INTERNET DRAFT                                             D. Spence
draft-spence-aaa-nas-data-model-00.txt                     R. Kopacz
                                                       J. Vollbrecht
                                             Interlink Networks, Inc.
                                                           D. Durham
                                                         A. Kulkarni
                                                         Intel Corp.
                                                            W. Weiss
                                              Ellacoya Networks, Inc.
                                                       November 2000

                     Data Model for Network Access

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026 [1].

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other
   documents at any time. It is inappropriate to use Internet-Drafts
   as reference material or to cite them other than as "work in
   progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This memo describes work in progress within the AAA Working Group.
   Comments are welcome and can be submitted to the authors or to the
   AAA Working Group mailing list (aaa-wg@merit.edu).

   Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society 2000. All Rights Reserved.

Spence et al.                expires May 2001                 [Page 1]

INTERNET DRAFT        Data Model for Network Access      November 2000

Abstract

   Recently, considerable attention has been given to the need to
   better structure the information carried in protocols operating
   within the network access environment. The arguable benefits of
   structured information are consistency in the definitions and
   reuse of individual data elements, and well defined means for
   extending existing structures to support new or proprietary
   features and capabilities.
   In an effort to demonstrate the benefits of organizing data
   elements and provide a practical means for deploying such a model,
   this memo takes the existing attributes currently used in RADIUS
   and maps them into a data model. To demonstrate the deployment of
   the data model within the network access environment, the data
   model has been represented as a PIB. While the data model could be
   implemented to run over protocols other than COPS, SPPI is
   currently the only language available which expresses data
   modeling concepts with sufficient detail to demonstrate the
   benefits in a practical manner.

Table of Contents

   Status of this Memo
   Copyright Notice
   Abstract
   1. Introduction
   2. The Network Access Data Model
      2.1. How to read the UML
   3. Some Issues Raised by the Study
   4. The RADIUS PIB
   5. Security Considerations
   References
   Authors' Addresses

1. Introduction

   This memo describes work done in response to a request from the
   chair of the aaa-wg for data modeling input to the aaa design
   team. The work includes developing a data model of a "RADIUS NAS"
   which includes all the RADIUS attributes, a description of some
   issues with the RADIUS data structure uncovered by the process of
   documenting the model, and a mapping of the model to an SPPI
   representation. We think this work illustrates the benefits of
   data modeling in this environment. The next iteration of this work
   will produce an "ideal" data model of a NAS and Server, and
   compare this with the "RADIUS NAS" model.
   The "ideal" model will then be used to design and evaluate the aaa
   protocol.

   Contrary to the RADIUS environment of the past, today's network
   access environment has to coexist with many other technologies.
   There is an increasing trend to move as much network complexity as
   possible to the edges and make the core of the network as simple
   as possible. As more and more functionality is moved to the edges
   of the network, AAA will have to coexist with DiffServ, IntServ,
   MPLS, L2TP, DHCP and IPsec, to name a few. This trend represents a
   significant integration challenge. While each technology uses its
   own protocols and management strategies, there are a significant
   number of interdependencies between the technologies. One subset
   may perform classification based on addresses or ports, while
   another subset may specify relationships between users and
   addresses or applications and ports. In turn, various services may
   be provisioned based on this knowledge. These services can include
   tunnels, security, QoS, firewalls, and access to multicast
   resources. As the sophistication of service offerings increases,
   the accounting strategies applied to these services will become
   more complex and interwoven with the service as well.

   Given all these interrelationships, a common set of semantics in
   the protocols and the management interfaces is critical.
   Inconsistencies in the representations of various concepts require
   mappings that are in themselves subjective and error prone,
   particularly when undertaken by individual vendors. Mapping
   problems are exacerbated when the semantics of various attributes
   are subjective. When an attribute has multiple meanings depending
   on the context in which it is being used, mappings become much
   more difficult.

   In the timeframe when AAA will be deployed, user identity and
   service accounting will play key roles in the infrastructure at
   the edges of large networks. Non-AAA technologies will become
   increasingly dependent on most of the attributes defined within
   the AAA protocol and vice versa. These interdependencies demand
   that more discipline be applied to the definition and organization
   of the attributes defined and used by AAA.

   This memo takes a first step toward defining these attributes
   consistently and organizing them along functional boundaries. The
   basis of this contribution is the initial set of RADIUS attributes
   defined in the RADIUS RFCs [3-7]. These attributes were first
   organized by logical function, and then the interrelationships
   were specified. The complete data model is represented in a UML
   diagram [2]. (The UML diagram is too complex to be represented in
   a text document, but a URL for obtaining it is given in [2].) This
   model was then physically instantiated in SPPI. SPPI was chosen
   because it was the only data modeling language available that
   provides the necessary constructs to adequately implement the
   model.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
   NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL"
   in this document are to be interpreted as described in RFC 2119
   [14].

2. The Network Access Data Model

2.1. How to read the UML

   The data model discussed in this memo is graphically presented in
   [2] using the Unified Modeling Language (UML). Since the
   conventions for UML may be new to this audience, this section is
   provided as a tutorial for reading UML graphics.

   At first glance, the UML diagram has two obvious features. The
   first is the boxes that appear throughout the diagram. The second
   is the lines of various colors that interconnect the boxes.

   Let's first consider the boxes. Each box represents a grouping of
   data elements.
   The box itself is referred to as a 'class.' The various data
   elements in the box are referred to as attributes or properties.
   It is worth noting that a class can be used to logically represent
   either a data structure that exists within a process (such as a
   routing table entry), a protocol element that is passed between
   two processes over a network, or both. Given that this data model
   draws heavily on existing RADIUS attributes, the main application
   for the classes will be as protocol elements. However, many of the
   classes defined in the model, such as Session Management and
   surrounding classes, are also valid data structures that could be
   retrieved through management protocols such as SNMP.

   The lines interconnecting the various boxes represent the various
   types of relationships that can exist.

   The blue line with the arrowhead at the top represents
   inheritance. Inheritance describes a specialization of a more
   generalized concept. The main purpose of inheritance is to allow
   the consistent specification of attributes that mean the same
   thing across various specializations. For example, all known forms
   of user authentication share the concept of a user name.
   Therefore, user name is specified in a superclass (more
   generalized) and reused in each specialization of user
   authentication. It is important to note that an instantiation of a
   subclass (more specialized) will include the attributes of every
   class between and including the subclass and the base class at the
   top of the inheritance tree. Therefore, an instance of Tunnel
   Service will have the attributes of Tunnel Service, IP Setup,
   Framed Link Setup, and Session Management. A convenient way of
   thinking about inheritance or specialization is to apply the
   phrase 'is a type of' or 'is a special kind of' or just 'is a.'
   For example, CHAP Authentication is a special kind of User
   Authentication, but User Authentication is not a special kind of
   CHAP Authentication.

   The green line with a diamond at one end represents the concept of
   aggregation. Aggregations are collections of class instances that
   are owned by another class instance. Aggregations also have a
   temporal meaning. In other words, when the owner of an aggregation
   is no longer valid, the aggregation is no longer valid either. The
   diamond on the green line is always connected to the class that is
   the owner. Hence, the NAS Port Manager owns a NAS Identification.
   A convenient way to determine the appropriate use of an
   aggregation is with the phrase 'has a'. So, we can say that
   Multilink has a Session Manager.

   The red line describes an association. An association is a
   relationship of some type. Relationships typically exist to allow
   mutual traversal of related items. For example, if we know the
   User Name and we want to find the Per Session Accounting
   information, we would use the association to the appropriate
   Session Management instance and then use the association from
   Session Management to the appropriate instance of Per Session
   Accounting. In addition, there is no temporal relationship between
   the two ends of an association. In other words, either end can
   exist without the other end. The concept of associations is fairly
   universal. MIBs use row pointers to represent associations.
   Directories use Distinguished Names to accomplish the same thing.
   The way to determine the appropriate use of associations is to
   apply the phrase 'uses a'. For example, Call Setup uses a Callback
   Service.

3. Some Issues Raised by the Study

   During the course of the project, a number of issues were
   uncovered that require further study. Some of these relate to
   limitations of the model while others point out limitations in
   RADIUS. Limitations of the model may be overcome with more
   sophisticated modeling techniques.
   The limitations of RADIUS can be overcome in the design of the
   next generation protocol.

   1) Multi-party Issues

   The model is mostly a static model of the data as stored in a NAS.
   This gives a coherent point of view. Unfortunately, the
   communications involve multiple parties. A NAS model, for
   instance, does not capture user to server communications or server
   to server communications. It also does not convey the origin or
   destination of the data since it is not a communication model.

   2) Temporal Aspects Not Modeled

   AAA often requires a sequence of messages. Sequencing is not
   depicted in a static data model. It has been suggested that a
   state diagram could be created to model the temporal aspects of
   the communications.

   3) The Place of Accounting

   Currently, the three As are entirely separate in the model,
   whereas the accounting data elements should be divided up
   according to which parts of the service they pertain to, just as
   the authorization/provisioning data elements are. Unfortunately,
   this cannot be done with RADIUS because the accounting attributes
   are all generic. This leads to ambiguities as to what the counts
   represent. Take Acct-Input-Octets, for example. Where are the
   octets counted? If you count them in different places, you get
   different results.

   4) Overloading of RADIUS Attributes

   There are a number of places where RADIUS uses the same attribute
   for more than one purpose. For example, the User-Password
   attribute can convey a PAP password or the response to a
   challenge. This problem has been handled in the model and the PIB
   by splitting one attribute into two or more attributes by
   appending numbers following the attribute name.

   5) The Place of Multilink

   In RADIUS, multilink is simply an aggregation of sessions. In PPP,
   however, it is the upper sublayer of the data link layer. From a
   service perspective this is important. The network layer (IP) lies
   above the data link layer. So, for instance, you have one IP
   address for the multilink, not for the individual links. Network
   layer tunnels would be built with one tunnel for the multilink.

   6) Management of the Multilink Service

   Currently, the management of the multilink service is the sole
   responsibility of the NASes. There are no standard protocols to
   assist the NASes. Management is difficult because multilink
   sessions will span multiple NASes in a POP. The AAA server could
   provide valuable assistance with multilink management, but it
   would require much more information than RADIUS provides. One
   could expand the model to encompass multilink management.

   7) The Relation Between Subsessions and Supersessions

   As an example of session aggregation, multilink raises the issue
   of how to model the notion of subsessions and supersessions. For
   example, one ought to be able to treat the subsessions as sessions
   and also treat the supersessions as sessions while still modeling
   the aggregation. Thus it ought to be possible to generate
   accounting data for a multilink session and also be able to
   generate accounting data for the individual subsessions. RADIUS
   does not provide for multilink accounting.

   8) How to Depict the Authorization/Provisioning Objects

   The authorization/provisioning objects toward the bottom of the
   diagram model the service itself. The service supports data
   communications in the data link and network layers. Unfortunately,
   they come out in this diagram upside down. Also, the network layer
   objects are shown as extensions of the link layer objects. They
   could be separate objects.

   9) Where to Place the Tunneling Attributes

   Various different types of tunneling at various different protocol
   layers are all lumped together in RADIUS into a single set of
   tunnel attributes.
   More work could fruitfully be spent in modeling tunnels and
   refining the attributes.

4. The RADIUS PIB

   The RADIUS PIB was created from the data model. Because the data
   model sought to organize the RADIUS attributes, the data elements
   of the RADIUS PIB are drawn from the RADIUS attribute set. The
   descriptions were extracted directly from the RADIUS RFCs [3-7].

   Some RADIUS attributes are used for more than one purpose in
   different contexts. To remove such ambiguities, we have sometimes
   defined more than one data element based on the same RADIUS
   attribute. We appended an integer to the RADIUS attribute name to
   distinguish the different data elements based on the same
   attribute. A few RADIUS attributes contain more than one data
   field. These were entered into the PIB as multiple data elements
   as needed.

   RADIUS-PIB PIB-DEFINITIONS ::= BEGIN

   IMPORTS
       Unsigned32, Integer32, MODULE-IDENTITY, OBJECT-TYPE
           FROM COPS-PR-SPPI
       InstanceId, Prid
           FROM COPS-PR-SPPI-TC
       SnmpAdminString
           FROM SNMP-FRAMEWORK-MIB
       InetAddress
           FROM INET-ADDRESS-MIB;

   radiusModelPib MODULE-IDENTITY
       SUBJECT-CATEGORIES { tbd(0) }   -- RADIUS client type
       LAST-UPDATED "200011161800Z"
       ORGANIZATION "IETF AAA WG"
       CONTACT-INFO
           "David Spence
            Interlink Networks, Inc.
            775 Technology Drive, Suite 200
            Ann Arbor, MI 48108 USA
            Phone: +1 734 821 1203
            EMail: dspence@interlinknetworks.com"
       DESCRIPTION
           "A PIB module containing the base set of provisioning
           classes that are required for support of the RADIUS
           protocol by a NAS."
       ::= { tbd }

   --
   -- The root OID for PRCs in the RADIUS PIB
   --
   radiusGenPibClasses OBJECT IDENTIFIER ::= { radiusModelPib 1 }

   --
   -- The NAS Identification Table
   --
   nasIdTable OBJECT-TYPE
       SYNTAX         SEQUENCE OF NasIdEntry
       PIB-ACCESS     notify
       STATUS         current
       DESCRIPTION
           ""
       ::= { radiusGenPibClasses 1 }

   nasIdEntry OBJECT-TYPE
       SYNTAX         NasIdEntry
       STATUS         current
       DESCRIPTION
           "An instance of this class contains the information to
           identify a NAS. It also contains a pointer to the instance
           of the NAS Port Manager table that it uses for all
           operations."
       PIB-INDEX { nasIdPrid }
       ::= { nasIdTable 1 }

   NasIdEntry ::= SEQUENCE {
       nasIdPrid            InstanceId,
       radNasIdentifier     SnmpAdminString,
       radNasIpAddress      InetAddress,
       nasManager           Prid
   }

   nasIdPrid OBJECT-TYPE
       SYNTAX         InstanceId
       STATUS         current
       DESCRIPTION
           "An index to uniquely identify an instance of this policy
           class."
       ::= { nasIdEntry 1 }

   radNasIdentifier OBJECT-TYPE
       SYNTAX         SnmpAdminString
       STATUS         current
       DESCRIPTION
           "This Attribute contains a string identifying the NAS
           originating the Access-Request. It is only used in
           Access-Request packets. Either radNasIpAddress or
           radNasIdentifier MUST be present in an Access-Request
           packet.

           Note that radNasIdentifier MUST NOT be used to select the
           shared secret used to authenticate the request. The source
           IP address of the Access-Request packet MUST be used to
           select the shared secret."
       ::= { nasIdEntry 2 }

   radNasIpAddress OBJECT-TYPE
       SYNTAX         InetAddress
       STATUS         current
       DESCRIPTION
           "This Attribute indicates the identifying IP Address of
           the NAS which is requesting authentication of the user,
           and SHOULD be unique to the NAS within the scope of the
           RADIUS server. radNasIpAddress is only used in
           Access-Request packets. Either radNasIpAddress or
           radNasIdentifier MUST be present in an Access-Request
           packet.

           Note that radNasIpAddress MUST NOT be used to select the
           shared secret used to authenticate the request. The source
           IP address of the Access-Request packet MUST be used to
           select the shared secret."
       ::= { nasIdEntry 3 }

   nasManager OBJECT-TYPE
       SYNTAX         Prid
       STATUS         current
       DESCRIPTION
           "This attribute points to an instance of the NAS Port
           Manager table."
       ::= { nasIdEntry 4 }

   --
   -- The NAS Port Manager Table
   --
   nasPortManagerTable OBJECT-TYPE
       SYNTAX         SEQUENCE OF NasPortManagerEntry
       PIB-ACCESS     notify
       STATUS         current
       DESCRIPTION
           ""
       ::= { radiusGenPibClasses 2 }

   nasPortManagerEntry OBJECT-TYPE
       SYNTAX         NasPortManagerEntry
       STATUS         current
       DESCRIPTION
           ""
       PIB-INDEX { nasPortManagerPrid }
       ::= { nasPortManagerTable 1 }

   NasPortManagerEntry ::= SEQUENCE {
       nasPortManagerPrid   InstanceId,
       nasId                Prid,
       callSetup            Prid,
       radNasPort           Integer32,
       radNasPortId         OCTET STRING,
       radNasPortType       INTEGER
   }

   nasPortManagerPrid OBJECT-TYPE
       SYNTAX         InstanceId
       STATUS         current
       DESCRIPTION
           "An index to uniquely identify an instance of this policy
           class."
       ::= { nasPortManagerEntry 1 }

   nasId OBJECT-TYPE
       SYNTAX         Prid
       STATUS         current
       DESCRIPTION
           ""
       ::= { nasPortManagerEntry 2 }

   callSetup OBJECT-TYPE
       SYNTAX         Prid
       STATUS         current
       DESCRIPTION
           ""
       ::= { nasPortManagerEntry 3 }

   radNasPort OBJECT-TYPE
       SYNTAX         Integer32
       STATUS         current
       DESCRIPTION
           "This Attribute indicates the physical port number of the
           NAS which is authenticating the user. It is only used in
           Access-Request packets. Note that this is using 'port' in
           its sense of a physical connection on the NAS, not in the
           sense of a TCP or UDP port number. Either radNasPort or
           radNasPortType or both SHOULD be present in an
           Access-Request packet, if the NAS differentiates among its
           ports."
       ::= { nasPortManagerEntry 4 }

   radNasPortId OBJECT-TYPE
       SYNTAX         OCTET STRING
       STATUS         current
       DESCRIPTION
           "This Attribute contains a text string which identifies
           the port of the NAS which is authenticating the user. It
           is only used in Access-Request and Accounting-Request
           packets. Note that this is using 'port' in its sense of a
           physical connection on the NAS, not in the sense of a TCP
           or UDP port number. Either radNasPort or radNasPortId
           SHOULD be present in an Access-Request packet, if the NAS
           differentiates among its ports. radNasPortId is intended
           for use by NASes which cannot conveniently number their
           ports."
       ::= { nasPortManagerEntry 5 }

   radNasPortType OBJECT-TYPE
       SYNTAX         INTEGER {
                          radAsync(0),
                          radSync(1),
                          radIsdnSync(2),
                          radIsdnAsyncV120(3),
                          radIsdnAsyncV110(4),
                          radVirtual(5),
                          radPIAFS(6),
                          radHdlcClearChannel(7),
                          radX25(8),
                          radX75(9),
                          radG3Fax(10),
                          radSDSL(11),
                          radAdslCAP(12),
                          radAdslDMT(13),
                          radIdsl(14),
                          radEthernet(15),
                          radXdsl(16),
                          radCable(17),
                          radWirelessOther(18),
                          radWirelessIEEE80211(19)
                      }
       STATUS         current
       DESCRIPTION
           "This Attribute indicates the type of the physical port of
           the NAS which is authenticating the user. It can be used
           instead of or in addition to the radNasPort attribute. It
           is only used in Access-Request packets. Either radNasPort
           or radNasPortType or both SHOULD be present in an
           Access-Request packet, if the NAS differentiates among its
           ports.

           A value of 'radAsync(0)' indicates Async.
           A value of 'radSync(1)' indicates Sync.
           A value of 'radIsdnSync(2)' indicates ISDN Sync.
           A value of 'radIsdnAsyncV120(3)' indicates ISDN Async
           V.120.
           A value of 'radIsdnAsyncV110(4)' indicates ISDN Async
           V.110.
           A value of 'radVirtual(5)' indicates Virtual. Virtual
           refers to a connection to the NAS via some transport
           protocol, instead of through a physical port. For example,
           if a user telnetted into a NAS to authenticate himself as
           an Outbound-User, the Access-Request might include
           radNasPortType = Virtual as a hint to the RADIUS server
           that the user was not on a physical port.
           A value of 'radPIAFS(6)' indicates PIAFS.
           PIAFS is a form of wireless ISDN commonly used in Japan,
           and stands for PHS (Personal Handyphone System) Internet
           Access Forum Standard (PIAFS).
           A value of 'radHdlcClearChannel(7)' indicates HDLC Clear
           Channel.
           A value of 'radX25(8)' indicates X.25.
           A value of 'radX75(9)' indicates X.75.
           A value of 'radG3Fax(10)' indicates G.3 Fax.
           A value of 'radSDSL(11)' indicates SDSL - Symmetric DSL.
           A value of 'radAdslCAP(12)' indicates ADSL-CAP - Asymmetric
           DSL, Carrierless Amplitude Phase Modulation.
           A value of 'radAdslDMT(13)' indicates ADSL-DMT - Asymmetric
           DSL, Discrete Multi-Tone.
           A value of 'radIdsl(14)' indicates IDSL - ISDN Digital
           Subscriber Line.
           A value of 'radEthernet(15)' indicates Ethernet.
           A value of 'radXdsl(16)' indicates xDSL - Digital
           Subscriber Line of unknown type.
           A value of 'radCable(17)' indicates Cable.
           A value of 'radWirelessOther(18)' indicates Wireless -
           Other.
           A value of 'radWirelessIEEE80211(19)' indicates Wireless -
           IEEE 802.11."
       ::= { nasPortManagerEntry 6 }

   --
   -- The Call Setup Table
   --
   callSetupTable OBJECT-TYPE
       SYNTAX         SEQUENCE OF CallSetupEntry
       PIB-ACCESS     notify
       STATUS         current
       DESCRIPTION
           ""
       ::= { radiusGenPibClasses 3 }

   callSetupEntry OBJECT-TYPE
       SYNTAX         CallSetupEntry
       STATUS         current
       DESCRIPTION
           ""
       PIB-INDEX { callSetupPrid }
       ::= { callSetupTable 1 }

   CallSetupEntry ::= SEQUENCE {
       callSetupPrid          InstanceId,
       nasPortManager         Prid,
       sessionManagement      Prid,
       callBackService        Prid,
       radCalledStationId     OCTET STRING,
       radCallingStationId    OCTET STRING
   }

   callSetupPrid OBJECT-TYPE
       SYNTAX         InstanceId
       STATUS         current
       DESCRIPTION
           "An index to uniquely identify an instance of this policy
           class."
       ::= { callSetupEntry 1 }

   nasPortManager OBJECT-TYPE
       SYNTAX         Prid
       STATUS         current
       DESCRIPTION
           ""
       ::= { callSetupEntry 2 }

   sessionManagement OBJECT-TYPE
       SYNTAX         Prid
       STATUS         current
       DESCRIPTION
           ""
       ::= { callSetupEntry 3 }

   callBackService OBJECT-TYPE
       SYNTAX         Prid
       STATUS         current
       DESCRIPTION
           ""
       ::= { callSetupEntry 4 }

   radCalledStationId OBJECT-TYPE
       SYNTAX         OCTET STRING
       STATUS         current
       DESCRIPTION
           "This Attribute allows the NAS to send in the
           Access-Request packet the phone number that the user
           called, using Dialed Number Identification (DNIS) or
           similar technology. Note that this may be different from
           the phone number the call comes in on. It is only used in
           Access-Request packets."
       ::= { callSetupEntry 5 }

   radCallingStationId OBJECT-TYPE
       SYNTAX         OCTET STRING
       STATUS         current
       DESCRIPTION
           "This Attribute allows the NAS to send in the
           Access-Request packet the phone number that the call came
           from, using Automatic Number Identification (ANI) or
           similar technology. It is only used in Access-Request
           packets."
       ::= { callSetupEntry 6 }

   --
   -- The Callback Service Table
   --
   callBackServiceTable OBJECT-TYPE
       SYNTAX         SEQUENCE OF CallBackServiceEntry
       PIB-ACCESS     notify
       STATUS         current
       DESCRIPTION
           ""
       ::= { radiusGenPibClasses 4 }

   callBackServiceEntry OBJECT-TYPE
       SYNTAX         CallBackServiceEntry
       STATUS         current
       DESCRIPTION
           ""
       PIB-INDEX { callBackServicePrid }
       ::= { callBackServiceTable 1 }

   CallBackServiceEntry ::= SEQUENCE {
       callBackServicePrid          InstanceId,
       callBackServiceCallSetup     Prid,
       radCallbackNumber            OCTET STRING,
       radCallbackId                OCTET STRING
   }

   callBackServicePrid OBJECT-TYPE
       SYNTAX         InstanceId
       STATUS         current
       DESCRIPTION
           "An index to uniquely identify an instance of this policy
           class."
       ::= { callBackServiceEntry 1 }

   callBackServiceCallSetup OBJECT-TYPE
       SYNTAX         Prid
       STATUS         current
       DESCRIPTION
           ""
       ::= { callBackServiceEntry 2 }

   radCallbackNumber OBJECT-TYPE
       SYNTAX         OCTET STRING
       STATUS         current
       DESCRIPTION
           "This Attribute indicates a dialing string to be used for
           callback. It MAY be used in Access-Accept packets. It MAY
           be used in an Access-Request packet as a hint to the
           server that a Callback service is desired, but the server
           is not required to honor the hint."
       ::= { callBackServiceEntry 3 }

   radCallbackId OBJECT-TYPE
       SYNTAX         OCTET STRING
       STATUS         current
       DESCRIPTION
           "This Attribute indicates the name of a place to be
           called, to be interpreted by the NAS. It MAY be used in
           Access-Accept packets."
       ::= { callBackServiceEntry 4 }

   --
   -- The Session Management Table
   --
   sessionManagementTable OBJECT-TYPE
       SYNTAX         SEQUENCE OF SessionManagementEntry
       PIB-ACCESS     notify
       STATUS         current
       DESCRIPTION
           ""
       ::= { radiusGenPibClasses 5 }

   sessionManagementEntry OBJECT-TYPE
       SYNTAX         SessionManagementEntry
       STATUS         current
       DESCRIPTION
           ""
       PIB-INDEX { sessionManagementPrid }
       ::= { sessionManagementTable 1 }

   SessionManagementEntry ::= SEQUENCE {
       sessionManagementPrid          InstanceId,
       sessionManagementCallSetup     Prid,
       userAuth                       Prid,
       perSessionAcct                 Prid,
       accountingControl              Prid,
       multilinkSession               Prid,
       radAcctSessionId               OCTET STRING,
       radClass                       OCTET STRING,
       radSessionTimeout              Unsigned32,
       radIdleTimeout                 Unsigned32,
       radConfigurationToken          OCTET STRING,
       radServiceType                 INTEGER,
       radConnectInfo                 OCTET STRING
   }

   sessionManagementPrid OBJECT-TYPE
       SYNTAX         InstanceId
       STATUS         current
       DESCRIPTION
           "An index to uniquely identify an instance of this policy
           class."
       ::= { sessionManagementEntry 1 }

   sessionManagementCallSetup OBJECT-TYPE
       SYNTAX         Prid
       STATUS         current
       DESCRIPTION
           ""
       ::= { sessionManagementEntry 2 }

   userAuth OBJECT-TYPE
       SYNTAX         Prid
       STATUS         current
       DESCRIPTION
           ""
       ::= { sessionManagementEntry 3 }

   perSessionAcct OBJECT-TYPE
       SYNTAX         Prid
       STATUS         current
       DESCRIPTION
           ""
       ::= { sessionManagementEntry 4 }

   accountingControl OBJECT-TYPE
       SYNTAX         Prid
       STATUS         current
       DESCRIPTION
           ""
       ::= { sessionManagementEntry 5 }

   multilinkSession OBJECT-TYPE
       SYNTAX         Prid
       STATUS         current
       DESCRIPTION
           ""
       ::= { sessionManagementEntry 6 }

   radAcctSessionId OBJECT-TYPE
       SYNTAX         OCTET STRING
       STATUS         current
       DESCRIPTION
           "This attribute is a unique Accounting ID to make it easy
           to match start and stop records in a log file. The start
           and stop records for a given session MUST have the same
           radAcctSessionId. An Accounting-Request packet MUST have a
           radAcctSessionId. An Access-Request packet MAY have a
           radAcctSessionId; if it does, then the NAS MUST use the
           same radAcctSessionId in the Accounting-Request packets
           for that session."
       ::= { sessionManagementEntry 7 }

   radClass OBJECT-TYPE
       SYNTAX         OCTET STRING
       STATUS         current
       DESCRIPTION
           "This Attribute is available to be sent by the server to
           the client in an Access-Accept and SHOULD be sent
           unmodified by the client to the accounting server as part
           of the Accounting-Request packet if accounting is
           supported. The client MUST NOT interpret the attribute
           locally."
       ::= { sessionManagementEntry 8 }

   radSessionTimeout OBJECT-TYPE
       SYNTAX         Unsigned32
       STATUS         current
       DESCRIPTION
           "This Attribute sets the maximum number of seconds of
           service to be provided to the user before termination of
           the session or prompt. This Attribute is available to be
           sent by the server to the client in an Access-Accept or
           Access-Challenge."
::= { sessionManagementEntry 9 } radIdleTimeout OBJECT-TYPE SYNTAX Unsigned32 STATUS current DESCRIPTION "This Attribute sets the maximum number of consecutive seconds of idle connection allowed to the user before termination of the session or prompt. This Attribute is available to be sent by the server to the client in an Access-Accept or Access-Challenge." ::= { sessionManagementEntry 10 } radConfigurationToken OBJECT-TYPE SYNTAX OCTET STRING STATUS current DESCRIPTION "This attribute is for use in large distributed authentication networks based on proxy. It is sent from a RADIUS Proxy Server to a RADIUS Proxy Client in an Access-Accept to indicate a type of user profile to be used. It should not be sent to a NAS." ::= { sessionManagementEntry 11 } Spence et al. expires May 2001 [Page 22] INTERNET DRAFT Data Model for Network Access November 2000 radServiceType OBJECT-TYPE SYNTAX INTEGER { radLogin(1), radFramed(2), radCallbackLogin(3), radCallbackFramed(4), radOutbound(5), radAdministrative(6), radNASPrompt(7), radAuthenticateOnly(8), radCallbackNASPrompt(9), radCallCheck(10), radCallbackAdministrative(11) } STATUS current DESCRIPTION "This Attribute indicates the type of service the user has requested, or the type of service to be provided. It MAY be used in both Access-Request and Access-Accept packets. A NAS is not required to implement all of these service types, and MUST treat unknown or unsupported radServiceTypes as though an Access-Reject had been received instead. The service types are defined as follows when used in an Access-Accept. When used in an Access-Request, they MAY be considered to be a hint to the RADIUS server that the NAS has reason to believe the user would prefer the kind of service indicated, but the server is not required to honor the hint. A value of 'radLogin(1)' indicates that the user should be connected to a host. A value of 'radFramed(2)' indicates that a Framed Protocol should be started for the User, such as PPP or SLIP. 
            A value of 'radCallbackLogin(3)' indicates that the user
            should be disconnected and called back, then connected to a
            host.

            A value of 'radCallbackFramed(4)' indicates that the user
            should be disconnected and called back, then a Framed Protocol
            should be started for the User, such as PPP or SLIP.

            A value of 'radOutbound(5)' indicates that the user should be
            granted access to outgoing devices.

            A value of 'radAdministrative(6)' indicates that the user
            should be granted access to the administrative interface to
            the NAS from which privileged commands can be executed.

            A value of 'radNASPrompt(7)' indicates that the user should be
            provided a command prompt on the NAS from which non-privileged
            commands can be executed.

            A value of 'radAuthenticateOnly(8)' indicates that only
            Authentication is requested, and no authorization information
            needs to be returned in the Access-Accept (typically used by
            proxy servers rather than the NAS itself).

            A value of 'radCallbackNASPrompt(9)' indicates that the user
            should be disconnected and called back, then provided a
            command prompt on the NAS from which non-privileged commands
            can be executed.

            A value of 'radCallCheck(10)' is used by the NAS in an
            Access-Request packet to indicate that a call is being
            received and that the RADIUS server should send back an
            Access-Accept to answer the call, or an Access-Reject to not
            accept the call, typically based on the radCalledStationId or
            radCallingStationId attributes.  It is recommended that such
            Access-Requests use the value of radCallingStationId as the
            value of the radUserName.

            A value of 'radCallbackAdministrative(11)' indicates that the
            user should be disconnected and called back, then granted
            access to the administrative interface to the NAS from which
            privileged commands can be executed."
        ::= { sessionManagementEntry 12 }
    radConnectInfo OBJECT-TYPE
        SYNTAX      OCTET STRING
        STATUS      current
        DESCRIPTION
            "This attribute is sent from the NAS to indicate the nature of
            the user's connection.  The NAS MAY send this attribute in an
            Access-Request or Accounting-Request to indicate the nature of
            the user's connection."
        ::= { sessionManagementEntry 13 }

    --
    -- The User Authentication Table
    --

    UserAuthTable OBJECT-TYPE
        SYNTAX      SEQUENCE OF UserAuthEntry
        PIB-ACCESS  notify
        STATUS      current
        DESCRIPTION ""
        ::= { radiusModelPib 6 }

    userAuthEntry OBJECT-TYPE
        SYNTAX      UserAuthEntry
        STATUS      current
        DESCRIPTION ""
        PIB-INDEX { UserAuthPrid }
        ::= { UserAuthTable 1 }

    UserAuthEntry ::= SEQUENCE {
        UserAuthPrid    InstanceId,
        SessionMgmt     Prid,
        radUserName     OCTET STRING
    }

    UserAuthPrid OBJECT-TYPE
        SYNTAX      InstanceId
        STATUS      current
        DESCRIPTION
            "An index to uniquely identify an instance of this policy
            class."
        ::= { userAuthEntry 1 }

    SessionMgmt OBJECT-TYPE
        SYNTAX      Prid
        STATUS      current
        DESCRIPTION ""
        ::= { userAuthEntry 2 }

    radUserName OBJECT-TYPE
        SYNTAX      OCTET STRING
        STATUS      current
        DESCRIPTION
            "This Attribute indicates the name of the user to be
            authenticated.  It MUST be sent in Access-Request packets if
            available.  It MAY be sent in an Access-Accept packet, in
            which case the client SHOULD use the name returned in the
            Access-Accept packet in all Accounting-Request packets for
            this session.  If the Access-Accept includes radServiceType =
            Rlogin and the radUserName attribute, a NAS MAY use the
            returned radUserName when performing the Rlogin function."
        ::= { userAuthEntry 3 }
    --
    -- The Password Authentication Table
    --

    passwordAuthTable OBJECT-TYPE
        SYNTAX      SEQUENCE OF PasswordAuthEntry
        PIB-ACCESS  notify
        STATUS      current
        DESCRIPTION ""
        ::= { radiusModelPib 7 }

    passwordAuthEntry OBJECT-TYPE
        SYNTAX      PasswordAuthEntry
        STATUS      current
        DESCRIPTION ""
        EXTENDS { userAuthEntry }
        ::= { passwordAuthTable 1 }

    PasswordAuthEntry ::= SEQUENCE {
        radUserPassword1    OCTET STRING,
        radReplyMessage1    OCTET STRING,
        radPasswordRetry1   Integer32
    }

    radUserPassword1 OBJECT-TYPE
        SYNTAX      OCTET STRING
        STATUS      current
        DESCRIPTION
            "This Attribute indicates the password of the user to be
            authenticated.  It is only used in Access-Request packets.

            On transmission, the password is hidden.  The password is
            first padded at the end with nulls to a multiple of 16 octets.
            A one-way MD5 hash is calculated over a stream of octets
            consisting of the shared secret followed by the Request
            Authenticator.  This value is XORed with the first 16 octet
            segment of the password and placed in the first 16 octets of
            the String field of the radUserPassword Attribute.

            If the password is longer than 16 characters, a second one-way
            MD5 hash is calculated over a stream of octets consisting of
            the shared secret followed by the result of the first xor.
            That hash is XORed with the second 16 octet segment of the
            password and placed in the second 16 octets of the String
            field of the radUserPassword Attribute.

            If necessary, this operation is repeated, with each xor result
            being used along with the shared secret to generate the next
            hash to xor the next segment of the password, to no more than
            128 characters.

            The method is taken from the book 'Network Security' by
            Kaufman, Perlman and Speciner [8] pages 109-110.
            A more precise explanation of the method follows:

            Call the shared secret S and the pseudo-random 128-bit Request
            Authenticator RA.  Break the password into 16-octet chunks p1,
            p2, etc. with the last one padded at the end with nulls to a
            16-octet boundary.  Call the ciphertext blocks c(1), c(2),
            etc.  We'll need intermediate values b1, b2, etc.

                b1 = MD5(S + RA)       c(1) = p1 xor b1
                b2 = MD5(S + c(1))     c(2) = p2 xor b2
                        .                      .
                        .                      .
                        .                      .
                bi = MD5(S + c(i-1))   c(i) = pi xor bi

            The String will contain c(1)+c(2)+...+c(i) where + denotes
            concatenation.

            On receipt, the process is reversed to yield the original
            password."
        ::= { passwordAuthEntry 1 }

    radReplyMessage1 OBJECT-TYPE
        SYNTAX      OCTET STRING
        STATUS      current
        DESCRIPTION
            "This Attribute indicates text which MAY be displayed to the
            user.  When used in an Access-Accept, it is the success
            message.  When used in an Access-Reject, it is the failure
            message.  It MAY indicate a dialog message to prompt the user
            before another Access-Request attempt.  Multiple
            radReplyMessage's MAY be included and if any are displayed,
            they MUST be displayed in the same order as they appear in the
            packet."
        ::= { passwordAuthEntry 2 }

    radPasswordRetry1 OBJECT-TYPE
        SYNTAX      Integer32
        STATUS      current
        DESCRIPTION
            "This attribute MAY be included in an Access-Reject to indicate
            how many authentication attempts a user may be allowed to
            attempt before being disconnected."
        ::= { passwordAuthEntry 3 }
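The hiding scheme that the radUserPassword1 DESCRIPTION walks through, carried out in working Python with the draft's own symbols (S, RA, p_i, b_i, c(i)). This is an added example and not part of the draft or its PIB; the shared secret, Request Authenticator and password values are constructed for illustration, and the function names hide_password and reveal_password are chosen here.

```python
"""RADIUS User-Password hiding and recovery, following the radUserPassword1
DESCRIPTION: b1 = MD5(S + RA), c(1) = p1 xor b1; bi = MD5(S + c(i-1)),
c(i) = pi xor bi.  Added example; values below are constructed."""
import hashlib


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Return the String field of User-Password for the given cleartext.

    `secret` is S, `request_authenticator` is RA (16 octets).  The password is
    padded with nulls to a 16-octet boundary and hidden block by block.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = request_authenticator          # RA for block 1, c(i-1) afterwards
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()                 # bi = MD5(S + prev)
        c = bytes(p ^ k for p, k in zip(padded[i:i + 16], b))   # c(i) = pi xor bi
        hidden += c
        prev = c
    return bytes(hidden)


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Reverse the hiding on receipt: pi = c(i) xor MD5(S + c(i-1)).

    The chain uses the received ciphertext blocks, so every block can be
    recovered from the wire data plus S and RA alone.  Trailing nulls are the
    padding and are stripped (a password cannot end in a null octet here).
    """
    if len(hidden) == 0 or len(hidden) % 16 != 0 or len(hidden) > 128:
        raise ValueError("hidden String must be 16..128 octets, a multiple of 16")
    clear = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        clear += bytes(x ^ k for x, k in zip(c, b))
        prev = c
    return bytes(clear).rstrip(b"\x00")


if __name__ == "__main__":
    # Constructed demo values, not taken from any real deployment.
    S = b"constructed-shared-secret"
    RA = bytes(range(16))
    wire = hide_password(b"correct horse battery", S, RA)   # 21 octets -> 32 on the wire
    print(len(wire), wire.hex())
    print(reveal_password(wire, S, RA))
```

Note what the construction gives and does not give: the String is reversible by anyone who holds S and observed RA, so it hides the password from a passive observer without the secret but is not an authentication of the request; the first block is the only one keyed directly by RA, and every later block is keyed by the preceding ciphertext block, which is why the receiver can walk the chain from the wire data.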
    --
    -- The CHAP Authentication Table
    --

    chapAuthTable OBJECT-TYPE
        SYNTAX      SEQUENCE OF ChapAuthEntry
        PIB-ACCESS  notify
        STATUS      current
        DESCRIPTION ""
        ::= { radiusModelPib 8 }

    chapAuthEntry OBJECT-TYPE
        SYNTAX      ChapAuthEntry
        STATUS      current
        DESCRIPTION ""
        EXTENDS { userAuthEntry }
        ::= { chapAuthTable 1 }

    ChapAuthEntry ::= SEQUENCE {
        radChapChallenge        OCTET STRING,
        radChapPasswordIdent    INTEGER,
        radChapPasswordResponse OCTET STRING
    }

    radChapChallenge OBJECT-TYPE
        SYNTAX      OCTET STRING
        STATUS      current
        DESCRIPTION
            "This Attribute contains the CHAP Challenge sent by the NAS to
            a PPP Challenge-Handshake Authentication Protocol (CHAP) user.
            It is only used in Access-Request packets.

            If the CHAP challenge value is 16 octets long it MAY be placed
            in the Request Authenticator field instead of using this
            attribute.  The CHAP challenge value is found in the
            radChapChallenge Attribute (60) if present in the packet,
            otherwise in the Request Authenticator field."
        ::= { chapAuthEntry 1 }

    radChapPasswordIdent OBJECT-TYPE
        SYNTAX      INTEGER (0..255)
        STATUS      current
        DESCRIPTION
            "This Attribute contains the CHAP Identifier from the user's
            CHAP Response.  It is only used in Access-Request packets.
            This field is one component of the CHAP-Password attribute."
        ::= { chapAuthEntry 2 }

    radChapPasswordResponse OBJECT-TYPE
        SYNTAX      OCTET STRING (SIZE (16))
        STATUS      current
        DESCRIPTION
            "This Attribute indicates the response value provided by a PPP
            Challenge-Handshake Authentication Protocol (CHAP) user in
            response to the challenge.  It is only used in Access-Request
            packets.  This field is one component of the CHAP-Password
            attribute, and contains the CHAP Response from the user."
        ::= { chapAuthEntry 3 }

    --
    -- The EAP Authentication Table
    --

    eapAuthTable OBJECT-TYPE
        SYNTAX      SEQUENCE OF EapAuthEntry
        PIB-ACCESS  notify
        STATUS      current
        DESCRIPTION ""
        ::= { radiusModelPib 9 }

    eapAuthEntry OBJECT-TYPE
        SYNTAX      EapAuthEntry
        STATUS      current
        DESCRIPTION ""
        EXTENDS { userAuthEntry }
        ::= { eapAuthTable 1 }

    EapAuthEntry ::= SEQUENCE {
        radEapMessage   OCTET STRING
    }

    radEapMessage OBJECT-TYPE
        SYNTAX      OCTET STRING
        STATUS      current
        DESCRIPTION
            "This attribute encapsulates Extensible Authentication
            Protocol (EAP) [9] packets so as to allow the NAS to
            authenticate dial-in users via EAP without having to
            understand the EAP protocol.

            The NAS places any EAP messages received from the user into
            one or more EAP attributes and forwards them to the RADIUS
            Server as part of the Access-Request, which can return EAP
            messages in Access-Challenge, Access-Accept and Access-Reject
            packets.  A RADIUS Server receiving EAP messages that it does
            not understand SHOULD return an Access-Reject.

            The NAS places EAP messages received from the authenticating
            peer into one or more radEapMessage attributes and forwards
            them to the RADIUS Server within an Access-Request message.
            If multiple radEapMessages are contained within an
            Access-Request or Access-Challenge packet, they MUST be in
            order and they MUST be consecutive attributes in the
            Access-Request or Access-Challenge packet.  Access-Accept and
            Access-Reject packets SHOULD only have ONE radEapMessage
            attribute in them, containing EAP-Success or EAP-Failure.

            It is expected that EAP will be used to implement a variety of
            authentication methods, including methods involving strong
            cryptography.
            In order to prevent attackers from subverting EAP by attacking
            RADIUS/EAP, (for example, by modifying the EAP-Success or
            EAP-Failure packets) it is necessary that RADIUS/EAP provide
            integrity protection at least as strong as those used in the
            EAP methods themselves.  Therefore the Message-Authenticator
            attribute MUST be used to protect all Access-Request,
            Access-Challenge, Access-Accept, and Access-Reject packets
            containing a radEapMessage attribute.

            Access-Request packets including a radEapMessage attribute
            without a Message-Authenticator attribute SHOULD be silently
            discarded by the RADIUS server.  A RADIUS Server supporting
            radEapMessage MUST calculate the correct value of the
            Message-Authenticator and silently discard the packet if it
            does not match the value sent.  A RADIUS Server not supporting
            radEapMessage MUST return an Access-Reject if it receives an
            Access-Request containing a radEapMessage attribute.  A RADIUS
            Server receiving a radEapMessage attribute that it does not
            understand MUST return an Access-Reject.

            Access-Challenge, Access-Accept, or Access-Reject packets
            including a radEapMessage attribute without a
            Message-Authenticator attribute SHOULD be silently discarded
            by the NAS.  A NAS supporting radEapMessage MUST calculate the
            correct value of the Message-Authenticator and silently
            discard the packet if it does not match the value sent."
        ::= { eapAuthEntry 1 }

    --
    -- The Access Challenge Table
    --

    accessChallengeTable OBJECT-TYPE
        SYNTAX      SEQUENCE OF AccessChallengeEntry
        PIB-ACCESS  notify
        STATUS      current
        DESCRIPTION ""
        ::= { radiusModelPib 10 }

    accessChallengeEntry OBJECT-TYPE
        SYNTAX      AccessChallengeEntry
        STATUS      current
        DESCRIPTION ""
        EXTENDS { userAuthEntry }
        ::= { accessChallengeTable 1 }

    AccessChallengeEntry ::= SEQUENCE {
        radReplyMessage2    OCTET STRING,
        radPrompt           INTEGER,
        radState1           OCTET STRING,
        radUserPassword2    OCTET STRING,
        radReplyMessage3    OCTET STRING,
        radPasswordRetry2   Integer32
    }

    radReplyMessage2 OBJECT-TYPE
        SYNTAX      OCTET STRING
        STATUS      current
        DESCRIPTION
            "This Attribute indicates text which MAY be displayed to the
            user.  When used in an Access-Challenge, it MAY indicate a
            dialog message to prompt the user for a response.  Multiple
            radReplyMessage's MAY be included and if any are displayed,
            they MUST be displayed in the same order as they appear in the
            packet."
        ::= { accessChallengeEntry 1 }

    radPrompt OBJECT-TYPE
        SYNTAX      INTEGER {
                        radNoEcho(0),
                        radEcho(1)
                    }
        STATUS      current
        DESCRIPTION
            "This attribute is used only in Access-Challenge packets, and
            indicates to the NAS whether it should echo the user's
            response as it is entered, or not echo it.

            A value of 'radNoEcho(0)' means: no echo.

            A value of 'radEcho(1)' means: echo."
        ::= { accessChallengeEntry 2 }

    radState1 OBJECT-TYPE
        SYNTAX      OCTET STRING
        STATUS      current
        DESCRIPTION
            "This Attribute is available to be sent by the server to the
            client in an Access-Challenge and MUST be sent unmodified from
            the client to the server in the new Access-Request reply to
            that challenge, if any.  The client MUST NOT interpret the
            attribute locally.  A packet must have only zero or one
            radState Attribute.  Usage of the radState Attribute is
            implementation dependent."
        ::= { accessChallengeEntry 3 }

    radUserPassword2 OBJECT-TYPE
        SYNTAX      OCTET STRING
        STATUS      current
        DESCRIPTION
            "This Attribute indicates the user's input following an
            Access-Challenge.  It is only used in Access-Request packets."
        ::= { accessChallengeEntry 4 }

    radReplyMessage3 OBJECT-TYPE
        SYNTAX      OCTET STRING
        STATUS      current
        DESCRIPTION
            "This Attribute indicates text which MAY be displayed to the
            user.  When used in an Access-Accept, it is the success
            message.  When used in an Access-Reject, it is the failure
            message.  It MAY indicate a dialog message to prompt the user
            before another Access-Request attempt.  Multiple
            radReplyMessage's MAY be included and if any are displayed,
            they MUST be displayed in the same order as they appear in the
            packet."
        ::= { accessChallengeEntry 5 }

    radPasswordRetry2 OBJECT-TYPE
        SYNTAX      Integer32
        STATUS      current
        DESCRIPTION
            "This attribute MAY be included in an Access-Reject to indicate
            how many authentication attempts a user may be allowed to
            attempt before being disconnected."
        ::= { accessChallengeEntry 6 }

    --
    -- The Framed Link Setup Table
    --

    framedLinkSetupTable OBJECT-TYPE
        SYNTAX      SEQUENCE OF FramedLinkSetupEntry
        PIB-ACCESS  notify
        STATUS      current
        DESCRIPTION ""
        ::= { radiusModelPib 11 }

    framedLinkSetupEntry OBJECT-TYPE
        SYNTAX      FramedLinkSetupEntry
        STATUS      current
        DESCRIPTION ""
        EXTENDS { sessionManagementEntry }
        ::= { framedLinkSetupTable 1 }

    FramedLinkSetupEntry ::= SEQUENCE {
        radFramedProtocol       INTEGER,
        radFramedMTU            Integer32,
        radFramedCompression    INTEGER,
        radPortLimit            Unsigned32
    }

    radFramedProtocol OBJECT-TYPE
        SYNTAX      INTEGER {
                        radPPP(1),
                        radSLIP(2),
                        radARAP(3),
                        radGandalf(4),
                        radXylogics(5),
                        radX75Synchronous(6)
                    }
        STATUS      current
        DESCRIPTION
            "This Attribute indicates the framing to be used for framed
            access.
            It MAY be used in both Access-Request and Access-Accept
            packets.

            A value of 'radPPP(1)' represents PPP.

            A value of 'radSLIP(2)' represents SLIP.

            A value of 'radARAP(3)' represents AppleTalk Remote Access
            Protocol (ARAP).

            A value of 'radGandalf(4)' represents Gandalf proprietary
            SingleLink/MultiLink protocol.

            A value of 'radXylogics(5)' represents Xylogics proprietary
            IPX/SLIP.

            A value of 'radX75Synchronous(6)' represents X.75
            Synchronous."
        ::= { framedLinkSetupEntry 1 }

    radFramedMTU OBJECT-TYPE
        SYNTAX      Integer32
        STATUS      current
        DESCRIPTION
            "This Attribute indicates the Maximum Transmission Unit to be
            configured for the user, when it is not negotiated by some
            other means (such as PPP).  It MAY be used in Access-Accept
            packets.  It MAY be used in an Access-Request packet as a hint
            by the NAS to the server that it would prefer that value, but
            the server is not required to honor the hint."
        ::= { framedLinkSetupEntry 2 }

    radFramedCompression OBJECT-TYPE
        SYNTAX      INTEGER {
                        radNone(0),
                        radVJ(1),
                        radIPXheader(2),
                        radStacLZS(3)
                    }
        STATUS      current
        DESCRIPTION
            "This Attribute indicates a compression protocol to be used
            for the link.  It MAY be used in Access-Accept packets.  It
            MAY be used in an Access-Request packet as a hint to the
            server that the NAS would prefer to use that compression, but
            the server is not required to honor the hint.

            More than one compression protocol Attribute MAY be sent.  It
            is the responsibility of the NAS to apply the proper
            compression protocol to appropriate link traffic.

            A value of 'radNone(0)' indicates None.

            A value of 'radVJ(1)' indicates VJ TCP/IP header compression.

            A value of 'radIPXheader(2)' indicates IPX header compression.

            A value of 'radStacLZS(3)' indicates Stac-LZS compression."
        ::= { framedLinkSetupEntry 3 }
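Server-side handling of two rules stated in the tables above: the radEapMessage requirement that an Access-Request carrying EAP be silently discarded unless its Message-Authenticator is present and verifies, and the check of a CHAP response against radChapChallenge (or the Request Authenticator when that attribute is absent) with radChapPasswordIdent and radChapPasswordResponse. This is one added Python example serving both passages, not code from the draft. The page gives neither computation; the example assumes RFC 2869's definition of Message-Authenticator (HMAC-MD5 keyed with the shared secret over the whole packet with the attribute's 16 value octets set to zero) and RFC 1994's CHAP response (MD5 over Identifier, secret and challenge). The attribute type codes are the standard RADIUS ones; USER_SECRETS, the packets and all function names are constructed here.

```python
"""Access-Request checks for EAP (Message-Authenticator) and CHAP.  Added example;
computations assumed from RFC 2869 and RFC 1994, all packet data constructed."""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1                                   # RADIUS Code
USER_NAME, CHAP_PASSWORD = 1, 3                      # attribute types (RFC 2865)
CHAP_CHALLENGE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 60, 79, 80

# Constructed user store: CHAP needs the user's cleartext secret on the server.
USER_SECRETS = {b"alice": b"alice-chap-secret"}


def encode_attrs(attrs):
    """TLV-encode [(type, value), ...]; the Length octet covers the 2-octet header."""
    out = b""
    for t, v in attrs:
        if not 1 <= len(v) <= 253:
            raise ValueError("attribute value must be 1..253 octets")
        out += bytes([t, len(v) + 2]) + v
    return out


def decode_attrs(body):
    """Parse the attribute section into [(type, value, offset)], rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        t, length = body[i], body[i + 1]
        attrs.append((t, body[i + 2:i + length], i))
        i += length
    return attrs


def build_access_request(identifier, request_auth, attrs, shared_secret):
    """Serialize an Access-Request.  If it carries EAP-Message, append a
    Message-Authenticator = HMAC-MD5(shared_secret, packet with the value zeroed)."""
    has_eap = any(t == EAP_MESSAGE for t, _ in attrs)
    if has_eap:
        attrs = attrs + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    body = encode_attrs(attrs)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + request_auth + body
    if has_eap:
        mac = hmac.new(shared_secret, pkt, hashlib.md5).digest()
        pkt = pkt[:-16] + mac            # the zeroed value is the final 16 octets
    return pkt


def message_authenticator_ok(pkt, shared_secret):
    """Recompute the HMAC over the packet with the attribute value zeroed; constant-time compare."""
    for t, v, off in decode_attrs(pkt[20:]):
        if t == MESSAGE_AUTHENTICATOR:
            if len(v) != 16:
                return False
            start = 20 + off + 2
            zeroed = pkt[:start] + b"\x00" * 16 + pkt[start + 16:]
            expected = hmac.new(shared_secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, v)
    return False                          # attribute absent


def chap_password_value(ident, user_secret, challenge):
    """What a CHAP peer sends: Identifier (1 octet) + MD5(Identifier + secret + challenge)."""
    return ident + hashlib.md5(ident + user_secret + challenge).digest()


def chap_response_ok(chap_password, challenge, user_secret):
    """Verify CHAP-Password (radChapPasswordIdent + radChapPasswordResponse) against the challenge."""
    if len(chap_password) != 17:
        return False
    expected = chap_password_value(chap_password[:1], user_secret, challenge)
    return hmac.compare_digest(expected, chap_password)


def evaluate_access_request(pkt, shared_secret):
    """Return ('discard'|'reject'|'accept'|'eap', reason); 'discard' means drop with no reply."""
    if len(pkt) < 20:
        return "discard", "short packet"
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt):
        return "discard", "bad header"
    request_auth = pkt[4:20]
    try:
        attrs = decode_attrs(pkt[20:])
    except ValueError as exc:
        return "discard", str(exc)
    by_type = {t: v for t, v, _ in attrs}   # first/last wins; fragments not reassembled here
    if EAP_MESSAGE in by_type:
        if MESSAGE_AUTHENTICATOR not in by_type:
            return "discard", "EAP-Message without Message-Authenticator"
        if not message_authenticator_ok(pkt, shared_secret):
            return "discard", "Message-Authenticator mismatch"
        return "eap", "integrity verified; hand the EAP payload to the EAP method"
    if CHAP_PASSWORD in by_type:
        user_secret = USER_SECRETS.get(by_type.get(USER_NAME, b""))
        challenge = by_type.get(CHAP_CHALLENGE, request_auth)   # per radChapChallenge text
        if user_secret and chap_response_ok(by_type[CHAP_PASSWORD], challenge, user_secret):
            return "accept", "CHAP response matches"
        return "reject", "CHAP response mismatch or unknown user"
    return "reject", "no supported authentication attribute"
```

The two outcomes differ on purpose: a missing or wrong Message-Authenticator is discarded with no reply, as the radEapMessage text requires, while a wrong CHAP response is answered with a reject. The EAP branch deliberately checks integrity before looking at the EAP payload, so a modified radEapMessage never reaches the EAP method.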
    radPortLimit OBJECT-TYPE
        SYNTAX      Unsigned32
        STATUS      current
        DESCRIPTION
            "This Attribute sets the maximum number of ports to be
            provided to the user by the NAS.  This Attribute MAY be sent
            by the server to the client in an Access-Accept packet.  It is
            intended for use in conjunction with Multilink PPP [10] or
            similar uses.  It MAY also be sent by the NAS to the server as
            a hint that that many ports are desired for use, but the
            server is not required to honor the hint."
        ::= { framedLinkSetupEntry 4 }

    --
    -- The AppleTalk Link Setup Table
    --

    appleTalkLinkSetupTable OBJECT-TYPE
        SYNTAX      SEQUENCE OF AppleTalkLinkSetupEntry
        PIB-ACCESS  notify
        STATUS      current
        DESCRIPTION ""
        ::= { radiusModelPib 12 }

    appleTalkLinkSetupEntry OBJECT-TYPE
        SYNTAX      AppleTalkLinkSetupEntry
        STATUS      current
        DESCRIPTION ""
        EXTENDS { framedLinkSetupEntry }
        ::= { appleTalkLinkSetupTable 1 }

    AppleTalkLinkSetupEntry ::= SEQUENCE {
        radArapPassword             OCTET STRING,
        radPasswordRetry3           Integer32,
        radArapChallengeResponse    OCTET STRING,
        radArapFeaturesValue1       Integer32,
        radArapFeaturesValue2       Integer32,
        radArapFeaturesValue3       Unsigned32,
        radArapFeaturesValue4       Integer32,
        radArapFeaturesValue5       Unsigned32,
        radArapZoneAccess           INTEGER,
        radArapSecurity             Unsigned32,
        radArapSecurityData         OCTET STRING
    }

    radArapPassword OBJECT-TYPE
        SYNTAX      OCTET STRING
        STATUS      current
        DESCRIPTION
            "This attribute is only present in an Access-Request packet
            containing a radFramedProtocol of ARAP.  Only one of
            radUserPassword, radChapPassword, or radArapPassword needs to
            be present in an Access-Request, or one or more
            radEapMessages."
        ::= { appleTalkLinkSetupEntry 1 }

    radPasswordRetry3 OBJECT-TYPE
        SYNTAX      Integer32
        STATUS      current
        DESCRIPTION
            "This attribute MAY be included in an Access-Reject to indicate
            how many authentication attempts a user may be allowed to
            attempt before being disconnected.  It is primarily intended
            for use with ARAP authentication."
        ::= { appleTalkLinkSetupEntry 2 }

    radArapChallengeResponse OBJECT-TYPE
        SYNTAX      OCTET STRING
        STATUS      current
        DESCRIPTION
            "This attribute is sent in an Access-Accept packet with
            radFramedProtocol of ARAP, and contains the response to the
            dial-in client's challenge."
        ::= { appleTalkLinkSetupEntry 3 }

    radArapFeaturesValue1 OBJECT-TYPE
        SYNTAX      Integer32
        STATUS      current
        DESCRIPTION
            "This attribute is sent in an Access-Accept packet with
            Framed-Protocol of ARAP, and includes password information
            that the NAS should send to the user in an ARAP 'feature
            flags' packet.  This field is one component of a 5-component
            compound string which comprises the ARAP-Features attribute.

            If radArapFeaturesValue1 is zero, users cannot change their
            password.  If non-zero, users can.  (RADIUS does not handle
            the password changing, just the attribute which indicates
            whether ARAP indicates they can.)"
        ::= { appleTalkLinkSetupEntry 4 }

    radArapFeaturesValue2 OBJECT-TYPE
        SYNTAX      Integer32
        STATUS      current
        DESCRIPTION
            "This attribute is sent in an Access-Accept packet with
            Framed-Protocol of ARAP, and includes password information
            that the NAS should send to the user in an ARAP 'feature
            flags' packet.  This field is one component of a 5-component
            compound string which comprises the ARAP-Features attribute.

            radArapFeaturesValue2 is the minimum acceptable password
            length, from 0 to 8."
        ::= { appleTalkLinkSetupEntry 5 }
    radArapFeaturesValue3 OBJECT-TYPE
        SYNTAX      Unsigned32
        STATUS      current
        DESCRIPTION
            "This attribute is sent in an Access-Accept packet with
            Framed-Protocol of ARAP, and includes password information
            that the NAS should send to the user in an ARAP 'feature
            flags' packet.  This field is one component of a 5-component
            compound string which comprises the ARAP-Features attribute.

            radArapFeaturesValue3 is the password creation date in
            Macintosh format, defined as 32 unsigned bits representing
            seconds since Midnight GMT January 1, 1904."
        ::= { appleTalkLinkSetupEntry 6 }

    radArapFeaturesValue4 OBJECT-TYPE
        SYNTAX      Integer32
        STATUS      current
        DESCRIPTION
            "This attribute is sent in an Access-Accept packet with
            Framed-Protocol of ARAP, and includes password information
            that the NAS should send to the user in an ARAP 'feature
            flags' packet.  This field is one component of a 5-component
            compound string which comprises the ARAP-Features attribute.

            radArapFeaturesValue4 is the password Expiration Delta from
            create date in seconds."
        ::= { appleTalkLinkSetupEntry 7 }

    radArapFeaturesValue5 OBJECT-TYPE
        SYNTAX      Unsigned32
        STATUS      current
        DESCRIPTION
            "This attribute is sent in an Access-Accept packet with
            Framed-Protocol of ARAP, and includes password information
            that the NAS should send to the user in an ARAP 'feature
            flags' packet.  This field is one component of a 5-component
            compound string which comprises the ARAP-Features attribute.

            radArapFeaturesValue5 is the current RADIUS time in Macintosh
            format."
        ::= { appleTalkLinkSetupEntry 8 }

    radArapZoneAccess OBJECT-TYPE
        SYNTAX      INTEGER {
                        radDefaultZone(1),
                        radUseZoneFilterInclusively(2),
                        radUseZoneFilterExclusively(4)
                    }
        STATUS      current
        DESCRIPTION
            "This attribute is included in an Access-Accept packet with
            radFramedProtocol of ARAP to indicate how the ARAP zone list
            for the user should be used.

            A value of 'radDefaultZone(1)' means: Only allow access to
            default zone.

            A value of 'radUseZoneFilterInclusively(2)' means: Use zone
            filter inclusively.

            A value of 'radUseZoneFilterExclusively(4)' means: Use zone
            filter exclusively."
        ::= { appleTalkLinkSetupEntry 9 }

    radArapSecurity OBJECT-TYPE
        SYNTAX      Unsigned32
        STATUS      current
        DESCRIPTION
            "This attribute identifies the ARAP Security Module to be used
            in an Access-Challenge packet."
        ::= { appleTalkLinkSetupEntry 10 }

    radArapSecurityData OBJECT-TYPE
        SYNTAX      OCTET STRING
        STATUS      current
        DESCRIPTION
            "This attribute contains the actual security module challenge
            or response, and can be found in Access-Challenge and
            Access-Request packets."
        ::= { appleTalkLinkSetupEntry 11 }

    --
    -- The AppleTalk Protocol Setup Table
    --

    appleTalkProtoSetupTable OBJECT-TYPE
        SYNTAX      SEQUENCE OF AppleTalkProtoSetupEntry
        PIB-ACCESS  notify
        STATUS      current
        DESCRIPTION ""
        ::= { radiusModelPib 13 }

    appleTalkProtoSetupEntry OBJECT-TYPE
        SYNTAX      AppleTalkProtoSetupEntry
        STATUS      current
        DESCRIPTION ""
        EXTENDS { appleTalkLinkSetupEntry }
        ::= { appleTalkProtoSetupTable 1 }

    AppleTalkProtoSetupEntry ::= SEQUENCE {
        radFramedAppleTalkLink      Integer32,
        radFramedAppleTalkNetwork   Integer32,
        radFramedAppleTalkZone      OCTET STRING
    }
    radFramedAppleTalkLink OBJECT-TYPE
        SYNTAX      Integer32
        STATUS      current
        DESCRIPTION
            "This Attribute indicates the AppleTalk network number which
            should be used for the serial link to the user, which is
            another AppleTalk router.  It is only used in Access-Accept
            packets.  It is never used when the user is not another
            router."
        ::= { appleTalkProtoSetupEntry 1 }

    radFramedAppleTalkNetwork OBJECT-TYPE
        SYNTAX      Integer32
        STATUS      current
        DESCRIPTION
            "This Attribute indicates the AppleTalk Network number which
            the NAS should probe to allocate an AppleTalk node for the
            user.  It is only used in Access-Accept packets.  It is never
            used when the user is another router.  Multiple instances of
            this Attribute indicate that the NAS may probe using any of
            the network numbers specified."
        ::= { appleTalkProtoSetupEntry 2 }

    radFramedAppleTalkZone OBJECT-TYPE
        SYNTAX      OCTET STRING
        STATUS      current
        DESCRIPTION
            "This Attribute indicates the AppleTalk Default Zone to be
            used for this user.  It is only used in Access-Accept packets.
            Multiple instances of this attribute in the same packet are
            not allowed."
        ::= { appleTalkProtoSetupEntry 3 }

    --
    -- The IP Setup Table
    --

    ipSetupTable OBJECT-TYPE
        SYNTAX      SEQUENCE OF IpSetupEntry
        PIB-ACCESS  notify
        STATUS      current
        DESCRIPTION ""
        ::= { radiusModelPib 14 }

    ipSetupEntry OBJECT-TYPE
        SYNTAX      IpSetupEntry
        STATUS      current
        DESCRIPTION ""
        EXTENDS { framedLinkSetupEntry }
        ::= { ipSetupTable 1 }

    IpSetupEntry ::= SEQUENCE {
        radFramedIpAddress  IpAddress,
        radFramedIpNetmask  IpAddress,
        radFramedRouting    INTEGER,
        radFramedRoute      OCTET STRING,
        radFramedPool       OCTET STRING,
        radFilterId         OCTET STRING
    }

    radFramedIpAddress OBJECT-TYPE
        SYNTAX      IpAddress
        STATUS      current
        DESCRIPTION
            "This Attribute indicates the address to be configured for the
            user.  It MAY be used in Access-Accept packets.
            It MAY be used in an Access-Request packet as a hint by the
            NAS to the server that it would prefer that address, but the
            server is not required to honor the hint."
        ::= { ipSetupEntry 1 }

    radFramedIpNetmask OBJECT-TYPE
        SYNTAX      IpAddress
        STATUS      current
        DESCRIPTION
            "This Attribute indicates the IP netmask to be configured for
            the user when the user is a router to a network.  It MAY be
            used in Access-Accept packets.  It MAY be used in an
            Access-Request packet as a hint by the NAS to the server that
            it would prefer that netmask, but the server is not required
            to honor the hint."
        ::= { ipSetupEntry 2 }

    radFramedRouting OBJECT-TYPE
        SYNTAX      INTEGER {
                        radNone(0),
                        radSendRoutingPackets(1),
                        radListenForRoutingPackets(2),
                        radSendAndListen(3)
                    }
        STATUS      current
        DESCRIPTION
            "This Attribute indicates the routing method for the user,
            when the user is a router to a network.  It is only used in
            Access-Accept packets.

            A value of 'radNone(0)' means: None.

            A value of 'radSendRoutingPackets(1)' means: Send routing
            packets.

            A value of 'radListenForRoutingPackets(2)' means: Listen for
            routing packets.

            A value of 'radSendAndListen(3)' means: Send and Listen."
        ::= { ipSetupEntry 3 }

    radFramedRoute OBJECT-TYPE
        SYNTAX      OCTET STRING
        STATUS      current
        DESCRIPTION
            "This Attribute provides routing information to be configured
            for the user on the NAS.  It is used in the Access-Accept
            packet and can appear multiple times."
        ::= { ipSetupEntry 4 }

    radFramedPool OBJECT-TYPE
        SYNTAX      OCTET STRING
        STATUS      current
        DESCRIPTION
            "This Attribute contains the name of an assigned address pool
            that SHOULD be used to assign an address for the user.  If a
            NAS does not support multiple address pools, the NAS should
            ignore this Attribute.
            Address pools are usually used for IP addresses, but can be
            used for other protocols if the NAS supports pools for those
            protocols."
        ::= { ipSetupEntry 5 }

    radFilterId OBJECT-TYPE
        SYNTAX      OCTET STRING
        STATUS      current
        DESCRIPTION
            "This Attribute indicates the name of the filter list for this
            user.  Zero or more radFilterId attributes MAY be sent in an
            Access-Accept packet.

            Identifying a filter list by name allows the filter to be used
            on different NASes without regard to filter-list
            implementation details."
        ::= { ipSetupEntry 6 }

    --
    -- The IPX Protocol Setup Table
    --

    ipxProtoSetupTable OBJECT-TYPE
        SYNTAX      SEQUENCE OF IpxProtoSetupEntry
        PIB-ACCESS  notify
        STATUS      current
        DESCRIPTION ""
        ::= { radiusModelPib 15 }

    ipxProtoSetupEntry OBJECT-TYPE
        SYNTAX      IpxProtoSetupEntry
        STATUS      current
        DESCRIPTION ""
        EXTENDS { framedLinkSetupEntry }
        ::= { ipxProtoSetupTable 1 }

    IpxProtoSetupEntry ::= SEQUENCE {
        radFramedIpxNetwork Integer32
    }

    radFramedIpxNetwork OBJECT-TYPE
        SYNTAX      Integer32
        STATUS      current
        DESCRIPTION
            "This Attribute indicates the IPX Network number to be
            configured for the user.  It is used in Access-Accept
            packets."
        ::= { ipxProtoSetupEntry 1 }

    --
    -- The Non Framed Setup Table
    --

    nonFramedSetupTable OBJECT-TYPE
        SYNTAX      SEQUENCE OF NonFramedSetupEntry
        PIB-ACCESS  notify
        STATUS      current
        DESCRIPTION ""
        ::= { radiusModelPib 16 }

    nonFramedSetupEntry OBJECT-TYPE
        SYNTAX      NonFramedSetupEntry
        STATUS      current
        DESCRIPTION ""
        EXTENDS { sessionManagementEntry }
        ::= { nonFramedSetupTable 1 }

    NonFramedSetupEntry ::= SEQUENCE {
        terminationService  Prid,
        radLoginService     INTEGER
    }

    terminationService OBJECT-TYPE
        SYNTAX      Prid
        STATUS      current
        DESCRIPTION ""
        ::= { nonFramedSetupEntry 1 }
    radLoginService OBJECT-TYPE
        SYNTAX      INTEGER {
                        radTelnet(0),
                        radRlogin(1),
                        radTCPClear(2),
                        radPortMaster(3),
                        radLAT(4),
                        radX25PAD(5),
                        radX25T3POS(6),
                        radTCPClearQuiet(8)
                    }
        STATUS      current
        DESCRIPTION
            "This Attribute indicates the service to use to connect the
            user to the login host.  It is only used in Access-Accept
            packets.

            A value of 'radTelnet(0)' means: Telnet.

            A value of 'radRlogin(1)' means: Rlogin.

            A value of 'radTCPClear(2)' means: TCP Clear.

            A value of 'radPortMaster(3)' means: PortMaster (proprietary).

            A value of 'radLAT(4)' means: LAT.

            A value of 'radX25PAD(5)' means: X25-PAD.

            A value of 'radX25T3POS(6)' means: X25-T3POS.

            A value of 'radTCPClearQuiet(8)' means: TCP Clear Quiet
            (suppresses any NAS-generated connect string)."
        ::= { nonFramedSetupEntry 2 }

    --
    -- The Non Framed TCP/IP connection Table
    --

    nonFramedTCPIPConnectTable OBJECT-TYPE
        SYNTAX      SEQUENCE OF NonFramedTCPIPConnectEntry
        PIB-ACCESS  notify
        STATUS      current
        DESCRIPTION ""
        ::= { radiusModelPib 17 }

    nonFramedTCPIPConnectEntry OBJECT-TYPE
        SYNTAX      NonFramedTCPIPConnectEntry
        STATUS      current
        DESCRIPTION ""
        EXTENDS { nonFramedSetupEntry }
        ::= { nonFramedTCPIPConnectTable 1 }

    NonFramedTCPIPConnectEntry ::= SEQUENCE {
        radLoginIpHost  IpAddress,
        radLoginTcpPort Integer32
    }

    radLoginIpHost OBJECT-TYPE
        SYNTAX      IpAddress
        STATUS      current
        DESCRIPTION
            "This Attribute indicates the system with which to connect the
            user, when the radLoginService Attribute is included.  It MAY
            be used in Access-Accept packets.  It MAY be used in an
            Access-Request packet as a hint to the server that the NAS
            would prefer to use that host, but the server is not required
            to honor the hint."
        ::= { nonFramedTCPIPConnectEntry 1 }
expires May 2001 [Page 53] INTERNET DRAFT Data Model for Network Access November 2000 radLoginTcpPort OBJECT-TYPE SYNTAX Integer32 STATUS current DESCRIPTION "This Attribute indicates the TCP port with which the user is to be connected, when the radLoginService Attribute is also present. It is only used in Access- Accept packets." ::= { nonFramedTCPIPConnectEntry 2 } -- -- The Non Framed LAT connection Table -- nonFramedLATConnectTable OBJECT-TYPE SYNTAX SEQUENCE OF NonFramedLATConnectEntry PIB-ACCESS notify STATUS current DESCRIPTION "" ::= { radiusModelPib 18 } nonFramedLATConnectEntry OBJECT-TYPE SYNTAX NonFramedLATConnectEntry STATUS current DESCRIPTION "" EXTENDS { nonFramedSetupEntry } ::= { nonFramedLATConnectTable 1 } NonFramedLATConnectEntry::= SEQUENCE { radLoginLatService OCTET STRING, radLoginLatNode OCTET STRING, radLoginLatGroup OCTET STRING, radLoginLatPort OCTET STRING } Spence et al. expires May 2001 [Page 54] INTERNET DRAFT Data Model for Network Access November 2000 radLoginLatService OBJECT-TYPE SYNTAX OCTET STRING STATUS current DESCRIPTION "This Attribute indicates the system with which the user is to be connected by LAT. It MAY be used in Access- Accept packets, but only when LAT is specified as the radLoginService. It MAY be used in an Access-Request packet as a hint to the server, but the server is not required to honor the hint. Administrators use the service attribute when dealing with clustered systems, such as a VAX or Alpha cluster. In such an environment several different time sharing hosts share the same resources (disks, printers, etc.), and administrators often configure each to offer access (service) to each of the shared resources. In this case, each host in the cluster advertises its services through LAT broadcasts. Sophisticated users often know which service providers (machines) are faster and tend to use a node name when initiating a LAT connection. 
        Alternately, some administrators want particular users to
        use certain machines as a primitive form of load balancing
        (although LAT knows how to do load balancing itself)."
    ::= { nonFramedLATConnectEntry 1 }

radLoginLatNode OBJECT-TYPE
    SYNTAX      OCTET STRING
    STATUS      current
    DESCRIPTION
        "This Attribute indicates the Node with which the user is
        to be automatically connected by LAT. It MAY be used in
        Access-Accept packets, but only when LAT is specified as
        the radLoginService. It MAY be used in an Access-Request
        packet as a hint to the server, but the server is not
        required to honor the hint."
    ::= { nonFramedLATConnectEntry 2 }

radLoginLatGroup OBJECT-TYPE
    SYNTAX      OCTET STRING
    STATUS      current
    DESCRIPTION
        "This Attribute contains a string identifying the LAT group
        codes which this user is authorized to use. It MAY be used
        in Access-Accept packets, but only when LAT is specified as
        the radLoginService. It MAY be used in an Access-Request
        packet as a hint to the server, but the server is not
        required to honor the hint.

        LAT supports 256 different group codes, which LAT uses as a
        form of access rights. LAT encodes the group codes as a 256
        bit bitmap.

        Administrators can assign one or more of the group code
        bits at the LAT service provider; it will only accept LAT
        connections that have these group codes set in the bit map.
        The administrators assign a bitmap of authorized group
        codes to each user; LAT gets these from the operating
        system, and uses these in its requests to the service
        providers."
    ::= { nonFramedLATConnectEntry 3 }

radLoginLatPort OBJECT-TYPE
    SYNTAX      OCTET STRING
    STATUS      current
    DESCRIPTION
        "This Attribute indicates the Port with which the user is
        to be connected by LAT. It MAY be used in Access-Accept
        packets, but only when LAT is specified as the
        radLoginService.
        It MAY be used in an Access-Request packet as a hint to the
        server, but the server is not required to honor the hint."
    ::= { nonFramedLATConnectEntry 4 }

--
-- The Per Session Accounting Table
--

perSessionAcctTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF PerSessionAcctEntry
    PIB-ACCESS  notify
    STATUS      current
    DESCRIPTION
        "The per-session accounting table. Each entry holds the
        accounting counters and status of one session, and refers
        to the session management entry it accounts for."
    ::= { radiusModelPib 19 }

perSessionAcctEntry OBJECT-TYPE
    SYNTAX      PerSessionAcctEntry
    STATUS      current
    DESCRIPTION
        "A per-session accounting entry."
    PIB-INDEX { perSessionAcctPrid }
    ::= { perSessionAcctTable 1 }

PerSessionAcctEntry ::= SEQUENCE {
    perSessionAcctPrid          InstanceId,
    perSessionAcctSessionMgmt   Prid,
    radAcctStatusType           INTEGER,
    radAcctInputOctets          Integer32,
    radAcctOutputOctets         Integer32,
    radAcctInputGigawords       Integer32,
    radAcctOutputGigawords      Integer32,
    radAcctSessionTime          Integer32,
    radAcctInputPackets         Integer32,
    radAcctOutputPackets        Integer32,
    radAcctAuthentic            INTEGER,
    radAcctTerminateCause       INTEGER
}

perSessionAcctPrid OBJECT-TYPE
    SYNTAX      InstanceId
    STATUS      current
    DESCRIPTION
        "An index to uniquely identify an instance of this policy
        class."
    ::= { perSessionAcctEntry 1 }

perSessionAcctSessionMgmt OBJECT-TYPE
    SYNTAX      Prid
    STATUS      current
    DESCRIPTION
        "A reference to the sessionManagementEntry of the session
        that this accounting entry describes."
    ::= { perSessionAcctEntry 2 }

radAcctStatusType OBJECT-TYPE
    SYNTAX      INTEGER {
                    radAcctStatusStart(1),
                    radAcctStatusStop(2),
                    radAcctStatusInterimUpdate(3),
                    radAcctStatusAccountingOn(7),
                    radAcctStatusAccountingOff(8),
                    radAcctStatusTunnelStart(9),
                    radAcctStatusTunnelStop(10),
                    radAcctStatusTunnelReject(11),
                    radAcctStatusTunnelLinkStart(12),
                    radAcctStatusTunnelLinkStop(13),
                    radAcctStatusTunnelLinkReject(14),
                    radAcctStatusReservedForFailed(15)
                }
    STATUS      current
    DESCRIPTION
        "This attribute indicates whether this Accounting-Request
        marks the beginning of the user service (Start) or the end
        (Stop). It MAY be used by the client to mark the start of
        accounting (for example, upon booting) by specifying
        Accounting-On and to mark the end of accounting (for
        example, just before a scheduled reboot) by specifying
        Accounting-Off.

        Values 9 through 14 are reserved for tunnel accounting in
        the RADIUS Accounting specification; the labels used here
        are the tunnel accounting assignments that the
        tunnelAcctTable below relies on.

        A value of 'radAcctStatusStart(1)' means: Start.
        A value of 'radAcctStatusStop(2)' means: Stop.
        A value of 'radAcctStatusInterimUpdate(3)' means:
            Interim-Update.
        A value of 'radAcctStatusAccountingOn(7)' means:
            Accounting-On.
        A value of 'radAcctStatusAccountingOff(8)' means:
            Accounting-Off.
        A value of 'radAcctStatusTunnelStart(9)' means:
            Tunnel-Start (reserved for tunnel accounting).
        A value of 'radAcctStatusTunnelStop(10)' means:
            Tunnel-Stop (reserved for tunnel accounting).
        A value of 'radAcctStatusTunnelReject(11)' means:
            Tunnel-Reject (reserved for tunnel accounting).
        A value of 'radAcctStatusTunnelLinkStart(12)' means:
            Tunnel-Link-Start (reserved for tunnel accounting).
        A value of 'radAcctStatusTunnelLinkStop(13)' means:
            Tunnel-Link-Stop (reserved for tunnel accounting).
        A value of 'radAcctStatusTunnelLinkReject(14)' means:
            Tunnel-Link-Reject (reserved for tunnel accounting).
        A value of 'radAcctStatusReservedForFailed(15)' means:
            Reserved for Failed."
    ::= { perSessionAcctEntry 3 }

radAcctInputOctets OBJECT-TYPE
    SYNTAX      Integer32
    STATUS      current
    DESCRIPTION
        "This attribute indicates how many octets have been
        received from the port over the course of this service
        being provided, and can only be present in
        Accounting-Request records where the radAcctStatusType is
        set to Stop."
    ::= { perSessionAcctEntry 4 }

radAcctOutputOctets OBJECT-TYPE
    SYNTAX      Integer32
    STATUS      current
    DESCRIPTION
        "This attribute indicates how many octets have been sent to
        the port in the course of delivering this service, and can
        only be present in Accounting-Request records where the
        radAcctStatusType is set to Stop."
    ::= { perSessionAcctEntry 5 }

radAcctInputGigawords OBJECT-TYPE
    SYNTAX      Integer32
    STATUS      current
    DESCRIPTION
        "This attribute indicates how many times the
        radAcctInputOctets counter has wrapped around 2^32 over
        the course of this service being provided, and can only be
        present in Accounting-Request records where the
        radAcctStatusType is set to Stop or Interim-Update."
    ::= { perSessionAcctEntry 6 }

radAcctOutputGigawords OBJECT-TYPE
    SYNTAX      Integer32
    STATUS      current
    DESCRIPTION
        "This attribute indicates how many times the
        radAcctOutputOctets counter has wrapped around 2^32 in the
        course of delivering this service, and can only be present
        in Accounting-Request records where the radAcctStatusType
        is set to Stop or Interim-Update."
    ::= { perSessionAcctEntry 7 }

radAcctSessionTime OBJECT-TYPE
    SYNTAX      Integer32
    STATUS      current
    DESCRIPTION
        "This attribute indicates how many seconds the user has
        received service for, and can only be present in
        Accounting-Request records where the radAcctStatusType is
        set to Stop."
    ::= { perSessionAcctEntry 8 }

radAcctInputPackets OBJECT-TYPE
    SYNTAX      Integer32
    STATUS      current
    DESCRIPTION
        "This attribute indicates how many packets have been
        received from the port over the course of this service
        being provided to a Framed User, and can only be present
        in Accounting-Request records where the radAcctStatusType
        is set to Stop."
    ::= { perSessionAcctEntry 9 }

radAcctOutputPackets OBJECT-TYPE
    SYNTAX      Integer32
    STATUS      current
    DESCRIPTION
        "This attribute indicates how many packets have been sent
        to the port in the course of delivering this service to a
        Framed User, and can only be present in Accounting-Request
        records where the radAcctStatusType is set to Stop."
    ::= { perSessionAcctEntry 10 }

radAcctAuthentic OBJECT-TYPE
    SYNTAX      INTEGER {
                    radAcctAuthenticRADIUS(1),
                    radAcctAuthenticLocal(2),
                    radAcctAuthenticRemote(3)
                }
    STATUS      current
    DESCRIPTION
        "This attribute MAY be included in an Accounting-Request to
        indicate how the user was authenticated, whether by RADIUS,
        the NAS itself, or another remote authentication protocol.
        Users who are delivered service without being
        authenticated SHOULD NOT generate Accounting records.

        A value of 'radAcctAuthenticRADIUS(1)' means: RADIUS.
        A value of 'radAcctAuthenticLocal(2)' means: Local.
        A value of 'radAcctAuthenticRemote(3)' means: Remote."
    ::= { perSessionAcctEntry 11 }

radAcctTerminateCause OBJECT-TYPE
    SYNTAX      INTEGER {
                    radTermCauseUserRequest(1),
                    radTermCauseLostCarrier(2),
                    radTermCauseLostService(3),
                    radTermCauseIdleTimeout(4),
                    radTermCauseSessionTimeout(5),
                    radTermCauseAdminReset(6),
                    radTermCauseAdminReboot(7),
                    radTermCausePortError(8),
                    radTermCauseNASError(9),
                    radTermCauseNASRequest(10),
                    radTermCauseNASReboot(11),
                    radTermCausePortUnneeded(12),
                    radTermCausePortPreempted(13),
                    radTermCausePortSuspended(14),
                    radTermCauseServiceUnavailable(15),
                    radTermCauseCallback(16),
                    radTermCauseUserError(17),
                    radTermCauseHostRequest(18)
                }
    STATUS      current
    DESCRIPTION
        "This attribute indicates how the session was terminated,
        and can only be present in Accounting-Request records where
        the radAcctStatusType is set to Stop. The termination
        causes are as follows:

        A value of 'radTermCauseUserRequest(1)' means: User
            requested termination of service, for example with LCP
            Terminate or by logging out.
        A value of 'radTermCauseLostCarrier(2)' means: DCD was
            dropped on the port.
        A value of 'radTermCauseLostService(3)' means: Service can
            no longer be provided; for example, user's connection
            to a host was interrupted.
        A value of 'radTermCauseIdleTimeout(4)' means: Idle timer
            expired.
        A value of 'radTermCauseSessionTimeout(5)' means: Maximum
            session length timer expired.
        A value of 'radTermCauseAdminReset(6)' means: Administrator
            reset the port or session.
        A value of 'radTermCauseAdminReboot(7)' means: Administrator
            is ending service on the NAS, for example prior to
            rebooting the NAS.
        A value of 'radTermCausePortError(8)' means: NAS detected an
            error on the port which required ending the session.
        A value of 'radTermCauseNASError(9)' means: NAS detected
            some error (other than on the port) which required
            ending the session.
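The per-session counters above are awkward to consume directly: the octet and packet counts are 32-bit on the wire, the Gigawords objects count wraps of those counters, several attributes are only legal in Stop (or Stop and Interim-Update) records, and the time of an event has to be recovered from radEventTimestamp or from arrival time minus radAcctDelayTime (both modelled in the accounting control table of this PIB). The following Python is an added example, not part of the draft or its PIB; it operates on constructed dictionaries keyed by the PIB object names, and the sample records, the arrival time and the `u32` normalisation for counters decoded as signed Integer32 are assumptions of the example.

```python
"""Normalising per-session RADIUS accounting records.

Added example; not part of the draft's PIB. Records are constructed
dictionaries keyed by the PIB object names (radAcctStatusType,
radAcctInputOctets, radAcctInputGigawords, ...) plus the accounting
control objects radAcctDelayTime and radEventTimestamp.
"""
from datetime import datetime, timedelta, timezone

# radAcctStatusType values from the enumeration in the PIB
ACCT_START, ACCT_STOP, ACCT_INTERIM_UPDATE = 1, 2, 3

# Attributes the PIB descriptions allow only in Stop records, and those
# allowed in Stop or Interim-Update records.
STOP_ONLY = ("radAcctInputOctets", "radAcctOutputOctets",
             "radAcctInputPackets", "radAcctOutputPackets",
             "radAcctSessionTime", "radAcctTerminateCause")
STOP_OR_INTERIM = ("radAcctInputGigawords", "radAcctOutputGigawords")


def u32(value):
    """The PIB models these counters as Integer32, but on the wire they are
    32-bit unsigned; a decoder that honours the signed type returns values
    >= 2^31 as negatives. Map back to 0 .. 2^32-1."""
    return value & 0xFFFFFFFF


def total_octets(record, direction):
    """64-bit byte count for direction 'Input' or 'Output': the Gigawords
    object counts wraps of the 32-bit octet counter."""
    octets = u32(record.get(f"radAcct{direction}Octets", 0))
    gigawords = u32(record.get(f"radAcct{direction}Gigawords", 0))
    return (gigawords << 32) + octets


def misplaced_attributes(record):
    """Names of attributes present in a record whose radAcctStatusType does
    not permit them. Useful as an ingest sanity check: a Start record
    carrying octet counts is malformed or forged."""
    status = record["radAcctStatusType"]
    bad = [n for n in STOP_ONLY if n in record and status != ACCT_STOP]
    bad += [n for n in STOP_OR_INTERIM
            if n in record and status not in (ACCT_STOP, ACCT_INTERIM_UPDATE)]
    return bad


def event_time(record, arrival):
    """When the event happened on the NAS. radEventTimestamp (seconds since
    1970-01-01 00:00 UTC) is used when present; otherwise subtract
    radAcctDelayTime from the server's arrival time, ignoring network
    transit time as the PIB description does."""
    if "radEventTimestamp" in record:
        return datetime.fromtimestamp(u32(record["radEventTimestamp"]),
                                      tz=timezone.utc)
    return arrival - timedelta(seconds=record.get("radAcctDelayTime", 0))


# Constructed sample records and arrival time (not captured traffic).
ARRIVAL = datetime(2000, 11, 1, 12, 0, 30, tzinfo=timezone.utc)
STOP_RECORD = {
    "radAcctStatusType": ACCT_STOP,
    "radAcctInputOctets": -1,        # 0xFFFFFFFF decoded as signed Integer32
    "radAcctInputGigawords": 2,      # the input counter wrapped twice
    "radAcctOutputOctets": 1000,
    "radAcctSessionTime": 3600,
    "radAcctDelayTime": 30,          # NAS retried for 30 s before this arrived
}
TIMESTAMPED_RECORD = {
    "radAcctStatusType": ACCT_INTERIM_UPDATE,
    "radAcctInputGigawords": 0,
    "radAcctDelayTime": 30,
    "radEventTimestamp": 973079990,  # 2000-11-01T11:59:50Z
}
BAD_START_RECORD = {
    "radAcctStatusType": ACCT_START,
    "radAcctInputOctets": 12,        # not permitted in a Start record
}

if __name__ == "__main__":
    print(total_octets(STOP_RECORD, "Input"),
          misplaced_attributes(BAD_START_RECORD),
          event_time(STOP_RECORD, ARRIVAL).isoformat())
```

The `u32` step matters because a value such as 0xFFFFFFFF is legal on the wire but negative under the Integer32 SYNTAX this PIB assigns; without it the Gigawords reconstruction silently loses 2^32 bytes per affected record.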
        A value of 'radTermCauseNASRequest(10)' means: NAS ended
            session for a non-error reason not otherwise listed
            here.
        A value of 'radTermCauseNASReboot(11)' means: The NAS ended
            the session in order to reboot non-administratively
            ('crash').
        A value of 'radTermCausePortUnneeded(12)' means: NAS ended
            session because resource usage fell below low-water
            mark (for example, if a bandwidth-on-demand algorithm
            decided that the port was no longer needed).
        A value of 'radTermCausePortPreempted(13)' means: NAS ended
            session in order to allocate the port to a higher
            priority use.
        A value of 'radTermCausePortSuspended(14)' means: NAS ended
            session to suspend a virtual session.
        A value of 'radTermCauseServiceUnavailable(15)' means: NAS
            was unable to provide requested service.
        A value of 'radTermCauseCallback(16)' means: NAS is
            terminating current session in order to perform
            callback for a new session.
        A value of 'radTermCauseUserError(17)' means: Input from
            user is in error, causing termination of session.
        A value of 'radTermCauseHostRequest(18)' means: Login Host
            terminated session normally."
    ::= { perSessionAcctEntry 12 }

--
-- The Accounting Control Table
--

accountingControlTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF AccountingControlEntry
    PIB-ACCESS  notify
    STATUS      current
    DESCRIPTION
        "The accounting control table. Each entry carries the
        timing attributes that govern how accounting records for
        a session are generated and interpreted."
    ::= { radiusModelPib 20 }

accountingControlEntry OBJECT-TYPE
    SYNTAX      AccountingControlEntry
    STATUS      current
    DESCRIPTION
        "An accounting control entry."
    PIB-INDEX { accountingControlPrid }
    ::= { accountingControlTable 1 }

AccountingControlEntry ::= SEQUENCE {
    accountingControlPrid           InstanceId,
    accountingControlSessionMgmt    Prid,
    radAcctDelayTime                Integer32,
    radEventTimestamp               Unsigned32,
    radAcctInterimInterval          Integer32
}

accountingControlPrid OBJECT-TYPE
    SYNTAX      InstanceId
    STATUS      current
    DESCRIPTION
        "An index to uniquely identify an instance of this policy
        class."
    ::= { accountingControlEntry 1 }

accountingControlSessionMgmt OBJECT-TYPE
    SYNTAX      Prid
    STATUS      current
    DESCRIPTION
        "A reference to the sessionManagementEntry of the session
        to which these accounting controls apply."
    ::= { accountingControlEntry 2 }

radAcctDelayTime OBJECT-TYPE
    SYNTAX      Integer32
    STATUS      current
    DESCRIPTION
        "This attribute indicates how many seconds the client has
        been trying to send this record for, and can be subtracted
        from the time of arrival on the server to find the
        approximate time of the event generating this
        Accounting-Request. (Network transit time is ignored.)
        Note that changing the radAcctDelayTime changes the packet
        content and therefore requires a new RADIUS Identifier;
        see the discussion of the Identifier field in the RADIUS
        Accounting specification."
    ::= { accountingControlEntry 3 }

radEventTimestamp OBJECT-TYPE
    SYNTAX      Unsigned32
    STATUS      current
    DESCRIPTION
        "This attribute is included in an Accounting-Request packet
        to record the time that this event occurred on the NAS, in
        seconds since January 1, 1970 00:00 UTC."
    ::= { accountingControlEntry 4 }

radAcctInterimInterval OBJECT-TYPE
    SYNTAX      Integer32
    STATUS      current
    DESCRIPTION
        "This attribute indicates the number of seconds between
        interim updates for this specific session. This value can
        only appear in the Access-Accept message."
    ::= { accountingControlEntry 5 }

--
-- The Tunnel Acct Table
--

tunnelAcctTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF TunnelAcctEntry
    PIB-ACCESS  notify
    STATUS      current
    DESCRIPTION
        "The tunnel accounting table. An entry extends a
        per-session accounting entry with the tunnel connection
        identifier and the packet loss count of a tunneled
        session."
    ::= { radiusModelPib 21 }

tunnelAcctEntry OBJECT-TYPE
    SYNTAX      TunnelAcctEntry
    STATUS      current
    DESCRIPTION
        "A tunnel accounting entry; it extends a
        perSessionAcctEntry."
    EXTENDS { perSessionAcctEntry }
    ::= { tunnelAcctTable 1 }

TunnelAcctEntry ::= SEQUENCE {
    radAcctTunnelConnection     OCTET STRING,
    radAcctTunnelPacketsLost    Integer32
}

radAcctTunnelConnection OBJECT-TYPE
    SYNTAX      OCTET STRING
    STATUS      current
    DESCRIPTION
        "This Attribute indicates the identifier assigned to the
        tunnel session.
        It SHOULD be included in Accounting-Request packets which
        contain a radAcctStatusType attribute having the value
        Start, Stop or any of the tunnel accounting values
        described above. This attribute, along with the
        radTunnelClientEndpoint and radTunnelServerEndpoint
        attributes [6], may be used to provide a means to uniquely
        identify a tunnel session for auditing purposes."
    ::= { tunnelAcctEntry 1 }

radAcctTunnelPacketsLost OBJECT-TYPE
    SYNTAX      Integer32
    STATUS      current
    DESCRIPTION
        "This Attribute indicates the number of packets lost on a
        given link. It SHOULD be included in Accounting-Request
        packets which contain a radAcctStatusType attribute having
        the Tunnel-Link-Stop value."
    ::= { tunnelAcctEntry 2 }

--
-- The Tunneling Service Table
--

tunnelingServiceTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF TunnelingServiceEntry
    PIB-ACCESS  notify
    STATUS      current
    DESCRIPTION
        "The tunneling service table. Each entry describes one set
        of tunnel attributes: the tunnel type and medium, the two
        endpoints, the credentials and names used to establish
        the tunnel, and the grouping, assignment and preference
        attributes that select among several such sets."
    ::= { radiusModelPib 22 }

tunnelingServiceEntry OBJECT-TYPE
    SYNTAX      TunnelingServiceEntry
    STATUS      current
    DESCRIPTION
        "A tunneling service entry."
    PIB-INDEX { tunnelingServicePrid }
    ::= { tunnelingServiceTable 1 }

TunnelingServiceEntry ::= SEQUENCE {
    tunnelingServicePrid        InstanceId,
    radTunnelType               INTEGER,
    radTunnelMediumType         INTEGER,
    radTunnelClientEndpoint     OCTET STRING,
    radTunnelServerEndpoint     OCTET STRING,
    radTunnelPassword           OCTET STRING,
    radTunnelPrivateGroupId     OCTET STRING,
    radTunnelAssignmentId       OCTET STRING,
    radTunnelPreference         Integer32,
    radTunnelClientAuthId       OCTET STRING,
    radTunnelServerAuthId       OCTET STRING
}

tunnelingServicePrid OBJECT-TYPE
    SYNTAX      InstanceId
    STATUS      current
    DESCRIPTION
        "An index to uniquely identify an instance of this policy
        class."
    ::= { tunnelingServiceEntry 1 }

radTunnelType OBJECT-TYPE
    SYNTAX      INTEGER {
                    radttPPTP(1),
                    radttL2F(2),
                    radttL2TP(3),
                    radttATMP(4),
                    radttVTP(5),
                    radttAH(6),
                    radttIpIpEncapsulation(7),
                    radttMinIpIp(8),
                    radttESP(9),
                    radttGRE(10),
                    radttDVS(11),
                    radttIpIpTunneling(12)
                }
    STATUS      current
    DESCRIPTION
        "This Attribute indicates the tunneling protocol(s) to be
        used (in the case of a tunnel initiator) or the tunneling
        protocol in use (in the case of a tunnel terminator). It
        MAY be included in Access-Request, Access-Accept and
        Accounting-Request packets.

        If the radTunnelType Attribute is present in an
        Access-Request packet sent from a tunnel initiator, it
        SHOULD be taken as a hint to the RADIUS server as to the
        tunneling protocols supported by the tunnel end-point; the
        RADIUS server MAY ignore the hint, however. A tunnel
        initiator is not required to implement any of these tunnel
        types; if a tunnel initiator receives an Access-Accept
        packet which contains only unknown or unsupported
        radTunnelTypes, the tunnel initiator MUST behave as though
        an Access-Reject had been received instead.

        If the radTunnelType Attribute is present in an
        Access-Request packet sent from a tunnel terminator, it
        SHOULD be taken to signify the tunneling protocol in use.
        In this case, if the RADIUS server determines that the use
        of the communicated protocol is not authorized, it MAY
        return an Access-Reject packet. If a tunnel terminator
        receives an Access-Accept packet which contains one or more
        radTunnelType Attributes, none of which represent the
        tunneling protocol in use, the tunnel terminator SHOULD
        behave as though an Access-Reject had been received
        instead.

        A value of 'radttPPTP(1)' indicates Point-to-Point
            Tunneling Protocol (PPTP).
        A value of 'radttL2F(2)' indicates Layer Two Forwarding
            (L2F).
        A value of 'radttL2TP(3)' indicates Layer Two Tunneling
            Protocol (L2TP).
        A value of 'radttATMP(4)' indicates Ascend Tunnel
            Management Protocol (ATMP).
        A value of 'radttVTP(5)' indicates Virtual Tunneling
            Protocol (VTP).
        A value of 'radttAH(6)' indicates IP Authentication Header
            in the Tunnel-mode (AH).
        A value of 'radttIpIpEncapsulation(7)' indicates IP-in-IP
            Encapsulation (IP-IP).
        A value of 'radttMinIpIp(8)' indicates Minimal IP-in-IP
            Encapsulation (MIN-IP-IP).
        A value of 'radttESP(9)' indicates IP Encapsulating
            Security Payload in the Tunnel-mode (ESP).
        A value of 'radttGRE(10)' indicates Generic Route
            Encapsulation (GRE).
        A value of 'radttDVS(11)' indicates Bay Dial Virtual
            Services (DVS).
        A value of 'radttIpIpTunneling(12)' indicates IP-in-IP
            Tunneling."
    ::= { tunnelingServiceEntry 2 }

radTunnelMediumType OBJECT-TYPE
    SYNTAX      INTEGER {
                    radtmIpV4(1),
                    radtmIpV6(2),
                    radtmNSAP(3),
                    radtmHDLC(4),
                    radtmBBN1822(5),
                    radtm802(6),
                    radtmE163(7),
                    radtmE164(8),
                    radtmF69(9),
                    radtmX121(10),
                    radtmIPX(11),
                    radtmAppletalk(12),
                    radtmDecnetIV(13),
                    radtmBanyanVines(14),
                    radtmE164withNsapFormatSubaddr(15)
                }
    STATUS      current
    DESCRIPTION
        "The radTunnelMediumType Attribute indicates which
        transport medium to use when creating a tunnel for those
        protocols (such as L2TP) that can operate over multiple
        transports. It MAY be included in both Access-Request and
        Access-Accept packets; if it is present in an
        Access-Request packet, it SHOULD be taken as a hint to the
        RADIUS server as to the tunnel media supported by the
        tunnel end-point. The RADIUS server MAY ignore the hint,
        however.

        A value of 'radtmIpV4(1)' means: IPv4 (IP version 4).
        A value of 'radtmIpV6(2)' means: IPv6 (IP version 6).
        A value of 'radtmNSAP(3)' means: NSAP.
        A value of 'radtmHDLC(4)' means: HDLC (8-bit multidrop).
        A value of 'radtmBBN1822(5)' means: BBN 1822.
        A value of 'radtm802(6)' means: 802 (includes all 802 media
            plus Ethernet 'canonical format').
        A value of 'radtmE163(7)' means: E.163 (POTS).
        A value of 'radtmE164(8)' means: E.164 (SMDS, Frame Relay,
            ATM).
        A value of 'radtmF69(9)' means: F.69 (Telex).
        A value of 'radtmX121(10)' means: X.121 (X.25, Frame
            Relay).
        A value of 'radtmIPX(11)' means: IPX.
        A value of 'radtmAppletalk(12)' means: Appletalk.
        A value of 'radtmDecnetIV(13)' means: Decnet IV.
        A value of 'radtmBanyanVines(14)' means: Banyan Vines.
        A value of 'radtmE164withNsapFormatSubaddr(15)' means:
            E.164 with NSAP format subaddress."
    ::= { tunnelingServiceEntry 3 }

radTunnelClientEndpoint OBJECT-TYPE
    SYNTAX      OCTET STRING
    STATUS      current
    DESCRIPTION
        "This Attribute contains the address of the initiator end
        of the tunnel. It MAY be included in both Access-Request
        and Access-Accept packets to indicate the address from
        which a new tunnel is to be initiated. If the
        radTunnelClientEndpoint Attribute is included in an
        Access-Request packet, the RADIUS server should take the
        value as a hint; the server is not obligated to honor the
        hint, however. This Attribute SHOULD be included in
        Accounting-Request packets which contain radAcctStatusType
        attributes with values of either Start or Stop, in which
        case it indicates the address from which the tunnel was
        initiated. This Attribute, along with the
        radTunnelServerEndpoint and radAcctTunnelConnection
        attributes, may be used to provide a globally unique means
        to identify a tunnel for accounting and auditing
        purposes."
    ::= { tunnelingServiceEntry 4 }

radTunnelServerEndpoint OBJECT-TYPE
    SYNTAX      OCTET STRING
    STATUS      current
    DESCRIPTION
        "This Attribute indicates the address of the server end of
        the tunnel.
        The radTunnelServerEndpoint Attribute MAY be included (as a
        hint to the RADIUS server) in the Access-Request packet and
        MUST be included in the Access-Accept packet if the
        initiation of a tunnel is desired. It SHOULD be included in
        Accounting-Request packets which contain radAcctStatusType
        attributes with values of either Start or Stop and which
        pertain to a tunneled session. This Attribute, along with
        the radTunnelClientEndpoint and radAcctTunnelConnection
        Attributes [5], may be used to provide a globally unique
        means to identify a tunnel for accounting and auditing
        purposes."
    ::= { tunnelingServiceEntry 5 }

radTunnelPassword OBJECT-TYPE
    SYNTAX      OCTET STRING
    STATUS      current
    DESCRIPTION
        "This Attribute may contain a password to be used to
        authenticate to a remote server. It may only be included
        in an Access-Accept packet."
    ::= { tunnelingServiceEntry 6 }

radTunnelPrivateGroupId OBJECT-TYPE
    SYNTAX      OCTET STRING
    STATUS      current
    DESCRIPTION
        "This Attribute indicates the group ID for a particular
        tunneled session. The radTunnelPrivateGroupId Attribute
        MAY be included in the Access-Request packet if the tunnel
        initiator can pre-determine the group resulting from a
        particular connection and SHOULD be included in the
        Access-Accept packet if this tunnel session is to be
        treated as belonging to a particular private group.
        Private groups may be used to associate a tunneled session
        with a particular group of users. For example, it may be
        used to facilitate routing of unregistered IP addresses
        through a particular interface. It SHOULD be included in
        Accounting-Request packets which contain radAcctStatusType
        attributes with values of either Start or Stop and which
        pertain to a tunneled session."
    ::= { tunnelingServiceEntry 7 }

radTunnelAssignmentId OBJECT-TYPE
    SYNTAX      OCTET STRING
    STATUS      current
    DESCRIPTION
        "This Attribute is used to indicate to the tunnel initiator
        the particular tunnel to which a session is to be
        assigned. Some tunneling protocols, such as PPTP and L2TP,
        allow for sessions between the same two tunnel endpoints
        to be multiplexed over the same tunnel and also for a
        given session to utilize its own dedicated tunnel. This
        attribute provides a mechanism for RADIUS to be used to
        inform the tunnel initiator (e.g. PAC, LAC) whether to
        assign the session to a multiplexed tunnel or to a
        separate tunnel. Furthermore, it allows for sessions
        sharing multiplexed tunnels to be assigned to different
        multiplexed tunnels.

        A particular tunneling implementation may assign differing
        characteristics to particular tunnels. For example,
        different tunnels may be assigned different QOS
        parameters. Such tunnels may be used to carry either
        individual or multiple sessions. The radTunnelAssignmentId
        attribute thus allows the RADIUS server to indicate that a
        particular session is to be assigned to a tunnel that
        provides an appropriate level of service. It is expected
        that any QOS-related RADIUS tunneling attributes defined
        in the future that accompany this attribute will be
        associated by the tunnel initiator with the ID given by
        this attribute. In the meantime, any semantic given to a
        particular ID string is a matter left to local
        configuration in the tunnel initiator.

        The radTunnelAssignmentId attribute is of significance
        only to RADIUS and the tunnel initiator. The ID it
        specifies is intended to be of only local use to RADIUS
        and the tunnel initiator. The ID assigned by the tunnel
        initiator is not conveyed to the tunnel peer.

        This attribute MAY be included in the Access-Accept.
        The tunnel initiator receiving this attribute MAY choose to
        ignore it and assign the session to an arbitrary
        multiplexed or non-multiplexed tunnel between the desired
        endpoints. This attribute SHOULD also be included in
        Accounting-Request packets which contain radAcctStatusType
        attributes with values of either Start or Stop and which
        pertain to a tunneled session.

        If a tunnel initiator supports the radTunnelAssignmentId
        Attribute, then it should assign a session to a tunnel in
        the following manner:

        -  If this attribute is present and a tunnel exists
           between the specified endpoints with the specified ID,
           then the session should be assigned to that tunnel.

        -  If this attribute is present and no tunnel exists
           between the specified endpoints with the specified ID,
           then a new tunnel should be established for the session
           and the specified ID should be associated with the new
           tunnel.

        -  If this attribute is not present, then the session is
           assigned to an unnamed tunnel. If an unnamed tunnel
           does not yet exist between the specified endpoints then
           it is established and used for this and subsequent
           sessions established without the radTunnelAssignmentId
           attribute. A tunnel initiator MUST NOT assign a session
           for which a radTunnelAssignmentId Attribute was not
           specified to a named tunnel (i.e. one that was
           initiated by a session specifying this attribute).

        Note that the same ID may be used to name different
        tunnels if such tunnels are between different endpoints."
    ::= { tunnelingServiceEntry 8 }

radTunnelPreference OBJECT-TYPE
    SYNTAX      Integer32
    STATUS      current
    DESCRIPTION
        "If more than one set of tunneling attributes is returned
        by the RADIUS server to the tunnel initiator, this
        Attribute SHOULD be included in each set to indicate the
        relative preference assigned to each tunnel.
        For example, suppose that Attributes describing two tunnels
        are returned by the server, one with a radTunnelType of
        PPTP and the other with a radTunnelType of L2TP. If the
        tunnel initiator supports only one of the radTunnelTypes
        returned, it will initiate a tunnel of that type. If,
        however, it supports both tunnel protocols, it SHOULD use
        the value of the radTunnelPreference Attribute to decide
        which tunnel should be started. The tunnel having the
        numerically lowest value in the Value field of this
        Attribute SHOULD be given the highest preference. The
        values assigned to two or more instances of the
        radTunnelPreference Attribute within a given Access-Accept
        packet MAY be identical. In this case, the tunnel
        initiator SHOULD use locally configured metrics to decide
        which set of attributes to use. This Attribute MAY be
        included (as a hint to the server) in Access-Request
        packets, but the RADIUS server is not required to honor
        this hint."
    ::= { tunnelingServiceEntry 9 }

radTunnelClientAuthId OBJECT-TYPE
    SYNTAX      OCTET STRING
    STATUS      current
    DESCRIPTION
        "This Attribute specifies the name used by the tunnel
        initiator during the authentication phase of tunnel
        establishment. The radTunnelClientAuthId Attribute MAY be
        included (as a hint to the RADIUS server) in the
        Access-Request packet, and MUST be included in the
        Access-Accept packet if an authentication name other than
        the default is desired. This Attribute SHOULD be included
        in Accounting-Request packets which contain
        radAcctStatusType attributes with values of either Start
        or Stop and which pertain to a tunneled session."
    ::= { tunnelingServiceEntry 10 }

radTunnelServerAuthId OBJECT-TYPE
    SYNTAX      OCTET STRING
    STATUS      current
    DESCRIPTION
        "This Attribute specifies the name used by the tunnel
        terminator during the authentication phase of tunnel
        establishment.
        The radTunnelServerAuthId Attribute MAY be included (as a
        hint to the RADIUS server) in the Access-Request packet,
        and MUST be included in the Access-Accept packet if an
        authentication name other than the default is desired.
        This Attribute SHOULD be included in Accounting-Request
        packets which contain radAcctStatusType attributes with
        values of either Start or Stop and which pertain to a
        tunneled session."
    ::= { tunnelingServiceEntry 11 }

--
-- The Multilink Session Table
--

multilinkSessionTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF MultilinkSessionEntry
    PIB-ACCESS  notify
    STATUS      current
    DESCRIPTION
        "The multilink session table. Each entry ties the links of
        one multilink session together through a shared
        accounting identifier and records how many links have
        been seen."
    ::= { radiusModelPib 23 }

multilinkSessionEntry OBJECT-TYPE
    SYNTAX      MultilinkSessionEntry
    STATUS      current
    DESCRIPTION
        "A multilink session entry."
    PIB-INDEX { multilinkSessionPrid }
    ::= { multilinkSessionTable 1 }

MultilinkSessionEntry ::= SEQUENCE {
    multilinkSessionPrid        InstanceId,
    multilinkSessionMgmt        Prid,
    radAcctMultiSessionId       OCTET STRING,
    radAcctLinkCount            Integer32
}

multilinkSessionPrid OBJECT-TYPE
    SYNTAX      InstanceId
    STATUS      current
    DESCRIPTION
        "An index to uniquely identify an instance of this policy
        class."
    ::= { multilinkSessionEntry 1 }

multilinkSessionMgmt OBJECT-TYPE
    SYNTAX      Prid
    STATUS      current
    DESCRIPTION
        "A reference to the sessionManagementEntry of the link
        that belongs to this multilink session."
    ::= { multilinkSessionEntry 2 }

radAcctMultiSessionId OBJECT-TYPE
    SYNTAX      OCTET STRING
    STATUS      current
    DESCRIPTION
        "This attribute is a unique Accounting ID to make it easy
        to link together multiple related sessions in a log file.
        Each session linked together would have a unique
        radAcctSessionId but the same radAcctMultiSessionId. It is
        strongly recommended that the radAcctMultiSessionId
        contain UTF-8 encoded 10646 [11] characters."
    ::= { multilinkSessionEntry 3 }
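Returning to the tunneling service attributes above: a tunnel initiator that receives an Access-Accept has to apply the radTunnelType, radTunnelPreference and radTunnelAssignmentId rules in sequence (discard unsupported types, treat an empty result as an Access-Reject, pick the lowest preference, break ties locally, then place the session on a named or unnamed tunnel between the given endpoints). The following Python is an added example and not code from the draft; it works on constructed attribute sets keyed by the PIB object names, the endpoint strings are placeholders, and the ranking of a set that lacks radTunnelPreference behind all sets that carry one is an assumption of the example (the draft only says the attribute SHOULD be present when several sets are returned).

```python
"""Tunnel initiator handling of an Access-Accept carrying tunnel attribute
sets. Added example, not code from the draft; applies the radTunnelType,
radTunnelPreference and radTunnelAssignmentId rules to constructed
attribute sets keyed by the PIB object names.
"""

# radTunnelType values from the enumeration in the PIB
PPTP, L2F, L2TP, ATMP = 1, 2, 3, 4


class TreatAsAccessReject(Exception):
    """No usable tunnel set: the initiator MUST behave as though an
    Access-Reject had been received."""


def select_tunnel_set(tunnel_sets, supported_types, local_metric=lambda s: 0):
    """Choose the tunnel attribute set to act on.

    - sets with an unknown or unsupported radTunnelType are discarded;
    - nothing left means Access-Reject semantics;
    - the numerically lowest radTunnelPreference wins;
    - equal preferences fall back to a locally configured metric.
    Assumption of this example: a set without radTunnelPreference ranks
    after every set that carries one.
    """
    usable = [s for s in tunnel_sets if s.get("radTunnelType") in supported_types]
    if not usable:
        raise TreatAsAccessReject("no supported radTunnelType in Access-Accept")

    def rank(s):
        pref = s.get("radTunnelPreference")
        return (pref is None, pref if pref is not None else 0, local_metric(s))

    return min(usable, key=rank)


class TunnelInitiator:
    """Keeps one tunnel per (client endpoint, server endpoint, assignment id).
    The unnamed tunnel of an endpoint pair has assignment id None, so a
    session without radTunnelAssignmentId can never land on a named tunnel,
    and the same id names distinct tunnels for distinct endpoint pairs."""

    def __init__(self, supported_types):
        self.supported_types = set(supported_types)
        self.tunnels = {}    # (client_ep, server_ep, assignment_id) -> tunnel name
        self.sessions = {}   # session id -> tunnel name
        self._next = 0

    def handle_access_accept(self, session_id, tunnel_sets):
        """Return (radTunnelType used, tunnel name) or raise
        TreatAsAccessReject."""
        chosen = select_tunnel_set(tunnel_sets, self.supported_types)
        key = (chosen["radTunnelClientEndpoint"],
               chosen["radTunnelServerEndpoint"],
               chosen.get("radTunnelAssignmentId"))   # None -> unnamed tunnel
        if key not in self.tunnels:                    # no such tunnel: establish one
            self._next += 1
            self.tunnels[key] = f"tunnel{self._next}"
        self.sessions[session_id] = self.tunnels[key]
        return chosen["radTunnelType"], self.tunnels[key]


def tunnel_set(ttype, pref=None, server="lns.example.net", assignment=None):
    """Build a constructed attribute set; endpoint names are placeholders."""
    s = {"radTunnelType": ttype,
         "radTunnelClientEndpoint": "lac.example.net",
         "radTunnelServerEndpoint": server}
    if pref is not None:
        s["radTunnelPreference"] = pref
    if assignment is not None:
        s["radTunnelAssignmentId"] = assignment
    return s


if __name__ == "__main__":
    lac = TunnelInitiator({L2TP})
    offer = [tunnel_set(PPTP, 1, assignment="gold"), tunnel_set(L2TP, 2, assignment="gold")]
    print(lac.handle_access_accept("s1", offer))       # PPTP preferred but unsupported
    print(lac.handle_access_accept("s2", [tunnel_set(L2TP)]))  # unnamed tunnel
```

The reject path deserves attention in a deployment: an Access-Accept whose only tunnel sets are unsupported must end in a reject, not in an untunneled session, which is why the selection raises rather than returning None.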
radAcctLinkCount OBJECT-TYPE
    SYNTAX         Integer32
    STATUS         current
    DESCRIPTION
        "This attribute gives the count of links which are known to have
        been in a given multilink session at the time the accounting
        record is generated.  The NAS MAY include the radAcctLinkCount
        attribute in any Accounting-Request which might have multiple
        links.

        The Value field contains the number of links seen so far in this
        Multilink Session.  It may be used to make it easier for an
        accounting server to know when it has all the records for a
        given Multilink session.  When the number of Accounting-Requests
        received with radAcctStatusType = Stop and the same
        radAcctMultiSessionId and unique radAcctSessionId's equals the
        largest value of radAcctLinkCount seen in those
        Accounting-Requests, all Stop Accounting-Requests for that
        Multilink Session have been received.

        An example showing 8 Accounting-Requests should make things
        clearer.  For clarity only the relevant attributes are shown,
        but additional attributes containing accounting information will
        also be present in the Accounting-Request.

        Multi-Session-Id  Session-Id  Status-Type  Link-Count
             '10'            '10'        Start          1
             '10'            '11'        Start          2
             '10'            '11'        Stop           2
             '10'            '12'        Start          3
             '10'            '13'        Start          4
             '10'            '12'        Stop           4
             '10'            '13'        Stop           4
             '10'            '10'        Stop           4"
    ::= { multilinkSessionEntry 4 }
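The radAcctLinkCount completion rule above, worked through on the eight Accounting-Requests in the table, as an added Python example that is not part of this draft or of any implementation it describes. The attribute names follow the PIB; the per-record dict layout, the MultilinkTracker class and its method names are this example's own assumptions.

```python
from collections import defaultdict


class MultilinkTracker:
    """Tracks Stop records per radAcctMultiSessionId and reports completion."""

    def __init__(self):
        self._started = defaultdict(set)    # Session-Ids with a Start seen
        self._stopped = defaultdict(set)    # Session-Ids with a Stop seen
        self._max_links = defaultdict(int)  # largest Link-Count seen in Stops

    def observe(self, record):
        """Feed one Accounting-Request (a dict keyed by the draft's attribute
        names).  Returns True when this record completes its multilink session."""
        msid = record["radAcctMultiSessionId"]
        sid = record["radAcctSessionId"]
        status = record["radAcctStatusType"]
        if status == "Start":
            self._started[msid].add(sid)
            return False
        if status != "Stop":
            return False            # Interim-Update and others do not count here
        self._stopped[msid].add(sid)
        self._max_links[msid] = max(self._max_links[msid],
                                    int(record.get("radAcctLinkCount", 0)))
        return self.is_complete(msid)

    def is_complete(self, msid):
        """The draft's rule: the number of distinct Session-Ids seen in Stop
        records equals the largest Link-Count seen in those Stop records."""
        return self._max_links[msid] > 0 and \
            len(self._stopped[msid]) == self._max_links[msid]

    def missing_stops(self, msid):
        """Session-Ids that started but have not stopped, for auditing a log."""
        return sorted(self._started[msid] - self._stopped[msid])


def _rec(msid, sid, status, links):
    """Build a minimal Accounting-Request record (constructed sample data)."""
    return {"radAcctMultiSessionId": msid, "radAcctSessionId": sid,
            "radAcctStatusType": status, "radAcctLinkCount": links}


# The eight Accounting-Requests from the draft's radAcctLinkCount example.
EXAMPLE_RECORDS = [
    _rec("10", "10", "Start", 1), _rec("10", "11", "Start", 2),
    _rec("10", "11", "Stop", 2),  _rec("10", "12", "Start", 3),
    _rec("10", "13", "Start", 4), _rec("10", "12", "Stop", 4),
    _rec("10", "13", "Stop", 4),  _rec("10", "10", "Stop", 4),
]


def completing_record(records=EXAMPLE_RECORDS):
    """1-based index of the record that completes its multilink session,
    or None if the log is still incomplete."""
    tracker = MultilinkTracker()
    for n, rec in enumerate(records, 1):
        if tracker.observe(rec):
            return n
    return None
```

On the draft's table the session is reported complete at the eighth record, and the tracker gives the same answer when the records arrive in a different order, since only the Stop records and the largest Link-Count among them matter. One caveat a practitioner should keep in mind: the rule cannot distinguish a finished session from one in which every link so far has stopped before a further link starts, so an accounting server should be prepared to reopen a session it has already marked complete.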
--
-- The Termination Service Table
--

terminationServiceTable OBJECT-TYPE
    SYNTAX         SEQUENCE OF TerminationServiceEntry
    PIB-ACCESS     notify
    STATUS         current
    DESCRIPTION
        ""
    ::= { radiusModelPib 24 }

terminationServiceEntry OBJECT-TYPE
    SYNTAX         TerminationServiceEntry
    STATUS         current
    DESCRIPTION
        ""
    PIB-INDEX { terminationServicePrid }
    ::= { terminationServiceTable 1 }

TerminationServiceEntry ::= SEQUENCE {
    terminationServicePrid   InstanceId,
    nonFramedSetup           Prid,
    radState2                OCTET STRING,
    radTerminationAction     INTEGER
}

terminationServicePrid OBJECT-TYPE
    SYNTAX         InstanceId
    STATUS         current
    DESCRIPTION
        "An index to uniquely identify an instance of this policy
        class."
    ::= { terminationServiceEntry 1 }

nonFramedSetup OBJECT-TYPE
    SYNTAX         Prid
    STATUS         current
    DESCRIPTION
        ""
    ::= { terminationServiceEntry 2 }

radState2 OBJECT-TYPE
    SYNTAX         OCTET STRING
    STATUS         current
    DESCRIPTION
        "This Attribute is available to be sent by the server to the
        client in an Access-Accept that also includes a
        radTerminationAction Attribute with the value of RADIUS-Request.
        If the NAS performs the radTerminationAction by sending a new
        Access-Request upon termination of the current session, it MUST
        include the radState attribute unchanged in that Access-Request.

        The client MUST NOT interpret the attribute locally.  A packet
        must have only zero or one radState Attribute.  Usage of the
        radState Attribute is implementation dependent."
    ::= { terminationServiceEntry 3 }

radTerminationAction OBJECT-TYPE
    SYNTAX         INTEGER {
                       radDefault(0),
                       radRadiusRequest(1)
                   }
    STATUS         current
    DESCRIPTION
        "This Attribute indicates what action the NAS should take when
        the specified service is completed.  It is only used in
        Access-Accept packets.
        A value of 'radDefault(0)' means to take the default action.  If
        the value is set to 'radRadiusRequest(1)', upon termination of
        the specified service the NAS MAY send a new Access-Request to
        the RADIUS server, including the radState attribute if any."
    ::= { terminationServiceEntry 4 }

--
-- The Excluded Radius Attributes Table
-- (i.e. the Radius attributes not included in the model)
--

excludedAttributesTable OBJECT-TYPE
    SYNTAX         SEQUENCE OF ExcludedAttributesEntry
    PIB-ACCESS     notify
    STATUS         current
    DESCRIPTION
        ""
    ::= { radiusModelPib 25 }

excludedAttributesEntry OBJECT-TYPE
    SYNTAX         ExcludedAttributesEntry
    STATUS         current
    DESCRIPTION
        ""
    PIB-INDEX { excludedAttributesPrid }
    ::= { excludedAttributesTable 1 }

ExcludedAttributesEntry ::= SEQUENCE {
    excludedAttributesPrid   InstanceId,
    radProxyState            OCTET STRING,
    radMessageAuthenticator  OCTET STRING,
    radVendorSpecific        OCTET STRING
}

excludedAttributesPrid OBJECT-TYPE
    SYNTAX         InstanceId
    STATUS         current
    DESCRIPTION
        "An index to uniquely identify an instance of this policy
        class."
    ::= { excludedAttributesEntry 1 }

radProxyState OBJECT-TYPE
    SYNTAX         OCTET STRING
    STATUS         current
    DESCRIPTION
        "This Attribute is available to be sent by a proxy server to
        another server when forwarding an Access-Request and MUST be
        returned unmodified in the Access-Accept, Access-Reject or
        Access-Challenge.  When the proxy server receives the response
        to its request, it MUST remove its own radProxyState (the last
        radProxyState in the packet) before forwarding the response to
        the NAS.

        If a radProxyState Attribute is added to a packet when forwarding
        the packet, the radProxyState Attribute MUST be added after any
        existing radProxyState attributes.  The content of any
        radProxyState other than the one added by the current server
        should be treated as opaque octets and MUST NOT affect operation
        of the protocol.
        Usage of the radProxyState Attribute is implementation
        dependent.  A description of its function is outside the scope
        of this specification."
    ::= { excludedAttributesEntry 2 }

radMessageAuthenticator OBJECT-TYPE
    SYNTAX         OCTET STRING
    STATUS         current
    DESCRIPTION
        "This attribute MAY be used to sign Access-Requests to prevent
        spoofing Access-Requests using CHAP, ARAP or EAP authentication
        methods.  It MAY be used in any Access-Request.  It MUST be used
        in any Access-Request, Access-Accept, Access-Reject or
        Access-Challenge that includes a radEapMessage attribute.

        A RADIUS Server receiving an Access-Request with a
        Message-Authenticator Attribute present MUST calculate the
        correct value of the Message-Authenticator and silently discard
        the packet if it does not match the value sent.

        A RADIUS Client receiving an Access-Accept, Access-Reject or
        Access-Challenge with a Message-Authenticator Attribute present
        MUST calculate the correct value of the Message-Authenticator and
        silently discard the packet if it does not match the value sent.

        Earlier drafts of this memo used 'Signature' as the name of this
        attribute, but Message-Authenticator is more precise.  Its
        operation has not changed, just the name."
    ::= { excludedAttributesEntry 3 }

radVendorSpecific OBJECT-TYPE
    SYNTAX         OCTET STRING
    STATUS         current
    DESCRIPTION
        "This Attribute is available to allow vendors to support their
        own extended Attributes not suitable for general usage.  It MUST
        not affect the operation of the RADIUS protocol.

        Servers not equipped to interpret the vendor-specific information
        sent by a client MUST ignore it (although it may be reported).
        Clients which do not receive desired vendor-specific information
        SHOULD make an attempt to operate without it, although they may
        do so (and report they are doing so) in a degraded mode."
    ::= { excludedAttributesEntry 4 }
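Proxy-State stacking and Message-Authenticator verification for two of the excluded attributes described above, as an added Python example that is not part of this draft. The HMAC-MD5 construction is the one specified in RFC 2869 [7] (keyed with the shared secret, over Code, Identifier, Length, the Access-Request's Request Authenticator and the attributes, with the Message-Authenticator value zeroed); the draft itself only requires that a mismatch cause the packet to be silently discarded. The attribute type numbers 1, 33 and 80 are the IANA assignments for User-Name, Proxy-State and Message-Authenticator; the function names, shared secrets, Proxy-State values and packet contents are constructed for this example.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, PROXY_STATE, MESSAGE_AUTHENTICATOR = 1, 33, 80   # IANA attribute types


def encode_attrs(attrs):
    """[(type, value bytes)] -> RADIUS Type/Length/Value bytes."""
    out = bytearray()
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return bytes(out)


def decode_attrs(data):
    """RADIUS TLV bytes -> [(type, value bytes)]; rejects malformed lengths."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2 or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        length = data[i + 1]
        attrs.append((data[i], bytes(data[i + 2:i + length])))
        i += length
    return attrs


def _hmac_input(pkt, request_authenticator):
    """RFC 2869 HMAC input: the packet with its Authenticator field replaced by
    the Access-Request's Request Authenticator and the Message-Authenticator
    value set to 16 zero octets.  Returns (bytes, offset of that value or None)."""
    buf = bytearray(pkt)
    buf[4:20] = request_authenticator
    offset, pos = None, 20
    for t, v in decode_attrs(pkt[20:]):
        if t == MESSAGE_AUTHENTICATOR:
            if len(v) != 16 or offset is not None:
                raise ValueError("malformed or duplicate Message-Authenticator")
            offset = pos + 2
            buf[offset:offset + 16] = bytes(16)
        pos += 2 + len(v)
    return bytes(buf), offset


def build_packet(code, ident, authenticator, attrs, secret, request_authenticator=None):
    """Assemble a packet with a correct Message-Authenticator appended.
    For responses, pass the matching Access-Request's authenticator."""
    body = encode_attrs(list(attrs) + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    pkt = struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body
    zeroed, off = _hmac_input(pkt, request_authenticator or authenticator)
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return pkt[:off] + mac + pkt[off + 16:]


def verify_message_authenticator(pkt, secret, request_authenticator=None):
    """True only if exactly one Message-Authenticator is present and correct.
    False means the receiver must silently discard the packet."""
    if len(pkt) < 20:
        return False
    try:
        zeroed, off = _hmac_input(pkt, request_authenticator or pkt[4:20])
    except ValueError:
        return False
    if off is None:
        return False
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, pkt[off:off + 16])


def add_proxy_state(attrs, state):
    """Forwarding a request: our Proxy-State goes after all existing ones.  The
    old Message-Authenticator is dropped; build_packet adds a fresh one keyed
    with the next hop's secret."""
    return [a for a in attrs if a[0] != MESSAGE_AUTHENTICATOR] + [(PROXY_STATE, state)]


def pop_own_proxy_state(attrs, state):
    """Handling a response: remove the LAST Proxy-State, which must be ours."""
    idx = [i for i, (t, _) in enumerate(attrs) if t == PROXY_STATE]
    if not idx or attrs[idx[-1]][1] != state:
        raise ValueError("last Proxy-State is not ours; response cannot be matched")
    return [a for i, a in enumerate(attrs)
            if i != idx[-1] and a[0] != MESSAGE_AUTHENTICATOR]


def proxy_roundtrip():
    """NAS -> proxy -> home server and back, with constructed secrets and
    packet contents.  Returns (Proxy-States seen by the home server,
    Proxy-States left in the reply after the proxy strips its own)."""
    nas_secret, home_secret = b"nas-side-secret", b"home-side-secret"
    req_auth = bytes(range(16))       # constructed; a real NAS uses a random value
    from_nas = build_packet(ACCESS_REQUEST, 7, req_auth,
                            [(USER_NAME, b"alice"), (PROXY_STATE, b"upstream-1")],
                            nas_secret)
    if not verify_message_authenticator(from_nas, nas_secret):
        raise ValueError("discard: bad Message-Authenticator from NAS")
    to_home = build_packet(ACCESS_REQUEST, 7, req_auth,
                           add_proxy_state(decode_attrs(from_nas[20:]), b"proxy-A-txn-42"),
                           home_secret)
    seen_at_home = [v for t, v in decode_attrs(to_home[20:]) if t == PROXY_STATE]
    resp_auth = bytes(16)             # constructed placeholder, not a real Response Authenticator
    reply = build_packet(ACCESS_ACCEPT, 7, resp_auth,
                         [(PROXY_STATE, v) for v in seen_at_home], home_secret, req_auth)
    if not verify_message_authenticator(reply, home_secret, req_auth):
        raise ValueError("discard: bad Message-Authenticator from home server")
    to_nas = build_packet(ACCESS_ACCEPT, 7, resp_auth,
                          pop_own_proxy_state(decode_attrs(reply[20:]), b"proxy-A-txn-42"),
                          nas_secret, req_auth)
    return seen_at_home, [v for t, v in decode_attrs(to_nas[20:]) if t == PROXY_STATE]
```

Two points the code makes concrete: because each hop has its own shared secret, a proxy that adds a Proxy-State cannot pass the NAS's Message-Authenticator through and must compute a new one for the next hop, and on the way back it verifies the home server's value before stripping only the last Proxy-State, which by the ordering rule is guaranteed to be its own. The Response Authenticator field is left as a placeholder here; the RFC 2865 MD5 computation for it is separate from the HMAC shown.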
END

5. Security Considerations

   The PIB defined in this memo is intended to be accessed via an AAA
   protocol.  It is the responsibility of the protocol to provide the
   security framework to protect the PIB from unauthorized access.

References

   [1]  Bradner, S., "The Internet Standards Process -- Revision 3",
        BCP 9, RFC 2026, October 1996.

   [2]  Spence, D., Weiss, W., Durham, D., Kulkarni, A., Kopacz, R. and
        J. Vollbrecht, "UML Data Model for Network Access", November
        2000, http://www.interlinknetworks.com/otherdocs/nasmodel.html

   [3]  Rigney, C., Rubens, A., Simpson, W. and S. Willens, "Remote
        Authentication Dial In User Service (RADIUS)", RFC 2865, June
        2000.

   [4]  Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.

   [5]  Zorn, G., Mitton, D. and B. Aboba, "RADIUS Accounting
        Modifications for Tunnel Protocol Support", RFC 2867, June 2000.

   [6]  Zorn, G., Leifer, D., Shriver, J., Rubens, A., Holdrege, M. and
        I. Goyret, "RADIUS Attributes for Tunnel Protocol Support", RFC
        2868, June 2000.

   [7]  Rigney, C., Willats, W., Calhoun, P., Rubens, A. and B. Aboba,
        "RADIUS Extensions", RFC 2869, June 2000.

   [8]  Kaufman, C., Perlman, R. and M. Speciner, "Network Security:
        Private Communications in a Public World", Prentice Hall, March
        1995, ISBN 0-13-061466-1.

   [9]  Blunk, L. and J. Vollbrecht, "PPP Extensible Authentication
        Protocol (EAP)", RFC 2284, March 1998.

   [10] Sklower, K., Lloyd, B., McGregor, G., Carr, D. and T. Coradetti,
        "The PPP Multilink Protocol (MP)", RFC 1990, August 1996.

   [11] Yergeau, F., "UTF-8, a transformation format of ISO 10646", RFC
        2279, January 1998.

   [12] McCloghrie, K., Fine, M., Seligson, J., Chan, K., Hahn, S.,
        Sahita, R., Smith, A. and F. Reichmeyer, "Structure of Policy
        Provisioning Information (SPPI)", draft-ietf-rap-sppi-01.txt,
        July 2000.

   [13] Rivest, R. and S. Dusse, "The MD5 Message-Digest Algorithm", RFC
        1321, April 1992.

   [14] Bradner, S., "Key words for use in RFCs to Indicate Requirement
        Levels", BCP 14, RFC 2119, March 1997.

Authors' Addresses

   David Spence
   Interlink Networks, Inc.
   775 Technology Drive, Suite 200
   Ann Arbor, MI 48108
   USA

   Phone: +1 734 821 1203
   EMail: dspence@interlinknetworks.com

   Robert Kopacz
   Interlink Networks, Inc.
   775 Technology Drive, Suite 200
   Ann Arbor, MI 48108
   USA

   Phone: +1 734 821 1230
   EMail: bkopacz@interlinknetworks.com

   John Vollbrecht
   Interlink Networks, Inc.
   775 Technology Drive, Suite 200
   Ann Arbor, MI 48108
   USA

   Phone: +1 734 821 1205
   EMail: jrv@interlinknetworks.com

   David Durham
   Intel Corporation
   JF3-206
   2111 N.E. 25th Ave.
   Hillsboro, OR 97124-5961
   USA

   Phone: +1 503 264 6232
   EMail: david.durham@intel.com

   Amol Kulkarni
   Intel Corporation
   JF3-206
   2111 N.E. 25th Ave.
   Hillsboro, OR 97124-5961
   USA

   Phone: +1 503 712 1168
   EMail: amol.kulkarni@intel.com

   Walter Weiss
   Ellacoya Networks
   7 Henry Clay Dr.
   Merrimack, NH 03054
   USA

   Phone: +1 603 879 7325
   EMail: wweiss@ellacoya.com