idnits 2.17.1 draft-ietf-radius-accounting-v2-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Looks like you're using RFC 2026 boilerplate. This must be updated to follow RFC 3978/3979, as updated by RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** Missing expiration date. The document expiration date should appear on the first and last page. ** The document seems to lack a 1id_guidelines paragraph about 6 months document validity -- however, there's a paragraph with a matching beginning. Boilerplate error? == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** The document seems to lack separate sections for Informative/Normative References. All references will be assumed normative when checking for downward references. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'MUST not' in this paragraph: A forwarding server MUST not modify existing Proxy-State or Class attributes present in the packet. -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (May 1999) is 9112 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: 'Note 1' on line 1116 ** Obsolete normative reference: RFC 2138 (ref. '1') (Obsoleted by RFC 2865) ** Downref: Normative reference to an Informational RFC: RFC 1321 (ref. '4') ** Obsolete normative reference: RFC 1700 (ref. '5') (Obsoleted by RFC 3232) ** Obsolete normative reference: RFC 2279 (ref. '6') (Obsoleted by RFC 3629) Summary: 9 errors (**), 0 flaws (~~), 3 warnings (==), 4 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 RADIUS Working Group C Rigney 2 INTERNET-DRAFT Livingston 3 expires October 1999 May 1999 5 RADIUS Accounting 6 draft-ietf-radius-accounting-v2-02.txt 8 Status of this Memo 10 This document is an Internet-Draft and is in full conformance with 11 all provisions of Section 10 of RFC2026. 13 This document is a submission to the RADIUS Working Group of the 14 Internet Engineering Task Force (IETF). Comments should be submitted 15 to the ietf-radius@livingston.com mailing list. 17 Distribution of this memo is unlimited. 19 Internet-Drafts are working documents of the Internet Engineering 20 Task Force (IETF), its areas, and its working groups. Note that 21 other groups may also distribute working documents as Internet- 22 Drafts. 24 Internet-Drafts are draft documents valid for a maximum of six months 25 and may be updated, replaced, or obsoleted by other documents at any 26 time. It is inappropriate to use Internet- Drafts as reference 27 material or to cite them other than as "work in progress." 29 The list of current Internet-Drafts can be accessed at 30 http://www.ietf.org/ietf/1id-abstracts.txt 32 The list of Internet-Draft Shadow Directories can be accessed at 33 http://www.ietf.org/shadow.html. 35 Copyright Notice 37 Copyright (C) The Internet Society (1999). All Rights Reserved. 39 Abstract 41 This document describes a protocol for carrying accounting 42 information between a Network Access Server and a shared Accounting 43 Server. 45 Implementation Note 47 This memo documents the RADIUS Accounting protocol. The early 48 deployment of RADIUS Accounting was done using UDP port number 1646, 49 which conflicts with the "sa-msg-port" service. The officially 50 assigned port number for RADIUS Accounting is 1813. 52 Table of Contents 54 1. Introduction .......................................... 3 55 1.1 Specification of Requirements ................... 4 56 1.2 Terminology ..................................... 4 58 2. Operation ............................................. 4 59 2.1 Proxy ........................................... 5 61 3. Packet Format ......................................... 6 63 4. Packet Types .......................................... 8 64 4.1 Accounting-Request .............................. 8 65 4.2 Accounting-Response ............................. 10 67 5. Attributes ............................................ 11 68 5.1 Acct-Status-Type ................................ 12 69 5.2 Acct-Delay-Time ................................. 13 70 5.3 Acct-Input-Octets ............................... 14 71 5.4 Acct-Output-Octets .............................. 15 72 5.5 Acct-Session-Id ................................. 15 73 5.6 Acct-Authentic .................................. 16 74 5.7 Acct-Session-Time ............................... 17 75 5.8 Acct-Input-Packets .............................. 18 76 5.9 Acct-Output-Packets ............................. 19 77 5.10 Acct-Terminate-Cause ............................ 19 78 5.11 Acct-Multi-Session-Id ........................... 22 79 5.12 Acct-Link-Count ................................. 22 80 5.13 Table of Attributes ............................. 24 82 6. Security Considerations ............................... 26 83 7. Change Log ............................................ 26 84 8. References ............................................ 26 85 9. Acknowledgements ...................................... 26 86 10. Chair's Address ....................................... 27 87 11. Author's Address ...................................... 27 88 12. Full Copyright Statement .............................. 28 90 1. Introduction 92 Managing dispersed serial line and modem pools for large numbers of 93 users can create the need for significant administrative support. 