idnits 2.17.1

draft-ietf-dime-rfc4005bis-07.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == There are 7 instances of lines with non-RFC6890-compliant IPv4 addresses
     in the document.  If these are example addresses, they should be changed.

  -- The document has examples using IPv4 documentation addresses according to
     RFC6890, but does not use any IPv6 documentation addresses.  Maybe there
     should be IPv6 examples, too?

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == The document seems to use 'NOT RECOMMENDED' as an RFC 2119 keyword, but
     does not include the phrase in its RFC 2119 key words list.

  -- The document date (February 4, 2012) is 4465 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Possible downref: Non-RFC (?) normative reference: ref. 'ANITypes'

  == Outdated reference: A later version (-34) exists of
     draft-ietf-dime-rfc3588bis-29

  -- Possible downref: Non-RFC (?) normative reference: ref. 'RADIUSTypes'

  -- Obsolete informational reference (is this intentional?): RFC 1334
     (Obsoleted by RFC 1994)

  -- Obsolete informational reference (is this intentional?): RFC 5246
     (Obsoleted by RFC 8446)

     Summary: 0 errors (**), 0 flaws (~~), 4 warnings (==), 6 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Network Working Group                                        G. Zorn, Ed.
Internet-Draft                                                Network Zen
Obsoletes: 4005 (if approved)                            February 4, 2012
Intended status: Standards Track
Expires: August 7, 2012

                Diameter Network Access Server Application
                     draft-ietf-dime-rfc4005bis-07

Abstract

   This document describes the Diameter protocol application used for
   Authentication, Authorization, and Accounting (AAA) services in the
   Network Access Server (NAS) environment; it obsoletes RFC 4005.  When
   combined with the Diameter Base protocol, Transport Profile, and
   Extensible Authentication Protocol specifications, this application
   specification satisfies typical network access services requirements.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on August 7, 2012.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.
   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology
     1.2.  Requirements Language
     1.3.  Advertising Application Support
     1.4.  Application Identification
     1.5.  Accounting Model
   2.  NAS Calls, Ports, and Sessions
     2.1.  Diameter Session Establishment
     2.2.  Diameter Session Reauthentication or Reauthorization
     2.3.  Diameter Session Termination
   3.  Diameter NAS Application Messages
     3.1.  AA-Request (AAR) Command
     3.2.  AA-Answer (AAA) Command
     3.3.  Re-Auth-Request (RAR) Command
     3.4.  Re-Auth-Answer (RAA) Command
     3.5.  Session-Termination-Request (STR) Command
     3.6.  Session-Termination-Answer (STA) Command
     3.7.  Abort-Session-Request (ASR) Command
     3.8.  Abort-Session-Answer (ASA) Command
     3.9.  Accounting-Request (ACR) Command
     3.10. Accounting-Answer (ACA) Command
   4.  Diameter NAS Application AVPs
     4.1.  Derived AVP Data Formats
       4.1.1.  QoSFilterRule
     4.2.  NAS Session AVPs
       4.2.1.  Call and Session Information
       4.2.2.  NAS-Port AVP
       4.2.3.  NAS-Port-Id AVP
       4.2.4.  NAS-Port-Type AVP
       4.2.5.  Called-Station-Id AVP
       4.2.6.  Calling-Station-Id AVP
       4.2.7.  Connect-Info AVP
       4.2.8.  Originating-Line-Info AVP
       4.2.9.  Reply-Message AVP
     4.3.  NAS Authentication AVPs
       4.3.1.  User-Password AVP
       4.3.2.  Password-Retry AVP
       4.3.3.  Prompt AVP
       4.3.4.  CHAP-Auth AVP
       4.3.5.  CHAP-Algorithm AVP
       4.3.6.  CHAP-Ident AVP
       4.3.7.  CHAP-Response AVP
       4.3.8.  CHAP-Challenge AVP
       4.3.9.  ARAP-Password AVP
       4.3.10. ARAP-Challenge-Response AVP
       4.3.11. ARAP-Security AVP
       4.3.12. ARAP-Security-Data AVP
     4.4.  NAS Authorization AVPs
       4.4.1.  Service-Type AVP
       4.4.2.  Callback-Number AVP
       4.4.3.  Callback-Id AVP
       4.4.4.  Idle-Timeout AVP
       4.4.5.  Port-Limit AVP
       4.4.6.  NAS-Filter-Rule AVP
       4.4.7.  Filter-Id AVP
       4.4.8.  Configuration-Token AVP
       4.4.9.  QoS-Filter-Rule AVP
       4.4.10. Framed Access Authorization AVPs
         4.4.10.1.  Framed-Protocol AVP
         4.4.10.2.  Framed-Routing AVP
         4.4.10.3.  Framed-MTU AVP
         4.4.10.4.  Framed-Compression AVP
         4.4.10.5.  IP Access Authorization AVPs
           4.4.10.5.1.  Framed-IP-Address AVP
           4.4.10.5.2.  Framed-IP-Netmask AVP
           4.4.10.5.3.  Framed-Route AVP
           4.4.10.5.4.  Framed-Pool AVP
           4.4.10.5.5.  Framed-Interface-Id AVP
           4.4.10.5.6.  Framed-IPv6-Prefix AVP
           4.4.10.5.7.  Framed-IPv6-Route AVP
           4.4.10.5.8.  Framed-IPv6-Pool AVP
         4.4.10.6.  IPX Access AVPs
           4.4.10.6.1.  Framed-IPX-Network AVP
         4.4.10.7.  AppleTalk Network Access AVPs
           4.4.10.7.1.  Framed-AppleTalk-Link AVP
           4.4.10.7.2.  Framed-AppleTalk-Network AVP
           4.4.10.7.3.  Framed-AppleTalk-Zone AVP
         4.4.10.8.  AppleTalk Remote Access AVPs
           4.4.10.8.1.  ARAP-Features AVP
           4.4.10.8.2.  ARAP-Zone-Access AVP
       4.4.11. Non-Framed Access Authorization AVPs
         4.4.11.1.  Login-IP-Host AVP
         4.4.11.2.  Login-IPv6-Host AVP
         4.4.11.3.  Login-Service AVP
         4.4.11.4.  TCP Services
           4.4.11.4.1.  Login-TCP-Port AVP
         4.4.11.5.  LAT Services
           4.4.11.5.1.  Login-LAT-Service AVP
           4.4.11.5.2.  Login-LAT-Node AVP
           4.4.11.5.3.  Login-LAT-Group AVP
           4.4.11.5.4.  Login-LAT-Port AVP
     4.5.  NAS Tunneling AVPs
       4.5.1.  Tunneling AVP
       4.5.2.  Tunnel-Type AVP
       4.5.3.  Tunnel-Medium-Type AVP
       4.5.4.  Tunnel-Client-Endpoint AVP
       4.5.5.  Tunnel-Server-Endpoint AVP
       4.5.6.  Tunnel-Password AVP
       4.5.7.  Tunnel-Private-Group-Id AVP
       4.5.8.  Tunnel-Assignment-Id AVP
       4.5.9.  Tunnel-Preference AVP
       4.5.10. Tunnel-Client-Auth-Id AVP
       4.5.11. Tunnel-Server-Auth-Id AVP
     4.6.  NAS Accounting AVPs
       4.6.1.  Accounting-Input-Octets AVP
       4.6.2.  Accounting-Output-Octets AVP
       4.6.3.  Accounting-Input-Packets AVP
       4.6.4.  Accounting-Output-Packets AVP
       4.6.5.  Acct-Session-Time AVP
       4.6.6.  Acct-Authentic AVP
       4.6.7.  Accounting-Auth-Method AVP
       4.6.8.  Acct-Delay-Time AVP
       4.6.9.  Acct-Link-Count AVP
       4.6.10. Acct-Tunnel-Connection AVP
       4.6.11. Acct-Tunnel-Packets-Lost AVP
   5.  AVP Occurrence Tables
     5.1.  AA-Request/Answer AVP Table
     5.2.  Accounting AVP Tables
       5.2.1.  Framed Access Accounting AVP Table
       5.2.2.  Non-Framed Access Accounting AVP Table
   6.  IANA Considerations
   7.  Security Considerations
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Acknowledgements
     A.1.  RFC 4005
     A.2.  RFC 4005bis

1.  Introduction

   This document describes the Diameter protocol application used for
   AAA in the Network Access Server (NAS) environment.  When combined
   with the Diameter Base protocol [I-D.ietf-dime-rfc3588bis], Transport
   Profile [RFC3539], and EAP [RFC4072] specifications, this
   specification satisfies the NAS-related requirements defined in
   [RFC2989] and [RFC3169].

   First, this document describes the operation of a Diameter NAS
   application.  Then it defines the Diameter message Command-Codes.
   The following sections list the AVPs used in these messages, grouped
   by common usage.
   These are session identification, authentication, authorization,
   tunneling, and accounting.  The authorization AVPs are further broken
   down by service type.

1.1.  Terminology

   Section 1.2 of the base Diameter specification
   [I-D.ietf-dime-rfc3588bis] defines most of the terminology used in
   this document.  Additionally, the following terms and acronyms are
   used in this application:

   NAS (Network Access Server)
      A device that provides an access service for a user to a network.
      The service may be a network connection or a value-added service
      such as terminal emulation [RFC2881].

   PPP (Point-to-Point Protocol)
      A multiprotocol serial datalink.  PPP is the primary IP datalink
      used for dial-in NAS connection service [RFC1661].

   CHAP (Challenge Handshake Authentication Protocol)
      An authentication process used in PPP [RFC1994].

   PAP (Password Authentication Protocol)
      A deprecated PPP authentication process, but often used for
      backward compatibility [RFC1334].

   SLIP (Serial Line Interface Protocol)
      A serial datalink that only supports IP.  A design prior to PPP.

   ARAP (Appletalk Remote Access Protocol)
      A serial datalink for accessing Appletalk networks [ARAP].

   IPX (Internet Packet Exchange)
      The network protocol used by NetWare networks [IPX].

   L2TP (Layer Two Tunneling Protocol)
      L2TP [RFC3931] provides a dynamic mechanism for tunneling Layer 2
      "circuits" across a packet-oriented data network.

   LAC (L2TP Access Concentrator)
      An L2TP Control Connection Endpoint being used to cross-connect an
      L2TP session directly to a data link [RFC3931].

   LAT (Local Area Transport)
      A Digital Equipment Corp. LAN protocol for terminal services
      [LAT].

   LCP (Link Control Protocol)
      One of the three major components of PPP [RFC1661].  LCP is used
      to automatically agree upon encapsulation format options, handle
      varying limits on sizes of packets, detect a looped-back link and
      other common misconfiguration errors, and terminate the link.
      Other optional facilities provided are authentication of the
      identity of its peer on the link, and determination of when a link
      is functioning properly and when it is failing.

   PPTP (Point-to-Point Tunneling Protocol)
      A protocol which allows PPP to be tunneled through an IP network
      [RFC2637].

   VPN (Virtual Private Network)
      In this document, this term is used to describe access services
      that use tunneling methods.

1.2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

1.3.  Advertising Application Support

   Diameter applications conforming to this specification MUST advertise
   support by including the value of one (1) in the Auth-Application-Id
   of the Capabilities-Exchange-Request (CER) message.

1.4.  Application Identification

   The Auth-Application-Id AVP MUST be set to the value one (1) in the
   following messages:

   o  AA-Request (Section 3.1)

   o  Re-Auth-Request (Section 3.3)

   o  Session-Termination-Request (Section 3.5)

   o  Abort-Session-Request (Section 3.7)

1.5.  Accounting Model

   It is RECOMMENDED that the coupled accounting model (Section 9.3 of
   [I-D.ietf-dime-rfc3588bis]) be used with this application; therefore,
   the value of the Acct-Application-Id AVP in the Accounting-Request
   (Section 3.9) and Accounting-Answer (Section 3.10) messages SHOULD be
   set to one (1).

2.  NAS Calls, Ports, and Sessions

   The arrival of a new call or service connection at a port of a
   Network Access Server (NAS) starts a Diameter NAS message exchange.
   Information about the call, the identity of the user, and the user's
   authentication information are packaged into a Diameter AA-Request
   (AAR) message and sent to a server.

   The server processes the information and responds with a Diameter AA-
   Answer (AAA) message that contains authorization information for the
   NAS, or a failure code (Result-Code AVP).  A value of
   DIAMETER_MULTI_ROUND_AUTH indicates an additional authentication
   exchange, and several AAR and AAA messages may be exchanged until the
   transaction completes.

   Depending on the value of the Auth-Request-Type AVP, the Diameter
   protocol allows authorization-only requests that contain no
   authentication information from the client.  This capability goes
   beyond the Call Check capabilities provided by RADIUS (Section 5.6 of
   [RFC2865]) in that no access decision is requested.  As a result,
   service cannot be started as a result of a response to an
   authorization-only request without introducing a significant security
   vulnerability.

2.1.  Diameter Session Establishment

   When the authentication or authorization exchange completes
   successfully, the NAS application SHOULD start a session context.  If
   the Result-Code of DIAMETER_MULTI_ROUND_AUTH is returned, the
   exchange continues until a success or error is returned.

   If accounting is active, the application MUST also send an Accounting
   message [I-D.ietf-dime-rfc3588bis].  An Accounting-Record-Type of
   START_RECORD is sent for a new session.  If a session fails to start,
   the EVENT_RECORD message is sent with the reason for the failure
   described.

   Note that the return of an unsupportable Accounting-Realtime-Required
   value [I-D.ietf-dime-rfc3588bis] would result in a failure to
   establish the session.

2.2.  Diameter Session Reauthentication or Reauthorization

   The Diameter Base protocol allows users to be periodically
   reauthenticated and/or reauthorized.  In such instances, the
   Session-Id AVP in the AAR message MUST be the same as the one present
   in the original authentication/authorization message.

   A Diameter server informs the NAS of the maximum time allowed before
   reauthentication or reauthorization via the Authorization-Lifetime
   AVP [I-D.ietf-dime-rfc3588bis].  A NAS MAY reauthenticate and/or
   reauthorize before the end, but a NAS MUST reauthenticate and/or
   reauthorize at the end of the period provided by the Authorization-
   Lifetime AVP.  The failure of a reauthentication exchange will
   terminate the service.

   Furthermore, it is possible for Diameter servers to issue an
   unsolicited reauthentication and/or reauthorization request (e.g.,
   Re-Auth-Request (RAR) message [I-D.ietf-dime-rfc3588bis]) to the NAS.
   Upon receipt of such a message, the NAS MUST respond to the request
   with a Re-Auth-Answer (RAA) message [I-D.ietf-dime-rfc3588bis].

   If the RAR properly identifies an active session, the NAS will
   initiate a new local reauthentication or authorization sequence as
   indicated by the Re-Auth-Request-Type value.  This will cause the NAS
   to send a new AAR message using the existing Session-Id.  The server
   will respond with an AAA message to specify the new service
   parameters.

   If accounting is active, every change of authentication or
   authorization SHOULD generate an accounting message.  If the NAS
   service is a continuation of the prior user context, then an
   Accounting-Record-Type of INTERIM_RECORD indicating the new session
   attributes and cumulative status would be appropriate.  If a new user
   or a significant change in authorization is detected by the NAS, then
   the service may send two messages of the types STOP_RECORD and
   START_RECORD.  Accounting may change the subsession identifiers
   (Acct-Session-ID, or Acct-Sub-Session-Id) to indicate such sub-
   sessions.  A service may also use a different Session-Id value for
   accounting (see Section 9.6 of [I-D.ietf-dime-rfc3588bis]).

   However, the Diameter Session-ID AVP value used for the initial
   authorization exchange MUST be used to generate an STR message when
   the session context is terminated.

2.3.  Diameter Session Termination

   When a NAS receives an indication that a user's session is being
   disconnected by the client (e.g., an LCP Terminate-Request message
   [RFC1661] is received) or an administrative command, the NAS MUST
   issue a Session-Termination-Request (STR) [I-D.ietf-dime-rfc3588bis]
   to its Diameter Server.  This will ensure that any resources
   maintained on the servers are freed appropriately.

   Furthermore, a NAS that receives an Abort-Session-Request (ASR)
   [I-D.ietf-dime-rfc3588bis] MUST issue an ASA if the session
   identified is active and disconnect the PPP (or tunneling) session.

   If accounting is active, an Accounting STOP_RECORD message
   [I-D.ietf-dime-rfc3588bis] MUST be sent upon termination of the
   session context.

   More information on Diameter Session Termination can be found in
   Sections 8.4 and 8.5 of [I-D.ietf-dime-rfc3588bis].

3.  Diameter NAS Application Messages

   This section defines the Diameter message Command-Code
   [I-D.ietf-dime-rfc3588bis] values that MUST be supported by all
   Diameter implementations conforming to this specification.  The
   Command Codes are as follows:

   +-----------------------------------+---------+------+--------------+
   | Command Name                      | Abbrev. | Code | Reference    |
   +-----------------------------------+---------+------+--------------+
   | AA-Request                        | AAR     | 265  | Section 3.1  |
   | AA-Answer                         | AAA     | 265  | Section 3.2  |
   | Re-Auth-Request                   | RAR     | 258  | Section 3.3  |
   | Re-Auth-Answer                    | RAA     | 258  | Section 3.4  |
   | Session-Termination-Request       | STR     | 275  | Section 3.5  |
   | Session-Termination-Answer        | STA     | 275  | Section 3.6  |
   | Abort-Session-Request             | ASR     | 274  | Section 3.7  |
   | Abort-Session-Answer              | ASA     | 274  | Section 3.8  |
   | Accounting-Request                | ACR     | 271  | Section 3.9  |
   | Accounting-Answer                 | ACA     | 271  | Section 3.10 |
   +-----------------------------------+---------+------+--------------+

3.1.  AA-Request (AAR) Command

   The AA-Request (AAR), which is indicated by setting the Command-Code
   field to 265 and the 'R' bit in the Command Flags field, is used to
   request authentication and/or authorization for a given NAS user.
   The type of request is identified through the Auth-Request-Type AVP
   [I-D.ietf-dime-rfc3588bis].  The recommended value for most
   situations is AUTHORIZE_AUTHENTICATE.

   If Authentication is requested, the User-Name attribute SHOULD be
   present, as well as any additional authentication AVPs that would
   carry the password information.  A request for authorization SHOULD
   only include the information from which the authorization will be
   performed, such as the User-Name, Called-Station-Id, or Calling-
   Station-Id AVPs.  All requests SHOULD contain AVPs uniquely
   identifying the source of the call, such as Origin-Host and NAS-Port.
   Certain networks MAY use different AVPs for authorization purposes.
   A request for authorization will include some AVPs defined in
   Section 4.4.

   It is possible for a single session to be authorized first and then
   for an authentication request to follow.
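   The command table above distinguishes a request from its answer by the
   same Command-Code and the state of the 'R' bit, and each Message Format
   below lists the AVPs a message carries.  The following Python code is an
   added example written for this page, not code from the draft or from any
   Diameter implementation: it encodes and decodes the fixed Diameter
   header and un-vendored AVPs, names a message by Command-Code plus 'R'
   bit exactly as the table does, and builds an AAR with the fixed AVPs of
   Section 3.1 beside the matching AAA.  The 20-byte header layout, the
   AVP layout and the numeric AVP codes and Result-Code values come from
   the Diameter base protocol, not from this page, and are assumptions of
   the example; the host and realm names are constructed.

```python
import struct

# Command-Code -> (request name, answer name), from the table in Section 3.
COMMANDS = {265: ("AAR", "AAA"), 258: ("RAR", "RAA"), 275: ("STR", "STA"),
            274: ("ASR", "ASA"), 271: ("ACR", "ACA")}

# Command Flags bits (base protocol): R = request, P = proxiable.
FLAG_R, FLAG_P = 0x80, 0x40

# AVP codes and values as assigned by the base protocol (assumption).
SESSION_ID, AUTH_APPLICATION_ID, ORIGIN_HOST = 263, 258, 264
ORIGIN_REALM, DESTINATION_REALM, AUTH_REQUEST_TYPE = 296, 283, 274
RESULT_CODE, USER_NAME = 268, 1
AVP_M, AVP_V = 0x40, 0x80           # AVP Flags: M = mandatory, V = Vendor-Id present
NAS_APPLICATION_ID = 1              # Section 1.4: Auth-Application-Id is one (1)
AUTHORIZE_AUTHENTICATE = 3          # Auth-Request-Type recommended in Section 3.1
DIAMETER_SUCCESS, DIAMETER_MULTI_ROUND_AUTH = 2001, 1001


def encode_avp(code, data, flags=AVP_M):
    """One AVP without Vendor-Id: 8-byte header, data padded to 4 bytes."""
    if isinstance(data, int):
        data = struct.pack("!I", data)          # Unsigned32 / Enumerated
    elif isinstance(data, str):
        data = data.encode("utf-8")             # UTF8String / DiameterIdentity
    length = 8 + len(data)                      # AVP Length excludes the padding
    return (struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
            + data + b"\0" * ((-len(data)) % 4))


def encode_message(command_code, request, avps, app_id=NAS_APPLICATION_ID,
                   hop_by_hop=1, end_to_end=1):
    """Header + AVPs.  REQ in the format means the R bit; PXY means the P bit."""
    body = b"".join(encode_avp(code, data) for code, data in avps)
    flags = FLAG_P | (FLAG_R if request else 0)
    header = (bytes([1]) + (20 + len(body)).to_bytes(3, "big") + bytes([flags])
              + command_code.to_bytes(3, "big")
              + struct.pack("!III", app_id, hop_by_hop, end_to_end))
    return header + body


def decode_message(raw):
    """Return (command name, Application-Id, {AVP code: raw data})."""
    if len(raw) < 20 or raw[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    length = int.from_bytes(raw[1:4], "big")
    if length != len(raw):
        raise ValueError("Message Length does not match the buffer")
    flags, code = raw[4], int.from_bytes(raw[5:8], "big")
    app_id = struct.unpack("!I", raw[8:12])[0]
    if code not in COMMANDS:
        raise ValueError("Command-Code %d is not a NAS application command" % code)
    name = COMMANDS[code][0 if flags & FLAG_R else 1]
    avps, pos = {}, 20
    while pos < length:
        avp_code, avp_flags = struct.unpack("!IB", raw[pos:pos + 5])
        avp_len = int.from_bytes(raw[pos + 5:pos + 8], "big")
        if avp_len < 8 or pos + avp_len > length:
            raise ValueError("bad AVP Length at offset %d" % pos)
        hdr = 12 if avp_flags & AVP_V else 8
        avps[avp_code] = raw[pos + hdr:pos + avp_len]
        pos += avp_len + (-avp_len) % 4         # step over the padding
    return name, app_id, avps


def avp_u32(avps, code):
    """Read an Unsigned32/Enumerated value out of a decoded AVP map."""
    return struct.unpack("!I", avps[code])[0]


def build_aar(session_id, user):
    """AAR: Command-Code 265 with R set; the { } AVPs of Section 3.1 plus User-Name."""
    return encode_message(265, True, [
        (SESSION_ID, session_id), (AUTH_APPLICATION_ID, NAS_APPLICATION_ID),
        (ORIGIN_HOST, "nas1.example.com"), (ORIGIN_REALM, "example.com"),
        (DESTINATION_REALM, "example.net"),
        (AUTH_REQUEST_TYPE, AUTHORIZE_AUTHENTICATE), (USER_NAME, user)])


def build_aaa(session_id, result_code):
    """AAA: the same Command-Code 265 with R cleared, Result-Code present (Section 3.2)."""
    return encode_message(265, False, [
        (SESSION_ID, session_id), (AUTH_APPLICATION_ID, NAS_APPLICATION_ID),
        (AUTH_REQUEST_TYPE, AUTHORIZE_AUTHENTICATE), (RESULT_CODE, result_code),
        (ORIGIN_HOST, "aaa.example.net"), (ORIGIN_REALM, "example.net")])
```

   The decoder rejects a header whose Message Length disagrees with the
   buffer and an AVP whose length runs past the message, which is where a
   naive parser of attacker-supplied Diameter traffic would read out of
   bounds; the command lookup fails closed on any Command-Code the table
   does not list.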
   This AA-Request message MAY be the result of a multi-round
   authentication exchange, which occurs when the AA-Answer message is
   received with the Result-Code AVP set to DIAMETER_MULTI_ROUND_AUTH.
   A subsequent AAR message SHOULD be sent, with the User-Password AVP
   that includes the user's response to the prompt, and MUST include any
   State AVPs that were present in the AAA message.

   Message Format

      <AA-Request> ::= < Diameter Header: 265, REQ, PXY >
                       < Session-Id >
                       { Auth-Application-Id }
                       { Origin-Host }
                       { Origin-Realm }
                       { Destination-Realm }
                       { Auth-Request-Type }
                       [ Destination-Host ]
                       [ NAS-Identifier ]
                       [ NAS-IP-Address ]
                       [ NAS-IPv6-Address ]
                       [ NAS-Port ]
                       [ NAS-Port-Id ]
                       [ NAS-Port-Type ]
                       [ Origin-AAA-Protocol ]
                       [ Origin-State-Id ]
                       [ Port-Limit ]
                       [ User-Name ]
                       [ User-Password ]
                       [ Service-Type ]
                       [ State ]
                       [ Authorization-Lifetime ]
                       [ Auth-Grace-Period ]
                       [ Auth-Session-State ]
                       [ Callback-Number ]
                       [ Called-Station-Id ]
                       [ Calling-Station-Id ]
                       [ Originating-Line-Info ]
                       [ Connect-Info ]
                       [ CHAP-Auth ]
                       [ CHAP-Challenge ]
                     * [ Framed-Compression ]
                       [ Framed-Interface-Id ]
                       [ Framed-IP-Address ]
                     * [ Framed-IPv6-Prefix ]
                       [ Framed-IP-Netmask ]
                       [ Framed-MTU ]
                       [ Framed-Protocol ]
                       [ ARAP-Password ]
                       [ ARAP-Security ]
                     * [ ARAP-Security-Data ]
                     * [ Login-IP-Host ]
                     * [ Login-IPv6-Host ]
                       [ Login-LAT-Group ]
                       [ Login-LAT-Node ]
                       [ Login-LAT-Port ]
                       [ Login-LAT-Service ]
                     * [ Tunneling ]
                     * [ Proxy-Info ]
                     * [ Route-Record ]
                     * [ AVP ]

3.2.  AA-Answer (AAA) Command

   The AA-Answer (AAA) message is indicated by setting the Command-Code
   field to 265 and clearing the 'R' bit in the Command Flags field.  It
   is sent in response to the AA-Request (AAR) message.  If
   authorization was requested, a successful response will include the
   authorization AVPs appropriate for the service being provided, as
   defined in Section 4.4.

   For authentication exchanges requiring more than a single round trip,
   the server MUST set the Result-Code AVP to DIAMETER_MULTI_ROUND_AUTH.
   An AAA message with this result code MAY include one or more
   Reply-Message AVPs and MAY include zero or one State AVPs.

   If the Reply-Message AVP was present, the network access server
   SHOULD send the text to the user's client to display to the user,
   instructing the client to prompt the user for a response.  For
   example, this capability can be achieved in PPP via PAP.  If the
   access client is unable to prompt the user for a new response, it
   MUST treat the AA-Answer (AAA) with the Reply-Message AVP as an error
   and deny access.

   Message Format

      <AA-Answer> ::= < Diameter Header: 265, PXY >
                      < Session-Id >
                      { Auth-Application-Id }
                      { Auth-Request-Type }
                      { Result-Code }
                      { Origin-Host }
                      { Origin-Realm }
                      [ User-Name ]
                      [ Service-Type ]
                    * [ Class ]
                    * [ Configuration-Token ]
                      [ Acct-Interim-Interval ]
                      [ Error-Message ]
                      [ Error-Reporting-Host ]
                    * [ Failed-AVP ]
                      [ Idle-Timeout ]
                      [ Authorization-Lifetime ]
                      [ Auth-Grace-Period ]
                      [ Auth-Session-State ]
                      [ Re-Auth-Request-Type ]
                      [ Multi-Round-Time-Out ]
                      [ Session-Timeout ]
                      [ State ]
                    * [ Reply-Message ]
                      [ Origin-AAA-Protocol ]
                      [ Origin-State-Id ]
                    * [ Filter-Id ]
                      [ Password-Retry ]
                      [ Port-Limit ]
                      [ Prompt ]
                      [ ARAP-Challenge-Response ]
                      [ ARAP-Features ]
                      [ ARAP-Security ]
                    * [ ARAP-Security-Data ]
                      [ ARAP-Zone-Access ]
                      [ Callback-Id ]
                      [ Callback-Number ]
                      [ Framed-Appletalk-Link ]
                    * [ Framed-Appletalk-Network ]
                      [ Framed-Appletalk-Zone ]
                    * [ Framed-Compression ]
                      [ Framed-Interface-Id ]
                      [ Framed-IP-Address ]
                    * [ Framed-IPv6-Prefix ]
                      [ Framed-IPv6-Pool ]
                    * [ Framed-IPv6-Route ]
                      [ Framed-IP-Netmask ]
                    * [ Framed-Route ]
                      [ Framed-Pool ]
                      [ Framed-IPX-Network ]
                      [ Framed-MTU ]
                      [ Framed-Protocol ]
                      [ Framed-Routing ]
                    * [ Login-IP-Host ]
                    * [ Login-IPv6-Host ]
                      [ Login-LAT-Group ]
                      [ Login-LAT-Node ]
                      [ Login-LAT-Port ]
                      [ Login-LAT-Service ]
                      [ Login-Service ]
                      [ Login-TCP-Port ]
                    * [ NAS-Filter-Rule ]
                    * [ QoS-Filter-Rule ]
                    * [ Tunneling ]
                    * [ Redirect-Host ]
                      [ Redirect-Host-Usage ]
                      [ Redirect-Max-Cache-Time ]
                    * [ Proxy-Info ]
                    * [ AVP ]

3.3.  Re-Auth-Request (RAR) Command

   A Diameter server may initiate a re-authentication and/or re-
   authorization service for a particular session by issuing a Re-Auth-
   Request (RAR) message [I-D.ietf-dime-rfc3588bis].

   For example, for pre-paid services, the Diameter server that
   originally authorized a session may need some confirmation that the
   user is still using the services.

   If a NAS receives an RAR message with Session-Id equal to a currently
   active session and a Re-Auth-Type that includes authentication, it
   MUST initiate a re-authentication toward the user, if the service
   supports this particular feature.
   Message Format

      <RA-Request> ::= < Diameter Header: 258, REQ, PXY >
                       < Session-Id >
                       { Origin-Host }
                       { Origin-Realm }
                       { Destination-Realm }
                       { Destination-Host }
                       { Auth-Application-Id }
                       { Re-Auth-Request-Type }
                       [ User-Name ]
                       [ Origin-AAA-Protocol ]
                       [ Origin-State-Id ]
                       [ NAS-Identifier ]
                       [ NAS-IP-Address ]
                       [ NAS-IPv6-Address ]
                       [ NAS-Port ]
                       [ NAS-Port-Id ]
                       [ NAS-Port-Type ]
                       [ Service-Type ]
                       [ Framed-IP-Address ]
                       [ Framed-IPv6-Prefix ]
                       [ Framed-Interface-Id ]
                       [ Called-Station-Id ]
                       [ Calling-Station-Id ]
                       [ Originating-Line-Info ]
                       [ Acct-Session-Id ]
                       [ Acct-Multi-Session-Id ]
                       [ State ]
                     * [ Class ]
                       [ Reply-Message ]
                     * [ Proxy-Info ]
                     * [ Route-Record ]
                     * [ AVP ]

3.4.  Re-Auth-Answer (RAA) Command

   The Re-Auth-Answer (RAA) message [I-D.ietf-dime-rfc3588bis] is sent
   in response to the RAR.  The Result-Code AVP MUST be present and
   indicates the disposition of the request.

   A successful RAA transaction MUST be followed by an AAR message.

   Message Format

      <RA-Answer> ::= < Diameter Header: 258, PXY >
                      < Session-Id >
                      { Result-Code }
                      { Origin-Host }
                      { Origin-Realm }
                      [ User-Name ]
                      [ Origin-AAA-Protocol ]
                      [ Origin-State-Id ]
                      [ Error-Message ]
                      [ Error-Reporting-Host ]
                    * [ Failed-AVP ]
                    * [ Redirected-Host ]
                      [ Redirected-Host-Usage ]
                      [ Redirected-Host-Cache-Time ]
                      [ Service-Type ]
                    * [ Configuration-Token ]
                      [ Idle-Timeout ]
                      [ Authorization-Lifetime ]
                      [ Auth-Grace-Period ]
                      [ Re-Auth-Request-Type ]
                      [ State ]
                    * [ Class ]
                    * [ Reply-Message ]
                      [ Prompt ]
                    * [ Proxy-Info ]
                    * [ AVP ]

3.5.  Session-Termination-Request (STR) Command

   The Session-Termination-Request (STR) message
   [I-D.ietf-dime-rfc3588bis] is sent by the NAS to inform the Diameter
   Server that an authenticated and/or authorized session is being
   terminated.

   Message Format

      <ST-Request> ::= < Diameter Header: 275, REQ, PXY >
                       < Session-Id >
                       { Origin-Host }
                       { Origin-Realm }
                       { Destination-Realm }
                       { Auth-Application-Id }
                       { Termination-Cause }
                       [ User-Name ]
                       [ Destination-Host ]
                     * [ Class ]
                       [ Origin-AAA-Protocol ]
                       [ Origin-State-Id ]
                     * [ Proxy-Info ]
                     * [ Route-Record ]
                     * [ AVP ]

3.6.  Session-Termination-Answer (STA) Command

   The Session-Termination-Answer (STA) message
   [I-D.ietf-dime-rfc3588bis] is sent by the Diameter Server to
   acknowledge the notification that the session has been terminated.
   The Result-Code AVP MUST be present and MAY contain an indication
   that an error occurred while the STR was being serviced.

   Upon sending or receiving the STA, the Diameter Server MUST release
   all resources for the session indicated by the Session-Id AVP.  Any
   intermediate server in the Proxy-Chain MAY also release any
   resources, if necessary.

   Message Format

      <ST-Answer> ::= < Diameter Header: 275, PXY >
                      < Session-Id >
                      { Result-Code }
                      { Origin-Host }
                      { Origin-Realm }
                      [ User-Name ]
                    * [ Class ]
                      [ Error-Message ]
                      [ Error-Reporting-Host ]
                    * [ Failed-AVP ]
                      [ Origin-AAA-Protocol ]
                      [ Origin-State-Id ]
                    * [ Redirect-Host ]
                      [ Redirect-Host-Usage ]
                      [ Redirect-Max-Cache-Time ]
                    * [ Proxy-Info ]
                    * [ AVP ]

3.7.  Abort-Session-Request (ASR) Command

   The Abort-Session-Request (ASR) message [I-D.ietf-dime-rfc3588bis]
   may be sent by any server to the NAS providing session service, to
   request that the session identified by the Session-Id be stopped.

   Message Format

      <AS-Request> ::= < Diameter Header: 274, REQ, PXY >
                       < Session-Id >
                       { Origin-Host }
                       { Origin-Realm }
                       { Destination-Realm }
                       { Destination-Host }
                       { Auth-Application-Id }
                       [ User-Name ]
                       [ Origin-AAA-Protocol ]
                       [ Origin-State-Id ]
                       [ NAS-Identifier ]
                       [ NAS-IP-Address ]
                       [ NAS-IPv6-Address ]
                       [ NAS-Port ]
                       [ NAS-Port-Id ]
                       [ NAS-Port-Type ]
                       [ Service-Type ]
                       [ Framed-IP-Address ]
                       [ Framed-IPv6-Prefix ]
                       [ Framed-Interface-Id ]
                       [ Called-Station-Id ]
                       [ Calling-Station-Id ]
                       [ Originating-Line-Info ]
                       [ Acct-Session-Id ]
                       [ Acct-Multi-Session-Id ]
                       [ State ]
                     * [ Class ]
                     * [ Reply-Message ]
                     * [ Proxy-Info ]
                     * [ Route-Record ]
                     * [ AVP ]

3.8.  Abort-Session-Answer (ASA) Command

   The ASA message [I-D.ietf-dime-rfc3588bis] is sent in response to the
   ASR.  The Result-Code AVP MUST be present and indicates the
   disposition of the request.

   If the session identified by Session-Id in the ASR was successfully
   terminated, Result-Code is set to DIAMETER_SUCCESS.  If the session
   is not currently active, the Result-Code AVP is set to
   DIAMETER_UNKNOWN_SESSION_ID.  If the access device does not stop the
   session for any other reason, the Result-Code AVP is set to
   DIAMETER_UNABLE_TO_COMPLY.

   Message Format

      <AS-Answer> ::= < Diameter Header: 274, PXY >
                      < Session-Id >
                      { Result-Code }
                      { Origin-Host }
                      { Origin-Realm }
                      [ User-Name ]
                      [ Origin-AAA-Protocol ]
                      [ Origin-State-Id ]
                      [ State ]
                      [ Error-Message ]
                      [ Error-Reporting-Host ]
                    * [ Failed-AVP ]
                    * [ Redirected-Host ]
                      [ Redirected-Host-Usage ]
                      [ Redirected-Max-Cache-Time ]
                    * [ Proxy-Info ]
                    * [ AVP ]

3.9.  Accounting-Request (ACR) Command

   The ACR message [I-D.ietf-dime-rfc3588bis] is sent by the NAS to
   report its session information to a target server downstream.

   The Acct-Application-Id AVP MUST be present.
829 The AVPs listed in the Base protocol specification 830 [I-D.ietf-dime-rfc3588bis] MUST be assumed to be present, as 831 appropriate. NAS service-specific accounting AVPs SHOULD be present 832 as described in Section 4.6 and the rest of this specification. 834 Message Format 836 ::= < Diameter Header: 271, REQ, PXY > 837 < Session-Id > 838 { Origin-Host } 839 { Origin-Realm } 840 { Destination-Realm } 841 { Accounting-Record-Type } 842 { Accounting-Record-Number } 843 { Acct-Application-Id } 844 [ User-Name ] 845 [ Accounting-Sub-Session-Id ] 846 [ Acct-Session-Id ] 847 [ Acct-Multi-Session-Id ] 848 [ Origin-AAA-Protocol ] 849 [ Origin-State-Id ] 851 [ Destination-Host ] 852 [ Event-Timestamp ] 853 [ Acct-Delay-Time ] 854 [ NAS-Identifier ] 855 [ NAS-IP-Address ] 856 [ NAS-IPv6-Address ] 857 [ NAS-Port ] 858 [ NAS-Port-Id ] 859 [ NAS-Port-Type ] 860 * [ Class ] 861 [ Service-Type ] 862 [ Termination-Cause ] 863 [ Accounting-Input-Octets ] 864 [ Accounting-Input-Packets ] 865 [ Accounting-Output-Octets ] 866 [ Accounting-Output-Packets ] 867 [ Acct-Authentic ] 868 [ Accounting-Auth-Method ] 869 [ Acct-Link-Count ] 870 [ Acct-Session-Time ] 871 [ Acct-Tunnel-Connection ] 872 [ Acct-Tunnel-Packets-Lost ] 873 [ Callback-Id ] 874 [ Callback-Number ] 875 [ Called-Station-Id ] 876 [ Calling-Station-Id ] 877 * [ Connection-Info ] 878 [ Originating-Line-Info ] 879 [ Authorization-Lifetime ] 880 [ Session-Timeout ] 881 [ Idle-Timeout ] 882 [ Port-Limit ] 883 [ Accounting-Realtime-Required ] 884 [ Acct-Interim-Interval ] 885 * [ Filter-Id ] 886 * [ NAS-Filter-Rule ] 887 * [ Qos-Filter-Rule ] 888 [ Framed-AppleTalk-Link ] 889 [ Framed-AppleTalk-Network ] 890 [ Framed-AppleTalk-Zone ] 891 [ Framed-Compression ] 892 [ Framed-Interface-Id ] 893 [ Framed-IP-Address ] 894 [ Framed-IP-Netmask ] 895 * [ Framed-IPv6-Prefix ] 896 [ Framed-IPv6-Pool ] 897 * [ Framed-IPv6-Route ] 898 [ Framed-IPX-Network ] 900 [ Framed-MTU ] 901 [ Framed-Pool ] 902 [ Framed-Protocol ] 903 * [ 
Framed-Route ] 904 [ Framed-Routing ] 905 * [ Login-IP-Host ] 906 * [ Login-IPv6-Host ] 907 [ Login-LAT-Group ] 908 [ Login-LAT-Node ] 909 [ Login-LAT-Port ] 910 [ Login-LAT-Service ] 911 [ Login-Service ] 912 [ Login-TCP-Port ] 913 * [ Tunneling ] 914 * [ Proxy-Info ] 915 * [ Route-Record ] 916 * [ AVP ] 918 3.10. Accounting-Answer (ACA) Command 920 The ACA message [I-D.ietf-dime-rfc3588bis] is used to acknowledge an 921 Accounting-Request command. The Accounting-Answer command contains 922 the same Session-Id as the Request. If the Accounting-Request was 923 protected by end-to-end security, then the corresponding ACA message 924 MUST be protected as well. 926 Only the target Diameter Server or home Diameter Server SHOULD 927 respond with the Accounting-Answer command. 929 Either the Acct-Application-Id AVP MUST be present, as it was in the 930 request. 932 The AVPs listed in the Base protocol specification 933 [I-D.ietf-dime-rfc3588bis] MUST be assumed to be present, as 934 appropriate. NAS service-specific accounting AVPs SHOULD be present 935 as described in Section 4.6 and the rest of this specification. 937 Message Format 939 ::= < Diameter Header: 271, PXY > 940 < Session-Id > 941 { Result-Code } 942 { Origin-Host } 943 { Origin-Realm } 944 { Accounting-Record-Type } 945 { Accounting-Record-Number } 946 { Acct-Application-Id } 947 [ User-Name ] 948 [ Accounting-Sub-Session-Id ] 949 [ Acct-Session-Id ] 950 [ Acct-Multi-Session-Id ] 951 [ Event-Timestamp ] 952 [ Error-Message ] 953 [ Error-Reporting-Host ] 954 * [ Failed-AVP ] 955 [ Origin-AAA-Protocol ] 956 [ Origin-State-Id ] 957 [ NAS-Identifier ] 958 [ NAS-IP-Address ] 959 [ NAS-IPv6-Address ] 960 [ NAS-Port ] 961 [ NAS-Port-Id ] 962 [ NAS-Port-Type ] 963 [ Service-Type ] 964 [ Termination-Cause ] 965 [ Accounting-Realtime-Required ] 966 [ Acct-Interim-Interval ] 967 * [ Class ] 968 * [ Proxy-Info ] 969 * [ AVP ] 971 4. 
4.  Diameter NAS Application AVPs

   The following sections define a new derived AVP data format and a set
   of application-specific AVPs, and describe the use of AVPs defined in
   other documents by the Diameter NAS Application.

4.1.  Derived AVP Data Formats

4.1.1.  QoSFilterRule

   The QoSFilterRule format is derived from the OctetString AVP Base
   Format.  It uses the ASCII charset.  Packets may be marked or metered
   based on the following information:

   o  Direction (in or out)

   o  Source and destination IP address (possibly masked)

   o  Protocol

   o  Source and destination port (lists or ranges)

   o  DSCP values (no mask or range)

   Rules for the appropriate direction are evaluated in order; the first
   matched rule terminates the evaluation.  Each packet is evaluated
   once.  If no rule matches, the packet is treated as best effort.  An
   access device unable to interpret or apply a QoS rule SHOULD NOT
   terminate the session.

   QoSFilterRule filters MUST follow the following format:

      action dir proto from src to dst [options]

   where

   action
      tag    Mark packet with a specific DSCP [RFC2474]
      meter  Meter traffic

   dir          The format is as described under IPFilterRule
                [I-D.ietf-dime-rfc3588bis]

   proto        The format is as described under IPFilterRule
                [I-D.ietf-dime-rfc3588bis]

   src and dst  The format is as described under IPFilterRule
                [I-D.ietf-dime-rfc3588bis]

   The options are described in Section 4.4.9.

   The rule syntax is a modified subset of ipfw(8) from FreeBSD, and the
   ipfw.c code may provide a useful base for implementations.

4.2.  NAS Session AVPs

   Diameter reserves the AVP Codes 0 - 255 for RADIUS Attributes that
   are implemented in Diameter.

4.2.1.  Call and Session Information

   This section describes the AVPs specific to Diameter applications
   that are needed to identify the call and session context and status
   information.  On a request, this information allows the server to
   qualify the session.

   These AVPs are used in addition to the following AVPs from the base
   protocol specification [I-D.ietf-dime-rfc3588bis]:

      Session-Id
      Auth-Application-Id
      Origin-Host
      Origin-Realm
      Auth-Request-Type
      Termination-Cause

   The following table gives the possible flag values for the session
   level AVPs and specifies whether the AVP MAY be encrypted.

                                            +----------+
                                            | AVP Flag |
                                            |  rules   |
                                            |----+-----|
                                            |MUST| MUST|
   Attribute Name            Section Defined |    |  NOT|
   -----------------------------------------|----+-----|
   NAS-Port                  4.2.2          | M  |  V  |
   NAS-Port-Id               4.2.3          | M  |  V  |
   NAS-Port-Type             4.2.4          | M  |  V  |
   Called-Station-Id         4.2.5          | M  |  V  |
   Calling-Station-Id        4.2.6          | M  |  V  |
   Connect-Info              4.2.7          | M  |  V  |
   Originating-Line-Info     4.2.8          |    |  V  |
   Reply-Message             4.2.9          | M  |  V  |
   -----------------------------------------|----+-----|

4.2.2.  NAS-Port AVP

   The NAS-Port AVP (AVP Code 5) is of type Unsigned32 and contains the
   physical or virtual port number of the NAS which is authenticating
   the user.  Note that "port" is meant in its sense as a service
   connection on the NAS, not as an IP protocol identifier.

   Either the NAS-Port AVP or the NAS-Port-Id AVP (Section 4.2.3) SHOULD
   be present in the AA-Request (AAR, Section 3.1) command if the NAS
   differentiates among its ports.

4.2.3.  NAS-Port-Id AVP

   The NAS-Port-Id AVP (AVP Code 87) is of type UTF8String and consists
   of ASCII text identifying the port of the NAS authenticating the
   user.  Note that "port" is meant in its sense as a service connection
   on the NAS, not as an IP protocol identifier.

   Either the NAS-Port-Id or the NAS-Port (Section 4.2.2) SHOULD be
   present in the AA-Request (AAR, Section 3.1) command if the NAS
   differentiates among its ports.  NAS-Port-Id is intended for use by
   NASes that cannot conveniently number their ports.

4.2.4.  NAS-Port-Type AVP

   The NAS-Port-Type AVP (AVP Code 61) is of type Enumerated and
   contains the type of the port on which the NAS is authenticating the
   user.  This AVP SHOULD be present if the NAS uses the same NAS-Port
   number ranges for different service types concurrently.

   The currently supported values of the NAS-Port-Type AVP are listed in
   [RADIUSTypes].

4.2.5.  Called-Station-Id AVP

   The Called-Station-Id AVP (AVP Code 30) is of type UTF8String and
   allows the NAS to send the ASCII string describing the Layer 2
   address the user contacted in the request.  For dialup access, this
   can be a phone number obtained by using the Dialed Number
   Identification Service (DNIS) or a similar technology.  Note that
   this may be different from the phone number the call comes in on.
   For use with IEEE 802 access, the Called-Station-Id MAY contain a MAC
   address formatted as described in [RFC3580].

   If the Called-Station-Id AVP is present in an AAR message, the Auth-
   Request-Type AVP is set to AUTHORIZE_ONLY and the User-Name AVP is
   absent, the Diameter Server MAY perform authorization based on this
   AVP.  This can be used by a NAS to request whether a call should be
   answered based on the DNIS result.

   The codification of this field's allowed usage range is outside the
   scope of this specification.

4.2.6.  Calling-Station-Id AVP

   The Calling-Station-Id AVP (AVP Code 31) is of type UTF8String and
   allows the NAS to send the ASCII string describing the Layer 2
   address from which the user connected in the request.  For dialup
   access, this is the phone number the call came from, using Automatic
   Number Identification (ANI) or a similar technology.  For use with
   IEEE 802 access, the Calling-Station-Id AVP MAY contain a MAC
   address, formatted as described in [RFC3580].

   If the Calling-Station-Id AVP is present in an AAR message, the Auth-
   Request-Type AVP is set to AUTHORIZE_ONLY and the User-Name AVP is
   absent, the Diameter Server MAY perform authorization based on the
   value of this AVP.  This can be used by a NAS to request whether a
   call should be answered based on the Layer 2 address (ANI, MAC
   Address, etc.).

   The codification of this field's allowed usage range is outside the
   scope of this specification.

4.2.7.  Connect-Info AVP

   The Connect-Info AVP (AVP Code 77) is of type UTF8String and is sent
   in the AA-Request message or an ACR message with the value of the
   Accounting-Record-Type AVP set to STOP.  When sent in the AA-Request,
   it indicates the nature of the user's connection.  The connection
   speed SHOULD be included at the beginning of the first Connect-Info
   AVP in the message.  If the transmit and receive connection speeds
   differ, both may be included in the first AVP with the transmit speed
   listed first (the speed at which the NAS modem transmits), then a
   slash (/), then the receive speed, and then other optional
   information.

   For example: "28800 V42BIS/LAPM" or "52000/31200 V90"

   If sent in an ACR message with the value of the Accounting-Record-
   Type AVP set to STOP, this attribute may summarize statistics
   relating to session quality.  For example, in IEEE 802.11, the
   Connect-Info AVP may contain information on the number of link layer
   retransmissions.  The exact format of this attribute is
   implementation specific.

4.2.8.  Originating-Line-Info AVP

   The Originating-Line-Info AVP (AVP Code 94) is of type OctetString
   and is sent by the NAS system to convey information about the origin
   of the call from an SS7 system.
   The Originating Line Information (OLI) element indicates the nature
   and/or characteristics of the line from which a call originated
   (e.g., pay phone, hotel, cellular).  Telephone companies are starting
   to offer OLI to their customers as an option over Primary Rate
   Interface (PRI).  Internet Service Providers (ISPs) can use OLI in
   addition to the Called-Station-Id and Calling-Station-Id attributes
   to differentiate customer calls and to define different services.

   The Value field contains two octets (00 - 99).  ANSI T1.113 and
   BELLCORE 394 can be used for additional information about these
   values and their use.  For information on the currently assigned
   values, see [ANITypes].

4.2.9.  Reply-Message AVP

   The Reply-Message AVP (AVP Code 18) is of type UTF8String and
   contains text that MAY be displayed to the user.  When used in an AA-
   Answer message with a successful Result-Code AVP, it indicates
   success.  When found in an AAA message with a Result-Code other than
   DIAMETER_SUCCESS, the AVP contains a failure message.

   The Reply-Message AVP MAY contain text to prompt the user before
   another AA-Request attempt.  When used in an AA-Answer message
   containing a Result-Code AVP with the value DIAMETER_MULTI_ROUND_AUTH
   or in a Re-Auth-Request message, it MAY contain text to prompt the
   user for a response.

4.3.  NAS Authentication AVPs

   This section defines the AVPs necessary to carry the authentication
   information in the Diameter protocol.  The functionality defined here
   provides a RADIUS-like AAA service [RFC2865] over a more reliable and
   secure transport, as defined in the base protocol
   [I-D.ietf-dime-rfc3588bis].

   The following table gives the possible flag values for the session
   level AVPs and specifies whether the AVP MAY be encrypted.

                                            +----------+
                                            | AVP Flag |
                                            |  rules   |
                                            |----+-----|
                                            |MUST| MUST|
   Attribute Name            Section Defined |    |  NOT|
   -----------------------------------------|----+-----|
   User-Password             4.3.1          | M  |  V  |
   Password-Retry            4.3.2          | M  |  V  |
   Prompt                    4.3.3          | M  |  V  |
   CHAP-Auth                 4.3.4          | M  |  V  |
   CHAP-Algorithm            4.3.5          | M  |  V  |
   CHAP-Ident                4.3.6          | M  |  V  |
   CHAP-Response             4.3.7          | M  |  V  |
   CHAP-Challenge            4.3.8          | M  |  V  |
   ARAP-Password             4.3.9          | M  |  V  |
   ARAP-Challenge-Response   4.3.10         | M  |  V  |
   ARAP-Security             4.3.11         | M  |  V  |
   ARAP-Security-Data        4.3.12         | M  |  V  |
   -----------------------------------------|----+-----|

4.3.1.  User-Password AVP

   The User-Password AVP (AVP Code 2) is of type OctetString and
   contains the password of the user to be authenticated, or the user's
   input in a multi-round authentication exchange.

   The User-Password AVP contains a user password or one-time password
   and therefore represents sensitive information.  As required in
   [I-D.ietf-dime-rfc3588bis], Diameter messages are encrypted by using
   IPsec [RFC4301] or TLS [RFC5246].  Unless this AVP is used for one-
   time passwords, the User-Password AVP SHOULD NOT be used in untrusted
   proxy environments without encrypting it by using end-to-end security
   techniques.

   The clear-text password (prior to encryption) MUST NOT be longer than
   128 bytes in length.

4.3.2.  Password-Retry AVP

   The Password-Retry AVP (AVP Code 75) is of type Unsigned32 and MAY be
   included in the AA-Answer if the Result-Code indicates an
   authentication failure.  The value of this AVP indicates how many
   authentication attempts a user is permitted before being
   disconnected.  This AVP is primarily intended for use when the
   Framed-Protocol AVP (Section 4.4.10.1) is set to ARAP.

4.3.3.  Prompt AVP

   The Prompt AVP (AVP Code 76) is of type Enumerated and MAY be present
   in the AA-Answer message.  When present, it is used by the NAS to
   determine whether the user's response, when entered, should be
   echoed.

   The supported values are listed in [RADIUSTypes].

4.3.4.  CHAP-Auth AVP

   The CHAP-Auth AVP (AVP Code 402) is of type Grouped and contains the
   information necessary to authenticate a user using the PPP Challenge-
   Handshake Authentication Protocol (CHAP) [RFC1994].  If the CHAP-Auth
   AVP is found in a message, the CHAP-Challenge AVP (Section 4.3.8)
   MUST be present as well.  The optional AVPs containing the CHAP
   response depend upon the value of the CHAP-Algorithm AVP
   (Section 4.3.5).  The grouped AVP has the following ABNF grammar:

      CHAP-Auth  ::= < AVP Header: 402 >
                     { CHAP-Algorithm }
                     { CHAP-Ident }
                     [ CHAP-Response ]
                   * [ AVP ]

4.3.5.  CHAP-Algorithm AVP

   The CHAP-Algorithm AVP (AVP Code 403) is of type Enumerated and
   contains the algorithm identifier used in the computation of the CHAP
   response [RFC1994].  The following values are currently supported:

   CHAP with MD5  5
      The CHAP response is computed by using the procedure described in
      [RFC1994].  This algorithm requires that the CHAP-Response AVP
      (Section 4.3.7) MUST be present in the CHAP-Auth AVP
      (Section 4.3.4).

4.3.6.  CHAP-Ident AVP

   The CHAP-Ident AVP (AVP Code 404) is of type OctetString and contains
   the 1 octet CHAP Identifier used in the computation of the CHAP
   response [RFC1994].

4.3.7.  CHAP-Response AVP

   The CHAP-Response AVP (AVP Code 405) is of type OctetString and
   contains the 16 octet authentication data provided by the user in
   response to the CHAP challenge [RFC1994].

4.3.8.  CHAP-Challenge AVP

   The CHAP-Challenge AVP (AVP Code 60) is of type OctetString and
   contains the CHAP Challenge sent by the NAS to the CHAP peer
   [RFC1994].

4.3.9.  ARAP-Password AVP

   The ARAP-Password AVP (AVP Code 70) is of type OctetString and is
   only present when the Framed-Protocol AVP (Section 4.4.10.1) is
   included in the message and is set to ARAP.  This AVP MUST NOT be
   present if either the User-Password or the CHAP-Auth AVP is present.
   See [RFC2869] for more information on the contents of this AVP.

4.3.10.  ARAP-Challenge-Response AVP

   The ARAP-Challenge-Response AVP (AVP Code 84) is of type OctetString
   and is only present when the Framed-Protocol AVP (Section 4.4.10.1)
   is included in the message and is set to ARAP.  This AVP contains an
   8 octet response to the dial-in client's challenge.  The Diameter
   server calculates this value by taking the dial-in client's challenge
   from the high-order 8 octets of the ARAP-Password AVP and performing
   DES encryption on this value with the authenticating user's password
   as the key.  If the user's password is fewer than 8 octets in length,
   the password is padded at the end with NULL octets to a length of 8
   before it is used as a key.

4.3.11.  ARAP-Security AVP

   The ARAP-Security AVP (AVP Code 73) is of type Unsigned32 and MAY be
   present in the AA-Answer message if the Framed-Protocol AVP
   (Section 4.4.10.1) is set to the value of ARAP, and the Result-Code
   AVP ([I-D.ietf-dime-rfc3588bis], Section 7.1) is set to
   DIAMETER_MULTI_ROUND_AUTH.  See [RFC2869] for more information on the
   contents of this AVP.

4.3.12.  ARAP-Security-Data AVP

   The ARAP-Security-Data AVP (AVP Code 74) is of type OctetString and
   MAY be present in the AA-Request or AA-Answer message if the Framed-
   Protocol AVP (Section 4.4.10.1) is set to the value of ARAP and the
   Result-Code AVP ([I-D.ietf-dime-rfc3588bis], Section 7.1) is set to
   DIAMETER_MULTI_ROUND_AUTH.  This AVP contains the security module
   challenge or response associated with the ARAP Security Module
   specified in the ARAP-Security AVP (Section 4.3.11).

4.4.  NAS Authorization AVPs

   This section contains the authorization AVPs supported in the NAS
   Application.  The Service-Type AVP SHOULD be present in all messages
   and, based on its value, additional AVPs defined in this section and
   Section 4.5 MAY be present.

   The following table gives the possible flag values for the session-
   level AVPs and specifies whether the AVP MAY be encrypted.

                                            +----------+
                                            | AVP Flag |
                                            |  rules   |
                                            |----+-----|
                                            |MUST| MUST|
   Attribute Name            Section Defined |    |  NOT|
   -----------------------------------------|----+-----|
   Service-Type              4.4.1          | M  |  V  |
   Callback-Number           4.4.2          | M  |  V  |
   Callback-Id               4.4.3          | M  |  V  |
   Idle-Timeout              4.4.4          | M  |  V  |
   Port-Limit                4.4.5          | M  |  V  |
   NAS-Filter-Rule           4.4.6          | M  |  V  |
   Filter-Id                 4.4.7          | M  |  V  |
   Configuration-Token       4.4.8          | M  | P,V |
   QoS-Filter-Rule           4.4.9          |    |     |
   Framed-Protocol           4.4.10.1       | M  |  V  |
   Framed-Routing            4.4.10.2       | M  |  V  |
   Framed-MTU                4.4.10.3       | M  |  V  |
   Framed-Compression        4.4.10.4       | M  |  V  |
   Framed-IP-Address         4.4.10.5.1     | M  |  V  |
   Framed-IP-Netmask         4.4.10.5.2     | M  |  V  |
   Framed-Route              4.4.10.5.3     | M  |  V  |
   Framed-Pool               4.4.10.5.4     | M  |  V  |
   Framed-Interface-Id       4.4.10.5.5     | M  |  V  |
   Framed-IPv6-Prefix        4.4.10.5.6     | M  |  V  |
   Framed-IPv6-Route         4.4.10.5.7     | M  |  V  |
   Framed-IPv6-Pool          4.4.10.5.8     | M  |  V  |
   Framed-IPX-Network        4.4.10.6.1     | M  |  V  |
   Framed-Appletalk-Link     4.4.10.7.1     | M  |  V  |
   Framed-Appletalk-Network  4.4.10.7.2     | M  |  V  |
   Framed-Appletalk-Zone     4.4.10.7.3     | M  |  V  |
   ARAP-Features             4.4.10.8.1     | M  |  V  |
   ARAP-Zone-Access          4.4.10.8.2     | M  |  V  |
   Login-IP-Host             4.4.11.1       | M  |  V  |
   Login-IPv6-Host           4.4.11.2       | M  |  V  |
   Login-Service             4.4.11.3       | M  |  V  |
   Login-TCP-Port            4.4.11.4.1     | M  |  V  |
   Login-LAT-Service         4.4.11.5.1     | M  |  V  |
   Login-LAT-Node            4.4.11.5.2     | M  |  V  |
   Login-LAT-Group           4.4.11.5.3     | M  |  V  |
   Login-LAT-Port            4.4.11.5.4     | M  |  V  |
   -----------------------------------------|----+-----|

4.4.1.  Service-Type AVP

   The Service-Type AVP (AVP Code 6) is of type Enumerated and contains
   the type of service the user has requested or the type of service to
   be provided.  One such AVP MAY be present in an authentication and/or
   authorization request or response.  A NAS is not required to
   implement all of these service types.  It MUST treat unknown or
   unsupported Service-Types received in a response as a failure and end
   the session with a DIAMETER_INVALID_AVP_VALUE Result-Code.

   When used in a request, the Service-Type AVP SHOULD be considered a
   hint to the server that the NAS believes the user would prefer the
   kind of service indicated.  The server is not required to honor the
   hint.  Furthermore, if the service specified by the server is
   supported, but not compatible with the current mode of access, the
   NAS MUST fail to start the session.  The NAS MUST also generate the
   appropriate error message(s).

   The complete list of defined values that the Service-Type AVP can
   take can be found in [RFC2865] and [RADIUSTypes], but the following
   values require further qualification here:

   Login (1)
      The user should be connected to a host.  The message MAY include
      additional AVPs as defined in Section 4.4.11.4 or
      Section 4.4.11.5.

   Framed (2)
      A Framed Protocol, such as PPP or SLIP, should be started for the
      User.  The message MAY include additional AVPs defined in
      Section 4.4.10, or Section 4.5 for tunneling services.

   Callback Login (3)
      The user should be disconnected and called back, then connected
      to a host.  The message MAY include additional AVPs defined in
      this Section.

   Callback Framed (4)
      The user should be disconnected and called back, and then a
      Framed Protocol, such as PPP or SLIP, should be started for the
      User.  The message MAY include additional AVPs defined in
      Section 4.4.10, or Section 4.5 for tunneling services.

4.4.2.  Callback-Number AVP

   The Callback-Number AVP (AVP Code 19) is of type UTF8String and
   contains a dialing string to be used for callback.  It MAY be used in
   an authentication and/or authorization request as a hint to the
   server that a Callback service is desired, but the server is not
   required to honor the hint in the corresponding response.

   The codification of this field's allowed usage range is outside the
   scope of this specification.

4.4.3.  Callback-Id AVP

   The Callback-Id AVP (AVP Code 20) is of type UTF8String and contains
   the name of a place to be called, to be interpreted by the NAS.  This
   AVP MAY be present in an authentication and/or authorization
   response.

   This AVP is not roaming-friendly as it assumes that the Callback-Id
   is configured on the NAS.  Using the Callback-Number AVP
   (Section 4.4.2) is therefore preferable.

4.4.4.  Idle-Timeout AVP

   The Idle-Timeout AVP (AVP Code 28) is of type Unsigned32 and sets the
   maximum number of consecutive seconds of idle connection allowable to
   the user before termination of the session or before a prompt is
   issued.  The default is none, or system specific.

4.4.5.  Port-Limit AVP

   The Port-Limit AVP (AVP Code 62) is of type Unsigned32 and sets the
   maximum number of ports the NAS provides to the user.  It MAY be used
   in an authentication and/or authorization request as a hint to the
   server that multilink PPP [RFC1990] service is desired, but the
   server is not required to honor the hint in the corresponding
   response.

4.4.6.  NAS-Filter-Rule AVP

   The NAS-Filter-Rule AVP (AVP Code 400) is of type IPFilterRule and
   provides filter rules that need to be configured on the NAS for the
   user.  One or more of these AVPs MAY be present in an authorization
   response.

4.4.7.  Filter-Id AVP

   The Filter-Id AVP (AVP Code 11) is of type UTF8String and contains
   the name of the filter list for this user.  Zero or more Filter-Id
   AVPs MAY be sent in an authorization answer.

   Identifying a filter list by name allows the filter to be used on
   different NASes without regard to filter-list implementation details.
   However, this AVP is not roaming-friendly, as filter naming differs
   from one service provider to another.

   In environments where backward compatibility with RADIUS is not
   required, it is RECOMMENDED that the NAS-Filter-Rule AVP
   (Section 4.4.6) be used instead.

4.4.8.  Configuration-Token AVP

   The Configuration-Token AVP (AVP Code 78) is of type OctetString and
   is sent by a Diameter Server to a Diameter Proxy Agent in an AA-
   Answer command to indicate a type of user profile to be used.  It
   should not be sent to a Diameter Client (NAS).

   The format of the Data field of this AVP is site specific.

4.4.9.  QoS-Filter-Rule AVP

   The QoS-Filter-Rule AVP (AVP Code 407) is of type QoSFilterRule
   (Section 4.1.1) and provides QoS filter rules that need to be
   configured on the NAS for the user.  One or more such AVPs MAY be
   present in an authorization response.
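   The CHAP-Auth grouped AVP (Section 4.3.4) and the "CHAP with MD5"
   algorithm (Section 4.3.5) above, checked on the server side, as an
   added example; this is not code from the draft.  It assumes the
   RFC 1994 response computation MD5(Identifier || secret || Challenge),
   and the checks it performs (CHAP-Challenge present, CHAP-Algorithm
   value 5, 1-octet CHAP-Ident, 16-octet CHAP-Response) follow Sections
   4.3.4 to 4.3.8.  The symbolic result names other than DIAMETER_SUCCESS
   are base-protocol Result-Code names chosen for this example, not a
   mapping this specification prescribes; the secret, identifier and
   challenge in the sample are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

CHAP_WITH_MD5 = 5            # CHAP-Algorithm value (Section 4.3.5)
CHAP_IDENT_LEN = 1           # CHAP-Ident is one octet (Section 4.3.6)
CHAP_MD5_RESPONSE_LEN = 16   # CHAP-Response is the 16-octet MD5 digest (Section 4.3.7)


@dataclass
class ChapAuth:
    """Decoded CHAP-Auth grouped AVP (Section 4.3.4); names are this example's own."""
    algorithm: int                     # CHAP-Algorithm (Enumerated)
    ident: bytes                       # CHAP-Ident (OctetString)
    response: Optional[bytes] = None   # CHAP-Response (OctetString), optional in the grammar


def chap_md5_response(ident: bytes, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge).

    The CHAP peer computes this; the Diameter server recomputes it from the
    stored secret to verify the CHAP-Response it received.
    """
    return hashlib.md5(ident + secret + challenge).digest()


def verify_chap_auth(chap_auth: ChapAuth, chap_challenge: Optional[bytes],
                     secret: bytes) -> str:
    """Check a CHAP-Auth AVP against the CHAP-Challenge AVP and the user's secret.

    Returns the symbolic Result-Code the server would place in its AA-Answer.
    The failure names are base-protocol result codes picked for this example.
    """
    # Section 4.3.4: CHAP-Challenge MUST accompany CHAP-Auth.
    if not chap_challenge:
        return "DIAMETER_MISSING_AVP"
    # Only "CHAP with MD5" (5) is defined (Section 4.3.5).
    if chap_auth.algorithm != CHAP_WITH_MD5:
        return "DIAMETER_INVALID_AVP_VALUE"
    # For MD5 the CHAP-Response AVP MUST be present inside the group.
    if chap_auth.response is None:
        return "DIAMETER_MISSING_AVP"
    if (len(chap_auth.ident) != CHAP_IDENT_LEN
            or len(chap_auth.response) != CHAP_MD5_RESPONSE_LEN):
        return "DIAMETER_INVALID_AVP_LENGTH"
    expected = chap_md5_response(chap_auth.ident, secret, chap_challenge)
    # Constant-time comparison: do not leak how many digest bytes matched.
    if not hmac.compare_digest(expected, chap_auth.response):
        return "DIAMETER_AUTHENTICATION_REJECTED"
    return "DIAMETER_SUCCESS"


if __name__ == "__main__":
    # Constructed sample: the challenge the NAS issued and the peer's answer.
    challenge = bytes(range(16))
    secret = b"example-secret"
    ident = b"\x2a"
    peer = ChapAuth(CHAP_WITH_MD5, ident, chap_md5_response(ident, secret, challenge))
    print(verify_chap_auth(peer, challenge, secret))    # DIAMETER_SUCCESS
    print(verify_chap_auth(peer, challenge, b"other"))  # DIAMETER_AUTHENTICATION_REJECTED
```

   The server never needs the user's secret on the wire: only the
   CHAP-Challenge, CHAP-Ident and CHAP-Response travel in the messages,
   and the comparison is done in constant time on the recomputed digest.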
1519 The use of this AVP is NOT RECOMMENDED; the AVPs defined by Korhonen, 1520 et al. [RFC5777] SHOULD be used instead. 1522 DSCP If action is set to tag (Section 4.1.1) this option 1523 MUST be included in the rule. 1525 Color values are defined in [RFC2474]. Exact matching of DSCP 1526 values is required (no masks or ranges). 1528 metering The metering option 1529 provides Assured Forwarding, as defined in [RFC2597]. and MUST 1530 be present if the action is set to meter (Section 4.1.1) The 1531 rate option is the throughput, in bits per second, used by the 1532 access device to mark packets. Traffic over the rate is marked 1533 with the color_over codepoint, and traffic under the rate is 1534 marked with the color_under codepoint. The color_under and 1535 color_over options contain the drop preferences and MUST 1536 conform to the recommended codepoint keywords described in 1537 [RFC2597] (e.g., AF13). 1539 The metering option also supports the strict limit on traffic 1540 required by Expedited Forwarding, as defined in [RFC3246]. The 1541 color_over option may contain the keyword "drop" to prevent 1542 forwarding of traffic that exceeds the rate parameter. 1544 4.4.10. Framed Access Authorization AVPs 1546 This section lists the authorization AVPs necessary to support framed 1547 access, such as PPP and SLIP. AVPs defined in this section MAY be 1548 present in a message if the Service-Type AVP was set to "Framed" or 1549 "Callback Framed". 1551 4.4.10.1. Framed-Protocol AVP 1553 The Framed-Protocol AVP (AVP Code 7) is of type Enumerated and 1554 contains the framing to be used for framed access. This AVP MAY be 1555 present in both requests and responses. The supported values are 1556 listed in [RADIUSTypes]. 1558 4.4.10.2. Framed-Routing AVP 1560 The Framed-Routing AVP (AVP Code 10) is of type Enumerated and 1561 contains the routing method for the user when the user is a router to 1562 a network. 
   This AVP SHOULD only be present in authorization responses. The supported values are listed in [RADIUSTypes].

4.4.10.3. Framed-MTU AVP

   The Framed-MTU AVP (AVP Code 12) is of type Unsigned32 and contains the Maximum Transmission Unit (MTU) to be configured for the user, when it is not negotiated by some other means (such as PPP). This AVP SHOULD only be present in authorization responses. The MTU value MUST be in the range from 64 to 65535.

4.4.10.4. Framed-Compression AVP

   The Framed-Compression AVP (AVP Code 13) is of type Enumerated and contains the compression protocol to be used for the link. It MAY be used in an authorization request as a hint to the server that a specific compression type is desired, but the server is not required to honor the hint in the corresponding response.

   More than one compression protocol AVP MAY be sent. The NAS is responsible for applying the proper compression protocol to the appropriate link traffic.

   The supported values are listed in [RADIUSTypes].

4.4.10.5. IP Access Authorization AVPs

   The AVPs defined in this section are used when the user requests, or is being granted, access service to IP.

4.4.10.5.1. Framed-IP-Address AVP

   The Framed-IP-Address AVP (AVP Code 8) [RFC2865] is of type OctetString and contains an IPv4 address of the type specified in the attribute value to be configured for the user. It MAY be used in an authorization request as a hint to the server that a specific address is desired, but the server is not required to honor the hint in the corresponding response.

   Two values have special significance: 0xFFFFFFFF and 0xFFFFFFFE. The value 0xFFFFFFFF indicates that the NAS should allow the user to select an address (i.e., negotiated).
   The value 0xFFFFFFFE indicates that the NAS should select an address for the user (e.g., assigned from a pool of addresses kept by the NAS).

4.4.10.5.2. Framed-IP-Netmask AVP

   The Framed-IP-Netmask AVP (AVP Code 9) is of type OctetString and contains the four octets of the IPv4 netmask to be configured for the user when the user is a router to a network. It MAY be used in an authorization request as a hint to the server that a specific netmask is desired, but the server is not required to honor the hint in the corresponding response. This AVP MUST be present in a response if the request included this AVP with a value of 0xFFFFFFFF.

4.4.10.5.3. Framed-Route AVP

   The Framed-Route AVP (AVP Code 22) is of type UTF8String and contains the ASCII routing information to be configured for the user on the NAS. Zero or more of these AVPs MAY be present in an authorization response.

   The string MUST contain a destination prefix in dotted quad form optionally followed by a slash and a decimal length specifier stating how many high-order bits of the prefix should be used. This is followed by a space, a gateway address in dotted quad form, a space, and one or more metrics separated by spaces; for example,

      "192.0.2.0/24 192.0.2.1 1"

   The length specifier may be omitted, in which case it should default to 8 bits for class A prefixes, to 16 bits for class B prefixes, and to 24 bits for class C prefixes; for example,

      "192.0.2.0 192.0.2.1 1"

   Whenever the gateway address is specified as "0.0.0.0" the IP address of the user SHOULD be used as the gateway address.

4.4.10.5.4. Framed-Pool AVP

   The Framed-Pool AVP (AVP Code 88) is of type OctetString and contains the name of an assigned address pool that SHOULD be used to assign an address for the user. If a NAS does not support multiple address pools, the NAS SHOULD ignore this AVP.
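A strict parser for the Framed-Route grammar above, extended to the Framed-IPv6-Route form of Section 4.4.10.5.7 below; this is an added example, not code from the draft. It assumes the NAS already knows the user's own address, which stands in for a gateway of 0.0.0.0 or ::, and that a route which does not match the grammar is rejected rather than installed.

```python
import ipaddress
from typing import NamedTuple, Tuple, Union


class Route(NamedTuple):
    network: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    gateway: Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
    metrics: Tuple[int, ...]


def classful_prefix_length(addr: ipaddress.IPv4Address) -> int:
    """Default length when an IPv4 Framed-Route omits '/len': 8 for class A,
    16 for class B, 24 for class C (Section 4.4.10.5.3)."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    # Class D/E prefixes have no classful default. Rejecting them is this
    # example's choice; the draft does not say what a NAS should do.
    raise ValueError(f"{addr}: no classful default prefix length")


def parse_route(text: str, user_address: str) -> Route:
    """Parse a Framed-Route (IPv4) or Framed-IPv6-Route (IPv6) string.

    The address family of user_address selects the grammar. A gateway of
    0.0.0.0 or :: means 'use the user's own address', as the draft says.
    Raises ValueError for anything outside the grammar, so a malformed or
    ambiguous AVP never turns into an installed route.
    """
    user = ipaddress.ip_address(user_address)
    fields = text.split(" ")            # the grammar uses single spaces
    if len(fields) < 3 or "" in fields:
        raise ValueError("expected '<prefix>[/len] <gateway> <metric>...'")
    prefix_text, gateway_text, metric_texts = fields[0], fields[1], fields[2:]
    addr_text, slash, len_text = prefix_text.partition("/")
    if slash and not len_text.isdigit():
        raise ValueError("prefix length must be a decimal number")

    if user.version == 4:
        addr = ipaddress.IPv4Address(addr_text)          # dotted quad only
        length = int(len_text) if slash else classful_prefix_length(addr)
        gateway = ipaddress.IPv4Address(gateway_text)
    else:
        if not slash:
            raise ValueError("Framed-IPv6-Route prefix MUST carry a /length")
        addr = ipaddress.IPv6Address(addr_text)
        length = int(len_text)
        gateway = ipaddress.IPv6Address(gateway_text)

    # strict=False keeps only the high-order `length` bits, as the text says;
    # a length beyond the family's maximum raises NetmaskValueError.
    network = ipaddress.ip_network(f"{addr}/{length}", strict=False)
    if not all(m.isdigit() for m in metric_texts):
        raise ValueError("metrics must be decimal integers")
    if int(gateway) == 0:               # 0.0.0.0 or :: -> the user's address
        gateway = user
    return Route(network, gateway, tuple(int(m) for m in metric_texts))


# Constructed sample inputs; the second IPv6 line is the draft's own example
# string, whose gateway has only seven hextets and so is rejected.
SAMPLE_IPV4 = ["192.0.2.0/24 192.0.2.1 1", "192.0.2.0 192.0.2.1 1", "10.0.0.0 0.0.0.0 1 5"]
SAMPLE_IPV6 = ["2001:db8::/32 :: 1", "2001:db8::/32 2001:db8:106:a00:20ff:fe99:a998 1"]
```

Note that the draft's sample "2001:db8::/32 2001:db8:106:a00:20ff:fe99:a998 1" does not parse: the gateway has seven 16-bit groups and no "::", so it is not a valid IPv6 address.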
   Address pools are usually used for IP addresses but can be used for other protocols if the NAS supports pools for those protocols.

   Although specified as type OctetString for compatibility with RADIUS [RFC2865], the encoding of the Data field SHOULD also conform to the rules for the UTF8String Data Format.

4.4.10.5.5. Framed-Interface-Id AVP

   The Framed-Interface-Id AVP (AVP Code 96) is of type Unsigned64 and contains the IPv6 interface identifier to be configured for the user. It MAY be used in authorization requests as a hint to the server that a specific interface id is desired, but the server is not required to honor the hint in the corresponding response.

4.4.10.5.6. Framed-IPv6-Prefix AVP

   The Framed-IPv6-Prefix AVP (AVP Code 97) is of type OctetString and contains the IPv6 prefix to be configured for the user. One or more AVPs MAY be used in authorization requests as a hint to the server that specific IPv6 prefixes are desired, but the server is not required to honor the hint in the corresponding response.

4.4.10.5.7. Framed-IPv6-Route AVP

   The Framed-IPv6-Route AVP (AVP Code 99) is of type UTF8String and contains the ASCII routing information to be configured for the user on the NAS. Zero or more of these AVPs MAY be present in an authorization response.

   The string MUST contain an IPv6 address prefix followed by a slash and a decimal length specifier stating how many high order bits of the prefix should be used. This is followed by a space, a gateway address in hexadecimal notation, a space, and one or more metrics separated by spaces; for example,

      "2001:db8::/32 2001:db8:106:a00:20ff:fe99:a998 1"

   Whenever the gateway address is the IPv6 unspecified address, the IP address of the user SHOULD be used as the gateway address, such as in:

      "2001:db8::/32 :: 1"

4.4.10.5.8. Framed-IPv6-Pool AVP

   The Framed-IPv6-Pool AVP (AVP Code 100) is of type OctetString and contains the name of an assigned pool that SHOULD be used to assign an IPv6 prefix for the user. If the access device does not support multiple prefix pools, it MUST ignore this AVP.

   Although specified as type OctetString for compatibility with RADIUS [RFC3162], the encoding of the Data field SHOULD also conform to the rules for the UTF8String Data Format.

4.4.10.6. IPX Access AVPs

   The AVPs defined in this section are used when the user requests, or is being granted, access to an IPX network service [IPX].

4.4.10.6.1. Framed-IPX-Network AVP

   The Framed-IPX-Network AVP (AVP Code 23) is of type Unsigned32 and contains the IPX Network number to be configured for the user. It MAY be used in an authorization request as a hint to the server that a specific address is desired, but the server is not required to honor the hint in the corresponding response.

   Two addresses have special significance: 0xFFFFFFFF and 0xFFFFFFFE. The value 0xFFFFFFFF indicates that the NAS should allow the user to select an address (i.e., Negotiated). The value 0xFFFFFFFE indicates that the NAS should select an address for the user (e.g., assign it from a pool of one or more IPX networks kept by the NAS).

4.4.10.7. AppleTalk Network Access AVPs

   The AVPs defined in this section are used when the user requests, or is being granted, access to an AppleTalk network [AppleTalk].

4.4.10.7.1. Framed-AppleTalk-Link AVP

   The Framed-AppleTalk-Link AVP (AVP Code 37) is of type Unsigned32 and contains the AppleTalk network number that should be used for the serial link to the user, which is another AppleTalk router. This AVP MUST only be present in an authorization response and is never used when the user is not another router.
   Despite the size of the field, values range from 0 to 65,535. The special value of 0 indicates an unnumbered serial link. A value of 1 to 65,535 means that the serial line between the NAS and the user should be assigned that value as an AppleTalk network number.

4.4.10.7.2. Framed-AppleTalk-Network AVP

   The Framed-AppleTalk-Network AVP (AVP Code 38) is of type Unsigned32 and contains the AppleTalk Network number that the NAS should probe to allocate an AppleTalk node for the user. This AVP MUST only be present in an authorization response and is never used when the user is not another router. Multiple instances of this AVP indicate that the NAS may probe, using any of the network numbers specified.

   Despite the size of the field, values range from 0 to 65,535. The special value 0 indicates that the NAS should assign a network for the user, using its default cable range. A value between 1 and 65,535 (inclusive) indicates to the AppleTalk Network that the NAS should probe to find an address for the user.

4.4.10.7.3. Framed-AppleTalk-Zone AVP

   The Framed-AppleTalk-Zone AVP (AVP Code 39) is of type OctetString and contains the AppleTalk Default Zone to be used for this user. This AVP MUST only be present in an authorization response. Multiple instances of this AVP in the same message are not allowed.

   The codification of this field's allowed range is outside the scope of this specification.

4.4.10.8. AppleTalk Remote Access AVPs

   The AVPs defined in this section are used when the user requests, or is being granted, access to the AppleTalk network via the AppleTalk Remote Access Protocol [ARAP]. They are only present if the Framed-Protocol AVP (Section 4.4.10.1) is set to ARAP. Section 2.2 of RFC 2869 [RFC2869] describes the operational use of these attributes.

4.4.10.8.1. ARAP-Features AVP

   The ARAP-Features AVP (AVP Code 71) is of type OctetString and MAY be present in the AA-Accept message if the Framed-Protocol AVP is set to the value of ARAP. See [RFC2869] for more information about the format of this AVP.

4.4.10.8.2. ARAP-Zone-Access AVP

   The ARAP-Zone-Access AVP (AVP Code 72) is of type Enumerated and MAY be present in the AA-Accept message if the Framed-Protocol AVP is set to the value of ARAP.

   The supported values are listed in [RADIUSTypes] and defined in [RFC2869].

4.4.11. Non-Framed Access Authorization AVPs

   This section contains the authorization AVPs that are needed to support terminal server functionality. AVPs defined in this section MAY be present in a message if the Service-Type AVP was set to "Login" or "Callback Login".

4.4.11.1. Login-IP-Host AVP

   The Login-IP-Host AVP (AVP Code 14) [RFC2865] is of type OctetString and contains the IPv4 address of a host with which to connect the user when the Login-Service AVP is included. It MAY be used in an AA-Request command as a hint to the Diameter Server that a specific host is desired, but the Diameter Server is not required to honor the hint in the AA-Answer.

   Two addresses have special significance: all ones and 0. The value of all ones indicates that the NAS SHOULD allow the user to select an address. The value 0 indicates that the NAS SHOULD select a host to connect the user to.

4.4.11.2. Login-IPv6-Host AVP

   The Login-IPv6-Host AVP (AVP Code 98) [RFC3162] is of type OctetString and contains the IPv6 address of a host with which to connect the user when the Login-Service AVP is included. It MAY be used in an AA-Request command as a hint to the Diameter Server that a specific host is desired, but the Diameter Server is not required to honor the hint in the AA-Answer.
   Two addresses have special significance, 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF and 0. The value 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF indicates that the NAS SHOULD allow the user to select an address. The value 0 indicates that the NAS SHOULD select a host to connect the user to.

4.4.11.3. Login-Service AVP

   The Login-Service AVP (AVP Code 15) is of type Enumerated and contains the service that should be used to connect the user to the login host. This AVP SHOULD only be present in authorization responses. The supported values are listed in [RFC2869].

4.4.11.4. TCP Services

   The AVP described in the following section MAY be present if the Login-Service AVP is set to Telnet, Rlogin, TCP Clear, or TCP Clear Quiet.

4.4.11.4.1. Login-TCP-Port AVP

   The Login-TCP-Port AVP (AVP Code 16) is of type Unsigned32 and contains the TCP port with which the user is to be connected when the Login-Service AVP is also present. This AVP SHOULD only be present in authorization responses. The value MUST NOT be greater than 65,535.

4.4.11.5. LAT Services

   The AVPs described in this section MAY be present if the Login-Service AVP is set to LAT [LAT].

4.4.11.5.1. Login-LAT-Service AVP

   The Login-LAT-Service AVP (AVP Code 34) is of type OctetString and contains the system with which the user is to be connected by LAT. It MAY be used in an authorization request as a hint to the server that a specific service is desired, but the server is not required to honor the hint in the corresponding response. This AVP MUST only be present in the response if the Login-Service AVP states that LAT is desired.

   Administrators use this service attribute when dealing with clustered systems.
   In these environments, several different time-sharing hosts share the same resources (disks, printers, etc.), and administrators often configure each host to offer access (service) to each of the shared resources. In this case, each host in the cluster advertises its services through LAT broadcasts.

   Sophisticated users often know which service providers (machines) are faster and tend to use a node name when initiating a LAT connection. Some administrators want particular users to use certain machines as a primitive form of load balancing (although LAT knows how to do load balancing itself).

   The String field contains the identity of the LAT service to use. The LAT Architecture allows this string to contain $ (dollar), - (hyphen), . (period), _ (underscore), numerics, upper- and lowercase alphabetics, and the ISO Latin-1 character set extension [ISO.8859-1.1987]. All LAT string comparisons are case insensitive.

4.4.11.5.2. Login-LAT-Node AVP

   The Login-LAT-Node AVP (AVP Code 35) is of type OctetString and contains the Node with which the user is to be automatically connected by LAT. It MAY be used in an authorization request as a hint to the server that a specific LAT node is desired, but the server is not required to honor the hint in the corresponding response. This AVP MUST only be present in a response if the Login-Service-Type AVP is set to LAT.

   The String field contains the identity of the LAT service to use. The LAT Architecture allows this string to contain $ (dollar), - (hyphen), . (period), _ (underscore), numerics, upper- and lowercase alphabetics, and the ISO Latin-1 character set extension [ISO.8859-1.1987]. All LAT string comparisons are case insensitive.

4.4.11.5.3. Login-LAT-Group AVP

   The Login-LAT-Group AVP (AVP Code 36) is of type OctetString and contains a string identifying the LAT group codes this user is authorized to use. It MAY be used in an authorization request as a hint to the server that a specific group is desired, but the server is not required to honor the hint in the corresponding response. This AVP MUST only be present in a response if the Login-Service-Type AVP is set to LAT.

   LAT supports 256 different group codes, which LAT uses as a form of access rights. LAT encodes the group codes as a 256-bit bitmap.

   Administrators can assign one or more of the group code bits at the LAT service provider; it will only accept LAT connections that have these group codes set in the bitmap. The administrators assign a bitmap of authorized group codes to each user. LAT gets these from the operating system and uses them in its requests to the service providers.

   The codification of the range of allowed usage of this field is outside the scope of this specification.

4.4.11.5.4. Login-LAT-Port AVP

   The Login-LAT-Port AVP (AVP Code 63) is of type OctetString and contains the Port with which the user is to be connected by LAT. It MAY be used in an authorization request as a hint to the server that a specific port is desired, but the server is not required to honor the hint in the corresponding response. This AVP MUST only be present in a response if the Login-Service-Type AVP is set to LAT.

   The String field contains the identity of the LAT service to use. The LAT Architecture allows this string to contain $ (dollar), - (hyphen), . (period), _ (underscore), numerics, upper- and lowercase alphabetics, and the ISO Latin-1 character set extension [ISO.8859-1.1987].

   All LAT string comparisons are case insensitive.

4.5. NAS Tunneling AVPs

   Some NASes support compulsory tunnel services in which the incoming connection data is conveyed by an encapsulation method to a gateway elsewhere in the network. This is typically transparent to the service user, and the tunnel characteristics may be described by the remote AAA server, based on the user's authorization information. Several tunnel characteristics may be returned, and the NAS implementation may choose one. See [RFC2868] and [RFC2867] for further information.

   The following table gives the possible flag values for the session level AVPs and specifies whether the AVP MAY be encrypted.

                                          +----------+
                                          | AVP Flag |
                                          |  rules   |
                                          |----+-----|
   Attribute Name               Section   |MUST| MUST|
                                Defined   |    | NOT |
   ---------------------------------------|----+-----|
   Tunneling                    4.5.1     | M  |  V  |
   Tunnel-Type                  4.5.2     | M  |  V  |
   Tunnel-Medium-Type           4.5.3     | M  |  V  |
   Tunnel-Client-Endpoint       4.5.4     | M  |  V  |
   Tunnel-Server-Endpoint       4.5.5     | M  |  V  |
   Tunnel-Password              4.5.6     | M  |  V  |
   Tunnel-Private-Group-Id      4.5.7     | M  |  V  |
   Tunnel-Assignment-Id         4.5.8     | M  |  V  |
   Tunnel-Preference            4.5.9     | M  |  V  |
   Tunnel-Client-Auth-Id        4.5.10    | M  |  V  |
   Tunnel-Server-Auth-Id        4.5.11    | M  |  V  |
   ---------------------------------------|----+-----|

4.5.1. Tunneling AVP

   The Tunneling AVP (AVP Code 401) is of type Grouped and contains the following AVPs, used to describe a compulsory tunnel service ([RFC2868], [RFC2867]). Its data field has the following ABNF grammar:

   Tunneling ::= < AVP Header: 401 >
                 { Tunnel-Type }
                 { Tunnel-Medium-Type }
                 { Tunnel-Client-Endpoint }
                 { Tunnel-Server-Endpoint }
                 [ Tunnel-Preference ]
                 [ Tunnel-Client-Auth-Id ]
                 [ Tunnel-Server-Auth-Id ]
                 [ Tunnel-Assignment-Id ]
                 [ Tunnel-Password ]
                 [ Tunnel-Private-Group-Id ]

4.5.2. Tunnel-Type AVP

   The Tunnel-Type AVP (AVP Code 64) is of type Enumerated and contains the tunneling protocol(s) to be used (in the case of a tunnel initiator) or in use (in the case of a tunnel terminator). It MAY be used in an authorization request as a hint to the server that a specific tunnel type is desired, but the server is not required to honor the hint in the corresponding response.

   The Tunnel-Type AVP SHOULD also be included in ACR messages.

   A tunnel initiator is not required to implement any of these tunnel types. If a tunnel initiator receives a response that contains only unknown or unsupported Tunnel-Types, the tunnel initiator MUST behave as though a response were received with the Result-Code indicating a failure.

   The supported values are listed in [RADIUSTypes].

4.5.3. Tunnel-Medium-Type AVP

   The Tunnel-Medium-Type AVP (AVP Code 65) is of type Enumerated and contains the transport medium to use when creating a tunnel for protocols (such as L2TP [RFC3931]) that can operate over multiple transports. It MAY be used in an authorization request as a hint to the server that a specific medium is desired, but the server is not required to honor the hint in the corresponding response.

   The supported values are listed in [RADIUSTypes].

4.5.4. Tunnel-Client-Endpoint AVP

   The Tunnel-Client-Endpoint AVP (AVP Code 66) is of type UTF8String and contains the address of the initiator end of the tunnel. It MAY be used in an authorization request as a hint to the server that a specific endpoint is desired, but the server is not required to honor the hint in the corresponding response. This AVP SHOULD be included in the corresponding ACR messages, in which case it indicates the address from which the tunnel was initiated.
   This AVP, along with the Tunnel-Server-Endpoint (Section 4.5.5) and Session-Id AVPs ([I-D.ietf-dime-rfc3588bis], Section 8.8), can be used to provide a globally unique means to identify a tunnel for accounting and auditing purposes.

   If the value of the Tunnel-Medium-Type AVP (Section 4.5.3) is IPv4 (1), then this string is either the fully qualified domain name (FQDN) of the tunnel client machine, or a "dotted-decimal" IP address. Implementations MUST support the dotted-decimal format and SHOULD support the FQDN format for IP addresses.

   If Tunnel-Medium-Type is IPv6 (2), then this string is either the FQDN of the tunnel client machine, or a text representation of the address in either the preferred or alternate form [RFC3516]. Conforming implementations MUST support the preferred form and SHOULD support both the alternate text form and the FQDN format for IPv6 addresses.

   If Tunnel-Medium-Type is neither IPv4 nor IPv6, then this string is a tag referring to configuration data local to the Diameter client that describes the interface or medium-specific client address to use.

4.5.5. Tunnel-Server-Endpoint AVP

   The Tunnel-Server-Endpoint AVP (AVP Code 67) is of type UTF8String and contains the address of the server end of the tunnel. It MAY be used in an authorization request as a hint to the server that a specific endpoint is desired, but the server is not required to honor the hint in the corresponding response.

   This AVP SHOULD be included in the corresponding ACR messages, in which case it indicates the address from which the tunnel was initiated. This AVP, along with the Tunnel-Client-Endpoint (Section 4.5.4) and Session-Id AVP ([I-D.ietf-dime-rfc3588bis], Section 8.8), can be used to provide a globally unique means to identify a tunnel for accounting and auditing purposes.
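An encoder and decoder for the Tunneling grouped AVP of Section 4.5.1 that enforces the grammar's cardinality, the M/V flag rules from the Section 4.5 table, and the endpoint syntax that Sections 4.5.4 and 4.5.5 tie to Tunnel-Medium-Type; this is an added example, not code from the draft. It assumes the 8-octet Diameter AVP header layout of the base protocol and the Tunnel-Medium-Type values IPv4 = 1 and IPv6 = 2 named in the text.

```python
import ipaddress
import struct

# AVP codes from Section 4.5 of the draft.
TUNNELING, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE = 401, 64, 65
TUNNEL_CLIENT_ENDPOINT, TUNNEL_SERVER_ENDPOINT = 66, 67
TUNNEL_PASSWORD, TUNNEL_PRIVATE_GROUP_ID, TUNNEL_ASSIGNMENT_ID = 69, 81, 82
TUNNEL_PREFERENCE, TUNNEL_CLIENT_AUTH_ID, TUNNEL_SERVER_AUTH_ID = 83, 90, 91

# Cardinality from the Section 4.5.1 grammar: { } exactly once, [ ] at most once.
REQUIRED = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_CLIENT_ENDPOINT, TUNNEL_SERVER_ENDPOINT)
OPTIONAL = (TUNNEL_PREFERENCE, TUNNEL_CLIENT_AUTH_ID, TUNNEL_SERVER_AUTH_ID,
            TUNNEL_ASSIGNMENT_ID, TUNNEL_PASSWORD, TUNNEL_PRIVATE_GROUP_ID)
MEDIUM_IPV4, MEDIUM_IPV6 = 1, 2      # Tunnel-Medium-Type values named in Section 4.5.4
FLAG_V, FLAG_M = 0x80, 0x40          # AVP flag bits of the Diameter base protocol


def encode_avp(code: int, data: bytes, flags: int = FLAG_M) -> bytes:
    """Diameter AVP: code(4) flags(1) length(3) data, padded to a 4-octet boundary.
    Length covers header and data but not padding. The Section 4.5 table says M
    MUST be set and V MUST NOT, so no Vendor-ID field is ever emitted."""
    if flags & FLAG_V:
        raise ValueError("V bit MUST NOT be set on NAS tunneling AVPs")
    length = 8 + len(data)
    header = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    return header + data + b"\x00" * ((-len(data)) % 4)


def enumerated(value: int) -> bytes:
    return struct.pack("!i", value)          # Enumerated is a signed 32-bit integer


def unsigned32(value: int) -> bytes:
    return struct.pack("!I", value)


def check_endpoint(medium: int, endpoint: str) -> None:
    """Sections 4.5.4/4.5.5: for IPv4 the endpoint is dotted-decimal or an FQDN,
    for IPv6 a textual IPv6 address or an FQDN; any other medium carries a tag
    that only local configuration can interpret, so it is passed through."""
    if medium not in (MEDIUM_IPV4, MEDIUM_IPV6):
        return
    literal = ipaddress.IPv4Address if medium == MEDIUM_IPV4 else ipaddress.IPv6Address
    try:
        literal(endpoint)
        return
    except ValueError:
        pass
    # Not a literal of the right family: accept only a plausible FQDN, whose
    # labels are letters, digits and hyphens and whose last label is not numeric.
    labels = endpoint.rstrip(".").split(".")
    if not all(lb and lb.replace("-", "").isalnum() for lb in labels) or labels[-1].isdigit():
        raise ValueError(f"endpoint {endpoint!r} is neither a literal address nor an FQDN")


def encode_tunneling(sub_avps) -> bytes:
    """sub_avps: list of (code, data) pairs. Checks the grammar, then the endpoint
    syntax implied by Tunnel-Medium-Type, before emitting the grouped AVP."""
    counts = {}
    for code, _ in sub_avps:
        counts[code] = counts.get(code, 0) + 1
    for code in REQUIRED:
        if counts.get(code, 0) != 1:
            raise ValueError(f"AVP {code} must appear exactly once in Tunneling")
    for code in OPTIONAL:
        if counts.get(code, 0) > 1:
            raise ValueError(f"AVP {code} may appear at most once in Tunneling")
    if set(counts) - set(REQUIRED) - set(OPTIONAL):
        raise ValueError("AVP not permitted inside Tunneling")
    data = dict(sub_avps)                    # safe: every code occurs at most once
    medium = struct.unpack("!i", data[TUNNEL_MEDIUM_TYPE])[0]
    for code in (TUNNEL_CLIENT_ENDPOINT, TUNNEL_SERVER_ENDPOINT):
        check_endpoint(medium, data[code].decode("utf-8"))
    return encode_avp(TUNNELING, b"".join(encode_avp(c, d) for c, d in sub_avps))


def decode_avps(buf: bytes):
    """Split a byte string into (code, flags, data) triples, rejecting lengths that
    are shorter than the header or run past the buffer."""
    out, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr = 12 if flags & FLAG_V else 8
        if length < hdr or off + length > len(buf):
            raise ValueError("AVP length out of range")
        out.append((code, flags, buf[off + hdr:off + length]))
        off += length + (-length) % 4
    return out
```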
   If Tunnel-Medium-Type is IPv4 (1), then the Tunnel-Server-Endpoint string is either the fully qualified domain name (FQDN) of the tunnel server machine, or a "dotted-decimal" IP address. Implementations MUST support the dotted-decimal format and SHOULD support the FQDN format for IP addresses.

   If Tunnel-Medium-Type is IPv6 (2), then this string is either the FQDN of the tunnel server machine, or a text representation of the address in either the preferred or alternate form [RFC3516]. Implementations MUST support the preferred form and SHOULD support both the alternate text form and the FQDN format for IPv6 addresses.

   If Tunnel-Medium-Type is not IPv4 or IPv6, this string is a tag referring to configuration data local to the Diameter client that describes the interface or medium-specific server address to use.

4.5.6. Tunnel-Password AVP

   The Tunnel-Password AVP (AVP Code 69) is of type OctetString and may contain a password to be used to authenticate to a remote server.

   The Tunnel-Password AVP SHOULD NOT be used in untrusted proxy environments without encrypting it by using end-to-end security techniques.

4.5.7. Tunnel-Private-Group-Id AVP

   The Tunnel-Private-Group-Id AVP (AVP Code 81) is of type OctetString and contains the group Id for a particular tunneled session. The Tunnel-Private-Group-Id AVP MAY be included in an authorization request if the tunnel initiator can predetermine the group resulting from a particular connection. It SHOULD be included in the authorization response if this tunnel session is to be treated as belonging to a particular private group. Private groups may be used to associate a tunneled session with a particular group of users. For example, it MAY be used to facilitate routing of unregistered IP addresses through a particular interface.
   This AVP SHOULD be included in the ACR messages that pertain to the tunneled session.

4.5.8. Tunnel-Assignment-Id AVP

   The Tunnel-Assignment-Id AVP (AVP Code 82) is of type OctetString and is used to indicate to the tunnel initiator the particular tunnel to which a session is to be assigned. Some tunneling protocols, such as PPTP [RFC2637] and L2TP [RFC3931], allow for sessions between the same two tunnel endpoints to be multiplexed over the same tunnel and also for a given session to use its own dedicated tunnel. This attribute provides a mechanism for Diameter to inform the tunnel initiator (for example, a LAC) whether to assign the session to a multiplexed tunnel or to a separate tunnel. Furthermore, it allows for sessions sharing multiplexed tunnels to be assigned to different multiplexed tunnels.

   A particular tunneling implementation may assign differing characteristics to particular tunnels. For example, different tunnels may be assigned different QoS parameters. Such tunnels may be used to carry either individual or multiple sessions. The Tunnel-Assignment-Id attribute thus allows the Diameter server to indicate that a particular session is to be assigned to a tunnel providing an appropriate level of service. It is expected that any QoS-related Diameter tunneling attributes defined in the future accompanying this one will be associated by the tunnel initiator with the Id given by this attribute. In the meantime, any semantic given to a particular Id string is a matter left to local configuration in the tunnel initiator.

   The Tunnel-Assignment-Id AVP is of significance only to Diameter and the tunnel initiator. The Id it specifies is only intended to be of local use to Diameter and the tunnel initiator. The Id assigned by the tunnel initiator is not conveyed to the tunnel peer.
   This attribute MAY be included in authorization responses. The tunnel initiator receiving this attribute MAY choose to ignore it and to assign the session to an arbitrary multiplexed or non-multiplexed tunnel between the desired endpoints. This AVP SHOULD also be included in the Accounting-Request messages pertaining to the tunneled session.

   If a tunnel initiator supports the Tunnel-Assignment-Id AVP, then it should assign a session to a tunnel in the following manner:

   o  If this AVP is present and a tunnel exists between the specified endpoints with the specified Id, then the session should be assigned to that tunnel.

   o  If this AVP is present and no tunnel exists between the specified endpoints with the specified Id, then a new tunnel should be established for the session and the specified Id should be associated with the new tunnel.

   o  If this AVP is not present, then the session is assigned to an unnamed tunnel. If an unnamed tunnel does not yet exist between the specified endpoints, then it is established and used for this session and for subsequent ones established without the Tunnel-Assignment-Id attribute. A tunnel initiator MUST NOT assign a session for which a Tunnel-Assignment-Id AVP was not specified to a named tunnel (i.e., one that was initiated by a session specifying this AVP).

   Note that the same Id may be used to name different tunnels if these tunnels are between different endpoints.

4.5.9. Tunnel-Preference AVP

   The Tunnel-Preference AVP (AVP Code 83) is of type Unsigned32 and is used to identify the relative preference assigned to each tunnel when more than one set of tunneling AVPs is returned within separate Grouped-AVP AVPs.
   It MAY be used in an authorization request as a hint to the server that a specific preference is desired, but the server is not required to honor the hint in the corresponding response.

   For example, suppose that AVPs describing two tunnels are returned by the server, one with a Tunnel-Type of PPTP and the other with a Tunnel-Type of L2TP. If the tunnel initiator supports only one of the Tunnel-Types returned, it will initiate a tunnel of that type. If, however, it supports both tunnel protocols, it SHOULD use the value of the Tunnel-Preference AVP to decide which tunnel should be started. The tunnel with the lowest numerical value in the Value field of this AVP SHOULD be given the highest preference. The values assigned to two or more instances of the Tunnel-Preference AVP within a given authorization response MAY be identical. In this case, the tunnel initiator SHOULD use locally configured metrics to decide which set of AVPs to use.

4.5.10. Tunnel-Client-Auth-Id AVP

   The Tunnel-Client-Auth-Id AVP (AVP Code 90) is of type UTF8String and specifies the name used by the tunnel initiator during the authentication phase of tunnel establishment. It MAY be used in an authorization request as a hint to the server that a specific preference is desired, but the server is not required to honor the hint in the corresponding response. This AVP MUST be present in the authorization response if an authentication name other than the default is desired. This AVP SHOULD be included in the ACR messages pertaining to the tunneled session.

4.5.11. Tunnel-Server-Auth-Id AVP

   The Tunnel-Server-Auth-Id AVP (AVP Code 91) is of type UTF8String and specifies the name used by the tunnel terminator during the authentication phase of tunnel establishment.
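The tunnel initiator's side of three rules above, modelled together because they act on the same authorization answer: the unsupported-Tunnel-Type fallback of Section 4.5.2, the session-to-tunnel assignment procedure of Section 4.5.8, and the lowest-value-wins selection of Section 4.5.9. This is an added example, not code from the draft; the sample answer is constructed, and the Tunnel-Type values PPTP = 1 and L2TP = 3 are taken from the RADIUS registry the draft cites as [RADIUSTypes].

```python
from typing import Dict, Iterable, List, Optional, Tuple

# Tunnel-Type values from the RADIUS Tunnel-Type registry cited as [RADIUSTypes].
PPTP, L2TP = 1, 3

Group = Dict[str, object]       # one decoded Tunneling grouped AVP, keyed by sub-AVP name
TunnelKey = Tuple[str, str, Optional[str]]


class TunnelInitiator:
    """Tunnel-initiator (e.g. a LAC) behaviour from Sections 4.5.2, 4.5.8 and 4.5.9."""

    def __init__(self, supported_types: Iterable[int]):
        self.supported = set(supported_types)
        # Live tunnels keyed by (client endpoint, server endpoint, Tunnel-Assignment-Id).
        # An Id of None is the unnamed tunnel for that endpoint pair.
        self.tunnels: Dict[TunnelKey, List[str]] = {}

    def choose(self, groups: List[Group]) -> Optional[Group]:
        """Pick the Tunneling group to act on from an authorization answer.

        Returns None when every returned Tunnel-Type is unknown or unsupported;
        Section 4.5.2 says that case MUST be treated as if the answer carried a
        failure Result-Code, so the caller must not fall back to an untunneled
        session."""
        usable = [g for g in groups if g["Tunnel-Type"] in self.supported]
        if not usable:
            return None
        # Section 4.5.9: the lowest Tunnel-Preference wins. A group without the
        # AVP sorts last; equal values fall back to answer order, which stands in
        # for the locally configured metric the draft leaves to the initiator.
        return min(usable, key=lambda g: g.get("Tunnel-Preference", 2 ** 32))

    def assign_session(self, session_id: str, group: Group) -> TunnelKey:
        """Put a session on a tunnel following the three Section 4.5.8 rules."""
        key = (group["Tunnel-Client-Endpoint"], group["Tunnel-Server-Endpoint"],
               group.get("Tunnel-Assignment-Id"))
        # Rules 1 and 2: with an Id, reuse the tunnel named by (endpoints, Id) or
        # create it. Rule 3: without an Id, reuse or create the unnamed tunnel for
        # these endpoints. Because the Id is part of the key, an Id-less session can
        # never land on a named tunnel (the MUST NOT in rule 3), and the same Id
        # names distinct tunnels between different endpoint pairs (closing note).
        self.tunnels.setdefault(key, []).append(session_id)
        return key


# Constructed sample answer: two Tunneling groups for the same endpoint pair.
SAMPLE_ANSWER: List[Group] = [
    {"Tunnel-Type": PPTP, "Tunnel-Medium-Type": 1, "Tunnel-Client-Endpoint": "192.0.2.10",
     "Tunnel-Server-Endpoint": "192.0.2.20", "Tunnel-Preference": 0},
    {"Tunnel-Type": L2TP, "Tunnel-Medium-Type": 1, "Tunnel-Client-Endpoint": "192.0.2.10",
     "Tunnel-Server-Endpoint": "192.0.2.20", "Tunnel-Preference": 1,
     "Tunnel-Assignment-Id": "gold"},
]
```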
   The Tunnel-Server-Auth-Id AVP MAY be used in an authorization request as a hint to the server that a specific preference is desired, but the server is not required to honor the hint in the corresponding response. This AVP MUST be present in the authorization response if an authentication name other than the default is desired. This AVP SHOULD be included in the ACR messages pertaining to the tunneled session.

4.6. NAS Accounting AVPs

   Applications implementing this specification use Diameter Accounting (as defined in [I-D.ietf-dime-rfc3588bis]) and the AVPs in the following section. Service-specific AVP usage is defined in the tables in Section 5.

   If accounting is active, Accounting Request (ACR) messages SHOULD be sent after the completion of any Authentication or Authorization transaction and at the end of a Session. The value of the Accounting-Record-Type AVP [I-D.ietf-dime-rfc3588bis] indicates the type of event. All other AVPs identify the session and provide additional information relevant to the event.

   The successful completion of the first Authentication or Authorization transaction SHOULD cause a START_RECORD to be sent. If additional Authentications or Authorizations occur in later transactions, the first exchange should generate a START_RECORD, and the later an INTERIM_RECORD. For a given session, there MUST only be one set of matching START and STOP records, with any number of INTERIM_RECORDS in between, or one EVENT_RECORD indicating the reason a session wasn't started.

   The following table gives the possible flag values for the session level AVPs and specifies whether the AVP MAY be encrypted.
                                                +----------+
                                                | AVP Flag |
                                                |  rules   |
                                                |----+-----|
                                       Section  |MUST| MUST|
   Attribute Name                      Defined  |    |  NOT|
   ---------------------------------------------|----+-----|
   Accounting-Input-Octets             4.6.1    | M  |  V  |
   Accounting-Output-Octets            4.6.2    | M  |  V  |
   Accounting-Input-Packets            4.6.3    | M  |  V  |
   Accounting-Output-Packets           4.6.4    | M  |  V  |
   Acct-Session-Time                   4.6.5    | M  |  V  |
   Acct-Authentic                      4.6.6    | M  |  V  |
   Accounting-Auth-Method              4.6.7    | M  |  V  |
   Acct-Delay-Time                     4.6.8    | M  |  V  |
   Acct-Link-Count                     4.6.9    | M  |  V  |
   Acct-Tunnel-Connection              4.6.10   | M  |  V  |
   Acct-Tunnel-Packets-Lost            4.6.11   | M  |  V  |
   ---------------------------------------------|----+-----|

4.6.1.  Accounting-Input-Octets AVP

   The Accounting-Input-Octets AVP (AVP Code 363) is of type Unsigned64
   and contains the number of octets received from the user.

   For NAS usage, this AVP indicates how many octets have been received
   from the port in the course of this session.  It can only be present
   in ACR messages with an Accounting-Record-Type
   [I-D.ietf-dime-rfc3588bis] of INTERIM_RECORD or STOP_RECORD.

4.6.2.  Accounting-Output-Octets AVP

   The Accounting-Output-Octets AVP (AVP Code 364) is of type
   Unsigned64 and contains the number of octets sent to the user.

   For NAS usage, this AVP indicates how many octets have been sent to
   the port in the course of this session.  It can only be present in
   ACR messages with an Accounting-Record-Type of INTERIM_RECORD or
   STOP_RECORD.

4.6.3.  Accounting-Input-Packets AVP

   The Accounting-Input-Packets AVP (AVP Code 365) is of type
   Unsigned64 and contains the number of packets received from the
   user.

   For NAS usage, this AVP indicates how many packets have been
   received from the port over the course of a session being provided
   to a Framed User.  It can only be present in ACR messages with an
   Accounting-Record-Type of INTERIM_RECORD or STOP_RECORD.

4.6.4.  Accounting-Output-Packets AVP

   The Accounting-Output-Packets AVP (AVP Code 366) is of type
   Unsigned64 and contains the number of IP packets sent to the user.

   For NAS usage, this AVP indicates how many packets have been sent to
   the port over the course of a session being provided to a Framed
   User.  It can only be present in ACR messages with an
   Accounting-Record-Type of INTERIM_RECORD or STOP_RECORD.

4.6.5.  Acct-Session-Time AVP

   The Acct-Session-Time AVP (AVP Code 46) is of type Unsigned32 and
   indicates the length of the current session in seconds.  It can
   only be present in ACR messages with an Accounting-Record-Type of
   INTERIM_RECORD or STOP_RECORD.

4.6.6.  Acct-Authentic AVP

   The Acct-Authentic AVP (AVP Code 45) is of type Enumerated and
   specifies how the user was authenticated.  The supported values are
   listed in [RADIUSTypes].

4.6.7.  Accounting-Auth-Method AVP

   The Accounting-Auth-Method AVP (AVP Code 406) is of type Enumerated.
   A NAS MAY include this AVP in an Accounting-Request message to
   indicate the method used to authenticate the user.  (Note that this
   AVP is semantically equivalent, and the supported values are
   identical, to the Microsoft MS-Acct-Auth-Type vendor-specific RADIUS
   attribute [RFC2548].)

4.6.8.  Acct-Delay-Time AVP

   The Acct-Delay-Time AVP (AVP Code 41) is of type Unsigned32 and
   indicates the number of seconds the Diameter client has been trying
   to send the Accounting-Request (ACR).  The accounting server may
   subtract this value from the time when the ACR arrives at the server
   to calculate the approximate time of the event that caused the ACR
   to be generated.

   This AVP is not used for retransmissions at the transport level (TCP
   or SCTP).  Rather, it may be used when an ACR command cannot be
   transmitted because there is no appropriate peer to transmit it to,
   or was rejected because it could not be delivered.  In these cases,
   the command MAY be buffered and transmitted later, when an
   appropriate peer connection is available or after sufficient time
   has passed that the destination host may be reachable and
   operational.  If the ACR is re-sent in this way, the Acct-Delay-Time
   AVP SHOULD be included.  The value of this AVP indicates the number
   of seconds that elapsed between the time of the first attempt at
   transmission and the current attempt.

4.6.9.  Acct-Link-Count AVP

   The Acct-Link-Count AVP (AVP Code 51) is of type Unsigned32 and
   indicates the total number of links that have been active (current
   or closed) in a given multilink session at the time the accounting
   record is generated.  This AVP MAY be included in
   Accounting-Requests for any session that may be part of a multilink
   service.

   The Acct-Link-Count AVP may be used to make it easier for an
   accounting server to know when it has all the records for a given
   multilink service.  When the number of Accounting-Requests received
   with Accounting-Record-Type = STOP_RECORD and with the same
   Acct-Multi-Session-Id and unique Session-Ids equals the largest
   value of Acct-Link-Count seen in those Accounting-Requests, all
   STOP_RECORD Accounting-Requests for that multilink service have been
   received.

   The following example, showing eight Accounting-Requests,
   illustrates how the Acct-Link-Count AVP is used.  In the table
   below, only the relevant AVPs are shown, although additional AVPs
   containing accounting information will be present in the
   Accounting-Requests.
   Acct-Multi-                   Accounting-     Acct-
   Session-Id     Session-Id     Record-Type     Link-Count
   --------------------------------------------------------
   "...10"        "...10"        START_RECORD    1
   "...10"        "...11"        START_RECORD    2
   "...10"        "...11"        STOP_RECORD     2
   "...10"        "...12"        START_RECORD    3
   "...10"        "...13"        START_RECORD    4
   "...10"        "...12"        STOP_RECORD     4
   "...10"        "...13"        STOP_RECORD     4
   "...10"        "...10"        STOP_RECORD     4

4.6.10.  Acct-Tunnel-Connection AVP

   The Acct-Tunnel-Connection AVP (AVP Code 68) is of type OctetString
   and contains the identifier assigned to the tunnel session.  This
   AVP, along with the Tunnel-Client-Endpoint (Section 4.5.4) and
   Tunnel-Server-Endpoint (Section 4.5.5) AVPs, may be used to provide
   a means to uniquely identify a tunnel session for auditing purposes.

   The format of the identifier in this AVP depends upon the value of
   the Tunnel-Type AVP (Section 4.5.2).  For example, to identify an
   L2TP tunnel connection fully, the L2TP Tunnel Id and Call Id might
   be encoded in this field.  The exact encoding of this field is
   implementation dependent.

4.6.11.  Acct-Tunnel-Packets-Lost AVP

   The Acct-Tunnel-Packets-Lost AVP (AVP Code 86) is of type Unsigned32
   and contains the number of packets lost on a given tunnel.

5.  AVP Occurrence Tables

   The following tables present the AVPs used by NAS applications in
   NAS messages and specify in which Diameter messages they may or may
   not be present.  Messages and AVPs defined in the base Diameter
   protocol [I-D.ietf-dime-rfc3588bis] are not described in this
   document.  Note that AVPs that can only be present within a Grouped
   AVP are not represented in these tables.

   The tables use the following symbols:

   0     The AVP MUST NOT be present in the message.

   0+    Zero or more instances of the AVP MAY be present in the
         message.

   0-1   Zero or one instance of the AVP MAY be present in the
         message.

   1     Exactly one instance of the AVP MUST be present in the
         message.

5.1.  AA-Request/Answer AVP Table

   The table in this section is limited to the Command Codes defined in
   this specification.

                                    +-----------+
                                    |  Command  |
                                    |-----+-----|
   Attribute Name                   | AAR | AAA |
   ---------------------------------|-----+-----|
   Acct-Interim-Interval            |  0  | 0-1 |
   ARAP-Challenge-Response          |  0  | 0-1 |
   ARAP-Features                    |  0  | 0-1 |
   ARAP-Password                    | 0-1 |  0  |
   ARAP-Security                    | 0-1 | 0-1 |
   ARAP-Security-Data               | 0+  | 0+  |
   ARAP-Zone-Access                 |  0  | 0-1 |
   Auth-Application-Id              |  1  |  1  |
   Auth-Grace-Period                | 0-1 | 0-1 |
   Auth-Request-Type                |  1  |  1  |
   Auth-Session-State               | 0-1 | 0-1 |
   Authorization-Lifetime           | 0-1 | 0-1 |
   Callback-Id                      |  0  | 0-1 |
   Callback-Number                  | 0-1 | 0-1 |
   Called-Station-Id                | 0-1 |  0  |
   Calling-Station-Id               | 0-1 |  0  |
   CHAP-Auth                        | 0-1 |  0  |
   CHAP-Challenge                   | 0-1 |  0  |
   Class                            |  0  | 0+  |
   Configuration-Token              |  0  | 0+  |
   Connect-Info                     | 0+  |  0  |
   Destination-Host                 | 0-1 |  0  |
   Destination-Realm                |  1  |  0  |
   Error-Message                    |  0  | 0-1 |
   Error-Reporting-Host             |  0  | 0-1 |
   Failed-AVP                       | 0+  | 0+  |
   Filter-Id                        |  0  | 0+  |
   Framed-Appletalk-Link            |  0  | 0-1 |
   Framed-Appletalk-Network         |  0  | 0+  |
   Framed-Appletalk-Zone            |  0  | 0-1 |
   Framed-Compression               | 0+  | 0+  |
   Framed-Interface-Id              | 0-1 | 0-1 |
   Framed-IP-Address                | 0-1 | 0-1 |
   Framed-IP-Netmask                | 0-1 | 0-1 |
   Framed-IPv6-Prefix               | 0+  | 0+  |
   Framed-IPv6-Pool                 |  0  | 0-1 |
   Framed-IPv6-Route                |  0  | 0+  |
   Framed-IPX-Network               |  0  | 0-1 |
   Framed-MTU                       | 0-1 | 0-1 |
   Framed-Pool                      |  0  | 0-1 |
   Framed-Protocol                  | 0-1 | 0-1 |
   Framed-Route                     |  0  | 0+  |
   Framed-Routing                   |  0  | 0-1 |
   Idle-Timeout                     |  0  | 0-1 |
   Login-IP-Host                    | 0+  | 0+  |
   Login-IPv6-Host                  | 0+  | 0+  |
   Login-LAT-Group                  | 0-1 | 0-1 |
   Login-LAT-Node                   | 0-1 | 0-1 |
   Login-LAT-Port                   | 0-1 | 0-1 |
   Login-LAT-Service                | 0-1 | 0-1 |
   Login-Service                    |  0  | 0-1 |
   Login-TCP-Port                   |  0  | 0-1 |
   Multi-Round-Time-Out             |  0  | 0-1 |
   NAS-Filter-Rule                  |  0  | 0+  |
   NAS-Identifier                   | 0-1 |  0  |
   NAS-IP-Address                   | 0-1 |  0  |
   NAS-IPv6-Address                 | 0-1 |  0  |
   NAS-Port                         | 0-1 |  0  |
   NAS-Port-Id                      | 0-1 |  0  |
   NAS-Port-Type                    | 0-1 |  0  |
   Origin-AAA-Protocol              | 0-1 | 0-1 |
   Origin-Host                      |  1  |  1  |
   Origin-Realm                     |  1  |  1  |
   Origin-State-Id                  | 0-1 | 0-1 |
   Originating-Line-Info            | 0-1 |  0  |
   Password-Retry                   |  0  | 0-1 |
   Port-Limit                       | 0-1 | 0-1 |
   Prompt                           |  0  | 0-1 |
   Proxy-Info                       | 0+  | 0+  |
   QoS-Filter-Rule                  |  0  | 0+  |
   Re-Auth-Request-Type             |  0  | 0-1 |
   Redirect-Host                    |  0  | 0+  |
   Redirect-Host-Usage              |  0  | 0-1 |
   Redirect-Max-Cache-Time          |  0  | 0-1 |
   Reply-Message                    |  0  | 0+  |
   Result-Code                      |  0  |  1  |
   Route-Record                     | 0+  |  0  |
   Service-Type                     | 0-1 | 0-1 |
   Session-Id                       |  1  |  1  |
   Session-Timeout                  |  0  | 0-1 |
   State                            | 0-1 | 0-1 |
   Tunneling                        | 0+  | 0+  |
   User-Name                        | 0-1 | 0-1 |
   User-Password                    | 0-1 |  0  |
   ---------------------------------|-----+-----|

5.2.  Accounting AVP Tables

   The tables in this section are used to show which AVPs defined in
   this document are to be present and used in NAS application
   Accounting messages.  These AVPs are defined in this document, as
   well as in [I-D.ietf-dime-rfc3588bis] and [RFC2866].

5.2.1.  Framed Access Accounting AVP Table

   The table in this section is used when the Service-Type AVP
   (Section 4.4.1) specifies Framed Access.
                                    +-----------+
                                    |  Command  |
                                    |-----+-----|
   Attribute Name                   | ACR | ACA |
   ---------------------------------|-----+-----|
   Accounting-Auth-Method           | 0-1 |  0  |
   Accounting-Input-Octets          |  1  |  0  |
   Accounting-Input-Packets         |  1  |  0  |
   Accounting-Output-Octets         |  1  |  0  |
   Accounting-Output-Packets        |  1  |  0  |
   Accounting-Record-Number         | 0-1 | 0-1 |
   Accounting-Record-Type           |  1  |  1  |
   Accounting-Realtime-Required     | 0-1 | 0-1 |
   Accounting-Sub-Session-Id        | 0-1 | 0-1 |
   Acct-Application-Id              | 0-1 | 0-1 |
   Acct-Session-Id                  |  1  | 0-1 |
   Acct-Multi-Session-Id            | 0-1 | 0-1 |
   Acct-Authentic                   |  1  |  0  |
   Acct-Delay-Time                  | 0-1 |  0  |
   Acct-Interim-Interval            | 0-1 | 0-1 |
   Acct-Link-Count                  | 0-1 |  0  |
   Acct-Session-Time                |  1  |  0  |
   Acct-Tunnel-Connection           | 0-1 |  0  |
   Acct-Tunnel-Packets-Lost         | 0-1 |  0  |
   Authorization-Lifetime           | 0-1 |  0  |
   Callback-Id                      | 0-1 |  0  |
   Callback-Number                  | 0-1 |  0  |
   Called-Station-Id                | 0-1 |  0  |
   Calling-Station-Id               | 0-1 |  0  |
   Class                            | 0+  | 0+  |
   Connection-Info                  | 0+  |  0  |
   Destination-Host                 | 0-1 |  0  |
   Destination-Realm                |  1  |  0  |
   Event-Timestamp                  | 0-1 | 0-1 |
   Error-Message                    |  0  | 0-1 |
   Error-Reporting-Host             |  0  | 0-1 |
   Failed-AVP                       |  0  | 0+  |
   Framed-AppleTalk-Link            | 0-1 |  0  |
   Framed-AppleTalk-Network         | 0-1 |  0  |
   Framed-AppleTalk-Zone            | 0-1 |  0  |
   Framed-Compression               | 0-1 |  0  |
   Framed-IP-Address                | 0-1 |  0  |
   Framed-IP-Netmask                | 0-1 |  0  |
   Framed-IPv6-Prefix               | 0+  |  0  |
   Framed-IPv6-Pool                 | 0-1 |  0  |
   Framed-IPX-Network               | 0-1 |  0  |
   Framed-MTU                       | 0-1 |  0  |
   Framed-Pool                      | 0-1 |  0  |
   Framed-Protocol                  | 0-1 |  0  |
   Framed-Route                     | 0-1 |  0  |
   Framed-Routing                   | 0-1 |  0  |
   NAS-Filter-Rule                  | 0+  |  0  |
   NAS-Identifier                   | 0-1 | 0-1 |
   NAS-IP-Address                   | 0-1 | 0-1 |
   NAS-IPv6-Address                 | 0-1 | 0-1 |
   NAS-Port                         | 0-1 | 0-1 |
   NAS-Port-Id                      | 0-1 | 0-1 |
   NAS-Port-Type                    | 0-1 | 0-1 |
   Origin-AAA-Protocol              | 0-1 | 0-1 |
   Origin-Host                      |  1  |  1  |
   Origin-Realm                     |  1  |  1  |
   Origin-State-Id                  | 0-1 | 0-1 |
   Originating-Line-Info            | 0-1 |  0  |
   Proxy-Info                       | 0+  | 0+  |
   QoS-Filter-Rule                  | 0+  |  0  |
   Route-Record                     | 0+  |  0  |
   Result-Code                      |  0  |  1  |
   Service-Type                     | 0-1 | 0-1 |
   Session-Id                       |  1  |  1  |
   Termination-Cause                | 0-1 | 0-1 |
   Tunnel-Assignment-Id             | 0-1 |  0  |
   Tunnel-Client-Endpoint           | 0-1 |  0  |
   Tunnel-Medium-Type               | 0-1 |  0  |
   Tunnel-Private-Group-Id          | 0-1 |  0  |
   Tunnel-Server-Endpoint           | 0-1 |  0  |
   Tunnel-Type                      | 0-1 |  0  |
   User-Name                        | 0-1 | 0-1 |
   Vendor-Specific-Application-Id   | 0-1 | 0-1 |
   ---------------------------------|-----+-----|

5.2.2.  Non-Framed Access Accounting AVP Table

   The table in this section is used when the Service-Type AVP
   (Section 4.4.1) specifies Non-Framed Access.
                                    +-----------+
                                    |  Command  |
                                    |-----+-----|
   Attribute Name                   | ACR | ACA |
   ---------------------------------|-----+-----|
   Accounting-Auth-Method           | 0-1 |  0  |
   Accounting-Input-Octets          |  1  |  0  |
   Accounting-Output-Octets         |  1  |  0  |
   Accounting-Record-Type           |  1  |  1  |
   Accounting-Record-Number         | 0-1 | 0-1 |
   Accounting-Realtime-Required     | 0-1 | 0-1 |
   Accounting-Sub-Session-Id        | 0-1 | 0-1 |
   Acct-Application-Id              | 0-1 | 0-1 |
   Acct-Session-Id                  |  1  | 0-1 |
   Acct-Multi-Session-Id            | 0-1 | 0-1 |
   Acct-Authentic                   |  1  |  0  |
   Acct-Delay-Time                  | 0-1 |  0  |
   Acct-Interim-Interval            | 0-1 | 0-1 |
   Acct-Link-Count                  | 0-1 |  0  |
   Acct-Session-Time                |  1  |  0  |
   Authorization-Lifetime           | 0-1 |  0  |
   Callback-Id                      | 0-1 |  0  |
   Callback-Number                  | 0-1 |  0  |
   Called-Station-Id                | 0-1 |  0  |
   Calling-Station-Id               | 0-1 |  0  |
   Class                            | 0+  | 0+  |
   Connection-Info                  | 0+  |  0  |
   Destination-Host                 | 0-1 |  0  |
   Destination-Realm                |  1  |  0  |
   Event-Timestamp                  | 0-1 | 0-1 |
   Error-Message                    |  0  | 0-1 |
   Error-Reporting-Host             |  0  | 0-1 |
   Failed-AVP                       |  0  | 0+  |
   Login-IP-Host                    | 0+  |  0  |
   Login-IPv6-Host                  | 0+  |  0  |
   Login-LAT-Service                | 0-1 |  0  |
   Login-LAT-Node                   | 0-1 |  0  |
   Login-LAT-Group                  | 0-1 |  0  |
   Login-LAT-Port                   | 0-1 |  0  |
   Login-Service                    | 0-1 |  0  |
   Login-TCP-Port                   | 0-1 |  0  |
   NAS-Identifier                   | 0-1 | 0-1 |
   NAS-IP-Address                   | 0-1 | 0-1 |
   NAS-IPv6-Address                 | 0-1 | 0-1 |
   NAS-Port                         | 0-1 | 0-1 |
   NAS-Port-Id                      | 0-1 | 0-1 |
   NAS-Port-Type                    | 0-1 | 0-1 |
   Origin-AAA-Protocol              | 0-1 | 0-1 |
   Origin-Host                      |  1  |  1  |
   Origin-Realm                     |  1  |  1  |
   Origin-State-Id                  | 0-1 | 0-1 |
   Originating-Line-Info            | 0-1 |  0  |
   Proxy-Info                       | 0+  | 0+  |
   QoS-Filter-Rule                  | 0+  |  0  |
   Route-Record                     | 0+  |  0  |
   Result-Code                      |  0  |  1  |
   Session-Id                       |  1  |  1  |
   Service-Type                     | 0-1 | 0-1 |
   Termination-Cause                | 0-1 | 0-1 |
   User-Name                        | 0-1 | 0-1 |
   Vendor-Specific-Application-Id   | 0-1 | 0-1 |
   ---------------------------------|-----+-----|

6.  IANA Considerations

   This document does not request any action by IANA.

7.  Security Considerations

   This document describes the extension of Diameter for the NAS
   application.  The security considerations of the Diameter protocol
   itself have been discussed in [I-D.ietf-dime-rfc3588bis].  Use of
   this application of Diameter MUST take into consideration the
   security issues and requirements of the Base protocol.

   This document does not contain a security protocol but does discuss
   how PPP authentication protocols can be carried within the Diameter
   protocol.  The PPP authentication protocols described are PAP and
   CHAP.

   The use of PAP SHOULD be discouraged, as it exposes users' passwords
   to possibly non-trusted entities.  However, PAP is also frequently
   used with One-Time Passwords, which do not carry this risk.

   This document also describes how CHAP can be carried within the
   Diameter protocol, which is required for RADIUS backward
   compatibility.  The CHAP protocol, as used in a RADIUS environment,
   facilitates authentication replay attacks.

   The use of the EAP authentication protocols [RFC4072] can offer
   better security, given a method suitable for the circumstances.

8.  References

8.1.  Normative References

   [ANITypes]        NANPA Number Resource Info, "ANI Assignments", .

   [I-D.ietf-dime-rfc3588bis]
                     Fajardo, V., Arkko, J., Loughney, J., and G. Zorn,
                     "Diameter Base Protocol",
                     draft-ietf-dime-rfc3588bis-29 (work in progress),
                     August 2011.

   [RADIUSTypes]     IANA, "RADIUS Types", .

   [RFC1994]         Simpson, W., "PPP Challenge Handshake
                     Authentication Protocol (CHAP)", RFC 1994,
                     August 1996.

   [RFC2119]         Bradner, S., "Key words for use in RFCs to
                     Indicate Requirement Levels", BCP 14, RFC 2119,
                     March 1997.

   [RFC2865]         Rigney, C., Willens, S., Rubens, A., and W.
                     Simpson, "Remote Authentication Dial In User
                     Service (RADIUS)", RFC 2865, June 2000.

   [RFC3162]         Aboba, B., Zorn, G., and D. Mitton, "RADIUS and
                     IPv6", RFC 3162, August 2001.

   [RFC3516]         Nerenberg, L., "IMAP4 Binary Content Extension",
                     RFC 3516, April 2003.

   [RFC3539]         Aboba, B. and J. Wood, "Authentication,
                     Authorization and Accounting (AAA) Transport
                     Profile", RFC 3539, June 2003.

8.2.  Informative References

   [ARAP]            Apple Computer, "Apple Remote Access Protocol
                     (ARAP) Version 2.0 External Reference
                     Specification", R0612LL/B, September 1994.

   [AppleTalk]       Sidhu, G., Andrews, R., and A. Oppenheimer,
                     "Inside AppleTalk", Second Edition, Apple
                     Computer, 1990.

   [IPX]             Novell, Inc., "NetWare System Technical Interface
                     Overview", #883-000780-001, June 1989.

   [ISO.8859-1.1987] International Organization for Standardization,
                     "Information technology - 8-bit single byte coded
                     graphic - character sets - Part 1: Latin alphabet
                     No. 1, JTC1/SC2", ISO Standard 8859-1, 1987.

   [LAT]             Digital Equipment Corp., "Local Area Transport
                     (LAT) Specification V5.0", AA-NL26A-TE, June 1989.

   [RFC1334]         Lloyd, B. and W. Simpson, "PPP Authentication
                     Protocols", RFC 1334, October 1992.

   [RFC1661]         Simpson, W., "The Point-to-Point Protocol (PPP)",
                     STD 51, RFC 1661, July 1994.

   [RFC1990]         Sklower, K., Lloyd, B., McGregor, G., Carr, D.,
                     and T. Coradetti, "The PPP Multilink Protocol
                     (MP)", RFC 1990, August 1996.

   [RFC2474]         Nichols, K., Blake, S., Baker, F., and D. Black,
                     "Definition of the Differentiated Services Field
                     (DS Field) in the IPv4 and IPv6 Headers",
                     RFC 2474, December 1998.

   [RFC2548]         Zorn, G., "Microsoft Vendor-specific RADIUS
                     Attributes", RFC 2548, March 1999.

   [RFC2597]         Heinanen, J., Baker, F., Weiss, W., and J.
                     Wroclawski, "Assured Forwarding PHB Group",
                     RFC 2597, June 1999.

   [RFC2637]         Hamzeh, K., Pall, G., Verthein, W., Taarud, J.,
                     Little, W., and G. Zorn, "Point-to-Point Tunneling
                     Protocol", RFC 2637, July 1999.

   [RFC2866]         Rigney, C., "RADIUS Accounting", RFC 2866,
                     June 2000.

   [RFC2867]         Zorn, G., Aboba, B., and D. Mitton, "RADIUS
                     Accounting Modifications for Tunnel Protocol
                     Support", RFC 2867, June 2000.

   [RFC2868]         Zorn, G., Leifer, D., Rubens, A., Shriver, J.,
                     Holdrege, M., and I. Goyret, "RADIUS Attributes
                     for Tunnel Protocol Support", RFC 2868, June 2000.

   [RFC2869]         Rigney, C., Willats, W., and P. Calhoun, "RADIUS
                     Extensions", RFC 2869, June 2000.

   [RFC2881]         Mitton, D. and M. Beadles, "Network Access Server
                     Requirements Next Generation (NASREQNG) NAS
                     Model", RFC 2881, July 2000.

   [RFC2989]         Aboba, B., Calhoun, P., Glass, S., Hiller, T.,
                     McCann, P., Shiino, H., Walsh, P., Zorn, G.,
                     Dommety, G., Perkins, C., Patil, B., Mitton, D.,
                     Manning, S., Beadles, M., Chen, X., Sivalingham,
                     S., Hameed, A., Munson, M., Jacobs, S., Lim, B.,
                     Hirschman, B., Hsu, R., Koo, H., Lipford, M.,
                     Campbell, E., Xu, Y., Baba, S., and E. Jaques,
                     "Criteria for Evaluating AAA Protocols for Network
                     Access", RFC 2989, November 2000.

   [RFC3169]         Beadles, M. and D. Mitton, "Criteria for
                     Evaluating Network Access Server Protocols",
                     RFC 3169, September 2001.

   [RFC3246]         Davie, B., Charny, A., Bennet, J., Benson, K., Le
                     Boudec, J., Courtney, W., Davari, S., Firoiu, V.,
                     and D. Stiliadis, "An Expedited Forwarding PHB
                     (Per-Hop Behavior)", RFC 3246, March 2002.

   [RFC3580]         Congdon, P., Aboba, B., Smith, A., Zorn, G., and
                     J. Roese, "IEEE 802.1X Remote Authentication Dial
                     In User Service (RADIUS) Usage Guidelines",
                     RFC 3580, September 2003.

   [RFC3931]         Lau, J., Townsley, M., and I. Goyret, "Layer Two
                     Tunneling Protocol - Version 3 (L2TPv3)",
                     RFC 3931, March 2005.

   [RFC4072]         Eronen, P., Hiller, T., and G. Zorn, "Diameter
                     Extensible Authentication Protocol (EAP)
                     Application", RFC 4072, August 2005.

   [RFC4301]         Kent, S. and K. Seo, "Security Architecture for
                     the Internet Protocol", RFC 4301, December 2005.

   [RFC5246]         Dierks, T. and E. Rescorla, "The Transport Layer
                     Security (TLS) Protocol Version 1.2", RFC 5246,
                     August 2008.

   [RFC5777]         Korhonen, J., Tschofenig, H., Arumaithurai, M.,
                     Jones, M., and A. Lior, "Traffic Classification
                     and Quality of Service (QoS) Attributes for
                     Diameter", RFC 5777, February 2010.

Appendix A.  Acknowledgements

A.1.  RFC 4005

   The authors would like to thank Carl Rigney, Allan C. Rubens,
   William Allen Simpson, and Steve Willens for their work on the
   original RADIUS protocol, from which many of the concepts in this
   specification were derived.  Thanks, also, to Carl Rigney for
   [RFC2866] and [RFC2869]; Ward Willats for [RFC2869]; Glen Zorn,
   Bernard Aboba, and Dave Mitton for [RFC2867] and [RFC3162]; and
   Dory Leifer, John Shriver, Matt Holdrege, Allan Rubens, Glen Zorn
   and Ignacio Goyret for their work on [RFC2868].  This document stole
   text and concepts from both [RFC2868] and [RFC2869].  Thanks go to
   Carl Williams for providing IPv6-specific text.
   The authors would also like to acknowledge the following people for
   their contributions in the development of the Diameter protocol:
   Bernard Aboba, Jari Arkko, William Bulley, Kuntal Chowdhury, Daniel
   C. Fox, Lol Grant, Nancy Greene, Jeff Hagg, Peter Heitman, Paul
   Krumviede, Fergal Ladley, Ryan Moats, Victor Muslin, Kenneth Peirce,
   Sumit Vakil, John R. Vollbrecht, and Jeff Weisberg.

   Finally, Pat Calhoun would like to thank Sun Microsystems, as most of
   the effort put into this document was done while he was in their
   employ.

A.2.  RFC 4005bis

   The vast majority of the text in this document was taken directly
   from RFC 4005; the editor owes a debt of gratitude to the authors
   thereof (especially Dave Mitton, who somehow managed to make nroff
   paginate the AVP Occurrence Tables correctly!).

   Thanks (in no particular order) to Jai-Jin Lim, Liu Hans, Sebastien
   Decugis, Jouni Korhonen, Mark Jones, Hannes Tschofenig and Stefan
   Winter for their useful reviews and helpful comments.

Author's Address

   Glen Zorn (editor)
   Network Zen
   227/358 Thanon Sanphawut
   Bang Na, Bangkok 10260
   Thailand

   Phone: +66 (0) 87-040-4617
   EMail: glenzorn@gmail.com
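Added example (not part of the draft): how a tunnel initiator can apply the Tunnel-Preference rule stated just before Section 4.5.10 to the Tunneling groups returned in an authorization answer. The dict-per-group model, the symbolic Tunnel-Type values, the endpoint names, the ranking of groups that lack Tunnel-Preference, and the sort-key form of the "locally configured metric" are all assumptions of this example.

```python
"""Added example, not code from the draft: how a tunnel initiator can
apply the Tunnel-Preference rule to the Tunneling groups returned in an
authorization answer.

Assumptions not stated in the draft: each Tunneling group is modelled as
a dict keyed by AVP name, Tunnel-Type values are written symbolically,
a group without a Tunnel-Preference AVP ranks below every group that
carries one, and the "locally configured metric" used to break ties is
passed in as a sort key.
"""

from typing import Callable, Iterable, List, Optional

TunnelGroup = dict

# Constructed sample answer: the draft's PPTP-versus-L2TP scenario, with a
# second L2TP group carrying the same preference value to show a tie.
SAMPLE_ANSWER: List[TunnelGroup] = [
    {"Tunnel-Type": "PPTP", "Tunnel-Preference": 10,
     "Tunnel-Server-Endpoint": "pptp.example.net"},
    {"Tunnel-Type": "L2TP", "Tunnel-Preference": 5,
     "Tunnel-Server-Endpoint": "l2tp-a.example.net"},
    {"Tunnel-Type": "L2TP", "Tunnel-Preference": 5,
     "Tunnel-Server-Endpoint": "l2tp-b.example.net"},
]


def select_tunnel(groups: Iterable[TunnelGroup],
                  supported_types: Iterable[str],
                  local_metric: Optional[Callable[[TunnelGroup], int]] = None,
                  ) -> Optional[TunnelGroup]:
    """Return the Tunneling group the initiator should start, or None."""
    supported = set(supported_types)
    # A tunnel type the initiator cannot speak is never started, whatever
    # preference the server attached to it.
    candidates = [g for g in groups if g.get("Tunnel-Type") in supported]
    if not candidates:
        return None
    # Only one usable type was returned: the draft says to initiate it.
    if len(candidates) == 1:
        return candidates[0]
    # Otherwise the lowest Tunnel-Preference value wins.  Groups lacking
    # the AVP are considered only if no group carries one (assumption).
    with_pref = [g for g in candidates if "Tunnel-Preference" in g]
    if with_pref:
        best = min(g["Tunnel-Preference"] for g in with_pref)
        tied = [g for g in with_pref if g["Tunnel-Preference"] == best]
    else:
        tied = candidates
    if len(tied) == 1:
        return tied[0]
    # Equal preference values are permitted; the draft leaves the choice
    # to locally configured metrics.  Default: keep the server's order.
    if local_metric is None:
        return tied[0]
    return min(tied, key=local_metric)


if __name__ == "__main__":
    chosen = select_tunnel(SAMPLE_ANSWER, {"PPTP", "L2TP"})
    print("would start", chosen["Tunnel-Type"], "to",
          chosen["Tunnel-Server-Endpoint"])
```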
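Added example (not part of the draft): an accounting server applying the Acct-Link-Count completeness rule of Section 4.6.9 to the draft's own eight-record table, reconstructed here as constructed data. The tracker class and field names are this example's; the only interpretive assumption is noted in the docstring.

```python
"""Added example, not code from the draft: an accounting server using
Acct-Link-Count (Section 4.6.9) to decide when it holds every STOP_RECORD
of a multilink service.

The input is the draft's own eight-row example, reconstructed here as
constructed data; Session-Id values are abbreviated exactly as the draft
prints them.  One reading is assumed where the draft's wording allows
two: the largest Acct-Link-Count is taken over every ACR seen for the
multilink session, not only over its STOP records (both readings give
the same answer for this data).
"""

from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class Acr(NamedTuple):
    multi_session_id: str  # Acct-Multi-Session-Id
    session_id: str        # Session-Id
    record_type: str       # Accounting-Record-Type
    link_count: int        # Acct-Link-Count


# Constructed from the table in Section 4.6.9, in arrival order.
SAMPLE_RECORDS: List[Acr] = [
    Acr('"...10"', '"...10"', "START_RECORD", 1),
    Acr('"...10"', '"...11"', "START_RECORD", 2),
    Acr('"...10"', '"...11"', "STOP_RECORD", 2),
    Acr('"...10"', '"...12"', "START_RECORD", 3),
    Acr('"...10"', '"...13"', "START_RECORD", 4),
    Acr('"...10"', '"...12"', "STOP_RECORD", 4),
    Acr('"...10"', '"...13"', "STOP_RECORD", 4),
    Acr('"...10"', '"...10"', "STOP_RECORD", 4),
]


class MultilinkTracker:
    """Per Acct-Multi-Session-Id: STOP records seen and largest link count."""

    def __init__(self) -> None:
        self._stops: Dict[str, Set[str]] = defaultdict(set)
        self._max_links: Dict[str, int] = defaultdict(int)

    def observe(self, acr: Acr) -> bool:
        """Account for one ACR; return True once its service is complete."""
        ms = acr.multi_session_id
        self._max_links[ms] = max(self._max_links[ms], acr.link_count)
        if acr.record_type == "STOP_RECORD":
            # A set implements "unique Session-Ids": a retransmitted STOP
            # for a link already closed must not be counted twice.
            self._stops[ms].add(acr.session_id)
        return self.is_complete(ms)

    def is_complete(self, ms: str) -> bool:
        """True when the number of distinct STOPs equals the largest
        Acct-Link-Count seen for this multilink session."""
        return (self._max_links[ms] > 0
                and len(self._stops[ms]) == self._max_links[ms])


def completion_index(records: List[Acr]) -> Dict[str, int]:
    """Return, per multilink session, the 1-based position of the ACR
    that completed it; sessions never completed are absent."""
    tracker = MultilinkTracker()
    done: Dict[str, int] = {}
    for pos, acr in enumerate(records, start=1):
        if tracker.observe(acr) and acr.multi_session_id not in done:
            done[acr.multi_session_id] = pos
    return done


if __name__ == "__main__":
    print(completion_index(SAMPLE_RECORDS))  # the eighth record completes it
```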
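Added example (not part of the draft): checking the AVPs of a received AA-Request against the occurrence symbols of the Section 5.1 table, the kind of validation a Diameter server performs before acting on a message. AAR_RULES is a constructed subset of that table's AAR column, and the sample message and the function names are this example's own.

```python
"""Added example, not code from the draft: checking the AVPs of a received
AA-Request against the occurrence symbols of the table in Section 5.1.

The rule strings are the draft's own symbols ("0", "0+", "0-1", "1").
AAR_RULES is a constructed subset of the table's AAR column; a real
implementation would load the whole table.  AVP names the table does not
list are not judged here (the draft leaves base-protocol AVPs to the base
specification) and are returned separately so the caller can decide.
"""

from collections import Counter
from typing import Dict, Iterable, List, Tuple

NO_LIMIT = float("inf")

# The four symbols defined at the start of Section 5, as (min, max).
OCCURRENCE_SYMBOLS: Dict[str, Tuple[int, float]] = {
    "0": (0, 0),
    "0+": (0, NO_LIMIT),
    "0-1": (0, 1),
    "1": (1, 1),
}

# Constructed subset of the AAR column of the Section 5.1 table.
AAR_RULES: Dict[str, str] = {
    "Session-Id": "1",
    "Auth-Application-Id": "1",
    "Auth-Request-Type": "1",
    "Origin-Host": "1",
    "Origin-Realm": "1",
    "Destination-Realm": "1",
    "Destination-Host": "0-1",
    "User-Name": "0-1",
    "User-Password": "0-1",
    "NAS-Port": "0-1",
    "Tunneling": "0+",
    "Framed-IPv6-Prefix": "0+",
    "Result-Code": "0",
    "Filter-Id": "0",
    "Reply-Message": "0",
}


def parse_rule(rule: str) -> Tuple[int, float]:
    """Translate a table symbol into (minimum, maximum) occurrences."""
    try:
        return OCCURRENCE_SYMBOLS[rule]
    except KeyError:
        raise ValueError(f"unknown occurrence symbol {rule!r}") from None


def check_occurrences(avps: Iterable[str], rules: Dict[str, str]
                      ) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Compare the AVP names of one message with an occurrence table.

    Returns (violations, unlisted): violations is a list of (AVP name,
    reason) for every rule not met; unlisted holds names absent from
    the table.  An empty violations list means the message conforms.
    """
    counts = Counter(avps)
    violations: List[Tuple[str, str]] = []
    for name, rule in rules.items():
        lo, hi = parse_rule(rule)
        n = counts.get(name, 0)
        if n < lo:
            violations.append((name, f"absent, rule {rule} requires it"))
        elif n > hi:
            violations.append((name, f"{n} present, rule {rule} allows {hi:g}"))
    unlisted = sorted(name for name in counts if name not in rules)
    return sorted(violations), unlisted


# Constructed AAR: the AVP names a NAS would send for a plain PAP request
# (actual AVP values are irrelevant to occurrence checking).
SAMPLE_AAR = ["Session-Id", "Auth-Application-Id", "Auth-Request-Type",
              "Origin-Host", "Origin-Realm", "Destination-Realm",
              "User-Name", "User-Password", "NAS-Port",
              "Tunneling", "Tunneling"]


if __name__ == "__main__":
    for name, reason in check_occurrences(SAMPLE_AAR, AAR_RULES)[0]:
        print(name, reason)
```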