Internet Draft Pat R. Calhoun
Category: Experimental US Robotics Access Corp.
expires in six months Allan Rubens
Merit Network Inc.
June 1996
Enhanced Remote Authentication Dial In User Service (RADIUS)
<draft-calhoun-enh-radius-00.txt>
Status of this Memo
Distribution of this memo is unlimited.
This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as ``work in progress.''
To learn the current status of any Internet-Draft, please check the
``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
Directories on ds.internic.net (US East Coast), nic.nordu.net
(Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific
Rim).
Abstract
This document describes a protocol for carrying authentication,
authorization, and configuration information between a Network Access
Server which desires to authenticate its links and a shared
Authentication Server. This enhanced protocol is a backward
compatible protocol which attempts to solve many deficiencies with
the existing protocol.
Calhoun expires in six months [Page 1]
DRAFT Enhanced RADIUS June 1996
1. Introduction
Enhanced RADIUS is an extension to the existing RADIUS
specification [1]. This document in itself is not complete and
should be used with the RADIUS Version 1 specification [1].
Since RADIUS Version 1 has a very limited number of available
commands and attributes, the intent of the Enhanced RADIUS
protocol is to allow for future protocol enhancements.
This document will describe the packet headers for the Enhanced
RADIUS protocol as well as any commands and attributes which
MUST be supported. An accompanying document will describe the
documentation required in order to standardize any protocol
extensions.
1.1. Specification of Requirements
In this document, several words are used to signify the
requirements of the specification. These words are often
capitalized.
MUST This word, or the adjective "required", means that the
definition is an absolute requirement of the
specification.
MUST NOT This phrase means that the definition is an absolute
prohibition of the specification.
SHOULD This word, or the adjective "recommended", means that
there may exist valid reasons in particular circumstances
to ignore this item, but the full implications must be
understood and carefully weighed before choosing a
different course.
MAY This word, or the adjective "optional", means that this
item is one of an allowed set of alternatives. An
implementation which does not include this option MUST
be prepared to interoperate with another implementation
which does include the option.
Calhoun expires in six months [Page 2]
DRAFT Enhanced RADIUS June 1996
1.2. Terminology
This document frequently uses the following terms:
silently discard
This means the implementation discards the packet without
further processing. The implementation SHOULD provide the
capability of logging the error, including the contents of
the silently discarded packet, and SHOULD record the event
in a statistics counter.
2. Packet Format
Exactly one RADIUS packet is encapsulated in the UDP Data field
[3], where the UDP Destination Port field indicates 1645.
When a reply is generated, the source and destination ports are
reversed.
A summary of the Enhanced RADIUS data format is shown below.
The fields are transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Flags | Ver | Command |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Authenticator |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Message Integrity Code |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Attributes ...
+-+-+-+-+-+-+-+-+-+-+-+-+-
Calhoun expires in six months [Page 3]
DRAFT Enhanced RADIUS June 1996
Code
The Code field is one octet, and identifies the type of RADIUS
packet. When a valid code is received, the packet format to use
is as defined in the RADIUS V1 specification [1]. When a packet
is received with an invalid Code field, it is silently discarded.
When a code of 0xFE (254) is received, it identifies an Enhanced
RADIUS packet as shown above, in which case the Command field is to
be checked. In this case the RADIUS Codes wich follow
(with the exception of 254) are passed in the Command field
instead.
RADIUS Codes (decimal) are assigned as follows:
1 Access-Request
2 Access-Accept
3 Access-Reject
4 Accounting-Request
5 Accounting-Response
11 Access-Challenge
12 Status-Server (experimental)
13 Status-Client (experimental)
254 Enhanced RADIUS packet
Flags
The Flags field is five bits, and is used in order to identify any
options. This field MUST be set to zero unless any options are
used. The following flags are defined globally for all commands:
0x1 - (Bit 12) TimeStamp is included in the Authenticator Field.
Note that additional options in the Flag field may be defined per
Command (see individual commands).
Version
The Version field is three bits, and indicates the version number
which is associated with the packet received. This field MUST be
set to 2.
Command
The Command field is two octet, and identifies the type of RADIUS
packet. When a packet is received with an invalid Code field, a
Command-Unrecognized message SHOULD be returned.
Calhoun expires in six months [Page 4]
DRAFT Enhanced RADIUS June 1996
RADIUS Commands (decimal), in addition to those shown above, are
assigned as follows:
256 Command-Unrecognized
267 NAS-Reboot-Indication
268 NAS-Reboot-Ack
Identifier
The Identifier field is two octets, and aids in matching requests
and replies.
Length
The Length field is two octets. It indicates the length of the
packet including the header fields. Octets outside the range of
the Length field should be treated as padding and should be
ignored on reception.
