RFC 5080 - Common Remote Authentication Dial In User Service (RADIUS) Implementation Issues and Suggested Fixes

Common Remote Authentication Dial In User Service (RADIUS) Implementation Issues and Suggested Fixes
RFC 5080

Versions
08


Document	Type	RFC - Proposed Standard (December 2007; Errata) Updates RFC 2869, RFC 3579, RFC 2865, RFC 2866 Was draft-ietf-radext-fixes (radext WG)
	Last updated	2015-10-14
	Replaces	draft-aboba-radext-fixes
	Stream	IETF
	Formats	plain text pdf html bibtex
Stream	WG state	(None)
	Document shepherd	No shepherd assigned
IESG	IESG state	RFC 5080 (Proposed Standard)
	Consensus Boilerplate	Unknown
	Telechat date
	Responsible AD	Dan Romascanu
	Send notices to	(None)

Email authors IPR References Referenced by Nits

Network Working Group                                          D. Nelson
Request for Comments: 5080                          Elbrys Networks, Inc
Updates: 2865, 2866, 2869, 3579                                 A. DeKok
Category: Standards Track                                     FreeRADIUS
                                                           December 2007

       Common Remote Authentication Dial In User Service (RADIUS)
               Implementation Issues and Suggested Fixes

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Abstract

   This document describes common issues seen in Remote Authentication
   Dial In User Service (RADIUS) implementations and suggests some
   fixes.  Where applicable, ambiguities and errors in previous RADIUS
   specifications are clarified.

Nelson & DeKok              Standards Track                     [Page 1]
RFC 5080                 RADIUS Issues & Fixes             December 2007

Table of Contents

   1. Introduction ....................................................2
      1.1. Terminology ................................................3
      1.2. Requirements Language ......................................3
   2. Issues ..........................................................3
      2.1. Session Definition .........................................3
           2.1.1. State Attribute .....................................3
           2.1.2. Request-ID Supplementation ..........................6
      2.2. Overload Conditions ........................................7
           2.2.1. Retransmission Behavior .............................7
           2.2.2. Duplicate Detection and Orderly Delivery ...........10
           2.2.3. Server Response to Overload ........................11
      2.3. Accounting Issues .........................................12
           2.3.1. Attributes Allowed in an Interim Update ............12
           2.3.2. Acct-Session-Id and Acct-Multi-Session-Id ..........12
           2.3.3. Request Authenticator ..............................13
           2.3.4. Interim-Accounting-Interval ........................13
           2.3.5. Counter Values in the RADIUS Management
                  Information Base (MIB) .............................14
      2.4. Multiple Filter-ID Attributes .............................15
      2.5. Mandatory and Optional Attributes .........................16
      2.6. Interpretation of Access-Reject ...........................18
           2.6.1. Improper Use of Access-Reject ......................18
           2.6.2. Service Request Denial .............................19
      2.7. Addressing ................................................20
           2.7.1. Link-Local Addresses ...............................20
           2.7.2. Multiple Addresses .................................20
      2.8. Idle-Timeout ..............................................21
      2.9. Unknown Identity ..........................................21
      2.10. Responses After Retransmissions ..........................22
      2.11. Framed-IPv6-Prefix .......................................23
   3. Security Considerations ........................................24
   4. References .....................................................25
      4.1. Normative References ......................................25
      4.2. Informative References ....................................25

1.  Introduction

   The last few years have seen an increase in the deployment of RADIUS
   clients and servers.  This document describes common issues seen in
   RADIUS implementations and suggests some fixes.  Where applicable,
   ambiguities and errors in previous RADIUS specifications are
   clarified.

Nelson & DeKok              Standards Track                     [Page 2]
RFC 5080                 RADIUS Issues & Fixes             December 2007

1.1.  Terminology

   This document uses the following terms:

   Network Access Server (NAS)
      The device providing access to the network.  Also known as the
      Authenticator in IEEE 802.1X or Extensible Authentication Protocol
      (EAP) terminology, or RADIUS client.

   service
      The NAS provides a service to the user, such as network access via
      802.11 or Point to Point Protocol (PPP).

   session
      Each service provided by the NAS to a peer constitutes a session,
      with the beginning of the session defined as the point where

Show full document text

Common Remote Authentication Dial In User Service (RADIUS) Implementation Issues and Suggested FixesRFC 5080

Common Remote Authentication Dial In User Service (RADIUS) Implementation Issues and Suggested Fixes
RFC 5080