Common Remote Authentication Dial In User Service (RADIUS) Implementation Issues and Suggested Fixes
RFC 5080

Document type: RFC - Proposed Standard (December 2007; No errata)
Document stream: IETF
Last updated: 2013-03-02

IETF State: (None)
Consensus: Unknown
Document shepherd: No shepherd assigned

IESG State: RFC 5080 (Proposed Standard)
Responsible AD: Dan Romascanu
Send notices to: radext-chairs@tools.ietf.org

Network Working Group                                          D. Nelson
Request for Comments: 5080                          Elbrys Networks, Inc
Updates: 2865, 2866, 2869, 3579                                 A. DeKok
Category: Standards Track                                     FreeRADIUS
                                                           December 2007

       Common Remote Authentication Dial In User Service (RADIUS)
               Implementation Issues and Suggested Fixes

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Abstract

   This document describes common issues seen in Remote Authentication
   Dial In User Service (RADIUS) implementations and suggests some
   fixes.  Where applicable, ambiguities and errors in previous RADIUS
   specifications are clarified.

Nelson & DeKok              Standards Track                     [Page 1]
RFC 5080                 RADIUS Issues & Fixes             December 2007

Table of Contents

   1. Introduction ....................................................2
      1.1. Terminology ................................................3
      1.2. Requirements Language ......................................3
   2. Issues ..........................................................3
      2.1. Session Definition .........................................3
           2.1.1. State Attribute .....................................3
           2.1.2. Request-ID Supplementation ..........................6
      2.2. Overload Conditions ........................................7
           2.2.1. Retransmission Behavior .............................7
           2.2.2. Duplicate Detection and Orderly Delivery ...........10
           2.2.3. Server Response to Overload ........................11
      2.3. Accounting Issues .........................................12
           2.3.1. Attributes Allowed in an Interim Update ............12
           2.3.2. Acct-Session-Id and Acct-Multi-Session-Id ..........12
           2.3.3. Request Authenticator ..............................13
           2.3.4. Interim-Accounting-Interval ........................13
           2.3.5. Counter Values in the RADIUS Management
                  Information Base (MIB) .............................14
      2.4. Multiple Filter-ID Attributes .............................15
      2.5. Mandatory and Optional Attributes .........................16
      2.6. Interpretation of Access-Reject ...........................18
           2.6.1. Improper Use of Access-Reject ......................18
           2.6.2. Service Request Denial .............................19
      2.7. Addressing ................................................20
           2.7.1. Link-Local Addresses ...............................20
           2.7.2. Multiple Addresses .................................20
      2.8. Idle-Timeout ..............................................21
      2.9. Unknown Identity ..........................................21
      2.10. Responses After Retransmissions ..........................22
      2.11. Framed-IPv6-Prefix .......................................23
   3. Security Considerations ........................................24
   4. References .....................................................25
      4.1. Normative References ......................................25
      4.2. Informative References ....................................25

1.  Introduction

   The last few years have seen an increase in the deployment of RADIUS
   clients and servers.  This document describes common issues seen in
   RADIUS implementations and suggests some fixes.  Where applicable,
   ambiguities and errors in previous RADIUS specifications are
   clarified.

1.1.  Terminology

   This document uses the following terms:

   Network Access Server (NAS)
      The device providing access to the network.  Also known as the
      Authenticator in IEEE 802.1X or Extensible Authentication Protocol
      (EAP) terminology, or RADIUS client.

   service
      The NAS provides a service to the user, such as network access via
      802.11 or Point to Point Protocol (PPP).

   session
      Each service provided by the NAS to a peer constitutes a session,
      with the beginning of the session defined as the point where
