7 Network Working Group C. Rigney
8 Request for Comments: 2138 Livingston
9 Obsoletes: 2058 A. Rubens
10 Category: Standards Track Merit
18 Remote Authentication Dial In User Service (RADIUS)
22 This document specifies an Internet standards track protocol for the
23 Internet community, and requests discussion and suggestions for
24 improvements. Please refer to the current edition of the "Internet
25 Official Protocol Standards" (STD 1) for the standardization state
26 and status of this protocol. Distribution of this memo is unlimited.
30 This document describes a protocol for carrying authentication,
31 authorization, and configuration information between a Network Access
32 Server which desires to authenticate its links and a shared
33 Authentication Server.
37 This memo documents the RADIUS protocol. There has been some
38 confusion in the assignment of port numbers for this protocol. The
39 early deployment of RADIUS was done using the erroneously chosen port
40 number 1645, which conflicts with the "datametrics" service. The
41 officially assigned port number for RADIUS is 1812.
45 1. Introduction .......................................... 3
46 1.1 Specification of Requirements ................... 4
47 1.2 Terminology ..................................... 5
48 2. Operation ............................................. 5
49 2.1 Challenge/Response .............................. 7
50 2.2 Interoperation with PAP and CHAP ................ 7
51 2.3 Why UDP? ........................................ 8
52 3. Packet Format ......................................... 10
53 4. Packet Types .......................................... 13
54 4.1 Access-Request .................................. 13
58 Rigney, et. al. Standards Track [Page 1]
60 RFC 2138 RADIUS April 1997
63 4.2 Access-Accept ................................... 14
64 4.3 Access-Reject ................................... 15
65 4.4 Access-Challenge ................................ 17
66 5. Attributes ............................................ 18
67 5.1 User-Name ....................................... 21
68 5.2 User-Password ................................... 22
69 5.3 CHAP-Password ................................... 23
70 5.4 NAS-IP-Address .................................. 24
71 5.5 NAS-Port ........................................ 25
72 5.6 Service-Type .................................... 26
73 5.7 Framed-Protocol ................................. 28
74 5.8 Framed-IP-Address ............................... 29
75 5.9 Framed-IP-Netmask ............................... 29
76 5.10 Framed-Routing .................................. 30
77 5.11 Filter-Id ....................................... 31
78 5.12 Framed-MTU ...................................... 32
79 5.13 Framed-Compression .............................. 33
80 5.14 Login-IP-Host ................................... 33
81 5.15 Login-Service ................................... 34
82 5.16 Login-TCP-Port .................................. 35
83 5.17 (unassigned) .................................... 36
84 5.18 Reply-Message ................................... 36
85 5.19 Callback-Number ................................. 37
86 5.20 Callback-Id ..................................... 38
87 5.21 (unassigned) .................................... 38
88 5.22 Framed-Route .................................... 39
89 5.23 Framed-IPX-Network .............................. 40
90 5.24 State ........................................... 40
91 5.25 Class ........................................... 41
92 5.26 Vendor-Specific ................................. 42
93 5.27 Session-Timeout ................................. 44
94 5.28 Idle-Timeout .................................... 44
95 5.29 Termination-Action .............................. 45
96 5.30 Called-Station-Id ............................... 46
97 5.31 Calling-Station-Id .............................. 47
98 5.32 NAS-Identifier .................................. 48
99 5.33 Proxy-State ..................................... 48
100 5.34 Login-LAT-Service ............................... 49
101 5.35 Login-LAT-Node .................................. 50
102 5.36 Login-LAT-Group ................................. 51
103 5.37 Framed-AppleTalk-Link ........................... 52
104 5.38 Framed-AppleTalk-Network ........................ 53
105 5.39 Framed-AppleTalk-Zone ........................... 54
106 5.40 CHAP-Challenge .................................. 55
107 5.41 NAS-Port-Type ................................... 55
108 5.42 Port-Limit ...................................... 56
109 5.43 Login-LAT-Port .................................. 57
110 5.44 Table of Attributes ............................. 58
114 Rigney, et. al. Standards Track [Page 2]
116 RFC 2138 RADIUS April 1997
119 6. Examples .............................................. 59
120 6.1 User Telnet to Specified Host ................... 60
121 6.2 Framed User Authenticating with CHAP ............ 60
122 6.3 User with Challenge-Response card ............... 61
123 Security Considerations ...................................... 63
124 References ................................................... 64
125 Acknowledgements ............................................. 64
126 Chair's Address .............................................. 65
127 Author's Addresses ........................................... 65
131 Managing dispersed serial line and modem pools for large numbers of
132 users can create the need for significant administrative support.
133 Since modem pools are by definition a link to the outside world, they
134 require careful attention to security, authorization and accounting.
135 This can be best achieved by managing a single "database" of users,
136 which allows for authentication (verifying user name and password) as
137 well as configuration information detailing the type of service to
138 deliver to the user (for example, SLIP, PPP, telnet, rlogin).
140 Key features of RADIUS are:
144 A Network Access Server (NAS) operates as a client of RADIUS. The
145 client is responsible for passing user information to designated
146 RADIUS servers, and then acting on the response which is returned.
148 RADIUS servers are responsible for receiving user connection
149 requests, authenticating the user, and then returning all
150 configuration information necessary for the client to deliver
153 A RADIUS server can act as a proxy client to other RADIUS servers
154 or other kinds of authentication servers.
158 Transactions between the client and RADIUS server are
159 authenticated through the use of a shared secret, which is never
160 sent over the network. In addition, any user passwords are sent
161 encrypted between the client and RADIUS server, to eliminate the
162 possibility that someone snooping on an unsecure network could
163 determine a user's password.
170 Rigney, et. al. Standards Track [Page 3]
172 RFC 2138 RADIUS April 1997
175 Flexible Authentication Mechanisms
177 The RADIUS server can support a variety of methods to authenticate
178 a user. When it is provided with the user name and original
179 password given by the user, it can support PPP PAP or CHAP, UNIX
180 login, and other authentication mechanisms.
184 All transactions are comprised of variable length Attribute-
185 Length-Value 3-tuples. New attribute values can be added without
186 disturbing existing implementations of the protocol.
188 1.1. Specification of Requirements
190 In this document, several words are used to signify the requirements
191 of the specification. These words are often capitalized.
193 MUST This word, or the adjective "required", means that the
194 definition is an absolute requirement of the specification.
196 MUST NOT This phrase means that the definition is an absolute
197 prohibition of the specification.
199 SHOULD This word, or the adjective "recommended", means that there
200 may exist valid reasons in particular circumstances to
201 ignore this item, but the full implications must be
202 understood and carefully weighed before choosing a
205 MAY This word, or the adjective "optional", means that this
206 item is one of an allowed set of alternatives. An
207 implementation which does not include this option MUST be
208 prepared to interoperate with another implementation which
209 does include the option.
226 Rigney, et. al. Standards Track [Page 4]
228 RFC 2138 RADIUS April 1997
233 This document frequently uses the following terms:
235 service The NAS provides a service to the dial-in user, such as PPP
238 session Each service provided by the NAS to a dial-in user
239 constitutes a session, with the beginning of the session
240 defined as the point where service is first provided and
241 the end of the session defined as the point where service
242 is ended. A user may have multiple sessions in parallel or
243 series if the NAS supports that.
246 This means the implementation discards the packet without
247 further processing. The implementation SHOULD provide the
248 capability of logging the error, including the contents of
249 the silently discarded packet, and SHOULD record the event
250 in a statistics counter.
254 When a client is configured to use RADIUS, any user of the client
255 presents authentication information to the client. This might be
256 with a customizable login prompt, where the user is expected to enter
257 their username and password. Alternatively, the user might use a
258 link framing protocol such as the Point-to-Point Protocol (PPP),
259 which has authentication packets which carry this information.
261 Once the client has obtained such information, it may choose to
262 authenticate using RADIUS. To do so, the client creates an "Access-
263 Request" containing such Attributes as the user's name, the user's
264 password, the ID of the client and the Port ID which the user is
265 accessing. When a password is present, it is hidden using a method
266 based on the RSA Message Digest Algorithm MD5 [1].
268 The Access-Request is submitted to the RADIUS server via the network.
269 If no response is returned within a length of time, the request is
270 re-sent a number of times. The client can also forward requests to
271 an alternate server or servers in the event that the primary server
272 is down or unreachable. An alternate server can be used either after
273 a number of tries to the primary server fail, or in a round-robin
274 fashion. Retry and fallback algorithms are the topic of current
275 research and are not specified in detail in this document.
282 Rigney, et. al. Standards Track [Page 5]
284 RFC 2138 RADIUS April 1997
287 Once the RADIUS server receives the request, it validates the sending
288 client. A request from a client for which the RADIUS server does not
289 have a shared secret should be silently discarded. If the client is
290 valid, the RADIUS server consults a database of users to find the
291 user whose name matches the request. The user entry in the database
292 contains a list of requirements which must be met to allow access for
293 the user. This always includes verification of the password, but can
294 also specify the client(s) or port(s) to which the user is allowed
297 The RADIUS server MAY make requests of other servers in order to
298 satisfy the request, in which case it acts as a client.
300 If any condition is not met, the RADIUS server sends an "Access-
301 Reject" response indicating that this user request is invalid. If
302 desired, the server MAY include a text message in the Access-Reject
303 which MAY be displayed by the client to the user. No other
304 Attributes are permitted in an Access-Reject.
306 If all conditions are met and the RADIUS server wishes to issue a
307 challenge to which the user must respond, the RADIUS server sends an
308 "Access-Challenge" response. It MAY include a text message to be
309 displayed by the client to the user prompting for a response to the
310 challenge, and MAY include a State attribute. If the client receives
311 an Access-Challenge and supports challenge/response it MAY display
312 the text message, if any, to the user, and then prompt the user for a
313 response. The client then re-submits its original Access-Request
314 with a new request ID, with the User-Password Attribute replaced by
315 the response (encrypted), and including the State Attribute from the
316 Access-Challenge, if any. Only 0 or 1 instances of the State
317 Attributes should be present in a request. The server can respond to
318 this new Access-Request with either an Access-Accept, an Access-
319 Reject, or another Access-Challenge.
321 If all conditions are met, the list of configuration values for the
322 user are placed into an "Access-Accept" response. These values
323 include the type of service (for example: SLIP, PPP, Login User) and
324 all necessary values to deliver the desired service. For SLIP and
325 PPP, this may include values such as IP address, subnet mask, MTU,
326 desired compression, and desired packet filter identifiers. For
327 character mode users, this may include values such as desired
338 Rigney, et. al. Standards Track [Page 6]
340 RFC 2138 RADIUS April 1997
343 2.1. Challenge/Response
345 In challenge/response authentication, the user is given an
346 unpredictable number and challenged to encrypt it and give back the
347 result. Authorized users are equipped with special devices such as
348 smart cards or software that facilitate calculation of the correct
349 response with ease. Unauthorized users, lacking the appropriate
350 device or software and lacking knowledge of the secret key necessary
351 to emulate such a device or software, can only guess at the response.
