rfc5176.txt

使用最广泛的radius的linux的源码

Chiba, et al.                Informational                     [Page 16]

RFC 5176       Dynamic Authorization Extensions to RADIUS   January 2008


      values may only be sent within CoA-ACK or Disconnect-ACK packets
      and MUST NOT be sent within a CoA-NAK or Disconnect-NAK packet.
      Values 400-499 represent fatal errors committed by the Dynamic
      Authorization Client, so that they MAY be sent within CoA-NAK or
      Disconnect-NAK packets, and MUST NOT be sent within CoA-ACK or
      Disconnect-ACK packets.  Values 500-599 represent fatal errors
      occurring on a Dynamic Authorization Server, so that they MAY be
      sent within CoA-NAK and Disconnect-NAK packets, and MUST NOT be
      sent within CoA-ACK or Disconnect-ACK packets.  Error-Cause values
      SHOULD be logged by the Dynamic Authorization Client.  Error-Code
      values (expressed in decimal) include:

       #     Value
      ---    -----
      201    Residual Session Context Removed
      202    Invalid EAP Packet (Ignored)
      401    Unsupported Attribute
      402    Missing Attribute
      403    NAS Identification Mismatch
      404    Invalid Request
      405    Unsupported Service
      406    Unsupported Extension
      407    Invalid Attribute Value
      501    Administratively Prohibited
      502    Request Not Routable (Proxy)
      503    Session Context Not Found
      504    Session Context Not Removable
      505    Other Proxy Processing Error
      506    Resources Unavailable
      507    Request Initiated
      508    Multiple Session Selection Unsupported

      "Residual Session Context Removed" is sent in response to a
      Disconnect-Request if one or more user sessions are no longer
      active, but residual session context was found and successfully
      removed.  This value is only sent within a Disconnect-ACK and MUST
      NOT be sent within a CoA-ACK, Disconnect-NAK, or CoA-NAK.

      "Invalid EAP Packet (Ignored)" is a non-fatal error that MUST NOT
      be sent by implementations of this specification.

      "Unsupported Attribute" is a fatal error sent if a Request
      contains an attribute (such as a Vendor-Specific or EAP-Message
      Attribute) that is not supported.

      "Missing Attribute" is a fatal error sent if critical attributes
      (such as NAS or session identification attributes) are missing
      from a Request.



Chiba, et al.                Informational                     [Page 17]

RFC 5176       Dynamic Authorization Extensions to RADIUS   January 2008


      "NAS Identification Mismatch" is a fatal error sent if one or more
      NAS identification attributes (see Section 3) do not match the
      identity of the NAS receiving the Request.

      "Invalid Request" is a fatal error sent if some other aspect of
      the Request is invalid, such as if one or more attributes (such as
      EAP-Message Attribute(s)) are not formatted properly.

      "Unsupported Service" is a fatal error sent if a Service-Type
      Attribute included with the Request is sent with an invalid or
      unsupported value.  This error cannot be sent in response to a
      Disconnect-Request.

      "Unsupported Extension" is a fatal error sent due to lack of
      support for an extension such as Disconnect and/or CoA packets.
      This will typically be sent by a proxy receiving an ICMP port
      unreachable message after attempting to forward a CoA-Request or
      Disconnect-Request to the NAS.

      "Invalid Attribute Value" is a fatal error sent if a CoA-Request
      or Disconnect-Request contains an attribute with an unsupported
      value.

      "Administratively Prohibited" is a fatal error sent if the NAS is
      configured to prohibit honoring of CoA-Request or Disconnect-
      Request packets for the specified session.

      "Request Not Routable" is a fatal error that MAY be sent by a
      proxy and MUST NOT be sent by a NAS.  It indicates that the proxy
      was unable to determine how to route a CoA-Request or Disconnect-
      Request to the NAS.  For example, this can occur if the required
      entries are not present in the proxy's realm routing table.

      "Session Context Not Found" is a fatal error sent if the session
      context identified in the CoA-Request or Disconnect-Request does
      not exist on the NAS.

      "Session Context Not Removable" is a fatal error sent in response
      to a Disconnect-Request if the NAS was able to locate the session
      context, but could not remove it for some reason.  It MUST NOT be
      sent within a CoA-ACK, CoA-NAK, or Disconnect-ACK, only within a
      Disconnect-NAK.

      "Other Proxy Processing Error" is a fatal error sent in response
      to a CoA or Disconnect-Request that could not be processed by a
      proxy, for reasons other than routing.





Chiba, et al.                Informational                     [Page 18]

RFC 5176       Dynamic Authorization Extensions to RADIUS   January 2008


      "Resources Unavailable" is a fatal error sent when a CoA or
      Disconnect-Request could not be honored due to lack of available
      NAS resources (memory, non-volatile storage, etc.).

      "Request Initiated" is a fatal error sent by a NAS in response to
      a CoA-Request including a Service-Type Attribute with a value of
      "Authorize Only".  It indicates that the CoA-Request has not been
      honored, but that the NAS is sending one or more RADIUS Access-
      Requests including a Service-Type Attribute with value "Authorize
      Only" to the RADIUS server.

      "Multiple Session Selection Unsupported" is a fatal error sent by
      a NAS in response to a CoA-Request or Disconnect-Request whose
      session identification attributes match multiple sessions, where
      the NAS does not support Requests applying to multiple sessions.




































Chiba, et al.                Informational                     [Page 19]

RFC 5176       Dynamic Authorization Extensions to RADIUS   January 2008


3.6.  Table of Attributes

   The following table provides a guide to which attributes may be found
   in which packets, and in what quantity.

