service
... RADIUS
clients and servers are not aware of each other's capabilities,
they may not be able to successfully negotiate a mutually
acceptable service, or in some cases, even be aware of what
service has been implemented. Diameter ...
... acceptable service, or in some cases, even be aware of what
service has been implemented. Diameter includes support for error
handling (Section 7), capability negotiation ...
... in [AAAREQ]).
- Basic services necessary for applications, such as handling of
user sessions or accounting ...
... Diameter server to authenticate the user.
- Transporting of service specific authorization information,
between client and servers ...
... client generates Diameter messages to request authentication,
authorization, and accounting services for the user. A Diameter
agent ...
... The Diameter protocol also supports server-initiated messages, such
as a request to abort service to a particular user.
...
... AVPs of type Enumerated, an application may require a new value to
communicate some service-specific information.
In order to allocate a new AVP value ...
... Diameter accounting. Such
services need to define the AVPs carried in the Accounting-Request
...
... accounting server from accepting accounting requests for unbillable
services. The combination of the home domain and the accounting
...
... Local Realm
A local realm is the administrative domain providing services to a
user. An administrative domain MAY act as a local realm for
...
... sessions. Each
authorized session is bound to a particular service, and its state
is considered active ...
... session
A sub-session represents a distinct service (e.g., QoS or data
characteristics) provided to a given session ...
... QoS or data
characteristics) provided to a given session. These services may
happen concurrently (e.g., simultaneous voice and data transfer ...
... accounting. In addition, they MUST fully support each Diameter
application that is needed to implement the client's service, e.g.,
NASREQ and/or Mobile IPv4 ...
... accounting. In addition, they MUST fully support each Diameter
application that is needed to implement the intended service, e.g.,
NASREQ and/or Mobile IPv4 ...
... accounting. In addition, they MUST fully support each Diameter
application that is needed to implement proxied services, e.g.,
NASREQ and/or Mobile IPv4 ...
... Session-Termination-Request, Session-Termination-
Answer, expiration of authorized service time in the Session-Timeout
AVP ...
... supported applications. The receiver of a Capabilities Exchange
message advertising Relay service MUST assume that the sender
supports all current and future applications.
...
... from the Client via the Relay to the Server. Each "user" of a
service causes an auth request to be sent, with a unique session
identifier. Once accepted by the server, both the client ...
... sessions. Each authorized
session is bound to a particular service, and its state is considered
active ...
...
Since Relays do not perform any application level processing, they
provide relaying services for all Diameter applications, and
therefore MUST advertise the Relay Application Identifier ...
... state.
Since enforcing policies requires an understanding of the service
being provided, Proxies MUST only advertise the Diameter applications ...
... configuration needs to be centralized. An example is a redirect
agent that provides services to all members of a consortium, but does
not wish to be burdened with relaying all messages between realms.
This scenario is advantageous since it does not require that the
...
... Since redirect agents do not perform any application level
processing, they provide relaying services for all Diameter
applications, and therefore MUST advertise the Relay Application
Identifier.
...
...
End-to-end security services include confidentiality and message
origin authentication. These services ...
... services include confidentiality and message
origin authentication. These services are provided by supporting AVP
integrity ...
... AVPs.
Which AVPs are sensitive is determined by service provider policy.
AVPs containing keys and passwords ...
... SHOULD be subjected to further scrutiny, as should accounting
requests indicating a difference between the requested and provided
service.
Similarly, the local Diameter ...
... authorization response, the
local realm implicitly indicates its agreement to provide the service
indicated in the authorization response. If the service ...
... service
indicated in the authorization response. If the service cannot be
provided by the local realm, then a DIAMETER_UNABLE_TO_COMPLY error
message ...
... receiving an authorization response for a service that it cannot
perform MUST NOT substitute an alternate service, and then send
...
... authorization response for a service that it cannot
perform MUST NOT substitute an alternate service, and then send
accounting requests for the alternate service ...
... for simpler and more robust deployment of Diameter services. In
order to promote interoperable implementations of Diameter peer
...
... Diameter operation on.
3.1 The services relevant for the task of transport protocol
selection are those with NAPTR ...
... transport protocol
selection are those with NAPTR service fields with values
"AAA+D2x", where x is a letter that corresponds to a transport
protocol ...
... SCTP. We also establish an IANA
registry for NAPTR service name to transport protocol
mappings.
...
... SRV record for contacting a server with the specific transport
protocol in the NAPTR services field. The resource record
will contain an empty regular expression ...
... transport
protocols, there will be multiple NAPTR records, each with a
different service value. As per RFC 2915 [NAPTR], the client ...
... client
discards any records whose services fields are not applicable.
For the purposes of this specification, several rules are
defined.
...
...
3.2 A client MUST discard any service fields that identify a
resolution service whose value is not "D2X", for values of X
...