94 Since modem pools are by definition a link to the outside world, they 95 require careful attention to security, authorization and accounting. 96 This can be best achieved by managing a single "database" of users, 97 which allows for authentication (verifying user name and password) as 98 well as configuration information detailing the type of service to 99 deliver to the user (for example, SLIP, PPP, telnet, rlogin). 101 The RADIUS (Remote Authentication Dial In User Service) document [1] 102 specifies the RADIUS protocol used for Authentication and 103 Authorization. This memo extends the use of the RADIUS protocol to 104 cover delivery of accounting information from the Network Access 105 Server (NAS) to a RADIUS accounting server. 107 Key features of RADIUS Accounting are: 109 Client/Server Model 111 A Network Access Server (NAS) operates as a client of the 112 RADIUS accounting server. The client is responsible for 113 passing user accounting information to a designated RADIUS 114 accounting server. 116 The RADIUS accounting server is responsible for receiving the 117 accounting request and returning a response to the client 118 indicating that it has successfully received the request. 120 The RADIUS accounting server can act as a proxy client to other 121 kinds of accounting servers. 123 Network Security 125 Transactions between the client and RADIUS accounting server 126 are authenticated through the use of a shared secret, which is 127 never sent over the network. 129 Extensible Protocol 131 All transactions are comprised of variable length Attribute- 132 Length-Value 3-tuples. New attribute values can be added 133 without disturbing existing implementations of the protocol. 135 1.1. Specification of Requirements 137 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 138 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 139 document are to be interpreted as described in RFC 2119 [2]. These 140 key words mean the same thing whether capitalized or not. 142 1.2. Terminology 144 This document uses the following terms: 146 service The NAS provides a service to the dial-in user, such as PPP 147 or Telnet. 149 session Each service provided by the NAS to a dial-in user 150 constitutes a session, with the beginning of the session 151 defined as the point where service is first provided and 152 the end of the session defined as the point where service 153 is ended. A user may have multiple sessions in parallel or 154 series if the NAS supports that, with each session 155 generating a separate start and stop accounting record with 156 its own Acct-Session-Id. 158 silently discard 159 This means the implementation discards the packet without 160 further processing. The implementation SHOULD provide the 161 capability of logging the error, including the contents of 162 the silently discarded packet, and SHOULD record the event 163 in a statistics counter. 165 2. Operation 167 When a client is configured to use RADIUS Accounting, at the start of 168 service delivery it will generate an Accounting Start packet 169 describing the type of service being delivered and the user it is 170 being delivered to, and will send that to the RADIUS Accounting 171 server, which will send back an acknowledgement that the packet has 172 been received. At the end of service delivery the client will 173 generate an Accounting Stop packet describing the type of service 174 that was delivered and optionally statistics such as elapsed time, 175 input and output octets, or input and output packets. It will send 176 that to the RADIUS Accounting server, which will send back an 177 acknowledgement that the packet has been received. 179 The Accounting-Request (whether for Start or Stop) is submitted to 180 the RADIUS accounting server via the network. It is recommended that 181 the client continue attempting to send the Accounting-Request packet 182 until it receives an acknowledgement, using some form of backoff. If 183 no response is returned within a length of time, the request is re- 184 sent a number of times. The client can also forward requests to an 185 alternate server or servers in the event that the primary server is 186 down or unreachable. An alternate server can be used either after a 187 number of tries to the primary server fail, or in a round-robin 188 fashion. Retry and fallback algorithms are the topic of current 189 research and are not specified in detail in this document. 191 The RADIUS accounting server MAY make requests of other servers in 192 order to satisfy the request, in which case it acts as a client. 194 If the RADIUS accounting server is unable to successfully record the 195 accounting packet it MUST NOT send an Accounting-Response 196 acknowledgment to the client. 198 2.1. Proxy 200 See the "RADIUS" RFC [1] for information on Proxy RADIUS. Proxy 201 Accounting RADIUS works the same way, as illustrated by the following 202 example. 204 1. The NAS sends an accounting-request to the forwarding server. 206 2. The forwarding server logs the accounting-request (if desired), 207 adds its Proxy-State (if desired) after any other Proxy-State 208 attributes, updates the Request Authenticator, and forwards the 209 request to the remote server. 