Internet Engineering Task Force (IETF)                        G. Zorn, Ed.
Request for Comments: 7155                                     Network Zen
Obsoletes: 4005                                                 April 2014
Category: Standards Track
ISSN: 2070-1721

                 Diameter Network Access Server Application

Abstract
This document describes the Diameter protocol application used for Authentication, Authorization, and Accounting services in the Network Access Server (NAS) environment; it obsoletes RFC 4005. When combined with the Diameter Base protocol, Transport Profile, and Extensible Authentication Protocol specifications, this application specification satisfies typical network access services requirements.

Status of This Memo

This is an Internet Standards Track document.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7155.

Copyright Notice

Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Table of Contents
1. Introduction
   1.1. Changes from RFC 4005
   1.2. Terminology
   1.3. Requirements Language
   1.4. Advertising Application Support
   1.5. Application Identification
   1.6. Accounting Model
2. NAS Calls, Ports, and Sessions
   2.1. Diameter Session Establishment
   2.2. Diameter Session Reauthentication or Reauthorization
   2.3. Diameter Session Termination
3. Diameter NAS Application Messages
   3.1. AA-Request (AAR) Command
   3.2. AA-Answer (AAA) Command
   3.3. Re-Auth-Request (RAR) Command
   3.4. Re-Auth-Answer (RAA) Command
   3.5. Session-Termination-Request (STR) Command
   3.6. Session-Termination-Answer (STA) Command
   3.7. Abort-Session-Request (ASR) Command
   3.8. Abort-Session-Answer (ASA) Command
   3.9. Accounting-Request (ACR) Command
   3.10. Accounting-Answer (ACA) Command
4. Diameter NAS Application AVPs
   4.1. Derived AVP Data Formats
      4.1.1. QoSFilterRule
   4.2. NAS Session AVPs
      4.2.1. Call and Session Information
      4.2.2. NAS-Port AVP
      4.2.3. NAS-Port-Id AVP
      4.2.4. NAS-Port-Type AVP
      4.2.5. Called-Station-Id AVP
      4.2.6. Calling-Station-Id AVP
      4.2.7. Connect-Info AVP
      4.2.8. Originating-Line-Info AVP
      4.2.9. Reply-Message AVP
   4.3. NAS Authentication AVPs
      4.3.1. User-Password AVP
      4.3.2. Password-Retry AVP
      4.3.3. Prompt AVP
      4.3.4. CHAP-Auth AVP
      4.3.5. CHAP-Algorithm AVP
      4.3.6. CHAP-Ident AVP
      4.3.7. CHAP-Response AVP
      4.3.8. CHAP-Challenge AVP
      4.3.9. ARAP-Password AVP
      4.3.10. ARAP-Challenge-Response AVP
      4.3.11. ARAP-Security AVP
      4.3.12. ARAP-Security-Data AVP
   4.4. NAS Authorization AVPs
      4.4.1. Service-Type AVP
      4.4.2. Callback-Number AVP
      4.4.3. Callback-Id AVP
      4.4.4. Idle-Timeout AVP
      4.4.5. Port-Limit AVP
      4.4.6. NAS-Filter-Rule AVP
      4.4.7. Filter-Id AVP
      4.4.8. Configuration-Token AVP
      4.4.9. QoS-Filter-Rule AVP
      4.4.10. Framed Access Authorization AVPs
         4.4.10.1. Framed-Protocol AVP
         4.4.10.2. Framed-Routing AVP
         4.4.10.3. Framed-MTU AVP
         4.4.10.4. Framed-Compression AVP
         4.4.10.5. IP Access Authorization AVPs
            4.4.10.5.1. Framed-IP-Address AVP
            4.4.10.5.2. Framed-IP-Netmask AVP
            4.4.10.5.3. Framed-Route AVP
            4.4.10.5.4. Framed-Pool AVP
            4.4.10.5.5. Framed-Interface-Id AVP
            4.4.10.5.6. Framed-IPv6-Prefix AVP
            4.4.10.5.7. Framed-IPv6-Route AVP
            4.4.10.5.8. Framed-IPv6-Pool AVP
         4.4.10.6. IPX Access AVPs
            4.4.10.6.1. Framed-IPX-Network AVP
         4.4.10.7. AppleTalk Network Access AVPs
            4.4.10.7.1. Framed-Appletalk-Link AVP
            4.4.10.7.2. Framed-Appletalk-Network AVP
            4.4.10.7.3. Framed-Appletalk-Zone AVP
         4.4.10.8. AppleTalk Remote Access AVPs
            4.4.10.8.1. ARAP-Features AVP
            4.4.10.8.2. ARAP-Zone-Access AVP
      4.4.11. Non-Framed Access Authorization AVPs
         4.4.11.1. Login-IP-Host AVP
         4.4.11.2. Login-IPv6-Host AVP
         4.4.11.3. Login-Service AVP
         4.4.11.4. TCP Services
            4.4.11.4.1. Login-TCP-Port AVP
         4.4.11.5. LAT Services
            4.4.11.5.1. Login-LAT-Service AVP
            4.4.11.5.2. Login-LAT-Node AVP
            4.4.11.5.3. Login-LAT-Group AVP
            4.4.11.5.4. Login-LAT-Port AVP
   4.5. NAS Tunneling AVPs
      4.5.1. Tunneling AVP
      4.5.2. Tunnel-Type AVP
      4.5.3. Tunnel-Medium-Type AVP
      4.5.4. Tunnel-Client-Endpoint AVP
      4.5.5. Tunnel-Server-Endpoint AVP
      4.5.6. Tunnel-Password AVP
      4.5.7. Tunnel-Private-Group-Id AVP
      4.5.8. Tunnel-Assignment-Id AVP
      4.5.9. Tunnel-Preference AVP
      4.5.10. Tunnel-Client-Auth-Id AVP
      4.5.11. Tunnel-Server-Auth-Id AVP
   4.6. NAS Accounting AVPs
      4.6.1. Accounting-Input-Octets AVP
      4.6.2. Accounting-Output-Octets AVP
      4.6.3. Accounting-Input-Packets AVP
      4.6.4. Accounting-Output-Packets AVP
      4.6.5. Acct-Session-Time AVP
      4.6.6. Acct-Authentic AVP
      4.6.7. Accounting-Auth-Method AVP
      4.6.8. Acct-Delay-Time AVP
      4.6.9. Acct-Link-Count AVP
      4.6.10. Acct-Tunnel-Connection AVP
      4.6.11. Acct-Tunnel-Packets-Lost AVP
5. AVP Occurrence Tables
   5.1. AA-Request / AA-Answer AVP Table
   5.2. Accounting AVP Tables
      5.2.1. Framed Access Accounting AVP Table
      5.2.2. Non-Framed Access Accounting AVP Table
6. Unicode Considerations
7. IANA Considerations
8. Security Considerations
   8.1. Authentication Considerations
   8.2. AVP Considerations
9. References
   9.1. Normative References
   9.2. Informative References
Appendix A. Acknowledgements
   A.1. This Document
   A.2. RFC 4005

1. Introduction
This document describes the Diameter protocol application used for Authentication, Authorization, and Accounting in the Network Access Server (NAS) environment. When combined with the Diameter Base protocol [RFC6733], Transport Profile [RFC3539], and Extensible Authentication Protocol (EAP) [RFC4072] specifications, this specification satisfies the NAS-related requirements defined in [RFC2989] and [RFC3169].
First, this document describes the operation of a Diameter NAS application. Then, it defines the Diameter message command codes. The following sections list the AVPs used in these messages, grouped by common usage. These are session identification, authentication, authorization, tunneling, and accounting. The authorization AVPs are further broken down by service type.

1.1. Changes from RFC 4005
This document obsoletes [RFC4005] and is not backward compatible with that document. An overview of some of the major changes is given below.

o All of the material regarding RADIUS/Diameter protocol interactions has been removed; however, where AVPs are derived from RADIUS Attributes, the range and format of those Attribute values have been retained for ease of transition.

o The Command Code Format (CCF) [RFC6733] for the Accounting-Request and Accounting-Answer messages has been changed to explicitly require the inclusion of the Acct-Application-Id AVP and exclude the Vendor-Specific-Application-Id AVP. Normally, this type of change would require the allocation of a new command code (see Section 1.3.3 of [RFC6733]) and consequently, a new application-id. However, the presence of an instance of the Acct-Application-Id AVP was required in [RFC4005], as well:

      The Accounting-Request (ACR) message [BASE] is sent by the NAS to report its session information to a target server downstream. Either the Acct-Application-Id or the Vendor-Specific-Application-Id AVP MUST be present. If the Vendor-Specific-Application-Id grouped AVP is present, it must have an Acct-Application-Id inside.

   Thus, though the syntax of the commands has changed, the semantics have not (with the caveat that the Acct-Application-Id AVP can no longer be contained in the Vendor-Specific-Application-Id AVP).

o The lists of RADIUS attribute values have been deleted in favor of references to the appropriate IANA registries.

o The accounting model to be used is now specified (see Section 1.6).
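To make the compatibility caveat concrete, the following is an added example (not code from the RFC): it checks the top-level AVPs of an ACR against the RFC 4005 rule quoted above and against the RFC 7155 CCF, so an ACR that carried its Acct-Application-Id inside Vendor-Specific-Application-Id shows up as legal under the old rules and rejected under the new ones. The AVP sets, the Session-Id and the Vendor-Id value are constructed; the rules are those stated in this section.

```python
def acr_application_id_problems(avps, rfc4005_rules=False):
    """List the Application-Id rule violations for an ACR's top-level AVPs.

    avps maps each top-level AVP name to its value; a Vendor-Specific-Application-Id
    value is itself a dict of the AVPs it groups. Rules are those in Section 1.1.
    """
    acct_id = avps.get("Acct-Application-Id")
    vsai = avps.get("Vendor-Specific-Application-Id")
    problems = []
    if rfc4005_rules:
        # RFC 4005: one of the two AVPs MUST be present ...
        if acct_id is None and vsai is None:
            problems.append("neither Acct-Application-Id nor Vendor-Specific-Application-Id present")
        # ... and a grouped Vendor-Specific-Application-Id must carry an Acct-Application-Id
        elif vsai is not None and "Acct-Application-Id" not in vsai:
            problems.append("Vendor-Specific-Application-Id lacks Acct-Application-Id")
    else:
        # RFC 7155 CCF: Acct-Application-Id is required at top level, the grouped AVP is excluded
        if acct_id is None:
            problems.append("Acct-Application-Id missing")
        if vsai is not None:
            problems.append("Vendor-Specific-Application-Id not permitted in ACR")
    return problems


# Constructed ACR AVP sets; only the AVPs relevant to the check are shown.
ACR_7155 = {"Session-Id": "nas.example.com;1401234567;42", "Acct-Application-Id": 1,
            "Accounting-Record-Type": "START_RECORD"}
ACR_4005_VENDOR = {"Session-Id": "nas.example.com;1401234567;42",
                   "Vendor-Specific-Application-Id": {"Vendor-Id": 99999,  # placeholder Vendor-Id
                                                      "Acct-Application-Id": 1},
                   "Accounting-Record-Type": "START_RECORD"}


def compatibility_report(avps):
    """Show whether an ACR that was legal under RFC 4005 is still legal under RFC 7155."""
    return {"rfc4005": acr_application_id_problems(avps, rfc4005_rules=True),
            "rfc7155": acr_application_id_problems(avps)}
```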
There are many other miscellaneous fixes that have been introduced in this document that may not be considered significant, but they are useful nonetheless. Examples are fixes to example IP addresses, addition of clarifying references, etc. Errata reports filed against [RFC4005] at the time of writing have been reviewed and incorporated as necessary. A comprehensive list of changes is not shown here for practical reasons.

1.2. Terminology
Section 1.2 of the Diameter Base protocol specification [RFC6733] defines most of the terminology used in this document. Additionally, the following terms and acronyms are used in this application:

NAS (Network Access Server)
   A device that provides an access service for a user to a network. The service may be a network connection or a value-added service such as terminal emulation [RFC2881].

PPP (Point-to-Point Protocol)
   A multiprotocol serial datalink. PPP is the primary IP datalink used for dial-in NAS connection service [RFC1661].

CHAP (Challenge Handshake Authentication Protocol)
   An authentication process used in PPP [RFC1994].

PAP (Password Authentication Protocol)
   A deprecated PPP authentication process, but often used for backward compatibility [RFC1334].

SLIP (Serial Line Internet Protocol)
   A serial datalink that only supports IP. A design prior to PPP.

ARAP (AppleTalk Remote Access Protocol)
   A serial datalink for accessing AppleTalk networks [ARAP].

IPX (Internetwork Packet Exchange)
   The network protocol used by NetWare networks [IPX].

L2TP (Layer Two Tunneling Protocol)
   L2TP [RFC3931] provides a dynamic mechanism for tunneling Layer 2 "circuits" across a packet-oriented data network.

LAC (L2TP Access Concentrator)
   An L2TP Control Connection Endpoint being used to cross-connect an L2TP session directly to a datalink [RFC3931].

LAT (Local Area Transport)
   A Digital Equipment Corp. LAN protocol for terminal services [LAT].

LCP (Link Control Protocol)
   One of the three major components of PPP [RFC1661]. LCP is used to automatically agree upon encapsulation format options, handle varying limits on sizes of packets, detect a looped-back link and other common misconfiguration errors, and terminate the link. Other optional facilities provided are authentication of the identity of its peer on the link, and determination when a link is functioning properly and when it is failing.

PPTP (Point-to-Point Tunneling Protocol)
   A protocol that allows PPP to be tunneled through an IP network [RFC2637].

VPN (Virtual Private Network)
   In this document, this term is used to describe access services that use tunneling methods.

1.3. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
The use of "MUST" and "MUST NOT" in the AVP Flag Rules columns of AVP Tables in this document refers to AVP flags ([RFC6733], Section 4.1) that:

o MUST be set to 1 in the AVP Header ("MUST" column) and

o MUST NOT be set to 1 ("MUST NOT" column)

1.4. Advertising Application Support
Diameter nodes conforming to this specification MUST advertise support by including the value of one (1) in the Auth-Application-Id of the Capabilities-Exchange-Request (CER) message [RFC6733].

1.5. Application Identification
When used in this application, the Auth-Application-Id AVP MUST be set to the value one (1) in the following messages:

o AA-Request (Section 3.1)

o Re-Auth-Request (Section 3.3)

o Session-Termination-Request (Section 3.5)

o Abort-Session-Request (Section 3.7)

1.6. Accounting Model
It is RECOMMENDED that the coupled accounting model (RFC 6733, Section 9.3) be used with this application; therefore, the value of the Acct-Application-Id AVP in the Accounting-Request (Section 3.9) and Accounting-Answer (Section 3.10) messages SHOULD be set to one (1).

2. NAS Calls, Ports, and Sessions
The arrival of a new call or service connection at a port of a Network Access Server (NAS) starts a Diameter NAS Application message exchange. Information about the call, the identity of the user, and the user's authentication information are packaged into a Diameter AA-Request (AAR) message and sent to a server. The server processes the information and responds with a Diameter AA-Answer (AAA) message that contains authorization information for the NAS or a failure code (Result-Code AVP). A value of DIAMETER_MULTI_ROUND_AUTH indicates an additional authentication exchange, and several AAR and AAA messages may be exchanged until the transaction completes.

2.1. Diameter Session Establishment
When the authentication or authorization exchange completes successfully, the NAS application SHOULD start a session context. If the Result-Code of DIAMETER_MULTI_ROUND_AUTH is returned, the exchange continues until a success or error is returned. If accounting is active, the application MUST also send an Accounting message [RFC6733]. An Accounting-Record-Type of START_RECORD is sent for a new session. If a session fails to start, the EVENT_RECORD message is sent with the reason for the failure described. Note that the return of an unsupportable Accounting-Realtime-Required value [RFC6733] would result in a failure to establish the session.

2.2. Diameter Session Reauthentication or Reauthorization
The Diameter Base protocol allows users to be periodically reauthenticated and/or reauthorized. In such instances, the Session-Id AVP in the AAR message MUST be the same as the one present in the original authentication/authorization message. A Diameter server informs the NAS of the maximum time allowed before reauthentication or reauthorization via the Authorization-Lifetime AVP [RFC6733]. A NAS MAY reauthenticate and/or reauthorize before the end, but a NAS MUST reauthenticate and/or reauthorize at the end of the period provided by the Authorization-Lifetime AVP. The failure of a reauthentication exchange will terminate the service. Furthermore, it is possible for Diameter servers to issue an unsolicited reauthentication and/or reauthorization request (e.g., Re-Auth-Request (RAR) message [RFC6733]) to the NAS. Upon receipt of such a message, the NAS MUST respond to the request with a Re-Auth-Answer (RAA) message [RFC6733]. If the RAR properly identifies an active session, the NAS will initiate a new local reauthentication or authorization sequence as indicated by the Re-Auth-Request-Type value. This will cause the NAS to send a new AAR message using the existing Session-Id. The server will respond with an AAA message to specify the new service parameters.
If accounting is active, every change of authentication or authorization SHOULD generate an accounting message. If the NAS service is a continuation of the prior user context, then an Accounting-Record-Type of INTERIM_RECORD indicating the new session attributes and cumulative status would be appropriate. If a new user or a significant change in authorization is detected by the NAS, then the service may send two messages of the types STOP_RECORD and START_RECORD. Accounting may change the subsession identifiers (Acct-Session-Id, or Acct-Sub-Session-Id) to indicate such subsessions. A service may also use a different Session-Id value for accounting (see Section 9.6 of [RFC6733]). However, the Diameter Session-Id AVP value used for the initial authorization exchange MUST be used to generate an STR message when the session context is terminated.

2.3. Diameter Session Termination
When a NAS receives an indication that a user's session is being disconnected by the client (e.g., an LCP Terminate-Request message [RFC1661] is received) or an administrative command, the NAS MUST issue a Session-Termination-Request (STR) [RFC6733] to its Diameter server. This will ensure that any resources maintained on the servers are freed appropriately. Furthermore, a NAS that receives an Abort-Session-Request (ASR) [RFC6733] MUST issue an Abort-Session-Answer (ASA) if the session identified is active and disconnect the PPP (or tunneling) session. If accounting is active, an Accounting STOP_RECORD message [RFC6733] MUST be sent upon termination of the session context. More information on Diameter Session Termination can be found in Sections 8.4 and 8.5 of [RFC6733].
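The session lifecycle of Section 2, as an added Python example that is not part of the RFC: a NAS-side session model that drives the AAR/AAA exchange (including a DIAMETER_MULTI_ROUND_AUTH round), reuses the original Session-Id on reauthorization, answers an unsolicited RAR, and emits the START, INTERIM, EVENT and STOP accounting records and the STR described above. The Result-Code and Termination-Cause values are from RFC 6733; the NasSession class, the scripted server and the Session-Id are constructed stand-ins.

```python
from dataclasses import dataclass, field

NAS_APP_ID = 1                                              # Auth-/Acct-Application-Id (Sections 1.4-1.6)
DIAMETER_SUCCESS, DIAMETER_MULTI_ROUND_AUTH = 2001, 1001    # Result-Code values (RFC 6733)
DIAMETER_AUTHENTICATION_REJECTED, DIAMETER_UNKNOWN_SESSION_ID = 4001, 5002
DIAMETER_AUTH_EXPIRED = 6                                   # Termination-Cause value (RFC 6733)

@dataclass
class NasSession:
    session_id: str                           # fixed for the life of the session (Section 2.2)
    active: bool = False
    sent: list = field(default_factory=list)  # (command, AVPs) emitted by the NAS, in order
    def _send(self, cmd, **avps):
        avps.setdefault("Session-Id", self.session_id)
        self.sent.append((cmd, avps))
    def _acct(self, record_type, **avps):
        # coupled accounting model: Acct-Application-Id = 1 is always present (Sections 1.1, 1.6)
        self._send("ACR", **{"Accounting-Record-Type": record_type, "Acct-Application-Id": NAS_APP_ID, **avps})
    def authorize(self, server):
        """AAR/AAA rounds until success or failure; every AAR reuses self.session_id."""
        while True:
            self._send("AAR", **{"Auth-Application-Id": NAS_APP_ID})
            answer = server(self.session_id)
            if answer["Result-Code"] == DIAMETER_MULTI_ROUND_AUTH:
                continue                                  # another round, same Session-Id
            if answer["Result-Code"] == DIAMETER_SUCCESS:
                # new session -> START_RECORD; continuation of the prior context -> INTERIM_RECORD
                self._acct("INTERIM_RECORD" if self.active else "START_RECORD")
                self.active = True
                return answer.get("Authorization-Lifetime")  # seconds until reauth is mandatory
            if self.active:                               # a failed reauthentication ends the service
                self.terminate(DIAMETER_AUTH_EXPIRED)
            else:                                         # never started: report the failure as an event
                self._acct("EVENT_RECORD", **{"Result-Code": answer["Result-Code"]})
            return None
    def handle_rar(self, session_id):
        """Unsolicited RAR: always answer with RAA; True means a new AAR exchange must follow."""
        known = session_id == self.session_id and self.active
        code = DIAMETER_SUCCESS if known else DIAMETER_UNKNOWN_SESSION_ID
        self._send("RAA", **{"Session-Id": session_id, "Result-Code": code})
        return known
    def terminate(self, cause):
        """Client disconnect or administrative command: STR, then STOP_RECORD (Section 2.3)."""
        self._send("STR", **{"Auth-Application-Id": NAS_APP_ID, "Termination-Cause": cause})
        self._acct("STOP_RECORD")
        self.active = False

def demo():
    nas = NasSession("nas.example.com;1401234567;42")     # constructed Session-Id
    ok = {"Result-Code": DIAMETER_SUCCESS, "Authorization-Lifetime": 3600}
    answers = iter([{"Result-Code": DIAMETER_MULTI_ROUND_AUTH}, ok, ok,
                    {"Result-Code": DIAMETER_AUTHENTICATION_REJECTED}])
    def server(_session_id):                              # constructed server stub: one scripted AAA per AAR
        return next(answers)
    nas.authorize(server)                                 # two rounds, then START_RECORD
    if nas.handle_rar(nas.session_id):                    # server-triggered reauthorization
        nas.authorize(server)                             # same Session-Id, INTERIM_RECORD
    nas.authorize(server)                                 # lifetime expired, reauthentication rejected
    return [f"{c}/{a['Accounting-Record-Type']}" if c == "ACR" else c for c, a in nas.sent]
```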