INTERNET-DRAFT Murtaza S. Chiba Title: Cisco Systems, Inc. draft-chiba-radius-dynamic-authorization-04.txt Expires November 2002 Gopal Dommety Cisco Systems, Inc. Mark Eklund Cisco Systems, Inc. David Mitton Circular Logic, UnLtd. June 2002 Dynamic Authorization Extensions to Remote Authentication Dial-In User Service (RADIUS) Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Distribution of this memo is unlimited. This document is an Internet-Draft. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet- Drafts as reference material or to cite them other than as ``work in progress.'' The list of current Internet-Drafts can be accessed at http://www.ietf.org/1id-abstracts.html The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html To view the entire list of current Internet-Drafts, please check the ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast). M. Chiba Expires November 2002 [Page 1] Internet Draft Dynamic Authorization Extensions June 2002 Abstract This document describes the current practices implemented by several Remote Authentication Dial-In User Service network access server products for allowing dynamic changes to a user session to accommodate the needs for the above scenarios. Namely it documents the current methods for disconnecting and changing data filters applicable to a user session. 1.0 Introduction The RADIUS protocol, defined in [RFC2865] does not support unsolicited messages sent from the RADIUS server to the NAS. However, there are many instances in which it is desirable for changes to be made to session characteristics, without requiring the NAS to initiate the exchange. For example, it may be desirable for administrators to be able to terminate sessions in progress. Alternatively, if the user changes authorization level, this may require that data filters be added/deleted from the session. To overcome these limitations, various vendors have implemented a additional RADIUS commands in order to support unsolicited messages sent from the RADIUS server to the NAS. These extended commands provide support for: 1) Disconnect messages, and 2) Change of Filters messages The disconnect messages cause a user session to be terminated immediately, whereas change of filter messages modify the applicable data filters for the user session. The packet format consists of the fields: Code, Identifier, Length, Authenticator, and Attributes in the Type:Length:Value(TLV) formats. All the fields hold the same meaning as those described in RADIUS[1]. The Authenticator field is calculated in the same way as is specified for an Accounting-Request in [RFC2866]. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Code | Identifier | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Authenticator | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Attributes ... +-+-+-+-+-+-+-+-+-+-+-+-+- M. Chiba Expires November 2002 [Page 2] Internet Draft Dynamic Authorization Extensions June 2002 2.0 Current Practices This draft outlines the details for Disconnect Messages and Change-of-Filters Messages that are commonly implemented. 2.1 Protocol Port Information For either type of request (Disconnect, or Change of Filters), the UDP port 1700 is used as the destination port. For responses the source and destination ports are reversed. 2.2 Identification Attributes A number of attributes are used to uniquely identify a user session on the NAS and one, or more, of these are present in either type of messages (Disconnect or, Change-of-Filters). The set of attributes includes the following: Username(1): This is the name of the user associated with the session Acct-Session-Id(44): This is derived from a RADIUS Accounting-Start Framed-IP-Address(8): This is the IP Address associated with the session NAS-Port(5): This is the Port on which the user connection is terminated NAS-Port-Type(61): The type of port used Note: The numbers in parenthesis denote the attribute number in [1] & [3]. The ability to use all/some of the identifiers to map to unique/multiple session(s) is beyond the scope of this document. 2.3 Disconnect Messages (DM) A Disconnect packet is sent by the RADIUS server in order to terminate a user session on a NAS. The Disconnect packet is sent to UDP port 1700, and identifies the session to be terminated by inclusion of one or more identification attributes as described in the section 2.2 above. M. Chiba Expires November 2002 [Page 3] Internet Draft Dynamic Authorization Extensions June 2002 ---------- Disconnect-Request ---------- | | <-------------------- | | | NAS | | Client | | | Disconnect-Response | | | | ---------------------> | | ---------- ---------- Codes used [2]: 40 - Disconnect-Request 41 - Disconnect-ACK 42 - Disconnect-NAK A Disconnect Request is followed by a response of either, Disconnect-Ack, if the NAS successfully disconnects the user, or a Disconnect-NAK, if it was unable to disconnect the user. A Disconnect-Ack may contain the attribute Acct-Terminate-Cause (49) with the value set to 6 for Admin-Reset. 