rfc3576.txt

radius协议的经典实现

Chiba, et al.                Informational                     [Page 11]

RFC 3576       Dynamic Authorization Extensions to RADIUS      July 2003


   Session identification attributes

   Attribute              #    Reference  Description
   ---------             ---   ---------  -----------
   User-Name              1    [RFC2865]  The name of the user
                                          associated with the session.
   NAS-Port               5    [RFC2865]  The port on which the
                                          session is terminated.
   Framed-IP-Address      8    [RFC2865]  The IPv4 address associated
                                          with the session.
   Called-Station-Id     30    [RFC2865]  The link address to which
                                          the session is connected.
   Calling-Station-Id    31    [RFC2865]  The link address from which
                                          the session is connected.
   Acct-Session-Id       44    [RFC2866]  The identifier uniquely
                                          identifying the session
                                          on the NAS.
   Acct-Multi-Session-Id 50    [RFC2866]  The identifier uniquely
                                          identifying related sessions.
   NAS-Port-Type         61    [RFC2865]  The type of port used.
   NAS-Port-Id           87    [RFC2869]  String identifying the port
                                          where the session is.
   Originating-Line-Info 94    [NASREQ]   Provides information on the
                                          characteristics of the line
                                          from which a session
                                          originated.
   Framed-Interface-Id   96    [RFC3162]  The IPv6 Interface Identifier
                                          associated with the session;
                                          always sent with
                                          Framed-IPv6-Prefix.
   Framed-IPv6-Prefix    97    [RFC3162]  The IPv6 prefix associated
                                          with the session, always sent
                                          with Framed-Interface-Id.

   To address security concerns described in Section 5.1., the User-Name
   Attribute SHOULD be present in Disconnect-Request or CoA-Request
   packets; one or more additional session identification attributes MAY
   also be present.  To address security concerns described in Section
   5.2., one or more of the NAS-IP-Address or NAS-IPv6-Address
   Attributes SHOULD be present in Disconnect-Request or CoA-Request
   packets; the NAS-Identifier Attribute MAY be present in addition.

   If one or more authorization changes specified in a CoA-Request
   cannot be carried out, or if one or more attributes or attribute-
   values is unsupported, a CoA-NAK MUST be sent.  Similarly, if there
   are one or more unsupported attributes or attribute values in a
   Disconnect-Request, a Disconnect-NAK MUST be sent.




Chiba, et al.                Informational                     [Page 12]

RFC 3576       Dynamic Authorization Extensions to RADIUS      July 2003


   Where a Service-Type Attribute with value "Authorize Only" is
   included within a CoA-Request or Disconnect-Request, attributes
   representing an authorization change MUST NOT be included; only
   identification attributes are permitted.  If attributes other than
   NAS or session identification attributes are included in such a CoA-
   Request, implementations MUST send a CoA-NAK; an Error-Cause
   Attribute with value "Unsupported Attribute" MAY be included.
   Similarly, if attributes other than NAS or session identification
   attributes are included in such a Disconnect-Request, implementations
   MUST send a Disconnect-NAK; an Error-Cause Attribute with value
   "Unsupported Attribute" MAY be included.

3.1.  Error-Cause

   Description

      It is possible that the NAS cannot honor Disconnect-Request or
      CoA-Request messages for some reason.  The Error-Cause Attribute
      provides more detail on the cause of the problem.  It MAY be
      included within Disconnect-ACK, Disconnect-NAK and CoA-NAK
      messages.

      A summary of the Error-Cause Attribute format is shown below.  The
      fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
              Value (cont)         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      101 for Error-Cause

   Length

      6

   Value

      The Value field is four octets, containing an integer specifying
      the cause of the error.  Values 0-199 and 300-399 are reserved.
      Values 200-299 represent successful completion, so that these
      values may only be sent within Disconnect-ACK or CoA-ACK message
      and MUST NOT be sent within a Disconnect-NAK or CoA-NAK.  Values



Chiba, et al.                Informational                     [Page 13]

