RADIUS EXTensions (radext)
--------------------------

Charter
Last Modified: 2008-05-29

Current Status: Active Working Group

Chair(s):
    Bernard Aboba  <[email protected]>
    David Nelson  <[email protected]>

Operations and Management Area Director(s):
    Dan Romascanu  <[email protected]>
    Ronald Bonica  <[email protected]>

Operations and Management Area Advisor:
    Dan Romascanu  <[email protected]>

Technical Advisor(s):
    Paul Congdon  <[email protected]>

Mailing Lists:
    General Discussion:[email protected]
    To Subscribe:      [email protected]
        In Body:       In Body: subscribe
    Archive:           https://ops.ietf.org/lists/radiusext

Description of Working Group:

The RADIUS Extensions Working Group will focus on extensions to the
RADIUS protocol required to define extensions to the standard
attribute space as well as to address cryptographic algorithm
agility and use over new transports. In addition, RADEXT will
work on RADIUS Design Guidelines and define new attributes for
particular applications of authentication, authorization and
accounting such as NAS management and local area network (LAN) usage.

In order to enable interoperation of heterogeneous RADIUS/Diameter
deployments, all RADEXT WG work items MUST contain a Diameter
compatibility section, outlining how interoperability with
Diameter will be maintained.

Furthermore, to ensure backward compatibility with existing RADIUS
implementations, as well as compatibility between RADIUS and Diameter,
the following restrictions are imposed on extensions considered by the
RADEXT WG:

- All documents produced MUST specify means of interoperation with
legacy RADIUS and, if possible, be backward
compatible with existing RADIUS RFCs, including RFCs 2865-2869,
3162, 3575, 3579, 3580, 4668-4673,4675, 5080, 5090 and 5176.
Transport profiles should, if possible, be compatible with RFC 3539.

- All RADIUS work MUST be compatible with equivalent facilities in
Diameter. Where possible, new attributes should be defined so that
the same attribute can be used in both RADIUS and Diameter without
translation. In other cases a translation considerations
section should be included in the specification.


Work Items

The immediate goals of the RADEXT working group are to address the
following issues:

- RADIUS design guidelines. This document will provide guidelines for
design of RADIUS attributes. It will specifically consider how
complex data types may be introduced in a robust manner, maintaining
backwards compatibility with existing RADIUS RFCs, across all the
classes of attributes: Standard, Vendor-Specific and SDO-Specific.
In addition, it will review RADIUS data types and associated
backwards compatibility issues.

- RADIUS Management authorization. This document will define the
use of RADIUS for NAS management over IP.

-RADIUS attribute space extension. The standard RADIUS attribute
space is currently being depleted. This document will provide
additional standard attribute space, while maintaining backward
compatibility with existing attributes.

-RADIUS Cryptographic Algorithm Agility. RADIUS has traditionally
relied on MD5 for both per-packet integrity and authentication as well
as attribute confidentiality. Given the increasingly successful
attacks being mounted against MD5, the ability to support
alternative algorithms is required. This work item will
include documentation of RADIUS crypto-agility requirements,
as well as development of one or more Experimental RFCs providing
support for negotiation of alternative cryptographic algorithms
to protect RADIUS.

- IEEE 802 attributes. New attributes have been proposed to
support IEEE 802 standards for wired and wireless LANs. This
work item will support authentication, authorization and
accounting attributes needed by IEEE 802 groups including
IEEE 802.1, IEEE 802.11 and IEEE 802.16.

- New RADIUS transports. A reliable transport profile for
RADIUS will be developed, as well as specifications for
Secure transports, including TCP/TLS (RADSEC) and UDP/DTLS.

- Documentation of Status-Server usage. A document
describing usage of the Status-Server facility will be
developed.

Goals and Milestones:

  Done         Updates to RFC 2618-2621 RADIUS MIBs submitted for publication

  Done         SIP RADIUS authentication draft submitted as a Proposed
               Standard RFC

  Done         RFC 2486bis submitted as a Proposed Standard RFC

  Done         RFC 3576 MIBs submitted as an Informational RFC

  Done         RADIUS VLAN and Priority Attributes draft submitted as a
               Proposed Standard RFC (reduced in scope)

  Done         RADIUS Implementation Issues and Fixes draft submitted as an
               Informational RFC

  Done         RADIUS Filtering Attributes draft submitted as a Proposed
               Standard RFC (split out from VLAN & Priority draft)

  Done         RFC 3576bis submitted as an Informational RFC (split out from
               Issues & Fixes draft)

  Done         RADIUS Redirection Attributes draft submitted as a Proposed
               Standard RFC (split out from VLAN & Priority draft)

  Jun 2008       RADIUS Design Guidelines submitted as a Best Current Practice
               RFC

  Jun 2008       RADIUS Management Authorization I-D submitted as a Proposed
               Standard RFC

  Sep 2008       Extended Attributes I-D submitted as a Proposed Standard RFC

  Sep 2008       RADIUS Crypto-agility Requirements submitted as an
               Informational RFC

  Dec 2008       IEEE 802 Attributes I-D submitted as a Proposed Standard RFC

  Jan 2009       Reliable Transport Profile for RADIUS I-D submitted as a
               Proposed Standard RFC

  Mar 2009       Status-Server I-D submitted as a Proposed Standard RFC

  Mar 2009       RADSEC (RADIUS over TCP/TLS) draft submitted as an Experimental
               RFC

  Jun 2009       RADIUS Cryptographic Algorithm Agility I-D submitted as an
               Experimental RFC

  Jun 2009       RADIUS over DTLS I-D submitted as an Experimental RFC


Internet-Drafts:

Posted Revised         I-D Title   <Filename>
------ ------- --------------------------------------------
Aug 2007 Feb 2008   <draft-ietf-radext-management-authorization-02.txt>
               Remote Authentication Dial-In User Service (RADIUS)
               Authorization for Network Access Server (NAS) Management

Sep 2007 Dec 2007   <draft-ietf-radext-design-02.txt>
               RADIUS Design Guidelines

Nov 2007 Mar 2008   <draft-ietf-radext-extended-attributes-03.txt>
               Extended Remote Authentication Dial In User Service (RADIUS)
               Attributes

May 2008 May 2008   <draft-ietf-radext-crypto-agility-requirements-00.txt>
               Crypto-Agility Requirements for Remote Dial-In User Service
               (RADIUS)

Request For Comments:

 RFC   Stat Published     Title
------- -- ----------- ------------------------------------
RFC4282Standard  Dec 2005    The Network Access Identifier

RFC4372Standard  Jan 2006    Chargeable User Identity

RFC4590 PS   Jul 2006    RADIUS Extension for Digest Authentication

RFC4668 PS   Aug 2006    RADIUS Authentication Client MIB for IPV6

RFC4669 PS   Aug 2006    RADIUS Authentication Server MIB for IPv6

RFC4671 I    Aug 2006    RADIUS Accounting Server MIB for IPv6

RFC4670 I    Aug 2006    RADIUS Accounting Client MIB for IPv6

RFC4672 I    Sep 2006    RADIUS Dynamic Authorization Client MIB

RFC4673 I    Sep 2006    RADIUS Dynamic Authorization Server MIB

RFC4675 PS   Sep 2006    RADIUS Attributes for Virtual LAN and Priority Support

RFC4818 PS   Apr 2007    RADIUS Delegated-IPv6-Prefix Attribute

RFC4849 PS   Apr 2007    RADIUS Filter Rule Attribute

RFC5080 PS   Dec 2007    Common Remote Authentication Dial In User Service
                      (RADIUS) Implementation Issues and Suggested Fixes

RFC5176 I    Jan 2008    Dynamic Authorization Extensions to Remote
                      Authentication Dial In User Service (RADIUS)

RFC5090 PS   Feb 2008    RADIUS Extension for Digest Authentication