RFC 3576 Dynamic Authorization Extensions to Radius 中文版本




 
 
Network Working Group                                           M. Chiba
Request for Comments: 3576                                    G. Dommety
Category: Informational                                        M. Eklund
翻译:twingao/00814                                  Cisco Systems, Inc.
                                                               D. Mitton
                                                  Circular Logic, UnLtd.
                                                                B. Aboba
                                                   Microsoft Corporation
                                                               July 2003


                     对RADIUS协议的动态认证扩展

备忘录状态

   本文不是在制定一个Internet标准,只是向互联网社区提供相关信息,本文可
   以不受限制地传播。



版权说明
   Copyright (C) The Internet Society (2003).  All Rights Reserved.
摘要
   本文描述了对一种对RADIUS协议进行的扩展,该扩展当前已经在部署。该扩展
   允许动态更改用户会话,像NAS产品已经实现的那样。该扩展包括断开用户连接
   和更改已经应用于用户会话的授权。
 
 
 
 
 
 
 
Chiba, et al.                Informational                      [Page 1]

RFC 3576       Dynamic Authorization Extensions to RADIUS      July 2003

目录
   1.  介绍 . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  3
       1.1.  Applicability. . . . . . . . . . . . . . . . . . . . . .  3
       1.2.  Requirements Language  . . . . . . . . . . . . . . . . .  5
       1.3.  术语 . . . . . . . . . . . . . . . . . . . . . . . . . .  5
   2.  简介 . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  5
       2.1.  中断消息(DM) . . . . . . . . . . . . . . . . . . . . .  5
       2.2.  授权更改消息(CoA). . . . . . . . . . . . . . . . . . .  6
       2.3.  报文格式 . . . . . . . . . . . . . . . . . . . . . . . .  7
   3.  属性 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
       3.1.  Error-Cause. . . . . . . . . . . . . . . . . . . . . . . 13
       3.2.  属性列表 . . . . . . . . . . . . . . . . . . . . . . . . 16
   4.  IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 20
   5.  Security Considerations. . . . . . . . . . . . . . . . . . . . 21
       5.1.  Authorization Issues . . . . . . . . . . . . . . . . . . 21
       5.2.  Impersonation. . . . . . . . . . . . . . . . . . . . . . 22
       5.3.  IPsec Usage Guidelines . . . . . . . . . . . . . . . . . 22
       5.4.  Replay Protection. . . . . . . . . . . . . . . . . . . . 25
   6.  Example Traces . . . . . . . . . . . . . . . . . . . . . . . . 26
   7.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 26
       7.1.  Normative References . . . . . . . . . . . . . . . . . . 26
       7.2.  Informative References . . . . . . . . . . . . . . . . . 27
   8.  Intellectual Property Statement. . . . . . . . . . . . . . . . 28
   9.  Acknowledgements.  . . . . . . . . . . . . . . . . . . . . . . 28
   10. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 29
   11. Full Copyright Statement . . . . . . . . . . . . . . . . . . . 30
 
 
 
 
 
 
 
 
 
 
 

Chiba, et al.                Informational                      [Page 2]

RFC 3576       Dynamic Authorization Extensions to RADIUS      July 2003

1.  介绍
   定义在[RFC2865]中的RADIUS协议不支持主动由RADIUS服务器发送往NAS的消
   息。
   然而,有很多想要更改已经建立的会话特性的实例,不想使用初始的会话特
   性。例如:管理员想能够中断正在进行的用户会话。或者,用户想更改授权级
   别,这需要给用户会话增加或者删除授权属性。
   为了克服这些限制,某些厂商已经实现了额外的RADIUS命令以能够支持RADIUS
   服务器主动发送消息给NAS。这些扩展命令提供Disconnect和
   Change-of-Authorization(CoA)消息。Disconnect消息是用户会话立即中
   断,而CoA消息修改会话的授权属性,如数据过滤属性。
1.1.  适应性
   公开推荐该协议做为Informational RFC而不是standards-track RFC,因为
   because of problems that cannot be fixed without creating
   incompatibilities with deployed implementations. 这包括安全弱点,也包
   括从CoA命令设计的语意不明确。当推荐进行修改时,他们不能强制,因为这会
   导致和已经存在的实现不兼容。
   该协议已经存在的实现不支持授权检查。所以一个和其它ISP共享NAS的ISP可能
   中断或者更改另一个ISP用户的授权。为了补救这个问题,推荐进行“Reverse
   Path Forwarding”检查。详细情况请参看5.1章节。
   已存在的实现utilize per-packet authentication and integrity
   protection algorithms with known weaknesses [MD5Attack].为了提供更强
   的每报文认证和完整的保护,推荐使用IPSec,详细情况请参见5.3章节。
 
 
 
Chiba, et al.                Informational                      [Page 3]

RFC 3576       Dynamic Authorization Extensions to RADIUS      July 2003

   已存在的实现缺乏重放保护,为了支持重发保护,在IPSec重放保护没有实施
   时,推荐所有的消息中都加上Event-Timestamp属性。实现应该配置成为如果消
   息中缺少Event-Timestamp属性就静默丢弃。详细情况请参见5.4章节。
   
   The approach taken with CoA commands in existing implementations
   results in a semantic ambiguity.  Existing implementations of the
   CoA-Request identify the affected session, as well as supply the
   authorization changes.  Since RADIUS Attributes included within
   existing implementations of the CoA-Request can be used for session
   identification or authorization change, it may not be clear which
   function a given attribute is serving.
   The problem does not exist within [Diameter], in which authorization
   change is requested by a command using Attribute Value Pairs (AVPs)
   solely for identification, resulting in initiation of a standard
   Request/Response sequence where authorization changes are supplied.
   As a result, in no command can Diameter AVPs have multiple potential
   meanings.
   由于在处理change-of-authorization请求上RADIUS协议和Diameter协议有所不
   同,
   Due to differences in handling change-of-authorization requests in
   RADIUS and Diameter, it may be difficult or impossible for a
   Diameter/RADIUS gateway to successfully translate existing
   implementations of this specification to equivalent messages in
   Diameter.  For example, a Diameter command changing any attribute
   used for identification within existing CoA-Request implementations
   cannot be translated, since such an authorization change is
   impossible to carry out in existing implementations.  Similarly,
   translation between existing implementations of Disconnect-Request or
   CoA-Request messages and Diameter is tricky because a Disconnect-
   Request or CoA-Request message will need to be translated to multiple
   Diameter commands.
   To simplify translation between RADIUS and Diameter, a Service-Type
   Attribute with value "Authorize Only" can (optionally) be included
   within a Disconnect-Request or CoA-Request.  Such a Request contains
   only identification attributes.  A NAS supporting the "Authorize
   Only" Service-Type within a Disconnect-Request or CoA-Request
   responds with a NAK containing a Service-Type Attribute with value
   "Authorize Only" and an Error-Cause Attribute with value "Request
   Initiated".  The NAS will then send an Access-Request containing a
   Service-Type Attribute with a value of "Authorize Only".  This usage
   sequence is akin to what occurs in Diameter and so is more easily
   translated by a Diameter/RADIUS gateway.
 