211 3. The remote server logs the accounting-request (if desired), 212 copies all Proxy-State attributes in order and unmodified from 213 the request to the response packet, and sends the accounting- 214 response to the forwarding server. 216 4 The forwarding server strips the last Proxy-State (if it added 217 one in step 2), updates the Response Authenticator and sends 218 the accounting-response to the NAS. 220 A forwarding server MUST not modify existing Proxy-State or Class 221 attributes present in the packet. 223 A forwarding server may either perform its forwarding function in a 224 pass through manner, where it sends retransmissions on as soon as it 225 gets them, or it may take responsibility for retransmissions, for 226 example in cases where the network link between forwarding and remote 227 server has very different characteristics than the link between NAS 228 and forwarding server. 230 Extreme care should be used when implementing a proxy server that 231 takes responsibility for retransmissions so that its retransmission 232 policy is robust and scalable. 234 3. Packet Format 236 Exactly one RADIUS Accounting packet is encapsulated in the UDP Data 237 field [3], where the UDP Destination Port field indicates 1813 238 (decimal). 240 When a reply is generated, the source and destination ports are 241 reversed. 243 This memo documents the RADIUS Accounting protocol. The early 244 deployment of RADIUS Accounting was done using UDP port number 1646, 245 which conflicts with the "sa-msg-port" service. The officially 246 assigned port number for RADIUS Accounting is 1813. 248 A summary of the RADIUS data format is shown below. The fields are 249 transmitted from left to right. 251 0 1 2 3 252 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 253 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 254 | Code | Identifier | Length | 255 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 256 | | 257 | Authenticator | 258 | | 259 | | 260 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 261 | Attributes ... 262 +-+-+-+-+-+-+-+-+-+-+-+-+- 264 Code 266 The Code field is one octet, and identifies the type of RADIUS 267 packet. When a packet is received with an invalid Code field, it is 268 silently discarded. 270 RADIUS Accounting Codes (decimal) are assigned as follows: 272 4 Accounting-Request 273 5 Accounting-Response 275 Identifier 277 The Identifier field is one octet, and aids in matching requests and 278 replies. The RADIUS server can detect a duplicate request if it has 279 the same client source IP address and source UDP port and Identifier 280 within a short span of time. 282 Length 284 The Length field is two octets. It indicates the length of the 285 packet including the Code, Identifier, Length, Authenticator and 286 Attribute fields. Octets outside the range of the Length field MUST 287 be treated as padding and ignored on reception. If the packet is 288 shorter than the Length field indicates, it MUST be silently 289 discarded. The minimum length is 20 and maximum length is 4095. 291 Authenticator 293 The Authenticator field is sixteen (16) octets. The most significant 294 octet is transmitted first. This value is used to authenticate the 295 messages between the client and RADIUS accounting server. 297 Request Authenticator 299 In Accounting-Request Packets, the Authenticator value is a 16 300 octet MD5 [4] checksum, called the Request Authenticator. 302 The NAS and RADIUS accounting server share a secret. The Request 303 Authenticator field in Accounting-Request packets contains a one- 304 way MD5 hash calculated over a stream of octets consisting of the 305 Code + Identifier + Length + 16 zero octets + request attributes + 306 shared secret (where + indicates concatenation). The 16 octet MD5 307 hash value is stored in the Authenticator field of the 308 Accounting-Request packet. 310 Note that the Request Authenticator of an Accounting-Request can 311 not be done the same way as the Request Authenticator of a RADIUS 312 Access-Request, because there is no User-Password attribute in an 313 Accounting-Request. 315 Response Authenticator 317 The Authenticator field in an Accounting-Response packet is called 318 the Response Authenticator, and contains a one-way MD5 hash 319 calculated over a stream of octets consisting of the Accounting- 320 Response Code, Identifier, Length, the Request Authenticator field 321 from the Accounting-Request packet being replied to, and the 322 response attributes if any, followed by the shared secret. The 323 resulting 16 octet MD5 hash value is stored in the Authenticator 324 field of the Accounting-Response packet. 326 Attributes 328 Attributes may have multiple instances, in such a case the order of 329 attributes of the same type SHOULD be preserved. The order of 330 attributes of different types is not required to be preserved. 332 4. Packet Types 334 The RADIUS packet type is determined by the Code field in the first 335 octet of the packet. 337 4.1. Accounting-Request 339 Description 341 Accounting-Request packets are sent from a client (typically a 342 Network Access Server or its proxy) to a RADIUS accounting server, 343 and convey information used to provide accounting for a service 344 provided to a user. The client transmits a RADIUS packet with the 345 Code field set to 4 (Accounting-Request). 