2.4 Change-of-Filters Messages(CoF) The CoF message packets contain information for dynamically changing data filters of a user's session. The data filters can be of either ingress, or egress kind, and are sent in addition to the identification attributes as described in section 2.2. The port used, and packet format, are the same as that for Disconnect Messages. The following attribute should be sent in a Change-of-Filters Request: Filter-ID (11) - Indicates the name of a data filter list to be applied for the session that the identification attributes map to. ---------- CoF Request ---------- | | <-------------------- | | | NAS | | Client | | | CoF Response | | | | ---------------------> | | ---------- ---------- Codes used [2]: 43 - CoF-Request 44 - CoF-ACK 45 - CoF-NAK A Change of Filter request is followed by a response of either, CoF-Ack if the NAS is able to successfully change the data filters for the user's session or, a CoF-NAK if it does not succeed. M. Chiba Expires November 2002 [Page 4] Internet Draft Dynamic Authorization Extensions June 2002 3.0 Security Considerations The protocol exchanges described, are susceptible to the same vulnerabilities as RADIUS and it is recommended that IPSec be employed to afford better security. However, there are a few other things that are/can be done in the absence of/in addition to using IPSec. To maintain data integrity, a 16 byte Authenticator is calculated employing the same algorithm as the one describe for Accounting- Requests[3]. For protection against replay attacks, it is recommended to include the Event-Timestamp(55) attribute as described in [4]. It is also recommended to use as many of the identification attributes as described in section 2.2. This will help thwart attacks if the value of any one of them does not match up to a current session. 4.0 Example Traces of current Disconnect Requests Disconnect Request with Username: 0: xxxx xxxx xxxx xxxx xxxx 2801 001c 1b23 .B.....$.-(....# 16: 624c 3543 ceba 55f1 be55 a714 ca5e 0108 bL5C..U..U...^.. 32: 6d63 6869 6261 Disconnect Request with Acct-Session-ID: 0: xxxx xxxx xxxx xxxx xxxx 2801 001e ad0d .B..... ~.(..... 16: 8e53 55b6 bd02 a0cb ace6 4e38 77bd 2c0a .SU.......N8w.,. 32: 3930 3233 3435 3637 90234567 Disconnect Request with Framed-IP-Address: 0: xxxx xxxx xxxx xxxx xxxx 2801 001a 0bda .B....."2.(..... 16: 33fe 765b 05f0 fd9c c32a 2f6b 5182 0806 3.v[.....*/kQ... 32: 0a00 0203 5.0 Normative References [1] Rigney, C., Rubens, A., Simpson, W. and S. Willens, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000. [2] Mitton, D., "Network Access Server Requirements: Extended RADIUS Practices", RFC 2882, July 2000. [3] Rigney, C., "RADIUS Accounting", RFC 2866 June 2000. [4] Rigney, C., Willats W., Calhoun P., "RADIUS Extensions", RFC 2869, June 2000 M. Chiba Expires November 2002 [Page 5] Internet draft Dynamic Authorization Extensions June 2002 6.0 Copyright Copyright (C) The Internet Society (2000). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 7.0 Acknowledgements Funding for the RFC Editor function is currently provided by the Internet Society. This protocol function was first developed and distributed by Ascend Communications. Example code was distributed in their free server kit. This document removes vendor specific functions and attributes so that it interoperates with other implementations. The authors would like to acknowledge the valuable suggestions and feedback from the following people: Randy Bush, Bernard Aboba, Glen Zorn, Mark Jones, Claudio Lapidus and Anurag Batta. M. Chiba Expires November 2002 [Page 6] Internet draft Dynamic Authorization Extensions June 2002 8.0 Authors' Addresses Murtaza Chiba Gopal Dommety Mark Eklund Cisco Systems, Inc. Cisco Systems, Inc. Cisco Systems, Inc. 170 West Tasman Dr. 170 West Tasman Dr. 170 West Tasman Dr. San Jose, CA 95134 San Jose, CA 95134 San Jose, CA 95134 Tel: (408) 525-7198 Tel: (408) 525-1404 Tel: (865) 671-6255 mchiba@cisco.com gdommety@cisco.com meklund@cisco.com David Mitton Circular Logic UnLtd. 733 Turnpike Street #154 North Andover, MA 01845 Phone: 978 683-1814 Email: david@mitton.com