INTERNET DRAFT Pat R. Calhoun Category: Standards Track Sun Microsystems, Inc. Title: draft-calhoun-diameter-authent-07.txt William Bulley Date: October 1999 Merit Network, Inc. DIAMETER Dial-Up (ROAMOPS) Extensions Status of this Memo This document is an individual contribution for consideration by the AAA Working Group of the Internet Engineering Task Force. Comments should be submitted to the diameter@ipass.com mailing list. Distribution of this memo is unlimited. This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at: http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at: http://www.ietf.org/shadow.html. Abstract This document describes the DIAMETER Dial-up User Authentication Extension that is used for ROAMOPS [4] purposes. This specification was carefully designed to ease the burden of servers that must act as RADIUS/DIAMETER gateways, by re-using the same address space that RADIUS has defined [1]. Further, by re-using the same address space, it allows a single server to read the same dictiionary for both Calhoun, Bulley expires April 2000 [Page 1] INTERNET DRAFT October 1999 DIAMETER and RADIUS. This backward compatibility will hopefully facilitate deployment of DIAMETER. Calhoun, Bulley expires April 2000 [Page 2] INTERNET DRAFT October 1999 Table of Contents 1.0 Introduction 1.1 Copyright Statement 1.2 Requirements language 1.3 Changes in version -06 1.4 Changes in version -07 2.0 Command Codes 2.1 AA-Request (AAR) 2.2 AA-Answer (AAA) 2.3 AA-Challenge-Ind (ACI) 3.0 DIAMETER AVPs 3.1 User-Name 3.2 User-Password 3.3 CHAP-Password 3.4 NAS-Port 3.5 Service-Type 3.6 Framed-Protocol 3.7 Framed-IP-Address 3.8 Framed-IP-Netmask 3.9 Framed-Routing 3.10 Filter-Id 3.11 Framed-MTU 3.12 Framed-Compression 3.13 Login-IP-Host 3.14 Login-Service 3.15 Login-TCP-Port 3.16 Reply-Message 3.17 Callback-Number 3.18 Callback-Id 3.19 Framed-Route 3.20 Framed-IPX-Network 3.21 Idle-Timeout 3.22 Called-Station-Id 3.23 Calling-Station-Id 3.24 Login-LAT-Service 3.25 Login-LAT-Node 3.26 Login-LAT-Group 3.27 Framed-AppleTalk-Link 3.28 Framed-AppleTalk-Network 3.29 Framed-AppleTalk-Zone 3.30 CHAP-Challenge 3.31 NAS-Port-Type 3.32 Port-Limit 3.33 Login-LAT-Port 3.34 Filter-Rule 3.35 Framed-Password-Policy 3.36 Table of Attributes Calhoun, Bulley expires April 2000 [Page 3] INTERNET DRAFT October 1999 4.0 Protocol Definition 4.1 Feature Advertisement/Discovery 4.2 Authorization Procedure 4.3 Integration with Resource-Management 5.0 References 6.0 Acknowledgements 7.0 Authors' Addresses 8.0 Full Copyright Statement 1.0 Introduction This document describes the DIAMETER Dial-up User Authentication Extension that is used for ROAMOPS [4] purposes. This specification was carefully designed to ease the burden of servers that must act as RADIUS/DIAMETER gateways, by re-using the same address space that RADIUS has defined [1]. Further, by re-using the same address space, it allows a single server to read the same dictiionary for both DIAMETER and RADIUS. This backward compatibility will hopefully facilitate deployment of DIAMETER. The Extension number for this draft is one (1). This value is used in the Extension-Id AVP as defined in [2]. 1.1 Copyright Statement Copyright (C) The Internet Society 1999. All Rights Reserved. 1.2 Requirements language In this document, the key words "MAY", "MUST, "MUST NOT", "optional", "recommended", "SHOULD", and "SHOULD NOT", are to be interpreted as described in [12]. 1.3 Changes in version -06 The following changes have been made to version 06: - Changes to AVP Header Flags - Change to the document title - Changed the Command-Specific AVP Flags in all command codes defined. Calhoun, Bulley expires April 2000 [Page 4] INTERNET DRAFT October 1999 - Added a reference to RFC 1994 (CHAP) 1.4 Changes in version -07 The following changes have been made to version 07: - Changed the Filter-Rule Command Code AVP from 280 to 300 - Changed the Framed-Password-Policy Command Code AVP from 280 to 301 2.0 Command Codes This document defines the following DIAMETER Commands. All DIAMETER implementations supporting this extension MUST support all of the following commands: Command Name Command Code ----------------------------------- AA-Request 263 AA-Answer 264 AA-Challenge-Ind 265 2.1 AA-Request (AAR) Description The AA-Request message is used in order to request authentication and authorization for a given user. If Authentication is requested the User-Name attribute MUST be present. If only Authorization is required it is possible to authorize based on DNIS and ANI instead. However, it is not possible to authenticate using a User-Name AVP and later requesting authorization based on DNIS using the same Session-Id (although the inverse is legal). Note that the flag field MAY be used in this command in order to indicate that either Authentication-Only or Authorization-Only is required for the request. If the Authentication-Only bit is set the response MUST NOT include any authorization information. Both the Authenticate and Authorize bits MUST NOT be set at the same time. To ensure that a user is both authenticated and authorized, neither flag is set. Calhoun, Bulley expires April 2000 [Page 5] INTERNET DRAFT October 1999 The AA-Request message MUST include a unique Session-Id AVP. If The AA-Request is a result of a successful AA-Challenge-Ind the Session-Id MUST be identical to the one provided in the initial AA-Request. Message Format Section 3.36 contains a complete list of all valid AVPs for this message. ::= [] [] [] [] { || { || ::= [] [] [] [] [] [] { || [] [] [] [] [] { || [9] Sklower, Lloyd, McGregor, Carr, "The PPP Multilink Protocol (MP)", RFC 1717, November 1994. [10] Calhoun, Greene, "DIAMETER Resource Management Extension", draft-calhoun-diameter-res-mgmt-02.txt, Work in Progress, February 1999. [11] Calhoun, Zorn, Pan, "DIAMETER Framework", draft-calhoun-diameter-framework-02.txt, Work in Progress, December 1998. [12] S. Bradner, "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [13] P. Calhoun, W. Bulley, "DIAMETER Proxy Server Extensions", draft-calhoun-diameter-proxy-02.txt, Work in Progress, August 1999. 6.0 Acknowledgements The Author wishes to thank Carl Rigney since much of the text in the document was shamefully copied from [1] as well as the following people for their help in the development of this protocol: Nancy Greene, Ryan Moats Calhoun, Bulley expires April 2000 [Page 53] INTERNET DRAFT October 1999 7.0 Authors' Addresses Questions about this memo can be directed to: Pat R. Calhoun Network and Security Research Center, Sun Labs Sun Microsystems, Inc. 15 Network Circle Menlo Park, California, 94025 USA Phone: 1-650-786-7733 Fax: 1-650-786-6445 E-mail: pcalhoun@eng.sun.com William Bulley Merit Network, Inc. 4251 Plymouth Road, Suite C Ann Arbor, Michigan, 48105-2785 USA Phone: 1-734-764-9993 Fax: 1-734-647-3185 E-mail: web@merit.edu 8.0 Full Copyright Statement Copyright (C) The Internet Society (1999). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implmentation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this docu- ment itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Inter- net organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permis- sions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL Calhoun, Bulley expires April 2000 [Page 54] INTERNET DRAFT October 1999 WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WAR- RANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE." Calhoun, Bulley expires April 2000 [Page 55]