Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)
RFC 3576

Document Type RFC - Informational (July 2003; No errata)
Obsoleted by RFC 5176
Last updated 2015-10-14
Stream ISE
Formats plain text pdf html bibtex
Stream ISE state (None)
Consensus Boilerplate Unknown
Document shepherd No shepherd assigned
IESG IESG state RFC 3576 (Informational)
Telechat date
Responsible AD Randy Bush
Send notices to (None)
Network Working Group                                           M. Chiba
Request for Comments: 3576                                    G. Dommety
Category: Informational                                        M. Eklund
                                                     Cisco Systems, Inc.
                                                               D. Mitton
                                                  Circular Logic, UnLtd.
                                                                B. Aboba
                                                   Microsoft Corporation
                                                               July 2003

              Dynamic Authorization Extensions to Remote
              Authentication Dial In User Service (RADIUS)

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

   This document describes a currently deployed extension to the Remote
   Authentication Dial In User Service (RADIUS) protocol, allowing
   dynamic changes to a user session, as implemented by network access
   server products.  This includes support for disconnecting users and
   changing authorizations applicable to a user session.

Chiba, et al.                Informational                      [Page 1]
RFC 3576       Dynamic Authorization Extensions to RADIUS      July 2003

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
       1.1.  Applicability. . . . . . . . . . . . . . . . . . . . . .  3
       1.2.  Requirements Language  . . . . . . . . . . . . . . . . .  5
       1.3.  Terminology. . . . . . . . . . . . . . . . . . . . . . .  5
   2.  Overview . . . . . . . . . . . . . . . . . . . . . . . . . . .  5
       2.1.  Disconnect Messages (DM) . . . . . . . . . . . . . . . .  5
       2.2.  Change-of-Authorization Messages (CoA) . . . . . . . . .  6
       2.3.  Packet Format. . . . . . . . . . . . . . . . . . . . . .  7
   3.  Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . 11
       3.1.  Error-Cause. . . . . . . . . . . . . . . . . . . . . . . 13
       3.2.  Table of Attributes. . . . . . . . . . . . . . . . . . . 16
   4.  IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 20
   5.  Security Considerations. . . . . . . . . . . . . . . . . . . . 21
       5.1.  Authorization Issues . . . . . . . . . . . . . . . . . . 21
       5.2.  Impersonation. . . . . . . . . . . . . . . . . . . . . . 22
       5.3.  IPsec Usage Guidelines . . . . . . . . . . . . . . . . . 22
       5.4.  Replay Protection. . . . . . . . . . . . . . . . . . . . 25
   6.  Example Traces . . . . . . . . . . . . . . . . . . . . . . . . 26
   7.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 26
       7.1.  Normative References . . . . . . . . . . . . . . . . . . 26
       7.2.  Informative References . . . . . . . . . . . . . . . . . 27
   8.  Intellectual Property Statement. . . . . . . . . . . . . . . . 28
   9.  Acknowledgements.  . . . . . . . . . . . . . . . . . . . . . . 28
   10. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 29
   11. Full Copyright Statement . . . . . . . . . . . . . . . . . . . 30

Chiba, et al.                Informational                      [Page 2]
RFC 3576       Dynamic Authorization Extensions to RADIUS      July 2003

1.  Introduction

   The RADIUS protocol, defined in [RFC2865], does not support
   unsolicited messages sent from the RADIUS server to the Network
   Access Server (NAS).

   However, there are many instances in which it is desirable for
   changes to be made to session characteristics, without requiring the
   NAS to initiate the exchange.  For example, it may be desirable for
   administrators to be able to terminate a user session in progress.
   Alternatively, if the user changes authorization level, this may
   require that authorization attributes be added/deleted from a user
   session.

   To overcome these limitations, several vendors have implemented
   additional RADIUS commands in order to be able to support unsolicited
   messages sent from the RADIUS server to the NAS.  These extended
   commands provide support for Disconnect and Change-of-Authorization
   (CoA) messages.  Disconnect messages cause a user session to be
   terminated immediately, whereas CoA messages modify session
   authorization attributes such as data filters.

1.1.  Applicability

   This protocol is being recommended for publication as an
   Informational RFC rather than as a standards-track RFC because of
Show full document text