diff options
author | Martin Willi <martin@strongswan.org> | 2007-08-30 12:52:44 +0000 |
---|---|---|
committer | Martin Willi <martin@strongswan.org> | 2007-08-30 12:52:44 +0000 |
commit | 354242c55a6527fd8f42acc1e8ee65d5e8a3faa4 (patch) | |
tree | 00442a1c06045e3bb3aca6e1e3bfdc5fc4ef5b93 /doc | |
parent | 857ceac9d93b2e8dc6925ac47cede63a547c1bfb (diff) | |
download | strongswan-354242c55a6527fd8f42acc1e8ee65d5e8a3faa4.tar.bz2 strongswan-354242c55a6527fd8f42acc1e8ee65d5e8a3faa4.tar.xz |
added RADIUS, RADIUS-EAP and EAP-MD5 (CHAP) RFCs
Diffstat (limited to 'doc')
-rw-r--r-- | doc/standards/rfc1994.txt | 732 | ||||
-rw-r--r-- | doc/standards/rfc2865.txt | 4259 | ||||
-rw-r--r-- | doc/standards/rfc3579.txt | 2579 |
3 files changed, 7570 insertions, 0 deletions
diff --git a/doc/standards/rfc1994.txt b/doc/standards/rfc1994.txt new file mode 100644 index 000000000..e4a553e59 --- /dev/null +++ b/doc/standards/rfc1994.txt @@ -0,0 +1,732 @@ + + + + + + +Network Working Group W. Simpson +Request for Comments: 1994 DayDreamer +Obsoletes: 1334 August 1996 +Category: Standards Track + + + PPP Challenge Handshake Authentication Protocol (CHAP) + + +Status of this Memo + + This document specifies an Internet standards track protocol for the + Internet community, and requests discussion and suggestions for + improvements. Please refer to the current edition of the "Internet + Official Protocol Standards" (STD 1) for the standardization state + and status of this protocol. Distribution of this memo is unlimited. + +Abstract + + The Point-to-Point Protocol (PPP) [1] provides a standard method for + transporting multi-protocol datagrams over point-to-point links. + + PPP also defines an extensible Link Control Protocol, which allows + negotiation of an Authentication Protocol for authenticating its peer + before allowing Network Layer protocols to transmit over the link. + + This document defines a method for Authentication using PPP, which + uses a random Challenge, with a cryptographically hashed Response + which depends upon the Challenge and a secret key. + +Table of Contents + + 1. Introduction .......................................... 1 + 1.1 Specification of Requirements ................... 1 + 1.2 Terminology ..................................... 2 + 2. Challenge-Handshake Authentication Protocol ........... 2 + 2.1 Advantages ...................................... 3 + 2.2 Disadvantages ................................... 3 + 2.3 Design Requirements ............................. 4 + 3. Configuration Option Format ........................... 5 + 4. Packet Format ......................................... 6 + 4.1 Challenge and Response .......................... 7 + 4.2 Success and Failure ............................. 9 + SECURITY CONSIDERATIONS ...................................... 10 + ACKNOWLEDGEMENTS ............................................. 11 + REFERENCES ................................................... 12 + CONTACTS ..................................................... 12 + + + + +Simpson [Page i] + +RFC 1994 PPP CHAP August 1996 + + +1. Introduction + + In order to establish communications over a point-to-point link, each + end of the PPP link must first send LCP packets to configure the data + link during Link Establishment phase. After the link has been + established, PPP provides for an optional Authentication phase before + proceeding to the Network-Layer Protocol phase. + + By default, authentication is not mandatory. If authentication of + the link is desired, an implementation MUST specify the + Authentication-Protocol Configuration Option during Link + Establishment phase. + + These authentication protocols are intended for use primarily by + hosts and routers that connect to a PPP network server via switched + circuits or dial-up lines, but might be applied to dedicated links as + well. The server can use the identification of the connecting host + or router in the selection of options for network layer negotiations. + + This document defines a PPP authentication protocol. The Link + Establishment and Authentication phases, and the Authentication- + Protocol Configuration Option, are defined in The Point-to-Point + Protocol (PPP) [1]. + + +1.1. Specification of Requirements + + In this document, several words are used to signify the requirements + of the specification. These words are often capitalized. + + MUST This word, or the adjective "required", means that the + definition is an absolute requirement of the specification. + + MUST NOT This phrase means that the definition is an absolute + prohibition of the specification. + + SHOULD This word, or the adjective "recommended", means that there + may exist valid reasons in particular circumstances to + ignore this item, but the full implications must be + understood and carefully weighed before choosing a + different course. + + MAY This word, or the adjective "optional", means that this + item is one of an allowed set of alternatives. An + implementation which does not include this option MUST be + prepared to interoperate with another implementation which + does include the option. + + + + +Simpson [Page 1] + +RFC 1994 PPP CHAP August 1996 + + +1.2. Terminology + + This document frequently uses the following terms: + + authenticator + The end of the link requiring the authentication. The + authenticator specifies the authentication protocol to be + used in the Configure-Request during Link Establishment + phase. + + peer The other end of the point-to-point link; the end which is + being authenticated by the authenticator. + + silently discard + This means the implementation discards the packet without + further processing. The implementation SHOULD provide the + capability of logging the error, including the contents of + the silently discarded packet, and SHOULD record the event + in a statistics counter. + + + + +2. Challenge-Handshake Authentication Protocol + + The Challenge-Handshake Authentication Protocol (CHAP) is used to + periodically verify the identity of the peer using a 3-way handshake. + This is done upon initial link establishment, and MAY be repeated + anytime after the link has been established. + + 1. After the Link Establishment phase is complete, the + authenticator sends a "challenge" message to the peer. + + 2. The peer responds with a value calculated using a "one-way + hash" function. + + 3. The authenticator checks the response against its own + calculation of the expected hash value. If the values match, + the authentication is acknowledged; otherwise the connection + SHOULD be terminated. + + 4. At random intervals, the authenticator sends a new challenge to + the peer, and repeats steps 1 to 3. + + + + + + + + +Simpson [Page 2] + +RFC 1994 PPP CHAP August 1996 + + +2.1. Advantages + + CHAP provides protection against playback attack by the peer through + the use of an incrementally changing identifier and a variable + challenge value. The use of repeated challenges is intended to limit + the time of exposure to any single attack. The authenticator is in + control of the frequency and timing of the challenges. + + This authentication method depends upon a "secret" known only to the + authenticator and that peer. The secret is not sent over the link. + + Although the authentication is only one-way, by negotiating CHAP in + both directions the same secret set may easily be used for mutual + authentication. + + Since CHAP may be used to authenticate many different systems, name + fields may be used as an index to locate the proper secret in a large + table of secrets. This also makes it possible to support more than + one name/secret pair per system, and to change the secret in use at + any time during the session. + + +2.2. Disadvantages + + CHAP requires that the secret be available in plaintext form. + Irreversably encrypted password databases commonly available cannot + be used. + + It is not as useful for large installations, since every possible + secret is maintained at both ends of the link. + + Implementation Note: To avoid sending the secret over other links + in the network, it is recommended that the challenge and response + values be examined at a central server, rather than each network + access server. Otherwise, the secret SHOULD be sent to such + servers in a reversably encrypted form. Either case requires a + trusted relationship, which is outside the scope of this + specification. + + + + + + + + + + + + + +Simpson [Page 3] + +RFC 1994 PPP CHAP August 1996 + + +2.3. Design Requirements + + The CHAP algorithm requires that the length of the secret MUST be at + least 1 octet. The secret SHOULD be at least as large and + unguessable as a well-chosen password. It is preferred that the + secret be at least the length of the hash value for the hashing + algorithm chosen (16 octets for MD5). This is to ensure a + sufficiently large range for the secret to provide protection against + exhaustive search attacks. + + The one-way hash algorithm is chosen such that it is computationally + infeasible to determine the secret from the known challenge and + response values. + + Each challenge value SHOULD be unique, since repetition of a + challenge value in conjunction with the same secret would permit an + attacker to reply with a previously intercepted response. Since it + is expected that the same secret MAY be used to authenticate with + servers in disparate geographic regions, the challenge SHOULD exhibit + global and temporal uniqueness. + + Each challenge value SHOULD also be unpredictable, least an attacker + trick a peer into responding to a predicted future challenge, and + then use the response to masquerade as that peer to an authenticator. + + Although protocols such as CHAP are incapable of protecting against + realtime active wiretapping attacks, generation of unique + unpredictable challenges can protect against a wide range of active + attacks. + + A discussion of sources of uniqueness and probability of divergence + is included in the Magic-Number Configuration Option [1]. + + + + + + + + + + + + + + + + + + + +Simpson [Page 4] + +RFC 1994 PPP CHAP August 1996 + + +3. Configuration Option Format + + A summary of the Authentication-Protocol Configuration Option format + to negotiate the Challenge-Handshake Authentication Protocol is shown + below. The fields are transmitted from left to right. + + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | Authentication-Protocol | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Algorithm | + +-+-+-+-+-+-+-+-+ + + Type + + 3 + + Length + + 5 + + Authentication-Protocol + + c223 (hex) for Challenge-Handshake Authentication Protocol. + + Algorithm + + The Algorithm field is one octet and indicates the authentication + method to be used. Up-to-date values are specified in the most + recent "Assigned Numbers" [2]. One value is required to be + implemented: + + 5 CHAP with MD5 [3] + + + + + + + + + + + + + + + + + + + +Simpson [Page 5] + +RFC 1994 PPP CHAP August 1996 + + +4. Packet Format + + Exactly one Challenge-Handshake Authentication Protocol packet is + encapsulated in the Information field of a PPP Data Link Layer frame + where the protocol field indicates type hex c223 (Challenge-Handshake + Authentication Protocol). A summary of the CHAP packet format is + shown below. The fields are transmitted from left to right. + + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Code | Identifier | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Data ... + +-+-+-+-+ + + Code + + The Code field is one octet and identifies the type of CHAP + packet. CHAP Codes are assigned as follows: + + 1 Challenge + 2 Response + 3 Success + 4 Failure + + Identifier + + The Identifier field is one octet and aids in matching challenges, + responses and replies. + + Length + + The Length field is two octets and indicates the length of the + CHAP packet including the Code, Identifier, Length and Data + fields. Octets outside the range of the Length field should be + treated as Data Link Layer padding and should be ignored on + reception. + + Data + + The Data field is zero or more octets. The format of the Data + field is determined by the Code field. + + + + + + + + + + +Simpson [Page 6] + +RFC 1994 PPP CHAP August 1996 + + +4.1. Challenge and Response + + Description + + The Challenge packet is used to begin the Challenge-Handshake + Authentication Protocol. The authenticator MUST transmit a CHAP + packet with the Code field set to 1 (Challenge). Additional + Challenge packets MUST be sent until a valid Response packet is + received, or an optional retry counter expires. + + A Challenge packet MAY also be transmitted at any time during the + Network-Layer Protocol phase to ensure that the connection has not + been altered. + + The peer SHOULD expect Challenge packets during the Authentication + phase and the Network-Layer Protocol phase. Whenever a Challenge + packet is received, the peer MUST transmit a CHAP packet with the + Code field set to 2 (Response). + + Whenever a Response packet is received, the authenticator compares + the Response Value with its own calculation of the expected value. + Based on this comparison, the authenticator MUST send a Success or + Failure packet (described below). + + Implementation Notes: Because the Success might be lost, the + authenticator MUST allow repeated Response packets during the + Network-Layer Protocol phase after completing the + Authentication phase. To prevent discovery of alternative + Names and Secrets, any Response packets received having the + current Challenge Identifier MUST return the same reply Code + previously returned for that specific Challenge (the message + portion MAY be different). Any Response packets received + during any other phase MUST be silently discarded. + + When the Failure is lost, and the authenticator terminates the + link, the LCP Terminate-Request and Terminate-Ack provide an + alternative indication that authentication failed. + + + + + + + + + + + + + + +Simpson [Page 7] + +RFC 1994 PPP CHAP August 1996 + + + A summary of the Challenge and Response packet format is shown below. + The fields are transmitted from left to right. + + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Code | Identifier | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Value-Size | Value ... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Name ... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Code + + 1 for Challenge; + + 2 for Response. + + Identifier + + The Identifier field is one octet. The Identifier field MUST be + changed each time a Challenge is sent. + + The Response Identifier MUST be copied from the Identifier field + of the Challenge which caused the Response. + + Value-Size + + This field is one octet and indicates the length of the Value + field. + + Value + + The Value field is one or more octets. The most significant octet + is transmitted first. + + The Challenge Value is a variable stream of octets. The + importance of the uniqueness of the Challenge Value and its + relationship to the secret is described above. The Challenge + Value MUST be changed each time a Challenge is sent. The length + of the Challenge Value depends upon the method used to generate + the octets, and is independent of the hash algorithm used. + + The Response Value is the one-way hash calculated over a stream of + octets consisting of the Identifier, followed by (concatenated + with) the "secret", followed by (concatenated with) the Challenge + Value. The length of the Response Value depends upon the hash + algorithm used (16 octets for MD5). + + + + +Simpson [Page 8] + +RFC 1994 PPP CHAP August 1996 + + + Name + + The Name field is one or more octets representing the + identification of the system transmitting the packet. There are + no limitations on the content of this field. For example, it MAY + contain ASCII character strings or globally unique identifiers in + ASN.1 syntax. The Name should not be NUL or CR/LF terminated. + The size is determined from the Length field. + + +4.2. Success and Failure + + Description + + If the Value received in a Response is equal to the expected + value, then the implementation MUST transmit a CHAP packet with + the Code field set to 3 (Success). + + If the Value received in a Response is not equal to the expected + value, then the implementation MUST transmit a CHAP packet with + the Code field set to 4 (Failure), and SHOULD take action to + terminate the link. + + A summary of the Success and Failure packet format is shown below. + The fields are transmitted from left to right. + + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Code | Identifier | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Message ... + +-+-+-+-+-+-+-+-+-+-+-+-+- + + Code + + 3 for Success; + + 4 for Failure. + + Identifier + + The Identifier field is one octet and aids in matching requests + and replies. The Identifier field MUST be copied from the + Identifier field of the Response which caused this reply. + + + + + + + + +Simpson [Page 9] + +RFC 1994 PPP CHAP August 1996 + + + Message + + The Message field is zero or more octets, and its contents are + implementation dependent. It is intended to be human readable, + and MUST NOT affect operation of the protocol. It is recommended + that the message contain displayable ASCII characters 32 through + 126 decimal. Mechanisms for extension to other character sets are + the topic of future research. The size is determined from the + Length field. + + + +Security Considerations + + Security issues are the primary topic of this RFC. + + The interaction of the authentication protocols within PPP are highly + implementation dependent. This is indicated by the use of SHOULD + throughout the document. + + For example, upon failure of authentication, some implementations do + not terminate the link. Instead, the implementation limits the kind + of traffic in the Network-Layer Protocols to a filtered subset, which + in turn allows the user opportunity to update secrets or send mail to + the network administrator indicating a problem. + + There is no provision for re-tries of failed authentication. + However, the LCP state machine can renegotiate the authentication + protocol at any time, thus allowing a new attempt. It is recommended + that any counters used for authentication failure not be reset until + after successful authentication, or subsequent termination of the + failed link. + + There is no requirement that authentication be full duplex or that + the same protocol be used in both directions. It is perfectly + acceptable for different protocols to be used in each direction. + This will, of course, depend on the specific protocols negotiated. + + The secret SHOULD NOT be the same in both directions. This allows an + attacker to replay the peer's challenge, accept the computed + response, and use that response to authenticate. + + In practice, within or associated with each PPP server, there is a + database which associates "user" names with authentication + information ("secrets"). It is not anticipated that a particular + named user would be authenticated by multiple methods. This would + make the user vulnerable to attacks which negotiate the least secure + method from among a set (such as PAP rather than CHAP). If the same + + + +Simpson [Page 10] + +RFC 1994 PPP CHAP August 1996 + + + secret was used, PAP would reveal the secret to be used later with + CHAP. + + Instead, for each user name there should be an indication of exactly + one method used to authenticate that user name. If a user needs to + make use of different authentication methods under different + circumstances, then distinct user names SHOULD be employed, each of + which identifies exactly one authentication method. + + Passwords and other secrets should be stored at the respective ends + such that access to them is as limited as possible. Ideally, the + secrets should only be accessible to the process requiring access in + order to perform the authentication. + + The secrets should be distributed with a mechanism that limits the + number of entities that handle (and thus gain knowledge of) the + secret. Ideally, no unauthorized person should ever gain knowledge + of the secrets. Such a mechanism is outside the scope of this + specification. + + +Acknowledgements + + David Kaufman, Frank Heinrich, and Karl Auerbach used a challenge + handshake at SDC when designing one of the protocols for a "secure" + network in the mid-1970s. Tom Bearson built a prototype Sytek + product ("Poloneous"?) on the challenge-response notion in the 1982- + 83 timeframe. Another variant is documented in the various IBM SNA + manuals. Yet another variant was implemented by Karl Auerbach in the + Telebit NetBlazer circa 1991. + + Kim Toms and Barney Wolff provided useful critiques of earlier + versions of this document. + + Special thanks to Dave Balenson, Steve Crocker, James Galvin, and + Steve Kent, for their extensive explanations and suggestions. Now, + if only we could get them to agree with each other. + + + + + + + + + + + + + + +Simpson [Page 11] + +RFC 1994 PPP CHAP August 1996 + + +References + + [1] Simpson, W., Editor, "The Point-to-Point Protocol (PPP)", STD + 51, RFC 1661, DayDreamer, July 1994. + + [2] Reynolds, J., and J. Postel, "Assigned Numbers", STD 2, RFC + 1700, USC/Information Sciences Institute, October 1994. + + [3] Rivest, R., and S. Dusse, "The MD5 Message-Digest Algorithm", + MIT Laboratory for Computer Science and RSA Data Security, + Inc., RFC 1321, April 1992. + + + +Contacts + + Comments should be submitted to the ietf-ppp@merit.edu mailing list. + + This document was reviewed by the Point-to-Point Protocol Working + Group of the Internet Engineering Task Force (IETF). The working + group can be contacted via the current chair: + + Karl Fox + Ascend Communications + 3518 Riverside Drive, Suite 101 + Columbus, Ohio 43221 + + karl@MorningStar.com + karl@Ascend.com + + + Questions about this memo can also be directed to: + + William Allen Simpson + DayDreamer + Computer Systems Consulting Services + 1384 Fontaine + Madison Heights, Michigan 48071 + + wsimpson@UMich.edu + wsimpson@GreenDragon.com (preferred) + + + + + + + + + + +Simpson [Page 12] + + diff --git a/doc/standards/rfc2865.txt b/doc/standards/rfc2865.txt new file mode 100644 index 000000000..10ec2310f --- /dev/null +++ b/doc/standards/rfc2865.txt @@ -0,0 +1,4259 @@ + + + + + + +Network Working Group C. Rigney +Request for Comments: 2865 S. Willens +Obsoletes: 2138 Livingston +Category: Standards Track A. Rubens + Merit + W. Simpson + Daydreamer + June 2000 + + + Remote Authentication Dial In User Service (RADIUS) + +Status of this Memo + + This document specifies an Internet standards track protocol for the + Internet community, and requests discussion and suggestions for + improvements. Please refer to the current edition of the "Internet + Official Protocol Standards" (STD 1) for the standardization state + and status of this protocol. Distribution of this memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2000). All Rights Reserved. + +IESG Note: + + This protocol is widely implemented and used. Experience has shown + that it can suffer degraded performance and lost data when used in + large scale systems, in part because it does not include provisions + for congestion control. Readers of this document may find it + beneficial to track the progress of the IETF's AAA working group, + which may develop a successor protocol that better addresses the + scaling and congestion control issues. + +Abstract + + This document describes a protocol for carrying authentication, + authorization, and configuration information between a Network Access + Server which desires to authenticate its links and a shared + Authentication Server. + +Implementation Note + + This memo documents the RADIUS protocol. The early deployment of + RADIUS was done using UDP port number 1645, which conflicts with the + "datametrics" service. The officially assigned port number for + RADIUS is 1812. + + + + +Rigney, et al. Standards Track [Page 1] + +RFC 2865 RADIUS June 2000 + + +Table of Contents + + 1. Introduction .......................................... 3 + 1.1 Specification of Requirements ................... 4 + 1.2 Terminology ..................................... 5 + 2. Operation ............................................. 5 + 2.1 Challenge/Response .............................. 7 + 2.2 Interoperation with PAP and CHAP ................ 8 + 2.3 Proxy ........................................... 8 + 2.4 Why UDP? ........................................ 11 + 2.5 Retransmission Hints ............................ 12 + 2.6 Keep-Alives Considered Harmful .................. 13 + 3. Packet Format ......................................... 13 + 4. Packet Types .......................................... 17 + 4.1 Access-Request .................................. 17 + 4.2 Access-Accept ................................... 18 + 4.3 Access-Reject ................................... 20 + 4.4 Access-Challenge ................................ 21 + 5. Attributes ............................................ 22 + 5.1 User-Name ....................................... 26 + 5.2 User-Password ................................... 27 + 5.3 CHAP-Password ................................... 28 + 5.4 NAS-IP-Address .................................. 29 + 5.5 NAS-Port ........................................ 30 + 5.6 Service-Type .................................... 31 + 5.7 Framed-Protocol ................................. 33 + 5.8 Framed-IP-Address ............................... 34 + 5.9 Framed-IP-Netmask ............................... 34 + 5.10 Framed-Routing .................................. 35 + 5.11 Filter-Id ....................................... 36 + 5.12 Framed-MTU ...................................... 37 + 5.13 Framed-Compression .............................. 37 + 5.14 Login-IP-Host ................................... 38 + 5.15 Login-Service ................................... 39 + 5.16 Login-TCP-Port .................................. 40 + 5.17 (unassigned) .................................... 41 + 5.18 Reply-Message ................................... 41 + 5.19 Callback-Number ................................. 42 + 5.20 Callback-Id ..................................... 42 + 5.21 (unassigned) .................................... 43 + 5.22 Framed-Route .................................... 43 + 5.23 Framed-IPX-Network .............................. 44 + 5.24 State ........................................... 45 + 5.25 Class ........................................... 46 + 5.26 Vendor-Specific ................................. 47 + 5.27 Session-Timeout ................................. 48 + 5.28 Idle-Timeout .................................... 49 + 5.29 Termination-Action .............................. 49 + + + +Rigney, et al. Standards Track [Page 2] + +RFC 2865 RADIUS June 2000 + + + 5.30 Called-Station-Id ............................... 50 + 5.31 Calling-Station-Id .............................. 51 + 5.32 NAS-Identifier .................................. 52 + 5.33 Proxy-State ..................................... 53 + 5.34 Login-LAT-Service ............................... 54 + 5.35 Login-LAT-Node .................................. 55 + 5.36 Login-LAT-Group ................................. 56 + 5.37 Framed-AppleTalk-Link ........................... 57 + 5.38 Framed-AppleTalk-Network ........................ 58 + 5.39 Framed-AppleTalk-Zone ........................... 58 + 5.40 CHAP-Challenge .................................. 59 + 5.41 NAS-Port-Type ................................... 60 + 5.42 Port-Limit ...................................... 61 + 5.43 Login-LAT-Port .................................. 62 + 5.44 Table of Attributes ............................. 63 + 6. IANA Considerations ................................... 64 + 6.1 Definition of Terms ............................. 64 + 6.2 Recommended Registration Policies ............... 65 + 7. Examples .............................................. 66 + 7.1 User Telnet to Specified Host ................... 66 + 7.2 Framed User Authenticating with CHAP ............ 67 + 7.3 User with Challenge-Response card ............... 68 + 8. Security Considerations ............................... 71 + 9. Change Log ............................................ 71 + 10. References ............................................ 73 + 11. Acknowledgements ...................................... 74 + 12. Chair's Address ....................................... 74 + 13. Authors' Addresses .................................... 75 + 14. Full Copyright Statement .............................. 