Radius
https://ja.wikipedia.org/wiki/RADIUS
"This page has been flagged as a possible copyright infringement, and a fact-finding investigation has been requested."
I do not know where that page was copied from. To understand RADIUS from the IETF RFCs (Request for Comments) alone, I start by reading the RFCs themselves.
Depending on the purpose, I assume four ways of reading: read everything; read everything plus every RFC that each of those RFCs references; read only the documents currently in force; or read only the documents that are currently important.
<This entry is a work in progress. It will be extended over time.>
Read only the important documents
Read a well-known book on RADIUS, then read only the RFCs listed in its bibliography or cited in it.
With this approach, the goal of this exercise, understanding RADIUS from the RFCs alone, is no longer met.
Read only the documents currently in force
From the search results below, read everything that is not marked Obsoleted.
Start here.
First, read only those that have RADIUS in the title (1).
RFC editor search
https://www.rfc-editor.org/search/rfc_search.php
A URL is attached to each one I have read.
After working through a little of this,
it seems reasonable to treat the five documents RFC 2865, 2866, 2867, 2868 and 2869 as the core documents.
If the structure had changed, the previous document would have been obsoleted and a new document number assigned.
(Some protocols keep issuing new documents, while others keep the old document and Update it, so the absence of a new number does not necessarily mean a document is not core.)
Read all the RADIUS RFCs
Below are the results of searching RFC Editor Search for RADIUS.
For other protocols, I recall some documents in which the abbreviation did not appear at all.
While reading through everything, check whether related or amending documents are missing from this list.
Also read the RFCs referenced by the RADIUS RFCs
Without understanding the referenced RFCs, essential points may remain unclear.
For example,
[4] Postel, J., "User Datagram Protocol", STD 6, RFC 768, August 1980.
is a protocol that coexists with TCP, and it is important: whether a protocol runs over TCP or over UDP decides whether the characteristics of the protocol above it come into play. Such an essential reference and an RFC referenced only for a minor adjustment may differ in how necessary they are to read.
This time I have not weighted the referenced protocols. (I do not understand them well enough to assess their importance.)
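As an added example (not code from the original post), the reading strategies above applied to a small dependency graph. The rows are a constructed subset of the RFC table on this page (Obsoletes / Updates / Updated by relations and the RFC-numbered references of RFC 2865 and 2866); the functions compute which documents are still in force, which look like core documents by the "new number on structural change" heuristic, the transitive "Updated by" closure, and a reading list that follows obsoleted references to their current edition.

```python
from collections import deque

# Constructed sample: a subset of this page's RFC table.
# number -> (obsoletes, updates, updated_by, obsoleted_by)
RFC_ROWS = {
    2058: ([],     [],                 [],                             2138),
    2138: ([2058], [],                 [],                             2865),
    2139: ([2059], [],                 [],                             2866),
    2865: ([2138], [],                 [2868, 3575, 5080, 6929, 8044], None),
    2866: ([2139], [],                 [2867, 5080, 5997],             None),
    2867: ([],     [2866],             [],                             None),
    2868: ([],     [2865],             [3575],                         None),
    2869: ([],     [],                 [3579, 5080],                   None),
    3579: ([],     [2869],             [5080],                         None),
    6929: ([],     [2865, 3575, 6158], [],                             None),
}

# RFC-numbered references of two core documents, as listed on this page.
REFERENCES = {
    2865: [2138, 2119, 1321, 768, 2866, 1700, 2279, 2486, 1144, 1990, 2434, 1352],
    2866: [2139, 2865, 2119, 768, 1321, 1700, 2279, 2434],
}


def currently_effective(rows):
    """Strategy 'read only the documents currently in force':
    keep the RFCs the table does not mark as obsoleted."""
    return sorted(n for n, (_, _, _, ob) in rows.items() if ob is None)


def core_candidates(rows):
    """Heuristic from the text: an RFC that replaced an older number and has
    not itself been obsoleted is probably a core document."""
    return sorted(n for n, (obs, _, _, ob) in rows.items() if obs and ob is None)


def update_closure(rows, start):
    """Transitive 'Updated by' closure in breadth-first order: every document
    that amends `start`, and every document that amends those amendments."""
    seen, order, queue = {start}, [], deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in rows.get(cur, ([], [], [], None))[2]:
            if nxt not in seen:
                seen.add(nxt)
                order.append(nxt)
                queue.append(nxt)
    return order


def successor(rows, num):
    """Follow 'Obsoleted by' links to the current edition of a reference.
    Numbers absent from the table (e.g. RFC 768) are returned unchanged."""
    while num in rows and rows[num][3] is not None:
        num = rows[num][3]
    return num


def reading_list(rows, refs, start):
    """Reading order for one document: the document itself, the documents
    that update it, then its references mapped to their current editions."""
    order = [start] + update_closure(rows, start)
    for ref in refs.get(start, []):
        cur = successor(rows, ref)
        if cur not in order:
            order.append(cur)
    return order


if __name__ == "__main__":
    print("in force:      ", currently_effective(RFC_ROWS))
    print("core candidates:", core_candidates(RFC_ROWS))
    print("2865 updated by:", update_closure(RFC_ROWS, 2865))
    print("read for 2865:  ", reading_list(RFC_ROWS, REFERENCES, 2865))
```

Extending `RFC_ROWS` with the remaining rows of the table turns this into the check the text asks for: whether any amending document is missing from the list.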
Reference material
Overview of the RADIUS protocol
https://qiita.com/noppe78/items/2fb87f45200ad09195ec
Notes from migrating a single-node RADIUS server to an HA environment
https://qiita.com/nagase/items/8316e02f16acf4567326
MFA-authenticated VPN with SoftEther + (Radius + Google-Authenticator)
https://qiita.com/m0559reen/items/87d86968f5cc36fbff1c
Where I got stuck implementing MFA for AWS WorkSpaces with OneLogin's RADIUS
https://qiita.com/14kw/items/f2b7790a57b06e292810
EAP-TLS authentication using Cisco WLC and FreeRADIUS
https://qiita.com/haruca_tech/items/a9cf4a9168f325e65513
FreeRADIUS
https://qiita.com/eiuemura/items/3dcad222a9a295359b10
Steps to build a RADIUS server on EC2
https://qiita.com/tokino/items/e9e17ec6f253e86bff4e
List
| Number | Title | Authors | Date | More Info | Status |
|:--|:--|:--|:--|:--|:--|
|2058 | Remote Authentication Dial In User Service (RADIUS) | C. Rigney, A. Rubens, W. Simpson, S. Willens | January 1997 | Obsoleted by RFC 2138 |P.S.|
|2059 | RADIUS Accounting | C. Rigney | January 1997 | Obsoleted by RFC 2139 |Inf.|
|2107 | Ascend Tunnel Management Protocol - ATMP | K. Hamzeh | February 1997 | |Inf.|
|2138 | Remote Authentication Dial In User Service (RADIUS) | C. Rigney, A. Rubens, W. Simpson, S. Willens | April 1997 | Obsoletes RFC 2058, Obsoleted by RFC 2865 |P.S.|
|2139 | RADIUS Accounting | C. Rigney | April 1997 | Obsoletes RFC 2059, Obsoleted by RFC 2866 |Inf.|
|2548 | Microsoft Vendor-specific RADIUS Attributes | G. Zorn | March 1999 | Errata |Inf.|
|2607 | Proxy Chaining and Policy Implementation in Roaming | B. Aboba, J. Vollbrecht | June 1999 | |Inf.|
|2618 | RADIUS Authentication Client MIB | B. Aboba, G. Zorn | June 1999 | Obsoleted by RFC 4668 |P.S.|
|2619 | RADIUS Authentication Server MIB | G. Zorn, B. Aboba | June 1999 | Obsoleted by RFC 4669 |P.S.|
|2620 | RADIUS Accounting Client MIB | B. Aboba, G. Zorn | June 1999 | Obsoleted by RFC 4670 |Inf.|
|2621 | RADIUS Accounting Server MIB | G. Zorn, B. Aboba | June 1999 | Obsoleted by RFC 4671 |Inf.|
|2809 | Implementation of L2TP Compulsory Tunneling via RADIUS | B. Aboba, G. Zorn | April 2000 | |Inf.|
|2865 | Remote Authentication Dial In User Service (RADIUS) https://www.rfc-editor.org/rfc/rfc2865.txt | C. Rigney, S. Willens, A. Rubens, W. Simpson | June 2000 | Errata, Obsoletes RFC 2138, Updated by RFC 2868, RFC 3575, RFC 5080, RFC 6929, RFC 8044 | D.S. |
|2866 | RADIUS Accounting https://www.rfc-editor.org/rfc/rfc2866.txt | C. Rigney | June 2000 | Errata, Obsoletes RFC 2139, Updated by RFC 2867, RFC 5080, RFC 5997 |Inf.|
|2867 | RADIUS Accounting Modifications for Tunnel Protocol Support https://www.rfc-editor.org/rfc/rfc2867.txt | G. Zorn, B. Aboba, D. Mitton | June 2000 | Errata, Updates RFC 2866 |Inf.|
|2868 | RADIUS Attributes for Tunnel Protocol Support https://www.rfc-editor.org/rfc/rfc2868.txt | G. Zorn, D. Leifer, A. Rubens, J. Shriver, M. Holdrege, I. Goyret | June 2000 | Errata, Updates RFC 2865, Updated by RFC 3575 |Inf.|
|2869 | RADIUS Extensions https://www.rfc-editor.org/rfc/rfc2869.txt | C. Rigney, W. Willats, P. Calhoun | June 2000 | Updated by RFC 3579, RFC 5080 |Inf.|
|2881 | Network Access Server Requirements Next Generation (NASREQNG) NAS Model | D. Mitton, M. Beadles | July 2000 | |Inf.|
|2882 | Network Access Servers Requirements: Extended RADIUS Practices | D. Mitton | July 2000 | |Inf.|
|3162 | RADIUS and IPv6 | B. Aboba, G. Zorn, D. Mitton | August 2001 | Errata, Updated by RFC 8044 |P.S.|
|3575 | IANA Considerations for RADIUS (Remote Authentication Dial In User Service) | B. Aboba | July 2003 | Errata, Updates RFC 2865, RFC 2868, Updated by RFC 6929 |P.S.|
|3576 | Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS) | M. Chiba, G. Dommety, M. Eklund, D. Mitton, B. Aboba | July 2003 | Obsoleted by RFC 5176 |Inf.|
|3579 | RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP) https://www.ietf.org/rfc/rfc3579.txt | B. Aboba, P. Calhoun | September 2003 | Updates RFC 2869, Updated by RFC 5080 |Inf.|
|3580 | IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines | P. Congdon, B. Aboba, A. Smith, G. Zorn, J. Roese | September 2003 | Errata, Updated by RFC 7268 |Inf.|
|4005 | Diameter Network Access Server Application | P. Calhoun, G. Zorn, D. Spence, D. Mitton | August 2005 | Errata, Obsoleted by RFC 7155 |P.S.|
|4014 | Remote Authentication Dial-In User Service (RADIUS) Attributes Suboption for the Dynamic Host Configuration Protocol (DHCP) Relay Agent Information Option | R. Droms, J. Schnizlein | February 2005 | |P.S.|
|4372 | Chargeable User Identity | F. Adrangi, A. Lior, J. Korhonen, J. Loughney | January 2006 | |P.S.|
|4590 | RADIUS Extension for Digest Authentication | B. Sterman, D. Sadolevsky, D. Schwartz, D. Williams, W. Beck | July 2006 | Errata, Obsoleted by RFC 5090 |P.S.|
|4603 | Additional Values for the NAS-Port-Type Attribute | G. Zorn, G. Weber, R. Foltak | July 2006 | |Inf.|
|4668 | RADIUS Authentication Client MIB for IPv6 | D. Nelson | August 2006 | Errata, Obsoletes RFC 2618 |P.S.|
|4669 | RADIUS Authentication Server MIB for IPv6 | D. Nelson | August 2006 | Errata, Obsoletes RFC 2619 |P.S.|
|4670 | RADIUS Accounting Client MIB for IPv6 | D. Nelson | August 2006 | Errata, Obsoletes RFC 2620 |Inf.|
|4671 | RADIUS Accounting Server MIB for IPv6 | D. Nelson | August 2006 | Errata, Obsoletes RFC 2621 |Inf.|
|4672 | RADIUS Dynamic Authorization Client MIB | S. De Cnodder, N. Jonnala, M. Chiba | September 2006 | Errata |Inf.|
|4673 | RADIUS Dynamic Authorization Server MIB | S. De Cnodder, N. Jonnala, M. Chiba | September 2006 | Errata |Inf.|
|4675 | RADIUS Attributes for Virtual LAN and Priority Support | P. Congdon, M. Sanchez, B. Aboba | September 2006 | Errata |P.S.|
|4679 | DSL Forum Vendor-Specific RADIUS Attributes | V. Mammoliti, G. Zorn, P. Arberg, R. Rennison | September 2006 | Errata |Inf.|
|4818 | RADIUS Delegated-IPv6-Prefix Attribute | J. Salowey, R. Droms | April 2007 | |P.S.|
|4849 | RADIUS Filter Rule Attribute | P. Congdon, M. Sanchez, B. Aboba | April 2007 | |P.S.|
|5030 | Mobile IPv4 RADIUS Requirements | M. Nakhjiri, Ed., K. Chowdhury, A. Lior, K. Leung | October 2007 | |Inf.|
|5080 | Common Remote Authentication Dial In User Service (RADIUS) Implementation Issues and Suggested Fixes | D. Nelson, A. DeKok | December 2007 | Errata, Updates RFC 2865, RFC 2866, RFC 2869, RFC 3579 |P.S.|
|5090 | RADIUS Extension for Digest Authentication | B. Sterman, D. Sadolevsky, D. Schwartz, D. Williams, W. Beck | February 2008 | Errata, Obsoletes RFC 4590 |P.S.|
|5176 | Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS) | M. Chiba, G. Dommety, M. Eklund, D. Mitton, B. Aboba | January 2008 | Errata, Obsoletes RFC 3576 |Inf.|
|5580 | Carrying Location Objects in RADIUS and Diameter | H. Tschofenig, Ed., F. Adrangi, M. Jones, A. Lior, B. Aboba | August 2009 | Errata |P.S.|
|5607 | Remote Authentication Dial-In User Service (RADIUS) Authorization for Network Access Server (NAS) Management | D. Nelson, G. Weber | July 2009 | |P.S.|
|5608 | Remote Authentication Dial-In User Service (RADIUS) Usage for Simple Network Management Protocol (SNMP) Transport Models | K. Narayan, D. Nelson | August 2009 | Errata |P.S.|
|5904 | RADIUS Attributes for IEEE 802.16 Privacy Key Management Version 1 (PKMv1) Protocol Support | G. Zorn | June 2010 | |Inf.|
|5997 | Use of Status-Server Packets in the Remote Authentication Dial In User Service (RADIUS) Protocol | A. DeKok | August 2010 | Errata, Updates RFC 2866 |Inf.|
|6065 | Using Authentication, Authorization, and Accounting Services to Dynamically Provision View-Based Access Control Model User-to-Group Mappings | K. Narayan, D. Nelson, R. Presuhn, Ed. | December 2010 | |P.S.|
|6158 a.k.a. BCP 158 |RADIUS Design Guidelines | A. DeKok, Ed., G. Weber | March 2011 | Updated by RFC 6929, RFC 8044 |B.C.P.|
|6218 |Cisco Vendor-Specific RADIUS Attributes for the Delivery of Keying Material | G. Zorn, T. Zhang, J. Walker, J. Salowey | April 2011 | Errata |Inf.|
|6421 | Crypto-Agility Requirements for Remote Authentication Dial-In User Service (RADIUS) | D. Nelson, Ed. | November 2011 | |Inf.|
|6519 | RADIUS Extensions for Dual-Stack Lite | R. Maglione, A. Durand | February 2012 | Errata |P.S.|
|6572 | RADIUS Support for Proxy Mobile IPv6 | F. Xia, B. Sarikaya, J. Korhonen, Ed., S. Gundavelli, D. Damic | June 2012 | Updated by RFC 8044 |P.S.|
|6613 | RADIUS over TCP | A. DeKok | May 2012 | Updated by RFC 7930 |Exp.|
|6614 | Transport Layer Security (TLS) Encryption for RADIUS | S. Winter, M. McCauley, S. Venaas, K. Wierenga | May 2012 | |Exp.|
|6911 | RADIUS Attributes for IPv6 Access Networks | W. Dec, Ed., B. Sarikaya, G. Zorn, Ed., D. Miles, B. Lourdelet | April 2013 | |P.S.|
|6929 | Remote Authentication Dial In User Service (RADIUS) Protocol Extensions | A. DeKok, A. Lior | April 2013 | Updates RFC 2865, RFC 3575, RFC 6158 |P.S.|
|6930 |RADIUS Attribute for IPv6 Rapid Deployment on IPv4 Infrastructures (6rd) | D. Guo, S. Jiang, Ed., R. Despres, R. Maglione | April 2013 | Errata |P.S.|
|7037 | RADIUS Option for the DHCPv6 Relay Agent | L. Yeh, M. Boucadair | October 2013 | |P.S.|
|7268 | RADIUS Attributes for IEEE 802 Networks | B. Aboba, J. Malinen, P. Congdon, J. Salowey, M. Jones | July 2014 | Updates RFC 3580, RFC 4072, Updated by RFC 8044 |P.S.|
|7360 | Datagram Transport Layer Security (DTLS) as a Transport Layer for RADIUS | A. DeKok | September 2014 | |Exp.|
|7499 | Support of Fragmentation of RADIUS Packets | A. Perez-Mendez, Ed., R. Marin-Lopez, F. Pereniguez-Garcia, G. Lopez-Millan, D. Lopez, A. DeKok | April 2015 | |Exp.|
|7585 | Dynamic Peer Discovery for RADIUS/TLS and RADIUS/DTLS Based on the Network Access Identifier (NAI) | S. Winter, M. McCauley | October 2015 | Errata |Exp.|
|7593 | The eduroam Architecture for Network Roaming | K. Wierenga, S. Winter, T. Wolniewicz | September 2015 | Errata |Inf.|
|7831 | Application Bridging for Federated Access Beyond Web (ABFAB) Architecture | J. Howlett, S. Hartman, H. Tschofenig, J. Schaad | May 2016 | |Inf.|
|7832 | Application Bridging for Federated Access Beyond Web (ABFAB) Use Cases | R. Smith, Ed. | May 2016 | |Inf.|
|7833 | A RADIUS Attribute, Binding, Profiles, Name Identifier Format, and Confirmation Methods for the Security Assertion Markup Language (SAML) | J. Howlett, S. Hartman, A. Perez-Mendez, Ed. | May 2016 | |P.S.|
|7930 | Larger Packets for RADIUS over TCP | S. Hartman | August 2016 | Updates RFC 6613 |Exp.|
|8044 |Data Types in RADIUS | A. DeKok | January 2017 | Updates RFC 2865, RFC 3162, RFC 4072, RFC 6158, RFC 6572, RFC 7268 |P.S.|
|8045 | RADIUS Extensions for IP Port Configuration and Reporting | D. Cheng, J. Korhonen, M. Boucadair, S. Sivakumar | January 2017 | Errata |P.S.|
Best Current Practice: B.C.P.
Draft Standard: D.S.
Experimental: Exp.
Informational: Inf.
Proposed Standard: P.S.
RFC 2865
Remote Authentication Dial In User Service (RADIUS) https://www.rfc-editor.org/rfc/rfc2865.txt C. Rigney, S. Willens, A. Rubens, W. Simpson June 2000 Errata, Obsoletes RFC 2138, Updated by RFC 2868, RFC 3575, RFC 5080, RFC 6929, RFC 8044 Draft Standard
References
[1] Rigney, C., Rubens, A., Simpson, W. and S. Willens, "Remote Authentication Dial In User Service (RADIUS)", RFC 2138, April 1997.
[2] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March, 1997.
[3] Rivest, R. and S. Dusse, "The MD5 Message-Digest Algorithm", RFC 1321, April 1992.
[4] Postel, J., "User Datagram Protocol", STD 6, RFC 768, August 1980.
[5] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
[6] Reynolds, J. and J. Postel, "Assigned Numbers", STD 2, RFC 1700, October 1994.
[7] Yergeau, F., "UTF-8, a transformation format of ISO 10646", RFC 2279, January 1998.
[8] Aboba, B. and M. Beadles, "The Network Access Identifier", RFC 2486, January 1999.
[9] Kaufman, C., Perlman, R., and Speciner, M., "Network Security: Private Communications in a Public World", Prentice Hall, March 1995, ISBN 0-13-061466-1.
[10] Jacobson, V., "Compressing TCP/IP headers for low-speed serial links", RFC 1144, February 1990.
[11] ISO 8859. International Standard -- Information Processing -- 8-bit Single-Byte Coded Graphic Character Sets -- Part 1: Latin Alphabet No. 1, ISO 8859-1:1987.
[12] Sklower, K., Lloyd, B., McGregor, G., Carr, D. and T. Coradetti, "The PPP Multilink Protocol (MP)", RFC 1990, August 1996.
[13] Alvestrand, H. and T. Narten, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
[14] Galvin, J., McCloghrie, K. and J. Davin, "SNMP Security Protocols", RFC 1352, July 1992.
[15] Dobbertin, H., "The Status of MD5 After a Recent Attack", CryptoBytes Vol.2 No.2, Summer 1996.
RFC 2866
RFC 2866 RADIUS Accounting https://www.rfc-editor.org/rfc/rfc2866.txt C. Rigney June 2000 Errata, Obsoletes RFC 2139, Updated by RFC 2867, RFC 5080, RFC 5997 Informational
References
[1] Rigney, C., "RADIUS Accounting", RFC 2139, April 1997.
[2] Rigney, C., Willens, S., Rubens, A. and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000.
[3] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March, 1997.
[4] Postel, J., "User Datagram Protocol", STD 6, RFC 768, August 1980.
[5] Rivest, R. and S. Dusse, "The MD5 Message-Digest Algorithm", RFC1321, April 1992.
[6] Reynolds, J. and J. Postel, "Assigned Numbers", STD 2, RFC 1700, October 1994.
[7] Yergeau, F., "UTF-8, a transformation format of ISO 10646", RFC2279, January 1998.
[8] Alvestrand, H. and T. Narten, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
RFC 2867
RFC 2867 RADIUS Accounting Modifications for Tunnel Protocol Support https://www.rfc-editor.org/rfc/rfc2867.txt G. Zorn, B. Aboba, D. Mitton June 2000 Errata, Updates RFC 2866 Inf.
References
[1] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
[2] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[3] Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege, M. and I. Goyret, "RADIUS Attributes for Tunnel Protocol Support", RFC 2868, June 2000.
[4] Townsley, W., Valencia, A., Rubens, A., Pall, G., Zorn, G. and B. Palter, "Layer Two Tunneling Protocol "L2TP"", RFC 2661, August 1999.
[5] Hamzeh, K., Pall, G., Verthein, W., Taarud, J., Little, W. and G. Zorn, "Point-to-Point Tunneling Protocol (PPTP)", RFC 2637, July 1999.
RFC 2868
RFC 2868 RADIUS Attributes for Tunnel Protocol Support https://www.rfc-editor.org/rfc/rfc2868.txt G. Zorn, D. Leifer, A. Rubens, J. Shriver, M. Holdrege, I. Goyret June 2000 Errata, Updates RFC 2865, Updated by RFC 3575 Inf.
References
[1] Hamzeh, K., Pall, G., Verthein, W., Taarud, J., Little, W. and G. Zorn, "Point-to-Point Tunneling Protocol (PPTP)", RFC 2637, July 1999.
[2] Valencia, A., Littlewood, M. and T. Kolar, T., "Cisco Layer Two Forwarding (Protocol) 'L2F'", RFC 2341, May 1998.
[3] Townsley, W., Valencia, A., Rubens, A., Pall, G., Zorn, G. and B. Palter, "Layer Two Tunnelling Protocol (L2TP)", RFC 2661, August 1999.
[4] Hamzeh, K., "Ascend Tunnel Management Protocol - ATMP", RFC 2107, February 1997.
[5] Kent, S. and R. Atkinson, "Security Architecture for the Internet Protocol", RFC 2401, November 1998.
[6] Perkins, C., "IP Encapsulation within IP", RFC 2003, October 1996.
[7] Perkins, C., "Minimal Encapsulation within IP", RFC 2004, October 1996.
[8] Atkinson, R., "IP Encapsulating Security Payload (ESP)", RFC 1827, August 1995.
[9] Hanks, S., Li, T., Farinacci, D. and P. Traina, "Generic Routing Encapsulation (GRE)", RFC 1701, October 1994.
[10] Simpson, W., "IP in IP Tunneling", RFC 1853, October 1995.
[11] Zorn, G. and D. Mitton, "RADIUS Accounting Modifications for Tunnel Protocol Support", RFC 2867, June 2000.
[12] Rigney, C., Willens, S., Rubens, A. and W. Simpson, "Remote Authentication Dial in User Service (RADIUS)", RFC 2865, June 2000.
[13] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[14] Reynolds, J. and J. Postel, "Assigned Numbers", STD 2, RFC 1700, October 1994.
[15] Rigney, C., Willats, W. and P. Calhoun, "RADIUS Extensions", RFC 2869, June 2000.
[16] Narten, T. and H. Alvestrand, "Guidelines for writing an IANA Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
[17] Hinden, R. and S. Deering, "IP Version 6 Addressing Architecture", RFC 2373, July 1998.
RFC2869
RFC 2869 RADIUS Extensions https://www.rfc-editor.org/rfc/rfc2869.txt C. Rigney, W. Willats, P. Calhoun June 2000 Updated by RFC 3579, RFC 5080 Inf.
References
[1] Rigney, C., Willens, S., Rubens, A. and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000.
[2] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
[3] Blunk, L. and J. Vollbrecht, "PPP Extensible Authentication Protocol (EAP)", RFC 2284, March 1998.
[4] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March, 1997.
[5] Reynolds, J. and J. Postel, "Assigned Numbers", STD 2, RFC 1700, October 1994.
[6] Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege, M. and I. Goyret, "RADIUS Attributes for Tunnel Protocol Support", RFC 2868, June 2000.
[7] Zorn, G., Aboba, B. and D. Mitton, "RADIUS Accounting Modifications for Tunnel Protocol Support", RFC 2867, June 2000.
[8] Yergeau, F., "UTF-8, a transformation format of ISO 10646", RFC 2279, January 1998.
[9] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, February 1997.
[10] Alvestrand, H. and T. Narten, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
[11] Slatalla, M., and Quittner, J., "Masters of Deception." HarperCollins, New York, 1995.
RFC3579
RFC 3579 RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP) https://www.ietf.org/rfc/rfc3579.txt B. Aboba, P. Calhoun September 2003 Updates RFC 2869, Updated by RFC 5080 Inf.
References
6.1. Normative References
[RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, April 1992.
[RFC2104] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, February 1997.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2279] Yergeau, F., "UTF-8, a transformation format of ISO 10646", RFC 2279, January 1998.
[RFC2284] Blunk, L. and J. Vollbrecht, "PPP Extensible Authentication Protocol (EAP)", RFC 2284, March 1998.
[RFC2401] Atkinson, R. and S. Kent, "Security Architecture for the Internet Protocol", RFC 2401, November 1998.
[RFC2406] Kent, S. and R. Atkinson, "IP Encapsulating Security Payload (ESP)", RFC 2406, November 1998.
[RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange (IKE)", RFC 2409, November 1998.
[RFC2486] Aboba, B. and M. Beadles, "The Network Access Identifier", RFC 2486, January 1999.
[RFC2865] Rigney, C., Willens, S., Rubens, A. and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000.
[RFC2988] Paxson, V. and M. Allman, "Computing TCP's Retransmission Timer", RFC 2988, November 2000.
[RFC3162] Aboba, B., Zorn, G. and D. Mitton, "RADIUS and IP6", RFC 3162, August 2001.
[RFC3280] Housley, R., Polk, W., Ford, W. and D. Solo, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3280, April 2002.
[RFC3576] Chiba, M., Dommety, G., Eklund, M., Mitton, D. and B. Aboba, "Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)", RFC 3576, July 2003.
6.2. Informative References
[RFC826] Plummer, D., "An Ethernet Address Resolution Protocol", STD 37, RFC 826, November 1982.
[RFC1510] Kohl, J. and C. Neuman, "The Kerberos Network Authentication Service (V5)", RFC 1510, September 1993.
[RFC1661] Simpson, W., "The Point-to-Point Protocol (PPP)", STD 51, RFC 1661, July 1994.
[RFC2548] Zorn, G., "Microsoft Vendor-specific RADIUS Attributes", RFC 2548, March 1999.
[RFC2607] Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy Implementation in Roaming", RFC 2607, June 1999.
[RFC2716] Aboba, B. and D. Simon,"PPP EAP TLS Authentication Protocol", RFC 2716, October 1999.
[RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
[RFC2867] Zorn, G., Aboba, B. and D. Mitton, "RADIUS Accounting Modifications for Tunnel Protocol Support", RFC 2867, June 2000.
[RFC2868] Zorn, G., Leifer, D., Rubens, A., Shriver, J., Holdrege, M. and I. Goyret, "RADIUS Attributes for Tunnel Protocol Support", RFC 2868, June 2000.
[RFC2869] Rigney, C., Willats, W. and P. Calhoun, "RADIUS Extensions", RFC 2869, June 2000.
[RFC2983] Black, D. "Differentiated Services and Tunnels", RFC 2983, October 2000.
[RFC3580] Congdon, P., Aboba, B., Smith, A., Zorn, G. and J. Roese, "IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines", RFC 3580, September 2003.
[IEEE802] IEEE Standards for Local and Metropolitan Area Networks: Overview and Architecture, ANSI/IEEE Std 802, 1990.
[IEEE8021X] IEEE Standards for Local and Metropolitan Area Networks: Port based Network Access Control, IEEE Std 802.1X-2001, June 2001.
[MD5Attack] Dobbertin, H., "The Status of MD5 After a Recent Attack", CryptoBytes Vol.2 No.2, Summer 1996.
[Masters] Slatalla, M. and J. Quittner, "Masters of Deception." HarperCollins, New York, 1995.
[NASREQ] Calhoun, P., et al., "Diameter Network Access Server Application", Work in Progress.
Terminology
RFC3579
authenticator
The end of the link requiring the authentication. Also known as the Network Access Server (NAS) or RADIUS client. Within IEEE 802.1X terminology, the term Authenticator is used.
peer
The other end of the point-to-point link (PPP), point-to-point LAN segment (IEEE 802.1X) or wireless link, which is being authenticated by the authenticator. In IEEE 802.1X, this end is known as the Supplicant.
authentication server
An authentication server is an entity that provides an authentication service to an authenticator (NAS). This service verifies from the credentials provided by the peer, the claim of identity made by the peer; it also may provide credentials allowing the peer to verify the identity of the authentication server. Within this document it is assumed that the NAS operates as a pass-through, forwarding EAP packets between the RADIUS server and the EAP peer. Therefore the RADIUS server operates as an authentication server.
displayable message
This is interpreted to be a human readable string of characters, and MUST NOT affect operation of the protocol. The message encoding MUST follow the UTF-8 transformation format [RFC2279].
Network Access Server (NAS)
The device providing access to the network. Also known as the Authenticator (IEEE 802.1X or EAP terminology) or RADIUS client.
RFC2865, RFC2866, RFC2869
service
The NAS provides a service to the dial-in user, such as PPP or Telnet.
RFC3579
service
The NAS provides a service to the user, such as IEEE 802 or PPP.
RFC2865
session
Each service provided by the NAS to a dial-in user constitutes a session, with the beginning of the session defined as the point where service is first provided and the end of the session defined as the point where service is ended. A user may have multiple sessions in parallel or series if the NAS supports that.
RFC2866
session
Each service provided by the NAS to a dial-in user constitutes a session, with the beginning of the session defined as the point where service is first provided and the end of the session defined as the point where service is ended. A user may have multiple sessions in parallel or series if the NAS supports that, with each session generating a separate start and stop accounting record with its own Acct-Session-Id.
RFC2869
session
Each service provided by the NAS to a dial-in user constitutes a session, with the beginning of the session defined as the point where service is first provided and the end of the session defined as the point where service is ended. A user may have multiple sessions in parallel or series if the NAS supports that, with each session generating a separate start and stop accounting record.
RFC3579
session
Each service provided by the NAS to a peer constitutes a session, with the beginning of the session defined as the point where service is first provided and the end of the session defined as the point where service is ended. A peer may have multiple sessions in parallel or series if the NAS supports that, with each session generating a separate start and stop accounting record.
RFC2865, RFC2866, RFC2869, RFC3579
silently discard
This means the implementation discards the packet without further processing. The implementation SHOULD provide the capability of logging the error, including the contents of the silently discarded packet, and SHOULD record the event in a statistics counter.
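An added example (not code from the post or from any RFC) of the "silently discard" rule quoted above, on the RADIUS client side: a response whose header or Length is malformed, whose Identifier matches no outstanding request, or whose Response Authenticator (RFC 2865 section 3: MD5 over Code, Identifier, Length, the Request Authenticator, the attributes and the shared secret) does not verify is dropped without further processing, but its contents are logged and the event is counted. The shared secret, the Request Authenticator and the packet bytes are constructed; the attribute type 18 (Reply-Message) is from RFC 2865.

```python
import hashlib
import hmac
import logging
import struct
from collections import Counter

HEADER = struct.Struct("!BBH16s")   # Code, Identifier, Length, Authenticator (20 octets)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
REPLY_MESSAGE = 18                   # attribute type from RFC 2865
MAX_LENGTH = 4096                    # RFC 2865: Length field is 20..4096 octets

log = logging.getLogger("radius")
stats = Counter()                    # the statistics counter the definition asks for


def silently_discard(reason, packet):
    """Drop the packet without further processing; log its contents and count the event."""
    stats[reason] += 1
    log.warning("silently discarded (%s): %s", reason, packet.hex())
    return None


def attribute(attr_type, value):
    """Encode one attribute as Type, Length (including the 2-byte header), Value."""
    return bytes([attr_type, 2 + len(value)]) + value


def build_response(code, ident, request_auth, attrs, secret):
    """Server side: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, HEADER.size + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def receive_response(packet, pending, secret):
    """Client side. `pending` maps Identifier -> Request Authenticator of the
    outstanding request. Returns (code, attrs), or None after a silent discard."""
    if len(packet) < HEADER.size:
        return silently_discard("short-header", packet)
    code, ident, length, auth = HEADER.unpack_from(packet)
    if length < HEADER.size or length > MAX_LENGTH or len(packet) < length:
        return silently_discard("bad-length", packet)
    packet = packet[:length]         # octets beyond Length are padding and are ignored
    request_auth = pending.get(ident)
    if request_auth is None:
        return silently_discard("unknown-identifier", packet)
    attrs = packet[HEADER.size:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, auth):   # constant-time comparison
        return silently_discard("bad-response-authenticator", packet)
    del pending[ident]               # request answered; a replay with this ID is now discarded
    return code, attrs


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    secret = b"constructed-shared-secret"   # constructed, not a deployment value
    request_auth = bytes(range(16))         # constructed; a real client uses random bytes
    attrs = attribute(REPLY_MESSAGE, b"welcome")
    good = build_response(ACCESS_ACCEPT, 7, request_auth, attrs, secret)
    print("valid:   ", receive_response(good, {7: request_auth}, secret))
    tampered = good[:-1] + bytes([good[-1] ^ 0x01])
    print("tampered:", receive_response(tampered, {7: request_auth}, secret))
    print("counters:", dict(stats))
```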
Reference relationships among the RFC documents
| RFC | obsoletes | updates | updated by | reference | title |
|---|---|---|---|---|---|
| 2865 | 2138 | | | 2138 | Remote Authentication Dial In User Service (RADIUS) |
| | | | | 2119 | Key words for use in RFCs to Indicate Requirement Levels |
| | | | | 1321 | The MD5 Message-Digest Algorithm |
| | | | | 768 | User Datagram Protocol |
| | | | | 2866 | RADIUS Accounting |
| | | | | 1700 | Assigned Numbers |
| | | | | 2279 | UTF-8, a transformation format of ISO 10646 |
| | | | | 2486 | The Network Access Identifier |
| | | | | 1144 | Compressing TCP/IP headers for low-speed serial links |
| | | | | 1990 | The PPP Multilink Protocol (MP) |
| | | | | 2434 | Guidelines for Writing an IANA Considerations Section in RFCs |
| | | | | 1352 | SNMP Security Protocols |
| | | | 2868 | | RADIUS Attributes for Tunnel Protocol Support |
| | | | 3575 | | IANA Considerations for RADIUS (Remote Authentication Dial In User Service) |
| | | | 5080 | | Common Remote Authentication Dial In User Service (RADIUS) Implementation Issues and Suggested Fixes |
| | | | 6929 | | Remote Authentication Dial In User Service (RADIUS) Protocol Extensions |
| | | | 8044 | | Data Types in RADIUS |
| 2866 | 2139 | | | 2139 | RADIUS Accounting |
| | | | | 2865 | Remote Authentication Dial In User Service (RADIUS) |
| | | | | 2119 | Key words for use in RFCs to Indicate Requirement Levels |
| | | | | 768 | User Datagram Protocol |
| | | | | 1321 | The MD5 Message-Digest Algorithm |
| | | | | 1700 | Assigned Numbers |
| | | | | 2279 | UTF-8, a transformation format of ISO 10646 |
| | | | | 2434 | Guidelines for Writing an IANA Considerations Section in RFCs |
| | | | 2867 | | RADIUS Accounting Modifications for Tunnel Protocol Support |
| | | | 5080 | | Common Remote Authentication Dial In User Service (RADIUS) Implementation Issues and Suggested Fixes |
| | | | 5997 | | Use of Status-Server Packets in the Remote Authentication Dial In User Service (RADIUS) Protocol |
| 2867 | | 2866 | | 2866 | RADIUS Accounting |
| | | | | 2119 | Key words for use in RFCs to Indicate Requirement Levels |
| | | | | 2868 | RADIUS Attributes for Tunnel Protocol Support |
| | | | | 2661 | Layer Two Tunneling Protocol "L2TP" |
| | | | | 2637 | Point-to-Point Tunneling Protocol (PPTP) |
| 2868 | | 2865 | | | Remote Authentication Dial In User Service (RADIUS) |
| | | | 3575 | | IANA Considerations for RADIUS (Remote Authentication Dial In User Service) |
| | | | | 2637 | Point-to-Point Tunneling Protocol (PPTP) |
| | | | | 2341 | Cisco Layer Two Forwarding (Protocol) 'L2F' |
| | | | | 2661 | Layer Two Tunneling Protocol "L2TP" |
| | | | | 2107 | Ascend Tunnel Management Protocol - ATMP |
| | | | | 2401 | Security Architecture for the Internet Protocol |
| | | | | 2003 | IP Encapsulation within IP |
| | | | | 2004 | Minimal Encapsulation within IP |
| | | | | 1827 | IP Encapsulating Security Payload (ESP) |
| | | | | 1701 | Generic Routing Encapsulation (GRE) |
| | | | | 1853 | IP in IP Tunneling |
| | | | | 2867 | RADIUS Accounting Modifications for Tunnel Protocol Support |
| | | | | 2865 | Remote Authentication Dial in User Service (RADIUS) |
| | | | | 2119 | Key words for use in RFCs to Indicate Requirement Levels |
| | | | | 1700 | Assigned Numbers |
| | | | | 2869 | RADIUS Extensions |
| | | | | 2434 | Guidelines for Writing an IANA Considerations Section in RFCs |
| | | | | 2373 | IP Version 6 Addressing Architecture |
| 2869 | | | 3579 | | RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP) |
| | | | 5080 | | Common Remote Authentication Dial In User Service (RADIUS) Implementation Issues and Suggested Fixes |
| | | | | 2865 | Remote Authentication Dial in User Service (RADIUS) |
| | | | | 2866 | RADIUS Accounting |
| | | | | 2284 | PPP Extensible Authentication Protocol (EAP) |
| | | | | 2119 | Key words for use in RFCs to Indicate Requirement Levels |
| | | | | 1700 | Assigned Numbers |
| | | | | 2868 | RADIUS Attributes for Tunnel Protocol Support |
| | | | | 2867 | RADIUS Accounting Modifications for Tunnel Protocol Support |
| | | | | 2279 | UTF-8, a transformation format of ISO 10646 |
| | | | | 2104 | HMAC: Keyed-Hashing for Message Authentication |
| | | | | 2434 | Guidelines for Writing an IANA Considerations Section in RFCs |
| 3579 | | 2869 | | | RADIUS Extensions |
| | | | | 1321 | The MD5 Message-Digest Algorithm |
| | | | | 2104 | HMAC: Keyed-Hashing for Message Authentication |
| | | | | 2119 | Key words for use in RFCs to Indicate Requirement Levels |
| | | | | 2279 | UTF-8, a transformation format of ISO 10646 |
| | | | | 2284 | PPP Extensible Authentication Protocol (EAP) |
| | | | | 2401 | Security Architecture for the Internet Protocol |
| | | | | 2406 | IP Encapsulating Security Payload (ESP) |
| | | | | 2409 | The Internet Key Exchange (IKE) |
| | | | | 2486 | The Network Access Identifier |
| | | | | 2865 | Remote Authentication Dial In User Service (RADIUS) |
| | | | | 2988 | Computing TCP's Retransmission Timer |
| | | | | 3162 | RADIUS and IP6 |
| | | | | 3280 | Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile |
| | | | | 3576 | Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS) |
| | | | | 826 | An Ethernet Address Resolution Protocol |
| | | | | 1510 | The Kerberos Network Authentication Service (V5) |
| | | | | 1661 | The Point-to-Point Protocol (PPP) |
| | | | | 2548 | Microsoft Vendor-specific RADIUS Attributes |
| | | | | 2607 | Proxy Chaining and Policy Implementation in Roaming |
| | | | | 2716 | PPP EAP TLS Authentication Protocol |
| | | | | 2866 | RADIUS Accounting |
| | | | | 2867 | RADIUS Accounting Modifications for Tunnel Protocol Support |
| | | | | 2868 | RADIUS Attributes for Tunnel Protocol Support |
| | | | | 2869 | RADIUS Extensions |
| | | | | 2983 | Differentiated Services and Tunnels |
| | | | | 3580 | IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines |
<This article is a personal opinion based on my own past experience. It has no relation to the organization I currently belong to or to my work.>
Document history
ver. 0.01 First draft: bibliography and reference relationships of 5 documents (RFC 2865, 2866, 2867, 2868, 2869) organized, 20190211 morning
ver. 0.02 RFC 3579 and terminology added, 20190211 evening
ver. 0.03 Titles added, 20190318
ver. 0.04 Headings corrected, 20210707
Thank you very much for reading to the last sentence.
Please press the like icon 💚 and follow me for your happy life.