INTERNET DRAFT D. Spence
draft-spence-aaa-nas-data-model-00.txt R. Kopacz
J. Vollbrecht
Interlink Networks, Inc.
D. Durham
A. Kulkarni
Intel Corp.
W. Weiss
Ellacoya Networks, Inc.
November 2000
Data Model for Network Access
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026 [1].
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This memo describes work in progress within the AAA Working Group.
Comments are welcome and can be submitted to the authors or to the
AAA Working Group mailing list (aaa-wg@merit.edu).
Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society 2000. All Rights Reserved.
Spence et al. expires May 2001 [Page 1]
INTERNET DRAFT Data Model for Network Access November 2000
Abstract
Recently, considerable attention has been given to the need to better
structure the information carried in protocols operating within the
network access environment. The arguable benefits of structured
information are consistency in the definitions and reuse of individual
data elements, and well-defined means for extending existing
structures to support new or proprietary features and capabilities.
In an effort to demonstrate the benefits of organizing data elements
and provide a practical means for deploying such a model, this memo
takes the existing attributes currently used in RADIUS and maps them
into a data model. To demonstrate the deployment of the data model
within the network access environment, the data model has been
represented as a PIB. While the data model could be implemented to
run over protocols other than COPS, SPPI is currently the only
language available which expresses data modeling concepts with
sufficient detail to demonstrate the benefits in a practical manner.
Table of Contents
Status of this Memo ............................................ 1
Copyright Notice ............................................... 1
Abstract ....................................................... 2
1. Introduction ................................................ 2
2. The Network Access Data Model ............................... 4
2.1. How to read the UML .................................... 4
3. Some Issues Raised by the Study ............................. 5
4. The RADIUS PIB .............................................. 7
5. Security Considerations ..................................... 87
References ..................................................... 87
Authors' Addresses ............................................. 88
1. Introduction
This memo describes work done in response to a request from the chair
of the aaa-wg for data modelling input to the aaa design team. The
work includes developing a data model of "RADIUS NAS" which includes
all the RADIUS attributes, a description of some issues with the
RADIUS data structure uncovered by the process of documenting the
model, and a mapping of the model to an SPPI representation. We
think this work illustrates the benefits of data modelling in this
environment.
The next iteration of this work will produce an "ideal" data model of
a NAS and Server, and compare this with the "RADIUS NAS" model. The
"ideal" model will then be used to design and evaluate the aaa
protocol.
Contrary to the RADIUS environment of the past, today's network
access environment has to coexist with many other technologies. There
is an increasing trend to move as much network complexity as possible
to the edges and make the core of the network as simple as possible.
As more and more functionality is moved to the edges of the network,
AAA will have to coexist with DiffServ, IntServ, MPLS, L2TP, DHCP and
IPSEC, to name a few. This trend represents a significant
integration challenge. While each technology uses its own
protocols and management strategies, there are a significant number of
interdependencies between the technologies. One subset may perform
classification based on addresses or ports, while another subset may
specify relationships between users and addresses or applications and
ports. In turn, various services may be provisioned based on this
knowledge. These services can include tunnels, security, QoS,
firewalls, and access to multicast resources. As the sophistication
of service offerings increases, the accounting strategies applied to
these services will become more complex and interwoven with the
service as well.
Given all these interrelationships, a common set of semantics in the
protocols and the management interfaces is critical. Inconsistencies
in the representations of various concepts require mappings that are
in themselves subjective and error prone, particularly when
undertaken by individual vendors. Mapping problems are exacerbated
when the semantics of various attributes are subjective. When an
attribute has multiple meanings depending on the context in which it
is being used, mappings become much more difficult.
In the timeframe when AAA will be deployed, user identity and service
accounting will play key roles in the infrastructure at the edges of
large networks. Non-AAA technologies will become increasingly
dependent on most of the attributes defined within the AAA protocol
and vice versa. These interdependencies demand that more discipline
be applied to the definition and organization of the attributes
defined and used by AAA. This memo takes a first step at defining
these attributes consistently and organizing them along functional
boundaries.
The basis of this contribution is the initial set of RADIUS
attributes defined in the RADIUS RFCs [3-7]. These attributes were
first organized by logical function, and then the interrelationships
were specified. The complete data model is represented in a UML
diagram [2]. (The UML diagram is too complex to be represented in a
text document, but a URL for obtaining it is given in [2].) This
model was then physically instantiated in SPPI. SPPI was chosen
because it was the only data modeling language available that
provides the necessary constructs to adequately implement the model.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [14].
2. The Network Access Data Model
2.1. How to read the UML
The data model discussed in this memo is graphically presented in [2]
using the Unified Modeling Language (UML). Since the conventions for
UML may be new to this audience, this section is provided as a
tutorial for reading UML graphics.
At first glance, the UML diagram has two obvious features. The first
is the boxes that appear throughout the diagram. The second is the
lines of various colors that interconnect the boxes. Let's first
consider the boxes. Each box represents a grouping of data elements.
The box itself is referred to as a 'class.' The various data
elements in the box are referred to as attributes or properties. It
is worth noting that a class can be used to logically represent
either a data structure that exists within a process (such as a
routing table entry), or a protocol element that is passed between
two processes over a network, or both. Given that this data model
draws heavily on existing RADIUS attributes, the main application for
the classes will be as protocol elements. However, many of the
classes defined in the model, such as Session Management and
surrounding classes are also valid data structures that could be
retrieved through management protocols such as SNMP.
The lines interconnecting the various boxes represent the various
types of relationships that can exist. The blue line with the
arrowhead at the top represents inheritance. Inheritance describes a
specialization of a more generalized concept. The main purpose of
inheritance is to allow the consistent specification of attributes
that mean the same thing across various specializations. For
example, all known forms of user authentication share the concept of
a user name. Therefore, user name is specified in a superclass (more
generalized) and reused in each specialization of user
authentication. It is important to note that an instantiation of a
subclass (more specialized) will include the attributes in between
and including the subclass and the base class at the top of the
inheritance tree. Therefore, an instance of Tunnel Service will
have the attributes of Tunnel Service, IP Setup, Framed Link Setup,
and Session Management. A convenient way of thinking about
inheritance or specialization is to apply the phrase 'is a type of'
or 'is a special kind of' or just 'is a.' For example, Chap
Authentication is a special kind of User Authentication, but User
Authentication is not a special kind of Chap Authentication.
The green line with a diamond at one end represents the concept of
aggregation. Aggregations are collections of class instances that
are owned by another class instance. Aggregations also have a
temporal meaning. In other words, when the owner of an aggregation is
no longer valid, the aggregation is no longer valid either. The
diamond on the green line is always connected to the class that is
the owner. Hence, the NAS Port Manager owns a NAS Identification. A
convenient way to determine the appropriate use of an aggregation is
with the phrase 'has a'. So, we can say that Multilink has a Session
Manager.
The red line describes an association. An association is a
relationship of some type. Relationships typically exist to allow
mutual traversal of related items. For example, if we know the User
Name and we want to find the Per Session Accounting information, we
would use the association to the appropriate Session Management
instance and then use the association from Session Management to the
appropriate instance of Per Session Accounting. In addition, there is
no temporal relationship between two ends of an association. In
other words, either end can exist without the other end. The concept
of associations is fairly universal. MIBs use row pointers to
represent associations. Directories use Distinguished Names to
accomplish the same thing. The way to determine the appropriate use
of associations is to apply the phrase 'uses a'. For example, Call
Setup uses a Callback Service.
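The three kinds of relationship described in this section, expressed as Python classes. This is an added example and not part of the draft or of its UML diagram: the class names follow the model, but the attribute each class carries is a constructed stand-in (placing Framed-Protocol in Framed Link Setup, Framed-IP-Address in IP Setup and Tunnel-Type in Tunnel Service is an assumption, not read from the diagram). What the example checks is the lifetime behaviour that distinguishes the three lines: an instance of the most specialised class carries every attribute up to the base, an aggregated part dies with its owner, and an association is a pointer that either end can outlive.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


# Inheritance ('is a'): an instance of the most specialised class carries
# every attribute between it and the base of the tree, as the text says of
# Tunnel Service. Attributes are constructed, abbreviated stand-ins.
@dataclass
class SessionManagement:
    acct_session_id: str          # radAcctSessionId
    session_timeout: int = 0      # radSessionTimeout


@dataclass
class FramedLinkSetup(SessionManagement):
    framed_protocol: str = "PPP"  # assumed placement of Framed-Protocol


@dataclass
class IpSetup(FramedLinkSetup):
    framed_ip_address: str = "0.0.0.0"  # assumed placement of Framed-IP-Address


@dataclass
class TunnelService(IpSetup):
    tunnel_type: str = "L2TP"     # assumed placement of Tunnel-Type


def attribute_names(instance) -> List[str]:
    """Every attribute an instance carries, base class first."""
    return list(vars(instance))


# Aggregation ('has a'): the owner controls the lifetime of the part. When
# the NAS Port Manager goes away, its NAS Identification goes with it.
@dataclass
class NasIdentification:
    nas_identifier: str


class NasPortManager:
    def __init__(self, nas_identifier: str, nas_port: int):
        self.nas_port = nas_port
        self.nas_id: Optional[NasIdentification] = NasIdentification(nas_identifier)

    def tear_down(self) -> None:
        """The owner is no longer valid, so neither is the aggregated part."""
        self.nas_id = None


# Association ('uses a'): a pointer between independent instances, like a
# MIB row pointer or a directory DN. Either end can exist without the
# other, so a traversal has to cope with a dangling pointer.
@dataclass
class PerSessionAccounting:
    acct_session_id: str
    input_octets: int = 0


class Nas:
    def __init__(self) -> None:
        self.session_by_user: Dict[str, SessionManagement] = {}
        self.accounting_by_session: Dict[str, PerSessionAccounting] = {}

    def start_session(self, user_name: str, session: SessionManagement) -> None:
        self.session_by_user[user_name] = session
        sid = session.acct_session_id
        self.accounting_by_session[sid] = PerSessionAccounting(sid)

    def end_session(self, user_name: str) -> None:
        """Drop the Session Management instance; the accounting record outlives it."""
        self.session_by_user.pop(user_name, None)

    def accounting_for(self, user_name: str) -> Optional[PerSessionAccounting]:
        """User Name -> Session Management -> Per Session Accounting,
        the traversal described in the text."""
        session = self.session_by_user.get(user_name)
        if session is None:
            return None
        return self.accounting_by_session.get(session.acct_session_id)
```

Ending a session removes only the Session Management instance; the Per Session Accounting record is still reachable by session id, which is exactly the absence of temporal coupling that separates an association from an aggregation.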
3. Some Issues Raised by the Study
During the course of the project, a number of issues were uncovered
that require further study. Some of these relate to limitations of
the model while others point out limitations in RADIUS. Limitations
of the model may be overcome with more sophisticated modeling
techniques. The limitations of RADIUS can be overcome in the design
of the next generation protocol.
1) Multi-party Issues
The model is mostly a static model of the data as stored in a NAS.
This gives a coherent point of view. Unfortunately, the
communications involve multiple parties. A NAS model, for
instance, does not capture user to server communications or server
to server communications. It also does not convey the origin or
destination of the data since it is not a communication model.
2) Temporal Aspects Not Modeled
AAA often requires a sequence of messages. Sequencing is not
depicted in a static data model. It has been suggested that a
state diagram could be created to model the temporal aspects of
the communications.
3) The Place of Accounting
Currently, the three As are entirely separate in the model whereas
the accounting data elements should be divided up according to
which parts of the service they pertain to just as the
authorization/provisioning data elements are. Unfortunately,
this cannot be done with RADIUS because the accounting attributes
are all generic. This leads to ambiguities as to what the counts
represent. Take Acct-Input-Octets, for example. Where are the
octets counted? If you count them in different places, you get
different results.
4) Overloading of RADIUS Attributes
There are a number of places where RADIUS uses the same attribute
for more than one purpose. For example the User-Password
attribute can convey a PAP password or the response to a
challenge. This problem has been handled in the model and the PIB
by splitting one attribute into two or more attributes by
appending numbers following the attribute name.
5) The Place of Multilink
In RADIUS, multilink is simply an aggregation of sessions. In
PPP, however, it is the upper sublayer of the data link layer.
From a service perspective this is important. The network layer
(IP) lies above the data link layer. So, for instance, you have
one IP address for the multilink not for the individual links.
Network layer tunnels would be built with one tunnel for the
multi-link.
6) Management of the Multilink Service
Currently, the management of the multilink service is the sole
responsibility of the NASes. There are no standard protocols to
assist the NASes. Management is difficult because multilink
sessions will span multiple NASes in a POP. The AAA server could
provide valuable assistance with multilink management but it would
require much more information than RADIUS provides. One could
expand the model to encompass multilink management.
7) The Relation Between Subsessions and Supersessions
As an example of session aggregation, multilink raises the issue
of how to model the notion of subsessions and supersessions. For
example, one ought to be able to treat the subsessions as sessions
and also treat the supersessions as sessions while still modeling
the aggregation. Thus it ought to be possible to generate
accounting data for a multilink session and also be able to
generate accounting data for the individual subsessions. RADIUS
does not provide for multilink accounting.
8) How to Depict the Authorization/Provisioning Objects
The authorization/provisioning objects toward the bottom of the
diagram model the service itself. The service supports data
communications in the data link and network layers.
Unfortunately, they come out in this diagram upside down. Also,
the network layer objects are shown as extensions of the link
layer objects. They could be separate objects.
9) Where to Place the Tunneling Attributes
Various different types of tunneling at various different protocol
layers are all lumped together in RADIUS into a single set of
tunnel attributes. More work could fruitfully be spent in
modeling tunnels and refining the attributes.
4. The RADIUS PIB
The RADIUS PIB was created from the data model. Because the data
model sought to organize the RADIUS attributes, the data elements of
the RADIUS PIB are drawn from the RADIUS attribute set. The
descriptions were extracted directly from the RADIUS RFCs [3-7]. Some
RADIUS attributes are used for more than one purpose in different
contexts. To remove such ambiguities, we have sometimes defined more
than one data element based on the same RADIUS attribute. We
appended an integer to the RADIUS attribute name to distinguish the
different data elements based on the same attribute. A few RADIUS
attributes contain more than one data field. These were entered into
the PIBs as multiple data elements as needed.
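As an added example that is not part of the draft or of its PIB, the Python below maps the attributes of a RADIUS Access-Request onto rows of the nasIdTable and nasPortManagerTable classes defined below, and enforces the two requirements their DESCRIPTION clauses carry: at least one of radNasIdentifier and radNasIpAddress MUST be present, and neither of them is used to select the shared secret, which is looked up from the packet's source IP address only. The attribute type codes are the RADIUS values from RFC 2865 (NAS-Port-Id, 87, from RFC 2869); the client table, the NAS names and the port values are constructed.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

# RADIUS attribute type codes (RFC 2865; NAS-Port-Id is 87, from RFC 2869).
NAS_IP_ADDRESS = 4
NAS_PORT = 5
NAS_IDENTIFIER = 32
NAS_PORT_TYPE = 61
NAS_PORT_ID = 87
FIXED_32BIT = {NAS_IP_ADDRESS, NAS_PORT, NAS_PORT_TYPE}

# Labels of the radNasPortType enumeration as the PIB defines them.
NAS_PORT_TYPE_LABELS = {
    0: "radAsync", 1: "radSync", 2: "radIsdnSync", 3: "radIsdnAsyncV120",
    4: "radIsdnAsyncV110", 5: "radVirtual", 6: "radPIAFS",
    7: "radHdlcClearChannel", 8: "radX25", 9: "radX75", 10: "radG3Fax",
    11: "radSDSL", 12: "radAdslCAP", 13: "radAdslDMT", 14: "radIdsl",
    15: "radEthernet", 16: "radXdsl", 17: "radCable",
    18: "radWirelessOther", 19: "radWirelessIEEE80211",
}

# Constructed client table: shared secrets keyed by NAS source address
# (a real server loads this from its client configuration).
SHARED_SECRETS = {
    "192.0.2.10": b"constructed-secret-a",
    "192.0.2.11": b"constructed-secret-b",
}


@dataclass
class NasIdEntry:
    """Row of nasIdTable: what identifies the NAS."""
    radNasIdentifier: Optional[str] = None
    radNasIpAddress: Optional[str] = None


@dataclass
class NasPortManagerEntry:
    """Row of nasPortManagerTable: the port the user is connected on."""
    radNasPort: Optional[int] = None
    radNasPortId: Optional[bytes] = None
    radNasPortType: Optional[str] = None


def encode_attr(atype: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type(1) Length(1) Value; Length counts the header."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([atype, len(value) + 2]) + value


def parse_attrs(payload: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk the attribute list, rejecting truncated or under-length attributes."""
    pos = 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError(f"bad length {alen} for attribute type {atype}")
        yield atype, payload[pos + 2:pos + alen]
        pos += alen


def map_access_request(payload: bytes, source_ip: str):
    """Fill the two PIB rows from an Access-Request attribute list and
    return them with the shared secret chosen for the packet's source."""
    nas_id, port = NasIdEntry(), NasPortManagerEntry()
    for atype, value in parse_attrs(payload):
        if atype in FIXED_32BIT and len(value) != 4:
            raise ValueError(f"attribute type {atype} must carry 4 bytes")
        if atype == NAS_IP_ADDRESS:
            nas_id.radNasIpAddress = str(ipaddress.IPv4Address(value))
        elif atype == NAS_IDENTIFIER:
            nas_id.radNasIdentifier = value.decode("utf-8", "replace")
        elif atype == NAS_PORT:
            port.radNasPort = struct.unpack("!I", value)[0]
        elif atype == NAS_PORT_ID:
            port.radNasPortId = value
        elif atype == NAS_PORT_TYPE:
            code = struct.unpack("!I", value)[0]
            port.radNasPortType = NAS_PORT_TYPE_LABELS.get(code, f"unknown({code})")
    # radNasIdentifier's DESCRIPTION: one of the two MUST be present ...
    if nas_id.radNasIdentifier is None and nas_id.radNasIpAddress is None:
        raise ValueError("neither NAS-Identifier nor NAS-IP-Address present")
    # ... and neither MUST be used to select the secret: only the source IP is.
    secret = SHARED_SECRETS.get(source_ip)
    if secret is None:
        raise PermissionError(f"no shared secret configured for source {source_ip}")
    return nas_id, port, secret


def sample_access_request() -> bytes:
    """Constructed attribute list. NAS-IP-Address deliberately differs from
    the address the packet will arrive from, so the two rules give different
    answers and the source-address rule is the one that must win."""
    return b"".join([
        encode_attr(NAS_IDENTIFIER, b"nas-01"),
        encode_attr(NAS_IP_ADDRESS, ipaddress.IPv4Address("192.0.2.11").packed),
        encode_attr(NAS_PORT, struct.pack("!I", 7)),
        encode_attr(NAS_PORT_ID, b"eth0/7"),
        encode_attr(NAS_PORT_TYPE, struct.pack("!I", 15)),
    ])


if __name__ == "__main__":
    rows = map_access_request(sample_access_request(), "192.0.2.10")
    print(*rows, sep="\n")
```

Running the module prints the two rows and the secret chosen for source 192.0.2.10: the NAS-IP-Address attribute names 192.0.2.11, yet the secret returned is the one keyed by the source address, which is the behaviour the radNasIdentifier and radNasIpAddress descriptions mandate. The NAS-Port-Type code 15 is reported under its PIB label, radEthernet.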
RADIUS-PIB PIB-DEFINITIONS ::= BEGIN
IMPORTS
Unsigned32, Integer32,
MODULE-IDENTITY, OBJECT-TYPE
FROM COPS-PR-SPPI
-- SPPI textual conventions used by the index and pointer objects below
InstanceId, Prid
FROM COPS-PR-SPPI-TC
SnmpAdminString
FROM SNMP-FRAMEWORK-MIB
InetAddress
FROM INET-ADDRESS-MIB;
radiusModelPib MODULE-IDENTITY
SUBJECT-CATEGORIES { tbd(0) } -- RADIUS client type
LAST-UPDATED "200011161800Z"
ORGANIZATION " IETF AAA WG"
CONTACT-INFO
"
David Spence
Interlink Networks, Inc.
775 Technology Drive, Suite 200
Ann Arbor, MI 48108
USA
Phone: +1 734 821 1203
EMail: dspence@interlinknetworks.com "
DESCRIPTION
"A PIB module containing the base set of provisioning
classes that are required for support of the RADIUS
protocol by a NAS."
::= { tbd }
--
-- The root OID for PRCs in the Radius PIB
--
radiusGenPibClasses OBJECT IDENTIFIER ::= { radiusModelPib 1 }
nasIdTable OBJECT-TYPE
SYNTAX SEQUENCE OF NasIdEntry
PIB-ACCESS notify
STATUS current
DESCRIPTION
""
::= { radiusGenPibClasses 1 }
nasIdEntry OBJECT-TYPE
SYNTAX NasIdEntry
STATUS current
DESCRIPTION
"An instance of this class contains the information to
identify a NAS. It also contains a pointer to the
instance of the NAS Manager table that it uses for all
operations."
PIB-INDEX{ nasIdPrid }
::= { nasIdTable 1 }
NasIdEntry::= SEQUENCE {
nasIdPrid InstanceId,
radNasIdentifier SnmpAdminString,
radNasIpAddress InetAddress,
nasManager Prid
}
nasIdPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An index to uniquely identify an instance of this
policy class."
::= { nasIdEntry 1 }
radNasIdentifier OBJECT-TYPE
SYNTAX SnmpAdminString
STATUS current
DESCRIPTION
"This Attribute contains a string identifying the NAS
originating the Access-Request. It is only used in
Access-Request packets. Either radNasIpAddress or
radNasIdentifier MUST be present in an Access-Request
packet.
Note that radNasIdentifier MUST NOT be used to select
the shared secret used to authenticate the request. The
source IP address of the Access-Request packet MUST be
used to select the shared secret."
::= { nasIdEntry 2 }
radNasIpAddress OBJECT-TYPE
SYNTAX InetAddress
STATUS current
DESCRIPTION
"This Attribute indicates the identifying IP Address of
the NAS which is requesting authentication of the user,
and SHOULD be unique to the NAS within the scope of the
RADIUS server. radNasIpAddress is only used in Access-
Request packets. Either radNasIpAddress or
radNasIdentifier MUST be present in an Access-Request
packet.
Note that radNasIpAddress MUST NOT be used to select the
shared secret used to authenticate the request. The
source IP address of the Access-Request packet MUST be
used to select the shared secret."
::= { nasIdEntry 3 }
nasManager OBJECT-TYPE
SYNTAX Prid
STATUS current
DESCRIPTION
"This attribute points to an instance of the Nas
Manager table."
::= { nasIdEntry 4 }
--
-- The NAS Port Manager table
--
nasPortManagerTable OBJECT-TYPE
SYNTAX SEQUENCE OF NasPortManagerEntry
PIB-ACCESS notify
STATUS current
DESCRIPTION
""
::= { radiusGenPibClasses 2 }
nasPortManagerEntry OBJECT-TYPE
SYNTAX NasPortManagerEntry
STATUS current
DESCRIPTION
""
PIB-INDEX{ nasPortManagerPrid }
::= { nasPortManagerTable 1 }
NasPortManagerEntry::= SEQUENCE {
nasPortManagerPrid InstanceId,
nasPortManagerNasId Prid,
nasPortManagerCallSetup Prid,
radNasPort Integer32,
radNasPortId OCTET STRING,
radNasPortType INTEGER
}
nasPortManagerPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An index to uniquely identify an instance of this
policy class."
::= { nasPortManagerEntry 1 }
nasPortManagerNasId OBJECT-TYPE
SYNTAX Prid
STATUS current
DESCRIPTION
"This attribute points to an instance of the NAS
Identification table (nasIdTable)."
::= { nasPortManagerEntry 2 }
nasPortManagerCallSetup OBJECT-TYPE
SYNTAX Prid
STATUS current
DESCRIPTION
"This attribute points to an instance of the Call Setup
table for the call on this port."
::= { nasPortManagerEntry 3 }
radNasPort OBJECT-TYPE
SYNTAX Integer32
STATUS current
DESCRIPTION
"This Attribute indicates the physical port number of
the NAS which is authenticating the user. It is only
used in Access-Request packets. Note that this is using
'port' in its sense of a physical connection on the NAS,
not in the sense of a TCP or UDP port number. Either
radNasPort or radNasPortType (61) or both SHOULD be
present in an Access-Request packet, if the NAS
differentiates among its ports."
::= { nasPortManagerEntry 4 }
radNasPortId OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This Attribute contains a text string which identifies
the port of the NAS which is authenticating the user.
It is only used in Access-Request and Accounting-Request
packets. Note that this is using 'port' in its sense of
a physical connection on the NAS, not in the sense of a
TCP or UDP port number.
Either radNasPort or radNasPortId SHOULD be present in
an Access-Request packet, if the NAS differentiates
among its ports. radNasPortId is intended for use by
NASes which cannot conveniently number their ports."
::= { nasPortManagerEntry 5 }
radNasPortType OBJECT-TYPE
SYNTAX INTEGER {
radAsync(0),
radSync(1),
radIsdnSync(2),
radIsdnAsyncV120(3),
radIsdnAsyncV110(4),
radVirtual(5),
radPIAFS(6),
radHdlcClearChannel(7),
radX25(8),
radX75(9),
radG3Fax(10),
radSDSL(11),
radAdslCAP(12),
radAdslDMT(13),
radIdsl(14),
radEthernet(15),
radXdsl(16),
radCable(17),
radWirelessOther(18),
radWirelessIEEE80211(19)
}
STATUS current
DESCRIPTION
"This Attribute indicates the type of the physical port
of the NAS which is authenticating the user. It can be
used instead of or in addition to the radNasPort (5)
attribute. It is only used in Access-Request packets.
Either radNasPort (5) or radNasPortType or both SHOULD
be present in an Access-Request packet, if the NAS
differentiates among its ports.
A value of 'radAsync(0)' indicates Async.
A value of 'radSync(1)' indicates Sync.
A value of 'radIsdnSync(2)' indicates ISDN Sync.
A value of 'radIsdnAsyncV120(3)' indicates ISDN Async
V.120.
A value of 'radIsdnAsyncV110(4)' indicates ISDN Async
V.110.
A value of 'radVirtual(5)' indicates Virtual. Virtual
refers to a connection to the NAS via some transport
protocol, instead of through a physical port. For
example, if a user telnetted into a NAS to authenticate
himself as an Outbound-User, the Access-Request might
include radNasPortType = Virtual as a hint to the RADIUS
server that the user was not on a physical port.
A value of 'radPIAFS(6)' indicates PIAFS. PIAFS is a
form of wireless ISDN commonly used in Japan, and stands
for PHS (Personal Handyphone System) Internet Access
Forum Standard (PIAFS).
A value of 'radHdlcClearChannel(7)' indicates HDLC Clear
Channel.
A value of 'radX25(8)' indicates X.25.
A value of 'radX75(9)' indicates X.75.
A value of 'radG3Fax(10)' indicates G.3 Fax.
A value of 'radSDSL(11)' indicates SDSL - Symmetric DSL.
A value of 'radAdslCAP(12)' indicates ADSL-CAP -
Asymmetric DSL, Carrierless Amplitude Phase Modulation.
A value of 'radAdslDMT(13)' indicates ADSL-DMT -
Asymmetric DSL, Discrete Multi-Tone.
A value of 'radIdsl(14)' indicates IDSL - ISDN Digital
Subscriber Line.
A value of 'radEthernet(15)' indicates Ethernet.
A value of 'radXdsl(16)' indicates xDSL - Digital
Subscriber Line of unknown type.
A value of 'radCable(17)' indicates Cable.
A value of 'radWirelessOther(18)' indicates Wireless -
Other.
A value of 'radWirelessIEEE80211(19)' indicates Wireless
- IEEE 802.11."
::= { nasPortManagerEntry 6 }
--
-- The Call Setup Table
--
callSetupTable OBJECT-TYPE
SYNTAX SEQUENCE OF CallSetupEntry
PIB-ACCESS notify
STATUS current
DESCRIPTION
""
::= { radiusGenPibClasses 3 }
callSetupEntry OBJECT-TYPE
SYNTAX CallSetupEntry
STATUS current
DESCRIPTION
""
PIB-INDEX{ callSetupPrid }
::= { callSetupTable 1 }
CallSetupEntry::= SEQUENCE {
callSetupPrid InstanceId,
nasPortManager Prid,
sessionManagement Prid,
callBackService Prid,
radCalledStationId OCTET STRING,
radCallingStationId OCTET STRING
}
callSetupPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An index to uniquely identify an instance of this
policy class."
::= { callSetupEntry 1 }
nasPortManager OBJECT-TYPE
SYNTAX Prid
STATUS current
DESCRIPTION
"This attribute points to the instance of the NAS Port
Manager table for the port the call arrived on."
::= { callSetupEntry 2 }
sessionManagement OBJECT-TYPE
SYNTAX Prid
STATUS current
DESCRIPTION
"This attribute points to the instance of the Session
Management table for the session established by this
call."
::= { callSetupEntry 3 }
callBackService OBJECT-TYPE
SYNTAX Prid
STATUS current
DESCRIPTION
"This attribute points to the instance of the Callback
Service table used by this call, if callback is in
effect."
::= { callSetupEntry 4 }
radCalledStationId OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This Attribute allows the NAS to send in the Access-
Request packet the phone number that the user called,
using Dialed Number Identification (DNIS) or similar
technology. Note that this may be different from the
phone number the call comes in on. It is only used in
Access-Request packets."
::= { callSetupEntry 5 }
radCallingStationId OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This Attribute allows the NAS to send in the Access-
Request packet the phone number that the call came from,
using Automatic Number Identification (ANI) or similar
technology. It is only used in Access-Request packets."
::= { callSetupEntry 6 }
--
-- The Callback Service Table
--
callBackServiceTable OBJECT-TYPE
SYNTAX SEQUENCE OF CallBackServiceEntry
PIB-ACCESS notify
STATUS current
DESCRIPTION
""
::= { radiusGenPibClasses 4 }
callBackServiceEntry OBJECT-TYPE
SYNTAX CallBackServiceEntry
STATUS current
DESCRIPTION
""
PIB-INDEX{ callBackServicePrid }
::= { callBackServiceTable 1 }
CallBackServiceEntry::= SEQUENCE {
callBackServicePrid InstanceId,
callBackServiceCallSetup Prid,
radCallbackNumber OCTET STRING,
radCallbackId OCTET STRING
}
callBackServicePrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An index to uniquely identify an instance of this
policy class."
::= { callBackServiceEntry 1 }
callBackServiceCallSetup OBJECT-TYPE
SYNTAX Prid
STATUS current
DESCRIPTION
"This attribute points to the instance of the Call Setup
table that uses this callback service."
::= { callBackServiceEntry 2 }
radCallbackNumber OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This Attribute indicates a dialing string to be used
for callback. It MAY be used in Access-Accept packets.
It MAY be used in an Access-Request packet as a hint to
the server that a Callback service is desired, but the
server is not required to honor the hint."
::= { callBackServiceEntry 3 }
radCallbackId OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This Attribute indicates the name of a place to be
called, to be interpreted by the NAS. It MAY be used in
Access-Accept packets."
::= { callBackServiceEntry 4 }
--
-- The Session Management Table
--
sessionManagementTable OBJECT-TYPE
SYNTAX SEQUENCE OF SessionManagementEntry
PIB-ACCESS notify
STATUS current
DESCRIPTION
""
::= { radiusGenPibClasses 5 }
sessionManagementEntry OBJECT-TYPE
SYNTAX SessionManagementEntry
STATUS current
DESCRIPTION
""
PIB-INDEX{ sessionManagementPrid }
::= { sessionManagementTable 1 }
SessionManagementEntry::= SEQUENCE {
sessionManagementPrid InstanceId,
sessionManagementCallSetup Prid,
sessionManagementUserAuth Prid,
sessionManagementPerSessionAcct Prid,
sessionManagementAccountingControl Prid,
sessionManagementMultilinkSession Prid,
radAcctSessionId OCTET STRING,
radClass OCTET STRING,
radSessionTimeout Unsigned32,
radIdleTimeout Unsigned32,
radConfigurationToken OCTET STRING,
radServiceType INTEGER,
radConnectInfo OCTET STRING
}
sessionManagementPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An index to uniquely identify an instance of this
policy class."
::= { sessionManagementEntry 1 }
sessionManagementCallSetup OBJECT-TYPE
SYNTAX Prid
STATUS current
DESCRIPTION
"This attribute points to the instance of the Call Setup
table for this session."
::= { sessionManagementEntry 2 }
sessionManagementUserAuth OBJECT-TYPE
SYNTAX Prid
STATUS current
DESCRIPTION
"This attribute points to the User Authentication
instance for this session."
::= { sessionManagementEntry 3 }
sessionManagementPerSessionAcct OBJECT-TYPE
SYNTAX Prid
STATUS current
DESCRIPTION
"This attribute points to the Per Session Accounting
instance for this session."
::= { sessionManagementEntry 4 }
sessionManagementAccountingControl OBJECT-TYPE
SYNTAX Prid
STATUS current
DESCRIPTION
"This attribute points to the Accounting Control
instance for this session."
::= { sessionManagementEntry 5 }
sessionManagementMultilinkSession OBJECT-TYPE
SYNTAX Prid
STATUS current
DESCRIPTION
"This attribute points to the Multilink Session instance
that this session belongs to, if any."
::= { sessionManagementEntry 6 }
radAcctSessionId OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This attribute is a unique Accounting ID to make it
easy to match start and stop records in a log file. The
start and stop records for a given session MUST have the
same radAcctSessionId. An Accounting-Request packet
MUST have an radAcctSessionId. An Access-Request packet
MAY have an radAcctSessionId; if it does, then the NAS
MUST use the same radAcctSessionId in the Accounting-
Request packets for that session."
::= { sessionManagementEntry 7 }
radClass OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This Attribute is available to be sent by the server to
the client in an Access-Accept and SHOULD be sent
unmodified by the client to the accounting server as
part of the Accounting-Request packet if accounting is
supported. The client MUST NOT interpret the attribute
locally."
::= { sessionManagementEntry 8 }
radSessionTimeout OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"This Attribute sets the maximum number of seconds of
service to be provided to the user before termination of
the session or prompt. This Attribute is available to be
sent by the server to the client in an Access-Accept or
Access-Challenge."
::= { sessionManagementEntry 9 }
radIdleTimeout OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"This Attribute sets the maximum number of consecutive
seconds of idle connection allowed to the user before
termination of the session or prompt. This Attribute is
available to be sent by the server to the client in an
Access-Accept or Access-Challenge."
::= { sessionManagementEntry 10 }
radConfigurationToken OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This attribute is for use in large distributed
authentication networks based on proxy. It is sent from
a RADIUS Proxy Server to a RADIUS Proxy Client in an
Access-Accept to indicate a type of user profile to be
used. It should not be sent to a NAS."
::= { sessionManagementEntry 11 }
radServiceType OBJECT-TYPE
SYNTAX INTEGER {
radLogin(1),
radFramed(2),
radCallbackLogin(3),
radCallbackFramed(4),
radOutbound(5),
radAdministrative(6),
radNASPrompt(7),
radAuthenticateOnly(8),
radCallbackNASPrompt(9),
radCallCheck(10),
radCallbackAdministrative(11)
}
STATUS current
DESCRIPTION
"This Attribute indicates the type of service the user
has requested, or the type of service to be provided.
It MAY be used in both Access-Request and Access-Accept
packets. A NAS is not required to implement all of
these service types, and MUST treat unknown or
unsupported radServiceTypes as though an Access-Reject
had been received instead.
The service types are defined as follows when used in an
Access-Accept. When used in an Access-Request, they MAY
be considered to be a hint to the RADIUS server that the
NAS has reason to believe the user would prefer the kind
of service indicated, but the server is not required to
honor the hint.
A value of 'radLogin(1)' indicates that the user should
be connected to a host.
A value of 'radFramed(2)' indicates that a Framed
Protocol should be started for the User, such as PPP or
SLIP.
A value of 'radCallbackLogin(3)' indicates that the user
should be disconnected and called back, then connected
to a host.
A value of 'radCallbackFramed(4)' indicates that the
user should be disconnected and called back, then a
Framed Protocol should be started for the User, such as
PPP or SLIP.
A value of 'radOutbound(5)' indicates that the user
should be granted access to outgoing devices.
A value of 'radAdministrative(6)' indicates that the
user should be granted access to the administrative
interface to the NAS from which privileged commands can
be executed.
A value of 'radNASPrompt(7)' indicates that the user
should be provided a command prompt on the NAS from
which non-privileged commands can be executed.
A value of 'radAuthenticateOnly(8)' indicates that only
Authentication is requested, and no authorization
information needs to be returned in the Access-Accept
(typically used by proxy servers rather than the NAS
itself).
A value of 'radCallbackNASPrompt(9)' indicates that the
user should be disconnected and called back, then
provided a command prompt on the NAS from which non-
privileged commands can be executed.
A value of 'radCallCheck(10)' is used by the NAS in an
Access-Request packet to indicate that a call is being
received and that the RADIUS server should send back an
Access-Accept to answer the call, or an Access-Reject to
not accept the call, typically based on the
radCalledStationId or radCallingStationId attributes. It
is recommended that such Access-Requests use the value
of radCallingStationId as the value of the radUserName.
A value of 'radCallbackAdministrative(11)' indicates
that the user should be disconnected and called back,
then granted access to the administrative interface to
the NAS from which privileged commands can be executed."
::= { sessionManagementEntry 12 }
radConnectInfo OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This attribute is sent from the NAS to indicate the
nature of the user's connection.
The NAS MAY send this attribute in an Access-Request or
Accounting-Request to indicate the nature of the user's
connection."
::= { sessionManagementEntry 13 }
--
-- The User Authentication Table
--
userAuthTable OBJECT-TYPE
SYNTAX SEQUENCE OF UserAuthEntry
PIB-ACCESS notify
STATUS current
DESCRIPTION
""
::= { radiusModelPib 6 }
userAuthEntry OBJECT-TYPE
SYNTAX UserAuthEntry
STATUS current
DESCRIPTION
""
PIB-INDEX { userAuthPrid }
::= { userAuthTable 1 }
UserAuthEntry::= SEQUENCE {
userAuthPrid InstanceId,
sessionMgmt Prid,
radUserName OCTET STRING
}
userAuthPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An index to uniquely identify an instance of this
policy class."
::= { userAuthEntry 1 }
sessionMgmt OBJECT-TYPE
SYNTAX Prid
STATUS current
DESCRIPTION
""
::= { userAuthEntry 2 }
radUserName OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This Attribute indicates the name of the user to be
authenticated. It MUST be sent in Access-Request packets
if available.
It MAY be sent in an Access-Accept packet, in which case
the client SHOULD use the name returned in the Access-
Accept packet in all Accounting-Request packets for this
session. If the Access-Accept includes radServiceType =
Rlogin and the radUserName attribute, a NAS MAY use the
returned radUserName when performing the Rlogin
function."
::= { userAuthEntry 3 }
--
-- The Password Authentication Table
--
passwordAuthTable OBJECT-TYPE
SYNTAX SEQUENCE OF PasswordAuthEntry
PIB-ACCESS notify
STATUS current
DESCRIPTION
""
::= { radiusModelPib 7 }
passwordAuthEntry OBJECT-TYPE
SYNTAX PasswordAuthEntry
STATUS current
DESCRIPTION ""
EXTENDS { userAuthEntry }
::= { passwordAuthTable 1 }
PasswordAuthEntry::= SEQUENCE {
radUserPassword1 OCTET STRING,
radReplyMessage1 OCTET STRING,
radPasswordRetry1 Integer32
}
radUserPassword1 OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This Attribute indicates the password of the user to be
authenticated. It is only used in Access-Request
packets.
On transmission, the password is hidden. The password
is first padded at the end with nulls to a multiple of
16 octets. A one-way MD5 hash is calculated over a
stream of octets consisting of the shared secret
followed by the Request Authenticator. This value is
XORed with the first 16 octet segment of the password
and placed in the first 16 octets of the String field of
the radUserPassword Attribute.
If the password is longer than 16 characters, a second
one-way MD5 hash is calculated over a stream of octets
consisting of the shared secret followed by the result
of the first xor. That hash is XORed with the second 16
octet segment of the password and placed in the second
16 octets of the String field of the radUserPassword
Attribute.
If necessary, this operation is repeated, with each xor
result being used along with the shared secret to
generate the next hash to xor the next segment of the
password, to no more than 128 characters.
The method is taken from the book 'Network Security' by
Kaufman, Perlman and Speciner [8] pages 109-110. A more
precise explanation of the method follows:
Call the shared secret S and the pseudo-random 128-bit
Request Authenticator RA. Break the password into 16-
octet chunks p1, p2, etc. with the last one padded at
the end with nulls to a 16-octet boundary. Call the
ciphertext blocks c(1), c(2), etc. We'll need
intermediate values b1, b2, etc.
b1 = MD5(S + RA)         c(1) = p1 xor b1
b2 = MD5(S + c(1))       c(2) = p2 xor b2
 .                        .
 .                        .
 .                        .
bi = MD5(S + c(i-1))     c(i) = pi xor bi
The String will contain c(1)+c(2)+...+c(i) where +
denotes concatenation.
On receipt, the process is reversed to yield the
original password."
::= { passwordAuthEntry 1 }
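The hiding procedure described above (b1 = MD5(S + RA), bi = MD5(S + c(i-1)), c(i) = pi xor bi), carried through in Python as an added example that is not part of the draft; the function names, the shared secret and the Request Authenticator value are constructed for illustration.

```python
import hashlib

# Constructed sample values (not from the draft); any shared secret S and any
# 16-octet Request Authenticator RA work the same way.
SHARED_SECRET = b"example-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))


def _pad_password(password: bytes) -> bytes:
    """Pad with nulls to a 16-octet boundary. An empty password still becomes one
    16-octet block, since the String field is 16 to 128 octets long."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    blocks = max(1, (len(password) + 15) // 16)
    return password.ljust(blocks * 16, b"\x00")


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Produce the String field: c(i) = p(i) xor b(i), with b(1) = MD5(S + RA)
    and b(i) = MD5(S + c(i-1)) for i > 1.
    This hides the password only from parties without the shared secret: the
    transform is reversible by design and gives no integrity, so the packet
    still needs its own authenticator."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = _pad_password(password)
    out = bytearray()
    prev = request_auth                       # first hash input is S + RA
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()                  # b(i)
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))   # c(i) = p(i) xor b(i)
        out += c
        prev = c                              # next round hashes S + c(i)
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Reverse the process on receipt. Each b(i) depends only on S, RA and the
    previous ciphertext block, so the receiver regenerates the same stream.
    Trailing nulls are padding and are stripped, which is why a password
    cannot itself end in a null octet."""
    if len(hidden) == 0 or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = request_auth
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    return bytes(out).rstrip(b"\x00")


if __name__ == "__main__":
    hidden = hide_user_password(b"correct horse battery staple", SHARED_SECRET,
                                REQUEST_AUTHENTICATOR)
    print(hidden.hex())
    print(reveal_user_password(hidden, SHARED_SECRET, REQUEST_AUTHENTICATOR))
```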
radReplyMessage1 OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This Attribute indicates text which MAY be displayed to
the user.
When used in an Access-Accept, it is the success
message.
When used in an Access-Reject, it is the failure
message. It MAY indicate a dialog message to prompt the
user before another Access-Request attempt.
Multiple radReplyMessage's MAY be included and if any
are displayed, they MUST be displayed in the same order
as they appear in the packet."
::= { passwordAuthEntry 2 }
radPasswordRetry1 OBJECT-TYPE
SYNTAX Integer32
STATUS current
DESCRIPTION
"This attribute MAY be included in an Access-Reject to
indicate how many authentication attempts a user may be
allowed to attempt before being disconnected."
::= { passwordAuthEntry 3 }
--
-- The CHAP Authentication Table
--
chapAuthTable OBJECT-TYPE
SYNTAX SEQUENCE OF ChapAuthEntry
PIB-ACCESS notify
STATUS current
DESCRIPTION
""
::= { radiusModelPib 8 }
chapAuthEntry OBJECT-TYPE
SYNTAX ChapAuthEntry
STATUS current
DESCRIPTION ""
EXTENDS { userAuthEntry }
::= { chapAuthTable 1 }
ChapAuthEntry::= SEQUENCE {
radChapChallenge OCTET STRING,
radChapPasswordIdent INTEGER,
radChapPasswordResponse OCTET STRING
}
radChapChallenge OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This Attribute contains the CHAP Challenge sent by the
NAS to a PPP Challenge-Handshake Authentication Protocol
(CHAP) user. It is only used in Access-Request packets.
If the CHAP challenge value is 16 octets long it MAY be
placed in the Request Authenticator field instead of
using this attribute.
The CHAP challenge value is found in the
radChapChallenge Attribute (60) if present in the
packet, otherwise in the Request Authenticator field."
::= { chapAuthEntry 1 }
radChapPasswordIdent OBJECT-TYPE
SYNTAX INTEGER (0..255)
STATUS current
DESCRIPTION
"This Attribute contains the CHAP Identifier from the
user's CHAP Response. It is only used in Access-Request
packets.
This field is one component of the CHAP-Password
attribute."
::= { chapAuthEntry 2 }
radChapPasswordResponse OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (16))
STATUS current
DESCRIPTION
"This Attribute indicates the response value provided by
a PPP Challenge-Handshake Authentication Protocol (CHAP)
user in response to the challenge. It is only used in
Access-Request packets.
This field is one component of the CHAP-Password
attribute, and contains the CHAP Response from
the user."
::= { chapAuthEntry 3 }
--
-- The EAP Authentication Table
--
eapAuthTable OBJECT-TYPE
SYNTAX SEQUENCE OF EapAuthEntry
PIB-ACCESS notify
STATUS current
DESCRIPTION
""
::= { radiusModelPib 9 }
eapAuthEntry OBJECT-TYPE
SYNTAX EapAuthEntry
STATUS current
DESCRIPTION ""
EXTENDS { userAuthEntry }
::= { eapAuthTable 1 }
EapAuthEntry::= SEQUENCE {
radEapMessage OCTET STRING
}
radEapMessage OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This attribute encapsulates Extensible Authentication
Protocol (EAP) [9] packets so as to allow the NAS to
authenticate dial-in users via EAP without having to
understand the EAP protocol.
The NAS places any EAP messages received from the user
into one or more EAP attributes and forwards them to the
RADIUS Server as part of the Access-Request, which can
return EAP messages in Access-Challenge, Access-Accept
and Access-Reject packets.
A RADIUS Server receiving EAP messages that it does not
understand SHOULD return an Access-Reject.
The NAS places EAP messages received from the
authenticating peer into one or more radEapMessage
attributes and forwards them to the RADIUS Server within
an Access-Request message. If multiple radEapMessages
are contained within an Access-Request or Access-
Challenge packet, they MUST be in order and they MUST be
consecutive attributes in the Access-Request or Access-
Challenge packet. Access-Accept and Access-Reject
packets SHOULD only have ONE radEapMessage attribute in
them, containing EAP-Success or EAP-Failure.
It is expected that EAP will be used to implement a
variety of authentication methods, including methods
involving strong cryptography. In order to prevent
attackers from subverting EAP by attacking RADIUS/EAP,
(for example, by modifying the EAP-Success or EAP-
Failure packets) it is necessary that RADIUS/EAP provide
integrity protection at least as strong as those used in
the EAP methods themselves.
Therefore the Message-Authenticator attribute MUST be
used to protect all Access-Request, Access-Challenge,
Access-Accept, and Access-Reject packets containing an
radEapMessage attribute.
Access-Request packets including a radEapMessage
attribute without a Message-Authenticator attribute
SHOULD be silently discarded by the RADIUS server. A
RADIUS Server supporting radEapMessage MUST calculate
the correct value of the Message-Authenticator and
silently discard the packet if it does not match the
value sent. A RADIUS Server not supporting radEapMessage
MUST return an Access-Reject if it receives an Access-
Request containing a radEapMessage attribute. A RADIUS
Server receiving a radEapMessage attribute that it does
not understand MUST return an Access-Reject.
Access-Challenge, Access-Accept, or Access-Reject
packets including a radEapMessage attribute without a
Message-Authenticator attribute SHOULD be silently
discarded by the NAS. A NAS supporting radEapMessage
MUST calculate the correct value of the Message-
Authenticator and silently discard the packet if it does
not match the value sent."
::= { eapAuthEntry 1 }
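The Message-Authenticator rules the description above imposes on radEapMessage, as an added example that is not part of the draft: an attribute parser that rejects bad lengths, the HMAC-MD5 computation from RFC 2869 (the draft names the attribute but does not give the algorithm), and a check that returns the discard decision a server or NAS should make. The attribute type numbers come from RFC 2869; the shared secret, the sample packet and the function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

# RADIUS attribute types from RFC 2869; the draft names them but gives no numbers.
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code, Identifier, Length, Authenticator

def parse_attributes(packet: bytes):
    """Return [(offset, type, value)] for every attribute in a RADIUS packet.
    Raises ValueError when a length field does not fit, so a malformed packet
    is rejected before any attribute is trusted."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        raise ValueError("Length field does not match the packet")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of range")
        attrs.append((pos, atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    """Assemble a RADIUS packet from (type, value) pairs."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body

def compute_message_authenticator(packet, secret, request_auth, ma_offset) -> bytes:
    """HMAC-MD5 keyed with the shared secret over the whole packet (RFC 2869 5.14),
    with the Message-Authenticator value zeroed and, for replies, the Authenticator
    field replaced by the Request Authenticator of the Access-Request answered."""
    buf = bytearray(packet)
    buf[4:HEADER_LEN] = request_auth
    buf[ma_offset + 2:ma_offset + 18] = bytes(16)
    return hmac.new(secret, bytes(buf), hashlib.md5).digest()

def sign(packet: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Append a Message-Authenticator to a packet that does not carry one yet."""
    attrs = [(t, v) for _, t, v in parse_attributes(packet)]
    attrs.append((ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    unsigned = build_packet(packet[0], packet[1], packet[4:HEADER_LEN], attrs)
    ma_offset = parse_attributes(unsigned)[-1][0]
    mac = compute_message_authenticator(unsigned, secret, request_auth, ma_offset)
    return unsigned[:ma_offset + 2] + mac + unsigned[ma_offset + 18:]

def check_eap_packet(packet: bytes, secret: bytes, request_auth: bytes) -> str:
    """Apply the radEapMessage rules. Returns "ok", "no-eap" when the rules do not
    apply, or "discard: <reason>". Treating non-consecutive EAP fragments as a
    discard is this example's choice; the draft states only the MUST."""
    try:
        attrs = parse_attributes(packet)
    except ValueError as exc:
        return f"discard: {exc}"
    eap_idx = [i for i, (_, t, _) in enumerate(attrs) if t == ATTR_EAP_MESSAGE]
    if not eap_idx:
        return "no-eap"
    mas = [(off, v) for off, t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(mas) != 1 or len(mas[0][1]) != 16:
        return "discard: exactly one 16-octet Message-Authenticator required"
    if eap_idx != list(range(eap_idx[0], eap_idx[-1] + 1)):
        return "discard: EAP-Message attributes are not consecutive"
    ma_offset, received = mas[0]
    expected = compute_message_authenticator(packet, secret, request_auth, ma_offset)
    if not hmac.compare_digest(received, expected):   # constant-time comparison
        return "discard: Message-Authenticator mismatch"
    return "ok"

def flip_bit(packet: bytes, offset: int) -> bytes:
    """Return a copy with one bit changed, to show that any alteration is caught."""
    buf = bytearray(packet)
    buf[offset] ^= 0x01
    return bytes(buf)

# Constructed sample (not from the draft): an Access-Request whose EAP
# Response/Identity for "alice" is split across two radEapMessage attributes.
SECRET = b"example-shared-secret"
REQ_AUTH = bytes(range(16))             # stands in for a random Request Authenticator
_EAP_IDENTITY = bytes([2, 1, 0, 10, 1]) + b"alice"   # Code 2, Id 1, Length 10, Type 1
UNSIGNED_REQUEST = build_packet(1, 7, REQ_AUTH, [
    (ATTR_USER_NAME, b"alice"),
    (ATTR_EAP_MESSAGE, _EAP_IDENTITY[:6]),
    (ATTR_EAP_MESSAGE, _EAP_IDENTITY[6:]),
])
SAMPLE_REQUEST = sign(UNSIGNED_REQUEST, SECRET, REQ_AUTH)

if __name__ == "__main__":
    print(check_eap_packet(SAMPLE_REQUEST, SECRET, REQ_AUTH))      # ok
    print(check_eap_packet(UNSIGNED_REQUEST, SECRET, REQ_AUTH))    # discard
```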
--
-- The Access Challenge Table
--
accessChallengeTable OBJECT-TYPE
SYNTAX SEQUENCE OF AccessChallengeEntry
PIB-ACCESS notify
STATUS current
DESCRIPTION
""
::= { radiusModelPib 10 }
accessChallengeEntry OBJECT-TYPE
SYNTAX AccessChallengeEntry
STATUS current
DESCRIPTION ""
EXTENDS { userAuthEntry }
::= { accessChallengeTable 1 }
AccessChallengeEntry::= SEQUENCE {
radReplyMessage2 OCTET STRING,
radPrompt INTEGER,
radState1 OCTET STRING,
radUserPassword2 OCTET STRING,
radReplyMessage3 OCTET STRING,
radPasswordRetry2 Integer32
}
radReplyMessage2 OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This Attribute indicates text which MAY be displayed to
the user.
When used in an Access-Challenge, it MAY indicate a
dialog message to prompt the user for a response.
Multiple radReplyMessage's MAY be included and if any
are displayed, they MUST be displayed in the same order
as they appear in the packet."
::= { accessChallengeEntry 1 }
radPrompt OBJECT-TYPE
SYNTAX INTEGER {
radNoEcho(0),
radEcho(1)
}
STATUS current
DESCRIPTION
"This attribute is used only in Access-Challenge
packets, and indicates to the NAS whether it should echo
the user's response as it is entered, or not echo it.
A value of 'radNoEcho(0)' means: no echo.
A value of 'radEcho(1)' means: echo."
::= { accessChallengeEntry 2 }
radState1 OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This Attribute is available to be sent by the server to
the client in an Access-Challenge and MUST be sent
unmodified from the client to the server in the new
Access-Request reply to that challenge, if any.
The client MUST NOT interpret the attribute locally.
A packet must have only zero or one radState Attribute.
Usage of the radState Attribute is implementation
dependent."
::= { accessChallengeEntry 3 }
radUserPassword2 OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This Attribute indicates the user's input following
an Access-Challenge. It is only used in
Access-Request packets."
::= { accessChallengeEntry 4 }
radReplyMessage3 OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This Attribute indicates text which MAY be displayed to
the user.
When used in an Access-Accept, it is the success
message.
When used in an Access-Reject, it is the failure
message. It MAY indicate a dialog message to prompt the
user before another Access-Request attempt.
Multiple radReplyMessage's MAY be included and if any
are displayed, they MUST be displayed in the same order
as they appear in the packet."
::= { accessChallengeEntry 5 }
radPasswordRetry2 OBJECT-TYPE
SYNTAX Integer32
STATUS current
DESCRIPTION
"This attribute MAY be included in an Access-Reject to
indicate how many authentication attempts a user may be
allowed to attempt before being disconnected."
::= { accessChallengeEntry 6 }
--
-- The Framed Link Setup Table
--
framedLinkSetupTable OBJECT-TYPE
SYNTAX SEQUENCE OF FramedLinkSetupEntry
PIB-ACCESS notify
STATUS current
DESCRIPTION
""
::= { radiusModelPib 11 }
framedLinkSetupEntry OBJECT-TYPE
SYNTAX FramedLinkSetupEntry
STATUS current
DESCRIPTION ""
EXTENDS { sessionManagementEntry }
::= { framedLinkSetupTable 1 }
FramedLinkSetupEntry::= SEQUENCE {
radFramedProtocol INTEGER,
radFramedMTU Integer32,
radFramedCompression INTEGER,
radPortLimit Unsigned32
}
radFramedProtocol OBJECT-TYPE
SYNTAX INTEGER {
radPPP(1),
radSLIP(2),
radARAP(3),
radGandalf(4),
radXylogics(5),
radX75Synchronous(6)
}
STATUS current
DESCRIPTION
"This Attribute indicates the framing to be used for
framed access. It MAY be used in both Access-Request and
Access-Accept packets.
A value of 'radPPP(1)' represents PPP.
A value of 'radSLIP(2)' represents SLIP.
A value of 'radARAP(3)' represents AppleTalk Remote
Access Protocol (ARAP).
A value of 'radGandalf(4)' represents Gandalf
proprietary SingleLink/MultiLink protocol.
A value of 'radXylogics(5)' represents Xylogics
proprietary IPX/SLIP.
A value of 'radX75Synchronous(6)' represents X.75
Synchronous."
::= { framedLinkSetupEntry 1 }
radFramedMTU OBJECT-TYPE
SYNTAX Integer32
STATUS current
DESCRIPTION
"This Attribute indicates the Maximum Transmission Unit
to be configured for the user, when it is not negotiated
by some other means (such as PPP). It MAY be used in
Access-Accept packets. It MAY be used in an Access-
Request packet as a hint by the NAS to the server that
it would prefer that value, but the server is not
required to honor the hint."
::= { framedLinkSetupEntry 2 }
radFramedCompression OBJECT-TYPE
SYNTAX INTEGER {
radNone(0),
radVJ(1),
radIPXheader(2),
radStacLZS(3)
}
STATUS current
DESCRIPTION
"This Attribute indicates a compression protocol to be
used for the link. It MAY be used in Access-Accept
packets. It MAY be used in an Access-Request packet as
a hint to the server that the NAS would prefer to use
that compression, but the server is not required to
honor the hint.
More than one compression protocol Attribute MAY be
sent. It is the responsibility of the NAS to apply the
proper compression protocol to appropriate link traffic.
A value of 'radNone(0)' indicates None.
A value of 'radVJ(1)' indicates VJ TCP/IP header
compression.
A value of 'radIPXheader(2)' indicates IPX header
compression.
A value of 'radStacLZS(3)' indicates Stac-LZS
compression."
::= { framedLinkSetupEntry 3 }
radPortLimit OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"This Attribute sets the maximum number of ports to be
provided to the user by the NAS. This Attribute MAY be
sent by the server to the client in an Access-Accept
packet. It is intended for use in conjunction with
Multilink PPP [10] or similar uses. It MAY also be sent
by the NAS to the server as a hint that that many ports
are desired for use, but the server is not required to
honor the hint."
::= { framedLinkSetupEntry 4 }
--
-- The AppleTalk Link Setup Table
--
appleTalkLinkSetupTable OBJECT-TYPE
SYNTAX SEQUENCE OF AppleTalkLinkSetupEntry
PIB-ACCESS notify
STATUS current
DESCRIPTION
""
::= { radiusModelPib 12 }
appleTalkLinkSetupEntry OBJECT-TYPE
SYNTAX AppleTalkLinkSetupEntry
STATUS current
DESCRIPTION ""
EXTENDS { framedLinkSetupEntry }
::= { appleTalkLinkSetupTable 1 }
AppleTalkLinkSetupEntry::= SEQUENCE {
radArapPassword OCTET STRING,
radPasswordRetry3 Integer32,
radArapChallengeResponse OCTET STRING,
radArapFeaturesValue1 Integer32,
radArapFeaturesValue2 Integer32,
radArapFeaturesValue3 Unsigned32,
radArapFeaturesValue4 Integer32,
radArapFeaturesValue5 Unsigned32,
radArapZoneAccess INTEGER,
radArapSecurity Unsigned32,
radArapSecurityData OCTET STRING
}
radArapPassword OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This attribute is only present in an Access-Request
packet containing a radFramedProtocol of ARAP.
Only one of radUserPassword, radChapPassword, or
radArapPassword needs to be present in an Access-
Request, or one or more radEapMessages."
::= { appleTalkLinkSetupEntry 1 }
radPasswordRetry3 OBJECT-TYPE
SYNTAX Integer32
STATUS current
DESCRIPTION
"This attribute MAY be included in an Access-Reject to
indicate how many authentication attempts a user may be
allowed to attempt before being disconnected.
It is primarily intended for use with ARAP
authentication."
::= { appleTalkLinkSetupEntry 2 }
radArapChallengeResponse OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This attribute is sent in an Access-Accept packet with
radFramedProtocol of ARAP, and contains the response to
the dial-in client's challenge."
::= { appleTalkLinkSetupEntry 3 }
radArapFeaturesValue1 OBJECT-TYPE
SYNTAX Integer32
STATUS current
DESCRIPTION
"This attribute is sent in an Access-Accept packet with
radFramedProtocol of ARAP, and includes password
information that the NAS should send to the user in an
ARAP 'feature flags' packet.
This field is one component of a 5-component compound
string which comprises the ARAP-Features attribute.
If radArapFeaturesValue1 is zero, users cannot change
their password. If non-zero, users can. (RADIUS does not
handle the password changing, just the attribute which
indicates whether ARAP indicates they can.)"
::= { appleTalkLinkSetupEntry 4 }
radArapFeaturesValue2 OBJECT-TYPE
SYNTAX Integer32
STATUS current
DESCRIPTION
"This attribute is sent in an Access-Accept packet with
radFramedProtocol of ARAP, and includes password
information that the NAS should send to the user in an
ARAP 'feature flags' packet.
This field is one component of a 5-component compound
string which comprises the ARAP-Features attribute.
radArapFeaturesValue2 is the minimum acceptable password
length, from 0 to 8."
::= { appleTalkLinkSetupEntry 5 }
radArapFeaturesValue3 OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"This attribute is sent in an Access-Accept packet with
radFramedProtocol of ARAP, and includes password
information that the NAS should send to the user in an
ARAP 'feature flags' packet.
This field is one component of a 5-component compound
string which comprises the ARAP-Features attribute.
radArapFeaturesValue3 is the password creation date in
Macintosh format, defined as 32 unsigned bits
representing seconds since Midnight GMT January 1,
1904."
::= { appleTalkLinkSetupEntry 6 }
radArapFeaturesValue4 OBJECT-TYPE
SYNTAX Integer32
STATUS current
DESCRIPTION
"This attribute is sent in an Access-Accept packet with
radFramedProtocol of ARAP, and includes password
information that the NAS should send to the user in an
ARAP 'feature flags' packet.
This field is one component of a 5-component compound
string which comprises the ARAP-Features attribute.
radArapFeaturesValue4 is the password Expiration Delta
from create date in seconds."
::= { appleTalkLinkSetupEntry 7 }
radArapFeaturesValue5 OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"This attribute is sent in an Access-Accept packet with
radFramedProtocol of ARAP, and includes password
information that the NAS should send to the user in an
ARAP 'feature flags' packet.
This field is one component of a 5-component compound
string which comprises the ARAP-Features attribute.
radArapFeaturesValue5 is the current RADIUS time in
Macintosh format."
::= { appleTalkLinkSetupEntry 8 }
radArapZoneAccess OBJECT-TYPE
SYNTAX INTEGER {
radDefaultZone(1),
radUseZoneFilterInclusively(2),
radUseZoneFilterExclusively(4)
}
STATUS current
DESCRIPTION
"This attribute is included in an Access-Accept packet
with radFramedProtocol of ARAP to indicate how the ARAP
zone list for the user should be used.
A value of 'radDefaultZone(1)' means: Only allow access
to default zone.
A value of 'radUseZoneFilterInclusively(2)' means: Use
zone filter inclusively.
A value of 'radUseZoneFilterExclusively(4)' means: Use
zone filter exclusively."
::= { appleTalkLinkSetupEntry 9 }
radArapSecurity OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"This attribute identifies the ARAP Security Module to
be used in an Access-Challenge packet."
::= { appleTalkLinkSetupEntry 10 }
radArapSecurityData OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This attribute contains the actual security module
challenge or response, and can be found in Access-
Challenge and Access-Request packets."
::= { appleTalkLinkSetupEntry 11 }
--
-- The AppleTalk Protocol Setup Table
--
appleTalkProtoSetupTable OBJECT-TYPE
SYNTAX SEQUENCE OF AppleTalkProtoSetupEntry
PIB-ACCESS notify
STATUS current
DESCRIPTION
""
::= { radiusModelPib 13 }
appleTalkProtoSetupEntry OBJECT-TYPE
SYNTAX AppleTalkProtoSetupEntry
STATUS current
DESCRIPTION ""
EXTENDS { appleTalkLinkSetupEntry }
::= { appleTalkProtoSetupTable 1 }
AppleTalkProtoSetupEntry::= SEQUENCE {
radFramedAppleTalkLink Integer32,
radFramedAppleTalkNetwork Integer32,
radFramedAppleTalkZone OCTET STRING
}
radFramedAppleTalkLink OBJECT-TYPE
SYNTAX Integer32
STATUS current
DESCRIPTION
"This Attribute indicates the AppleTalk network number
which should be used for the serial link to the user,
which is another AppleTalk router. It is only used in
Access-Accept packets. It is never used when the user
is not another router."
::= { appleTalkProtoSetupEntry 1 }
radFramedAppleTalkNetwork OBJECT-TYPE
SYNTAX Integer32
STATUS current
DESCRIPTION
"This Attribute indicates the AppleTalk Network number
which the NAS should probe to allocate an AppleTalk node
for the user. It is only used in Access-Accept packets.
It is never used when the user is another router.
Multiple instances of this Attribute indicate that the
NAS may probe using any of the network numbers
specified."
::= { appleTalkProtoSetupEntry 2 }
radFramedAppleTalkZone OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This Attribute indicates the AppleTalk Default Zone to
be used for this user. It is only used in Access-Accept
packets. Multiple instances of this attribute in the
same packet are not allowed."
::= { appleTalkProtoSetupEntry 3 }
--
-- The IP Setup Table
--
ipSetupTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpSetupEntry
PIB-ACCESS notify
STATUS current
DESCRIPTION
""
::= { radiusModelPib 14 }
ipSetupEntry OBJECT-TYPE
SYNTAX IpSetupEntry
STATUS current
DESCRIPTION ""
EXTENDS { framedLinkSetupEntry }
::= { ipSetupTable 1 }
IpSetupEntry::= SEQUENCE {
radFramedIpAddress IpAddress,
radFramedIpNetmask IpAddress,
radFramedRouting INTEGER,
radFramedRoute OCTET STRING,
radFramedPool OCTET STRING,
radFilterId OCTET STRING
}
radFramedIpAddress OBJECT-TYPE
SYNTAX IpAddress
STATUS current
DESCRIPTION
"This Attribute indicates the address to be configured
for the user. It MAY be used in Access-Accept packets.
It MAY be used in an Access-Request packet as a hint by
the NAS to the server that it would prefer that address,
but the server is not required to honor the hint."
::= { ipSetupEntry 1 }
radFramedIpNetmask OBJECT-TYPE
SYNTAX IpAddress
STATUS current
DESCRIPTION
"This Attribute indicates the IP netmask to be
configured for the user when the user is a router to a
network. It MAY be used in Access-Accept packets. It
MAY be used in an Access-Request packet as a hint by the
NAS to the server that it would prefer that netmask, but
the server is not required to honor the hint."
::= { ipSetupEntry 2 }
radFramedRouting OBJECT-TYPE
SYNTAX INTEGER {
radNone(0),
radSendRoutingPackets(1),
radListenForRoutingPackets(2),
radSendAndListen(3)
}
STATUS current
DESCRIPTION
"This Attribute indicates the routing method for the
user, when the user is a router to a network. It is
only used in Access-Accept packets.
A value of 'radNone(0)' means: None.
A value of 'radSendRoutingPackets(1)' means: Send
routing packets.
A value of 'radListenForRoutingPackets(2)' means: Listen
for routing packets.
A value of 'radSendAndListen(3)' means: Send and
Listen."
::= { ipSetupEntry 3 }
radFramedRoute OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This Attribute provides routing information to be
configured for the user on the NAS. It is used in the
Access-Accept packet and can appear multiple times."
::= { ipSetupEntry 4 }
radFramedPool OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This Attribute contains the name of an assigned address
pool that SHOULD be used to assign an address for the
user. If a NAS does not support multiple address pools,
the NAS should ignore this Attribute. Address pools are
usually used for IP addresses, but can be used for other
protocols if the NAS supports pools for those
protocols."
::= { ipSetupEntry 5 }
radFilterId OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This Attribute indicates the name of the filter list
for this user. Zero or more radFilterId attributes MAY
be sent in an Access-Accept packet.
Identifying a filter list by name allows the filter to
be used on different NASes without regard to filter-list
implementation details."
::= { ipSetupEntry 6 }
--
-- The IPX Protocol Setup Table
--
ipxProtoSetupTable OBJECT-TYPE
SYNTAX SEQUENCE OF IpxProtoSetupEntry
PIB-ACCESS notify
STATUS current
DESCRIPTION
""
::= { radiusModelPib 15 }
ipxProtoSetupEntry OBJECT-TYPE
SYNTAX IpxProtoSetupEntry
STATUS current
DESCRIPTION ""
EXTENDS { framedLinkSetupEntry }
::= { ipxProtoSetupTable 1 }
IpxProtoSetupEntry::= SEQUENCE {
radFramedIpxNetwork Integer32
}
radFramedIpxNetwork OBJECT-TYPE
SYNTAX Integer32
STATUS current
DESCRIPTION
"This Attribute indicates the IPX Network number to be
configured for the user. It is used in Access-Accept
packets."
::= { ipxProtoSetupEntry 1 }
--
-- The Non Framed Setup Table
--
nonFramedSetupTable OBJECT-TYPE
SYNTAX SEQUENCE OF NonFramedSetupEntry
PIB-ACCESS notify
STATUS current
DESCRIPTION
""
::= { radiusModelPib 16 }
nonFramedSetupEntry OBJECT-TYPE
SYNTAX NonFramedSetupEntry
STATUS current
DESCRIPTION ""
EXTENDS { sessionManagementEntry }
::= { nonFramedSetupTable 1 }
NonFramedSetupEntry::= SEQUENCE {
terminationService Prid,
radLoginService INTEGER
}
terminationService OBJECT-TYPE
SYNTAX Prid
STATUS current
DESCRIPTION
""
::= { nonFramedSetupEntry 1 }
radLoginService OBJECT-TYPE
SYNTAX INTEGER {
radTelnet(0),
radRlogin(1),
radTCPClear(2),
radPortMaster(3),
radLAT(4),
radX25PAD(5),
radX25T3POS(6),
radTCPClearQuiet(8)
}
STATUS current
DESCRIPTION
"This Attribute indicates the service to use to connect
the user to the login host. It is only used in Access-
Accept packets.
A value of 'radTelnet(0)' means: Telnet.
A value of 'radRlogin(1)' means: Rlogin.
A value of 'radTCPClear(2)' means: TCP Clear.
A value of 'radPortMaster(3)' means: PortMaster
(proprietary).
A value of 'radLAT(4)' means: LAT.
A value of 'radX25PAD(5)' means: X25-PAD.
A value of 'radX25T3POS(6)' means: X25-T3POS.
A value of 'radTCPClearQuiet(8)' means: TCP Clear Quiet
(suppresses any NAS-generated connect string)."
::= { nonFramedSetupEntry 2 }
--
-- The Non Framed TCP/IP connection Table
--
nonFramedTCPIPConnectTable OBJECT-TYPE
SYNTAX SEQUENCE OF NonFramedTCPIPConnectEntry
PIB-ACCESS notify
STATUS current
DESCRIPTION
""
::= { radiusModelPib 17 }
nonFramedTCPIPConnectEntry OBJECT-TYPE
SYNTAX NonFramedTCPIPConnectEntry
STATUS current
DESCRIPTION ""
EXTENDS { nonFramedSetupEntry }
::= { nonFramedTCPIPConnectTable 1 }
NonFramedTCPIPConnectEntry::= SEQUENCE {
radLoginIpHost IpAddress,
radLoginTcpPort Integer32
}
radLoginIpHost OBJECT-TYPE
SYNTAX IpAddress
STATUS current
DESCRIPTION
"This Attribute indicates the system with which to
connect the user, when the radLoginService Attribute is
included. It MAY be used in Access-Accept packets. It
MAY be used in an Access-Request packet as a hint to the
server that the NAS would prefer to use that host, but
the server is not required to honor the hint."
::= { nonFramedTCPIPConnectEntry 1 }
radLoginTcpPort OBJECT-TYPE
SYNTAX Integer32
STATUS current
DESCRIPTION
"This Attribute indicates the TCP port with which the
user is to be connected, when the radLoginService
Attribute is also present. It is only used in Access-
Accept packets."
::= { nonFramedTCPIPConnectEntry 2 }
--
-- The Non Framed LAT connection Table
--
nonFramedLATConnectTable OBJECT-TYPE
SYNTAX SEQUENCE OF NonFramedLATConnectEntry
PIB-ACCESS notify
STATUS current
DESCRIPTION
""
::= { radiusModelPib 18 }
nonFramedLATConnectEntry OBJECT-TYPE
SYNTAX NonFramedLATConnectEntry
STATUS current
DESCRIPTION ""
EXTENDS { nonFramedSetupEntry }
::= { nonFramedLATConnectTable 1 }
NonFramedLATConnectEntry::= SEQUENCE {
radLoginLatService OCTET STRING,
radLoginLatNode OCTET STRING,
radLoginLatGroup OCTET STRING,
radLoginLatPort OCTET STRING
}
radLoginLatService OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This Attribute indicates the system with which the user
is to be connected by LAT. It MAY be used in Access-
Accept packets, but only when LAT is specified as the
radLoginService. It MAY be used in an Access-Request
packet as a hint to the server, but the server is not
required to honor the hint.
Administrators use the service attribute when dealing
with clustered systems, such as a VAX or Alpha cluster.
In such an environment several different time sharing
hosts share the same resources (disks, printers, etc.),
and administrators often configure each to offer access
(service) to each of the shared resources. In this case,
each host in the cluster advertises its services through
LAT broadcasts.
Sophisticated users often know which service providers
(machines) are faster and tend to use a node name when
initiating a LAT connection. Alternately, some
administrators want particular users to use certain
machines as a primitive form of load balancing (although
LAT knows how to do load balancing itself)."
::= { nonFramedLATConnectEntry 1 }
radLoginLatNode OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This Attribute indicates the Node with which the user
is to be automatically connected by LAT. It MAY be used
in Access-Accept packets, but only when LAT is specified
as the radLoginService. It MAY be used in an Access-
Request packet as a hint to the server, but the server
is not required to honor the hint."
::= { nonFramedLATConnectEntry 2 }
radLoginLatGroup OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This Attribute contains a string identifying the LAT
group codes which this user is authorized to use. It
MAY be used in Access-Accept packets, but only when LAT
is specified as the radLoginService. It MAY be used in
an Access-Request packet as a hint to the server, but
the server is not required to honor the hint.
LAT supports 256 different group codes, which LAT uses
as a form of access rights. LAT encodes the group codes
as a 256 bit bitmap.
Administrators can assign one or more of the group code
bits at the LAT service provider; it will only accept
LAT connections that have these group codes set in the
bit map. The administrators assign a bitmap of
authorized group codes to each user; LAT gets these from
the operating system, and uses these in its requests to
the service providers."
::= { nonFramedLATConnectEntry 3 }
radLoginLatPort OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This Attribute indicates the Port with which the user
is to be connected by LAT. It MAY be used in Access-
Accept packets, but only when LAT is specified as the
radLoginService. It MAY be used in an Access-Request
packet as a hint to the server, but the server is not
required to honor the hint."
::= { nonFramedLATConnectEntry 4 }
--
-- The Per Session Accounting Table
--
perSessionAcctTable OBJECT-TYPE
SYNTAX SEQUENCE OF PerSessionAcctEntry
PIB-ACCESS notify
STATUS current
DESCRIPTION
""
::= { radiusModelPib 19 }
perSessionAcctEntry OBJECT-TYPE
SYNTAX PerSessionAcctEntry
STATUS current
DESCRIPTION
""
PIB-INDEX { perSessionAcctPrid }
::= { perSessionAcctTable 1 }
PerSessionAcctEntry::= SEQUENCE {
perSessionAcctPrid InstanceId,
sessionManagement Prid,
radAcctStatusType INTEGER,
radAcctInputOctets Integer32,
radAcctOutputOctets Integer32,
radAcctInputGigawords Integer32,
radAcctOutputGigawords Integer32,
radAcctSessionTime Integer32,
radAcctInputPackets Integer32,
radAcctOutputPackets Integer32,
radAcctAuthentic INTEGER,
radAcctTerminateCause INTEGER
}
perSessionAcctPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An index to uniquely identify an instance of this
policy class."
::= { perSessionAcctEntry 1 }
sessionManagement OBJECT-TYPE
SYNTAX Prid
STATUS current
DESCRIPTION
""
::= { perSessionAcctEntry 2 }
radAcctStatusType OBJECT-TYPE
SYNTAX INTEGER {
radAcctStatusStart(1),
radAcctStatusStop(2),
radAcctStatusInterimUpdate(3),
radAcctStatusAccountingOn(7),
radAcctStatusAccountingOff(8),
radAcctStatusTunnelStart(9),
radAcctStatusTunnelStop(10),
radAcctStatusTunnelReject(11),
radAcctStatusTunnelLinkStart(12),
radAcctStatusTunnelLinkStop(13),
radAcctStatusTunnelLinkReject(14),
radAcctStatusFailed(15)
}
STATUS current
DESCRIPTION
"This attribute indicates whether this Accounting-
Request marks the beginning of the user service (Start)
or the end (Stop).
It MAY be used by the client to mark the start of
accounting (for example, upon booting) by specifying
Accounting-On and to mark the end of accounting (for
example, just before a scheduled reboot) by specifying
Accounting-Off.
Values 9 through 14 are reserved by RADIUS Accounting
for tunnel accounting and value 15 is reserved for
Failed. Each label in an enumeration must be unique,
so the reserved values are labelled with the tunnel
accounting assignments made for them in RFC 2867.
A value of 'radAcctStatusStart(1)' means: Start.
A value of 'radAcctStatusStop(2)' means: Stop.
A value of 'radAcctStatusInterimUpdate(3)' means:
Interim-Update.
A value of 'radAcctStatusAccountingOn(7)' means:
Accounting-On.
A value of 'radAcctStatusAccountingOff(8)' means:
Accounting-Off.
A value of 'radAcctStatusTunnelStart(9)' means:
Tunnel-Start (reserved for tunnel accounting).
A value of 'radAcctStatusTunnelStop(10)' means:
Tunnel-Stop (reserved for tunnel accounting).
A value of 'radAcctStatusTunnelReject(11)' means:
Tunnel-Reject (reserved for tunnel accounting).
A value of 'radAcctStatusTunnelLinkStart(12)' means:
Tunnel-Link-Start (reserved for tunnel accounting).
A value of 'radAcctStatusTunnelLinkStop(13)' means:
Tunnel-Link-Stop (reserved for tunnel accounting).
A value of 'radAcctStatusTunnelLinkReject(14)' means:
Tunnel-Link-Reject (reserved for tunnel accounting).
A value of 'radAcctStatusFailed(15)' means: Failed
(reserved)."
::= { perSessionAcctEntry 3 }
radAcctInputOctets OBJECT-TYPE
SYNTAX Integer32
STATUS current
DESCRIPTION
"This attribute indicates how many octets have been
received from the port over the course of this service
being provided, and can only be present in Accounting-
Request records where the radAcctStatusType is set to
Stop."
::= { perSessionAcctEntry 4 }
radAcctOutputOctets OBJECT-TYPE
SYNTAX Integer32
STATUS current
DESCRIPTION
"This attribute indicates how many octets have been sent
to the port in the course of delivering this service,
and can only be present in Accounting-Request records
where the radAcctStatusType is set to Stop."
::= { perSessionAcctEntry 5 }
radAcctInputGigawords OBJECT-TYPE
SYNTAX Integer32
STATUS current
DESCRIPTION
"This attribute indicates how many times the
radAcctInputOctets counter has wrapped around 2^32 over
the course of this service being provided, and can only
be present in Accounting-Request records where the
radAcctStatusType is set to Stop or Interim-Update."
::= { perSessionAcctEntry 6 }
radAcctOutputGigawords OBJECT-TYPE
SYNTAX Integer32
STATUS current
DESCRIPTION
"This attribute indicates how many times the
radAcctOutputOctets counter has wrapped around 2^32 in
the course of delivering this service, and can only be
present in Accounting-Request records where the
radAcctStatusType is set to Stop or Interim-Update."
::= { perSessionAcctEntry 7 }
radAcctSessionTime OBJECT-TYPE
SYNTAX Integer32
STATUS current
DESCRIPTION
"This attribute indicates how many seconds the user has
received service for, and can only be present in
Accounting-Request records where the radAcctStatusType
is set to Stop."
::= { perSessionAcctEntry 8 }
radAcctInputPackets OBJECT-TYPE
SYNTAX Integer32
STATUS current
DESCRIPTION
"This attribute indicates how many packets have been
received from the port over the course of this service
being provided to a Framed User, and can only be present
in Accounting-Request records where the
radAcctStatusType is set to Stop."
::= { perSessionAcctEntry 9 }
radAcctOutputPackets OBJECT-TYPE
SYNTAX Integer32
STATUS current
DESCRIPTION
"This attribute indicates how many packets have been
sent to the port in the course of delivering this
service to a Framed User, and can only be present in
Accounting-Request records where the radAcctStatusType
is set to Stop."
::= { perSessionAcctEntry 10 }
radAcctAuthentic OBJECT-TYPE
SYNTAX INTEGER {
radAcctAuthenticRADIUS(1),
radAcctAuthenticLocal(2),
radAcctAuthenticRemote(3)
}
STATUS current
DESCRIPTION
"This attribute MAY be included in an Accounting-Request
to indicate how the user was authenticated, whether by
RADIUS, the NAS itself, or another remote authentication
protocol. Users who are delivered service without being
authenticated SHOULD NOT generate Accounting records.
A value of 'radAcctAuthenticRADIUS(1)' means: RADIUS.
A value of 'radAcctAuthenticLocal(2)' means: Local.
A value of 'radAcctAuthenticRemote(3)' means: Remote."
::= { perSessionAcctEntry 11 }
radAcctTerminateCause OBJECT-TYPE
SYNTAX INTEGER {
radTermCauseUserRequest(1),
radTermCauseLostCarrier(2),
radTermCauseLostService(3),
radTermCauseIdleTimeout(4),
radTermCauseSessionTimeout(5),
radTermCauseAdminReset(6),
radTermCauseAdminReboot(7),
radTermCausePortError(8),
radTermCauseNASError(9),
radTermCauseNASRequest(10),
radTermCauseNASReboot(11),
radTermCausePortUnneeded(12),
radTermCausePortPreempted(13),
radTermCausePortSuspended(14),
radTermCauseServiceUnavailable(15),
radTermCauseCallback(16),
radTermCauseUserError(17),
radTermCauseHostRequest(18)
}
STATUS current
DESCRIPTION
"This attribute indicates how the session was
terminated, and can only be present in Accounting-
Request records where the radAcctStatusType is set to
Stop.
The termination causes are as follows:
A value of 'radTermCauseUserRequest(1)' means: User
requested termination of service, for example with LCP
Terminate or by logging out.
A value of 'radTermCauseLostCarrier(2)' means: DCD was
dropped on the port.
A value of 'radTermCauseLostService(3)' means: Service
can no longer be provided; for example, user's
connection to a host was interrupted.
A value of 'radTermCauseIdleTimeout(4)' means: Idle
timer expired.
A value of 'radTermCauseSessionTimeout(5)' means:
Maximum session length timer expired.
A value of 'radTermCauseAdminReset(6)' means:
Administrator reset the port or session.
A value of 'radTermCauseAdminReboot(7)' means:
Administrator is ending service on the NAS, for example
prior to rebooting the NAS.
A value of 'radTermCausePortError(8)' means: NAS
detected an error on the port which required ending the
session.
A value of 'radTermCauseNASError(9)' means: NAS detected
some error (other than on the port) which required
ending the session.
A value of 'radTermCauseNASRequest(10)' means: NAS ended
session for a non-error reason not otherwise listed
here.
A value of 'radTermCauseNASReboot(11)' means: The NAS
ended the session in order to reboot non-
administratively ('crash').
A value of 'radTermCausePortUnneeded(12)' means: NAS
ended session because resource usage fell below low-
water mark (for example, if a bandwidth-on-demand
algorithm decided that the port was no longer needed).
A value of 'radTermCausePortPreempted(13)' means: NAS
ended session in order to allocate the port to a higher
priority use.
A value of 'radTermCausePortSuspended(14)' means: NAS
ended session to suspend a virtual session.
A value of 'radTermCauseServiceUnavailable(15)' means:
NAS was unable to provide requested service.
A value of 'radTermCauseCallback(16)' means: NAS is
terminating current session in order to perform callback
for a new session.
A value of 'radTermCauseUserError(17)' means: Input from
user is in error, causing termination of session.
A value of 'radTermCauseHostRequest(18)' means: Login
Host terminated session normally."
::= { perSessionAcctEntry 12 }
--
-- The Accounting Control Table
--
accountingControlTable OBJECT-TYPE
SYNTAX SEQUENCE OF AccountingControlEntry
PIB-ACCESS notify
STATUS current
DESCRIPTION
""
::= { radiusModelPib 20 }
accountingControlEntry OBJECT-TYPE
SYNTAX AccountingControlEntry
STATUS current
DESCRIPTION
""
PIB-INDEX { accountingControlPrid }
::= { accountingControlTable 1 }
AccountingControlEntry::= SEQUENCE {
accountingControlPrid InstanceId,
sessionManagement Prid,
radAcctDelayTime Integer32,
radEventTimestamp Unsigned32,
radAcctInterimInterval Integer32
}
accountingControlPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An index to uniquely identify an instance of this
policy class."
::= { accountingControlEntry 1 }
sessionManagement OBJECT-TYPE
SYNTAX Prid
STATUS current
DESCRIPTION
""
::= { accountingControlEntry 2 }
radAcctDelayTime OBJECT-TYPE
SYNTAX Integer32
STATUS current
DESCRIPTION
"This attribute indicates how many seconds the client
has been trying to send this record for, and can be
subtracted from the time of arrival on the server to
find the approximate time of the event generating this
Accounting-Request. (Network transit time is ignored.)
Note that changing the radAcctDelayTime causes the
Identifier of the RADIUS packet to change; see the
discussion of the Identifier field in the RADIUS
Accounting specification."
::= { accountingControlEntry 3 }
radEventTimestamp OBJECT-TYPE
SYNTAX Unsigned32
STATUS current
DESCRIPTION
"This attribute is included in an Accounting-Request
packet to record the time that this event occurred on
the NAS, in seconds since January 1, 1970 00:00 UTC."
::= { accountingControlEntry 4 }
radAcctInterimInterval OBJECT-TYPE
SYNTAX Integer32
STATUS current
DESCRIPTION
"This attribute indicates the number of seconds between
interim updates for this specific session. This value
can only appear in the Access-Accept message."
::= { accountingControlEntry 5 }
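The per-session accounting counters above (radAcctInputOctets and
radAcctOutputOctets with their Gigawords wrap counters) and the
accounting-control timing objects (radAcctDelayTime, radEventTimestamp)
are easy to get wrong on the collector side. The following Python is an
added example, not part of this draft or of any RADIUS implementation:
it rebuilds the 64-bit octet totals from the octets/gigawords pair,
recovers an unsigned value from a counter that was decoded through a
signed 32-bit path (the Integer32 SYNTAX used above would do that), and
derives the event time either from radEventTimestamp or from the arrival
time minus radAcctDelayTime. The dict-of-attributes record layout and the
sample record are constructed for the example.

```python
# Added example, not part of the draft: collector-side normalisation of the
# RADIUS accounting objects modelled above.  Record layout (a dict keyed by
# the PIB object names) and the sample record are constructed here.

TWO_32 = 1 << 32
ACCT_STATUS_START, ACCT_STATUS_STOP, ACCT_STATUS_INTERIM_UPDATE = 1, 2, 3


def to_unsigned32(value):
    """RADIUS 'integer' attributes are 32-bit unsigned.  A collector that
    decoded them through a signed 32-bit path (the Integer32 SYNTAX above)
    sees 2^31..2^32-1 as negative numbers; map those back.  Anything that
    does not fit in 32 bits either way is a decoding bug, not a counter."""
    if not -(TWO_32 // 2) <= value < TWO_32:
        raise ValueError("not a 32-bit RADIUS integer: %r" % (value,))
    return value % TWO_32


def total_octets(octets, gigawords=0):
    """64-bit byte count: radAcct*Gigawords counts how many times the
    32-bit radAcct*Octets counter wrapped, so the total is
    gigawords * 2^32 + octets."""
    return to_unsigned32(gigawords) * TWO_32 + to_unsigned32(octets)


def event_time(arrival_epoch, delay_time=0, event_timestamp=None):
    """Approximate time of the event behind an Accounting-Request, as a
    Unix timestamp.  radEventTimestamp (NAS clock, seconds since
    1970-01-01 00:00 UTC) wins when present; otherwise radAcctDelayTime is
    subtracted from the server-side arrival time, ignoring transit time
    exactly as the radAcctDelayTime description does."""
    if event_timestamp is not None:
        return to_unsigned32(event_timestamp)
    return arrival_epoch - to_unsigned32(delay_time)


def normalise_accounting(record, arrival_epoch):
    """Turn one Accounting-Request into 64-bit totals plus an event time.

    Traffic counters belong on Stop records (per the draft) and on
    Interim-Update records (where the Gigawords objects are also allowed),
    so a Start record that carries them is rejected as malformed rather
    than silently summed."""
    status = record["radAcctStatusType"]
    counters = ("radAcctInputOctets", "radAcctOutputOctets",
                "radAcctInputGigawords", "radAcctOutputGigawords")
    if status == ACCT_STATUS_START and any(k in record for k in counters):
        raise ValueError("Start record must not carry traffic counters")
    out = {
        "status": status,
        "event_time": event_time(arrival_epoch,
                                 record.get("radAcctDelayTime", 0),
                                 record.get("radEventTimestamp")),
    }
    if status in (ACCT_STATUS_STOP, ACCT_STATUS_INTERIM_UPDATE):
        out["input_octets"] = total_octets(
            record.get("radAcctInputOctets", 0),
            record.get("radAcctInputGigawords", 0))
        out["output_octets"] = total_octets(
            record.get("radAcctOutputOctets", 0),
            record.get("radAcctOutputGigawords", 0))
    if status == ACCT_STATUS_STOP:
        out["session_seconds"] = to_unsigned32(
            record.get("radAcctSessionTime", 0))
    return out


# Constructed Stop record (not a captured packet): the input octet counter
# came through a signed decoder as -1, i.e. 0xFFFFFFFF, after two wraps.
SAMPLE_STOP = {
    "radAcctStatusType": ACCT_STATUS_STOP,
    "radAcctInputOctets": -1,
    "radAcctInputGigawords": 2,
    "radAcctOutputOctets": 1500,
    "radAcctOutputGigawords": 0,
    "radAcctSessionTime": 3600,
    "radAcctDelayTime": 30,
}

if __name__ == "__main__":
    print(normalise_accounting(SAMPLE_STOP, arrival_epoch=973036800))
```

The sample record yields an input total of 2 * 2^32 + (2^32 - 1) =
12884901887 octets and an event time 30 seconds before arrival; a Start
record carrying counters, or a value outside 32 bits, raises instead of
feeding a bogus number into billing or an IDS baseline.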
--
-- The Tunnel Acct Table
--
tunnelAcctTable OBJECT-TYPE
SYNTAX SEQUENCE OF TunnelAcctEntry
PIB-ACCESS notify
STATUS current
DESCRIPTION
""
::= { radiusModelPib 21 }
tunnelAcctEntry OBJECT-TYPE
SYNTAX TunnelAcctEntry
STATUS current
DESCRIPTION ""
EXTENDS { perSessionAcctEntry }
::= { tunnelAcctTable 1 }
TunnelAcctEntry::= SEQUENCE {
radAcctTunnelConnection OCTET STRING,
radAcctTunnelPacketsLost Integer32
}
radAcctTunnelConnection OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This Attribute indicates the identifier assigned to the
tunnel session. It SHOULD be included in Accounting-
Request packets which contain a radAcctStatusType
attribute having the value Start, Stop or any of the
values reserved for tunnel accounting. This attribute,
along with the radTunnelClientEndpoint and
radTunnelServerEndpoint attributes [6], may be used to
uniquely identify a tunnel session for auditing
purposes."
::= { tunnelAcctEntry 1 }
radAcctTunnelPacketsLost OBJECT-TYPE
SYNTAX Integer32
STATUS current
DESCRIPTION
"This Attribute indicates the number of packets lost on
a given link. It SHOULD be included in Accounting-
Request packets which contain a radAcctStatusType
attribute having the Tunnel-Link-Stop value (13)
reserved for tunnel accounting."
::= { tunnelAcctEntry 2 }
--
-- The Tunneling Service Table
--
tunnelingServiceTable OBJECT-TYPE
SYNTAX SEQUENCE OF TunnelingServiceEntry
PIB-ACCESS notify
STATUS current
DESCRIPTION
""
::= { radiusModelPib 22 }
tunnelingServiceEntry OBJECT-TYPE
SYNTAX TunnelingServiceEntry
STATUS current
DESCRIPTION ""
PIB-INDEX { tunnelingServicePrid }
::= { tunnelingServiceTable 1 }
TunnelingServiceEntry::= SEQUENCE {
tunnelingServicePrid InstanceId,
radTunnelType INTEGER,
radTunnelMediumType INTEGER,
radTunnelClientEndpoint OCTET STRING,
radTunnelServerEndpoint OCTET STRING,
radTunnelPassword OCTET STRING,
radTunnelPrivateGroupId OCTET STRING,
radTunnelAssignmentId OCTET STRING,
radTunnelPreference Integer32,
radTunnelClientAuthId OCTET STRING,
radTunnelServerAuthId OCTET STRING
}
tunnelingServicePrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An index to uniquely identify an instance of this
policy class."
::= { tunnelingServiceEntry 1 }
radTunnelType OBJECT-TYPE
SYNTAX INTEGER {
radttPPTP(1),
radttL2F(2),
radttL2TP(3),
radttATMP(4),
radttVTP(5),
radttAH(6),
radttIpIpEncapsulation(7),
radttMinIpIp(8),
radttESP(9),
radttGRE(10),
radttDVS(11),
radttIpIpTunneling(12)
}
STATUS current
DESCRIPTION
"This Attribute indicates the tunneling protocol(s) to
be used (in the case of a tunnel initiator) or the
tunneling protocol in use (in the case of a tunnel
terminator). It MAY be included in Access-Request,
Access-Accept and Accounting-Request packets. If the
radTunnelType Attribute is present in an Access-Request
packet sent from a tunnel initiator, it SHOULD be taken
as a hint to the RADIUS server as to the tunnelling
protocols supported by the tunnel end-point; the RADIUS
server MAY ignore the hint, however. A tunnel initiator
is not required to implement any of these tunnel types;
if a tunnel initiator receives an Access-Accept packet
which contains only unknown or unsupported
radTunnelTypes, the tunnel initiator MUST behave as
though an Access-Reject had been received instead.
If the radTunnelType Attribute is present in an Access-
Request packet sent from a tunnel terminator, it SHOULD
be taken to signify the tunnelling protocol in use. In
this case, if the RADIUS server determines that the use
of the communicated protocol is not authorized, it MAY
return an Access-Reject packet. If a tunnel terminator
receives an Access-Accept packet which contains one or
more radTunnelType Attributes, none of which represent
the tunneling protocol in use, the tunnel terminator
SHOULD behave as though an Access-Reject had been
received instead.
A value of 'radttPPTP(1)' indicates Point-to-Point
Tunneling Protocol (PPTP).
A value of 'radttL2F(2)' indicates Layer Two Forwarding
(L2F).
A value of 'radttL2TP(3)' indicates Layer Two Tunneling
Protocol (L2TP).
A value of 'radttATMP(4)' indicates Ascend Tunnel
Management Protocol (ATMP).
A value of 'radttVTP(5)' indicates Virtual Tunneling
Protocol (VTP).
A value of 'radttAH(6)' indicates IP Authentication
Header in the Tunnel-mode (AH).
A value of 'radttIpIpEncapsulation(7)' indicates IP-in-
IP Encapsulation (IP-IP).
A value of 'radttMinIpIp(8)' indicates Minimal IP-in-IP
Encapsulation (MIN-IP-IP).
A value of 'radttESP(9)' indicates IP Encapsulating
Security Payload in the Tunnel-mode (ESP).
A value of 'radttGRE(10)' indicates Generic Route
Encapsulation (GRE).
A value of 'radttDVS(11)' indicates Bay Dial Virtual
Services (DVS).
A value of 'radttIpIpTunneling(12)' indicates IP-in-IP
Tunneling."
::= { tunnelingServiceEntry 2 }
radTunnelMediumType OBJECT-TYPE
SYNTAX INTEGER {
radtmIpV4(1),
radtmIpV6(2),
radtmNSAP(3),
radtmHDLC(4),
radtmBBN1822(5),
radtm802(6),
radtmE163(7),
radtmE164(8),
radtmF69(9),
radtmX121(10),
radtmIPX(11),
radtmAppletalk(12),
radtmDecnetIV(13),
radtmBanyanVines(14),
radtmE164withNsapFormatSubaddr(15)
}
STATUS current
DESCRIPTION
"The radTunnelMediumType Attribute indicates which
transport medium to use when creating a tunnel for those
protocols (such as L2TP) that can operate over multiple
transports. It MAY be included in both Access-Request
and Access-Accept packets; if it is present in an
Access-Request packet, it SHOULD be taken as a hint to
the RADIUS server as to the tunnel media supported by
the tunnel end-point. The RADIUS server MAY ignore the
hint, however.
A value of 'radtmIpV4(1)' means: IPv4 (IP version 4).
A value of 'radtmIpV6(2)' means: IPv6 (IP version 6).
A value of 'radtmNSAP(3)' means: NSAP.
A value of 'radtmHDLC(4)' means: HDLC (8-bit multidrop).
A value of 'radtmBBN1822(5)' means: BBN 1822.
A value of 'radtm802(6)' means: 802 (includes all 802
media plus Ethernet 'canonical format').
A value of 'radtmE163(7)' means: E.163 (POTS).
A value of 'radtmE164(8)' means: E.164 (SMDS, Frame
Relay, ATM).
A value of 'radtmF69(9)' means: F.69 (Telex).
A value of 'radtmX121(10)' means: X.121 (X.25, Frame
Relay).
A value of 'radtmIPX(11)' means: IPX.
A value of 'radtmAppletalk(12)' means: Appletalk.
A value of 'radtmDecnetIV(13)' means: Decnet IV.
A value of 'radtmBanyanVines(14)' means: Banyan Vines.
A value of 'radtmE164withNsapFormatSubaddr(15)' means:
E.164 with NSAP format subaddress."
::= { tunnelingServiceEntry 3 }
radTunnelClientEndpoint OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This Attribute contains the address of the initiator
end of the tunnel. It MAY be included in both Access-
Request and Access-Accept packets to indicate the
address from which a new tunnel is to be initiated. If
the radTunnelClientEndpoint Attribute is included in an
Access-Request packet, the RADIUS server should take the
value as a hint; the server is not obligated to honor
the hint, however. This Attribute SHOULD be included in
Accounting-Request packets which contain
radAcctStatusType attributes with values of either Start
or Stop, in which case it indicates the address from
which the tunnel was initiated. This Attribute, along
with the radTunnelServerEndpoint and
radAcctTunnelConnection attributes, may be used to
provide a globally unique means to identify a tunnel for
accounting and auditing purposes."
::= { tunnelingServiceEntry 4 }
radTunnelServerEndpoint OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This Attribute indicates the address of the server end
of the tunnel. The radTunnelServerEndpoint Attribute
MAY be included (as a hint to the RADIUS server) in the
Access-Request packet and MUST be included in the
Access-Accept packet if the initiation of a tunnel is
desired. It SHOULD be included in Accounting-Request
packets which contain radAcctStatusType attributes with
values of either Start or Stop and which pertain to a
tunneled session. This Attribute, along with the
radTunnelClientEndpoint and radAcctTunnelConnection
Attributes [5], may be used to provide a globally
unique means to identify a tunnel for accounting and
auditing purposes."
::= { tunnelingServiceEntry 5 }
radTunnelPassword OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This Attribute may contain a password to be used to
authenticate to a remote server. It may only be
included in an Access-Accept packet. On the wire the
RADIUS Tunnel-Password value is hidden with the shared
secret before transmission; the value modelled here is
the recovered cleartext and should be treated as a
secret wherever it is stored or exported."
::= { tunnelingServiceEntry 6 }
radTunnelPrivateGroupId OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This Attribute indicates the group ID for a particular
tunneled session. The radTunnelPrivateGroupId Attribute
MAY be included in the Access-Request packet if the
tunnel initiator can pre-determine the group resulting
from a particular connection and SHOULD be included in
the Access-Accept packet if this tunnel session is to be
treated as belonging to a particular private group.
Private groups may be used to associate a tunneled
session with a particular group of users. For example,
it may be used to facilitate routing of unregistered IP
addresses through a particular interface. It SHOULD be
included in Accounting-Request packets which contain
radAcctStatusType attributes with values of either Start
or Stop and which pertain to a tunneled session."
::= { tunnelingServiceEntry 7 }
radTunnelAssignmentId OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This Attribute is used to indicate to the tunnel
initiator the particular tunnel to which a session is to
be assigned. Some tunneling protocols, such as PPTP and
L2TP, allow for sessions between the same two tunnel
endpoints to be multiplexed over the same tunnel and
also for a given session to utilize its own dedicated
tunnel. This attribute provides a mechanism for RADIUS
to be used to inform the tunnel initiator (e.g. PAC,
LAC) whether to assign the session to a multiplexed
tunnel or to a separate tunnel. Furthermore, it allows
for sessions sharing multiplexed tunnels to be assigned
to different multiplexed tunnels.
A particular tunneling implementation may assign
differing characteristics to particular tunnels. For
example, different tunnels may be assigned different QOS
parameters. Such tunnels may be used to carry either
individual or multiple sessions. The
radTunnelAssignmentId attribute thus allows the RADIUS
server to indicate that a particular session is to be
assigned to a tunnel that provides an appropriate level
of service. It is expected that any QOS-related RADIUS
tunneling attributes defined in the future that
accompany this attribute will be associated by the
tunnel initiator with the ID given by this attribute.
In the meantime, any semantic given to a particular ID
string is a matter left to local configuration in the
tunnel initiator.
The radTunnelAssignmentId attribute is of significance
only to RADIUS and the tunnel initiator. The ID it
specifies is intended to be of only local use to RADIUS
and the tunnel initiator. The ID assigned by the tunnel
initiator is not conveyed to the tunnel peer.
This attribute MAY be included in the Access-Accept.
The tunnel initiator receiving this attribute MAY choose
to ignore it and assign the session to an arbitrary
multiplexed or non-multiplexed tunnel between the
desired endpoints. This attribute SHOULD also be
included in Accounting-Request packets which contain
radAcctStatusType attributes with values of either Start
or Stop and which pertain to a tunneled session.
If a tunnel initiator supports the radTunnelAssignmentId
Attribute, then it should assign a session to a tunnel
in the following manner:
- If this attribute is present and a tunnel exists
between the specified endpoints with the specified ID,
then the session should be assigned to that tunnel.
- If this attribute is present and no tunnel exists
between the specified endpoints with the specified ID,
then a new tunnel should be established for the session
and the specified ID should be associated with the new
tunnel.
- If this attribute is not present, then the session is
assigned to an unnamed tunnel. If an unnamed tunnel
does not yet exist between the specified endpoints then
it is established and used for this and subsequent
sessions established without the radTunnelAssignmentId
attribute. A tunnel initiator MUST NOT assign a session
for which a radTunnelAssignmentId Attribute was not
specified to a named tunnel (i.e. one that was initiated
by a session specifying this attribute).
Note that the same ID may be used to name different
tunnels if such tunnels are between different
endpoints."
::= { tunnelingServiceEntry 8 }
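The assignment procedure above can be implemented directly by keying
tunnels on (client endpoint, server endpoint, radTunnelAssignmentId),
with the unnamed tunnel keyed on a missing ID: rule 1, rule 2, rule 3,
the MUST NOT and the "same ID between different endpoints" note all
fall out of that one key. The following Python is an added example, not
part of the draft or of any tunnel initiator; the Tunnel and
TunnelInitiator classes, their field names, the honour_assignment_id
switch (modelling the initiator's MAY to ignore the attribute) and the
sample endpoints are its own assumptions.

```python
# Added example, not part of the draft: a tunnel initiator implementing the
# radTunnelAssignmentId procedure.  Tunnels are keyed by (client endpoint,
# server endpoint, assignment id), with None standing for the unnamed
# tunnel; the classes, field names and sample endpoints are assumptions.


class Tunnel:
    def __init__(self, client_endpoint, server_endpoint, assignment_id):
        self.client_endpoint = client_endpoint
        self.server_endpoint = server_endpoint
        self.assignment_id = assignment_id  # None: the unnamed tunnel
        self.sessions = []                  # session ids multiplexed here

    @property
    def named(self):
        return self.assignment_id is not None


class TunnelInitiator:
    def __init__(self, honour_assignment_id=True):
        # The draft lets an initiator ignore the attribute (MAY); turning
        # that off collapses every session onto the unnamed tunnel.
        self.honour_assignment_id = honour_assignment_id
        self._tunnels = {}   # (client_ep, server_ep, assignment_id) -> Tunnel
        self._assigned = {}  # session id -> assignment id it was given

    def assign_session(self, session_id, client_endpoint, server_endpoint,
                       assignment_id=None):
        """Apply the draft's three rules.  assignment_id is the
        radTunnelAssignmentId from the Access-Accept, None if absent."""
        if not self.honour_assignment_id:
            assignment_id = None
        key = (client_endpoint, server_endpoint, assignment_id)
        tunnel = self._tunnels.get(key)
        if tunnel is None:
            # Rule 2 (ID given, no such tunnel) and rule 3 (no ID, no unnamed
            # tunnel yet): establish one and remember it under this key.
            tunnel = Tunnel(client_endpoint, server_endpoint, assignment_id)
            self._tunnels[key] = tunnel
        # Rule 1, and the "subsequent sessions" half of rule 3: reuse it.
        tunnel.sessions.append(session_id)
        self._assigned[session_id] = assignment_id
        return tunnel

    def tunnels_between(self, client_endpoint, server_endpoint):
        return [t for (c, s, _), t in self._tunnels.items()
                if (c, s) == (client_endpoint, server_endpoint)]

    def tunnel_count(self):
        return len(self._tunnels)

    def check_invariants(self):
        """True if no session lacking an ID sits in a named tunnel (the
        draft's MUST NOT) and every session is in exactly one tunnel."""
        seen = []
        for tunnel in self._tunnels.values():
            for sid in tunnel.sessions:
                seen.append(sid)
                if tunnel.named and self._assigned[sid] is None:
                    return False
        return len(seen) == len(set(seen)) == len(self._assigned)


if __name__ == "__main__":
    ti = TunnelInitiator()
    ti.assign_session("s1", "198.51.100.1", "203.0.113.1", "gold")
    ti.assign_session("s2", "198.51.100.1", "203.0.113.1")  # unnamed tunnel
    print(ti.tunnel_count(), "tunnels;", ti.check_invariants())
```

A dedicated per-session tunnel is simply an ID the server never reuses;
a session without the attribute can never land in a named tunnel because
its key differs, which is the property check_invariants verifies.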
radTunnelPreference OBJECT-TYPE
SYNTAX Integer32
STATUS current
DESCRIPTION
"If more than one set of tunneling attributes is
returned by the RADIUS server to the tunnel initiator,
this Attribute SHOULD be included in each set to
indicate the relative preference assigned to each
tunnel. For example, suppose that Attributes describing
two tunnels are returned by the server, one with a
radTunnelType of PPTP and the other with a radTunnelType
of L2TP. If the tunnel initiator supports only one of
the radTunnelTypes returned, it will initiate a tunnel
of that type. If, however, it supports both tunnel
protocols, it SHOULD use the value of the
radTunnelPreference Attribute to decide which tunnel
should be started. The tunnel having the numerically
lowest value in the Value field of this Attribute SHOULD
be given the highest preference. The values assigned to
two or more instances of the radTunnelPreference
Attribute within a given Access-Accept packet MAY be
identical. In this case, the tunnel initiator SHOULD use
locally configured metrics to decide which set of
attributes to use. This Attribute MAY be included (as a
hint to the server) in Access-Request packets, but the
RADIUS server is not required to honor this hint."
::= { tunnelingServiceEntry 9 }
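To make the radTunnelType rules (initiator and terminator behaviour on
unknown or unauthorised tunnel types) and the radTunnelPreference rules
concrete, here is an added Python example, not from this draft or from
any RADIUS or tunnel product. An Access-Accept is modelled as a list of
tunnel attribute sets, one per tunnelingServiceEntry instance; the
supported-type set, the local tie-break metric and the sample
Access-Accept are assumptions of the example. It shows the initiator
discarding unsupported tunnel types and treating an Accept with nothing
usable as a reject, choosing the numerically lowest preference, breaking
ties by a local metric, and the terminator refusing an Accept that does
not name the protocol already in use.

```python
# Added example, not part of the draft: a tunnel initiator's and a tunnel
# terminator's handling of the radTunnelType / radTunnelPreference rules.
# An Access-Accept is modelled as a list of tunnel attribute sets (one dict
# per tunnelingServiceEntry instance); that layout, the supported-type set,
# the local metric and the sample Accept are this example's assumptions.

# radTunnelType enumeration values from the PIB above (subset)
RADTT_PPTP, RADTT_L2F, RADTT_L2TP, RADTT_ESP, RADTT_GRE = 1, 2, 3, 9, 10
NO_PREFERENCE = 1 << 32  # ranks below any real 32-bit radTunnelPreference


class AccessReject(Exception):
    """Raised where the draft says the NAS MUST (initiator) or SHOULD
    (terminator) behave as though an Access-Reject had been received."""


def initiator_choose_tunnel(tunnel_sets, supported, local_metric=None):
    """Tunnel initiator: decide which tunnel set in an Access-Accept to start.

    Returns None when the Accept carries no tunnel attributes (nothing to
    tunnel), the chosen set otherwise, and raises AccessReject when every
    radTunnelType present is unknown or unsupported.  Among usable sets the
    numerically lowest radTunnelPreference wins; a set with no preference
    ranks last; equal preferences are broken by local_metric (lower is
    better), standing in for the draft's "locally configured metrics"."""
    if not tunnel_sets:
        return None
    usable = [s for s in tunnel_sets if s.get("radTunnelType") in supported]
    if not usable:
        # Failing closed here is what keeps an unsupported tunnel type from
        # silently turning into an untunnelled session.
        raise AccessReject("Access-Accept offers no supported radTunnelType")
    metric = local_metric or (lambda s: 0)
    return min(usable, key=lambda s: (s.get("radTunnelPreference", NO_PREFERENCE),
                                      metric(s)))


def terminator_check(tunnel_sets, protocol_in_use):
    """Tunnel terminator: an Access-Accept that lists tunnel types, none of
    which is the protocol already in use on the incoming tunnel, is treated
    as a reject.  An Accept without tunnel attributes places no restriction."""
    types = [s.get("radTunnelType") for s in tunnel_sets]
    if types and protocol_in_use not in types:
        raise AccessReject("Access-Accept does not authorise tunnel type %r"
                           % (protocol_in_use,))
    return True


def prefer_l2tp(tunnel_set):
    """Example local metric: an operator who wants L2TP whenever the server
    leaves the choice open."""
    return 0 if tunnel_set.get("radTunnelType") == RADTT_L2TP else 1


# Constructed Access-Accept (not a captured packet): three tunnel sets, with
# ESP and L2TP tied on preference ahead of PPTP.
SAMPLE_ACCEPT = [
    {"radTunnelType": RADTT_PPTP, "radTunnelServerEndpoint": "192.0.2.10",
     "radTunnelPreference": 2},
    {"radTunnelType": RADTT_ESP, "radTunnelServerEndpoint": "192.0.2.20",
     "radTunnelPreference": 1},
    {"radTunnelType": RADTT_L2TP, "radTunnelServerEndpoint": "192.0.2.30",
     "radTunnelPreference": 1},
]

if __name__ == "__main__":
    chosen = initiator_choose_tunnel(SAMPLE_ACCEPT,
                                     {RADTT_PPTP, RADTT_L2TP, RADTT_ESP},
                                     local_metric=prefer_l2tp)
    print("initiator starts type", chosen["radTunnelType"],
          "to", chosen["radTunnelServerEndpoint"])
```

With all three types supported and no local metric the tie between ESP
and L2TP resolves to whichever set came first; with prefer_l2tp it
resolves to L2TP. An initiator that only speaks GRE gets AccessReject,
which is the draft's requirement that an Accept with only unsupported
tunnel types never degrades into plain, untunnelled access.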
radTunnelClientAuthId OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This Attribute specifies the name used by the tunnel
initiator during the authentication phase of tunnel
establishment. The radTunnelClientAuthId Attribute MAY
be included (as a hint to the RADIUS server) in the
Access-Request packet, and MUST be included in the
Access-Accept packet if an authentication name other
than the default is desired. This Attribute SHOULD be
included in Accounting-Request packets which contain
radAcctStatusType attributes with values of either Start
or Stop and which pertain to a tunneled session."
::= { tunnelingServiceEntry 10 }
radTunnelServerAuthId OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This Attribute specifies the name used by the tunnel
terminator during the authentication phase of tunnel
establishment. The radTunnelServerAuthId Attribute MAY
be included (as a hint to the RADIUS server) in the
Access-Request packet, and MUST be included in the
Access-Accept packet if an authentication name other
than the default is desired. This Attribute SHOULD be
included in Accounting-Request packets which contain
radAcctStatusType attributes with values of either Start
or Stop and which pertain to a tunneled session."
::= { tunnelingServiceEntry 11 }
--
-- The Multilink Session Table
--
multilinkSessionTable OBJECT-TYPE
SYNTAX SEQUENCE OF MultilinkSessionEntry
PIB-ACCESS notify
STATUS current
DESCRIPTION
""
::= { radiusModelPib 23 }
multilinkSessionEntry OBJECT-TYPE
SYNTAX MultilinkSessionEntry
STATUS current
DESCRIPTION ""
PIB-INDEX { multilinkSessionPrid }
::= { multilinkSessionTable 1 }
MultilinkSessionEntry ::= SEQUENCE {
multilinkSessionPrid InstanceId,
sessionManagement Prid,
radAcctMultiSessionId OCTET STRING,
radAcctLinkCount Integer32
}
multilinkSessionPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An index to uniquely identify an instance of this
policy class."
::= { multilinkSessionEntry 1 }
sessionManagement OBJECT-TYPE
SYNTAX Prid
STATUS current
DESCRIPTION
""
::= { multilinkSessionEntry 2 }
radAcctMultiSessionId OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This attribute is a unique Accounting ID to make it
easy to link together multiple related sessions in a log
file. Each session linked together would have a unique
radAcctSessionId but the same radAcctMultiSessionId. It
is strongly recommended that the radAcctMultiSessionId
contain UTF-8 encoded 10646 [11] characters."
::= { multilinkSessionEntry 3 }
radAcctLinkCount OBJECT-TYPE
SYNTAX Integer32
STATUS current
DESCRIPTION
"This attribute gives the count of links which are known
to have been in a given multilink session at the time
the accounting record is generated. The NAS MAY include
the radAcctLinkCount attribute in any Accounting-Request
which might have multiple links.
The Value field contains the number of links seen so far
in this Multilink Session.
It may be used to make it easier for an accounting
server to know when it has all the records for a given
Multilink session. When the number of Accounting-
Requests received with radAcctStatusType = Stop and the
same radAcctMultiSessionId and unique radAcctSessionId's
equals the largest value of radAcctLinkCount seen in
those Accounting-Requests, all Stop Accounting-Requests
for that Multilink Session have been received.
An example showing 8 Accounting-Requests should make
things clearer. For clarity only the relevant
attributes are shown, but additional attributes
containing accounting information will also be present
in the Accounting-Request.
Multi-Session-Id  Session-Id  Status-Type  Link-Count
      '10'           '10'        Start          1
      '10'           '11'        Start          2
      '10'           '11'        Stop           2
      '10'           '12'        Start          3
      '10'           '13'        Start          4
      '10'           '12'        Stop           4
      '10'           '13'        Stop           4
      '10'           '10'        Stop           4"
::= { multilinkSessionEntry 4 }
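The completeness test described above, replayed over the draft's eight Accounting-Requests as an added example (not code from the draft). Stop records are counted once per distinct radAcctSessionId, so a retransmitted Stop cannot make the session look complete early, and a session whose records never carried radAcctLinkCount is never declared complete.

```python
"""Detecting when all Stop records of a multilink session have arrived.

Added example, not code from the draft.  Applies the radAcctLinkCount
rule: a multilink session is complete once the number of distinct
radAcctSessionIds seen in Stop records for a radAcctMultiSessionId
equals the largest radAcctLinkCount seen in any record for it.
"""
from dataclasses import dataclass, field

# The draft's own eight Accounting-Requests:
# (Multi-Session-Id, Session-Id, Status-Type, Link-Count)
DRAFT_EXAMPLE = [
    ("10", "10", "Start", 1),
    ("10", "11", "Start", 2),
    ("10", "11", "Stop", 2),
    ("10", "12", "Start", 3),
    ("10", "13", "Start", 4),
    ("10", "12", "Stop", 4),
    ("10", "13", "Stop", 4),
    ("10", "10", "Stop", 4),
]


@dataclass
class MultilinkState:
    max_link_count: int = 0                     # largest Link-Count seen so far
    stopped: set = field(default_factory=set)   # distinct Session-Ids with a Stop

    def complete(self) -> bool:
        # Without any Link-Count there is no way to know how many links to expect.
        return self.max_link_count > 0 and len(self.stopped) >= self.max_link_count


def process_records(records):
    """Return {multi_session_id: index of the record that completed it, or None}.

    Link-Count may be None for records that omit radAcctLinkCount.  Stops
    are counted per distinct Session-Id, so a retransmitted Stop is harmless.
    """
    states, completed_at = {}, {}
    for i, (msid, sid, status, link_count) in enumerate(records):
        st = states.setdefault(msid, MultilinkState())
        completed_at.setdefault(msid, None)
        if link_count is not None:
            st.max_link_count = max(st.max_link_count, link_count)
        if status == "Stop":
            st.stopped.add(sid)
        if completed_at[msid] is None and st.complete():
            completed_at[msid] = i
    return completed_at
```

On the draft's records the session is complete at the eighth request (index 7), the Stop for Session-Id '10' carrying Link-Count 4 with four distinct stopped sessions seen.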
--
-- The Termination Service Table
--
terminationServiceTable OBJECT-TYPE
SYNTAX SEQUENCE OF TerminationServiceEntry
PIB-ACCESS notify
STATUS current
DESCRIPTION
""
::= { radiusModelPib 24 }
terminationServiceEntry OBJECT-TYPE
SYNTAX TerminationServiceEntry
STATUS current
DESCRIPTION
""
PIB-INDEX { terminationServicePrid }
::= { terminationServiceTable 1 }
TerminationServiceEntry ::= SEQUENCE {
terminationServicePrid InstanceId,
nonFramedSetup Prid,
radState2 OCTET STRING,
radTerminationAction INTEGER
}
terminationServicePrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An index to uniquely identify an instance of this
policy class."
::= { terminationServiceEntry 1 }
nonFramedSetup OBJECT-TYPE
SYNTAX Prid
STATUS current
DESCRIPTION
""
::= { terminationServiceEntry 2 }
radState2 OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This Attribute is available to be sent by the server
to the client in an Access-Accept that also includes a
radTerminationAction Attribute with the value of RADIUS-
Request. If the NAS performs the radTerminationAction
by sending a new Access-Request upon termination of the
current session, it MUST include the radState2 attribute
unchanged in that Access-Request.
The client MUST NOT interpret the attribute locally.
A packet must have only zero or one radState2 Attribute.
Usage of the radState2 Attribute is implementation
dependent."
::= { terminationServiceEntry 3 }
radTerminationAction OBJECT-TYPE
SYNTAX INTEGER {
radDefault(0),
radRadiusRequest(1)
}
STATUS current
DESCRIPTION
"This Attribute indicates what action the NAS should
take when the specified service is completed. It is
only used in Access-Accept packets.
A value of 'radDefault(0)' means to take the default
action.
If the value is set to 'radRadiusRequest(1)', upon
termination of the specified service the NAS MAY send a
new Access-Request to the RADIUS server, including the
radState2 attribute if any."
::= { terminationServiceEntry 4 }
--
-- The Excluded Radius Attributes Table
-- (i.e. the Radius attributes not included in the model)
--
excludedAttributesTable OBJECT-TYPE
SYNTAX SEQUENCE OF ExcludedAttributesEntry
PIB-ACCESS notify
STATUS current
DESCRIPTION
""
::= { radiusModelPib 25 }
excludedAttributesEntry OBJECT-TYPE
SYNTAX ExcludedAttributesEntry
STATUS current
DESCRIPTION
""
PIB-INDEX { excludedAttributesPrid }
::= { excludedAttributesTable 1 }
ExcludedAttributesEntry ::= SEQUENCE {
excludedAttributesPrid InstanceId,
radProxyState OCTET STRING,
radMessageAuthenticator OCTET STRING,
radVendorSpecific OCTET STRING
}
excludedAttributesPrid OBJECT-TYPE
SYNTAX InstanceId
STATUS current
DESCRIPTION
"An index to uniquely identify an instance of this
policy class."
::= { excludedAttributesEntry 1 }
radProxyState OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This Attribute is available to be sent by a proxy
server to another server when forwarding an Access-
Request and MUST be returned unmodified in the Access-
Accept, Access-Reject or Access-Challenge. When the
proxy server receives the response to its request, it
MUST remove its own radProxyState (the last
radProxyState in the packet) before forwarding the
response to the NAS.
If a radProxyState Attribute is added to a packet when
forwarding the packet, the radProxyState Attribute MUST
be added after any existing radProxyState attributes.
The content of any radProxyState other than the one
added by the current server should be treated as opaque
octets and MUST NOT affect operation of the protocol.
Usage of the radProxyState Attribute is implementation
dependent. A description of its function is outside the
scope of this specification."
::= { excludedAttributesEntry 2 }
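The append-last / strip-last discipline above, as an added example that is not the draft's code: a NAS, two proxies and a home server are modelled, each proxy appends its own radProxyState after any already present, treats the others as opaque, and on the way back removes exactly the last one only after confirming it is the one it added. Attribute names, token values and the list-of-pairs packet representation are constructed for the example.

```python
"""Proxy-State handling on a RADIUS proxy chain.

Added example, not code from the draft.  Models the radProxyState rules:
a forwarding proxy appends its own Proxy-State after any already present,
treats every other Proxy-State as opaque octets, and on the response
removes exactly the last Proxy-State after checking it is the one it
added, before relaying toward the NAS.  Packets are lists of
(attribute name, value) pairs; all names and values are constructed.
"""

PROXY_STATE = "radProxyState"


def proxy_states(attrs):
    """All Proxy-State values in packet order (for inspection only)."""
    return [v for name, v in attrs if name == PROXY_STATE]


def forward_request(attrs, my_token):
    """Copy of the request with this proxy's Proxy-State appended last."""
    return list(attrs) + [(PROXY_STATE, my_token)]


def owns_last_proxy_state(attrs, my_token):
    """True if the last Proxy-State in the packet is the one we added."""
    states = proxy_states(attrs)
    return bool(states) and states[-1] == my_token


def relay_response(attrs, my_token):
    """Strip this proxy's own Proxy-State (the last one) from a response.

    Raises ValueError when the last Proxy-State is missing or not ours:
    the response does not match a request we forwarded (or was altered
    in transit) and must not be relayed.
    """
    if not owns_last_proxy_state(attrs, my_token):
        raise ValueError("last Proxy-State is not ours; dropping response")
    last = max(i for i, (name, _) in enumerate(attrs) if name == PROXY_STATE)
    return attrs[:last] + attrs[last + 1:]


def demo():
    """NAS -> proxy A -> proxy B -> home server and back, constructed data."""
    nas_request = [("radUserName", b"alice@example.net"),
                   ("radNasIpAddress", b"\xc0\x00\x02\x01")]
    tok_a = b"A#7"   # per-request opaque tokens; a real proxy keys them
    tok_b = b"B#42"  # to its table of pending requests
    req_at_b = forward_request(nas_request, tok_a)
    req_at_home = forward_request(req_at_b, tok_b)
    # The home server returns every Proxy-State unmodified in its Access-Accept.
    accept = [("radServiceType", b"Framed-User")] + \
             [(PROXY_STATE, v) for v in proxy_states(req_at_home)]
    resp_at_a = relay_response(accept, tok_b)       # B removes its own
    resp_at_nas = relay_response(resp_at_a, tok_a)  # A removes its own
    return (proxy_states(req_at_home), proxy_states(resp_at_a),
            proxy_states(resp_at_nas))
```

The check in owns_last_proxy_state is what keeps a response that belongs to some other request, or whose Proxy-State order was disturbed, from being relayed to a NAS.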
radMessageAuthenticator OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This attribute MAY be used to sign Access-Requests to
prevent spoofing Access-Requests using CHAP, ARAP or EAP
authentication methods. It MAY be used in any Access-
Request. It MUST be used in any Access-Request, Access-
Accept, Access-Reject or Access-Challenge that includes
a radEapMessage attribute.
A RADIUS Server receiving an Access-Request with a
radMessageAuthenticator Attribute present MUST calculate
the correct value of the radMessageAuthenticator and
silently discard the packet if it does not match the
value sent.
A RADIUS Client receiving an Access-Accept, Access-
Reject or Access-Challenge with a radMessageAuthenticator
Attribute present MUST calculate the correct value of
the radMessageAuthenticator and silently discard the
packet if it does not match the value sent.
Earlier drafts of RFC 2869 [7] used 'Signature' as the
name of this attribute, but Message-Authenticator is
more precise. Its operation has not changed, just the
name."
::= { excludedAttributesEntry 3 }
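How a receiver performs the check above, as an added example that is not part of the draft. The algorithm is the one RFC 2869 [7] specifies for Message-Authenticator: HMAC-MD5 keyed with the shared secret over the packet with the attribute's own value set to sixteen zero octets and, for Access-Accept, Access-Reject and Access-Challenge, with the Request Authenticator of the matching Access-Request in the Authenticator field. The shared secret, identifier and attribute values are constructed, and the functions are this example's own rather than any RADIUS library's.

```python
"""Message-Authenticator (RADIUS attribute 80) computation and checking.

Added example, not part of the draft.  Per RFC 2869 the value is HMAC-MD5,
keyed with the shared secret, over the whole packet with the attribute's
own value zeroed; for Access-Accept/Reject/Challenge the Authenticator
field is replaced by the Request Authenticator of the matching request.
The secret, identifier and attribute values below are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80
ZERO_MAC = b"\x00" * 16

def encode_attrs(attrs):
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_attrs(packet):
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        t, ln = struct.unpack("!BB", packet[pos:pos + 2])
        if ln < 2 or pos + ln > len(packet):
            raise ValueError("bad attribute length")
        attrs.append((t, packet[pos + 2:pos + ln]))
        pos += ln
    return attrs

def compute_mac(secret, code, ident, mac_authenticator, attrs):
    """HMAC-MD5 over the packet with the Message-Authenticator value zeroed."""
    zeroed = [(t, ZERO_MAC if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    return hmac.new(secret, build_packet(code, ident, mac_authenticator, zeroed),
                    hashlib.md5).digest()

def _with_mac(secret, code, ident, mac_authenticator, attrs):
    """Attribute list carrying exactly one, correctly valued, Message-Authenticator."""
    attrs = [(t, v) for t, v in attrs if t != MESSAGE_AUTHENTICATOR]
    attrs.append((MESSAGE_AUTHENTICATOR, ZERO_MAC))
    attrs[-1] = (MESSAGE_AUTHENTICATOR,
                 compute_mac(secret, code, ident, mac_authenticator, attrs))
    return attrs

def sign_request(secret, ident, request_authenticator, attrs):
    """Access-Request carrying a correct Message-Authenticator."""
    attrs = _with_mac(secret, ACCESS_REQUEST, ident, request_authenticator, attrs)
    return build_packet(ACCESS_REQUEST, ident, request_authenticator, attrs)

def sign_response(secret, code, ident, request_authenticator, attrs):
    """Response whose MAC is bound to the Request Authenticator it answers.

    The packet's own Authenticator field is the RFC 2865 Response
    Authenticator: MD5 over the finished packet followed by the secret.
    """
    attrs = _with_mac(secret, code, ident, request_authenticator, attrs)
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body

def verify(secret, packet, request_authenticator=None):
    """True only if exactly one Message-Authenticator is present and correct.

    Pass request_authenticator when checking a response.  A receiver that
    gets False MUST silently discard the packet.
    """
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    try:
        attrs = parse_attrs(packet)
    except ValueError:
        return False
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        return False
    mac_auth = packet[4:20] if request_authenticator is None else request_authenticator
    return hmac.compare_digest(compute_mac(secret, code, ident, mac_auth, attrs), macs[0])

def demo():
    """Sign a request, verify it, then show that a one-bit change is rejected."""
    secret = b"constructed-shared-secret"
    req = sign_request(secret, 7, os.urandom(16),
                       [(USER_NAME, b"alice"), (EAP_MESSAGE, b"\x02\x01\x00\x0a\x01alice")])
    tampered = bytearray(req)
    tampered[22] ^= 0x01  # first octet of the User-Name value
    return verify(secret, req), verify(secret, bytes(tampered))
```

Two points the draft's text implies but does not spell out are visible here: a packet with no Message-Authenticator at all fails verify() (the check is only meaningful when the attribute is required, as with radEapMessage), and a response cannot be verified without the Request Authenticator of the request it answers, which is why a client must keep that value until the response arrives.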
radVendorSpecific OBJECT-TYPE
SYNTAX OCTET STRING
STATUS current
DESCRIPTION
"This Attribute is available to allow vendors to support
their own extended Attributes not suitable for general
usage. It MUST NOT affect the operation of the RADIUS
protocol.
Servers not equipped to interpret the vendor-specific
information sent by a client MUST ignore it (although it
may be reported). Clients which do not receive desired
vendor-specific information SHOULD make an attempt to
operate without it, although they may do so (and report
they are doing so) in a degraded mode."
::= { excludedAttributesEntry 4 }
END
5. Security Considerations
The PIB defined in this memo is intended to be accessed via an AAA
protocol. It is the responsibility of the protocol to provide the
security framework to protect the PIB from unauthorized access.
References
[1] Bradner, S., "The Internet Standards Process -- Revision 3", RFC
2026, BCP 9, October 1996.
[2] Spence, D., W. Weiss, D. Durham, A. Kulkarni, R. Kopacz, J.
Vollbrecht, "UML Data Model for Network Access", November 2000,
http://www.interlinknetworks.com/otherdocs/nasmodel.html
[3] Rigney, C., A. Rubens, W. Simpson, S. Willens, "Remote
Authentication Dial In User Service (RADIUS)", RFC 2865, June
2000.
[4] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
[5] Zorn, G., D. Mitton, B. Aboba, "RADIUS Accounting Modifications
for Tunnel Protocol Support", RFC 2867, June 2000.
[6] Zorn, G., D. Leifer, J. Shriver, A. Rubens, M. Holdrege, I.
Goyret, "RADIUS Attributes for Tunnel Protocol Support", RFC
2868, June 2000.
[7] Rigney, C., W. Willats, P. Calhoun, A. Rubens, B. Aboba, "RADIUS
Extensions", RFC 2869, June 2000.
[8] Kaufman, C., R. Perlman, M. Speciner, "Network Security:
Private Communications in a Public World", Prentice Hall, March
1995, ISBN 0-13-061466-1.
[9] Blunk, L. and J. Vollbrecht, "PPP Extensible Authentication
Protocol (EAP)", RFC 2284, March 1998.
[10] Sklower, K., Lloyd, B., McGregor, G., Carr, D. and T. Coradetti,
"The PPP Multilink Protocol (MP)", RFC 1990, August 1996.
[11] Yergeau, F., "UTF-8, a transformation format of ISO 10646", RFC
2279, January 1998.
[12] McCloghrie, K., M. Fine, J. Seligson, K. Chan, S. Hahn, R.
Sahita, A. Smith, F. Reichmeyer, "Structure of Policy
Provisioning Information (SPPI)", draft-ietf-rap-sppi-01.txt,
July 2000.
[13] Rivest, R. and S. Dusse, "The MD5 Message-Digest Algorithm", RFC
1321, April 1992.
[14] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
Authors' Addresses
David Spence
Interlink Networks, Inc.
775 Technology Drive, Suite 200
Ann Arbor, MI 48108
USA
Phone: +1 734 821 1203
EMail: dspence@interlinknetworks.com
Robert Kopacz
Interlink Networks, Inc.
775 Technology Drive, Suite 200
Ann Arbor, MI 48108
USA
Phone: +1 734 821 1230
EMail: bkopacz@interlinknetworks.com
John Vollbrecht
Interlink Networks, Inc.
775 Technology Drive, Suite 200
Ann Arbor, MI 48108
USA
Phone: +1 734 821 1205
EMail: jrv@interlinknetworks.com
David Durham
Intel Corporation
JF3-206
2111 N.E. 25th Ave.
Hillsboro, OR 97124-5961
USA
Phone: +1 503 264 6232
EMail: david.durham@intel.com
Amol Kulkarni
Intel Corporation
JF3-206
2111 N.E. 25th Ave.
Hillsboro, OR 97124-5961
USA
Phone: +1 503 712 1168
EMail: amol.kulkarni@intel.com
Walter Weiss
Ellacoya Networks
7 Henry Clay Dr.
Merrimack, NH 03054
USA
Phone: +1 603 879 7325
EMail: wweiss@ellacoya.com