76 + +1. Introduction + + This document obsoletes RFC 2138 [1]. A summary of the changes + between this document and RFC 2138 is available in the "Change Log" + appendix. + + Managing dispersed serial line and modem pools for large numbers of + users can create the need for significant administrative support. + Since modem pools are by definition a link to the outside world, they + require careful attention to security, authorization and accounting. + This can be best achieved by managing a single "database" of users, + which allows for authentication (verifying user name and password) as + well as configuration information detailing the type of service to + deliver to the user (for example, SLIP, PPP, telnet, rlogin). + + + + + + + +Rigney, et al. Standards Track [Page 3] + +RFC 2865 RADIUS June 2000 + + + Key features of RADIUS are: + + Client/Server Model + + A Network Access Server (NAS) operates as a client of RADIUS. The + client is responsible for passing user information to designated + RADIUS servers, and then acting on the response which is returned. + + RADIUS servers are responsible for receiving user connection + requests, authenticating the user, and then returning all + configuration information necessary for the client to deliver + service to the user. + + A RADIUS server can act as a proxy client to other RADIUS servers + or other kinds of authentication servers. + + Network Security + + Transactions between the client and RADIUS server are + authenticated through the use of a shared secret, which is never + sent over the network. In addition, any user passwords are sent + encrypted between the client and RADIUS server, to eliminate the + possibility that someone snooping on an unsecure network could + determine a user's password. + + Flexible Authentication Mechanisms + + The RADIUS server can support a variety of methods to authenticate + a user. When it is provided with the user name and original + password given by the user, it can support PPP PAP or CHAP, UNIX + login, and other authentication mechanisms. + + Extensible Protocol + + All transactions are comprised of variable length Attribute- + Length-Value 3-tuples. New attribute values can be added without + disturbing existing implementations of the protocol. + +1.1. Specification of Requirements + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in BCP 14 [2]. These key + words mean the same thing whether capitalized or not. + + An implementation is not compliant if it fails to satisfy one or more + of the must or must not requirements for the protocols it implements. + An implementation that satisfies all the must, must not, should and + + + +Rigney, et al. Standards Track [Page 4] + +RFC 2865 RADIUS June 2000 + + + should not requirements for its protocols is said to be + "unconditionally compliant"; one that satisfies all the must and must + not requirements but not all the should or should not requirements + for its protocols is said to be "conditionally compliant". + + A NAS that does not implement a given service MUST NOT implement the + RADIUS attributes for that service. For example, a NAS that is + unable to offer ARAP service MUST NOT implement the RADIUS attributes + for ARAP. A NAS MUST treat a RADIUS access-accept authorizing an + unavailable service as an access-reject instead. + +1.2. Terminology + + This document frequently uses the following terms: + + service The NAS provides a service to the dial-in user, such as PPP + or Telnet. + + session Each service provided by the NAS to a dial-in user + constitutes a session, with the beginning of the session + defined as the point where service is first provided and + the end of the session defined as the point where service + is ended. A user may have multiple sessions in parallel or + series if the NAS supports that. + + silently discard + This means the implementation discards the packet without + further processing. The implementation SHOULD provide the + capability of logging the error, including the contents of + the silently discarded packet, and SHOULD record the event + in a statistics counter. + +2. Operation + + When a client is configured to use RADIUS, any user of the client + presents authentication information to the client. This might be + with a customizable login prompt, where the user is expected to enter + their username and password. Alternatively, the user might use a + link framing protocol such as the Point-to-Point Protocol (PPP), + which has authentication packets which carry this information. + + Once the client has obtained such information, it may choose to + authenticate using RADIUS. To do so, the client creates an "Access- + Request" containing such Attributes as the user's name, the user's + password, the ID of the client and the Port ID which the user is + accessing. When a password is present, it is hidden using a method + based on the RSA Message Digest Algorithm MD5 [3]. + + + + +Rigney, et al. Standards Track [Page 5] + +RFC 2865 RADIUS June 2000 + + + The Access-Request is submitted to the RADIUS server via the network. + If no response is returned within a length of time, the request is + re-sent a number of times. The client can also forward requests to + an alternate server or servers in the event that the primary server + is down or unreachable. An alternate server can be used either after + a number of tries to the primary server fail, or in a round-robin + fashion. Retry and fallback algorithms are the topic of current + research and are not specified in detail in this document. + + Once the RADIUS server receives the request, it validates the sending + client. A request from a client for which the RADIUS server does not + have a shared secret MUST be silently discarded. If the client is + valid, the RADIUS server consults a database of users to find the + user whose name matches the request. The user entry in the database + contains a list of requirements which must be met to allow access for + the user. This always includes verification of the password, but can + also specify the client(s) or port(s) to which the user is allowed + access. + + The RADIUS server MAY make requests of other servers in order to + satisfy the request, in which case it acts as a client. + + If any Proxy-State attributes were present in the Access-Request, + they MUST be copied unmodified and in order into the response packet. + Other Attributes can be placed before, after, or even between the + Proxy-State attributes. + + If any condition is not met, the RADIUS server sends an "Access- + Reject" response indicating that this user request is invalid. If + desired, the server MAY include a text message in the Access-Reject + which MAY be displayed by the client to the user. No other + Attributes (except Proxy-State) are permitted in an Access-Reject. + + If all conditions are met and the RADIUS server wishes to issue a + challenge to which the user must respond, the RADIUS server sends an + "Access-Challenge" response. It MAY include a text message to be + displayed by the client to the user prompting for a response to the + challenge, and MAY include a State attribute. + + If the client receives an Access-Challenge and supports + challenge/response it MAY display the text message, if any, to the + user, and then prompt the user for a response. The client then re- + submits its original Access-Request with a new request ID, with the + User-Password Attribute replaced by the response (encrypted), and + including the State Attribute from the Access-Challenge, if any. + Only 0 or 1 instances of the State Attribute SHOULD be + + + + + +Rigney, et al. Standards Track [Page 6] + +RFC 2865 RADIUS June 2000 + + + present in a request. The server can respond to this new Access- + Request with either an Access-Accept, an Access-Reject, or another + Access-Challenge. + + If all conditions are met, the list of configuration values for the + user are placed into an "Access-Accept" response. These values + include the type of service (for example: SLIP, PPP, Login User) and + all necessary values to deliver the desired service. For SLIP and + PPP, this may include values such as IP address, subnet mask, MTU, + desired compression, and desired packet filter identifiers. For + character mode users, this may include values such as desired + protocol and host. + +2.1. Challenge/Response + + In challenge/response authentication, the user is given an + unpredictable number and challenged to encrypt it and give back the + result. Authorized users are equipped with special devices such as + smart cards or software that facilitate calculation of the correct + response with ease. Unauthorized users, lacking the appropriate + device or software and lacking knowledge of the secret key necessary + to emulate such a device or software, can only guess at the response. + + The Access-Challenge packet typically contains a Reply-Message + including a challenge to be displayed to the user, such as a numeric + value unlikely ever to be repeated. Typically this is obtained from + an external server that knows what type of authenticator is in the + possession of the authorized user and can therefore choose a random + or non-repeating pseudorandom number of an appropriate radix and + length. + + The user then enters the challenge into his device (or software) and + it calculates a response, which the user enters into the client which + forwards it to the RADIUS server via a second Access-Request. If the + response matches the expected response the RADIUS server replies with + an Access-Accept, otherwise an Access-Reject. + + Example: The NAS sends an Access-Request packet to the RADIUS Server + with NAS-Identifier, NAS-Port, User-Name, User-Password (which may + just be a fixed string like "challenge" or ignored). The server + sends back an Access-Challenge packet with State and a Reply-Message + along the lines of "Challenge 12345678, enter your response at the + prompt" which the NAS displays. The NAS prompts for the response and + sends a NEW Access-Request to the server (with a new ID) with NAS- + Identifier, NAS-Port, User-Name, User-Password (the response just + entered by the user, encrypted), and the same State Attribute that + + + + + +Rigney, et al. Standards Track [Page 7] + +RFC 2865 RADIUS June 2000 + + + came with the Access-Challenge. The server then sends back either an + Access-Accept or Access-Reject based on whether the response matches + the required value, or it can even send another Access-Challenge. + +2.2. Interoperation with PAP and CHAP + + For PAP, the NAS takes the PAP ID and password and sends them in an + Access-Request packet as the User-Name and User-Password. The NAS MAY + include the Attributes Service-Type = Framed-User and Framed-Protocol + = PPP as a hint to the RADIUS server that PPP service is expected. + + For CHAP, the NAS generates a random challenge (preferably 16 octets) + and sends it to the user, who returns a CHAP response along with a + CHAP ID and CHAP username. The NAS then sends an Access-Request + packet to the RADIUS server with the CHAP username as the User-Name + and with the CHAP ID and CHAP response as the CHAP-Password + (Attribute 3). The random challenge can either be included in the + CHAP-Challenge attribute or, if it is 16 octets long, it can be + placed in the Request Authenticator field of the Access-Request + packet. The NAS MAY include the Attributes Service-Type = Framed- + User and Framed-Protocol = PPP as a hint to the RADIUS server that + PPP service is expected. + + The RADIUS server looks up a password based on the User-Name, + encrypts the challenge using MD5 on the CHAP ID octet, that password, + and the CHAP challenge (from the CHAP-Challenge attribute if present, + otherwise from the Request Authenticator), and compares that result + to the CHAP-Password. If they match, the server sends back an + Access-Accept, otherwise it sends back an Access-Reject. + + If the RADIUS server is unable to perform the requested + authentication it MUST return an Access-Reject. For example, CHAP + requires that the user's password be available in cleartext to the + server so that it can encrypt the CHAP challenge and compare that to + the CHAP response. If the password is not available in cleartext to + the RADIUS server then the server MUST send an Access-Reject to the + client. + +2.3. Proxy + + With proxy RADIUS, one RADIUS server receives an authentication (or + accounting) request from a RADIUS client (such as a NAS), forwards + the request to a remote RADIUS server, receives the reply from the + remote server, and sends that reply to the client, possibly with + changes to reflect local administrative policy. A common use for + proxy RADIUS is roaming. Roaming permits two or more administrative + entities to allow each other's users to dial in to either entity's + network for service. + + + +Rigney, et al. Standards Track [Page 8] + +RFC 2865 RADIUS June 2000 + + + The NAS sends its RADIUS access-request to the "forwarding server" + which forwards it to the "remote server". The remote server sends a + response (Access-Accept, Access-Reject, or Access-Challenge) back to + the forwarding server, which sends it back to the NAS. The User-Name + attribute MAY contain a Network Access Identifier [8] for RADIUS + Proxy operations. The choice of which server receives the forwarded + request SHOULD be based on the authentication "realm". The + authentication realm MAY be the realm part of a Network Access + Identifier (a "named realm"). Alternatively, the choice of which + server receives the forwarded request MAY be based on whatever other + criteria the forwarding server is configured to use, such as Called- + Station-Id (a "numbered realm"). + + A RADIUS server can function as both a forwarding server and a remote + server, serving as a forwarding server for some realms and a remote + server for other realms. One forwarding server can act as a + forwarder for any number of remote servers. A remote server can have + any number of servers forwarding to it and can provide authentication + for any number of realms. One forwarding server can forward to + another forwarding server to create a chain of proxies, although care + must be taken to avoid introducing loops. + + The following scenario illustrates a proxy RADIUS communication + between a NAS and the forwarding and remote RADIUS servers: + + 1. A NAS sends its access-request to the forwarding server. + + 2. The forwarding server forwards the access-request to the remote + server. + + 3. The remote server sends an access-accept, access-reject or + access-challenge back to the forwarding server. For this example, + an access-accept is sent. + + 4. The forwarding server sends the access-accept to the NAS. + + The forwarding server MUST treat any Proxy-State attributes already + in the packet as opaque data. Its operation MUST NOT depend on the + content of Proxy-State attributes added by previous servers. + + If there are any Proxy-State attributes in the request received from + the client, the forwarding server MUST include those Proxy-State + attributes in its reply to the client. The forwarding server MAY + include the Proxy-State attributes in the access-request when it + forwards the request, or MAY omit them in the forwarded request. If + the forwarding server omits the Proxy-State attributes in the + forwarded access-request, it MUST attach them to the response before + sending it to the client. + + + +Rigney, et al. Standards Track [Page 9] + +RFC 2865 RADIUS June 2000 + + + We now examine each step in more detail. + + 1. A NAS sends its access-request to the forwarding server. The + forwarding server decrypts the User-Password, if present, using + the shared secret it knows for the NAS. If a CHAP-Password + attribute is present in the packet and no CHAP-Challenge attribute + is present, the forwarding server MUST leave the Request- + Authenticator untouched or copy it to a CHAP-Challenge attribute. + + '' The forwarding server MAY add one Proxy-State attribute to the + packet. (It MUST NOT add more than one.) If it adds a Proxy- + State, the Proxy-State MUST appear after any other Proxy-States in + the packet. The forwarding server MUST NOT modify any other + Proxy-States that were in the packet (it may choose not to forward + them, but it MUST NOT change their contents). The forwarding + server MUST NOT change the order of any attributes of the same + type, including Proxy-State. + + 2. The forwarding server encrypts the User-Password, if present, + using the secret it shares with the remote server, sets the + Identifier as needed, and forwards the access-request to the + remote server. + + 3. The remote server (if the final destination) verifies the user + using User-Password, CHAP-Password, or such method as future + extensions may dictate, and returns an access-accept, access- + reject or access-challenge back to the forwarding server. For + this example, an access-accept is sent. The remote server MUST + copy all Proxy-State attributes (and only the Proxy-State + attributes) in order from the access-request to the response + packet, without modifying them. + + 4. The forwarding server verifies the Response Authenticator using + the secret it shares with the remote server, and silently discards + the packet if it fails verification. If the packet passes + verification, the forwarding server removes the last Proxy-State + (if it attached one), signs the Response Authenticator using the + secret it shares with the NAS, restores the Identifier to match + the one in the original request by the NAS, and sends the access- + accept to the NAS. + + A forwarding server MAY need to modify attributes to enforce local + policy. Such policy is outside the scope of this document, with the + following restrictions. A forwarding server MUST not modify existing + Proxy-State, State, or Class attributes present in the packet. + + + + + + +Rigney, et al. Standards Track [Page 10] + +RFC 2865 RADIUS June 2000 + + + Implementers of forwarding servers should consider carefully which + values it is willing to accept for Service-Type. Careful + consideration must be given to the effects of passing along Service- + Types of NAS-Prompt or Administrative in a proxied Access-Accept, and + implementers may wish to provide mechanisms to block those or other + service types, or other attributes. Such mechanisms are outside the + scope of this document. + +2.4. Why UDP? + + A frequently asked question is why RADIUS uses UDP instead of TCP as + a transport protocol. UDP was chosen for strictly technical reasons. + + There are a number of issues which must be understood. RADIUS is a + transaction based protocol which has several interesting + characteristics: + + 1. If the request to a primary Authentication server fails, a + secondary server must be queried. + + To meet this requirement, a copy of the request must be kept above + the transport layer to allow for alternate transmission. This + means that retransmission timers are still required. + + 2. The timing requirements of this particular protocol are + significantly different than TCP provides. + + At one extreme, RADIUS does not require a "responsive" detection + of lost data. The user is willing to wait several seconds for the + authentication to complete. The generally aggressive TCP + retransmission (based on average round trip time) is not required, + nor is the acknowledgement overhead of TCP. + + At the other extreme, the user is not willing to wait several + minutes for authentication. Therefore the reliable delivery of + TCP data two minutes later is not useful. The faster use of an + alternate server allows the user to gain access before giving up. + + 3. The stateless nature of this protocol simplifies the use of UDP. + + Clients and servers come and go. Systems are rebooted, or are + power cycled independently. Generally this does not cause a + problem and with creative timeouts and detection of lost TCP + connections, code can be written to handle anomalous events. UDP + however completely eliminates any of this special handling. Each + client and server can open their UDP transport just once and leave + it open through all types of failure events on the network. + + + + +Rigney, et al. Standards Track [Page 11] + +RFC 2865 RADIUS June 2000 + + + 4. UDP simplifies the server implementation. + + In the earliest implementations of RADIUS, the server was single + threaded. This means that a single request was received, + processed, and returned. This was found to be unmanageable in + environments where the back-end security mechanism took real time + (1 or more seconds). The server request queue would fill and in + environments where hundreds of people were being authenticated + every minute, the request turn-around time increased to longer + than users were willing to wait (this was especially severe when a + specific lookup in a database or over DNS took 30 or more + seconds). The obvious solution was to make the server multi- + threaded. Achieving this was simple with UDP. Separate processes + were spawned to serve each request and these processes could + respond directly to the client NAS with a simple UDP packet to the + original transport of the client. + + It's not all a panacea. As noted, using UDP requires one thing which + is built into TCP: with UDP we must artificially manage + retransmission timers to the same server, although they don't require + the same attention to timing provided by TCP. This one penalty is a + small price to pay for the advantages of UDP in this protocol. + + Without TCP we would still probably be using tin cans connected by + string. But for this particular protocol, UDP is a better choice. + +2.5. Retransmission Hints + + If the RADIUS server and alternate RADIUS server share the same + shared secret, it is OK to retransmit the packet to the alternate + RADIUS server with the same ID and Request Authenticator, because the + content of the attributes haven't changed. If you want to use a new + Request Authenticator when sending to the alternate server, you may. + + If you change the contents of the User-Password attribute (or any + other attribute), you need a new Request Authenticator and therefore + a new ID. + + If the NAS is retransmitting a RADIUS request to the same server as + before, and the attributes haven't changed, you MUST use the same + Request Authenticator, ID, and source port. If any attributes have + changed, you MUST use a new Request Authenticator and ID. + + A NAS MAY use the same ID across all servers, or MAY keep track of + IDs separately for each server, it is up to the implementer. If a + NAS needs more than 256 IDs for outstanding requests, it MAY use + + + + + +Rigney, et al. Standards Track [Page 12] + +RFC 2865 RADIUS June 2000 + + + additional source ports to send requests from, and keep track of IDs + for each source port. This allows up to 16 million or so outstanding + requests at one time to a single server. + +2.6. Keep-Alives Considered Harmful + + Some implementers have adopted the practice of sending test RADIUS + requests to see if a server is alive. This practice is strongly + discouraged, since it adds to load and harms scalability without + providing any additional useful information. Since a RADIUS request + is contained in a single datagram, in the time it would take you to + send a ping you could just send the RADIUS request, and getting a + reply tells you that the RADIUS server is up. If you do not have a + RADIUS request to send, it does not matter if the server is up or + not, because you are not using it. + + If you want to monitor your RADIUS server, use SNMP. That's what + SNMP is for. + +3. Packet Format + + Exactly one RADIUS packet is encapsulated in the UDP Data field [4], + where the UDP Destination Port field indicates 1812 (decimal). + + When a reply is generated, the source and destination ports are + reversed. + + This memo documents the RADIUS protocol. The early deployment of + RADIUS was done using UDP port number 1645, which conflicts with the + "datametrics" service. The officially assigned port number for + RADIUS is 1812. + + + + + + + + + + + + + + + + + + + + +Rigney, et al. Standards Track [Page 13] + +RFC 2865 RADIUS June 2000 + + + A summary of the RADIUS data format is shown below. The fields are + transmitted from left to right. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Code | Identifier | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | + | Authenticator | + | | + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Attributes ... + +-+-+-+-+-+-+-+-+-+-+-+-+- + + Code + + The Code field is one octet, and identifies the type of RADIUS + packet. When a packet is received with an invalid Code field, it + is silently discarded. + + RADIUS Codes (decimal) are assigned as follows: + + 1 Access-Request + 2 Access-Accept + 3 Access-Reject + 4 Accounting-Request + 5 Accounting-Response + 11 Access-Challenge + 12 Status-Server (experimental) + 13 Status-Client (experimental) + 255 Reserved + + Codes 4 and 5 are covered in the RADIUS Accounting document [5]. + Codes 12 and 13 are reserved for possible use, but are not further + mentioned here. + + Identifier + + The Identifier field is one octet, and aids in matching requests + and replies. The RADIUS server can detect a duplicate request if + it has the same client source IP address and source UDP port and + Identifier within a short span of time. + + + + + + + +Rigney, et al. Standards Track [Page 14] + +RFC 2865 RADIUS June 2000 + + + Length + + The Length field is two octets. It indicates the length of the + packet including the Code, Identifier, Length, Authenticator and + Attribute fields. Octets outside the range of the Length field + MUST be treated as padding and ignored on reception. If the + packet is shorter than the Length field indicates, it MUST be + silently discarded. The minimum length is 20 and maximum length + is 4096. + + Authenticator + + The Authenticator field is sixteen (16) octets. The most + significant octet is transmitted first. This value is used to + authenticate the reply from the RADIUS server, and is used in the + password hiding algorithm. + + Request Authenticator + + In Access-Request Packets, the Authenticator value is a 16 + octet random number, called the Request Authenticator. The + value SHOULD be unpredictable and unique over the lifetime of a + secret (the password shared between the client and the RADIUS + server), since repetition of a request value in conjunction + with the same secret would permit an attacker to reply with a + previously intercepted response. Since it is expected that the + same secret MAY be used to authenticate with servers in + disparate geographic regions, the Request Authenticator field + SHOULD exhibit global and temporal uniqueness. + + The Request Authenticator value in an Access-Request packet + SHOULD also be unpredictable, lest an attacker trick a server + into responding to a predicted future request, and then use the + response to masquerade as that server to a future Access- + Request. + + Although protocols such as RADIUS are incapable of protecting + against theft of an authenticated session via realtime active + wiretapping attacks, generation of unique unpredictable + requests can protect against a wide range of active attacks + against authentication. + + The NAS and RADIUS server share a secret. That shared secret + followed by the Request Authenticator is put through a one-way + MD5 hash to create a 16 octet digest value which is xored with + the password entered by the user, and the xored result placed + + + + + +Rigney, et al. Standards Track [Page 15] + +RFC 2865 RADIUS June 2000 + + + in the User-Password attribute in the Access-Request packet. + See the entry for User-Password in the section on Attributes + for a more detailed description. + + Response Authenticator + + The value of the Authenticator field in Access-Accept, Access- + Reject, and Access-Challenge packets is called the Response + Authenticator, and contains a one-way MD5 hash calculated over + a stream of octets consisting of: the RADIUS packet, beginning + with the Code field, including the Identifier, the Length, the + Request Authenticator field from the Access-Request packet, and + the response Attributes, followed by the shared secret. That + is, ResponseAuth = + MD5(Code+ID+Length+RequestAuth+Attributes+Secret) where + + denotes concatenation. + + Administrative Note + + The secret (password shared between the client and the RADIUS + server) SHOULD be at least as large and unguessable as a well- + chosen password. It is preferred that the secret be at least 16 + octets. This is to ensure a sufficiently large range for the + secret to provide protection against exhaustive search attacks. + The secret MUST NOT be empty (length 0) since this would allow + packets to be trivially forged. + + A RADIUS server MUST use the source IP address of the RADIUS UDP + packet to decide which shared secret to use, so that RADIUS + requests can be proxied. + + When using a forwarding proxy, the proxy must be able to alter the + packet as it passes through in each direction - when the proxy + forwards the request, the proxy MAY add a Proxy-State Attribute, + and when the proxy forwards a response, it MUST remove its Proxy- + State Attribute if it added one. Proxy-State is always added or + removed after any other Proxy-States, but no other assumptions + regarding its location within the list of attributes can be made. + Since Access-Accept and Access-Reject replies are authenticated on + the entire packet contents, the stripping of the Proxy-State + attribute invalidates the signature in the packet - so the proxy + has to re-sign it. + + Further details of RADIUS proxy implementation are outside the + scope of this document. + + + + + + +Rigney, et al. Standards Track [Page 16] + +RFC 2865 RADIUS June 2000 + + +4. Packet Types + + The RADIUS Packet type is determined by the Code field in the first + octet of the Packet. + +4.1. Access-Request + + Description + + Access-Request packets are sent to a RADIUS server, and convey + information used to determine whether a user is allowed access to + a specific NAS, and any special services requested for that user. + An implementation wishing to authenticate a user MUST transmit a + RADIUS packet with the Code field set to 1 (Access-Request). + + Upon receipt of an Access-Request from a valid client, an + appropriate reply MUST be transmitted. + + An Access-Request SHOULD contain a User-Name attribute. It MUST + contain either a NAS-IP-Address attribute or a NAS-Identifier + attribute (or both). + + An Access-Request MUST contain either a User-Password or a CHAP- + Password or a State. An Access-Request MUST NOT contain both a + User-Password and a CHAP-Password. If future extensions allow + other kinds of authentication information to be conveyed, the + attribute for that can be used in an Access-Request instead of + User-Password or CHAP-Password. + + An Access-Request SHOULD contain a NAS-Port or NAS-Port-Type + attribute or both unless the type of access being requested does + not involve a port or the NAS does not distinguish among its + ports. + + An Access-Request MAY contain additional attributes as a hint to + the server, but the server is not required to honor the hint. + + When a User-Password is present, it is hidden using a method based + on the RSA Message Digest Algorithm MD5 [3]. + + + + + + + + + + + + +Rigney, et al. Standards Track [Page 17] + +RFC 2865 RADIUS June 2000 + + + A summary of the Access-Request packet format is shown below. The + fields are transmitted from left to right. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Code | Identifier | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | + | Request Authenticator | + | | + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Attributes ... + +-+-+-+-+-+-+-+-+-+-+-+-+- + + Code + + 1 for Access-Request. + + Identifier + + The Identifier field MUST be changed whenever the content of the + Attributes field changes, and whenever a valid reply has been + received for a previous request. For retransmissions, the + Identifier MUST remain unchanged. + + Request Authenticator + + The Request Authenticator value MUST be changed each time a new + Identifier is used. + + Attributes + + The Attribute field is variable in length, and contains the list + of Attributes that are required for the type of service, as well + as any desired optional Attributes. + +4.2. Access-Accept + + Description + + Access-Accept packets are sent by the RADIUS server, and provide + specific configuration information necessary to begin delivery of + service to the user. If all Attribute values received in an + Access-Request are acceptable then the RADIUS implementation MUST + transmit a packet with the Code field set to 2 (Access-Accept). + + + + +Rigney, et al. Standards Track [Page 18] + +RFC 2865 RADIUS June 2000 + + + On reception of an Access-Accept, the Identifier field is matched + with a pending Access-Request. The Response Authenticator field + MUST contain the correct response for the pending Access-Request. + Invalid packets are silently discarded. + + A summary of the Access-Accept packet format is shown below. The + fields are transmitted from left to right. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Code | Identifier | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | + | Response Authenticator | + | | + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Attributes ... + +-+-+-+-+-+-+-+-+-+-+-+-+- + + Code + + 2 for Access-Accept. + + Identifier + + The Identifier field is a copy of the Identifier field of the + Access-Request which caused this Access-Accept. + + Response Authenticator + + The Response Authenticator value is calculated from the Access- + Request value, as described earlier. + + Attributes + + The Attribute field is variable in length, and contains a list of + zero or more Attributes. + + + + + + + + + + + + +Rigney, et al. Standards Track [Page 19] + +RFC 2865 RADIUS June 2000 + + +4.3. Access-Reject + + Description + + If any value of the received Attributes is not acceptable, then + the RADIUS server MUST transmit a packet with the Code field set + to 3 (Access-Reject). It MAY include one or more Reply-Message + Attributes with a text message which the NAS MAY display to the + user. + + A summary of the Access-Reject packet format is shown below. The + fields are transmitted from left to right. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Code | Identifier | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | + | Response Authenticator | + | | + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Attributes ... + +-+-+-+-+-+-+-+-+-+-+-+-+- + + Code + + 3 for Access-Reject. + + Identifier + + The Identifier field is a copy of the Identifier field of the + Access-Request which caused this Access-Reject. + + Response Authenticator + + The Response Authenticator value is calculated from the Access- + Request value, as described earlier. + + Attributes + + The Attribute field is variable in length, and contains a list of + zero or more Attributes. + + + + + + + +Rigney, et al. Standards Track [Page 20] + +RFC 2865 RADIUS June 2000 + + +4.4. Access-Challenge + + Description + + If the RADIUS server desires to send the user a challenge + requiring a response, then the RADIUS server MUST respond to the + Access-Request by transmitting a packet with the Code field set to + 11 (Access-Challenge). + + The Attributes field MAY have one or more Reply-Message + Attributes, and MAY have a single State Attribute, or none. + Vendor-Specific, Idle-Timeout, Session-Timeout and Proxy-State + attributes MAY also be included. No other Attributes defined in + this document are permitted in an Access-Challenge. + + On receipt of an Access-Challenge, the Identifier field is matched + with a pending Access-Request. Additionally, the Response + Authenticator field MUST contain the correct response for the + pending Access-Request. Invalid packets are silently discarded. + + If the NAS does not support challenge/response, it MUST treat an + Access-Challenge as though it had received an Access-Reject + instead. + + If the NAS supports challenge/response, receipt of a valid + Access-Challenge indicates that a new Access-Request SHOULD be + sent. The NAS MAY display the text message, if any, to the user, + and then prompt the user for a response. It then sends its + original Access-Request with a new request ID and Request + Authenticator, with the User-Password Attribute replaced by the + user's response (encrypted), and including the State Attribute + from the Access-Challenge, if any. Only 0 or 1 instances of the + State Attribute can be present in an Access-Request. + + A NAS which supports PAP MAY forward the Reply-Message to the + dialing client and accept a PAP response which it can use as + though the user had entered the response. If the NAS cannot do + so, it MUST treat the Access-Challenge as though it had received + an Access-Reject instead. + + + + + + + + + + + + +Rigney, et al. Standards Track [Page 21] + +RFC 2865 RADIUS June 2000 + + + A summary of the Access-Challenge packet format is shown below. The + fields are transmitted from left to right. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Code | Identifier | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | + | Response Authenticator | + | | + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Attributes ... + +-+-+-+-+-+-+-+-+-+-+-+-+- + + Code + + 11 for Access-Challenge. + + Identifier + + The Identifier field is a copy of the Identifier field of the + Access-Request which caused this Access-Challenge. + + Response Authenticator + + The Response Authenticator value is calculated from the Access- + Request value, as described earlier. + + Attributes + + The Attributes field is variable in length, and contains a list of + zero or more Attributes. + +5. Attributes + + RADIUS Attributes carry the specific authentication, authorization, + information and configuration details for the request and reply. + + The end of the list of Attributes is indicated by the Length of the + RADIUS packet. + + Some Attributes MAY be included more than once. The effect of this + is Attribute specific, and is specified in each Attribute + description. A summary table is provided at the end of the + "Attributes" section. + + + + +Rigney, et al. Standards Track [Page 22] + +RFC 2865 RADIUS June 2000 + + + If multiple Attributes with the same Type are present, the order of + Attributes with the same Type MUST be preserved by any proxies. The + order of Attributes of different Types is not required to be + preserved. A RADIUS server or client MUST NOT have any dependencies + on the order of attributes of different types. A RADIUS server or + client MUST NOT require attributes of the same type to be contiguous. + + Where an Attribute's description limits which kinds of packet it can + be contained in, this applies only to the packet types defined in + this document, namely Access-Request, Access-Accept, Access-Reject + and Access-Challenge (Codes 1, 2, 3, and 11). Other documents + defining other packet types may also use Attributes described here. + To determine which Attributes are allowed in Accounting-Request and + Accounting-Response packets (Codes 4 and 5) refer to the RADIUS + Accounting document [5]. + + Likewise where packet types defined here state that only certain + Attributes are permissible in them, future memos defining new + Attributes should indicate which packet types the new Attributes may + be present in. + + A summary of the Attribute format is shown below. The fields are + transmitted from left to right. + + 0 1 2 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + | Type | Length | Value ... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + + Type + + The Type field is one octet. Up-to-date values of the RADIUS Type + field are specified in the most recent "Assigned Numbers" RFC [6]. + Values 192-223 are reserved for experimental use, values 224-240 + are reserved for implementation-specific use, and values 241-255 + are reserved and should not be used. + + A RADIUS server MAY ignore Attributes with an unknown Type. + + A RADIUS client MAY ignore Attributes with an unknown Type. + + + + + + + + + + +Rigney, et al. Standards Track [Page 23] + +RFC 2865 RADIUS June 2000 + + + This specification concerns the following values: + + 1 User-Name + 2 User-Password + 3 CHAP-Password + 4 NAS-IP-Address + 5 NAS-Port + 6 Service-Type + 7 Framed-Protocol + 8 Framed-IP-Address + 9 Framed-IP-Netmask + 10 Framed-Routing + 11 Filter-Id + 12 Framed-MTU + 13 Framed-Compression + 14 Login-IP-Host + 15 Login-Service + 16 Login-TCP-Port + 17 (unassigned) + 18 Reply-Message + 19 Callback-Number + 20 Callback-Id + 21 (unassigned) + 22 Framed-Route + 23 Framed-IPX-Network + 24 State + 25 Class + 26 Vendor-Specific + 27 Session-Timeout + 28 Idle-Timeout + 29 Termination-Action + 30 Called-Station-Id + 31 Calling-Station-Id + 32 NAS-Identifier + 33 Proxy-State + 34 Login-LAT-Service + 35 Login-LAT-Node + 36 Login-LAT-Group + 37 Framed-AppleTalk-Link + 38 Framed-AppleTalk-Network + 39 Framed-AppleTalk-Zone + 40-59 (reserved for accounting) + 60 CHAP-Challenge + 61 NAS-Port-Type + 62 Port-Limit + 63 Login-LAT-Port + + + + + +Rigney, et al. Standards Track [Page 24] + +RFC 2865 RADIUS June 2000 + + + Length + + The Length field is one octet, and indicates the length of this + Attribute including the Type, Length and Value fields. If an + Attribute is received in an Access-Request but with an invalid + Length, an Access-Reject SHOULD be transmitted. If an Attribute + is received in an Access-Accept, Access-Reject or Access-Challenge + packet with an invalid length, the packet MUST either be treated + as an Access-Reject or else silently discarded. + + Value + + The Value field is zero or more octets and contains information + specific to the Attribute. The format and length of the Value + field is determined by the Type and Length fields. + + Note that none of the types in RADIUS terminate with a NUL (hex + 00). In particular, types "text" and "string" in RADIUS do not + terminate with a NUL (hex 00). The Attribute has a length field + and does not use a terminator. Text contains UTF-8 encoded 10646 + [7] characters and String contains 8-bit binary data. Servers and + servers and clients MUST be able to deal with embedded nulls. + RADIUS implementers using C are cautioned not to use strcpy() when + handling strings. + + The format of the value field is one of five data types. Note + that type "text" is a subset of type "string". + + text 1-253 octets containing UTF-8 encoded 10646 [7] + characters. Text of length zero (0) MUST NOT be sent; + omit the entire attribute instead. + + string 1-253 octets containing binary data (values 0 through + 255 decimal, inclusive). Strings of length zero (0) + MUST NOT be sent; omit the entire attribute instead. + + address 32 bit value, most significant octet first. + + integer 32 bit unsigned value, most significant octet first. + + time 32 bit unsigned value, most significant octet first -- + seconds since 00:00:00 UTC, January 1, 1970. The + standard Attributes do not use this data type but it is + presented here for possible use in future attributes. + + + + + + + +Rigney, et al. Standards Track [Page 25] + +RFC 2865 RADIUS June 2000 + + +5.1. User-Name + + Description + + This Attribute indicates the name of the user to be authenticated. + It MUST be sent in Access-Request packets if available. + + It MAY be sent in an Access-Accept packet, in which case the + client SHOULD use the name returned in the Access-Accept packet in + all Accounting-Request packets for this session. If the Access- + Accept includes Service-Type = Rlogin and the User-Name attribute, + a NAS MAY use the returned User-Name when performing the Rlogin + function. + + A summary of the User-Name Attribute format is shown below. The + fields are transmitted from left to right. + + 0 1 2 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + | Type | Length | String ... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + + Type + + 1 for User-Name. + + Length + + >= 3 + + String + + The String field is one or more octets. The NAS may limit the + maximum length of the User-Name but the ability to handle at least + 63 octets is recommended. + + The format of the username MAY be one of several forms: + + text Consisting only of UTF-8 encoded 10646 [7] characters. + + network access identifier + A Network Access Identifier as described in RFC 2486 + [8]. + + distinguished name + A name in ASN.1 form used in Public Key authentication + systems. + + + +Rigney, et al. Standards Track [Page 26] + +RFC 2865 RADIUS June 2000 + + +5.2. User-Password + + Description + + This Attribute indicates the password of the user to be + authenticated, or the user's input following an Access-Challenge. + It is only used in Access-Request packets. + + On transmission, the password is hidden. The password is first + padded at the end with nulls to a multiple of 16 octets. A one- + way MD5 hash is calculated over a stream of octets consisting of + the shared secret followed by the Request Authenticator. This + value is XORed with the first 16 octet segment of the password and + placed in the first 16 octets of the String field of the User- + Password Attribute. + + If the password is longer than 16 characters, a second one-way MD5 + hash is calculated over a stream of octets consisting of the + shared secret followed by the result of the first xor. That hash + is XORed with the second 16 octet segment of the password and + placed in the second 16 octets of the String field of the User- + Password Attribute. + + If necessary, this operation is repeated, with each xor result + being used along with the shared secret to generate the next hash + to xor the next segment of the password, to no more than 128 + characters. + + The method is taken from the book "Network Security" by Kaufman, + Perlman and Speciner [9] pages 109-110. A more precise + explanation of the method follows: + + Call the shared secret S and the pseudo-random 128-bit Request + Authenticator RA. Break the password into 16-octet chunks p1, p2, + etc. with the last one padded at the end with nulls to a 16-octet + boundary. Call the ciphertext blocks c(1), c(2), etc. We'll need + intermediate values b1, b2, etc. + + b1 = MD5(S + RA) c(1) = p1 xor b1 + b2 = MD5(S + c(1)) c(2) = p2 xor b2 + . . + . . + . . + bi = MD5(S + c(i-1)) c(i) = pi xor bi + + The String will contain c(1)+c(2)+...+c(i) where + denotes + concatenation. + + + + +Rigney, et al. Standards Track [Page 27] + +RFC 2865 RADIUS June 2000 + + + On receipt, the process is reversed to yield the original + password. + + A summary of the User-Password Attribute format is shown below. The + fields are transmitted from left to right. + + 0 1 2 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + | Type | Length | String ... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + + Type + + 2 for User-Password. + + Length + + At least 18 and no larger than 130. + + String + + The String field is between 16 and 128 octets long, inclusive. + +5.3. CHAP-Password + + Description + + This Attribute indicates the response value provided by a PPP + Challenge-Handshake Authentication Protocol (CHAP) user in + response to the challenge. It is only used in Access-Request + packets. + + The CHAP challenge value is found in the CHAP-Challenge Attribute + (60) if present in the packet, otherwise in the Request + Authenticator field. + + A summary of the CHAP-Password Attribute format is shown below. The + fields are transmitted from left to right. + + 0 1 2 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + | Type | Length | CHAP Ident | String ... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + + + + + + +Rigney, et al. Standards Track [Page 28] + +RFC 2865 RADIUS June 2000 + + + Type + + 3 for CHAP-Password. + + Length + + 19 + + CHAP Ident + + This field is one octet, and contains the CHAP Identifier from the + user's CHAP Response. + + String + + The String field is 16 octets, and contains the CHAP Response from + the user. + +5.4. NAS-IP-Address + + Description + + This Attribute indicates the identifying IP Address of the NAS + which is requesting authentication of the user, and SHOULD be + unique to the NAS within the scope of the RADIUS server. NAS-IP- + Address is only used in Access-Request packets. Either NAS-IP- + Address or NAS-Identifier MUST be present in an Access-Request + packet. + + Note that NAS-IP-Address MUST NOT be used to select the shared + secret used to authenticate the request. The source IP address of + the Access-Request packet MUST be used to select the shared + secret. + + A summary of the NAS-IP-Address Attribute format is shown below. The + fields are transmitted from left to right. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | Address + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + Address (cont) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Type + + 4 for NAS-IP-Address. + + + +Rigney, et al. Standards Track [Page 29] + +RFC 2865 RADIUS June 2000 + + + Length + + 6 + + Address + + The Address field is four octets. + +5.5. NAS-Port + + Description + + This Attribute indicates the physical port number of the NAS which + is authenticating the user. It is only used in Access-Request + packets. Note that this is using "port" in its sense of a + physical connection on the NAS, not in the sense of a TCP or UDP + port number. Either NAS-Port or NAS-Port-Type (61) or both SHOULD + be present in an Access-Request packet, if the NAS differentiates + among its ports. + + A summary of the NAS-Port Attribute format is shown below. The + fields are transmitted from left to right. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | Value + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + Value (cont) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Type + + 5 for NAS-Port. + + Length + + 6 + + Value + + The Value field is four octets. + + + + + + + + + +Rigney, et al. Standards Track [Page 30] + +RFC 2865 RADIUS June 2000 + + +5.6. Service-Type + + Description + + This Attribute indicates the type of service the user has + requested, or the type of service to be provided. It MAY be used + in both Access-Request and Access-Accept packets. A NAS is not + required to implement all of these service types, and MUST treat + unknown or unsupported Service-Types as though an Access-Reject + had been received instead. + + A summary of the Service-Type Attribute format is shown below. The + fields are transmitted from left to right. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | Value + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + Value (cont) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Type + + 6 for Service-Type. + + Length + + 6 + + Value + + The Value field is four octets. + + 1 Login + 2 Framed + 3 Callback Login + 4 Callback Framed + 5 Outbound + 6 Administrative + 7 NAS Prompt + 8 Authenticate Only + 9 Callback NAS Prompt + 10 Call Check + 11 Callback Administrative + + + + + + +Rigney, et al. Standards Track [Page 31] + +RFC 2865 RADIUS June 2000 + + + The service types are defined as follows when used in an Access- + Accept. When used in an Access-Request, they MAY be considered to + be a hint to the RADIUS server that the NAS has reason to believe + the user would prefer the kind of service indicated, but the + server is not required to honor the hint. + + Login The user should be connected to a host. + + Framed A Framed Protocol should be started for the + User, such as PPP or SLIP. + + Callback Login The user should be disconnected and called + back, then connected to a host. + + Callback Framed The user should be disconnected and called + back, then a Framed Protocol should be started + for the User, such as PPP or SLIP. + + Outbound The user should be granted access to outgoing + devices. + + Administrative The user should be granted access to the + administrative interface to the NAS from which + privileged commands can be executed. + + NAS Prompt The user should be provided a command prompt + on the NAS from which non-privileged commands + can be executed. + + Authenticate Only Only Authentication is requested, and no + authorization information needs to be returned + in the Access-Accept (typically used by proxy + servers rather than the NAS itself). + + Callback NAS Prompt The user should be disconnected and called + back, then provided a command prompt on the + NAS from which non-privileged commands can be + executed. + + Call Check Used by the NAS in an Access-Request packet to + indicate that a call is being received and + that the RADIUS server should send back an + Access-Accept to answer the call, or an + Access-Reject to not accept the call, + typically based on the Called-Station-Id or + Calling-Station-Id attributes. It is + + + + + +Rigney, et al. Standards Track [Page 32] + +RFC 2865 RADIUS June 2000 + + + recommended that such Access-Requests use the + value of Calling-Station-Id as the value of + the User-Name. + + Callback Administrative + The user should be disconnected and called + back, then granted access to the + administrative interface to the NAS from which + privileged commands can be executed. + +5.7. Framed-Protocol + + Description + + This Attribute indicates the framing to be used for framed access. + It MAY be used in both Access-Request and Access-Accept packets. + + A summary of the Framed-Protocol Attribute format is shown below. + The fields are transmitted from left to right. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | Value + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + Value (cont) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Type + + 7 for Framed-Protocol. + + Length + + 6 + + Value + + The Value field is four octets. + + 1 PPP + 2 SLIP + 3 AppleTalk Remote Access Protocol (ARAP) + 4 Gandalf proprietary SingleLink/MultiLink protocol + 5 Xylogics proprietary IPX/SLIP + 6 X.75 Synchronous + + + + + +Rigney, et al. Standards Track [Page 33] + +RFC 2865 RADIUS June 2000 + + +5.8. Framed-IP-Address + + Description + + This Attribute indicates the address to be configured for the + user. It MAY be used in Access-Accept packets. It MAY be used in + an Access-Request packet as a hint by the NAS to the server that + it would prefer that address, but the server is not required to + honor the hint. + + A summary of the Framed-IP-Address Attribute format is shown below. + The fields are transmitted from left to right. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | Address + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + Address (cont) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Type + + 8 for Framed-IP-Address. + + Length + + 6 + + Address + + The Address field is four octets. The value 0xFFFFFFFF indicates + that the NAS Should allow the user to select an address (e.g. + Negotiated). The value 0xFFFFFFFE indicates that the NAS should + select an address for the user (e.g. Assigned from a pool of + addresses kept by the NAS). Other valid values indicate that the + NAS should use that value as the user's IP address. + +5.9. Framed-IP-Netmask + + Description + + This Attribute indicates the IP netmask to be configured for the + user when the user is a router to a network. It MAY be used in + Access-Accept packets. It MAY be used in an Access-Request packet + as a hint by the NAS to the server that it would prefer that + netmask, but the server is not required to honor the hint. + + + + +Rigney, et al. Standards Track [Page 34] + +RFC 2865 RADIUS June 2000 + + + A summary of the Framed-IP-Netmask Attribute format is shown below. + The fields are transmitted from left to right. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | Address + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + Address (cont) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Type + + 9 for Framed-IP-Netmask. + + Length + + 6 + + Address + + The Address field is four octets specifying the IP netmask of the + user. + +5.10. Framed-Routing + + Description + + This Attribute indicates the routing method for the user, when the + user is a router to a network. It is only used in Access-Accept + packets. + + A summary of the Framed-Routing Attribute format is shown below. The + fields are transmitted from left to right. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | Value + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + Value (cont) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Type + + 10 for Framed-Routing. + + + + + +Rigney, et al. Standards Track [Page 35] + +RFC 2865 RADIUS June 2000 + + + Length + + 6 + + Value + + The Value field is four octets. + + 0 None + 1 Send routing packets + 2 Listen for routing packets + 3 Send and Listen + +5.11. Filter-Id + + Description + + This Attribute indicates the name of the filter list for this + user. Zero or more Filter-Id attributes MAY be sent in an + Access-Accept packet. + + Identifying a filter list by name allows the filter to be used on + different NASes without regard to filter-list implementation + details. + + A summary of the Filter-Id Attribute format is shown below. The + fields are transmitted from left to right. + + 0 1 2 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + | Type | Length | Text ... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + + Type + + 11 for Filter-Id. + + Length + + >= 3 + + Text + + The Text field is one or more octets, and its contents are + implementation dependent. It is intended to be human readable and + MUST NOT affect operation of the protocol. It is recommended that + the message contain UTF-8 encoded 10646 [7] characters. + + + +Rigney, et al. Standards Track [Page 36] + +RFC 2865 RADIUS June 2000 + + +5.12. Framed-MTU + + Description + + This Attribute indicates the Maximum Transmission Unit to be + configured for the user, when it is not negotiated by some other + means (such as PPP). It MAY be used in Access-Accept packets. It + MAY be used in an Access-Request packet as a hint by the NAS to + the server that it would prefer that value, but the server is not + required to honor the hint. + + A summary of the Framed-MTU Attribute format is shown below. The + fields are transmitted from left to right. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | Value + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + Value (cont) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Type + + 12 for Framed-MTU. + + Length + + 6 + + Value + + The Value field is four octets. Despite the size of the field, + values range from 64 to 65535. + +5.13. Framed-Compression + + Description + + This Attribute indicates a compression protocol to be used for the + link. It MAY be used in Access-Accept packets. It MAY be used in + an Access-Request packet as a hint to the server that the NAS + would prefer to use that compression, but the server is not + required to honor the hint. + + More than one compression protocol Attribute MAY be sent. It is + the responsibility of the NAS to apply the proper compression + protocol to appropriate link traffic. + + + +Rigney, et al. Standards Track [Page 37] + +RFC 2865 RADIUS June 2000 + + + A summary of the Framed-Compression Attribute format is shown below. + The fields are transmitted from left to right. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | Value + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + Value (cont) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Type + + 13 for Framed-Compression. + + Length + + 6 + + Value + + The Value field is four octets. + + 0 None + 1 VJ TCP/IP header compression [10] + 2 IPX header compression + 3 Stac-LZS compression + +5.14. Login-IP-Host + + Description + + This Attribute indicates the system with which to connect the user, + when the Login-Service Attribute is included. It MAY be used in + Access-Accept packets. It MAY be used in an Access-Request packet as + a hint to the server that the NAS would prefer to use that host, but + the server is not required to honor the hint. + + A summary of the Login-IP-Host Attribute format is shown below. The + fields are transmitted from left to right. + + + + + + + + + + + +Rigney, et al. Standards Track [Page 38] + +RFC 2865 RADIUS June 2000 + + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | Address + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + Address (cont) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Type + + 14 for Login-IP-Host. + + Length + + 6 + + Address + + The Address field is four octets. The value 0xFFFFFFFF indicates + that the NAS SHOULD allow the user to select an address. The + value 0 indicates that the NAS SHOULD select a host to connect the + user to. Other values indicate the address the NAS SHOULD connect + the user to. + +5.15. Login-Service + + Description + + This Attribute indicates the service to use to connect the user to + the login host. It is only used in Access-Accept packets. + + A summary of the Login-Service Attribute format is shown below. The + fields are transmitted from left to right. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | Value + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + Value (cont) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Type + + 15 for Login-Service. + + + + + + +Rigney, et al. Standards Track [Page 39] + +RFC 2865 RADIUS June 2000 + + + Length + + 6 + + Value + + The Value field is four octets. + + 0 Telnet + 1 Rlogin + 2 TCP Clear + 3 PortMaster (proprietary) + 4 LAT + 5 X25-PAD + 6 X25-T3POS + 8 TCP Clear Quiet (suppresses any NAS-generated connect string) + +5.16. Login-TCP-Port + + Description + + This Attribute indicates the TCP port with which the user is to be + connected, when the Login-Service Attribute is also present. It + is only used in Access-Accept packets. + + A summary of the Login-TCP-Port Attribute format is shown below. The + fields are transmitted from left to right. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | Value + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + Value (cont) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Type + + 16 for Login-TCP-Port. + + Length + + 6 + + Value + + The Value field is four octets. Despite the size of the field, + values range from 0 to 65535. + + + +Rigney, et al. Standards Track [Page 40] + +RFC 2865 RADIUS June 2000 + + +5.17. (unassigned) + + Description + + ATTRIBUTE TYPE 17 HAS NOT BEEN ASSIGNED. + +5.18. Reply-Message + + Description + + This Attribute indicates text which MAY be displayed to the user. + + When used in an Access-Accept, it is the success message. + + When used in an Access-Reject, it is the failure message. It MAY + indicate a dialog message to prompt the user before another + Access-Request attempt. + + When used in an Access-Challenge, it MAY indicate a dialog message + to prompt the user for a response. + + Multiple Reply-Message's MAY be included and if any are displayed, + they MUST be displayed in the same order as they appear in the + packet. + + A summary of the Reply-Message Attribute format is shown below. The + fields are transmitted from left to right. + + 0 1 2 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + | Type | Length | Text ... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + + Type + + 18 for Reply-Message. + + Length + + >= 3 + + Text + + The Text field is one or more octets, and its contents are + implementation dependent. It is intended to be human readable, + and MUST NOT affect operation of the protocol. It is recommended + that the message contain UTF-8 encoded 10646 [7] characters. + + + +Rigney, et al. Standards Track [Page 41] + +RFC 2865 RADIUS June 2000 + + +5.19. Callback-Number + + Description + + This Attribute indicates a dialing string to be used for callback. + It MAY be used in Access-Accept packets. It MAY be used in an + Access-Request packet as a hint to the server that a Callback + service is desired, but the server is not required to honor the + hint. + + A summary of the Callback-Number Attribute format is shown below. + The fields are transmitted from left to right. + + 0 1 2 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + | Type | Length | String ... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + + Type + + 19 for Callback-Number. + + Length + + >= 3 + + String + + The String field is one or more octets. The actual format of the + information is site or application specific, and a robust + implementation SHOULD support the field as undistinguished octets. + + The codification of the range of allowed usage of this field is + outside the scope of this specification. + +5.20. Callback-Id + + Description + + This Attribute indicates the name of a place to be called, to be + interpreted by the NAS. It MAY be used in Access-Accept packets. + + + + + + + + + +Rigney, et al. Standards Track [Page 42] + +RFC 2865 RADIUS June 2000 + + + A summary of the Callback-Id Attribute format is shown below. The + fields are transmitted from left to right. + + 0 1 2 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + | Type | Length | String ... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + + Type + + 20 for Callback-Id. + + Length + + >= 3 + + String + + The String field is one or more octets. The actual format of the + information is site or application specific, and a robust + implementation SHOULD support the field as undistinguished octets. + + The codification of the range of allowed usage of this field is + outside the scope of this specification. + +5.21. (unassigned) + + Description + + ATTRIBUTE TYPE 21 HAS NOT BEEN ASSIGNED. + +5.22. Framed-Route + + Description + + This Attribute provides routing information to be configured for + the user on the NAS. It is used in the Access-Accept packet and + can appear multiple times. + + A summary of the Framed-Route Attribute format is shown below. The + fields are transmitted from left to right. + + 0 1 2 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + | Type | Length | Text ... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + + + +Rigney, et al. Standards Track [Page 43] + +RFC 2865 RADIUS June 2000 + + + Type + + 22 for Framed-Route. + + Length + + >= 3 + + Text + + The Text field is one or more octets, and its contents are + implementation dependent. It is intended to be human readable and + MUST NOT affect operation of the protocol. It is recommended that + the message contain UTF-8 encoded 10646 [7] characters. + + For IP routes, it SHOULD contain a destination prefix in dotted + quad form optionally followed by a slash and a decimal length + specifier stating how many high order bits of the prefix to use. + That is followed by a space, a gateway address in dotted quad + form, a space, and one or more metrics separated by spaces. For + example, "192.168.1.0/24 192.168.1.1 1 2 -1 3 400". The length + specifier may be omitted, in which case it defaults to 8 bits for + class A prefixes, 16 bits for class B prefixes, and 24 bits for + class C prefixes. For example, "192.168.1.0 192.168.1.1 1". + + Whenever the gateway address is specified as "0.0.0.0" the IP + address of the user SHOULD be used as the gateway address. + +5.23. Framed-IPX-Network + + Description + + This Attribute indicates the IPX Network number to be configured + for the user. It is used in Access-Accept packets. + + A summary of the Framed-IPX-Network Attribute format is shown below. + The fields are transmitted from left to right. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | Value + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + Value (cont) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + + + + + +Rigney, et al. Standards Track [Page 44] + +RFC 2865 RADIUS June 2000 + + + Type + + 23 for Framed-IPX-Network. + + Length + + 6 + + Value + + The Value field is four octets. The value 0xFFFFFFFE indicates + that the NAS should select an IPX network for the user (e.g. + assigned from a pool of one or more IPX networks kept by the NAS). + Other values should be used as the IPX network for the link to the + user. + +5.24. State + + Description + + This Attribute is available to be sent by the server to the client + in an Access-Challenge and MUST be sent unmodified from the client + to the server in the new Access-Request reply to that challenge, + if any. + + This Attribute is available to be sent by the server to the client + in an Access-Accept that also includes a Termination-Action + Attribute with the value of RADIUS-Request. If the NAS performs + the Termination-Action by sending a new Access-Request upon + termination of the current session, it MUST include the State + attribute unchanged in that Access-Request. + + In either usage, the client MUST NOT interpret the attribute + locally. A packet must have only zero or one State Attribute. + Usage of the State Attribute is implementation dependent. + + A summary of the State Attribute format is shown below. The fields + are transmitted from left to right. + + 0 1 2 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + | Type | Length | String ... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + + Type + + 24 for State. + + + +Rigney, et al. Standards Track [Page 45] + +RFC 2865 RADIUS June 2000 + + + Length + + >= 3 + + String + + The String field is one or more octets. The actual format of the + information is site or application specific, and a robust + implementation SHOULD support the field as undistinguished octets. + + The codification of the range of allowed usage of this field is + outside the scope of this specification. + +5.25. Class + + Description + + This Attribute is available to be sent by the server to the client + in an Access-Accept and SHOULD be sent unmodified by the client to + the accounting server as part of the Accounting-Request packet if + accounting is supported. The client MUST NOT interpret the + attribute locally. + + A summary of the Class Attribute format is shown below. The fields + are transmitted from left to right. + + 0 1 2 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + | Type | Length | String ... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + + Type + + 25 for Class. + + Length + + >= 3 + + String + + The String field is one or more octets. The actual format of the + information is site or application specific, and a robust + implementation SHOULD support the field as undistinguished octets. + + The codification of the range of allowed usage of this field is + outside the scope of this specification. + + + +Rigney, et al. Standards Track [Page 46] + +RFC 2865 RADIUS June 2000 + + +5.26. Vendor-Specific + + Description + + This Attribute is available to allow vendors to support their own + extended Attributes not suitable for general usage. It MUST not + affect the operation of the RADIUS protocol. + + Servers not equipped to interpret the vendor-specific information + sent by a client MUST ignore it (although it may be reported). + Clients which do not receive desired vendor-specific information + SHOULD make an attempt to operate without it, although they may do + so (and report they are doing so) in a degraded mode. + + A summary of the Vendor-Specific Attribute format is shown below. + The fields are transmitted from left to right. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | Vendor-Id + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + Vendor-Id (cont) | String... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + + Type + + 26 for Vendor-Specific. + + Length + + >= 7 + + Vendor-Id + + The high-order octet is 0 and the low-order 3 octets are the SMI + Network Management Private Enterprise Code of the Vendor in + network byte order, as defined in the "Assigned Numbers" RFC [6]. + + String + + The String field is one or more octets. The actual format of the + information is site or application specific, and a robust + implementation SHOULD support the field as undistinguished octets. + + The codification of the range of allowed usage of this field is + outside the scope of this specification. + + + + +Rigney, et al. Standards Track [Page 47] + +RFC 2865 RADIUS June 2000 + + + It SHOULD be encoded as a sequence of vendor type / vendor length + / value fields, as follows. The Attribute-Specific field is + dependent on the vendor's definition of that attribute. An + example encoding of the Vendor-Specific attribute using this + method follows: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | Vendor-Id + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + Vendor-Id (cont) | Vendor type | Vendor length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Attribute-Specific... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + + Multiple subattributes MAY be encoded within a single Vendor- + Specific attribute, although they do not have to be. + +5.27. Session-Timeout + + Description + + This Attribute sets the maximum number of seconds of service to be + provided to the user before termination of the session or prompt. + This Attribute is available to be sent by the server to the client + in an Access-Accept or Access-Challenge. + + A summary of the Session-Timeout Attribute format is shown below. + The fields are transmitted from left to right. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | Value + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + Value (cont) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Type + + 27 for Session-Timeout. + + Length + + 6 + + + + + +Rigney, et al. Standards Track [Page 48] + +RFC 2865 RADIUS June 2000 + + + Value + + The field is 4 octets, containing a 32-bit unsigned integer with + the maximum number of seconds this user should be allowed to + remain connected by the NAS. + +5.28. Idle-Timeout + + Description + + This Attribute sets the maximum number of consecutive seconds of + idle connection allowed to the user before termination of the + session or prompt. This Attribute is available to be sent by the + server to the client in an Access-Accept or Access-Challenge. + + A summary of the Idle-Timeout Attribute format is shown below. The + fields are transmitted from left to right. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | Value + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + Value (cont) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Type + + 28 for Idle-Timeout. + + Length + + 6 + + Value + + The field is 4 octets, containing a 32-bit unsigned integer with + the maximum number of consecutive seconds of idle time this user + should be permitted before being disconnected by the NAS. + +5.29. Termination-Action + + Description + + This Attribute indicates what action the NAS should take when the + specified service is completed. It is only used in Access-Accept + packets. + + + + +Rigney, et al. Standards Track [Page 49] + +RFC 2865 RADIUS June 2000 + + + A summary of the Termination-Action Attribute format is shown below. + The fields are transmitted from left to right. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | Value + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + Value (cont) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Type + + 29 for Termination-Action. + + Length + + 6 + + Value + + The Value field is four octets. + + 0 Default + 1 RADIUS-Request + + If the Value is set to RADIUS-Request, upon termination of the + specified service the NAS MAY send a new Access-Request to the + RADIUS server, including the State attribute if any. + +5.30. Called-Station-Id + + Description + + This Attribute allows the NAS to send in the Access-Request packet + the phone number that the user called, using Dialed Number + Identification (DNIS) or similar technology. Note that this may + be different from the phone number the call comes in on. It is + only used in Access-Request packets. + + A summary of the Called-Station-Id Attribute format is shown below. + The fields are transmitted from left to right. + + 0 1 2 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + | Type | Length | String ... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + + + +Rigney, et al. Standards Track [Page 50] + +RFC 2865 RADIUS June 2000 + + + Type + + 30 for Called-Station-Id. + + Length + + >= 3 + + String + + The String field is one or more octets, containing the phone + number that the user's call came in on. + + The actual format of the information is site or application + specific. UTF-8 encoded 10646 [7] characters are recommended, but + a robust implementation SHOULD support the field as + undistinguished octets. + + The codification of the range of allowed usage of this field is + outside the scope of this specification. + +5.31. Calling-Station-Id + + Description + + This Attribute allows the NAS to send in the Access-Request packet + the phone number that the call came from, using Automatic Number + Identification (ANI) or similar technology. It is only used in + Access-Request packets. + + A summary of the Calling-Station-Id Attribute format is shown below. + The fields are transmitted from left to right. + + 0 1 2 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + | Type | Length | String ... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + + Type + + 31 for Calling-Station-Id. + + Length + + >= 3 + + + + + +Rigney, et al. Standards Track [Page 51] + +RFC 2865 RADIUS June 2000 + + + String + + The String field is one or more octets, containing the phone + number that the user placed the call from. + + The actual format of the information is site or application + specific. UTF-8 encoded 10646 [7] characters are recommended, but + a robust implementation SHOULD support the field as + undistinguished octets. + + The codification of the range of allowed usage of this field is + outside the scope of this specification. + +5.32. NAS-Identifier + + Description + + This Attribute contains a string identifying the NAS originating + the Access-Request. It is only used in Access-Request packets. + Either NAS-IP-Address or NAS-Identifier MUST be present in an + Access-Request packet. + + Note that NAS-Identifier MUST NOT be used to select the shared + secret used to authenticate the request. The source IP address of + the Access-Request packet MUST be used to select the shared + secret. + + A summary of the NAS-Identifier Attribute format is shown below. The + fields are transmitted from left to right. + + 0 1 2 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + | Type | Length | String ... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + + Type + + 32 for NAS-Identifier. + + Length + + >= 3 + + + + + + + + +Rigney, et al. Standards Track [Page 52] + +RFC 2865 RADIUS June 2000 + + + String + + The String field is one or more octets, and should be unique to + the NAS within the scope of the RADIUS server. For example, a + fully qualified domain name would be suitable as a NAS-Identifier. + + The actual format of the information is site or application + specific, and a robust implementation SHOULD support the field as + undistinguished octets. + + The codification of the range of allowed usage of this field is + outside the scope of this specification. + +5.33. Proxy-State + + Description + + This Attribute is available to be sent by a proxy server to + another server when forwarding an Access-Request and MUST be + returned unmodified in the Access-Accept, Access-Reject or + Access-Challenge. When the proxy server receives the response to + its request, it MUST remove its own Proxy-State (the last Proxy- + State in the packet) before forwarding the response to the NAS. + + If a Proxy-State Attribute is added to a packet when forwarding + the packet, the Proxy-State Attribute MUST be added after any + existing Proxy-State attributes. + + The content of any Proxy-State other than the one added by the + current server should be treated as opaque octets and MUST NOT + affect operation of the protocol. + + Usage of the Proxy-State Attribute is implementation dependent. A + description of its function is outside the scope of this + specification. + + A summary of the Proxy-State Attribute format is shown below. The + fields are transmitted from left to right. + + 0 1 2 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + | Type | Length | String ... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + + Type + + 33 for Proxy-State. + + + +Rigney, et al. Standards Track [Page 53] + +RFC 2865 RADIUS June 2000 + + + Length + + >= 3 + + String + + The String field is one or more octets. The actual format of the + information is site or application specific, and a robust + implementation SHOULD support the field as undistinguished octets. + + The codification of the range of allowed usage of this field is + outside the scope of this specification. + +5.34. Login-LAT-Service + + Description + + This Attribute indicates the system with which the user is to be + connected by LAT. It MAY be used in Access-Accept packets, but + only when LAT is specified as the Login-Service. It MAY be used + in an Access-Request packet as a hint to the server, but the + server is not required to honor the hint. + + Administrators use the service attribute when dealing with + clustered systems, such as a VAX or Alpha cluster. In such an + environment several different time sharing hosts share the same + resources (disks, printers, etc.), and administrators often + configure each to offer access (service) to each of the shared + resources. In this case, each host in the cluster advertises its + services through LAT broadcasts. + + Sophisticated users often know which service providers (machines) + are faster and tend to use a node name when initiating a LAT + connection. Alternately, some administrators want particular + users to use certain machines as a primitive form of load + balancing (although LAT knows how to do load balancing itself). + + A summary of the Login-LAT-Service Attribute format is shown below. + The fields are transmitted from left to right. + + 0 1 2 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + | Type | Length | String ... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + + + + + + +Rigney, et al. Standards Track [Page 54] + +RFC 2865 RADIUS June 2000 + + + Type + + 34 for Login-LAT-Service. + + Length + + >= 3 + + String + + The String field is one or more octets, and contains the identity + of the LAT service to use. The LAT Architecture allows this + string to contain $ (dollar), - (hyphen), . (period), _ + (underscore), numerics, upper and lower case alphabetics, and the + ISO Latin-1 character set extension [11]. All LAT string + comparisons are case insensitive. + +5.35. Login-LAT-Node + + Description + + This Attribute indicates the Node with which the user is to be + automatically connected by LAT. It MAY be used in Access-Accept + packets, but only when LAT is specified as the Login-Service. It + MAY be used in an Access-Request packet as a hint to the server, + but the server is not required to honor the hint. + + A summary of the Login-LAT-Node Attribute format is shown below. The + fields are transmitted from left to right. + + 0 1 2 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + | Type | Length | String ... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + + Type + + 35 for Login-LAT-Node. + + Length + + >= 3 + + + + + + + + +Rigney, et al. Standards Track [Page 55] + +RFC 2865 RADIUS June 2000 + + + String + + The String field is one or more octets, and contains the identity + of the LAT Node to connect the user to. The LAT Architecture + allows this string to contain $ (dollar), - (hyphen), . (period), + _ (underscore), numerics, upper and lower case alphabetics, and + the ISO Latin-1 character set extension. All LAT string + comparisons are case insensitive. + +5.36. Login-LAT-Group + + Description + + This Attribute contains a string identifying the LAT group codes + which this user is authorized to use. It MAY be used in Access- + Accept packets, but only when LAT is specified as the Login- + Service. It MAY be used in an Access-Request packet as a hint to + the server, but the server is not required to honor the hint. + + LAT supports 256 different group codes, which LAT uses as a form + of access rights. LAT encodes the group codes as a 256 bit + bitmap. + + Administrators can assign one or more of the group code bits at + the LAT service provider; it will only accept LAT connections that + have these group codes set in the bit map. The administrators + assign a bitmap of authorized group codes to each user; LAT gets + these from the operating system, and uses these in its requests to + the service providers. + + A summary of the Login-LAT-Group Attribute format is shown below. + The fields are transmitted from left to right. + + 0 1 2 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + | Type | Length | String ... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + + Type + + 36 for Login-LAT-Group. + + Length + + 34 + + + + + +Rigney, et al. Standards Track [Page 56] + +RFC 2865 RADIUS June 2000 + + + String + + The String field is a 32 octet bit map, most significant octet + first. A robust implementation SHOULD support the field as + undistinguished octets. + + The codification of the range of allowed usage of this field is + outside the scope of this specification. + +5.37. Framed-AppleTalk-Link + + Description + + This Attribute indicates the AppleTalk network number which should + be used for the serial link to the user, which is another + AppleTalk router. It is only used in Access-Accept packets. It + is never used when the user is not another router. + + A summary of the Framed-AppleTalk-Link Attribute format is shown + below. The fields are transmitted from left to right. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | Value + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + Value (cont) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Type + + 37 for Framed-AppleTalk-Link. + + Length + + 6 + + Value + + The Value field is four octets. Despite the size of the field, + values range from 0 to 65535. The special value of 0 indicates + that this is an unnumbered serial link. A value of 1-65535 means + that the serial line between the NAS and the user should be + assigned that value as an AppleTalk network number. + + + + + + + +Rigney, et al. Standards Track [Page 57] + +RFC 2865 RADIUS June 2000 + + +5.38. Framed-AppleTalk-Network + + Description + + This Attribute indicates the AppleTalk Network number which the + NAS should probe to allocate an AppleTalk node for the user. It + is only used in Access-Accept packets. It is never used when the + user is another router. Multiple instances of this Attribute + indicate that the NAS may probe using any of the network numbers + specified. + + A summary of the Framed-AppleTalk-Network Attribute format is shown + below. The fields are transmitted from left to right. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | Value + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + Value (cont) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Type + + 38 for Framed-AppleTalk-Network. + + Length + + 6 + + Value + + The Value field is four octets. Despite the size of the field, + values range from 0 to 65535. The special value 0 indicates that + the NAS should assign a network for the user, using its default + cable range. A value between 1 and 65535 (inclusive) indicates + the AppleTalk Network the NAS should probe to find an address for + the user. + +5.39. Framed-AppleTalk-Zone + + Description + + This Attribute indicates the AppleTalk Default Zone to be used for + this user. It is only used in Access-Accept packets. Multiple + instances of this attribute in the same packet are not allowed. + + + + + +Rigney, et al. Standards Track [Page 58] + +RFC 2865 RADIUS June 2000 + + + A summary of the Framed-AppleTalk-Zone Attribute format is shown + below. The fields are transmitted from left to right. + + 0 1 2 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + | Type | Length | String ... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + + Type + + 39 for Framed-AppleTalk-Zone. + + Length + + >= 3 + + String + + The name of the Default AppleTalk Zone to be used for this user. + A robust implementation SHOULD support the field as + undistinguished octets. + + The codification of the range of allowed usage of this field is + outside the scope of this specification. + +5.40. CHAP-Challenge + + Description + + This Attribute contains the CHAP Challenge sent by the NAS to a + PPP Challenge-Handshake Authentication Protocol (CHAP) user. It + is only used in Access-Request packets. + + If the CHAP challenge value is 16 octets long it MAY be placed in + the Request Authenticator field instead of using this attribute. + + A summary of the CHAP-Challenge Attribute format is shown below. The + fields are transmitted from left to right. + + 0 1 2 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + | Type | Length | String... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + + + + + + +Rigney, et al. Standards Track [Page 59] + +RFC 2865 RADIUS June 2000 + + + Type + + 60 for CHAP-Challenge. + + Length + + >= 7 + + String + + The String field contains the CHAP Challenge. + +5.41. NAS-Port-Type + + Description + + This Attribute indicates the type of the physical port of the NAS + which is authenticating the user. It can be used instead of or in + addition to the NAS-Port (5) attribute. It is only used in + Access-Request packets. Either NAS-Port (5) or NAS-Port-Type or + both SHOULD be present in an Access-Request packet, if the NAS + differentiates among its ports. + + A summary of the NAS-Port-Type Attribute format is shown below. The + fields are transmitted from left to right. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | Value + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + Value (cont) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Type + + 61 for NAS-Port-Type. + + Length + + 6 + + Value + + The Value field is four octets. "Virtual" refers to a connection + to the NAS via some transport protocol, instead of through a + physical port. For example, if a user telnetted into a NAS to + + + + +Rigney, et al. Standards Track [Page 60] + +RFC 2865 RADIUS June 2000 + + + authenticate himself as an Outbound-User, the Access-Request might + include NAS-Port-Type = Virtual as a hint to the RADIUS server + that the user was not on a physical port. + + 0 Async + 1 Sync + 2 ISDN Sync + 3 ISDN Async V.120 + 4 ISDN Async V.110 + 5 Virtual + 6 PIAFS + 7 HDLC Clear Channel + 8 X.25 + 9 X.75 + 10 G.3 Fax + 11 SDSL - Symmetric DSL + 12 ADSL-CAP - Asymmetric DSL, Carrierless Amplitude Phase + Modulation + 13 ADSL-DMT - Asymmetric DSL, Discrete Multi-Tone + 14 IDSL - ISDN Digital Subscriber Line + 15 Ethernet + 16 xDSL - Digital Subscriber Line of unknown type + 17 Cable + 18 Wireless - Other + 19 Wireless - IEEE 802.11 + + PIAFS is a form of wireless ISDN commonly used in Japan, and + stands for PHS (Personal Handyphone System) Internet Access Forum + Standard (PIAFS). + +5.42. Port-Limit + + Description + + This Attribute sets the maximum number of ports to be provided to + the user by the NAS. This Attribute MAY be sent by the server to + the client in an Access-Accept packet. It is intended for use in + conjunction with Multilink PPP [12] or similar uses. It MAY also + be sent by the NAS to the server as a hint that that many ports + are desired for use, but the server is not required to honor the + hint. + + A summary of the Port-Limit Attribute format is shown below. The + fields are transmitted from left to right. + + + + + + + +Rigney, et al. Standards Track [Page 61] + +RFC 2865 RADIUS June 2000 + + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | Value + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + Value (cont) | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Type + + 62 for Port-Limit. + + Length + + 6 + + Value + + The field is 4 octets, containing a 32-bit unsigned integer with + the maximum number of ports this user should be allowed to connect + to on the NAS. + +5.43. Login-LAT-Port + + Description + + This Attribute indicates the Port with which the user is to be + connected by LAT. It MAY be used in Access-Accept packets, but + only when LAT is specified as the Login-Service. It MAY be used + in an Access-Request packet as a hint to the server, but the + server is not required to honor the hint. + + A summary of the Login-LAT-Port Attribute format is shown below. The + fields are transmitted from left to right. + + 0 1 2 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + | Type | Length | String ... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- + + Type + + 63 for Login-LAT-Port. + + Length + + >= 3 + + + +Rigney, et al. Standards Track [Page 62] + +RFC 2865 RADIUS June 2000 + + + String + + The String field is one or more octets, and contains the identity + of the LAT port to use. The LAT Architecture allows this string + to contain $ (dollar), - (hyphen), . (period), _ (underscore), + numerics, upper and lower case alphabetics, and the ISO Latin-1 + character set extension. All LAT string comparisons are case + insensitive. + +5.44. Table of Attributes + + The following table provides a guide to which attributes may be found + in which kinds of packets, and in what quantity. + + Request Accept Reject Challenge # Attribute + 0-1 0-1 0 0 1 User-Name + 0-1 0 0 0 2 User-Password [Note 1] + 0-1 0 0 0 3 CHAP-Password [Note 1] + 0-1 0 0 0 4 NAS-IP-Address [Note 2] + 0-1 0 0 0 5 NAS-Port + 0-1 0-1 0 0 6 Service-Type + 0-1 0-1 0 0 7 Framed-Protocol + 0-1 0-1 0 0 8 Framed-IP-Address + 0-1 0-1 0 0 9 Framed-IP-Netmask + 0 0-1 0 0 10 Framed-Routing + 0 0+ 0 0 11 Filter-Id + 0-1 0-1 0 0 12 Framed-MTU + 0+ 0+ 0 0 13 Framed-Compression + 0+ 0+ 0 0 14 Login-IP-Host + 0 0-1 0 0 15 Login-Service + 0 0-1 0 0 16 Login-TCP-Port + 0 0+ 0+ 0+ 18 Reply-Message + 0-1 0-1 0 0 19 Callback-Number + 0 0-1 0 0 20 Callback-Id + 0 0+ 0 0 22 Framed-Route + 0 0-1 0 0 23 Framed-IPX-Network + 0-1 0-1 0 0-1 24 State [Note 1] + 0 0+ 0 0 25 Class + 0+ 0+ 0 0+ 26 Vendor-Specific + 0 0-1 0 0-1 27 Session-Timeout + 0 0-1 0 0-1 28 Idle-Timeout + 0 0-1 0 0 29 Termination-Action + 0-1 0 0 0 30 Called-Station-Id + 0-1 0 0 0 31 Calling-Station-Id + 0-1 0 0 0 32 NAS-Identifier [Note 2] + 0+ 0+ 0+ 0+ 33 Proxy-State + 0-1 0-1 0 0 34 Login-LAT-Service + 0-1 0-1 0 0 35 Login-LAT-Node + + + +Rigney, et al. Standards Track [Page 63] + +RFC 2865 RADIUS June 2000 + + + 0-1 0-1 0 0 36 Login-LAT-Group + 0 0-1 0 0 37 Framed-AppleTalk-Link + 0 0+ 0 0 38 Framed-AppleTalk-Network + 0 0-1 0 0 39 Framed-AppleTalk-Zone + 0-1 0 0 0 60 CHAP-Challenge + 0-1 0 0 0 61 NAS-Port-Type + 0-1 0-1 0 0 62 Port-Limit + 0-1 0-1 0 0 63 Login-LAT-Port + Request Accept Reject Challenge # Attribute + + [Note 1] An Access-Request MUST contain either a User-Password or a + CHAP-Password or State. An Access-Request MUST NOT contain both a + User-Password and a CHAP-Password. If future extensions allow other + kinds of authentication information to be conveyed, the attribute for + that can be used in an Access-Request instead of User-Password or + CHAP-Password. + + [Note 2] An Access-Request MUST contain either a NAS-IP-Address or a + NAS-Identifier (or both). + + The following table defines the meaning of the above table entries. + +0 This attribute MUST NOT be present in packet. +0+ Zero or more instances of this attribute MAY be present in packet. +0-1 Zero or one instance of this attribute MAY be present in packet. +1 Exactly one instance of this attribute MUST be present in packet. + +6. IANA Considerations + + This section provides guidance to the Internet Assigned Numbers + Authority (IANA) regarding registration of values related to the + RADIUS protocol, in accordance with BCP 26 [13]. + + There are three name spaces in RADIUS that require registration: + Packet Type Codes, Attribute Types, and Attribute Values (for certain + Attributes). + + RADIUS is not intended as a general-purpose Network Access Server + (NAS) management protocol, and allocations should not be made for + purposes unrelated to Authentication, Authorization or Accounting. + +6.1. Definition of Terms + + The following terms are used here with the meanings defined in + BCP 26: "name space", "assigned value", "registration". + + + + + + +Rigney, et al. Standards Track [Page 64] + +RFC 2865 RADIUS June 2000 + + + The following policies are used here with the meanings defined in + BCP 26: "Private Use", "First Come First Served", "Expert Review", + "Specification Required", "IETF Consensus", "Standards Action". + +6.2. Recommended Registration Policies + + For registration requests where a Designated Expert should be + consulted, the IESG Area Director for Operations should appoint the + Designated Expert. + + For registration requests requiring Expert Review, the ietf-radius + mailing list should be consulted. + + Packet Type Codes have a range from 1 to 254, of which 1-5,11-13 have + been allocated. Because a new Packet Type has considerable impact on + interoperability, a new Packet Type Code requires Standards Action, + and should be allocated starting at 14. + + Attribute Types have a range from 1 to 255, and are the scarcest + resource in RADIUS, thus must be allocated with care. Attributes + 1-53,55,60-88,90-91 have been allocated, with 17 and 21 available for + re-use. Attributes 17, 21, 54, 56-59, 89, 92-191 may be allocated + following Expert Review, with Specification Required. Release of + blocks of Attribute Types (more than 3 at a time for a given purpose) + should require IETF Consensus. It is recommended that attributes 17 + and 21 be used only after all others are exhausted. + + Note that RADIUS defines a mechanism for Vendor-Specific extensions + (Attribute 26) and the use of that should be encouraged instead of + allocation of global attribute types, for functions specific only to + one vendor's implementation of RADIUS, where no interoperability is + deemed useful. + + As stated in the "Attributes" section above: + + "[Attribute Type] Values 192-223 are reserved for experimental + use, values 224-240 are reserved for implementation-specific use, + and values 241-255 are reserved and should not be used." + + Therefore Attribute values 192-240 are considered Private Use, and + values 241-255 require Standards Action. + + Certain attributes (for example, NAS-Port-Type) in RADIUS define a + list of values to correspond with various meanings. There can be 4 + billion (2^32) values for each attribute. Adding additional values to + the list can be done on a First Come, First Served basis by the IANA. + + + + + +Rigney, et al. Standards Track [Page 65] + +RFC 2865 RADIUS June 2000 + + +7. Examples + + A few examples are presented to illustrate the flow of packets and + use of typical attributes. These examples are not intended to be + exhaustive, many others are possible. Hexadecimal dumps of the + example packets are given in network byte order, using the shared + secret "xyzzy5461". + +7.1. User Telnet to Specified Host + + The NAS at 192.168.1.16 sends an Access-Request UDP packet to the + RADIUS Server for a user named nemo logging in on port 3 with + password "arctangent". + + The Request Authenticator is a 16 octet random number generated by + the NAS. + + The User-Password is 16 octets of password padded at end with nulls, + XORed with MD5(shared secret|Request Authenticator). + + 01 00 00 38 0f 40 3f 94 73 97 80 57 bd 83 d5 cb + 98 f4 22 7a 01 06 6e 65 6d 6f 02 12 0d be 70 8d + 93 d4 13 ce 31 96 e4 3f 78 2a 0a ee 04 06 c0 a8 + 01 10 05 06 00 00 00 03 + + 1 Code = Access-Request (1) + 1 ID = 0 + 2 Length = 56 + 16 Request Authenticator + + Attributes: + 6 User-Name = "nemo" + 18 User-Password + 6 NAS-IP-Address = 192.168.1.16 + 6 NAS-Port = 3 + + The RADIUS server authenticates nemo, and sends an Access-Accept UDP + packet to the NAS telling it to telnet nemo to host 192.168.1.3. + + The Response Authenticator is a 16-octet MD5 checksum of the code + (2), id (0), Length (38), the Request Authenticator from above, the + attributes in this reply, and the shared secret. + + + + + + + + + +Rigney, et al. Standards Track [Page 66] + +RFC 2865 RADIUS June 2000 + + + 02 00 00 26 86 fe 22 0e 76 24 ba 2a 10 05 f6 bf + 9b 55 e0 b2 06 06 00 00 00 01 0f 06 00 00 00 00 + 0e 06 c0 a8 01 03 + + 1 Code = Access-Accept (2) + 1 ID = 0 (same as in Access-Request) + 2 Length = 38 + 16 Response Authenticator + + Attributes: + 6 Service-Type (6) = Login (1) + 6 Login-Service (15) = Telnet (0) + 6 Login-IP-Host (14) = 192.168.1.3 + +7.2. Framed User Authenticating with CHAP + + The NAS at 192.168.1.16 sends an Access-Request UDP packet to the + RADIUS Server for a user named flopsy logging in on port 20 with PPP, + authenticating using CHAP. The NAS sends along the Service-Type and + Framed-Protocol attributes as a hint to the RADIUS server that this + user is looking for PPP, although the NAS is not required to do so. + + The Request Authenticator is a 16 octet random number generated by + the NAS, and is also used as the CHAP Challenge. + + The CHAP-Password consists of a 1 octet CHAP ID, in this case 22, + followed by the 16 octet CHAP response. + + 01 01 00 47 2a ee 86 f0 8d 0d 55 96 9c a5 97 8e + 0d 33 67 a2 01 08 66 6c 6f 70 73 79 03 13 16 e9 + 75 57 c3 16 18 58 95 f2 93 ff 63 44 07 72 75 04 + 06 c0 a8 01 10 05 06 00 00 00 14 06 06 00 00 00 + 02 07 06 00 00 00 01 + + 1 Code = 1 (Access-Request) + 1 ID = 1 + 2 Length = 71 + 16 Request Authenticator + + Attributes: + 8 User-Name (1) = "flopsy" + 19 CHAP-Password (3) + 6 NAS-IP-Address (4) = 192.168.1.16 + 6 NAS-Port (5) = 20 + 6 Service-Type (6) = Framed (2) + 6 Framed-Protocol (7) = PPP (1) + + + + + +Rigney, et al. Standards Track [Page 67] + +RFC 2865 RADIUS June 2000 + + + The RADIUS server authenticates flopsy, and sends an Access-Accept + UDP packet to the NAS telling it to start PPP service and assign an + address for the user out of its dynamic address pool. + + The Response Authenticator is a 16-octet MD5 checksum of the code + (2), id (1), Length (56), the Request Authenticator from above, the + attributes in this reply, and the shared secret. + + 02 01 00 38 15 ef bc 7d ab 26 cf a3 dc 34 d9 c0 + 3c 86 01 a4 06 06 00 00 00 02 07 06 00 00 00 01 + 08 06 ff ff ff fe 0a 06 00 00 00 02 0d 06 00 00 + 00 01 0c 06 00 00 05 dc + + 1 Code = Access-Accept (2) + 1 ID = 1 (same as in Access-Request) + 2 Length = 56 + 16 Response Authenticator + + Attributes: + 6 Service-Type (6) = Framed (2) + 6 Framed-Protocol (7) = PPP (1) + 6 Framed-IP-Address (8) = 255.255.255.254 + 6 Framed-Routing (10) = None (0) + 6 Framed-Compression (13) = VJ TCP/IP Header Compression (1) + 6 Framed-MTU (12) = 1500 + +7.3. User with Challenge-Response card + + The NAS at 192.168.1.16 sends an Access-Request UDP packet to the + RADIUS Server for a user named mopsy logging in on port 7. The user + enters the dummy password "challenge" in this example. The challenge + and response generated by the smart card for this example are + "32769430" and "99101462". + + The Request Authenticator is a 16 octet random number generated by + the NAS. + + The User-Password is 16 octets of password, in this case "challenge", + padded at the end with nulls, XORed with MD5(shared secret|Request + Authenticator). + + 01 02 00 39 f3 a4 7a 1f 6a 6d 76 71 0b 94 7a b9 + 30 41 a0 39 01 07 6d 6f 70 73 79 02 12 33 65 75 + 73 77 82 89 b5 70 88 5e 15 08 48 25 c5 04 06 c0 + a8 01 10 05 06 00 00 00 07 + + + + + + +Rigney, et al. Standards Track [Page 68] + +RFC 2865 RADIUS June 2000 + + + 1 Code = Access-Request (1) + 1 ID = 2 + 2 Length = 57 + 16 Request Authenticator + + Attributes: + 7 User-Name (1) = "mopsy" + 18 User-Password (2) + 6 NAS-IP-Address (4) = 192.168.1.16 + 6 NAS-Port (5) = 7 + + The RADIUS server decides to challenge mopsy, sending back a + challenge string and looking for a response. The RADIUS server + therefore and sends an Access-Challenge UDP packet to the NAS. + + The Response Authenticator is a 16-octet MD5 checksum of the code + (11), id (2), length (78), the Request Authenticator from above, the + attributes in this reply, and the shared secret. + + The Reply-Message is "Challenge 32769430. Enter response at prompt." + + The State is a magic cookie to be returned along with user's + response; in this example 8 octets of data (33 32 37 36 39 34 33 30 + in hex). + + 0b 02 00 4e 36 f3 c8 76 4a e8 c7 11 57 40 3c 0c + 71 ff 9c 45 12 30 43 68 61 6c 6c 65 6e 67 65 20 + 33 32 37 36 39 34 33 30 2e 20 20 45 6e 74 65 72 + 20 72 65 73 70 6f 6e 73 65 20 61 74 20 70 72 6f + 6d 70 74 2e 18 0a 33 32 37 36 39 34 33 30 + + 1 Code = Access-Challenge (11) + 1 ID = 2 (same as in Access-Request) + 2 Length = 78 + 16 Response Authenticator + + Attributes: + 48 Reply-Message (18) + 10 State (24) + + The user enters his response, and the NAS send a new Access-Request + with that response, and includes the State Attribute. + + The Request Authenticator is a new 16 octet random number. + + The User-Password is 16 octets of the user's response, in this case + "99101462", padded at the end with nulls, XORed with MD5(shared + secret|Request Authenticator). + + + +Rigney, et al. Standards Track [Page 69] + +RFC 2865 RADIUS June 2000 + + + The state is the magic cookie from the Access-Challenge packet, + unchanged. + + 01 03 00 43 b1 22 55 6d 42 8a 13 d0 d6 25 38 07 + c4 57 ec f0 01 07 6d 6f 70 73 79 02 12 69 2c 1f + 20 5f c0 81 b9 19 b9 51 95 f5 61 a5 81 04 06 c0 + a8 01 10 05 06 00 00 00 07 18 10 33 32 37 36 39 + 34 33 30 + + 1 Code = Access-Request (1) + 1 ID = 3 (Note that this changes.) + 2 Length = 67 + 16 Request Authenticator + + Attributes: + 7 User-Name = "mopsy" + 18 User-Password + 6 NAS-IP-Address (4) = 192.168.1.16 + 6 NAS-Port (5) = 7 + 10 State (24) + + The Response was incorrect (for the sake of example), so the RADIUS + server tells the NAS to reject the login attempt. + + The Response Authenticator is a 16 octet MD5 checksum of the code + (3), id (3), length(20), the Request Authenticator from above, the + attributes in this reply (in this case, none), and the shared secret. + + 03 03 00 14 a4 2f 4f ca 45 91 6c 4e 09 c8 34 0f + 9e 74 6a a0 + + 1 Code = Access-Reject (3) + 1 ID = 3 (same as in Access-Request) + 2 Length = 20 + 16 Response Authenticator + + Attributes: + (none, although a Reply-Message could be sent) + + + + + + + + + + + + + +Rigney, et al. Standards Track [Page 70] + +RFC 2865 RADIUS June 2000 + + +8. Security Considerations + + Security issues are the primary topic of this document. + + In practice, within or associated with each RADIUS server, there is a + database which associates "user" names with authentication + information ("secrets"). It is not anticipated that a particular + named user would be authenticated by multiple methods. This would + make the user vulnerable to attacks which negotiate the least secure + method from among a set. Instead, for each named user there should + be an indication of exactly one method used to authenticate that user + name. If a user needs to make use of different authentication + methods under different circumstances, then distinct user names + SHOULD be employed, each of which identifies exactly one + authentication method. + + Passwords and other secrets should be stored at the respective ends + such that access to them is as limited as possible. Ideally, the + secrets should only be accessible to the process requiring access in + order to perform the authentication. + + The secrets should be distributed with a mechanism that limits the + number of entities that handle (and thus gain knowledge of) the + secret. Ideally, no unauthorized person should ever gain knowledge + of the secrets. It is possible to achieve this with SNMP Security + Protocols [14], but such a mechanism is outside the scope of this + specification. + + Other distribution methods are currently undergoing research and + experimentation. The SNMP Security document [14] also has an + excellent overview of threats to network protocols. + + The User-Password hiding mechanism described in Section 5.2 has not + been subjected to significant amounts of cryptanalysis in the + published literature. Some in the IETF community are concerned that + this method might not provide sufficient confidentiality protection + [15] to passwords transmitted using RADIUS. Users should evaluate + their threat environment and consider whether additional security + mechanisms should be employed. + +9. Change Log + + The following changes have been made from RFC 2138: + + Strings should use UTF-8 instead of US-ASCII and should be handled as + 8-bit data. + + Integers and dates are now defined as 32 bit unsigned values. + + + +Rigney, et al. Standards Track [Page 71] + +RFC 2865 RADIUS June 2000 + + + Updated list of attributes that can be included in Access-Challenge + to be consistent with the table of attributes. + + User-Name mentions Network Access Identifiers. + + User-Name may now be sent in Access-Accept for use with accounting + and Rlogin. + + Values added for Service-Type, Login-Service, Framed-Protocol, + Framed-Compression, and NAS-Port-Type. + + NAS-Port can now use all 32 bits. + + Examples now include hexadecimal displays of the packets. + + Source UDP port must be used in conjunction with the Request + Identifier when identifying duplicates. + + Multiple subattributes may be allowed in a Vendor-Specific attribute. + + An Access-Request is now required to contain either a NAS-IP-Address + or NAS-Identifier (or may contain both). + + Added notes under "Operations" with more information on proxy, + retransmissions, and keep-alives. + + If multiple Attributes with the same Type are present, the order of + Attributes with the same Type MUST be preserved by any proxies. + + Clarified Proxy-State. + + Clarified that Attributes must not depend on position within the + packet, as long as Attributes of the same type are kept in order. + + Added IANA Considerations section. + + Updated section on "Proxy" under "Operations". + + Framed-MTU can now be sent in Access-Request as a hint. + + Updated Security Considerations. + + Text strings identified as a subset of string, to clarify use of + UTF-8. + + + + + + + +Rigney, et al. Standards Track [Page 72] + +RFC 2865 RADIUS June 2000 + + +10. References + + [1] Rigney, C., Rubens, A., Simpson, W. and S. Willens, "Remote + Authentication Dial In User Service (RADIUS)", RFC 2138, April + 1997. + + [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement + Levels", BCP 14, RFC 2119, March, 1997. + + [3] Rivest, R. and S. Dusse, "The MD5 Message-Digest Algorithm", + RFC 1321, April 1992. + + [4] Postel, J., "User Datagram Protocol", STD 6, RFC 768, August + 1980. + + [5] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000. + + [6] Reynolds, J. and J. Postel, "Assigned Numbers", STD 2, RFC + 1700, October 1994. + + [7] Yergeau, F., "UTF-8, a transformation format of ISO 10646", RFC + 2279, January 1998. + + [8] Aboba, B. and M. Beadles, "The Network Access Identifier", RFC + 2486, January 1999. + + [9] Kaufman, C., Perlman, R., and Speciner, M., "Network Security: + Private Communications in a Public World", Prentice Hall, March + 1995, ISBN 0-13-061466-1. + + [10] Jacobson, V., "Compressing TCP/IP headers for low-speed serial + links", RFC 1144, February 1990. + + [11] ISO 8859. International Standard -- Information Processing -- + 8-bit Single-Byte Coded Graphic Character Sets -- Part 1: Latin + Alphabet No. 1, ISO 8859-1:1987. + + [12] Sklower, K., Lloyd, B., McGregor, G., Carr, D. and T. + Coradetti, "The PPP Multilink Protocol (MP)", RFC 1990, August + 1996. + + [13] Alvestrand, H. and T. Narten, "Guidelines for Writing an IANA + Considerations Section in RFCs", BCP 26, RFC 2434, October + 1998. + + [14] Galvin, J., McCloghrie, K. and J. Davin, "SNMP Security + Protocols", RFC 1352, July 1992. + + + + +Rigney, et al. Standards Track [Page 73] + +RFC 2865 RADIUS June 2000 + + + [15] Dobbertin, H., "The Status of MD5 After a Recent Attack", + CryptoBytes Vol.2 No.2, Summer 1996. + +11. Acknowledgements + + RADIUS was originally developed by Steve Willens of Livingston + Enterprises for their PortMaster series of Network Access Servers. + +12. Chair's Address + + The working group can be contacted via the current chair: + + Carl Rigney + Livingston Enterprises + 4464 Willow Road + Pleasanton, California 94588 + + Phone: +1 925 737 2100 + EMail: cdr@telemancy.com + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Rigney, et al. Standards Track [Page 74] + +RFC 2865 RADIUS June 2000 + + +13. Authors' Addresses + + Questions about this memo can also be directed to: + + Carl Rigney + Livingston Enterprises + 4464 Willow Road + Pleasanton, California 94588 + + Phone: +1 925 737 2100 + EMail: cdr@telemancy.com + + + Allan C. Rubens + Merit Network, Inc. + 4251 Plymouth Road + Ann Arbor, Michigan 48105-2785 + + EMail: acr@merit.edu + + + William Allen Simpson + Daydreamer + Computer Systems Consulting Services + 1384 Fontaine + Madison Heights, Michigan 48071 + + EMail: wsimpson@greendragon.com + + + Steve Willens + Livingston Enterprises + 4464 Willow Road + Pleasanton, California 94588 + + EMail: steve@livingston.com + + + + + + + + + + + + + + + +Rigney, et al. Standards Track [Page 75] + +RFC 2865 RADIUS June 2000 + + +14. Full Copyright Statement + + Copyright (C) The Internet Society (2000). All Rights Reserved. + + This document and translations of it may be copied and furnished to + others, and derivative works that comment on or otherwise explain it + or assist in its implementation may be prepared, copied, published + and distributed, in whole or in part, without restriction of any + kind, provided that the above copyright notice and this paragraph are + included on all such copies and derivative works. However, this + document itself may not be modified in any way, such as by removing + the copyright notice or references to the Internet Society or other + Internet organizations, except as needed for the purpose of + developing Internet standards in which case the procedures for + copyrights defined in the Internet Standards process must be + followed, or as required to translate it into languages other than + English. + + The limited permissions granted above are perpetual and will not be + revoked by the Internet Society or its successors or assigns. + + This document and the information contained herein is provided on an + "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING + TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING + BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION + HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF + MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Acknowledgement + + Funding for the RFC Editor function is currently provided by the + Internet Society. + + + + + + + + + + + + + + + + + + + +Rigney, et al. Standards Track [Page 76] + diff --git a/doc/standards/rfc3579.txt b/doc/standards/rfc3579.txt new file mode 100644 index 000000000..5eb72c700 --- /dev/null +++ b/doc/standards/rfc3579.txt @@ -0,0 +1,2579 @@ + + + + + + +Network Working Group B. Aboba +Request for Comments: 3579 Microsoft +Updates: 2869 P. Calhoun +Category: Informational Airespace + September 2003 + + + RADIUS (Remote Authentication Dial In User Service) + Support For Extensible Authentication Protocol (EAP) + +Status of this Memo + + This memo provides information for the Internet community. It does + not specify an Internet standard of any kind. Distribution of this + memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2003). All Rights Reserved. + +Abstract + + This document defines Remote Authentication Dial In User Service + (RADIUS) support for the Extensible Authentication Protocol (EAP), an + authentication framework which supports multiple authentication + mechanisms. In the proposed scheme, the Network Access Server (NAS) + forwards EAP packets to and from the RADIUS server, encapsulated + within EAP-Message attributes. This has the advantage of allowing + the NAS to support any EAP authentication method, without the need + for method-specific code, which resides on the RADIUS server. While + EAP was originally developed for use with PPP, it is now also in use + with IEEE 802. + + This document updates RFC 2869. + + + + + + + + + + + + + + + + + +Aboba & Calhoun Informational [Page 1] + +RFC 3579 RADIUS & EAP September 2003 + + +Table of Contents + + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2 + 1.1. Specification of Requirements. . . . . . . . . . . . . . 3 + 1.2. Terminology. . . . . . . . . . . . . . . . . . . . . . . 3 + 2. RADIUS Support for EAP . . . . . . . . . . . . . . . . . . . . 4 + 2.1. Protocol Overview. . . . . . . . . . . . . . . . . . . . 5 + 2.2. Invalid Packets. . . . . . . . . . . . . . . . . . . . . 9 + 2.3. Retransmission . . . . . . . . . . . . . . . . . . . . . 10 + 2.4. Fragmentation. . . . . . . . . . . . . . . . . . . . . . 10 + 2.5. Alternative uses . . . . . . . . . . . . . . . . . . . . 