353 The Access-Challenge packet typically contains a Reply-Message
354 including a challenge to be displayed to the user, such as a numeric
355 value unlikely ever to be repeated. Typically this is obtained from
356 an external server that knows what type of authenticator should be in
357 the possession of the authorized user and can therefore choose a
358 random or non-repeating pseudorandom number of an appropriate radix
361 The user then enters the challenge into his device (or software) and
362 it calculates a response, which the user enters into the client which
363 forwards it to the RADIUS server via a second Access-Request. If the
364 response matches the expected response the RADIUS server replies with
365 an Access-Accept, otherwise an Access-Reject.
367 Example: The NAS sends an Access-Request packet to the RADIUS Server
368 with NAS-Identifier, NAS-Port, User-Name, User-Password (which may
369 just be a fixed string like "challenge" or ignored). The server
370 sends back an Access-Challenge packet with State and a Reply-Message
371 along the lines of "Challenge 12345678, enter your response at the
372 prompt" which the NAS displays. The NAS prompts for the response and
373 sends a NEW Access-Request to the server (with a new ID) with NAS-
374 Identifier, NAS-Port, User-Name, User-Password (the response just
375 entered by the user, encrypted), and the same State Attribute that
376 came with the Access-Challenge. The server then sends back either an
377 Access-Accept or Access-Reject based on whether the response matches
378 what it should be, or it can even send another Access-Challenge.
380 2.2. Interoperation with PAP and CHAP
382 For PAP, the NAS takes the PAP ID and password and sends them in an
383 Access-Request packet as the User-Name and User-Password. The NAS MAY
384 include the Attributes Service-Type = Framed-User and Framed-Protocol
385 = PPP as a hint to the RADIUS server that PPP service is expected.
387 For CHAP, the NAS generates a random challenge (preferably 16 octets)
388 and sends it to the user, who returns a CHAP response along with a
389 CHAP ID and CHAP username. The NAS then sends an Access-Request
390 packet to the RADIUS server with the CHAP username as the User-Name
394 Rigney, et. al. Standards Track [Page 7]
396 RFC 2138 RADIUS April 1997
399 and with the CHAP ID and CHAP response as the CHAP-Password
400 (Attribute 3). The random challenge can either be included in the
401 CHAP-Challenge attribute or, if it is 16 octets long, it can be
402 placed in the Request Authenticator field of the Access-Request
403 packet. The NAS MAY include the Attributes Service-Type = Framed-
404 User and Framed-Protocol = PPP as a hint to the RADIUS server that
405 PPP service is expected.
407 The RADIUS server looks up a password based on the User-Name,
408 encrypts the challenge using MD5 on the CHAP ID octet, that password,
409 and the CHAP challenge (from the CHAP-Challenge attribute if present,
410 otherwise from the Request Authenticator), and compares that result
411 to the CHAP-Password. If they match, the server sends back an
412 Access-Accept, otherwise it sends back an Access-Reject.
414 If the RADIUS server is unable to perform the requested
415 authentication it should return an Access-Reject. For example, CHAP
416 requires that the user's password be available in cleartext to the
417 server so that it can encrypt the CHAP challenge and compare that to
418 the CHAP response. If the password is not available in cleartext to
419 the RADIUS server then the server MUST send an Access-Reject to the
424 A frequently asked question is why RADIUS uses UDP instead of TCP as
425 a transport protocol. UDP was chosen for strictly technical reasons.
427 There are a number of issues which must be understood. RADIUS is a
428 transaction based protocol which has several interesting
431 1. If the request to a primary Authentication server fails, a
432 secondary server must be queried.
434 To meet this requirement, a copy of the request must be kept
435 above the transport layer to allow for alternate transmission.
436 This means that retransmission timers are still required.
438 2. The timing requirements of this particular protocol are
439 significantly different than TCP provides.
441 At one extreme, RADIUS does not require a "responsive"
442 detection of lost data. The user is willing to wait several
443 seconds for the authentication to complete. The generally
444 aggressive TCP retransmission (based on average round trip
445 time) is not required, nor is the acknowledgement overhead of
450 Rigney, et. al. Standards Track [Page 8]
452 RFC 2138 RADIUS April 1997
455 At the other extreme, the user is not willing to wait several
456 minutes for authentication. Therefore the reliable delivery of
457 TCP data two minutes later is not useful. The faster use of an
458 alternate server allows the user to gain access before giving
461 3. The stateless nature of this protocol simplifies the use of UDP.
463 Clients and servers come and go. Systems are rebooted, or are
464 power cycled independently. Generally this does not cause a
465 problem and with creative timeouts and detection of lost TCP
466 connections, code can be written to handle anomalous events.
467 UDP however completely eliminates any of this special handling.
468 Each client and server can open their UDP transport just once
469 and leave it open through all types of failure events on the
472 4. UDP simplifies the server implementation.
474 In the earliest implementations of RADIUS, the server was
475 single threaded. This means that a single request was
476 received, processed, and returned. This was found to be
477 unmanageable in environments where the back-end security
478 mechanism took real time (1 or more seconds). The server
479 request queue would fill and in environments where hundreds of
480 people were being authenticated every minute, the request
481 turn-around time increased to longer that users were willing to
482 wait (this was especially severe when a specific lookup in a
483 database or over DNS took 30 or more seconds). The obvious
484 solution was to make the server multi-threaded. Achieving this
485 was simple with UDP. Separate processes were spawned to serve
486 each request and these processes could respond directly to the
487 client NAS with a simple UDP packet to the original transport
490 It's not all a panacea. As noted, using UDP requires one thing
491 which is built into TCP: with UDP we must artificially manage
492 retransmission timers to the same server, although they don't
493 require the same attention to timing provided by TCP. This one
494 penalty is a small price to pay for the advantages of UDP in
497 Without TCP we would still probably be using tin cans connected
498 by string. But for this particular protocol, UDP is a better
506 Rigney, et. al. Standards Track [Page 9]
508 RFC 2138 RADIUS April 1997
513 Exactly one RADIUS packet is encapsulated in the UDP Data field [2],
514 where the UDP Destination Port field indicates 1812 (decimal).
516 When a reply is generated, the source and destination ports are
519 This memo documents the RADIUS protocol. There has been some
520 confusion in the assignment of port numbers for this protocol. The
521 early deployment of RADIUS was done using the erroneously chosen port
522 number 1645, which conflicts with the "datametrics" service. The
523 officially assigned port number for RADIUS is 1812.
525 A summary of the RADIUS data format is shown below. The fields are
526 transmitted from left to right.
529 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
530 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
531 | Code | Identifier | Length |
532 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
537 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
539 +-+-+-+-+-+-+-+-+-+-+-+-+-
543 The Code field is one octet, and identifies the type of RADIUS
544 packet. When a packet is received with an invalid Code field, it is
547 RADIUS Codes (decimal) are assigned as follows:
553 5 Accounting-Response
555 12 Status-Server (experimental)
556 13 Status-Client (experimental)
562 Rigney, et. al. Standards Track [Page 10]
564 RFC 2138 RADIUS April 1997
567 Codes 4 and 5 are covered in the RADIUS Accounting document [9], and
568 are not further mentioned here. Codes 12 and 13 are reserved for
569 possible use, but are not further mentioned here.
573 The Identifier field is one octet, and aids in matching requests and
578 The Length field is two octets. It indicates the length of the
579 packet including the Code, Identifier, Length, Authenticator and
580 Attribute fields. Octets outside the range of the Length field
581 should be treated as padding and should be ignored on reception. If
582 the packet is shorter than the Length field indicates, it should be
583 silently discarded. The minimum length is 20 and maximum length is
588 The Authenticator field is sixteen (16) octets. The most significant
589 octet is transmitted first. This value is used to authenticate the
590 reply from the RADIUS server, and is used in the password hiding
593 Request Authenticator
595 In Access-Request Packets, the Authenticator value is a 16 octet
596 random number, called the Request Authenticator. The value SHOULD
597 be unpredictable and unique over the lifetime of a secret (the
598 password shared between the client and the RADIUS server), since
599 repetition of a request value in conjunction with the same secret
600 would permit an attacker to reply with a previously intercepted
601 response. Since it is expected that the same secret MAY be used
602 to authenticate with servers in disparate geographic regions, the
603 Request Authenticator field SHOULD exhibit global and temporal
606 The Request Authenticator value in an Access-Request packet SHOULD
607 also be unpredictable, lest an attacker trick a server into
608 responding to a predicted future request, and then use the
609 response to masquerade as that server to a future Access-Request.
618 Rigney, et. al. Standards Track [Page 11]
620 RFC 2138 RADIUS April 1997
623 Although protocols such as RADIUS are incapable of protecting
624 against theft of an authenticated session via realtime active
625 wiretapping attacks, generation of unique unpredictable requests
626 can protect against a wide range of active attacks against
629 The NAS and RADIUS server share a secret. That shared secret
630 followed by the Request Authenticator is put through a one-way MD5
631 hash to create a 16 octet digest value which is xored with the
632 password entered by the user, and the xored result placed in the
633 User-Password attribute in the Access-Request packet. See the
634 entry for User-Password in the section on Attributes for a more
635 detailed description.
637 Response Authenticator
639 The value of the Authenticator field in Access-Accept, Access-
640 Reject, and Access-Challenge packets is called the Response
641 Authenticator, and contains a one-way MD5 hash calculated over a
642 stream of octets consisting of: the RADIUS packet, beginning with
643 the Code field, including the Identifier, the Length, the Request
644 Authenticator field from the Access-Request packet, and the
645 response Attributes, followed by the shared secret. That is,
646 ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
647 where + denotes concatenation.
