ROAMOPS Working Group Bernard Aboba INTERNET-DRAFT Microsoft Corporation Category: Standards Track John R. Vollbrecht Merit Networks, Inc. 21 July 1997 Glen Zorn Microsoft Guidelines for the Secure Operation of RADIUS Proxies in Roaming 1. Status of this Memo This document is an Internet-Draft. Internet-Drafts are working docu- ments of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute work- ing documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference mate- rial or to cite them other than as "work in progress." To learn the current status of any Internet-Draft, please check the "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow Directories on ds.internic.net (US East Coast), nic.nordu.net (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim). The distribution of this memo is unlimited. It is filed as , and expires February 1, 1998. Please send comments to the authors. 2. Abstract Today, RADIUS proxy chaining is widely deployed for the purposes of providing roaming services. This document provides guidelines for the secure operation of RADIUS proxies within roaming systems. 2.1. Terminology This document frequently uses the following terms: Network Access Server The Network Access Server (NAS) is the device that clients contact in order to get access to the network. RADIUS server This is a server which provides for authentication/autho- rization via the protocol described in [3], and for account- ing as described in [4]. Aboba, Vollbrecht & Zorn [Page 1] INTERNET-DRAFT 21 July 1997 RADIUS proxy In order to provide for the routing of RADIUS authentication and accounting requests, a RADIUS proxy can be employed. To the NAS, the RADIUS proxy appears to act as a RADIUS server, and to the RADIUS server, the proxy appears to act as a RADIUS client. Network Access Identifier In order to provide for the routing of RADIUS authentication and accounting requests, the userID field used in PPP (known as the Network Access Identifier or NAI) and in the subse- quent RADIUS authentication and accounting requests, can contain structure. This structure provides a means by which the RADIUS proxy will locate the RADIUS server that is to receive the request. Roaming relationships Roaming relationships include relationships between compa- nies and ISPs, relationships among peer ISPs within a roam- ing association, and relationships between an ISP and a roaming consortia. Together, the set of relationships form- ing a path between a local ISP's authentication proxy and the home authentication server is known as the roaming rela- tionship path. 3. Introduction Today, as described in [1], RADIUS proxy chaining is widely deployed for the purposes of providing roaming services. In such systems, RADIUS authentication and accounting packets are routed between a NAS device and a home RADIUS server through a series of RADIUS proxies. The purpose of this document is to provide guidelines for the secure operation of such systems. An example of such a proxy chaining system is shown below. (request) (request) (request) NAS ----------> Proxy1 ----------> Proxy2 ----------> Home RADIUS (reply) (reply) (reply) Server <--------- <--------- <--------- In the above diagram, the NAS generates a RADIUS request and sends it to Proxy1. Proxy1 forwards the request to Proxy2 and Proxy2 forwards the request to the Home Server. The Home Server generates a reply and returns it to Proxy2. Proxy2 receives the reply, matches it with the request it had sent, and forwards a reply to Proxy1. Proxy1 matches the reply with the request it sent earlier and forwards a reply to the NAS. This model applies to all RADIUS requests, including Access Requests and Accounting Requests. RADIUS proxies implementing policy MAY send a reply without forwarding the request. An example of this would be when the proxy refuses all connections from a particular realm during prime time. In this case Aboba, Vollbrecht & Zorn [Page 2] INTERNET-DRAFT 21 July 1997 the home server will never receive the Access-Request. This situation is shown below: (request) (request) NAS ----------> Proxy1 ----------> Proxy2 