11 + 2.6. Usage Guidelines . . . . . . . . . . . . . . . . . . . . 11 + 3. Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . 14 + 3.1. EAP-Message. . . . . . . . . . . . . . . . . . . . . . . 15 + 3.2. Message-Authenticator. . . . . . . . . . . . . . . . . . 16 + 3.3. Table of Attributes. . . . . . . . . . . . . . . . . . . 18 + 4. Security Considerations. . . . . . . . . . . . . . . . . . . . 19 + 4.1. Security Requirements. . . . . . . . . . . . . . . . . . 19 + 4.2. Security Protocol. . . . . . . . . . . . . . . . . . . . 20 + 4.3. Security Issues. . . . . . . . . . . . . . . . . . . . . 22 + 5. IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 30 + 6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 30 + 6.1. Normative References . . . . . . . . . . . . . . . . . . 30 + 6.2. Informative References . . . . . . . . . . . . . . . . . 32 + Appendix A - Examples. . . . . . . . . . . . . . . . . . . . . . . 34 + Appendix B - Change Log. . . . . . . . . . . . . . . . . . . . . . 43 + Intellectual Property Statement. . . . . . . . . . . . . . . . . . 44 + Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . . 44 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 45 + Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 46 + +1. Introduction + + The Remote Authentication Dial In User Service (RADIUS) is an + authentication, authorization and accounting protocol used to control + network access. RADIUS authentication and authorization is specified + in [RFC2865], and RADIUS accounting is specified in [RFC2866]; RADIUS + over IPv6 is specified in [RFC3162]. + + The Extensible Authentication Protocol (EAP), defined in [RFC2284], + is an authentication framework which supports multiple authentication + mechanisms. EAP may be used on dedicated links, switched circuits, + and wired as well as wireless links. + + To date, EAP has been implemented with hosts and routers that connect + via switched circuits or dial-up lines using PPP [RFC1661]. It has + also been implemented with bridges supporting [IEEE802]. EAP + encapsulation on IEEE 802 wired media is described in [IEEE8021X]. + + + +Aboba & Calhoun Informational [Page 2] + +RFC 3579 RADIUS & EAP September 2003 + + + RADIUS attributes are comprised of variable length Type-Length-Value + 3-tuples. New attribute values can be added without disturbing + existing implementations of the protocol. This specification + describes RADIUS attributes supporting the Extensible Authentication + Protocol (EAP): EAP-Message and Message-Authenticator. These + attributes now have extensive field experience. The purpose of this + document is to provide clarification and resolve interoperability + issues. + + As noted in [RFC2865], a Network Access Server (NAS) that does not + implement a given service MUST NOT implement the RADIUS attributes + for that service. This implies that a NAS that is unable to offer + EAP service MUST NOT implement the RADIUS attributes for EAP. A NAS + MUST treat a RADIUS Access-Accept requesting an unavailable service + as an Access-Reject instead. + +1.1. Specification of Requirements + + In this document, several words are used to signify the requirements + of the specification. These words are often capitalized. The key + words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", + "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document + are to be interpreted as described in [RFC2119]. + +1.2. Terminology + + This document frequently uses the following terms: + + authenticator + The end of the link requiring the authentication. Also + known as the Network Access Server (NAS) or RADIUS client. + Within IEEE 802.1X terminology, the term Authenticator is + used. + + peer The other end of the point-to-point link (PPP), + point-to-point LAN segment (IEEE 802.1X) or wireless link, + which is being authenticated by the authenticator. In IEEE + 802.1X, this end is known as the Supplicant. + + authentication server + An authentication server is an entity that provides an + authentication service to an authenticator (NAS). This + service verifies from the credentials provided by the peer, + the claim of identity made by the peer; it also may provide + credentials allowing the peer to verify the identity of the + authentication server. Within this document it is assumed + that the NAS operates as a pass-through, forwarding EAP + packets between the RADIUS server and the EAP peer. + + + +Aboba & Calhoun Informational [Page 3] + +RFC 3579 RADIUS & EAP September 2003 + + + Therefore the RADIUS server operates as an authentication + server. + + silently discard + This means the implementation discards the packet without + further processing. The implementation SHOULD provide the + capability of logging the error, including the contents of + the silently discarded packet, and SHOULD record the event + in a statistics counter. + + displayable message + This is interpreted to be a human readable string of + characters, and MUST NOT affect operation of the protocol. + The message encoding MUST follow the UTF-8 transformation + format [RFC2279]. + + Network Access Server (NAS) + The device providing access to the network. Also known as + the Authenticator (IEEE 802.1X or EAP terminology) or + RADIUS client. + + service The NAS provides a service to the user, such as IEEE 802 or + PPP. + + session Each service provided by the NAS to a peer constitutes a + session, with the beginning of the session defined as the + point where service is first provided and the end of the + session defined as the point where service is ended. A + peer may have multiple sessions in parallel or series if + the NAS supports that, with each session generating a + separate start and stop accounting record. + +2. RADIUS Support for EAP + + The Extensible Authentication Protocol (EAP), described in [RFC2284], + provides a standard mechanism for support of additional + authentication methods without the NAS to be upgraded to support each + new method. Through the use of EAP, support for a number of + authentication schemes may be added, including smart cards, Kerberos + [RFC1510], Public Key [RFC2716], One Time Passwords [RFC2284], and + others. + + One of the advantages of the EAP architecture is its flexibility. + EAP is used to select a specific authentication mechanism. Rather + than requiring the NAS to be updated to support each new + authentication method, EAP permits the use of an authentication + server implementing authentication methods, with the NAS acting as a + pass-through for some or all methods and peers. + + + +Aboba & Calhoun Informational [Page 4] + +RFC 3579 RADIUS & EAP September 2003 + + + A NAS MAY authenticate local peers while at the same time acting as a + pass-through for non-local peers and authentication methods it does + not implement locally. A NAS implementing this specification is not + required to use RADIUS to authenticate every peer. However, once the + NAS begins acting as a pass-through for a particular session, it can + no longer perform local authentication for that session. + + In order to support EAP within RADIUS, two new attributes, + EAP-Message and Message-Authenticator, are introduced in this + document. This section describes how these new attributes may be + used for providing EAP support within RADIUS. + +2.1. Protocol Overview + + In RADIUS/EAP, RADIUS is used to shuttle RADIUS-encapsulated EAP + Packets between the NAS and an authentication server. + + The authenticating peer and the NAS begin the EAP conversation by + negotiating use of EAP. Once EAP has been negotiated, the NAS SHOULD + send an initial EAP-Request message to the authenticating peer. This + will typically be an EAP-Request/Identity, although it could be an + EAP-Request for an authentication method (Types 4 and greater). A + NAS MAY be configured to initiate with a default authentication + method. This is useful in cases where the identity is determined by + another means (such as Called-Station-Id, Calling-Station-Id and/or + Originating-Line-Info); where a single authentication method is + required, which includes its own identity exchange; where identity + hiding is desired, so that the identity is not requested until after + a protected channel has been set up. + + The peer replies with an EAP-Response. The NAS MAY determine from + the Response that it should proceed with local authentication. + Alternatively, the NAS MAY act as a pass-through, encapsulating the + EAP-Response within EAP-Message attribute(s) sent to the RADIUS + server within a RADIUS Access-Request packet. If the NAS sends an + EAP-Request/Identity message as the initial packet, the peer responds + with an EAP-Response/Identity. The NAS may determine that the peer + is local and proceed with local authentication. If no match is found + against the list of local users, the NAS encapsulates the + EAP-Response/Identity message within an EAP-Message attribute, + enclosed within an Access-Request packet. + + On receiving a valid Access-Request packet containing EAP-Message + attribute(s), a RADIUS server compliant with this specification and + wishing to authenticate with EAP MUST respond with an + Access-Challenge packet containing EAP-Message attribute(s). If the + RADIUS server does not support EAP or does not wish to authenticate + with EAP, it MUST respond with an Access-Reject. + + + +Aboba & Calhoun Informational [Page 5] + +RFC 3579 RADIUS & EAP September 2003 + + + EAP-Message attribute(s) encapsulate a single EAP packet which the + NAS decapsulates and passes on to the authenticating peer. The peer + then responds with an EAP-Response packet, which the NAS encapsulates + within an Access-Request containing EAP-Message attribute(s). EAP is + a 'lock step' protocol, so that other than the initial Request, a new + Request cannot be sent prior to receiving a valid Response. + + The conversation continues until either a RADIUS Access-Reject or + Access-Accept packet is received from the RADIUS server. Reception + of a RADIUS Access-Reject packet MUST result in the NAS denying + access to the authenticating peer. A RADIUS Access-Accept packet + successfully ends the authentication phase. The NAS MUST NOT + "manufacture" a Success or Failure packet as the result of a timeout. + After a suitable number of timeouts have elapsed, the NAS SHOULD + instead end the EAP conversation. + + Using RADIUS, the NAS can act as a pass-through for an EAP + conversation between the peer and authentication server, without + needing to implement the EAP method used between them. Where the NAS + initiates the conversation by sending an EAP-Request for an + authentication method, it may not be required that the NAS fully + implement the EAP method reflected in the initial EAP-Request. + Depending on the initial method, it may be sufficient for the NAS to + be configured with the initial packet to be sent to the peer, and for + the NAS to act as a pass-through for subsequent messages. Note that + since the NAS only encapsulates the EAP-Response in its initial + Access-Request, the initial EAP-Request within the authentication + method is not available to the RADIUS server. For the RADIUS server + to be able to continue the conversation, either the initial + EAP-Request is vestigial, so that the RADIUS server need not be aware + of it, or the relevant information from the initial EAP-Request (such + as a nonce) is reflected in the initial EAP-Response, so that the + RADIUS server can obtain it without having received the initial + EAP-Request. + + Where the initial EAP-Request sent by the NAS is for an + authentication Type (4 or greater), the peer MAY respond with a Nak + indicating that it would prefer another authentication method that is + not implemented locally. In this case, the NAS SHOULD send + Access-Request encapsulating the received EAP-Response/Nak. This + provides the RADIUS server with a hint about the authentication + method(s) preferred by the peer, although it does not provide + information on the Type of the original Request. It also provides + the server with the Identifier used in the initial EAP-Request, so + that Identifier conflicts can be avoided. + + + + + + +Aboba & Calhoun Informational [Page 6] + +RFC 3579 RADIUS & EAP September 2003 + + + In order to evaluate whether the alternatives preferred by the + authenticating peer are allowed, the RADIUS server will typically + respond with an Access-Challenge containing EAP-Message attribute(s) + encapsulating an EAP-Request/Identity (Type 1). This allows the + RADIUS server to determine the peer identity, so as to be able to + retrieve the associated authentication policy. Alternatively, an + EAP-Request for an authentication method (Type 4 or greater) could be + sent. Since the RADIUS server may not be aware of the Type of the + initial EAP-Request, it is possible for the RADIUS server to choose + an unacceptable method, and for the peer to respond with another Nak. + + In order to permit non-EAP aware RADIUS proxies to forward the + Access-Request packet, if the NAS initially sends an + EAP-Request/Identity message to the peer, the NAS MUST copy the + contents of the Type-Data field of the EAP-Response/Identity received + from the peer into the User-Name attribute and MUST include the + Type-Data field of the EAP-Response/Identity in the User-Name + attribute in every subsequent Access-Request. Since RADIUS proxies + are assumed to act as a pass-through, they cannot be expected to + parse an EAP-Response/Identity encapsulated within EAP-Message + attribute(s). If the NAS initially sends an EAP-Request for an + authentication method, and the peer identity cannot be determined + from the EAP-Response, then the User-Name attribute SHOULD be + determined by another means. As noted in [RFC2865] Section 5.6, it + is recommended that Access-Requests use the value of the + Calling-Station-Id as the value of the User-Name attribute. + + Having the NAS send the initial EAP-Request packet has a number of + advantages: + + [1] It saves a round trip between the NAS and RADIUS server. + + [2] An Access-Request is only sent to the RADIUS server if the + authenticating peer sends an EAP-Response, confirming that it + supports EAP. In situations where peers may be EAP unaware, + initiating a RADIUS Access-Request on a "carrier sense" or + "media up" indication may result in many authentication + exchanges that cannot complete successfully. For example, on + wired networks [IEEE8021X] Supplicants typically do not initiate + the 802.1X conversation with an EAPOL-Start. Therefore an IEEE + 802.1X-enabled bridge may not be able to determine whether the + peer supports EAP until it receives a Response to the initial + EAP-Request. + + [3] It allows some peers to be authenticated locally. + + + + + + +Aboba & Calhoun Informational [Page 7] + +RFC 3579 RADIUS & EAP September 2003 + + + Although having the NAS send the initial EAP-Request packet has + substantial advantages, this technique cannot be universally + employed. There are circumstances in which the peer identity is + already known (such as when authentication and accounting is handled + based on Called-Station-Id, Calling-Station-Id and/or + Originating-Line-Info), but where the appropriate EAP method may vary + based on that identity. + + Rather than sending an initial EAP-Request packet to the + authenticating peer, on detecting the presence of the peer, the NAS + MAY send an Access-Request packet to the RADIUS server containing an + EAP-Message attribute signifying EAP-Start. The RADIUS server will + typically respond with an Access-Challenge containing EAP-Message + attribute(s) encapsulating an EAP-Request/Identity (Type 1). + However, an EAP-Request for an authentication method (Type 4 or + greater) can also be sent by the server. + + EAP-Start is indicated by sending an EAP-Message attribute with a + length of 2 (no data). The Calling-Station-Id SHOULD be included in + the User-Name attribute. This may result in a RADIUS Access-Request + being sent by the NAS to the RADIUS server without first confirming + that the peer supports EAP. Since this technique can result in a + large number of uncompleted RADIUS conversations, in situations where + EAP unaware peers are common, or where peer support for EAP cannot be + determined on initial contact (e.g. [IEEE8021X] Supplicants not + initiating the conversation with an EAPOL-Start) it SHOULD NOT be + employed by default. + + For proxied RADIUS requests, there are two methods of processing. If + the domain is determined based on the Calling-Station-Id, + Called-Station-Id and/or Originating-Line-Info, the RADIUS server may + proxy the initial RADIUS Access-Request/EAP-Start. If the realm is + determined based on the peer identity, the local RADIUS server MUST + respond with a RADIUS Access-Challenge including an EAP-Message + attribute encapsulating an EAP-Request/Identity packet. The response + from the authenticating peer SHOULD be proxied to the final + authentication server. + + If an Access-Request is sent to a RADIUS server which does not + support the EAP-Message attribute, then an Access-Reject MUST be sent + in response. On receiving an Access-Reject, the NAS MUST deny access + to the authenticating peer. + + + + + + + + + +Aboba & Calhoun Informational [Page 8] + +RFC 3579 RADIUS & EAP September 2003 + + +2.2. Invalid Packets + + While acting as a pass-through, the NAS MUST validate the EAP header + fields (Code, Identifier, Length) prior to forwarding an EAP packet + to or from the RADIUS server. On receiving an EAP packet from the + peer, the NAS checks the Code (2) and Length fields, and matches the + Identifier value against the current Identifier, supplied by the + RADIUS server in the most recently validated EAP-Request. On + receiving an EAP packet from the RADIUS server (encapsulated within + an Access-Challenge), the NAS checks the Code (1) and Length fields, + then updates the current Identifier value. Pending EAP Responses + that do not match the current Identifier value are silently discarded + by the NAS. + + Since EAP method fields (Type, Type-Data) are typically not validated + by a NAS operating as a pass-through, despite these checks it is + possible for a NAS to forward an invalid EAP packet to or from the + RADIUS server. A RADIUS server receiving EAP-Message attribute(s) it + does not understand SHOULD make the determination of whether the + error is fatal or non-fatal based on the EAP Type. A RADIUS server + determining that a fatal error has occurred MUST send an + Access-Reject containing an EAP-Message attribute encapsulating + EAP-Failure. + + A RADIUS server determining that a non-fatal error has occurred MAY + send an Access-Challenge to the NAS including EAP-Message + attribute(s) as well as an Error-Cause attribute [RFC3576] with value + 202 (decimal), "Invalid EAP Packet (Ignored)". The Access-Challenge + SHOULD encapsulate within EAP-Message attribute(s) the most recently + sent EAP-Request packet (including the same Identifier value). On + receiving such an Access-Challenge, a NAS implementing previous + versions of this specification will decapsulate the EAP-Request and + send it to the peer, which will retransmit the EAP-Response. + + A NAS compliant with this specification, on receiving an + Access-Challenge with an Error-Cause attribute of value 202 (decimal) + SHOULD discard the EAP-Response packet most recently transmitted to + the RADIUS server and check whether additional EAP-Response packets + have been received matching the current Identifier value. If so, a + new EAP-Response packet, if available, MUST be sent to the RADIUS + server within an Access-Request, and the EAP-Message attribute(s) + included within the Access-Challenge are silently discarded. If no + EAP-Response packet is available, then the EAP-Request encapsulated + within the Access-Challenge is sent to the peer, and the + retransmission timer is reset. + + + + + + +Aboba & Calhoun Informational [Page 9] + +RFC 3579 RADIUS & EAP September 2003 + + + In order to provide protection against Denial of Service (DoS) + attacks, it is advisable for the NAS to allocate a finite buffer for + EAP packets received from the peer, and to discard packets according + to an appropriate policy once that buffer has been exceeded. Also, + the RADIUS server is advised to permit only a modest number of + invalid EAP packets within a single session, prior to terminating the + session with an Access-Reject. By default a value of 5 invalid EAP + packets is recommended. + +2.3. Retransmission + + As noted in [RFC2284], if an EAP packet is lost in transit between + the authenticating peer and the NAS (or vice versa), the NAS will + retransmit. + + It may be necessary to adjust retransmission strategies and + authentication timeouts in certain cases. For example, when a token + card is used additional time may be required to allow the user to + find the card and enter the token. Since the NAS will typically not + have knowledge of the required parameters, these need to be provided + by the RADIUS server. This can be accomplished by inclusion of + Session-Timeout attribute within the Access-Challenge packet. + + If Session-Timeout is present in an Access-Challenge packet that also + contains an EAP-Message, the value of the Session-Timeout is used to + set the EAP retransmission timer for that EAP Request, and that + Request alone. Once the EAP-Request has been sent, the NAS sets the + retransmission timer, and if it expires without having received an + EAP-Response corresponding to the Request, then the EAP-Request is + retransmitted. + +2.4. Fragmentation + + Using the EAP-Message attribute, it is possible for the RADIUS server + to encapsulate an EAP packet that is larger than the MTU on the link + between the NAS and the peer. Since it is not possible for the + RADIUS server to use MTU discovery to ascertain the link MTU, the + Framed-MTU attribute may be included in an Access-Request packet + containing an EAP-Message attribute so as to provide the RADIUS + server with this information. A RADIUS server having received a + Framed-MTU attribute in an Access-Request packet MUST NOT send any + subsequent packet in this EAP conversation containing EAP-Message + attributes whose values, when concatenated, exceed the length + specified by the Framed-MTU value, taking the link type (specified by + the NAS-Port-Type attribute) into account. For example, as noted in + [RFC3580] Section 3.10, for a NAS-Port-Type value of IEEE 802.11, the + + + + + +Aboba & Calhoun Informational [Page 10] + +RFC 3579 RADIUS & EAP September 2003 + + + RADIUS server may send an EAP packet as large as Framed-MTU minus + four (4) octets, taking into account the additional overhead for the + IEEE 802.1X Version (1), Type (1) and Body Length (2) fields. + +2.5. Alternative Uses + + Currently the conversation between security servers and the RADIUS + server is often proprietary because of lack of standardization. In + order to increase standardization and provide interoperability + between RADIUS vendors and security vendors, it is recommended that + RADIUS- encapsulated EAP be used for this conversation. + + This has the advantage of allowing the RADIUS server to support EAP + without the need for authentication-specific code within the RADIUS + server. Authentication-specific code can then reside on a security + server instead. + + In the case where RADIUS-encapsulated EAP is used in a conversation + between a RADIUS server and a security server, the security server + will typically return an Access-Accept message without inclusion of + the expected attributes currently returned in an Access-Accept. This + means that the RADIUS server MUST add these attributes prior to + sending an Access-Accept message to the NAS. + +2.6. Usage Guidelines + +2.6.1. Identifier Space + + In EAP, each session has its own unique Identifier space. RADIUS + server implementations MUST be able to distinguish between EAP + packets with the same Identifier existing within distinct sessions, + originating on the same NAS. For this purpose, sessions can be + distinguished based on NAS and session identification attributes. + NAS identification attributes include NAS-Identifier, + NAS-IPv6-Address and NAS-IPv4-Address. Session identification + attributes include User-Name, NAS-Port, NAS-Port-Type, NAS-Port-Id, + Called-Station-Id, Calling-Station-Id and Originating-Line-Info. + +2.6.2. Role Reversal + + Since EAP is a peer-to-peer protocol, an independent and simultaneous + authentication may take place in the reverse direction. Both peers + may act as authenticators and authenticatees at the same time. + + However, role reversal is not supported by this specification. A + RADIUS server MUST respond to an Access-Request encapsulating an + EAP-Request with an Access-Reject. In order to avoid retransmissions + + + + +Aboba & Calhoun Informational [Page 11] + +RFC 3579 RADIUS & EAP September 2003 + + + by the peer, the Access-Reject SHOULD include an EAP-Response/Nak + packet indicating no preferred method, encapsulated within + EAP-Message attribute(s). + +2.6.3. Conflicting Messages + + The NAS MUST make its access control decision based solely on the + RADIUS Packet Type (Access-Accept/Access-Reject). The access control + decision MUST NOT be based on the contents of the EAP packet + encapsulated in one or more EAP-Message attributes, if present. + + Access-Accept packets SHOULD have only one EAP-Message attribute in + them, containing EAP Success; similarly, Access-Reject packets SHOULD + have only one EAP-Message attribute in them, containing EAP Failure. + + Where the encapsulated EAP packet does not match the result implied + by the RADIUS Packet Type, the combination is likely to cause + confusion, because the NAS and peer will arrive at different + conclusions as to the outcome of the authentication. + + For example, if the NAS receives an Access-Reject with an + encapsulated EAP Success, it will not grant access to the peer. + However, on receiving the EAP Success, the peer will be lead to + believe that it authenticated successfully. + + If the NAS receives an Access-Accept with an encapsulated EAP + Failure, it will grant access to the peer. However, on receiving an + EAP Failure, the peer will be lead to believe that it failed + authentication. If no EAP-Message attribute is included within an + Access-Accept or Access-Reject, then the peer may not be informed as + to the outcome of the authentication, while the NAS will take action + to allow or deny access. + + As described in [RFC2284], the EAP Success and Failure packets are + not acknowledged, and these packets terminate the EAP conversation. + As a result, if these packets are encapsulated within an + Access-Challenge, no response will be received, and therefore the NAS + will send no further Access-Requests to the RADIUS server for the + session. As a result, the RADIUS server will not indicate to the NAS + whether to allow or deny access, while the peer will be informed as + to the outcome of the authentication. + + + + + + + + + + +Aboba & Calhoun Informational [Page 12] + +RFC 3579 RADIUS & EAP September 2003 + + + To avoid these conflicts, the following combinations SHOULD NOT be + sent by a RADIUS server: + + Access-Accept/EAP-Message/EAP Failure + Access-Accept/no EAP-Message attribute + Access-Accept/EAP-Start + Access-Reject/EAP-Message/EAP Success + Access-Reject/no EAP-Message attribute + Access-Reject/EAP-Start + Access-Challenge/EAP-Message/EAP Success + Access-Challenge/EAP-Message/EAP Failure + Access-Challenge/no EAP-Message attribute + Access-Challenge/EAP-Start + + Since the responsibility for avoiding conflicts lies with the RADIUS + server, the NAS MUST NOT "manufacture" EAP packets in order to + correct contradictory messages that it receives. This behavior, + originally mandated within [IEEE8021X], will be deprecated in the + future. + +2.6.4. Priority + + A RADIUS Access-Accept or Access-Reject packet may contain EAP- + Message attribute(s). In order to ensure the correct processing of + RADIUS packets, the NAS MUST first process the attributes, including + the EAP-Message attribute(s), prior to processing the Accept/Reject + indication. + +2.6.5. Displayable Messages + + The Reply-Message attribute, defined in [RFC2865], Section 5.18, + indicates text which may be displayed to the peer. This is similar + in concept to EAP Notification, defined in [RFC2284]. When sending a + displayable message to a NAS during an EAP conversation, the RADIUS + server MUST encapsulate displayable messages within + EAP-Message/EAP-Request/Notification attribute(s). Reply-Message + attribute(s) MUST NOT be included in any RADIUS message containing an + EAP-Message attribute. An EAP-Message/EAP-Request/Notification + SHOULD NOT be included within an Access-Accept or Access-Reject + packet. + + In some existing implementations, a NAS receiving Reply-Message + attribute(s) copies the Text field(s) into the Type-Data field of an + EAP-Request/Notification packet, fills in the Identifier field, and + sends this to the peer. However, several issues arise from this: + + + + + + +Aboba & Calhoun Informational [Page 13] + +RFC 