RADIUS/Diameter Protocol Interactions - Page 4

9.2. Diameter Request Forwarded as RADIUS Request


When a server receives a Diameter request to be forwarded to a RADIUS
entity, the following are examples of the steps that may be taken:

- The Origin-Host AVP's value is inserted into the NAS-Identifier
attribute.

- The following information MUST be present in the corresponding
Diameter response and therefore MUST be saved, either in a
local state table or encoded in a RADIUS Proxy-State attribute:

1. Origin-Host AVP
2. Session-Id AVP
3. Proxy-Info AVP
4. Any other AVP that MUST be present in the response and
has no corresponding RADIUS attribute.

- If the CHAP-Auth AVP is present, the grouped AVPs are used to
create the RADIUS CHAP-Password attribute data.

- If the User-Password AVP is present, the data should be
encrypted and forwarded by using RADIUS rules. The same is
true for any other RADIUS-encrypted attribute values.

- AVPs of the type Address must be translated to the
corresponding RADIUS attribute.

- If the Accounting-Input-Octets, Accounting-Input-Packets,
Accounting-Output-Octets, or Accounting-Output-Packets AVPs are
present, they must be translated to the corresponding RADIUS
attributes. These Diameter AVPs are 64-bit counters while the RADIUS
attributes are 32-bit; if a value does not fit in 32 bits, the low
32 bits go in the Acct-Input-Octets / Acct-Output-Octets attribute
and the high 32 bits in Acct-Input-Gigawords / Acct-Output-Gigawords.

- If the RADIUS link supports the Message-Authenticator attribute
[RADIUSExt], it SHOULD be generated and added to the request.
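The request-side steps above, as an added Python example that is not part of RFC 4005 or of this page. It represents the Diameter request as a plain dict of AVP name to value (a simplification), encodes the saved AVPs as JSON inside Proxy-State when they fit and in a caller-supplied `state_table` otherwise, splits 64-bit counters into the Octets/Gigawords pair, hides User-Password with the RFC 2865 algorithm, and adds a Message-Authenticator. `SAVED_AVPS`, `COUNTER_MAP`, the JSON encoding and the function names are assumptions made here; the attribute numbers and the two algorithms are the RFC 2865/2869 ones.

```python
import hashlib
import hmac
import json
import os
import struct

# RADIUS code and attribute numbers (RFC 2865, RFC 2869)
ACCESS_REQUEST = 1
USER_PASSWORD, NAS_IDENTIFIER, PROXY_STATE = 2, 32, 33
ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS = 42, 43
ACCT_INPUT_GIGAWORDS, ACCT_OUTPUT_GIGAWORDS = 52, 53
MESSAGE_AUTHENTICATOR = 80

# Diameter Unsigned64 counter AVP -> (RADIUS 32-bit attribute, Gigawords attribute)
COUNTER_MAP = {
    "Accounting-Input-Octets": (ACCT_INPUT_OCTETS, ACCT_INPUT_GIGAWORDS),
    "Accounting-Output-Octets": (ACCT_OUTPUT_OCTETS, ACCT_OUTPUT_GIGAWORDS),
}
# AVPs the answer must carry and that have no RADIUS equivalent (assumed subset)
SAVED_AVPS = ("Origin-Host", "Session-Id", "Proxy-Info")

def split_gigawords(value):
    """Low 32 bits go in Acct-*-Octets, the high 32 bits in Acct-*-Gigawords."""
    if not 0 <= value < 1 << 64:
        raise ValueError("counter out of range for Unsigned64")
    return value & 0xFFFFFFFF, value >> 32

def hide_user_password(password, secret, authenticator):
    """RFC 2865 section 5.2: XOR 16-byte blocks with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("RADIUS User-Password is limited to 128 octets")
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def unhide_user_password(hidden, secret, authenticator):
    """Inverse of hide_user_password, as performed on the RADIUS server side."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attr(atype, value):
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attrs(packet):
    """Attributes of a RADIUS packet as a list of (type, value) pairs."""
    attrs, pos = [], 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def diameter_to_radius_request(request, secret, state_table, identifier=0):
    """Translate a Diameter request (dict of AVP name -> value) into an Access-Request,
    saving what the Diameter answer will need either in Proxy-State or in state_table."""
    authenticator = os.urandom(16)  # Request Authenticator: fresh per request, keys the password hiding
    attrs = [encode_attr(NAS_IDENTIFIER, request["Origin-Host"].encode())]
    saved = {k: request[k] for k in SAVED_AVPS if k in request}
    blob = json.dumps(saved, separators=(",", ":")).encode()
    if len(blob) <= 253:
        attrs.append(encode_attr(PROXY_STATE, blob))  # the RADIUS server echoes Proxy-State unmodified
    else:
        state_table[request["Session-Id"]] = saved   # too big for one attribute: keep it locally
    if "User-Password" in request:
        hidden = hide_user_password(request["User-Password"].encode(), secret, authenticator)
        attrs.append(encode_attr(USER_PASSWORD, hidden))
    for avp, (low_type, giga_type) in COUNTER_MAP.items():
        if avp in request:
            low, giga = split_gigawords(request[avp])
            attrs.append(encode_attr(low_type, struct.pack("!I", low)))
            if giga:
                attrs.append(encode_attr(giga_type, struct.pack("!I", giga)))
    # Message-Authenticator = HMAC-MD5(secret, packet with this value zeroed); it is the last attribute here
    attrs.append(encode_attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    body = b"".join(attrs)
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()

def verify_message_authenticator(packet, secret):
    """Recompute Message-Authenticator wherever it sits and compare in constant time."""
    pos = 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return False
```

Two points worth noting when running this: the User-Password hiding is only as strong as the shared secret and the freshness of the Request Authenticator (it is an MD5 keystream, not a modern cipher), and Proxy-State is protected in transit only by the response Authenticator, so a RADIUS server that is not fully trusted could tamper with the encoded Diameter state; in that case keep the state in the local table instead.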

When the corresponding response is received by the Translation Agent
(the RADIUS protocol guarantees a response to every request the server
accepts, but a RADIUS server silently discards requests whose Request
Authenticator or Message-Authenticator does not verify, so the gateway
still needs a retransmit timer), the following steps may be taken:

- If the RADIUS code is set to Access-Challenge, a Diameter AA-
Answer message is created with the Result-Code set to
DIAMETER_MULTI_ROUND_AUTH. If the Session-Timeout AVP is
present in the RADIUS message, its value is inserted into the
Multi-Round-Time-Out AVP.

- If a Proxy-State attribute is present, extract the encoded
information; otherwise, retrieve the original Proxy-Info AVP
group information from the local state table.

- The response's Origin-Host information is created from the FQDN
of the RADIUS message's source IP address. The same FQDN is
also stored to a Route-Record AVP.

- The response's Destination-Host AVP is copied from the saved
request's Origin-Host information.

- The Session-Id information can be recovered from local state,
or from the constructed State or Proxy-State attribute, as
above.

- If a Proxy-Info AVP was present in the request, the same AVP
MUST be added to the response.

- If the RADIUS State attributes are present, they must be
present in the Diameter response, minus those added by the
gateway.

- Any other AVPs that were saved at request time, and that MUST
be present in the response, are added to the message.

When translating a RADIUS Access-Accept to Diameter AA-Answer that
contains a Session-Timeout attribute, do the following:

- If the RADIUS message contains a Session-Timeout attribute and
a Termination-Action attribute set to DEFAULT (or no
Termination-Action attribute at all), translate it to AA-Answer
with a Session-Timeout AVP and remove the Termination-Action
attribute.

- If the RADIUS message contains a Session-Timeout attribute and
a Termination-Action attribute set to AA-REQUEST, translate it
to AA-Answer with Authorization-Lifetime AVP and with Re-Auth-
Request-Type set to AUTHORIZE_AUTHENTICATE and remove the
Session-Timeout attribute.
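The response-side steps above, including the Session-Timeout / Termination-Action rules, as an added Python example that is not part of RFC 4005 or of this page. RADIUS attributes are given as (type, value-bytes) pairs; the saved request information comes from Proxy-State (JSON, as assumed in the request-side example) or from a local table keyed by the RADIUS identifier. The result is a dict of Diameter AVP name to value. Assumptions made here: `GATEWAY_STATE_PREFIX` marks State values the gateway added itself, Access-Reject maps to DIAMETER_AUTHENTICATION_REJECTED (4001) and Access-Accept to DIAMETER_SUCCESS (2001), which the page does not state; the other codes are RFC 3588/4005 values.

```python
import json
import struct

# RADIUS codes and attribute numbers (RFC 2865); Termination-Action value 1 is
# "RADIUS-Request", which the text above calls AA-REQUEST
ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11
STATE, SESSION_TIMEOUT, TERMINATION_ACTION, PROXY_STATE = 24, 27, 29, 33
TERMINATION_DEFAULT, TERMINATION_RADIUS_REQUEST = 0, 1

# Diameter Result-Code values (RFC 3588) and Re-Auth-Request-Type (RFC 4005)
DIAMETER_MULTI_ROUND_AUTH = 1001
DIAMETER_SUCCESS = 2001
DIAMETER_AUTHENTICATION_REJECTED = 4001   # assumed mapping for Access-Reject
AUTHORIZE_AUTHENTICATE = 1

GATEWAY_STATE_PREFIX = b"gw:"   # assumed marker for State values this gateway added itself

def u32(value):
    return struct.unpack("!I", value)[0]

def recover_saved_request(attrs, state_table, identifier):
    """Saved Diameter request info: from Proxy-State when present, else from the local table."""
    for atype, value in attrs:
        if atype == PROXY_STATE:
            return json.loads(value)
    return state_table.pop(identifier)

def radius_response_to_aa_answer(code, attrs, saved, radius_peer_fqdn):
    """Build the AA-Answer AVPs from a RADIUS Access-Accept/Reject/Challenge."""
    answer = {
        "Origin-Host": radius_peer_fqdn,          # FQDN of the RADIUS source address
        "Route-Record": [radius_peer_fqdn],
        "Destination-Host": saved["Origin-Host"],  # the original Diameter requester
        "Session-Id": saved["Session-Id"],
    }
    if "Proxy-Info" in saved:
        answer["Proxy-Info"] = saved["Proxy-Info"]
    values = {}
    for atype, value in attrs:
        values.setdefault(atype, []).append(value)
    # State attributes go back to the Diameter client, minus those the gateway added itself
    states = [s for s in values.get(STATE, []) if not s.startswith(GATEWAY_STATE_PREFIX)]
    if states:
        answer["State"] = states
    timeout = u32(values[SESSION_TIMEOUT][0]) if SESSION_TIMEOUT in values else None
    if code == ACCESS_CHALLENGE:
        answer["Result-Code"] = DIAMETER_MULTI_ROUND_AUTH
        if timeout is not None:
            answer["Multi-Round-Time-Out"] = timeout
        return answer
    answer["Result-Code"] = DIAMETER_SUCCESS if code == ACCESS_ACCEPT else DIAMETER_AUTHENTICATION_REJECTED
    if code == ACCESS_ACCEPT and timeout is not None:
        action = u32(values[TERMINATION_ACTION][0]) if TERMINATION_ACTION in values else TERMINATION_DEFAULT
        if action == TERMINATION_RADIUS_REQUEST:
            # NAS would re-authenticate at expiry: express that as a Diameter re-auth, drop Session-Timeout
            answer["Authorization-Lifetime"] = timeout
            answer["Re-Auth-Request-Type"] = AUTHORIZE_AUTHENTICATE
        else:
            # DEFAULT or absent: the session simply ends, Termination-Action is not carried over
            answer["Session-Timeout"] = timeout
    return answer
```

The Origin-Host is derived from the RADIUS peer's address rather than from anything inside the RADIUS packet, so the gateway should resolve it from its own configured peer list, not from a reverse DNS lookup of an arbitrary source address.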

9.2.1. RADIUS Dynamic Authorization Considerations


A RADIUS/Diameter gateway communicating with a RADIUS client that
implements RADIUS Dynamic Authorization [RADDynAuth] may translate
Diameter Re-Auth-Request (RAR) messages and Abort-Session-Request
(ASR) messages [BASE] into RADIUS CoA-Request and Disconnect-Request
messages respectively.

If the RADIUS client does not support the capability, the gateway
will receive an ICMP Port Unreachable indication when it transmits
the RADIUS message. Even if the NAS supports [RADDynAuth], it may
not support the Service-Type in the request message. In this case it
will respond with a NAK message and (optionally) an Error-Cause
attribute with value 405, "Unsupported Service". If the gateway
encounters these error conditions, or if it does not support
[RADDynAuth], it sends a Diameter Answer message with a Result-Code
AVP of "DIAMETER_COMMAND_UNSUPPORTED" to the AAA server.

When encoding the RADIUS messages, the gateway MUST include the
Diameter Session-Id in the RADIUS State attribute value, as mentioned
above. The RADIUS client should return it in the response.

A Diameter Re-Auth-Request (RAR) message [BASE] received by the
gateway will be translated into a RADIUS CoA-Request and sent to the
RADIUS client. The RADIUS client should respond with a CoA-ACK or
CoA-NAK message, which the gateway should translate into a Re-Auth-
Answer (RAA) message.

If the gateway receives a RADIUS CoA-NAK response containing a
Service-Type Attribute with value "Authorize Only" and an Error-Cause
Attribute with value "Request Initiated", this indicates an extended
exchange request per [RADDynAuth] section 3.2, note 6.

The response is translated to a Diameter Re-Auth-Answer (RAA) with a
Result-Code AVP of "DIAMETER_LIMITED_SUCCESS" sent to the AAA server.

Subsequently, the gateway should receive a RADIUS Access-Request from
the NAS, with a Service-Type of "Authorize Only". This is translated
into a Diameter AA-Request with an Auth-Request-Type AVP of
AUTHORIZE_ONLY and sent to the AAA server. The AAA server will then
reply with a Diameter AA-Answer, which is translated into a RADIUS
Access-Accept or Access-Reject, depending on the value of the
Result-Code AVP.

A Diameter Abort-Session-Request (ASR) message [BASE] received by the
gateway will be translated into a RADIUS Disconnect-Request and sent
to the RADIUS client. The RADIUS client should respond with a
Disconnect-ACK or Disconnect-NAK message, which the gateway should
translate into an Abort-Session-Answer (ASA) message.

If the gateway receives a RADIUS Disconnect-NAK response containing a
Service-Type Attribute with value "Authorize Only" and an Error-Cause
Attribute with value "Request Initiated", the Disconnect-NAK response
is translated into a Diameter Abort-Session-Answer (ASA) with a
Result-Code AVP of "DIAMETER_LIMITED_SUCCESS" sent to the AAA server.

Subsequently, the gateway should receive a RADIUS Access-Request from
the NAS, with a Service-Type of "Authorize Only". This is translated
into a Diameter AA-Request with an Auth-Request-Type AVP of
AUTHORIZE_ONLY and sent to the AAA server. The AAA server will then
reply with a Diameter AA-Answer, which is translated into a RADIUS
Access-Accept or Access-Reject, depending on the value of the
Result-Code AVP.
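The dynamic-authorization exchange of this subsection, for both the RAR/CoA and ASR/Disconnect cases, as an added Python example that is not part of RFC 4005 or of this page. The gateway puts the Diameter Session-Id into the State attribute of the CoA-Request or Disconnect-Request, maps the NAS reply (ACK, NAK with Error-Cause 405, the Authorize-Only / Request-Initiated NAK, or an ICMP Port Unreachable) to the Result-Code of the RAA/ASA, and only forwards a later Authorize-Only Access-Request as an AA-Request when its State matches a session for which it returned DIAMETER_LIMITED_SUCCESS. Assumptions made here: the `diam-sid:` State encoding, the class and method names, and mapping a NAK with no recognised Error-Cause to DIAMETER_UNABLE_TO_COMPLY (5012), which the page does not specify; the RADIUS and Diameter numbers are the RFC 2865/5176/3588/4005 values.

```python
# RADIUS codes and attribute numbers (RFC 2865, RFC 5176)
ACCESS_REQUEST = 1
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
SERVICE_TYPE, STATE, ERROR_CAUSE = 6, 24, 101
SERVICE_AUTHORIZE_ONLY = 17
ERROR_UNSUPPORTED_SERVICE, ERROR_REQUEST_INITIATED = 405, 508

# Diameter Result-Code values (RFC 3588) and Auth-Request-Type (RFC 4005)
DIAMETER_SUCCESS, DIAMETER_LIMITED_SUCCESS = 2001, 2002
DIAMETER_COMMAND_UNSUPPORTED = 3001
DIAMETER_UNABLE_TO_COMPLY = 5012       # assumed mapping for a NAK the text does not cover
AUTH_REQUEST_AUTHORIZE_ONLY = 2

STATE_PREFIX = b"diam-sid:"   # assumed encoding of the Session-Id inside the State attribute

def attr_u32(values, atype):
    return int.from_bytes(values.get(atype, b"\x00\x00\x00\x00"), "big")

class DynAuthGateway:
    def __init__(self):
        # Session-Id -> "RAR" or "ASR" for sessions awaiting the NAS's Authorize-Only Access-Request
        self.pending = {}

    def diameter_to_radius(self, command, session_id):
        """RAR -> CoA-Request, ASR -> Disconnect-Request; State carries the Session-Id."""
        code = {"RAR": COA_REQUEST, "ASR": DISCONNECT_REQUEST}[command]
        return code, [(STATE, STATE_PREFIX + session_id.encode())]

    def radius_to_diameter(self, command, code, attrs, session_id, icmp_unreachable=False):
        """Result-Code for the RAA (command "RAR") or ASA (command "ASR")."""
        ack = COA_ACK if command == "RAR" else DISCONNECT_ACK
        nak = COA_NAK if command == "RAR" else DISCONNECT_NAK
        if icmp_unreachable:                   # NAS does not listen for dynamic authorization at all
            return DIAMETER_COMMAND_UNSUPPORTED
        if code == ack:
            return DIAMETER_SUCCESS
        if code != nak:
            raise ValueError("unexpected RADIUS code %d" % code)
        values = dict(attrs)
        error, service = attr_u32(values, ERROR_CAUSE), attr_u32(values, SERVICE_TYPE)
        if error == ERROR_UNSUPPORTED_SERVICE:
            return DIAMETER_COMMAND_UNSUPPORTED
        if service == SERVICE_AUTHORIZE_ONLY and error == ERROR_REQUEST_INITIATED:
            self.pending[session_id] = command  # extended exchange: NAS will send Access-Request next
            return DIAMETER_LIMITED_SUCCESS
        return DIAMETER_UNABLE_TO_COMPLY

    def access_request_to_aar(self, code, attrs):
        """Authorize-Only Access-Request -> AA-Request, only for a session we are expecting it for."""
        values = dict(attrs)
        if code != ACCESS_REQUEST or attr_u32(values, SERVICE_TYPE) != SERVICE_AUTHORIZE_ONLY:
            return None
        state = values.get(STATE, b"")
        if not state.startswith(STATE_PREFIX):
            return None   # no gateway-issued State: cannot bind this to a Diameter session
        session_id = state[len(STATE_PREFIX):].decode()
        if self.pending.pop(session_id, None) is None:
            return None   # unsolicited or replayed follow-up: do not re-authorize
        return {"Session-Id": session_id, "Auth-Request-Type": AUTH_REQUEST_AUTHORIZE_ONLY}
```

The check in `access_request_to_aar` is the one a practitioner should not skip: the State value is the only thing tying the NAS's Authorize-Only request to the earlier CoA or Disconnect, so an Access-Request carrying a State the gateway never issued, or one already consumed, must not be turned into an AA-Request.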


 