 
Chiba, et al.                Informational                      [Page 4]

RFC 3576       Dynamic Authorization Extensions to RADIUS      July 2003

1.2.  Requirements Language
   In this document, several words are used to signify the requirements
   of the specification.  These words are often capitalized.  The key
   words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
   "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document
   are to be interpreted as described in [RFC2119].
1.3.  Terminology
   This document frequently uses the following terms:
   Network Access Server (NAS): The device providing access to the
                                network.
   service:                     The NAS provides a service to the user,
                                such as IEEE 802 or PPP.
   session:                     Each service provided by the NAS to a
                                user constitutes a session, with the
                                beginning of the session defined as the
                                point where service is first provided
                                and the end of the session defined as
                                the point where service is ended.  A
                                user may have multiple sessions in
                                parallel or series if the NAS supports
                                that.
   silently discard:            This means the implementation discards
                                the packet without further processing.
                                The implementation SHOULD provide the
                                capability of logging the error,
                                including the contents of the silently
                                discarded packet, and SHOULD record the
                                event in a statistics counter.
2.  概述
   本节描述了Disconnect和Coa消息最通用的实现特性。
2.1.  中断消息(DM)
   为了中断NAS上的用户会话,中断请求报文由RADIUS服务器发送。并丢弃所有关
   联会话的上下文。中断请求报文发送到UDP端口3799,and identifies the NAS
   as well as the user session to be terminated by inclusion of the
   identification attributes described in Section 3.
 
Chiba, et al.                Informational                      [Page 5]

RFC 3576       Dynamic Authorization Extensions to RADIUS      July 2003

   +----------+   Disconnect-Request     +----------+
   |          |   <--------------------  |          |
   |    NAS   |                          |  RADIUS  |
   |          |   Disconnect-Response    |  Server  |
   |          |   ---------------------> |          |
   +----------+                          +----------+
   NAS回应由RADIUS服务器发送的中断请求报文,如果所有的关联会话上下文被丢
   弃并且用户会话不再连接,NAS回应Disconnect-ACK报文,如果NAS不能中断会
   话和丢弃所有的关联会话上下文,NAS则发送Disconnect-NAK报文。如果
   Disconnect-Request报文中包含值为“Authorize Only”的Service-Type属
   性,则NAS必须(MUST)回应Disconnect-NAK报文,Disconnect-ACK报文必须不
   能(MUST NOT)发送。如果Disconnect-Request报文中包含不支持的
   Service-Type属性,则NAS必须(MUST)回应Disconnect-NAK报文,该报文可以
   (MAY)包含值为“Unsupported Service”的Error-Cause属性。
   Disconnect-ACK报文可以(MAY)包含值为6(Admin-Reset)的
   Acct-Terminate-Cause属性(属性类型49,定义在[RFC2866])。
2.2.  更改授权消息(CoA)
   CoA-Request报文包含了动态更改会话授权的信息。通常使用在更改数据过滤
   上。数据过滤可以是关于入口或者出口的,在额外的标识属性(标识入口或者
   出口的??)中发送,在3章节描述。使用的端口和报文格式(在2.3节描述)
   和Disconnect-Request消息相同。
   下列属性可以(MAY)在CoA-Request报文中发送:
   Filter-ID (11) - 表示应用在会话中的数据过滤列表的名称。
   +----------+      CoA-Request         +----------+
   |          |  <--------------------   |          |
   |   NAS    |                          |  RADIUS  |
   |          |     CoA-Response         |  Server  |
   |          |   ---------------------> |          |
   +----------+                          +----------+
   NAS在回应由RADIUS服务器发送的CoA-Request报文时,如果NAS能够成功地更改
   用户会话的授权信息。NAS发送CoA-ACK报文。如果请求不成功时发送CoA-NAK报
   文。如果CoA-Request报文中包含值为“Authorize Only”的Service-Type属
   性,则NAS必须(MUST)回应CoA-NAK报文,CoA-ACK报文必须不能(MUST NOT)
   发送。如果CoA-Request报文中包含不支持的Service-Type属性,则NAS必须
   (MUST)回应CoA-NAK报文,该报文可以(MAY)包含值为“Unsupported
   Service”的Error-Cause属性。
  

Chiba, et al.                Informational                      [Page 6]

RFC 3576       Dynamic Authorization Extensions to RADIUS      July 2003
 
2.3.  报文格式
   Disconnect-Request或者CoA-Request消息使用UDP端口3799做为目的端口,回
   应时,源端口和目的端口对调,准确地讲,RADIUS报文是封装在UDP报文的数据
   域中。
   报文格式如下所示。各个域的数据是从左向右传输的。
   报文格式由以下域组成:代码域,标识符域,长度域,认证字域和属性域,属
   性域的格式为类型/长度/值(TLV)。所有的域都和RADIUS [RFC2865]描述的一
   样。认证字域必须(MUST)和计费请求报文一样的方式计算。
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |  Identifier   |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                         Authenticator                         |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Attributes ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-
   代码
      代码域占位1个字节,表示RADIUS报文的类型,接收到无效的代码域必须
      (MUST)静默丢弃,本次扩展的RADIUS代码(十进制)如下:
      40 - Disconnect-Request [RFC2882]
      41 - Disconnect-ACK [RFC2882]
      42 - Disconnect-NAK [RFC2882]
      43 - CoA-Request [RFC2882]
      44 - CoA-ACK [RFC2882]
      45 - CoA-NAK [RFC2882]
 

Chiba, et al.                Informational                      [Page 7]

RFC 3576       Dynamic Authorization Extensions to RADIUS      July 2003

   标识符
      标识符域占位一个字节,用于匹配请求和回应报文。如果在一个很短的时间
      内接收到相同的源IP地址、源UDP端口号和相同的标识符域的请求报文,
      RADIUS服务器就可以认为是重复的请求报文。
      不像RADIUS协议,Disconnect-Request和CoA-Request消息的重发的责任在
      RADIUS服务器。如果发送这些消息后,RADIUS服务器没有接收到回应,将重
      发消息。
      当属性域的内容发生改变或者是已经收到前一个请求的有效的回应,标识符
      域必须(MUST)改变。如果仅仅是由于重传而内容没有变化时,标识符必须
      (MUST)保持不变。
      如果RADIUS服务器向同一个客户端重发Disconnect-Request和CoA-Request
      消息,并且属性没有修改,则请求认证字,标识符和源端口必须(MUST)使
      用原来的值。如果有任何属性发生变化,必须(MUST)使用新的请求认证字
      和标识符。
      需要注意的是,如果包含Event-Timestamp属性的话,重发报文时该属性会
      被修改,属性内容改变时需要一个新的标识符和请求认证字。
      如果向主代理的请求失败,如果备代理可以获得的话,必须查找(must)备
      代理,失败算法相关论述在[AAATransport]中描述。既然是一个新的请求,
      那么必须(MUST)使用新的请求认证字和标识符。当然,如果RADIUS服务器
      直接发送给客户端,失败机制将没有用处,因为Disconnect和CoA消息需要
      发送给会话驻留的NAS。
   长度
      Length域占位两个字节。它包含了报文中的Code域,Identifier域,
      Length域,Authenticator域和属性域的总长度。在长度域限定的范围之外
      的字节必须(MUST)作为填充字节,在接收时不予处理。如果包的实际长度
      小于长度域中给出的值,该包必须(MUST)被静默丢弃。报文的最小长度是
      20,最大长度是4096。
 