... client MUST discard any service fields that identify a
resolution service whose value is not "D2X", for values of X
that indicate transport protocols supported by the client ...
... When returned, the request was successfully completed, but
additional processing is required by the application in order to
provide service to the user.
...
... to an alternate peer. This error MUST only be used when a
specific server is requested, and it cannot provide the requested
service.
DIAMETER ...
... AUTHORIZATION_REJECTED 5003
A request was received for which the user could not be authorized.
This error could occur if the service requested is not permitted
to the user.
...
... Diameter server has detected AVPs in the request that
contradicted each other, and is not willing to provide service to
the user. One or more Failed-AVP AVPs ...
...
Diameter can provide two different types of services to applications.
The first involves authentication and authorization ...
... Diameter client issues an auth request to its local server. The
auth request is defined in a service specific Diameter application
(e.g., NASREQ ...
... session. Note that if payment for services is expected by the
serving realm from the user's home realm, the Authorization-Lifetime ...
... session the home realm is willing to be fiscally
responsible for. Services provided past the expiration of the
Authorization-Lifetime and Auth-Grace-Period ...
... AVPs are the
responsibility of the access device. Of course, the actual cost of
services rendered is clearly outside the scope of the protocol.
An access device that does not expect to send a re-authorization ...
... hint, it agrees that since
no session termination message will be received once service to the
user is terminated, it cannot maintain state for the session ...
... information to free resources.
When a service only makes use of the Accounting portion of the
Diameter protocol ...
... authorization portion of a Diameter application. The term
Service-Specific below refers to a message defined in a Diameter
application (e.g., Mobile IPv4, NASREQ ...
... answer
Pending Failed Service-specific Cleanup Idle
authorization answer received
...
... auth req
Open Successful Service-specific Provide Open
authorization answer received Service ...
... Service-specific Provide Open
authorization answer received Service
Open Failed Service-specific ...
... State
-------------------------------------------------------------
Idle Service-specific authorization Send Open
request received, and successful
...
... specific answer
Idle Service-specific authorization Send Idle
request received, and failed serv.
...
... user is not authorized specific answer
Open Service-specific authorization Send Open
request received, and user successful
...
... answer
Open Service-specific authorization Send Idle
request received, and user failed serv.
...
... auth req
Pending Successful Service-specific Grant Open
authorization answer Access
...
... Access Device user/device
Open Service to user is terminated Discon. Idle
user/device
...
... State
-------------------------------------------------------------
Idle Service-specific authorization Send serv. Idle
request received, and specific
...
... have an accounting portion or that require only accounting services.
The first state machine is to be observed by clients ...
... equal to GRANT_AND_LOSE
PendingS User service terminated Store PendingS
stop
record
...
... interim
record
Open User service terminated Send PendingL
accounting
...
... not equal to GRANT_AND_LOSE
PendingI User service terminated Store PendingI
stop
record
...
... re-authentication and/or re-
authorization service for a particular session by issuing a Re-Auth-
Request (RAR ...
... RAR).
For example, for pre-paid services, the Diameter server that
originally authorized a session ...
... originally authorized a session may need some confirmation that the
user is still using the services.
An access device that receives a RAR ...
... active session MUST initiate a re-auth towards the user,
if the service supports this particular feature. Each Diameter
application MUST state whether service ...
... service supports this particular feature. Each Diameter
application MUST state whether service-initiated re-auth is
supported, since some applications do not allow access devices to
prompt the user for re-auth.
...
... bit set, may be sent by any server to the
access device that is providing session service, to request that the
user be re-authenticated and/or re-authorized.
...
... Diameter authorization terminates,
the access device that provided the service MUST issue a Session-
Termination-Request (STR ...
... STR) message to the Diameter server that
authorized the service, to notify it that the session is no longer
active ...
... authorized but never actually started. This could occur, for
example, due to a sudden resource shortage in the access device, or
because the access device is unwilling to provide the type of service
requested in the authorization, or because the access device does not
...
... STR for that session is received.
The access device is not expected to provide service beyond the
expiration of these timers; thus, expiration of either of these
...
... A Diameter server may request that the access device stop providing
service for a particular session by issuing an Abort-Session-Request
...
... bit set, may be sent by any server to
the access device that is providing session service, to request that
the session identified by the Session-Id ...
... authorization AVPs that are necessary to
identify the service being requested/offered.
AUTHORIZE_AUTHENTICATE ...
... application specific authentication information, and authorization
information necessary to identify the service being
requested/offered.
...
... AVP Code 291) is of type Unsigned32
and contains the maximum number of seconds of service to be provided
to the user before the user is to be re-authenticated and/or re-
...
... authorization
messages, and contains the number of seconds the user is authorized
to receive service from the time the re-auth answer message is
received by the access device.
...
... maintained, and the access device MUST issue a session termination
message when service to the user is terminated. This is the
default value.
...
