Network Working Group C. Rigney Request for Comments: 2865 S. Willens Obsoletes: 2138 Livingston Category: Standards Track A. Rubens Merit W. Simpson Daydreamer June 2000 Remote Authentication Dial In User Service (RADIUS) Status of this Memo This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (2000). All Rights Reserved. IESG Note: This protocol is widely implemented and used. Experience has shown that it can suffer degraded performance and lost data when used in large scale systems, in part because it does not include provisions for congestion control. Readers of this document may find it beneficial to track the progress of the IETF's AAA working group, which may develop a successor protocol that better addresses the scaling and congestion control issues. Abstract This document describes a protocol for carrying authentication, authorization, and configuration information between a Network Access Server which desires to authenticate its links and a shared Authentication Server. Implementation Note This memo documents the RADIUS protocol. The early deployment of RADIUS was done using UDP port number 1645, which conflicts with the "datametrics" service. The officially assigned port number for RADIUS is 1812. Rigney, et al. Standards Track [Page 1] RFC 2865 RADIUS June 2000 Table of Contents 1. Introduction .......................................... 3 1.1 Specification of Requirements ................... 4 1.2 Terminology ..................................... 5 2. Operation ............................................. 5 2.1 Challenge/Response .............................. 7 2.2 Interoperation with PAP and CHAP ................ 8 2.3 Proxy ........................................... 8 2.4 Why UDP? ........................................ 11 2.5 Retransmission Hints ............................ 12 2.6 Keep-Alives Considered Harmful .................. 13 3. Packet Format ......................................... 13 4. Packet Types .......................................... 17 4.1 Access-Request .................................. 17 4.2 Access-Accept ................................... 18 4.3 Access-Reject ................................... 20 4.4 Access-Challenge ................................ 21 5. Attributes ............................................ 22 5.1 User-Name ....................................... 26 5.2 User-Password ................................... 27 5.3 CHAP-Password ................................... 28 5.4 NAS-IP-Address .................................. 29 5.5 NAS-Port ........................................ 30 5.6 Service-Type .................................... 31 5.7 Framed-Protocol ................................. 33 5.8 Framed-IP-Address ............................... 34 5.9 Framed-IP-Netmask ............................... 34 5.10 Framed-Routing .................................. 35 5.11 Filter-Id ....................................... 36 5.12 Framed-MTU ...................................... 37 5.13 Framed-Compression .............................. 37 5.14 Login-IP-Host ................................... 38 5.15 Login-Service ................................... 39 5.16 Login-TCP-Port .................................. 40 5.17 (unassigned) .................................... 41 5.18 Reply-Message ................................... 41 5.19 Callback-Number ................................. 42 5.20 Callback-Id ..................................... 42 5.21 (unassigned) .................................... 43 5.22 Framed-Route .................................... 43 5.23 Framed-IPX-Network .............................. 44 5.24 State ........................................... 45 5.25 Class ........................................... 46 5.26 Vendor-Specific ................................. 47 5.27 Session-Timeout ................................. 48 5.28 Idle-Timeout .................................... 49 5.29 Termination-Action .............................. 49 Rigney, et al. Standards Track [Page 2] RFC 2865 RADIUS June 2000 5.30 Called-Station-Id ............................... 50 5.31 Calling-Station-Id .............................. 51 5.32 NAS-Identifier .................................. 52 5.33 Proxy-State ..................................... 53 5.34 Login-LAT-Service ............................... 54 5.35 Login-LAT-Node .................................. 55 5.36 Login-LAT-Group ................................. 56 5.37 Framed-AppleTalk-Link ........................... 57 5.38 Framed-AppleTalk-Network ........................ 58 5.39 Framed-AppleTalk-Zone ........................... 58 5.40 CHAP-Challenge .................................. 59 5.41 NAS-Port-Type ................................... 60 5.42 Port-Limit ...................................... 61 5.43 Login-LAT-Port .................................. 62 5.44 Table of Attributes ............................. 63 6. IANA Considerations ................................... 64 6.1 Definition of Terms ............................. 64 6.2 Recommended Registration Policies ............... 65 7. Examples .............................................. 66 7.1 User Telnet to Specified Host ................... 66 7.2 Framed User Authenticating with CHAP ............ 67 7.3 User with Challenge-Response card ............... 68 8. Security Considerations ............................... 71 9. Change Log ............................................ 71 10. References ............................................ 73 11. Acknowledgements ...................................... 74 12. Chair's Address ....................................... 74 13. Authors' Addresses .................................... 75 14. Full Copyright Statement .............................. 