 
Chiba, et al.                Informational                      [Page 8]

RFC 3576       Dynamic Authorization Extensions to RADIUS      July 2003

   认证字
      认证字域占位16个字节。最重要的字节先传输。该域的值用来鉴别客户端和
      RADIUS计费服务器之间的消息。
   请求认证字
      在请求报文中,认证字域是一个占位16个字节的MD5校验码,称为请求认证
      字。请求认证字计算方法和计费请求报文相同。
      需要注意的是,由于在Disconnect-Request和CoA-Request报文中没有
      User-Password属性,Disconnect和CoA-Disconnect的请求认证字不能使用
      和RADIUS接入请求报文一样计算方法。
   回应认证字
      在回应报文(即,Disconnect-ACK,Disconnect-NAK,CoA-ACK或者
      CoA-NAK)中的认证字称为回应认证字。它包含对一个由Code+Identifier+
      Length+对应的请求包的请求认证字+回应属性(如果有的话)+共享密钥构
      成的字节流进行某种方式的MD5哈希计算得出的16个字节的hash值。这个占
      位16个字节的MD5哈希值被存储在回应报文的Authenticator域中。
   管理提示:共享密钥(在客户端和RADIUS服务器之间的共享密钥)的长度应该
   (SHOULD)至少大到不可能猜测的程度。RADIUS服务器必须(MUST)根据
   RADIUS的UDP报文的源IP地址决定使用那个共享密钥,因此,RADIUS请求才可以
   被代理。
   属性
      在Disconnect和CoA-Request消息中,所有的属性都是强制性的。如果
      CoA-Request报文包含一个或者多个不支持的属性或者不支持的属性值,则
      NAS必须(MUST)回应CoA-NAK;如果Disconnect-Request报文包含一个或者
      多个不支持的属性或者不支持的属性值,则NAS必须(MUST)回应
      Disconnect-NAK。由CoA-Request报文引起的状态改变必须(MUST)是个原
      子事务。如果请求成功,发送CoA-ACK报文,此时所有请求的授权更改都必
      须(MUST)实现。如果CoA-Request没有成功,必须(MUST)发送CoA-NAK,
      所有请求的授权更改必须都不能(MUST NOT)实现。同样的,如果
      Disconnect-Request不成功,状态改变必须不能(MUST NOT)发生,并且必
      须(MUST)发送Disconnect-NAK报文。
     
 
Chiba, et al.                Informational                      [Page 9]

RFC 3576       Dynamic Authorization Extensions to RADIUS      July 2003

      包括本规范在内的属性可以(may)用来认证,授权或者其它目的,NAS使用
      属性做RADIUS认证和计费,这些属性可以(may)不支持包含在
      Disconnect-Request或者CoA-Request消息中,在属性语意上有不同,
      This is true even for attributes specified within [RFC2865],
      [RFC2868], [RFC2869] or [RFC3162] as allowable within
      Access-Accept messages.
      既然可能导致无法预测的结果,除了在3.2节中说明的属性,其它属性不应
      该(SHOULD NOT)包含在Disconnect或者CoA消息中。
      当使用转发代理时,代理必须(must)能够在报文通过的每个方向上更改报
      文。当代理转发Disconnect或者CoA-Request报文时,代理可以(MAY)增加
      Proxy-State属性,当代理转发回应报文时,代理必须(MUST)移除它增加
      的Proxy-State属性(如果它曾经增加过)。Proxy-State属性总是在其它的
      Proxy-State属性后增加或者移除,没有其它关于该属性在属性列表中位置
      的要求。由于是基于整个报文内容鉴别Disconnect和CoA回应报文的,
      Proxy-State属性的变化会使得原来的签名无效,因此代理需要重新计算,
      转发代理必须不能(MUST NOT)修改报文中已经存在的Proxy-State,State
      或者Class属性。
      如果从服务接收到的Disconnect-Request或者CoA-Request报文中有任何
      Proxy-State属性,转发代理必须(MUST)在回应服务器时包含这些
      Proxy-State属性。当转发请求报文时,转发代理可以(MAY)在
      Disconnect-Request或者CoA-Request报文中包含Proxy-State属性,也可以
      (MAY)在转发时略去这些属性,如果转发代理略去请求报文中的
      Proxy-State属性,必须(MUST)在发送回服务器之前将它们重新附加到回
      应报文中。
 
 
 
 
Chiba, et al.                Informational                     [Page 10]

RFC 3576       Dynamic Authorization Extensions to RADIUS      July 2003

3.  属性
   在Disconnect-Request和CoA-Request报文中,某些属性用来唯一标识NAS和NAS
   中用户的会话。为了Disconnect-Request或者CoA-Request成功处理,所有包含
   在请求消息中的标识属性必须(MUST)匹配,否则应该(SHOULD)发送
   Disconnect-NAK或者CoA-NAK报文。如果存在的话,会话标识属性:User-Name
   和Acct-Session-Id属性必须(MUST)匹配,其它的会话标识属性也应该
   (SHOULD)匹配。当有检测到一个会话标识属性错误,应该(SHOULD)发送
   Disconnect-NAK或者CoA-NAK报文。使用NAS或者会话标识属性匹配唯一或者多
   个会话的讨论超出了本文的范围。标识属性包括NAS和会话标识属性,如下表所示:
   NAS标识属性
   Attribute             #    Reference  Description
   ---------            ---   ---------  -----------
   NAS-IP-Address        4    [RFC2865]  The IPv4 address of the NAS.
   NAS-Identifier       32    [RFC2865]  String identifying the NAS.
   NAS-IPv6-Address     95    [RFC3162]  The IPv6 address of the NAS.
 
 
 
 
 
 
 
 
 
 
 
 
 
Chiba, et al.                Informational                     [Page 11]

RFC 3576       Dynamic Authorization Extensions to RADIUS      July 2003

   会话标识属性
   Attribute              #    Reference  Description
   ---------             ---   ---------  -----------
   User-Name              1    [RFC2865]  The name of the user
                                          associated with the session.
   NAS-Port               5    [RFC2865]  The port on which the
                                          session is terminated.
   Framed-IP-Address      8    [RFC2865]  The IPv4 address associated
                                          with the session.
   Called-Station-Id     30    [RFC2865]  The link address to which
                                          the session is connected.
   Calling-Station-Id    31    [RFC2865]  The link address from which
                                          the session is connected.
   Acct-Session-Id       44    [RFC2866]  The identifier uniquely
                                          identifying the session
                                          on the NAS.
   Acct-Multi-Session-Id 50    [RFC2866]  The identifier uniquely
                                          identifying related sessions.
   NAS-Port-Type         61    [RFC2865]  The type of port used.
   NAS-Port-Id           87    [RFC2869]  String identifying the port
                                          where the session is.
   Originating-Line-Info 94    [NASREQ]   Provides information on the
                                          characteristics of the line
                                          from which a session
                                          originated.
   Framed-Interface-Id   96    [RFC3162]  The IPv6 Interface Identifier
                                          associated with the session;
                                          always sent with
                                          Framed-IPv6-Prefix.
   Framed-IPv6-Prefix    97    [RFC3162]  The IPv6 prefix associated
                                          with the session, always sent
                                          with Framed-Interface-Id.
   从5.1节的安全考虑,User-Name属性应该包(SHOULD)含在
   Disconnect-Request或CoA-Request报文中;也可以(MAY)包含一个或者多个
   其它的会话标识属性。从5.2节的安全考虑,NAS-IP-Address或者
   NAS-IPv6-Address属性应该(SHOULD)包含在Disconnect-Request或
   CoA-Request报文中;也可以(MAY)包含NAS-Identifier属性。
   如果在CoA-Request报文中指明的一个或者多个授权更改不能实施,或者一个或
   者多个属性或者属性值不支持的话,必须(MUST)发送CoA-NAK报文。同样地,
   如果Disconnect-Request报文中有一个或者多个不支持的属性或者属性值,那
   么必须(MUST)发送Disconnect-NAK报文。
 