651 The secret (password shared between the client and the RADIUS server)
652 SHOULD be at least as large and unguessable as a well-chosen
653 password. It is preferred that the secret be at least 16 octets.
654 This is to ensure a sufficiently large range for the secret to
655 provide protection against exhaustive search attacks. A RADIUS
656 server SHOULD use the source IP address of the RADIUS UDP packet to
657 decide which shared secret to use, so that RADIUS requests can be
660 When using a forwarding proxy, the proxy must be able to alter the
661 packet as it passes through in each direction - when the proxy
662 forwards the request, the proxy can add a Proxy-State Attribute, and
663 when the proxy forwards a response, it removes the Proxy-State
664 Attribute. Since Access-Accept and Access-Reject replies are
665 authenticated on the entire packet contents, the stripping of the
666 Proxy-State attribute would invalidate the signature in the packet -
667 so the proxy has to re-sign it.
669 Further details of RADIUS proxy implementation are outside the scope
674 Rigney, et. al. Standards Track [Page 12]
676 RFC 2138 RADIUS April 1997
681 Many Attributes may have multiple instances, in such a case the order
682 of Attributes of the same Type SHOULD be preserved. The order of
683 Attributes of different Types is not required to be preserved.
685 In the section below on "Attributes" where the text refers to which
686 packets an attribute is allowed in, only packets with Codes 1, 2, 3
687 and 11 and attributes defined in this document are covered in this
688 document. A summary table is provided at the end of the "Attributes"
689 section. To determine which Attributes are allowed in packets with
690 codes 4 and 5 refer to the RADIUS Accounting document [9].
694 The RADIUS Packet type is determined by the Code field in the first
701 Access-Request packets are sent to a RADIUS server, and convey
702 information used to determine whether a user is allowed access to
703 a specific NAS, and any special services requested for that user.
704 An implementation wishing to authenticate a user MUST transmit a
705 RADIUS packet with the Code field set to 1 (Access-Request).
707 Upon receipt of an Access-Request from a valid client, an
708 appropriate reply MUST be transmitted.
710 An Access-Request MUST contain a User-Name attribute. It SHOULD
711 contain either a NAS-IP-Address attribute or NAS-Identifier
712 attribute (or both, although that is not recommended). It MUST
713 contain either a User-Password attribute or CHAP-Password
714 attribute. It SHOULD contain a NAS-Port or NAS-Port-Type
715 attribute or both unless the type of access being requested does
716 not involve a port or the NAS does not distinguish among its
719 An Access-Request MAY contain additional attributes as a hint to
720 the server, but the server is not required to honor the hint.
722 When a User-Password is present, it is hidden using a method based
723 on the RSA Message Digest Algorithm MD5 [1].
725 A summary of the Access-Request packet format is shown below. The
726 fields are transmitted from left to right.
730 Rigney, et. al. Standards Track [Page 13]
732 RFC 2138 RADIUS April 1997
736 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
737 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
738 | Code | Identifier | Length |
739 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
741 | Request Authenticator |
744 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
746 +-+-+-+-+-+-+-+-+-+-+-+-+-
750 1 for Access-Request.
754 The Identifier field MUST be changed whenever the content of the
755 Attributes field changes, and whenever a valid reply has been
756 received for a previous request. For retransmissions, the
757 Identifier MUST remain unchanged.
759 Request Authenticator
761 The Request Authenticator value MUST be changed each time a new
766 The Attribute field is variable in length, and contains the list
767 of Attributes that are required for the type of service, as well
768 as any desired optional Attributes.
774 Access-Accept packets are sent by the RADIUS server, and provide
775 specific configuration information necessary to begin delivery of
776 service to the user. If all Attribute values received in an
777 Access-Request are acceptable then the RADIUS implementation MUST
778 transmit a packet with the Code field set to 2 (Access-Accept).
786 Rigney, et. al. Standards Track [Page 14]
788 RFC 2138 RADIUS April 1997
791 On reception of an Access-Accept, the Identifier field is matched
792 with a pending Access-Request. Additionally, the Response
793 Authenticator field MUST contain the correct response for the
794 pending Access-Request. Invalid packets are silently discarded.
796 A summary of the Access-Accept packet format is shown below. The
797 fields are transmitted from left to right.
800 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
801 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
802 | Code | Identifier | Length |
803 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
805 | Response Authenticator |
808 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
810 +-+-+-+-+-+-+-+-+-+-+-+-+-
818 The Identifier field is a copy of the Identifier field of the
819 Access-Request which caused this Access-Accept.
821 Response Authenticator
823 The Response Authenticator value is calculated from the Access-
824 Request value, as described earlier.
828 The Attribute field is variable in length, and contains a list of
829 zero or more Attributes.
842 Rigney, et. al. Standards Track [Page 15]
844 RFC 2138 RADIUS April 1997
851 If any value of the received Attributes is not acceptable, then
852 the RADIUS server MUST transmit a packet with the Code field set
853 to 3 (Access-Reject). It MAY include one or more Reply-Message
854 Attributes with a text message which the NAS MAY display to the
857 A summary of the Access-Reject packet format is shown below. The
858 fields are transmitted from left to right.
861 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
862 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
863 | Code | Identifier | Length |
864 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
866 | Response Authenticator |
869 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
871 +-+-+-+-+-+-+-+-+-+-+-+-+-
879 The Identifier field is a copy of the Identifier field of the
880 Access-Request which caused this Access-Reject.
882 Response Authenticator
884 The Response Authenticator value is calculated from the Access-
885 Request value, as described earlier.
889 The Attribute field is variable in length, and contains a list of
890 zero or more Attributes.
898 Rigney, et. al. Standards Track [Page 16]
900 RFC 2138 RADIUS April 1997
903 4.4. Access-Challenge
907 If the RADIUS server desires to send the user a challenge
908 requiring a response, then the RADIUS server MUST respond to the
909 Access-Request by transmitting a packet with the Code field set to
910 11 (Access-Challenge).
912 The Attributes field MAY have one or more Reply-Message
913 Attributes, and MAY have a single State Attribute, or none. No
914 other Attributes are permitted in an Access-Challenge.
916 On receipt of an Access-Challenge, the Identifier field is matched
917 with a pending Access-Request. Additionally, the Response
918 Authenticator field MUST contain the correct response for the
919 pending Access-Request. Invalid packets are silently discarded.
921 If the NAS does not support challenge/response, it MUST treat an
922 Access-Challenge as though it had received an Access-Reject
925 If the NAS supports challenge/response, receipt of a valid
926 Access-Challenge indicates that a new Access-Request SHOULD be
927 sent. The NAS MAY display the text message, if any, to the user,
928 and then prompt the user for a response. It then sends its
929 original Access-Request with a new request ID and Request
930 Authenticator, with the User-Password Attribute replaced by the
931 user's response (encrypted), and including the State Attribute
932 from the Access-Challenge, if any. Only 0 or 1 instances of the
933 State Attribute can be present in an Access-Request.
935 A NAS which supports PAP MAY forward the Reply-Message to the
936 dialin client and accept a PAP response which it can use as though
937 the user had entered the response. If the NAS cannot do so, it
938 should treat the Access-Challenge as though it had received an
939 Access-Reject instead.
954 Rigney, et. al. Standards Track [Page 17]
956 RFC 2138 RADIUS April 1997
959 A summary of the Access-Challenge packet format is shown below. The
960 fields are transmitted from left to right.
963 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
964 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
965 | Code | Identifier | Length |
966 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
968 | Response Authenticator |
971 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
973 +-+-+-+-+-+-+-+-+-+-+-+-+-
977 11 for Access-Challenge.
981 The Identifier field is a copy of the Identifier field of the
982 Access-Request which caused this Access-Challenge.
984 Response Authenticator
986 The Response Authenticator value is calculated from the Access-
987 Request value, as described earlier.
991 The Attributes field is variable in length, and contains a list of
992 zero or more Attributes.
996 RADIUS Attributes carry the specific authentication, authorization,
997 information and configuration details for the request and reply.
999 Some Attributes MAY be included more than once. The effect of this
1000 is Attribute specific, and is specified in each Attribute
1003 The end of the list of Attributes is indicated by the Length of the
1010 Rigney, et. al. Standards Track [Page 18]
1012 RFC 2138 RADIUS April 1997
1015 A summary of the Attribute format is shown below. The fields are
1016 transmitted from left to right.
1019 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0
1020 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
1021 | Type | Length | Value ...
1022 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
1026 The Type field is one octet. Up-to-date values of the RADIUS Type
1027 field are specified in the most recent "Assigned Numbers" RFC [3].
1028 Values 192-223 are reserved for experimental use, values 224-240
1029 are reserved for implementation-specific use, and values 241-255
1030 are reserved and should not be used. This specification concerns
1031 the following values:
1033 A RADIUS server MAY ignore Attributes with an unknown Type.
1035 A RADIUS client MAY ignore Attributes with an unknown Type.
1049 13 Framed-Compression
1059 23 Framed-IPX-Network
1066 Rigney, et. al. Standards Track [Page 19]
1068 RFC 2138 RADIUS April 1997
1073 29 Termination-Action
1074 30 Called-Station-Id
1075 31 Calling-Station-Id
1078 34 Login-LAT-Service
1081 37 Framed-AppleTalk-Link
1082 38 Framed-AppleTalk-Network
1083 39 Framed-AppleTalk-Zone
1084 40-59 (reserved for accounting)
1092 The Length field is one octet, and indicates the length of this
1093 Attribute including the Type, Length and Value fields. If an
1094 Attribute is received in an Access-Request but with an invalid
1095 Length, an Access-Reject SHOULD be transmitted. If an Attribute
1096 is received in an Access-Accept, Access-Reject or Access-Challenge
1097 packet with an invalid length, the packet MUST either be treated
1098 an Access-Reject or else silently discarded.
1102 The Value field is zero or more octets and contains information
1103 specific to the Attribute. The format and length of the Value
1104 field is determined by the Type and Length fields.
1106 Note that a "string" in RADIUS does not require termination by an
1107 ASCII NUL because the Attribute already has a length field.
1122 Rigney, et. al. Standards Track [Page 20]
1124 RFC 2138 RADIUS April 1997
1127 The format of the value field is one of four data types.
1131 address 32 bit value, most significant octet first.
