Radius

This guide acts as a protocol implementation compliance statement for the RADIUS protocol.

RADIUS Protocol

This section gives information on how AAA Gateway maps the RADIUS access-control messages for the RADIUS protocol defined in RFC-2865 and RFC-2869.

Section Compliance

Table 1-1 below lists the compliance information for the RADIUS protocol sections in RFC-2865.

Table 1-1: RFC-2865 Section Compliance

Section Number | Section | Status | Notes
1 | Introduction | Not applicable | -
1.1 | Specification of Requirements | Not applicable | -
1.2 | Terminology | Not applicable | -
2 | Operation | Partially supported | -
2.1 | Challenge/Response | Supported | -
2.2 | Interoperation with PAP and CHAP | Not supported | -
2.3 | Proxy | Not applicable | -
2.4 | Why UDP? | Not applicable | -
2.5 | Retransmission Hints | Supported | -
2.6 | Keep-Alives Considered Harmful | Supported | -
3 | Packet Format | Supported | -
4 | Packet Types | Supported | -
4.1 | Access-Request | Supported | -
4.2 | Access-Accept | Supported | -
4.3 | Access-Reject | Supported | -
4.4 | Access-Challenge | Supported | -
5 | Attributes | Supported | -
5.1 | User-Name | Supported | -
5.2 | User-Password | Supported | -
5.3 | CHAP-Password | Supported | -
5.4 | NAS-IP-Address | Supported | -
5.5 | NAS-Port | Supported | -
5.6 | Service-Type | Supported | -
5.7 | Framed-Protocol | Supported | -
5.8 | Framed-IP-Address | Supported | -
5.9 | Framed-IP-Netmask | Supported | -
5.10 | Framed-Routing | Supported | -
5.11 | Filter-Id | Supported | -
5.12 | Framed-MTU | Supported | -
5.13 | Framed-Compression | Supported | -
5.14 | Login-IP-Host | Supported | -
5.15 | Login-Service | Supported | -
5.16 | Login-TCP-Port | Supported | -
5.17 | (unassigned) | Supported | -
5.18 | Reply-Message | Supported | -
5.19 | Callback-Number | Supported | -
5.20 | Callback-Id | Supported | -
5.21 | (unassigned) | Supported | -
5.22 | Framed-Route | Supported | -
5.23 | Framed-IPX-Network | Supported | -
5.24 | State | Supported | -
5.25 | Class | Supported | -
5.26 | Vendor-Specific | Supported | -
5.27 | Session-Timeout | Supported | -
5.28 | Idle-Timeout | Supported | -
5.29 | Termination-Action | Supported | -
5.30 | Called-Station-Id | Supported | -
5.31 | Calling-Station-Id | Supported | -
5.32 | NAS-Identifier | Supported | -
5.33 | Proxy-State | Supported | -
5.34 | Login-LAT-Service | Supported | -
5.35 | Login-LAT-Node | Supported | -
5.36 | Login-LAT-Group | Supported | -
5.37 | Framed-AppleTalk-Link | Supported | -
5.38 | Framed-AppleTalk-Network | Supported | -
5.39 | Framed-AppleTalk-Zone | Supported | -
5.40 | CHAP-Challenge | Supported | -
5.41 | NAS-Port-Type | Supported | -
5.42 | Port-Limit | Supported | -
5.43 | Login-LAT-Port | Supported | -
5.44 | Table of Attributes | Supported | -
6 | IANA Considerations | No requirement | -
6.1 | Definition of Terms | No requirement | -
6.2 | Recommended Registration Policies | No requirement | -
7 | Examples | Supported | -
7.1 | User Telnet to Specified Host | Supported | -
7.2 | Framed User Authenticating with CHAP | Supported | -
7.3 | User with Challenge-Response card | Not supported | -
8 | Security Considerations | Not supported | -
9 | Change Log | No requirement | -
10 | References | No requirement | -
11 | Acknowledgements | No requirement | -
12 | Chair’s Address | No requirement | -
13 | Authors’ Addresses | No requirement | -
14 | Full Copyright Statement | No requirement | -

Table 1-2 lists the compliance information for the RADIUS protocol sections in RFC-2869.