RFC 3576       Dynamic Authorization Extensions to RADIUS      July 2003


      400-499 represent fatal errors committed by the RADIUS server, so
      that they MAY be sent within CoA-NAK or Disconnect-NAK messages,
      and MUST NOT be sent within CoA-ACK or Disconnect-ACK messages.
      Values 500-599 represent fatal errors occurring on a NAS or RADIUS
      proxy, so that they MAY be sent within CoA-NAK and Disconnect-NAK
      messages, and MUST NOT be sent within CoA-ACK or Disconnect-ACK
      messages.  Error-Cause values SHOULD be logged by the RADIUS
      server.  Error-Code values (expressed in decimal) include:

    #     Value
   ---    -----
   201    Residual Session Context Removed
   202    Invalid EAP Packet (Ignored)
   401    Unsupported Attribute
   402    Missing Attribute
   403    NAS Identification Mismatch
   404    Invalid Request
   405    Unsupported Service
   406    Unsupported Extension
   501    Administratively Prohibited
   502    Request Not Routable (Proxy)
   503    Session Context Not Found
   504    Session Context Not Removable
   505    Other Proxy Processing Error
   506    Resources Unavailable
   507    Request Initiated

   "Residual Session Context Removed" is sent in response to a
   Disconnect-Request if the user session is no longer active, but
   residual session context was found and successfully removed.  This
   value is only sent within a Disconnect-ACK and MUST NOT be sent
   within a CoA-ACK, Disconnect-NAK or CoA-NAK.

   "Invalid EAP Packet (Ignored)" is a non-fatal error that MUST NOT be
   sent by implementations of this specification.

   "Unsupported Attribute" is a fatal error sent if a Request contains
   an attribute (such as a Vendor-Specific or EAP-Message Attribute)
   that is not supported.

   "Missing Attribute" is a fatal error sent if critical attributes
   (such as NAS or session identification attributes) are missing from a
   Request.

   "NAS Identification Mismatch" is a fatal error sent if one or more
   NAS identification attributes (see Section 3.) do not match the
   identity of the NAS receiving the Request.




Chiba, et al.                Informational                     [Page 14]

RFC 3576       Dynamic Authorization Extensions to RADIUS      July 2003


   "Invalid Request" is a fatal error sent if some other aspect of the
   Request is invalid, such as if one or more attributes (such as EAP-
   Message Attribute(s)) are not formatted properly.

   "Unsupported Service" is a fatal error sent if a Service-Type
   Attribute included with the Request is sent with an invalid or
   unsupported value.

   "Unsupported Extension" is a fatal error sent due to lack of support
   for an extension such as Disconnect and/or CoA messages.  This will
   typically be sent by a proxy receiving an ICMP port unreachable
   message after attempting to forward a Request to the NAS.

   "Administratively Prohibited" is a fatal error sent if the NAS is
   configured to prohibit honoring of Request messages for the specified
   session.

   "Request Not Routable" is a fatal error which MAY be sent by a RADIUS
   proxy and MUST NOT be sent by a NAS.  It indicates that the RADIUS
   proxy was unable to determine how to route the Request to the NAS.
   For example, this can occur if the required entries are not present
   in the proxy's realm routing table.

   "Session Context Not Found" is a fatal error sent if the session
   context identified in the Request does not exist on the NAS.

   "Session Context Not Removable" is a fatal error sent in response to
   a Disconnect-Request if the NAS was able to locate the session
   context, but could not remove it for some reason.  It MUST NOT be
   sent within a CoA-ACK, CoA-NAK or Disconnect-ACK, only within a
   Disconnect-NAK.

   "Other Proxy Processing Error" is a fatal error sent in response to a
   Request that could not be processed by a proxy, for reasons other
   than routing.

   "Resources Unavailable" is a fatal error sent when a Request could
   not be honored due to lack of available NAS resources (memory, non-
   volatile storage, etc.).

   "Request Initiated" is a fatal error sent in response to a Request
   including a Service-Type Attribute with a value of "Authorize Only".
   It indicates that the Disconnect-Request or CoA-Request has not been
   honored, but that a RADIUS Access-Request including a Service-Type
   Attribute with value "Authorize Only" is being sent to the RADIUS
   server.