1133 integer 32 bit value, most significant octet first.
1135 time 32 bit value, most significant octet first -- seconds
1136 since 00:00:00 GMT, January 1, 1970. The standard
1137 Attributes do not use this data type but it is presented
1138 here for possible use within Vendor-Specific attributes.
1145 This Attribute indicates the name of the user to be authenticated.
1146 It is only used in Access-Request packets.
1148 A summary of the User-Name Attribute format is shown below. The
1149 fields are transmitted from left to right.
1152 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1153 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
1154 | Type | Length | String ...
1155 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
1167 The String field is one or more octets. The NAS may limit the
1168 maximum length of the User-Name but the ability to handle at least
1169 63 octets is recommended.
1178 Rigney, et. al. Standards Track [Page 21]
1180 RFC 2138 RADIUS April 1997
1183 The format of the username MAY be one of several forms:
1185 monolithic Consisting only of alphanumeric characters. This
1186 simple form might be used to locally manage a NAS.
1188 simple Consisting only of printable ASCII characters.
1190 name@fqdn SMTP address. The Fully Qualified Domain Name (with or
1191 without trailing dot) indicates the realm in which the
1195 A name in ASN.1 form used in Public Key authentication
1202 This Attribute indicates the password of the user to be
1203 authenticated, or the user's input following an Access-Challenge.
1204 It is only used in Access-Request packets.
1206 On transmission, the password is hidden. The password is first
1207 padded at the end with nulls to a multiple of 16 octets. A one-
1208 way MD5 hash is calculated over a stream of octets consisting of
1209 the shared secret followed by the Request Authenticator. This
1210 value is XORed with the first 16 octet segment of the password and
1211 placed in the first 16 octets of the String field of the User-
1214 If the password is longer than 16 characters, a second one-way MD5
1215 hash is calculated over a stream of octets consisting of the
1216 shared secret followed by the result of the first xor. That hash
1217 is XORed with the second 16 octet segment of the password and
1218 placed in the second 16 octets of the String field of the User-
1221 If necessary, this operation is repeated, with each xor result
1222 being used along with the shared secret to generate the next hash
1223 to xor the next segment of the password, to no more than 128
1226 The method is taken from the book "Network Security" by Kaufman,
1227 Perlman and Speciner [4] pages 109-110. A more precise
1228 explanation of the method follows:
1234 Rigney, et. al. Standards Track [Page 22]
1236 RFC 2138 RADIUS April 1997
1239 Call the shared secret S and the pseudo-random 128-bit Request
1240 Authenticator RA. Break the password into 16-octet chunks p1, p2,
1241 etc. with the last one padded at the end with nulls to a 16-octet
1242 boundary. Call the ciphertext blocks c(1), c(2), etc. We'll need
1243 intermediate values b1, b2, etc.
1245 b1 = MD5(S + RA) c(1) = p1 xor b1
1246 b2 = MD5(S + c(1)) c(2) = p2 xor b2
1250 bi = MD5(S + c(i-1)) c(i) = pi xor bi
1252 The String will contain c(1)+c(2)+...+c(i) where + denotes
1255 On receipt, the process is reversed to yield the original
1258 A summary of the User-Password Attribute format is shown below. The
1259 fields are transmitted from left to right.
1262 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1263 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
1264 | Type | Length | String ...
1265 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
1269 2 for User-Password.
1273 At least 18 and no larger than 130.
1277 The String field is between 16 and 128 octets long, inclusive.
1283 This Attribute indicates the response value provided by a PPP
1284 Challenge-Handshake Authentication Protocol (CHAP) user in
1285 response to the challenge. It is only used in Access-Request
1290 Rigney, et. al. Standards Track [Page 23]
1292 RFC 2138 RADIUS April 1997
1295 The CHAP challenge value is found in the CHAP-Challenge Attribute
1296 (60) if present in the packet, otherwise in the Request
1297 Authenticator field.
1299 A summary of the CHAP-Password Attribute format is shown below. The
1300 fields are transmitted from left to right.
1303 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9
1304 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
1305 | Type | Length | CHAP Ident | String ...
1306 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
1310 3 for CHAP-Password.
1318 This field is one octet, and contains the CHAP Identifier from the
1319 user's CHAP Response.
1323 The String field is 16 octets, and contains the CHAP Response from
1330 This Attribute indicates the identifying IP Address of the NAS
1331 which is requesting authentication of the user. It is only used
1332 in Access-Request packets. Either NAS-IP-Address or NAS-
1333 Identifier SHOULD be present in an Access-Request packet.
1346 Rigney, et. al. Standards Track [Page 24]
1348 RFC 2138 RADIUS April 1997
1351 A summary of the NAS-IP-Address Attribute format is shown below. The
1352 fields are transmitted from left to right.
1355 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1356 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1357 | Type | Length | Address
1358 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1360 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1364 4 for NAS-IP-Address.
1372 The Address field is four octets.
1378 This Attribute indicates the physical port number of the NAS which
1379 is authenticating the user. It is only used in Access-Request
1380 packets. Note that this is using "port" in its sense of a
1381 physical connection on the NAS, not in the sense of a TCP or UDP
1382 port number. Either NAS-Port or NAS-Port-Type (61) or both SHOULD
1383 be present in an Access-Request packet, if the NAS differentiates
1386 A summary of the NAS-Port Attribute format is shown below. The
1387 fields are transmitted from left to right.
1402 Rigney, et. al. Standards Track [Page 25]
1404 RFC 2138 RADIUS April 1997
1408 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1409 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1410 | Type | Length | Value
1411 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1413 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1425 The Value field is four octets. Despite the size of the field,
1426 values range from 0 to 65535.
1432 This Attribute indicates the type of service the user has
1433 requested, or the type of service to be provided. It MAY be used
1434 in both Access-Request and Access-Accept packets. A NAS is not
1435 required to implement all of these service types, and MUST treat
1436 unknown or unsupported Service-Types as though an Access-Reject
1437 had been received instead.
1439 A summary of the Service-Type Attribute format is shown below. The
1440 fields are transmitted from left to right.
1443 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1444 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1445 | Type | Length | Value
1446 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1448 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1458 Rigney, et. al. Standards Track [Page 26]
1460 RFC 2138 RADIUS April 1997
1469 The Value field is four octets.
1479 9 Callback NAS Prompt
1482 The service types are defined as follows when used in an Access-
1483 Accept. When used in an Access-Request, they should be considered
1484 to be a hint to the RADIUS server that the NAS has reason to
1485 believe the user would prefer the kind of service indicated, but
1486 the server is not required to honor the hint.
1488 Login The user should be connected to a host.
1490 Framed A Framed Protocol should be started for the
1491 User, such as PPP or SLIP.
1493 Callback Login The user should be disconnected and called
1494 back, then connected to a host.
1496 Callback Framed The user should be disconnected and called
1497 back, then a Framed Protocol should be started
1498 for the User, such as PPP or SLIP.
1500 Outbound The user should be granted access to outgoing
1503 Administrative The user should be granted access to the
1504 administrative interface to the NAS from which
1505 privileged commands can be executed.
1507 NAS Prompt The user should be provided a command prompt
1508 on the NAS from which non-privileged commands
1514 Rigney, et. al. Standards Track [Page 27]
1516 RFC 2138 RADIUS April 1997
1519 Authenticate Only Only Authentication is requested, and no
1520 authorization information needs to be returned
1521 in the Access-Accept (typically used by proxy
1522 servers rather than the NAS itself).
1524 Callback NAS Prompt The user should be disconnected and called
1525 back, then provided a command prompt on the
1526 NAS from which non-privileged commands can be
1529 5.7. Framed-Protocol
1533 This Attribute indicates the framing to be used for framed access.
1534 It MAY be used in both Access-Request and Access-Accept packets.
1536 A summary of the Framed-Protocol Attribute format is shown below.
1537 The fields are transmitted from left to right.
1540 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1541 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1542 | Type | Length | Value
1543 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1545 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1549 7 for Framed-Protocol.
1557 The Value field is four octets.
1561 3 AppleTalk Remote Access Protocol (ARAP)
1562 4 Gandalf proprietary SingleLink/MultiLink protocol
1563 5 Xylogics proprietary IPX/SLIP
1570 Rigney, et. al. Standards Track [Page 28]
1572 RFC 2138 RADIUS April 1997
1575 5.8. Framed-IP-Address
1579 This Attribute indicates the address to be configured for the
1580 user. It MAY be used in Access-Accept packets. It MAY be used in
1581 an Access-Request packet as a hint by the NAS to the server that
1582 it would prefer that address, but the server is not required to
1585 A summary of the Framed-IP-Address Attribute format is shown below.
1586 The fields are transmitted from left to right.
1589 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1590 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1591 | Type | Length | Address
1592 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1594 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1598 8 for Framed-IP-Address.
1606 The Address field is four octets. The value 0xFFFFFFFF indicates
1607 that the NAS should allow the user to select an address (e.g.
1608 Negotiated). The value 0xFFFFFFFE indicates that the NAS should
1609 select an address for the user (e.g. Assigned from a pool of
1610 addresses kept by the NAS). Other valid values indicate that the
1611 NAS should use that value as the user's IP address.
1613 5.9. Framed-IP-Netmask
1617 This Attribute indicates the IP netmask to be configured for the
1618 user when the user is a router to a network. It MAY be used in
1619 Access-Accept packets. It MAY be used in an Access-Request packet
1620 as a hint by the NAS to the server that it would prefer that
1621 netmask, but the server is not required to honor the hint.
1626 Rigney, et. al. Standards Track [Page 29]
1628 RFC 2138 RADIUS April 1997
1631 A summary of the Framed-IP-Netmask Attribute format is shown below.
1632 The fields are transmitted from left to right.
1635 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1636 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1637 | Type | Length | Address
1638 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1640 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1644 9 for Framed-IP-Netmask.
1652 The Address field is four octets specifying the IP netmask of the
1655 5.10. Framed-Routing
1659 This Attribute indicates the routing method for the user, when the
1660 user is a router to a network. It is only used in Access-Accept
1663 A summary of the Framed-Routing Attribute format is shown below. The
1664 fields are transmitted from left to right.
1667 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1668 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1669 | Type | Length | Value
1670 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1672 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1676 10 for Framed-Routing.