Chiba, et al.                Informational                     [Page 12]

RFC 3576       Dynamic Authorization Extensions to RADIUS      July 2003
   当值为“Authorize Only”的Service-Type属性包含在CoA-Request或
   Disconnect-Request报文中时,必须不能包含(MUST NOT)表示授权更改的属
   性,只允许包含标识属性。如果在CoA-Request报文没有包含NAS或者会话标识
   属性,必须(MUST)发送CoA-NAK报文;可以(MAY)包含一个值为
   “Unsupported Attribute”的Error-Cause属性。同样地,如果在
   Disconnect-Request报文没有包含NAS或者会话标识属性,必须(MUST)发送
   Disconnect-NAK报文;可以(MAY)包含一个值为“Unsupported Attribute”
   的Error-Cause属性。
3.1.  Error-Cause
   描述
      可能某种原因,NAS不能实现Disconnect-Request或CoA-Request消息,
      Error-Cause属性提供了该问题的详细原因。它可以(MAY)包含在
      Disconnect-ACK,Disconnect-NAK和CoA-NAK消息中。
      Error-Cause属性的格式如下所示。各个域是按照自左向右的顺序传输的。
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
              Value (cont)         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   类型
      101 代表Error-Cause
   长度
      6
   值
      值域占位4个字节,包含了表示错误原因的整数。值0-199和300-399保留,
      值200-299表示成功完成,因此这些值只可能出现在Disconnect-ACK或者
      CoA-ACK消息中,一定不能(MUST NOT)在Disconnect-NAK或CoA-NAK消息中
      发送。值400-499表示由RADIUS服务器引起的致命错误,因此这些值可以
      (MAY)出现在CoA-NAK或Disconnect-NAK消息中,必须不能(MUST NOT)出
      现在CoA-ACK或Disconnect-ACK消息中,值500-599表示发生NAS或者RADIUS
      代理上的致命错误,因此它们可以(MAY)在CoA-NAK和Disconnect-NAK消息
      中发送,必须不能(MUST NOT)在CoA-ACK或Disconnect-ACK消息中发送。
      Error-Cause属性值应该(SHOULD)有RADIUS记录下来,Error-Code属性值
      (十进制)包括如下:
     

Chiba, et al.                Informational                     [Page 13]

RFC 3576       Dynamic Authorization Extensions to RADIUS      July 2003
 
    #     Value
   ---    -----
   201    Residual Session Context Removed(残留的会话上下文已经被删除)
   202    Invalid EAP Packet (Ignored)(无效的EAP报文)
   401    Unsupported Attribute(不支持的属性)
   402    Missing Attribute(丢失属性)
   403    NAS Identification Mismatch(NAS标识不匹配)
   404    Invalid Request(无效的请求)
   405    Unsupported Service(不支持的业务)
   406    Unsupported Extension(不支持扩展)
   501    Administratively Prohibited(管理禁止)
   502    Request Not Routable (Proxy)(请求不可路由)
   503    Session Context Not Found(会话上下文不能找到)
   504    Session Context Not Removable(会话上下文不能移除)
   505    Other Proxy Processing Error(其它代理处理错误)
   506    Resources Unavailable(资源不可获得)
   507    Request Initiated(请求??)
   值“会话上下文已经被删除”在Disconnect-Request报文的回应报文中发送,
   如果用户会话不再活动,但残留的会话上下文被发现并且成功移除,该值只能
   在Disconnect-ACK报文中发送,必须不能(MUST NOT)在CoA-ACK,
   Disconnect-NAK或CoA-NAK报文中发送。
   值“无效的EAP报文”是一个非致命错误,被协议的实现必须不能(MUST NOT)
   发送该值。
   值“不支持的属性”是一个致命错误,如果请求报文包含了一个不支持的属性
   (如Vendor-Specific或EAP-Message属性)。
   
   值“丢失属性”是一个致命错误,如果请求报文中丢失了重要的属性(如NAS或
   者会话标识属性)。
   值“NAS标识不匹配”是一个致命错误,如果接收到的一个或者多个NAS标识属性(参看
   第3节)和NAS的标识不匹配。
 

Chiba, et al.                Informational                     [Page 14]

RFC 3576       Dynamic Authorization Extensions to RADIUS      July 2003

   值“无效的请求”是一个致命错误,如果请求的其它方面无效的话,如果一个
   或者多个属性(如EAP-Message属性)格式不正确。
   值“不支持的业务”是一个致命错误,如果请求报文中的Service-Type属性发
   送了无效的或者不支持的值。
   值“不支持扩展”是个致命的错误,由于缺少对扩展的支持,如Disconnect
   和/或CoA消息,试图转发请求报文给NAS时,代理接收到ICMP端口不可达消息,
   通常会发送该值。
   值“管理禁止”是个致命错误,如果NAS被配置禁止处理对某个特定会话的请求
   消息。
   值“请求不可路由”是个致命的错误,它可以(MAY)由RADIUS代理发送,但必
   须不能(MUST NOT)由NAS发送。表示RADIUS代理不能决定如何路由请求报文给
   NAS。例如:如果需要的表项不在代理的域路由表中。
   值“会话上下文不能找到”是个致命错误,如果请求报文中表示的会话上下文
   在NAS不存在。
   "Session Context Not Removable" is a fatal error sent in response to
   a Disconnect-Request if the NAS was able to locate the session
   context, but could not remove it for some reason.  It MUST NOT be
   sent within a CoA-ACK, CoA-NAK or Disconnect-ACK, only within a
   Disconnect-NAK.
   "Other Proxy Processing Error" is a fatal error sent in response to a
   Request that could not be processed by a proxy, for reasons other
   than routing.
   "Resources Unavailable" is a fatal error sent when a Request could
   not be honored due to lack of available NAS resources (memory, non-
   volatile storage, etc.).
   "Request Initiated" is a fatal error sent in response to a Request
   including a Service-Type Attribute with a value of "Authorize Only".
   It indicates that the Disconnect-Request or CoA-Request has not been
   honored, but that a RADIUS Access-Request including a Service-Type
   Attribute with value "Authorize Only" is being sent to the RADIUS
   server.
 