3579 RADIUS & EAP September 2003 + + + [1] Unexpected Responses. On receiving an EAP-Request/Notification, + the peer will send an EAP-Response/Notification, and the NAS + will pass this on to the RADIUS server, encapsulated within + EAP-Message attribute(s). However, the RADIUS server may not be + expecting an Access-Request containing an + EAP-Message/EAP-Response/Notification attribute. + + For example, consider what happens when a Reply-Message is + included within an Access-Accept or Access-Reject packet with no + EAP-Message attribute(s) present. If the value of the + Reply-Message attribute is copied into the Type-Data of an + EAP-Request/Notification and sent to the peer, this will result + in an Access-Request containing an + EAP-Message/EAP-Response/Notification attribute being sent by + the NAS to the RADIUS server. Since an Access-Accept or + Access-Reject packet terminates the RADIUS conversation, such an + Access-Request would not be expected, and could be interpreted + as the start of another conversation. + + [2] Identifier conflicts. While the EAP-Request/Notification is an + EAP packet containing an Identifier field, the Reply-Message + attribute does not contain an Identifier field. As a result, a + NAS receiving a Reply-Message attribute and wishing to translate + this to an EAP-Request/Notification will need to choose an + Identifier value. It is possible that the chosen Identifier + value will conflict with a value chosen by the RADIUS server for + another packet within the EAP conversation, potentially causing + confusion between a new packet and a retransmission. + + To avoid these problems, a NAS receiving a Reply-Message attribute + from the RADIUS server SHOULD silently discard the attribute, rather + than attempting to translate it to an EAP Notification Request. + +3. Attributes + + The NAS-Port or NAS-Port-Id attributes SHOULD be included by the NAS + in Access-Request packets, and either NAS-Identifier, NAS-IP-Address + or NAS-IPv6-Address attributes MUST be included. In order to permit + forwarding of the Access-Reply by EAP-unaware proxies, if a User-Name + attribute was included in an Access-Request, the RADIUS server MUST + include the User-Name attribute in subsequent Access-Accept packets. + Without the User-Name attribute, accounting and billing becomes + difficult to manage. The User-Name attribute within the Access- + Accept packet need not be the same as the User-Name attribute in the + Access-Request. + + + + + + +Aboba & Calhoun Informational [Page 14] + +RFC 3579 RADIUS & EAP September 2003 + + +3.1. EAP-Message + + Description + + This attribute encapsulates EAP [RFC2284] packets so as to allow + the NAS to authenticate peers via EAP without having to understand + the EAP method it is passing through. + + The NAS places EAP messages received from the authenticating peer + into one or more EAP-Message attributes and forwards them to the + RADIUS server within an Access-Request message. If multiple + EAP-Message attributes are contained within an Access-Request or + Access-Challenge packet, they MUST be in order and they MUST be + consecutive attributes in the Access-Request or Access-Challenge + packet. The RADIUS server can return EAP-Message attributes in + Access-Challenge, Access-Accept and Access-Reject packets. + + When RADIUS is used to enable EAP authentication, Access-Request, + Access-Challenge, Access-Accept, and Access-Reject packets SHOULD + contain one or more EAP-Message attributes. Where more than one + EAP-Message attribute is included, it is assumed that the + attributes are to be concatenated to form a single EAP packet. + + Multiple EAP packets MUST NOT be encoded within EAP-Message + attributes contained within a single Access-Challenge, + Access-Accept, Access-Reject or Access-Request packet. + + It is expected that EAP will be used to implement a variety of + authentication methods, including methods involving strong + cryptography. In order to prevent attackers from subverting EAP + by attacking RADIUS/EAP, (for example, by modifying EAP Success or + EAP Failure packets) it is necessary that RADIUS provide + per-packet authentication and integrity protection. + + Therefore the Message-Authenticator attribute MUST be used to + protect all Access-Request, Access-Challenge, Access-Accept, and + Access-Reject packets containing an EAP-Message attribute. + + Access-Request packets including EAP-Message attribute(s) without + a Message-Authenticator attribute SHOULD be silently discarded by + the RADIUS server. A RADIUS server supporting the EAP-Message + attribute MUST calculate the correct value of the + Message-Authenticator and MUST silently discard the packet if it + does not match the value sent. A RADIUS server not supporting the + EAP-Message attribute MUST return an Access-Reject if it receives + an Access-Request containing an EAP-Message attribute. + + + + + +Aboba & Calhoun Informational [Page 15] + +RFC 3579 RADIUS & EAP September 2003 + + + Access-Challenge, Access-Accept, or Access-Reject packets + including EAP-Message attribute(s) without a Message-Authenticator + attribute SHOULD be silently discarded by the NAS. A NAS + supporting the EAP-Message attribute MUST calculate the correct + value of the Message-Authenticator and MUST silently discard the + packet if it does not match the value sent. + + A summary of the EAP-Message attribute format is shown below. The + fields are transmitted from left to right. + + 0 1 2 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | String... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Type + + 79 for EAP-Message + + Length + + >= 3 + + String + + The String field contains an EAP packet, as defined in [RFC2284]. + If multiple EAP-Message attributes are present in a packet their + values should be concatenated; this allows EAP packets longer than + 253 octets to be transported by RADIUS. + +3.2. Message-Authenticator + + Description + + This attribute MAY be used to authenticate and integrity-protect + Access-Requests in order to prevent spoofing. It MAY be used in + any Access-Request. It MUST be used in any Access-Request, + Access-Accept, Access-Reject or Access-Challenge that includes an + EAP-Message attribute. + + A RADIUS server receiving an Access-Request with a + Message-Authenticator attribute present MUST calculate the correct + value of the Message-Authenticator and silently discard the packet + if it does not match the value sent. + + + + + + +Aboba & Calhoun Informational [Page 16] + +RFC 3579 RADIUS & EAP September 2003 + + + A RADIUS client receiving an Access-Accept, Access-Reject or + Access-Challenge with a Message-Authenticator attribute present + MUST calculate the correct value of the Message-Authenticator and + silently discard the packet if it does not match the value sent. + + This attribute is not required in Access-Requests which include + the User-Password attribute, but is useful for preventing attacks + on other types of authentication. This attribute is intended to + thwart attempts by an attacker to setup a "rogue" NAS, and perform + online dictionary attacks against the RADIUS server. It does not + afford protection against "offline" attacks where the attacker + intercepts packets containing (for example) CHAP challenge and + response, and performs a dictionary attack against those packets + offline. + + A summary of the Message-Authenticator attribute format is shown + below. The fields are transmitted from left to right. + + 0 1 2 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | String... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Type + + 80 for Message-Authenticator + + Length + + 18 + + String + + When present in an Access-Request packet, Message-Authenticator is + an HMAC-MD5 [RFC2104] hash of the entire Access-Request packet, + including Type, ID, Length and Authenticator, using the shared + secret as the key, as follows. + + Message-Authenticator = HMAC-MD5 (Type, Identifier, Length, + Request Authenticator, Attributes) + + When the message integrity check is calculated the signature + string should be considered to be sixteen octets of zero. + + + + + + + +Aboba & Calhoun Informational [Page 17] + +RFC 3579 RADIUS & EAP September 2003 + + + For Access-Challenge, Access-Accept, and Access-Reject packets, + the Message-Authenticator is calculated as follows, using the + Request-Authenticator from the Access-Request this packet is in + reply to: + + Message-Authenticator = HMAC-MD5 (Type, Identifier, Length, + Request Authenticator, Attributes) + + When the message integrity check is calculated the signature + string should be considered to be sixteen octets of zero. The + shared secret is used as the key for the HMAC-MD5 message + integrity check. The Message-Authenticator is calculated and + inserted in the packet before the Response Authenticator is + calculated. + +3.3. Table of Attributes + + The following table provides a guide to which attributes may be found + in packets including EAP-Message attribute(s), and in what quantity. + The EAP-Message and Message-Authenticator attributes specified in + this document MUST NOT be present in an Accounting-Request. If a + table entry is omitted, the values found in [RFC2548], [RFC2865], + [RFC2868], [RFC2869] and [RFC3162] should be assumed. + +Request Accept Reject Challenge # Attribute +0-1 0-1 0 0 1 User-Name +0 0 0 0 2 User-Password [Note 1] +0 0 0 0 3 CHAP-Password [Note 1] +0 0 0 0 18 Reply-Message +0 0 0 0 60 CHAP-Challenge +0 0 0 0 70 ARAP-Password [Note 1] +0 0 0 0 75 Password-Retry +1+ 1+ 1+ 1+ 79 EAP-Message [Note 1] +1 1 1 1 80 Message-Authenticator [Note 1] +0-1 0 0 0 94 Originating-Line-Info [Note 3] +0 0 0-1 0-1 101 Error-Cause [Note 2] +Request Accept Reject Challenge # Attribute + + [Note 1] An Access-Request that contains either a User-Password or + CHAP-Password or ARAP-Password or one or more EAP-Message attributes + MUST NOT contain more than one type of those four attributes. If it + does not contain any of those four attributes, it SHOULD contain a + Message-Authenticator. If any packet type contains an EAP-Message + attribute it MUST also contain a Message-Authenticator. A RADIUS + server receiving an Access-Request not containing any of those four + attributes and also not containing a Message-Authenticator attribute + SHOULD silently discard it. + + + + +Aboba & Calhoun Informational [Page 18] + +RFC 3579 RADIUS & EAP September 2003 + + + [Note 2] The Error-Cause attribute is defined in [RFC3576]. + + [Note 3] The Originating-Line-Info attribute is defined in [NASREQ]. + + The following table defines the meaning of the above table entries. + + 0 This attribute MUST NOT be present. + 0+ Zero or more instances of this attribute MAY be present. + 0-1 Zero or one instance of this attribute MAY be present. + 1 Exactly one instance of this attribute MUST be present. + 1+ One or more of these attributes MUST be present. + +4. Security Considerations + +4.1. Security Requirements + + RADIUS/EAP is used in order to provide authentication and + authorization for network access. As a result, both the RADIUS and + EAP portions of the conversation are potential targets of an attack. + Threats are discussed in [RFC2607], [RFC2865], and [RFC3162]. + Examples include: + + [1] An adversary may attempt to acquire confidential data and + identities by snooping RADIUS packets. + + [2] An adversary may attempt to modify packets containing RADIUS + messages. + + [3] An adversary may attempt to inject packets into a RADIUS + conversation. + + [4] An adversary may launch a dictionary attack against the RADIUS + shared secret. + + [5] An adversary may launch a known plaintext attack, hoping to + recover the key stream corresponding to a Request Authenticator. + + [6] An adversary may attempt to replay a RADIUS exchange. + + [7] An adversary may attempt to disrupt the EAP negotiation, in + order to weaken the authentication, or gain access to peer + passwords. + + [8] An authenticated NAS may attempt to forge NAS or session + identification attributes, + + [9] A rogue (unauthenticated) NAS may attempt to impersonate a + legitimate NAS. + + + +Aboba & Calhoun Informational [Page 19] + +RFC 3579 RADIUS & EAP September 2003 + + + [10] An attacker may attempt to act as a man-in-the-middle. + + To address these threats, it is necessary to support confidentiality, + data origin authentication, integrity, and replay protection on a + per-packet basis. Bi-directional authentication between the RADIUS + client and server also needs to be provided. There is no requirement + that the identities of RADIUS clients and servers be kept + confidential (e.g., from a passive eavesdropper). + +4.2. Security Protocol + + To address the security vulnerabilities of RADIUS/EAP, + implementations of this specification SHOULD support IPsec [RFC2401] + along with IKE [RFC2409] for key management. IPsec ESP [RFC2406] + with non-null transform SHOULD be supported, and IPsec ESP with a + non-null encryption transform and authentication support SHOULD be + used to provide per-packet confidentiality, authentication, integrity + and replay protection. IKE SHOULD be used for key management. + + Within RADIUS [RFC2865], a shared secret is used for hiding of + attributes such as User-Password, as well as in computation of the + Response Authenticator. In RADIUS accounting [RFC2866], the shared + secret is used in computation of both the Request Authenticator and + the Response Authenticator. + + Since in RADIUS a shared secret is used to provide confidentiality as + well as integrity protection and authentication, only use of IPsec + ESP with a non-null transform can provide security services + sufficient to substitute for RADIUS application-layer security. + Therefore, where IPSEC AH or ESP null is used, it will typically + still be necessary to configure a RADIUS shared secret. + + Where RADIUS is run over IPsec ESP with a non-null transform, the + secret shared between the NAS and the RADIUS server MAY NOT be + configured. In this case, a shared secret of zero length MUST be + assumed. However, a RADIUS server that cannot know whether incoming + traffic is IPsec-protected MUST be configured with a non-null RADIUS + shared secret. + + When IPsec ESP is used with RADIUS, per-packet authentication, + integrity and replay protection MUST be used. 3DES-CBC MUST be + supported as an encryption transform and AES-CBC SHOULD be supported. + AES-CBC SHOULD be offered as a preferred encryption transform if + supported. HMAC-SHA1-96 MUST be supported as an authentication + transform. DES-CBC SHOULD NOT be used as the encryption transform. + + + + + + +Aboba & Calhoun Informational [Page 20] + +RFC 3579 RADIUS & EAP September 2003 + + + A typical IPsec policy for an IPsec-capable RADIUS client is + "Initiate IPsec, from me to any destination port UDP 1812". This + causes an IPsec SA to be set up by the RADIUS client prior to sending + RADIUS traffic. If some RADIUS servers contacted by the client do + not support IPsec, then a more granular policy will be required: + "Initiate IPsec, from me to IPsec-Capable-RADIUS-Server, destination + port UDP 1812". + + For an IPsec-capable RADIUS server, a typical IPsec policy is "Accept + IPsec, from any to me, destination port 1812". This causes the + RADIUS server to accept (but not require) use of IPsec. It may not + be appropriate to require IPsec for all RADIUS clients connecting to + an IPsec-enabled RADIUS server, since some RADIUS clients may not + support IPsec. + + Where IPsec is used for security, and no RADIUS shared secret is + configured, it is important that the RADIUS client and server perform + an authorization check. Before enabling a host to act as a RADIUS + client, the RADIUS server SHOULD check whether the host is authorized + to provide network access. Similarly, before enabling a host to act + as a RADIUS server, the RADIUS client SHOULD check whether the host + is authorized for that role. + + RADIUS servers can be configured with the IP addresses (for IKE + Aggressive Mode with pre-shared keys) or FQDNs (for certificate + authentication) of RADIUS clients. Alternatively, if a separate + Certification Authority (CA) exists for RADIUS clients, then the + RADIUS server can configure this CA as a trust anchor [RFC3280] for + use with IPsec. + + Similarly, RADIUS clients can be configured with the IP addresses + (for IKE Aggressive Mode with pre-shared keys) or FQDNs (for + certificate authentication) of RADIUS servers. Alternatively, if a + separate CA exists for RADIUS servers, then the RADIUS client can + configure this CA as a trust anchor for use with IPsec. + + Since unlike SSL/TLS, IKE does not permit certificate policies to be + set on a per-port basis, certificate policies need to apply to all + uses of IPsec on RADIUS clients and servers. In IPsec deployments + supporting only certificate authentication, a management station + initiating an IPsec-protected telnet session to the RADIUS server + would need to obtain a certificate chaining to the RADIUS client CA. + Issuing such a certificate might not be appropriate if the management + station was not authorized as a RADIUS client. + + Where RADIUS clients may obtain their IP address dynamically (such as + an Access Point supporting DHCP), IKE Main Mode with pre-shared keys + [RFC2409] SHOULD NOT be used, since this requires use of a group + + + +Aboba & Calhoun Informational [Page 21] + +RFC 3579 RADIUS & EAP September 2003 + + + pre-shared key; instead, Aggressive Mode SHOULD be used. IKEv2, a + work in progress, may address this issue in the future. Where RADIUS + client addresses are statically assigned, either Aggressive Mode or + Main Mode MAY be used. With certificate authentication, Main Mode + SHOULD be used. + + Care needs to be taken with IKE Phase 1 Identity Payload selection in + order to enable mapping of identities to pre-shared keys even with + Aggressive Mode. Where the ID_IPV4_ADDR or ID_IPV6_ADDR Identity + Payloads are used and addresses are dynamically assigned, mapping of + identities to keys is not possible, so that group pre-shared keys are + still a practical necessity. As a result, the ID_FQDN identity + payload SHOULD be employed in situations where Aggressive mode is + utilized along with pre-shared keys and IP addresses are dynamically + assigned. This approach also has other advantages, since it allows + the RADIUS server and client to configure themselves based on the + fully qualified domain name of their peers. + + Note that with IPsec, security services are negotiated at the + granularity of an IPsec SA, so that RADIUS exchanges requiring a set + of security services different from those negotiated with existing + IPsec SAs will need to negotiate a new IPsec SA. Separate IPsec SAs + are also advisable where quality of service considerations dictate + different handling RADIUS conversations. Attempting to apply + different quality of service to connections handled by the same IPsec + SA can result in reordering, and falling outside the replay window. + For a discussion of the issues, see [RFC2983]. + +4.3. Security Issues + + This section provides more detail on the vulnerabilities identified + in Section 4.1., and how they may be mitigated. Vulnerabilities + include: + + Privacy issues + Spoofing and hijacking + Dictionary attacks + Known plaintext attacks + Replay attacks + Negotiation attacks + Impersonation + Man in the middle attacks + Separation of authenticator and authentication server + Multiple databases + + + + + + + +Aboba & Calhoun Informational [Page 22] + +RFC 3579 RADIUS & EAP September 2003 + + +4.3.1. Privacy Issues + + Since RADIUS messages may contain the User-Name attribute as well as + NAS-IP-Address or NAS-Identifier attributes, an attacker snooping on + RADIUS traffic may be able to determine the geographic location of + peers in real time. In wireless networks, it is often assumed that + RADIUS traffic is physically secure, since it typically travels over + the wired network and that this limits the release of location + information. + + However, it is possible for an authenticated attacker to spoof ARP + packets [RFC826] so as to cause diversion of RADIUS traffic onto the + wireless network. In this way an attacker may obtain RADIUS packets + from which it can glean peer location information, or which it can + subject to a known plaintext or offline dictionary attack. To + address these vulnerabilities, implementations of this specification + SHOULD use IPsec ESP with non-null transform and per-packet + encryption, authentication, integrity and replay protection to + protect both RADIUS authentication [RFC2865] and accounting [RFC2866] + traffic, as described in Section 4.2. + +4.3.2. Spoofing and Hijacking + + Access-Request packets with a User-Password attribute establish the + identity of both the user and the NAS sending the Access-Request, + because of the way the shared secret between the NAS and RADIUS + server is used. Access-Request packets with CHAP-Password or + EAP-Message attributes do not have a User-Password attribute. As a + result, the Message-Authenticator attribute SHOULD be used in + Access-Request packets that do not have a User-Password attribute, in + order to establish the identity of the NAS sending the request. + + An attacker may attempt to inject packets into the conversation + between the NAS and the RADIUS server, or between the RADIUS server + and the security server. RADIUS [RFC2865] does not support + encryption other than attribute hiding. As described in [RFC2865], + only Access-Reply and Access-Challenge packets are integrity + protected. Moreover, the per-packet authentication and integrity + protection mechanism described in [RFC2865] has known weaknesses + [MD5Attack], making it a tempting target for attackers looking to + subvert RADIUS/EAP. + + To provide stronger security, the Message-Authenticator attribute + MUST be used in all RADIUS packets containing an EAP-Message + attribute. Implementations of this specification SHOULD use IPsec + ESP with non-null transform and per-packet encryption, + authentication, integrity and replay protection, as described in + Section 4.2. + + + +Aboba & Calhoun Informational [Page 23] + +RFC 3579 RADIUS & EAP September 2003 + + +4.3.3. Dictionary Attacks + + The RADIUS shared secret is vulnerable to offline dictionary attack, + based on capture of the Response Authenticator or + Message-Authenticator attribute. In order to decrease the level of + vulnerability, [RFC2865] recommends: + + The secret (password shared between the client and the RADIUS + server) SHOULD be at least as large and unguessable as a + well-chosen password. It is preferred that the secret be at least + 16 octets. + + The risk of an offline dictionary attack can be further reduced by + employing IPsec ESP with non-null transform in order to encrypt the + RADIUS conversation, as described in Section 4.2. + +4.3.4. Known Plaintext Attacks + + Since EAP [RFC2284] does not support PAP, the RADIUS User-Password + attribute is not used to carry hidden user passwords within + RADIUS/EAP conversations. The User-Password hiding mechanism, + defined in [RFC2865] utilizes MD5, defined in [RFC1321], in order to + generate a key stream based on the RADIUS shared secret and the + Request Authenticator. Where PAP is in use, it is possible to + collect key streams corresponding to a given Request Authenticator + value, by capturing RADIUS conversations corresponding to a PAP + authentication attempt, using a known password. Since the + User-Password is known, the key stream corresponding to a given + Request Authenticator can be determined and stored. + + Since the key stream may have been determined previously from a known + plaintext attack, if the Request Authenticator repeats, attributes + encrypted using the RADIUS attribute hiding mechanism should be + considered compromised. In addition to the User-Password attribute, + which is not used with EAP, this includes attributes such as + Tunnel-Password [RFC2868, section 3.5] and MS-MPPE-Send-Key and + MS-MPPE-Recv-Key attributes [RFC2548, section 2.4], which include a + Salt field as part of the hiding algorithm. + + To avoid this, [RFC2865], Section 3 advises: + + Since it is expected that the same secret MAY be used to + authenticate with servers in disparate geographic regions, the + Request Authenticator field SHOULD exhibit global and temporal + uniqueness. + + + + + + +Aboba & Calhoun Informational [Page 24] + +RFC 3579 RADIUS & EAP September 2003 + + + Where the Request Authenticator repeats, the Salt field defined in + [RFC2548], Section 2.4 does not provide protection against + compromise. This is because MD5 [RFC1321], rather than HMAC-MD5 + [RFC2104], is used to generate the key stream, which is calculated + from the 128-bit RADIUS shared secret (S), the 128-bit Request + Authenticator (R), and the Salt field (A), using the formula b(1) = + MD5(S + R + A). Since the Salt field is placed at the end, if the + Request Authenticator were to repeat on a network where PAP is in + use, then the salted keystream could be calculated from the + User-Password keystream by continuing the MD5 calculation based on + the Salt field (A), which is sent in the clear. + + Even though EAP does not support PAP authentication, a security + vulnerability can still exist where the same RADIUS shared secret is + used for hiding User-Password as well as other attributes. This can + occur, for example, if the same RADIUS proxy handles authentication + requests for both EAP and PAP. + + The threat can be mitigated by protecting RADIUS with IPsec ESP with + non-null transform, as described in Section 4.2. Where RADIUS shared + secrets are configured, the RADIUS shared secret used by a NAS + supporting EAP MUST NOT be reused by a NAS utilizing the + User-Password attribute, since improper shared secret hygiene could + lead to compromise of hidden attributes. + +4.3.5. Replay Attacks + + The RADIUS protocol provides only limited support for replay + protection. RADIUS Access-Requests include liveness via the 128-bit + Request Authenticator. However, the Request Authenticator is not a + replay counter. Since RADIUS servers may not maintain a cache of + previous Request Authenticators, the Request Authenticator does not + provide replay protection. + + RADIUS accounting [RFC2866] does not support replay protection at the + protocol level. Due to the need to support failover between RADIUS + accounting servers, protocol-based replay protection is not + sufficient to prevent duplicate accounting records. However, once + accepted by the accounting server, duplicate accounting records can + be detected by use of the the Acct-Session-Id [RFC2866, section 5.5] + and Event-Timestamp [RFC2869, section 5.3] attributes. + + Unlike RADIUS authentication, RADIUS accounting does not use the + Request Authenticator as a nonce. Instead, the Request Authenticator + contains an MD5 hash calculated over the Code, Identifier, Length, + and request attributes of the Accounting Request packet, plus the + shared secret. The Response Authenticator also contains an MD5 hash + calculated over the Code, Identifier and Length, the Request + + + +Aboba & Calhoun Informational [Page 25] + +RFC 3579 RADIUS & EAP September 2003 + + + Authenticator field from the Accounting-Request packet being replied + to, the response attributes and the shared secret. + + Since the Accounting Response Authenticator depends in part on the + Accounting Request Authenticator, it is not possible to replay an + Accounting-Response unless the Request Authenticator repeats. While + it is possible to utilize EAP methods such as EAP TLS [RFC2716] which + include liveness checks on both sides, not all EAP messages will + include liveness so that this provides incomplete protection. + + Strong replay protection for RADIUS authentication and accounting can + be provided by enabling IPsec replay protection with RADIUS, as + described in Section 4.2. + +4.3.6. Negotiation Attacks + + In a negotiation attack a rogue NAS, tunnel server, RADIUS proxy or + RADIUS server attempts to cause the authenticating peer to choose a + less secure authentication method. For example, a session that would + normally be authenticated with EAP would instead be authenticated via + CHAP or PAP; alternatively, a connection that would normally be + authenticated via a more secure EAP method such as EAP-TLS [RFC2716] + might be made to occur via a less secure EAP method, such as + MD5-Challenge. The threat posed by rogue devices, once thought to be + remote, has gained currency given compromises of telephone company + switching systems, such as those described in [Masters]. + + Protection against negotiation attacks requires the elimination of + downward negotiations. The RADIUS exchange may be further protected + by use of IPsec, as described in Section 4.2. Alternatively, where + IPsec is not used, the vulnerability can be mitigated via + implementation of per-connection policy on the part of the + authenticating peer, and per-peer policy on the part of the RADIUS + server. For the authenticating peer, authentication