1682 Rigney, et. al. Standards Track [Page 30]
1684 RFC 2138 RADIUS April 1997
1693 The Value field is four octets.
1696 1 Send routing packets
1697 2 Listen for routing packets
1704 This Attribute indicates the name of the filter list for this
1705 user. Zero or more Filter-Id attributes MAY be sent in an
1706 Access-Accept packet.
1708 Identifying a filter list by name allows the filter to be used on
1709 different NASes without regard to filter-list implementation
1712 A summary of the Filter-Id Attribute format is shown below. The
1713 fields are transmitted from left to right.
1716 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1717 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
1718 | Type | Length | String ...
1719 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
1738 Rigney, et. al. Standards Track [Page 31]
1740 RFC 2138 RADIUS April 1997
1745 The String field is one or more octets, and its contents are
1746 implementation dependent. It is intended to be human readable and
1747 MUST NOT affect operation of the protocol. It is recommended that
1748 the message contain displayable ASCII characters from the range 32
1749 through 126 decimal.
1755 This Attribute indicates the Maximum Transmission Unit to be
1756 configured for the user, when it is not negotiated by some other
1757 means (such as PPP). It is only used in Access-Accept packets.
1759 A summary of the Framed-MTU Attribute format is shown below. The
1760 fields are transmitted from left to right.
1763 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1764 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1765 | Type | Length | Value
1766 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1768 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1780 The Value field is four octets. Despite the size of the field,
1781 values range from 64 to 65535.
1794 Rigney, et. al. Standards Track [Page 32]
1796 RFC 2138 RADIUS April 1997
1799 5.13. Framed-Compression
1803 This Attribute indicates a compression protocol to be used for the
1804 link. It MAY be used in Access-Accept packets. It MAY be used in
1805 an Access-Request packet as a hint to the server that the NAS
1806 would prefer to use that compression, but the server is not
1807 required to honor the hint.
1809 More than one compression protocol Attribute MAY be sent. It is
1810 the responsibility of the NAS to apply the proper compression
1811 protocol to appropriate link traffic.
1813 A summary of the Framed-Compression Attribute format is shown below.
1814 The fields are transmitted from left to right.
1817 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1818 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1819 | Type | Length | Value
1820 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1822 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1826 13 for Framed-Compression.
1834 The Value field is four octets.
1837 1 VJ TCP/IP header compression [5]
1838 2 IPX header compression
1844 This Attribute indicates the system with which to connect the
1845 user, when the Login-Service Attribute is included. It MAY be
1846 used in Access-Accept packets. It MAY be used in an Access-
1850 Rigney, et. al. Standards Track [Page 33]
1852 RFC 2138 RADIUS April 1997
1855 Request packet as a hint to the server that the NAS would prefer
1856 to use that host, but the server is not required to honor the
1859 A summary of the Login-IP-Host Attribute format is shown below. The
1860 fields are transmitted from left to right.
1863 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1864 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1865 | Type | Length | Address
1866 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1868 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1872 14 for Login-IP-Host.
1880 The Address field is four octets. The value 0xFFFFFFFF indicates
1881 that the NAS SHOULD allow the user to select an address. The
1882 value 0 indicates that the NAS SHOULD select a host to connect the
1883 user to. Other values indicate the address the NAS SHOULD connect
1890 This Attribute indicates the service which should be used to
1891 connect the user to the login host. It is only used in Access-
1894 A summary of the Login-Service Attribute format is shown below. The
1895 fields are transmitted from left to right.
1906 Rigney, et. al. Standards Track [Page 34]
1908 RFC 2138 RADIUS April 1997
1912 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1913 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1914 | Type | Length | Value
1915 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1917 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1921 15 for Login-Service.
1929 The Value field is four octets.
1934 3 PortMaster (proprietary)
1937 5.16. Login-TCP-Port
1941 This Attribute indicates the TCP port with which the user is to be
1942 connected, when the Login-Service Attribute is also present. It
1943 is only used in Access-Accept packets.
1945 A summary of the Login-TCP-Port Attribute format is shown below. The
1946 fields are transmitted from left to right.
1949 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1950 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1951 | Type | Length | Value
1952 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1954 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1958 16 for Login-TCP-Port.
1962 Rigney, et. al. Standards Track [Page 35]
1964 RFC 2138 RADIUS April 1997
1973 The Value field is four octets. Despite the size of the field,
1974 values range from 0 to 65535.
1980 ATTRIBUTE TYPE 17 HAS NOT BEEN ASSIGNED.
1986 This Attribute indicates text which MAY be displayed to the user.
1988 When used in an Access-Accept, it is the success message.
1990 When used in an Access-Reject, it is the failure message. It MAY
1991 indicate a dialog message to prompt the user before another
1992 Access-Request attempt.
1994 When used in an Access-Challenge, it MAY indicate a dialog message
1995 to prompt the user for a response.
1997 Multiple Reply-Message's MAY be included and if any are displayed,
1998 they MUST be displayed in the same order as they appear in the
2001 A summary of the Reply-Message Attribute format is shown below. The
2002 fields are transmitted from left to right.
2005 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2006 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
2007 | Type | Length | String ...
2008 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
2013 18 for Reply-Message.
2018 Rigney, et. al. Standards Track [Page 36]
2020 RFC 2138 RADIUS April 1997
2029 The String field is one or more octets, and its contents are
2030 implementation dependent. It is intended to be human readable,
2031 and MUST NOT affect operation of the protocol. It is recommended
2032 that the message contain displayable ASCII characters from the
2033 range 10, 13, and 32 through 126 decimal. Mechanisms for
2034 extension to other character sets are beyond the scope of this
2037 5.19. Callback-Number
2041 This Attribute indicates a dialing string to be used for callback.
2042 It MAY be used in Access-Accept packets. It MAY be used in an
2043 Access-Request packet as a hint to the server that a Callback
2044 service is desired, but the server is not required to honor the
2047 A summary of the Callback-Number Attribute format is shown below.
2048 The fields are transmitted from left to right.
2051 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2052 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
2053 | Type | Length | String ...
2054 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
2058 19 for Callback-Number.
2074 Rigney, et. al. Standards Track [Page 37]
2076 RFC 2138 RADIUS April 1997
2081 The String field is one or more octets. The actual format of the
2082 information is site or application specific, and a robust
2083 implementation SHOULD support the field as undistinguished octets.
2085 The codification of the range of allowed usage of this field is
2086 outside the scope of this specification.
2092 This Attribute indicates the name of a place to be called, to be
2093 interpreted by the NAS. It MAY be used in Access-Accept packets.
2095 A summary of the Callback-Id Attribute format is shown below. The
2096 fields are transmitted from left to right.
2099 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2100 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
2101 | Type | Length | String ...
2102 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
2114 The String field is one or more octets. The actual format of the
2115 information is site or application specific, and a robust
2116 implementation SHOULD support the field as undistinguished octets.
2117 The codification of the range of allowed usage of this field is
2118 outside the scope of this specification.
2124 ATTRIBUTE TYPE 21 HAS NOT BEEN ASSIGNED.
2130 Rigney, et. al. Standards Track [Page 38]
2132 RFC 2138 RADIUS April 1997
2139 This Attribute provides routing information to be configured for
2140 the user on the NAS. It is used in the Access-Accept packet and
2141 can appear multiple times.
2143 A summary of the Framed-Route Attribute format is shown below. The
2144 fields are transmitted from left to right.
2147 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
2148 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
2149 | Type | Length | String...
2150 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
2154 22 for Framed-Route.
2162 The String field is one or more octets, and its contents are
2163 implementation dependent. It is intended to be human readable and
2164 MUST NOT affect operation of the protocol. It is recommended that
2165 the message contain displayable ASCII characters from the range 32
2166 through 126 decimal.
2168 For IP routes, it SHOULD contain a destination prefix in dotted
2169 quad form optionally followed by a slash and a decimal length
2170 specifier stating how many high order bits of the prefix should be
2171 used. That is followed by a space, a gateway address in dotted
2172 quad form, a space, and one or more metrics separated by spaces.
2173 For example, "192.168.1.0/24 192.168.1.1 1 2 -1 3 400". The length
2174 specifier may be omitted in which case it should default to 8 bits
2175 for class A prefixes, 16 bits for class B prefixes, and 24 bits
2176 for class C prefixes. For example, "192.168.1.0 192.168.1.1 1".
2178 Whenever the gateway address is specified as "0.0.0.0" the IP
2179 address of the user SHOULD be used as the gateway address.
2186 Rigney, et. al. Standards Track [Page 39]
2188 RFC 2138 RADIUS April 1997
2191 5.23. Framed-IPX-Network
2195 This Attribute indicates the IPX Network number to be configured
2196 for the user. It is used in Access-Accept packets.
2198 A summary of the Framed-IPX-Network Attribute format is shown below.
2199 The fields are transmitted from left to right.
2202 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2203 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2204 | Type | Length | Value
2205 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2207 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2211 23 for Framed-IPX-Network.
2219 The Value field is four octets. The value 0xFFFFFFFE indicates
2220 that the NAS should select an IPX network for the user (e.g.
2221 assigned from a pool of one or more IPX networks kept by the NAS).
2222 Other values should be used as the IPX network for the link to the
2229 This Attribute is available to be sent by the server to the client
2230 in an Access-Challenge and MUST be sent unmodified from the client
2231 to the server in the new Access-Request reply to that challenge,
2242 Rigney, et. al. Standards Track [Page 40]
2244 RFC 2138 RADIUS April 1997
2247 This Attribute is available to be sent by the server to the client
2248 in an Access-Accept that also includes a Termination-Action
2249 Attribute with the value of RADIUS-Request. If the NAS performs
2250 the Termination-Action by sending a new Access-Request upon
2251 termination of the current session, it MUST include the State
2252 attribute unchanged in that Access-Request.
2254 In either usage, no interpretation by the client should be made.
2255 A packet may have only one State Attribute. Usage of the State
2256 Attribute is implementation dependent.
2258 A summary of the State Attribute format is shown below. The fields
2259 are transmitted from left to right.
2262 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2263 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
2264 | Type | Length | String ...
2265 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
2277 The String field is one or more octets. The actual format of the
2278 information is site or application specific, and a robust
2279 implementation SHOULD support the field as undistinguished octets.