Home RADIUS (reply) (reply) Server <--------- <--------- The proxy SHOULD reply directly only to Access-Requests and SHOULD NOT reply directly to Accounting-Requests. When replying directly to an Access-Request, the proxy MUST reply either with an Access-Reject or an Access-Challenge packet. A RADIUS proxy MUST NOT reply directly with an Access-Accept. A proxy forwarding a request SHOULD NOT send a reply to a request until it has received a reply from the server or proxy to which it sent the corresponding request. The effect of this is that the NAS will never see a reply which was not initiated by the home server. A less pleasant consequence is that the delay between request and reply at the NAS will be longer than if the reply were "faked" by a proxy. A proxy MAY decide to Reject a Request that has been accepted by the home server. This could be based on the set of attributes returned by the home server. In this case the Proxy SHOULD send an Access-Reject to the NAS and an Accounting message with Acct-Status-Type=Proxy-Stop to the home server. This lets the Home Server know that the Session it approved has been denied downstream by the Proxy. However, a proxy MUST NOT send an Access-Accept after receiving an Access-Reject from the home server. (AccReq) (AccReq) (AccReq) NAS ----------> Proxy1 ----------> Proxy2 ----------> Home RADIUS (AccRejct) (AccAccpt) (AccAccpt) Server <--------- <--------- <--------- (AcctPxStop) (AcctPxStop) ----------> ----------> Home servers SHOULD insert a unique session identifier in the Class attribute in an Access-Accept and Access-Challenge. Proxies and NASes MUST forward the Class attribute. The NAS MUST include the Class attribute in subsequent requests, in particular for Accounting- Requests. The Class attribute can be used to match accounting requests with prior access requests. It can also be used to match session log records between the home Server, proxies, and NAS. The sequence of events is shown below: --------> --------> ---------> Aboba, Vollbrecht & Zorn [Page 3] INTERNET-DRAFT 21 July 1997 NAS Proxy1 Proxy2 Home (add class) <-class-- <-class- <-class-- In RADIUS proxy chaining, the forwarding function is carried out based on the realm portion of the Network Access Identifier (NAI), defined in [9]. While the mechanism by which the path is selected is implemen- tation dependent, existing implementations typically use static for- warding tables set in their configuration files. While the RADIUS protocol described in [3] does not provide for authentication of Access-Requests, such authentication is possible using the Signature attribute described in [5]. Proxies MUST include the Signature attribute in all Access-Requests. Since the RADIUS pro- tocol, described in [3], does support authentication of Access-Reply packets, the Signature attribute is not required in an Access-Reply. 4. Trust models In conventional ISP application, the NAS, RADIUS proxy, and RADIUS server typically exist within a single administrative entity. As a result, the RADUS proxy and RADIUS server may be considered to be trusted components. However, in a roaming system implemented with proxy chaining, the NAS, RADIUS proxies, and RADIUS server may be managed by different adminis- trative entities. Through the use of shared secrets it is possible for RADIUS proxies operating in different domains to establish a trust relationship. However, since RADIUS packets are only authenticated on a hop-by-hop basis, proxy chaining systems deployed in roaming operate without end-to-end authentication. This means that in such systems security is only as strong as the weakest link in the proxy chain. Among other things, this implies that it is advisable to keep the chain as short as possible. To date, as described in [1], existing roaming implementations have been limited in scale, forwarding RADIUS packets over a maximum of two hops, or implementing star configura- tions with all systems connecting to a single trusted entity. Such configurations minimize trust issues. 