Authenticator
The Authenticator field is a random 16 octet value. This field adds
randomness to the packets and makes the guessing of the shared
secret much more diffcult to the malicious user.
If the Timestamp option is supported, the first four octets
contains a timestamp of when the packet was sent from the peer.
This allows the protocol to detect replay attacks. The Timestamp
value is the current time relative to a base of 0:0:0 GMT
January 1, 1900.
Message Integrity Code
This field contains an MD5 hash of the following:
MD5( packet | Shared Secret )
When creating a message, the MIC must be set to all zeros before
calculating the MD5 hash. When receiving a message, the receiver
must save the MIC, set the field to all zeroes and perform the
hash function. The resulting value MUST be identical to the
value which was in the message.
3. Command Name and Command Code
Command Name: Command-Unrecognized
Command Code: 256
Calhoun expires in six months [Page 5]
DRAFT Enhanced RADIUS June 1996
Command Name: NAS-Reboot-Indicationr
Command Code: 267
Command Name: NAS-Reboot-Ack
Command Code: 268
4. Command Meanings
The Enhanced RADIUS Packet type is determined by the Command Code
field in the second and third octets of the Packet. This section will
not describe the RADIUS packets already defined in [1].
4.1. Command-Unrecognized
Description
Command-Unrecognized packets are sent by the NAS or the RADIUS
server to inform its peer that a previous packet received is
unrecognized.
Since there certainly will exist a case where an existing device
does not support a new extension to the Enhanced RADIUS protocol,
a device which receives a packet with an unrecognized Command code
SHOULD return a Command-Unrecognized packet.
For backward compatibility with RADIUS Version 1, a device MUST
support the fact that its peer may silently discard the packet.
A summary of the Command-Unrecognized packet format is shown below.
The fields are transmitted from left to right.
Calhoun expires in six months [Page 6]
DRAFT Enhanced RADIUS June 1996
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Flags | Ver | Command |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Authenticator |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Message Integrity Code |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Code
254 for Enhanced RADIUS.
Flags
The Flag field is used as described above.
Version
MUST be set to 2
Command
256 for Command-Unrecognized.
Identifier
The Identifier field is a copy of the Identifier field of the
packet which caused this event.
Length
The total length of the message, including the this header.
Calhoun expires in six months [Page 7]
DRAFT Enhanced RADIUS June 1996
Authenticator
The Authenticator field is a random 16 octet value. If the Timestamp
option is supported, the first four octets contains a timestamp of
when the packet was sent from the peer.
Message Integrity Code
This field contains an MD5 hash of the following:
MD5( packet | Shared Secret )
4.2. NAS-Reboot-Indication
Description
The NAS-Reboot-Indication message is sent from the NAS to the RADIUS
Server in order for the NAS to inform the local server that it has
rebooted. The server MUST respond to the message with a successful
acknowledge, indicating its version.
This message is used by both the NAS and the RADIUS Server in order
to exchange protocol version numbers which it supports. The NAS
MUST insert the highest version number which it supports. The
RADIUS Server must respond with the highest version which it
supports, but may not be higher than the version number requested
by the NAS.
In the case of a proxy server, the proxy is responsible for
inserting the highest version number which it supports in the
version field before sending the proxy request to the remote
RADIUS server. The proxy server may then retain the version number
of the remote server as received in the response, and must insert
its highest version number (with the limitations described above)
in the response to the NAS.
The Server may discard this information if it wishes to do so, however
it is envisioned that the Server would retain the NAS' and remote
RADIUS server's version numbers to retain backward and forward
protocol compatibility.
Calhoun expires in six months [Page 8]
DRAFT Enhanced RADIUS June 1996
A NAS MUST support the fact that it may not receive an acknowledge
to this message if the RADIUS Server does not support this version
of the protocol. In this case, if no acknowledge was receive, it
must default to version 1 messages as described in [1].
If a NAS is configured to communicate with more than one RADIUS server
it MUST issue NAS-Reboot-Indications to each such server.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Flags | Ver | Command |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Authenticator |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Message Integrity Code |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Code
254 for Enhanced RADIUS
Flags
The Flag field is used as described above.
Version
The version field is used by the NAS to indicate the highest
supported version of the RADIUS protocol. This will allow the NAS
and RADIUS Server to be able to negotiate a version of the protocol
to use between both peers.
Calhoun expires in six months [Page 9]
DRAFT Enhanced RADIUS June 1996
Command
267 for NAS-Reboot-Indication.
Identifier
The Identifier field MUST be changed whenever the content of the
Attributes field changes, and whenever a valid reply has been
received for a previous request. For retransmissions, the
Identifier MAY remain unchanged.
