Network Working Group                                       Koral Ilgun
INTERNET-DRAFT                                                      ACC
Category: Internet Draft
Title: draft-ilgun-radius-accvsa-00.txt
Date: 22 May 1998
Expires: 27 November 1998

                    ACC's Vendor Specific Attributes

Status of this Memo

   This document is a submission to the RADIUS Working Group of the
   Internet Engineering Task Force (IETF). Comments should be submitted
   to the ietf-radius@livingston.com mailing list.

   Distribution of this memo is unlimited.

   This document is an Internet-Draft. Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups. Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.
   It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as ``work in progress.''

   To view the entire list of current Internet-Drafts, please check
   the "1id-abstracts.txt" listing contained in the Internet-Drafts
   Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net
   (Northern Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au
   (Pacific Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu
   (US West Coast).

Abstract

   This document describes vendor specific attributes for carrying
   authentication, authorization and accounting information between
   ACC's Network Access Server (NAS) and an Authentication/Accounting
   Server using the Remote Authentication Dial In User Service (RADIUS)
   protocol described in RFC 2058 and RFC 2059.

Table of Contents

   1. Introduction

   2. ACC's Radius Authentication Attributes
      2.1  Acc-Ccp-Option
      2.2  Acc-Ip-Gateway-Pri
      2.3  Acc-Ip-Gateway-Sec
      2.4  Acc-Route-Policy
      2.5  Acc-ML-MLX-Admin-State
      2.6  Acc-ML-Call-Threshold
      2.7  Acc-ML-Clear-Threshold
      2.8  Acc-ML-Damping-Factor
      2.9  Acc-Tunnel-Secret
      2.10 Acc-Service-Profile
      2.11 Acc-Request-Type
      2.12 Acc-Bridging-Support
      2.13 Acc-Dns-Server-Pri
      2.14 Acc-Dns-Server-Sec
      2.15 Acc-Nbns-Server-Pri
      2.16 Acc-Nbns-Server-Sec

   3. ACC's Radius Accounting Attributes
      3.1  Acc-Reason-Code
      3.2  Acc-Input-Errors
      3.3  Acc-Output-Errors
      3.4  Acc-Access-Partition
      3.5  Acc-Customer-Id
      3.6  Acc-Clearing-Cause
      3.7  Acc-Clearing-Location
      3.8  Acc-Vpsm-Oversubscribed
      3.9  Acc-Acct-On-Off-Reason
      3.10 Acc-Tunnel-Port

   4. Security Considerations

   5. References

   6. Expiration Date

   7. Author's Address

1. Introduction

   The Remote Authentication Dial In User Service (RADIUS) protocol is
   specified by the RADIUS Working Group of the Internet Engineering
   Task Force (IETF). There are two specifications that make up the
   RADIUS protocol suite: Authentication [RIG97a] and Accounting
   [RIG97b]. These protocols aim to centralize authentication,
   configuration, and accounting of dial-in services to an independent
   server.

   ACC has implemented RADIUS authentication and accounting for its
   Network Access Server family of router products. This document
   provides details of ACC's RADIUS implementation, in particular the
   use of Vendor Specific Attributes (VSA's). It is intended as a guide
   for using the RADIUS protocol for ACC products. ACC's vendor-specific
   attributes use a vendor Id of 5. For more information on
   ACC's RADIUS implementation, see the white paper [ACC97b].

2. ACC's Radius Authentication Attributes

   The table below indicates how the authentication vendor-specific
   attributes are used in the access request and response packets.

   +-------------------------+--------+---------+--------+--------+
   | Attribute Name          | Number | Request | Accept | Reject |
   +-------------------------+--------+---------+--------+--------+
   | Acc-Ccp-Option          |    2   |         |   X    |        |
   | Acc-Ip-Gateway-Pri      |    7   |         |   X    |        |
   | Acc-Ip-Gateway-Sec      |    8   |         |   X    |        |
   | Acc-Route-Policy        |    9   |         |   X    |        |
   | Acc-ML-MLX-Admin-State  |   10   |         |   X    |        |
   | Acc-ML-Call-Threshold   |   11   |         |   X    |        |
   | Acc-ML-Clear-Threshold  |   12   |         |   X    |        |
   | Acc-ML-Damping-Factor   |   13   |         |   X    |        |
   | Acc-Tunnel-Secret       |   14   |         |   X    |        |
   | Acc-Service-Profile     |   17   |         |   X    |        |
   | Acc-Request-Type        |   18   |    X    |        |        |
   | Acc-Bridging-Support    |   19   |         |   X    |        |
   | Acc-Dns-Server-Pri      |   23   |         |   X    |        |
   | Acc-Dns-Server-Sec      |   24   |         |   X    |        |
   | Acc-Nbns-Server-Pri     |   25   |         |   X    |        |
   | Acc-Nbns-Server-Sec     |   26   |         |   X    |        |
   +-------------------------+--------+---------+--------+--------+

2.1 Acc-Ccp-Option

   Description

      This attribute indicates if PPP CCP [RAN96] compression
      negotiation is to be attempted on the dial-in link. It may be used
      in Access-Accept packets only.

   A summary of the Acc-Ccp-Option Attribute format within the ACC
   vendor-specific attribute is shown below. The fields are transmitted
   left-to-right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
             Value (cont)          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      2 for Acc-Ccp-Option

   Length

      6

   Value

      The value field is four octets.

      1      Disabled
      2      Enabled

2.2 Acc-Ip-Gateway-Pri

   Description

      This attribute defines the next hop IP address where the dial-in
      user's data packets should be directed to. This address could be
      a router that is directly attached to a VPN (Virtual Private
      Network) customer's network or to a router that forwards the
      packet to its final destination based on the Source IP Address. It
      may be used in Access-Accept packets only.

   A summary of the Acc-Ip-Gateway-Pri Attribute format within the ACC
   vendor-specific attribute is shown below. The fields are transmitted
   left-to-right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |            Address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            Address (cont)         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      7 for Acc-Ip-Gateway-Pri

   Length

      6

   Address

      The Address field is a four octet IP Address.

2.3 Acc-Ip-Gateway-Sec

   Description

      Similar to Acc-Ip-Gateway-Pri described in Section 2.2, this
      attribute defines the next hop IP address in case the
      Acc-Ip-Gateway-Pri is unreachable. It may be used in Access-Accept
      packets only.

   A summary of the Acc-Ip-Gateway-Sec Attribute format within the ACC
   vendor-specific attribute is shown below. The fields are transmitted
   left-to-right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |            Address
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
            Address (cont)         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      8 for Acc-Ip-Gateway-Sec

   Length

      6

   Address

      The Address field is a four octet IP Address.
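
The following Python sketch is an added example, not part of the draft or of ACC's implementation. It decodes the authentication attributes of the Section 2 table from RADIUS Vendor-Specific attributes (type 26) carrying vendor Id 5, checks each one against the Length, value range and packet type the draft gives, and flags Acc-Tunnel-Secret, which Section 2.9 says is sent in clear. The function names, the sample attribute list and the decoding of the DNS/NBNS values as IPv4 addresses are assumptions of this example.

```python
import ipaddress
import struct

VENDOR_SPECIFIC = 26  # RADIUS Vendor-Specific attribute type
ACC_VENDOR_ID = 5     # vendor Id given in Section 1 of the draft
ON_OFF = {1, 2}
# Section 2 table: number -> (name, kind, packet it may appear in, legal values).
# Decoding 23-26 as IPv4 addresses is an assumption based on their descriptions.
ACC_AUTH = {
    2: ("Acc-Ccp-Option", "int", "Accept", ON_OFF),
    7: ("Acc-Ip-Gateway-Pri", "ip", "Accept", None),
    8: ("Acc-Ip-Gateway-Sec", "ip", "Accept", None),
    9: ("Acc-Route-Policy", "int", "Accept", ON_OFF),
    10: ("Acc-ML-MLX-Admin-State", "int", "Accept", ON_OFF),
    11: ("Acc-ML-Call-Threshold", "int", "Accept", range(0, 102)),
    12: ("Acc-ML-Clear-Threshold", "int", "Accept", range(0, 101)),
    13: ("Acc-ML-Damping-Factor", "int", "Accept", range(0, 65)),
    14: ("Acc-Tunnel-Secret", "str", "Accept", None),
    17: ("Acc-Service-Profile", "str", "Accept", None),
    18: ("Acc-Request-Type", "int", "Request", range(1, 5)),  # 1-4 in Access-Request
    19: ("Acc-Bridging-Support", "int", "Accept", ON_OFF),
    23: ("Acc-Dns-Server-Pri", "ip", "Accept", None),
    24: ("Acc-Dns-Server-Sec", "ip", "Accept", None),
    25: ("Acc-Nbns-Server-Pri", "ip", "Accept", None),
    26: ("Acc-Nbns-Server-Sec", "ip", "Accept", None),
}

def tlvs(buf):
    """Split a Type/Length/Value run into (type, value) pairs; raise on bad lengths."""
    out, i = [], 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError("truncated attribute header")
        kind, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError(f"attribute {kind}: bad length {length}")
        out.append((kind, buf[i + 2:i + length]))
        i += length
    return out

def check_acc_vsas(attrs, packet):
    """Return (decoded, findings) for ACC VSAs in attrs, the octets after the
    20-octet RADIUS header; packet is "Request", "Accept" or "Reject"."""
    decoded, findings = [], []
    for attr_type, val in tlvs(attrs):
        if attr_type != VENDOR_SPECIFIC:
            continue
        if len(val) < 4 or struct.unpack("!I", val[:4])[0] != ACC_VENDOR_ID:
            continue  # not an ACC attribute
        try:
            subs = tlvs(val[4:])
        except ValueError as exc:
            findings.append(f"malformed ACC VSA: {exc}")
            continue
        for num, data in subs:
            if num not in ACC_AUTH:
                findings.append(f"unknown ACC authentication attribute {num}")
                continue
            name, kind, allowed_in, legal = ACC_AUTH[num]
            if packet != allowed_in:
                findings.append(f"{name} not permitted in Access-{packet}")
            if kind == "str":
                if not data:
                    findings.append(f"{name}: Length must be >= 3")
                    continue
                value = data.decode("latin-1")
            elif len(data) != 4:
                findings.append(f"{name}: Length must be 6, got {len(data) + 2}")
                continue
            elif kind == "ip":
                value = str(ipaddress.IPv4Address(data))
            else:
                value = struct.unpack("!I", data)[0]
                if value not in legal:
                    findings.append(f"{name}: value {value} out of range")
            if num == 14:
                # Section 2.9: the secret travels in clear; keep it out of logs.
                findings.append("Acc-Tunnel-Secret exposes the tunnel secret in clear text")
                value = "<redacted>"
            decoded.append((name, value))
    return decoded, findings

def vsa(num, data):
    """Build one Vendor-Specific attribute holding a single ACC sub-attribute."""
    body = struct.pack("!I", ACC_VENDOR_ID) + bytes([num, len(data) + 2]) + data
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body

# Constructed Access-Accept attribute list (sample data, not a capture).
SAMPLE_ACCEPT = (
    vsa(2, struct.pack("!I", 2))          # Acc-Ccp-Option = Enabled
    + vsa(7, bytes([192, 0, 2, 1]))       # Acc-Ip-Gateway-Pri = 192.0.2.1
    + vsa(11, struct.pack("!I", 250))     # above the stated maximum of 101
    + vsa(18, struct.pack("!I", 3))       # Request-only attribute in an Accept
    + vsa(14, b"constructed-secret")      # clear-text tunnel secret
)

if __name__ == "__main__":
    for item in check_acc_vsas(SAMPLE_ACCEPT, "Accept"):
        print(item)
```
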

2.4 Acc-Route-Policy

   Description

      This attribute indicates the route policy to be used with Access
      Partitioning [ACC97a]. Access Partitioning gives carriers the
      ability to partition dial-in resources and assign these partitions
      to dial-in Virtual Private Networks. If the Acc-Route-Policy
      attribute is set to Direct (2) two dial-in links belonging to the
      same Access Partition can route directly to each other without
      going through the IP home gateway. If this attribute is not
      defined or set to Funnel (1), it means all packets received from
      the dial-in user of this access partition will be forwarded to the
      designated home gateway. It may be used in Access-Accept packets
      only.

   A summary of the Acc-Route-Policy Attribute format within the ACC
   vendor-specific attribute is shown below. The fields are transmitted
   left-to-right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
             Value (cont)          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      9 for Acc-Route-Policy

   Length

      6

   Value

      The value field is four octets.

      1      Funnel
      2      Direct

2.5 Acc-ML-MLX-Admin-State

   Description

      If the standard Port-Limit attribute is configured for the dial-in
      user on the RADIUS server, the ACC NAS attempts to place the
      dial-in user in a multilink group. The Port-Limit attribute
      defines the maximum number of members the multilink group can
      have. All members of the multilink group must have the same
      dial-in user name. When the first member of a multilink group calls in,
      a multilink group is created on receipt of the access-accept with
      the Port-Limit attribute configured. The multilink group exists
      for as long as there is a call up in the multilink group.
      When the last call in the multilink group is cleared, the
      multilink group is deleted. When subsequent links in the multilink
      group call in, they are added to the multilink group. The
      multilink group uses the IETF standard PPP Multilink protocol
      [SKL96]. The MLX (also known as MP+ [SMI96]) administrative state,
      call threshold, clear threshold and damping factor values of the
      multilink group can also be set using the ACC VSAs described in
      2.5, 2.6, 2.7 and 2.8.

      The Acc-ML-MLX-Admin-State attribute indicates if PPP MLX (RFC
      1934) negotiation is to be attempted on the dial-in link. It may
      be used in Access-Accept packets only.

   A summary of the Acc-ML-MLX-Admin-State Attribute format within the
   ACC vendor-specific attribute is shown below. The fields are
   transmitted left-to-right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
             Value (cont)          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      10 for Acc-ML-MLX-Admin-State

   Length

      6

   Value

      The value field is four octets.

      1      Enabled
      2      Disabled

2.6 Acc-ML-Call-Threshold

   Description

      This attribute indicates the call threshold value to be used with
      the multilink group that is to be configured. It may be used in
      Access-Accept packets only. See Section 2.5 for more information
      about this attribute.

   A summary of the Acc-ML-Call-Threshold Attribute format within the
   ACC vendor-specific attribute is shown below. The fields are
   transmitted left-to-right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
             Value (cont)          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      11 for Acc-ML-Call-Threshold

   Length

      6

   Value

      The value field is four octets. The minimum value is 0 and
      maximum value is 101.

2.7 Acc-ML-Clear-Threshold

   Description

      This attribute indicates the clear threshold value to be used with
      the multilink group that is to be configured. It may be used in
      Access-Accept packets only.

   A summary of the Acc-ML-Clear-Threshold Attribute format within the
   ACC vendor-specific attribute is shown below. The fields are
   transmitted left-to-right. See Section 2.5 for more information
   about this attribute.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
             Value (cont)          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      12 for Acc-ML-Clear-Threshold

   Length

      6

   Value

      The value field is four octets. The minimum value is 0 and
      maximum value is 100.

2.8 Acc-ML-Damping-Factor

   Description

      This attribute indicates the damping factor value to be used with
      the multilink group that is to be configured. It may be used in
      Access-Accept packets only. See Section 2.5 for more information
      about this attribute.

   A summary of the Acc-ML-Damping-Factor Attribute format within the
   ACC vendor-specific attribute is shown below. The fields are
   transmitted left-to-right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
             Value (cont)          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      13 for Acc-ML-Damping-Factor

   Length

      6

   Value

      The value field is four octets. The minimum value is 0 and
      maximum value is 64.

2.9 Acc-Tunnel-Secret

   Description

      This attribute sets the shared secret to support the CHAP style
      endpoint authentication used by L2TP [VAL97]. The purpose of this
      attribute is the same as Tunnel-Password [ZOR98], except that
      Acc-Tunnel-Secret is sent in the clear. Therefore, Acc-Tunnel-Secret
      should only be used if the RADIUS server does not support salt
      encryption. It may be used in Access-Accept packets only.

   A summary of the Acc-Tunnel-Secret Attribute format within the ACC
   vendor-specific attribute is shown below. The fields are transmitted
   left-to-right.

    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |  String...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      14 for Acc-Tunnel-Secret

   Length

      >= 3

   String

      The String field is one or more octets. It is the clear text
      tunnel secret.

2.10 Acc-Service-Profile

   Description

      This attribute indicates the service profile to be used on the
      dial-in link. It may be used in Access-Accept packets only.

      With the addition of Acc-Service-Profile VSA, RADIUS can identify
      the Service Profile to be assigned to a dial-in user. This
      attribute should only be present in an access accept message when
      the NAS has queried RADIUS prior to answering the call. In this
      case all RADIUS has is the called number.
      The service profile identified by this VSA must exist on the NAS
      in its locally configured Service Profile database. For the
      regular routing case the service profile indicates that dial-in
      calls are to be routed based on the Destination IP Address
      received from a dial-in user. This service is used primarily to
      provide carrier-based Internet access. For the called number
      routing case, the service profile forces IP dial-in calls to be
      specifically directed to a VPN customer's network. A service
      profile may also indicate that Layer 2 Tunneling should be
      performed for a given dial-in user.

   A summary of the Acc-Service-Profile Attribute format within the ACC
   vendor-specific attribute is shown below. The fields are transmitted
   left-to-right.

    0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |  String...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      17 for Acc-Service-Profile

   Length

      >= 3

   String

      The String field is one or more octets. It is the name of the
      service profile.

2.11 Acc-Request-Type

   Description

      This attribute indicates the type of the Access-Request or
      Accounting-Request packet. It may be used in Access-Request and
      Accounting-Request packets only. The attribute values from 1 to 4
      are used in Access-Request packets, whereas 5 and 6 are used in
      Accounting-Request packets.

      An ACC NAS may send an Access-Request packet to the RADIUS server
      before it answers the call. In this case the User-Name attribute
      includes the Called Number and the Acc-Request-Type attribute
      contains the value 1, i.e. Ring-Indication. A special-purpose
      RADIUS server (or proxy) receiving this message may accept or
      reject the call based on its policy, e.g. it may reject the call
      if the quota assigned for this Called Number has been exceeded.
      This is useful when an ISP or TELCO outsources their dial-in ports
      to separate customers and partitions the customers by
      differentiating them based on the number they call in. ACC's VPSM
      server product is an example of this type of operation.

      A value of 2 in the Acc-Request-Type field indicates that the NAS
      is attempting to authorize an outgoing call. A value of 3
      indicates that the type of access request is for user
      authentication, which is the default behavior for the RADIUS
      authentication. A value of 4 indicates that a tunnel
      authentication is requested by the LAC (L2TP Access Concentrator)
      in response to a tunnel request from an LNS (L2TP Network Server).

      This attribute may also be present in Accounting-Request packets.
      A value of 5 indicates that the Accounting-Request is for a PPP
      session, whereas a value of 6 indicates that the
      Accounting-Request is for a tunnel session. The latter case also
      indicates that this accounting information is being provided for a
      dial-in session that is not authenticated at the LAC end of the
      tunnel, but possibly authenticated at the LNS end.

   A summary of the Acc-Request-Type Attribute format within the ACC
   vendor-specific attribute is shown below. The fields are transmitted
   left-to-right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
             Value (cont)          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      18 for Acc-Request-Type

   Length

      6

   Value

      The value field is four octets.

      1      Ring Indication
      2      Dial Request
      3      User Authentication
      4      Tunnel Authentication
      5      User Accounting
      6      Tunnel Accounting

2.12 Acc-Bridging-Support

   Description

      This attribute indicates if Transparent (Ethernet) Bridging should
      be enabled on the dial-in link. It may be used in Access-Accept
      packets only.

   A summary of the Acc-Bridging-Support Attribute format within the ACC
   vendor-specific attribute is shown below. The fields are transmitted
   left-to-right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
             Value (cont)          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      19 for Acc-Bridging-Support

   Length

      6

   Value

      The value field is four octets.

      1      Disabled
      2      Enabled

2.13 Acc-Dns-Server-Pri

   Description

      This attribute indicates the primary DNS (Domain Name System)
      Server Address to be provided to the dial-in user during IPCP
      negotiation. The IPCP protocol (RFC 1332) [MCG92] provides the
      option of negotiating the IP addresses of the primary and
      secondary DNS and NBNS (NetBIOS Name Server) servers. The support
      for these options is specified by RFC 1877 [COB95]. The
      Acc-Dns-Server-Pri attribute may be used in Access-Accept packets
      only.

   A summary of the Acc-Dns-Server-Pri attribute format within the ACC
   vendor-specific attribute is shown below. The fields are transmitted
   left-to-right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
             Value (cont)          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      23 for Acc-Dns-Server-Pri

   Length

      6

   Value

      The value field is four octets.

2.14 Acc-Dns-Server-Sec

   Description

      This attribute indicates the secondary DNS (Domain Name System)
      Server Address to be provided to the dial-in user during IPCP
      negotiation. The IPCP protocol (RFC 1332) [MCG92] provides the
      option of negotiating the IP addresses of the primary and
      secondary DNS and NBNS (NetBIOS Name Server) servers. The support
      for these options is specified by RFC 1877 [COB95]. The
      Acc-Dns-Server-Sec attribute may be used in Access-Accept packets
      only.

   A summary of the Acc-Dns-Server-Sec attribute format within the ACC
   vendor-specific attribute is shown below. The fields are transmitted
   left-to-right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
             Value (cont)          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      24 for Acc-Dns-Server-Sec

   Length

      6

   Value

      The value field is four octets.

2.15 Acc-Nbns-Server-Pri

   Description

      This attribute indicates the primary NBNS (NetBIOS Name Server)
      Address to be provided to the dial-in user during IPCP
      negotiation. The IPCP protocol (RFC 1332) [MCG92] provides the
      option of negotiating the IP addresses of the primary and
      secondary DNS (Domain Name System) and NBNS (NetBIOS Name Server)
      servers. The support for these options is specified by RFC 1877
      [COB95].
      The Acc-Nbns-Server-Pri attribute may be used in
      Access-Accept packets only.

   A summary of the Acc-Nbns-Server-Pri attribute format within the ACC
   vendor-specific attribute is shown below. The fields are transmitted
   left-to-right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
             Value (cont)          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      25 for Acc-Nbns-Server-Pri

   Length

      6

   Value

      The value field is four octets.

2.16 Acc-Nbns-Server-Sec

   Description

      This attribute indicates the secondary NBNS (NetBIOS Name Server)
      Address to be provided to the dial-in user during IPCP
      negotiation. The IPCP protocol (RFC 1332) [MCG92] provides the
      option of negotiating the IP addresses of the primary and
      secondary DNS (Domain Name System) and NBNS (NetBIOS Name Server)
      servers. The support for these options is specified by RFC 1877
      [COB95]. The Acc-Nbns-Server-Sec attribute may be used in
      Access-Accept packets only.

   A summary of the Acc-Nbns-Server-Sec attribute format within the ACC
   vendor-specific attribute is shown below. The fields are transmitted
   left-to-right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
             Value (cont)          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      26 for Acc-Nbns-Server-Sec

   Length

      6

   Value

      The value field is four octets.

3. ACC's Radius Accounting Attributes

   The table below indicates how the accounting vendor-specific
   attributes are used in the accounting request packets. The attributes
   with (*) are accounting specific attributes.
   An X indicates in which type of Accounting-Request packet the
   attribute may be included. Note that any Accounting-Request packet
   may include a copy of all the configuration attributes.

   +-----------------------------+--------+-------+------+---------+
   | Attribute Name              | Number | Start | Stop | Interim |
   +-----------------------------+--------+-------+------+---------+
   | Acc-Reason-Code (*)         |    1   |       |  X   |         |
   | Acc-Ccp-Option              |    2   |       |      |         |
   | Acc-Input-Errors (*)        |    3   |       |  X   |    X    |
   | Acc-Output-Errors (*)       |    4   |       |  X   |    X    |
   | Acc-Access-Partition (*)    |    5   |   X   |  X   |    X    |
   | Acc-Customer-Id (*)         |    6   |   X   |  X   |    X    |
   | Acc-Ip-Gateway-Pri          |    7   |       |      |         |
   | Acc-Ip-Gateway-Sec          |    8   |       |      |         |
   | Acc-Route-Policy            |    9   |       |      |         |
   | Acc-ML-MLX-Admin-State      |   10   |       |      |         |
   | Acc-ML-Call-Threshold       |   11   |       |      |         |
   | Acc-ML-Clear-Threshold      |   12   |       |      |         |
   | Acc-ML-Damping-Factor       |   13   |       |      |         |
   | Acc-Clearing-Cause (*)      |   15   |       |  X   |         |
   | Acc-Clearing-Location (*)   |   16   |       |  X   |         |
   | Acc-Service-Profile         |   17   |   X   |  X   |    X    |
   | Acc-Request-Type            |   18   |   X   |  X   |    X    |
   | Acc-Bridging-Support        |   19   |       |      |         |
   | Acc-Vpsm-Oversubscribed (*) |   20   |   X   |  X   |         |
   | Acc-Acct-On-Off-Reason (*)  |   21   |       |      |         |
   | Acc-Tunnel-Port (*)         |   22   |   X   |  X   |    X    |
   +-----------------------------+--------+-------+------+---------+

3.1 Acc-Reason-Code

   Description

      This attribute provides an extension to the standard
      Acct-Terminate-Cause attribute. It provides more detail on the
      termination reason for a call.

   A summary of the Acc-Reason-Code Attribute format within the ACC
   vendor-specific attribute is shown below. The fields are transmitted
   left-to-right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
             Value (cont)          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      1 for Acc-Reason-Code

   Length

      6

   Value

      The value field is four octets.

       0     no reason given/no failure
       1     resource shortage
       2     session already open
       3     too many RADIUS users
       4     no authentication server
       5     no authentication response
       6     no accounting server
       7     no accounting response
       8     access denied
       9     temporary buffer shortage
      10     protocol error
      11     invalid attribute
      12     invalid service type
      13     invalid framed protocol
      14     invalid attribute value
      15     invalid user information
      16     invalid IP address
      17     invalid integer syntax
      18     invalid NAS port
      19     requested by user
      20     network disconnect
      21     service interruption
      22     physical port error
      23     idle timeout
      24     session timeout
      25     administrative reset
      26     NAS reload or reset
      27     NAS error
      28     NAS request
      29     undefined reason given
      30     conflicting attributes
      31     port limit exceeded
      32     facility not available
      33     internal configuration error
      34     bad route specification
      35     Access Partition bind failure
      36     security violation
      37     request type conflict
      38     configuration disallowed
      39     missing attribute
      40     invalid request
      41     missing parameter
      42     invalid parameter
      43     call cleared with cause
      44     inopportune config request
      45     invalid config parameter
      46     missing config parameter
      47     incompatible service profile
      48     administrative reset
      49     administrative reload
      50     port unneeded
      51     port preempted
      52     port suspended
      53     service unavailable
      54     callback
      55     user error
      56     host request

3.2 Acc-Input-Errors

   Description

      This attribute indicates the number of receive errors on the
      physical port the dial-in user was connected to.

   A summary of the Acc-Input-Errors Attribute format within the ACC
   vendor-specific attribute is shown below. The fields are transmitted
   left-to-right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
             Value (cont)          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      3 for Acc-Input-Errors

   Length

      6

   Value

      The value field is four octets.

3.3 Acc-Output-Errors

   Description

      This attribute indicates the number of send errors on the physical
      port the dial-in user was connected to.

   A summary of the Acc-Output-Errors Attribute format within the ACC
   vendor-specific attribute is shown below. The fields are transmitted
   left-to-right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
             Value (cont)          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      4 for Acc-Output-Errors

   Length

      6

   Value

      The value field is four octets.

3.4 Acc-Access-Partition

   Description

      This attribute specifies the name of the Access Partition the
      dial-in user is assigned to. Access Partitioning [ACC97a] gives
      carriers the ability to partition dial-in resources and assign
      these partitions to dial-in Virtual Private Networks.

   A summary of the Acc-Access-Partition Attribute format within the ACC
   vendor-specific attribute is shown below. The fields are transmitted
   left-to-right.

953       0                   1                   2
954       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
955      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
956      |     Type      |    Length     |  String...
957      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

959      Type

961         5 for Acc-Access-Partition

963      Length

965         >= 3

967      String

969         The String field is one or more octets.

971   3.5 Acc-Customer-Id

973      Description

975         This attribute specifies the Id of the Customer the dial-in user
976         is associated with.

978      A summary of the Acc-Customer-Id Attribute format within the ACC
979      vendor-specific attribute is shown below. The fields are transmitted
980      left-to-right.

982       0                   1                   2
983       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
984      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
985      |     Type      |    Length     |  String...
986      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

988      Type

990         6 for Acc-Customer-Id

992      Length

994         >= 3

996      Value

998         The String field is one or more octets.

1000  3.6 Acc-Clearing-Cause

1002     Description

1004        This attribute provides an extension to the Acc-Reason-Code
1005        attribute. It provides more detail if Acc-Reason-Code indicates
1006        Call-Cleared-With-Cause (43).

1008     A summary of the Acc-Clearing-Cause Attribute format within the ACC
1009     vendor-specific attribute is shown below. The fields are transmitted
1010     left-to-right.

1012      0                   1                   2                   3
1013      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1014     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1015     |     Type      |    Length     |             Value
1016     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1017                  Value (cont)       |
1018     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1020     Type

1022        15 for Acc-Clearing-Cause

1024     Length

1026        6

1028     Value

1030        The value field is four octets.

1032        0    cause unspecified
1033        1    unassigned number
1034        2    no route to transit network
1035        3    no route to destination
1036        6    channel unacceptable
1037        7    call awarded being delivered
1038        16   normal clearing
1039        17   user busy
1040        18   no user responding
1041        19   user alerted no answer
1042        21   call rejected
1043        22   number changed
1044        26   non selected user clearing
1045        27   destination out of order
1046        28   invalid or incomplete number
1047        29   facility rejected
1048        30   response to status inquiry
1049        31   normal unspecified cause
1050        34   no circuit or channel available
1051        38   network out of order
1052        41   temporary failure
1053        42   switching equipment congestion
1054        43   access information discarded
1055        44   circuit or channel unavailable
1056        45   circuit or channel preempted
1057        47   resources unavailable
1058        49   quality of service unavailable
1059        50   facility not subscribed
1060        52   outgoing calls barred
1061        54   incoming calls barred
1062        57   bearer capability unauthorized
1063        58   bearer capability not available
1064        63   service not available
1065        65   bearer capability not implemented
1066        66   channel type not implemented
1067        69   facility not implemented
1068        70   restricted digital information only
1069        79   service not implemented
1070        81   invalid call reference
1071        82   identified channel does not exist
1072        83   call identity does not exist
1073        84   call identity in use
1074        85   no call suspended
1075        86   suspended call cleared
1076        88   incompatible destination
1077        91   invalid transit network selection
1078        95   invalid message
1079        96   mandatory information element missing
1080        97   message not implemented
1081        98   inopportune message
1082        99   information element not implemented
1083        100  invalid information element contents
1084        101  message incompatible with state
1085        102  recovery on timer expiration
1086        103  mandatory information element length error
1087        111  protocol error
1088        127  interworking

1090  3.7 Acc-Clearing-Location

1092     Description

1094        This attribute provides an extension to the Acc-Reason-Code
1095        attribute. It provides detail on where the call has been cleared.

1097     A summary of the Acc-Clearing-Location Attribute format within the
1098     ACC vendor-specific attribute is shown below. The fields are
1099     transmitted left-to-right.

1101      0                   1                   2                   3
1102      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1103     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1104     |     Type      |    Length     |             Value
1105     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1106                  Value (cont)       |
1107     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1109     Type

1111        16 for Acc-Clearing-Location

1113     Length

1115        6

1117     Value

1119        The value field is four octets.

1121        0    local or remote user
1122        1    private network serving local user
1123        2    public network serving local user
1124        3    transit network
1125        4    private network serving remote user
1126        5    public network serving remote user
1127        6    international network
1128        10   beyond interworking point

1130  3.8 Acc-Vpsm-Oversubscribed

1132     Description

1134        This attribute is specific to ACC's VPSM (Virtual Port Service
1135        Manager) server software. VPSM runs as a proxy RADIUS server
1136        between an ACC NAS and a home RADIUS server. If the VPSM server
1137        detects that this connection caused the corresponding Access
1138        Partition quota to be exceeded, the Accounting-Start record for
1139        the connection will include the Acc-Vpsm-Oversubscribed attribute
1140        with a value of 2 (True).

1142     A summary of the Acc-Vpsm-Oversubscribed Attribute format within the
1143     ACC vendor-specific attribute is shown below. The fields are
1144     transmitted left-to-right.

1146      0                   1                   2                   3
1147      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1148     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1149     |     Type      |    Length     |             Value
1150     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1151                  Value (cont)       |
1152     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1154     Type

1156        20 for Acc-Vpsm-Oversubscribed

1158     Length

1160        6

1162     Value

1164        The value field is four octets.

1166        1    False
1167        2    True

1169  3.9 Acc-Acct-On-Off-Reason

1171     Description

1173        This attribute provides a reason code for why the Accounting-On or
1174        Accounting-Off message is sent.

1176     A summary of the Acc-Acct-On-Off-Reason Attribute format within the
1177     ACC vendor-specific attribute is shown below. The fields are
1178     transmitted left-to-right.

1180      0                   1                   2                   3
1181      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1182     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1183     |     Type      |    Length     |             Value
1184     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1185                  Value (cont)       |
1186     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1188     Type

1190        21 for Acc-Acct-On-Off-Reason

1192     Length

1194        6

1196     Value

1198        The value field is four octets.

1200        0    NAS Reset
1201        1    NAS Reload
1202        2    Configuration Reset
1203        3    Configuration Reload
1204        4    Enabled
1205        5    Disabled

1207  3.10 Acc-Tunnel-Port

1209     Description

1211        This attribute indicates the index of the Tunnel Port the dial-in
1212        user is connected to.

1214     A summary of the Acc-Tunnel-Port attribute format within the ACC
1215     vendor-specific attribute is shown below. The fields are transmitted
1216     left-to-right.

1218      0                   1                   2                   3
1219      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1220     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1221     |     Type      |    Length     |             Value
1222     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1223                  Value (cont)       |
1224     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

1226     Type

1228        22 for Acc-Tunnel-Port

1230     Length

1232        6

1234     Value

1236        The value field is four octets.

1238  4. Security Considerations

1240     Security issues regarding the RADIUS protocol are discussed in RFC
1241     2138 [RIG97a] and RFC 2139 [RIG97b]. The use of the Acc-Tunnel-Secret
1242     attribute is insecure. The Tunnel-Password attribute, defined in
1243     [ZOR98], should be used whenever possible, and the Acc-Tunnel-Secret
1244     attribute should only be used if the RADIUS server does not support
1245     salt encryption.

1247  5. References

1249     [ACC97a]  "Access Partitioning" White Paper,
1250               http://www.acc.com/internet/whitepapers/
1251               accesspartitioning.html, ACC, August 1997

1253     [ACC97b]  "RADIUS Implementation" White Paper,
1254               http://www.acc.com/internet/whitepapers/
1255               radiusimp.html, ACC, January 1998

1257     [COB95]   Cobb, S., PPP Internet Protocol Control Protocol
1258               Extensions for Name Server Addresses,
1259               RFC 1877, Microsoft, December 1995.

1261     [MCG92]   McGregor, G., PPP Internet Control Protocol,
1262               RFC 1332, Merit, May 1992.

1264     [RAN96]   Rand, D., The PPP Compression Control Protocol (CCP),
1265               RFC 1962, Novell, June 1996.

1267     [RIG97a]  Rigney, C., Remote Authentication Dial In User Service
1268               (RADIUS), RFC 2138, Livingston, April 1997.

1270     [RIG97b]  Rigney, C., et al, RADIUS Accounting,
1271               RFC 2139, Livingston, April 1997.

1273     [SKL96]   Sklower, K., et al, The PPP Multilink Protocol (MP),
1274               RFC 1990, UC Berkeley, August 1996.

1276     [SMI96]   Smith, K., Ascend's Multilink Protocol Plus (MP+),
1277               Ascend, RFC 1934, August 1996.

1279     [VAL97]   Valencia, et al., Layer Two Tunneling Protocol (L2TP),
1280               draft-ietf-pppext-l2tp-06.txt, June 1997.

1282     [ZOR98]   Zorn, G., et al, RADIUS Attributes for Tunnel
1283               Protocol Support, draft-ietf-radius-tunnel-auth-05.txt,
1284               Microsoft-Ascend-Shiva, April 1998.

1286  6. Expiration Date

1288     This document expires November 27, 1998.

1290  7. Author's Address

1292     Koral Ilgun
1293     Advanced Computer Communications
1294     340 Storke Road
1295     Santa Barbara, CA 93117

1297     Phone: (805) 961-0279

1299     EMail: koral@acc.com
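
The sub-attribute layouts in section 3 can be checked mechanically by a RADIUS accounting consumer. The parser below is an added example, not code from the draft or from ACC; it assumes the input is the sub-attribute octets carried inside the ACC vendor-specific attribute (outer header already removed) and that four-octet values are big-endian, as RADIUS integers are in RFC 2138. The names `parse_acc_subattrs`, `INT_TYPES`, `STR_TYPES`, `ENUMS` and `SAMPLE` are hypothetical.

```python
import struct

# Sub-attribute types from section 3. Integer types carry Length 6
# (Type + Length + four value octets); string types carry Length >= 3.
INT_TYPES = {1: "Acc-Reason-Code", 3: "Acc-Input-Errors", 4: "Acc-Output-Errors",
             15: "Acc-Clearing-Cause", 16: "Acc-Clearing-Location",
             20: "Acc-Vpsm-Oversubscribed", 21: "Acc-Acct-On-Off-Reason",
             22: "Acc-Tunnel-Port"}
STR_TYPES = {5: "Acc-Access-Partition", 6: "Acc-Customer-Id"}
# A few enumerated values copied from the tables in section 3 (not the full lists).
ENUMS = {"Acc-Reason-Code": {0: "no reason given/no failure", 36: "security violation",
                             43: "call cleared with cause"},
         "Acc-Clearing-Cause": {16: "normal clearing", 17: "user busy"},
         "Acc-Vpsm-Oversubscribed": {1: "False", 2: "True"}}


def parse_acc_subattrs(data: bytes):
    """Return [(name, value, label)] or raise ValueError on a malformed TLV."""
    out, off = [], 0
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError(f"truncated header at offset {off}")
        typ, length = data[off], data[off + 1]
        # Length counts the Type and Length octets; never trust it past the buffer.
        if length < 2 or off + length > len(data):
            raise ValueError(f"type {typ}: bad length {length} at offset {off}")
        value = data[off + 2:off + length]
        if typ in INT_TYPES:
            if length != 6:
                raise ValueError(f"{INT_TYPES[typ]}: length {length}, expected 6")
            name, num = INT_TYPES[typ], struct.unpack("!I", value)[0]
            out.append((name, num, ENUMS.get(name, {}).get(num)))
        elif typ in STR_TYPES:
            if length < 3:
                raise ValueError(f"{STR_TYPES[typ]}: empty string")
            out.append((STR_TYPES[typ], value.decode("ascii", "replace"), None))
        else:
            out.append((f"Unknown-{typ}", value, None))  # keep raw, do not guess
        off += length
    return out


# Constructed sample: Reason-Code 43, Clearing-Cause 17, Access-Partition "vpn-a".
SAMPLE = (bytes([1, 6]) + struct.pack("!I", 43) + bytes([15, 6]) +
          struct.pack("!I", 17) + bytes([5, 7]) + b"vpn-a")

if __name__ == "__main__":
    for row in parse_acc_subattrs(SAMPLE):
        print(row)
```

Rejecting a wrong Length outright, rather than reading whatever octets follow, keeps a malformed or hostile accounting record from shifting the parse of later sub-attributes.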