📄 rfc4590.txt

   Length
         3
   Text
         This attribute consists of a single URI that defines a
         protection space component.

Sterman, et al.             Standards Track                    [Page 19]

RFC 4590              RADIUS Digest Authentication             July 2006

3.18.  Digest-Stale Attribute

   Description
         This attribute is sent by a RADIUS server in order to notify
         the RADIUS client whether it has accepted a nonce.  If the
         nonce presented by the RADIUS client was stale, the value is
         'true' and is 'false' otherwise.  The RADIUS client puts the
         content of this attribute into a 'stale' directive of the
         WWW-Authenticate header in the HTTP-style response to the
         request it wants to authenticate.  The attribute MUST only be
         used in Access-Challenge packets.
   Type
         120 for Digest-Stale
   Length
         3
   Text
         The attribute has either the value 'true' or 'false' (both
         values without surrounding quotes).

3.19.  Digest-HA1 Attribute

   Description
         This attribute is used to allow the generation of an
         Authentication-Info header, even if the HTTP-style response's
         body is required for the calculation of the rspauth value.  It
         SHOULD be used in Access-Accept packets if the required quality
         of protection ('qop') is 'auth-int'.

         This attribute MUST NOT be sent if the qop parameter was not
         specified or has a value of 'auth' (in this case, use
         Digest-Response-Auth instead).

         The Digest-HA1 attribute MUST only be sent by the RADIUS server
         or processed by the RADIUS client if at least one of the
         following conditions is true:

         +  The Digest-Algorithm attribute's value is 'MD5-sess' or
            'AKAv1-MD5-sess'.

         +  IPsec is configured to protect traffic between RADIUS client
            and RADIUS server with IPsec (see Section 8).

         This attribute MUST only be used in Access-Accept packets.
   Type
         121 for Digest-HA1
   Length
         >= 3
   Text
         This attribute contains the hexadecimal representation of H(A1)
         as described in [RFC2617], sections 3.1.3, 3.2.1, and 3.2.2.2.

3.20.  SIP-AOR Attribute

   Description
         This attribute is used for the authorization of SIP messages.
         The SIP-AOR attribute identifies the URI, the use of which must
         be authenticated and authorized.  The RADIUS server uses this
         attribute to authorize the processing of the SIP request.  The
         SIP-AOR can be derived from, for example, the To header field
         in a SIP REGISTER request (user under registration), or the
         From header field in other SIP requests.  However, the exact
         mapping of this attribute to SIP can change due to new
         developments in the protocol.  This attribute MUST only be used
         when the RADIUS client wants to authorize SIP users and MUST
         only be used in Access-Request packets.
   Type
         122 for SIP-AOR
   Length
         >=3
   Text
         The syntax of this attribute corresponds either to a SIP URI
         (with the format defined in [RFC3261] or a tel URI (with the
         format defined in [RFC3966]).

         The SIP-AOR attribute holds the complete URI, including
         parameters and other parts.  It is up to the RADIUS server what
         components of the URI are regarded in the authorization
         decision.

4.  Diameter Compatibility

   This document defines support for Digest Authentication in RADIUS.  A
   companion document "Diameter Session Initiation Protocol (SIP)
   Application" [SIP-APP] defines support for Digest Authentication in
   Diameter, and addresses compatibility issues between RADIUS and
   Diameter.

5.  Table of Attributes

   The following table provides a guide to which attributes may be found
   in which kinds of packets, and in what quantity.

   +-----+--------+--------+-----------+-----+-------------------------+
   | Req | Accept | Reject | Challenge | #   | Attribute               |
   +-----+--------+--------+-----------+-----+-------------------------+
   | 1   | 0      | 0      | 0         | 1   | User-Name               |
   | 1   | 1      | 1      | 1         | 80  | Message-Authenticator   |
   | 0-1 | 0      | 0      | 0         | 103 | Digest-Response         |
   | 0-1 | 0      | 0      | 1         | 104 | Digest-Realm            |
   | 0-1 | 0      | 0      | 1         | 105 | Digest-Nonce            |
   | 0   | 0-1    | 0      | 0         | 106 | Digest-Response-Auth    |
   |     |        |        |           |     | (see Note 1, 2)         |
   | 0   | 0-1    | 0      | 0         | 107 | Digest-Nextnonce        |
   | 0-1 | 0      | 0      | 0         | 108 | Digest-Method           |
   | 0-1 | 0      | 0      | 0         | 109 | Digest-URI              |
   | 0-1 | 0      | 0      | 0+        | 110 | Digest-Qop              |
   | 0-1 | 0      | 0      | 0-1       | 111 | Digest-Algorithm (see   |
   |     |        |        |           |     | Note 3)                 |
   | 0-1 | 0      | 0      | 0         | 112 | Digest-Entity-Body-Hash |
   | 0-1 | 0      | 0      | 0         | 113 | Digest-CNonce           |
   | 0-1 | 0      | 0      | 0         | 114 | Digest-Nonce-Count      |
   | 0-1 | 0      | 0      | 0         | 115 | Digest-Username         |
   | 0-1 | 0      | 0      | 0-1       | 116 | Digest-Opaque           |
   | 0+  | 0+     | 0      | 0+        | 117 | Digest-Auth-Param       |
   | 0-1 | 0      | 0      | 0         | 118 | Digest-AKA-Auts         |
   | 0   | 0      | 0      | 0+        | 119 | Digest-Domain           |
   | 0   | 0      | 0      | 0-1       | 120 | Digest-Stale            |
   | 0   | 0-1    | 0      | 0         | 121 | Digest-HA1 (see Note 1, |
   |     |        |        |           |     | 2)                      |
   | 0-1 | 0      | 0      | 0         | 122 | SIP-AOR                 |
   +-----+--------+--------+-----------+-----+-------------------------+

                                  Table 1

   [Note 1] Digest-HA1 MUST be used instead of Digest-Response-Auth if
      Digest-Qop is 'auth-int'.

   [Note 2] Digest-Response-Auth MUST be used instead of Digest-HA1 if
      Digest-Qop is 'auth'.

   [Note 3] If Digest-Algorithm is missing, 'MD5' is assumed.

6.  Examples

   This is an example selected from the traffic between a softphone (A),
   a Proxy Server (B), and an example.com RADIUS server (C).  The
   communication between the Proxy Server and a SIP Public Switched
   Telephone Network (PSTN) gateway is omitted for brevity.  The SIP
   messages are not shown completely.

   A->B

      INVITE sip:97226491335@example.com SIP/2.0
      From: <sip:12345678@example.com>
      To: <sip:97226491335@example.com>

   B->A

      SIP/2.0 100 Trying

   B->C

      Code = 1 (Access-Request)
      Attributes:
      NAS-IP-Address = c0 0 2 26 (192.0.2.38)
      NAS-Port-Type = 5 (Virtual)
      User-Name = 12345678
      Digest-Method = INVITE
      Digest-URI = sip:97226491335@example.com
      Message-Authenticator =
       08 af 7e 01 b6 8d 74 c3 a4 3c 33 e1 56 2a 80 43

   C->B

      Code = 11 (Access-Challenge)
      Attributes:
      Digest-Nonce = 3bada1a0
      Digest-Realm = example.com
      Digest-Qop = auth
      Digest-Algorithm = MD5
      Message-Authenticator =
       f8 01 26 9f 70 5e ef 5d 24 ac f5 ca fb 27 da 40

   B->A

      SIP/2.0 407 Proxy Authentication Required
      Proxy-Authenticate: Digest realm="example.com"
           ,nonce="3bada1a0",qop=auth,algorithm=MD5
      Content-Length: 0

   A->B

      ACK sip:97226491335@example.com SIP/2.0

   A->B

      INVITE sip:97226491335@example.com SIP/2.0
      Proxy-Authorization: Digest algorithm="md5",nonce="3bada1a0"
           ,realm="example.com"
           ,response="f3ce87e6984557cd0fecc26f3c5e97a4"
           ,uri="sip:97226491335@example.com",username="12345678"
           ,qop=auth,algorithm=MD5
      From: <sip:12345678@example.com>
      To: <sip:97226491335@example.com>

   B->C

      Code = 1 (Access-Request)
      Attributes:
      NAS-IP-Address = c0 0 2 26 (192.0.2.38)
      NAS-Port-Type = 5 (Virtual)
      User-Name = 12345678
      Digest-Response = f3ce87e6984557cd0fecc26f3c5e97a4
      Digest-Realm = example.com
      Digest-Nonce = 3bada1a0
      Digest-Method = INVITE
      Digest-URI = sip:97226491335@example.com
      Digest-Qop = auth
      Digest-Algorithm = md5
      Digest-Username =  12345678
      SIP-AOR =  sip:12345678@example.com
      Message-Authenticator =
          ff 67 f4 13 8e b8 59 32 22 f9 37 0f 32 f8 e0 ff

   C->B

      Code = 2 (Access-Accept)
      Attributes:
      Digest-Response-Auth =
                      6303c41b0e2c3e524e413cafe8cce954
      Message-Authenticator =
          75 8d 44 49 66 1f 7b 47 9d 10 d0 2d 4a 2e aa f1

   B->A

      SIP/2.0 180 Ringing

   B->A

      SIP/2.0 200 OK

   A->B

      ACK sip:97226491335@example.com SIP/2.0

   A second example shows the traffic between a web browser (A), web
   server (B), and a RADIUS server (C).

   A->B

      GET /index.html HTTP/1.1

   B->C

      Code = 1 (Access-Request)
      Attributes:
      NAS-IP-Address = c0 0 2 26 (192.0.2.38)
      NAS-Port-Type = 5 (Virtual)
      Digest-Method = GET
      Digest-URI = /index.html
      Message-Authenticator =
       34 a6 26 46 f3 81 f9 b4 97 c0 dd 9d 11 8f ca c7

   C->B

      Code = 11 (Access-Challenge)
      Attributes:
      Digest-Nonce = a3086ac8
      Digest-Realm = example.com
      Digest-Qop = auth
      Digest-Algorithm = MD5
      Message-Authenticator =
       f8 01 26 9f 70 5e ef 5d 24 ac f5 ca fb 27 da 40

   B->A

      HTTP/1.1 401 Authentication Required
      WWW-Authenticate: Digest realm="example.com",
          nonce="a3086ac8",qop=auth,algorithm=MD5
      Content-Length: 0
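
   Added example, not part of RFC 4590 or of any RADIUS implementation:
   a Python check of a packet's attribute counts against Table 1,
   Notes 1 and 2, and the Section 3.19 rule that Digest-HA1 MUST NOT be
   sent when qop is unspecified or 'auth'.  The names check_packet,
   TABLE_1 and EXAMPLE_ACCEPT are hypothetical, and the qop argument is
   assumed to be supplied by the caller from the preceding exchange.

```python
from collections import Counter

KINDS = ("Access-Request", "Access-Accept", "Access-Reject", "Access-Challenge")
# Table 1 as on the page: quantity per packet kind (KINDS order), then attribute.
TABLE_1 = """\
1 0 0 0 User-Name
1 1 1 1 Message-Authenticator
0-1 0 0 0 Digest-Response
0-1 0 0 1 Digest-Realm
0-1 0 0 1 Digest-Nonce
0 0-1 0 0 Digest-Response-Auth
0 0-1 0 0 Digest-Nextnonce
0-1 0 0 0 Digest-Method
0-1 0 0 0 Digest-URI
0-1 0 0 0+ Digest-Qop
0-1 0 0 0-1 Digest-Algorithm
0-1 0 0 0 Digest-Entity-Body-Hash
0-1 0 0 0 Digest-CNonce
0-1 0 0 0 Digest-Nonce-Count
0-1 0 0 0 Digest-Username
0-1 0 0 0-1 Digest-Opaque
0+ 0+ 0 0+ Digest-Auth-Param
0-1 0 0 0 Digest-AKA-Auts
0 0 0 0+ Digest-Domain
0 0 0 0-1 Digest-Stale
0 0-1 0 0 Digest-HA1
0-1 0 0 0 SIP-AOR
"""
BOUNDS = {"0": (0, 0), "1": (1, 1), "0-1": (0, 1), "0+": (0, None)}
RULES = {r[4]: r[:4] for r in (ln.split() for ln in TABLE_1.splitlines())}
# Access-Accept of the page's first example, values as printed there.
EXAMPLE_ACCEPT = [
    ("Digest-Response-Auth", "6303c41b0e2c3e524e413cafe8cce954"),
    ("Message-Authenticator", "75 8d 44 49 66 1f 7b 47 9d 10 d0 2d 4a 2e aa f1")]

def check_packet(kind, attrs, qop=None):
    """Return violations for a list of (name, value) pairs; unlisted attributes
    are ignored. qop is the exchange's Digest-Qop, supplied by the caller."""
    col, seen, errors = KINDS.index(kind), Counter(n for n, _ in attrs), []
    for name, row in RULES.items():
        lo, hi = BOUNDS[row[col]]
        if seen[name] < lo or (hi is not None and seen[name] > hi):
            errors.append(f"{name}: {seen[name]} in {kind}, table allows {row[col]}")
    if kind == "Access-Accept":
        if qop == "auth-int" and seen["Digest-Response-Auth"]:
            errors.append("Note 1: qop 'auth-int' needs Digest-HA1 instead")
        if qop in (None, "auth") and seen["Digest-HA1"]:
            errors.append("Note 2 / Section 3.19: Digest-HA1 not allowed for this qop")
    return errors
```

   Attributes that Table 1 does not list, such as NAS-IP-Address in the
   examples, are ignored by the check.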