 
Chiba, et al.                Informational                     [Page 15]

RFC 3576       Dynamic Authorization Extensions to RADIUS      July 2003

3.2.  属性列表
   下表列出了哪个属性可以出现在哪种类型的报文中,以及可以出现几次:
   Change-of-Authorization消息
   Request   ACK      NAK   #   Attribute
   0-1       0        0     1   User-Name [Note 1]
   0-1       0        0     4   NAS-IP-Address [Note 1]
   0-1       0        0     5   NAS-Port [Note 1]
   0-1       0        0-1   6   Service-Type [Note 6]
   0-1       0        0     7   Framed-Protocol [Note 3]
   0-1       0        0     8   Framed-IP-Address [Note 1]
   0-1       0        0     9   Framed-IP-Netmask [Note 3]
   0-1       0        0    10   Framed-Routing [Note 3]
   0+        0        0    11   Filter-ID [Note 3]
   0-1       0        0    12   Framed-MTU [Note 3]
   0+        0        0    13   Framed-Compression [Note 3]
   0+        0        0    14   Login-IP-Host [Note 3]
   0-1       0        0    15   Login-Service [Note 3]
   0-1       0        0    16   Login-TCP-Port [Note 3]
   0+        0        0    18   Reply-Message [Note 2]
   0-1       0        0    19   Callback-Number [Note 3]
   0-1       0        0    20   Callback-Id [Note 3]
   0+        0        0    22   Framed-Route [Note 3]
   0-1       0        0    23   Framed-IPX-Network [Note 3]
   0-1       0-1      0-1  24   State [Note 7]
   0+        0        0    25   Class [Note 3]
   0+        0        0    26   Vendor-Specific [Note 3]
   0-1       0        0    27   Session-Timeout [Note 3]
   0-1       0        0    28   Idle-Timeout [Note 3]
   0-1       0        0    29   Termination-Action [Note 3]
   0-1       0        0    30   Called-Station-Id [Note 1]
   0-1       0        0    31   Calling-Station-Id [Note 1]
   0-1       0        0    32   NAS-Identifier [Note 1]
   0+        0+       0+   33   Proxy-State
   0-1       0        0    34   Login-LAT-Service [Note 3]
   0-1       0        0    35   Login-LAT-Node [Note 3]
   0-1       0        0    36   Login-LAT-Group [Note 3]
   0-1       0        0    37   Framed-AppleTalk-Link [Note 3]
   0+        0        0    38   Framed-AppleTalk-Network [Note 3]
   0-1       0        0    39   Framed-AppleTalk-Zone [Note 3]
   0-1       0        0    44   Acct-Session-Id [Note 1]
   0-1       0        0    50   Acct-Multi-Session-Id [Note 1]
   0-1       0-1      0-1  55   Event-Timestamp
   0-1       0        0    61   NAS-Port-Type [Note 1]
   Request   ACK      NAK   #   Attribute
 
Chiba, et al.                Informational                     [Page 16]

RFC 3576       Dynamic Authorization Extensions to RADIUS      July 2003

   Request   ACK      NAK   #   Attribute
   0-1       0        0    62   Port-Limit [Note 3]
   0-1       0        0    63   Login-LAT-Port [Note 3]
   0+        0        0    64   Tunnel-Type [Note 5]
   0+        0        0    65   Tunnel-Medium-Type [Note 5]
   0+        0        0    66   Tunnel-Client-Endpoint [Note 5]
   0+        0        0    67   Tunnel-Server-Endpoint [Note 5]
   0+        0        0    69   Tunnel-Password [Note 5]
   0-1       0        0    71   ARAP-Features [Note 3]
   0-1       0        0    72   ARAP-Zone-Access [Note 3]
   0+        0        0    78   Configuration-Token [Note 3]
   0+        0-1      0    79   EAP-Message [Note 2]
   0-1       0-1      0-1  80   Message-Authenticator
   0+        0        0    81   Tunnel-Private-Group-ID [Note 5]
   0+        0        0    82   Tunnel-Assignment-ID [Note 5]
   0+        0        0    83   Tunnel-Preference [Note 5]
   0-1       0        0    85   Acct-Interim-Interval [Note 3]
   0-1       0        0    87   NAS-Port-Id [Note 1]
   0-1       0        0    88   Framed-Pool [Note 3]
   0+        0        0    90   Tunnel-Client-Auth-ID [Note 5]
   0+        0        0    91   Tunnel-Server-Auth-ID [Note 5]
   0-1       0        0    94   Originating-Line-Info [Note 1]
   0-1       0        0    95   NAS-IPv6-Address [Note 1]
   0-1       0        0    96   Framed-Interface-Id [Note 1]
   0+        0        0    97   Framed-IPv6-Prefix [Note 1]
   0+        0        0    98   Login-IPv6-Host [Note 3]
   0+        0        0    99   Framed-IPv6-Route [Note 3]
   0-1       0        0   100   Framed-IPv6-Pool [Note 3]
   0         0        0+  101   Error-Cause
   Request   ACK      NAK   #   Attribute
   Disconnect消息
   Request   ACK      NAK   #   Attribute
   0-1       0        0     1   User-Name [Note 1]
   0-1       0        0     4   NAS-IP-Address [Note 1]
   0-1       0        0     5   NAS-Port [Note 1]
   0-1       0        0-1   6   Service-Type [Note 6]
   0-1       0        0     8   Framed-IP-Address [Note 1]
   0+        0        0    18   Reply-Message [Note 2]
   0-1       0-1      0-1  24   State [Note 7]
   0+        0        0    25   Class [Note 4]
   0+        0        0    26   Vendor-Specific
   0-1       0        0    30   Called-Station-Id [Note 1]
   0-1       0        0    31   Calling-Station-Id [Note 1]
   0-1       0        0    32   NAS-Identifier [Note 1]
   0+        0+       0+   33   Proxy-State
   Request   ACK      NAK   #   Attribute
 
Chiba, et al.                Informational                     [Page 17]

RFC 3576       Dynamic Authorization Extensions to RADIUS      July 2003

   Request   ACK      NAK   #   Attribute
   0-1       0        0    44   Acct-Session-Id [Note 1]
   0-1       0-1      0    49   Acct-Terminate-Cause
   0-1       0        0    50   Acct-Multi-Session-Id [Note 1]
   0-1       0-1      0-1  55   Event-Timestamp
   0-1       0        0    61   NAS-Port-Type [Note 1]
   0+        0-1      0    79   EAP-Message [Note 2]
   0-1       0-1      0-1  80   Message-Authenticator
   0-1       0        0    87   NAS-Port-Id [Note 1]
   0-1       0        0    94   Originating-Line-Info [Note 1]
   0-1       0        0    95   NAS-IPv6-Address [Note 1]
   0-1       0        0    96   Framed-Interface-Id [Note 1]
   0+        0        0    97   Framed-IPv6-Prefix [Note 1]
   0         0+       0+  101   Error-Cause
   Request   ACK      NAK   #   Attribute
   [注1]当NAS或会话标识属性包含在Disconnect-Request或CoA-Request消息中
   时,它们只做为标识之用。这些属性必须不能(MUST NOT)用于标识之外的目
   的,(即在CoA-Request消息中请求授权更改)。
   [注2]Reply-Message属性被用来表示显示给用户的消息,该消息只在
   Disconnect-Request或CoA-Request报文成功处理时(后续会发送
   Disconnect-ACK或CoA-ACK报文)显示。当用EAP做为认证方式,
   EAP-Message/Notification-Request属性做为显示给用户的消息,
   Disconnect-ACK或CoA-ACK消息包含EAP-Message/Notification-Response属
   性。
   [注3]当包含在CoA-Request报文中时,这些属性表示授权更改请求,当这些属
   性之一在CoA-Request报文中略去,NAS假定该属性值保持不变,包含在
   CoA-Request报文中的属性替换了所有的已存在的相同属性类型的值。
   [注4]当包含在成功处理的Disconnect-Request中时(后续会发送
   Disconnect-ACK报文),Class属性应该(SHOULD)在由客户端发送往计费服务
   器的计费结束报文中不能被修改。如果Disconnect-Request报文没有成功处
   理,那么Class属性不能被处理。
   [注5]当包含在CoA-Request报文中时,这些属性表示授权更改请求,当在成功
   处理的CoA-Request报文中发送隧道属性,删除所有已存在的隧道属性,以修改
   属性代替。
 