347 Upon receipt of an Accounting-Request, the server MUST transmit an 348 Accounting-Response reply if it successfully records the 349 accounting packet, and MUST NOT transmit any reply if it fails to 350 record the accounting packet. 352 Any attribute valid in a RADIUS Access-Request or Access-Accept 353 packet is valid in a RADIUS Accounting-Request packet, except that 354 the following attributes MUST NOT be present in an Accounting- 355 Request: User-Password, CHAP-Password, Reply-Message, State. 356 Either NAS-IP-Address or NAS-Identifier MUST be present in a 357 RADIUS Accounting-Request. It SHOULD contain a NAS-Port or NAS- 358 Port-Type attribute or both unless the service does not involve a 359 port or the NAS does not distinguish among its ports. 361 If the Accounting-Request packet includes a Framed-IP-Address, 362 that attribute MUST contain the IP address of the user. If the 363 Access-Accept used the special values for Framed-IP-Address 364 telling the NAS to assign or negotiate an IP address for the user, 365 the Framed-IP-Address (if any) in the Accounting-Request MUST 366 contain the actual IP address assigned or negotiated. 368 A summary of the Accounting-Request packet format is shown below. 370 The fields are transmitted from left to right. 372 0 1 2 3 373 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 374 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 375 | Code | Identifier | Length | 376 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 377 | | 378 | Request Authenticator | 379 | | 380 | | 381 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 382 | Attributes ... 383 +-+-+-+-+-+-+-+-+-+-+-+-+- 385 Code 387 4 for Accounting-Request. 389 Identifier 391 The Identifier field MUST be changed whenever the content of the 392 Attributes field changes, and whenever a valid reply has been 393 received for a previous request. For retransmissions where the 394 contents are identical, the Identifier MUST remain unchanged. 396 Note that if Acct-Delay-Time is included in the attributes of an 397 Accounting-Request then the Acct-Delay-Time value will be updated 398 when the packet is retransmitted, changing the content of the 399 Attributes field and requiring a new Identifier and Request 400 Authenticator. 402 Request Authenticator 404 The Request Authenticator of an Accounting-Request contains a 16- 405 octet MD5 hash value calculated according to the method described 406 in "Request Authenticator" above. 408 Attributes 410 The Attributes field is variable in length, and contains a list of 411 Attributes. 413 4.2. Accounting-Response 415 Description 417 Accounting-Response packets are sent by the RADIUS accounting 418 server to the client to acknowledge that the Accounting-Request 419 has been received and recorded successfully. If the Accounting- 420 Request was recorded successfully then the RADIUS accounting 421 server MUST transmit a packet with the Code field set to 5 422 (Accounting-Response). On reception of an Accounting-Response by 423 the client, the Identifier field is matched with a pending 424 Accounting-Request. The Response Authenticator field MUST contain 425 the correct response for the pending Accounting-Request. Invalid 426 packets are silently discarded. 428 A RADIUS Accounting-Response is not required to have any 429 attributes in it. 431 A summary of the Accounting-Response packet format is shown below. 432 The fields are transmitted from left to right. 434 0 1 2 3 435 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 436 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 437 | Code | Identifier | Length | 438 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 439 | | 440 | Response Authenticator | 441 | | 442 | | 443 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 444 | Attributes ... 445 +-+-+-+-+-+-+-+-+-+-+-+-+- 447 Code 449 5 for Accounting-Response. 451 Identifier 453 The Identifier field is a copy of the Identifier field of the 454 Accounting-Request which caused this Accounting-Response. 456 Response Authenticator 458 The Response Authenticator of an Accounting-Response contains a 459 16-octet MD5 hash value calculated according to the method 460 described in "Response Authenticator" above. 462 Attributes 464 The Attributes field is variable in length, and contains a list of 465 zero or more Attributes. 467 5. Attributes 469 RADIUS Attributes carry the specific authentication, authorization 470 and accounting details for the request and response. 472 Some attributes MAY be included more than once. The effect of this 473 is attribute specific, and is specified in each attribute 474 description. 476 The end of the list of attributes is indicated by the Length of the 477 RADIUS packet. 479 A summary of the attribute format is shown below. The fields are 480 transmitted from left to right. 482 0 1 2 483 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 484 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 485 | Type | Length | Value ... 486 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 488 Type 490 The Type field is one octet. Up-to-date values of the RADIUS Type 491 field are specified in the most recent "Assigned Numbers" RFC [5]. 