5. Security issues Since current roaming implementations operate in more than 150 coun- tries and service millions of users, it is critical that RADIUS proxy chaining implementations be secure. In particular, protection must be provided against the following attacks: Theft of passwords Replay attacks Attribute editing Connection hijacking Authentication routing attacks Aboba, Vollbrecht & Zorn [Page 4] INTERNET-DRAFT 21 July 1997 Fraudulent accounting records 5.1. Theft of passwords In the case where clients authenticate using PAP, each RADIUS proxy along the path between the local NAS and the home RADIUS server will have access to the cleartext password. In many circumstances, this represents an unacceptable security risk, and as a result, it is rec- ommended that PAP SHOULD NOT be used in roaming. A possible exception to this recommendation occurs in situations where PAP is used in order to pass a one time password or token. 5.2. Replay attacks In this attack, a man in the middle or rogue RADIUS proxy collects CHAP-Challenge and CHAP-Response attributes, and later replays them. If this attack is performed in collaboration with an unscrupulous ISP, it can be used to subsequently submit fraudulent accounting records to the accounting agent for payment. The system performing the replay need not necessarily be the one that initially captured the CHAP Chal- lenge/Response pair. While such an attack has always been possible, without roaming the threat is restricted to RADIUS proxies operating in the home server's domain. With roaming, such an attack can be mounted by any RADIUS proxy capable of reaching the home RADIUS server. In order to detect replay attacks, RADIUS servers used in roaming SHOULD keep a log of CHAP challenges, so as to allow the log to be checked for replays. CHAP replay attacks can be defeated by means of an end-to-end chal- lenge-response exchange. For example, if the home RADIUS server returns an Access-Challenge packet containing a CHAP-Challenge attribute and maintains state with respect to outstanding challenges, replay attacks will not work. However, it should also be noted that end-to-end challenges (as prac- ticed within the EAP MD5 authentication method, or in the CHAP-Chal- lenge method described above) are subject to attacks by rogue RADIUS proxies. In such an attack a RADIUS proxy substitutes a static chal- lenge for the challenge sent by the home RADIUS server, and on receiv- ing the response, checks it against a databases of hashes applied against a dictionary. Use of the CHAP and PAP authentication methods may be avoided entirely by instructing the PPP authenticating peer to refuse these authentica- tion methods if offered. Aboba, Vollbrecht & Zorn [Page 5] INTERNET-DRAFT 21 July 1997 5.3. Attribute editing In this attack, a RADIUS proxy modifies an Access-Accept sent by the RADIUS server so as to lessen the security obtained by the client. For example, EAP attributes might be removed or modified so as to cause a client to authenticate with EAP MD5 or PAP, instead of a stronger authentication method. Alternatively, tunnel attributes might be removed or modified so as to remove encryption, redirect the tunnel to a rogue tunnel server, or otherwise lessen the security provided to the client. In order to prevent inappropriate modification of RADIUS attributes the table in Appendix A describe what attributes may be added, edited, deleted, or processed by authentication and accounting proxies. Inappropriate attribute editing need not occur du to acts of malice. The vast majority of such problems are likely to result from miscon- figuration of RADIUS proxies. In fact, it is expected that as roaming grows in popularity, attribute editing problems will become widespread. This is likely since several proxy implementations remove attributes that they do not understand, or can be set up to replace attribute sets sent in the Access-Accept with sets of attributes appropriate for a particular network. Since RADIUS only provides for hop-by-hop authentication, it is not possible to provide end-to-end integrity checks within proxy chaining systems. However, in order to provide for detection of inappropriate