Table 1-2: RFC-2869 Section Compliance

Section Number | Section | Status | Notes
1 | Introduction | Not applicable | -
1.1 | Specification of Requirements | Not applicable | -
1.2 | Terminology | Not applicable | -
2 | Operation | Partially supported | -
2.1 | RADIUS support for Interim Accounting Updates | Not supported | -
2.2 | RADIUS support for Apple Remote Access Protocol | Not supported | -
2.3 | RADIUS Support for Extensible Authentication Protocol (EAP) | Supported | -
2.3.1 | Protocol Overview | Supported | -
2.3.2 | Retransmission | Supported | -
2.3.3 | Fragmentation | Not supported | -
2.3.4 | Examples | Supported | -
2.3.5 | Alternative Uses | Supported | -
3 | Packet Format | Supported | -
4 | Packet Types | Supported | -
5 | Attributes | Partially supported | -
5.1 | Acct-Input-Gigawords | Not supported | -
5.2 | Acct-Output-Gigawords | Not supported | -
5.3 | Event-Timestamp | Not supported | -
5.4 | ARAP-Password | Not supported | -
5.5 | ARAP-Features | Not supported | -
5.6 | ARAP-Zone-Access | Not supported | -
5.7 | ARAP-Security | Not supported | -
5.8 | ARAP-Security-Data | Not supported | -
5.9 | Password-Retry | Not supported | -
5.10 | Prompt | Not supported | -
5.11 | Connect-Info | Not supported | -
5.12 | Configuration-Token | Not supported | -
5.13 | EAP-Message | Supported | -
5.14 | Message-Authenticator | Supported | -
5.15 | ARAP-Challenge-Response | Not supported | -
5.16 | Acct-Interim-Interval | Not supported | -
5.17 | NAS-Port-Id | Supported | -
5.18 | Framed-Pool | Not supported | -
5.19 | Table of Attributes | Not supported | -
6 | IANA Considerations | No requirement | -
7 | Security Considerations | Supported | -
7.1 | Message-Authenticator Security | Supported | -
7.2 | EAP Security | Supported | -
7.2.1 | Separation of EAP server and PPP authenticator | Not supported | -
7.2.2 | Connection hijacking | Not supported | -
7.2.3 | Man in the middle attacks | Not supported | -
7.2.4 | Multiple databases | Not supported | -
7.2.5 | Negotiation attacks | Not supported | -
8 | References | No requirement | -
9 | Acknowledgements | No requirement | -
10 | Chair’s Address | No requirement | -
11 | Authors’ Addresses | No requirement | -
12 | Full Copyright Statement | No requirement | -

Access-Request AVPs

Table 1-3 lists the compliance information for Access-Request attribute-value pairs (AVPs).

Table 1-3: Access-Request AVPs

RADIUS AVP | Status | Notes
User-Name | Supported | -
User-Password | Supported | -
CHAP-Password | Supported | -
CHAP-Challenge | Supported | -
NAS-IP-Address | Supported | -
NAS-Port | Supported | -
NAS-Port-Type | Supported | -
NAS-Identifier | Supported | -
Service-Type | Supported | -
Framed-Protocol | Supported | -
Framed-IP-Address | Supported | -
Framed-IP-Netmask | Supported | -
Framed-MTU | Supported | -
Framed-Compression | Supported | -
Login-IP-Host | Supported | -
Callback-Number | Supported | -
Called-Station-Id | Supported | -
Calling-Station-Id | Supported | -
State | Supported | -
Proxy-State | Supported | -
Login-LAT-Service | Supported | -
Login-LAT-Node | Supported | -
Login-LAT-Group | Supported | -
Login-LAT-Port | Supported | -
Vendor-Specific | Supported | -
EAP-Message | Supported | -
Message-Authenticator | Supported | -

Access-Accept AVPs

Below is the compliance information for Access-Accept AVPs.