492 Values 192-223 are reserved for experimental use, values 224-240 493 are reserved for implementation-specific use, and values 241-255 494 are reserved and should not be used. This specification concerns 495 the following values: 497 1-39 (refer to RADIUS document [1]) 498 40 Acct-Status-Type 499 41 Acct-Delay-Time 500 42 Acct-Input-Octets 501 43 Acct-Output-Octets 502 44 Acct-Session-Id 503 45 Acct-Authentic 504 46 Acct-Session-Time 505 47 Acct-Input-Packets 506 48 Acct-Output-Packets 507 49 Acct-Terminate-Cause 508 50 Acct-Multi-Session-Id 509 51 Acct-Link-Count 510 60+ (refer to RADIUS document [1]) 512 Length 514 The Length field is one octet, and indicates the length of this 515 attribute including the Type, Length and Value fields. If an 516 attribute is received in an Accounting-Request with an invalid 517 Length, the entire request MUST be silently discarded. 519 Value 521 The Value field is zero or more octets and contains information 522 specific to the attribute. The format and length of the Value 523 field is determined by the Type and Length fields. 525 Note that a "string" in RADIUS does not terminate with a NUL (hex 526 00). The Attribute has a length field and does not use a 527 terminator. Strings may contain UTF-8 [6] characters or 8-bit 528 binary data and servers and servers and clients MUST be able to 529 deal with embedded nulls. RADIUS implementers using C are 530 cautioned not to use strcpy() when handling strings. 532 The format of the value field is one of four data types. 534 string 1-253 octets. Strings of length zero (0) MUST NOT be 535 sent; omit the entire attribute instead. 537 address 32 bit value, most significant octet first. 539 integer 32 bit unsigned value, most significant octet first. 541 time 32 bit unsigned value, most significant octet first -- 542 seconds since 00:00:00 UTC, January 1, 1970. The 543 standard Attributes do not use this data type but it is 544 presented here for possible use within future 545 attributes. 547 5.1. Acct-Status-Type 549 Description 551 This attribute indicates whether this Accounting-Request marks the 552 beginning of the user service (Start) or the end (Stop). 554 It MAY be used by the client to mark the start of accounting (for 555 example, upon booting) by specifying Accounting-On and to mark the 556 end of accounting (for example, just before a scheduled reboot) by 557 specifying Accounting-Off. 559 A summary of the Acct-Status-Type attribute format is shown below. 560 The fields are transmitted from left to right. 562 0 1 2 3 563 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 564 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 565 | Type | Length | Value 566 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 567 Value (cont) | 568 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 570 Type 572 40 for Acct-Status-Type. 574 Length 576 6 578 Value 580 The Value field is four octets. 582 1 Start 583 2 Stop 584 3 Interim-Update 585 7 Accounting-On 586 8 Accounting-Off 587 9-14 Reserved for Tunnel Accounting 588 15 Reserved for Failed 590 5.2. Acct-Delay-Time 592 Description 594 This attribute indicates how many seconds the client has been 595 trying to send this record for, and can be subtracted from the 596 time of arrival on the server to find the approximate time of the 597 event generating this Accounting-Request. (Network transit time 598 is ignored.) 600 Note that changing the Acct-Delay-Time causes the Identifier to 601 change; see the discussion under Identifier above. 603 A summary of the Acct-Delay-Time attribute format is shown below. 604 The fields are transmitted from left to right. 606 0 1 2 3 607 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 608 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 609 | Type | Length | Value 610 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 611 Value (cont) | 612 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 614 Type 616 41 for Acct-Delay-Time. 618 Length 620 6 622 Value 624 The Value field is four octets. 626 5.3. Acct-Input-Octets 628 Description 630 This attribute indicates how many octets have been received from 631 the port over the course of this service being provided, and can 632 only be present in Accounting-Request records where the Acct- 633 Status-Type is set to Stop. 635 A summary of the Acct-Input-Octets attribute format is shown below. 636 The fields are transmitted from left to right. 638 0 1 2 3 639 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 640 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 641 | Type | Length | Value 642 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 643 Value (cont) | 644 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 646 Type 648 42 for Acct-Input-Octets. 650 Length 652 6 654 Value 656 The Value field is four octets. 658 5.4. Acct-Output-Octets 660 Description 662 This attribute indicates how many octets have been sent to the 663 port in the course of delivering this service, and can only be 664 present in Accounting-Request records where the Acct-Status-Type 665 is set to Stop. 667 A summary of the Acct-Output-Octets attribute format is shown below. 668 The fields are transmitted from left to right. 