Chiba, et al.                Informational                     [Page 15]

RFC 3576       Dynamic Authorization Extensions to RADIUS      July 2003


3.2.  Table of Attributes

   The following table provides a guide to which attributes may be found
   in which packets, and in what quantity.

   Change-of-Authorization Messages

   Request   ACK      NAK   #   Attribute
   0-1       0        0     1   User-Name [Note 1]
   0-1       0        0     4   NAS-IP-Address [Note 1]
   0-1       0        0     5   NAS-Port [Note 1]
   0-1       0        0-1   6   Service-Type [Note 6]
   0-1       0        0     7   Framed-Protocol [Note 3]
   0-1       0        0     8   Framed-IP-Address [Note 1]
   0-1       0        0     9   Framed-IP-Netmask [Note 3]
   0-1       0        0    10   Framed-Routing [Note 3]
   0+        0        0    11   Filter-ID [Note 3]
   0-1       0        0    12   Framed-MTU [Note 3]
   0+        0        0    13   Framed-Compression [Note 3]
   0+        0        0    14   Login-IP-Host [Note 3]
   0-1       0        0    15   Login-Service [Note 3]
   0-1       0        0    16   Login-TCP-Port [Note 3]
   0+        0        0    18   Reply-Message [Note 2]
   0-1       0        0    19   Callback-Number [Note 3]
   0-1       0        0    20   Callback-Id [Note 3]
   0+        0        0    22   Framed-Route [Note 3]
   0-1       0        0    23   Framed-IPX-Network [Note 3]
   0-1       0-1      0-1  24   State [Note 7]
   0+        0        0    25   Class [Note 3]
   0+        0        0    26   Vendor-Specific [Note 3]
   0-1       0        0    27   Session-Timeout [Note 3]
   0-1       0        0    28   Idle-Timeout [Note 3]
   0-1       0        0    29   Termination-Action [Note 3]
   0-1       0        0    30   Called-Station-Id [Note 1]
   0-1       0        0    31   Calling-Station-Id [Note 1]
   0-1       0        0    32   NAS-Identifier [Note 1]
   0+        0+       0+   33   Proxy-State
   0-1       0        0    34   Login-LAT-Service [Note 3]
   0-1       0        0    35   Login-LAT-Node [Note 3]
   0-1       0        0    36   Login-LAT-Group [Note 3]
   0-1       0        0    37   Framed-AppleTalk-Link [Note 3]
   0+        0        0    38   Framed-AppleTalk-Network [Note 3]
   0-1       0        0    39   Framed-AppleTalk-Zone [Note 3]
   0-1       0        0    44   Acct-Session-Id [Note 1]
   0-1       0        0    50   Acct-Multi-Session-Id [Note 1]
   0-1       0-1      0-1  55   Event-Timestamp
   0-1       0        0    61   NAS-Port-Type [Note 1]
   Request   ACK      NAK   #   Attribute



Chiba, et al.                Informational                     [Page 16]

RFC 3576       Dynamic Authorization Extensions to RADIUS      July 2003


   Request   ACK      NAK   #   Attribute
   0-1       0        0    62   Port-Limit [Note 3]
   0-1       0        0    63   Login-LAT-Port [Note 3]
   0+        0        0    64   Tunnel-Type [Note 5]
   0+        0        0    65   Tunnel-Medium-Type [Note 5]
   0+        0        0    66   Tunnel-Client-Endpoint [Note 5]
   0+        0        0    67   Tunnel-Server-Endpoint [Note 5]
   0+        0        0    69   Tunnel-Password [Note 5]
   0-1       0        0    71   ARAP-Features [Note 3]
   0-1       0        0    72   ARAP-Zone-Access [Note 3]
   0+        0        0    78   Configuration-Token [Note 3]
   0+        0-1      0    79   EAP-Message [Note 2]
   0-1       0-1      0-1  80   Message-Authenticator
   0+        0        0    81   Tunnel-Private-Group-ID [Note 5]
   0+        0        0    82   Tunnel-Assignment-ID [Note 5]
   0+        0        0    83   Tunnel-Preference [Note 5]