 
Chiba, et al.                Informational                     [Page 18]

RFC 3576       Dynamic Authorization Extensions to RADIUS      July 2003

   [注6]当包含在Disconnect-Request或CoA-Request消息中时,一个值为
   “Authorize Only”的Service-Type属性表示请求报文只包含了NAS和会话表示
   属性,NAS应该(should)试图通过发送携带值为“Authorize Only”的
   Service-Type属性的接入请求报文重认证。这种用法和Diameter协议的用法类
   似,因此很容易在这两个协议中传输。在CoA-Request和Disconnect-Request消
   息中支持Service-Type属性是可选的,当没有包含Service-Type属性时,请求
   报文可能(may)包含标识和授权属性。如果NAS不支持在Disconnect-Request
   消息中包含值为“Authorize Only”的Service-Type属性,则必须(MUST)回
   应一个不携带Service-Type属性的Disconnect-NAK消息,该消息可能(MAY)包
   含值为“Unsupported Service”的Error-Cause属性。如果NAS不支持在
   CoA-Request消息中包含值为“Authorize Only”的Service-Type属性,则必须
   (MUST)回应一个不携带Service-Type属性的CoA-NAK消息,该消息可能(MAY)包
   含值为“Unsupported Service”的Error-Cause属性。
   支持在Disconnect-Request或CoA-Request消息中携带值为“Authorize Only”
   的Service-Type属性的NAS必须(MUST)分别回应Disconnect-NAK或CoA-NAK消
   息,该消息包含值为“Authorize Only”的Service-Type属性和值为“Request
   Initiated”的Error-Cause属性。NAS然后发送一个携带值为“Authorize
   Only”的Service-Type属性的接入请求报文给RADIUS服务器。该接入请求报文
   应该(SHOULD)包含Disconnect或CoA-Request的NAS属性,如可以合法的包含
   在接入请求报文(在[RFC2865],[RFC2868],[RFC2869]和[RFC3162]定义)中
   的会话属性。如[RFC2869]的第5.19节提到的,Message-Authenticator属性应
   该(SHOULD)包含在没有包含User-Password,CHAP-Password,ARAP-Password
   或EAP-Message属性的接入请求报文中,RADIUS服务器应该(should)发送回接
   入成功回应报文(重新)授权会话或者发送回接入拒绝回应报文拒绝(重新)
   授权会话。
   [注7]State属性用在由RADIUS服务器发送往NAS的Disconnect-Request或
   CoA-Request消息中,必须(MUST)不能更改地在后续ACK或AK消息中由NAS发送
   回服务器。如果携带了State属性的Disconnect-Request或CoA-Request消息中
   携带了值为“Authorize Only”的Service-Type属性。那么如果有State属性的
   话,在后续发往RADIUS服务器的接入请求报文中必须(MUST)携带上没有更改
   的State属性。State属性也用在由RADIUS服务器发往NAS的携带了值为
   “RADIUS-Request”的Termination-Action属性的CoA-Request报文中。如果当
   前会话中断时,客户端根据Termination-Action属性发送了一个新的接入请求
   报文,该报文必须(MUST)携带上没有更改的State属性,在以上的任一个用法
   中,客户端必须不能(MUST NOT)在本地解释State属性。Disconnect-Request
   或CoA-Request报文必须(must)只能有0个或者1个State属性。State属性的用
   法由各实现独立实现。如果RADIUS服务在接入请求报文中不认可State属性,它
   必须(MUST)发送接入拒绝回应报文。
 
Chiba, et al.                Informational                     [Page 19]

RFC 3576       Dynamic Authorization Extensions to RADIUS      July 2003

   下表说明上表各表项的含义:
   0     该属性必须不能(MUST NOT)出现在该类型报文中。
   0+    0个或者多个该属性的实例可以(MAY)出现在该类型报文中。
   0-1   0个或者1个该属性的实例可以(MAY)出现在该类型报文中。
   1     该属性必须且只能有(MUST)一个实例出现在该类型的报文中。

4.  IANA事项
   本文档使用RADIUS [RFC2865]命名空间,参见
   。本节有六个需要修改的
   地方:RADIUS报文类型代码。这些报文类型分配在[RADIANA]中:
   40 - Disconnect-Request
   41 - Disconnect-ACK
   42 - Disconnect-NAK
   43 - CoA-Request
   44 - CoA-ACK
   45 - CoA-NAK
   分配了一个新的Service-Type属性值“Authorize Only”。本文档也使用了UDP
   [RFC768]名称空间,参见。
   作者要求从注册端口号范围内分配一个端口号。最后本文给Error-Cause属性分
   配了如下的十进制值:
    #     Value
   ---    -----
   201    Residual Session Context Removed
   202    Invalid EAP Packet (Ignored)
   401    Unsupported Attribute
   402    Missing Attribute
   403    NAS Identification Mismatch
   404    Invalid Request
   405    Unsupported Service
   406    Unsupported Extension
   501    Administratively Prohibited
   502    Request Not Routable (Proxy)
 
Chiba, et al.                Informational                     [Page 20]

RFC 3576       Dynamic Authorization Extensions to RADIUS      July 2003

   503    Session Context Not Found
   504    Session Context Not Removable
   505    Other Proxy Processing Error
   506    Resources Unavailable
   507    Request Initiated
5.  Security Considerations
5.1.  Authorization Issues
   Where a NAS is shared by multiple providers, it is undesirable for
   one provider to be able to send Disconnect-Request or CoA-Requests
   affecting the sessions of another provider.
   A NAS or RADIUS proxy MUST silently discard Disconnect-Request or
   CoA-Request messages from untrusted sources.  By default, a RADIUS
   proxy SHOULD perform a "reverse path forwarding" (RPF) check to
   verify that a Disconnect-Request or CoA-Request originates from an
   authorized RADIUS server.  In addition, it SHOULD be possible to
   explicitly authorize additional sources of Disconnect-Request or
   CoA-Request packets relating to certain classes of sessions.  For
   example, a particular source can be explicitly authorized to send
   CoA-Request messages relating to users within a set of realms.
   To perform the RPF check, the proxy uses the session identification
   attributes included in Disconnect-Request or CoA-Request messages, in
   order to determine the RADIUS server(s) to which an equivalent
   Access-Request could be routed.  If the source address of the
   Disconnect-Request or CoA-Request is within this set, then the
   Request is forwarded; otherwise it MUST be silently discarded.
   Typically the proxy will extract the realm from the Network Access
   Identifier [RFC2486] included within the User-Name Attribute, and
   determine the corresponding RADIUS servers in the proxy routing
   tables.  The RADIUS servers for that realm  are then compared against
   the source address of the packet.  Where no RADIUS proxy is present,
   the RPF check will need to be performed by the NAS itself.
   Since authorization to send a Disconnect-Request or CoA-Request is
   determined based on the source address and the corresponding shared
   secret, the NASes or proxies SHOULD configure a different shared
   secret for each RADIUS server.
 