670 0 1 2 3 671 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 672 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 673 | Type | Length | Value 674 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 675 Value (cont) | 676 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 678 Type 680 43 for Acct-Output-Octets. 682 Length 684 6 686 Value 688 The Value field is four octets. 690 5.5. Acct-Session-Id 692 Description 694 This attribute is a unique Accounting ID to make it easy to match 695 start and stop records in a log file. The start and stop records 696 for a given session MUST have the same Acct-Session-Id. An 697 Accounting-Request packet MUST have an Acct-Session-Id. An 698 Access-Request packet MAY have an Acct-Session-Id; if it does, 699 then the NAS MUST use the same Acct-Session-Id in the Accounting- 700 Request packets for that session. 702 It is strongly recommended that the Acct-Session-Id be a printable 703 UTF-8 string. For example, one implementation uses a string with 704 an 8-digit upper case hexadecimal number, the first two digits 705 increment on each reboot (wrapping every 256 reboots) and the next 706 6 digits counting from 0 for the first person logging in after a 707 reboot up to 2^24-1, about 16 million. Other encodings are 708 possible. 710 A summary of the Acct-Session-Id attribute format is shown below. 711 The fields are transmitted from left to right. 713 0 1 2 714 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 715 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 716 | Type | Length | String ... 717 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 719 Type 721 44 for Acct-Session-Id. 723 Length 725 >= 3 727 String 729 The String field SHOULD be a string of printable UTF-8 characters. 731 5.6. Acct-Authentic 733 Description 735 This attribute MAY be included in an Accounting-Request to 736 indicate how the user was authenticated, whether by RADIUS, the 737 NAS itself, or another remote authentication protocol. Users who 738 are delivered service without being authenticated SHOULD NOT 739 generate Accounting records. 741 A summary of the Acct-Authentic attribute format is shown below. The 742 fields are transmitted from left to right. 744 0 1 2 3 745 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 746 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 747 | Type | Length | Value 748 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 749 Value (cont) | 750 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 752 Type 754 45 for Acct-Authentic. 756 Length 758 6 760 Value 762 The Value field is four octets. 764 1 RADIUS 765 2 Local 766 3 Remote 768 5.7. Acct-Session-Time 770 Description 772 This attribute indicates how many seconds the user has received 773 service for, and can only be present in Accounting-Request records 774 where the Acct-Status-Type is set to Stop. 776 A summary of the Acct-Session-Time attribute format is shown below. 777 The fields are transmitted from left to right. 779 0 1 2 3 780 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 781 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 782 | Type | Length | Value 783 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 784 Value (cont) | 785 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 787 Type 789 46 for Acct-Session-Time. 791 Length 793 6 795 Value 797 The Value field is four octets. 799 5.8. Acct-Input-Packets 801 Description 803 This attribute indicates how many packets have been received from 804 the port over the course of this service being provided to a 805 Framed User, and can only be present in Accounting-Request records 806 where the Acct-Status-Type is set to Stop. 808 A summary of the Acct-Input-packets attribute format is shown below. 809 The fields are transmitted from left to right. 811 0 1 2 3 812 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 813 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 814 | Type | Length | Value 815 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 816 Value (cont) | 817 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 819 Type 821 47 for Acct-Input-Packets. 823 Length 825 6 827 Value 829 The Value field is four octets. 831 5.9. Acct-Output-Packets 833 Description 835 This attribute indicates how many packets have been sent to the 836 port in the course of delivering this service to a Framed User, 837 and can only be present in Accounting-Request records where the 838 Acct-Status-Type is set to Stop. 840 A summary of the Acct-Output-Packets attribute format is shown below. 841 The fields are transmitted from left to right. 843 0 1 2 3 844 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 845 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 846 | Type | Length | Value 847 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 848 Value (cont) | 849 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 851 Type 853 48 for Acct-Output-Packets. 855 Length 857 6 859 Value 861 The Value field is four octets. 863 5.10. Acct-Terminate-Cause 865 Description 867 This attribute indicates how the session was terminated, and can 868 only be present in Accounting-Request records where the Acct- 869 Status-Type is set to Stop. 871 A summary of the Acct-Terminate-Cause attribute format is shown 872 below. The fields are transmitted from left to right. 