RFC 7155

Diameter Network Access Server Application

Part 2 of 4, p. 11 to 31

3.  Diameter NAS Application Messages

   This section defines the Diameter message Command Code [RFC6733]
   values that MUST be supported by all Diameter implementations
   conforming to this specification.  The Command Codes are as follows:

   +-----------------------------------+---------+------+--------------+
   | Command Name                      | Abbrev. | Code | Reference    |
   +-----------------------------------+---------+------+--------------+
   | AA-Request                        |   AAR   | 265  | Section 3.1  |
   | AA-Answer                         |   AAA   | 265  | Section 3.2  |
   | Re-Auth-Request                   |   RAR   | 258  | Section 3.3  |
   | Re-Auth-Answer                    |   RAA   | 258  | Section 3.4  |
   | Session-Termination-Request       |   STR   | 275  | Section 3.5  |
   | Session-Termination-Answer        |   STA   | 275  | Section 3.6  |
   | Abort-Session-Request             |   ASR   | 274  | Section 3.7  |
   | Abort-Session-Answer              |   ASA   | 274  | Section 3.8  |
   | Accounting-Request                |   ACR   | 271  | Section 3.9  |
   | Accounting-Answer                 |   ACA   | 271  | Section 3.10 |
   +-----------------------------------+---------+------+--------------+

   Note that the message formats in the following subsections use the
   standard Diameter Command Code Format ([RFC6733], Section 3.2).

3.1.  AA-Request (AAR) Command

   The AA-Request (AAR), which is indicated by setting the Command Code
   field to 265 and the 'R' bit in the Command Flags field, is used to
   request authentication and/or authorization for a given NAS user.
   The type of request is identified through the Auth-Request-Type AVP
   [RFC6733].  The recommended value for most situations is
   AUTHORIZE_AUTHENTICATE.

   If Authentication is requested, the User-Name attribute SHOULD be
   present, as well as any additional authentication AVPs that would
   carry the password information.  A request for authorization SHOULD
   only include the information from which the authorization will be
   performed, such as the User-Name, Called-Station-Id, or Calling-
   Station-Id AVPs.  All requests SHOULD contain AVPs uniquely
   identifying the source of the call, such as Origin-Host and NAS-Port.
   Certain networks MAY use different AVPs for authorization purposes.
   A request for authorization will include some AVPs defined in
   Section 4.4.

   It is possible for a single session to be authorized first and then
   for an authentication request to follow.

   This AA-Request message MAY be the result of a multi-round
   authentication exchange, which occurs when the AA-Answer message is
   received with the Result-Code AVP set to DIAMETER_MULTI_ROUND_AUTH.
   A subsequent AAR message SHOULD be sent, with the User-Password AVP
   that includes the user's response to the prompt and MUST include any
   State AVPs that were present in the AAA message.

      Message Format

         <AA-Request> ::= < Diameter Header: 265, REQ, PXY >
                          < Session-Id >
                          { Auth-Application-Id }
                          { Origin-Host }
                          { Origin-Realm }
                          { Destination-Realm }
                          { Auth-Request-Type }
                          [ Destination-Host ]
                          [ NAS-Identifier ]
                          [ NAS-IP-Address ]
                          [ NAS-IPv6-Address ]
                          [ NAS-Port ]
                          [ NAS-Port-Id ]
                          [ NAS-Port-Type ]
                          [ Origin-AAA-Protocol ]
                          [ Origin-State-Id ]
                          [ Port-Limit ]
                          [ User-Name ]
                          [ User-Password ]
                          [ Service-Type ]
                          [ State ]
                          [ Authorization-Lifetime ]
                          [ Auth-Grace-Period ]
                          [ Auth-Session-State ]
                          [ Callback-Number ]
                          [ Called-Station-Id ]
                          [ Calling-Station-Id ]
                          [ Originating-Line-Info ]
                          [ Connect-Info ]
                          [ CHAP-Auth ]
                          [ CHAP-Challenge ]
                        * [ Framed-Compression ]
                          [ Framed-Interface-Id ]
                          [ Framed-IP-Address ]
                        * [ Framed-IPv6-Prefix ]
                          [ Framed-IP-Netmask ]
                          [ Framed-MTU ]
                          [ Framed-Protocol ]
                           [ ARAP-Password ]
                          [ ARAP-Security ]
                        * [ ARAP-Security-Data ]
                        * [ Login-IP-Host ]
                        * [ Login-IPv6-Host ]
                          [ Login-LAT-Group ]
                          [ Login-LAT-Node ]
                          [ Login-LAT-Port ]
                          [ Login-LAT-Service ]
                        * [ Tunneling ]
                        * [ Proxy-Info ]
                        * [ Route-Record ]
                        * [ AVP ]

3.2.  AA-Answer (AAA) Command

   The AA-Answer (AAA) message is indicated by setting the Command Code
   field to 265 and clearing the 'R' bit in the Command Flags field.  It
   is sent in response to the AA-Request (AAR) message.  If
   authorization was requested, a successful response will include the
   authorization AVPs appropriate for the service being provided, as
   defined in Section 4.4.

   For authentication exchanges requiring more than a single round trip,
   the server MUST set the Result-Code AVP to DIAMETER_MULTI_ROUND_AUTH.

   An AAA message with this result code MAY include one or more
   Reply-Message AVPs and MAY include zero or one State AVP.

   If the Reply-Message AVP was present, the network access server
   SHOULD send the text to the user's client to display to the user,
   instructing the client to prompt the user for a response.  For
   example, this can be achieved in PPP via PAP.  If it is impossible to
   deliver the text prompt to the user, the Diameter NAS Application
   client MUST treat the AA-Answer (AAA) with the Reply-Message AVP as
   an error and deny access.

      Message Format

         <AA-Answer> ::= < Diameter Header: 265, PXY >
                         < Session-Id >
                         { Auth-Application-Id }
                         { Auth-Request-Type }
                         { Result-Code }
                         { Origin-Host }
                         { Origin-Realm }
                         [ User-Name ]
                         [ Service-Type ]
                       * [ Class ]
                       * [ Configuration-Token ]
                         [ Acct-Interim-Interval ]
                         [ Error-Message ]
                         [ Error-Reporting-Host ]
                       * [ Failed-AVP ]
                         [ Idle-Timeout ]
                         [ Authorization-Lifetime ]
                         [ Auth-Grace-Period ]
                         [ Auth-Session-State ]
                         [ Re-Auth-Request-Type ]
                         [ Multi-Round-Time-Out ]
                         [ Session-Timeout ]
                         [ State ]
                       * [ Reply-Message ]
                         [ Origin-AAA-Protocol ]
                         [ Origin-State-Id ]
                       * [ Filter-Id ]
                         [ Password-Retry ]
                         [ Port-Limit ]
                         [ Prompt ]
                         [ ARAP-Challenge-Response ]
                         [ ARAP-Features ]
                         [ ARAP-Security ]
                       * [ ARAP-Security-Data ]
                         [ ARAP-Zone-Access ]
                         [ Callback-Id ]
                         [ Callback-Number ]
                         [ Framed-Appletalk-Link ]
                       * [ Framed-Appletalk-Network ]
                         [ Framed-Appletalk-Zone ]
                       * [ Framed-Compression ]
                         [ Framed-Interface-Id ]
                         [ Framed-IP-Address ]
                       * [ Framed-IPv6-Prefix ]
                         [ Framed-IPv6-Pool ]
                       * [ Framed-IPv6-Route ]
                         [ Framed-IP-Netmask ]
                       * [ Framed-Route ]
                         [ Framed-Pool ]
                         [ Framed-IPX-Network ]
                         [ Framed-MTU ]
                         [ Framed-Protocol ]
                         [ Framed-Routing ]
                       * [ Login-IP-Host ]
                       * [ Login-IPv6-Host ]
                         [ Login-LAT-Group ]
                         [ Login-LAT-Node ]
                          [ Login-LAT-Port ]
                         [ Login-LAT-Service ]
                         [ Login-Service ]
                         [ Login-TCP-Port ]
                       * [ NAS-Filter-Rule ]
                       * [ QoS-Filter-Rule ]
                       * [ Tunneling ]
                       * [ Redirect-Host ]
                         [ Redirect-Host-Usage ]
                         [ Redirect-Max-Cache-Time ]
                       * [ Proxy-Info ]
                       * [ AVP ]
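   The following Python code is an added example and is not part of
   RFC 7155: it models the NAS side of the multi-round exchange of
   Sections 3.1 and 3.2 (DIAMETER_MULTI_ROUND_AUTH, prompting the user
   with Reply-Message, echoing State in the next AAR, and denying access
   when the prompt cannot be delivered) with messages as dicts keyed by
   AVP name.  The server, the host names, the NAS-Port value and the
   one-time code are constructed for the example.

```python
# Added example, not part of RFC 7155: the NAS-side rules of Sections 3.1
# and 3.2 for a multi-round AA-Request/AA-Answer exchange.  Messages are
# dicts keyed by AVP name; the server and identities are constructed.
from typing import Callable, Dict, List, Optional, Tuple

# Result-Code values from RFC 6733 Section 7.1
DIAMETER_MULTI_ROUND_AUTH = 1001
DIAMETER_SUCCESS = 2001
DIAMETER_AUTHENTICATION_REJECTED = 4001
AUTHORIZE_AUTHENTICATE = 3   # Auth-Request-Type, RFC 6733 Section 8.7
NAS_APPLICATION_ID = 1       # Auth-Application-Id of the NAS application

Message = Dict[str, object]
# Shows the prompt (None when the AAA carried no Reply-Message) and returns
# the user's response, or None when the text cannot be delivered at all.
PromptFn = Callable[[Optional[str]], Optional[str]]


def build_aar(session_id: str, user_name: str, password: Optional[str],
              state: Optional[bytes] = None) -> Message:
    """AAR with the mandatory AVPs of the Section 3.1 format plus the
    optional AVPs a follow-up round needs."""
    aar: Message = {
        "Session-Id": session_id,
        "Auth-Application-Id": NAS_APPLICATION_ID,
        "Origin-Host": "nas1.example.com",    # constructed identities
        "Origin-Realm": "example.com",
        "Destination-Realm": "example.com",
        "Auth-Request-Type": AUTHORIZE_AUTHENTICATE,
        "User-Name": user_name,
        "NAS-Port": 7,                        # identifies the call source
    }
    if password is not None:
        aar["User-Password"] = password
    if state is not None:
        aar["State"] = state   # Section 3.1: State from the AAA MUST be echoed
    return aar


def next_step(aaa: Message, session_id: str, user_name: str,
              deliver_prompt: PromptFn) -> Tuple[str, Optional[Message]]:
    """Apply Section 3.2 to one AA-Answer.  Returns ("granted", None),
    ("denied", None) or ("continue", <follow-up AAR>)."""
    code = aaa["Result-Code"]
    if code == DIAMETER_SUCCESS:
        return "granted", None
    if code != DIAMETER_MULTI_ROUND_AUTH:
        return "denied", None              # no access was granted
    # Every Reply-Message is shown to the user as the prompt.  If the text
    # cannot be delivered, the AAA is treated as an error and access denied.
    prompts = aaa.get("Reply-Message", [])
    response = deliver_prompt("\n".join(prompts) if prompts else None)
    if response is None:
        return "denied", None
    # The response travels in User-Password of the next AAR, together with
    # the State AVP the server handed out in the AAA.
    return "continue", build_aar(session_id, user_name, response, aaa.get("State"))


def run_exchange(server: Callable[[Message], Message], session_id: str,
                 user_name: str, password: str,
                 deliver_prompt: PromptFn) -> Tuple[str, List[Message]]:
    """Drive rounds until the verdict; returns the verdict and every AAR sent."""
    sent: List[Message] = []
    aar = build_aar(session_id, user_name, password)
    while True:
        sent.append(aar)
        verdict, nxt = next_step(server(aar), session_id, user_name, deliver_prompt)
        if verdict != "continue":
            return verdict, sent
        aar = nxt


def demo_server(aar: Message) -> Message:
    """Constructed server: after the password round it demands a one-time
    code and uses a State cookie to tie the second round to the first."""
    answer: Message = {"Session-Id": aar["Session-Id"],
                       "Auth-Application-Id": NAS_APPLICATION_ID,
                       "Auth-Request-Type": aar["Auth-Request-Type"],
                       "Origin-Host": "aaa.example.com",
                       "Origin-Realm": "example.com"}
    if "State" not in aar:                   # first round; password check omitted
        answer["Result-Code"] = DIAMETER_MULTI_ROUND_AUTH
        answer["Reply-Message"] = ["Enter the one-time code:"]
        answer["State"] = b"round-1"
    elif aar["State"] == b"round-1" and aar.get("User-Password") == "246810":
        answer["Result-Code"] = DIAMETER_SUCCESS
    else:
        answer["Result-Code"] = DIAMETER_AUTHENTICATION_REJECTED
    return answer
```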

3.3.  Re-Auth-Request (RAR) Command

   A Diameter server can initiate reauthentication and/or
   reauthorization for a particular session by issuing a Re-Auth-Request
   (RAR) message [RFC6733].

   For example, for prepaid services, the Diameter server that
   originally authorized a session may need some confirmation that the
   user is still using the services.

   If a NAS receives an RAR message with Session-Id equal to a currently
   active session and a Re-Auth-Type that includes authentication, it
   MUST initiate a reauthentication toward the user, if the service
   supports this particular feature.

      Message Format

         <RA-Request>  ::= < Diameter Header: 258, REQ, PXY >
                          < Session-Id >
                          { Origin-Host }
                          { Origin-Realm }
                          { Destination-Realm }
                          { Destination-Host }
                          { Auth-Application-Id }
                          { Re-Auth-Request-Type }
                          [ User-Name ]
                          [ Origin-AAA-Protocol ]
                          [ Origin-State-Id ]
                          [ NAS-Identifier ]
                          [ NAS-IP-Address ]
                          [ NAS-IPv6-Address ]
                          [ NAS-Port ]
                          [ NAS-Port-Id ]
                          [ NAS-Port-Type ]
                          [ Service-Type ]
                           [ Framed-IP-Address ]
                          [ Framed-IPv6-Prefix ]
                          [ Framed-Interface-Id ]
                          [ Called-Station-Id ]
                          [ Calling-Station-Id ]
                          [ Originating-Line-Info ]
                          [ Acct-Session-Id ]
                          [ Acct-Multi-Session-Id ]
                          [ State ]
                        * [ Class ]
                          [ Reply-Message ]
                        * [ Proxy-Info ]
                        * [ Route-Record ]
                        * [ AVP ]

3.4.  Re-Auth-Answer (RAA) Command

   The Re-Auth-Answer (RAA) message [RFC6733] is sent in response to the
   RAR.  The Result-Code AVP MUST be present and indicates the
   disposition of the request.

   A successful RAA transaction MUST be followed by an AAR message.

      Message Format

         <RA-Answer>  ::= < Diameter Header: 258, PXY >
                          < Session-Id >
                          { Result-Code }
                          { Origin-Host }
                          { Origin-Realm }
                          [ User-Name ]
                          [ Origin-AAA-Protocol ]
                          [ Origin-State-Id ]
                          [ Error-Message ]
                          [ Error-Reporting-Host ]
                        * [ Failed-AVP ]
                        * [ Redirected-Host ]
                          [ Redirected-Host-Usage ]
                          [ Redirected-Host-Cache-Time ]
                          [ Service-Type ]
                        * [ Configuration-Token ]
                          [ Idle-Timeout ]
                          [ Authorization-Lifetime ]
                          [ Auth-Grace-Period ]
                          [ Re-Auth-Request-Type ]
                          [ State ]
                        * [ Class ]
                        * [ Reply-Message ]
                           [ Prompt ]
                        * [ Proxy-Info ]
                        * [ AVP ]

3.5.  Session-Termination-Request (STR) Command

   The Session-Termination-Request (STR) message [RFC6733] is sent by
   the NAS to inform the Diameter server that an authenticated and/or
   authorized session is being terminated.

      Message Format

         <ST-Request> ::= < Diameter Header: 275, REQ, PXY >
                         < Session-Id >
                         { Origin-Host }
                         { Origin-Realm }
                         { Destination-Realm }
                         { Auth-Application-Id }
                         { Termination-Cause }
                         [ User-Name ]
                         [ Destination-Host ]
                       * [ Class ]
                         [ Origin-AAA-Protocol ]
                         [ Origin-State-Id ]
                       * [ Proxy-Info ]
                       * [ Route-Record ]
                       * [ AVP ]

3.6.  Session-Termination-Answer (STA) Command

   The Session-Termination-Answer (STA) message [RFC6733] is sent by the
   Diameter server to acknowledge the notification that the session has
   been terminated.  The Result-Code AVP MUST be present and MAY contain
   an indication that an error occurred while the STR was being
   serviced.

   Upon sending the STA, the Diameter server MUST release all resources
   for the session indicated by the Session-Id AVP.  Any intermediate
   server in the Proxy-Chain MAY also release any resources, if
   necessary.

      Message Format

         <ST-Answer>  ::= < Diameter Header: 275, PXY >
                          < Session-Id >
                          { Result-Code }
                          { Origin-Host }
                          { Origin-Realm }
                          [ User-Name ]
                        * [ Class ]
                          [ Error-Message ]
                          [ Error-Reporting-Host ]
                        * [ Failed-AVP ]
                          [ Origin-AAA-Protocol ]
                          [ Origin-State-Id ]
                        * [ Redirect-Host ]
                          [ Redirect-Host-Usage ]
                          [ Redirect-Max-Cache-Time ]
                        * [ Proxy-Info ]
                        * [ AVP ]

3.7.  Abort-Session-Request (ASR) Command

   The Abort-Session-Request (ASR) message [RFC6733] can be sent by any
   Diameter server to the NAS providing session service to request that
   the session identified by the Session-Id be stopped.

      Message Format

         <AS-Request>  ::= < Diameter Header: 274, REQ, PXY >
                          < Session-Id >
                          { Origin-Host }
                          { Origin-Realm }
                          { Destination-Realm }
                          { Destination-Host }
                          { Auth-Application-Id }
                          [ User-Name ]
                          [ Origin-AAA-Protocol ]
                          [ Origin-State-Id ]
                          [ NAS-Identifier ]
                          [ NAS-IP-Address ]
                          [ NAS-IPv6-Address ]
                          [ NAS-Port ]
                          [ NAS-Port-Id ]
                          [ NAS-Port-Type ]
                          [ Service-Type ]
                          [ Framed-IP-Address ]
                          [ Framed-IPv6-Prefix ]
                           [ Framed-Interface-Id ]
                          [ Called-Station-Id ]
                          [ Calling-Station-Id ]
                          [ Originating-Line-Info ]
                          [ Acct-Session-Id ]
                          [ Acct-Multi-Session-Id ]
                          [ State ]
                        * [ Class ]
                        * [ Reply-Message ]
                        * [ Proxy-Info ]
                        * [ Route-Record ]
                        * [ AVP ]

3.8.  Abort-Session-Answer (ASA) Command

   The ASA message [RFC6733] is sent in response to the ASR.  The
   Result-Code AVP MUST be present and indicates the disposition of the
   request.

   If the session identified by Session-Id in the ASR was successfully
   terminated, the Result-Code is set to DIAMETER_SUCCESS.  If the
   session is not currently active, the Result-Code AVP is set to
   DIAMETER_UNKNOWN_SESSION_ID.  If the access device does not stop the
   session for any other reason, the Result-Code AVP is set to
   DIAMETER_UNABLE_TO_COMPLY.

      Message Format

         <AS-Answer>  ::= < Diameter Header: 274, PXY >
                          < Session-Id >
                          { Result-Code }
                          { Origin-Host }
                          { Origin-Realm }
                          [ User-Name ]
                          [ Origin-AAA-Protocol ]
                          [ Origin-State-Id ]
                           [ State ]
                          [ Error-Message ]
                          [ Error-Reporting-Host ]
                        * [ Failed-AVP ]
                        * [ Redirected-Host ]
                          [ Redirected-Host-Usage ]
                          [ Redirected-Max-Cache-Time ]
                        * [ Proxy-Info ]
                        * [ AVP ]
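   As an added example that is not part of RFC 7155, the Python code
   below keeps a NAS session table and answers RAR per Section 3.3 and
   ASR per Sections 3.7 and 3.8.  The Result-Codes returned for an RAR
   that names an unknown session, or a service that cannot re-prompt
   the user, are an assumption (the page defines them only for the
   ASA); sessions and host names are constructed.

```python
# Added example, not part of RFC 7155: how a NAS answers the server-initiated
# RAR (Section 3.3) and ASR (Sections 3.7 and 3.8) from its session table.
# Messages are dicts keyed by AVP name; sessions and identities are constructed.
# Assumed beyond the page: an RAR for an unknown session, or for a service that
# cannot re-authenticate, is answered with the Result-Codes Section 3.8 uses.
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

DIAMETER_SUCCESS = 2001              # Result-Code values, RFC 6733 Section 7.1
DIAMETER_UNKNOWN_SESSION_ID = 5002
DIAMETER_UNABLE_TO_COMPLY = 5012
AUTHORIZE_ONLY = 0                   # Re-Auth-Request-Type, RFC 6733 Section 8.12
AUTHORIZE_AUTHENTICATE = 1

Message = Dict[str, object]


@dataclass
class Session:
    session_id: str
    user_name: str
    supports_reauth: bool = True   # can the service re-prompt the user?
    stoppable: bool = True         # constructed: can the device tear it down?
    active: bool = True
    reauth_pending: bool = False   # set when an AAR must follow the RAA (3.4)


class Nas:
    def __init__(self, origin_host: str, origin_realm: str,
                 sessions: Iterable[Session]) -> None:
        self.origin_host, self.origin_realm = origin_host, origin_realm
        self.sessions: Dict[str, Session] = {s.session_id: s for s in sessions}

    def _answer(self, request: Message, result_code: int) -> Message:
        # The fixed and mandatory AVPs shared by the RAA and ASA formats
        return {"Session-Id": request["Session-Id"], "Result-Code": result_code,
                "Origin-Host": self.origin_host, "Origin-Realm": self.origin_realm}

    def _active(self, session_id: object) -> Optional[Session]:
        session = self.sessions.get(str(session_id))
        return session if session is not None and session.active else None

    def handle_rar(self, rar: Message) -> Message:
        """Section 3.3: start re-authentication only for a currently active
        session whose Re-Auth-Request-Type includes authentication."""
        session = self._active(rar["Session-Id"])
        if session is None:
            return self._answer(rar, DIAMETER_UNKNOWN_SESSION_ID)
        if rar["Re-Auth-Request-Type"] == AUTHORIZE_AUTHENTICATE:
            if not session.supports_reauth:
                return self._answer(rar, DIAMETER_UNABLE_TO_COMPLY)
            session.reauth_pending = True   # the follow-up AAR is driven from here
        return self._answer(rar, DIAMETER_SUCCESS)

    def handle_asr(self, asr: Message) -> Message:
        """Section 3.8: DIAMETER_SUCCESS once the session is stopped,
        UNKNOWN_SESSION_ID if it is not active, UNABLE_TO_COMPLY otherwise."""
        session = self._active(asr["Session-Id"])
        if session is None:
            return self._answer(asr, DIAMETER_UNKNOWN_SESSION_ID)
        if not session.stoppable:
            return self._answer(asr, DIAMETER_UNABLE_TO_COMPLY)
        session.active = False
        return self._answer(asr, DIAMETER_SUCCESS)
```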

3.9.  Accounting-Request (ACR) Command

   The ACR message [RFC6733] is sent by the NAS to report its session
   information to a target server downstream.

   The Acct-Application-Id AVP MUST be present.

   The AVPs listed in the Diameter Base protocol specification [RFC6733]
   MUST be assumed to be present, as appropriate.  NAS service-specific
   accounting AVPs SHOULD be present as described in Section 4.6 and the
   rest of this specification.

      Message Format

         <AC-Request> ::= < Diameter Header: 271, REQ, PXY >
                         < Session-Id >
                         { Origin-Host }
                         { Origin-Realm }
                         { Destination-Realm }
                         { Accounting-Record-Type }
                         { Accounting-Record-Number }
                         { Acct-Application-Id }
                         [ User-Name ]
                         [ Accounting-Sub-Session-Id ]
                         [ Acct-Session-Id ]
                         [ Acct-Multi-Session-Id ]
                         [ Origin-AAA-Protocol ]
                         [ Origin-State-Id ]
                         [ Destination-Host ]
                         [ Event-Timestamp ]
                         [ Acct-Delay-Time ]
                         [ NAS-Identifier ]
                         [ NAS-IP-Address ]
                         [ NAS-IPv6-Address ]
                         [ NAS-Port ]
                         [ NAS-Port-Id ]
                         [ NAS-Port-Type ]
                       * [ Class ]
                         [ Service-Type ]
                         [ Termination-Cause ]
                         [ Accounting-Input-Octets ]
                         [ Accounting-Input-Packets ]
                         [ Accounting-Output-Octets ]
                         [ Accounting-Output-Packets ]
                         [ Acct-Authentic ]
                         [ Accounting-Auth-Method ]
                         [ Acct-Link-Count ]
                          [ Acct-Session-Time ]
                         [ Acct-Tunnel-Connection ]
                         [ Acct-Tunnel-Packets-Lost ]
                         [ Callback-Id ]
                         [ Callback-Number ]
                         [ Called-Station-Id ]
                         [ Calling-Station-Id ]
                       * [ Connection-Info ]
                         [ Originating-Line-Info ]
                         [ Authorization-Lifetime ]
                         [ Session-Timeout ]
                         [ Idle-Timeout ]
                         [ Port-Limit ]
                         [ Accounting-Realtime-Required ]
                         [ Acct-Interim-Interval ]
                       * [ Filter-Id ]
                       * [ NAS-Filter-Rule ]
                       * [ QoS-Filter-Rule ]
                         [ Framed-Appletalk-Link ]
                         [ Framed-Appletalk-Network ]
                         [ Framed-Appletalk-Zone ]
                         [ Framed-Compression ]
                         [ Framed-Interface-Id ]
                         [ Framed-IP-Address ]
                         [ Framed-IP-Netmask ]
                       * [ Framed-IPv6-Prefix ]
                         [ Framed-IPv6-Pool ]
                       * [ Framed-IPv6-Route ]
                         [ Framed-IPX-Network ]
                         [ Framed-MTU ]
                         [ Framed-Pool ]
                         [ Framed-Protocol ]
                       * [ Framed-Route ]
                         [ Framed-Routing ]
                       * [ Login-IP-Host ]
                       * [ Login-IPv6-Host ]
                         [ Login-LAT-Group ]
                         [ Login-LAT-Node ]
                         [ Login-LAT-Port ]
                         [ Login-LAT-Service ]
                         [ Login-Service ]
                         [ Login-TCP-Port ]
                       * [ Tunneling ]
                       * [ Proxy-Info ]
                       * [ Route-Record ]
                       * [ AVP ]

3.10.  Accounting-Answer (ACA) Command

   The ACA message [RFC6733] is used to acknowledge an Accounting-
   Request command.  The Accounting-Answer command contains the same
   Session-Id as the Request.

   Only the target Diameter server or home Diameter server SHOULD
   respond with the Accounting-Answer command.

   The Acct-Application-Id AVP MUST be present.

   The AVPs listed in the Diameter Base protocol specification [RFC6733]
   MUST be assumed to be present, as appropriate.  NAS service-specific
   accounting AVPs SHOULD be present as described in Section 4.6 and the
   rest of this specification.

      Message Format

         <AC-Answer> ::= < Diameter Header: 271, PXY >
                         < Session-Id >
                         { Result-Code }
                         { Origin-Host }
                         { Origin-Realm }
                         { Accounting-Record-Type }
                         { Accounting-Record-Number }
                         { Acct-Application-Id }
                         [ User-Name ]
                         [ Accounting-Sub-Session-Id ]
                         [ Acct-Session-Id ]
                         [ Acct-Multi-Session-Id ]
                         [ Event-Timestamp ]
                         [ Error-Message ]
                         [ Error-Reporting-Host ]
                       * [ Failed-AVP ]
                         [ Origin-AAA-Protocol ]
                         [ Origin-State-Id ]
                         [ NAS-Identifier ]
                         [ NAS-IP-Address ]
                         [ NAS-IPv6-Address ]
                         [ NAS-Port ]
                         [ NAS-Port-Id ]
                         [ NAS-Port-Type ]
                         [ Service-Type ]
                         [ Termination-Cause ]
                          [ Accounting-Realtime-Required ]
                         [ Acct-Interim-Interval ]
                       * [ Class ]
                       * [ Proxy-Info ]
                       * [ AVP ]

4.  Diameter NAS Application AVPs

   The following sections define a new derived AVP data format, define a
   set of application-specific AVPs, and describe the use of AVPs
   defined in other documents by the Diameter NAS Application.

4.1.  Derived AVP Data Formats

4.1.1.  QoSFilterRule

   The QoSFilterRule format is derived from the OctetString AVP Base
   Format.  It uses the US-ASCII charset.  Packets may be marked or
   metered based on the following information:

   o  Direction (in or out)

   o  Source and destination IP address (possibly masked)

   o  Protocol

   o  Source and destination port (lists or ranges)

   o  Differentiated Services Code Point (DSCP) values (no mask or
      range)

   Rules for the appropriate direction are evaluated in order; the first
   matched rule terminates the evaluation.  Each packet is evaluated
   once.  If no rule matches, the packet is treated as best effort.  An
   access device unable to interpret or apply a QoS rule SHOULD NOT
   terminate the session.

   QoSFilterRule filters MUST follow the following format:

      action dir proto from src to dst [options]

      where

      action      tag    Mark packet with a specific DSCP [RFC2474]
                  meter  Meter traffic

      dir         The format is as described under IPFilterRule
                  [RFC6733]

      proto       The format is as described under IPFilterRule
                  [RFC6733]

      src and dst The format is as described under IPFilterRule
                  [RFC6733]

   The options are described in Section 4.4.9.

   The rule syntax is a modified subset of ipfw(8) from FreeBSD, and the
   ipfw.c code may provide a useful base for implementations.
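   An added example that is not part of RFC 7155 or of ipfw: a Python
   parser and first-match evaluator for the QoSFilterRule format above.
   dir, proto, src and dst follow the IPFilterRule syntax of RFC 6733
   (in/out; "ip" or a protocol number; any, assigned or address[/mask]
   with optional port lists and ranges); everything after dst is kept
   as opaque option tokens, and the DSCP and metering tokens in the
   constructed sample rules only mark where the Section 4.4.9 options
   would go.

```python
# Added example, not part of RFC 7155: parser and first-match evaluator for
# the QoSFilterRule format above.  dir, proto, src and dst use the IPFilterRule
# syntax of RFC 6733 Section 4.3.2; options are kept as opaque tokens.
import ipaddress
from dataclasses import dataclass, field
from typing import List, NamedTuple, Optional, Sequence, Tuple, Union
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

@dataclass
class Endpoint:
    keyword: Optional[str] = None      # "any" or "assigned"
    net: Optional[Network] = None      # address[/mask]
    ports: List[Tuple[int, int]] = field(default_factory=list)  # inclusive ranges

    def matches(self, addr: str, port: int, assigned: str) -> bool:
        ip = ipaddress.ip_address(addr)
        if self.keyword == "assigned":
            if ip != ipaddress.ip_address(assigned):
                return False
        elif self.keyword != "any" and ip not in self.net:
            return False
        return not self.ports or any(lo <= port <= hi for lo, hi in self.ports)

@dataclass
class QoSRule:
    action: str            # "tag" or "meter"
    direction: str         # "in" or "out"
    proto: Optional[int]   # None for the "ip" keyword (any protocol)
    src: Endpoint
    dst: Endpoint
    options: List[str]     # e.g. ["DSCP", "EF"]; not interpreted here

Packet = NamedTuple("Packet", [("direction", str), ("proto", int), ("src", str),
                               ("sport", int), ("dst", str), ("dport", int)])

def _parse_ports(spec: str) -> List[Tuple[int, int]]:
    ranges = []
    for item in spec.split(","):           # "80,443,4000-4999"
        lo, _, hi = item.partition("-")
        lo_n, hi_n = int(lo), int(hi or lo)
        if not 0 <= lo_n <= hi_n <= 65535:
            raise ValueError(f"bad port range {item!r}")
        ranges.append((lo_n, hi_n))
    return ranges

def _parse_endpoint(tokens: List[str], i: int) -> Tuple[Endpoint, int]:
    ep = Endpoint()
    if tokens[i] in ("any", "assigned"):
        ep.keyword = tokens[i]
    else:
        ep.net = ipaddress.ip_network(tokens[i], strict=False)
    i += 1
    if i < len(tokens) and tokens[i][0].isdigit():   # optional port list
        ep.ports = _parse_ports(tokens[i])
        i += 1
    return ep, i

def parse_rule(text: str) -> QoSRule:
    """action dir proto from src to dst [options]"""
    t = text.split()
    if (len(t) < 7 or t[0] not in ("tag", "meter")
            or t[1] not in ("in", "out") or t[3] != "from"):
        raise ValueError(f"malformed rule: {text!r}")
    proto = None if t[2] == "ip" else int(t[2])
    src, i = _parse_endpoint(t, 4)
    if i >= len(t) or t[i] != "to":
        raise ValueError(f"missing 'to' in rule: {text!r}")
    dst, i = _parse_endpoint(t, i + 1)
    return QoSRule(t[0], t[1], proto, src, dst, t[i:])

def compile_rules(texts: Sequence[str]) -> Tuple[List[QoSRule], List[str]]:
    """Rules the device cannot interpret are reported, not fatal: the
    session SHOULD NOT be terminated because of them."""
    good, rejected = [], []
    for text in texts:
        try:
            good.append(parse_rule(text))
        except (ValueError, IndexError):
            rejected.append(text)
    return good, rejected

def classify(rules: Sequence[QoSRule], pkt: Packet, assigned: str) -> Optional[QoSRule]:
    """Rules for the packet's direction are tried in order and the first match
    wins; None means no rule matched and the packet is best effort."""
    for r in rules:
        if r.direction != pkt.direction or (r.proto is not None and r.proto != pkt.proto):
            continue
        if r.src.matches(pkt.src, pkt.sport, assigned) and r.dst.matches(pkt.dst, pkt.dport, assigned):
            return r
    return None

# Constructed rule set; the third entry uses an action the device does not know.
SAMPLE_RULES = [
    "tag out 17 from assigned to 198.51.100.10 5060 DSCP EF",
    "meter out ip from assigned to any metering 512000 AF11 AF13",
    "shape in ip from any to any",
    "tag in 17 from 203.0.113.0/24 4000-4999,5004 to assigned DSCP AF41",
]
```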

4.2.  NAS Session AVPs

   Diameter reserves the AVP Codes 0 - 255 for RADIUS Attributes that
   are implemented in Diameter.

4.2.1.  Call and Session Information

   This section describes the AVPs specific to Diameter applications
   that are needed to identify the call and session context and status
   information.  On a request, this information allows the server to
   qualify the session.

   These AVPs are used in addition to the following AVPs from the
   Diameter Base protocol specification [RFC6733]:

      Session-Id, Auth-Application-Id, Origin-Host, Origin-Realm,
      Auth-Request-Type, Termination-Cause

   The following table gives the possible flag values for the session
   level AVPs.

                                            +-----------+
                                            | AVP Flag  |
                                            |   Rules   |
                                            |-----+-----|
                                            |MUST | MUST|
   Attribute Name          Section Defined  |     |  NOT|
   -----------------------------------------|-----+-----|
   NAS-Port                4.2.2            |  M  |  V  |
   NAS-Port-Id             4.2.3            |  M  |  V  |
   NAS-Port-Type           4.2.4            |  M  |  V  |
   Called-Station-Id       4.2.5            |  M  |  V  |
   Calling-Station-Id      4.2.6            |  M  |  V  |
   Connect-Info            4.2.7            |  M  |  V  |
   Originating-Line-Info   4.2.8            |  M  |  V  |
   Reply-Message           4.2.9            |  M  |  V  |
   -----------------------------------------|-----+-----|

4.2.2.  NAS-Port AVP

   The NAS-Port AVP (AVP Code 5) is of type Unsigned32 and contains the
   physical or virtual port number of the NAS, which authenticates the
   user.  Note that "port" is meant in its sense as a service connection
   on the NAS, not as an IP protocol identifier; hence, the format and
   contents of the string that identifies the port are specific to the
   NAS implementation.

   Either the NAS-Port AVP or the NAS-Port-Id AVP (Section 4.2.3) SHOULD
   be present in the AA-Request (AAR, Section 3.1) command if the NAS
   differentiates among its ports.

4.2.3.  NAS-Port-Id AVP

   The NAS-Port-Id AVP (AVP Code 87) is of type UTF8String and consists
   of 7-bit US-ASCII text identifying the port of the NAS authenticating
   the user.  Note that "port" is meant in its sense as a service
   connection on the NAS, not as an IP protocol identifier.

   Either the NAS-Port-Id AVP or the NAS-Port AVP (Section 4.2.2) SHOULD
   be present in the AA-Request (AAR, Section 3.1) command if the NAS
   differentiates among its ports.  NAS-Port-Id is intended for use by
   NASes that cannot conveniently number their ports.

4.2.4.  NAS-Port-Type AVP

   The NAS-Port-Type AVP (AVP Code 61) is of type Enumerated and
   contains the type of the port on which the NAS is authenticating the
   user.  This AVP SHOULD be present if the NAS uses the same NAS-Port
   number ranges for different service types concurrently.

   The currently supported values of the NAS-Port-Type AVP are listed in
   [RADIUSAttrVals].

4.2.5.  Called-Station-Id AVP

   The Called-Station-Id AVP (AVP Code 30) is of type UTF8String and
   contains a 7-bit US-ASCII string sent by the NAS to describe the
   Layer 2 address the user contacted in the request.  For dialup
   access, this can be a phone number obtained by using the Dialed
   Number Identification Service (DNIS) or a similar technology.  Note
   that this may be different from the phone number the call comes in
   on.  For use with IEEE 802 access, the Called-Station-Id MAY contain
   a Media Access Control (MAC) address formatted as described in
   [RFC3580].

   If the Called-Station-Id AVP is present in an AAR message, the Auth-
   Request-Type AVP is set to AUTHORIZE_ONLY, and the User-Name AVP is
   absent, the Diameter server MAY perform authorization based on this
   AVP.  This can be used by a NAS to request whether a call should be
   answered based on the DNIS result.

   Further codification of this field's allowed content and usage is
   outside the scope of this specification.

4.2.6.  Calling-Station-Id AVP

   The Calling-Station-Id AVP (AVP Code 31) is of type UTF8String and
   contains a 7-bit US-ASCII string sent by the NAS to describe the
   Layer 2 address from which the user connected in the request.  For
   dialup access, this is the phone number the call came from, using
   Automatic Number Identification (ANI) or a similar technology.  For
   use with IEEE 802 access, the Calling-Station-Id AVP MAY contain a
   MAC address, formatted as described in [RFC3580].

   If the Calling-Station-Id AVP is present in an AAR message, the Auth-
   Request-Type AVP is set to AUTHORIZE_ONLY, and the User-Name AVP is
   absent, the Diameter server MAY perform authorization based on the
   value of this AVP.  This can be used by a NAS to request whether a
   call should be answered based on the Layer 2 address (ANI, MAC
   address, etc.).

   Further codification of this field's allowed content and usage is
   outside the scope of this specification.

4.2.7.  Connect-Info AVP

   The Connect-Info AVP (AVP Code 77) is of type UTF8String and is sent
   in the AA-Request message or an ACR message with the value of the
   Accounting-Record-Type AVP set to STOP.  When sent in the AA-Request,
   it indicates the nature of the user's connection.  The connection
   speed SHOULD be included at the beginning of the first Connect-Info
   AVP in the message.  If the transmit and receive connection speeds
   differ, both may be included in the first AVP with the transmit speed
   listed first (the speed at which the NAS modem transmits), then a
   slash (/), then the receive speed, and then other optional
   information.

   For example: "28800 V42BIS/LAPM" or "52000/31200 V90"

   If sent in an ACR message with the value of the Accounting-Record-
   Type AVP set to STOP, this attribute may summarize statistics
   relating to session quality.  For example, in IEEE 802.11, the
   Connect-Info AVP may contain information on the number of link layer
   retransmissions.  The exact format of this attribute is
   implementation specific.
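
   The following Go program is an added example, not code from RFC 7155
   or from any Diameter implementation.  It parses Connect-Info values of
   the shape described above: the leading speed token (transmit, or
   transmit/receive) is split on its slash, and everything after the
   first space is kept as opaque text, so a slash inside the free-form
   part (as in "V42BIS/LAPM") is not mistaken for a speed separator.  A
   value that does not start with a speed, as an ACR STOP summary need
   not, is returned unparsed rather than rejected.  The "802.11
   retries=17" input is a constructed sample, not a format any vendor
   is known to use.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// ConnectInfo holds what can be recovered from an AA-Request Connect-Info value.
type ConnectInfo struct {
	HasSpeed bool   // false when the value does not start with a speed token
	TxSpeed  uint64 // bits per second, the speed at which the NAS modem transmits
	RxSpeed  uint64 // zero when the NAS sent a single speed
	Info     string // free-form remainder (the whole value when HasSpeed is false)
}

// ParseConnectInfo reads the leading "tx[/rx]" token and treats everything after
// the first space as opaque, so a slash in the free-form part is not a separator.
func ParseConnectInfo(v string) ConnectInfo {
	v = strings.TrimSpace(v)
	head, rest, _ := strings.Cut(v, " ")
	tx, rx, ok := parseSpeeds(head)
	if !ok {
		// No leading speed: permitted by the text, and the usual shape in ACR STOP.
		return ConnectInfo{Info: v}
	}
	return ConnectInfo{HasSpeed: true, TxSpeed: tx, RxSpeed: rx, Info: strings.TrimSpace(rest)}
}

// parseSpeeds accepts "52000" or "52000/31200"; anything else is not a speed token.
func parseSpeeds(tok string) (uint64, uint64, bool) {
	a, b, hasSlash := strings.Cut(tok, "/")
	tx, err := strconv.ParseUint(a, 10, 64)
	if err != nil {
		return 0, 0, false
	}
	var rx uint64
	if hasSlash {
		if rx, err = strconv.ParseUint(b, 10, 64); err != nil {
			return 0, 0, false
		}
	}
	return tx, rx, true
}

func main() {
	// The two example values from the text plus a constructed ACR STOP summary.
	for _, v := range []string{"28800 V42BIS/LAPM", "52000/31200 V90", "802.11 retries=17"} {
		fmt.Printf("%q -> %+v\n", v, ParseConnectInfo(v))
	}
}
```

   Because the AVP is a free-form UTF8String supplied by the NAS, the
   parser never rejects input it does not understand; it only commits
   to numeric fields when the leading token really is numeric.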

4.2.8.  Originating-Line-Info AVP

   The Originating-Line-Info AVP (AVP Code 94) is of type OctetString
   and is sent by the NAS system to convey information about the origin
   of the call from a Signaling System 7 (SS7).

   The Originating Line Information (OLI) element indicates the nature
   and/or characteristics of the line from which a call originated
   (e.g., pay phone, hotel phone, cellular phone).  Telephone companies
   are starting to offer OLI to their customers as an option over
   Primary Rate Interface (PRI).  Internet Service Providers (ISPs) can
   use OLI in addition to Called-Station-Id and Calling-Station-Id
   attributes to differentiate customer calls and to define different
   services.

   The Value field contains two octets (00 - 99).  ANSI T1.113 and
   BELLCORE 394 can be used for additional information about these
   values and their use.  For information on the currently assigned
   values, see [ANITypes].

4.2.9.  Reply-Message AVP

   The Reply-Message AVP (AVP Code 18) is of type UTF8String and
   contains text that MAY be displayed to the user.  When used in an AA-
   Answer message with a successful Result-Code AVP, it indicates
   success.  When found in an AAA message with a Result-Code other than
   DIAMETER_SUCCESS, the AVP contains a failure message.

   The Reply-Message AVP MAY contain text to prompt the user before
   another AA-Request attempt.  When used in an AA-Answer message
   containing a Result-Code AVP with the value DIAMETER_MULTI_ROUND_AUTH
   or in a Re-Auth-Request message, it MAY contain text to prompt the
   user for a response.

4.3.  NAS Authentication AVPs

   This section defines the AVPs necessary to carry the authentication
   information in the Diameter protocol.  The functionality defined here
   provides a RADIUS-like Authentication, Authorization, and Accounting
   service [RFC2865] over a more reliable and secure transport, as
   defined in the Diameter Base protocol [RFC6733].

   The following table gives the possible flag values for the session
   level AVPs.

                                            +----------+
                                            | AVP Flag |
                                            |  Rules   |
                                            |----+-----|
                                            |MUST| MUST|
   Attribute Name           Section Defined |    |  NOT|
   -----------------------------------------|----+-----|
   User-Password                 4.3.1      | M  |  V  |
   Password-Retry                4.3.2      | M  |  V  |
   Prompt                        4.3.3      | M  |  V  |
   CHAP-Auth                     4.3.4      | M  |  V  |
   CHAP-Algorithm                4.3.5      | M  |  V  |
   CHAP-Ident                    4.3.6      | M  |  V  |
   CHAP-Response                 4.3.7      | M  |  V  |
   CHAP-Challenge                4.3.8      | M  |  V  |
   ARAP-Password                 4.3.9      | M  |  V  |
   ARAP-Challenge-Response       4.3.10     | M  |  V  |
   ARAP-Security                 4.3.11     | M  |  V  |
   ARAP-Security-Data            4.3.12     | M  |  V  |
   -----------------------------------------|----+-----|

4.3.1.  User-Password AVP

   The User-Password AVP (AVP Code 2) is of type OctetString and
   contains the password of the user to be authenticated or the user's
   input in a multi-round authentication exchange.

   The User-Password AVP contains a user password or one-time password
   and therefore represents sensitive information.  As required by the
   Diameter Base protocol [RFC6733], Diameter messages are protected in
   transit by IPsec [RFC4301] or Transport Layer Security (TLS)
   [RFC5246].  That protection is hop-by-hop: each Diameter agent that
   handles the message sees the password in clear text.  Unless this
   AVP is used for one-time passwords, the User-Password AVP SHOULD NOT
   be used in untrusted proxy environments without encrypting it by
   using end-to-end security techniques.

   The clear-text password (prior to any such encryption) MUST NOT be
   longer than 128 octets.

4.3.2.  Password-Retry AVP

   The Password-Retry AVP (AVP Code 75) is of type Unsigned32 and MAY be
   included in the AA-Answer if the Result-Code indicates an
   authentication failure.  The value of this AVP indicates how many
   authentication attempts a user is permitted before being
   disconnected.  This AVP is primarily intended for use when the
   Framed-Protocol AVP (Section 4.4.10.1) is set to ARAP.

4.3.3.  Prompt AVP

   The Prompt AVP (AVP Code 76) is of type Enumerated and MAY be present
   in the AA-Answer message.  When present, it is used by the NAS to
   determine whether the user's response, when entered, should be
   echoed.

   The supported values are listed in [RADIUSAttrVals].

4.3.4.  CHAP-Auth AVP

   The CHAP-Auth AVP (AVP Code 402) is of type Grouped and contains the
   information necessary to authenticate a user using the PPP Challenge-
   Handshake Authentication Protocol (CHAP) [RFC1994].  If the CHAP-Auth
   AVP is found in a message, the CHAP-Challenge AVP (Section 4.3.8)
   MUST be present as well.  The optional AVPs containing the CHAP
   response depend upon the value of the CHAP-Algorithm AVP
   (Section 4.3.5).  The grouped AVP has the following ABNF [RFC5234]
   grammar:

   CHAP-Auth  ::= < AVP Header: 402 >
                  { CHAP-Algorithm }
                  { CHAP-Ident }
                  [ CHAP-Response ]
                * [ AVP ]

4.3.5.  CHAP-Algorithm AVP

   The CHAP-Algorithm AVP (AVP Code 403) is of type Enumerated and
   contains the algorithm identifier used in the computation of the CHAP
   response [RFC1994].  The following values are currently supported:

   CHAP with MD5       5

      The CHAP response is computed by using the procedure described in
      [RFC1994].  This algorithm requires that the CHAP-Response AVP
      (Section 4.3.7) MUST be present in the CHAP-Auth AVP
      (Section 4.3.4).

4.3.6.  CHAP-Ident AVP

   The CHAP-Ident AVP (AVP Code 404) is of type OctetString and contains
   the 1 octet CHAP Identifier used in the computation of the CHAP
   response [RFC1994].

4.3.7.  CHAP-Response AVP

   The CHAP-Response AVP (AVP Code 405) is of type OctetString and
   contains the 16-octet authentication data provided by the user in
   response to the CHAP challenge [RFC1994].

4.3.8.  CHAP-Challenge AVP

   The CHAP-Challenge AVP (AVP Code 60) is of type OctetString and
   contains the CHAP Challenge sent by the NAS to the CHAP peer
   [RFC1994].
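
   The following Go program is an added example covering Sections 4.3.4
   through 4.3.8; it is not code from RFC 7155 or from any Diameter
   stack.  The NAS side builds the CHAP-Challenge AVP and the CHAP-Auth
   grouped AVP (RFC 6733 AVP header, M flag set, 4-octet padding); the
   server side parses them, enforces the rules above (CHAP-Challenge
   must accompany CHAP-Auth, CHAP-Algorithm 5 requires a 16-octet
   CHAP-Response, CHAP-Ident is one octet), recomputes
   MD5(Identifier || secret || Challenge) as in RFC 1994, and compares
   in constant time.  The minimal AVP codec is written for this example,
   and the secret, identifier and challenge values are constructed.

```go
package main

import (
	"crypto/md5"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// AVP codes from this section (M flag set, V clear), the "CHAP with MD5" value, header flag bits.
const (
	avpCHAPChallenge, avpCHAPAuth                   = 60, 402
	avpCHAPAlgorithm, avpCHAPIdent, avpCHAPResponse = 403, 404, 405
	chapAlgMD5, flagV, flagM                        = 5, 0x80, 0x40
)

// encodeAVP adds the RFC 6733 header (no Vendor-ID) and pads to 4 octets; Length excludes padding.
func encodeAVP(code uint32, data []byte) []byte {
	length := 8 + len(data)
	buf := make([]byte, 8, length+3)
	binary.BigEndian.PutUint32(buf[0:4], code)
	buf[4] = flagM
	buf[5], buf[6], buf[7] = byte(length>>16), byte(length>>8), byte(length)
	buf = append(buf, data...)
	for len(buf)%4 != 0 {
		buf = append(buf, 0)
	}
	return buf
}

// decodeAVPs parses a padded run of AVPs into code -> data, rejecting Lengths that overrun the buffer.
func decodeAVPs(b []byte) (map[uint32][]byte, error) {
	out := map[uint32][]byte{}
	for len(b) > 0 {
		if len(b) < 8 {
			return nil, errors.New("truncated AVP header")
		}
		code := binary.BigEndian.Uint32(b[0:4])
		length := int(b[5])<<16 | int(b[6])<<8 | int(b[7])
		hdr := 8
		if b[4]&flagV != 0 { // Vendor-ID field present
			hdr = 12
		}
		next := (length + 3) &^ 3 // data plus padding
		if length < hdr || next > len(b) {
			return nil, fmt.Errorf("bad AVP length %d for code %d", length, code)
		}
		out[code] = b[hdr:length]
		b = b[next:]
	}
	return out, nil
}

// chapMD5 is the RFC 1994 response: MD5(Identifier || secret || Challenge).
func chapMD5(ident byte, secret, challenge []byte) []byte {
	sum := md5.Sum(append(append([]byte{ident}, secret...), challenge...))
	return sum[:]
}

// BuildCHAPAVPs (NAS side): CHAP-Challenge followed by the CHAP-Auth grouped AVP, as sent in the AAR.
func BuildCHAPAVPs(ident byte, secret, challenge []byte) []byte {
	alg := make([]byte, 4)
	binary.BigEndian.PutUint32(alg, chapAlgMD5)
	group := encodeAVP(avpCHAPAlgorithm, alg)
	group = append(group, encodeAVP(avpCHAPIdent, []byte{ident})...)
	group = append(group, encodeAVP(avpCHAPResponse, chapMD5(ident, secret, challenge))...)
	return append(encodeAVP(avpCHAPChallenge, challenge), encodeAVP(avpCHAPAuth, group)...)
}

// VerifyCHAPAVPs (server side): enforces the rules above, recomputes the response, compares in constant time.
func VerifyCHAPAVPs(avps, secret []byte) (bool, error) {
	top, err := decodeAVPs(avps)
	if err != nil {
		return false, err
	}
	auth, challenge := top[avpCHAPAuth], top[avpCHAPChallenge]
	if auth == nil || challenge == nil {
		return false, errors.New("CHAP-Auth and CHAP-Challenge must both be present")
	}
	inner, err := decodeAVPs(auth)
	if err != nil {
		return false, err
	}
	alg, ident, resp := inner[avpCHAPAlgorithm], inner[avpCHAPIdent], inner[avpCHAPResponse]
	if len(alg) != 4 || binary.BigEndian.Uint32(alg) != chapAlgMD5 || len(ident) != 1 || len(resp) != md5.Size {
		return false, errors.New("need CHAP-Algorithm 5, a 1-octet CHAP-Ident and a 16-octet CHAP-Response")
	}
	return subtle.ConstantTimeCompare(chapMD5(ident[0], secret, challenge), resp) == 1, nil
}

func main() {
	secret := []byte("correct horse") // constructed sample values, not a real capture
	challenge := []byte{0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04}
	avps := BuildCHAPAVPs(0x2a, secret, challenge)
	fmt.Println(VerifyCHAPAVPs(avps, secret))          // true <nil>
	fmt.Println(VerifyCHAPAVPs(avps, []byte("wrong"))) // false <nil>
}
```

   Two properties of this exchange matter in deployment: the server
   must hold the user's clear-text secret to recompute the hash, and a
   captured CHAP-Challenge/CHAP-Response pair permits an offline
   dictionary attack on weak passwords.  The length check in decodeAVPs
   is what stops a forged AVP Length from indexing past the message.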

4.3.9.  ARAP-Password AVP

   The ARAP-Password AVP (AVP Code 70) is of type OctetString and is
   only present when the Framed-Protocol AVP (Section 4.4.10.1) is
   included in the message and is set to ARAP.  This AVP MUST NOT be
   present if either the User-Password or the CHAP-Auth AVP is present.
   See [RFC2869] for more information on the contents of this AVP.

4.3.10.  ARAP-Challenge-Response AVP

   The ARAP-Challenge-Response AVP (AVP Code 84) is of type OctetString
   and is only present when the Framed-Protocol AVP (Section 4.4.10.1)
   is included in the message and is set to ARAP.  This AVP contains an
   8-octet response to the dial-in client's challenge.  The Diameter
   server calculates this value by taking the dial-in client's challenge
   from the high-order 8 octets of the ARAP-Password AVP and performing
   DES encryption on this value with the authenticating user's password
   as the key.  If the user's password is fewer than 8 octets in length,
   the password is padded at the end with NULL octets to a length of 8
   before it is used as a key.
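
   The computation in the paragraph above, as an added Go example (not
   code from RFC 7155 or from any ARAP implementation): the client's
   challenge is taken from the high-order 8 octets of ARAP-Password, the
   password is padded with NUL octets to 8, and one DES block encryption
   produces the 8-octet ARAP-Challenge-Response value.  Passwords longer
   than 8 octets are rejected because this page does not define their
   handling; that choice, and the sample values, belong to the example.

```go
package main

import (
	"crypto/des"
	"errors"
	"fmt"
)

// arapKey pads a password shorter than 8 octets with NUL octets, as the text
// describes. Longer passwords are rejected here: this page does not define
// how they are handled (an assumption of this example, not of the RFC).
func arapKey(password []byte) ([]byte, error) {
	if len(password) > des.BlockSize {
		return nil, errors.New("password longer than 8 octets: handling not defined here")
	}
	key := make([]byte, des.BlockSize)
	copy(key, password)
	return key, nil
}

// ARAPChallengeResponse is the server-side computation: a single DES block
// encryption of the client's challenge (high-order 8 octets of ARAP-Password)
// under the NUL-padded password. The remaining octets are not used here.
func ARAPChallengeResponse(arapPassword, password []byte) ([]byte, error) {
	if len(arapPassword) < des.BlockSize {
		return nil, errors.New("ARAP-Password shorter than 8 octets")
	}
	key, err := arapKey(password)
	if err != nil {
		return nil, err
	}
	block, err := des.NewCipher(key) // single DES, 56-bit effective key
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	block.Encrypt(out, arapPassword[:des.BlockSize])
	return out, nil
}

func main() {
	// Constructed 16-octet ARAP-Password value; only the first 8 octets matter here.
	arapPassword := []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0, 0, 0, 0, 0, 0, 0, 0}
	resp, err := ARAPChallengeResponse(arapPassword, []byte("pass"))
	fmt.Printf("ARAP-Challenge-Response: %x (err=%v)\n", resp, err)
}
```

   Single DES keyed directly from the password gives at most 56 bits of
   key, and in practice only the entropy of the password: anyone who
   captures the challenge and this response can recover the password
   offline.  This is legacy behaviour to support for compatibility, not
   a design to reuse.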

4.3.11.  ARAP-Security AVP

   The ARAP-Security AVP (AVP Code 73) is of type Unsigned32 and MAY be
   present in the AA-Answer message if the Framed-Protocol AVP
   (Section 4.4.10.1) is set to the value of ARAP, and the Result-Code
   AVP ([RFC6733], Section 7.1) is set to DIAMETER_MULTI_ROUND_AUTH.
   See [RFC2869] for more information on the contents of this AVP.

4.3.12.  ARAP-Security-Data AVP

   The ARAP-Security-Data AVP (AVP Code 74) is of type OctetString and
   MAY be present in the AA-Request or AA-Answer message if the Framed-
   Protocol AVP (Section 4.4.10.1) is set to the value of ARAP and the
   Result-Code AVP ([RFC6733], Section 7.1) is set to
   DIAMETER_MULTI_ROUND_AUTH.  This AVP contains the security module
   challenge or response associated with the ARAP Security Module
   specified in the ARAP-Security AVP (Section 4.3.11).