attribute editing, local RADIUS proxies and home RADIUS servers SHOULD implement auditing functionality. For example, the local RADIUS proxy SHOULD include RADIUS attributes received in the Access-Accept within the session record or Accounting- Start message for the session. Similarly, home RADIUS servers SHOULD log the contents of RADIUS Access-Replies sent, and SHOULD periodi- cally check for discrepancies between attributes sent in RADIUS Access-Replies, and attributes received by local proxies. In order to prevent intermediate proxies from modifying accounting records, accounting records SHOULD NOT travel the same path taken by RADIUS authentication. Instead, accounting records SHOULD be sent directly between the local proxy and the systems requiring copies of the accounting records. 5.4. Connection hijacking In this form of attack, the attacker attempts to inject packets into the conversation between the NAS and the home RADIUS server. RADIUS as described in [3] is vulnerable to such attacks since only Access-Reply and Access-Challenge packets are authenticated. In order to provide for authentication of Access-Request packets, RADIUS proxies operating in roaming systems MUST support the Signature attribute, as decribed in [9]. RADIUS proxies used in roaming imple- mentations MUST check for the presence of the Signature attribute in Aboba, Vollbrecht & Zorn [Page 6] INTERNET-DRAFT 21 July 1997 Access-Requests forwarded to them from other proxies, and MUST silently discard Access-Request packets missing the Signature attribute or failing authentication. RADIUS proxies operating in roam- ing systems also MUST include a Signature attribute in all forwarded Access-Request packets. 5.5. Authentication routing attacks In roaming, one of the functions of the RADIUS proxy is to route authentications between domains. Authentication routing attacks affect the core of a roaming system by modifying authentication rout- ing information, thus disabling the system or causing RADIUS packets to be routed inappropriately. Since to date roaming has been implemented on a relatively small scale, existing implementations perform authentication routing based on local knowledge expressed in proxy configuration files. To date implementations have not found a need for dynamic routing protocols, or propagation of global routing information. Since authentication routing information is fundamental to the opera- tional of a roaming system, routing information SHOULD be propagated using an transfer method supporting mutual authentication, such as Kerberized rcp, SSH or TLS. Since all RADIUS packets used in roaming are secured by a shared secret, such attacks will not rsult in more than a denial of service, as long as the attacker did not also obtain the shared secrets. As with attribute editing, it is expected that most problems of this type will result from misconfiguration of RADIUS proxies. In order to detect such misconfigurations, RADIUS proxies participating in roaming MUST implement the Route attribute described below. The Route attribute provides trace route and/or source route capabilities. This allows a local RADIUS proxy to specify a route through which an Access-Request must travel, or for a home RADIUS server to determine whether to authorize Access-Requests routed on a given roaming rela- tionship path. A RADIUS proxy receiving a Route attribute with the Trace option set MUST append the domain of the system from which it received the packet to the end of the Route attribute prior to forwarding it. 5.6. Fraudulent accounting records In this form of attack, a local RADIUS proxy transmits fraudulent accounting packets or session records to the accounting agent in an effort to collect fees to which they are not entitled. In order to detect submission of fraudulent accounting records by an unscrupulous ISP, the the accounting gateway SHOULD send copies of session records to all parties with a financial interest in the Aboba, Vollbrecht & Zorn [Page 7] INTERNET-DRAFT 21 July 1997 session. Parties receiving copies of these session records SHOULD reconcile them with logs of proxied authentications. In order to make it easier to match RADIUS authentication logs with accounting records, RADIUS servers involved in roaming SHOULD include a Class attribute in the Access-Accept. The Class attribute should uniquely identify a session, so as to allow an authentication log entry to be matched with a corresponding accounting record. In order to be able to match accounting records with logs of proxied RADIUS authentications, accounting agents SHOULD require that they act as an authentication proxy for all sessions for which an accounting record will subsequently be submitted. 