Common Remote Authentication Dial In User Service (RADIUS) Implementation Issues and Suggested Fixes
RFC 5080
Network Working Group                                          D. Nelson
Request for Comments: 5080                          Elbrys Networks, Inc
Updates: 2865, 2866, 2869, 3579                                 A. DeKok
Category: Standards Track                                     FreeRADIUS
                                                           December 2007
Common Remote Authentication Dial In User Service (RADIUS)
Implementation Issues and Suggested Fixes
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Abstract
This document describes common issues seen in Remote Authentication
Dial In User Service (RADIUS) implementations and suggests some
fixes. Where applicable, ambiguities and errors in previous RADIUS
specifications are clarified.
Nelson & DeKok Standards Track [Page 1]
RFC 5080 RADIUS Issues & Fixes December 2007
Table of Contents
1. Introduction ....................................................2
1.1. Terminology ................................................3
1.2. Requirements Language ......................................3
2. Issues ..........................................................3
2.1. Session Definition .........................................3
2.1.1. State Attribute .....................................3
2.1.2. Request-ID Supplementation ..........................6
2.2. Overload Conditions ........................................7
2.2.1. Retransmission Behavior .............................7
2.2.2. Duplicate Detection and Orderly Delivery ...........10
2.2.3. Server Response to Overload ........................11
2.3. Accounting Issues .........................................12
2.3.1. Attributes Allowed in an Interim Update ............12
2.3.2. Acct-Session-Id and Acct-Multi-Session-Id ..........12
2.3.3. Request Authenticator ..............................13
2.3.4. Interim-Accounting-Interval ........................13
2.3.5. Counter Values in the RADIUS Management Information Base (MIB) ...14
2.4. Multiple Filter-ID Attributes .............................15
2.5. Mandatory and Optional Attributes .........................16
2.6. Interpretation of Access-Reject ...........................18
2.6.1. Improper Use of Access-Reject ......................18
2.6.2. Service Request Denial .............................19
2.7. Addressing ................................................20
2.7.1. Link-Local Addresses ...............................20
2.7.2. Multiple Addresses .................................20
2.8. Idle-Timeout ..............................................21
2.9. Unknown Identity ..........................................21
2.10. Responses After Retransmissions ..........................22
2.11. Framed-IPv6-Prefix .......................................23
3. Security Considerations ........................................24
4. References .....................................................25
4.1. Normative References ......................................25
4.2. Informative References ....................................25
1. Introduction
The last few years have seen an increase in the deployment of RADIUS
clients and servers. This document describes common issues seen in
RADIUS implementations and suggests some fixes. Where applicable,
ambiguities and errors in previous RADIUS specifications are
clarified.
1.1. Terminology
This document uses the following terms:
Network Access Server (NAS)
The device providing access to the network. Also known as the
Authenticator in IEEE 802.1X or Extensible Authentication Protocol
(EAP) terminology, or RADIUS client.
service
The NAS provides a service to the user, such as network access via
802.11 or Point to Point Protocol (PPP).
session
Each service provided by the NAS to a peer constitutes a session,
with the beginning of the session defined as the point where
service is first provided, and the end of the session defined as
the point where service ends. A peer may have multiple
sessions in parallel or series if the NAS supports that, with each