Internet Draft                                             Pat R. Calhoun
Category: Experimental                           US Robotics Access Corp.
expires in six months                                           July 1996

      Enhanced Remote Authentication Dial In User Service (RADIUS)
                        Dynamic Filter Change
               <draft-calhoun-enh-radius-filter-00.txt>


Status of this Memo

   Distribution of this memo is unlimited.

   This document is an Internet-Draft.  Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups.  Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as ``work in progress.''

   To learn the current status of any Internet-Draft, please check the
   ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
   Directories on ds.internic.net (US East Coast), nic.nordu.net
   (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific
   Rim).


Abstract

   This specification defines an extension to the Enhanced RADIUS
   protocol [1]. As the dial-up services grow in complexity, there is a
   need for a user's filters to change dynamically, which could be
   initiated via an out-of-band request from the user to the RADIUS
   server or by the RADIUS server itself.








Calhoun                                                          [Page 1]


DRAFT                    Dynamic Filter Change                 July 1996


Introduction

   As ISPs' service offerings expand, there is a need for a user to
   request that a new set of filters be applied to his session on the
   NAS. The existing method is to have two distinct accounts for the
   user, each with a different set of filters. A more graceful method
   is for the user to request a change of his filters with an
   out-of-band message to the RADIUS server.

   It is envisioned that the out-of-band message would contain some form
   of security, but this is outside of the scope of this document. This
   specification will detail the RADIUS protocol required between the
   NAS and the RADIUS server.


   2. Command Name and Command Code

        Command Name: RADIUS-Change-Filter-Request
        Command Code: 304

        Command Name: RADIUS-Change-Filter-Request-Ack
        Command Code: 305

        Command Name: RADIUS-Change-Filter-Request-Nak
        Command Code: 306

   3. Command Meanings

   3.1 RADIUS-Change-Filter-Request

    Description

      RADIUS-Change-Filter-Request packets are sent by the RADIUS Server
      to the NAS when a change to the user's filters is required.

      A NAS which does not support this feature MUST return a
      Command-Unrecognized message.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Code      |  Flags  | Ver |            Command            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          Identifier           |            Length             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      |                         Authenticator                         |
      |                                                               |
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      |                    Message Integrity Code                     |
      |                                                               |
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |  Attributes ...
      +-+-+-+-+-+-+-+-+-+-+-+-+-


    Code

      254 for Enhanced RADIUS.


    Flags

      The Flag field is used as defined in [1].

    Version

      MUST be set to 2.

    Command

      304 for RADIUS-Change-Filter-Request

    Identifier

      The Identifier field MUST be changed whenever the content of the
      Attributes field changes, and whenever a valid reply has been
      received for a previous request.  For retransmissions, the
      Identifier MAY remain unchanged.

    Length

      The total length of the message, including this header.

    Authenticator

      The Authenticator field is a random 16 octet value. If the
      Timestamp option is supported, the first four octets contain a
      timestamp of when the packet was sent from the peer.

    Message Integrity Code

      This field contains an MD5 hash of the following:

         MD5( packet | Shared Secret )

    Attributes

      The Attribute field is variable in length. The following RADIUS
      attributes [2] are included in the message:

        NAS-IP-Address
           This attribute MUST contain the IP Address of the NAS.

        NAS-Port
           This attribute MUST contain the port number of the user.

        Filter-Id
           This attribute MAY be present if the NAS implements filter
           naming. However, a vendor-specific filter rule may be sent in
           its place.

           The absence of any filter attribute will remove all filters
           currently assigned to the user's port.



   3.2 RADIUS-Change-Filter-Request-Ack

    Description

      RADIUS-Change-Filter-Request-Ack packets are sent from the NAS to
      the RADIUS Server if the filter was successfully changed. The
      message is sent as follows:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Code      |  Flags  | Ver |            Command            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          Identifier           |            Length             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      |                         Authenticator                         |
      |                                                               |
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      |                    Message Integrity Code                     |
      |                                                               |
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


    Code

      254 for Enhanced RADIUS.


    Flags

      The Flag field is used as defined in [1].

    Version

      MUST be set to 2.

    Command

      305 for RADIUS-Change-Filter-Request-Ack

    Identifier

      The Identifier field is a copy of the Identifier field of the
      RADIUS-Change-Filter-Request which caused this
      RADIUS-Change-Filter-Request-Ack to be sent.

    Length

      The total length of the message, including this header.

    Authenticator

      The Authenticator field is a random 16 octet value. If the
      Timestamp option is supported, the first four octets contain a
      timestamp of when the packet was sent from the peer.

    Message Integrity Code

      This field contains an MD5 hash of the following:

         MD5( packet | Shared Secret )



   3.3 RADIUS-Change-Filter-Request-Nak

    Description

      RADIUS-Change-Filter-Request-Nak packets are sent from the NAS to
      the RADIUS Server if the filter was not successfully changed. The
      message is sent as follows:

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Code      |  Flags  | Ver |            Command            |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          Identifier           |            Length             |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      |                         Authenticator                         |
      |                                                               |
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      |                    Message Integrity Code                     |
      |                                                               |
      |                                                               |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


    Code

      254 for Enhanced RADIUS.

    Flags

      The Flag field is used as defined in [1].

    Version

      MUST be set to 2.

    Command

      306 for RADIUS-Change-Filter-Request-Nak

    Identifier

      The Identifier field is a copy of the Identifier field of the
      RADIUS-Change-Filter-Request which caused this
      RADIUS-Change-Filter-Request-Nak to be sent.

    Length

      The total length of the message, including this header.

    Authenticator

      The Authenticator field is a random 16 octet value. If the
      Timestamp option is supported, the first four octets contain a
      timestamp of when the packet was sent from the peer.

    Message Integrity Code

      This field contains an MD5 hash of the following:

         MD5( packet | Shared Secret )


   4. Attribute Name and Attribute Code

      No additional attributes are required for this extension.

   5. Attribute Meanings

      No additional attributes are required for this extension.

   6. Motivation

      The motivation for this extension to the protocol is to allow
      RADIUS Servers to download filters dynamically. In the past, a
      user would have to have two separate user accounts, or, if some
      dynamic filter mechanism existed on the RADIUS server, the user
      would have to log off and log back in.

      This extension will provide service providers with the
      capability of adding new services to their existing
      infrastructure. It is envisioned that the client would have access
      to some application which would send an out-of-band request to the
      service provider's RADIUS Server, which would in turn send a new
      set of filters to the NAS for the user's port.


   7. Description (or Implementation Rules)

      Upon receipt of a RADIUS-Change-Filter-Request, the NAS MUST ensure
      that the NAS port is still active. If so, the NAS must replace any
      filters which are currently applied to the port with the new set
      of filters received in the message.


      If the Filter-Id attribute is included in the message, the NAS
      must use it in the traditional RADIUS manner; however, the message
      may carry vendor-specific filter rules instead. The absence of any
      filter attribute in the message will remove any such filters
      currently applied to the user's port.
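      The following is an added illustration, not part of this draft: a
      Python model of the section 3.1 packet layout (builder, parser and
      Message Integrity Code check) together with the NAS-side rules of
      section 7 (port still active, replace or clear filters, Ack or Nak
      with the request's Identifier copied). Assumed because the draft does
      not state them: the MIC is computed over the packet with the MIC field
      zeroed, Flags is 0, and the attribute type numbers (NAS-IP-Address 4,
      NAS-Port 5, Filter-Id 11) are those of RADIUS [2].

```python
import hashlib, hmac, os, struct

CODE_ENH_RADIUS, VERSION = 254, 2                 # section 3.1 Code / Version
CMD_REQ, CMD_ACK, CMD_NAK = 304, 305, 306         # section 2 command codes
NAS_IP_ADDRESS, NAS_PORT, FILTER_ID = 4, 5, 11    # RADIUS types from [2] (assumed)
HDR_LEN = 8 + 16 + 16                             # header + Authenticator + MIC

def attr(atype, value):                           # RADIUS type/length/value attribute
    return struct.pack("!BB", atype, 2 + len(value)) + value

def build(command, ident, attrs, secret, flags=0):
    """Section 3.1 layout: Code | Flags:5 Ver:3 | Command | Identifier | Length | Auth | MIC | Attrs."""
    body = b"".join(attrs)
    hdr = struct.pack("!BBHHH", CODE_ENH_RADIUS, (flags << 3) | VERSION,
                      command, ident, HDR_LEN + len(body))
    pkt = hdr + os.urandom(16) + bytes(16) + body  # random Authenticator, MIC zeroed (assumption)
    mic = hashlib.md5(pkt + secret).digest()       # MD5( packet | Shared Secret )
    return pkt[:24] + mic + pkt[40:]

def verify(pkt, secret):
    """Check header fields and MIC; return (command, identifier, {type: value})."""
    if len(pkt) < HDR_LEN:
        raise ValueError("short packet")
    code, fv, command, ident, length = struct.unpack("!BBHHH", pkt[:8])
    if code != CODE_ENH_RADIUS or (fv & 7) != VERSION or length != len(pkt):
        raise ValueError("bad header")
    expected = hashlib.md5(pkt[:24] + bytes(16) + pkt[40:] + secret).digest()
    if not hmac.compare_digest(expected, pkt[24:40]):
        raise ValueError("bad MIC")
    attrs, i = {}, HDR_LEN
    while i < length:                              # walk the TLV list without overrunning
        if i + 2 > length or pkt[i + 1] < 2 or i + pkt[i + 1] > length:
            raise ValueError("malformed attribute")
        attrs[pkt[i]] = pkt[i + 2:i + pkt[i + 1]]
        i += pkt[i + 1]
    return command, ident, attrs

def nas_handle(pkt, secret, active_ports, port_filters):
    """Section 7 on the NAS: verify, require an active port, replace or clear filters, Ack or Nak."""
    command, ident, attrs = verify(pkt, secret)
    if command != CMD_REQ or NAS_PORT not in attrs:
        raise ValueError("not a Change-Filter-Request")
    port = int.from_bytes(attrs[NAS_PORT], "big")
    if port not in active_ports:
        return build(CMD_NAK, ident, [], secret)   # port gone: Nak with same Identifier
    if FILTER_ID in attrs:
        port_filters[port] = attrs[FILTER_ID].decode("ascii")
    else:
        port_filters.pop(port, None)               # no filter attribute: remove all
    return build(CMD_ACK, ident, [], secret)
```

      The Ack and Nak carry no attributes, matching the diagrams in 3.2 and
      3.3; a packet whose MIC does not verify is rejected before any filter
      is touched.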


   References

      [1]   Calhoun, Rubens, "Enhanced RADIUS", Internet-Draft,
            draft-calhoun-enh-radius-00.txt,
            US Robotics Access Corp., June 1996.

      [2]   Rigney, et al., "RADIUS Authentication", Internet-Draft,
            draft-ietf-radius-radius-02.txt, Livingston, May 1996.