2281 The codification of the range of allowed usage of this field is
2282 outside the scope of this specification.
2288 This Attribute is available to be sent by the server to the client
2289 in an Access-Accept and should be sent unmodified by the client to
2290 the accounting server as part of the Accounting-Request packet if
2291 accounting is supported. No interpretation by the client should
2298 Rigney, et. al. Standards Track [Page 41]
2300 RFC 2138 RADIUS April 1997
2303 A summary of the Class Attribute format is shown below. The fields
2304 are transmitted from left to right.
2307 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2308 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
2309 | Type | Length | String ...
2310 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
2322 The String field is one or more octets. The actual format of the
2323 information is site or application specific, and a robust
2324 implementation SHOULD support the field as undistinguished octets.
2326 The codification of the range of allowed usage of this field is
2327 outside the scope of this specification.
2329 5.26. Vendor-Specific
2333 This Attribute is available to allow vendors to support their own
2334 extended Attributes not suitable for general usage. It MUST not
2335 affect the operation of the RADIUS protocol.
2337 Servers not equipped to interpret the vendor-specific information
2338 sent by a client MUST ignore it (although it may be reported).
2339 Clients which do not receive desired vendor-specific information
2340 SHOULD make an attempt to operate without it, although they may do
2341 so (and report they are doing so) in a degraded mode.
2343 A summary of the Vendor-Specific Attribute format is shown below.
2344 The fields are transmitted from left to right.
2354 Rigney, et. al. Standards Track [Page 42]
2356 RFC 2138 RADIUS April 1997
2360 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2361 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2362 | Type | Length | Vendor-Id
2363 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2364 Vendor-Id (cont) | String...
2365 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
2369 26 for Vendor-Specific.
2377 The high-order octet is 0 and the low-order 3 octets are the SMI
2378 Network Management Private Enterprise Code of the Vendor in
2379 network byte order, as defined in the Assigned Numbers RFC [3].
2383 The String field is one or more octets. The actual format of the
2384 information is site or application specific, and a robust
2385 implementation SHOULD support the field as undistinguished octets.
2387 The codification of the range of allowed usage of this field is
2388 outside the scope of this specification.
2390 It SHOULD be encoded as a sequence of vendor type / vendor length
2391 / value fields, as follows. The Attribute-Specific field is
2392 dependent on the vendor's definition of that attribute. An
2393 example encoding of the Vendor-Specific attribute using this
2397 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2398 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2399 | Type | Length | Vendor-Id
2400 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2401 Vendor-Id (cont) | Vendor type | Vendor length |
2402 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2403 | Attribute-Specific...
2404 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
2410 Rigney, et. al. Standards Track [Page 43]
2412 RFC 2138 RADIUS April 1997
2415 5.27. Session-Timeout
2419 This Attribute sets the maximum number of seconds of service to be
2420 provided to the user before termination of the session or prompt.
2421 This Attribute is available to be sent by the server to the client
2422 in an Access-Accept or Access-Challenge.
2424 A summary of the Session-Timeout Attribute format is shown below.
2425 The fields are transmitted from left to right.
2428 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2429 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2430 | Type | Length | Value
2431 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2433 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2437 27 for Session-Timeout.
2445 The field is 4 octets, containing a 32-bit unsigned integer with
2446 the maximum number of seconds this user should be allowed to
2447 remain connected by the NAS.
2453 This Attribute sets the maximum number of consecutive seconds of
2454 idle connection allowed to the user before termination of the
2455 session or prompt. This Attribute is available to be sent by the
2456 server to the client in an Access-Accept or Access-Challenge.
2466 Rigney, et. al. Standards Track [Page 44]
2468 RFC 2138 RADIUS April 1997
2471 A summary of the Idle-Timeout Attribute format is shown below. The
2472 fields are transmitted from left to right.
2475 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2476 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2477 | Type | Length | Value
2478 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2480 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2484 28 for Idle-Timeout.
2492 The field is 4 octets, containing a 32-bit unsigned integer with
2493 the maximum number of consecutive seconds of idle time this user
2494 should be permitted before being disconnected by the NAS.
2496 5.29. Termination-Action
2500 This Attribute indicates what action the NAS should take when the
2501 specified service is completed. It is only used in Access-Accept
2504 A summary of the Termination-Action Attribute format is shown below.
2505 The fields are transmitted from left to right.
2508 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2509 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2510 | Type | Length | Value
2511 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2513 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2517 29 for Termination-Action.
2522 Rigney, et. al. Standards Track [Page 45]
2524 RFC 2138 RADIUS April 1997
2533 The Value field is four octets.
2538 If the Value is set to RADIUS-Request, upon termination of the
2539 specified service the NAS MAY send a new Access-Request to the
2540 RADIUS server, including the State attribute if any.
2542 5.30. Called-Station-Id
2546 This Attribute allows the NAS to send in the Access-Request packet
2547 the phone number that the user called, using Dialed Number
2548 Identification (DNIS) or similar technology. Note that this may be
2549 different from the phone number the call comes in on. It is only
2550 used in Access-Request packets.
2552 A summary of the Called-Station-Id Attribute format is shown below.
2553 The fields are transmitted from left to right.
2556 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2557 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
2558 | Type | Length | String ...
2559 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
2564 30 for Called-Station-Id.
2572 The String field is one or more octets, containing the phone
2573 number that the user's call came in on.
2578 Rigney, et. al. Standards Track [Page 46]
2580 RFC 2138 RADIUS April 1997
2583 The actual format of the information is site or application
2584 specific. Printable ASCII is recommended, but a robust
2585 implementation SHOULD support the field as undistinguished octets.
2587 The codification of the range of allowed usage of this field is
2588 outside the scope of this specification.
2590 5.31. Calling-Station-Id
2594 This Attribute allows the NAS to send in the Access-Request packet
2595 the phone number that the call came from, using Automatic Number
2596 Identification (ANI) or similar technology. It is only used in
2597 Access-Request packets.
2599 A summary of the Calling-Station-Id Attribute format is shown below.
2600 The fields are transmitted from left to right.
2603 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2604 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
2605 | Type | Length | String ...
2606 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
2610 31 for Calling-Station-Id.
2618 The String field is one or more octets, containing the phone
2619 number that the user placed the call from.
2621 The actual format of the information is site or application
2622 specific. Printable ASCII is recommended, but a robust
2623 implementation SHOULD support the field as undistinguished octets.
2625 The codification of the range of allowed usage of this field is
2626 outside the scope of this specification.
2634 Rigney, et. al. Standards Track [Page 47]
2636 RFC 2138 RADIUS April 1997
2639 5.32. NAS-Identifier
2643 This Attribute contains a string identifying the NAS originating
2644 the Access-Request. It is only used in Access-Request packets.
2645 Either NAS-IP-Address or NAS-Identifier SHOULD be present in an
2646 Access-Request packet.
2648 A summary of the NAS-Identifier Attribute format is shown below. The
2649 fields are transmitted from left to right.
2652 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2653 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
2654 | Type | Length | String ...
2655 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
2659 32 for NAS-Identifier.
2667 The String field is one or more octets, and should be unique to
2668 the NAS within the scope of the RADIUS server. For example, a
2669 fully qualified domain name would be suitable as a NAS-Identifier.
2671 The actual format of the information is site or application
2672 specific, and a robust implementation SHOULD support the field as
2673 undistinguished octets.
2675 The codification of the range of allowed usage of this field is
2676 outside the scope of this specification.
2682 This Attribute is available to be sent by a proxy server to
2683 another server when forwarding an Access-Request and MUST be
2684 returned unmodified in the Access-Accept, Access-Reject or
2685 Access-Challenge. This attribute should be removed by the proxy
2686 server before the response is forwarded to the NAS.
2690 Rigney, et. al. Standards Track [Page 48]
2692 RFC 2138 RADIUS April 1997
2695 Usage of the Proxy-State Attribute is implementation dependent. A
2696 description of its function is outside the scope of this
2699 A summary of the Proxy-State Attribute format is shown below. The
2700 fields are transmitted from left to right.
2703 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2704 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
2705 | Type | Length | String ...
2706 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
2718 The String field is one or more octets. The actual format of the
2719 information is site or application specific, and a robust
2720 implementation SHOULD support the field as undistinguished octets.
2722 The codification of the range of allowed usage of this field is
2723 outside the scope of this specification.
2725 5.34. Login-LAT-Service
2729 This Attribute indicates the system with which the user is to be
2730 connected by LAT. It MAY be used in Access-Accept packets, but
2731 only when LAT is specified as the Login-Service. It MAY be used
2732 in an Access-Request packet as a hint to the server, but the
2733 server is not required to honor the hint.
2735 Administrators use the service attribute when dealing with
2736 clustered systems, such as a VAX or Alpha cluster. In such an
2737 environment several different time sharing hosts share the same
2738 resources (disks, printers, etc.), and administrators often
2739 configure each to offer access (service) to each of the shared
2740 resources. In this case, each host in the cluster advertises its
2741 services through LAT broadcasts.
2746 Rigney, et. al. Standards Track [Page 49]
2748 RFC 2138 RADIUS April 1997
2751 Sophisticated users often know which service providers (machines)
2752 are faster and tend to use a node name when initiating a LAT
2753 connection. Alternately, some administrators want particular
2754 users to use certain machines as a primitive form of load
2755 balancing (although LAT knows how to do load balancing itself).
2757 A summary of the Login-LAT-Service Attribute format is shown below.
2758 The fields are transmitted from left to right.
2761 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2762 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
2763 | Type | Length | String ...
2764 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
2769 34 for Login-LAT-Service.
2777 The String field is one or more octets, and contains the identity
2778 of the LAT service to use. The LAT Architecture allows this
2779 string to contain $ (dollar), - (hyphen), . (period), _
2780 (underscore), numerics, upper and lower case alphabetics, and the
2781 ISO Latin-1 character set extension [6]. All LAT string
2782 comparisons are case insensitive.
2784 5.35. Login-LAT-Node
2788 This Attribute indicates the Node with which the user is to be
2789 automatically connected by LAT. It MAY be used in Access-Accept
2790 packets, but only when LAT is specified as the Login-Service. It
2791 MAY be used in an Access-Request packet as a hint to the server,
2792 but the server is not required to honor the hint.
2794 A summary of the Login-LAT-Node Attribute format is shown below. The
2795 fields are transmitted from left to right.