6. Proposed RADIUS attributes for use in roaming 6.1. Route Description In a roaming implementation based on proxy chaining, RADIUS packets are routed between the NAS and RADIUS server through a series of RADIUS proxies. This attribute allows for the authentication route taken by a RADIUS Access-Request, Access-Challenge, or Access-Reply packet to be recorded within the packet, or alternatively, for a source-route to be specified. RADIUS proxies receiving an Access- Request message with a Source-Route attribute MUST either honor the attribute or return an Access-Reject. A summary of the Route attribute format is shown below. The fields are transmitted from left to right. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Flags | String +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | String... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type ? for Route Length >=3 Flags The Flags field indicates the intended purpose of the Route Aboba, Vollbrecht & Zorn [Page 8] INTERNET-DRAFT 21 July 1997 attribute: 0 0 1 2 3 4 5 6 7 8 +-+-+-+-+-+-+-+-+ |T S L D R R R R| +-+-+-+-+-+-+-+-+ T = Trace. If T=1, then the string represents a trace route request, and a RADIUS proxy receiving a Route option set MUST append the domain of system from which it received the packet to the end of the Route prior to forwarding it. S = Source route. If S=1 then the string field represents a source route. L = Loose. If L=1 and S=1, then the string field represents a loose source route. If L=0 and S=1, then the route represents a strict source route. The combinations S=0, L=1 and T=1, S=1 are not permitted. R = Reserved. D = Direction. If D=1, the Route attribute is relevant to an Access-Request or Accounting-Request packet; if D=0, the Route attribute is relevant to an Access-Reply, Access-Challenge or Accounting-Reply packet. String The String field includes the route, which is represented as a series of domains separated by the "/" character. For example, a valid source route is ispb.com/ispgroup.com/ispa.com/bigco.com/. If trace routing is used, then a RADIUS proxy receiving a packet from another proxy MUST append the domain of the sender onto the end of the Route attribute, prior to forwarding it. Note that the Route attribute is represented as a domain path, NOT a path comprised of the IP addresses or fully qualified domain names of the RADIUS proxies themselves. Thus, it is expected that RADIUS proxies implementing the Route attribute will be able to trans- late the IP address of the sending proxy into the appropriate domain for use in the Route attribute. This is typically accom- plished through proxy configuration files. Since a single RADIUS attribute may only be 253 octets in length, if the Route attribute is larger than this, it may be necessary to split the contents across multiple Route attributes. In order to permit Route attributes to exceed 253 octets, Route attributes with identical values of the Flags field are to be concatenated prior to interpretation. However, Route attributes with different values of the Flags field MUST NOT be concatenated, since it is possible for multi- ple Route attributes to be required within a packet. For exam- ple, it is possible for a packet to contain one Route attribute with T=1,S=0 indicating a trace request, and another Route attribute with T=0, S=1, L=1, indicating the presence of a Loose Source route. In this case, a Loose Source Route is presented at the same time that it is requested that the actual route be