76 1. Introduction This document obsoletes RFC 2138 [1]. A summary of the changes between this document and RFC 2138 is available in the "Change Log" appendix. Managing dispersed serial line and modem pools for large numbers of users can create the need for significant administrative support. Since modem pools are by definition a link to the outside world, they require careful attention to security, authorization and accounting. This can be best achieved by managing a single "database" of users, which allows for authentication (verifying user name and password) as well as configuration information detailing the type of service to deliver to the user (for example, SLIP, PPP, telnet, rlogin). Rigney, et al. Standards Track [Page 3] RFC 2865 RADIUS June 2000 Key features of RADIUS are: Client/Server Model A Network Access Server (NAS) operates as a client of RADIUS. The client is responsible for passing user information to designated RADIUS servers, and then acting on the response which is returned. RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the client to deliver service to the user. A RADIUS server can act as a proxy client to other RADIUS servers or other kinds of authentication servers. Network Security Transactions between the client and RADIUS server are authenticated through the use of a shared secret, which is never sent over the network. In addition, any user passwords are sent encrypted between the client and RADIUS server, to eliminate the possibility that someone snooping on an unsecure network could determine a user's password. Flexible Authentication Mechanisms The RADIUS server can support a variety of methods to authenticate a user. When it is provided with the user name and original password given by the user, it can support PPP PAP or CHAP, UNIX login, and other authentication mechanisms. Extensible Protocol All transactions are comprised of variable length Attribute- Length-Value 3-tuples. New attribute values can be added without disturbing existing implementations of the protocol. 1.1. Specification of Requirements The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [2]. These key words mean the same thing whether capitalized or not. An implementation is not compliant if it fails to satisfy one or more of the must or must not requirements for the protocols it implements. An implementation that satisfies all the must, must not, should and Rigney, et al. Standards Track [Page 4] RFC 2865 RADIUS June 2000 should not requirements for its protocols is said to be "unconditionally compliant"; one that satisfies all the must and must not requirements but not all the should or should not requirements for its protocols is said to be "conditionally compliant". A NAS that does not implement a given service MUST NOT implement the RADIUS attributes for that service. For example, a NAS that is unable to offer ARAP service MUST NOT implement the RADIUS attributes for ARAP. A NAS MUST treat a RADIUS access-accept authorizing an unavailable service as an access-reject instead. 1.2. Terminology This document frequently uses the following terms: service The NAS provides a service to the dial-in user, such as PPP or Telnet. session Each service provided by the NAS to a dial-in user constitutes a session, with the beginning of the session defined as the point where service is first provided and the end of the session defined as the point where service is ended. A user may have multiple sessions in parallel or series if the NAS supports that. silently discard This means the implementation discards the packet without further processing. The implementation SHOULD provide the capability of logging the error, including the contents of the silently discarded packet, and SHOULD record the event in a statistics counter. 2. Operation When a client is configured to use RADIUS, any user of the client presents authentication information to the client. This might be with a customizable login prompt, where the user is expected to enter their username and password. Alternatively, the user might use a link framing protocol such as the Point-to-Point Protocol (PPP), which has authentication packets which carry this information. Once the client has obtained such information, it may choose to authenticate using RADIUS. To do so, the client creates an "Access- Request" containing such Attributes as the user's name, the user's password, the ID of the client and the Port ID which the user is accessing. When a password is present, it is hidden using a method based on the RSA Message Digest Algorithm MD5 [3]. Rigney, et al. Standards Track [Page 5] RFC 2865 RADIUS June 2000 The Access-Request is submitted to the RADIUS server via the network. If no response is returned within a length of time, the request is re-sent a number of times. The client can also forward requests to an alternate server or servers in the event that the primary server is down or unreachable. An alternate server can be used either after a number of tries to the primary server fail, or in a round-robin fashion. Retry and fallback algorithms are the topic of current research and are not specified in detail in this document. Once the RADIUS server receives the request, it validates the sending client. A request from a client for which the RADIUS server does not have a shared secret MUST be silently discarded. If the client is valid, the RADIUS server consults a database of users to find the user whose name matches the request. The user entry in the database contains a list of requirements which must be met to allow access for the user. This always includes verification of the password, but can also specify the client(s) or port(s) to which the user is allowed access. The RADIUS server MAY make requests of other servers in order to satisfy the request, in which case it acts as a client. If any Proxy-State attributes were present in the Access-Request, they MUST be copied unmodified and in order into the response packet. Other Attributes can be placed before, after, or even between the Proxy-State attributes. If any condition is not met, the RADIUS server sends an "Access- Reject" response indicating that this user request is invalid. If desired, the server MAY include a text message in the Access-Reject which MAY be displayed by the client to the user. No other Attributes (except Proxy-State) are permitted in an Access-Reject. If all conditions are met and the RADIUS server wishes to issue a challenge to which the user must respond, the RADIUS server sends an "Access-Challenge" response. It MAY include a text message to be displayed by the client to the user prompting for a response to the challenge, and MAY include a State attribute. If the client receives an Access-Challenge and supports challenge/response it MAY display the text message, if any, to the user, and then prompt the user for a response. The client then re- submits its original Access-Request with a new request ID, with the User-Password Attribute replaced by the response (encrypted), and including the State Attribute from the Access-Challenge, if any. Only 0 or 1 instances of the State Attribute SHOULD be Rigney, et al. Standards Track [Page 6] RFC 2865 RADIUS June 2000 present in a request. The server can respond to this new Access- Request with either an Access-Accept, an Access-Reject, or another Access-Challenge. If all conditions are met, the list of configuration values for the us