Table 1-4: Access-Accept AVPs

RADIUS AVP | Status | Notes
User-Name | Supported | -
Service-Type | Supported | -
Framed-Protocol | Supported | -
Framed-IP-Address | Supported | -
Framed-IP-Netmask | Supported | -
Framed-Routing | Supported | -
Framed-Route | Supported | -
Framed-IPX-Network | Supported | -
Framed-AppleTalk-Link | Supported | -
Framed-AppleTalk-Network | Supported | -
Framed-AppleTalk-Zone | Supported | -
Filter-Id | Supported | -
Framed-MTU | Supported | -
Framed-Compression | Supported | -
Login-IP-Host | Supported | -
Login-Service | Supported | -
Login-TCP-Port | Supported | -
Reply-Message | Supported | -
Callback-Number | Supported | -
Callback-Id | Supported | -
Class | Supported | -
Session-Timeout | Supported | -
Idle-Timeout | Supported | -
Termination-Action | Supported | -
State | Supported | -
Proxy-State | Supported | -
Login-LAT-Service | Supported | -
Login-LAT-Node | Supported | -
Login-LAT-Group | Supported | -
Login-LAT-Port | Supported | -
Port-Limit | Supported | -
Vendor-Specific | Supported | -
Acct-Session-Id | Supported | -
EAP-Message | Supported | -
Message-Authenticator | Supported | -

Access-Reject AVPs

Table 1-5 lists the compliance information for Access-Reject AVPs.

Table 1-5: Access-Reject AVPs

RADIUS AVP | Status | Notes
User-Name | Supported | -
Reply-Message | Supported | -
Class | Supported | -
Proxy-State | Supported | -
Vendor-Specific | Supported | -
Acct-Session-Id | Supported | -
EAP-Message | Supported | -
Message-Authenticator | Supported | -

Access-Challenge AVPs

Table 1-6 contains the compliance information for Access-Challenge AVPs.

Table 1-6: Access-Challenge AVPs

RADIUS AVP | Status | Notes
Reply-Message | Supported | -
Session-Timeout | Supported | -
Idle-Timeout | Supported | -
State | Supported | -
Proxy-State | Supported | -
Vendor-Specific | Supported | -
EAP-Message | Supported | -
Message-Authenticator | Supported | -

RADIUS Accounting Protocol

This section provides details on how AAA Gateway maps the RADIUS accounting messages for the RADIUS protocol defined in RFC-2866.

Section Compliance

Below is a list of the compliance information for the RADIUS Accounting protocol sections in RFC-2866.

Table 2-1: RFC-2866 Section Compliance

Section Number | Section | Status | Notes
1 | Introduction | Not applicable | -
1.1 | Specification of Requirement | Not applicable | -
1.2 | Terminology | Not applicable | -
2 | Operation | Supported | -
2.1 | Proxy | Not supported | -
3 | Packet Format | Supported | -
4 | Packet Types | Supported | -
4.1 | Accounting-Request | Supported | -
4.2 | Accounting-Response | Supported | -
5 | Attributes | Supported | -
5.1 | Acct-Status-Type | Supported | -
5.2 | Acct-Delay-Time | Supported | -
5.3 | Acct-Input-Octets | Supported | -
5.4 | Acct-Output-Octets | Supported | -
5.5 | Acct-Session-Id | Supported | -
5.6 | Acct-Authentic | Supported | -
5.7 | Acct-Session-Time | Supported | -
5.8 | Acct-Input-Packets | Supported | -
5.9 | Acct-Output-Packets | Supported | -
5.10 | Acct-Terminate-Cause | Supported | -
5.11 | Acct-Multi-Session-Id | Supported | -
5.12 | Acct-Link-Count | Supported | -
5.13 | Table of Attributes | Supported | -
6 | IANA Considerations | Supported | -
7 | Security Considerations | Supported | -
8 | Change Log | Not applicable | -
9 | References | No requirement | -
10 | Acknowledgements | No requirement | -

Accounting-Request AVPs

The following table describes how ECE supports Accounting-Request attribute-value pairs (AVPs).