Length
The total length of the message, including this header.
Authenticator
The Authenticator field is a random 16 octet value. If the Timestamp
option is supported, the first four octets contain a timestamp of
when the packet was sent from the peer.
Message Integrity Code
This field contains an MD5 hash of the following:
MD5( packet | Shared Secret )
5.3. NAS-Reboot-Ack
Description
The NAS-Reboot-Ack message is sent from the RADIUS Server to the
NAS to acknowledge the receipt of the NAS-Reboot message. The
Server MUST replace the version value in the version field with the
highest version number which it supports, up to and including
the version which was included in the NAS-Reboot's version field.
The NAS may wish to ignore the version number contained in the Flag
field, however it is envisioned that the NAS would retain this
information to remove any backward compatibility problems with any
future versions of the protocol.
Calhoun expires in six months [Page 10]
DRAFT Enhanced RADIUS June 1996
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Code | Flags | Ver | Command |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Identifier | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Authenticator |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Message Integrity Code |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Code
254 for Enhanced RADIUS.
Flags
The Flag field is used as described above.
Version
The Version field is used by the RADIUS Server to inform the NAS
the highest version which it supports. The Server MUST not insert
a version which is higher than requested by the NAS. The client
MUST use the version which is reported by the Server. If the NAS
does not support the version returned by the Server, it should
default to RADIUS V1.
Command
268 for NAS-Reboot-Ack.
Identifier
The Identifier field is a copy of the Identifier field of the
packet which caused this event.
Length
The total length of the message, including this header.
Calhoun expires in six months [Page 11]
DRAFT Enhanced RADIUS June 1996
Authenticator
The Authenticator field is a random 16 octet value. If the Timestamp
option is supported, the first four octets contain a timestamp of
when the packet was sent from the peer.
Message Integrity Code
This field contains an MD5 hash of the following:
MD5( packet | Shared Secret )
6. Attributes
RADIUS Attributes carry the specific authentication, authorization,
information and configuration details for the request and reply.
Some Attributes MAY be listed more than once. The effect of this is
Attribute specific, and is specified by each such Attribute
description.
The end of the list of Attributes is indicated by the length of the
RADIUS packet.
A summary of the Attribute format is shown below. The fields are
transmitted from left to right.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Attribute Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Flags | Vendor ID (optional) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Vendor ID (opt)| Value ... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
The Type field is two octets. RADIUS Version 1 reserves the
lowest 256 attribute numbers. Up-to-date values of the RADIUS Type
field are specified in the most recent "Assigned Numbers" RFC [2].
Calhoun [Page 12]
DRAFT Resource Management Extension Specifications February 1996
Enhanced RADIUS Versions will use attribute numbers 257 and above.
Vendor Specific attributes reside within this space when the Vendor
Specific bit is set (see flags). This will allow up to 65535
trouble-free vendor specific attributes (per vendor).
Length
The Length field is two octets, and indicates the length of this
Attribute including the Type, Length, Flag, Vendor ID is present and
Value fields. If a packet is received with an Invalid length, the
packet SHOULD be rejected.
Flags
The Flags field indicates how the NAS or RADIUS Server MUST react
to the attribute. The following values are currently supported:
1 - The Device MUST support this attribute. If the attribute
is NOT supported, the device MUST reject the Command.
If this flag is not set, then the device MAY accept the
command regardless of whether or not the particular attribute
is recognized.
128 - If this bit is set, the optional Vendor ID field will be
present. When set, the attribute is a vendor specific
attribute
Value
The Value field is zero or more octets and contains information
specific to the Attribute. The format and length of the Value
field is determined by the Type and Length fields.
The format of the value field is one of five data types.
string 0-65526 octets.
address 32 bit value, most significant octet first.
extended
address Address Length is determined from the Length field, most
significant octet first. This is required in order to
support protocols which require an address length greater
than 32 bits (i.e. IPNG). Note that this type is
differentiated from the previous type by the value of length.
Calhoun expires in six months [Page 13]
DRAFT Enhanced RADIUS June 1996
integer 32 bit value, most significant octet first.
time 32 bit value, most significant octet first -- seconds
since 00:00:00 GMT, January 1, 1970.
References
[1] Rigney, et alia, "RADIUS Authentication", Internet-Draft,
Livingston, May 1995.
[2] Reynolds, J., and J. Postel, "Assigned Numbers", RFC 1700,
USC/Information Sciences Institute, October 1994.
[3] Postel, J., "User Datagram Protocol", RFC 768, USC/Information
Sciences Institute, August 1980.
[4] Calhoun, "Enhanced RADIUS Protocol Extension Specifications",
Internet-Draft, US Robotics Access Corp., May 1996.
Calhoun expires in six months [Page 14]