authorization
... Phase 2, it is typically not possible to define separate trust or
authorization schemes for each application. This limits the
usefulness of IPsec in inter-domain ...
...
- Transporting of service specific authorization information,
between client and servers, allowing the peers to decide whether a
...
... client generates Diameter messages to request authentication,
authorization, and accounting services for the user. A Diameter
...
... Diameter server performs authentication and/or authorization of the
user. A Diameter node MAY act as an agent ...
... NASREQ documents describe applications that use this base
specification for Authentication, Authorization and Accounting.
...
... AVPs
- Creating new authentication/authorization applications
- Creating new accounting applications
...
... AVP is used within other Diameter
commands (i.e., authentication/authorization commands).
A DIAMETER ...
... protocol-specific data (e.g., routing
information) as well as authentication, authorization or
accounting information.
...
... Diameter Server is one that handles authentication,
authorization and accounting requests for a particular realm. By
its very nature, a Diameter Server ...
... identity is used to identify the user during authentication and/or
authorization, while the realm is used for message routing
purposes.
...
... accounting
applications, but for use in authentication and authorization it is
always extended for a particular application. Two Diameter
applications are defined by companion documents: NASREQ ...
...
The initial request for authentication and/or authorization of a user
would include the Session-Id. The Session-Id ...
... can be locally supported (via the realm), processes the
authentication and/or authorization request, and replies with an
answer, which is routed back to NAS using saved transaction ...
... Diameter Path Authorization ...
...
Prior to bringing up a connection, authorization checks are performed
at each connection along the path. Diameter ...
... business
transaction as specified by the contractual relationship between the
server and the previous hop. A DIAMETER_AUTHORIZATION_REJECTED error
message (see Section 7.1.5) is sent if the route traversed by the
...
... session.
Accounting requests without corresponding authorization responses
SHOULD be subjected to further scrutiny, as should accounting
requests indicating a difference between the requested and provided
...
... that the route traversed by the response is acceptable. At each
step, forwarding of an authorization response is considered evidence
of a willingness to take on financial risk relative to the session.
...
... accept responses which would violate those limits. By issuing an
accounting request corresponding to the authorization response, the
local realm implicitly indicates its agreement to provide the service
indicated in the authorization response. If the service cannot be
provided by the local realm, then a DIAMETER ...
... client
receiving an authorization response for a service that it cannot
perform MUST NOT substitute an alternate service ...
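The path-authorization passages above say that an accounting request without a corresponding authorization response, or one whose provided service differs from the requested one, deserves further scrutiny. The following is an added example of that check run over a constructed message log; it is not code from RFC 3588 or from any Diameter implementation. The Message fields (kind, service) and the Session-Id values are assumptions made for the illustration; only the Result-Code values come from the RFC.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Result-Code values from RFC 3588 Section 7.1; everything else in this module
# is an added illustration, not code from the RFC or any Diameter stack.
DIAMETER_SUCCESS = 2001
DIAMETER_AUTHORIZATION_REJECTED = 5003


@dataclass
class Message:
    """One observed Diameter message, reduced to the fields the audit needs.
    'kind' and 'service' are assumed names, not RFC AVPs."""
    session_id: str
    kind: str                           # "AUTH_ANSWER" or "ACR" (Accounting-Request)
    result_code: Optional[int] = None   # Result-Code, answers only
    service: Optional[str] = None       # application-specific service granted/accounted


@dataclass
class Finding:
    session_id: str
    reason: str


def audit(messages: List[Message]) -> List[Finding]:
    """Flag accounting requests that have no successful authorization answer
    for their Session-Id, and those whose accounted service differs from the
    service the authorization answer granted."""
    granted: Dict[str, Message] = {}
    findings: List[Finding] = []
    for m in messages:
        if m.kind == "AUTH_ANSWER":
            if m.result_code == DIAMETER_SUCCESS:
                granted[m.session_id] = m
            else:
                # A failed answer (e.g. 5003) must not leave an earlier grant behind.
                granted.pop(m.session_id, None)
        elif m.kind == "ACR":
            answer = granted.get(m.session_id)
            if answer is None:
                findings.append(Finding(
                    m.session_id,
                    "accounting request without corresponding authorization response"))
            elif answer.service != m.service:
                findings.append(Finding(
                    m.session_id,
                    f"service mismatch: authorized {answer.service!r}, accounted {m.service!r}"))
    return findings


# Constructed sample traffic (not captured data). Session-Id format follows
# RFC 3588 Section 8.8: <DiameterIdentity>;<high 32 bits>;<low 32 bits>.
SAMPLE = [
    Message("nas.example.net;1;1", "AUTH_ANSWER", DIAMETER_SUCCESS, "ppp"),
    Message("nas.example.net;1;1", "ACR", service="ppp"),
    Message("nas.example.net;1;2", "ACR", service="ppp"),
    Message("nas.example.net;1;3", "AUTH_ANSWER", DIAMETER_SUCCESS, "ppp"),
    Message("nas.example.net;1;3", "ACR", service="l2tp"),
    Message("nas.example.net;1;4", "AUTH_ANSWER", DIAMETER_AUTHORIZATION_REJECTED),
    Message("nas.example.net;1;4", "ACR", service="ppp"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f.session_id, "-", f.reason)
```

Session 1 is clean; session 2 accounts for a service nobody authorized, session 3 accounts for a different service than was granted, and session 4 keeps accounting after a DIAMETER_AUTHORIZATION_REJECTED answer. In a real deployment the correlation key is the Session-Id shared between the authorization and accounting commands of the application (or the Acct-Multi-Session-Id where an application uses different Session-Ids for accounting).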
... Auth-Request-Type        274  8.7  Enumerated  | M | P |   | V | N |
    Authorization-Lifetime   291  8.9  Unsigned32  | M | P |   | V | N | ...
... Diameter Server.
Authorization can be achieved for example, by configuration of a
Diameter Server CA ...
... certificates so as to signify
Diameter Server authorization.
A dynamically discovered peer causes an entry in the Peer Table ...
... is used in order to advertise support of the Authentication and
Authorization portion of an application (see Section 2.4). The
Auth-Application-Id MUST also be present in all Authentication and/or
Authorization messages that are defined in a separate Diameter
specification and have an Application ID assigned.
...
DIAMETER_AUTHORIZATION_REJECTED 5003
A request was received for which the user could not be authorized.
This error could occur if the service ...
... types of services to applications.
The first involves authentication and authorization, and can
optionally make use of accounting. The second only makes use of
...
... When a service makes use of the authentication and/or authorization
portion of an application, and a user requests access to the network,
...
... Session-Id AVP, which is used
in subsequent messages (e.g., subsequent authorization, accounting,
etc) relating to the user's session ...
... network resources for a finite amount of time, and it is willing to
extend the authorization via a future request, it MUST add the
Authorization-Lifetime AVP to the answer message. The
Authorization-Lifetime AVP defines the maximum number of seconds a user
MAY make use of the resources before another authorization request is
expected by the server. The Auth-Grace-Period AVP contains the number
of seconds following the expiration of the Authorization-Lifetime,
after which the server will release all state information related to
the user's
...
... services is expected by the
serving realm from the user's home realm, the Authorization-Lifetime
AVP, combined with the Auth-Grace-Period ...
... responsible for. Services provided past the expiration of the
Authorization-Lifetime and Auth-Grace-Period AVPs are the
...
... services rendered is clearly outside the scope of the protocol.
An access device that does not expect to send a re-authorization or a
session termination request to the server MAY include the Auth-
...
... NO_STATE_MAINTAINED MUST NOT be set in subsequent re-
authorization requests and answers.
The base protocol ...
...
The base protocol does not include any authorization request
messages, since these are largely application-specific and are
...
... Diameter implementations that make use of the authentication
and/or authorization portion of a Diameter application. The term
Service-Specific ...
... State     Event                                          Action        New State
    Pending   Successful Service-specific authorization      Grant Access  Open
              answer received with default
              Auth-Session-State ...
    Pending   Failed Service-specific authorization          Cleanup       Idle
              answer received
    Open      User or client ...
    Open      Failed Service-specific authorization          Discon.       Idle
              answer received.                               user/device
...
... -------------------------------------------------------------
    State     Event                                  Action             New State
    Idle      Service-specific authorization         Send successful    Open
              request received, and                  serv. ...
              user is authorized
    Idle      Service-specific authorization         Send failed serv.  Idle
              request received, and                  specific answer
              user is not authorized
    Open      Service-specific authorization         Send successful    Open
              request received, and user             serv. specific ...
              is authorized
    Open      Service-specific authorization         Send failed serv.  Idle
              request received, and user             specific ...
              is not authorized
...
... State     Event                                          Action        New State
    Pending   Successful Service-specific authorization      Grant Access  Open
              answer received with Auth-Session- ...
    Pending   Failed Service-specific authorization          Cleanup       Idle
              answer received
...
... -------------------------------------------------------------
    State     Event                                  Action        New State
    Idle      Service-specific authorization         Send serv.    Idle
              request received, and                  specific
              successfully processed                 answer
...
Note that the action 'Disconnect user/dev' MUST also have an effect on
the authorization session state table, e.g., cause the STR ... to be
sent, if the given application has both authentication/authorization
and accounting portions.
...
... Diameter server may initiate a re-authentication and/or re-
authorization service for a particular session by issuing a Re-Auth-
...
... When a user session that required Diameter authorization terminates,
the access device that provided the service MUST issue a Session ...
... because the access device is unwilling to provide the type of service
requested in the authorization, or because the access device does not
support a mandatory AVP returned in the authorization, etc.
It is also possible that a session ...
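The passage above names one of the ways a session ends on the access device: the authorization answer carries a mandatory AVP (M bit set) that the device does not support, so it cannot honour the answer and terminates the session (with Termination-Cause DIAMETER_BAD_ANSWER, described further down this page). The following is an added example, not code from RFC 3588 or any Diameter stack, of the AVP wire format and of that check: it encodes the Unsigned32 AVPs that appear on this page, parses them back with length validation, and returns the termination cause when an unsupported M-flagged AVP is present. The AVP codes (Session-Timeout 27, Auth-Request-Type 274, Auth-Grace-Period 276, Authorization-Lifetime 291) and the flag bits are from RFC 3588; code 9999 is a made-up stand-in for an AVP the client does not implement.

```python
import struct
from typing import Dict, List, Optional, Set, Tuple, Union

# AVP header flag bits and AVP codes from RFC 3588. The encoder/decoder and
# the answer check are an added example, not code from the RFC or any stack.
AVP_FLAG_V, AVP_FLAG_M, AVP_FLAG_P = 0x80, 0x40, 0x20
SESSION_TIMEOUT = 27            # Unsigned32
AUTH_REQUEST_TYPE = 274         # Enumerated
AUTH_GRACE_PERIOD = 276         # Unsigned32
AUTHORIZATION_LIFETIME = 291    # Unsigned32
AUTHORIZE_ONLY = 2              # Auth-Request-Type value
DIAMETER_BAD_ANSWER = 3         # Termination-Cause value

Avp = Tuple[int, int, Optional[int], bytes]   # (code, flags, vendor_id, data)


def encode_avp(code: int, data: bytes, mandatory: bool = True,
               vendor_id: Optional[int] = None) -> bytes:
    """Encode one AVP: 32-bit code, 8 flag bits, 24-bit length (header plus
    data, excluding padding), optional Vendor-Id, data padded to 4 bytes."""
    flags = (AVP_FLAG_M if mandatory else 0) | (AVP_FLAG_V if vendor_id is not None else 0)
    vendor = struct.pack("!I", vendor_id) if vendor_id is not None else b""
    length = 8 + len(vendor) + len(data)
    if length >= 1 << 24:
        raise ValueError("AVP too long")
    padding = b"\x00" * (-len(data) % 4)
    return struct.pack("!II", code, (flags << 24) | length) + vendor + data + padding


def encode_u32(code: int, value: int, mandatory: bool = True) -> bytes:
    """Unsigned32 and Enumerated AVPs both carry a 4-byte big-endian integer."""
    return encode_avp(code, struct.pack("!I", value), mandatory)


def decode_avps(buf: bytes) -> List[Avp]:
    """Walk back-to-back AVPs, refusing a length that is shorter than the
    header or runs past the buffer (the classic length-field parser bug)."""
    avps: List[Avp] = []
    off = 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, word = struct.unpack_from("!II", buf, off)
        flags, length = word >> 24, word & 0xFFFFFF
        hdr = 12 if flags & AVP_FLAG_V else 8
        if length < hdr or off + length > len(buf):
            raise ValueError(f"bad AVP length {length} for code {code}")
        vendor_id = struct.unpack_from("!I", buf, off + 8)[0] if hdr == 12 else None
        data = buf[off + hdr:off + length]
        avps.append((code, flags, vendor_id, data))
        off += (length + 3) & ~3          # step over the padding
    return avps


def process_answer(buf: bytes, supported: Set[int]
                   ) -> Tuple[Optional[int], Dict[int, Union[int, bytes]]]:
    """Parse the AVPs of an authorization answer. Returns (termination_cause,
    values): termination_cause is DIAMETER_BAD_ANSWER when an AVP with the M
    bit set is not supported (the access device must then end the session
    with an STR rather than ignore the AVP), otherwise None. Unsupported AVPs
    without the M bit are skipped."""
    values: Dict[int, Union[int, bytes]] = {}
    for code, flags, _vendor, data in decode_avps(buf):
        if code not in supported:
            if flags & AVP_FLAG_M:
                return DIAMETER_BAD_ANSWER, {}
            continue
        values[code] = struct.unpack("!I", data)[0] if len(data) == 4 else data
    return None, values


if __name__ == "__main__":
    supported = {AUTHORIZATION_LIFETIME, AUTH_GRACE_PERIOD, SESSION_TIMEOUT}
    answer = (encode_u32(AUTHORIZATION_LIFETIME, 600)
              + encode_u32(AUTH_GRACE_PERIOD, 30)
              + encode_u32(SESSION_TIMEOUT, 3600))
    print(process_answer(answer, supported))
    # 9999 stands in for an AVP this client does not implement.
    print(process_answer(answer + encode_u32(9999, 1), supported))
```

The check is deliberately done after full parsing of each AVP rather than by scanning for known codes, so that a malformed length in an unknown AVP is rejected instead of desynchronising the parser.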
... proxy. For example, a proxy may
modify an authorization answer, converting the result from success to
failure, prior to forwarding the message to the access device. If
the answer did not contain an Auth-Session-State ...
... Diameter server also MUST clean up resources when the Session-Timeout
expires, or when the Authorization-Lifetime and the Auth-Grace-Period
AVPs expire without receipt of a re-authorization request, regardless
of whether an STR for that session ...
...
AUTHORIZE_ONLY 2
The request being sent is for authorization only, and MUST contain
the application specific authorization AVPs that are necessary to
identify the service ...
... The request contains a request for both authentication and
authorization. The request MUST include both the relevant
application specific authentication information, and authorization
information necessary to identify the service being
requested/offered.
...
... by the client. Note that a
Session-Id MAY be used for both the authorization and accounting
commands of a given application.
...
... Authorization-Lifetime AVP ...
... to the user before the user is to be re-authenticated and/or re-
authorized. Great care should be taken when the Authorization-
Lifetime value is determined, since a low, non-zero ...
... AVP are present in a
message, the value of the latter MUST NOT be smaller than the
Authorization-Lifetime AVP.
...
... An Authorization-Lifetime AVP MAY be present in re-authorization
messages, and contains the number of seconds the user is authorized
to receive service ...
... contains the number of seconds the Diameter server will wait
following the expiration of the Authorization-Lifetime AVP before
cleaning up resources for the session ...
... session termination messages
will be sent by the access device upon expiration of the
Authorization-Lifetime.
...
... application-specific auth answers to inform the client of the action
expected upon expiration of the Authorization-Lifetime. If the answer
message contains an Authorization-Lifetime AVP with a positive value,
the Re-Auth-Request-Type ...
...
AUTHORIZE_ONLY 0
An authorization only re-auth is expected upon expiration of the
Authorization-Lifetime. This is the default value if the AVP is
... AUTHENTICATE 1
An authentication and authorization re-auth is expected upon
expiration of the Authorization-Lifetime.
...
... session. When both the
Session-Timeout and the Authorization-Lifetime AVPs are present in an
answer message ...
... A Session-Timeout AVP MAY be present in a re-authorization answer
message, and contains the remaining number of seconds from the
beginning of the re-auth.
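The Authorization-Lifetime, Auth-Grace-Period, Session-Timeout and Re-Auth-Request-Type rules quoted above fit together into one timeline that an access device has to keep per session. The following is an added example that works those rules through in code; it is not from RFC 3588 or any Diameter implementation. The AuthAnswer field names are assumptions standing in for the AVPs, and the textual event labels are made up for the illustration. Only the Re-Auth-Request-Type values and the ordering constraint between Session-Timeout and Authorization-Lifetime come from the RFC.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Re-Auth-Request-Type values from RFC 3588. The scheduler below is an added
# example; the AuthAnswer field names are assumptions, not AVP names.
AUTHORIZE_ONLY = 0      # default when the AVP is absent
AUTHENTICATE = 1


@dataclass
class AuthAnswer:
    """The lifetime-related AVPs an access device may find in an
    authorization or re-authorization answer. None means 'AVP absent'."""
    authorization_lifetime: Optional[int] = None
    auth_grace_period: int = 0
    session_timeout: Optional[int] = None
    re_auth_request_type: Optional[int] = None


def validate(ans: AuthAnswer) -> None:
    """When both are present, Session-Timeout MUST NOT be smaller than
    Authorization-Lifetime; an answer that violates this is rejected."""
    if (ans.session_timeout is not None and ans.authorization_lifetime is not None
            and ans.session_timeout < ans.authorization_lifetime):
        raise ValueError("Session-Timeout smaller than Authorization-Lifetime")


def server_state_released_at(ans: AuthAnswer, t0: int) -> Optional[int]:
    """Earliest time the server may drop session state if no re-authorization
    request has arrived: lifetime plus grace period after the answer at t0."""
    if ans.authorization_lifetime is None:
        return None
    return t0 + ans.authorization_lifetime + ans.auth_grace_period


def schedule(ans: AuthAnswer, t0: int) -> List[Tuple[int, str]]:
    """Timeline (absolute seconds) the access device derives from an answer
    received at t0. For a re-authorization answer, pass the start of that
    re-auth as t0: a Session-Timeout there counts from the beginning of the
    re-auth, not from the original session start."""
    validate(ans)
    events: List[Tuple[int, str]] = []
    if ans.authorization_lifetime is not None:
        # Absent Re-Auth-Request-Type means AUTHORIZE_ONLY.
        kind = "AUTHENTICATE" if ans.re_auth_request_type == AUTHENTICATE else "AUTHORIZE_ONLY"
        events.append((t0 + ans.authorization_lifetime, "re-auth expected: " + kind))
        events.append((t0 + ans.authorization_lifetime + ans.auth_grace_period,
                       "server releases session state if no re-auth"))
    if ans.session_timeout is not None:
        events.append((t0 + ans.session_timeout, "Session-Timeout: access device sends STR"))
    return sorted(events)


if __name__ == "__main__":
    # Constructed answer: 10 minute lifetime, 30 s grace, 1 hour hard limit.
    ans = AuthAnswer(authorization_lifetime=600, auth_grace_period=30, session_timeout=3600)
    for t, what in schedule(ans, 1000):
        print(t, what)
```

Note what the grace period buys and what it does not: a re-authorization request that arrives after the Authorization-Lifetime but before the grace period ends still finds server state, whereas service rendered after both have passed is, as the page says, the access device's own responsibility.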
...
... SERVICE_NOT_PROVIDED 2
This value is used when the user disconnected prior to the receipt
of the authorization answer message.
...
... DIAMETER_BAD_ANSWER 3
This value indicates that the authorization answer received by the
access device was not processed successfully.
...
... Unsigned32, and MAY
be present in application-specific authorization answer messages. If
present, this AVP ...
... application-specific re-auth messages for this session MUST be sent
to the same authorization server. This AVP MAY also specify that a
Session-Termination-Request ...
... AVP Code 271) is of type Enumerated,
and MAY be present in application-specific authorization answer
messages that either do not include the Session-Binding ...
... SERVICE 2
If re-auth message delivery fails, assume that re-authorization
succeeded. If STR message delivery ...
... AVP present. If
the second delivery fails for re-auth, assume re-authorization
succeeded. If the second delivery fails for STR ...
... Unsigned32,
and SHOULD be present in application-specific authorization answer
messages whose Result-Code AVP ...
... AVPs are present in application-specific authorization answer
messages, they MUST be present in subsequent re-authorization, session
termination and accounting messages. Class AVPs found in a
re-authorization answer message override the ones found in any previous
authorization answer message. Diameter server
...
... The server directed model means that the device generating the
accounting data gets information from either the authorization server
(if contacted) or the accounting server regarding the way accounting ...
... traffic conditions. This may be sufficient for many applications.
The authorization server (chain) directs the selection of proper
transfer strategy, based on its knowledge of the user and
relationships of roaming ...
... Diameter node that receives a successful authentication and/or
authorization messages from the Home AAA server MUST collect
accounting ...
... accounting records are sent depending on the
actual type of accounted service and the authorization server's
directions for interim accounting. If the accounted service ...
... use the values START_RECORD, STOP_RECORD, and possibly,
INTERIM_RECORD. If the authorization server has not directed interim
accounting to be enabled for the session ...
... Accounting-Request is sent, the value MUST be STOP_RECORD.
If the authorization server has directed interim accounting to be
enabled, the Diameter ...
... Acct-Interim-Interval as
well as any re-authentication or re-authorization of the session. The
Diameter ...
... Session-Id AVP, which is globally unique (see
Section 8.8), is used during the authorization phase to identify a
particular session. Services ...
... particular session. Services that do not require any authorization
still use the Session-Id AVP ...
... messages MAY use a different Session-Id from that sent in
authorization messages. Specific applications MAY require a different
Session-Id for accounting ...
... Session-
Id AVP is used for correlation. During authorization, a server that
determines that a request is for an existing session ...
... Accounting Records SHOULD be sent every time a re-authentication
or re-authorization occurs. Further, additional interim record
triggers MAY be defined by application-specific Diameter
applications ...
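The accounting passages above give a small rule set for which Accounting-Record-Type values a Diameter client emits for a session-type service: START and STOP always; INTERIM records only when the authorization server has directed interim accounting, at every Acct-Interim-Interval and at every re-authentication or re-authorization. The following is an added example that generates that record sequence; it is not code from RFC 3588 or any Diameter stack. The Accounting-Record-Type values are the RFC's; the times and the function signature are assumptions for the illustration.

```python
from typing import List, Optional, Tuple

# Accounting-Record-Type values from RFC 3588 Section 9.8.1. The generator is
# an added example, not code from the RFC or any Diameter implementation.
EVENT_RECORD, START_RECORD, INTERIM_RECORD, STOP_RECORD = 1, 2, 3, 4


def accounting_records(start: int, stop: int, acct_interim_interval: Optional[int],
                       reauth_times: List[int]) -> List[Tuple[int, int]]:
    """Return (time, Accounting-Record-Type) pairs for one session-type
    service running from start to stop (seconds). With no Acct-Interim-Interval
    directed by the authorization server, the record after START MUST be STOP;
    otherwise INTERIM records are sent every interval and at each
    re-authentication/re-authorization, never duplicated for the same instant."""
    if stop <= start:
        raise ValueError("stop must follow start")
    if acct_interim_interval is None:
        return [(start, START_RECORD), (stop, STOP_RECORD)]
    if acct_interim_interval <= 0:
        raise ValueError("Acct-Interim-Interval must be positive")
    interim = set(range(start + acct_interim_interval, stop, acct_interim_interval))
    interim.update(t for t in reauth_times if start < t < stop)
    return ([(start, START_RECORD)]
            + [(t, INTERIM_RECORD) for t in sorted(interim)]
            + [(stop, STOP_RECORD)])


if __name__ == "__main__":
    # Constructed session: 100 s long, 30 s interim interval, one re-auth at 50 s.
    for t, rtype in accounting_records(0, 100, 30, [50]):
        print(t, rtype)
```

A server that did not direct interim accounting but later receives INTERIM records for a session is another case for the scrutiny the path-authorization text asks for, since the client is reporting on a basis the authorization server never set.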
... AVP MAY be returned by the
Diameter server in an authorization answer, and MUST be used in all
accounting messages for the given session ...
... AVP Code 483) is of type
Enumerated and is sent from the Diameter home authorization server to
the Diameter client ...
... This is the default behavior if the AVP isn't included in the
reply from the authorization server.
GRANT_AND_LOSE 3
...
... Auth-Session-State      |0 |0 |0 |0 |0 |0 |0 |0 |0 |0 |0 |0 |
    Authorization-Lifetime  |0 |0 |0 |0 |0 |0 |0 |0 |0 |0 |0 |0 |
...
... allocations SHOULD NOT be made for purposes unrelated to
authentication, authorization or accounting.
...
... Chiba, M., Dommety, G., Eklund, M., Mitton, D. and B. Aboba, "Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)", RFC 3576 ...
... Glass, S., Hiller, T., Jacobs, S. and C. Perkins, "Mobile IP Authentication, Authorization, and Accounting Requirements", RFC 2977, October 2000. ...
