit                  4.4.5        | M  |  V  |
   NAS-Filter-Rule             4.4.6        | M  |  V  |
   Filter-Id                   4.4.7        | M  |  V  |
   Configuration-Token         4.4.8        | M  | P,V |
   QoS-Filter-Rule             4.4.9        |    |     |
   Framed-Protocol             4.4.10.1     | M  |  V  |
   Framed-Routing              4.4.10.2     | M  |  V  |
   Framed-MTU                  4.4.10.3     | M  |  V  |
   Framed-Compression          4.4.10.4     | M  |  V  |
   Framed-IP-Address           4.4.10.5.1   | M  |  V  |
   Framed-IP-Netmask           4.4.10.5.2   | M  |  V  |
   Framed-Route                4.4.10.5.3   | M  |  V  |
   Framed-Pool                 4.4.10.5.4   | M  |  V  |
   Framed-Interface-Id         4.4.10.5.5   | M  |  V  |
   Framed-IPv6-Prefix          4.4.10.5.6   | M  |  V  |
   Framed-IPv6-Route           4.4.10.5.7   | M  |  V  |
   Framed-IPv6-Pool            4.4.10.5.8   | M  |  V  |
   Framed-IPX-Network          4.4.10.6.1   | M  |  V  |
   Framed-Appletalk-Link       4.4.10.7.1   | M  |  V  |
   Framed-Appletalk-Network    4.4.10.7.2   | M  |  V  |
   Framed-Appletalk-Zone       4.4.10.7.3   | M  |  V  |
   ARAP-Features               4.4.10.8.1   | M  |  V  |
   ARAP-Zone-Access            4.4.10.8.2   | M  |  V  |
   Login-IP-Host               4.4.11.1     | M  |  V  |
   Login-IPv6-Host             4.4.11.2     | M  |  V  |
   Login-Service               4.4.11.3     | M  |  V  |
   Login-TCP-Port              4.4.11.4.1   | M  |  V  |
   Login-LAT-Service           4.4.11.5.1   | M  |  V  |
   Login-LAT-Node              4.4.11.5.2   | M  |  V  |
   Login-LAT-Group             4.4.11.5.3   | M  |  V  |
   Login-LAT-Port              4.4.11.5.4   | M  |  V  |
   -----------------------------------------|----+-----|

4.4.1.  Service-Type AVP

   The Service-Type AVP (AVP Code 6) is of type Enumerated and contains
   the type of service the user has requested or the type of service to
   be provided.  One such AVP MAY be present in an authentication and/or
   authorization request or response.  A NAS is not required to
   implement all of these service types.  It MUST treat unknown or
   unsupported Service-Types received in a response as a failure and end
   the session with a DIAMETER_INVALID_AVP_VALUE Result-Code.

   When used in a request, the Service-Type AVP SHOULD be considered a
   hint to the server that the NAS believes the user would prefer the
   kind of service indicated.  The server is not required to honor the
   hint.  Furthermore, if the service specified by the server is
   supported, but not compatible with the current mode of access, the
   NAS MUST fail to start the session.  The NAS MUST also generate the
   appropriate error message(s).

   The complete list of defined values that the Service-Type AVP can
   take can be found in [RFC2865] and [RADIUSTypes], but the following
   values require further qualification here:

   Login (1)
      The user should be connected to a host.  The message MAY include
      additional AVPs as defined in Section 4.4.11.4 or
      Section 4.4.11.5.

   Framed (2)
      A Framed Protocol, such as PPP or SLIP, should be started for the
      User.  The message MAY include additional AVPs defined in
      Section 4.4.10, or Section 4.5 for tunneling services.

   Callback Login (3)
      The user should be disconnected and called back, then connected
      to a host.  The message MAY include additional AVPs defined in
      this Section.
   Callback Framed (4)
      The user should be disconnected and called back, and then a
      Framed Protocol, such as PPP or SLIP, should be started for the
      User.  The message MAY include additional AVPs defined in
      Section 4.4.10, or Section 4.5 for tunneling services.

4.4.2.  Callback-Number AVP

   The Callback-Number AVP (AVP Code 19) is of type UTF8String and
   contains a dialing string to be used for callback.  It MAY be used in
   an authentication and/or authorization request as a hint to the
   server that a Callback service is desired, but the server is not
   required to honor the hint in the corresponding response.

   The codification of this field's allowed usage range is outside the
   scope of this specification.

4.4.3.  Callback-Id AVP

   The Callback-Id AVP (AVP Code 20) is of type UTF8String and contains
   the name of a place to be called, to be interpreted by the NAS.  This
   AVP MAY be present in an authentication and/or authorization
   response.

   This AVP is not roaming-friendly as it assumes that the Callback-Id
   is configured on the NAS.  Using the Callback-Number AVP
   (Section 4.4.2) is therefore preferable.

4.4.4.  Idle-Timeout AVP

   The Idle-Timeout AVP (AVP Code 28) is of type Unsigned32 and sets the
   maximum number of consecutive seconds of idle connection allowable to
   the user before termination of the session or before a prompt is
   issued.  The default is none, or system specific.

4.4.5.  Port-Limit AVP

   The Port-Limit AVP (AVP Code 62) is of type Unsigned32 and sets the
   maximum number of ports the NAS provides to the user.  It MAY be used
   in an authentication and/or authorization request as a hint to the
   server that multilink PPP [RFC1990] service is desired, but the
   server is not required to honor the hint in the corresponding
   response.

4.4.6.  NAS-Filter-Rule AVP

   The NAS-Filter-Rule AVP (AVP Code 400) is of type IPFilterRule and
   provides filter rules that need to be configured on the NAS for the
   user.  One or more of these AVPs MAY be present in an authorization
   response.

4.4.7.  Filter-Id AVP

   The Filter-Id AVP (AVP Code 11) is of type UTF8String and contains
   the name of the filter list for this user.  Zero or more Filter-Id
   AVPs MAY be sent in an authorization answer.

   Identifying a filter list by name allows the filter to be used on
   different NASes without regard to filter-list implementation details.
   However, this AVP is not roaming-friendly, as filter naming differs
   from one service provider to another.

   In environments where backward compatibility with RADIUS is not
   required, it is RECOMMENDED that the NAS-Filter-Rule AVP
   (Section 4.4.6) be used instead.

4.4.8.  Configuration-Token AVP

   The Configuration-Token AVP (AVP Code 78) is of type OctetString and
   is sent by a Diameter Server to a Diameter Proxy Agent in an
   AA-Answer command to indicate a type of user profile to be used.  It
   should not be sent to a Diameter Client (NAS).

   The format of the Data field of this AVP is site specific.

4.4.9.  QoS-Filter-Rule AVP

   The QoS-Filter-Rule AVP (AVP Code 407) is of type QoSFilterRule
   (Section 4.1.1) and provides QoS filter rules that need to be
   configured on the NAS for the user.  One or more such AVPs MAY be
   present in an authorization response.

   DSCP <color>
      If action is set to tag (Section 4.1.1) this option MUST be
      included in the rule.

      Color values are defined in [RFC2474].  Exact matching of DSCP
      values is required (no masks or ranges).

   metering <rate> <color_under> <color_over>
      The metering option provides Assured Forwarding, as defined in
      [RFC2597], and MUST be present if the action is set to meter
      (Section 4.1.1).  The rate option is the throughput, in bits per
      second, used by the access device to mark packets.  Traffic over
      the rate is marked with the color_over codepoint, and traffic
      under the rate is marked with the color_under codepoint.  The
      color_under and color_over options contain the drop preferences
      and MUST conform to the recommended codepoint keywords described
      in [RFC2597] (e.g., AF13).

      The metering option also supports the strict limit on traffic
      required by Expedited Forwarding, as defined in [RFC3246].  The
      color_over option may contain the keyword "drop" to prevent
      forwarding of traffic that exceeds the rate parameter.

4.4.10.  Framed Access Authorization AVPs

   This section lists the authorization AVPs necessary to support framed
   access, such as PPP and SLIP.  AVPs defined in this section MAY be
   present in a message if the Service-Type AVP was set to "Framed" or
   "Callback Framed".

4.4.10.1.  Framed-Protocol AVP

   The Framed-Protocol AVP (AVP Code 7) is of type Enumerated and
   contains the framing to be used for framed access.  This AVP MAY be
   present in both requests and responses.  The supported values are
   listed in [RADIUSTypes].

4.4.10.2.  Framed-Routing AVP

   The Framed-Routing AVP (AVP Code 10) is of type Enumerated and
   contains the routing method for the user when the user is a router to
   a network.  This AVP SHOULD only be present in authorization
   responses.  The supported values are listed in [RADIUSTypes].

4.4.10.3.  Framed-MTU AVP

   The Framed-MTU AVP (AVP Code 12) is of type Unsigned32 and contains
   the Maximum Transmission Unit (MTU) to be configured for the user,
   when it is not negotiated by some other means (such as PPP).  This
   AVP SHOULD only be present in authorization responses.  The MTU value
   MUST be in the range from 64 to 65535.
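   The following is an added example, not code from the draft or from
   ipfw: a parser for the QoSFilterRule syntax of Section 4.1.1 together
   with the DSCP and metering options of Section 4.4.9, plus the
   first-match, best-effort-by-default evaluation that Section 4.1.1
   describes.  The src, dst and proto forms ("any", "assigned",
   addr[/mask] with an optional port list) follow the IPFilterRule
   description in the base protocol; the DSCP keyword set, the packet
   dictionary and the sample rules are assumptions made for the example.
   A rule the parser rejects is skipped rather than used to end the
   session, as Section 4.1.1 recommends.

```python
import ipaddress

# Assumed keyword set for DSCP values: RFC 2474 class selectors, RFC 2597
# AF classes and RFC 3246 EF; "drop" is valid only as color_over.
DSCP_KEYWORDS = ({"BE", "EF"} | {f"CS{i}" for i in range(8)}
                 | {f"AF{c}{d}" for c in range(1, 5) for d in range(1, 4)})

class RuleError(ValueError):
    """A rule the NAS cannot interpret.  Per Section 4.1.1 the access
    device SHOULD NOT terminate the session over it; skip the rule."""

def _parse_addr(tok):
    # IPFilterRule host forms: "any", "assigned", or addr[/mask].
    if tok in ("any", "assigned"):
        return tok
    try:
        return ipaddress.ip_network(tok, strict=False)
    except ValueError as exc:
        raise RuleError(f"bad address {tok!r}") from exc

def _parse_ports(tok):
    # "80,443,1024-65535" -> [(80, 80), (443, 443), (1024, 65535)]
    ranges = []
    for part in tok.split(","):
        lo, _, hi = part.partition("-")
        try:
            lo, hi = int(lo), int(hi or lo)
        except ValueError as exc:
            raise RuleError(f"bad port {part!r}") from exc
        if not 0 <= lo <= hi <= 65535:
            raise RuleError(f"bad port range {part!r}")
        ranges.append((lo, hi))
    return ranges

def _host(toks, i, stop):
    # Parse "addr [ports]" at toks[i]; no ports if the next token is the
    # keyword `stop` ("to" after src) or the start of the options.
    addr, i, ports = _parse_addr(toks[i]), i + 1, []
    if i < len(toks) and toks[i] not in (stop, "DSCP", "metering"):
        ports, i = _parse_ports(toks[i]), i + 1
    return addr, ports, i

def parse_qos_filter_rule(rule):
    """'action dir proto from src to dst [options]' -> dict (Section 4.1.1
    syntax with the Section 4.4.9 options)."""
    t = rule.split()
    if len(t) < 7 or t[3] != "from":
        raise RuleError("expected: action dir proto from src to dst")
    action, direction, proto = t[0], t[1], t[2].lower()
    if action not in ("tag", "meter") or direction not in ("in", "out"):
        raise RuleError(f"bad action/direction {t[0]} {t[1]}")
    src, sports, i = _host(t, 4, "to")
    if i >= len(t) or t[i] != "to":
        raise RuleError("missing 'to'")
    dst, dports, i = _host(t, i + 1, None)
    opts = t[i:]
    r = dict(action=action, dir=direction, proto=proto,
             src=src, sports=sports, dst=dst, dports=dports)
    if action == "tag":      # DSCP <color> is mandatory, exact value only
        if len(opts) != 2 or opts[0] != "DSCP" or opts[1] not in DSCP_KEYWORDS:
            raise RuleError("tag requires exactly 'DSCP <color>'")
        r["dscp"] = opts[1]
    else:                    # metering <rate> <color_under> <color_over>
        if (len(opts) != 4 or opts[0] != "metering" or not opts[1].isdigit()
                or opts[2] not in DSCP_KEYWORDS
                or opts[3] not in DSCP_KEYWORDS | {"drop"}):
            raise RuleError("meter requires 'metering <rate> <under> <over>'")
        r.update(rate=int(opts[1]), color_under=opts[2], color_over=opts[3])
    return r

def _host_match(rule_addr, ranges, pkt_addr, port, assigned):
    if rule_addr == "assigned":
        ok = pkt_addr == assigned
    else:
        ok = rule_addr == "any" or ipaddress.ip_address(pkt_addr) in rule_addr
    return ok and (not ranges or any(lo <= port <= hi for lo, hi in ranges))

def classify(rules, pkt, assigned):
    """Section 4.1.1 evaluation: rules for the packet's direction in order,
    first match wins; None means no match, i.e. best-effort treatment."""
    for r in rules:
        if r["dir"] != pkt["dir"] or r["proto"] not in ("ip", pkt["proto"]):
            continue
        if (_host_match(r["src"], r["sports"], pkt["src"], pkt["sport"], assigned)
                and _host_match(r["dst"], r["dports"], pkt["dst"], pkt["dport"], assigned)):
            return r
    return None

# Constructed sample rules, as a server might send in QoS-Filter-Rule AVPs.
SAMPLE_RULES = [parse_qos_filter_rule(s) for s in (
    "tag in tcp from 192.0.2.0/24 to assigned 22 DSCP AF41",
    "meter out udp from assigned to any 5060,10000-20000 metering 64000 AF11 drop",
)]
```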
4.4.10.4.  Framed-Compression AVP

   The Framed-Compression AVP (AVP Code 13) is of type Enumerated and
   contains the compression protocol to be used for the link.  It MAY be
   used in an authorization request as a hint to the server that a
   specific compression type is desired, but the server is not required
   to honor the hint in the corresponding response.

   More than one compression protocol AVP MAY be sent.  The NAS is
   responsible for applying the proper compression protocol to the
   appropriate link traffic.

   The supported values are listed in [RADIUSTypes].

4.4.10.5.  IP Access Authorization AVPs

   The AVPs defined in this section are used when the user requests, or
   is being granted, access service to IP.

4.4.10.5.1.  Framed-IP-Address AVP

   The Framed-IP-Address AVP (AVP Code 8) [RFC2865] is of type
   OctetString and contains an IPv4 address of the type specified in the
   attribute value to be configured for the user.  It MAY be used in an
   authorization request as a hint to the server that a specific address
   is desired, but the server is not required to honor the hint in the
   corresponding response.

   Two values have special significance: 0xFFFFFFFF and 0xFFFFFFFE.  The
   value 0xFFFFFFFF indicates that the NAS should allow the user to
   select an address (i.e., negotiated).  The value 0xFFFFFFFE indicates
   that the NAS should select an address for the user (e.g., assigned
   from a pool of addresses kept by the NAS).

4.4.10.5.2.  Framed-IP-Netmask AVP

   The Framed-IP-Netmask AVP (AVP Code 9) is of type OctetString and
   contains the four octets of the IPv4 netmask to be configured for the
   user when the user is a router to a network.  It MAY be used in an
   authorization request as a hint to the server that a specific netmask
   is desired, but the server is not required to honor the hint in the
   corresponding response.
   This AVP MUST be present in a response if the request included this
   AVP with a value of 0xFFFFFFFF.

4.4.10.5.3.  Framed-Route AVP

   The Framed-Route AVP (AVP Code 22) is of type UTF8String and contains
   the ASCII routing information to be configured for the user on the
   NAS.  Zero or more of these AVPs MAY be present in an authorization
   response.

   The string MUST contain a destination prefix in dotted quad form
   optionally followed by a slash and a decimal length specifier stating
   how many high-order bits of the prefix should be used.  This is
   followed by a space, a gateway address in dotted quad form, a space,
   and one or more metrics separated by spaces; for example,

      "192.0.2.0/24 192.0.2.1 1"

   The length specifier may be omitted, in which case it should default
   to 8 bits for class A prefixes, to 16 bits for class B prefixes, and
   to 24 bits for class C prefixes; for example,

      "192.0.2.0 192.0.2.1 1"

   Whenever the gateway address is specified as "0.0.0.0" the IP address
   of the user SHOULD be used as the gateway address.

4.4.10.5.4.  Framed-Pool AVP

   The Framed-Pool AVP (AVP Code 88) is of type OctetString and contains
   the name of an assigned address pool that SHOULD be used to assign an
   address for the user.  If a NAS does not support multiple address
   pools, the NAS SHOULD ignore this AVP.  Address pools are usually
   used for IP addresses but can be used for other protocols if the NAS
   supports pools for those protocols.

   Although specified as type OctetString for compatibility with RADIUS
   [RFC2865], the encoding of the Data field SHOULD also conform to the
   rules for the UTF8String Data Format.

4.4.10.5.5.  Framed-Interface-Id AVP

   The Framed-Interface-Id AVP (AVP Code 96) is of type Unsigned64 and
   contains the IPv6 interface identifier to be configured for the user.
   It MAY be used in authorization requests as a hint to the server that
   a specific interface id is desired, but the server is not required to
   honor the hint in the corresponding response.

4.4.10.5.6.  Framed-IPv6-Prefix AVP

   The Framed-IPv6-Prefix AVP (AVP Code 97) is of type OctetString and
   contains the IPv6 prefix to be configured for the user.  One or more
   AVPs MAY be used in authorization requests as a hint to the server
   that specific IPv6 prefixes are desired, but the server is not
   required to honor the hint in the corresponding response.

4.4.10.5.7.  Framed-IPv6-Route AVP

   The Framed-IPv6-Route AVP (AVP Code 99) is of type UTF8String and
   contains the ASCII routing information to be configured for the user
   on the NAS.  Zero or more of these AVPs MAY be present in an
   authorization response.

   The string MUST contain an IPv6 address prefix followed by a slash
   and a decimal length specifier stating how many high order bits of
   the prefix should be used.  This is followed by a space, a gateway
   address in hexadecimal notation, a space, and one or more metrics
   separated by spaces; for example,

      "2001:db8::/32 2001:db8:106:a00:20ff:fe99:a998 1"

   Whenever the gateway address is the IPv6 unspecified address, the IP
   address of the user SHOULD be used as the gateway address, such as
   in:

      "2001:db8::/32 :: 1"

4.4.10.5.8.  Framed-IPv6-Pool AVP

   The Framed-IPv6-Pool AVP (AVP Code 100) is of type OctetString and
   contains the name of an assigned pool that SHOULD be used to assign
   an IPv6 prefix for the user.  If the access device does not support
   multiple prefix pools, it MUST ignore this AVP.

   Although specified as type OctetString for compatibility with RADIUS
   [RFC3162], the encoding of the Data field SHOULD also conform to the
   rules for the UTF8String Data Format.

4.4.10.6.  IPX Access AVPs

   The AVPs defined in this section are used when the user requests, or
   is being granted, access to an IPX network service [IPX].

4.4.10.6.1.  Framed-IPX-Network AVP

   The Framed-IPX-Network AVP (AVP Code 23) is of type Unsigned32 and
   contains the IPX Network number to be configured for the user.  It
   MAY be used in an authorization request as a hint to the server that
   a specific address is desired, but the server is not required to
   honor the hint in the corresponding response.

   Two addresses have special significance: 0xFFFFFFFF and 0xFFFFFFFE.
   The value 0xFFFFFFFF indicates that the NAS should allow the user to
   select an address (i.e., Negotiated).  The value 0xFFFFFFFE indicates
   that the NAS should select an address for the user (e.g., assign it
   from a pool of one or more IPX networks kept by the NAS).

4.4.10.7.  AppleTalk Network Access AVPs

   The AVPs defined in this section are used when the user requests, or
   is being granted, access to an AppleTalk network [AppleTalk].

4.4.10.7.1.  Framed-AppleTalk-Link AVP

   The Framed-AppleTalk-Link AVP (AVP Code 37) is of type Unsigned32 and
   contains the AppleTalk network number that should be used for the
   serial link to the user, which is another AppleTalk router.  This AVP
   MUST only be present in an authorization response and is never used
   when the user is not another router.

   Despite the size of the field, values range from 0 to 65,535.  The
   special value of 0 indicates an unnumbered serial link.  A value of 1
   to 65,535 means that the serial line between the NAS and the user
   should be assigned that value as an AppleTalk network number.

4.4.10.7.2.  Framed-AppleTalk-Network AVP

   The Framed-AppleTalk-Network AVP (AVP Code 38) is of type Unsigned32
   and contains the AppleTalk Network number that the NAS should probe
   to allocate an AppleTalk node for the user.
   This AVP MUST only be present in an authorization response and is
   never used when the user is not another router.  Multiple instances
   of this AVP indicate that the NAS may probe, using any of the network
   numbers specified.

   Despite the size of the field, values range from 0 to 65,535.  The
   special value 0 indicates that the NAS should assign a network for
   the user, using its default cable range.  A value between 1 and
   65,535 (inclusive) indicates to the AppleTalk Network that the NAS
   should probe to find an address for the user.

4.4.10.7.3.  Framed-AppleTalk-Zone AVP

   The Framed-AppleTalk-Zone AVP (AVP Code 39) is of type OctetString
   and contains the AppleTalk Default Zone to be used for this user.
   This AVP MUST only be present in an authorization response.  Multiple
   instances of this AVP in the same message are not allowed.

   The codification of this field's allowed range is outside the scope
   of this specification.

4.4.10.8.  AppleTalk Remote Access AVPs

   The AVPs defined in this section are used when the user requests, or
   is being granted, access to the AppleTalk network via the AppleTalk
   Remote Access Protocol [ARAP].  They are only present if the Framed-
   Protocol AVP (Section 4.4.10.1) is set to ARAP.  Section 2.2 of RFC
   2869 [RFC2869] describes the operational use of these attributes.

4.4.10.8.1.  ARAP-Features AVP

   The ARAP-Features AVP (AVP Code 71) is of type OctetString and MAY be
   present in the AA-Accept message if the Framed-Protocol AVP is set to
   the value of ARAP.  See [RFC2869] for more information about the
   format of this AVP.

4.4.10.8.2.  ARAP-Zone-Access AVP

   The ARAP-Zone-Access AVP (AVP Code 72) is of type Enumerated and MAY
   be present in the AA-Accept message if the Framed-Protocol AVP is set
   to the value of ARAP.

   The supported values are listed in [RADIUSTypes] and defined in
   [RFC2869].

4.4.11.  Non-Framed Access Authorization AVPs

   This section contains the authorization AVPs that are needed to
   support terminal server functionality.  AVPs defined in this section
   MAY be present in a message if the Service-Type AVP was set to
   "Login" or "Callback Login".

4.4.11.1.  Login-IP-Host AVP

   The Login-IP-Host AVP (AVP Code 14) [RFC2865] is of type OctetString
   and contains the IPv4 address of a host with which to connect the
   user when the Login-Service AVP is included.  It MAY be used in an
   AA-Request command as a hint to the Diameter Server that a specific
   host is desired, but the Diameter Server is not required to honor the
   hint in the AA-Answer.

   Two addresses have special significance: all ones and 0.  The value
   of all ones indicates that the NAS SHOULD allow the user to select an
   address.  The value 0 indicates that the NAS SHOULD select a host to
   connect the user to.

4.4.11.2.  Login-IPv6-Host AVP

   The Login-IPv6-Host AVP (AVP Code 98) [RFC3162] is of type
   OctetString and contains the IPv6 address of a host with which to
   connect the user when the Login-Service AVP is included.  It MAY be
   used in an AA-Request command as a hint to the Diameter Server that a
   specific host is desired, but the Diameter Server is not required to
   honor the hint in the AA-Answer.

   Two addresses have special significance:
   0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF and 0.  The value
   0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF indicates that the NAS SHOULD
   allow the user to select an address.  The value 0 indicates that the
   NAS SHOULD select a host to connect the user to.

4.4.11.3.  Login-Service AVP

   The Login-Service AVP (AVP Code 15) is of type Enumerated and
   contains the service that should be used to connect the user to the
   login host.  This AVP SHOULD only be present in authorization
   responses.  The supported values are listed in [RFC2869].

4.4.11.4.  TCP Services

   The AVP described in the following section MAY be present if the
   Login-Service AVP is set to Telnet, Rlogin, TCP Clear, or TCP Clear
   Quiet.

4.4.11.4.1.  Login-TCP-Port AVP

   The Login-TCP-Port AVP (AVP Code 16) is of type Unsigned32 and
   contains the TCP port with which the user is to be connected when the
   Login-Service AVP is also present.  This AVP SHOULD only be present
   in authorization responses.  The value MUST NOT be greater than
   65,535.

4.4.11.5.  LAT Services

   The AVPs described in this section MAY be present if the Login-
   Service AVP is set to LAT [LAT].

4.4.11.5.1.  Login-LAT-Service AVP

   The Login-LAT-Service AVP (AVP Code 34) is of type OctetString and
   contains the system with which the user is to be connected by LAT.
   It MAY be used in an authorization request as a hint to the server
   that a specific service is desired, but the server is not required to
   honor the hint in the corresponding response.  This AVP MUST only be
   present in the response if the Login-Service AVP states that LAT is
   desired.

   Administrators use this service attribute when dealing with clustered
   systems.  In these environments, several different time-sharing hosts
   share the same resources (disks, printers, etc.), and administrators
   often configure each host to offer access (service) to each of the
   shared resources.  In this case, each host in the cluster advertises
   its services through LAT broadcasts.

   Sophisticated users often know which service providers (machines) are
   faster and tend to use a node name when initiating a LAT connection.
   Some administrators want particular users to use certain machines as
   a primitive form of load balancing (although LAT knows how to do load
   balancing itself).

   The String field contains the identity of the LAT service to use.
   The LAT Architecture allows this string to contain $ (dollar), -
   (hyphen), . (period), _ (underscore), numerics, upper- and lowercase
   alphabetics, and the ISO Latin-1 character set extension
   [ISO.8859-1.1987].  All LAT string comparisons are case insensitive.

4.4.11.5.2.  Login-LAT-Node AVP

   The Login-LAT-Node AVP (AVP Code 35) is of type OctetString and
   contains the Node with which the user is to be automatically
   connected by LAT.  It MAY be used in an authorization request as a
   hint to the server that a specific LAT node is desired, but the
   server is not required to honor the hint in the corresponding
   response.  This AVP MUST only be present in a response if the Login-
   Service-Type AVP is set to LAT.

   The String field contains the identity of the LAT service to use.
   The LAT Architecture allows this string to contain $ (dollar), -
   (hyphen), . (period), _ (underscore), numerics, upper- and lowercase
   alphabetics, and the ISO Latin-1 character set extension
   [ISO.8859-1.1987].  All LAT string comparisons are case insensitive.

4.4.11.5.3.  Login-LAT-Group AVP

   The Login-LAT-Group AVP (AVP Code 36) is of type OctetString and
   contains a string identifying the LAT group codes this user is
   authorized to use.  It MAY be used in an authorization request as a
   hint to the server that a specific group is desired, but the server
   is not required to honor the hint in the corresponding response.
   This AVP MUST only be present in a response if the Login-Service-Type
   AVP is set to LAT.

   LAT supports 256 different group codes, which LAT uses as a form of
   access rights.  LAT encodes the group codes as a 256-bit bitmap.

   Administrators can assign one or more of the group code bits at the
   LAT service provider; it will only accept LAT connections that have
   these group codes set in the bitmap.
   The administrators assign a bitmap of authorized group codes to each
   user.  LAT gets these from the operating system and uses them in its
   requests to the service providers.

   The codification of the range of allowed usage of this field is
   outside the scope of this specification.

4.4.11.5.4.  Login-LAT-Port AVP

   The Login-LAT-Port AVP (AVP Code 63) is of type OctetString and
   contains the Port with which the user is to be connected by LAT.  It
   MAY be used in an authorization request as a hint to the server that
   a specific port is desired, but the server is not required to honor
   the hint in the corresponding response.  This AVP MUST only be
   present in a response if the Login-Service-Type AVP is set to LAT.

   The String field contains the identity of the LAT service to use.
   The LAT Architecture allows this string to contain $ (dollar), -
   (hyphen), . (period), _ (underscore), numerics, upper- and lower-case
   alphabetics, and the ISO Latin-1 character set extension
   [ISO.8859-1.1987].

   All LAT string comparisons are case insensitive.

4.5.  NAS Tunneling AVPs

   Some NASes support compulsory tunnel services in which the incoming
   connection data is conveyed by an encapsulation method to a gateway
   elsewhere in the network.  This is typically transparent to the
   service user, and the tunnel characteristics may be described by the
   remote AAA server, based on the user's authorization information.
   Several tunnel characteristics may be returned, and the NAS
   implementation may choose one.  See [RFC2868] and [RFC2867] for
   further information.

   The following table gives the possible flag values for the session
   level AVPs and specifies whether the AVP MAY be encrypted.
                                              +----------+
                                              | AVP Flag |
                                              |  rules   |
                                              |----+-----|
                                              |MUST| MUST|
   Attribute Name             Section Defined |    | NOT |
   -------------------------------------------|----+-----|
   Tunneling                  4.5.1           | M  |  V  |
   Tunnel-Type                4.5.2           | M  |  V  |
   Tunnel-Medium-Type         4.5.3           | M  |  V  |
   Tunnel-Client-Endpoint     4.5.4           | M  |  V  |
   Tunnel-Server-Endpoint     4.5.5           | M  |  V  |
   Tunnel-Password            4.5.6           | M  |  V  |
   Tunnel-Private-Group-Id    4.5.7           | M  |  V  |
   Tunnel-Assignment-Id       4.5.8           | M  |  V  |
   Tunnel-Preference          4.5.9           | M  |  V  |
   Tunnel-Client-Auth-Id      4.5.10          | M  |  V  |
   Tunnel-Server-Auth-Id      4.5.11          | M  |  V  |
   -------------------------------------------|----+-----|

4.5.1.  Tunneling AVP

   The Tunneling AVP (AVP Code 401) is of type Grouped and contains the
   following AVPs, used to describe a compulsory tunnel service
   ([RFC2868], [RFC2867]).  Its data field has the following ABNF
   grammar:

      Tunneling ::= < AVP Header: 401 >
                    { Tunnel-Type }
                    { Tunnel-Medium-Type }
                    { Tunnel-Client-Endpoint }
                    { Tunnel-Server-Endpoint }
                    [ Tunnel-Preference ]
                    [ Tunnel-Client-Auth-Id ]
                    [ Tunnel-Server-Auth-Id ]
                    [ Tunnel-Assignment-Id ]
                    [ Tunnel-Password ]
                    [ Tunnel-Private-Group-Id ]

4.5.2.  Tunnel-Type AVP

   The Tunnel-Type AVP (AVP Code 64) is of type Enumerated and contains
   the tunneling protocol(s) to be used (in the case of a tunnel
   initiator) or in use (in the case of a tunnel terminator).  It MAY be
   used in an authorization request as a hint to the server that a
   specific tunnel type is desired, but the server is not required to
   honor the hint in the corresponding response.

   The Tunnel-Type AVP SHOULD also be included in ACR messages.

   A tunnel initiator is not required to implement any of these tunnel
   types.
   If a tunnel initiator receives a response that contains only unknown
   or unsupported Tunnel-Types, the tunnel initiator MUST behave as
   though a response were received with the Result-Code indicating a
   failure.

   The supported values are listed in [RADIUSTypes].

4.5.3.  Tunnel-Medium-Type AVP

   The Tunnel-Medium-Type AVP (AVP Code 65) is of type Enumerated and
   contains the transport medium to use when creating a tunnel for
   protocols (such as L2TP [RFC3931]) that can operate over multiple
   transports.  It MAY be used in an authorization request as a hint to
   the server that a specific medium is desired, but the server is not
   required to honor the hint in the corresponding response.

   The supported values are listed in [RADIUSTypes].

4.5.4.  Tunnel-Client-Endpoint AVP

   The Tunnel-Client-Endpoint AVP (AVP Code 66) is of type UTF8String
   and contains the address of the initiator end of the tunnel.  It MAY
   be used in an authorization request as a hint to the server that a
   specific endpoint is desired, but the server is not required to honor
   the hint in the corresponding response.  This AVP SHOULD be included
   in the corresponding ACR messages, in which case it indicates the
   address from which the tunnel was initiated.  This AVP, along with
   the Tunnel-Server-Endpoint (Section 4.5.5) and Session-Id AVPs
   ([I-D.ietf-dime-rfc3588bis], Section 8.8), can be used to provide a
   globally unique means to identify a tunnel for accounting and
   auditing purposes.

   If the value of the Tunnel-Medium-Type AVP (Section 4.5.3) is IPv4
   (1), then this string is either the fully qualified domain name
   (FQDN) of the tunnel client machine, or a "dotted-decimal" IP
   address.  Implementations MUST support the dotted-decimal format and
   SHOULD support the FQDN format for IP addresses.
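   Checking a received Tunnel-Client-Endpoint string against the
   Tunnel-Medium-Type rules of this section (the IPv4 case above, and
   the IPv6 and local-tag cases that follow; Tunnel-Server-Endpoint in
   Section 4.5.5 uses the same rules) as an added example in Python,
   not code from this specification or from any implementation of it.
   The function names, the purely syntactic RFC 1123 host-name check
   used to recognise an FQDN, and the constructed sample values are this
   example's own.

```python
import ipaddress
import re
from typing import Tuple

# Tunnel-Medium-Type values named in this section.
MEDIUM_IPV4 = 1
MEDIUM_IPV6 = 2

# RFC 1123 host-name label: letters, digits and hyphens, no leading or
# trailing hyphen, at most 63 octets.  Syntax only; nothing is resolved.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(value: str) -> bool:
    """Syntactic FQDN check.  An all-numeric name such as "192.0.2.1"
    is refused so that a malformed address is never silently accepted
    as a host name instead."""
    name = value.rstrip(".")
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    if not all(_LABEL.match(label) for label in labels):
        return False
    return not all(label.isdigit() for label in labels)


def _strict_ipv4(value: str) -> str:
    """Dotted-decimal only: four decimal octets, no leading zeros (some
    parsers read those as octal), no prefix length or port."""
    octets = value.split(".")
    if len(octets) != 4 or any(len(o) > 1 and o[0] == "0" for o in octets):
        raise ValueError(value)
    # ipaddress.AddressValueError is a ValueError subclass.
    return str(ipaddress.IPv4Address(value))


def _strict_ipv6(value: str) -> str:
    """Preferred (x:x:x:x:x:x:x:x with ::) or alternate (x:x:x:x:x:x:d.d.d.d)
    text form.  Scope identifiers and prefix lengths belong to neither
    form and are refused."""
    if "%" in value or "/" in value:
        raise ValueError(value)
    return str(ipaddress.IPv6Address(value))


def classify_endpoint(medium_type: int, value: str) -> Tuple[str, str]:
    """Return (kind, canonical value) for an endpoint string, with kind
    one of "ipv4", "ipv6", "fqdn" or "tag".  Raise ValueError when the
    string does not fit the medium type, so an unexpected form is never
    used as a tunnel identifier in accounting or audit records."""
    if medium_type == MEDIUM_IPV4:
        try:
            return "ipv4", _strict_ipv4(value)
        except ValueError:
            if is_fqdn(value):
                return "fqdn", value.rstrip(".").lower()
            raise ValueError(f"not dotted-decimal or FQDN for IPv4 medium: {value!r}") from None
    if medium_type == MEDIUM_IPV6:
        try:
            return "ipv6", _strict_ipv6(value)
        except ValueError:
            if is_fqdn(value):
                return "fqdn", value.rstrip(".").lower()
            raise ValueError(f"not an IPv6 text form or FQDN for IPv6 medium: {value!r}") from None
    # Any other medium: an opaque tag that selects local configuration.
    if not value.strip():
        raise ValueError("empty local configuration tag")
    return "tag", value


if __name__ == "__main__":
    # Constructed sample values, not taken from the specification.
    samples = [(1, "192.0.2.10"), (1, "LAC1.Example.NET."), (2, "2001:DB8::1"),
               (2, "::ffff:192.0.2.1"), (1, "2001:db8::1"), (2, "192.0.2.1"),
               (1, "192.0.02.1"), (3, "dlci-17")]
    for medium, endpoint in samples:
        try:
            print(medium, endpoint, "->", classify_endpoint(medium, endpoint))
        except ValueError as exc:
            print(medium, endpoint, "-> rejected:", exc)
```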
   If Tunnel-Medium-Type is IPv6 (2), then this string is either the
   FQDN of the tunnel client machine, or a text representation of the
   address in either the preferred or alternate form [RFC3516].
   Conforming implementations MUST support the preferred form and SHOULD
   support both the alternate text form and the FQDN format for IPv6
   addresses.

   If Tunnel-Medium-Type is neither IPv4 nor IPv6, then this string is a
   tag referring to configuration data local to the Diameter client that
   describes the interface or medium-specific client address to use.

4.5.5.  Tunnel-Server-Endpoint AVP

   The Tunnel-Server-Endpoint AVP (AVP Code 67) is of type UTF8String
   and contains the address of the server end of the tunnel.  It MAY be
   used in an authorization request as a hint to the server that a
   specific endpoint is desired, but the server is not required to honor
   the hint in the corresponding response.

   This AVP SHOULD be included in the corresponding ACR messages, in
   which case it indicates the address from which the tunnel was
   initiated.  This AVP, along with the Tunnel-Client-Endpoint
   (Section 4.5.4) and Session-Id AVP ([I-D.ietf-dime-rfc3588bis],
   Section 8.8), can be used to provide a globally unique means to
   identify a tunnel for accounting and auditing purposes.

   If Tunnel-Medium-Type is IPv4 (1), then this string is either the
   fully qualified domain name (FQDN) of the tunnel server machine, or a
   "dotted-decimal" IP address.  Implementations MUST support the
   dotted-decimal format and SHOULD support the FQDN format for IP
   addresses.

   If Tunnel-Medium-Type is IPv6 (2), then this string is either the
   FQDN of the tunnel server machine, or a text representation of the
   address in either the preferred or alternate form [RFC3516].
   Implementations MUST support the preferred form and SHOULD support
   both the alternate text form and the FQDN format for IPv6 addresses.

   If Tunnel-Medium-Type is not IPv4 or IPv6, this string is a tag
   referring to configuration data local to the Diameter client that
   describes the interface or medium-specific server address to use.

4.5.6.  Tunnel-Password AVP

   The Tunnel-Password AVP (AVP Code 69) is of type OctetString and may
   contain a password to be used to authenticate to a remote server.

   The Tunnel-Password AVP SHOULD NOT be used in untrusted proxy
   environments without encrypting it by using end-to-end security
   techniques.

4.5.7.  Tunnel-Private-Group-Id AVP

   The Tunnel-Private-Group-Id AVP (AVP Code 81) is of type OctetString
   and contains the group Id for a particular tunneled session.  The
   Tunnel-Private-Group-Id AVP MAY be included in an authorization
   request if the tunnel initiator can predetermine the group resulting
   from a particular connection.  It SHOULD be included in the
   authorization response if this tunnel session is to be treated as
   belonging to a particular private group.  Private groups may be used
   to associate a tunneled session with a particular group of users.
   For example, it MAY be used to facilitate routing of unregistered IP
   addresses through a particular interface.  This AVP SHOULD be
   included in the ACR messages that pertain to the tunneled session.

4.5.8.  Tunnel-Assignment-Id AVP

   The Tunnel-Assignment-Id AVP (AVP Code 82) is of type OctetString and
   is used to indicate to the tunnel initiator the particular tunnel to
   which a session is to be assigned.  Some tunneling protocols, such as
   PPTP [RFC2637] and L2TP [RFC3931], allow for sessions between the
   same two tunnel endpoints to be multiplexed over the same tunnel and
   also for a given session to use its own dedicated tunnel.
   This attribute provides a mechanism for Diameter to inform the tunnel
   initiator (for example, a LAC) whether to assign the session to a
   multiplexed tunnel or to a separate tunnel.  Furthermore, it allows
   for sessions sharing multiplexed tunnels to be assigned to different
   multiplexed tunnels.

   A particular tunneling implementation may assign differing
   characteristics to particular tunnels.  For example, different
   tunnels may be assigned different QoS parameters.  Such tunnels may
   be used to carry either individual or multiple sessions.  The Tunnel-
   Assignment-Id attribute thus allows the Diameter server to indicate
   that a particular session is to be assigned to a tunnel providing an
   appropriate level of service.  It is expected that any QoS-related
   Diameter tunneling attributes defined in the future accompanying this
   one will be associated by the tunnel initiator with the Id given by
   this attribute.  In the meantime, any semantic given to a particular
   Id string is a matter left to local configuration in the tunnel
   initiator.

   The Tunnel-Assignment-Id AVP is of significance only to Diameter and
   the tunnel initiator.  The Id it specifies is only intended to be of
   local use to Diameter and the tunnel initiator.  The Id assigned by
   the tunnel initiator is not conveyed to the tunnel peer.

   This attribute MAY be included in authorization responses.  The
   tunnel initiator receiving this attribute MAY choose to ignore it and
   to assign the session to an arbitrary multiplexed or non-multiplexed
   tunnel between the desired endpoints.  This AVP SHOULD also be
   included in the Accounting-Request messages pertaining to the
   tunneled session.
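   The tunnel-initiator side of the assignment rules this section goes
   on to list, combined with the Tunnel-Preference ordering of Section
   4.5.9 and the unsupported-Tunnel-Type failure of Section 4.5.2, as an
   added example in Python; it is not code from this specification or
   from any LAC implementation.  The TunnelingAVP and Tunnel types, the
   local-metric callback, the ranking of an absent Tunnel-Preference as
   least preferred, the inclusion of Tunnel-Type in the tunnel key and
   the sample endpoint values are assumptions of this example; the
   PPTP and L2TP Tunnel-Type values are the RFC 2868 registry values.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Tunnel-Type values for PPTP and L2TP from the RADIUS registry (RFC 2868).
PPTP = 1
L2TP = 3


class TunnelSetupFailure(Exception):
    """The answer carried only unknown or unsupported Tunnel-Types;
    Section 4.5.2 requires the initiator to proceed as though the
    Result-Code had indicated a failure."""


@dataclass(frozen=True)
class TunnelingAVP:
    """The members of one Tunneling grouped AVP (Section 4.5.1) that the
    initiator needs for its choice; the other members are omitted here."""
    tunnel_type: int
    client_endpoint: str
    server_endpoint: str
    preference: Optional[int] = None        # Tunnel-Preference (optional)
    assignment_id: Optional[bytes] = None   # Tunnel-Assignment-Id (optional)


@dataclass
class Tunnel:
    tunnel_type: int
    client_endpoint: str
    server_endpoint: str
    assignment_id: Optional[bytes]          # None: the unnamed tunnel
    sessions: List[str] = field(default_factory=list)


# Local tunnel identity: type, both endpoints and the assignment Id.
# Keying on the endpoints is what lets the same Id name different
# tunnels between different endpoint pairs.
TunnelKey = Tuple[int, str, str, Optional[bytes]]


class TunnelInitiator:
    def __init__(self, supported_types: Iterable[int],
                 local_metric: Callable[[TunnelingAVP], int]):
        self.supported = set(supported_types)
        self.local_metric = local_metric    # tie-breaker for equal preferences
        self.tunnels: Dict[TunnelKey, Tunnel] = {}

    def choose(self, candidates: List[TunnelingAVP]) -> TunnelingAVP:
        """Pick one Tunneling AVP out of an authorization answer: only
        supported Tunnel-Types count, the lowest Tunnel-Preference value
        wins, and equal values are settled by the locally configured
        metric.  Assumption: an absent Tunnel-Preference ranks last."""
        usable = [c for c in candidates if c.tunnel_type in self.supported]
        if not usable:
            raise TunnelSetupFailure("no supported Tunnel-Type in authorization answer")
        return min(usable, key=lambda c: (
            c.preference if c.preference is not None else 2 ** 32,
            self.local_metric(c)))

    def assign(self, session_id: str, chosen: TunnelingAVP) -> Tunnel:
        """Apply the Tunnel-Assignment-Id rules of this section."""
        key: TunnelKey = (chosen.tunnel_type, chosen.client_endpoint,
                          chosen.server_endpoint, chosen.assignment_id)
        tunnel = self.tunnels.get(key)
        if tunnel is None:
            # Id present but no such tunnel yet: establish a new tunnel
            # named by that Id.  Id absent and no unnamed tunnel yet:
            # establish the unnamed one.  Because assignment_id is part
            # of the key, a session without an Id can never be placed in
            # a named tunnel, which is the MUST NOT of the third rule.
            tunnel = Tunnel(chosen.tunnel_type, chosen.client_endpoint,
                            chosen.server_endpoint, chosen.assignment_id)
            self.tunnels[key] = tunnel
        # Existing tunnel (named with that Id, or the unnamed one) between
        # these endpoints: multiplex this session onto it.
        tunnel.sessions.append(session_id)
        return tunnel


if __name__ == "__main__":
    # Constructed answer content: two Tunneling AVPs for the same endpoint
    # pair, L2TP preferred over PPTP by its lower Tunnel-Preference.
    answer = [
        TunnelingAVP(PPTP, "192.0.2.10", "192.0.2.20", preference=10, assignment_id=b"gold"),
        TunnelingAVP(L2TP, "192.0.2.10", "192.0.2.20", preference=5, assignment_id=b"gold"),
    ]
    lac = TunnelInitiator({PPTP, L2TP}, local_metric=lambda avp: 0)
    chosen = lac.choose(answer)
    for session in ("sess-1", "sess-2"):
        named = lac.assign(session, chosen)
    print("named tunnel", chosen.assignment_id, "carries", named.sessions)
    unnamed = lac.assign("sess-3", TunnelingAVP(L2TP, "192.0.2.10", "192.0.2.20"))
    print("unnamed tunnel carries", unnamed.sessions)
```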
   If a tunnel initiator supports the Tunnel-Assignment-Id AVP, then it
   should assign a session to a tunnel in the following manner:

   o  If this AVP is present and a tunnel exists between the specified
      endpoints with the specified Id, then the session should be
      assigned to that tunnel.

   o  If this AVP is present and no tunnel exists between the specified
      endpoints with the specified Id, then a new tunnel should be
      established for the session and the specified Id should be
      associated with the new tunnel.

   o  If this AVP is not present, then the session is assigned to an
      unnamed tunnel.  If an unnamed tunnel does not yet exist between
      the specified endpoints, then it is established and used for this
      session and for subsequent ones established without the Tunnel-
      Assignment-Id attribute.  A tunnel initiator MUST NOT assign a
      session for which a Tunnel-Assignment-Id AVP was not specified to
      a named tunnel (i.e., one that was initiated by a session
      specifying this AVP).

   Note that the same Id may be used to name different tunnels if these
   tunnels are between different endpoints.

4.5.9.  Tunnel-Preference AVP

   The Tunnel-Preference AVP (AVP Code 83) is of type Unsigned32 and is
   used to identify the relative preference assigned to each tunnel when
   more than one set of tunneling AVPs is returned within separate
   Grouped-AVP AVPs.  It MAY be used in an authorization request as a
   hint to the server that a specific preference is desired, but the
   server is not required to honor the hint in the corresponding
   response.

   For example, suppose that AVPs describing two tunnels are returned by
   the server, one with a Tunnel-Type of PPTP and the other with a
   Tunnel-Type of L2TP.  If the tunnel initiator supports only one of
   the Tunnel-Types returned, it will initiate a tunnel of that type.
   If, however, it supports both tunnel protocols, it SHOULD use the
   value of the Tunnel-Preference AVP to decide which tunnel should be
   started.  The tunnel with the lowest numerical value in the Value
   field of this AVP SHOULD be given the highest preference.  The values
   assigned to two or more instances of the Tunnel-Preference AVP within
   a given authorization response MAY be identical.  In this case, the
   tunnel initiator SHOULD use locally configured metrics to decide
   which set of AVPs to use.

4.5.10.  Tunnel-Client-Auth-Id AVP

   The Tunnel-Client-Auth-Id AVP (AVP Code 90) is of type UTF8String and
   specifies the name used by the tunnel initiator during the
   authentication phase of tunnel establishment.  It MAY be used in an
   authorization request as a hint to the server that a specific
   preference is desired, but the server is not required to honor the
   hint in the corresponding response.  This AVP MUST be present in the
   authorization response if an authentication name other than the
   default is desired.  This AVP SHOULD be included in the ACR messages
   pertaining to the tunneled session.

4.5.11.  Tunnel-Server-Auth-Id AVP

   The Tunnel-Server-Auth-Id AVP (AVP Code 91) is of type UTF8String and
   specifies the name used by the tunnel terminator during the
   authentication phase of tunnel establishment.  It MAY be used in an
   authorization request as a hint to the server that a specific
   preference is desired, but the server is not required to honor the
   hint in the corresponding response.  This AVP MUST be present in the
   authorization response if an authentication name other than the
   default is desired.  This AVP SHOULD be included in the ACR messages
   pertaining to the tunneled session.

4.6.  NAS Accounting AVPs

   Applications implementing this specification use Diameter Accounting
   (as defined in [I-D.ietf-dime-rfc3588bis]) and the AVPs in the
   following section.  Service-specific AVP usage is defined in the
   tables in Section 5.

   If accounting is active, Accounting Request (ACR) messages SHOULD be
   sent after the completion of any Authentication or Authorization
   transaction and at the end of a Session.  The value of the
   Accounting-Record-Type AVP [I-D.ietf-dime-rfc3588bis] indicates the
   type of event.  All other AVPs identify the session and provide
   additional information relevant to the event.

   The successful completion of the first Authentication or
   Authorization transaction SHOULD cause a START_RECORD to be sent.  If
   additional Authentications or Authorizations occur in later
   transactions, the first exchange should generate a START_RECORD, and
   the later an INTERIM_RECORD.  For a given session, there MUST only be
   one set of matching START and STOP records, with any number of
   INTERIM_RECORDS in between, or one EVENT_RECORD indicating the reason
   a session wasn't started.

   The following table gives the possible flag values for the session
   level AVPs and specifies whether the AVP MAY be encrypted.
                                              +----------+
                                              | AVP Flag |
                                              |  rules   |
                                              |----+-----|
                              Section         |MUST| MUST|
   Attribute Name             Defined         |    | NOT |
   -------------------------------------------|----+-----|
   Accounting-Input-Octets    4.6.1           | M  |  V  |
   Accounting-Output-Octets   4.6.2           | M  |  V  |
   Accounting-Input-Packets   4.6.3           | M  |  V  |
   Accounting-Output-Packets  4.6.4           | M  |  V  |
   Acct-Session-Time          4.6.5           | M  |  V  |
   Acct-Authentic             4.6.6           | M  |  V  |
   Accounting-Auth-Method     4.6.7           | M  |  V  |
   Acct-Delay-Time            4.6.8           | M  |  V  |
   Acct-Link-Count            4.6.9           | M  |  V  |
   Acct-Tunnel-Connection     4.6.10          | M  |  V  |
   Acct-Tunnel-Packets-Lost   4.6.11          | M  |  V  |
   -------------------------------------------|----+-----|

4.6.1.  Accounting-Input-Octets AVP

   The Accounting-Input-Octets AVP (AVP Code 363) is of type Unsigned64
   and contains the number of octets received from the user.

   For NAS usage, this AVP indicates how many octets have been received
   from the port in the course of this session.  It can only be present
   in ACR messages with an Accounting-Record-Type
   [I-D.ietf-dime-rfc3588bis] of INTERIM_RECORD or STOP_RECORD.

4.6.2.  Accounting-Output-Octets AVP

   The Accounting-Output-Octets AVP (AVP Code 364) is of type Unsigned64
   and contains the number of octets sent to the user.

   For NAS usage, this AVP indicates how many octets have been sent to
   the port in the course of this session.  It can only be present in
   ACR messages with an Accounting-Record-Type of INTERIM_RECORD or
   STOP_RECORD.

4.6.3.  Accounting-Input-Packets AVP

   The Accounting-Input-Packets (AVP Code 365) is of type Unsigned64 and
   contains the number of packets received from the user.

   For NAS usage, this AVP indicates how many packets have been received
   from the port over the course of a session being provided to a Framed
   User.
   It can only be present in ACR messages with an Accounting-Record-Type
   of INTERIM_RECORD or STOP_RECORD.

4.6.4.  Accounting-Output-Packets AVP

   The Accounting-Output-Packets (AVP Code 366) is of type Unsigned64
   and contains the number of IP packets sent to the user.

   For NAS usage, this AVP indicates how many packets have been sent to
   the port over the course of a session being provided to a Framed
   User.  It can only be present in ACR messages with an Accounting-
   Record-Type of INTERIM_RECORD or STOP_RECORD.

4.6.5.  Acct-Session-Time AVP

   The Acct-Session-Time AVP (AVP Code 46) is of type Unsigned32 and
   indicates the length of the current session in seconds.  It can only
   be present in ACR messages with an Accounting-Record-Type of
   INTERIM_RECORD or STOP_RECORD.

4.6.6.  Acct-Authentic AVP

   The Acct-Authentic AVP (AVP Code 45) is of type Enumerated and
   specifies how the user was authenticated.  The supported values are
   listed in [RADIUSTypes].

4.6.7.  Accounting-Auth-Method AVP

   The Accounting-Auth-Method AVP (AVP Code 406) is of type Enumerated.
   A NAS MAY include this AVP in an Accounting-Request message to
   indicate the method used to authenticate the user.  (Note that this
   AVP is semantically equivalent, and the supported values are
   identical, to the Microsoft MS-Acct-Auth-Type vendor-specific RADIUS
   attribute [RFC2548]).

4.6.8.  Acct-Delay-Time AVP

   The Acct-Delay-Time AVP (AVP Code 41) is of type Unsigned32 and
   indicates the number of seconds the Diameter client has been trying
   to send the Accounting-Request (ACR).  The accounting server may
   subtract this value from the time when the ACR arrives at the server
   to calculate the approximate time of the event that caused the ACR to
   be generated.

   This AVP is not used for retransmissions at the transport level (TCP
   or SCTP).
   Rather, it may be used when an ACR command cannot be
   transmitted because there is no appropriate peer to transmit it to,
   or when the command was rejected because it could not be delivered.
   In these cases, the command MAY be buffered and transmitted later,
   when an appropriate peer connection is available or after sufficient
   time has passed that the destination host may be reachable and
   operational.  If the ACR is re-sent in this way, the Acct-Delay-Time
   AVP SHOULD be included.  The value of this AVP indicates the number
   of seconds that elapsed between the time of the first attempt at
   transmission and the current attempt.

4.6.9.  Acct-Link-Count AVP

   The Acct-Link-Count AVP (AVP Code 51) is of type Unsigned32 and
   indicates the total number of links that have been active (current or
   closed) in a given multilink session at the time the accounting
   record is generated.  This AVP MAY be included in Accounting-Requests
   for any session that may be part of a multilink service.

   The Acct-Link-Count AVP may be used to make it easier for an
   accounting server to know when it has all the records for a given
   multilink service.  When the number of Accounting-Requests received
   with Accounting-Record-Type = STOP_RECORD and with the same Acct-
   Multi-Session-Id and unique Session-Ids equals the largest value of
   Acct-Link-Count seen in those Accounting-Requests, all STOP_RECORD
   Accounting-Requests for that multilink service have been received.

   The following example, showing eight Accounting-Requests, illustrates
   how the Acct-Link-Count AVP is used.  In the table below, only the
   relevant AVPs are shown, although additional AVPs containing
   accounting information will be present in the Accounting-Requests.
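   The Acct-Delay-Time arithmetic of Section 4.6.8 and the Acct-Link-
   Count completion rule of Section 4.6.9, worked through in Python.
   This is an added example and is not part of the draft or of any
   Diameter implementation: the AVP and record-type names are the
   draft's, while the AccountingRequest fields, MultilinkTracker and the
   function names are this example's own.  Its input is the draft's
   eight-record Acct-Link-Count sequence (the table that follows),
   constructed inline; an accounting server that used this check would
   know exactly when a multilink service's records are complete rather
   than closing the service on the first STOP_RECORD it sees.

```python
"""Added example (not part of draft-ietf-dime-rfc4005bis or any Diameter
implementation): two accounting rules from Section 4.6, run on constructed
records.  AVP and record-type names are the draft's; AccountingRequest,
MultilinkTracker and the function names are this example's own."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class AccountingRequest:
    """Only the AVPs the two rules need; a real ACR carries many more."""
    session_id: str                    # Session-Id
    multi_session_id: Optional[str]    # Acct-Multi-Session-Id (None if not multilink)
    record_type: str                   # START_RECORD, INTERIM_RECORD or STOP_RECORD
    link_count: Optional[int] = None   # Acct-Link-Count, if present
    delay_time: int = 0                # Acct-Delay-Time in seconds (0 if absent)


# ---- Section 4.6.8: Acct-Delay-Time ------------------------------------

def event_time(arrival_time: int, acr: AccountingRequest) -> int:
    """Server side: approximate time of the event that caused the ACR,
    obtained by subtracting Acct-Delay-Time from the arrival time."""
    return arrival_time - acr.delay_time


def delay_for_resend(first_attempt: int, now: int) -> int:
    """Client side: the value to put in Acct-Delay-Time when re-sending a
    buffered ACR (seconds between the first attempt and this one)."""
    if now < first_attempt:
        raise ValueError("current attempt precedes first attempt")
    return now - first_attempt


# ---- Section 4.6.9: Acct-Link-Count ------------------------------------

class MultilinkTracker:
    """Decides when every STOP_RECORD of a multilink service has arrived:
    the number of STOP_RECORDs sharing one Acct-Multi-Session-Id and
    carrying distinct Session-Ids must equal the largest Acct-Link-Count
    seen in those requests."""

    def __init__(self) -> None:
        self._stops = {}       # Acct-Multi-Session-Id -> set of Session-Ids with a STOP
        self._max_links = {}   # Acct-Multi-Session-Id -> largest Acct-Link-Count seen

    def observe(self, acr: AccountingRequest) -> bool:
        """Record one ACR; return True once its service is complete."""
        msid = acr.multi_session_id
        if msid is None:
            # Single-link session: its own STOP_RECORD ends it.
            return acr.record_type == "STOP_RECORD"
        if acr.link_count is not None:
            self._max_links[msid] = max(self._max_links.get(msid, 0), acr.link_count)
        if acr.record_type == "STOP_RECORD":
            self._stops.setdefault(msid, set()).add(acr.session_id)
        return self.complete(msid)

    def complete(self, msid: str) -> bool:
        stops = len(self._stops.get(msid, ()))
        return stops > 0 and stops == self._max_links.get(msid, 0)


# The draft's eight-record example, constructed here as input.  Positional
# arguments are (Session-Id, Acct-Multi-Session-Id, Accounting-Record-Type,
# Acct-Link-Count); the draft's table lists Acct-Multi-Session-Id first.
EXAMPLE_RECORDS = [
    AccountingRequest("...10", "...10", "START_RECORD", 1),
    AccountingRequest("...11", "...10", "START_RECORD", 2),
    AccountingRequest("...11", "...10", "STOP_RECORD", 2),
    AccountingRequest("...12", "...10", "START_RECORD", 3),
    AccountingRequest("...13", "...10", "START_RECORD", 4),
    AccountingRequest("...12", "...10", "STOP_RECORD", 4),
    AccountingRequest("...13", "...10", "STOP_RECORD", 4),
    AccountingRequest("...10", "...10", "STOP_RECORD", 4),
]


def completion_index(records) -> Optional[int]:
    """0-based index of the record at which the service first becomes
    complete, or None if the sequence never completes."""
    tracker = MultilinkTracker()
    for i, acr in enumerate(records):
        if tracker.observe(acr):
            return i
    return None


if __name__ == "__main__":
    print("complete at record index", completion_index(EXAMPLE_RECORDS))       # 7
    print("first seven records complete?", completion_index(EXAMPLE_RECORDS[:7]))  # None
```

   Note that the third record (a STOP_RECORD with Acct-Link-Count 2)
   does not complete the service even though a link count of 2 has been
   reached, because only one distinct Session-Id has sent a STOP_RECORD
   at that point; completion is reached only with the eighth record.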
   Acct-Multi-                 Accounting-    Acct-
   Session-Id    Session-Id    Record-Type    Link-Count
   --------------------------------------------------------
   "...10"       "...10"       START_RECORD   1
   "...10"       "...11"       START_RECORD   2
   "...10"       "...11"       STOP_RECORD    2
   "...10"       "...12"       START_RECORD   3
   "...10"       "...13"       START_RECORD   4
   "...10"       "...12"       STOP_RECORD    4
   "...10"       "...13"       STOP_RECORD    4
   "...10"       "...10"       STOP_RECORD    4

4.6.10.  Acct-Tunnel-Connection AVP

   The Acct-Tunnel-Connection AVP (AVP Code 68) is of type OctetString
   and contains the identifier assigned to the tunnel session.  This
   AVP, along with the Tunnel-Client-Endpoint (Section 4.5.4) and
   Tunnel-Server-Endpoint (Section 4.5.5) AVPs, may be used to provide a
   means to uniquely identify a tunnel session for auditing purposes.

   The format of the identifier in this AVP depends upon the value of
   the Tunnel-Type AVP (Section 4.5.2).  For example, to identify an
   L2TP tunnel connection fully, the L2TP Tunnel Id and Call Id might be
   encoded in this field.  The exact encoding of this field is
   implementation dependent.

4.6.11.  Acct-Tunnel-Packets-Lost AVP

   The Acct-Tunnel-Packets-Lost AVP (AVP Code 86) is of type Unsigned32
   and contains the number of packets lost on a given tunnel.

5.  AVP Occurrence Tables

   The following tables present the AVPs used by NAS applications in NAS
   messages and specify in which Diameter messages they may or may not
   be present.  Messages and AVPs defined in the base Diameter protocol
   [I-D.ietf-dime-rfc3588bis] are not described in this document.  Note
   that AVPs that can only be present within a Grouped AVP are not
   represented in these tables.

   The tables use the following symbols:

   0     The AVP MUST NOT be present in the message.

   0+    Zero or more instances of the AVP MAY be present in the
         message.

   0-1   Zero or one instance of the AVP MAY be present in the
         message.
   1     Exactly one instance of the AVP MUST be present in the
         message.

5.1.  AA-Request/Answer AVP Table

   The table in this section is limited to the Command Codes defined in
   this specification.

                                 +-----------+
                                 |  Command  |
                                 |-----+-----+
   Attribute Name                | AAR | AAA |
   ------------------------------|-----+-----+
   Acct-Interim-Interval         |  0  | 0-1 |
   ARAP-Challenge-Response       |  0  | 0-1 |
   ARAP-Features                 |  0  | 0-1 |
   ARAP-Password                 | 0-1 |  0  |
   ARAP-Security                 | 0-1 | 0-1 |
   ARAP-Security-Data            | 0+  | 0+  |
   ARAP-Zone-Access              |  0  | 0-1 |
   Auth-Application-Id           |  1  |  1  |
   Auth-Grace-Period             | 0-1 | 0-1 |
   Auth-Request-Type             |  1  |  1  |
   Auth-Session-State            | 0-1 | 0-1 |
   Authorization-Lifetime        | 0-1 | 0-1 |
   Callback-Id                   |  0  | 0-1 |
   Callback-Number               | 0-1 | 0-1 |
   Called-Station-Id             | 0-1 |  0  |
   Calling-Station-Id            | 0-1 |  0  |
   CHAP-Auth                     | 0-1 |  0  |
   CHAP-Challenge                | 0-1 |  0  |
   Class                         |  0  | 0+  |
   Configuration-Token           |  0  | 0+  |
   Connect-Info                  | 0+  |  0  |
   Destination-Host              | 0-1 |  0  |
   Destination-Realm             |  1  |  0  |
   Error-Message                 |  0  | 0-1 |
   Error-Reporting-Host          |  0  | 0-1 |
   Failed-AVP                    | 0+  | 0+  |
   Filter-Id                     |  0  | 0+  |
   Framed-Appletalk-Link         |  0  | 0-1 |
   Framed-Appletalk-Network      |  0  | 0+  |
   Framed-Appletalk-Zone         |  0  | 0-1 |
   Framed-Compression            | 0+  | 0+  |
   Framed-Interface-Id           | 0-1 | 0-1 |
   Framed-IP-Address             | 0-1 | 0-1 |
   Framed-IP-Netmask             | 0-1 | 0-1 |
   Framed-IPv6-Prefix            | 0+  | 0+  |
   Framed-IPv6-Pool              |  0  | 0-1 |
   Framed-IPv6-Route             |  0  | 0+  |
   Framed-IPX-Network            |  0  | 0-1 |
   Framed-MTU                    | 0-1 | 0-1 |
   Framed-Pool                   |  0  | 0-1 |
   Framed-Protocol               | 0-1 | 0-1 |
   Framed-Route                  |  0  | 0+  |
   Framed-Routing                |  0  | 0-1 |
   Idle-Timeout                  |  0  | 0-1 |
   Login-IP-Host                 | 0+  | 0+  |
   Login-IPv6-Host               | 0+  | 0+  |
   Login-LAT-Group               | 0-1 | 0-1 |
   Login-LAT-Node                | 0-1 | 0-1 |
   Login-LAT-Port                | 0-1 | 0-1 |
   Login-LAT-Service             | 0-1 | 0-1 |
   Login-Service                 |  0  | 0-1 |
   Login-TCP-Port                |  0  | 0-1 |
   Multi-Round-Time-Out          |  0  | 0-1 |
   NAS-Filter-Rule               |  0  | 0+  |
   NAS-Identifier                | 0-1 |  0  |
   NAS-IP-Address                | 0-1 |  0  |
   NAS-IPv6-Address              | 0-1 |  0  |
   NAS-Port                      | 0-1 |  0  |
   NAS-Port-Id                   | 0-1 |  0  |
   NAS-Port-Type                 | 0-1 |  0  |
   Origin-AAA-Protocol           | 0-1 | 0-1 |
   Origin-Host                   |  1  |  1  |
   Origin-Realm                  |  1  |  1  |
   Origin-State-Id               | 0-1 | 0-1 |
   Originating-Line-Info         | 0-1 |  0  |
   Password-Retry                |  0  | 0-1 |
   Port-Limit                    | 0-1 | 0-1 |
   Prompt                        |  0  | 0-1 |
   Proxy-Info                    | 0+  | 0+  |
   QoS-Filter-Rule               |  0  | 0+  |
   Re-Auth-Request-Type          |  0  | 0-1 |
   Redirect-Host                 |  0  | 0+  |
   Redirect-Host-Usage           |  0  | 0-1 |
   Redirect-Max-Cache-Time       |  0  | 0-1 |
   Reply-Message                 |  0  | 0+  |
   Result-Code                   |  0  |  1  |
   Route-Record                  | 0+  |  0  |
   Service-Type                  | 0-1 | 0-1 |
   Session-Id                    |  1  |  1  |
   Session-Timeout               |  0  | 0-1 |
   State                         | 0-1 | 0-1 |
   Tunneling                     | 0+  | 0+  |
   User-Name                     | 0-1 | 0-1 |
   User-Password                 | 0-1 |  0  |
   ------------------------------|-----+-----+

5.2.  Accounting AVP Tables

   The tables in this section are used to show which AVPs defined in
   this document are to be present and used in NAS application
   Accounting messages.  These AVPs are defined in this document, as
   well as in [I-D.ietf-dime-rfc3588bis] and [RFC2866].

5.2.1.  Framed Access Accounting AVP Table

   The table in this section is used when the Service-Type AVP
   (Section 4.4.1) specifies Framed Access.
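   The occurrence symbols of Section 5 are the check a Diameter node
   should run on every received message before acting on its AVPs: an
   answer that carries a User-Password, or a request with two Session-
   Ids, fails the table and is not processed.  The following Python is
   an added example and is not part of the draft or of any Diameter
   implementation; it encodes a subset of the AA-Request/Answer rows of
   Section 5.1 above, and the check_message and allowed names, the
   message representation (a list of name/value pairs, so that repeated
   AVPs are counted) and the two sample messages are this example's own
   constructions.  The same function serves the accounting tables of
   Section 5.2 once their rows are supplied in the same dictionary form.

```python
"""Added example (not part of draft-ietf-dime-rfc4005bis or any Diameter
implementation): enforcing the AVP occurrence symbols of Section 5 on a
received message.  The rows are a subset of the AA-Request/Answer table
in Section 5.1; the function names, the message representation and the
two sample messages are this example's own."""
from collections import Counter

# Subset of Section 5.1: AVP name -> (rule in AAR, rule in AAA)
AA_TABLE = {
    "Auth-Application-Id": ("1",   "1"),
    "Auth-Request-Type":   ("1",   "1"),
    "Destination-Realm":   ("1",   "0"),
    "Origin-Host":         ("1",   "1"),
    "Origin-Realm":        ("1",   "1"),
    "Session-Id":          ("1",   "1"),
    "Result-Code":         ("0",   "1"),
    "User-Name":           ("0-1", "0-1"),
    "User-Password":       ("0-1", "0"),
    "CHAP-Auth":           ("0-1", "0"),
    "Framed-IP-Address":   ("0-1", "0-1"),
    "Framed-IPv6-Prefix":  ("0+",  "0+"),
    "NAS-Filter-Rule":     ("0",   "0+"),
    "Filter-Id":           ("0",   "0+"),
    "Redirect-Host":       ("0",   "0+"),
    "Proxy-Info":          ("0+",  "0+"),
}
COLUMN = {"AAR": 0, "AAA": 1}


def allowed(rule: str, count: int) -> bool:
    """Does `count` occurrences satisfy one of the Section 5 symbols?"""
    if rule == "0":
        return count == 0
    if rule == "0+":
        return True
    if rule == "0-1":
        return count <= 1
    if rule == "1":
        return count == 1
    raise ValueError(f"unknown occurrence symbol {rule!r}")


def check_message(command: str, avps, table=AA_TABLE) -> list:
    """Return the rule violations for `avps` taken as a `command` ("AAR" or
    "AAA"); an empty list means the message conforms.  AVPs that the table
    does not list are reported as well, so that an unexpected AVP is noticed
    rather than silently accepted; whether to reject it is local policy."""
    col = COLUMN[command]
    counts = Counter(name for name, _ in avps)
    problems = []
    for name, rules in table.items():
        n = counts.get(name, 0)
        if not allowed(rules[col], n):
            problems.append(f"{name}: {n} present, rule is {rules[col]} in {command}")
    for name in counts:
        if name not in table:
            problems.append(f"{name}: no row for this AVP in the {command} table")
    return problems


# Constructed AAR that satisfies the subset above (two Framed-IPv6-Prefix
# AVPs are fine under the 0+ rule).
GOOD_AAR = [
    ("Session-Id", "nas.example.net;1234;5"),
    ("Origin-Host", "nas.example.net"),
    ("Origin-Realm", "example.net"),
    ("Destination-Realm", "example.net"),
    ("Auth-Application-Id", 1),
    ("Auth-Request-Type", "AUTHORIZE_AUTHENTICATE"),
    ("User-Name", "alice"),
    ("Framed-IPv6-Prefix", "2001:db8::/64"),
    ("Framed-IPv6-Prefix", "2001:db8:1::/64"),
]

# Constructed AAA that breaks two rules: it echoes User-Password (MUST NOT
# appear in an answer) and carries two Result-Code AVPs (exactly one).
BAD_AAA = [
    ("Session-Id", "nas.example.net;1234;5"),
    ("Origin-Host", "aaa.example.net"),
    ("Origin-Realm", "example.net"),
    ("Auth-Application-Id", 1),
    ("Auth-Request-Type", "AUTHORIZE_AUTHENTICATE"),
    ("Result-Code", 2001),
    ("Result-Code", 2001),
    ("User-Password", "not-a-real-password"),
]

if __name__ == "__main__":
    print("AAR violations:", check_message("AAR", GOOD_AAR))   # []
    for p in check_message("AAA", BAD_AAA):                    # two lines
        print("AAA violation:", p)
```

   The message representation keeps every instance rather than collapsing
   AVPs into a dictionary, because the difference between "0-1" and "0+"
   is precisely whether a second instance is an error.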
                                     +-----------+
                                     |  Command  |
                                     |-----+-----+
   Attribute Name                    | ACR | ACA |
   ----------------------------------|-----+-----+
   Accounting-Auth-Method            | 0-1 |  0  |
   Accounting-Input-Octets           |  1  |  0  |
   Accounting-Input-Packets          |  1  |  0  |
   Accounting-Output-Octets          |  1  |  0  |
   Accounting-Output-Packets         |  1  |  0  |
   Accounting-Record-Number          | 0-1 | 0-1 |
   Accounting-Record-Type            |  1  |  1  |
   Accounting-Realtime-Required      | 0-1 | 0-1 |
   Accounting-Sub-Session-Id         | 0-1 | 0-1 |
   Acct-Application-Id               | 0-1 | 0-1 |
   Acct-Session-Id                   |  1  | 0-1 |
   Acct-Multi-Session-Id             | 0-1 | 0-1 |
   Acct-Authentic                    |  1  |  0  |
   Acct-Delay-Time                   | 0-1 |  0  |
   Acct-Interim-Interval             | 0-1 | 0-1 |
   Acct-Link-Count                   | 0-1 |  0  |
   Acct-Session-Time                 |  1  |  0  |
   Acct-Tunnel-Connection            | 0-1 |  0  |
   Acct-Tunnel-Packets-Lost          | 0-1 |  0  |
   Authorization-Lifetime            | 0-1 |  0  |
   Callback-Id                       | 0-1 |  0  |
   Callback-Number                   | 0-1 |  0  |
   Called-Station-Id                 | 0-1 |  0  |
   Calling-Station-Id                | 0-1 |  0  |
   Class                             | 0+  | 0+  |
   Connect-Info                      | 0+  |  0  |
   Destination-Host                  | 0-1 |  0  |
   Destination-Realm                 |  1  |  0  |
   Event-Timestamp                   | 0-1 | 0-1 |
   Error-Message                     |  0  | 0-1 |
   Error-Reporting-Host              |  0  | 0-1 |
   Failed-AVP                        |  0  | 0+  |
   Framed-AppleTalk-Link             | 0-1 |  0  |
   Framed-AppleTalk-Network          | 0-1 |  0  |
   Framed-AppleTalk-Zone             | 0-1 |  0  |
   Framed-Compression                | 0-1 |  0  |
   Framed-IP-Address                 | 0-1 |  0  |
   Framed-IP-Netmask                 | 0-1 |  0  |
   Framed-IPv6-Prefix                | 0+  |  0  |
   Framed-IPv6-Pool                  | 0-1 |  0  |
   Framed-IPX-Network                | 0-1 |  0  |
   Framed-MTU                        | 0-1 |  0  |
   Framed-Pool                       | 0-1 |  0  |
   Framed-Protocol                   | 0-1 |  0  |
   Framed-Route                      | 0-1 |  0  |
   Framed-Routing                    | 0-1 |  0  |
   NAS-Filter-Rule                   | 0+  |  0  |
   NAS-Identifier                    | 0-1 | 0-1 |
   NAS-IP-Address                    | 0-1 | 0-1 |
   NAS-IPv6-Address                  | 0-1 | 0-1 |
   NAS-Port                          | 0-1 | 0-1 |
   NAS-Port-Id                       | 0-1 | 0-1 |
   NAS-Port-Type                     | 0-1 | 0-1 |
   Origin-AAA-Protocol               | 0-1 | 0-1 |
   Origin-Host                       |  1  |  1  |
   Origin-Realm                      |  1  |  1  |
   Origin-State-Id                   | 0-1 | 0-1 |
   Originating-Line-Info             | 0-1 |  0  |
   Proxy-Info                        | 0+  | 0+  |
   QoS-Filter-Rule                   | 0+  |  0  |
   Route-Record                      | 0+  |  0  |
   Result-Code                       |  0  |  1  |
   Service-Type                      | 0-1 | 0-1 |
   Session-Id                        |  1  |  1  |
   Termination-Cause                 | 0-1 | 0-1 |
   Tunnel-Assignment-Id              | 0-1 |  0  |
   Tunnel-Client-Endpoint            | 0-1 |  0  |
   Tunnel-Medium-Type                | 0-1 |  0  |
   Tunnel-Private-Group-Id           | 0-1 |  0  |
   Tunnel-Server-Endpoint            | 0-1 |  0  |
   Tunnel-Type                       | 0-1 |  0  |
   User-Name                         | 0-1 | 0-1 |
   Vendor-Specific-Application-Id    | 0-1 | 0-1 |
   ----------------------------------|-----+-----+

5.2.2.  Non-Framed Access Accounting AVP Table

   The table in this section is used when the Service-Type AVP
   (Section 4.4.1) specifies Non-Framed Access.
                                     +-----------+
                                     |  Command  |
                                     |-----+-----+
   Attribute Name                    | ACR | ACA |
   ----------------------------------|-----+-----+
   Accounting-Auth-Method            | 0-1 |  0  |
   Accounting-Input-Octets           |  1  |  0  |
   Accounting-Output-Octets          |  1  |  0  |
   Accounting-Record-Type            |  1  |  1  |
   Accounting-Record-Number          | 0-1 | 0-1 |
   Accounting-Realtime-Required      | 0-1 | 0-1 |
   Accounting-Sub-Session-Id         | 0-1 | 0-1 |
   Acct-Application-Id               | 0-1 | 0-1 |
   Acct-Session-Id                   |  1  | 0-1 |
   Acct-Multi-Session-Id             | 0-1 | 0-1 |
   Acct-Authentic                    |  1  |  0  |
   Acct-Delay-Time                   | 0-1 |  0  |
   Acct-Interim-Interval             | 0-1 | 0-1 |
   Acct-Link-Count                   | 0-1 |  0  |
   Acct-Session-Time                 |  1  |  0  |
   Authorization-Lifetime            | 0-1 |  0  |
   Callback-Id                       | 0-1 |  0  |
   Callback-Number                   | 0-1 |  0  |
   Called-Station-Id                 | 0-1 |  0  |
   Calling-Station-Id                | 0-1 |  0  |
   Class                             | 0+  | 0+  |
   Connect-Info                      | 0+  |  0  |
   Destination-Host                  | 0-1 |  0  |
   Destination-Realm                 |  1  |  0  |
   Event-Timestamp                   | 0-1 | 0-1 |
   Error-Message                     |  0  | 0-1 |
   Error-Reporting-Host              |  0  | 0-1 |
   Failed-AVP                        |  0  | 0+  |
   Login-IP-Host                     | 0+  |  0  |
   Login-IPv6-Host                   | 0+  |  0  |
   Login-LAT-Service                 | 0-1 |  0  |
   Login-LAT-Node                    | 0-1 |  0  |
   Login-LAT-Group                   | 0-1 |  0  |
   Login-LAT-Port                    | 0-1 |  0  |
   Login-Service                     | 0-1 |  0  |
   Login-TCP-Port                    | 0-1 |  0  |
   NAS-Identifier                    | 0-1 | 0-1 |
   NAS-IP-Address                    | 0-1 | 0-1 |
   NAS-IPv6-Address                  | 0-1 | 0-1 |
   NAS-Port                          | 0-1 | 0-1 |
   NAS-Port-Id                       | 0-1 | 0-1 |
   NAS-Port-Type                     | 0-1 | 0-1 |
   Origin-AAA-Protocol               | 0-1 | 0-1 |
   Origin-Host                       |  1  |  1  |
   Origin-Realm                      |  1  |  1  |
   Origin-State-Id                   | 0-1 | 0-1 |
   Originating-Line-Info             | 0-1 |  0  |
   Proxy-Info                        | 0+  | 0+  |
   QoS-Filter-Rule                   | 0+  |  0  |
   Route-Record                      | 0+  |  0  |
   Result-Code                       |  0  |  1  |
   Session-Id                        |  1  |  1  |
   Service-Type                      | 0-1 | 0-1 |
   Termination-Cause                 | 0-1 | 0-1 |
   User-Name                         | 0-1 | 0-1 |
   Vendor-Specific-Application-Id    | 0-1 | 0-1 |
   ----------------------------------|-----+-----+

6.  IANA Considerations

   This document does not request any action by IANA.

7.  Security Considerations

   This document describes the extension of Diameter for the NAS
   application.  The security considerations of the Diameter protocol
   itself have been discussed in [I-D.ietf-dime-rfc3588bis].  Use of
   this application of Diameter MUST take into consideration the
   security issues and requirements of the Base protocol.

   This document does not contain a security protocol but does discuss
   how PPP authentication protocols can be carried within the Diameter
   protocol.  The PPP authentication protocols described are PAP and
   CHAP.

   The use of PAP SHOULD be discouraged, as it exposes users' passwords
   to possibly non-trusted entities.  However, PAP is also frequently
   used with One-Time Passwords, which do not carry the same risk.

   This document also describes how CHAP can be carried within the
   Diameter protocol, which is required for RADIUS backward
   compatibility.  The CHAP protocol, as used in a RADIUS environment,
   facilitates authentication replay attacks.

   The use of the EAP authentication protocols [RFC4072] can offer
   better security, given a method suitable for the circumstances.

8.  References

8.1.  Normative References

   [ANITypes] NANPA Number Resource Info, "ANI Assignments".

   [I-D.ietf-dime-rfc3588bis]
              Fajardo, V., Arkko, J., Loughney, J., and G. Zorn,
              "Diameter Base Protocol", draft-ietf-dime-rfc3588bis-29
              (work in progress), August 2011.

   [RADIUSTypes]
              IANA, "RADIUS Types".
   [RFC1994]  Simpson, W., "PPP Challenge Handshake Authentication
              Protocol (CHAP)", RFC 1994, August 1996.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, June 2000.

   [RFC3162]  Aboba, B., Zorn, G., and D. Mitton, "RADIUS and IPv6",
              RFC 3162, August 2001.

   [RFC3516]  Nerenberg, L., "IMAP4 Binary Content Extension",
              RFC 3516, April 2003.

   [RFC3539]  Aboba, B. and J. Wood, "Authentication, Authorization and
              Accounting (AAA) Transport Profile", RFC 3539, June 2003.

8.2.  Informative References

   [ARAP]     Apple Computer, "Apple Remote Access Protocol (ARAP)
              Version 2.0 External Reference Specification", R0612LL/B,
              September 1994.

   [AppleTalk]
              Sidhu, G., Andrews, R., and A. Oppenheimer, "Inside
              AppleTalk", Second Edition, Apple Computer, 1990.

   [IPX]      Novell, Inc., "NetWare System Technical Interface
              Overview", #883-000780-001, June 1989.

   [ISO.8859-1.1987]
              International Organization for Standardization,
              "Information technology - 8-bit single byte coded graphic
              - character sets - Part 1: Latin alphabet No. 1,
              JTC1/SC2", ISO Standard 8859-1, 1987.

   [LAT]      Digital Equipment Corp., "Local Area Transport (LAT)
              Specification V5.0", AA-NL26A-TE, June 1989.

   [RFC1334]  Lloyd, B. and W. Simpson, "PPP Authentication Protocols",
              RFC 1334, October 1992.

   [RFC1661]  Simpson, W., "The Point-to-Point Protocol (PPP)", STD 51,
              RFC 1661, July 1994.

   [RFC1990]  Sklower, K., Lloyd, B., McGregor, G., Carr, D., and T.
              Coradetti, "The PPP Multilink Protocol (MP)", RFC 1990,
              August 1996.

   [RFC2474]  Nichols, K., Blake, S., Baker, F., and D. Black,
              "Definition of the Differentiated Services Field (DS
              Field) in the IPv4 and IPv6 Headers", RFC 2474,
              December 1998.

   [RFC2548]  Zorn, G., "Microsoft Vendor-specific RADIUS Attributes",
              RFC 2548, March 1999.

   [RFC2597]  Heinanen, J., Baker, F., Weiss, W., and J. Wroclawski,
              "Assured Forwarding PHB Group", RFC 2597, June 1999.

   [RFC2637]  Hamzeh, K., Pall, G., Verthein, W., Taarud, J., Little,
              W., and G. Zorn, "Point-to-Point Tunneling Protocol",
              RFC 2637, July 1999.

   [RFC2866]  Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.

   [RFC2867]  Zorn, G., Aboba, B., and D. Mitton, "RADIUS Accounting
              Modifications for Tunnel Protocol Support", RFC 2867,
              June 2000.

   [RFC2868]  Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege,
              M., and I. Goyret, "RADIUS Attributes for Tunnel Protocol
              Support", RFC 2868, June 2000.

   [RFC2869]  Rigney, C., Willats, W., and P. Calhoun, "RADIUS
              Extensions", RFC 2869, June 2000.

   [RFC2881]  Mitton, D. and M. Beadles, "Network Access Server
              Requirements Next Generation (NASREQNG) NAS Model",
              RFC 2881, July 2000.

   [RFC2989]  Aboba, B., Calhoun, P., Glass, S., Hiller, T., McCann,
              P., Shiino, H., Walsh, P., Zorn, G., Dommety, G., Perkins,
              C., Patil, B., Mitton, D., Manning, S., Beadles, M., Chen,
              X., Sivalingham, S., Hameed, A., Munson, M., Jacobs, S.,
              Lim, B., Hirschman, B., Hsu, R., Koo, H., Lipford, M.,
              Campbell, E., Xu, Y., Baba, S., and E. Jaques, "Criteria
              for Evaluating AAA Protocols for Network Access",
              RFC 2989, November 2000.

   [RFC3169]  Beadles, M. and D. Mitton, "Criteria for Evaluating
              Network Access Server Protocols", RFC 3169,
              September 2001.

   [RFC3246]  Davie, B., Charny, A., Bennet, J., Benson, K., Le Boudec,
              J., Courtney, W., Davari, S., Firoiu, V., and D.
              Stiliadis, "An Expedited Forwarding PHB (Per-Hop
              Behavior)", RFC 3246, March 2002.

   [RFC3580]  Congdon, P., Aboba, B., Smith, A., Zorn, G., and J.
              Roese, "IEEE 802.1X Remote Authentication Dial In User
              Service (RADIUS) Usage Guidelines", RFC 3580,
              September 2003.

   [RFC3931]  Lau, J., Townsley, M., and I. Goyret, "Layer Two
              Tunneling Protocol - Version 3 (L2TPv3)", RFC 3931,
              March 2005.

   [RFC4072]  Eronen, P., Hiller, T., and G. Zorn, "Diameter Extensible
              Authentication Protocol (EAP) Application", RFC 4072,
              August 2005.

   [RFC4301]  Kent, S. and K. Seo, "Security Architecture for the
              Internet Protocol", RFC 4301, December 2005.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

Appendix A.  Acknowledgements

A.1.  RFC 4005

   The authors would like to thank Carl Rigney, Allan C. Rubens, William
   Allen Simpson, and Steve Willens for their work on the original
   RADIUS protocol, from which many of the concepts in this
   specification were derived.  Thanks, also, to Carl Rigney for
   [RFC2866] and [RFC2869]; Ward Willats for [RFC2869]; Glen Zorn,
   Bernard Aboba, and Dave Mitton for [RFC2867] and [RFC3162]; and Dory
   Leifer, John Shriver, Matt Holdrege, Allan Rubens, Glen Zorn and
   Ignacio Goyret for their work on [RFC2868].  This document stole text
   and concepts from both [RFC2868] and [RFC2869].  Thanks go to Carl
   Williams for providing IPv6-specific text.

   The authors would also like to acknowledge the following people for
   their contributions in the development of the Diameter protocol:
   Bernard Aboba, Jari Arkko, William Bulley, Kuntal Chowdhury, Daniel
   C. Fox, Lol Grant, Nancy Greene, Jeff Hagg, Peter Heitman, Paul
   Krumviede, Fergal Ladley, Ryan Moats, Victor Muslin, Kenneth Peirce,
   Sumit Vakil, John R. Vollbrecht, and Jeff Weisberg.
   Finally, Pat Calhoun would like to thank Sun Microsystems, as most of
   the effort put into this document was done while he was in their
   employ.

A.2.  RFC 4005bis

   The vast majority of the text in this document was lifted directly
   from RFC 4005; the editor owes a debt of gratitude to the authors
   thereof (especially Dave Mitton, who somehow managed to make nroff
   paginate the AVP Occurrence Tables correctly!).

   Thanks (in no particular order) to Jai-Jin Lim, Liu Hans, Sebastien
   Decugis, Jouni Korhonen and Stefan Winter for their useful reviews
   and helpful comments.

Author's Address

   Glen Zorn
   Network Zen
   227/358 Thanon Sanphawut
   Bang Na, Bangkok 10260
   Thailand

   Phone: +66 (0) 87-040-4617
   EMail: glenzorn@gmail.com