policy should be + set on a per-connection basis. Per-connection policy allows an + authenticating peer to negotiate a strong EAP method when connecting + to one service, while negotiating a weaker EAP method for another + service. + + With per-connection policy, an authenticating peer will only attempt + to negotiate EAP for a session in which EAP support is expected. As + a result, there is a presumption that an authenticating peer + selecting EAP requires that level of security. If it cannot be + provided, it is likely that there is some kind of misconfiguration, + or even that the authenticating peer is contacting the wrong server. + Should the NAS not be able to negotiate EAP, or should the + EAP-Request sent by the NAS be of a different EAP type than what is + expected, the authenticating peer MUST disconnect. An authenticating + + + +Aboba & Calhoun Informational [Page 26] + +RFC 3579 RADIUS & EAP September 2003 + + + peer expecting EAP to be negotiated for a session MUST NOT negotiate + a weaker method, such as CHAP or PAP. In wireless networks, the + service advertisement itself may be spoof-able, so that an attacker + could fool the peer into negotiating an authentication method + suitable for a less secure network. + + For a NAS, it may not be possible to determine whether a peer is + required to authenticate with EAP until the peer's identity is known. + For example, for shared-uses NASes it is possible for one reseller to + implement EAP while another does not. Alternatively, some peer might + be authenticated locally by the NAS while other peers are + authenticated via RADIUS. In such cases, if any peers of the NAS + MUST do EAP, then the NAS MUST attempt to negotiate EAP for every + session. This avoids forcing a peer to support more than one + authentication type, which could weaken security. + + If CHAP is negotiated, the NAS will pass the User-Name and + CHAP-Password attributes to the RADIUS server in an Access-Request + packet. If the peer is not required to use EAP, then the RADIUS + server will respond with an Access-Accept or Access-Reject packet as + appropriate. However, if CHAP has been negotiated but EAP is + required, the RADIUS server MUST respond with an Access-Reject, + rather than an Access-Challenge/EAP-Message/EAP-Request packet. The + authenticating peer MUST refuse to renegotiate authentication, even + if the renegotiation is from CHAP to EAP. + + If EAP is negotiated but is not supported by the RADIUS proxy or + server, then the server or proxy MUST respond with an Access-Reject. + In these cases, a PPP NAS MUST send an LCP-Terminate and disconnect + the peer. This is the correct behavior since the authenticating peer + is expecting EAP to be negotiated, and that expectation cannot be + fulfilled. An EAP-capable authenticating peer MUST refuse to + renegotiate the authentication protocol if EAP had initially been + negotiated. Note that problems with a non-EAP capable RADIUS proxy + could prove difficult to diagnose, since a peer connecting from one + location (with an EAP-capable proxy) might be able to successfully + authenticate via EAP, while the same peer connecting at another + location (and encountering an EAP-incapable proxy) might be + consistently disconnected. + +4.3.7. Impersonation + + [RFC2865] Section 3 states: + + A RADIUS server MUST use the source IP address of the RADIUS UDP + packet to decide which shared secret to use, so that RADIUS + requests can be proxied. + + + + +Aboba & Calhoun Informational [Page 27] + +RFC 3579 RADIUS & EAP September 2003 + + + When RADIUS requests are forwarded by a proxy, the NAS-IP-Address or + NAS-IPv6-Address attributes may not match the source address. Since + the NAS-Identifier attribute need not contain an FQDN, this attribute + also may not correspond to the source address, even indirectly, with + or without a proxy present. + + As a result, the authenticity check performed by a RADIUS server or + proxy does not verify the correctness of NAS identification + attributes. This makes it possible for a rogue NAS to forge + NAS-IP-Address, NAS-IPv6-Address or NAS-Identifier attributes within + a RADIUS Access-Request in order to impersonate another NAS. It is + also possible for a rogue NAS to forge session identification + attributes such as Called-Station-Id, Calling-Station-Id, and + Originating-Line-Info. + + This could fool the RADIUS server into subsequently sending + Disconnect or CoA-Request messages [RFC3576] containing forged + session identification attributes to a NAS targeted by an attacker. + + To address these vulnerabilities RADIUS proxies SHOULD check whether + NAS identification attributes (NAS-IP-Address, NAS-IPv6-Address, + NAS-Identifier) match the source address of packets originating from + the NAS. Where a match is not found, an Access-Reject SHOULD be + sent, and an error SHOULD be logged. + + However, such a check may not always be possible. Since the + NAS-Identifier attribute need not correspond to an FQDN, it may not + be resolvable to an IP address to be matched against the source + address. Also, where a NAT exists between the RADIUS client and + proxy, checking the NAS-IP-Address or NAS-IPv6-Address attributes may + not be feasible. + + To allow verification of NAS and session identification parameters, + EAP methods can support the secure exchange of these parameters + between the EAP peer and EAP server. NAS identification attributes + include NAS-IP-Address, NAS-IPv6-Address and Called-Station-Id; + session identification attributes include User-Name and + Calling-Station-Id. The secure exchange of these parameters between + the EAP peer and server enables the RADIUS server to check whether + the attributes provided by the NAS match those provided by the peer; + similarly, the peer can check the parameters provided by the NAS + against those provided by the EAP server. This enables detection of + a rogue NAS. + + + + + + + + +Aboba & Calhoun Informational [Page 28] + +RFC 3579 RADIUS & EAP September 2003 + + +4.3.8. Man in the Middle Attacks + + RADIUS only provides security on a hop-by-hop basis, even where IPsec + is used. As a result, an attacker gaining control of a RADIUS proxy + could attempt to modify EAP packets in transit. To protect against + this, EAP methods SHOULD incorporate their own per-packet integrity + protection and authentication mechanisms. + +4.3.9. Separation of Authenticator and Authentication Server + + As noted in [RFC2716], it is possible for the EAP peer and + authenticator to mutually authenticate, and derive a Master Session + Key (MSK) for a ciphersuite used to protect subsequent data traffic. + This does not present an issue on the peer, since the peer and EAP + client reside on the same machine; all that is required is for the + EAP client module to derive and pass a Transient Session Key (TSK) to + the ciphersuite module. + + The situation is more complex when EAP is used with RADIUS, since the + authenticator and authentication server may not reside on the same + host. + + In the case where the authenticator and authentication server reside + on different machines, there are several implications for security. + First, mutual authentication will occur between the peer and the + authentication server, not between the peer and the authenticator. + This means that it is not possible for the peer to validate the + identity of the NAS or tunnel server that it is speaking to, using + EAP alone. + + As described in Section 4.2, when RADIUS/EAP is used to encapsulate + EAP packets, IPsec SHOULD be used to provide per-packet + authentication, integrity, replay protection and confidentiality. + The Message-Authenticator attribute is also required in RADIUS + Access-Requests containing an EAP-Message attribute sent from the NAS + or tunnel server to the RADIUS server. Since the + Message-Authenticator attribute involves an HMAC-MD5 message + integrity check, it is possible for the RADIUS server to verify the + integrity of the Access-Request as well as the NAS or tunnel server's + identity, even where IPsec is not used. Similarly, Access-Challenge + packets containing an EAP-Message attribute sent from the RADIUS + server to the NAS are also authenticated and integrity protected + using an HMAC-MD5 message integrity check, enabling the NAS or tunnel + server to determine the integrity of the packet and verify the + identity of the RADIUS server, even where IPsec is not used. + Moreover, EAP packets sent using methods that contain their own + integrity protection cannot be successfully modified by a rogue NAS + or tunnel server. + + + +Aboba & Calhoun Informational [Page 29] + +RFC 3579 RADIUS & EAP September 2003 + + + The second issue that arises where the authenticator and + authentication server reside on separate hosts is that the EAP Master + Session Key (MSK) negotiated between the peer and authentication + server will need to be transmitted to the authenticator. Therefore a + mechanism needs to be provided to transmit the MSK from the + authentication server to the NAS or tunnel server that needs it. The + specification of the key transport and wrapping mechanism is outside + the scope of this document. However, it is expected that the + wrapping mechanism will provide confidentiality, integrity and replay + protection, and data origin authentication. + +4.3.10. Multiple Databases + + In many cases a security server will be deployed along with a RADIUS + server in order to provide EAP services. Unless the security server + also functions as a RADIUS server, two separate user databases will + exist, each containing information about the security requirements + for the user. This represents a weakness, since security may be + compromised by a successful attack on either of the servers, or their + databases. With multiple user databases, adding a new user may + require multiple operations, increasing the chances for error. The + problems are further magnified in the case where user information is + also being kept in an LDAP server. In this case, three stores of + user information may exist. + + In order to address these threats, consolidation of databases is + recommended. This can be achieved by having both the RADIUS server + and security server store information in the same database; by having + the security server provide a full RADIUS implementation; or by + consolidating both the security server and the RADIUS server onto + the same machine. + +5. IANA Considerations + + This specification does not create any new registries, or define any + new RADIUS attributes or values. + +6. References + +6.1. Normative References + + [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC + 1321, April 1992. + + [RFC2104] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC: + Keyed-Hashing for Message Authentication", RFC 2104, + February 1997. + + + + +Aboba & Calhoun Informational [Page 30] + +RFC 3579 RADIUS & EAP September 2003 + + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [RFC2279] Yergeau, F., "UTF-8, a transformation format of ISO + 10646", RFC 2279, January 1998. + + [RFC2284] Blunk, L. and J. Vollbrecht, "PPP Extensible + Authentication Protocol (EAP)", RFC 2284, March 1998. + + [RFC2401] Atkinson, R. and S. Kent, "Security Architecture for + the Internet Protocol", RFC 2401, November 1998. + + [RFC2406] Kent, S. and R. Atkinson, "IP Encapsulating Security + Payload (ESP)", RFC 2406, November 1998. + + [RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange + (IKE)", RFC 2409, November 1998. + + [RFC2486] Aboba, B. and M. Beadles, "The Network Access + Identifier", RFC 2486, January 1999. + + [RFC2865] Rigney, C., Willens, S., Rubens, A. and W. Simpson, + "Remote Authentication Dial In User Service (RADIUS)", + RFC 2865, June 2000. + + [RFC2988] Paxson, V. and M. Allman, "Computing TCP's + Retransmission Timer", RFC 2988, November 2000. + + [RFC3162] Aboba, B., Zorn, G. and D. Mitton, "RADIUS and IP6", + RFC 3162, August 2001. + + [RFC3280] Housley, R., Polk, W., Ford, W. and D. Solo, "Internet + X.509 Public Key Infrastructure Certificate and + Certificate Revocation List (CRL) Profile", RFC 3280, + April 2002. + + [RFC3576] Chiba, M., Dommety, G., Eklund, M., Mitton, D. and B. + Aboba, "Dynamic Authorization Extensions to Remote + Authentication Dial In User Service (RADIUS)", RFC + 3576, July 2003. + + + + + + + + + + + +Aboba & Calhoun Informational [Page 31] + +RFC 3579 RADIUS & EAP September 2003 + + +6.2. Informative References + + [RFC826] Plummer, D., "An Ethernet Address Resolution + Protocol", STD 37, RFC 826, November 1982. + + [RFC1510] Kohl, J. and C. Neuman, "The Kerberos Network + Authentication Service (V5)", RFC 1510, September + 1993. + + [RFC1661] Simpson, W., "The Point-to-Point Protocol (PPP)", STD + 51, RFC 1661, July 1994. + + [RFC2548] Zorn, G., "Microsoft Vendor-specific RADIUS + Attributes", RFC 2548, March 1999. + + [RFC2607] Aboba, B. and J. Vollbrecht, "Proxy Chaining and + Policy Implementation in Roaming", RFC 2607, June + 1999. + + [RFC2716] Aboba, B. and D. Simon,"PPP EAP TLS Authentication + Protocol", RFC 2716, October 1999. + + [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000. + + [RFC2867] Zorn, G., Aboba, B. and D. Mitton, "RADIUS Accounting + Modifications for Tunnel Protocol Support", RFC 2867, + June 2000. + + [RFC2868] Zorn, G., Leifer, D., Rubens, A., Shriver, J., + Holdrege, M. and I. Goyret, "RADIUS Attributes for + Tunnel Protocol Support", RFC 2868, June 2000. + + [RFC2869] Rigney, C., Willats, W. and P. Calhoun, "RADIUS + Extensions", RFC 2869, June 2000. + + [RFC2983] Black, D. "Differentiated Services and Tunnels", RFC + 2983, October 2000. + + [RFC3580] Congdon, P., Aboba, B., Smith, A., Zorn, G. and J. + Roese, "IEEE 802.1X Remote Authentication Dial In User + Service (RADIUS) Usage Guidelines", RFC 3580, + September 2003. + + [IEEE802] IEEE Standards for Local and Metropolitan Area + Networks: Overview and Architecture, ANSI/IEEE Std + 802, 1990. + + + + + +Aboba & Calhoun Informational [Page 32] + +RFC 3579 RADIUS & EAP September 2003 + + + [IEEE8021X] IEEE Standards for Local and Metropolitan Area + Networks: Port based Network Access Control, IEEE Std + 802.1X-2001, June 2001. + + [MD5Attack] Dobbertin, H., "The Status of MD5 After a Recent + Attack", CryptoBytes Vol.2 No.2, Summer 1996. + + [Masters] Slatalla, M. and J. Quittner, "Masters of Deception." + HarperCollins, New York, 1995. + + [NASREQ] Calhoun, P., et al., "Diameter Network Access Server + Application", Work in Progress. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Aboba & Calhoun Informational [Page 33] + +RFC 3579 RADIUS & EAP September 2003 + + +Appendix A - Examples + + The examples below illustrate conversations between an authenticating + peer, NAS, and RADIUS server. The OTP and EAP-TLS protocols are used + only for illustrative purposes; other authentication protocols could + also have been used, although they might show somewhat different + behavior. + + Where the NAS sends an EAP-Request/Identity as the initial packet, + the exchange appears as follows: + +Authenticating peer NAS RADIUS server +------------------- --- ------------- + <- EAP-Request/ + Identity +EAP-Response/ +Identity (MyID) -> + RADIUS Access-Request/ + EAP-Message/EAP-Response/ + (MyID) -> + <- RADIUS + Access-Challenge/ + EAP-Message/EAP-Request + OTP/OTP Challenge + <- EAP-Request/ + OTP/OTP Challenge +EAP-Response/ +OTP, OTPpw -> + RADIUS Access-Request/ + EAP-Message/EAP-Response/ + OTP, OTPpw -> + <- RADIUS + Access-Accept/ + EAP-Message/EAP-Success + (other attributes) + <- EAP-Success + + + + + + + + + + + + + + + +Aboba & Calhoun Informational [Page 34] + +RFC 3579 RADIUS & EAP September 2003 + + + In the case where the NAS initiates with an EAP-Request for EAP TLS + [RFC2716], and the identity is determined based on the contents of + the client certificate, the exchange will appear as follows: + +Authenticating peer NAS RADIUS server +------------------- --- ------------- + <- EAP-Request/ + EAP-Type=EAP-TLS + (TLS Start, S bit set) +EAP-Response/ +EAP-Type=EAP-TLS +(TLS client_hello)-> + RADIUS Access-Request/ + EAP-Message/EAP-Response/ + EAP-Type=EAP-TLS-> + <-RADIUS Access-Challenge/ + EAP-Message/ + EAP-Request/ + EAP-Type=EAP-TLS + <- EAP-Request/ + EAP-Type=EAP-TLS + (TLS server_hello, + TLS certificate, + [TLS server_key_exchange,] + [TLS certificate_request,] + TLS server_hello_done) +EAP-Response/ +EAP-Type=EAP-TLS +(TLS certificate, +TLS client_key_exchange, +[TLS certificate_verify,] +TLS change_cipher_spec, +TLS finished)-> + RADIUS Access-Request/ + EAP-Message/EAP-Response/ + EAP-Type=EAP-TLS-> + <-RADIUS Access-Challenge/ + EAP-Message/ + EAP-Request/ + EAP-Type=EAP-TLS + <- EAP-Request/ + EAP-Type=EAP-TLS + (TLS change_cipher_spec, + TLS finished) + + + + + + + +Aboba & Calhoun Informational [Page 35] + +RFC 3579 RADIUS & EAP September 2003 + + +EAP-Response/ +EAP-Type=EAP-TLS -> + RADIUS Access-Request/ + EAP-Message/EAP-Response/ + EAP-Type=EAP-TLS-> + <-RADIUS Access-Accept/ + EAP-Message/EAP-Success + (other attributes) + <- EAP-Success + + In the case where the NAS first sends an EAP-Start packet to the + RADIUS server, the conversation would appear as follows: + +Authenticating peer NAS RADIUS server +------------------- --- ------------- + RADIUS Access-Request/ + EAP-Message/Start -> + <- RADIUS + Access-Challenge/ + EAP-Message/EAP-Request/ + Identity + <- EAP-Request/ + Identity +EAP-Response/ +Identity (MyID) -> + RADIUS Access-Request/ + EAP-Message/EAP-Response/ + Identity (MyID) -> + <- RADIUS + Access-Challenge/ + EAP-Message/EAP-Request/ + OTP/OTP Challenge + <- EAP-Request/ + OTP/OTP Challenge +EAP-Response/ +OTP, OTPpw -> + RADIUS Access-Request/ + EAP-Message/EAP-Response/ + OTP, OTPpw -> + <- RADIUS + Access-Accept/ + EAP-Message/EAP-Success + (other attributes) + <- EAP-Success + + + + + + + +Aboba & Calhoun Informational [Page 36] + +RFC 3579 RADIUS & EAP September 2003 + + + In the case where the NAS initiates with an EAP-Request for EAP TLS + [RFC2716], but the peer responds with a Nak, indicating that it would + prefer another method not implemented locally on the NAS, the + exchange will appear as follows: + +Authenticating peer NAS RADIUS server +------------------- --- ------------- + <- EAP-Request/ + EAP-Type=EAP-TLS + (TLS Start, S bit set) +EAP-Response/ +EAP-Type=Nak +(Alternative(s))-> + RADIUS Access-Request/ + EAP-Message/EAP-Response/ + Nak -> + <- RADIUS + Access-Challenge/ + EAP-Message/EAP-Request/ + Identity + <- EAP-Request/ + Identity +EAP-Response/ +Identity (MyID) -> + RADIUS Access-Request/ + EAP-Message/EAP-Response/ + (MyID) -> + <- RADIUS + Access-Challenge/ + EAP-Message/EAP-Request + OTP/OTP Challenge + <- EAP-Request/ + OTP/OTP Challenge +EAP-Response/ +OTP, OTPpw -> + RADIUS Access-Request/ + EAP-Message/EAP-Response/ + OTP, OTPpw -> + <- RADIUS + Access-Accept/ + EAP-Message/EAP-Success + (other attributes) + <- EAP-Success + + + + + + + + +Aboba & Calhoun Informational [Page 37] + +RFC 3579 RADIUS & EAP September 2003 + + + In the case where the authenticating peer attempts to authenticate + the NAS, the conversation would appear as follows: + +Authenticating peer NAS RADIUS Server +------------------- --- ------------- +EAP-Request/ +Challenge, MD5 -> + RADIUS Access-Request/ + EAP-Message/EAP-Request/ + Challenge, MD5 -> + <- RADIUS + Access-Reject/ + EAP-Message/ + EAP-Response/ + Nak (no alternative) + + <- EAP-Response/Nak + (no alternative) +EAP-Failure -> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Aboba & Calhoun Informational [Page 38] + +RFC 3579 RADIUS & EAP September 2003 + + + In the case where an invalid EAP Response is inserted by an attacker, + the conversation would appear as follows: + +Authenticating peer NAS RADIUS server +------------------- --- ------------- + <- EAP-Request/ + EAP-Type=Foo +EAP-Response/ +EAP-Type=Foo -> + RADIUS Access-Request/ + EAP-Message/EAP-Response/ + EAP-Type=Foo -> + <- RADIUS + Access-Challenge/ + EAP-Message/EAP-Request/ + EAP-Type=Foo + <- EAP-Request/ + EAP-Type=Foo +Attacker spoof: +EAP-Response/ +EAP-Type=Bar -> + +Good guy: +EAP-Response/ +EAP-Type=Foo -> + RADIUS Access-Request/ + EAP-Message/EAP-Response/ + EAP-Type=Bar -> + + <- RADIUS + Access-Challenge/ + EAP-Message/EAP-Request/ + EAP-Type=Foo, + Error-Cause="Invalid EAP + Packet (Ignored)" + RADIUS Access-Request/ + EAP-Message/EAP-Response/ + EAP-Type=Foo -> + <- Access-Accept/ + EAP-Message/Success + <- EAP Success + + + + + + + + + + +Aboba & Calhoun Informational [Page 39] + +RFC 3579 RADIUS & EAP September 2003 + + + In the case where the client fails EAP authentication, and an error + message is sent prior to disconnection, the conversation would appear + as follows: + +Authenticating peer NAS RADIUS server +------------------- --- ------------- + RADIUS Access-Request/ + EAP-Message/Start -> + <- RADIUS + Access-Challenge/ + EAP-Message/EAP-Response/ + Identity + <- EAP-Request/ + Identity +EAP-Response/ +Identity (MyID) -> + RADIUS Access-Request/ + EAP-Message/EAP-Response/ + (MyID) -> + <- RADIUS + Access-Challenge/ + EAP-Message/EAP-Request + OTP/OTP Challenge + <- EAP-Request/ + OTP/OTP Challenge +EAP-Response/ +OTP, OTPpw -> + RADIUS Access-Request/ + EAP-Message/EAP-Response/ + OTP, OTPpw -> + <- RADIUS + Access-Challenge/ + EAP-Message/EAP-Request/ + Notification + <- EAP-Request/ + Notification + +EAP-Response/ +Notification -> + RADIUS Access-Request/ + EAP-Message/EAP-Response/ + Notification -> + <- RADIUS + Access-Reject/ + EAP-Message/EAP-Failure + <- EAP-Failure + (client disconnected) + + + + +Aboba & Calhoun Informational [Page 40] + +RFC 3579 RADIUS & EAP September 2003 + + + In the case that the RADIUS server or proxy does not support EAP- + Message, but no error message is sent, the conversation would appear + as follows: + +Authenticating peer NAS RADIUS server +------------------- --- ------------- + RADIUS Access-Request/ + EAP-Message/Start -> + <- RADIUS + Access-Reject + (User Disconnected) + +In the case where the local RADIUS server does support EAP-Message, but +the remote RADIUS server does not, the conversation would appear as +follows: + +Authenticating peer NAS RADIUS server +------------------- --- ------------- + RADIUS Access-Request/ + EAP-Message/Start -> + <- RADIUS + Access-Challenge/ + EAP-Message/ + EAP-Response/ + Identity + <- EAP-Request/ + Identity + +EAP-Response/ +Identity +(MyID) -> + RADIUS Access-Request/ + EAP-Message/EAP-Response/ + (MyID) -> + <- RADIUS + Access-Reject + (proxied from remote + RADIUS server) + (User Disconnected) + + + + + + + + + + + + +Aboba & Calhoun Informational [Page 41] + +RFC 3579 RADIUS & EAP September 2003 + + + In the case where PPP is the link and the authenticating peer does + not support EAP, but where EAP is required for that user, the + conversation would appear as follows: + +Authenticating peer NAS RADIUS server +------------------- --- ------------- + <- PPP LCP Request-EAP + auth +PPP LCP NAK-EAP +auth -> + <- PPP LCP Request-CHAP + auth +PPP LCP ACK-CHAP +auth -> + <- PPP CHAP Challenge +PPP CHAP Response -> + RADIUS Access-Request/ + User-Name, + CHAP-Password -> + <- RADIUS + Access-Reject + <- PPP LCP Terminate + (User Disconnected) + +In the case where PPP is the link, the NAS does not support EAP, but +where EAP is required for that user, the conversation would appear as +follows: + +Authenticating peer NAS RADIUS server +------------------- --- ------------- + <- PPP LCP Request-CHAP + auth + +PP LCP ACK-CHAP +auth -> + <- PPP CHAP Challenge +PPP CHAP Response -> + RADIUS Access-Request/ + User-Name, + CHAP-Password -> + + <- RADIUS + Access-Reject + <- PPP LCP Terminate + (User Disconnected) + + + + + + +Aboba & Calhoun Informational [Page 42] + +RFC 3579 RADIUS & EAP September 2003 + + +Appendix B - Change Log + + The following changes have been made from RFC 2869: + + A NAS may simultaneously support both local authentication and + pass-through; once the NAS enters pass-through mode within a session, + it cannot revert back to local authentication. Also EAP is + explicitly described as a 'lock step' protocol. (Section 2). + + The NAS may initiate with an EAP-Request for an authentication Type. + If the Request is NAK'd, the NAS should send an initial + Access-Request with an EAP-Message attribute containing an + EAP-Response/Nak. + + The RADIUS server may treat an invalid EAP Response as a non-fatal + error (Section 2.2) + + For use with RADIUS/EAP, the Password-Retry (Section 2.3) and + Reply-Message (2.6.5) attributes are deprecated. + + Each EAP session has a unique Identifier space (Section 2.6.1). + + Role reversal is not supported (Section 2.6.2). + + Message combinations (e.g. Access-Accept/EAP-Failure) that conflict + are discouraged (Section 2.6.3). + + Only a single EAP packet may be encapsulated within a RADIUS message + (Section 3.1). + + An Access-Request lacking explicit authentication as well as a + Message- Authenticator attribute SHOULD be silently discarded + (Section 3.3). + + The Originating-Line-Info attribute is supported (Section 3.3). + + IPsec ESP with non-null transform SHOULD be used and the usage model + is described in detail (Section 4.2). + + Additional discussion of security vulnerabilities (Section 4.1) and + potential fixes (Section 4.3). + + Separated normative (Section 6.1) and informative (Section 6.2) + references. + + + + + + + +Aboba & Calhoun Informational [Page 43] + +RFC 3579 RADIUS & EAP September 2003 + + + Added additional examples (Appendix A): a NAS initiating with an + EAP-Request for an authentication Type; attempted role reversal. + +Intellectual Property Statement + + The IETF takes no position regarding the validity or scope of any + intellectual property or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; neither does it represent that it + has made any effort to identify any such rights. Information on the + IETF's procedures with respect to rights in standards-track and + standards-related documentation can be found in BCP-11. Copies of + claims of rights made available for publication and any assurances of + licenses to be made available, or the result of an attempt made to + obtain a general license or permission for the use of such + proprietary rights by implementors or users of this specification can + be obtained from the IETF Secretariat. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights which may cover technology that may be required to practice + this standard. Please address the information to the IETF Executive + Director. + +Acknowledgments + + Thanks to Dave Dawson and Karl Fox of Ascend, Glen Zorn of Cisco + Systems, Jari Arkko of Ericsson and Ashwin Palekar, Tim Moore and + Narendra Gidwani of Microsoft for useful discussions of this problem + space. The authors would also like to acknowledge Tony Jeffree, + Chair of IEEE 802.1 for his assistance in resolving RADIUS/EAP issues + in IEEE 802.1X-2001. + + + + + + + + + + + + + + + + + + +Aboba & Calhoun Informational [Page 44] + +RFC 3579 RADIUS & EAP September 2003 + + +Authors' Addresses + + Bernard Aboba + Microsoft Corporation + One Microsoft Way + Redmond, WA 98052 + + Phone: +1 425 706 6605 + Fax: +1 425 936 7329 + EMail: bernarda@microsoft.com + + + Pat R. Calhoun + Airespace + 110 Nortech Parkway + San Jose, California, 95134 + USA + + Phone: +1 408 635 2023 + Fax: +1 408 635 2020 + EMail: pcalhoun@airespace.com + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Aboba & Calhoun Informational [Page 45] + +RFC 3579 RADIUS & EAP September 2003 + + +Full Copyright Statement + + Copyright (C) The Internet Society (2003). All Rights Reserved. + + This document and translations of it may be copied and furnished to + others, and derivative works that comment on or otherwise explain it + or assist in its implementation may be prepared, copied, published + and distributed, in whole or in part, without restriction of any + kind, provided that the above copyright notice and this paragraph are + included on all such copies and derivative works. However, this + document itself may not be modified in any way, such as by removing + the copyright notice or references to the Internet Society or other + Internet organizations, except as needed for the purpose of + developing Internet standards in which case the procedures for + copyrights defined in the Internet Standards process must be + followed, or as required to translate it into languages other than + English. + + The limited permissions granted above are perpetual and will not be + revoked by the Internet Society or its successors or assignees. + + This document and the information contained herein is provided on an + "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING + TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING + BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION + HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF + MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Acknowledgement + + Funding for the RFC Editor function is currently provided by the + Internet Society. + + + + + + + + + + + + + + + + + + + +Aboba & Calhoun Informational [Page 46] + |