Common Remote Authentication Dial In User Service (RADIUS) Implementation Issues and Suggested Fixes
RFC 5080
Document Type RFC - Proposed Standard (December 2007; Errata)
Last updated 2015-10-14
Replaces draft-aboba-radext-fixes
Stream IETF
Formats plain text html pdf htmlized bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 5080 (Proposed Standard)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Dan Romascanu
Send notices to (None)
Email authors Email WG IPR References Referenced by Nits 
Network Working Group                                          D. Nelson
Request for Comments: 5080                          Elbrys Networks, Inc
Updates: 2865, 2866, 2869, 3579                                 A. DeKok
Category: Standards Track                                     FreeRADIUS
                                                           December 2007

       Common Remote Authentication Dial In User Service (RADIUS)
               Implementation Issues and Suggested Fixes

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Abstract

   This document describes common issues seen in Remote Authentication
   Dial In User Service (RADIUS) implementations and suggests some
   fixes.  Where applicable, ambiguities and errors in previous RADIUS
   specifications are clarified.

Nelson & DeKok              Standards Track                     [Page 1]
RFC 5080                 RADIUS Issues & Fixes             December 2007

Table of Contents

   1. Introduction ....................................................2
      1.1. Terminology ................................................3
      1.2. Requirements Language ......................................3
   2. Issues ..........................................................3
      2.1. Session Definition .........................................3
           2.1.1. State Attribute .....................................3
           2.1.2. Request-ID Supplementation ..........................6
      2.2. Overload Conditions ........................................7
           2.2.1. Retransmission Behavior .............................7
           2.2.2. Duplicate Detection and Orderly Delivery ...........10
           2.2.3. Server Response to Overload ........................11
      2.3. Accounting Issues .........................................12
           2.3.1. Attributes Allowed in an Interim Update ............12
           2.3.2. Acct-Session-Id and Acct-Multi-Session-Id ..........12
           2.3.3. Request Authenticator ..............................13
           2.3.4. Interim-Accounting-Interval ........................13
           2.3.5. Counter Values in the RADIUS Management
                  Information Base (MIB) .............................14
      2.4. Multiple Filter-ID Attributes .............................15
      2.5. Mandatory and Optional Attributes .........................16
      2.6. Interpretation of Access-Reject ...........................18
           2.6.1. Improper Use of Access-Reject ......................18
           2.6.2. Service Request Denial .............................19
      2.7. Addressing ................................................20
           2.7.1. Link-Local Addresses ...............................20
           2.7.2. Multiple Addresses .................................20
      2.8. Idle-Timeout ..............................................21
      2.9. Unknown Identity ..........................................21
      2.10. Responses After Retransmissions ..........................22
      2.11. Framed-IPv6-Prefix .......................................23
   3. Security Considerations ........................................24
   4. References .....................................................25
      4.1. Normative References ......................................25
      4.2. Informative References ....................................25

1.  Introduction

   The last few years have seen an increase in the deployment of RADIUS
   clients and servers.  This document describes common issues seen in
   RADIUS implementations and suggests some fixes.  Where applicable,
   ambiguities and errors in previous RADIUS specifications are
   clarified.

Nelson & DeKok              Standards Track                     [Page 2]
RFC 5080                 RADIUS Issues & Fixes             December 2007

1.1.  Terminology

   This document uses the following terms:

   Network Access Server (NAS)
      The device providing access to the network.  Also known as the
      Authenticator in IEEE 802.1X or Extensible Authentication Protocol
      (EAP) terminology, or RADIUS client.

   service
      The NAS provides a service to the user, such as network access via
      802.11 or Point to Point Protocol (PPP).

   session
      Each service provided by the NAS to a peer constitutes a session,
      with the beginning of the session defined as the point where
      service is first provided, and the end of the session is defined
      as the point where service is ended.  A peer may have multiple
      sessions in parallel or series if the NAS supports that, with each
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools