Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)
RFC 3576
Type: RFC - Informational (July 2003; No errata)
Obsoleted by: RFC 5176
Authors: Murtaza Chiba, Gopal Dommety, Mark Eklund, David Mitton, Bernard Aboba
Last updated: 2015-10-14
Stream: ISE (state: none)
Formats: plain text, html, pdf, htmlized, bibtex
Consensus boilerplate: Unknown
Document shepherd: No shepherd assigned
IESG state: RFC 3576 (Informational)
Action holders: none
Telechat date: none
Responsible AD: Randy Bush
Send notices to: none
Network Working Group                                          M. Chiba
Request for Comments: 3576                                   G. Dommety
Category: Informational                                       M. Eklund
                                                    Cisco Systems, Inc.
                                                              D. Mitton
                                                 Circular Logic, UnLtd.
                                                               B. Aboba
                                                  Microsoft Corporation
                                                              July 2003

     Dynamic Authorization Extensions to Remote Authentication Dial In
                           User Service (RADIUS)

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

   This document describes a currently deployed extension to the Remote
   Authentication Dial In User Service (RADIUS) protocol, allowing
   dynamic changes to a user session, as implemented by network access
   server products.  This includes support for disconnecting users and
   changing authorizations applicable to a user session.

Chiba, et al.                Informational                      [Page 1]

RFC 3576      Dynamic Authorization Extensions to RADIUS       July 2003

Table of Contents

   1.  Introduction ................................................ 3
       1.1.  Applicability .......................................... 3
       1.2.  Requirements Language .................................. 5
       1.3.  Terminology ............................................ 5
   2.  Overview .................................................... 5
       2.1.  Disconnect Messages (DM) ............................... 5
       2.2.  Change-of-Authorization Messages (CoA) ................. 6
       2.3.  Packet Format .......................................... 7
   3.  Attributes .................................................. 11
       3.1.  Error-Cause ............................................ 13
       3.2.  Table of Attributes .................................... 16
   4.  IANA Considerations ......................................... 20
   5.  Security Considerations ..................................... 21
       5.1.  Authorization Issues ................................... 21
       5.2.  Impersonation .......................................... 22
       5.3.  IPsec Usage Guidelines ................................. 22
       5.4.  Replay Protection ...................................... 25
   6.  Example Traces .............................................. 26
   7.  References .................................................. 26
       7.1.  Normative References ................................... 26
       7.2.  Informative References ................................. 27
   8.  Intellectual Property Statement ............................. 28
   9.  Acknowledgements ............................................ 28
   10. Authors' Addresses .......................................... 29
   11. Full Copyright Statement .................................... 30

1.  Introduction

   The RADIUS protocol, defined in [RFC2865], does not support
   unsolicited messages sent from the RADIUS server to the Network
   Access Server (NAS).  However, there are many instances in which it
   is desirable for changes to be made to session characteristics
   without requiring the NAS to initiate the exchange.  For example, it
   may be desirable for administrators to be able to terminate a user
   session in progress.  Alternatively, if the user changes
   authorization level, this may require that authorization attributes
   be added to or deleted from a user session.

   To overcome these limitations, several vendors have implemented
   additional RADIUS commands in order to support unsolicited messages
   sent from the RADIUS server to the NAS.  These extended commands
   provide support for Disconnect and Change-of-Authorization (CoA)
   messages.  Disconnect messages cause a user session to be terminated
   immediately, whereas CoA messages modify session authorization
   attributes such as data filters.

1.1.  Applicability

   This protocol is being recommended for publication as an
   Informational RFC rather than as a standards-track RFC because of
   problems that cannot be fixed without creating incompatibilities
   with deployed implementations.  This includes security
   vulnerabilities, as well as semantic ambiguities resulting from the
   design of the
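The Disconnect exchange introduced in section 1 above, as an added Python example that is not code from RFC 3576 or from the datatracker page: it builds a Disconnect-Request using the packet codes (40-45), Request Authenticator and Message-Authenticator construction that the RFC specifies in its section 2.3 (not reproduced on this page), verifies the request on the NAS side, and answers with a Disconnect-ACK or with a Disconnect-NAK carrying Error-Cause 503 (Session Context Not Found, section 3.1). The shared secret, user name and Acct-Session-Id values are constructed sample inputs, and the NAS session table (`nas_handle_disconnect`) is a hypothetical toy, not any vendor's implementation.

```python
import hashlib
import hmac
import struct

# Packet codes for dynamic authorization (RFC 3576, section 2.3).
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
# Attribute types used below (RFC 2865, RFC 2869, RFC 3576 section 3).
USER_NAME, ACCT_SESSION_ID, MESSAGE_AUTHENTICATOR, ERROR_CAUSE = 1, 44, 80, 101
SESSION_CONTEXT_NOT_FOUND = 503  # Error-Cause value, RFC 3576 section 3.1
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-octet Authenticator follows
ZERO16 = b"\x00" * 16

def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value exceeds 253 octets")
        out += bytes([t, len(v) + 2]) + v
    return out

def decode_attrs(data):
    """Parse TLVs; a Length below 2 or beyond the buffer is rejected instead of looped on."""
    attrs = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs

def parse(packet):
    """Return (code, identifier, authenticator, attrs, length), validating the header."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, ident, length = HEADER.unpack_from(packet)
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    return code, ident, packet[4:20], decode_attrs(packet[20:length]), length

def build_request(code, ident, attrs, secret):
    """Disconnect-Request or CoA-Request with a Message-Authenticator (RFC 3576 section 2.3).
    HMAC-MD5 is computed with the Request Authenticator and its own value zeroed; the Request
    Authenticator is then MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body0 = encode_attrs(list(attrs) + [(MESSAGE_AUTHENTICATOR, ZERO16)])
    header = HEADER.pack(code, ident, 20 + len(body0))
    ma = hmac.new(secret, header + ZERO16 + body0, hashlib.md5).digest()
    body = encode_attrs(list(attrs) + [(MESSAGE_AUTHENTICATOR, ma)])
    req_auth = hashlib.md5(header + ZERO16 + body + secret).digest()
    return header + req_auth + body

def verify_request(packet, secret):
    """NAS-side check. Returns (code, ident, authenticator, attrs), or None if either check fails."""
    code, ident, auth, attrs, length = parse(packet)
    header, body = packet[:4], packet[20:length]
    if not hmac.compare_digest(auth, hashlib.md5(header + ZERO16 + body + secret).digest()):
        return None
    body0 = encode_attrs([(t, ZERO16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs])
    expected_ma = hmac.new(secret, header + ZERO16 + body0, hashlib.md5).digest()
    for t, v in attrs:
        if t == MESSAGE_AUTHENTICATOR and not hmac.compare_digest(v, expected_ma):
            return None
    return code, ident, auth, attrs

def build_response(code, request, attrs, secret):
    """ACK/NAK: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, ident, req_auth, _, _ = parse(request)
    body = encode_attrs(attrs)
    header = HEADER.pack(code, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body

def verify_response(response, request, secret):
    """Server-side check binding a reply to its outstanding request. Returns (code, attrs) or None."""
    code, ident, resp_auth, attrs, length = parse(response)
    _, req_ident, req_auth, _, _ = parse(request)
    expected = hashlib.md5(response[:4] + req_auth + response[20:length] + secret).digest()
    if ident != req_ident or not hmac.compare_digest(resp_auth, expected):
        return None
    return code, attrs

def nas_handle_disconnect(packet, secret, active_sessions):
    """Toy NAS (hypothetical): tear down the session named by Acct-Session-Id, else NAK with 503."""
    checked = verify_request(packet, secret)
    if checked is None:
        return None  # a request failing authentication is silently discarded
    code, _, _, attrs = checked
    if code != DISCONNECT_REQUEST:
        raise ValueError("only Disconnect-Request is handled in this example")
    sid = dict(attrs).get(ACCT_SESSION_ID)
    if sid in active_sessions:
        active_sessions.discard(sid)
        return build_response(DISCONNECT_ACK, packet, [], secret)
    error = (ERROR_CAUSE, struct.pack("!I", SESSION_CONTEXT_NOT_FOUND))
    return build_response(DISCONNECT_NAK, packet, [error], secret)

if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"  # sample secret and session id, not from the RFC
    sessions = {b"0000A1B2"}
    req = build_request(DISCONNECT_REQUEST, 7, [(USER_NAME, b"alice"), (ACCT_SESSION_ID, b"0000A1B2")], SECRET)
    print(verify_response(nas_handle_disconnect(req, SECRET, sessions), req, SECRET))
```

The two checks are the practical form of the impersonation concern listed under the RFC's Security Considerations: the NAS recomputes the Request Authenticator (and Message-Authenticator, when present) before acting, so a request sent with a guessed secret to UDP port 3799 is dropped rather than tearing down a session, and the server accepts an ACK only if its Response Authenticator was derived from the authenticator of a request it actually sent. Both comparisons use constant-time digest comparison; the MD5/HMAC-MD5 constructions are what the protocol mandates, not a recommendation for new designs.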