2802 Rigney, et. al. Standards Track [Page 50]
2804 RFC 2138 RADIUS April 1997
2808 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2809 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
2810 | Type | Length | String ...
2811 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
2815 35 for Login-LAT-Node.
2823 The String field is one or more octets, and contains the identity
2824 of the LAT Node to connect the user to. The LAT Architecture
2825 allows this string to contain $ (dollar), - (hyphen), . (period),
2826 _ (underscore), numerics, upper and lower case alphabetics, and
2827 the ISO Latin-1 character set extension. All LAT string
2828 comparisons are case insensitive.
2830 5.36. Login-LAT-Group
2834 This Attribute contains a string identifying the LAT group codes
2835 which this user is authorized to use. It MAY be used in Access-
2836 Accept packets, but only when LAT is specified as the Login-
2837 Service. It MAY be used in an Access-Request packet as a hint to
2838 the server, but the server is not required to honor the hint.
2840 LAT supports 256 different group codes, which LAT uses as a form
2841 of access rights. LAT encodes the group codes as a 256 bit
2844 Administrators can assign one or more of the group code bits at
2845 the LAT service provider; it will only accept LAT connections that
2846 have these group codes set in the bit map. The administrators
2847 assign a bitmap of authorized group codes to each user; LAT gets
2848 these from the operating system, and uses these in its requests to
2849 the service providers.
2858 Rigney, et. al. Standards Track [Page 51]
2860 RFC 2138 RADIUS April 1997
2863 A summary of the Login-LAT-Group Attribute format is shown below.
2864 The fields are transmitted from left to right.
2867 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2868 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
2869 | Type | Length | String ...
2870 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
2874 36 for Login-LAT-Group.
2882 The String field is a 32 octet bit map, most significant octet
2883 first. A robust implementation SHOULD support the field as
2884 undistinguished octets.
2886 The codification of the range of allowed usage of this field is
2887 outside the scope of this specification.
2889 5.37. Framed-AppleTalk-Link
2893 This Attribute indicates the AppleTalk network number which should
2894 be used for the serial link to the user, which is another
2895 AppleTalk router. It is only used in Access-Accept packets. It
2896 is never used when the user is not another router.
2898 A summary of the Framed-AppleTalk-Link Attribute format is shown
2899 below. The fields are transmitted from left to right.
2902 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2903 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2904 | Type | Length | Value
2905 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2907 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2914 Rigney, et. al. Standards Track [Page 52]
2916 RFC 2138 RADIUS April 1997
2921 37 for Framed-AppleTalk-Link.
2929 The Value field is four octets. Despite the size of the field,
2930 values range from 0 to 65535. The special value of 0 indicates
2931 that this is an unnumbered serial link. A value of 1-65535 means
2932 that the serial line between the NAS and the user should be
2933 assigned that value as an AppleTalk network number.
2935 5.38. Framed-AppleTalk-Network
2939 This Attribute indicates the AppleTalk Network number which the
2940 NAS should probe to allocate an AppleTalk node for the user. It
2941 is only used in Access-Accept packets. It is never used when the
2942 user is another router. Multiple instances of this Attribute
2943 indicate that the NAS may probe using any of the network numbers
2946 A summary of the Framed-AppleTalk-Network Attribute format is shown
2947 below. The fields are transmitted from left to right.
2950 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2951 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2952 | Type | Length | Value
2953 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2955 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2959 38 for Framed-AppleTalk-Network.
2970 Rigney, et. al. Standards Track [Page 53]
2972 RFC 2138 RADIUS April 1997
2977 The Value field is four octets. Despite the size of the field,
2978 values range from 0 to 65535. The special value 0 indicates that
2979 the NAS should assign a network for the user, using its default
2980 cable range. A value between 1 and 65535 (inclusive) indicates
2981 the AppleTalk Network the NAS should probe to find an address for
2984 5.39. Framed-AppleTalk-Zone
2988 This Attribute indicates the AppleTalk Default Zone to be used for
2989 this user. It is only used in Access-Accept packets. Multiple
2990 instances of this attribute in the same packet are not allowed.
2992 A summary of the Framed-AppleTalk-Zone Attribute format is shown
2993 below. The fields are transmitted from left to right.
2996 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4
2997 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
2998 | Type | Length | String ...
2999 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
3003 39 for Framed-AppleTalk-Zone.
3011 The name of the Default AppleTalk Zone to be used for this user.
3012 A robust implementation SHOULD support the field as
3013 undistinguished octets.
3015 The codification of the range of allowed usage of this field is
3016 outside the scope of this specification.
3026 Rigney, et. al. Standards Track [Page 54]
3028 RFC 2138 RADIUS April 1997
3031 5.40. CHAP-Challenge
3035 This Attribute contains the CHAP Challenge sent by the NAS to a
3036 PPP Challenge-Handshake Authentication Protocol (CHAP) user. It
3037 is only used in Access-Request packets.
3039 If the CHAP challenge value is 16 octets long it MAY be placed in
3040 the Request Authenticator field instead of using this attribute.
3042 A summary of the CHAP-Challenge Attribute format is shown below. The
3043 fields are transmitted from left to right.
3046 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
3047 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
3048 | Type | Length | String...
3049 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
3053 60 for CHAP-Challenge.
3061 The String field contains the CHAP Challenge.
3067 This Attribute indicates the type of the physical port of the NAS
3068 which is authenticating the user. It can be used instead of or in
3069 addition to the NAS-Port (5) attribute. It is only used in
3070 Access-Request packets. Either NAS-Port (5) or NAS-Port-Type or
3071 both SHOULD be present in an Access-Request packet, if the NAS
3072 differentiates among its ports.
3082 Rigney, et. al. Standards Track [Page 55]
3084 RFC 2138 RADIUS April 1997
3087 A summary of the NAS-Port-Type Attribute format is shown below. The
3088 fields are transmitted from left to right.
3091 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
3092 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3093 | Type | Length | Value
3094 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3096 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3100 61 for NAS-Port-Type.
3108 The Value field is four octets. "Virtual" refers to a connection
3109 to the NAS via some transport protocol, instead of through a
3110 physical port. For example, if a user telnetted into a NAS to
3111 authenticate himself as an Outbound-User, the Access-Request might
3112 include NAS-Port-Type = Virtual as a hint to the RADIUS server
3113 that the user was not on a physical port.
3126 This Attribute sets the maximum number of ports to be provided to
3127 the user by the NAS. This Attribute MAY be sent by the server to
3128 the client in an Access-Accept packet. It is intended for use in
3129 conjunction with Multilink PPP [7] or similar uses. It MAY also
3130 be sent by the NAS to the server as a hint that that many ports
3131 are desired for use, but the server is not required to honor the
3138 Rigney, et. al. Standards Track [Page 56]
3140 RFC 2138 RADIUS April 1997
3143 A summary of the Port-Limit Attribute format is shown below. The
3144 fields are transmitted from left to right.
3147 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
3148 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3149 | Type | Length | Value
3150 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3152 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3164 The field is 4 octets, containing a 32-bit unsigned integer with
3165 the maximum number of ports this user should be allowed to connect
3168 5.43. Login-LAT-Port
3172 This Attribute indicates the Port with which the user is to be
3173 connected by LAT. It MAY be used in Access-Accept packets, but
3174 only when LAT is specified as the Login-Service. It MAY be used
3175 in an Access-Request packet as a hint to the server, but the
3176 server is not required to honor the hint.
3178 A summary of the Login-LAT-Port Attribute format is shown below. The
3179 fields are transmitted from left to right.
3182 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
3183 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
3184 | Type | Length | String ...
3185 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
3189 63 for Login-LAT-Port.
3194 Rigney, et. al. Standards Track [Page 57]
3196 RFC 2138 RADIUS April 1997
3205 The String field is one or more octets, and contains the identity
3206 of the LAT port to use. The LAT Architecture allows this string
3207 to contain $ (dollar), - (hyphen), . (period), _ (underscore),
3208 numerics, upper and lower case alphabetics, and the ISO Latin-1
3209 character set extension. All LAT string comparisons are case
3212 5.44. Table of Attributes
3214 The following table provides a guide to which attributes may be found
3215 in which kinds of packets, and in what quantity.
3217 Request Accept Reject Challenge # Attribute
3219 0-1 0 0 0 2 User-Password [Note 1]
3220 0-1 0 0 0 3 CHAP-Password [Note 1]
3221 0-1 0 0 0 4 NAS-IP-Address
3222 0-1 0 0 0 5 NAS-Port
3223 0-1 0-1 0 0 6 Service-Type
3224 0-1 0-1 0 0 7 Framed-Protocol
3225 0-1 0-1 0 0 8 Framed-IP-Address
3226 0-1 0-1 0 0 9 Framed-IP-Netmask
3227 0 0-1 0 0 10 Framed-Routing
3228 0 0+ 0 0 11 Filter-Id
3229 0 0-1 0 0 12 Framed-MTU
3230 0+ 0+ 0 0 13 Framed-Compression
3231 0+ 0+ 0 0 14 Login-IP-Host
3232 0 0-1 0 0 15 Login-Service
3233 0 0-1 0 0 16 Login-TCP-Port
3234 0 0+ 0+ 0+ 18 Reply-Message
3235 0-1 0-1 0 0 19 Callback-Number
3236 0 0-1 0 0 20 Callback-Id
3237 0 0+ 0 0 22 Framed-Route
3238 0 0-1 0 0 23 Framed-IPX-Network
3239 0-1 0-1 0 0-1 24 State
3241 0+ 0+ 0 0+ 26 Vendor-Specific
3242 0 0-1 0 0-1 27 Session-Timeout
3243 0 0-1 0 0-1 28 Idle-Timeout
3244 0 0-1 0 0 29 Termination-Action
3245 0-1 0 0 0 30 Called-Station-Id
3246 0-1 0 0 0 31 Calling-Station-Id
3250 Rigney, et. al. Standards Track [Page 58]
3252 RFC 2138 RADIUS April 1997
3255 0-1 0 0 0 32 NAS-Identifier
3256 0+ 0+ 0+ 0+ 33 Proxy-State
3257 0-1 0-1 0 0 34 Login-LAT-Service
3258 0-1 0-1 0 0 35 Login-LAT-Node
3259 0-1 0-1 0 0 36 Login-LAT-Group
3260 0 0-1 0 0 37 Framed-AppleTalk-Link
3261 0 0+ 0 0 38 Framed-AppleTalk-Network
3262 0 0-1 0 0 39 Framed-AppleTalk-Zone
3263 0-1 0 0 0 60 CHAP-Challenge
3264 0-1 0 0 0 61 NAS-Port-Type
3265 0-1 0-1 0 0 62 Port-Limit
3266 0-1 0-1 0 0 63 Login-LAT-Port
3269 Request Accept Reject Challenge # Attribute
3272 [Note 1] An Access-Request MUST contain either a User-Password or a
3273 CHAP-Password, and MUST NOT contain both.
3275 The following table defines the meaning of the above table entries.
3277 0 This attribute MUST NOT be present in packet.
