RFC 2868 (rfc2868) - Page 2 of 20


RADIUS Attributes for Tunnel Protocol Support



Alternative Format: Original Text Document



RFC 2868        RADIUS Tunnel Authentication Attributes        June 2000


2.  Specification of Requirements

   In this document, the key words "MAY", "MUST, "MUST NOT", "optional",
   "recommended", "SHOULD", and "SHOULD NOT", are to be interpreted as
   described in [14].

3.  Attributes

   Multiple instances of each of the attributes defined below may be
   included in a single RADIUS packet.  In this case, the attributes to
   be applied to any given tunnel SHOULD all contain the same value in
   their respective Tag fields; otherwise, the Tag field SHOULD NOT be
   used.

   If the RADIUS server returns attributes describing multiple tunnels
   then the tunnels SHOULD be interpreted by the tunnel initiator as
   alternatives and the server SHOULD include an instance of the
   Tunnel-Preference Attribute in the set of Attributes pertaining to
   each alternative tunnel.  Similarly, if the RADIUS client includes
   multiple sets of tunnel Attributes in an Access-Request packet, all
   the Attributes pertaining to a given tunnel SHOULD contain the same
   value in their respective Tag fields and each set SHOULD include an
   appropriately valued instance of the Tunnel-Preference Attribute.

3.1.  Tunnel-Type

   Description

      This Attribute indicates the tunneling protocol(s) to be used (in
      the case of a tunnel initiator) or the the tunneling protocol in
      use (in the case of a tunnel terminator).  It MAY be included in
      Access-Request, Access-Accept and Accounting-Request packets.  If
      the Tunnel-Type Attribute is present in an Access-Request packet
      sent from a tunnel initiator, it SHOULD be taken as a hint to the
      RADIUS server as to the tunnelling protocols supported by the
      tunnel end-point; the RADIUS server MAY ignore the hint, however.
      A tunnel initiator is not required to implement any of these
      tunnel types; if a tunnel initiator receives an Access-Accept
      packet which contains only unknown or unsupported Tunnel-Types,
      the tunnel initiator MUST behave as though an Access-Reject had
      been received instead.

      If the Tunnel-Type Attribute is present in an Access-Request
      packet sent from a tunnel terminator, it SHOULD be taken to
      signify the tunnelling protocol in use.  In this case, if the
      RADIUS server determines that the use of the communicated protocol
      is not authorized, it MAY return an Access-Reject packet.  If a
      tunnel terminator receives an Access-Accept packet which contains



Zorn, et al.                 Informational