LAN Edge Device RADIUS                                      October 2003

RADIUSEXT Working Group                                 C. Black, Editor
Internet Draft                               Hewlett-Packard Corporation
Category: Informational                                       P. Congdon
                                             Hewlett-Packard Corporation

            LAN Edge Device Vendor-specific RADIUS Attributes

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Abstract

   This document describes the set of LAN Edge Device vendor-specific
   RADIUS attributes.  This specification defines attributes which are
   specific to IEEE 802 devices, as well as attributes which are
   specific to capabilities typically implemented in IEEE 802 devices
   but for which there is no current IEEE 802 specification defining
   those capabilities.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

1. Specification of Requirements

   In this document, the key words "MAY", "MUST", "MUST NOT",
   "optional", "recommended", "SHOULD", and "SHOULD NOT" are to be
   interpreted as described in RFC 2119.

2. Attributes

2.1 Introduction

   This document describes vendor-specific RADIUS attributes which
   enable the authentication-triggered automatic authorization of users
   connected to edge networking devices in a LAN environment.  Many of
   these attributes relate directly to IEEE 802 parameters which may be
   configured on these devices; some of these attributes go beyond what
   is defined in the IEEE 802 standards, and deal with aspects such as
   layer three access control lists and quality of service.

   This specification is targeted towards the configuration of LAN Edge
   Devices - that is, devices which attach end nodes such as hosts and
   peripherals to the network.  It is not intended to address the
   configuration of internal or core devices in a network; however, it
   is conceivable that many of the attributes defined here could be
   applied to devices in this part of the network.

C. Black                 Expires - October 2004                 [Page 1]
   As a LAN Edge Device, the assumption is thus that the authenticating
   user is associated with the port identified in the NAS-Port RADIUS
   attribute.  As such, actions directed at the control of access by the
   user are achieved through controlling the port on which the user is
   connected.  Users typically authenticate to the LAN Edge Device using
   the IEEE 802.1X [1] Port Access Control scheme; however, other edge
   authentication procedures are also possible.

2.2 Overview of LAN Edge Device Attributes

   The following attributes are defined to enable the delivery of LAN
   Edge Device configuration information to network devices.  Each of
   these attributes is described in further detail in the sections
   following.

   Editor's Note: These attributes will ultimately be defined according
   to the textual format used in RFC 2865.  They are currently defined
   in abbreviated format until a relatively stable set of attributes is
   agreed upon.

   Input Attributes:

   These attributes are typically included with a RADIUS authorization
   request, and are used to determine the values of the IEEE 802 VSAs
   which will be returned in the authorization response.

      Location-ID   : String
      Location-Name : String
      Time          : TimeTicks

   Output Attributes:

   Some or all of these attributes are typically included with a RADIUS
   authorization reply, and may be used by the LAN Edge Device RADIUS
   client to configure itself appropriately for the user, device, or
   application which is being authenticated.

   VLAN attributes:

      PVID                  : Integer
      Egress-VID            : VID  : Integer
                              Type : Integer { tagged(1), untagged(2) }
      Ingress-Filter-Enable : Boolean

   Class of Service Attributes:
      User-Priority-Regeneration-Table : Octet String

   Access Control Attributes:

      IP-Filter-Name : String
      IP-Filter-Raw  : String

   Bandwidth Attributes:

      Bandwidth-Min-Ingress : Integer
      Bandwidth-Max-Ingress : Integer
      Bandwidth-Min-Egress  : Integer
      Bandwidth-Max-Egress  : Integer

2.3 Attribute Details

   The IEEE 802 vendor-specific attributes use a VSA format that differs
   from the recommendation in RFC 2865 in order to accommodate a larger
   vendor attribute space.  The Vendor type field is 16 bits instead of
   the recommended 8 bits described in RFC 2865; the Type (26), Length
   and Vendor-Id fields are carried as in the RFC 2865 Vendor-Specific
   attribute.  The IEEE VSA attributes use the following format:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      26       |    Length     |            Vendor-Id
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        Vendor-Id (cont)           |          Vendor type          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Vendor-Length |  Attribute-Specific...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

2.3.1 Location-ID

   This attribute represents the identifier for the location from which
   the request originated.  It is assumed that this location identifier
   has been configured separately.

   Format : String

   This value is a string which should be of the form (country code,
   calling code, area code and network name):

      isocc=<isocc>,cc=<cc>,ac=<ac>,network=<network>

   Example:

      isocc=us,cc=1,ac=916,network=HP_Roseville_R3L_S5300_J6

2.3.2 Location-Name

   This attribute represents the name of the location from which the
   request originated.  It is assumed that this location name has been
   configured separately; if not, the default value for this name is
   the sysName value from the MIB.

   Format : String

2.3.3 Time

   This attribute represents the time that the request was made, in
   UTC.

   Format : TimeTicks

2.3.4 PVID

   This attribute represents the IEEE 802 Port VLAN ID for the port
   being configured for the user.
   Untagged packets received on this port will be placed onto the VLAN
   specified by this attribute.  The attribute replaces the use of
   Tunnel-Type=VLAN (13), Tunnel-Medium-Type=802, and
   Tunnel-Private-Group-ID=VLANID as described in RFC 3580 [2].

   Format : Integer

2.3.5 Egress-VID

   This attribute represents an allowed IEEE 802 Egress VID for this
   port.  The Egress-VID contains two parts: the first part is the VID,
   the second part indicates if this VID is allowed for tagged or
   untagged packets.  Multiple Egress-VID attributes can be delivered in
   an authentication response; each attribute adds the specified VLAN
   to the list of allowed egress VLANs for the port.

   Format : VID  : Integer
            Type : Integer { tagged(1), untagged(2) }

2.3.6 User-Priority-Regeneration-Table

   This attribute represents the IEEE 802 prioritization that will be
   applied to packets arriving at this port.  There are eight possible
   user priorities (0 through 7), according to the IEEE 802 standard.

   This table maps the incoming priority (if one exists - the default
   is 0) into one of the eight regenerated priorities.  The format of
   this attribute is an eight byte octet string, where the first octet
   maps to incoming priority 0, the second octet to incoming priority 1,
   etc.  The value in each octet is the regenerated priority of the
   packet, and must itself lie in the range 0 through 7.  It is thus
   possible either to remap incoming priorities to more appropriate
   values; or to honor the incoming priorities (the identity mapping
   0,1,2,3,4,5,6,7); or to override any incoming priorities, forcing
   them all to map to a single chosen priority.

   The IEEE 802.1D specification, Annex G, provides a useful description
   of traffic type - traffic class mappings.

   For mapping of this priority to quality of service at the IP layer,
   it is assumed that the LAN Edge Device has been provided a table with
   device-wide mappings of this user priority to the appropriate
   DiffServ code points.  This table and its configuration are outside
   the scope of this document.
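   The Python program below is an added example, not part of this draft
   and not HP's code.  It encodes and decodes Attribute 26 in the layout
   of section 2.3 with the 16-bit Vendor type, builds the PVID,
   Egress-VID and User-Priority-Regeneration-Table values of 2.3.4
   through 2.3.6, and checks a decoded Access-Accept against the
   occurrence limits in the Table of Attributes (section 3).  Things the
   draft does not state and the example assumes: the Vendor-Id (a
   placeholder), that Vendor-Length counts the Vendor type, Vendor-Length
   and value octets as in RFC 2865, that the "#" column of section 3 is
   the Vendor type number, and that the two parts of Egress-VID travel as
   two 4-octet integers.  The sample attribute list is constructed.

```python
import struct

RADIUS_VSA = 26
VENDOR_ID = 99999999   # placeholder: the draft assigns no Vendor-Id, so this value is assumed

# Vendor type numbers taken from the "#" column of the draft's Table of Attributes (assumption)
LOCATION_ID, LOCATION_NAME, TIME = 1, 2, 3
PVID, EGRESS_VID, INGRESS_FILTER_ENABLE, USER_PRIORITY_REGEN = 11, 12, 13, 14
IP_FILTER_NAME, IP_FILTER_RAW = 15, 16
BW_MIN_IN, BW_MAX_IN, BW_MIN_OUT, BW_MAX_OUT = 17, 18, 19, 20
TAGGED, UNTAGGED = 1, 2

REQUEST_ONLY = {LOCATION_ID, LOCATION_NAME, TIME}   # "0" in the table's Auth-Reply column
ACCEPT_MAX = {PVID: 1, EGRESS_VID: None, INGRESS_FILTER_ENABLE: 1, USER_PRIORITY_REGEN: 1,
              IP_FILTER_NAME: 1, IP_FILTER_RAW: 1, BW_MIN_IN: 1, BW_MAX_IN: 1,
              BW_MIN_OUT: 1, BW_MAX_OUT: 1}          # None means "0+" (unbounded)


def encode_vsa(vendor_type, value):
    """Attribute 26 in the draft's layout: Vendor-Id(4) | Vendor type(2) | Vendor-Length(1) | value.
    Vendor-Length is assumed to cover the type, length and value octets, as in RFC 2865."""
    vendor_len = 3 + len(value)
    total = 6 + vendor_len                  # Type, Length and Vendor-Id add six octets
    if total > 255:
        raise ValueError("value too long for one attribute")
    return struct.pack("!BBIHB", RADIUS_VSA, total, VENDOR_ID, vendor_type, vendor_len) + value


def encode_integer(vendor_type, n):
    return encode_vsa(vendor_type, struct.pack("!I", n))


def encode_egress_vid(vid, vid_type):
    # VID and Type carried as two 4-octet integers (assumed encoding of the two-part format)
    if not 1 <= vid <= 4094 or vid_type not in (TAGGED, UNTAGGED):
        raise ValueError("bad Egress-VID")
    return encode_vsa(EGRESS_VID, struct.pack("!II", vid, vid_type))


def encode_regen_table(table):
    # Eight octets: octet i holds the regenerated priority for incoming priority i
    if len(table) != 8 or any(not 0 <= p <= 7 for p in table):
        raise ValueError("regeneration table needs 8 priorities in 0..7")
    return encode_vsa(USER_PRIORITY_REGEN, bytes(table))


def decode_vsas(payload):
    """Walk a RADIUS attribute list and return [(vendor_type, value)] for VENDOR_ID.
    Every length is checked before use, so a malformed packet cannot cause an over-read."""
    out, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad attribute Length")
        body = payload[pos + 2:pos + alen]
        pos += alen
        if atype != RADIUS_VSA:
            continue
        if len(body) < 7:
            raise ValueError("VSA shorter than Vendor-Id + Vendor type + Vendor-Length")
        vendor_id, vendor_type, vendor_len = struct.unpack("!IHB", body[:7])
        if vendor_id != VENDOR_ID:
            continue                         # another vendor's attribute: ignore it
        if vendor_len != len(body) - 4:
            raise ValueError("Vendor-Length disagrees with attribute Length")
        out.append((vendor_type, body[7:]))
    return out


def port_config_from_accept(payload):
    """Decode an Access-Accept attribute list into port settings, enforcing the occurrence
    limits of the draft's Table of Attributes; unknown vendor types are ignored."""
    vsas = decode_vsas(payload)
    counts = {}
    for vendor_type, _ in vsas:
        if vendor_type in REQUEST_ONLY:
            raise ValueError("vendor type %d MUST NOT appear in an Auth-Reply" % vendor_type)
        counts[vendor_type] = counts.get(vendor_type, 0) + 1
        limit = ACCEPT_MAX.get(vendor_type)
        if limit is not None and counts[vendor_type] > limit:
            raise ValueError("vendor type %d appears more than %d time(s)" % (vendor_type, limit))
    cfg = {"egress": []}
    for vendor_type, value in vsas:
        if vendor_type == PVID:
            cfg["pvid"] = struct.unpack("!I", value)[0]
        elif vendor_type == EGRESS_VID:
            vid, vid_type = struct.unpack("!II", value)
            cfg["egress"].append((vid, "tagged" if vid_type == TAGGED else "untagged"))
        elif vendor_type == USER_PRIORITY_REGEN:
            cfg["regen"] = list(value)
        elif vendor_type == BW_MAX_IN:
            cfg["max_ingress_kbps"] = struct.unpack("!I", value)[0]
    return cfg


def accept_is_valid(payload):
    try:
        port_config_from_accept(payload)
        return True
    except (ValueError, struct.error):
        return False


# Constructed Access-Accept attribute list for the demo (not a captured packet)
SAMPLE_ACCEPT = (encode_integer(PVID, 100)
                 + encode_egress_vid(100, UNTAGGED)
                 + encode_egress_vid(200, TAGGED)
                 + encode_regen_table([0] * 8)           # override: every incoming priority -> 0
                 + encode_integer(BW_MAX_IN, 10000))

if __name__ == "__main__":
    print(port_config_from_accept(SAMPLE_ACCEPT))
```

   The decoder refuses any attribute whose Length or Vendor-Length does
   not fit the enclosing buffer before it reads the value, and it
   rejects a reply that carries request-only attributes or more
   instances of an attribute than the table allows; a RADIUS client on
   the edge device should make both checks before it touches port
   configuration.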
2.3.7 IP-Filter-Name

   Editor's Note: This attribute, and the one following, deal with
   capabilities which are outside the domain of IEEE 802; however,
   since they are typically implemented in IEEE 802 devices, they are
   included here.

   The IP-Filter-Name attribute instructs the LAN Edge Device to enforce
   the access control list of the given name, applying it to packets
   from this user.  The assumption is that the named ACL has already
   been defined at the device by some other mechanism.  If this
   IP-Filter-Name is unknown at the device, then this attribute will
   effectively be ignored by the device, and the user's traffic will not
   be filtered by it.

   Note that IP-Filter-Names at this level are user-related; they
   pertain to specific accesses from this user to resources in the rest
   of the network, be they hosts or subnets.  Global ACLs, which refer
   to group access rights such as subnet-to-subnet, are assumed to be
   applied elsewhere by a general policy configuration utility.

   Format : String

2.3.8 IP-Filter-Raw

   The IP-Filter-Raw attribute delivers to the LAN Edge Device an actual
   raw access control list, which is to be applied to packets
   originating from this user.  The format of this list should follow
   the conventions specified in RFC 3588 (Diameter), section 4.3, in
   which the IPFilterRule format is defined.

   Note that ACLs at this level are user-related; they pertain to
   specific accesses from this user to resources in the rest of the
   network, be they hosts or subnets.  Global ACLs, which refer to group
   access rights such as subnet-to-subnet, are assumed to be applied
   elsewhere by a general policy configuration utility.

   Format : String

2.3.9 Bandwidth-Min-Ingress

   This attribute indicates the desired minimum bandwidth allocated to
   this user for traffic received at the port and transmitted by the
   user.  This value is a target, rather than a guarantee.
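   As an added example for the IP-Filter-Raw attribute of 2.3.8 (not
   part of this draft and not HP's code), the Python below parses the
   IPFilterRule syntax of RFC 3588 section 4.3 and evaluates a packet
   against the resulting list.  It covers the core grammar (action,
   direction, protocol, negated addresses with optional masks, port
   lists and ranges, the flag options and the one-argument options); it
   assumes one rule per line inside the attribute value, and that
   "assigned" names the address assigned to the authenticating user,
   which the caller supplies.  In RFC 3588 the direction "in" means
   traffic from the user's terminal toward the network, which is the
   traffic 2.3.8 says the list applies to.  The sample ACL and packets
   are constructed.

```python
import ipaddress
import re

ACTIONS, DIRECTIONS = {"permit", "deny"}, {"in", "out"}
FLAG_OPTIONS = {"frag", "established", "setup"}                       # take no argument
ARG_OPTIONS = {"ipoptions", "tcpoptions", "tcpflags", "icmptypes"}    # take one argument
PORT_RE = re.compile(r"^\d{1,5}(-\d{1,5})?$")


def parse_ports(spec):
    """'80', '1024-65535' or a comma-separated list of those -> [(low, high), ...]."""
    ranges = []
    for item in spec.split(","):
        if not PORT_RE.match(item):
            raise ValueError("bad port spec %r" % item)
        lo, _, hi = item.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not lo <= hi <= 65535:
            raise ValueError("port range out of order or too large: %r" % item)
        ranges.append((lo, hi))
    return ranges


def parse_endpoint(tokens):
    """Consume '[!]address[/bits] [ports]' from tokens; returns (negated, network, ports)."""
    if not tokens:
        raise ValueError("missing address")
    addr = tokens.pop(0)
    negated = addr.startswith("!")
    if negated:
        addr = addr[1:]
    net = addr if addr in ("any", "assigned") else ipaddress.ip_network(addr, strict=False)
    ports = []
    if tokens and tokens[0][:1].isdigit():        # a port spec follows the address
        ports = parse_ports(tokens.pop(0))
    return negated, net, ports


def parse_rule(rule):
    """One IPFilterRule: action dir proto from src [ports] to dst [ports] [options]."""
    tokens = rule.split()
    if len(tokens) < 7:
        raise ValueError("rule too short: %r" % rule)
    action, direction, proto, kw_from = tokens[:4]
    if action not in ACTIONS or direction not in DIRECTIONS or kw_from != "from":
        raise ValueError("bad action, direction or 'from' in %r" % rule)
    if proto != "ip":
        if not proto.isdigit() or int(proto) > 255:
            raise ValueError("bad protocol %r" % proto)
        proto = int(proto)
    rest = tokens[4:]
    src = parse_endpoint(rest)
    if not rest or rest.pop(0) != "to":
        raise ValueError("expected 'to' in %r" % rule)
    dst = parse_endpoint(rest)
    options = {}
    while rest:                                   # anything left must be a known option
        opt = rest.pop(0)
        if opt in FLAG_OPTIONS:
            options[opt] = True
        elif opt in ARG_OPTIONS and rest:
            options[opt] = rest.pop(0)
        else:
            raise ValueError("unknown or incomplete option %r" % opt)
    return {"action": action, "dir": direction, "proto": proto,
            "src": src, "dst": dst, "options": options}


def load_ip_filter_raw(text):
    """Parse an IP-Filter-Raw value holding one rule per line (separator is an assumption).
    Any unparsable rule rejects the whole attribute: never apply a partial ACL."""
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


def ip_filter_raw_is_valid(text):
    try:
        load_ip_filter_raw(text)
        return True
    except ValueError:
        return False


def endpoint_matches(ep, ip, port, assigned_ip):
    negated, net, ports = ep
    hit = True if net == "any" else (ip == assigned_ip if net == "assigned" else ip in net)
    if negated:
        hit = not hit
    return hit and (not ports or any(lo <= port <= hi for lo, hi in ports))


def evaluate(rules, direction, proto, src_ip, src_port, dst_ip, dst_port, assigned_ip):
    """First matching rule for the packet's direction wins.  RFC 3588 4.3: if no rule matches,
    the packet is dropped if the last rule evaluated was a permit and passed if it was a deny."""
    src_ip, dst_ip, assigned_ip = (ipaddress.ip_address(a) for a in (src_ip, dst_ip, assigned_ip))
    last = None
    for r in rules:
        if r["dir"] != direction:
            continue
        last = r["action"]
        if r["proto"] not in ("ip", proto):
            continue
        if (endpoint_matches(r["src"], src_ip, src_port, assigned_ip)
                and endpoint_matches(r["dst"], dst_ip, dst_port, assigned_ip)):
            return r["action"]
    return "permit" if last == "deny" else "deny"


# Constructed ACL for a user assigned 10.5.5.5: web and DNS into 10.1/16, nothing else
# inside 10/8, anything beyond it
SAMPLE_ACL = "\n".join([
    "permit in 6 from assigned to 10.1.0.0/16 80,443",
    "permit in 17 from assigned to 10.1.0.53 53",
    "deny in ip from assigned to 10.0.0.0/8",
    "permit in ip from assigned to any",
])
```

   Because the filter text arrives from the RADIUS server over the
   network, the device should run it through a strict parser of this
   kind rather than splice it into a CLI command, and should reject the
   whole attribute when any rule fails to parse, leaving the user
   unauthorized or applying no ACL at all as local policy dictates.
   Note also the RFC 3588 fall-through rule implemented in evaluate():
   with no matching rule, the outcome depends on the last rule
   evaluated, so an ACL that ends in a deny passes unmatched traffic.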
   In other words, if an IEEE 802 device is oversubscribed, it will
   reduce bandwidth to users down to their targeted minimum bandwidths.
   Once bandwidth for all users on a device reaches their respective
   minimum, the device will fairly reduce bandwidth incrementally to all
   users.  In this manner, users with special performance requirements
   can have higher minimum bandwidth targets, and thus will be impacted
   less by an oversubscribed device.

   Format : Integer
   Units  : Kbps

2.3.10 Bandwidth-Max-Ingress

   This attribute indicates the enforced maximum bandwidth to be
   allocated to this user for traffic received at the port and
   transmitted by the user.  The user is never allocated more bandwidth
   than the maximum allotment specified by this value, even if there is
   available bandwidth on the IEEE 802 device.  Since maximum bandwidth
   values can be enforced and do not depend on external influences such
   as traffic loads, this value can be thought of as a 'bandwidth limit'
   for the user.

   Format : Integer
   Units  : Kbps

2.3.11 Bandwidth-Min-Egress

   This attribute indicates the desired minimum bandwidth allocated to
   this user for traffic sent to this user by the IEEE 802 network
   device (e.g. Bridge, Access Point).  This value is a target, rather
   than a guarantee.  In other words, if an IEEE 802 device is
   oversubscribed, it will reduce bandwidth to users down to their
   targeted minimum bandwidths.  Once bandwidth for all users on a
   device reaches their respective minimum, the device will fairly
   reduce bandwidth incrementally to all users.  In this manner, users
   with special performance requirements can have higher minimum
   bandwidth targets, and thus will be impacted less by an
   oversubscribed device.

   Format : Integer
   Units  : Kbps

2.3.12 Bandwidth-Max-Egress

   This attribute indicates the enforced maximum bandwidth to be
   allocated to this user for traffic sent by the IEEE 802 device to the
   user.
   The user is guaranteed to never receive more bandwidth than the
   maximum allotment specified by this value, even if there is available
   bandwidth on the IEEE 802 device.  Since maximum bandwidth values can
   be enforced and do not depend on external influences such as traffic
   loads, this value can be thought of as a 'bandwidth limit' for the
   user.

   Format : Integer
   Units  : Kbps

3. Table of Attributes

   The following table provides a guide to which of the above attributes
   may be found in which kinds of packets, and in what quantity.  The
   "#" column gives the number assigned to the attribute.

   Auth-Req  Auth-Reply  Acct-Req   #   Attribute
   --------  ----------  --------  --   ---------
     0-1         0          0-1     1   Location-ID
     0-1         0          0-1     2   Location-Name
     0-1         0          0-1     3   Time
      0         0-1          0     11   PVID
      0         0+           0     12   Egress-VID
      0         0-1          0     13   Ingress-Filter-Enable
      0         0-1          0     14   User-Priority-Regeneration-Table
      0         0-1          0     15   IP-Filter-Name
      0         0-1          0     16   IP-Filter-Raw
      0         0-1          0     17   Bandwidth-Min-Ingress
      0         0-1          0     18   Bandwidth-Max-Ingress
      0         0-1          0     19   Bandwidth-Min-Egress
      0         0-1          0     20   Bandwidth-Max-Egress

   The following table defines the meaning of the above table entries.

   0    This attribute MUST NOT be present in the packet.
   0+   Zero or more instances of this attribute MAY be present in the
        packet.
   0-1  Zero or one instance of this attribute MAY be present in the
        packet.

4. Acknowledgements

5. Editor's Address

   Questions about this memo can be directed to:

   Chuck Black
   ProCurve Networking Business
   Hewlett-Packard Company
   8000 Foothills Blvd
   Roseville, CA 95747
   Phone: +1 916 785 9713
   Fax:   +1 916 785 1199
   Email: chuck.black@hp.com

   Paul Congdon
   ProCurve Networking Business
   Hewlett-Packard Company
   8000 Foothills Blvd - MS 5662
   Roseville, CA 95747
   Phone: +1 916 785 5753
   Fax:   +1 916 785 8478
   Email: paul.congdon@hp.com

6. References

   [1] IEEE Standards for Local and Metropolitan Area Networks: Port
       based Network Access Control, IEEE Std 802.1X-2001, June 2001.
   [2] Congdon, P., Aboba, B., Smith, A., Zorn, G. and J. Roese, "IEEE
       802.1X Remote Authentication Dial In User Service (RADIUS) Usage
       Guidelines", RFC 3580, September 2003.

   [3] Bradner, S., "Key words for use in RFCs to Indicate Requirement
       Levels", BCP 14, RFC 2119, March 1997.

   [4] Rigney, C., Willens, S., Rubens, A. and W. Simpson, "Remote
       Authentication Dial In User Service (RADIUS)", RFC 2865, June
       2000.

   [5] Calhoun, P., Loughney, J., Guttman, E., Zorn, G. and J. Arkko,
       "Diameter Base Protocol", RFC 3588, September 2003.

7. Full Copyright Statement

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.