874 0 1 2 3 875 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 876 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 877 | Type | Length | Value 878 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 879 Value (cont) | 880 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 882 Type 884 49 for Acct-Terminate-Cause 886 Length 888 6 890 Value 892 The Value field is four octets, containing an integer specifying 893 the cause of session termination, as follows: 895 1 User Request 896 2 Lost Carrier 897 3 Lost Service 898 4 Idle Timeout 899 5 Session Timeout 900 6 Admin Reset 901 7 Admin Reboot 902 8 Port Error 903 9 NAS Error 904 10 NAS Request 905 11 NAS Reboot 906 12 Port Unneeded 907 13 Port Preempted 908 14 Port Suspended 909 15 Service Unavailable 910 16 Callback 911 17 User Error 912 18 Host Request 914 The termination causes are as follows: 916 User Request User requested termination of service, for 917 example with LCP Terminate or by logging out. 919 Lost Carrier DCD was dropped on the port. 921 Lost Service Service can no longer be provided; for 922 example, user's connection to a host was 923 interrupted. 925 Idle Timeout Idle timer expired. 927 Session Timeout Maximum session length timer expired. 929 Admin Reset Administrator reset the port or session. 931 Admin Reboot Administrator is ending service on the NAS, 932 for example prior to rebooting the NAS. 934 Port Error NAS detected an error on the port which 935 required ending the session. 937 NAS Error NAS detected some error (other than on the 938 port) which required ending the session. 940 NAS Request NAS ended session for a non-error reason not 941 otherwise listed here. 943 NAS Reboot The NAS ended the session in order to reboot 944 non-administratively ("crash"). 946 Port Unneeded NAS ended session because resource usage fell 947 below low-water mark (for example, if a 948 bandwidth-on-demand algorithm decided that 949 the port was no longer needed). 951 Port Preempted NAS ended session in order to allocate the 952 port to a higher priority use. 954 Port Suspended NAS ended session to suspend a virtual 955 session. 957 Service Unavailable NAS was unable to provide requested service. 959 Callback NAS is terminating current session in order 960 to perform callback for a new session. 962 User Error Input from user is in error, causing 963 termination of session. 965 Host Request Login Host terminated session normally. 967 5.11. Acct-Multi-Session-Id 969 Description 971 This attribute is a unique Accounting ID to make it easy to link 972 together multiple related sessions in a log file. Each session 973 linked together would have a unique Acct-Session-Id but the same 974 Acct-Multi-Session-Id. It is strongly recommended that the Acct- 975 Multi-Session-Id be a printable UTF-8 string. 977 A summary of the Acct-Session-Id attribute format is shown below. 978 The fields are transmitted from left to right. 980 0 1 2 981 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 982 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 983 | Type | Length | String ... 984 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 985 Type 987 50 for Acct-Multi-Session-Id. 989 Length 991 >= 3 993 String 995 The String field SHOULD be a string of printable UTF-8 characters. 997 5.12. Acct-Link-Count 999 Description 1001 This attribute gives the count of links which are known to have 1002 been in a given multilink session at the time the accounting 1003 record is generated. The NAS MAY include the Acct-Link-Count 1004 attribute in any Accounting-Request which might have multiple 1005 links. 1007 A summary of the Acct-Link-Count attribute format is show below. The 1008 fields are transmitted from left to right. 1010 0 1 2 3 1011 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1012 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1013 | Type | Length | Value 1014 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1015 Value (cont) | 1016 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1018 Type 1020 51 for Acct-Link-Count. 1022 Length 1024 6 1026 Value 1028 The Value field is four octets, and contains the number of links 1029 seen so far in this Multilink Session. 1031 It may be used to make it easier for an accounting server to know 1032 when it has all the records for a given Multilink session. When 1033 the number of Accounting-Requests received with Acct-Status-Type = 1034 Stop and the same Acct-Multi-Session-Id and unique Acct-Session- 1035 Id's equals the largest value of Acct-Link-Count seen in those 1036 Accounting-Requests, all Stop Accounting-Requests for that 1037 Multilink Session have been received. 1039 An example showing 8 Accounting-Requests should make things 1040 clearer. For clarity only the relevant attributes are shown, but 1041 additional attributes containing accounting information will also 1042 be present in the Accounting-Request. 1044 Multi-Session-Id Session-Id Status-Type Link-Count 1045 "10" "10" Start 1 1046 "10" "11" Start 2 1047 "10" "11" Stop 2 1048 "10" "12" Start 3 1049 "10" "13" Start 4 1050 "10" "12" Stop 4 1051 "10" "13" Stop 4 1052 "10" "10" Stop 4 1054 5.13. Table of Attributes 1056 The following table provides a guide to which attributes may be found 1057 in Accounting-Request packets. No attributes should be found in 1058 Accounting-Response packets except Proxy-State and possibly Vendor- 1059 Specific. 