Table 2-2: Accounting-Request AVPs

RADIUS Accounting AVP | Status | Notes
User-Name | Supported | This is a mandatory AVP.
NAS-IP-Address | Supported | This is a mandatory AVP.
NAS-Identifier | Supported | This is a mandatory AVP.
NAS-Port-Type | Supported | -
Class | Supported | -
Service-Type | Supported | -
Framed-Protocol | Supported | -
Framed-IP-Address | Supported | -
Framed-IP-Netmask | Supported | -
Framed-MTU | Supported | -
Framed-Compression | Supported | -
Login-IP-Host | Supported | -
Callback-Number | Supported | -
Called-Station-Id | Supported | -
Calling-Station-Id | Supported | -
Proxy-State | Supported | -
Login-LAT-Service | Supported | -
Login-LAT-Node | Supported | -
Login-LAT-Group | Supported | -
Login-LAT-Port | Supported | -
CHAP-Challenge | Supported | -
Acct-Status-Type | Supported | This is a mandatory AVP.
Acct-Delay-Time | Supported | -
Acct-Input-Octets | Supported | -
Acct-Output-Octets | Supported | -
Acct-Session-Id | Supported | This is a mandatory AVP.
Acct-Authentic | Supported | -
Acct-Session-Time | Supported | -
Acct-Input-Packets | Supported | -
Acct-Output-Packets | Supported | -
Acct-Terminate-Cause | Supported | -
Acct-Multi-Session-Id | Supported | -
Acct-Link-Count | Supported | -
Vendor-Specific | Supported | -

Accounting-Response AVPs

The Accounting-Response message does not have any AVPs.

RADIUS Disconnect Protocol

This section describes how AAA Gateway maps the RADIUS disconnect messages for the RADIUS protocol defined in RFC-3576.

Section Compliance

Below is the compliance information for the RADIUS Disconnect protocol sections in RFC-3576.

Table 3-1: RFC-3576 Section Compliance

Section Number | Section | Status | Notes
1 | Introduction | - | -
1.1 | Applicability | - | -
1.2 | Requirements Language | - | -
1.3 | Terminology | - | -
2 | Overview | - | -
2.1 | Disconnect Messages (DM) | - | -
2.2 | Change-of-Authorization Messages (CoA) | - | -
2.3 | Packet Format | - | -
3 | Attributes | - | -
3.1 | Error-Cause | - | -
3.2 | Table of Attributes | - | -
4 | IANA Considerations | - | -
5 | Security Considerations | - | -
5.1 | Authorization Issues | - | -
5.2 | Impersonation | - | -
5.3 | IPsec Usage Guidelines | - | -
5.4 | Replay Protection | - | -
6 | Example Traces | - | -
7 | References | - | -
7.1 | Normative References | - | -
7.2 | Informative References | - | -
8 | Intellectual Property Statement | - | -
9 | Acknowledgements | - | -
10 | Author’s Addresses | - | -
11 | Full Copyright Statement | - | -

Disconnect-Request AVPs

Table 3-2 lists the compliance information for Disconnect-Request attribute-value pairs (AVPs).

Table 3-2: Disconnect-Request AVPs

RADIUS AVP | Status | Notes
User-Name | Supported | -
User-Password | Supported | -
CHAP-Password | Supported | -
CHAP-Challenge | Supported | -
NAS-IP-Address | Supported | -
NAS-Port | Supported | -
NAS-Port-Type | Supported | -
NAS-Identifier | Supported | -
Service-Type | Supported | -
Framed-Protocol | Supported | -
Framed-IP-Address | Supported | -
Framed-IP-Netmask | Supported | -
Framed-MTU | Supported | -
Framed-Compression | Supported | -
Login-IP-Host | Supported | -
Callback-Number | Supported | -
Called-Station-Id | Supported | -
Calling-Station-Id | Supported | -
State | Supported | -
Proxy-State | Supported | -
Login-LAT-Service | Supported | -
Login-LAT-Node | Supported | -
Login-LAT-Group | Supported | -
Login-LAT-Port | Supported | -
Vendor-Specific | Supported | -
EAP-Message | Supported | -
Message-Authenticator | Supported | -

Disconnect-Response AVPs

The Disconnect-Response message has no AVPs.