IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines
RFC 3580

Document Type RFC - Informational (September 2003; Errata)
Updated by RFC 7268
Last updated 2015-10-14
Stream ISE
Stream ISE state (None)
Consensus Boilerplate Unknown
Document shepherd No shepherd assigned
IESG state RFC 3580 (Informational)
Responsible AD Randy Bush
Send notices to <paulcongon@hp.com>
Network Working Group                                         P. Congdon
Request for Comments: 3580                       Hewlett Packard Company
Category: Informational                                         B. Aboba
                                                               Microsoft
                                                                A. Smith
                                                        Trapeze Networks
                                                                 G. Zorn
                                                           Cisco Systems
                                                                J. Roese
                                                               Enterasys
                                                          September 2003

    IEEE 802.1X Remote Authentication Dial In User Service (RADIUS)
                            Usage Guidelines

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

   This document provides suggestions on Remote Authentication Dial In
   User Service (RADIUS) usage by IEEE 802.1X Authenticators.  The
   material in this document is also included within a non-normative
   Appendix within the IEEE 802.1X specification, and is being presented
   as an IETF RFC for informational purposes.

Congdon, et al.              Informational                      [Page 1]
RFC 3580                   IEEE 802.1X RADIUS             September 2003

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
       1.1.  Terminology. . . . . . . . . . . . . . . . . . . . . . .  3
       1.2.  Requirements Language. . . . . . . . . . . . . . . . . .  4
   2.  RADIUS Accounting Attributes . . . . . . . . . . . . . . . . .  5
       2.1.  Acct-Terminate-Cause . . . . . . . . . . . . . . . . . .  5
       2.2.  Acct-Multi-Session-Id. . . . . . . . . . . . . . . . . .  6
       2.3.  Acct-Link-Count. . . . . . . . . . . . . . . . . . . . .  7
   3.  RADIUS Authentication. . . . . . . . . . . . . . . . . . . . .  7
       3.1.  User-Name. . . . . . . . . . . . . . . . . . . . . . . .  8
       3.2.  User-Password, CHAP-Password, CHAP-Challenge . . . . . .  8
       3.3.  NAS-IP-Address, NAS-IPv6-Address . . . . . . . . . . . .  8
       3.4.  NAS-Port . . . . . . . . . . . . . . . . . . . . . . . .  8
       3.5.  Service-Type . . . . . . . . . . . . . . . . . . . . . .  8
       3.6.  Framed-Protocol. . . . . . . . . . . . . . . . . . . . .  9
       3.7.  Framed-IP-Address, Framed-IP-Netmask . . . . . . . . . .  9
       3.8.  Framed-Routing . . . . . . . . . . . . . . . . . . . . .  9
       3.9.  Filter-ID. . . . . . . . . . . . . . . . . . . . . . . .  9
       3.10. Framed-MTU . . . . . . . . . . . . . . . . . . . . . . .  9
       3.11. Framed-Compression . . . . . . . . . . . . . . . . . . . 10
       3.12. Displayable Messages . . . . . . . . . . . . . . . . . . 10
       3.13. Callback-Number, Callback-ID . . . . . . . . . . . . . . 10
       3.14. Framed-Route, Framed-IPv6-Route. . . . . . . . . . . . . 11
       3.15. State, Class, Proxy-State. . . . . . . . . . . . . . . . 11
       3.16. Vendor-Specific. . . . . . . . . . . . . . . . . . . . . 11
       3.17. Session-Timeout. . . . . . . . . . . . . . . . . . . . . 11
       3.18. Idle-Timeout . . . . . . . . . . . . . . . . . . . . . . 12
       3.19. Termination-Action . . . . . . . . . . . . . . . . . . . 12
       3.20. Called-Station-Id. . . . . . . . . . . . . . . . . . . . 12
       3.21. Calling-Station-Id . . . . . . . . . . . . . . . . . . . 12
       3.22. NAS-Identifier . . . . . . . . . . . . . . . . . . . . . 12
       3.23. NAS-Port-Type. . . . . . . . . . . . . . . . . . . . . . 12
       3.24. Port-Limit . . . . . . . . . . . . . . . . . . . . . . . 13
       3.25. Password-Retry . . . . . . . . . . . . . . . . . . . . . 13
       3.26. Connect-Info . . . . . . . . . . . . . . . . . . . . . . 13
       3.27. EAP-Message. . . . . . . . . . . . . . . . . . . . . . . 13
       3.28. Message-Authenticator. . . . . . . . . . . . . . . . . . 13
       3.29. NAS-Port-Id. . . . . . . . . . . . . . . . . . . . . . . 13
       3.30. Framed-Pool, Framed-IPv6-Pool. . . . . . . . . . . . . . 14
       3.31. Tunnel Attributes. . . . . . . . . . . . . . . . . . . . 14
   4.  RC4 EAPOL-Key Descriptor . . . . . . . . . . . . . . . . . . . 15
   5.  Security Considerations. . . . . . . . . . . . . . . . . . . . 18
       5.1.  Packet Modification or Forgery . . . . . . . . . . . . . 18
       5.2.  Dictionary Attacks . . . . . . . . . . . . . . . . . . . 19
       5.3.  Known Plaintext Attacks. . . . . . . . . . . . . . . . . 19
       5.4.  Replay . . . . . . . . . . . . . . . . . . . . . . . . . 20