 
 
 
Chiba, et al.                Informational                     [Page 21]

RFC 3576       Dynamic Authorization Extensions to RADIUS      July 2003

5.2.  Impersonation
   [RFC2865] Section 3 states:
      A RADIUS server MUST use the source IP address of the RADIUS UDP
      packet to decide which shared secret to use, so that RADIUS
      requests can be proxied.
   When RADIUS requests are forwarded by a proxy, the NAS-IP-Address or
   NAS-IPv6-Address Attributes will typically not match the source
   address observed by the RADIUS server.  Since the NAS-Identifier
   Attribute need not contain an FQDN, this attribute may not be
   resolvable to the source address observed by the RADIUS server, even
   when no proxy is present.
   As a result, the authenticity check performed by a RADIUS server or
   proxy does not verify the correctness of NAS identification
   attributes.  This makes it possible for a rogue NAS to forge NAS-IP-
   Address, NAS-IPv6-Address or NAS-Identifier Attributes within a
   RADIUS Access-Request in order to impersonate another NAS.  It is
   also possible for a rogue NAS to forge session identification
   attributes such as the Called-Station-Id, Calling-Station-Id, or
   Originating-Line-Info [NASREQ].  This could fool the RADIUS server
   into sending Disconnect-Request or CoA-Request messages containing
   forged session identification attributes to a NAS targeted by an
   attacker.
   To address these vulnerabilities RADIUS proxies SHOULD check whether
   NAS identification attributes (see Section 3.) match the source
   address of packets originating from the NAS.  Where one or more
   attributes do not match, Disconnect-Request or CoA-Request messages
   SHOULD be silently discarded.
   Such a check may not always be possible.  Since the NAS-Identifier
   Attribute need not correspond to an FQDN, it may not be resolvable to
   an IP address to be matched against the source address.  Also, where
   a NAT exists between the RADIUS client and proxy, checking the NAS-
   IP-Address or NAS-IPv6-Address Attributes may not be feasible.
5.3.  IPsec Usage Guidelines
   In addition to security vulnerabilities unique to Disconnect or CoA
   messages, the protocol exchanges described in this document are
   susceptible to the same vulnerabilities as RADIUS [RFC2865].  It is
   RECOMMENDED that IPsec be employed to afford better security.
 
 

Chiba, et al.                Informational                     [Page 22]

RFC 3576       Dynamic Authorization Extensions to RADIUS      July 2003

   Implementations of this specification SHOULD support IPsec [RFC2401]
   along with IKE [RFC2409] for key management.  IPsec ESP [RFC2406]
   with a non-null transform SHOULD be supported, and IPsec ESP with a
   non-null encryption transform and authentication support SHOULD be
   used to provide per-packet confidentiality, authentication, integrity
   and replay protection.  IKE SHOULD be used for key management.
   Within RADIUS [RFC2865], a shared secret is used for hiding
   Attributes such as User-Password, as well as used in computation of
   the Response Authenticator.  In RADIUS accounting [RFC2866], the
   shared secret is used in computation of both the Request
   Authenticator and the Response Authenticator.
   Since in RADIUS a shared secret is used to provide confidentiality as
   well as integrity protection and authentication, only use of IPsec
   ESP with a non-null transform can provide security services
   sufficient to substitute for RADIUS application-layer security.
   Therefore, where IPsec AH or ESP null is used, it will typically
   still be necessary to configure a RADIUS shared secret.
   Where RADIUS is run over IPsec ESP with a non-null transform, the
   secret shared between the NAS and the RADIUS server MAY NOT be
   configured.  In this case, a shared secret of zero length MUST be
   assumed.  However, a RADIUS server that cannot know whether incoming
   traffic is IPsec-protected MUST be configured with a non-null RADIUS
   shared secret.
   When IPsec ESP is used with RADIUS, per-packet authentication,
   integrity and replay protection MUST be used.  3DES-CBC MUST be
   supported as an encryption transform and AES-CBC SHOULD be supported.
   AES-CBC SHOULD be offered as a preferred encryption transform if
   supported.  HMAC-SHA1-96 MUST be supported as an authentication
   transform.  DES-CBC SHOULD NOT be used as the encryption transform.
   A typical IPsec policy for an IPsec-capable RADIUS client is
   "Initiate IPsec, from me to any destination port UDP 1812".  This
   IPsec policy causes an IPsec SA to be set up by the RADIUS client
   prior to sending RADIUS traffic.  If some RADIUS servers contacted by
   the client do not support IPsec, then a more granular policy will be
   required: "Initiate IPsec, from me to IPsec-Capable-RADIUS-Server,
   destination port UDP 1812."
   For a client implementing this specification, the policy would be
   "Accept IPsec, from any to me, destination port UDP 3799".  This
   causes the RADIUS client to accept (but not require) use of IPsec.
   It may not be appropriate to require IPsec for all RADIUS servers
   connecting to an IPsec-enabled RADIUS client, since some RADIUS
   servers may not support IPsec.
 
Chiba, et al.                Informational                     [Page 23]

RFC 3576       Dynamic Authorization Extensions to RADIUS      July 2003

   For an IPsec-capable RADIUS server, a typical IPsec policy is "Accept
   IPsec, from any to me, destination port 1812".  This causes the
   RADIUS server to accept (but not require) use of IPsec.  It may not
   be appropriate to require IPsec for all RADIUS clients connecting to
   an IPsec-enabled RADIUS server, since some RADIUS clients may not
   support IPsec.
   For servers implementing this specification, the policy would be
   "Initiate IPsec, from me to any, destination port UDP 3799".  This
   causes the RADIUS server to initiate IPsec when sending RADIUS
   extension traffic to any RADIUS client.  If some RADIUS clients
   contacted by the server do not support IPsec, then a more granular
   policy will be required, such as "Initiate IPsec, from me to IPsec-
   capable-RADIUS-client, destination port UDP 3799".
   Where IPsec is used for security, and no RADIUS shared secret is
   configured, it is important that the RADIUS client and server perform
   an authorization check.  Before enabling a host to act as a RADIUS
   client, the RADIUS server SHOULD check whether the host is authorized
   to provide network access.  Similarly, before enabling a host to act
   as a RADIUS server, the RADIUS client SHOULD check whether the host
   is authorized for that role.
   RADIUS servers can be configured with the IP addresses (for IKE
   Aggressive Mode with pre-shared keys) or FQDNs (for certificate
   authentication) of RADIUS clients.  Alternatively, if a separate
   Certification Authority (CA) exists for RADIUS clients, then the
   RADIUS server can configure this CA as a trust anchor [RFC3280] for
   use with IPsec.
   Similarly, RADIUS clients can be configured with the IP addresses
   (for IKE Aggressive Mode with pre-shared keys) or FQDNs (for
   certificate authentication) of RADIUS servers.  Alternatively, if a
   separate CA exists for RADIUS servers, then the RADIUS client can
   configure this CA as a trust anchor for use with IPsec.
   Since unlike SSL/TLS, IKE does not permit certificate policies to be
   set on a per-port basis, certificate policies need to apply to all
   uses of IPsec on RADIUS clients and servers.  In IPsec deployment
   supporting only certificate authentication, a management station
   initiating an IPsec-protected telnet session to the RADIUS server
   would need to obtain a certificate chaining to the RADIUS client CA.
   Issuing such a certificate might not be appropriate if the management
   station was not authorized as a RADIUS client.
   Where RADIUS clients may obtain their IP address dynamically (such as
   an Access Point supporting DHCP), Main Mode with pre-shared keys
   [RFC2409] SHOULD NOT be used, since this requires use of a group
 
