INTERNET-DRAFT Murtaza S. Chiba Title: Cisco Systems, Inc. draft-chiba-radius-dynamic-authorization-05.txt Expires January 2002 Gopal Dommety Cisco Systems, Inc. Mark Eklund Cisco Systems, Inc. David Mitton Circular Logic, UnLtd. Aboba B. Microsoft August 2002 Dynamic Authorization Extensions to Remote Authentication Dial-In User Service (RADIUS) Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Distribution of this memo is unlimited. This document is an Internet-Draft. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet- Drafts as reference material or to cite them other than as ``work in progress.'' The list of current Internet-Drafts can be accessed at http://www.ietf.org/1id-abstracts.html The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html To view the entire list of current Internet-Drafts, please check the ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast). M. Chiba Expires January 2002 [Page 1] Internet Draft Dynamic Authorization Extensions August 2002 Abstract This document describes the current practices for allowing dynamic changes to a user session as implemented by network access server products providing the Remote Authentication Dial-In User Service. Namely it documents the current methods for disconnecting and changing data filters applicable to a user session. 1.0 Introduction The RADIUS protocol, defined in [RFC2865] does not support unsolicited messages sent from the RADIUS server to the NAS. However, there are many instances in which it is desirable for changes to be made to session characteristics without requiring the NAS to initiate the exchange. For example, it may be desirable for administrators to be able to terminate sessions in progress. Alternatively, if the user changes authorization level, this may require that data filters be added/deleted from the session. To overcome these limitations, various vendors have implemented additional RADIUS commands in order to be able to support unsolicited messages sent from the RADIUS server to the NAS. These extended commands provide support for: 1) Disconnect messages, and 2) Change of Filters messages The disconnect messages cause a user session to be terminated immediately, whereas change of filter messages modify the applicable data filters for the user session. The packet format consists of the fields: Code, Identifier, Length, Authenticator, and Attributes in the Type:Length:Value(TLV) formats. All the fields hold the same meaning as those described in RADIUS[1]. The Authenticator field must be calculated in the same way as is specified for an Accounting-Request in [RFC2866]. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Code | Identifier | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Authenticator | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Attributes ... +-+-+-+-+-+-+-+-+-+-+-+-+- M. Chiba Expires January 2002 [Page 2] Internet Draft Dynamic Authorization Extensions August 2002 2.0 Current Practices This draft outlines the details for Disconnect Messages and Change-of-Filters Messages that are commonly implemented. 2.1 Protocol Port Information For either type of request (Disconnect, or Change of Filters), the UDP port 1700 is used as the destination port. For responses, the source and destination ports are reversed. 2.2 Identification Attributes A number of attributes are used to uniquely identify a user session on the NAS and one, or more, of these should be present in either type of messages (Disconnect or, Change-of-Filters). The set of attributes includes the following: Username(1): This is the name of the user associated with the session Acct-Session-Id(44): This is derived from a RADIUS Accounting-Start Framed-IP-Address(8): This is the IP Address associated with the session NAS-Port(5): This is the Port on which the user connection is terminated NAS-Port-Type(61): The type of port used Note: The numbers in parenthesis denote the attribute numbers as documented in [1] & [3]. The ability to use all/some of the identifiers to map to unique/multiple session(s) is beyond the scope of this document. 