   Change-of-Authorization Messages

   Request   ACK      NAK   #   Attribute
   0-1       0        0     1   User-Name (Note 1)
   0-1       0        0     4   NAS-IP-Address (Note 1)
   0-1       0        0     5   NAS-Port (Note 1)
   0-1       0        0-1   6   Service-Type
   0-1       0        0     7   Framed-Protocol (Note 3)
   0-1       0        0     8   Framed-IP-Address (Notes 1, 6)
   0-1       0        0     9   Framed-IP-Netmask (Note 3)
   0-1       0        0    10   Framed-Routing (Note 3)
   0+        0        0    11   Filter-ID (Note 3)
   0-1       0        0    12   Framed-MTU (Note 3)
   0+        0        0    13   Framed-Compression (Note 3)
   0+        0        0    14   Login-IP-Host (Note 3)
   0-1       0        0    15   Login-Service (Note 3)
   0-1       0        0    16   Login-TCP-Port (Note 3)
   0+        0        0    18   Reply-Message (Note 2)
   0-1       0        0    19   Callback-Number (Note 3)
   0-1       0        0    20   Callback-Id (Note 3)
   0+        0        0    22   Framed-Route (Note 3)
   0-1       0        0    23   Framed-IPX-Network (Note 3)
   0-1       0-1      0-1  24   State
   0+        0        0    25   Class (Note 3)
   0+        0        0    26   Vendor-Specific (Note 7)
   0-1       0        0    27   Session-Timeout (Note 3)
   0-1       0        0    28   Idle-Timeout (Note 3)
   0-1       0        0    29   Termination-Action (Note 3)
   Request   ACK      NAK   #   Attribute

















Chiba, et al.                Informational                     [Page 20]

RFC 5176       Dynamic Authorization Extensions to RADIUS   January 2008


   Request   ACK      NAK   #   Attribute
   0-1       0        0    30   Called-Station-Id (Note 1)
   0-1       0        0    31   Calling-Station-Id (Note 1)
   0-1       0        0    32   NAS-Identifier (Note 1)
   0+        0+       0+   33   Proxy-State
   0-1       0        0    34   Login-LAT-Service (Note 3)
   0-1       0        0    35   Login-LAT-Node (Note 3)
   0-1       0        0    36   Login-LAT-Group (Note 3)
   0-1       0        0    37   Framed-AppleTalk-Link (Note 3)
   0+        0        0    38   Framed-AppleTalk-Network (Note 3)
   0-1       0        0    39   Framed-AppleTalk-Zone (Note 3)
   0-1       0        0    44   Acct-Session-Id (Note 1)
   0-1       0        0    50   Acct-Multi-Session-Id (Note 1)
   0-1       0-1      0-1  55   Event-Timestamp
   0+        0        0    56   Egress-VLANID (Note 3)
   0-1       0        0    57   Ingress-Filters (Note 3)
   0+        0        0    58   Egress-VLAN-Name (Note 3)
   0-1       0        0    59   User-Priority-Table (Note 3)
   0-1       0        0    61   NAS-Port-Type (Note 3)
   0-1       0        0    62   Port-Limit (Note 3)
   0-1       0        0    63   Login-LAT-Port (Note 3)
   0+        0        0    64   Tunnel-Type (Note 5)
   0+        0        0    65   Tunnel-Medium-Type (Note 5)
   0+        0        0    66   Tunnel-Client-Endpoint (Note 5)
   0+        0        0    67   Tunnel-Server-Endpoint (Note 5)
   0+        0        0    69   Tunnel-Password (Note 5)
   0-1       0        0    71   ARAP-Features (Note 3)
   0-1       0        0    72   ARAP-Zone-Access (Note 3)
   0+        0        0    78   Configuration-Token (Note 3)
   0+        0-1      0    79   EAP-Message (Note 2)
   0-1       0-1      0-1  80   Message-Authenticator
   0+        0        0    81   Tunnel-Private-Group-ID (Note 5)
   0+        0        0    82   Tunnel-Assignment-ID (Note 5)
   0+        0        0    83   Tunnel-Preference (Note 5)
   0-1       0        0    85   Acct-Interim-Interval (Note 3)
   0-1       0        0    87   NAS-Port-Id (Note 1)
   0-1       0        0    88   Framed-Pool (Note 3)
   0-1       0        0    89   Chargeable-User-Identity (Note 1)
   0+        0        0    90   Tunnel-Client-Auth-ID (Note 5)
   0+        0        0    91   Tunnel-Server-Auth-ID (Note 5)
   0-1       0        0    92   NAS-Filter-Rule (Note 3)
   0         0        0    94   Originating-Line-Info
   0-1       0        0    95   NAS-IPv6-Address (Note 1)
   0-1       0        0    96   Framed-Interface-Id (Notes 1, 6)
   0+        0        0    97   Framed-IPv6-Prefix (Notes 1, 6)
   0+        0        0    98   Login-IPv6-Host (Note 3)
   0+        0        0    99   Framed-IPv6-Route (Note 3)
   Request   ACK      NAK   #   Attribute



Chiba, et al.                Informational                     [Page 21]

RFC 5176       Dynamic Authorization Extensions to RADIUS   January 2008


   Request   ACK      NAK   #   Attribute
   0-1       0        0   100   Framed-IPv6-Pool (Note 3)
   0         0        0+  101   Error-Cause
   0+        0        0   123   Delegated-IPv6-Prefix (Note 3)
   Request   ACK      NAK   #   Attribute

   Disconnect Messages

   Request   ACK      NAK   #   Attribute
   0-1       0        0     1   User-Name (Note 1)
   0-1       0        0     4   NAS-IP-Address (Note 1)
   0-1       0        0     5   NAS-Port (Note 1)
   0         0        0     6   Service-Type
   0         0        0     8   Framed-IP-Address (Note 1)