rfcdiff of draft-ietf-radius-ext-03.txt (old, "-03") against draft-ietf-radius-ext-04.txt (new, "-04").
Text common to both drafts is shown once; where the drafts differ, the two readings are labelled Old (-03) and New (-04).

RADIUS Working Group                                    C Rigney
INTERNET-DRAFT                                          Livingston
                                                        W Willats
                                                        Cyno Technologies
                                                        P Calhoun
                                                        Sun Microsystems
Old (-03): expires September 1999
New (-04): February 1999

                           RADIUS Extensions
          draft-ietf-radius-ext-03.txt -> draft-ietf-radius-ext-04.txt

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   This document is a submission to the RADIUS Working Group of the
   Internet Engineering Task Force (IETF). Comments should be submitted
   to the ietf-radius@livingston.com mailing list.
[skipping to change at page 2, line 26 (both drafts)]

   1.1   Specification of Requirements ...................  4
   1.2   Terminology .....................................  4
   2.    Operation .......................................  5
   2.1   RADIUS support for Interim Accounting Updates ...  5
   2.2   RADIUS support for Apple Remote Access Protocol .  6
   2.3   RADIUS Support for Extensible Authentication
         Protocol (EAP) .................................. 12
   2.3.1 Protocol Overview ............................... 12
   2.3.2 Retransmission .................................. 14
   2.3.3 Fragmentation ................................... 15 (-03) / 14 (-04)
   2.3.4 Examples ........................................ 15
   2.3.5 Alternative uses ................................ 20
   3.    Packet Format ................................... 20
   4.    Packet Types .................................... 20
   5.    Attributes ...................................... 20
   5.1   Acct-Input-Gigawords ............................ 22
   5.2   Acct-Output-Gigawords ........................... 23

[skipping to change at page 3, line 4 (-03) / page 2, line 52 (-04)]

   5.8   ARAP-Security-Data .............................. 28
   5.9   Password-Retry .................................. 29
   5.10  Prompt .......................................... 30
   5.11  Connect-Info .................................... 31
   5.12  Configuration-Token ............................. 32
   5.13  EAP-Message ..................................... 32
   5.14  Signature ....................................... 34
   5.15  ARAP-Challenge-Response ......................... 36
   5.16  Acct-Interim-Interval ........................... 37
   5.17  Table of Attributes ............................. 37

   Old (-03):
   6.    Security Considerations ......................... 38
   6.1   Separation of EAP server and PPP authenticator
   6.2   Connection hijacking ............................ 39
   6.3   Man in the middle attacks ....................... 40
   6.4   Multiple databases .............................. 40
   6.5   Negotiation attacks ............................. 40
   7.    References ...................................... 42
   8.    Acknowledgements ................................ 42
   9.    Chair's Address ................................. 43
   10.   Author's Address ................................ 43
   11.   Full Copyright Statement ........................ 45

   New (-04):
   5.18  Framed-Pool ..................................... 38
   5.19  Table of Attributes ............................. 39
   6.    Security Considerations ......................... 40
   6.1   Signature Security .............................. 40
   6.2   EAP Security .................................... 40
   6.2.1 Separation of EAP server and PPP authenticator
   6.2.2 Connection hijacking ............................ 42
   6.2.3 Man in the middle attacks ....................... 42
   6.2.4 Multiple databases .............................. 42
   6.2.5 Negotiation attacks ............................. 43
   7.    References ...................................... 44
   8.    Acknowledgements ................................ 45
   9.    Chair's Address ................................. 45
   10.   Author's Address ................................ 45
   11.   Full Copyright Statement ........................ 47
1. Introduction

   RFC 2138 [1] describes the RADIUS Protocol as it is implemented and
   deployed today, and RFC 2139 [2] describes how Accounting can be
   performed with RADIUS.

   This memo suggests several additional Attributes that can be added to
   RADIUS to perform various useful functions. These Attributes do not
   have extensive field experience yet and should therefore be
[skipping to change at page 12, line 46 (both drafts)]

   The peer will then respond with an EAP-Response/Identity which the
   NAS will then forward to the RADIUS server in the EAP-Message
   attribute of a RADIUS Access-Request packet. The RADIUS Server will
   typically use the EAP-Response/Identity to determine which EAP type
   is to be applied to the user.

   Old (-03):
   In order to permit non-EAP aware RADIUS proxies to forward the
   Access-Request packet, if the NAS sends the EAP-Request/Identity, the
   NAS MUST copy the contents of the EAP-Response/Identity into the
   User-Name attribute and MUST include the EAP-Response/Identity in the
   User-Name attribute in every subsequent Access-Request. NAS-Port
   SHOULD be included in the attributes issued by the NAS in the
   Access-Request packet, and either NAS-Identifier or NAS-IP-Address
   MUST be included. In order to permit forwarding of the Access-Reply
   by EAP-unaware proxies, if a User-Name attribute was included in an
   Access-Request, the RADIUS Server MUST include the User-Name
   attribute in subsequent Access-Challenge and Access-Accept packets.
   Without the User-Name attribute, accounting and billing becomes very
   difficult to manage.

   If identity is determined via another means such as Called-Station-Id
   or Calling-Station-Id, the NAS MUST include these identifying
   attributes in every Access-Request, and the RADIUS Server MUST
   include them in every Access-Challenge and Access-Accept.

   New (-04):
   In order to permit non-EAP aware RADIUS proxies to forward the
   Access-Request packet, if the NAS sends the EAP-Request/Identity, the
   NAS MUST copy the contents of the EAP-Response/Identity into the
   User-Name attribute and MUST include the EAP-Response/Identity in the
   User-Name attribute in every subsequent Access-Request. NAS-Port or
   NAS-Port-Id SHOULD be included in the attributes issued by the NAS in
   the Access-Request packet, and either NAS-Identifier or NAS-IP-
   Address MUST be included. In order to permit forwarding of the
   Access-Reply by EAP-unaware proxies, if a User-Name attribute was
   included in an Access-Request, the RADIUS Server MUST include the
   User-Name attribute in subsequent Access-Accept packets. Without the
   User-Name attribute, accounting and billing becomes very difficult to
   manage.

   If identity is determined via another means such as Called-Station-Id
   or Calling-Station-Id, the NAS MUST include these identifying
   attributes in every Access-Request.

   While this approach will save a round-trip, it cannot be universally
   employed. There are circumstances in which the user's identity may
   not be needed (such as when authentication and accounting is handled
   based on Called-Station-Id or Calling-Station-Id), and therefore an
   EAP-Request/Identity packet may not necessarily be issued by the NAS
   to the authenticating peer. In cases where an EAP-Request/Identity
   packet will not be sent, the NAS will send to the RADIUS server a
   RADIUS Access-Request packet containing an EAP-Message attribute
   signifying EAP-Start. EAP-Start is indicated by sending an EAP-
[skipping to change at page 22, line 5 (-03) / page 21, line 50 (-04)]

      74      ARAP-Security-Data
      75      Password-Retry
      76      Prompt
      77      Connect-Info
      78      Configuration-Token
      79      EAP-Message
      80      Signature
      81-83   (refer to "RADIUS Attributes for Tunneling Support" draft)
      84      ARAP-Challenge-Response
      85      Acct-Interval-Time

   Old (-03):
      86-191  Unused

   New (-04):
      86      (refer to "RADIUS Attributes for Tunneling Support" draft)
      87      NAS-Port-Id
      88      Framed-Pool
      89-191  Unused

   Length

      The Length field is one octet, and indicates the length of this
      attribute including the Type, Length and Value fields. If an
      attribute is received in a packet with an invalid Length, the
      entire request should be silently discarded.

   Value

      The Value field is zero or more octets and contains information
      specific to the attribute. The format and length of the Value
      field is determined by the Type and Length fields.

      New (-04):
      Note that a "string" in RADIUS does not terminate with a NUL (hex
      00). The Attribute has a length field and does not use a
      terminator. Strings may contain UTF-8 characters or 8-bit binary
      data and servers and clients should be able to deal with embedded
      nulls. RADIUS implementers using C are cautioned not to use
      strcpy() when handling strings.

      The format of the value field is one of four data types.

      string    Old (-03): 0-253 octets
                New (-04): 1-253 octets. Strings of length zero (0) MUST
                NOT be sent; omit the entire attribute instead.
      address   32 bit unsigned value, most significant octet first.
      integer   32 bit unsigned value, most significant octet first.
      time      32 bit unsigned value, most significant octet first --
                seconds since 00:00:00 GMT (-03) / UTC (-04),
                January 1, 1970.

5.1. Acct-Input-Gigawords

   Description

      This attribute indicates how many times the Acct-Input-Octets
      counter has wrapped around 2^32 over the course of this service
      being provided, and can only be present in Accounting-Request
      records where the Acct-Status-Type is set to Stop or Interim-
      Update.
[skipping to change at page 37, line 36 (both drafts)]

      85 for Acct-Interim-Interval.

   Length

      6

   Value

      The Value field contains the number of seconds between each
      interim update to be sent from the NAS for this session.
      Old (-03): The value MUST NOT be smaller than 60 and SHOULD NOT be
      less than 600.
      New (-04): The value MUST NOT be smaller than 60. The value SHOULD
      NOT be smaller than 600, and careful consideration should be given
      to its impact on network traffic.

   In -03 the next section is "5.17. Table of Attributes". -04 inserts
   two new attribute sections in front of it and renumbers the table to
   5.19.

5.17. NAS-Port-Id   (new in -04)

   Description

      This Attribute contains a string which identifies the port of the
      NAS which is authenticating the user. It is only used in Access-
      Request and Accounting-Request packets. Note that this is using
      "port" in its sense of a physical connection on the NAS, not in
      the sense of a TCP or UDP port number.

      Either NAS-Port or NAS-Port-Id SHOULD be present in an Access-
      Request packet, if the NAS differentiates among its ports. NAS-
      Port-Id is intended for use by NASes which cannot conveniently
      number their ports.

   A summary of the NAS-Port-Id Attribute format is shown below. The
   fields are transmitted from left to right.

       0                   1                   2
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |    Length     |  String...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      87 for NAS-Port-Id.

   Length

      >= 3

   String

      The String field contains the name of the port in UTF-8 [6]
      format.

5.18. Framed-Pool   (new in -04)

   Description

      This Attribute contains the name of an assigned address pool that
      SHOULD be used to assign an address for the user. If a NAS does
      not support multiple address pools, the NAS should ignore this
      Attribute. Address pools are usually used for IP addresses, but
      can be used for other protocols if the NAS supports pools for
      those protocols.

   A summary of the Framed-Pool Attribute format is shown below. The
   fields are transmitted from left to right.

       0                   1                   2
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |    Length     |  String...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      88 for Framed-Pool

   Length

      >= 3

   String

      The String field contains the name of an assigned address pool
      configured on the NAS.

5.19. Table of Attributes   (5.17 in -03)

   Old (-03):
   The following table provides a guide to which attributes may be found
   in which kind of packets. Acct-Input-Gigawords, Acct-Output-
   Gigawords, and Event-Timestamp may have 0-1 instances in an
   Accounting-Request packet. Connect-Info may have 0+ instances in an
   Accounting-Request packet. The other attributes added in this
   document must not be present in an Accounting-Request.

   New (-04):
   The following table provides a guide to which attributes may be found
   in which kind of packets. Acct-Input-Gigawords, Acct-Output-
   Gigawords, Event-Timestamp, and NAS-Port-Id may have 0-1 instances in
   an Accounting-Request packet. Connect-Info may have 0+ instances in
   an Accounting-Request packet. The other attributes added in this
   document must not be present in an Accounting-Request.
   Request Accept Reject Challenge   #   Attribute
   0-1     0      0      0          70   ARAP-Password [Note 1]
   0       0-1    0      0-1        71   ARAP-Features
   0       0-1    0      0          72   ARAP-Zone-Access
   0-1     0      0      0-1        73   ARAP-Security
   0+      0      0      0+         74   ARAP-Security-Data
   0       0      0-1    0          75   Password-Retry
   0       0      0      0-1        76   Prompt
   0-1     0      0      0          77   Connect-Info
   0       0+     0      0          78   Configuration-Token
   0+      0+     0+     0+         79   EAP-Message [Note 1]
   0-1     0-1    0-1    0-1        80   Signature [Note 1]
   0       0-1    0      0-1        84   ARAP-Challenge-Response
   0       0-1    0      0          85   Acct-Interim-Interval
   0-1     0      0      0          87   NAS-Port-Id            (new in -04)
   0       0-1    0      0          88   Framed-Pool            (new in -04)
   Request Accept Reject Challenge   #   Attribute

   [Note 1] An Access-Request that contains either a User-Password or
   CHAP-Password or ARAP-Password or one or more EAP-Message attributes
   MUST NOT contain more than one type of those four attributes. If it
   does not contain any of those four attributes, it SHOULD contain a
   Signature. If any packet type contains an EAP-Message attribute it
   MUST also contain a Signature.

   The following table defines the above table entries.

   0     This attribute MUST NOT be present
   0+    Zero or more instances of this attribute MAY be present.
   0-1   Zero or one instance of this attribute MAY be present.
   1     Exactly one instance of this attribute MUST be present.
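An added example, not taken from the draft or from any RADIUS implementation, written in C because the -04 text warns C implementers off strcpy(). It constructs Access-Request packets with placeholder Authenticator and Signature bytes (not computed values) and applies three rules from the page: discard on an invalid attribute Length, the -04 ban on zero-length strings, and [Note 1] (at most one credential attribute; EAP-Message requires Signature). The function names and the demo scenarios are my own.

```c
/* Added example for draft-ietf-radius-ext-04 section 5 and [Note 1].
   Attribute numbers 1-3 are from RFC 2138; 70, 79, 80, 87 and 88 are
   from the draft's attribute table. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum {
    ATTR_USER_NAME = 1, ATTR_USER_PASSWORD = 2, ATTR_CHAP_PASSWORD = 3,
    ATTR_ARAP_PASSWORD = 70, ATTR_EAP_MESSAGE = 79, ATTR_SIGNATURE = 80,
    ATTR_NAS_PORT_ID = 87, ATTR_FRAMED_POOL = 88
};

enum verdict {
    PKT_OK = 0,        /* passes every check below */
    PKT_BAD_LENGTH,    /* header or attribute Length inconsistent: discard request */
    PKT_EMPTY_STRING,  /* zero-length string attribute, forbidden since -04 */
    PKT_MULTI_CRED,    /* more than one of User-/CHAP-/ARAP-Password, EAP-Message */
    PKT_NO_SIGNATURE   /* EAP-Message present without a Signature attribute */
};

#define RADIUS_HDR_LEN 20 /* Code(1) Identifier(1) Length(2) Authenticator(16) */
#define MAX_PKT 4096

/* Start an Access-Request (Code 1) with a constructed, fixed Authenticator. */
static size_t start_access_request(uint8_t *pkt, uint8_t id)
{
    memset(pkt, 0, RADIUS_HDR_LEN);
    pkt[0] = 1;
    pkt[1] = id;
    pkt[3] = RADIUS_HDR_LEN;
    memset(pkt + 4, 0xA5, 16); /* placeholder, not a random Request Authenticator */
    return RADIUS_HDR_LEN;
}

/* Append one attribute and keep the header Length field in sync. Values are
   copied by explicit length (memcpy, never strcpy) because they may hold NULs. */
static int append_attr(uint8_t *pkt, size_t *len, uint8_t type,
                       const void *value, size_t vlen)
{
    if (vlen > 253 || *len + 2 + vlen > MAX_PKT) return -1;
    pkt[*len] = type;
    pkt[*len + 1] = (uint8_t)(2 + vlen);
    memcpy(pkt + *len + 2, value, vlen);
    *len += 2 + vlen;
    pkt[2] = (uint8_t)(*len >> 8);
    pkt[3] = (uint8_t)(*len & 0xff);
    return 0;
}

/* Copy a string value out of an attribute using its explicit length. The
   result is deliberately not NUL-terminated: the wire string is not either. */
size_t radius_string_copy(uint8_t *dst, size_t cap, const uint8_t *value, size_t vlen)
{
    size_t n = vlen < cap ? vlen : cap;
    memcpy(dst, value, n);
    return n;
}

/* Walk the attributes of an Access-Request and return the first failing rule. */
int check_access_request(const uint8_t *pkt, size_t pkt_len)
{
    int seen[256] = {0};
    size_t off = RADIUS_HDR_LEN;

    if (pkt_len < RADIUS_HDR_LEN) return PKT_BAD_LENGTH;
    if ((((size_t)pkt[2] << 8) | pkt[3]) != pkt_len) return PKT_BAD_LENGTH;
    while (off < pkt_len) {
        if (pkt_len - off < 2) return PKT_BAD_LENGTH; /* no room for Type+Length */
        uint8_t type = pkt[off], len = pkt[off + 1];
        if (len < 2 || len > pkt_len - off) return PKT_BAD_LENGTH; /* invalid Length */
        if (len == 2 && (type == ATTR_USER_NAME || type == ATTR_EAP_MESSAGE ||
                         type == ATTR_NAS_PORT_ID || type == ATTR_FRAMED_POOL))
            return PKT_EMPTY_STRING;
        seen[type] = 1;
        off += len;
    }
    if (seen[ATTR_USER_PASSWORD] + seen[ATTR_CHAP_PASSWORD] +
        seen[ATTR_ARAP_PASSWORD] + seen[ATTR_EAP_MESSAGE] > 1) return PKT_MULTI_CRED;
    if (seen[ATTR_EAP_MESSAGE] && !seen[ATTR_SIGNATURE]) return PKT_NO_SIGNATURE;
    return PKT_OK;
}

/* Constructed scenarios 0-4; each returns check_access_request's verdict. */
int demo(int scenario)
{
    static const uint8_t eap[] = {2, 1, 0, 10, 1, 'a', 'l', 'i', 'c', 'e'}; /* EAP-Response/Identity */
    uint8_t pkt[MAX_PKT], blob[16] = {0}; /* placeholder password / Signature bytes */
    size_t len = start_access_request(pkt, (uint8_t)scenario);
    append_attr(pkt, &len, ATTR_USER_NAME, "alice", 5);
    switch (scenario) {
    case 0: /* EAP-Message with Signature: valid */
        append_attr(pkt, &len, ATTR_EAP_MESSAGE, eap, sizeof eap);
        append_attr(pkt, &len, ATTR_SIGNATURE, blob, sizeof blob);
        break;
    case 1: /* EAP-Message without Signature */
        append_attr(pkt, &len, ATTR_EAP_MESSAGE, eap, sizeof eap);
        break;
    case 2: /* two credential types in one request */
        append_attr(pkt, &len, ATTR_USER_PASSWORD, blob, sizeof blob);
        append_attr(pkt, &len, ATTR_CHAP_PASSWORD, blob, sizeof blob);
        break;
    case 3: /* attribute Length runs past the end of the packet */
        append_attr(pkt, &len, ATTR_NAS_PORT_ID, "S0/1", 4);
        pkt[len - 5] = 40;
        break;
    case 4: /* zero-length Framed-Pool: allowed by -03, forbidden by -04 */
        append_attr(pkt, &len, ATTR_FRAMED_POOL, "", 0);
        break;
    }
    return check_access_request(pkt, len);
}

/* NAS-Port-Id with an embedded NUL: strcpy would stop after "eth". */
size_t demo_embedded_nul(void)
{
    static const uint8_t port[] = {'e', 't', 'h', 0, '0', '/', '1'};
    uint8_t out[64];
    return radius_string_copy(out, sizeof out, port, sizeof port);
}

int main(void)
{
    for (int s = 0; s < 5; s++) printf("scenario %d -> verdict %d\n", s, demo(s));
    printf("embedded-NUL copy length: %zu\n", demo_embedded_nul());
    return 0;
}
```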
6. Security Considerations

   Old (-03):
   Security issues are the primary topic of this document.

   New (-04):
   The attributes other than Signature and EAP-Message in this document
   have no additional security considerations beyond those already
   identified in RFC 2138 [1].

6.1. Signature Security   (new in -04)

   Access-Request packets with a User-Password establish the identity of
   both the user and the NAS sending the Access-Request, because of the
   way the shared secret between NAS and RADIUS server is used.

   Access-Request packets with CHAP-Password or EAP-Message do not have
   a User-Password attribute, so the Signature attribute should be used
   in access-request packets that do not have a User-Password, in order
   to establish the identity of the NAS sending the request.

6.2. EAP Security   (heading new in -04)

   Since the purpose of EAP is to provide enhanced security for PPP
   authentication, it is critical that RADIUS support for EAP be secure.
   In particular, the following issues must be addressed:

      Separation of EAP server and PPP authenticator
      Connection hijacking
      Man in the middle attacks
      Multiple databases
      Negotiation attacks

6.2.1. Separation of EAP server and PPP authenticator   (6.1 in -03)

   It is possible for the EAP endpoints to mutually authenticate,
   negotiate a ciphersuite, and derive a session key for subsequent use
   in PPP encryption.

   This does not present an issue on the peer, since the peer and EAP
   client reside on the same machine; all that is required is for the
   EAP client module to pass the session key to the PPP encryption
   module.

   Old (-03): The situation may be more complex when EAP/RADIUS is used,
   since the
   New (-04): The situation is more complex when EAP is used with RADIUS,
   since the
   PPP authenticator will typically not reside on the same machine as
   the EAP server. For example, the EAP server may be a backend security
   server, or a module residing on the RADIUS server.

   In the case where the EAP server and PPP authenticator reside on
   different machines, there are several implications for security.
   Firstly, mutual authentication will occur between the peer and the
   EAP server, not between the peer and the authenticator. This means
   that it is not possible for the peer to validate the identity of the
   NAS or tunnel server that it is speaking to.

[skipping to change at page 39, line 47 (-03) / page 42, line 5 (-04)]

   The second issue that arises in the case of an EAP server and PPP
   authenticator residing on different machines is that the session key
   negotiated between the peer and EAP server will need to be
   transmitted to the authenticator. Therefore a mechanism needs to be
   provided to transmit the session key from the EAP server to the
   authenticator or tunnel server that needs to use the key. The
   specification of this transit mechanism is outside the scope of this
   document.

6.2.2. Connection hijacking   (6.2 in -03)

   In this form of attack, the attacker attempts to inject packets into
   the conversation between the NAS and the RADIUS server, or between
   the RADIUS server and the backend security server. RADIUS does not
   support encryption, and as described in [1], only Access-Reply and
   Access-Challenge packets are integrity protected. Moreover, the
   integrity protection mechanism described in [1] is weaker than that
   likely to be used by some EAP methods, making it possible to subvert
   those methods by attacking EAP/RADIUS.

   In order to provide for authentication of all packets in the EAP
   exchange, all EAP/RADIUS packets MUST be authenticated using the
   Signature attribute, as described previously.

6.2.3. Man in the middle attacks   (6.3 in -03)

   Since RADIUS security is based on shared secrets, end-to-end security
   is not provided in the case where authentication or accounting
   packets are forwarded along a proxy chain. As a result, attackers
   gaining control of a RADIUS proxy will be able to modify EAP packets
   in transit.

6.2.4. Multiple databases   (6.4 in -03)

   In many cases a backend security server will be deployed along with a
   RADIUS server in order to provide EAP services. Unless the backend
   security server also functions as a RADIUS server, two separate user
   databases will exist, each containing information about the security
   requirements for the user. This represents a weakness, since security
   may be compromised by a successful attack on either of the servers,
   or their backend databases. With multiple user databases, adding a
   new user may require multiple operations, increasing the chances for
   error. The problems are further magnified in the case where user
   information is also being kept in an LDAP server. In this case, three
   stores of user information may exist.

   In order to address these threats, consolidation of databases is
   recommended. This can be achieved by having both the RADIUS server
   and backend security server store information in the same backend
   database; by having the backend security server provide a full RADIUS
   implementation; or by consolidating both the backend security server
   and the RADIUS server onto the same machine.

6.2.5. Negotiation attacks   (6.5 in -03)

   In a negotiation attack, a rogue NAS, tunnel server, RADIUS proxy or
   RADIUS server causes the authenticating peer to choose a less secure
   authentication method so as to make it easier to obtain the user's
   password. For example, a session that would normally be authenticated
   with EAP would instead be authenticated via CHAP or PAP;
   alternatively, a connection that would normally be authenticated via
   one EAP type occurs via a less secure EAP type, such as MD5. The
   threat posed by rogue devices, once thought to be remote, has gained
   currency given compromises of telephone company switching systems,
   such as those
[skipping to change at page 45, line 7 (-03) / page 47, line 7 (-04)]

   Bernard Aboba
   Microsoft Corporation
   One Microsoft Way
   Redmond, WA 98052

   Phone: +1 425 936 6605
   E-Mail: bernarda@microsoft.com

11. Full Copyright Statement

   Old (-03): Copyright (C) The Internet Society (1997). All Rights Reserved.
   New (-04): Copyright (C) The Internet Society (1999). All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published and
   distributed, in whole or in part, without restriction of any kind,
   provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works. However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of

[skipping to change at line 1990 (-03) / line 2091 (-04)]

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."
End of changes. 26 change blocks; 44 lines changed or deleted, 146 lines changed or added.

This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/