Chiba, et al.                Informational                     [Page 24]

RFC 3576       Dynamic Authorization Extensions to RADIUS      July 2003

   pre-shared key; instead, Aggressive Mode SHOULD be used.  Where
   RADIUS client addresses are statically assigned, either Aggressive
   Mode or Main Mode MAY be used.  With certificate authentication, Main
   Mode SHOULD be used.
   Care needs to be taken with IKE Phase 1 Identity Payload selection in
   order to enable mapping of identities to pre-shared keys, even with
   Aggressive Mode.  Where the ID_IPV4_ADDR or ID_IPV6_ADDR Identity
   Payloads are used and addresses are dynamically assigned, mapping of
   identities to keys is not possible, so that group pre-shared keys are
   still a practical necessity.  As a result, the ID_FQDN identity
   payload SHOULD be employed in situations where Aggressive mode is
   utilized along with pre-shared keys and IP addresses are dynamically
   assigned.  This approach also has other advantages, since it allows
   the RADIUS server and client to configure themselves based on the
   fully qualified domain name of their peers.
   Note that with IPsec, security services are negotiated at the
   granularity of an IPsec SA, so that RADIUS exchanges requiring a set
   of security services different from those negotiated with existing
   IPsec SAs will need to negotiate a new IPsec SA.  Separate IPsec SAs
   are also advisable where quality of service considerations dictate
   different handling RADIUS conversations.  Attempting to apply
   different quality of service to connections handled by the same IPsec
   SA can result in reordering, and falling outside the replay window.
   For a discussion of the issues, see [RFC2983].
5.4.  Replay Protection
   Where IPsec replay protection is not used, the Event-Timestamp (55)
   Attribute [RFC2869] SHOULD be included within all messages.  When
   this attribute is present, both the NAS and the RADIUS server MUST
   check that the Event-Timestamp Attribute is current within an
   acceptable time window.  If the Event-Timestamp Attribute is not
   current, then the message MUST be silently discarded.  This implies
   the need for time synchronization within the network, which can be
   achieved by a variety of means, including secure NTP, as described in
   [NTPAUTH].
   Both the NAS and the RADIUS server SHOULD be configurable to silently
   discard messages lacking an Event-Timestamp Attribute.  A default
   time window of 300 seconds is recommended.
 
 
 
 
Chiba, et al.                Informational                     [Page 25]

RFC 3576       Dynamic Authorization Extensions to RADIUS      July 2003

6.  Example Traces
   Disconnect Request with User-Name:
    0: xxxx xxxx xxxx xxxx xxxx 2801 001c 1b23    .B.....$.-(....#
   16: 624c 3543 ceba 55f1 be55 a714 ca5e 0108    bL5C..U..U...^..
   32: 6d63 6869 6261
   Disconnect Request with Acct-Session-ID:
    0: xxxx xxxx xxxx xxxx xxxx 2801 001e ad0d    .B..... ~.(.....
   16: 8e53 55b6 bd02 a0cb ace6 4e38 77bd 2c0a    .SU.......N8w.,.
   32: 3930 3233 3435 3637                        90234567
   Disconnect Request with Framed-IP-Address:
    0: xxxx xxxx xxxx xxxx xxxx 2801 001a 0bda    .B....."2.(.....
   16: 33fe 765b 05f0 fd9c c32a 2f6b 5182 0806    3.v[.....*/kQ...
   32: 0a00 0203
7.  References
7.1.  Normative References
   [RFC1305]      Mills, D., "Network Time Protocol (version 3)
                  Specification, Implementation and Analysis", RFC 1305,
                  March 1992.
   [RFC1321]      Rivest, R., "The MD5 Message-Digest Algorithm", RFC
                  1321, April 1992.
   [RFC2104]      Krawczyk, H., Bellare, M. and R. Canetti, "HMAC:
                  Keyed-Hashing for Message Authentication", RFC 2104,
                  February 1997.
   [RFC2119]      Bradner, S., "Key words for use in RFCs to Indicate
                  Requirement Levels", BCP 14, RFC 2119, March 1997.
   [RFC2401]      Kent, S. and R. Atkinson, "Security Architecture for
                  the Internet Protocol", RFC 2401, November 1998.
   [RFC2406]      Kent, S. and R. Atkinson, "IP Encapsulating Security
                  Payload (ESP)", RFC 2406, November 1998.
   [RFC2409]      Harkins, D. and D. Carrel, "The Internet Key Exchange
                  (IKE)", RFC 2409, November 1998.
 
 
Chiba, et al.                Informational                     [Page 26]

RFC 3576       Dynamic Authorization Extensions to RADIUS      July 2003

   [RFC2434]      Narten, T. and H. Alvestrand, "Guidelines for Writing
                  an IANA Considerations Section in RFCs", BCP 26, RFC
                  2434, October 1998.
   [RFC2486]      Aboba, B. and M. Beadles, "The Network Access
                  Identifier", RFC 2486, January 1999.
   [RFC2865]      Rigney, C., Willens, S., Rubens, A. and W. Simpson,
                  "Remote Authentication Dial In User Service (RADIUS)",
                  RFC 2865, June 2000.
   [RFC2866]      Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
   [RFC2869]      Rigney, C., Willats, W. and P. Calhoun, "RADIUS
                  Extensions", RFC 2869, June 2000.
   [RFC3162]      Aboba, B., Zorn, G. and D. Mitton, "RADIUS and IPv6",
                  RFC 3162, August 2001.
   [RFC3280]      Housley, R., Polk, W., Ford, W. and D. Solo, "Internet
                  X.509 Public Key Infrastructure Certificate and
                  Certificate Revocation List (CRL) Profile", RFC 3280,
                  April 2002.
   [RADIANA]      Aboba, B., "IANA Considerations for RADIUS (Remote
                  Authentication Dial In User Service)", RFC 3575, July
                  2003.
7.2.  Informative References
   [RFC2882]      Mitton, D., "Network Access Server Requirements:
                  Extended RADIUS Practices", RFC 2882, July 2000.
   [RFC2983]      Black, D. "Differentiated Services and Tunnels", RFC
                  2983, October 2000.
   [AAATransport] Aboba,  B. and J. Wood, "Authentication, Authorization
                  and Accounting (AAA) Transport Profile", RFC 3539,
                  June 2003.
   [Diameter]     Calhoun, P., et al., "Diameter Base Protocol", Work in
                  Progress.
   [MD5Attack]    Dobbertin, H., "The Status of MD5 After a Recent
                  Attack", CryptoBytes Vol.2 No.2, Summer 1996.
   [NASREQ]       Calhoun, P., et al., "Diameter Network Access Server
                  Application", Work in Progress.
 
Chiba, et al.                Informational                     [Page 27]

你可能感兴趣的:(RADIUS)