3278 0+ Zero or more instances of this attribute MAY be present in packet.
3279 0-1 Zero or one instance of this attribute MAY be present in packet.
3280 1 Exactly one instance of this attribute MUST be present in packet.
3284 A few examples are presented to illustrate the flow of packets and
3285 use of typical attributes. These examples are not intended to be
3286 exhaustive, many others are possible.
3306 Rigney, et. al. Standards Track [Page 59]
3308 RFC 2138 RADIUS April 1997
3311 6.1. User Telnet to Specified Host
3313 The NAS at 192.168.1.16 sends an Access-Request UDP packet to the
3314 RADIUS Server for a user named nemo logging in on port 3.
3316 Code = 1 (Access-Request)
3319 Request Authenticator = {16 octet random number}
3322 User-Password = {16 octets of Password padded at end with nulls,
3323 XORed with MD5(shared secret|Request Authenticator)}
3324 NAS-IP-Address = 192.168.1.16
3327 The RADIUS server authenticates nemo, and sends an Access-Accept UDP
3328 packet to the NAS telling it to telnet nemo to host 192.168.1.3.
3330 Code = 2 (Access-Accept)
3331 ID = 0 (same as in Access-Request)
3333 Response Authenticator = {16-octet MD-5 checksum of the code (2),
3334 id (0), Length (38), the Request Authenticator from
3335 above, the attributes in this reply, and the shared
3338 Service-Type = Login-User
3339 Login-Service = Telnet
3340 Login-Host = 192.168.1.3
3342 6.2. Framed User Authenticating with CHAP
3344 The NAS at 192.168.1.16 sends an Access-Request UDP packet to the
3345 RADIUS Server for a user named flopsy logging in on port 20 with PPP,
3346 authenticating using CHAP. The NAS sends along the Service-Type and
3347 Framed-Protocol attributes as a hint to the RADIUS server that this
3348 user is looking for PPP, although the NAS is not required to do so.
3362 Rigney, et. al. Standards Track [Page 60]
3364 RFC 2138 RADIUS April 1997
3367 Code = 1 (Access-Request)
3370 Request Authenticator = {16 octet random number also used as
3373 User-Name = "flopsy"
3374 CHAP-Password = {1 octet CHAP ID followed by 16 octet
3376 NAS-IP-Address = 192.168.1.16
3378 Service-Type = Framed-User
3379 Framed-Protocol = PPP
3381 The RADIUS server authenticates flopsy, and sends an Access-Accept
3382 UDP packet to the NAS telling it to start PPP service and assign an
3383 address for the user out of its dynamic address pool.
3385 Code = 2 (Access-Accept)
3386 ID = 1 (same as in Access-Request)
3388 Response Authenticator = {16-octet MD-5 checksum of the code (2),
3389 id (1), Length (56), the Request Authenticator from
3390 above, the attributes in this reply, and the shared
3393 Service-Type = Framed-User
3394 Framed-Protocol = PPP
3395 Framed-IP-Address = 255.255.255.254
3396 Framed-Routing = None
3397 Framed-Compression = 1 (VJ TCP/IP Header Compression)
3400 6.3. User with Challenge-Response card
3402 The NAS at 192.168.1.16 sends an Access-Request UDP packet to the
3403 RADIUS Server for a user named mopsy logging in on port 7.
3405 Code = 1 (Access-Request)
3408 Request Authenticator = {16 octet random number}
3411 User-Password = {16 octets of Password padded at end with nulls,
3412 XORed with MD5(shared secret|Request Authenticator)}
3413 NAS-IP-Address = 192.168.1.16
3418 Rigney, et. al. Standards Track [Page 61]
3420 RFC 2138 RADIUS April 1997
3423 The RADIUS server decides to challenge mopsy, sending back a
3424 challenge string and looking for a response. The RADIUS server
3425 therefore and sends an Access-Challenge UDP packet to the NAS.
3427 Code = 11 (Access-Challenge}
3428 ID = 2 (same as in Access-Request)
3430 Response Authenticator = {16-octet MD-5 checksum of the code (11),
3431 id (2), length (78), the Request Authenticator from
3432 above, the attributes in this reply, and the shared
3435 Reply-Message = "Challenge 32769430. Enter response at prompt."
3436 State = {Magic Cookie to be returned along with user's response;
3437 in this example 8 octets of data}
3439 The user enters his response, and the NAS send a new Access-Request
3440 with that response, and includes the State Attribute.
3442 Code = 1 (Access-Request)
3443 ID = 3 (Note that this changes)
3445 Request Authenticator = {NEW 16 octet random number}
3448 User-Password = {16 octets of Response padded at end with
3449 nulls, XORed with MD5 checksum of shared secret
3450 plus above Request Authenticator}
3451 NAS-IP-Address = 192.168.1.16
3453 State = {Magic Cookie from Access-Challenge packet, unchanged}
3455 The Response was incorrect, so the RADIUS server tells the NAS to
3456 reject the login attempt.
3458 Code = 3 (Access-Reject)
3459 ID = 3 (same as in Access-Request)
3461 Response Authenticator = {16-octet MD-5 checksum of the code (3),
3462 id (3), length(20), the Request Authenticator from
3463 above, the attributes in this reply if any, and the
3466 (none, although a Reply-Message could be sent)
3474 Rigney, et. al. Standards Track [Page 62]
3476 RFC 2138 RADIUS April 1997
3479 Security Considerations
3481 Security issues are the primary topic of this document.
3483 In practice, within or associated with each RADIUS server, there is a
3484 database which associates "user" names with authentication
3485 information ("secrets"). It is not anticipated that a particular
3486 named user would be authenticated by multiple methods. This would
3487 make the user vulnerable to attacks which negotiate the least secure
3488 method from among a set. Instead, for each named user there should
3489 be an indication of exactly one method used to authenticate that user
3490 name. If a user needs to make use of different authentication
3491 methods under different circumstances, then distinct user names
3492 SHOULD be employed, each of which identifies exactly one
3493 authentication method.
3495 Passwords and other secrets should be stored at the respective ends
3496 such that access to them is as limited as possible. Ideally, the
3497 secrets should only be accessible to the process requiring access in
3498 order to perform the authentication.
3500 The secrets should be distributed with a mechanism that limits the
3501 number of entities that handle (and thus gain knowledge of) the
3502 secret. Ideally, no unauthorized person should ever gain knowledge
3503 of the secrets. It is possible to achieve this with SNMP Security
3504 Protocols [8], but such a mechanism is outside the scope of this
3507 Other distribution methods are currently undergoing research and
3508 experimentation. The SNMP Security document [8] also has an
3509 excellent overview of threats to network protocols.
3530 Rigney, et. al. Standards Track [Page 63]
3532 RFC 2138 RADIUS April 1997
3537 [1] Rivest, R., and S. Dusse, "The MD5 Message-Digest Algorithm",
3538 RFC 1321, MIT Laboratory for Computer Science, RSA Data
3539 Security Inc., April 1992.
3541 [2] Postel, J., "User Datagram Protocol", STD 6, RFC 768,
3542 USC/Information Sciences Institute, August 1980.
3544 [3] Reynolds, J., and J. Postel, "Assigned Numbers", STD 2, RFC
3545 1700, USC/Information Sciences Institute, October 1994.
3547 [4] Kaufman, C., Perlman, R., and Speciner, M., "Network Security:
3548 Private Communications in a Public World", Prentice Hall, March
3549 1995, ISBN 0-13-061466-1.
3551 [5] Jacobson, V., "Compressing TCP/IP headers for low-speed serial
3552 links", RFC 1144, Lawrence Berkeley Laboratory, February 1990.
3554 [6] ISO 8859. International Standard -- Information Processing --
3555 8-bit Single-Byte Coded Graphic Character Sets -- Part 1: Latin
3556 Alphabet No. 1, ISO 8859-1:1987.
3557 <URL:http://www.iso.ch/cate/d16338.html>
3559 [7] Sklower, K., Lloyd, B., McGregor, G., and Carr, D., "The PPP
3560 Multilink Protocol (MP)", RFC 1717, University of California
3561 Berkeley, Lloyd Internetworking, Newbridge Networks
3562 Corporation, November 1994.
3564 [8] Galvin, J., McCloghrie, K., and Davin, J., "SNMP Security
3565 Protocols", RFC 1352, Trusted Information Systems, Inc., Hughes
3566 LAN Systems, Inc., MIT Laboratory for Computer Science, July
3569 [9] Rigney, C., "RADIUS Accounting", RFC 2139, April 1997.
3573 RADIUS was originally developed by Livingston Enterprises for their
3574 PortMaster series of Network Access Servers.
3586 Rigney, et. al. Standards Track [Page 64]
3588 RFC 2138 RADIUS April 1997
3593 The working group can be contacted via the current chair:
3596 Livingston Enterprises
3598 Pleasanton, California 94588
3600 Phone: +1 510 426 0770
3601 EMail: cdr@livingston.com
3605 Questions about this memo can also be directed to:
3608 Livingston Enterprises
3610 Pleasanton, California 94588
3612 Phone: +1 510 426 0770
3613 EMail: cdr@livingston.com
3618 Ann Arbor, Michigan 48105-2785
3620 EMail: acr@merit.edu
3622 William Allen Simpson
3624 Computer Systems Consulting Services
3626 Madison Heights, Michigan 48071
3628 EMail: wsimpson@greendragon.com
3631 Livingston Enterprises
3633 Pleasanton, California 94588
3635 EMail: steve@livingston.com
3642 Rigney, et. al. Standards Track [Page 65]