2.3 Disconnect Messages (DM) A Disconnect packet is sent by the RADIUS server in order to terminate a user session on a NAS. The Disconnect packet is sent to UDP port 1700, and identifies the session to be terminated by inclusion of one or more identification attributes as described in the section 2.2 above. M. Chiba Expires January 2002 [Page 3] Internet Draft Dynamic Authorization Extensions August 2002 ---------- Disconnect-Request ---------- | | <-------------------- | | | NAS | | Client | | | Disconnect-Response | | | | ---------------------> | | ---------- ---------- Codes used [2]: 40 - Disconnect-Request 41 - Disconnect-ACK 42 - Disconnect-NAK A Disconnect Request is followed by a response of either, Disconnect-Ack, if the NAS successfully disconnects the user, or a Disconnect-NAK, if it was unable to disconnect the user. A Disconnect-Ack may contain the attribute Acct-Terminate-Cause (49) with the value set to 6 for Admin-Reset. 2.4 Change-of-Filters Messages(CoF) The CoF message packets contain information for dynamically changing data filters of a user's session. The data filters can be of either ingress, or egress kind, and are sent in addition to the identification attributes as described in section 2.2. The port used, and packet format, are the same as that for Disconnect Messages. The following attribute should be sent in a Change-of-Filters Request: Filter-ID (11) - Indicates the name of a data filter list to be applied for the session that the identification attributes map to. ---------- CoF Request ---------- | | <-------------------- | | | NAS | | Client | | | CoF Response | | | | ---------------------> | | ---------- ---------- Codes used [2]: 43 - CoF-Request 44 - CoF-ACK 45 - CoF-NAK M. Chiba Expires January 2002 [Page 4] Internet Draft Dynamic Authorization Extensions August 2002 A Change of Filter request is followed by a response of either, CoF-Ack if the NAS is able to successfully change the data filters for the user's session or, a CoF-NAK if it does not succeed. 3.0 Security Considerations The protocol exchanges described are susceptible to the same vulnerabilities as RADIUS and it is recommended that IPSec be employed to afford better security. Within RADIUS, a shared secret is used for hiding of attributes such as User-Password [1]. In addition, the shared secret is used in computation of the Response Authenticator [1], Therefore, in RADIUS a shared secret is used to provide confidentiality as well as integrity protection and authentication. As a result, only use of IPSEC ESP with a non-null transform can provide security services sufficient to substitute for RADIUS application-layer security. Therefore, where IPSEC AH or ESP null is used, it will typically still be necessary to configure a RADIUS shared secret. However, where RADIUS is run over IPSEC ESP with a non-null transform, the secret shared between the NAS and the RADIUS server may not be configured. In this case, a shared secret of zero length must be assumed [7]. Additionally, when IPsec is used with RADIUS, DES-CBC should not be used as the encryption transform, and per-packet replay protection and authentication must be used. A typical IPsec policy for an IPsec-capable RADIUS client is "Initiate IPsec, from me to any, destination port UDP 1812", similarly for clients implementing this specification the policy would be "Initiate IPsec, from me to any, destination port UDP 1700". This causes an IPsec SA to be set up by the RADIUS client prior to sending RADIUS traffic to any RADIUS server. If some RADIUS servers contacted by the client do not support IPsec, then a more granular policy will be required. For an IPsec-capable RADIUS server, a typical IPsec policy is "Accept IPsec, from any to me, destination port 1812" and for servers implementing this specification the policy would be "Accept IPsec, from any to me, destination port 1700". This causes the RADIUS server to accept (but not require) use of IPsec. It may not be appropriate to require IPsec for all RADIUS clients connecting to an IPsec-enabled RADIUS server, since some RADIUS clients may not support IPsec. M. Chiba Expires January 2002 [Page 5] Internet draft Dynamic Authorization Extensions August 2002 Where no RADIUS shared secret is configured, and IPsec with ESP and non-null transform is used for security, it is important that trust be demonstrated between the RADIUS client and RADIUS server by some means. For example, it would not be wise to enable any host with a certificate chaining to a trusted root to act as a RADIUS client, unless that host were specifically authorized to provide network access. This can be accomplished