Network Access Server Requirements                          David Mitton
Internet Draft                                              Bay Networks
Expires February 1999                                        August 1998

        Network Access Server Requirements Next Generation (NASREQNG)
                           Operational Model

Status of this Memo

This document is an Internet-Draft. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

To view the entire list of current Internet-Drafts, please check the "1id-abstracts.txt" listing contained in the Internet-Drafts Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net (Northern Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au (Pacific Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu (US West Coast).

This document is a draft submission to the proposed Network Access Server Requirements Next Generation (NASREQNG) Working Group of the Internet Engineering Task Force (IETF). Comments should be submitted to the mailing list nasreqng@tdmx.rutgers.edu.

Abstract

This document describes the terminology and an operational model of a typical Network Access Server (NAS). The purpose of this effort is to set the reference space for describing and evaluating NAS service protocols, such as RADIUS (RFC 2138, 2139) and follow-on efforts like Diameter (draft-calhoun-diameter-04.txt). These are protocols for carrying authentication, authorization, and user configuration information between a Network Access Server, which desires to authenticate its calls, and a shared Authentication Server.

Scope

There are several tradeoffs taken in this document. The purpose of this document is to describe a model for evaluating NAS service protocols.
It will mention examples of typical NAS hardware and software features, but these are not to be taken as hard limitations of the model, merely as illustrations of the point under discussion. An important goal of the model is to allow further development and expansion of capabilities in NAS development. As with most IETF projects, the focus is on standardizing the protocol interaction between the components of the system.

The documents produced will not address the following areas:

- AAA server back-end implementation is abstracted and not prescribed. The actual organization of the data in the server, its interfaces, and its capabilities are left to the implementation.

- NAS front-end call technology is not constrained; alternate and new technologies will be accommodated.

The resultant protocol specifications must be flexible in design to allow for new technologies and services to be added with minimal impact on existing implementations.

Specific Terminology

The following terms are used in this document in this manner:

- Call - the arrival of a telephone call, or the initiation of a network service request

- Session - the service provided to a specific authorized user

Network Access System Equipment Assumptions

A typical hardware-based NAS is implemented in a constrained system. It is important that the NAS protocols don't assume unlimited resources on the part of the platform. The following are typical constraints:

- A computer system of minimal to moderate performance (example processors: Intel 386 or 486, Motorola 68000)

- A moderate, but not large, amount of RAM (typically varies with the supported number of ports; 1MB to 8MB)

- Some small amount of non-volatile memory, and/or a way to be configured out-of-band

- No assumption of a local file system or disk storage

A NAS system may consist of a system of interconnected specialized processor units. Typically these are circuit boards (or blades) that are arrayed in a card cage (or chassis) and referred to by their position (i.e. slot number). The interconnection methods are typically proprietary and will not be addressed here.

A NAS is sometimes referred to as a Remote Access Server (RAS), as it typically allows remote access to a network. However, a more general picture is that of an "Edge Server", where the NAS sits on the edge of a network of some type and allows dynamic access to it. Such systems typically have:

- At least one LAN or high performance network interface (e.g. Ethernet, ATM, FR)

- At least one, but typically many, serial interface ports, which could:
  - be serial RS232 ports, direct wired or wired to a modem, or
  - have integral hardware or software modems (V.22bis, V.32, V.34, X2, Kflex, V.90, etc.), or
  - have direct connections to telephone network digital WAN lines (ISDN, T1, T3, NFAS, or SS7)

However, systems may perform some of the functions of a NAS but not have these kinds of hardware characteristics. An example would be an industry-standard personal computer server system that has several modem line connections. These lines will be managed like a dedicated NAS, but the system itself is a general file server. Likewise, with the development of tunneling protocols, tunnel server systems must behave like a "virtual" NAS, where the calls come from network tunneled sessions and not from hardware ports.

NAS Services

The core of what a NAS provides is dynamic network services. What distinguishes a NAS from a typical routing system is that these services are provided on a per-user basis, and accounted for. This accounting may lead to policies and controls that limit usage to appropriate levels based on the availability of network bandwidth, or on service agreements between the user and the provider.

Typical services include:

- dial-up or direct serial line access; the ability to access the network using the public telephone network.
- dial-out connections; the ability to cause the NAS to initiate a connection over the public telephone network, typically based on the arrival of traffic destined for a specific network system.

- callback (NAS generates call to caller); the ability to cause the NAS to reverse or initiate a network connection based on the arrival of a dial-in call.

- asynchronous terminal services (Telnet, Rlogin, LAT, others); the NAS implements the network protocol on behalf of the caller and presents a terminal interface.

- network access (SLIP, PPP, IPX, NETBEUI, ARAP); the NAS allows the caller to access the network directly.

- tunneling (from access connection to remote server); the NAS transports the caller's network packets over the Internet to a remote server using an encapsulation protocol.

Authentication, Authorization and Accounting (AAA) Servers

Because of the need to authenticate and account, and for practical reasons of implementation, NAS systems have come to depend on external server systems to implement authentication databases and accounting recording. By separating these functions from the NAS equipment, they can be implemented in general purpose computer systems that may provide better suited long term storage media and more sophisticated database software infrastructures. Furthermore, a centralized server allows the coordinated administration of many NAS systems as appropriate (for example, a server may service an entire POP).

For ease of management, there is a strong desire to piggyback NAS authentication information on other authentication databases, so that authentication information can be managed for several services (such as OS shell login, or Web Server access) from the same provider, without creating separate passwords and accounts for the user.

Session action information is stored and processed to produce accounting usage records. This is typically done with a long term (nightly, weekly or monthly) batch type process.
However, as network operations grow in sophistication, there are requirements to provide real-time monitoring of port and user status, so that the state information can be used to implement policy decisions and possibly to terminate access for administrative reasons. Typically only the NAS knows the true state of a session.

Typical NAS Operation Sequence

The following details a typical NAS operational sequence:

- Call arrival on port or network
  - Port:
    - auto-detect (or not) type of call
    - CLI/SLIP: prompt for username and password (if security set)
    - PPP: engage LCP, Authentication
    - Request authentication from AAA server
      - if okay, proceed to service
      - may challenge
      - may ask for password change/update
  - Network:
    - activate internal protocol server (telnet, ftp)
    - engage protocol's authentication technique
    - confirm authentication information with AAA server

- Call Management Services
  - Information from the telephone system arrives indicating that a call has been placed
  - The AAA server is consulted using the information supplied by the telephone system (typically Called or Calling number information)
  - The server indicates whether to respond to the call by answering it, or by returning a busy to the caller.
  - The server may also need to allocate a port to receive a call, and route it accordingly.

- Dial-out
  - packet destination matches a pre-configured outbound route
  - find profile information to set up the call
  - Request information from AAA server for call details

- VPN/Tunneling (mandatory)
  - authentication server identifies user as remote
  - tunnel protocol is invoked to a remote server
  - authentication information may be forwarded to the remote AAA server
  - if successful, the local link is given a remote identity

- Multi-link aggregation
  - after a new call is authenticated by the AAA server, if MP options are present, then other bundles with the same identifying information are searched for
  - bundle searches are performed across multiple systems
  - join calls that match authentication and originator identities as one network addressable data source with a single network IP address

- Hardwired (non-interactive) services
  - permanent WAN connections (FR)
  - permanent serial connections (printers)

Characteristics of systems and sessions

Sessions must have a user identifier and authenticator to complete the authentication process.

Accounting starts from the time of call or service, though finer details are allowed.

At the end of service, the call may be disconnected, or re-authentication may be allowed.

Some systems allow decisions on call handling to be made on telephone system information provided before the call is answered (e.g. caller id or destination number). In such systems, calls may be busied-out or not answered if system resources are not ready or available.

Authorization to run services is supplied and applied after authentication. A NAS may abort a call if session authorization information disagrees with call characteristics.

Some system resources may be controlled by server driven policies.

Accounting messages are sent to the accounting server when service begins and when it ends. Accounting is not a real-time service; the NAS may queue and batch send event records.
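The request/response step of the sequence above (the NAS asks the AAA server to authenticate a call and the server answers accept or reject) can be made concrete with RADIUS, the protocol the abstract names. The following Python is an added example, not code from the draft or from any NAS vendor: it builds an RFC 2138 Access-Request on the NAS side for both a typed password (User-Password hiding) and a relayed PPP CHAP response, decides the request on the server side, and checks the Response Authenticator of the reply back on the NAS side. The shared secret, the user database and the sample credentials are constructed values; the packet codes, attribute type numbers and the MD5 constructions follow RFC 2138.

```python
"""Added example (not the draft's code): a minimal RFC 2138 RADIUS exchange
between a NAS and an AAA server for one dial-in call. The shared secret,
users and passwords used here are constructed sample values."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3          # packet codes
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, NAS_PORT = 1, 2, 3, 5   # attribute types
CHAP_CHALLENGE = 60

USER_DB = {"alice": b"correct horse"}   # constructed sample credential store


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, req_auth):
    """RFC 2138 5.2: pad to 16-octet blocks, then c_i = p_i XOR MD5(secret + c_(i-1)),
    with c_0 = the Request Authenticator of the packet carrying it."""
    padded = password + b"\x00" * (-len(password) % 16)
    padded = padded or b"\x00" * 16
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def reveal_password(hidden, secret, req_auth):
    """Server side: invert hide_password and strip the null padding."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    """Parse Type/Length/Value attributes, rejecting lengths that run off the packet."""
    out, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        length = data[i + 1]
        out[data[i]] = data[i + 2:i + length]
        i += length
    return out


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_auth(code, ident, req_auth, body, secret):
    """RFC 2138 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + req_auth + body + secret).digest()


def nas_pap_request(user, password, secret, ident=1, port=1):
    """NAS: Access-Request for a caller who typed a password (CLI/SLIP prompt or PPP PAP)."""
    req_auth = os.urandom(16)   # fresh per request; the password hiding is keyed by it
    attrs = [(USER_NAME, user.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, req_auth)),
             (NAS_PORT, struct.pack("!I", port))]
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs)


def nas_chap_request(user, chap_id, challenge, chap_response, ident=2):
    """NAS: relay a PPP CHAP response; the AAA server, not the NAS, validates it."""
    attrs = [(USER_NAME, user.encode()),
             (CHAP_PASSWORD, bytes([chap_id]) + chap_response),
             (CHAP_CHALLENGE, challenge)]
    return build_packet(ACCESS_REQUEST, ident, os.urandom(16), attrs)


def aaa_server(packet, secret, user_db=USER_DB):
    """AAA server: authenticate the request and answer Access-Accept or Access-Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    req_auth, attrs = packet[4:20], decode_attrs(packet[20:length])
    stored = user_db.get(attrs.get(USER_NAME, b"").decode("ascii", "replace"))
    ok = False
    if stored is not None and USER_PASSWORD in attrs:
        ok = hmac.compare_digest(reveal_password(attrs[USER_PASSWORD], secret, req_auth), stored)
    elif stored is not None and CHAP_PASSWORD in attrs:
        chap_id, resp = attrs[CHAP_PASSWORD][:1], attrs[CHAP_PASSWORD][1:]
        challenge = attrs.get(CHAP_CHALLENGE, req_auth)      # RFC 2138 5.3
        ok = hmac.compare_digest(hashlib.md5(chap_id + stored + challenge).digest(), resp)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return build_packet(code, ident, response_auth(code, ident, req_auth, b"", secret), [])


def nas_check_reply(request, reply, secret):
    """NAS: trust a reply only if its ID and Response Authenticator match our own request."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1] or length != len(reply):
        return False
    expected = response_auth(code, ident, request[4:20], reply[20:], secret)
    return hmac.compare_digest(reply[4:20], expected) and code == ACCESS_ACCEPT


def dial_in_pap(user, password, secret):
    """Whole sequence for a password call: request, server decision, reply check."""
    req = nas_pap_request(user, password, secret)
    return nas_check_reply(req, aaa_server(req, secret), secret)


def dial_in_chap(user, peer_password, secret):
    """Whole sequence for a CHAP call; the peer's reply is MD5(id + password + challenge) (RFC 1994)."""
    chap_id, challenge = 7, os.urandom(16)
    resp = hashlib.md5(bytes([chap_id]) + peer_password + challenge).digest()
    req = nas_chap_request(user, chap_id, challenge, resp)
    return nas_check_reply(req, aaa_server(req, secret), secret)
```

The NAS proceeds to service only when the reply carries the identifier of its outstanding request and a Response Authenticator computed over that request's own Request Authenticator and the shared secret; a reply built under a different secret, or for a different request, is discarded. Note that for CHAP the server must hold the cleartext password to recompute the response, which is the kind of back-end constraint the draft leaves to the implementation.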
Separation of NAS and AAA server functions

As a distributed system, there is a separation of roles between the NAS and the server:

- Server provides authentication services; checks passwords (static or dynamic)

- Server databases may be organized in any way (only the protocol is specified)

- Server may use external systems to authenticate (including OS user databases, token cards, one-time lists, proxy or other means)

- Server provides authorization information to the NAS

- The process of providing a service may lead to requests for additional information

- Service authorization may require real-time enforcement (services may be based on time of day, or variable cost debits)

- Session accounting information is tallied by the NAS and reported to the server

Administrative features and Management

The system may have other operational services that are used to run and control the NAS. Some users that have "Administrative" privileges may have access to system configuration tools, or services that affect the operation and configuration of the system (e.g. loading boot images, internal file system access, etc.). Access to these facilities may be authenticated by the AAA server (provided it is configured and reachable!) and levels of access authorization may be provided.

The NAS system is presumed to have a method of configuration that allows it to know its identity and network parameters at boot time. Likewise, this configuration information is typically managed using the standard management protocols (e.g. SNMP). This will include the configuration of the parameters necessary to contact the AAA server itself.

The purpose of the AAA server is not to provide network management for the NAS, but to authorize and characterize the individual services for the users. Therefore any feature that can be user specific is open to supply from the AAA server.

Authentication Methods

A NAS system typically supports a number of authentication systems.
For async terminal users, these may be as simple as a prompt and input. For network datalink users, such as PPP, several different authentication methods will be supported (PAP, CHAP, MS-CHAP). Some of these may actually be protocols in and of themselves (EAP, Kerberos).

Additionally, the content of the authentication exchanges may not be straightforward. Hard token cards, such as the Safeword and SecurID systems, may generate one-time passphrases that must be validated against a proprietary server. In the case of multi-link support, it may be necessary to carry a session token or certificate for later links that could not generate the same authentication information.

In the cases of VPN and mandatory tunneling services, typically a username is presented that is parsed into a destination network identifier. The authentication information may not be validated locally, but at the remote end of the tunnel service.

Session Authorization Information

Once a user has been authenticated, there are a number of individual bits of information that the network management may wish to configure and authorize for the given user or class of users. Typical examples include:

For async terminal users:

- banners
- custom prompts
- menus
- CLI macros - which could be used for: shortcuts, compound commands, restrictive scripts

For network users:

- addresses, and routes
- callback instructions
- packet and activity filters
- host server addresses

Some services may require dynamic allocation of resources. Information about the resources required may not be known during the authentication phase; it may come up later (e.g. IP addresses for multi-link bundles). It is also possible that the authorization will change over the time of the session. To provide these there has to be a division of responsibility between the NAS and the AAA server, or a cooperation using a stateful service.
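One way to picture that stateful cooperation is an AAA-side table of sessions that the NAS keeps current through its accounting Start and Stop records, and that the server consults before authorizing a new call. The following Python is an added example, not part of the draft and not any product's code: the account limits, the address pool, the NAS identifiers and the timestamps are constructed sample values, and Framed-IP-Address and Session-Timeout are the RFC 2138 attribute names that carry the result back to the NAS.

```python
"""Added example (not the draft's code): a stateful AAA-side session table that
cooperates with the NAS to enforce concurrent-login limits, real-time account
expiry and IP address allocation. Account limits, the address pool and the
timestamps are constructed sample values; Framed-IP-Address and
Session-Timeout are RFC 2138 attribute names."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Account:
    max_sessions: int   # concurrent login limit
    expires_at: int     # absolute time (seconds); access is refused after this


@dataclass
class Session:
    user: str
    nas_id: str
    nas_port: int
    address: str
    started_at: int


class StatefulAaa:
    """Authorization decisions that need state the NAS alone does not hold."""

    def __init__(self, accounts, pool, min_session=60):
        self.accounts = accounts
        self.free = [str(a) for a in ipaddress.ip_network(pool).hosts()]
        self.pending = {}      # (nas_id, nas_port) -> (user, address, reserved_at)
        self.active = {}       # (nas_id, session_id) -> Session
        self.min_session = min_session

    def session_count(self, user):
        """Reservations count too, or two near-simultaneous calls slip past the limit."""
        return (sum(1 for s in self.active.values() if s.user == user)
                + sum(1 for u, _, _ in self.pending.values() if u == user))

    def access_request(self, user, nas_id, nas_port, now):
        """Called after the user has authenticated. Returns (accept, attrs, reason)."""
        acct = self.accounts.get(user)
        if acct is None:
            return False, {}, "unknown user"
        remaining = acct.expires_at - now
        if remaining < self.min_session:
            return False, {}, "account expired"
        if self.session_count(user) >= acct.max_sessions:
            return False, {}, "concurrent login limit"
        if not self.free:
            return False, {}, "address pool exhausted"
        address = self.free.pop(0)
        self.pending[(nas_id, nas_port)] = (user, address, now)
        # Session-Timeout lets the NAS enforce the expiry in real time, since
        # accounting records may arrive late or batched.
        return True, {"Framed-IP-Address": address, "Session-Timeout": remaining}, "ok"

    def accounting_start(self, nas_id, nas_port, session_id, now):
        """NAS confirms service began; a known reservation becomes an active session.
        Returns False for a Start the server never authorized (orphan record)."""
        reservation = self.pending.pop((nas_id, nas_port), None)
        if reservation is None:
            return False
        user, address, _ = reservation
        self.active[(nas_id, session_id)] = Session(user, nas_id, nas_port, address, now)
        return True

    def accounting_stop(self, nas_id, session_id):
        """NAS reports end of service; release the address. Returns the session or None."""
        session = self.active.pop((nas_id, session_id), None)
        if session is not None:
            self.free.append(session.address)
        return session

    def reap(self, now, grace=30):
        """Housekeeping: drop reservations the NAS never confirmed and sessions that
        outlived their expiry without a Stop record (lost or batched accounting)."""
        for key, (_, address, reserved_at) in list(self.pending.items()):
            if now - reserved_at > grace:
                self.free.append(address)
                del self.pending[key]
        for key, session in list(self.active.items()):
            if now > self.accounts[session.user].expires_at + grace:
                self.free.append(session.address)
                del self.active[key]
```

The server hands the NAS an address and a Session-Timeout in the accept, so the NAS, which alone knows the true state of the session, enforces the expiry on the wire, while the Start/Stop records keep the server's count of concurrent logins and its address pool honest. The reap() pass covers the gap the draft's accounting notes imply: records that are queued and batched rather than sent in real time, or never sent at all.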
Such services include:

- IP Address management
- Concurrent login limitations
- Tunnel usage limitations
- Real-time account expirations
- Call management policies

In the process of resolving resource information, it may be required that a certain level of service be supplied, and if it is not available, the request refused or corrective action taken.

References

[1] Rigney, et al., "Remote Authentication Dial In User Service (RADIUS)", RFC 2138, April 1997

[2] Rigney, et al., "RADIUS Accounting", RFC 2139, April 1997

[3] Aboba, Zorn, "Implementation of PPTP/L2TP Compulsory Tunneling via RADIUS", draft-ietf-radius-tunnel-imp-03.txt, July 1997

[4] Calhoun, et al., "Extensible Authentication Protocol Support in RADIUS", draft-ietf-radius-eap-02.txt, May 1997

[5] Aboba, Zorn, "Dialup Roaming Requirements", draft-ietf-roamops-roamreq-05.txt, July 1997

[6] Zorn, "Yet Another Authentication Protocol (YAAP)", draft-zorn-yaap-01.txt, 30 June 1996

[7] Calhoun, "Diameter Base Protocol", draft-ietf-calhoun-diameter-04.txt, July 1998

Author's Information

David Mitton
Bay Networks Access Division
8 Federal St. BL8-05
Billerica, MA 01821
Phone: 978-916-4570
Fax: 978-916-4789
mailto: dmitton@baynetworks.com

NASREQNG Operational Model    draft-ietf-nasreqng-model-00.txt    Mitton, David    Expires May 1999

Appendix - Acronyms and Glossary

AAA - Authentication, Authorization, Accounting; the three primary services required by a NAS server or protocol.

NAS - Network Access Server, a system that provides access to a network.

CLI - Command Line Interface, an interface to a command line service for use with a common asynchronous terminal facility.

SLIP - Serial Line Internet Protocol, an IP-only predecessor to PPP.

IPX - Novell's NetWare transport protocol.

NETBEUI - A Microsoft/IBM LAN protocol supported by Microsoft file services.

ARAP - AppleTalk Remote Access Protocol.

LAT - Local Area Transport, a Digital Equipment LAN protocol for terminal services.

VPN - Virtual Private Network, a term for networks that appear to be private to the user by the use of tunneling techniques.

FR - Frame Relay, a synchronous WAN protocol and telephone network interconnect service.

ISDN - Integrated Services Digital Network, a telephone network facility for transmitting digital and analog information over a digital network connection. A NAS may have the ability to receive the information from the telephone network in digital form.

BRI - Basic Rate Interface, PRI - Primary Rate Interface, a digital telephone interface of 64K bits per second.

T1 - A digital telephone interface which provides 24-36 channels of PRI data and one control channel (2.048 Mbps).

T3 - A digital telephone interface which provides 28 T1 services. Control for the entire connection is provided on a single channel.

NFAS - Non-Facility Associated Signaling, a telephone network protocol/service for providing call information on a separate wire connection from the call itself. Used with multiple T1 or T3 connections.

SS7 - A telephone network protocol for communicating call information on a separate data network from the voice network.

POP - Point Of Presence, a geographic location of equipment and interconnection to the network. An ISP typically manages all equipment in a single POP in a similar manner.