recorded and returned. Aboba, Vollbrecht & Zorn [Page 9] INTERNET-DRAFT 21 July 1997 7. Appendix A: Allowable Proxy Behavior Proxies MAY interpret attributes they receive and MAY add attributes to Access-Request, Access-Reply, Access-Challenge, and Accounting- Request messages, as described below. Proxies MUST maintain attribute order when forwarding. A Proxy that adds attributes MUST precede the additional attributes with a "Proxy-State" attribute containing as its leading string the IP-Address of the Proxy. A Proxy may need to translate some attributes to support a particular service. Translation should be done only to support a common service, and only at the Proxy closest to the NAS. Translation could be done to support a common set of IP filters on NASs from different vendors. A local proxy (a proxy downstream from a NAS) MAY edit or delete attributes within Access-Requests, as provided below. An intermediate proxy (a proxy downstream from another proxy) SHOULD NOT edit or delete attributes when forwarding Access-Requests. Local proxies MAY edit or delete attributes in an Access-Reply, as provided below, if the downstream server is a NAS which is not able to interpret some attributes. Intermediate proxies SHOULD NOT edit or delete attributes in an Access-Reply. AUTHENTICATION Request Accept Reject Challenge # Attribute E A 1 User-Name [note 1] PD 2 User-Password [note 2] A 3 CHAP-Password [note 2] AED 4 NAS-IP-Address AED 5 NAS-Port AE AE 6 Service-Type AE AE 7 Framed-Protocol AED AED 8 Framed-IP-Address AED AED 9 Framed-IP-Netmask AED 10 Framed-Routing AE 11 Filter-Id AED 12 Framed-MTU AED AED 13 Framed-Compression AE AE 14 Login-IP-Host AE 15 Login-Service AE 16 Login-TCP-Port AE AE AE 18 Reply-Message AE AE 19 Callback-Number [note 3] A 20 Callback-Id AED 22 Framed-Route AED 23 Framed-IPX-Network AE AE AE 24 State AE 25 Class AED AED AED 26 Vendor-Specific AE AE 27 Session-Timeout AE AE 28 Idle-Timeout AE 29 Termination-Action AE 30 Called-Station-Id [note 3] Aboba, Vollbrecht & Zorn [Page 10] INTERNET-DRAFT 21 July 1997 AED 31 Calling-Station-Id [note 4] AED 32 NAS-Identifier AP AP AP AP 33 Proxy-State AE AE 34 Login-LAT-Service AE AE 35 Login-LAT-Node AE AE 36 Login-LAT-Group AE 37 Framed-AppleTalk-Link AED 38 Framed-AppleTalk-Network AED 39 Framed-AppleTalk-Zone 60 CHAP-Challenge AE 61 NAS-Port-Type AE AE 62 Port-Limit AE AE 63 Login-LAT-Port 64 Tunnel-Type 65 Tunnel-Medium-Type 67 Tunnel-Server-Endpoint P 69 Tunnel-Password AP 70 ARAP-Password AE AE 71 ARAP-Features AE 72 ARAP-Zone-Access A A 73 ARAP-Security A A 74 ARAP-Security-Data ED 75 Password-Retry AE 76 Prompt 77 Connect-Info AED 78 Configuration-Token 79 EAP-Message AP 80 Signature Request Accept Reject Challenge # Attribute 1. A proxy may strip the realm from the User-Name, so as to provide compatibiltiy with proxies that cannot handle this. 2. Use of PAP is considered undesirable in roaming, since each RADIUS proxy handling the Access-Request will have access to the cleartext password. As a result, if the user uses PAP to authenticate with the NAS, and the NAS sends the User-Password to the proxy (secure network) the proxy may convert it to CHAP before sending it to the home server (insecure network). In some situations this would be desirable (fewer proxies would have access to the password), and in others it would be undesirable (the home NAS has no way to know that it was only PAP that was done). 3. A proxy may edit these attributes in order to make them more spe- cific. For example, the proxy might need to change Callback-Number = "7771111" to Callback-Number = "5107771111". 