rfc5176.txt

   CoA-NAK; an Error-Cause Attribute with value "Unsupported Service"
   SHOULD be included.

2.3.  Packet Format

   For either Disconnect-Request or CoA-Request packets UDP port 3799 is
   used as the destination port.  For responses, the source and
   destination ports are reversed.  Exactly one RADIUS packet is
   encapsulated in the UDP Data field.

   A summary of the data format is shown below.  The fields are
   transmitted from left to right.

   The packet format consists of the following fields: Code, Identifier,
   Length, Authenticator, and Attributes in Type-Length-Value (TLV)
   format.  All fields hold the same meaning as those described in
   RADIUS [RFC2865].  The Authenticator field MUST be calculated in the
   same way as is specified for an Accounting-Request in [RFC2866].

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |  Identifier   |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                         Authenticator                         |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Attributes ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-

Chiba, et al.                Informational                      [Page 6]
RFC 5176       Dynamic Authorization Extensions to RADIUS   January 2008

   Code

      The Code field is one octet, and identifies the type of RADIUS
      packet.  Packets received with an invalid Code field MUST be
      silently discarded.

      RADIUS codes (decimal) for this extension are
      assigned as follows:

      40 - Disconnect-Request [RFC3575]
      41 - Disconnect-ACK [RFC3575]
      42 - Disconnect-NAK [RFC3575]
      43 - CoA-Request [RFC3575]
      44 - CoA-ACK [RFC3575]
      45 - CoA-NAK [RFC3575]

   Identifier

      The Identifier field is one octet, and aids in matching requests
      and replies.  A Dynamic Authorization Server implementing this
      specification MUST be capable of detecting a duplicate request if
      it has the same source IP address, source UDP port, and Identifier
      within a short span of time.

      The responsibility for retransmission of Disconnect-Request and
      CoA-Request packets lies with the Dynamic Authorization Client.
      If after sending these packets, the Dynamic Authorization Client
      does not receive a response, it will retransmit.

      The Identifier field MUST be changed whenever the content of the
      Attributes field changes, or whenever a valid reply has been
      received for a previous request.  For retransmissions where the
      contents are identical, the Identifier MUST remain unchanged.

      If the Dynamic Authorization Client is retransmitting a
      Disconnect-Request or CoA-Request to the same Dynamic
      Authorization Server as before, and the attributes haven't
      changed, the same Request Authenticator, Identifier, and source
      port MUST be used.  If any attributes have changed, a new
      Authenticator and Identifier MUST be used.

      If the Request to a primary Dynamic Authorization Server fails, a
      secondary Dynamic Authorization Server must be queried, if
      available; issues relating to failover algorithms are described in
      [RFC3539].  Since this represents a new request, a new Request
      Authenticator and Identifier MUST be used.  However, where the
      Dynamic Authorization Client is sending directly to the NAS,
      failover typically does not make sense, since CoA-Request or
      Disconnect-Request packets need to be delivered to the NAS where
      the session resides.

   Length

      The Length field is two octets.  It indicates the length of the
      packet including the Code, Identifier, Length, Authenticator, and
      Attribute fields.  Octets outside the range of the Length field
      MUST be treated as padding and ignored on reception.  If the
      packet is shorter than the Length field indicates, it MUST be
      silently discarded.  The minimum length is 20 and maximum length
      is 4096.

   Authenticator

      The Authenticator field is sixteen (16) octets.  The most
      significant octet is transmitted first.  This value is used to
      authenticate packets between the Dynamic Authorization Client and
      the Dynamic Authorization Server.

      Request Authenticator

         In Request packets, the Authenticator value is a 16-octet MD5
         [RFC1321] checksum, called the Request Authenticator.  The
         Request Authenticator is calculated the same way as for an
         Accounting-Request, specified in [RFC2866].

         Note that the Request Authenticator of a CoA-Request or
         Disconnect-Request cannot be computed the same way as the
         Request Authenticator of a RADIUS Access-Request, because there
         is no User-Password Attribute in a CoA-Request or Disconnect-
         Request.

      Response Authenticator

         The Authenticator field in a Response packet (e.g.,
         Disconnect-ACK, Disconnect-NAK, CoA-ACK, or CoA-NAK) is called
         the Response Authenticator, and contains a one-way MD5 hash
         calculated over a stream of octets consisting of the Code,
         Identifier, Length, the Request Authenticator field from the
         packet being replied to, and the response attributes if any,
         followed by the shared secret.  The resulting 16-octet MD5 hash
         value is stored in the Authenticator field of the Response
         packet.

      Administrative note: As noted in [RFC2865], Section 3, the secret
      (password shared between the Dynamic Authorization Client and the
      Dynamic Authorization Server) SHOULD be at least as large and
      unguessable as a well-chosen password.  The Dynamic Authorization
      Server MUST use the source IP address of the RADIUS UDP packet to
      decide which shared secret to use, so that requests can be
      proxied.

   Attributes

      In CoA-Request and Disconnect-Request packets, all attributes MUST
      be treated as mandatory.  If one or more authorization changes
      specified in a CoA-Request cannot be carried out, the NAS MUST
      send a CoA-NAK.  A NAS MUST respond to a CoA-Request containing
      one or more unsupported attributes or Attribute values with a
      CoA-NAK; an Error-Cause Attribute with value 401 (Unsupported
      Attribute) or 407 (Invalid Attribute Value) MAY be included.  A
      NAS MUST respond to a Disconnect-Request containing one or more
      unsupported attributes or Attribute values with a Disconnect-NAK;
      an Error-Cause Attribute with value 401 (Unsupported Attribute) or
      407 (Invalid Attribute Value) MAY be included.
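   The packet layout and the Request/Response Authenticator rules of
   Section 2.3, worked through as an added example.  This is not text or
   code from the RFC, nor from any RADIUS server; the shared secret,
   Identifier and attribute values are constructed, and the Error-Cause
   attribute number (101) is taken from a later section of RFC 5176 rather
   than from this page.  The parser applies the Code, Length and padding
   rules exactly as stated above and returns None wherever the text says
   "silently discarded".

```python
"""Added example, not part of RFC 5176 or of any RADIUS server's code: build,
parse and verify CoA/Disconnect packets as laid out in Section 2.3 above.
The shared secret, identifiers and attribute values are constructed."""
import hashlib
import hmac
import struct

# Packet codes (decimal) from Section 2.3.
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
REQUEST_CODES = {DISCONNECT_REQUEST, COA_REQUEST}
RESPONSE_CODES = {DISCONNECT_ACK, DISCONNECT_NAK, COA_ACK, COA_NAK}
MIN_LENGTH, MAX_LENGTH = 20, 4096      # Length field bounds from Section 2.3
HEADER = struct.Struct("!BBH")         # Code, Identifier, Length (network order)

SECRET = b"constructed-demo-secret"   # constructed for the demo only


def encode_attributes(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs; the Length octet counts the 2-octet header."""
    out = bytearray()
    for atype, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1..253 octets")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return bytes(out)


def request_authenticator(code, identifier, attrs, secret):
    """Request Authenticator as for an Accounting-Request [RFC2866]:
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = HEADER.pack(code, identifier, MIN_LENGTH + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """Response Authenticator: MD5(Code + Identifier + Length + Request
    Authenticator of the packet being replied to + Attributes + Secret)."""
    header = HEADER.pack(code, identifier, MIN_LENGTH + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_request(code, identifier, attrs, secret):
    body = encode_attributes(attrs)
    auth = request_authenticator(code, identifier, body, secret)
    return HEADER.pack(code, identifier, MIN_LENGTH + len(body)) + auth + body


def build_response(code, request, attrs, secret):
    """Reply to a raw request: reuse its Identifier and chain to its Request Authenticator."""
    body = encode_attributes(attrs)
    auth = response_authenticator(code, request[1], body, request[4:20], secret)
    return HEADER.pack(code, request[1], MIN_LENGTH + len(body)) + auth + body


def parse_packet(datagram):
    """Reception rules of Section 2.3: returns (code, identifier, authenticator,
    attribute octets), or None where the text says 'silently discarded'."""
    if len(datagram) < MIN_LENGTH:
        return None
    code, identifier, length = HEADER.unpack_from(datagram)
    if code not in REQUEST_CODES | RESPONSE_CODES:
        return None                          # invalid Code field
    if not MIN_LENGTH <= length <= MAX_LENGTH or len(datagram) < length:
        return None                          # shorter than Length says
    packet = datagram[:length]               # octets past Length are padding
    attrs, pos = packet[20:], 0
    while pos < len(attrs):                  # every TLV must fit and be >= 2 octets
        if pos + 2 > len(attrs) or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            return None
        pos += attrs[pos + 1]
    return code, identifier, packet[4:20], attrs


def verify_request(datagram, secret):
    """True for a CoA/Disconnect-Request whose Request Authenticator checks out."""
    parsed = parse_packet(datagram)
    if parsed is None or parsed[0] not in REQUEST_CODES:
        return False
    code, identifier, auth, attrs = parsed
    return hmac.compare_digest(auth, request_authenticator(code, identifier, attrs, secret))


def verify_response(datagram, request, secret):
    """True for a response that matches the outstanding request's Identifier
    and carries a valid Response Authenticator chained to that request."""
    parsed = parse_packet(datagram)
    if parsed is None or parsed[0] not in RESPONSE_CODES or parsed[1] != request[1]:
        return False
    code, identifier, auth, attrs = parsed
    expected = response_authenticator(code, identifier, attrs, request[4:20], secret)
    return hmac.compare_digest(auth, expected)


if __name__ == "__main__":
    # User-Name (1) and Acct-Session-Id (44) identify the session, as in Section 3.
    req = build_request(DISCONNECT_REQUEST, 7, [(1, b"alice"), (44, b"0000A1B2")], SECRET)
    print("request valid:", verify_request(req, SECRET))
    # Error-Cause is attribute 101 (RFC 5176 Section 3.5, a later page); 508 is
    # "Multiple Session Selection Unsupported" from the text above.
    nak = build_response(DISCONNECT_NAK, req, [(101, (508).to_bytes(4, "big"))], SECRET)
    print("NAK valid:", verify_response(nak, req, SECRET))
```

   The authenticator comparison uses a constant-time compare so that a
   server does not leak how many octets of a forged Authenticator were
   right.  The block does not implement the duplicate-request rule for
   the Identifier field (same source IP, source port and Identifier
   within a short time); a real server needs that cache as well, since
   a retransmitted request carries the very same Authenticator and
   Identifier.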
      State changes resulting from a CoA-Request MUST be atomic: if the
      CoA-Request is successful for all matching sessions, the NAS MUST
      send a CoA-ACK in reply, and all requested authorization changes
      MUST be made.  If the CoA-Request is unsuccessful for any matching
      sessions, the NAS MUST send a CoA-NAK in reply, and the requested
      authorization changes MUST NOT be made for any of the matching
      sessions.  Similarly, a state change MUST NOT occur as a result of
      a Disconnect-Request that is unsuccessful with respect to any of
      the matching sessions; a NAS MUST send a Disconnect-NAK in reply
      if any of the matching sessions cannot be successfully terminated.
      A NAS that does not support dynamic authorization changes applying
      to multiple sessions MUST send a CoA-NAK or Disconnect-NAK in
      reply; an Error-Cause Attribute with value 508 (Multiple Session
      Selection Unsupported) SHOULD be included.

      Within this specification, attributes can be used for
      identification, authorization, or other purposes.  RADIUS
      Attribute specifications created after publication of this
      document SHOULD state whether an attribute can be included in CoA
      or Disconnect messages, and if so, which messages it can be
      included in and whether it serves as an identification or
      authorization attribute.

      Even if a NAS implements an attribute for use with RADIUS
      authentication and accounting, it is possible that it will not
      support inclusion of that attribute within CoA-Request and
      Disconnect-Request packets, given the difference in attribute
      semantics.  This is true even for attributes specified as
      allowable within Access-Accept packets (such as those defined
      within [RFC2865], [RFC2868], [RFC2869], [RFC3162], [RFC3579],
      [RFC4372], [RFC4675], [RFC4818], and [RFC4849]).

3.  Attributes

   In Disconnect-Request and CoA-Request packets, certain attributes are
   used to uniquely identify the NAS as well as user session(s) on the
   NAS.  The combination of NAS and session identification attributes
   included in a CoA-Request or Disconnect-Request packet MUST match at
   least one session in order for a Request to be successful; otherwise
   a Disconnect-NAK or CoA-NAK MUST be sent.  If all NAS identification
   attributes match, and more than one session matches all of the
   session identification attributes, then a CoA-Request or Disconnect-
   Request MUST apply to all matching sessions.

   Identification attributes include NAS and session identification
   attributes, as described below.

     NAS identification attributes

     Attribute              #   Reference  Description
     ---------             ---  ---------  -----------
     NAS-IP-Address         4   [RFC2865]  The IPv4 address of the NAS.
     NAS-Identifier        32   [RFC2865]  String identifying the NAS.
     NAS-IPv6-Address      95   [RFC3162]  The IPv6 address of the NAS.

     Session identification attributes

     Attribute              #   Reference  Description
     ---------             ---  ---------  -----------
     User-Name              1   [RFC2865]  The name of the user
                                           associated with one or
                                           more sessions.
     NAS-Port               5   [RFC2865]  The port on which a
                                           session is terminated.
     Framed-IP-Address      8   [RFC2865]  The IPv4 address associated
                                           with a session.
     Vendor-Specific       26   [RFC2865]  One or more vendor-specific
                                           identification attributes.
     Called-Station-Id     30   [RFC2865]  The link address to which
                                           a session is connected.
     Calling-Station-Id    31   [RFC2865]  The link address from which
                                           one or more sessions are
                                           connected.
     Acct-Session-Id       44   [RFC2866]  The identifier uniquely
                                           identifying a session
                                           on the NAS.
     Acct-Multi-Session-Id 50   [RFC2866]  The identifier uniquely
                                           identifying related sessions.
     NAS-Port-Id           87   [RFC2869]  String identifying the port
                                           where a session is.
     Chargeable-User-      89   [RFC4372]  The CUI associated with one
     Identity                              or more sessions.  Needed
                                           where a privacy Network
                                           Access Identifier (NAI) is
                                           used, since in this case the
                                           User-Name (e.g., "anonymous")
                                           may not identify sessions
                                           belonging to a given user.
     Framed-Interface-Id   96   [RFC3162]  The IPv6 Interface Identifier
                                           associated with a session,
                                           always sent with
                                           Framed-IPv6-Prefix.
     Framed-IPv6-Prefix    97   [RFC3162]  The IPv6 prefix associated
                                           with a session, always sent
                                           with Framed-Interface-Id.

   To address security concerns described in Section 6.1, either the
   User-Name or Chargeable-User-Identity attribute SHOULD be present in
   Disconnect-Request and CoA-Request packets.

   Where a Diameter client utilizes the same Session-Id for both
   authorization and accounting, inclusion of an Acct-Session-Id
   Attribute in a Disconnect-Request or CoA-Request can assist with
   Diameter/RADIUS translation, since Diameter RAR and ASR commands
   include a Session-Id AVP.  An Acct-Session-Id Attribute SHOULD be
   included in Disconnect-Request and CoA-Request packets.

   A NAS implementing this specification SHOULD send an Acct-Session-Id
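   The session-selection rules of Section 3 and the atomic-change
   requirement of Section 2.3 ("Attributes"), worked through together as
   an added example.  This is not code from the RFC or from any NAS
   implementation.  The NAS identity, the sessions and the authorization
   keys ("rate_limit_kbps", "filter_id") are constructed and hypothetical;
   the Error-Cause values 401, 407 and 508 are the ones quoted on this page,
   while 403 (NAS Identification Mismatch) and 503 (Session Context Not
   Found) come from the Error-Cause table later in RFC 5176.  One further
   assumption is marked in the code: a request that carries no session
   identification attribute at all is treated as matching no session.

```python
"""Added example, not part of RFC 5176 or of any NAS implementation: how a
NAS can select sessions with the Section 3 identification attributes and
apply a CoA-Request or Disconnect-Request atomically, as Section 2.3 requires.
The sessions, NAS identity and authorization keys are constructed."""
from dataclasses import dataclass

# Attribute numbers from the Section 3 tables.
NAS_IP_ADDRESS, NAS_IDENTIFIER, NAS_IPV6_ADDRESS = 4, 32, 95
USER_NAME, NAS_PORT, FRAMED_IP_ADDRESS, VENDOR_SPECIFIC = 1, 5, 8, 26
CALLED_STATION_ID, CALLING_STATION_ID, ACCT_SESSION_ID = 30, 31, 44
ACCT_MULTI_SESSION_ID, NAS_PORT_ID, CHARGEABLE_USER_IDENTITY = 50, 87, 89
FRAMED_INTERFACE_ID, FRAMED_IPV6_PREFIX = 96, 97
NAS_ID_ATTRS = {NAS_IP_ADDRESS, NAS_IDENTIFIER, NAS_IPV6_ADDRESS}
SESSION_ID_ATTRS = {USER_NAME, NAS_PORT, FRAMED_IP_ADDRESS, VENDOR_SPECIFIC,
                    CALLED_STATION_ID, CALLING_STATION_ID, ACCT_SESSION_ID,
                    ACCT_MULTI_SESSION_ID, NAS_PORT_ID, CHARGEABLE_USER_IDENTITY,
                    FRAMED_INTERFACE_ID, FRAMED_IPV6_PREFIX}
# Error-Cause values: 401, 407 and 508 are quoted on this page; 403 (NAS
# Identification Mismatch) and 503 (Session Context Not Found) come from the
# Error-Cause table later in RFC 5176.
ERR_UNSUPPORTED_ATTRIBUTE, ERR_NAS_MISMATCH, ERR_INVALID_VALUE = 401, 403, 407
ERR_SESSION_NOT_FOUND, ERR_MULTI_SESSION_UNSUPPORTED = 503, 508

# Authorization keys this toy NAS can change (hypothetical names, not RADIUS attributes).
SUPPORTED_CHANGES = {"rate_limit_kbps": int, "filter_id": str}


@dataclass
class Session:
    ident: dict                 # identification attribute number -> value
    authz: dict                 # current authorization state
    port_speed_kbps: int        # hard limit of the port the session sits on
    active: bool = True


class Nas:
    def __init__(self, identity, sessions, multi_session=True):
        self.identity = identity            # this NAS's identification attributes
        self.sessions = sessions
        self.multi_session = multi_session  # may one request touch several sessions?

    def select(self, attrs):
        """Apply the Section 3 matching rules; returns (sessions, error cause)."""
        for num, value in attrs.items():
            if num not in NAS_ID_ATTRS | SESSION_ID_ATTRS:
                return [], ERR_UNSUPPORTED_ATTRIBUTE
            if num in NAS_ID_ATTRS and self.identity.get(num) != value:
                return [], ERR_NAS_MISMATCH
        selectors = {n: v for n, v in attrs.items() if n in SESSION_ID_ATTRS}
        if not selectors:   # assumption: a request naming no session matches none
            return [], ERR_SESSION_NOT_FOUND
        matched = [s for s in self.sessions if s.active
                   and all(s.ident.get(n) == v for n, v in selectors.items())]
        if not matched:
            return [], ERR_SESSION_NOT_FOUND
        if len(matched) > 1 and not self.multi_session:
            return [], ERR_MULTI_SESSION_UNSUPPORTED
        return matched, None

    def disconnect(self, attrs):
        """Disconnect-Request: terminate every matching session, or none."""
        matched, err = self.select(attrs)
        if err is not None:
            return "Disconnect-NAK", err
        for s in matched:
            s.active = False
        return "Disconnect-ACK", None

    def change_of_authorization(self, attrs, changes):
        """CoA-Request: validate the change for every matching session before
        touching any of them, so a failure leaves all sessions unchanged."""
        matched, err = self.select(attrs)
        if err is not None:
            return "CoA-NAK", err
        for key, value in changes.items():
            if key not in SUPPORTED_CHANGES:
                return "CoA-NAK", ERR_UNSUPPORTED_ATTRIBUTE
            if not isinstance(value, SUPPORTED_CHANGES[key]):
                return "CoA-NAK", ERR_INVALID_VALUE
        rate = changes.get("rate_limit_kbps")
        if rate is not None and any(rate <= 0 or rate > s.port_speed_kbps for s in matched):
            return "CoA-NAK", ERR_INVALID_VALUE   # one session cannot take it: none changes
        for s in matched:
            s.authz.update(changes)
        return "CoA-ACK", None


def build_demo_nas(multi_session=True):
    """Constructed NAS 'nas-1' with two sessions for alice and one for bob."""
    return Nas({NAS_IDENTIFIER: "nas-1", NAS_IP_ADDRESS: "192.0.2.10"}, [
        Session({USER_NAME: "alice", NAS_PORT: 1, ACCT_SESSION_ID: "A1"}, {"rate_limit_kbps": 512}, 10000),
        Session({USER_NAME: "alice", NAS_PORT: 2, ACCT_SESSION_ID: "A2"}, {"rate_limit_kbps": 512}, 1000),
        Session({USER_NAME: "bob", NAS_PORT: 3, ACCT_SESSION_ID: "B1"}, {"rate_limit_kbps": 512}, 10000),
    ], multi_session)


if __name__ == "__main__":
    nas = build_demo_nas()
    # 2000 kbps exceeds alice's second port, so neither alice session is changed.
    print(nas.change_of_authorization({USER_NAME: "alice"}, {"rate_limit_kbps": 2000}))
    print(nas.change_of_authorization({USER_NAME: "alice"}, {"rate_limit_kbps": 800}))
    print(nas.disconnect({NAS_IDENTIFIER: "nas-1", USER_NAME: "alice", ACCT_SESSION_ID: "A2"}))
```

   The point of the two-pass structure in change_of_authorization is the
   atomicity rule: a User-Name alone matches both of alice's sessions, and
   when one of them cannot accept the new rate the NAS answers CoA-NAK
   without touching the other.  The same selection routine serves
   Disconnect-Request, which is why a NAS that cannot act on several
   sessions at once returns 508 from both code paths.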