by configuring the RADIUS server to expect communication from a RADIUS client, either by configuring it with the machine name of the RADIUS client (expected to be present in the certificate), or its IP address. Alternatively, if a separate CA exists for RADIUS clients, then the RADIUS server can configure this CA as a trusted root for use with IPsec. However, since unlike SSL/TLS, IKE does not permit certificate policies to be set on a per-port basis, such a policy would need to apply to all uses of IPsec on RADIUS clients and servers. Thus, assuming that only certificate authentication is supported in the deployment, a management station initiating an IPSec-protected telnet session to the RADIUS server would need to obtain a certificate chaining to the RADIUS client CA. Issuing such a certificate might not be appropriate if the management station was not authorized as a RADIUS client." Since this specification utilizes the Request Authenticator field for integrity protection and authentication, rather than as a nonce, no liveness or protection against replay is provided by the RADIUS header. Where IPsec is not used, in order to provide replay protection, the Event-Timestamp (55) attribute, described in [4] SHOULD be included. When this attribute is present, the RADIUS server MUST check that the Event-Timestamp is current within an acceptable time window. This implies the need for time synchronization within the network, which can be achieved using secure NTP, as described in [6]. A default time window of 300 seconds is recommended. 4.0 Example Traces of current Disconnect Requests Disconnect Request with Username: 0: xxxx xxxx xxxx xxxx xxxx 2801 001c 1b23 .B.....$.-(....# 16: 624c 3543 ceba 55f1 be55 a714 ca5e 0108 bL5C..U..U...^.. 32: 6d63 6869 6261 Disconnect Request with Acct-Session-ID: 0: xxxx xxxx xxxx xxxx xxxx 2801 001e ad0d .B..... ~.(..... 16: 8e53 55b6 bd02 a0cb ace6 4e38 77bd 2c0a .SU.......N8w.,. 32: 3930 3233 3435 3637 90234567 M. Chiba Expires January 2002 [Page 6] Internet draft Dynamic Authorization Extensions August 2002 Disconnect Request with Framed-IP-Address: 0: xxxx xxxx xxxx xxxx xxxx 2801 001a 0bda .B....."2.(..... 16: 33fe 765b 05f0 fd9c c32a 2f6b 5182 0806 3.v[.....*/kQ... 32: 0a00 0203 5.0 Normative References [1] Rigney, C., Rubens, A., Simpson, W. and S. Willens, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000. [2] Mitton, D., "Network Access Server Requirements: Extended RADIUS Practices", RFC 2882, July 2000. [3] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000. [4] Rigney, C., Willats W., Calhoun P., "RADIUS Extensions", RFC 2869, June 2000. [5] Mills, D. L., "Network Time Protocol (version 3) Specification, Implementation and Analysis, RFC 1305 March, 1992. [6] Mills, D., "Public Key Cryptography for the Network Time Protocol", Internet draft (work in progress), draft-ietf-stime-ntpauth-03.txt, February 2002. [7] Aboba, B., Zorn, G., Mitton, D., "RADIUS and IPv6", RFC 3162, August 2001. 6.0 Copyright Copyright (C) The Internet Society (2000). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. M. Chiba Expires January 2002 [Page 7] Internet draft Dynamic Authorization Extensions August 2002 This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 7.0 Acknowledgements Funding for the RFC Editor function is currently provided by the Internet Society. This protocol function was first developed and distributed by Ascend Communications. Example code was distributed in their free server kit. This document removes vendor specific functions and attributes so that it interoperates with other implementations. The authors would like to acknowledge the valuable suggestions and feedback from the following people: Randy Bush, Glen Zorn, Mark Jones, Claudio Lapidus and Anurag Batta. 8.0 Authors' Addresses Murtaza Chiba Gopal Dommety Mark Eklund Cisco Systems, Inc. Cisco Systems, Inc. Cisco Systems, Inc. 170 West Tasman Dr. 170 West Tasman Dr. 170 West Tasman Dr. San Jose, CA 95134 San Jose, CA 95134 San Jose, CA 95134 Tel: (408) 525-7198 Tel: (408) 525-1404 Tel: (865) 671-6255 mchiba@cisco.com gdommety@cisco.com meklund@cisco.com David Mitton Bernard Aboba Circular Logic UnLtd. Microsoft Corporation 733 Turnpike Street #154 One Microsoft Way North Andover, MA 01845 Redmond, WA 98052 Tel: 978 683-1814 Tel: +1 425 706 6605 david@mitton.com bernarda@microsoft.com