4. A proxy may wish to delete the Calling-Station-ID so as to protect the privacy of the caller. As with note 2 above, this attribute may be edited to make it more specific. ACCOUNTING Aboba, Vollbrecht & Zorn [Page 11] INTERNET-DRAFT 21 July 1997 Request Reply # Attribute 1 User-Name 2 User-Password 3 CHAP-Password AE 4 NAS-IP-Address AE 5 NAS-Port AE 6 Service-Type AE 7 Framed-Protocol AED 8 Framed-IP-Address AED 9 Framed-IP-Netmask AED 10 Framed-Routing AE 11 Filter-Id AED 12 Framed-MTU AED 13 Framed-Compression AE 14 Login-IP-Host AE 15 Login-Service AE 16 Login-TCP-Port 18 Reply-Message A 19 Callback-Number A 20 Callback-Id AED 22 Framed-Route AED 23 Framed-IPX-Network 24 State AE 25 Class AED 26 Vendor-Specific AE 27 Session-Timeout AE 28 Idle-Timeout AE 29 Termination-Action AED 30 Called-Station-Id AED 31 Calling-Station-Id AED 32 NAS-Identifier AP 33 Proxy-State AE 34 Login-LAT-Service AE 35 Login-LAT-Node AE 36 Login-LAT-Group AE 37 Framed-AppleTalk-Link AED 38 Framed-AppleTalk-Network AED 39 Framed-AppleTalk-Zone 40 Acct-Status-Type 41 Acct-Delay-Time [note 1] 42 Acct-Input-Octets 43 Acct-Output-Octets E 44 Acct-Session-Id [note 2] 45 Acct-Authentic 46 Acct-Session-Time 47 Acct-Input-Packets 48 Acct-Output-Packets 49 Acct-Terminate-Cause E 50 Acct-Multi-Session-Id [note 2] 51 Acct-Link-Count 60 CHAP-Challenge AE 61 NAS-Port-Type AE 62 Port-Limit AE 63 Login-LAT-Port Aboba, Vollbrecht & Zorn [Page 12] INTERNET-DRAFT 21 July 1997 64 Tunnel-Type 65 Tunnel-Medium-Type 66 Acct-Tunnel-Client-Endpoint 67 Tunnel-Server-Endpoint 68 Acct-Tunnel-Connection-ID 69 Tunnel-Password 70 ARAP-Password AE 71 ARAP-Features AE 72 ARAP-Zone-Access A 73 ARAP-Security A 74 ARAP-Security-Data ED 75 Password-Retry 76 Prompt 77 Connect-Info 78 Configuration-Token 79 EAP-Message 80 Signature Accounting Accounting Request Reply # Attribute 1. If the proxy can calculate the additional delay it is introducing, it should increment this. 2. The proxy may need to modify the NAS identification to hide private network information. In that case, it may forward packets with itself as the NAS, and will need to construct an Acct-Session-Id that is guaranteed to be unique. For example, if the proxy gets packets from 16 NASs, session '3478617' on the 11th NAS might be given the new ses- sion ID 'A3478617'. The following table defines the meaning of the above table entries. A This attribute MAY be added E This attribute MAY be edited. Editing is defined as a change beyond that required in hop-by-hop processing as described in [3]-[5]. D This attribute MAY be deleted. P This attribute MUST be processed as described in [3]-[5]. 8. Acknowledgments Thanks to Pat Calhoun of 3COM, Mark Beadles of CompuServe, Aydin Edguer of Morningstar, and Steven P. Crain of Shore.Net for useful discussions of this problem space. 9. References [1] B. Aboba, J. Lu, J. Alsop, J. Ding, W. Wang. "Review of Roaming Implementations." Internet draft (work in progress), draft-ietf- roamops-imprev-04.txt, Microsoft, Aimnet, i-Pass Alliance, Asiainfo, Aboba, Vollbrecht & Zorn [Page 13] INTERNET-DRAFT 21 July 1997 Merit, June, 1997. [2] B. Aboba, G. Zorn. "Dialing Roaming Requirements." Internet draft (work in progress), draft-ietf-roamops-roamreq-04.txt, Microsoft, June, 1997. [3] C. Rigney, A. Rubens, W. Simpson, S. Willens. "Remote Authenti- cation Dial In User Service (RADIUS)." RFC 2058, Livingston, Merit, Daydreamer, January, 1997. [4] C. Rigney. "RADIUS Accounting." RFC 2059, Livingston, January, 1997. [5] C. Rigney, W. Willats. "RADIUS Extensions." Internet draft (work in progress), draft-ietf-radius-ext-00.txt, Livingston, January, 1997. [6] R. Fielding, et al. "Hypertext Transfer Protocol - HTTP/1.1." RFC 2068, UC Irvine, January, 1997. [7] R. Rivest, S. Dusse. "The MD5 Message-Digest Algorithm", RFC 1321, MIT Laboratory for Computer Science, RSA Data Security Inc., April 1992. [8] S. Bradner. "Key words for use in RFCs to Indicate Requirement Levels." RFC 2119, Harvard University, March, 1997. [9] B. Aboba. "The Network Access Identifier." Internet draft (work in progress), draft-ietf-roamops-nai-06.txt, Microsoft, July 1997. 10. Authors' Addresses Bernard Aboba Microsoft Corporation One Microsoft Way Redmond, WA 98052 Phone: 425-936-6605 EMail: bernarda@microsoft.com John R. Vollbrecht Merit Network, Inc. 4251 Plymouth Rd. Ann Arbor, MI 48105-2785 Phone: 313-763-1206 EMail: jrv@merit.edu Glen Zorn Microsoft Corporation One Microsoft Way Redmond, WA 98052 Phone: 425-703-1559 Aboba, Vollbrecht & Zorn [Page 14] INTERNET-DRAFT 21 July 1997 EMail: glennz@microsoft.com Aboba, Vollbrecht & Zorn [Page 15]