|
9.1.1. RADIUS Dynamic Authorization Considerations

A Diameter/RADIUS gateway may communicate with a server that implements RADIUS Dynamic Authorization [RADDynAuth]. If the server supports these functions, it MUST be listening on the assigned port and would receive RADIUS CoA-Request and Disconnect-Request messages. These can be mapped into the Diameter Re-Auth-Request (RAR) and Abort-Session-Request (ASR) message exchanges, respectively [BASE].
If [RADDynAuth] is not supported, the port would not be active and the RADIUS server would receive an ICMP Port Unreachable indication. Alternatively, if the messages are received but with an inappropriate Service-Type, the gateway can respond with the appropriate NAK message and an Error-Cause attribute with the value of 405, "Unsupported Service".
The RADIUS CoA-Request and Disconnect-Request messages will not contain a Diameter Session-Id. Diameter requires that this value match an active session context. The gateway MUST have a session Id cache (or other means) to identify the sessions these functions pertain to. If unable to identify the session, the gateway (or NAS) should return an Error-Cause value 503, "Session Context Not Found".
The RADIUS CoA-Request message only supports a change of authorization attributes, and the received CoA-Request SHOULD include a Service-Type of "Authorize-Only". This indicates an extended exchange request by the rules given in [RADDynAuth] section 3.2, note 6. This is the only type of exchange supported by Diameter [BASE].
For the CoA-Request, the translated RAR message will have a Re-Auth-Type of AUTHORIZE_ONLY. The returned RAA will be translated into a CoA-NAK with Error-Cause "Request Initiated". The gateway's Diameter client SHOULD also start a reauthorization sequence by sending an AAR message, which will be translated into an Access-Request message. The RADIUS server will use the Access-Accept (or Access-Reject) message to convey the new authorization attributes, which the gateway will pass back in an AAA message.
Any attributes included in the CoA-Request or Access-Accept message are to be considered mandatory in Diameter. If they cannot be supported, they MUST result in an error message returned to the RADIUS server, with an Error-Cause of "Unsupported Attribute". The Diameter NAS will attempt to apply all the attributes supplied in the AA message to the session.
A RADIUS Disconnect-Request message received by the gateway would be translated to a Diameter Abort-Session-Request (ASR) message [BASE]. The results will be returned by the Diameter client in an Abort-Session-Answer (ASA) message. A success indication would translate to a RADIUS Disconnect-ACK, and a failure would generate a Disconnect-NAK.
|
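The gateway decisions described in section 9.1.1, as an added example that is not part of the original specification text: it maps decoded CoA-Request and Disconnect-Request messages to RAR/ASR or to the matching NAK, and maps the RAA/ASA back. The dict layout, the (NAS-Identifier, Acct-Session-Id) cache key, the `SUPPORTED` set and the rejection of a CoA-Request lacking Authorize-Only are assumptions of this sketch; the numeric Error-Cause values 401 and 507 are the ones the RADIUS dynamic authorization specification assigns to the two names the text quotes.

```python
# Added sketch of the section 9.1.1 mapping; messages are plain dicts.
# Field names, the cache key and SUPPORTED are assumptions of this example.
ERROR_CAUSE = {"Unsupported Attribute": 401, "Unsupported Service": 405,
               "Session Context Not Found": 503, "Request Initiated": 507}
SUPPORTED = {"Session-Timeout", "Idle-Timeout", "Filter-Id"}  # constructed

def nak(request, cause):
    """Build the NAK that matches the request, carrying an Error-Cause."""
    code = request["code"].replace("-Request", "-NAK")
    return {"radius": {"code": code, "Error-Cause": ERROR_CAUSE[cause]}}

def translate_request(request, session_cache):
    """Map a CoA-/Disconnect-Request to a Diameter RAR/ASR, or to a NAK."""
    code = request["code"]
    if code not in ("CoA-Request", "Disconnect-Request"):
        raise ValueError(f"not a dynamic authorization request: {code}")
    # Assumed policy: only an Authorize-Only CoA-Request is translated.
    if code == "CoA-Request" and request.get("Service-Type") != "Authorize-Only":
        return nak(request, "Unsupported Service")
    # RADIUS carries no Diameter Session-Id, so consult the gateway's cache.
    key = (request.get("NAS-Identifier"), request.get("Acct-Session-Id"))
    session_id = session_cache.get(key)
    if session_id is None:
        return nak(request, "Session Context Not Found")
    if code == "Disconnect-Request":
        return {"diameter": {"command": "ASR", "Session-Id": session_id}}
    # CoA attributes are mandatory in Diameter: reject what cannot be mapped.
    if set(request.get("attributes", {})) - SUPPORTED:
        return nak(request, "Unsupported Attribute")
    # Re-Auth-Request-Type is the AVP the text calls Re-Auth-Type.
    return {"diameter": {"command": "RAR", "Session-Id": session_id,
                         "Re-Auth-Request-Type": "AUTHORIZE_ONLY"}}

def translate_answer(answer):
    """Map the Diameter client's RAA/ASA back to the RADIUS reply."""
    if answer["command"] == "RAA":
        # The RAA becomes a CoA-NAK; the gateway then sends an AAR.
        return {"radius": {"code": "CoA-NAK",
                           "Error-Cause": ERROR_CAUSE["Request Initiated"]},
                "follow_up": "AAR"}
    if answer["command"] == "ASA":
        ok = answer["success"]
        return {"radius": {"code": "Disconnect-ACK" if ok else "Disconnect-NAK"}}
    raise ValueError(f"unexpected answer: {answer['command']}")

# Constructed sample data.
CACHE = {("nas1.example.net", "0000A1"): "gw.example.net;1096298391;1"}
COA = {"code": "CoA-Request", "Service-Type": "Authorize-Only",
       "NAS-Identifier": "nas1.example.net", "Acct-Session-Id": "0000A1",
       "attributes": {"Session-Timeout": 600}}
```

Because every failure path returns a NAK built from the request's own code, a Disconnect-Request for an unknown session yields a Disconnect-NAK and never a CoA-NAK.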