9.5 New Extensions Attributes
In the familiar (yet repetitive, I know)
format of Chapter 2, I will now detail the new
attributes offered in RFC 2869, as well as those specified in the
"RADIUS Attributes for Tunnel Protocol
Support" (RFC 2868) and "RADIUS
Accounting Modifications for Tunnel Protocol
Support" (RFC 2867). They are presented in ascending
order of the attribute number.
Attribute Number | 52
Length | 6
Value | INTEGER
Allowed in | Accounting-Request
Prohibited in | Access-Accept, Access-Request, Access-Reject, Access-Challenge, Accounting-Response
Presence in Packet | Not required
Maximum Iterations | 1

The value of this attribute is the number of times that the Acct-Input-Octets counter has exceeded and wrapped over 2^32 since this transaction's inception. It can only be present in Accounting-Request packets where the value of the Acct-Status-Type is either Stop or Interim-Update.
Attribute Number | 53
Length | 6
Value | INTEGER
Allowed in | Accounting-Request
Prohibited in | Access-Accept, Access-Request, Access-Reject, Access-Challenge, Accounting-Response
Presence in Packet | Not required
Maximum Iterations | 1

The value of this attribute is the number of times that the Acct-Output-Octets counter has exceeded and wrapped over 2^32 since this transaction's inception. It can only be present in Accounting-Request packets where the value of the Acct-Status-Type is either Stop or Interim-Update.
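As an added example (not code from the book or from any RADIUS implementation), here is how an accounting consumer reconstructs the true byte counts for a session from attributes 52 and 53 and the 32-bit octet counters. The attribute names Acct-Input-Gigawords and Acct-Output-Gigawords are the RFC 2869 names for attributes 52 and 53; the Acct-Status-Type values Stop = 2 and Interim-Update = 3 come from RFC 2866. The record dictionary is a constructed sample.

```python
# Added example: recovering 64-bit byte totals from the Acct-*-Octets counters
# and their Gigawords wrap counters (RFC 2869 attributes 52 and 53).

WRAP = 2 ** 32  # each Gigawords unit is one wrap of the 32-bit octet counter

# Acct-Status-Type values (RFC 2866) in which the Gigawords attributes may appear
STOP = 2
INTERIM_UPDATE = 3


def total_octets(octets: int, gigawords: int = 0) -> int:
    """Return the full byte count: gigawords counts 2^32 wraps of `octets`."""
    if not 0 <= octets < WRAP:
        raise ValueError("Acct-*-Octets must be an unsigned 32-bit value")
    if gigawords < 0:
        raise ValueError("Gigawords counter cannot be negative")
    return gigawords * WRAP + octets


def accounting_totals(attrs: dict) -> dict:
    """
    Given the decoded attributes of one Accounting-Request (a dict keyed by
    attribute name, constructed for this example), return the input and
    output byte totals. The Gigawords attributes are only meaningful in Stop
    or Interim-Update records; in any other record they are ignored.
    """
    status = attrs.get("Acct-Status-Type")
    use_gigawords = status in (STOP, INTERIM_UPDATE)
    in_gw = attrs.get("Acct-Input-Gigawords", 0) if use_gigawords else 0
    out_gw = attrs.get("Acct-Output-Gigawords", 0) if use_gigawords else 0
    return {
        "input_octets": total_octets(attrs.get("Acct-Input-Octets", 0), in_gw),
        "output_octets": total_octets(attrs.get("Acct-Output-Octets", 0), out_gw),
    }


# Constructed sample: a Stop record for a session that wrapped the input
# counter twice (a little over 8 GB in) and sent 100 bytes out.
SAMPLE_STOP = {
    "Acct-Status-Type": STOP,
    "Acct-Input-Octets": 1_000_000,
    "Acct-Input-Gigawords": 2,
    "Acct-Output-Octets": 100,
    "Acct-Output-Gigawords": 0,
}

if __name__ == "__main__":
    print(accounting_totals(SAMPLE_STOP))
```

A billing pipeline that reads only Acct-Input-Octets silently under-counts any session that moves more than 4 GB, so the wrap counter has to be applied whenever the record type permits it.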
Attribute Number | 55
Length | 6
Value | INTEGER
Allowed in | Accounting-Request
Prohibited in | Access-Accept, Access-Request, Access-Reject, Access-Challenge, Accounting-Response
Presence in Packet | Not required
Maximum Iterations | 1

This attribute indicates the time at which an event marked by the transmission of an Accounting-Request packet occurred. The value is represented as an integer in the typical Unix-style time notation: the number of seconds since January 1, 1970 00:00 UTC.
Attribute Number | 64
Length | 6
Value | ENUM
Allowed in | Access-Request, Access-Accept, Accounting-Request
Prohibited in | Access-Reject, Access-Challenge, Accounting-Response
Presence in Packet | Not required
Maximum Iterations | 1

This attribute is an enumerated value that indicates the tunneling protocol specified for a particular session. If the attribute is present in an Access-Request packet, the RADIUS server should read its presence as a hint; it is not required to honor that request.

The possible values for the Tunnel-Type attribute and their corresponding meanings are listed in Table 9-2.
Table 9-2. Tunnel-Type enumerated values

1 | Point-to-Point Tunneling Protocol (PPTP)
2 | Layer Two Forwarding (L2F)
3 | Layer Two Tunneling Protocol (L2TP)
4 | Ascend Tunnel Management Protocol (ATMP)
5 | Virtual Tunneling Protocol (VTP)
6 | IP Authentication Header in the Tunnel-mode (AH)
7 | IP-in-IP Encapsulation (IP-IP)
8 | Minimal IP-in-IP Encapsulation (MIN-IP-IP)
9 | IP Encapsulating Security Payload in the Tunnel-mode (ESP)
10 | Generic Route Encapsulation (GRE)
11 | Bay Dial Virtual Services (DVS)
12 | IP-in-IP Tunneling
Attribute Number | 65
Length | 6
Value | ENUM
Allowed in | Access-Request, Access-Accept
Prohibited in | Access-Reject, Access-Challenge, Accounting-Request, Accounting-Response
Presence in Packet | Not required
Maximum Iterations | 1

This attribute is an enumerated value that indicates the transport medium to use when creating a tunnel based on a protocol that can support multiple tunnel types. If the attribute is present in an Access-Request packet, the RADIUS server should read its presence as a hint; it is not required to honor that request.

The possible values for the Tunnel-Medium-Type attribute and their corresponding meanings are listed in Table 9-3.
Table 9-3. Tunnel-Medium-Type enumerated values

1 | IPv4 (IP Version 4)
2 | IPv6 (IP Version 6)
3 | NSAP
4 | HDLC (8-bit multidrop)
5 | BBN 1822
6 | 802 (includes all 802 media plus Ethernet "canonical format")
7 | E.163 (POTS)
8 | E.164 (SMDS, Frame Relay, ATM)
9 | F.69 (Telex)
10 | X.121 (X.25, Frame Relay)
11 | IPX
12 | AppleTalk
13 | Decnet IV
14 | Banyan Vines
15 | E.164 with NSAP format subaddress
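The following is an added example, not code from the book or from any RADIUS product, showing how Tunnel-Type (64) and Tunnel-Medium-Type (65) are laid out on the wire and how a receiver should decode them using Tables 9-2 and 9-3. It relies on one fact from RFC 2868 that the tables above do not state: these are "tagged" attributes, encoded as Type, Length, a one-octet Tag, and a three-octet value, which is why their Length is 6. The short enumeration names in the dictionaries are abbreviations of the table entries chosen for this example.

```python
# Added example: encoding and decoding the RFC 2868 tagged enumerated attributes
# Tunnel-Type (64) and Tunnel-Medium-Type (65). Layout per RFC 2868:
#   Type(1) | Length(1) = 6 | Tag(1) | Value(3, big-endian)
import struct

TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65

# Table 9-2 (abbreviated names)
TUNNEL_TYPES = {
    1: "PPTP", 2: "L2F", 3: "L2TP", 4: "ATMP", 5: "VTP", 6: "AH",
    7: "IP-IP", 8: "MIN-IP-IP", 9: "ESP", 10: "GRE", 11: "DVS",
    12: "IP-in-IP Tunneling",
}
# Table 9-3 (abbreviated names)
TUNNEL_MEDIA = {
    1: "IPv4", 2: "IPv6", 3: "NSAP", 4: "HDLC", 5: "BBN 1822", 6: "802",
    7: "E.163", 8: "E.164", 9: "F.69", 10: "X.121", 11: "IPX",
    12: "AppleTalk", 13: "Decnet IV", 14: "Banyan Vines",
    15: "E.164 with NSAP format subaddress",
}
ENUMS = {TUNNEL_TYPE: TUNNEL_TYPES, TUNNEL_MEDIUM_TYPE: TUNNEL_MEDIA}


def encode_tagged_enum(attr_type: int, value: int, tag: int = 0) -> bytes:
    """Build one tagged enumerated attribute. Tag 0 means 'untagged'; RFC 2868
    uses tags 0x01..0x1F to group the attributes that describe one tunnel."""
    if attr_type not in ENUMS:
        raise ValueError("not a tagged enumerated tunnel attribute")
    if value not in ENUMS[attr_type]:
        raise ValueError(f"unknown enumerated value {value} for attribute {attr_type}")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00 (untagged) or 0x01..0x1F")
    # the value occupies three octets: drop the high byte of a 4-byte pack
    return struct.pack("!BBB", attr_type, 6, tag) + struct.pack("!I", value)[1:]


def decode_tagged_enum(data: bytes) -> dict:
    """Parse one attribute of the form produced by encode_tagged_enum."""
    if len(data) < 6:
        raise ValueError("tagged enum attribute needs 6 octets")
    attr_type, length, tag = struct.unpack("!BBB", data[:3])
    if length != 6 or attr_type not in ENUMS:
        raise ValueError("malformed tagged enum attribute")
    value_bytes = data[3:6]
    if tag > 0x1F:
        # RFC 2868: a first octet above 0x1F is not a tag but part of the value
        tag, value_bytes = 0, data[2:6]
    value = int.from_bytes(value_bytes, "big")
    name = ENUMS[attr_type].get(value, "unknown")
    return {"type": attr_type, "tag": tag, "value": value, "name": name}


if __name__ == "__main__":
    # constructed pair describing one L2TP-over-IPv4 tunnel, grouped by tag 1
    wire = (encode_tagged_enum(TUNNEL_TYPE, 3, tag=1)
            + encode_tagged_enum(TUNNEL_MEDIUM_TYPE, 1, tag=1))
    print(decode_tagged_enum(wire[:6]), decode_tagged_enum(wire[6:]))
```

A receiver that treats the third octet as the high byte of a 32-bit integer, ignoring the tag, will decode a tagged L2TP value as 0x01000003 and fail to match any table entry; rejecting unknown values rather than defaulting to a tunnel type is the safer choice.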
Attribute Number | 66
Length | 3 or more octets
Value | STRING
Allowed in | Access-Request, Access-Accept, Accounting-Request
Prohibited in | Access-Reject, Access-Challenge, Accounting-Response
Presence in Packet | Not required
Maximum Iterations | 1

The Tunnel-Client-Endpoint attribute contains the address of the initiator of the tunnel. It's designed to work in conjunction with the Tunnel-Server-Endpoint and Acct-Tunnel-Connection-ID attributes to provide a way to identify a specific tunnel for accounting, billing, and auditing functions. If the tunnel is an IPv4 tunnel, then the value of this attribute is either the FQDN of the initiator end of the tunnel or the dotted-decimal (x.x.x.x) address of the initiator. If the tunnel is an IPv6 tunnel, the string is either the FQDN as described here or a textual representation of the address. All other tunnel formats use a tag that refers to local configuration data specific to the medium.
Attribute Number | 67
Length | 3 or more octets
Value | STRING
Allowed in | Access-Request, Access-Accept, Accounting-Request
Prohibited in | Access-Reject, Access-Challenge, Accounting-Response
Presence in Packet | Not required
Maximum Iterations | 1

The Tunnel-Server-Endpoint attribute contains the address of the receiving (server) end of the tunnel. It's designed to work in conjunction with the Tunnel-Client-Endpoint and Acct-Tunnel-Connection-ID attributes to provide a way to identify a specific tunnel for accounting, billing, and auditing functions. If the tunnel is an IPv4 tunnel, then the value of this attribute is either the FQDN of the receiving (server) end of the tunnel or the dotted-decimal (x.x.x.x) address of the receiver. If the tunnel is an IPv6 tunnel, the string is either the FQDN as described here or a textual representation of the address. All other tunnel formats use a tag that refers to local configuration data specific to the medium.
Attribute Number | 68
Length | 3 or more octets
Value | STRING
Allowed in | Accounting-Request
Prohibited in | Access-Accept, Access-Request, Access-Reject, Access-Challenge, Accounting-Response
Presence in Packet | Not required
Maximum Iterations | 1

This attribute defines the identifier assigned to a specific tunnel session. This attribute works in conjunction with Tunnel-Client-Endpoint and Tunnel-Server-Endpoint to uniquely identify a specific session for accounting, auditing, and billing purposes. The field encoding for the value of this attribute is implementation specific.
Attribute Number | 69
Length | 5 or more octets
Value | STRING
Allowed in | Access-Accept
Prohibited in | Access-Request, Access-Reject, Access-Challenge, Accounting-Response, Accounting-Request
Presence in Packet | Not required
Maximum Iterations | 1

This attribute contains the password for authenticating to a remote server and includes a "salt" field that is used to verify the uniqueness of the key used to encrypt the tunnel password. You can find more information in RFC 2868, but there's no sense sending you off on a chase. Here's the relevant part:
The plaintext String field consists of three logical sub-fields: the Data-Length and Password sub-fields (both of which are required), and the optional Padding sub-field. The Data-Length sub-field is one octet in length and contains the length of the unencrypted Password sub-field. The Password sub-field contains the actual tunnel password. If the combined length (in octets) of the unencrypted Data-Length and Password sub-fields is not an even multiple of 16, then the Padding sub-field MUST be present. If it is present, the length of the Padding sub-field is variable, between 1 and 15 octets.

The String field MUST be encrypted as follows, prior to transmission:

Construct a plaintext version of the String field by concatenating the Data-Length and Password sub-fields. If necessary, pad the resulting string until its length (in octets) is an even multiple of 16. It is recommended that zero octets (0x00) be used for padding. Call this plaintext P. Call the shared secret S, the pseudo-random 128-bit Request Authenticator (from the corresponding Access-Request packet) R, and the contents of the Salt field A. Break P into 16 octet chunks p(1), p(2)...p(i), where i = len(P)/16. Call the ciphertext blocks c(1), c(2)...c(i) and the final ciphertext C. Intermediate values b(1), b(2)...b(i) are required. Encryption is performed in the following manner (+ indicates concatenation):

b(1) = MD5(S + R + A)    c(1) = p(1) xor b(1)    C = c(1)
b(2) = MD5(S + c(1))     c(2) = p(2) xor b(2)    C = C + c(2)
  ...
b(i) = MD5(S + c(i-1))   c(i) = p(i) xor b(i)    C = C + c(i)

The resulting encrypted String field will contain c(1)+c(2)+...+c(i).

On receipt, the process is reversed to yield the plaintext String.
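Here is the procedure quoted above carried through in code, as an added example that is neither the book's nor RFC 2868's own code. It uses only the standard library and the symbols of the quote (P, S, R, A, b(n), c(n)). One detail not in the quoted excerpt but stated elsewhere in RFC 2868 is enforced here: the Salt is two octets and its most significant bit must be set. The secret, Request Authenticator and salt values are constructed for the example.

```python
# Added example: RFC 2868 Tunnel-Password (69) String-field encryption and the
# receiver's reverse operation. Symbols follow the quoted text:
#   P = Data-Length || Password || zero padding to a multiple of 16
#   b(1) = MD5(S + R + A), b(n) = MD5(S + c(n-1)), c(n) = p(n) xor b(n)
import hashlib
import os


def _pad16(p: bytes) -> bytes:
    """Zero-pad P up to the next multiple of 16 octets (the RFC's recommendation)."""
    rem = len(p) % 16
    return p + b"\x00" * (16 - rem) if rem else p


def _check_inputs(request_authenticator: bytes, salt: bytes) -> None:
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(salt) != 2 or not salt[0] & 0x80:
        # RFC 2868: Salt is two octets and its high bit MUST be set
        raise ValueError("Salt must be 2 octets with the high bit set")


def tunnel_password_encrypt(password: bytes, secret: bytes,
                            request_authenticator: bytes, salt: bytes) -> bytes:
    """Return the encrypted String field C = c(1)+c(2)+...+c(i)."""
    _check_inputs(request_authenticator, salt)
    if len(password) > 255:
        raise ValueError("Data-Length is one octet, so the password is at most 255 octets")
    p = _pad16(bytes([len(password)]) + password)
    out = bytearray()
    prev = request_authenticator + salt           # R + A feeds b(1)
    for n in range(0, len(p), 16):
        b = hashlib.md5(secret + prev).digest()   # b(n) = MD5(S + R + A) or MD5(S + c(n-1))
        c = bytes(x ^ y for x, y in zip(p[n:n + 16], b))   # c(n) = p(n) xor b(n)
        out += c
        prev = c
    return bytes(out)


def tunnel_password_decrypt(ciphertext: bytes, secret: bytes,
                            request_authenticator: bytes, salt: bytes) -> bytes:
    """Reverse the process on receipt and return the Password sub-field."""
    _check_inputs(request_authenticator, salt)
    if not ciphertext or len(ciphertext) % 16:
        raise ValueError("ciphertext must be a non-empty multiple of 16 octets")
    plain = bytearray()
    prev = request_authenticator + salt
    for n in range(0, len(ciphertext), 16):
        c = ciphertext[n:n + 16]
        b = hashlib.md5(secret + prev).digest()
        plain += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    data_len = plain[0]
    if data_len > len(plain) - 1:
        raise ValueError("Data-Length exceeds the decrypted field")
    return bytes(plain[1:1 + data_len])


def new_salt() -> bytes:
    """Fresh 2-octet salt with the high bit forced on, one per attribute sent."""
    s = bytearray(os.urandom(2))
    s[0] |= 0x80
    return bytes(s)


# Constructed sample values (not from any real deployment)
SECRET = b"example-shared-secret"
REQ_AUTH = bytes(range(16))
SALT = b"\x8a\x5b"

if __name__ == "__main__":
    enc = tunnel_password_encrypt(b"l2tp-tunnel-pw", SECRET, REQ_AUTH, SALT)
    print(enc.hex(), tunnel_password_decrypt(enc, SECRET, REQ_AUTH, SALT))
```

Two properties of the scheme are visible in the code: only the first block depends on the salt and Request Authenticator, and the receiver trusts the decrypted Data-Length octet, so a malformed or wrongly keyed field must be rejected by the bounds check rather than silently yielding garbage.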
Attribute Number | 70
Length | 18
Value | STRING
Allowed in | Access-Request
Prohibited in | Access-Accept, Access-Reject, Access-Challenge, Accounting-Response, Accounting-Request
Presence in Packet | Not required
Maximum Iterations | 1

This attribute is a 16-octet string designed to carry the client's response to mutual authentication of the client and the RADIUS client machine. The highest-order octets contain the dial-up user's challenge to the RADIUS client, which consists of two 32-bit numbers totaling eight octets. The lowest-order octets contain the dial-up user's response to the RADIUS client's challenge. This as well consists of two 32-bit numbers totaling eight octets.
Attribute Number | 71
Length | 16
Value | STRING
Allowed in | Access-Accept
Prohibited in | Accounting-Request, Access-Request, Access-Reject, Access-Challenge, Accounting-Response
Presence in Packet | Not required
Maximum Iterations | 1

This attribute, found in Access-Accept packets with the Framed-Protocol attribute set to ARAP, transmits password data that the RADIUS client machine is responsible for transmitting to the user in an ARAP feature flags packet. The value is a compound string containing such information as the restrictions on a user for changing his password, the minimum acceptable password length, the password creation date in Macintosh time (32 unsigned bits representing seconds since Midnight GMT January 1, 1904), the password expiration delta from the creation date in seconds, and the current RADIUS server's time in Macintosh format.
Attribute Number | 72
Length | 6
Value | INTEGER
Allowed in | Access-Accept
Prohibited in | Accounting-Request, Access-Request, Access-Reject, Access-Challenge, Accounting-Response
Presence in Packet | Not required
Maximum Iterations | 1

This attribute, found in Access-Accept packets with the Framed-Protocol attribute set to ARAP, indicates how the ARAP zone list for the user should be interpreted. The value field is an integer that can be one of three values. The integer 1 signifies that the user should only be allowed access to the default zone. The integer 2 indicates that the zone filter should be used inclusively—that is, the user should be allowed to access only the zones listed in his filter. The integer 4 specifies that the zone filter should be used exclusively—meaning the user should be allowed to access all zones except those listed in his filter.

The Filter-ID attribute must also be present if this attribute's value is set to 2 or 4 in order to name the zone list filter to which the access flag should be applied.
Attribute Number | 73
Length | 6
Value | INTEGER
Allowed in | Access-Challenge
Prohibited in | Accounting-Request, Access-Request, Access-Reject, Access-Accept, Accounting-Response
Presence in Packet | Not required
Maximum Iterations | 1

This attribute is found in an Access-Challenge packet and indicates the ARAP security module that's to be used for the transaction. The value of this attribute is an integer representing a Macintosh operating system type, which is four ASCII characters cast as a 32-bit integer.
Attribute Number | 74
Length | 3 or more octets
Value | STRING
Allowed in | Access-Request, Access-Challenge
Prohibited in | Accounting-Request, Access-Accept, Access-Reject, Accounting-Response
Presence in Packet | Not required
Maximum Iterations | 1

This attribute contains the actual challenge or response, based on the security model contained in the ARAP-Security attribute, and is found in Access-Request and Access-Challenge packets.
Attribute Number | 75
Length | 6
Value | INTEGER
Allowed in | Access-Reject
Prohibited in | Accounting-Request, Access-Request, Access-Accept, Access-Challenge, Accounting-Response
Presence in Packet | Not required
Maximum Iterations | 1

This attribute, which can be found in Access-Reject packets, indicates the number of authentication attempts a user is allowed before he is disconnected. This attribute is used primarily with the ARAP protocol.
Attribute Number | 76
Length | 6
Value | INTEGER
Allowed in | Access-Challenge
Prohibited in | Accounting-Request, Access-Request, Access-Reject, Access-Accept, Accounting-Response
Presence in Packet | Not required
Maximum Iterations | 1

This attribute, found only in Access-Challenge packets, tells the RADIUS client device that is party to the transaction whether to echo the user's response as the user enters it or to suppress the echo. If the value of this attribute is 0, the input will not be echoed. If the value is 1, the input will be echoed.
Attribute Number | 77
Length | 3 or more octets
Value | STRING
Allowed in | Access-Request, Accounting-Request
Prohibited in | Access-Challenge, Access-Reject, Access-Accept, Accounting-Response
Presence in Packet | Not required
Maximum Iterations | 1 in an Access-Request packet; unlimited in an Accounting-Request packet

The RADIUS client gear will send this attribute inside an Access-Request or Accounting-Request packet to indicate the properties and nature of this user's connection. Among the data points collected are connection speed, transmit speed, receive speed, and any other optional information. More than one of these attributes is allowed in the Accounting-Request packet to satisfy increasing ITU pressure to allow more modem information to be transmitted that may exceed 252 octets.
Attribute Number | 78
Length | 3 or more octets
Value | STRING
Allowed in | Access-Accept
Prohibited in | Accounting-Request, Access-Request, Access-Reject, Access-Challenge, Accounting-Response
Presence in Packet | Not required
Maximum Iterations | 1

This attribute is designed to be sent from a RADIUS proxy server to a RADIUS proxy client inside an Access-Accept packet in large, distributed networking architectures. It serves to designate which user profile to use. The value field is implementation dependent and should be read as undistinguished octets.
Attribute Number | 79
Length | 3 or more octets
Value | STRING
Allowed in | Access-Accept, Access-Reject, Access-Challenge, Access-Request
Prohibited in | Accounting-Request, Accounting-Response
Presence in Packet | Not required
Maximum Iterations | Unlimited in Access-Request and Access-Challenge packets; 1 in Access-Accept and Access-Reject packets

This attribute serves as the method by which EAP messages are transmitted within a RADIUS packet. The RADIUS client machine places all of the messages received from the client into individual EAP-Message attributes and wraps them into a standard Access-Request packet. The RADIUS server then returns EAP messages in Access-Challenge, Access-Accept, and Access-Reject messages.

The Message-Authenticator attribute (detailed a bit later in this chapter) is required to be present if this attribute is used; this is to protect the integrity of RADIUS over EAP to the same degree that EAP affords transactional integrity on its side of the link. The Message-Authenticator must be used to protect all Access-Request, Access-Challenge, Access-Accept, and Access-Reject messages which hold one or more EAP-Message attributes.
Attribute Number | 80
Length | 18
Value | STRING
Allowed in | Access-Request, Access-Challenge, Access-Accept, Access-Reject
Prohibited in | Accounting-Request, Accounting-Response
Presence in Packet | Required in Access-Request, Access-Accept, Access-Reject, or Access-Challenge packets that contain EAP-Message; otherwise, not required
Maximum Iterations | 1

The Message-Authenticator attribute is used to sign packets to ensure their integrity is protected. The attribute may be used in any Access-Request, but any packet that contains EAP-Messages must also have the Message-Authenticator attribute present. The Message-Authenticator itself is an HMAC-MD5 checksum of the entire Access-Request packet, containing the Type, ID, Length, and Authenticator field, using the shared secret as the key.

As mentioned earlier in the text, some RADIUS client machines calculate the Message-Authenticator incorrectly, while others use the same attribute values for different purposes. Of course this creates a mess. It's also important to note that the use of the IPsec protocol really makes this a stopgap measure. When IPsec implementation becomes more widespread, this attribute will be made redundant.
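To make the Message-Authenticator (80) computation concrete, here is an added example (not code from the book or from any RADIUS server) that builds an Access-Request carrying an EAP-Message (79), computes the HMAC-MD5 over the whole packet with the shared secret as the key, and then performs the receiver-side check. One rule from RFC 2869 that the text above does not spell out is applied: while the HMAC is being computed, the 16 value octets of the Message-Authenticator attribute itself are set to zero. Only the Access-Request case is shown; for the server's responses RFC 2869 has the HMAC computed with the Request Authenticator of the matching request in the header, which this example does not cover. The shared secret, identifier and EAP payload are constructed values.

```python
# Added example: computing and verifying Message-Authenticator (80) for an
# Access-Request, per RFC 2869. All packet contents are constructed.
import hashlib
import hmac
import os
import struct
from typing import Optional

ACCESS_REQUEST = 1
EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80
HEADER = struct.Struct("!BBH16s")   # Code, Identifier, Length, Authenticator (20 octets)


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return bytes([attr_type, len(value) + 2]) + value


def build_packet(code: int, identifier: int, authenticator: bytes, attrs: bytes) -> bytes:
    return HEADER.pack(code, identifier, HEADER.size + len(attrs), authenticator) + attrs


def iter_attrs(packet: bytes):
    """Yield (offset, type, value) per attribute; reject malformed lengths."""
    off = HEADER.size
    while off < len(packet):
        if off + 2 > len(packet):
            raise ValueError("truncated attribute header")
        t, length = packet[off], packet[off + 1]
        if length < 2 or off + length > len(packet):
            raise ValueError("bad attribute length")
        yield off, t, packet[off + 2:off + length]
        off += length


def compute_message_authenticator(packet: bytes, secret: bytes) -> bytes:
    """HMAC-MD5 over the entire packet (header and all attributes) with the
    Message-Authenticator value replaced by 16 zero octets during the computation."""
    for off, t, value in iter_attrs(packet):
        if t == MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                raise ValueError("Message-Authenticator must be 16 octets")
            zeroed = packet[:off + 2] + b"\x00" * 16 + packet[off + 18:]
            return hmac.new(secret, zeroed, hashlib.md5).digest()
    raise ValueError("packet carries no Message-Authenticator attribute")


def sign_access_request(identifier: int, attrs: bytes, secret: bytes,
                        request_authenticator: Optional[bytes] = None) -> bytes:
    """Append a zeroed Message-Authenticator, then fill it with the HMAC."""
    ra = request_authenticator or os.urandom(16)
    pkt = build_packet(ACCESS_REQUEST, identifier, ra,
                       attrs + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    mac = compute_message_authenticator(pkt, secret)
    return pkt[:-16] + mac   # the placeholder value is the final 16 octets


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Receiver check: a packet with EAP-Message but no attribute 80 fails, as
    does one whose HMAC does not match (compared in constant time)."""
    has_eap = False
    received = None
    for _, t, value in iter_attrs(packet):
        if t == EAP_MESSAGE:
            has_eap = True
        elif t == MESSAGE_AUTHENTICATOR:
            received = value
    if received is None:
        return not has_eap
    return hmac.compare_digest(received, compute_message_authenticator(packet, secret))


def tamper(packet: bytes, index: int) -> bytes:
    """Flip one bit of a packet (used to show that verification then fails)."""
    return packet[:index] + bytes([packet[index] ^ 0x01]) + packet[index + 1:]


SECRET = b"example-shared-secret"              # constructed
EAP_IDENTITY = b"\x02\x01\x00\x0a\x01alice"    # constructed EAP Response/Identity, 10 octets

if __name__ == "__main__":
    pkt = sign_access_request(7, attr(EAP_MESSAGE, EAP_IDENTITY), SECRET, bytes(16))
    print(pkt.hex())
    print(verify_message_authenticator(pkt, SECRET), verify_message_authenticator(tamper(pkt, 25), SECRET))
```

The check covers the header Length and Request Authenticator as well as every attribute, so a proxy that rewrites any attribute must recompute the value with its own shared secret before forwarding; a server that sees EAP-Message without a valid Message-Authenticator should discard the packet rather than fall back to processing it.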
Attribute Number | 81
Length | 3 or more octets
Value | STRING
Allowed in | Access-Request, Access-Accept
Prohibited in | Accounting-Request, Access-Reject, Access-Challenge, Accounting-Response
Presence in Packet | Not required
Maximum Iterations | 1

The Tunnel-Private-Group-ID attribute designates the group ID value for a specified tunneling session. Private groups are used to associate configured tunnels with specified groups of users. The value of the field is unrestricted and can be configured in whatever way a specific implementation requires.
Attribute Number | 82
Length | 3 or more octets
Value | STRING
Allowed in | Access-Accept
Prohibited in | Accounting-Request, Access-Request, Access-Reject, Access-Challenge, Accounting-Response
Presence in Packet | Not required
Maximum Iterations | 1

This attribute is designed to specify which pre-configured tunnel a particular connection should use. More specifically, some tunnel protocols allow for multiplexing multiple connections across one specific tunnel, and with this attribute, RADIUS can inform the initiator (the client, in other words) whether the connection will be over an individual tunnel or a multiplexed tunnel.

There are specific behaviors a tunnel initiator should follow when using the Tunnel-Assignment-ID attribute:

If a tunnel exists between the specified end points with the designated assignment ID, then the session should use that tunnel.

If no tunnel exists between the specified end points with the designated assignment ID, then a new tunnel should be created and referred to as the label indicated in the Tunnel-Assignment-ID value.

If the Tunnel-Assignment-ID attribute is not present, then the session should be assigned to an unnamed tunnel. If this tunnel doesn't exist, it should be created and used for all sessions that don't have the Tunnel-Assignment-ID attribute.
Attribute Number | 83
Length | 6
Value | HEX
Allowed in | Access-Accept, Access-Request
Prohibited in | Accounting-Request, Access-Reject, Access-Challenge, Accounting-Response
Presence in Packet | Not required
Maximum Iterations | 1

This attribute indicates the preference assigned to each tunnel when more than one set of tunneling attributes is returned by the RADIUS server to the client initiator. The value of this attribute ranges from 0x01 through 0x1F, with the lowest value receiving the highest preference and the highest value receiving the lowest preference.
Attribute Number | 84
Length | 10
Value | STRING
Allowed in | Access-Accept
Prohibited in | Accounting-Request, Access-Request, Access-Reject, Access-Challenge, Accounting-Response
Presence in Packet | Not required
Maximum Iterations | 1

This attribute, found in Access-Accept packets with a Framed-Protocol attribute set to ARAP, contains the response to the dial-in client's challenge. The value is an eight-octet response to the client challenge, calculated by performing DES encryption on the highest-order eight octets of the ARAP-Password attribute's value, using the user's password as the key.
Attribute Number | 85
Length | 6
Value | INTEGER
Allowed in | Access-Accept
Prohibited in | Accounting-Request, Access-Request, Access-Reject, Access-Challenge, Accounting-Response
Presence in Packet | Not required
Maximum Iterations | 1

The value of the Acct-Interim-Interval attribute indicates the number of seconds between each transmittal of an interim update for a specific session. The value cannot be less than 60, and best practices reveal that the value of this attribute really has no benefit to being less than 600. Serious increases in network traffic that can adversely affect performance can occur if this value is incorrectly or inefficiently set.
Attribute Number | 86
Length | 6
Value | INTEGER
Allowed in | Accounting-Request
Prohibited in | Access-Accept, Access-Request, Access-Reject, Access-Challenge, Accounting-Response
Presence in Packet | Not required
Maximum Iterations | 1

The value of this attribute is the number of packets that have been lost over a given link.
Attribute Number | 87
Length | 3 or more octets
Value | STRING
Allowed in | Access-Request, Accounting-Request
Prohibited in | Access-Challenge, Access-Reject, Access-Accept, Accounting-Response
Presence in Packet | Not required
Maximum Iterations | 1

The value of this attribute, read from textual characters encoded with UTF-8, indicates the physical port on the NAS machine to which a user is connected. It is only found in Access-Request and Accounting-Request packets.
Attribute Number | 88
Length | 3 or more octets
Value | STRING
Allowed in | Access-Accept
Prohibited in | Accounting-Request, Access-Request, Access-Reject, Access-Challenge, Accounting-Response
Presence in Packet | Not required
Maximum Iterations | 1

This attribute, found only in Access-Accept packets, indicates the name of the address pool that should be used to give an address to the authenticating user.
Attribute Number | 90
Length | 3 or more octets
Value | STRING
Allowed in | Access-Request, Access-Accept, Accounting-Request
Prohibited in | Access-Reject, Access-Challenge, Accounting-Response
Presence in Packet | Not required
Maximum Iterations | 1

The Tunnel-Client-Auth-ID attribute designates the name of the initiator that was used during the creation of a tunnel in the authentication phase. It should be included in Access-Accept where the default authentication name is not sufficient or otherwise undesired.
Attribute Number | 91
Length | 3 or more octets
Value | STRING
Allowed in | Access-Request, Access-Accept, Accounting-Request
Prohibited in | Access-Reject, Access-Challenge, Accounting-Response
Presence in Packet | Not required
Maximum Iterations | 1

The Tunnel-Server-Auth-ID attribute designates the name of the receiver (the server) that was used during the creation of a tunnel in the authentication phase. It should be included in Access-Accept where the default authentication name is not sufficient or otherwise undesired.