3. Diameter NAS Application Messages
This section defines the Diameter message Command Code [RFC6733] values that MUST be supported by all Diameter implementations conforming to this specification. The Command Codes are as follows:

   +-----------------------------------+---------+------+--------------+
   | Command Name                      | Abbrev. | Code | Reference    |
   +-----------------------------------+---------+------+--------------+
   | AA-Request                        | AAR     | 265  | Section 3.1  |
   | AA-Answer                         | AAA     | 265  | Section 3.2  |
   | Re-Auth-Request                   | RAR     | 258  | Section 3.3  |
   | Re-Auth-Answer                    | RAA     | 258  | Section 3.4  |
   | Session-Termination-Request       | STR     | 275  | Section 3.5  |
   | Session-Termination-Answer        | STA     | 275  | Section 3.6  |
   | Abort-Session-Request             | ASR     | 274  | Section 3.7  |
   | Abort-Session-Answer              | ASA     | 274  | Section 3.8  |
   | Accounting-Request                | ACR     | 271  | Section 3.9  |
   | Accounting-Answer                 | ACA     | 271  | Section 3.10 |
   +-----------------------------------+---------+------+--------------+

Note that the message formats in the following subsections use the standard Diameter Command Code Format ([RFC6733], Section 3.2).

3.1. AA-Request (AAR) Command
The AA-Request (AAR), which is indicated by setting the Command Code field to 265 and the 'R' bit in the Command Flags field, is used to request authentication and/or authorization for a given NAS user. The type of request is identified through the Auth-Request-Type AVP [RFC6733]. The recommended value for most situations is AUTHORIZE_AUTHENTICATE. If Authentication is requested, the User-Name attribute SHOULD be present, as well as any additional authentication AVPs that would carry the password information. A request for authorization SHOULD only include the information from which the authorization will be performed, such as the User-Name, Called-Station-Id, or Calling-Station-Id AVPs. All requests SHOULD contain AVPs uniquely identifying the source of the call, such as Origin-Host and NAS-Port. Certain networks MAY use different AVPs for authorization purposes. A request for authorization will include some AVPs defined in Section 4.4. It is possible for a single session to be authorized first and then for an authentication request to follow.
This AA-Request message MAY be the result of a multi-round authentication exchange, which occurs when the AA-Answer message is received with the Result-Code AVP set to DIAMETER_MULTI_ROUND_AUTH. A subsequent AAR message SHOULD be sent, with the User-Password AVP that includes the user's response to the prompt and MUST include any State AVPs that were present in the AAA message.

Message Format

   <AA-Request> ::= < Diameter Header: 265, REQ, PXY >
                    < Session-Id >
                    { Auth-Application-Id }
                    { Origin-Host }
                    { Origin-Realm }
                    { Destination-Realm }
                    { Auth-Request-Type }
                    [ Destination-Host ]
                    [ NAS-Identifier ]
                    [ NAS-IP-Address ]
                    [ NAS-IPv6-Address ]
                    [ NAS-Port ]
                    [ NAS-Port-Id ]
                    [ NAS-Port-Type ]
                    [ Origin-AAA-Protocol ]
                    [ Origin-State-Id ]
                    [ Port-Limit ]
                    [ User-Name ]
                    [ User-Password ]
                    [ Service-Type ]
                    [ State ]
                    [ Authorization-Lifetime ]
                    [ Auth-Grace-Period ]
                    [ Auth-Session-State ]
                    [ Callback-Number ]
                    [ Called-Station-Id ]
                    [ Calling-Station-Id ]
                    [ Originating-Line-Info ]
                    [ Connect-Info ]
                    [ CHAP-Auth ]
                    [ CHAP-Challenge ]
                  * [ Framed-Compression ]
                    [ Framed-Interface-Id ]
                    [ Framed-IP-Address ]
                  * [ Framed-IPv6-Prefix ]
                    [ Framed-IP-Netmask ]
                    [ Framed-MTU ]
                    [ Framed-Protocol ]
                    [ ARAP-Password ]
                    [ ARAP-Security ]
                  * [ ARAP-Security-Data ]
                  * [ Login-IP-Host ]
                  * [ Login-IPv6-Host ]
                    [ Login-LAT-Group ]
                    [ Login-LAT-Node ]
                    [ Login-LAT-Port ]
                    [ Login-LAT-Service ]
                  * [ Tunneling ]
                  * [ Proxy-Info ]
                  * [ Route-Record ]
                  * [ AVP ]

3.2. AA-Answer (AAA) Command
The AA-Answer (AAA) message is indicated by setting the Command Code field to 265 and clearing the 'R' bit in the Command Flags field. It is sent in response to the AA-Request (AAR) message. If authorization was requested, a successful response will include the authorization AVPs appropriate for the service being provided, as defined in Section 4.4. For authentication exchanges requiring more than a single round trip, the server MUST set the Result-Code AVP to DIAMETER_MULTI_ROUND_AUTH. An AAA message with this result code MAY include one Reply-Message or more and MAY include zero or one State AVPs. If the Reply-Message AVP was present, the network access server SHOULD send the text to the user's client to display to the user, instructing the client to prompt the user for a response. For example, this can be achieved in PPP via PAP. If it is impossible to deliver the text prompt to the user, the Diameter NAS Application client MUST treat the AA-Answer (AAA) with the Reply-Message AVP as an error and deny access.

Message Format

   <AA-Answer> ::= < Diameter Header: 265, PXY >
                   < Session-Id >
                   { Auth-Application-Id }
                   { Auth-Request-Type }
                   { Result-Code }
                   { Origin-Host }
                   { Origin-Realm }
                   [ User-Name ]
                   [ Service-Type ]
                 * [ Class ]
                 * [ Configuration-Token ]
                   [ Acct-Interim-Interval ]
                   [ Error-Message ]
                   [ Error-Reporting-Host ]
                 * [ Failed-AVP ]
                   [ Idle-Timeout ]
                   [ Authorization-Lifetime ]
                   [ Auth-Grace-Period ]
                   [ Auth-Session-State ]
                   [ Re-Auth-Request-Type ]
                   [ Multi-Round-Time-Out ]
                   [ Session-Timeout ]
                   [ State ]
                 * [ Reply-Message ]
                   [ Origin-AAA-Protocol ]
                   [ Origin-State-Id ]
                 * [ Filter-Id ]
                   [ Password-Retry ]
                   [ Port-Limit ]
                   [ Prompt ]
                   [ ARAP-Challenge-Response ]
                   [ ARAP-Features ]
                   [ ARAP-Security ]
                 * [ ARAP-Security-Data ]
                   [ ARAP-Zone-Access ]
                   [ Callback-Id ]
                   [ Callback-Number ]
                   [ Framed-Appletalk-Link ]
                 * [ Framed-Appletalk-Network ]
                   [ Framed-Appletalk-Zone ]
                 * [ Framed-Compression ]
                   [ Framed-Interface-Id ]
                   [ Framed-IP-Address ]
                 * [ Framed-IPv6-Prefix ]
                   [ Framed-IPv6-Pool ]
                 * [ Framed-IPv6-Route ]
                   [ Framed-IP-Netmask ]
                 * [ Framed-Route ]
                   [ Framed-Pool ]
                   [ Framed-IPX-Network ]
                   [ Framed-MTU ]
                   [ Framed-Protocol ]
                   [ Framed-Routing ]
                 * [ Login-IP-Host ]
                 * [ Login-IPv6-Host ]
                   [ Login-LAT-Group ]
                   [ Login-LAT-Node ]
                   [ Login-LAT-Port ]
                   [ Login-LAT-Service ]
                   [ Login-Service ]
                   [ Login-TCP-Port ]
                 * [ NAS-Filter-Rule ]
                 * [ QoS-Filter-Rule ]
                 * [ Tunneling ]
                 * [ Redirect-Host ]
                   [ Redirect-Host-Usage ]
                   [ Redirect-Max-Cache-Time ]
                 * [ Proxy-Info ]
                 * [ AVP ]

3.3. Re-Auth-Request (RAR) Command
A Diameter server can initiate reauthentication and/or reauthorization for a particular session by issuing a Re-Auth-Request (RAR) message [RFC6733]. For example, for prepaid services, the Diameter server that originally authorized a session may need some confirmation that the user is still using the services. If a NAS receives an RAR message with Session-Id equal to a currently active session and a Re-Auth-Type that includes authentication, it MUST initiate a reauthentication toward the user, if the service supports this particular feature.

Message Format

   <RA-Request> ::= < Diameter Header: 258, REQ, PXY >
                    < Session-Id >
                    { Origin-Host }
                    { Origin-Realm }
                    { Destination-Realm }
                    { Destination-Host }
                    { Auth-Application-Id }
                    { Re-Auth-Request-Type }
                    [ User-Name ]
                    [ Origin-AAA-Protocol ]
                    [ Origin-State-Id ]
                    [ NAS-Identifier ]
                    [ NAS-IP-Address ]
                    [ NAS-IPv6-Address ]
                    [ NAS-Port ]
                    [ NAS-Port-Id ]
                    [ NAS-Port-Type ]
                    [ Service-Type ]
                    [ Framed-IP-Address ]
                    [ Framed-IPv6-Prefix ]
                    [ Framed-Interface-Id ]
                    [ Called-Station-Id ]
                    [ Calling-Station-Id ]
                    [ Originating-Line-Info ]
                    [ Acct-Session-Id ]
                    [ Acct-Multi-Session-Id ]
                    [ State ]
                  * [ Class ]
                    [ Reply-Message ]
                  * [ Proxy-Info ]
                  * [ Route-Record ]
                  * [ AVP ]

3.4. Re-Auth-Answer (RAA) Command
The Re-Auth-Answer (RAA) message [RFC6733] is sent in response to the RAR. The Result-Code AVP MUST be present and indicates the disposition of the request. A successful RAA transaction MUST be followed by an AAR message.

Message Format

   <RA-Answer> ::= < Diameter Header: 258, PXY >
                   < Session-Id >
                   { Result-Code }
                   { Origin-Host }
                   { Origin-Realm }
                   [ User-Name ]
                   [ Origin-AAA-Protocol ]
                   [ Origin-State-Id ]
                   [ Error-Message ]
                   [ Error-Reporting-Host ]
                 * [ Failed-AVP ]
                 * [ Redirected-Host ]
                   [ Redirected-Host-Usage ]
                   [ Redirected-Host-Cache-Time ]
                   [ Service-Type ]
                 * [ Configuration-Token ]
                   [ Idle-Timeout ]
                   [ Authorization-Lifetime ]
                   [ Auth-Grace-Period ]
                   [ Re-Auth-Request-Type ]
                   [ State ]
                 * [ Class ]
                 * [ Reply-Message ]
                   [ Prompt ]
                 * [ Proxy-Info ]
                 * [ AVP ]

3.5. Session-Termination-Request (STR) Command
The Session-Termination-Request (STR) message [RFC6733] is sent by the NAS to inform the Diameter server that an authenticated and/or authorized session is being terminated.

Message Format

   <ST-Request> ::= < Diameter Header: 275, REQ, PXY >
                    < Session-Id >
                    { Origin-Host }
                    { Origin-Realm }
                    { Destination-Realm }
                    { Auth-Application-Id }
                    { Termination-Cause }
                    [ User-Name ]
                    [ Destination-Host ]
                  * [ Class ]
                    [ Origin-AAA-Protocol ]
                    [ Origin-State-Id ]
                  * [ Proxy-Info ]
                  * [ Route-Record ]
                  * [ AVP ]

3.6. Session-Termination-Answer (STA) Command
The Session-Termination-Answer (STA) message [RFC6733] is sent by the Diameter server to acknowledge the notification that the session has been terminated. The Result-Code AVP MUST be present and MAY contain an indication that an error occurred while the STR was being serviced. Upon sending the STA, the Diameter server MUST release all resources for the session indicated by the Session-Id AVP. Any intermediate server in the Proxy-Chain MAY also release any resources, if necessary.
Message Format

   <ST-Answer> ::= < Diameter Header: 275, PXY >
                   < Session-Id >
                   { Result-Code }
                   { Origin-Host }
                   { Origin-Realm }
                   [ User-Name ]
                 * [ Class ]
                   [ Error-Message ]
                   [ Error-Reporting-Host ]
                 * [ Failed-AVP ]
                   [ Origin-AAA-Protocol ]
                   [ Origin-State-Id ]
                 * [ Redirect-Host ]
                   [ Redirect-Host-Usage ]
                   [ Redirect-Max-Cache-Time ]
                 * [ Proxy-Info ]
                 * [ AVP ]

3.7. Abort-Session-Request (ASR) Command
The Abort-Session-Request (ASR) message [RFC6733] can be sent by any Diameter server to the NAS providing session service to request that the session identified by the Session-Id be stopped.

Message Format

   <AS-Request> ::= < Diameter Header: 274, REQ, PXY >
                    < Session-Id >
                    { Origin-Host }
                    { Origin-Realm }
                    { Destination-Realm }
                    { Destination-Host }
                    { Auth-Application-Id }
                    [ User-Name ]
                    [ Origin-AAA-Protocol ]
                    [ Origin-State-Id ]
                    [ NAS-Identifier ]
                    [ NAS-IP-Address ]
                    [ NAS-IPv6-Address ]
                    [ NAS-Port ]
                    [ NAS-Port-Id ]
                    [ NAS-Port-Type ]
                    [ Service-Type ]
                    [ Framed-IP-Address ]
                    [ Framed-IPv6-Prefix ]
                    [ Framed-Interface-Id ]
                    [ Called-Station-Id ]
                    [ Calling-Station-Id ]
                    [ Originating-Line-Info ]
                    [ Acct-Session-Id ]
                    [ Acct-Multi-Session-Id ]
                    [ State ]
                  * [ Class ]
                  * [ Reply-Message ]
                  * [ Proxy-Info ]
                  * [ Route-Record ]
                  * [ AVP ]

3.8. Abort-Session-Answer (ASA) Command
The ASA message [RFC6733] is sent in response to the ASR. The Result-Code AVP MUST be present and indicates the disposition of the request. If the session identified by Session-Id in the ASR was successfully terminated, the Result-Code is set to DIAMETER_SUCCESS. If the session is not currently active, the Result-Code AVP is set to DIAMETER_UNKNOWN_SESSION_ID. If the access device does not stop the session for any other reason, the Result-Code AVP is set to DIAMETER_UNABLE_TO_COMPLY.

Message Format

   <AS-Answer> ::= < Diameter Header: 274, PXY >
                   < Session-Id >
                   { Result-Code }
                   { Origin-Host }
                   { Origin-Realm }
                   [ User-Name ]
                   [ Origin-AAA-Protocol ]
                   [ Origin-State-Id ]
                   [ State ]
                   [ Error-Message ]
                   [ Error-Reporting-Host ]
                 * [ Failed-AVP ]
                 * [ Redirected-Host ]
                   [ Redirected-Host-Usage ]
                   [ Redirected-Max-Cache-Time ]
                 * [ Proxy-Info ]
                 * [ AVP ]
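The NAS side of the two server-initiated commands in Sections 3.3/3.4 (RAR/RAA) and 3.7/3.8 (ASR/ASA), as an added example that is not code from RFC 7155: an ASR is answered with DIAMETER_SUCCESS, DIAMETER_UNKNOWN_SESSION_ID or DIAMETER_UNABLE_TO_COMPLY exactly as the text above assigns them, and a successful RAA is followed by a new AAR that echoes any State and Class AVPs the server sent. The Result-Code and Re-Auth-Request-Type numeric values are the RFC 6733 constants; the `Nas` class, its session table, the `stop_port` callback and the sample sessions are constructed for this example, and mapping an unknown session in an RAR to DIAMETER_UNKNOWN_SESSION_ID is an assumption (the page only states that mapping for the ASR).

```python
"""Constructed NAS-side handler for RAR and ASR (added example, not RFC 7155 code)."""

DIAMETER_SUCCESS = 2001              # RFC 6733 Result-Code values
DIAMETER_UNKNOWN_SESSION_ID = 5002
DIAMETER_UNABLE_TO_COMPLY = 5012
AUTHORIZE_ONLY = 0                   # Re-Auth-Request-Type values (RFC 6733)
AUTHORIZE_AUTHENTICATE = 1
AUTH_REQUEST_AUTHORIZE_ONLY = 2      # Auth-Request-Type values (RFC 6733)
AUTH_REQUEST_AUTHORIZE_AUTHENTICATE = 3
NASREQ_APP_ID = 1                    # Auth-Application-Id of this application


class Nas:
    """Hypothetical NAS keeping an in-memory table of active sessions."""

    def __init__(self, host, realm, stop_port):
        self.host, self.realm = host, realm
        self.stop_port = stop_port   # callable(port) -> True if the port was torn down
        self.active = {}             # Session-Id -> {"user": ..., "port": ...}

    def start(self, session_id, user, port):
        self.active[session_id] = {"user": user, "port": port}

    def _answer(self, req, code, extra=None):
        ans = {"Session-Id": req["Session-Id"], "Result-Code": code,
               "Origin-Host": self.host, "Origin-Realm": self.realm}
        ans.update(extra or {})
        return ans

    def handle_asr(self, asr):
        """Abort-Session-Request -> Abort-Session-Answer (Section 3.8 rules)."""
        sid = asr["Session-Id"]
        sess = self.active.get(sid)
        if sess is None:
            return self._answer(asr, DIAMETER_UNKNOWN_SESSION_ID)   # not active
        if not self.stop_port(sess["port"]):
            return self._answer(asr, DIAMETER_UNABLE_TO_COMPLY)     # could not stop it
        del self.active[sid]
        return self._answer(asr, DIAMETER_SUCCESS, {"User-Name": sess["user"]})

    def handle_rar(self, rar):
        """Re-Auth-Request -> (RAA, follow-up AAR or None).
        A successful RAA MUST be followed by an AAR; the AAR asks for
        authentication only when the Re-Auth-Request-Type includes it."""
        sid = rar["Session-Id"]
        sess = self.active.get(sid)
        if sess is None:
            # Assumption: unknown session answered like an ASR (5002).
            return self._answer(rar, DIAMETER_UNKNOWN_SESSION_ID), None
        echoed = {k: rar[k] for k in ("State", "Class") if k in rar}
        raa = self._answer(rar, DIAMETER_SUCCESS, dict(echoed, **{"User-Name": sess["user"]}))
        reauth = rar["Re-Auth-Request-Type"] == AUTHORIZE_AUTHENTICATE
        aar = {"Session-Id": sid, "Auth-Application-Id": NASREQ_APP_ID,
               "Origin-Host": self.host, "Origin-Realm": self.realm,
               "Destination-Realm": rar["Origin-Realm"],
               "Destination-Host": rar["Origin-Host"],
               "Auth-Request-Type": (AUTH_REQUEST_AUTHORIZE_AUTHENTICATE if reauth
                                     else AUTH_REQUEST_AUTHORIZE_ONLY),
               "User-Name": sess["user"], "NAS-Port": sess["port"], **echoed}
        return raa, aar


if __name__ == "__main__":
    nas = Nas("nas.example.net", "example.net", stop_port=lambda port: port != 7)
    nas.start("aaa.example.net;1;1", "alice", 3)   # constructed sample sessions
    nas.start("aaa.example.net;1;2", "bob", 7)
    print(nas.handle_asr({"Session-Id": "aaa.example.net;1;1"})["Result-Code"])  # 2001
    print(nas.handle_asr({"Session-Id": "aaa.example.net;1;2"})["Result-Code"])  # 5012
```

The `stop_port` callback stands in for whatever the access device does to tear down the port; when it reports failure the session stays in the table and the answer is DIAMETER_UNABLE_TO_COMPLY, so the server can retry rather than assume the session is gone.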
3.9. Accounting-Request (ACR) Command
The ACR message [RFC6733] is sent by the NAS to report its session information to a target server downstream. The Acct-Application-Id AVP MUST be present. The AVPs listed in the Diameter Base protocol specification [RFC6733] MUST be assumed to be present, as appropriate. NAS service-specific accounting AVPs SHOULD be present as described in Section 4.6 and the rest of this specification.

Message Format

   <AC-Request> ::= < Diameter Header: 271, REQ, PXY >
                    < Session-Id >
                    { Origin-Host }
                    { Origin-Realm }
                    { Destination-Realm }
                    { Accounting-Record-Type }
                    { Accounting-Record-Number }
                    { Acct-Application-Id }
                    [ User-Name ]
                    [ Accounting-Sub-Session-Id ]
                    [ Acct-Session-Id ]
                    [ Acct-Multi-Session-Id ]
                    [ Origin-AAA-Protocol ]
                    [ Origin-State-Id ]
                    [ Destination-Host ]
                    [ Event-Timestamp ]
                    [ Acct-Delay-Time ]
                    [ NAS-Identifier ]
                    [ NAS-IP-Address ]
                    [ NAS-IPv6-Address ]
                    [ NAS-Port ]
                    [ NAS-Port-Id ]
                    [ NAS-Port-Type ]
                  * [ Class ]
                    [ Service-Type ]
                    [ Termination-Cause ]
                    [ Accounting-Input-Octets ]
                    [ Accounting-Input-Packets ]
                    [ Accounting-Output-Octets ]
                    [ Accounting-Output-Packets ]
                    [ Acct-Authentic ]
                    [ Accounting-Auth-Method ]
                    [ Acct-Link-Count ]
                    [ Acct-Session-Time ]
                    [ Acct-Tunnel-Connection ]
                    [ Acct-Tunnel-Packets-Lost ]
                    [ Callback-Id ]
                    [ Callback-Number ]
                    [ Called-Station-Id ]
                    [ Calling-Station-Id ]
                  * [ Connection-Info ]
                    [ Originating-Line-Info ]
                    [ Authorization-Lifetime ]
                    [ Session-Timeout ]
                    [ Idle-Timeout ]
                    [ Port-Limit ]
                    [ Accounting-Realtime-Required ]
                    [ Acct-Interim-Interval ]
                  * [ Filter-Id ]
                  * [ NAS-Filter-Rule ]
                  * [ QoS-Filter-Rule ]
                    [ Framed-Appletalk-Link ]
                    [ Framed-Appletalk-Network ]
                    [ Framed-Appletalk-Zone ]
                    [ Framed-Compression ]
                    [ Framed-Interface-Id ]
                    [ Framed-IP-Address ]
                    [ Framed-IP-Netmask ]
                  * [ Framed-IPv6-Prefix ]
                    [ Framed-IPv6-Pool ]
                  * [ Framed-IPv6-Route ]
                    [ Framed-IPX-Network ]
                    [ Framed-MTU ]
                    [ Framed-Pool ]
                    [ Framed-Protocol ]
                  * [ Framed-Route ]
                    [ Framed-Routing ]
                  * [ Login-IP-Host ]
                  * [ Login-IPv6-Host ]
                    [ Login-LAT-Group ]
                    [ Login-LAT-Node ]
                    [ Login-LAT-Port ]
                    [ Login-LAT-Service ]
                    [ Login-Service ]
                    [ Login-TCP-Port ]
                  * [ Tunneling ]
                  * [ Proxy-Info ]
                  * [ Route-Record ]
                  * [ AVP ]
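A small checker for the Command Code Format grammars used throughout Section 3, as an added example that is not code from RFC 7155: it reads the `< >` (fixed), `{ }` (mandatory), `[ ]` (optional) and leading `*` (any number) notation and reports which AVPs a message is missing or repeats too often. The grammar string is an abridged copy of the AC-Request format above; the regular expression, the `parse_ccf`/`validate` helpers, the `STOP_RECORD` value (the RFC 6733 Accounting-Record-Type value 4) and the sample ACR are constructed for this example.

```python
"""Constructed CCF checker (added example, not RFC 7155 code)."""
import re
from collections import Counter

# Abridged copy of the AC-Request CCF from Section 3.9: < > fixed,
# { } mandatory, [ ] optional, leading * = any number of occurrences.
ACR_CCF = """
< Session-Id > { Origin-Host } { Origin-Realm } { Destination-Realm }
{ Accounting-Record-Type } { Accounting-Record-Number } { Acct-Application-Id }
[ User-Name ] [ Acct-Session-Id ] [ Destination-Host ] [ Event-Timestamp ]
[ NAS-Port ] * [ Class ] [ Termination-Cause ] [ Acct-Session-Time ]
* [ Proxy-Info ] * [ Route-Record ] * [ AVP ]
"""

STOP_RECORD = 4            # Accounting-Record-Type value from RFC 6733
ACCT_APP_ID = 1            # Acct-Application-Id of this application

_RULE = re.compile(r"(\*?)\s*([<{\[])\s*([A-Za-z0-9-]+)\s*[>}\]]")


def parse_ccf(ccf):
    """Return {avp_name: (min_count, max_count)}; max None means unbounded.
    The '* [ AVP ]' wildcard is recorded under the key 'AVP'."""
    rules = {}
    for star, bracket, name in _RULE.findall(ccf):
        lo = 0 if bracket == "[" else 1          # < > and { } are required
        hi = None if star else 1
        rules[name] = (lo, hi)
    return rules


def validate(avps, rules):
    """avps: list of (name, value) pairs in message order.
    Returns a list of violations; an empty list means the message conforms."""
    counts = Counter(name for name, _ in avps)
    problems = []
    for name, (lo, hi) in rules.items():
        if name == "AVP":
            continue
        n = counts.get(name, 0)
        if n < lo:
            problems.append(f"missing mandatory AVP {name}")
        if hi is not None and n > hi:
            problems.append(f"AVP {name} appears {n} times, max {hi}")
    if "AVP" not in rules:                        # no wildcard: nothing else allowed
        problems.extend(f"unexpected AVP {name}" for name in counts if name not in rules)
    return problems


# Constructed sample STOP record from a NAS.
SAMPLE_ACR = [
    ("Session-Id", "nas.example.net;1;42"),
    ("Origin-Host", "nas.example.net"),
    ("Origin-Realm", "example.net"),
    ("Destination-Realm", "example.net"),
    ("Accounting-Record-Type", STOP_RECORD),
    ("Accounting-Record-Number", 3),
    ("Acct-Application-Id", ACCT_APP_ID),
    ("User-Name", "alice"),
    ("Class", b"billing-plan-a"),
    ("Class", b"pop-west"),
    ("Acct-Session-Time", 3600),
    ("Framed-IP-Address", b"\xc0\x00\x02\x07"),   # allowed through * [ AVP ]
]


def check_sample():
    return validate(SAMPLE_ACR, parse_ccf(ACR_CCF))


if __name__ == "__main__":
    print(check_sample() or "sample ACR conforms")
```

Because every command in this section ends with `* [ AVP ]`, an unknown AVP is never a grammar violation here; the unexpected-AVP branch only fires for grammars without that wildcard.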
3.10. Accounting-Answer (ACA) Command
The ACA message [RFC6733] is used to acknowledge an Accounting-Request command. The Accounting-Answer command contains the same Session-Id as the Request. Only the target Diameter server or home Diameter server SHOULD respond with the Accounting-Answer command. The Acct-Application-Id AVP MUST be present. The AVPs listed in the Diameter Base protocol specification [RFC6733] MUST be assumed to be present, as appropriate. NAS service-specific accounting AVPs SHOULD be present as described in Section 4.6 and the rest of this specification.

Message Format

   <AC-Answer> ::= < Diameter Header: 271, PXY >
                   < Session-Id >
                   { Result-Code }
                   { Origin-Host }
                   { Origin-Realm }
                   { Accounting-Record-Type }
                   { Accounting-Record-Number }
                   { Acct-Application-Id }
                   [ User-Name ]
                   [ Accounting-Sub-Session-Id ]
                   [ Acct-Session-Id ]
                   [ Acct-Multi-Session-Id ]
                   [ Event-Timestamp ]
                   [ Error-Message ]
                   [ Error-Reporting-Host ]
                 * [ Failed-AVP ]
                   [ Origin-AAA-Protocol ]
                   [ Origin-State-Id ]
                   [ NAS-Identifier ]
                   [ NAS-IP-Address ]
                   [ NAS-IPv6-Address ]
                   [ NAS-Port ]
                   [ NAS-Port-Id ]
                   [ NAS-Port-Type ]
                   [ Service-Type ]
                   [ Termination-Cause ]
                   [ Accounting-Realtime-Required ]
                   [ Acct-Interim-Interval ]
                 * [ Class ]
                 * [ Proxy-Info ]
                 * [ AVP ]

4. Diameter NAS Application AVPs
The following sections define a new derived AVP data format, define a set of application-specific AVPs, and describe the use of AVPs defined in other documents by the Diameter NAS Application.

4.1. Derived AVP Data Formats
4.1.1. QoSFilterRule
The QosFilterRule format is derived from the OctetString AVP Base Format. It uses the US-ASCII charset. Packets may be marked or metered based on the following information:

   o  Direction (in or out)
   o  Source and destination IP address (possibly masked)
   o  Protocol
   o  Source and destination port (lists or ranges)
   o  Differentiated Services Code Point (DSCP) values (no mask or range)

Rules for the appropriate direction are evaluated in order; the first matched rule terminates the evaluation. Each packet is evaluated once. If no rule matches, the packet is treated as best effort. An access device unable to interpret or apply a QoS rule SHOULD NOT terminate the session.
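A parser and first-match evaluator for the QoSFilterRule syntax of this section (`action dir proto from src to dst [options]`), as an added example that is not code from RFC 7155. It applies the evaluation rules just stated: only rules for the packet's direction are considered, the first match wins, each packet is evaluated once, and no match means best effort (`None`). The `src`/`dst` forms handled are the IPFilterRule address forms the text refers to (`any`, or an IPv4/IPv6 address with optional `/mask` and an optional port list or range); the option keywords are defined in Section 4.4.9, which is not reproduced here, so options are kept as an opaque token list. The `QoSRule`/`Endpoint` classes, sample rules (including their option tokens) and sample packets are constructed for this example.

```python
"""Constructed QoSFilterRule parser and evaluator (added example, not RFC 7155 code)."""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Endpoint:
    net: object = None                          # ip_network, or None for 'any'
    ports: list = field(default_factory=list)   # list of (lo, hi); empty = all ports

    def matches(self, addr, port):
        if self.net is not None and ipaddress.ip_address(addr) not in self.net:
            return False                        # also False on IPv4/IPv6 mismatch
        return not self.ports or any(lo <= port <= hi for lo, hi in self.ports)


def _parse_endpoint(tokens):
    """Consume one '<address/mask> [ports]' group from the front of tokens."""
    spec = tokens.pop(0)
    net = None if spec == "any" else ipaddress.ip_network(spec, strict=False)
    ports = []
    if tokens and re.fullmatch(r"[\d,-]+", tokens[0]):     # optional port list/ranges
        for part in tokens.pop(0).split(","):
            lo, _, hi = part.partition("-")
            ports.append((int(lo), int(hi or lo)))
    return Endpoint(net, ports)


@dataclass
class QoSRule:
    action: str          # tag | meter
    direction: str       # in | out
    proto: str           # 'ip' or a protocol name/number, as in IPFilterRule
    src: Endpoint
    dst: Endpoint
    options: list        # opaque option tokens (Section 4.4.9 syntax not parsed here)


def parse_rule(text):
    tokens = text.split()
    if len(tokens) < 7 or tokens[3] != "from":
        raise ValueError(f"malformed QoSFilterRule: {text!r}")
    action, direction, proto = tokens[0], tokens[1], tokens[2]
    if action not in ("tag", "meter") or direction not in ("in", "out"):
        raise ValueError(f"bad action/direction in rule: {text!r}")
    rest = tokens[4:]
    src = _parse_endpoint(rest)
    if not rest or rest.pop(0) != "to":
        raise ValueError(f"expected 'to' in rule: {text!r}")
    dst = _parse_endpoint(rest)
    return QoSRule(action, direction, proto, src, dst, rest)


def evaluate(rules, direction, proto, src, sport, dst, dport):
    """Return the first rule matching the packet, or None (best effort)."""
    for rule in rules:
        if rule.direction != direction or rule.proto not in ("ip", proto):
            continue
        if rule.src.matches(src, sport) and rule.dst.matches(dst, dport):
            return rule
    return None


# Constructed sample rule set; the trailing option tokens are illustrative only.
SAMPLE_RULES = [parse_rule(r) for r in (
    "tag in tcp from 192.0.2.0/24 to any 443 DSCP AF41",
    "meter in ip from any to 198.51.100.10 metering 1000 AF11 BE",
    "tag out udp from 2001:db8::/32 5060 to any DSCP EF",
)]

if __name__ == "__main__":
    hit = evaluate(SAMPLE_RULES, "in", "tcp", "192.0.2.7", 51000, "203.0.113.5", 443)
    print(hit.action, hit.options)    # tag ['DSCP', 'AF41']
```

The evaluator deliberately does nothing for a packet with no matching rule and never raises on one, which is the behaviour the section asks for: an unmatched packet is best effort, and an access device that cannot apply a rule still keeps the session up.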
QoSFilterRule filters MUST follow the following format:

   action dir proto from src to dst [options]

where

   action       tag    Mark packet with a specific DSCP [RFC2474]
                meter  Meter traffic

   dir          The format is as described under IPFilterRule [RFC6733]

   proto        The format is as described under IPFilterRule [RFC6733]

   src and dst  The format is as described under IPFilterRule [RFC6733]

The options are described in Section 4.4.9.

The rule syntax is a modified subset of ipfw(8) from FreeBSD, and the ipfw.c code may provide a useful base for implementations.

4.2. NAS Session AVPs
Diameter reserves the AVP Codes 0 - 255 for RADIUS Attributes that are implemented in Diameter.

4.2.1. Call and Session Information
This section describes the AVPs specific to Diameter applications that are needed to identify the call and session context and status information. On a request, this information allows the server to qualify the session. These AVPs are used in addition to the following AVPs from the Diameter Base protocol specification [RFC6733]:

   Session-Id
   Auth-Application-Id
   Origin-Host
   Origin-Realm
   Auth-Request-Type
   Termination-Cause
The following table gives the possible flag values for the session level AVPs.

                                            +-----------+
                                            | AVP Flag  |
                                            |   Rules   |
                                            |-----+-----|
                                            |MUST | MUST|
   Attribute Name           Section Defined |     |  NOT|
   -----------------------------------------|-----+-----|
   NAS-Port                 4.2.2           |  M  |  V  |
   NAS-Port-Id              4.2.3           |  M  |  V  |
   NAS-Port-Type            4.2.4           |  M  |  V  |
   Called-Station-Id        4.2.5           |  M  |  V  |
   Calling-Station-Id       4.2.6           |  M  |  V  |
   Connect-Info             4.2.7           |  M  |  V  |
   Originating-Line-Info    4.2.8           |  M  |  V  |
   Reply-Message            4.2.9           |  M  |  V  |
   -----------------------------------------|-----+-----|

4.2.2. NAS-Port AVP
The NAS-Port AVP (AVP Code 5) is of type Unsigned32 and contains the physical or virtual port number of the NAS, which authenticates the user. Note that "port" is meant in its sense as a service connection on the NAS, not as an IP protocol identifier; hence, the format and contents of the string that identifies the port are specific to the NAS implementation. Either the NAS-Port AVP or the NAS-Port-Id AVP (Section 4.2.3) SHOULD be present in the AA-Request (AAR, Section 3.1) command if the NAS differentiates among its ports.

4.2.3. NAS-Port-Id AVP
The NAS-Port-Id AVP (AVP Code 87) is of type UTF8String and consists of 7-bit US-ASCII text identifying the port of the NAS authenticating the user. Note that "port" is meant in its sense as a service connection on the NAS, not as an IP protocol identifier. Either the NAS-Port-Id AVP or the NAS-Port AVP (Section 4.2.2) SHOULD be present in the AA-Request (AAR, Section 3.1) command if the NAS differentiates among its ports. NAS-Port-Id is intended for use by NASes that cannot conveniently number their ports.
4.2.4. NAS-Port-Type AVP
The NAS-Port-Type AVP (AVP Code 61) is of type Enumerated and contains the type of the port on which the NAS is authenticating the user. This AVP SHOULD be present if the NAS uses the same NAS-Port number ranges for different service types concurrently. The currently supported values of the NAS-Port-Type AVP are listed in [RADIUSAttrVals].

4.2.5. Called-Station-Id AVP
The Called-Station-Id AVP (AVP Code 30) is of type UTF8String and contains a 7-bit US-ASCII string sent by the NAS to describe the Layer 2 address the user contacted in the request. For dialup access, this can be a phone number obtained by using the Dialed Number Identification Service (DNIS) or a similar technology. Note that this may be different from the phone number the call comes in on. For use with IEEE 802 access, the Called-Station-Id MAY contain a Media Access Control (MAC) address formatted as described in [RFC3580]. If the Called-Station-Id AVP is present in an AAR message, the Auth-Request-Type AVP is set to AUTHORIZE_ONLY, and the User-Name AVP is absent, the Diameter server MAY perform authorization based on this AVP. This can be used by a NAS to request whether a call should be answered based on the DNIS result. Further codification of this field's allowed content and usage is outside the scope of this specification.

4.2.6. Calling-Station-Id AVP
The Calling-Station-Id AVP (AVP Code 31) is of type UTF8String and contains a 7-bit US-ASCII string sent by the NAS to describe the Layer 2 address from which the user connected in the request. For dialup access, this is the phone number the call came from, using Automatic Number Identification (ANI) or a similar technology. For use with IEEE 802 access, the Calling-Station-Id AVP MAY contain a MAC address, formatted as described in RFC 3580. If the Calling-Station-Id AVP is present in an AAR message, the Auth-Request-Type AVP is set to AUTHORIZE_ONLY, and the User-Name AVP is absent, the Diameter server MAY perform authorization based on the value of this AVP. This can be used by a NAS to request whether a call should be answered based on the Layer 2 address (ANI, MAC Address, etc.).

Further codification of this field's allowed content and usage is outside the scope of this specification.

4.2.7. Connect-Info AVP
The Connect-Info AVP (AVP Code 77) is of type UTF8String and is sent in the AA-Request message or an ACR message with the value of the Accounting-Record-Type AVP set to STOP. When sent in the AA-Request, it indicates the nature of the user's connection. The connection speed SHOULD be included at the beginning of the first Connect-Info AVP in the message. If the transmit and receive connection speeds differ, both may be included in the first AVP with the transmit speed listed first (the speed at which the NAS modem transmits), then a slash (/), then the receive speed, and then other optional information. For example:

   "28800 V42BIS/LAPM" or "52000/31200 V90"

If sent in an ACR message with the value of the Accounting-Record-Type AVP set to STOP, this attribute may summarize statistics relating to session quality. For example, in IEEE 802.11, the Connect-Info AVP may contain information on the number of link layer retransmissions. The exact format of this attribute is implementation specific.

4.2.8. Originating-Line-Info AVP
The Originating-Line-Info AVP (AVP Code 94) is of type OctetString and is sent by the NAS system to convey information about the origin of the call from a Signaling System 7 (SS7). The Originating Line Information (OLI) element indicates the nature and/or characteristics of the line from which a call originated (e.g., pay phone, hotel phone, cellular phone). Telephone companies are starting to offer OLI to their customers as an option over Primary Rate Interface (PRI). Internet Service Providers (ISPs) can use OLI in addition to Called-Station-Id and Calling-Station-Id attributes to differentiate customer calls and to define different services. The Value field contains two octets (00 - 99). ANSI T1.113 and BELLCORE 394 can be used for additional information about these values and their use. For information on the currently assigned values, see [ANITypes].
4.2.9. Reply-Message AVP
The Reply-Message AVP (AVP Code 18) is of type UTF8String and contains text that MAY be displayed to the user. When used in an AA-Answer message with a successful Result-Code AVP, it indicates success. When found in an AAA message with a Result-Code other than DIAMETER_SUCCESS, the AVP contains a failure message. The Reply-Message AVP MAY contain text to prompt the user before another AA-Request attempt. When used in an AA-Answer message containing a Result-Code AVP with the value DIAMETER_MULTI_ROUND_AUTH or in a Re-Auth-Request message, it MAY contain text to prompt the user for a response.

4.3. NAS Authentication AVPs
This section defines the AVPs necessary to carry the authentication information in the Diameter protocol. The functionality defined here provides a RADIUS-like Authentication, Authorization, and Accounting service [RFC2865] over a more reliable and secure transport, as defined in the Diameter Base protocol [RFC6733].

The following table gives the possible flag values for the session level AVPs.

                                            +-----------+
                                            | AVP Flag  |
                                            |   Rules   |
                                            |-----+-----|
                                            |MUST | MUST|
   Attribute Name           Section Defined |     |  NOT|
   -----------------------------------------|-----+-----|
   User-Password            4.3.1           |  M  |  V  |
   Password-Retry           4.3.2           |  M  |  V  |
   Prompt                   4.3.3           |  M  |  V  |
   CHAP-Auth                4.3.4           |  M  |  V  |
   CHAP-Algorithm           4.3.5           |  M  |  V  |
   CHAP-Ident               4.3.6           |  M  |  V  |
   CHAP-Response            4.3.7           |  M  |  V  |
   CHAP-Challenge           4.3.8           |  M  |  V  |
   ARAP-Password            4.3.9           |  M  |  V  |
   ARAP-Challenge-Response  4.3.10          |  M  |  V  |
   ARAP-Security            4.3.11          |  M  |  V  |
   ARAP-Security-Data       4.3.12          |  M  |  V  |
   -----------------------------------------|-----+-----|
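The multi-round authentication exchange described in Sections 3.1, 3.2 and 4.2.9, carried with the User-Password, State and Reply-Message AVPs of this section, as an added example with both sides' messages (not code from RFC 7155): the server answers the first AAR with DIAMETER_MULTI_ROUND_AUTH, a prompt and a State AVP; the NAS shows the prompt, sends a second AAR carrying the user's reply in User-Password and echoing the State AVP; and if the prompt cannot be delivered the NAS treats the answer as an error and denies access. The Result-Code and Auth-Request-Type numbers are the RFC 6733 constants; the `Server` and `nas_login` code, the HMAC-bound State encoding (so a State echoed into a different session is detected) and the sample user data are constructed for this example.

```python
"""Constructed two-round AAR/AAA exchange (added example, not RFC 7155 code)."""
import hashlib
import hmac
import os

DIAMETER_MULTI_ROUND_AUTH = 1001          # Result-Code values from RFC 6733
DIAMETER_SUCCESS = 2001
DIAMETER_AUTHENTICATION_REJECTED = 4001
AUTHORIZE_AUTHENTICATE = 3                # Auth-Request-Type value from RFC 6733
NASREQ_APP_ID = 1                         # Auth-Application-Id of this application


class Server:
    """Hypothetical server: round 1 prompts for a one-time code, round 2 checks it.
    State = 8-byte nonce || HMAC-SHA256(key, Session-Id || nonce), so the server
    can verify that an echoed State is the one it issued for this session."""

    def __init__(self, codes, key=None):
        self.codes = codes                        # constructed: user -> expected code
        self.key = key if key is not None else os.urandom(16)

    def _state(self, session_id, nonce):
        tag = hmac.new(self.key, session_id.encode() + nonce, hashlib.sha256).digest()
        return nonce + tag

    def handle_aar(self, aar):
        sid = aar["Session-Id"]
        if "State" not in aar:                    # first round: issue the prompt
            return {"Session-Id": sid, "Result-Code": DIAMETER_MULTI_ROUND_AUTH,
                    "Reply-Message": ["Enter your one-time code:"],
                    "State": self._state(sid, os.urandom(8))}
        state = aar["State"]
        if len(state) != 40 or not hmac.compare_digest(self._state(sid, state[:8]), state):
            return {"Session-Id": sid, "Result-Code": DIAMETER_AUTHENTICATION_REJECTED}
        expected = self.codes.get(aar.get("User-Name"), b"")
        ok = expected and hmac.compare_digest(expected, aar.get("User-Password", b""))
        return {"Session-Id": sid,
                "Result-Code": DIAMETER_SUCCESS if ok else DIAMETER_AUTHENTICATION_REJECTED}


def nas_login(server, session_id, user, prompt_user, max_rounds=3):
    """NAS side. prompt_user(text) returns the user's reply, or None when the
    prompt cannot be shown to the user. Returns (access_granted, rounds_used)."""
    aar = {"Session-Id": session_id, "Auth-Application-Id": NASREQ_APP_ID,
           "Origin-Host": "nas.example.net", "Origin-Realm": "example.net",
           "Destination-Realm": "example.net",
           "Auth-Request-Type": AUTHORIZE_AUTHENTICATE, "User-Name": user}
    for rounds in range(1, max_rounds + 1):
        aaa = server.handle_aar(aar)
        code = aaa["Result-Code"]
        if code == DIAMETER_SUCCESS:
            return True, rounds
        if code != DIAMETER_MULTI_ROUND_AUTH:
            return False, rounds
        reply = prompt_user(" ".join(aaa.get("Reply-Message", [])))
        if reply is None:
            return False, rounds                  # prompt undeliverable: error, deny access
        # Next AAR carries the user's response and echoes the State AVP received.
        aar = dict(aar, **{"User-Password": reply.encode(), "State": aaa["State"]})
    return False, max_rounds


if __name__ == "__main__":
    srv = Server({"alice": b"123456"})
    print(nas_login(srv, "nas.example.net;1;1", "alice", lambda text: "123456"))  # (True, 2)
```

`max_rounds` bounds the loop so a server that keeps answering DIAMETER_MULTI_ROUND_AUTH cannot hold the NAS in an endless exchange; the text itself does not fix a limit, so the value here is a local policy choice.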
4.3.1. User-Password AVP
The User-Password AVP (AVP Code 2) is of type OctetString and contains the password of the user to be authenticated or the user's input in a multi-round authentication exchange. The User-Password AVP contains a user password or one-time password and therefore represents sensitive information. As required by the Diameter Base protocol [RFC6733], Diameter messages are encrypted by using IPsec [RFC4301] or Transport Layer Security (TLS) [RFC5246]. Unless this AVP is used for one-time passwords, the User-Password AVP SHOULD NOT be used in untrusted proxy environments without encrypting it by using end-to-end security techniques. The clear-text password (prior to encryption) MUST NOT be longer than 128 bytes in length.

4.3.2. Password-Retry AVP
The Password-Retry AVP (AVP Code 75) is of type Unsigned32 and MAY be included in the AA-Answer if the Result-Code indicates an authentication failure. The value of this AVP indicates how many authentication attempts a user is permitted before being disconnected. This AVP is primarily intended for use when the Framed-Protocol AVP (Section 4.4.10.1) is set to ARAP.

4.3.3. Prompt AVP
The Prompt AVP (AVP Code 76) is of type Enumerated and MAY be present in the AA-Answer message. When present, it is used by the NAS to determine whether the user's response, when entered, should be echoed. The supported values are listed in [RADIUSAttrVals].

4.3.4. CHAP-Auth AVP
The CHAP-Auth AVP (AVP Code 402) is of type Grouped and contains the information necessary to authenticate a user using the PPP Challenge-Handshake Authentication Protocol (CHAP) [RFC1994]. If the CHAP-Auth AVP is found in a message, the CHAP-Challenge AVP (Section 4.3.8) MUST be present as well. The optional AVPs containing the CHAP response depend upon the value of the CHAP-Algorithm AVP (Section 4.3.8). The grouped AVP has the following ABNF [RFC5234] grammar:
   CHAP-Auth ::= < AVP Header: 402 >
                 { CHAP-Algorithm }
                 { CHAP-Ident }
                 [ CHAP-Response ]
               * [ AVP ]

4.3.5. CHAP-Algorithm AVP
The CHAP-Algorithm AVP (AVP Code 403) is of type Enumerated and contains the algorithm identifier used in the computation of the CHAP response [RFC1994]. The following values are currently supported:

   CHAP with MD5     5
      The CHAP response is computed by using the procedure described in [RFC1994]. This algorithm requires that the CHAP-Response AVP (Section 4.3.7) MUST be present in the CHAP-Auth AVP (Section 4.3.4).

4.3.6. CHAP-Ident AVP
The CHAP-Ident AVP (AVP Code 404) is of type OctetString and contains the 1 octet CHAP Identifier used in the computation of the CHAP response [RFC1994].

4.3.7. CHAP-Response AVP
The CHAP-Response AVP (AVP Code 405) is of type OctetString and contains the 16-octet authentication data provided by the user in response to the CHAP challenge [RFC1994].

4.3.8. CHAP-Challenge AVP
The CHAP-Challenge AVP (AVP Code 60) is of type OctetString and contains the CHAP Challenge sent by the NAS to the CHAP peer [RFC1994].

4.3.9. ARAP-Password AVP
The ARAP-Password AVP (AVP Code 70) is of type OctetString and is only present when the Framed-Protocol AVP (Section 4.4.10.1) is included in the message and is set to ARAP. This AVP MUST NOT be present if either the User-Password or the CHAP-Auth AVP is present. See [RFC2869] for more information on the contents of this AVP.
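Server-side verification of the CHAP-Auth grouped AVP of Sections 4.3.4 to 4.3.8, as an added example that is not code from RFC 7155. For CHAP-Algorithm value 5 (CHAP with MD5) the response is MD5 over the one-octet CHAP-Ident, the shared secret and the CHAP-Challenge, as RFC 1994 specifies; the check enforces the rules stated above before comparing anything (CHAP-Challenge present whenever CHAP-Auth is, CHAP-Ident exactly one octet, CHAP-Response present and 16 octets for algorithm 5, unsupported algorithms rejected) and compares in constant time. The `verify_chap_auth`/`authenticate_aar` helpers, the secret store and the sample values are constructed for this example.

```python
"""Constructed CHAP-Auth verification (added example, not RFC 7155 code)."""
import hashlib
import hmac

CHAP_WITH_MD5 = 5        # CHAP-Algorithm value from Section 4.3.5


def chap_md5_response(ident: bytes, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5(Identifier || secret || challenge), 16 octets."""
    return hashlib.md5(ident + secret + challenge).digest()


def verify_chap_auth(chap_auth: dict, chap_challenge: bytes, secret: bytes) -> bool:
    """chap_auth is the grouped AVP as a dict with CHAP-Algorithm, CHAP-Ident and
    (for algorithm 5, mandatory) CHAP-Response. Length and presence checks run
    before any cryptography so malformed input never reaches the comparison."""
    if chap_auth.get("CHAP-Algorithm") != CHAP_WITH_MD5:
        return False                          # only CHAP with MD5 is defined
    ident = chap_auth.get("CHAP-Ident")
    response = chap_auth.get("CHAP-Response")
    if not isinstance(ident, (bytes, bytearray)) or len(ident) != 1:
        return False                          # CHAP-Ident is exactly 1 octet
    if not isinstance(response, (bytes, bytearray)) or len(response) != 16:
        return False                          # CHAP-Response required, 16 octets
    if not chap_challenge:
        return False
    expected = chap_md5_response(bytes(ident), secret, chap_challenge)
    return hmac.compare_digest(expected, bytes(response))


def authenticate_aar(aar: dict, secrets: dict) -> bool:
    """Apply the Section 4.3.4 rule that CHAP-Auth requires CHAP-Challenge in
    the same message, then verify against the user's stored secret."""
    chap_auth = aar.get("CHAP-Auth")
    if chap_auth is None or "CHAP-Challenge" not in aar:
        return False
    secret = secrets.get(aar.get("User-Name"))
    if secret is None:
        return False
    return verify_chap_auth(chap_auth, aar["CHAP-Challenge"], secret)


def peer_chap_auth(ident: bytes, secret: bytes, challenge: bytes) -> dict:
    """What the NAS places in the AAR on the peer's behalf (constructed sample)."""
    return {"CHAP-Algorithm": CHAP_WITH_MD5, "CHAP-Ident": ident,
            "CHAP-Response": chap_md5_response(ident, secret, challenge)}


if __name__ == "__main__":
    # Constructed sample values: a 16-octet challenge and a shared secret.
    challenge, secret = bytes(range(16)), b"constructed-secret"
    aar = {"User-Name": "alice", "CHAP-Challenge": challenge,
           "CHAP-Auth": peer_chap_auth(b"\x07", secret, challenge)}
    print(authenticate_aar(aar, {"alice": secret}))   # True
```

Rejecting a malformed CHAP-Ident or a 15-octet CHAP-Response before hashing keeps the failure path independent of the secret, and `hmac.compare_digest` keeps the final comparison from leaking how many leading octets of the response were correct.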
4.3.10. ARAP-Challenge-Response AVP
The ARAP-Challenge-Response AVP (AVP Code 84) is of type OctetString and is only present when the Framed-Protocol AVP (Section 4.4.10.1) is included in the message and is set to ARAP. This AVP contains an 8-octet response to the dial-in client's challenge. The Diameter server calculates this value by taking the dial-in client's challenge from the high-order 8 octets of the ARAP-Password AVP and performing DES encryption on this value with the authenticating user's password as the key. If the user's password is fewer than 8 octets in length, the password is padded at the end with NULL octets to a length of 8 before it is used as a key.

4.3.11. ARAP-Security AVP
The ARAP-Security AVP (AVP Code 73) is of type Unsigned32 and MAY be present in the AA-Answer message if the Framed-Protocol AVP (Section 4.4.10.1) is set to the value of ARAP, and the Result-Code AVP ([RFC6733], Section 7.1) is set to DIAMETER_MULTI_ROUND_AUTH. See RFC 2869 for more information on the contents of this AVP.

4.3.12. ARAP-Security-Data AVP
The ARAP-Security-Data AVP (AVP Code 74) is of type OctetString and MAY be present in the AA-Request or AA-Answer message if the Framed-Protocol AVP (Section 4.4.10.1) is set to the value of ARAP and the Result-Code AVP ([RFC6733], Section 7.1) is set to DIAMETER_MULTI_ROUND_AUTH. This AVP contains the security module challenge or response associated with the ARAP Security Module specified in the ARAP-Security AVP (Section 4.3.11).