Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)
RFC 5176

Document type: RFC - Informational (January 2008; Errata)
Obsoletes RFC 3576
Document stream: IETF
Last updated: 2013-03-02

IESG State: RFC 5176 (Informational)
Responsible AD: Dan Romascanu

Network Working Group                                           M. Chiba
Request for Comments: 5176                                    G. Dommety
Obsoletes: 3576                                                M. Eklund
Category: Informational                              Cisco Systems, Inc.
                                                               D. Mitton
                                           RSA, Security Division of EMC
                                                                B. Aboba
                                                   Microsoft Corporation
                                                            January 2008

                  Dynamic Authorization Extensions to
          Remote Authentication Dial In User Service (RADIUS)

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Abstract

   This document describes a currently deployed extension to the Remote
   Authentication Dial In User Service (RADIUS) protocol, allowing
   dynamic changes to a user session, as implemented by network access
   server products.  This includes support for disconnecting users and
   changing authorizations applicable to a user session.

Chiba, et al.                Informational                      [Page 1]
RFC 5176       Dynamic Authorization Extensions to RADIUS   January 2008

Table of Contents

   1. Introduction ....................................................2
      1.1. Applicability ..............................................3
      1.2. Requirements Language ......................................4
      1.3. Terminology ................................................4
   2. Overview ........................................................4
      2.1. Disconnect Messages (DMs) ..................................5
      2.2. Change-of-Authorization (CoA) Messages .....................5
      2.3. Packet Format ..............................................6
   3. Attributes .....................................................10
      3.1. Proxy State ...............................................12
      3.2. Authorize Only ............................................13
      3.3. State .....................................................14
      3.4. Message-Authenticator .....................................15
      3.5. Error-Cause ...............................................16
      3.6. Table of Attributes .......................................20
   4. Diameter Considerations ........................................24
   5. IANA Considerations ............................................26
   6. Security Considerations ........................................26
      6.1. Authorization Issues ......................................26
      6.2. IPsec Usage Guidelines ....................................27
      6.3. Replay Protection .........................................28
   7. Example Traces .................................................28
   8. References .....................................................29
      8.1. Normative References ......................................29
      8.2. Informative References ....................................30
   9. Acknowledgments ................................................30
   Appendix A ........................................................31

1.  Introduction

   The RADIUS protocol, defined in [RFC2865], does not support
   unsolicited messages sent from the RADIUS server to the Network
   Access Server (NAS).

   However, there are many instances in which it is desirable for
   changes to be made to session characteristics, without requiring the
   NAS to initiate the exchange.  For example, it may be desirable for
   administrators to be able to terminate user session(s) in progress.
   Alternatively, if the user changes authorization level, this may
   require that authorization attributes be added/deleted from user
   session(s).

   To overcome these limitations, several vendors have implemented
   additional RADIUS commands in order to enable unsolicited messages to
   be sent to the NAS.  These extended commands provide support for
   Disconnect and Change-of-Authorization (CoA) packets.  Disconnect
   packets cause user session(s) to be terminated immediately, whereas
   CoA packets modify session authorization attributes such as data
   filters.
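As an added illustration (not code from the RFC), the Python below shows the two sides of such an unsolicited exchange: the server builds a Disconnect-Request, and the NAS refuses to terminate a session unless the Request Authenticator proves the sender holds the shared secret. It uses the packet codes and the Request/Response Authenticator construction that RFC 5176 section 2.3 defines (that section is not reproduced in this excerpt); the shared secret, user name and session id are constructed placeholders.

```python
import hashlib
import hmac
import struct

# Packet codes from RFC 5176 section 2.3 (that section is not in this excerpt)
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45


def attr(type_code, value):
    """Encode one RADIUS attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", type_code, 2 + len(value)) + value


def build_request(code, identifier, attributes, secret):
    """Server side: Request Authenticator = MD5(Code + Identifier + Length
    + 16 zero octets + Attributes + Secret), as RFC 5176 section 2.3 specifies."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    auth = hashlib.md5(header + b"\x00" * 16 + attributes + secret).digest()
    return header + auth + attributes


def verify_request(packet, secret):
    """NAS side: act on an unsolicited request only if the Length field
    matches the datagram and the Request Authenticator was computed with the
    shared secret; anything else is silently dropped, never acted upon."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return False
    attributes = packet[20:]
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + attributes + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])  # constant-time compare


def build_response(code, request, attributes, secret):
    """NAS side: Response Authenticator = MD5(Code + Identifier + Length
    + Request Authenticator + Attributes + Secret); Identifier echoes the request."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attributes))
    auth = hashlib.md5(header + request[4:20] + attributes + secret).digest()
    return header + auth + attributes


# Constructed sample session: User-Name (type 1) and Acct-Session-Id (type 44).
# The secret is a placeholder, not a real deployment value.
SECRET = b"placeholder-shared-secret"
SESSION_ATTRS = attr(1, b"alice") + attr(44, b"0000A1B2")
```

Identifier matching and the replay window that Section 6.3 discusses are left to the caller; this block covers only the authenticator and length checks.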

1.1.  Applicability

   This protocol is being recommended for publication as an
   Informational RFC rather than as a standards-track RFC because of