... RADIUS] is of type Unsigned32
and contains the maximum number of seconds of service to be provided
to the user before termination of the session. When both the
...
...
DIAMETER_SERVICE_NOT_PROVIDED 2
This value is used when the user disconnected prior to the receipt
of the authorization ...
... The following values are supported:
REFUSE_SERVICE 0
If either the re-auth or the STR message delivery ...
... STR message delivery fails, terminate
service with the user, and do not attempt any subsequent attempts.
TRY_AGAIN 1
...
... AVP present.
ALLOW_SERVICE 2
If re-auth message delivery fails, assume that re-authorization ...
... Diameter application (e.g., NASREQ, MobileIP), MUST define their
Service-Specific AVPs that MUST be present in the Accounting-Request
...
... AVPs described in this document will be present
in all Accounting messages, so only their respective service-specific
AVPs need to be defined in this section.
...
... Different types of accounting records are sent depending on the
actual type of accounted service and the authorization server's
directions for interim accounting ...
... authorization server's
directions for interim accounting. If the accounted service is a
one-time event, meaning that the start and stop of the event are
...
... set to the value EVENT_RECORD.
If the accounted service is of a measurable length, then the AVP MUST
use the values START ...
... session, two accounting records MUST
be generated for each service of type session. When the initial
...
... authorization phase to identify a
particular session. Services that do not require any authorization
still use the Session-Id ...
...
Furthermore, there are certain applications where a user receives
service from different access devices (e.g., Mobile IPv4), each with
their own unique Session-Id ...
...
The AVP listed below SHOULD include service specific accounting AVPs,
as described in Section 9.3.
...
...
The AVP listed below SHOULD include service specific accounting AVPs,
as described in Section 9.3.
...
... start and end of the event
are simultaneous). This record contains all information relevant
to the service, and is the only record of the service.
...
... are simultaneous). This record contains all information relevant
to the service, and is the only record of the service.
START ...
... Accounting Start, Interim, and Stop Records are used to
indicate that a service of a measurable length has been given. An
Accounting Start ...
... accounting records. With different values in this
AVP, service sessions can result in one, two, or two+N accounting
...
... Value field set to 0 means that EVENT_RECORD, START_RECORD,
and STOP_RECORD are produced, as appropriate for the service.
2. The inclusion of the AVP ...
... accounting message storms are not
created either among records or around a common service start
time.
...
... AVP with Value field set to DELIVER_AND_GRANT means that the
service MUST only be granted as long as there is a connection to
an accounting ...
... accounting record stream to a backup server is not a reason to
discontinue the service to the user.
GRANT_AND_STORE 2
...
... The AVP with Value field set to GRANT_AND_STORE means that service
SHOULD be granted if there is a connection, or as long as records
...
... The AVP with Value field set to GRANT_AND_LOSE means that service
SHOULD be granted even if the records can not be delivered or
stored.
...
... NAPTR Service Fields ...
... registration in the RFC MUST include the following information:
Service Field: The service field being registered. An example for a
new fictitious transport protocol ...
...
Service Field: The service field being registered. An example for a
new fictitious transport protocol called NCTP might be "AAA ...
... Protocol: The specific transport protocol associated with that
service field. This MUST include the name and acronym for the
protocol, along with reference to a document that describes the
...
... Nichols, K., Blake, S., Baker, F. and D. Black, "Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers ...
... Gulbrandsen, A., Vixie, P. and L. Esibov, "A DNS RR for specifying the location of services (DNS SRV)", RFC 2782, February 2000. ...
... Veizades, J., Guttman, E., Perkins, C. and M. Day, "Service Location Protocol, Version 2", RFC 2165, June 1999. ...
... Guttman, E., Perkins, C. and J. Kempf, "Service Templates and Service: Schemes", RFC 2609, June 1999. ...
... Chiba, M., Dommety, G., Eklund, M., Mitton, D. and B. Aboba, "Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)", RFC 3576, July 2003. ...
... Rigney, C., Willens, S., Rubens, A. and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000. ...
... Appendix A. Diameter Service Template ...
...
The following service template describes the attributes used by
Diameter servers to advertise themselves. This simplifies the
...
... Diameter servers based on
characteristics of the Diameter service desired (for example, an AAA
server to use for accounting.)
...
... Name of submitter: "Erik Guttman" <Erik.Guttman@sun.com> Language of
service template: en
Security Considerations ...
... secrets or cryptographic keys. Still, as Diameter services are
vital for network operation it is important to use SLPv2 ...
... authentication to prevent an attacker from modifying or
eliminating service advertisements for legitimate Diameter
servers.
...
... Template text:
-------------------------template begins here-----------------------
template-type=service:diameter
...
... Diameter implementations support one or more applications.
# . Additional applications may be defined in the future.
# An updated service template will be created at that time.
...
... Diameter implementations support one or more applications.
# . Additional applications may be defined in the future.
# An updated service template will be created at that time.
#
...
