Internet Draft                                          Pat R. Calhoun
Category: Experimental                        US Robotics Access Corp.
expires in six months                                        July 1996

     Enhanced Remote Authentication Dial In User Service (RADIUS)
                        Dynamic Filter Change

Status of this Memo

   Distribution of this memo is unlimited.

   This document is an Internet-Draft. Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups. Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as ``work in progress.''

   To learn the current status of any Internet-Draft, please check the
   ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
   Directories on ds.internic.net (US East Coast), nic.nordu.net
   (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific
   Rim).

Abstract

   This specification defines an extension to the Enhanced RADIUS
   protocol [1]. As dial-up services grow in complexity, there is a need
   for a user's filters to change dynamically. Such a change could be
   initiated by an out-of-band request from the user to the RADIUS
   server, or by the RADIUS server itself.

Calhoun                                                         [Page 1]

DRAFT                    Dynamic Filter Change                 July 1996

1. Introduction

   As ISPs' service offerings expand, there is a need for a user to
   request that a new set of filters be applied to his session on the
   NAS. The existing method is to give the user two distinct accounts,
   each with a different set of filters. A more graceful method is for
   the user to request a change of filters with an out-of-band message
   to the RADIUS server. It is envisioned that the out-of-band message
   would carry some form of security, but this is outside the scope of
   this document.

   This specification details the RADIUS protocol required between the
   NAS and the RADIUS server.

2. Command Name and Command Code

   Command Name: RADIUS-Change-Filter-Request
   Command Code: 304

   Command Name: RADIUS-Change-Filter-Request-Ack
   Command Code: 305

   Command Name: RADIUS-Change-Filter-Request-Nak
   Command Code: 306

3. Command Meanings

3.1 RADIUS-Change-Filter-Request

   Description

      RADIUS-Change-Filter-Request packets are sent by the RADIUS Server
      to the NAS when a change to the user's filters is required. A NAS
      which does not support this feature MUST return a
      Command-Unrecognized message.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      | Flags |  Ver  |            Command            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Identifier           |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                         Authenticator                         |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                    Message Integrity Code                     |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Attributes ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-

   Code

      254 for Enhanced RADIUS.

   Flags

      The Flags field is used as defined in [1].

   Version

      MUST be set to 2.

   Command

      304 for RADIUS-Change-Filter-Request.

   Identifier

      The Identifier field MUST be changed whenever the content of the
      Attributes field changes, and whenever a valid reply has been
      received for a previous request. For retransmissions, the
      Identifier MAY remain unchanged.

   Length

      The total length of the message, including this header.

   Authenticator

      The Authenticator field is a random 16 octet value. If the
      Timestamp option is supported, the first four octets contain a
      timestamp of when the packet was sent from the peer.

   Message Integrity Code

      This field contains an MD5 hash of the following:

         MD5( packet | Shared Secret )

   Attributes

      The Attributes field is variable in length. The following RADIUS
      attributes [2] are included in the message:

      NAS-IP-Address

         This attribute MUST contain the IP Address of the NAS.

      NAS-Port

         This attribute MUST contain the port number of the user.

      Filter-Id

         This attribute MAY be present if the NAS implements filter
         naming. However, a vendor specific filter rule may be sent in
         its place. The absence of a filter attribute will remove all
         filters currently assigned to the user's port.

3.2 RADIUS-Change-Filter-Request-Ack

   Description

      RADIUS-Change-Filter-Request-Ack packets are sent from the NAS to
      the RADIUS Server if the filter was successfully changed. The
      message is sent as follows:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      | Flags |  Ver  |            Command            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Identifier           |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                         Authenticator                         |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                    Message Integrity Code                     |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Code

      254 for Enhanced RADIUS.

   Flags

      The Flags field is used as defined in [1].

   Version

      MUST be set to 2.

   Command

      305 for RADIUS-Change-Filter-Request-Ack.

   Identifier

      The Identifier field is a copy of the Identifier field of the
      RADIUS-Change-Filter-Request which caused this
      RADIUS-Change-Filter-Request-Ack to be sent.

   Length

      The total length of the message, including this header.

   Authenticator

      The Authenticator field is a random 16 octet value. If the
      Timestamp option is supported, the first four octets contain a
      timestamp of when the packet was sent from the peer.

   Message Integrity Code

      This field contains an MD5 hash of the following:

         MD5( packet | Shared Secret )

3.3 RADIUS-Change-Filter-Request-Nak

   Description

      RADIUS-Change-Filter-Request-Nak packets are sent from the NAS to
      the RADIUS Server if the filter was not successfully changed. The
      message is sent as follows:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      | Flags |  Ver  |            Command            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Identifier           |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                         Authenticator                         |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                    Message Integrity Code                     |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Code

      254 for Enhanced RADIUS.

   Flags

      The Flags field is used as defined in [1].

   Version

      MUST be set to 2.

   Command

      306 for RADIUS-Change-Filter-Request-Nak.

   Identifier

      The Identifier field is a copy of the Identifier field of the
      RADIUS-Change-Filter-Request which caused this
      RADIUS-Change-Filter-Request-Nak to be sent.

   Length

      The total length of the message, including this header.

   Authenticator

      The Authenticator field is a random 16 octet value. If the
      Timestamp option is supported, the first four octets contain a
      timestamp of when the packet was sent from the peer.

   Message Integrity Code

      This field contains an MD5 hash of the following:

         MD5( packet | Shared Secret )

4. Attribute Name and Attribute Code

   No additional attributes are required for this extension.

5. Attribute Meanings

   No additional attributes are required for this extension.

6. Motivation

   The motivation for this extension to the protocol is to allow RADIUS
   Servers to download filters dynamically. In the past, a user would
   have to have two separate user accounts, or, if some dynamic filter
   mechanism existed on the RADIUS server, the user would have to log
   off and log back in. This extension provides service providers with
   the capability of adding new services to their existing
   infrastructure. It is envisioned that the client would have access to
   some application which would send an out-of-band request to the
   service provider's RADIUS Server, which would in turn send a new set
   of filters to the NAS for the user's port.

7. Description (or Implementation Rules)

   Upon receipt of a RADIUS-Change-Filter-Request, the NAS MUST ensure
   that the NAS port is still active. If so, the NAS must replace any
   filters currently applied to the port with the new set of filters
   received in the message. If the Filter-Id attribute is included in
   the message, the NAS must use it in the traditional RADIUS manner;
   however, the message may also carry vendor specific filter rules
   instead. The absence of any filters in the message will remove any
   such filters currently applied to the user's port.

References

   [1] Calhoun, P., Rubens, A., "Enhanced RADIUS", Internet-Draft,
       draft-calhoun-enh-radius-00.txt, US Robotics Access Corp., June
       1996.

   [2] Rigney, C., et al., "RADIUS Authentication", Internet-Draft,
       draft-ietf-radius-radius-02.txt, Livingston, May 1996.
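The exchange of sections 3 and 7, as an added example that is not code from this draft or from US Robotics: the server builds a RADIUS-Change-Filter-Request, and the NAS verifies the Message Integrity Code, checks that the port is still active, replaces or clears the port's filters, and answers with an Ack or Nak carrying the copied Identifier. It assumes the header split Code(8)/Flags(4)/Ver(4)/Command(16) implied by the figures, that the MIC field is zeroed while MD5(packet | Shared Secret) is computed (the draft does not say), and the standard RADIUS attribute types NAS-IP-Address (4), NAS-Port (5) and Filter-Id (11); the function names and the shared secret are constructed for the example.

```python
import hashlib, hmac, os, struct
# Assumed header split (from the figures): Code(8) Flags(4) Ver(4) Command(16) Identifier(16) Length(16)
CODE_ENHANCED_RADIUS, VERSION, HEADER_LEN = 254, 2, 40  # 8-octet header + 16 Authenticator + 16 MIC
CMD_REQUEST, CMD_ACK, CMD_NAK = 304, 305, 306
ATTR_NAS_IP_ADDRESS, ATTR_NAS_PORT, ATTR_FILTER_ID = 4, 5, 11  # standard RADIUS attribute types [2]

def encode_attr(atype, value):
    return bytes([atype, 2 + len(value)]) + value

def parse_attrs(data):
    attrs = {}
    while data:  # each attribute is Type, Length (including these 2 octets), Value
        if len(data) < 2 or not 2 <= data[1] <= len(data):
            raise ValueError("malformed attribute length")
        attrs[data[0]], data = data[2:data[1]], data[data[1]:]
    return attrs

def build_packet(command, identifier, attrs, secret):
    # Flags nibble is 0. Assumption: the MIC field is zeroed while MD5(packet | secret) is taken.
    head = struct.pack("!BBHHH", CODE_ENHANCED_RADIUS, (0 << 4) | VERSION, command, identifier, HEADER_LEN + len(attrs))
    auth = os.urandom(16)  # random 16 octet Authenticator
    mic = hashlib.md5(head + auth + bytes(16) + attrs + secret).digest()
    return head + auth + mic + attrs

def build_change_filter_request(identifier, nas_ip, nas_port, filter_id, secret):
    """Server side. filter_id None omits Filter-Id, which tells the NAS to remove every filter."""
    attrs = encode_attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    attrs += encode_attr(ATTR_NAS_PORT, struct.pack("!I", nas_port))
    if filter_id is not None:
        attrs += encode_attr(ATTR_FILTER_ID, filter_id.encode())
    return build_packet(CMD_REQUEST, identifier, attrs, secret)

def verify_mic(packet, secret):
    expect = hashlib.md5(packet[:24] + bytes(16) + packet[40:] + secret).digest()
    return hmac.compare_digest(expect, packet[24:40])  # constant-time compare

def nas_handle(packet, secret, active_ports, port_filters):
    # NAS side of section 7: returns the Ack or Nak packet, or None when the request is discarded
    if len(packet) < HEADER_LEN or not verify_mic(packet, secret):
        return None
    code, ver, command, identifier, length = struct.unpack("!BBHHH", packet[:8])
    if (code, ver & 0x0F, command, length) != (CODE_ENHANCED_RADIUS, VERSION, CMD_REQUEST, len(packet)):
        return None
    attrs = parse_attrs(packet[HEADER_LEN:])
    if len(attrs.get(ATTR_NAS_PORT, b"")) != 4:  # NAS-Port is mandatory
        return None
    port = struct.unpack("!I", attrs[ATTR_NAS_PORT])[0]
    if port not in active_ports:  # session already ended, so the change cannot be applied
        return build_packet(CMD_NAK, identifier, b"", secret)
    port_filters[port] = [fid.decode()] if (fid := attrs.get(ATTR_FILTER_ID)) else []  # absence clears
    return build_packet(CMD_ACK, identifier, b"", secret)
```

A request whose MIC does not verify is dropped without any reply, so a forged or corrupted packet cannot change or strip a port's filters.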