1061 # Attribute 1062 0-1 User-Name 1063 0 User-Password 1064 0 CHAP-Password 1065 0-1 NAS-IP-Address [Note 1] 1066 0-1 NAS-Port 1067 0-1 Service-Type 1068 0-1 Framed-Protocol 1069 0-1 Framed-IP-Address 1070 0-1 Framed-IP-Netmask 1071 0-1 Framed-Routing 1072 0+ Filter-Id 1073 0-1 Framed-MTU 1074 0+ Framed-Compression 1075 0+ Login-IP-Host 1076 0-1 Login-Service 1077 0-1 Login-TCP-Port 1078 0 Reply-Message 1079 0-1 Callback-Number 1080 0-1 Callback-Id 1081 0+ Framed-Route 1082 0-1 Framed-IPX-Network 1083 0 State 1084 0+ Class 1085 0+ Vendor-Specific 1086 0-1 Session-Timeout 1087 0-1 Idle-Timeout 1088 0-1 Termination-Action 1089 0-1 Called-Station-Id 1090 0-1 Calling-Station-Id 1091 0-1 NAS-Identifier [Note 1] 1092 0+ Proxy-State 1093 0-1 Login-LAT-Service 1094 0-1 Login-LAT-Node 1095 0-1 Login-LAT-Group 1096 0-1 Framed-AppleTalk-Link 1097 0-1 Framed-AppleTalk-Network 1098 0-1 Framed-AppleTalk-Zone 1099 1 Acct-Status-Type 1100 0-1 Acct-Delay-Time 1101 0-1 Acct-Input-Octets 1102 0-1 Acct-Output-Octets 1103 1 Acct-Session-Id 1104 0-1 Acct-Authentic 1105 0-1 Acct-Session-Time 1106 0-1 Acct-Input-Packets 1107 0-1 Acct-Output-Packets 1108 0-1 Acct-Terminate-Cause 1109 0+ Acct-Multi-Session-Id 1110 0+ Acct-Link-Count 1111 0 CHAP-Challenge 1112 0-1 NAS-Port-Type 1113 0-1 Port-Limit 1114 0-1 Login-LAT-Port 1116 [Note 1] An Accounting-Request MUST contain either a NAS-IP-Address 1117 or a NAS-Identifier (or both). 1119 The following table defines the above table entries. 1121 0 This attribute MUST NOT be present 1122 0+ Zero or more instances of this attribute MAY be present. 1123 0-1 Zero or one instance of this attribute MAY be present. 1124 1 Exactly one instance of this attribute MUST be present. 1126 6. Security Considerations 1128 Security issues are discussed in sections concerning the 1129 authenticator included in accounting requests and responses, using a 1130 shared secret which is never sent over the network. 1132 7. Change Log 1134 US-ASCII replaced by UTF-8. 1136 Added notes on Proxy. 1138 Framed-IP-Address should contain the actual IP address of the user. 1140 If Acct-Session-ID was sent in an access-request, it must be used in 1141 the accounting-request for that session. 1143 New values added to Acct-Status-Type. 1145 8. References 1147 [1] Rigney, C., Rubens, A., Simpson, W., and Willens, S., "Remote 1148 Authentication Dial In User Service (RADIUS)", RFC 2138, 1149 January 1997. 1151 [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement 1152 Levels." BCP14, RFC 2119, March, 1997. 1154 [3] Postel, J., "User Datagram Protocol", STD 6, RFC 768, August 1155 1980. 1157 [4] Rivest, R., and Dusse, S., "The MD5 Message-Digest Algorithm", 1158 RFC 1321, April 1992. 1160 [5] Reynolds, J., and Postel, J., "Assigned Numbers", STD 2, RFC 1161 1700, October 1994. 1163 [6] Yergeau, F., "UTF-8, a transformation format of ISO 10646", RFC 1164 2279, January 1998. 1166 9. Acknowledgements 1168 RADIUS and RADIUS Accounting were originally developed by Steve 1169 Willens of Livingston Enterprises for their PortMaster series of 1170 Network Access Servers. 1172 10. Chair's Address 1174 The RADIUS working group can be contacted via the current chair: 1176 Carl Rigney 1177 Livingston Enterprises 1178 4464 Willow Road 1179 Pleasanton, California 94588 1181 Phone: +1 925 737 2100 1182 EMail: cdr@livingston.com 1184 11. Author's Address 1186 Questions about this memo can also be directed to: 1188 Carl Rigney 1189 Livingston Enterprises 1190 4464 Willow Road 1191 Pleasanton, California 94588 1193 EMail: cdr@livingston.com 1195 12. Full Copyright Statement 1197 Copyright (C) The Internet Society (1999). All Rights Reserved. 1199 This document and translations of it may be copied and furnished to 1200 others, and derivative works that comment on or otherwise explain it 1201 or assist in its implmentation may be prepared, copied, published and 1202 distributed, in whole or in part, without restriction of any kind, 1203 provided that the above copyright notice and this paragraph are 1204 included on all such copies and derivative works. However, this 1205 document itself may not be modified in any way, such as by removing 1206 the copyright notice or references to the Internet Society or other 1207 Internet organizations, except as needed for the purpose of 1208 developing Internet standards in which case the procedures for 1209 copyrights defined in the Internet Standards process must be 1210 followed, or as required to translate it into languages other than 1211 English. 1213 The limited permissions granted above are perpetual and will not be 1214 revoked by the Internet Society or its successors or assigns. 1216 This document and the information contained herein is provided on an 1217 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 1218 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 1219 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION 1220 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 1221 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."