International Roaming Access Protocols (IRAP) Program
Test Specification
Protocol Implementation Conformance Statement (PICS) proforma for IRAP interfaces
Specification v.0.7 February 2005

Date: 2005-02-16 Version 0.7 Page: 1 of 40
Revision History

Revision | Author | Date | Comments
1.0 | Carlos Perez, Carlos Cárdenas | 2004-11-05 | Final version
Contributors

Janie Baños | CETECOM, Spain
Carlos Pérez | CETECOM, Spain
Carlos Cárdenas | CETECOM, Spain
Jeremy Rover | Intel Corporation

Disclaimer and copyright notice

THIS DRAFT DOCUMENT IS PROVIDED AS IS WITH NO WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY, NONINFRINGEMENT, FITNESS FOR ANY PARTICULAR PURPOSE, OR ANY WARRANTY OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. Any liability, including liability for infringement of any proprietary rights, relating to use of information in this document is disclaimed. No license, express or implied, by estoppels or otherwise, to any intellectual property rights is granted herein. This document is an intermediate draft for comment only and is subject to change without notice. No products should be designed based on this document.
Contents

1 Scope
2 References
3 Definitions and abbreviations
A: ICS Proforma
A:1 Role
A:2 WS Client
A:3 Access Network
A:4 Home Service Provider
A:5 Intermediary
1 Scope

This document specifies the Protocol Implementation Conformance Statement (PICS) for IRAP interfaces.

2 References

The following documents contain provisions, which through reference in this text constitute provisions of the present document. References are either specific (identified by date of publication, edition number, version number, etc) or non-specific. For a specific reference, subsequent revisions do not apply. For a non-specific reference, the latest version applies.

[1] ISO/IEC 9646-1: Information technology - Open Systems Interconnection - Conformance testing methodology and framework - Part 1: General concepts.
[2] Public WLAN Roaming Interfaces Specification v 0.94. IRAP Project. January 2005.
[3] Public WLAN Roaming Market Requirements. IRAP Project. August 2004.
[4] RFC 2865 RADIUS (Remote Authentication Dial In User).
[5] Wi-Fi 802.11a with WPA system Interoperability Test Plan v2.2 June 2004.
[6] Wi-Fi 802.11b with WPA system Interoperability Test Plan v2.2 June 2004.
[7] Wi-Fi 802.11g with WPA system Interoperability Test Plan v2.2 June 2004.
[8] ANSI/IEEE Std 802.11-1999 Edition. Standard for Information Technology - Telecommunications and information exchange between systems - Local and Metropolitan Area networks - Specific requirements - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications.
[9] ANSI/IEEE Std 802.11b-1999 Edition. IEEE Standard for Information Technology - Telecommunications and information exchange between systems - Local and Metropolitan Area networks - Specific requirements - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications: Higher Speed Physical Layer (PHY) Extension in the 2.4 GHz band.
[10] IEEE. Standards for local and metropolitan area networks: Standard for port based network access control. IEEE Draft P802.1X/D11, March 2001.
[11] RFC 2716, "PPP EAP TLS Authentication Protocol"
[12] draft-ietf-pppext-eap-ttls-05.txt, "EAP Tunneled TLS Authentication Protocol (EAP-TTLS)"
[13] draft-josefsson-pppext-eap-tls-eap-02.txt, "Protected EAP Protocol (PEAP)"
[14] draft-haverinen-pppext-eap-sim-14.txt, "Extensible Authentication Protocol Method for GSM Subscriber Identity Modules (EAP-SIM)"
[15] RFC 2759, "Microsoft PPP CHAP Extensions, Version 2"
[16] RFC 2246, "The TLS Protocol Version 1.0"
[17] RFC 3580, "IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines"
[18] RFC 3579, "RADIUS (Remote Authentication Dial In User Service) For Extensible Authentication Protocol (EAP)"
[19] RFC 2486, "The Network Access Identifier"
[20] RFC 2866, "RADIUS Accounting"
3 Definitions and abbreviations

AAA: Authentication, Authorization and Accounting
AN: Access Network
AP: Access Point
ASP: Abstract Service Primitive
ATC: Abstract Test Case
ATM: Abstract Test Method
EAP: Extensible Authentication Protocol
LAN: Local Access Network
LT: Lower Tester
NAI: Network Access Identifier
PCO: Point of Control and Observation
PDU: Protocol Data Unit
PICS: Protocol Implementation Conformance Statement
SIM: Subscriber Identity Module
SSL: Secure Socket Layer
SUT: System Under Test
TLS: Transport Layer Security
TP: Test Purpose
TSS: Test Suite Structure
UAM: Universal Access Method
UT: Upper Tester
VLAN: Virtual LAN
WPA: Wi-Fi Protected Access
WS: Wireless Station
A: ICS Proforma

A:1 Role

A:1.1 Roles

Item | Role | Reference | Status
1 | Wireless Station Client | Clause 2.1 | O.1
2 | Access Network | Clause 2.1 | O.1
3 | Home Service Provider | Clause 2.1 | O.1
4 | Intermediary | Clause 2.1 | O.1

O.1: It is mandatory to support at least one of the defined roles

A:2 WS Client

A:2.1 Type of IEEE 802.11 (WFA certification) WS Client devices
Prerequisite: A:1.1/1

1 | WFA WPA 802.11 a compliant | Clause 3.2.1 | X
2 | WFA WPA 802.11 b compliant | Clause 3.2.1 | O.1
3 | WFA WPA 802.11 ab compliant | Clause 3.2.1 | O.1
4 | WFA WPA 802.11 bg compliant | Clause 3.2.1 | O.1
5 | WFA WPA 802.11 abg compliant | Clause 3.2.1 | O.1
6 | WFA WPA 2 Enterprise compliant | Clause 3.2.1 | O

X: Excluded.
O.1: It is mandatory to be at least one of the defined devices
A:2.2 WS Client: Hotspot identification
Prerequisite: A:1.1/1

1 | Capable to differentiate between multiple BSSID capability information elements which have the same SSID | Clause 3.2.1

A:2.3 WS Client: Access method support
Prerequisite: A:1.1/1

1 | UAM access method | Clause 3.2.1 | O
2 | WPA/802.1X access method | Clause 3.2.1

A:2.4 WS Client: Authentication and Authorization mode support
Prerequisite: A:1.1/1

1 | UAM authentication and authorization method using HTTPS | Clause 3.2.1 | C.1
2 | WPA/802.1X authentication and authorization method | Clause 3.2.1
3 | for an EAP method for mutual authentication and key deriving | Clause 3.2.1 | C.2
4 | Capable to generate NAI as specified by RFC 2486bis | Clause 3.2.1 | C.2

C.1: Mandatory if UAM access method is supported
C.2: Mandatory if WPA/802.1X access method is supported
A:2.5 WS Client: EAP methods
Prerequisite: A:1.1/1

1 | EAP-TLS | Clause 3.2.3 | O.1
2 | EAP-TTLS | Clause 3.2.3 | O.1
3 | PEAP/EAP-MSCHAPv2 | Clause 3.2.3 | O.1
4 | EAP-SIM | Clause 3.2.3 | O.1
5 | EAP-AKA | Clause 3.2.3 | O.1
6 | Other EAP method | Clause 3.2.3 | O.1

O.1: It is mandatory to be at least one of the defined methods

A:2.6 WS Client: User logout support
Prerequisite: A:1.1/1

1 | for explicit logout via the 802.11 Disassociation message | Clause 3.2.1 | O
2 | for explicit logout via EAPOL-Logoff message from the EAP supplicant | Clause 3.2.1 | O
A:3 Access Network

A:3.1 Access Network (Interface 1 endpoint A): Type of IEEE 802.11 WLAN devices (WFA certification)
Prerequisite: A:1.1/2

1 | WFA WPA 802.11 a compliant | Clause 4.2.1 | X
2 | WFA WPA 802.11 b compliant | Clause 4.2.1 | O.1
3 | WFA WPA 802.11 ab compliant | Clause 4.2.1 | O.1
4 | WFA WPA 802.11 bg compliant | Clause 4.2.1 | O.1
5 | WFA WPA 802.11 abg compliant | Clause 4.2.1 | O.1
6 | WFA WPA 2 Enterprise | Clause 4.2.1 | O

X: Excluded.
O.1: It is mandatory to be at least one of the defined devices

A:3.2 Access Network (Interface 1 endpoint A): Access method support
Prerequisite: A:1.1/2

1 | UAM access method | Clause 3.2.2 | O
2 | WPA/802.1X access method | Clause 3.2.2
A:3.3 Access Network (Interface 1 endpoint A): Hotspot identification
Prerequisite: A:1.1/2

1 | SSID used for WPA/802.1X is broadcasted according to IEEE 802.11 specification | Clause 3.2.2
2 | SSID used for UAM is broadcasted according to IEEE 802.11 specification | Clause 3.2.2 | C.1
3 | The beacon message contains the WPA Information Element for WPA/802.1X access method | Clause 3.2.2
4 | The beacon message indicates open authentication by not requiring WEP or 802.1X for UAM access method | Clause 3.2.2 | C.1

C.1: Mandatory if UAM access method is supported.

A:3.4 Access Network (Interface 1 Endpoint A): Authentication and Authorization method support
Prerequisite: A:1.1/2

1 | UAM authentication and authorization method | Clause 3.2.2 | C.1
2 | Secure authentication of credentials over HTTPS | Clause 3.2.2 | C.1
3 | Guest access prior to network authentication | Clause 2.2 | O
4 | Redirection to a login web page while user in unauthenticated mode | Clause 3.2.2 | C.1
5 | WPA/802.1X authentication and authorization method | Clause 3.2.2 | C.2
6 | for EAPOL messages | Clause 3.2.2 | C.2
7 | for transport EAP messages of any EAP method types | Clause 3.2.2 | C.2
8 | for NAI as specified by RFC 2486bis | Clause 3.2.2 | C.2

C.1: Mandatory if UAM access method is supported
C.2: Mandatory if WPA/802.1X access method supported
A:3.5 Access Network (Interface 1 Endpoint A): IP Connectivity
Prerequisite: A:1.1/2

1 | Provide DHCP Service | Clause 3.2.2
2 | Provide assignment of WS Client IP address | Clause 3.2.2
3 | Provide assignment of WS Client net mask address | Clause 3.2.2
4 | Provide assignment of WS Client gateway IP address | Clause 3.2.2
5 | Provide WS client DNS server address | Clause 3.2.2

A:3.6 Access Network (Interface 1 Endpoint A): for Logout
Prerequisite: A:1.1/2

1 | for explicit logout by the WS Client via the 802.11 Disassociate | Clause 3.2.2 | C.2
2 | for explicit logout by the WS Client via EAPOL-Logoff message | Clause 3.2.2 | C.2
3 | It does not act on EAPOL-Logoff message until the client has completed WPA authentication and successfully established keys | Clause 3.2.2 | C.2

C.2: Mandatory if WPA/802.1X access method supported
A:3.7 Access Network (Interface 2 endpoint A): Standards supported
Prerequisite: A:1.1/2

1 | IETF Standards support (RFC 2865 RADIUS) | Clause 4.2.1
2 | IETF Standards support (RFC 2866 RADIUS Accounting) | Clause 4.2.1
3 | IETF Standards support (RFC 2869 RADIUS Extensions) | Clause 4.2.1
4 | IETF Standards support (RFC 3579 RADIUS support for EAP) | Clause 4.2.1
5 | IETF Standards support (RFC 3580 802.1X over RADIUS) | Clause 4.2.1
6 | IETF Standards support (RFC 3748 EAP) | Clause 4.2.1
7 | Must be able to route RADIUS messages based on the NAI (RFC 2486bis NAI specification) | Clause 4.2.1
8 | Accept WPA keying information contained in Microsoft vendor-specific RADIUS attributes (RFC 2548) | Clause 4.2.1
9 | IPSec to protect RADIUS transmissions | Clause 4.2.1

Status (row not identifiable from the extracted layout): O

A:3.8 Access Network (Interface 3 endpoint A): Standards support
Prerequisite: A:1.1/2

1 | IETF Standards support (RFC 2865 RADIUS) | Clause 5.2.1
2 | IETF Standards support (RFC 2866 RADIUS Accounting) | Clause 5.2.1
3 | IPSec to protect RADIUS transmissions | Clause 5.2.1

Status (row not identifiable from the extracted layout): O
A:3.9 Access Network (Interface 2 endpoint A): RADIUS Messages support
Prerequisite: A:1.1/2

1 | Access-Request | Clause 4.4
2 | Access-Accept | Clause 4.4
3 | Access-Reject | Clause 4.4
4 | Access-Challenge | Clause 4.4

A:3.10 Access Network (Interface 3 endpoint A): RADIUS Messages support
Prerequisite: A:1.1/2

1 | Accounting-Request | Clause 4.4
2 | Accounting-Response | Clause 4.4

A:3.11 Access Network (Interface 2 endpoint A): RADIUS Access-Request message attributes (Send)
Prerequisite: A:1.1/1

1 | User-name (1) | Clause 4.4
2 | User Password (2) | Clause 4.4 | C.1
3 | NAS-IP-Address (4) | Clause 4.4
4 | NAS-Port (5) | Clause 4.4
5 | Service-Type (6) | Clause 4.4 | O
6 | State (24) | Clause 4.4 | O
7 | Called-Station-ID (30) | Clause 4.4
8 | Calling-Station-ID (31) | Clause 4.4
9 | NAS-Identifier (32) | Clause 4.4
10 | Proxy-State (33) | Clause 4.4
11 | Acct-Session-Id (44) | Clause 4.4 | O
12 | NAS-Port-Type (61) | Clause 4.4
13 | EAP-Message (79) | Clause 4.4 | C.2
14 | Message-authenticator (80) | Clause 4.4 | C.2

C.1: Mandatory if UAM access method is used.
C.2: Mandatory if WPA or WPA2 access method is used.
A:3.12 Access Network (Interface 2 endpoint A): RADIUS Access-Accept message attributes (Receive)
Prerequisite: A:1.1/1

1 | User-name (1) | Clause 4.4
2 | Service Type (6) | Clause 4.4
3 | Reply Message (18) | Clause 4.4 | C.1
4 | Class (25) | Clause 4.4
5 | MS-MPPE-Recv-Key (16) | Clause 4.4 | C.2
6 | MS-MPPE-Send-Key (17) | Clause 4.4 | C.2
7 | Session-Timeout (27) | Clause 4.4
8 | Idle-Timeout (28) | Clause 4.4
9 | Termination Action (29) | Clause 4.4
10 | Proxy State (33) | Clause 4.4
11 | Acct-Session-ID (44) | Clause 4.4
12 | EAP Message (79) | Clause 4.4 | C.2
13 | Message Authenticator (80) | Clause 4.4 | C.2
14 | Acct-Interim-Interval (85) | Clause 4.4

C.1: Optional if UAM access is supported.
C.2: Mandatory if WPA or WPA2 is used.

A:3.13 Access Network (Interface 2 endpoint A): RADIUS Access-Reject message attributes (Receive)
Prerequisite: A:1.1/1

1 | Reply Message (18) | Clause 4.4 | C.1
2 | Proxy-State (33) | Clause 4.4
3 | EAP Message (79) | Clause 4.4 | C.2
4 | Message authenticator (80) | Clause 4.4 | C.2

C.1: Mandatory if UAM access method is supported.
C.2: Mandatory if WPA or WPA2 is used.
A:3.14 Access Network (Interface 2 endpoint A): RADIUS Access-Challenge message attributes (Receive)
Prerequisite: A:1.1/1

1 | Reply Message (18) | Clause 4.4 | C.1
2 | State (24) | Clause 4.4
3 | Proxy-State (33) | Clause 4.4
4 | Acct-Session-Id (44) | Clause 4.4
5 | EAP Message (79) | Clause 4.4 | C.2
6 | Message-authenticator (80) | Clause 4.4 | C.2

C.1: Mandatory if UAM access method is supported
C.2: Mandatory if WPA or WPA2 is used

A:3.15 Access Network (Interface 3 Endpoint A): Accounting using RADIUS
Prerequisite: A:1.1/1

1 | An Accounting-Start message is sent when the client successfully authenticates to the network and is authorized for services | Clause 5.2.1
2 | An Accounting-Stop message is sent when session timeout expires | Clause 5.2.1
3 | An Accounting-Stop message is sent when inactivity timer expires | Clause 5.2.1
4 | An Accounting-Stop message is sent when Access Network detects that WS client has disconnected or disassociated | Clause 5.2.1
5 | Accounting-Interim records are sent at least every 5 minutes | Clause 5.2.1
6 | WS IP address is included in Framed-IP-Address attribute in the Accounting Start message | Clause 5.2.1
7 | WS IP address is included in Framed-IP-Address attribute in the Accounting Stop message | Clause 5.2.1
8 | WS IP address is included in Framed-IP-Address attribute in the Accounting Interim message | Clause 5.2.1
9 | Accounting On and Off messages are sent to the home network when it undergoes a reset | Clause 5.2.1
10 | Accounting messages contain the same Acct-Session-Id attribute for each physical entity if multiple accounting messages are generated by different physical entities under the same session | Clause 5.2.1
11 | Attempting to deliver accounting records until an acknowledgement is received | Clause 5.2.1 | O

Status for items 1 to 10 (row not identifiable from the extracted layout): O

A:3.16 Access Network (Interface 3 endpoint A): RADIUS Accounting-Start message attributes (Send)
Prerequisite: A:1.1/1

1 | User-name (1) | Clause 5.4
2 | NAS-IP-Address (4) | Clause 5.4
3 | NAS-Port (5) | Clause 5.4
4 | Service-Type (6) | Clause 5.4 | O
5 | Framed-IP-Address (8) | Clause 5.4
6 | Class (25) | Clause 5.4 | O
7 | Called-Station-Id (30) | Clause 5.4
8 | Calling-Station-Id (31) | Clause 5.4
9 | NAS-Identifier (32) | Clause 5.4
10 | Acct-Status-Type (40) | Clause 5.4
11 | Acct-Delay-Time (41) | Clause 5.4
12 | Acct-Session-Id (44) | Clause 5.4
13 | Acct-Multi-Session-ID (50) | Clause 5.4 | O
14 | Event-Timestamp (55) | Clause 5.4 | O
15 | NAS-Port-Type (61) | Clause 5.4
A:3.17 Access Network (Interface 3 endpoint A): RADIUS Accounting-Stop message attributes (Send)
Prerequisite: A:1.1/1

1 | User-name (1) | Clause 5.4
2 | NAS-IP-Address (4) | Clause 5.4
3 | NAS-Port (5) | Clause 5.4
4 | Service-Type (6) | Clause 5.4 | O
5 | Framed-IP-Address (8) | Clause 5.4
6 | Class (25) | Clause 5.4 | O
7 | Called-Station-Id (30) | Clause 5.4
8 | Calling-Station-Id (31) | Clause 5.4
9 | NAS-Identifier (32) | Clause 5.4
10 | NAS-Port-Type (61) | Clause 5.4
11 | Acct-Status-Type (40) | Clause 5.4
12 | Acct-Delay-Time (41) | Clause 5.4
13 | Acct-Input-Octets (42) | Clause 5.4
14 | Acct-Output-Octets (43) | Clause 5.4
15 | Acct-Session-Id (44) | Clause 5.4
16 | Acct-Session-Time (46) | Clause 5.4
17 | Acct-Input-Packets (47) | Clause 5.4
18 | Acct-Output-Packets (48) | Clause 5.4
19 | Acct-Terminate-Cause (49) | Clause 5.4
20 | Acct-Multi-Session-ID (50) | Clause 5.4 | O
21 | Event-Timestamp (55) | Clause 5.4
A:3.18 Access Network (Interface 3 endpoint A): RADIUS Accounting-Interim message attributes (send)
Prerequisite: A:1.1/1

1 | User-name (1) | Clause 5.4
2 | NAS-IP-Address (4) | Clause 5.4
3 | NAS-Port (5) | Clause 5.4
4 | Service-Type (6) | Clause 5.4 | O
5 | Framed-IP-Address (8) | Clause 5.4
6 | Class (25) | Clause 5.4 | O
7 | Called-Station-Id (30) | Clause 5.4
8 | Calling-Station-Id (31) | Clause 5.4
9 | NAS-Identifier (32) | Clause 5.4
10 | Acct-Status-Type (40) | Clause 5.4
11 | Acct-Delay-Time (41) | Clause 5.4
12 | Acct-Input-Octets (42) | Clause 5.4
13 | Acct-Output-Octets (43) | Clause 5.4
14 | Acct-Session-Id (44) | Clause 5.4
15 | Acct-Session-Time (46) | Clause 5.4
16 | Acct-Input-Packets (47) | Clause 5.4
17 | Acct-Output-Packets (48) | Clause 5.4
18 | Acct-Multi-Session-ID (50) | Clause 5.4 | O
19 | Event-Timestamp (55) | Clause 5.4 | O
20 | NAS-Port-Type (61) | Clause 5.4
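
An added example, not part of the IRAP specification or its test suite: a checker that a tester could run over captured Accounting-Request packets to evaluate items 1 and 5 to 8 of A:3.15, using the attribute numbers listed in A:3.16 to A:3.18. The function names, the capture format (receive time in seconds plus raw packet bytes) and the sample packets are assumptions constructed for illustration; the Request Authenticator is not verified.

```python
import struct
from ipaddress import IPv4Address

ACCOUNTING_REQUEST = 4                      # RADIUS packet code (RFC 2866)
FRAMED_IP_ADDRESS, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 8, 40, 44
START, STOP, INTERIM = 1, 2, 3              # Acct-Status-Type values
MAX_GAP_SECONDS = 5 * 60                    # A:3.15 item 5
# A:3.15 items 6-8: Framed-IP-Address in Start, Stop and Interim records
FRAMED_IP_ITEM = {START: "A:3.15/6", STOP: "A:3.15/7", INTERIM: "A:3.15/8"}


def parse_attributes(packet):
    """Return {attribute type: [value, ...]} for one Accounting-Request."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError(f"code {code} is not Accounting-Request")
    if not 20 <= length <= len(packet):
        raise ValueError("Length field disagrees with the packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError(f"attribute {attr_type} has a bad length")
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + attr_len])
        pos += attr_len
    return attrs


def check_accounting(capture):
    """capture: [(receive_time_seconds, packet_bytes), ...].

    Returns a list of (session id, PICS item, detail) findings.
    """
    sessions, findings = {}, []
    for rx_time, packet in capture:
        attrs = parse_attributes(packet)
        if ACCT_SESSION_ID not in attrs or ACCT_STATUS_TYPE not in attrs:
            findings.append(("?", "A:3.16-A:3.18",
                             f"t={rx_time}: no Acct-Session-Id or Acct-Status-Type"))
            continue
        session = attrs[ACCT_SESSION_ID][0].decode("ascii", "replace")
        status = int.from_bytes(attrs[ACCT_STATUS_TYPE][0], "big")
        sessions.setdefault(session, []).append(
            (rx_time, status, FRAMED_IP_ADDRESS in attrs))
    for session, records in sessions.items():
        records.sort()                      # order by receive time
        if records[0][1] != START:
            findings.append((session, "A:3.15/1",
                             "session does not begin with Accounting-Start"))
        for rx_time, status, has_ip in records:
            if status in FRAMED_IP_ITEM and not has_ip:
                findings.append((session, FRAMED_IP_ITEM[status],
                                 f"t={rx_time}: Framed-IP-Address missing"))
        for (t0, s0, _), (t1, _s1, _) in zip(records, records[1:]):
            if s0 != STOP and t1 - t0 > MAX_GAP_SECONDS:
                findings.append((session, "A:3.15/5",
                                 f"{t1 - t0} s without an accounting record"))
    return findings


def build_accounting_request(status, session_id, framed_ip=None):
    """Build a constructed sample packet (all-zero authenticator)."""
    attrs = bytes([ACCT_STATUS_TYPE, 6]) + struct.pack("!I", status)
    attrs += bytes([ACCT_SESSION_ID, 2 + len(session_id)]) + session_id
    if framed_ip is not None:
        attrs += bytes([FRAMED_IP_ADDRESS, 6]) + IPv4Address(framed_ip).packed
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, 0, 20 + len(attrs))
    return header + bytes(16) + attrs


# Constructed capture: sess-A has a 410 s gap and an Interim record without
# Framed-IP-Address; sess-B has no Accounting-Start.
SAMPLE_CAPTURE = [
    (0, build_accounting_request(START, b"sess-A", "192.0.2.10")),
    (290, build_accounting_request(INTERIM, b"sess-A", "192.0.2.10")),
    (700, build_accounting_request(INTERIM, b"sess-A")),
    (900, build_accounting_request(STOP, b"sess-A", "192.0.2.10")),
    (10, build_accounting_request(INTERIM, b"sess-B", "192.0.2.11")),
    (100, build_accounting_request(STOP, b"sess-B", "192.0.2.11")),
]

if __name__ == "__main__":
    for finding in check_accounting(SAMPLE_CAPTURE):
        print(*finding, sep=" | ")
```
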
A:4 Home Service Provider

A:4.1 Home Service Provider: Authentication and Authorization mode support
Prerequisite: A:1.1/3

1 | for WPA/802.1X authentication and authorization method
2 | for NAI as specified in RFC 2486bis
3 | for WPA/802.1X authentication and authorization with Access Networks with WPA2 compliant devices

Status (row not identifiable from the extracted layout): O

A:4.2 Home Service Provider (Interface 3 endpoint H): Standards support
Prerequisite: A:1.1/3

1 | IETF Standards support (RFC 2865 RADIUS)
2 | Capable of generating at least 3 RADIUS Class attributes
2 | IETF Standards support (RFC 2866 RADIUS Accounting)
3 | IETF Standards support (RFC 2869 RADIUS Extensions)
4 | IETF Standards support (RFC 3579 RADIUS support for EAP)
5 | IETF Standards support (RFC 3580 802.1X over RADIUS)
6 | IETF Standards support (RFC 3748 EAP)
7 | IETF Standards support (RFC 2486bis NAI specification)
8 | IETF Standards support (RFC 2548 Microsoft Vendor Specific attributes)
9 | IPSec to protect RADIUS transmissions

Status (row not identifiable from the extracted layout): O
A:4.3 Home Service Provider (Interface 3 endpoint H): Standards support
Prerequisite: A:1.1/3

1 | IETF Standards support (RFC 2865 RADIUS)
2 | IETF Standards support (RFC 2866 RADIUS Accounting)
3 | IPSec to protect RADIUS transmissions

Status (row not identifiable from the extracted layout): O

A:4.4 Home Service Provider (Interface 2 endpoint H): RADIUS Messages support
Prerequisite: A:1.1/3

1 | Access-Request | Clause 4.4
2 | Access-Accept | Clause 4.4
3 | Access-Reject | Clause 4.4
4 | Access-Challenge | Clause 4.4

A:4.5 Home Service Provider (Interface 3 endpoint H): RADIUS Accounting Messages support
Prerequisite: A:1.1/3

1 | Accounting-Request | Clause 4.4
2 | Accounting-Response | Clause 4.4
A:4.6 Home Service Provider (Interface 2 endpoint H): RADIUS Access-Request message attributes (receive)
Prerequisite: A:1.1/3

1 | User-name (1) | Clause 4.4
2 | User Password (2) | Clause 4.4 | C.1
3 | NAS-IP-Address (4) | Clause 4.4
4 | NAS-Port (5) | Clause 4.4
5 | Service-Type (6) | Clause 4.4
6 | State (24) | Clause 4.4
7 | Called-Station-ID (30) | Clause 4.4
8 | Calling-Station-ID (31) | Clause 4.4
9 | NAS-Identifier (32) | Clause 4.4
10 | Proxy-State (33) | Clause 4.4
11 | Acct-Session-Id (44) | Clause 4.4
12 | NAS-Port-Type (61) | Clause 4.4
13 | EAP Message (79) | Clause 4.4 | C.2
14 | Message-authenticator (80) | Clause 4.4 | C.2

C.1: Mandatory if UAM access method is supported.
C.2: Mandatory if WPA or WPA2 is used
A:4.7 Home Service Provider (Interface 2 endpoint H): RADIUS Access-Accept message attributes (send)
Prerequisite: A:1.1/3

1 | User-name (1) | Clause 4.4
2 | Service Type (6) | Clause 4.4 | O
3 | Reply-Message | Clause 4.4 | C.1
4 | Class (25) | Clause 4.4 | O
5 | MS-MPPE-Recv-Key (16) | Clause 4.4 | C.2
6 | MS-MPPE-Send-Key (17) | Clause 4.4 | C.2
7 | Session-Timeout (27) | Clause 4.4 | O
8 | Idle-Timeout (28) | Clause 4.4 | O
9 | Termination Action (29) | Clause 4.4 | C.2
10 | Proxy State (33) | Clause 4.4
11 | Acct-Session-Id (44) | Clause 4.4 | O
12 | EAP Message (79) | Clause 4.4 | C.2
13 | Message Authenticator (80) | Clause 4.4 | C.2
14 | Acct-Interim-Interval (85) | Clause 4.4 | O

C.1: Optional if UAM access method is supported
C.2: Mandatory if WPA or WPA2 is used.

A:4.8 Home Service Provider (Interface 2 endpoint H): RADIUS Access-Reject message attributes (send)
Prerequisite: A:1.1/3

1 | Reply Message (18) | Clause 4.4 | C.1
2 | Proxy-State (33) | Clause 4.4
3 | EAP Message (79) | Clause 4.4 | C.2
4 | Message authenticator (80) | Clause 4.4 | C.2

C.1: Optional if UAM access method is supported
C.2: Mandatory if WPA or WPA2 is used.
A:4.9 Home Service Provider (Interface 2 endpoint H): RADIUS Access-Challenge message attributes (send)
Prerequisite: A:1.1/3

1 | Reply Message (18) | Clause 4.4 | C.1
2 | State (24) | Clause 4.4 | O
3 | Proxy-State (33) | Clause 4.4
4 | Acct-Session-Id (44) | Clause 4.4 | O
5 | EAP Message (79) | Clause 4.4 | C.2
6 | Message-authenticator (80) | Clause 4.4 | C.2

C.1: Optional if UAM access method is supported
C.2: Mandatory if WPA or WPA2 is used

A:4.10 Home Service Provider (Interface 3 endpoint H): RADIUS Accounting-Start message attributes (receive)
Prerequisite: A:1.1/3

1 | User-name (1) | Clause 5.4
2 | NAS-IP-Address (4) | Clause 5.4
3 | NAS-Port (5) | Clause 5.4
4 | Service-Type (6) | Clause 5.4
5 | Framed-IP-Address (8) | Clause 5.4
6 | Class (25) | Clause 5.4
7 | Called-Station-Id (30) | Clause 5.4
8 | Calling-Station-ID (31) | Clause 5.4
9 | NAS-Identifier (32) | Clause 5.4
10 | Acct-Status-Type (40) | Clause 5.4
11 | Acct-Delay-Time (41) | Clause 5.4
12 | Acct-Session-Id (44) | Clause 5.4
13 | Acct-Multi-Session-Id (50) | Clause 5.4
14 | Event-Timestamp (55) | Clause 5.4
15 | NAS-Port-Type (61) | Clause 5.4
A:4.11 Home Service Provider (Interface 3 endpoint H): RADIUS Accounting-Stop message attributes (receive)
Prerequisite: A:1.1/3

1 | User-name (1) | Clause 5.4
2 | NAS-IP-Address (4) | Clause 5.4
3 | NAS-Port (5) | Clause 5.4
4 | Service-Type (6) | Clause 5.4
5 | Framed-IP-Address (8) | Clause 5.4
6 | Class (25) | Clause 5.4
7 | Called-Station-Id (30) | Clause 5.4
8 | Calling-Station-Id (31) | Clause 5.4
9 | NAS-Identifier (32) | Clause 5.4
10 | NAS-Port-Type (61) | Clause 5.4
11 | Acct-Status-Type (40) | Clause 5.4
12 | Acct-Delay-Time (41) | Clause 5.4
13 | Acct-Input-Octets (42) | Clause 5.4
14 | Acct-Output-Octets (43) | Clause 5.4
15 | Acct-Session-Id (44) | Clause 5.4
16 | Acct-Session-Time (46) | Clause 5.4
17 | Acct-Input-Packets (47) | Clause 5.4
18 | Acct-Output-Packets (48) | Clause 5.4
19 | Acct-Terminate-Cause (49) | Clause 5.4
20 | Acct-Multi-Session-ID (50) | Clause 5.4
21 | Event-Timestamp (55) | Clause 5.4
A:4.12 Home Service Provider (Interface 3 endpoint H): RADIUS Accounting-Interim message attributes (receive)
Prerequisite: A:1.1/3

1 | User-name (1) | Clause 5.4
2 | NAS-IP-Address (4) | Clause 5.4
3 | NAS-Port (5) | Clause 5.4
4 | NAS-Port-Type (61) | Clause 5.4
5 | Service-Type (6) | Clause 5.4
6 | Framed-IP-Address (8) | Clause 5.4
7 | Class (25) | Clause 5.4
8 | Called-Station-Id (30) | Clause 5.4
9 | Calling-Station-Id (31) | Clause 5.4
10 | NAS-Identifier (32) | Clause 5.4
11 | Acct-Status-Type (40) | Clause 5.4
12 | Acct-Delay-Time (41) | Clause 5.4
13 | Acct-Input-Octets (42) | Clause 5.4
14 | Acct-Output-Octets (43) | Clause 5.4
15 | Acct-Session-Id (44) | Clause 5.4
16 | Acct-Session-Time (46) | Clause 5.4
17 | Acct-Input-Packets (47) | Clause 5.4
18 | Acct-Output-Packets (48) | Clause 5.4
19 | Acct-Multi-Session-ID (50) | Clause 5.4
20 | Event-Timestamp (55) | Clause 5.4
A:4.13 Home Service Provider (Interface 2 Endpoint H): EAP methods support
Prerequisite: A:1.1/3

1 | EAP-TLS | Clause 3.2.1 | O.1
2 | EAP-TTLS | Clause 3.2.1 | O.1
3 | PEAP/EAP-MSCHAPv2 | Clause 3.2.1 | O.1
4 | EAP-SIM | Clause 3.2.1 | O.1
5 | EAP-AKA | Clause 3.2.1 | O.1
6 | Other EAP method | Clause 3.2.1 | O.1

O.1: It is mandatory to be at least one of the defined methods
A:5 Intermediary

A:5.1 Intermediary: Authentication and Authorization mode support
Prerequisite: A:1.1/4

1 | for WPA/802.1X authentication and authorization method
2 | for NAI as specified in RFC 2486bis
3 | for WPA/802.1X authentication and authorization with Access Networks with WPA2 compliant devices

Status (row not identifiable from the extracted layout): O

A:5.2 Intermediary (Interface 2I endpoint H): Standards support
Prerequisite: A:1.1/4

1 | IETF Standards support (RFC 2865 RADIUS)
2 | IETF Standards support (RFC 2866 RADIUS Accounting)
3 | IETF Standards support (RFC 2869 RADIUS Extensions)
4 | IETF Standards support (RFC 3579 RADIUS support for EAP)
5 | IETF Standards support (RFC 3580 802.1X over RADIUS)
6 | IETF Standards support (RFC 3748 EAP)
7 | IETF Standards support (RFC 2866bis NAI specification)
8 | IETF Standards support (RFC 2548 Microsoft Vendor Specific attributes)
9 | IPSec to protect RADIUS transmissions

Status (row not identifiable from the extracted layout): O
A:5.3 Intermediary (Interface 3I endpoint H): Standards support
Prerequisite: A:1.1/4

1 | IETF Standards support (RFC 2865 RADIUS)
2 | IETF Standards support (RFC 2866 RADIUS Accounting)
3 | IPSec to protect RADIUS transmissions

Status (row not identifiable from the extracted layout): O

A:5.4 Intermediary: Proxy and routing capability
Prerequisite: A:1.1/4

1 | It is able to proxy the RADIUS messages received | Clause 4.2.3
2 | It is able to modify the content of the attributes in the proxied RADIUS messages | Clause 4.2.3
3 | It is able to change the value of Proxy-State attribute of no proxied RADIUS messages if Intermediary is acting as a proxy | Clause 4.2.3
4 | It does not change the value of the Proxy-State attribute in proxied RADIUS messages | Clause 4.2.3
5 | It is capable to route according to the NAI | Clause 4.2.3

Status (row not identifiable from the extracted layout): O

A:5.5 Intermediary (Interface 2I endpoint H): RADIUS Messages support
Prerequisite: A:1.1/2

1 | Access-Request | Clause 4.4
2 | Access-Accept | Clause 4.4
3 | Access-Reject | Clause 4.4
4 | Access-Challenge | Clause 4.4
A:5.6 Intermediary (Interface 3I endpoint H): RADIUS Messages support
Prerequisite: A:1.1/2

1 | Accounting-Request | Clause 4.4
2 | Accounting-Response | Clause 4.4

A:5.7 Intermediary (Interface 2I endpoint A): RADIUS Messages support
Prerequisite: A:1.1/2

1 | Access-Request | Clause 4.4
2 | Access-Accept | Clause 4.4
3 | Access-Reject | Clause 4.4
4 | Access-Challenge | Clause 4.4

A:5.8 Intermediary (Interface 3I endpoint A): RADIUS Messages support
Prerequisite: A:1.1/2

1 | Accounting-Request | Clause 4.4
2 | Accounting-Response | Clause 4.4
A:5.9 Intermediary (Interface 2I endpoint H): RADIUS Access-Request message attributes (receive)
Prerequisite: A:1.1/4

1 | User-name (1) | Clause 4.4
2 | User Password (2) | Clause 4.4 | C.1
3 | NAS-IP-Address (4) | Clause 4.4
4 | NAS-Port (5) | Clause 4.4
5 | Service-Type (6) | Clause 4.4
6 | State (24) | Clause 4.4
7 | Called-Station-ID (30) | Clause 4.4
8 | Calling-Station-ID (31) | Clause 4.4
9 | NAS-Identifier (32) | Clause 4.4
10 | Proxy-State (33) | Clause 4.4
11 | Acct-Session-Id (44) | Clause 4.4
12 | NAS-Port-Type (61) | Clause 4.4
13 | EAP Message (79) | Clause 4.4 | C.2
14 | Message-authenticator (80) | Clause 4.4 | C.2

C.1: Mandatory if UAM access method is used in the Access Network
C.2: Mandatory if WPA or WPA2 is used in the Access Network
A:5.10 Intermediary (Interface 2I endpoint H): RADIUS Access-Accept message attributes (send)
Prerequisite: A:1.1/4

1 | User-name (1) | Clause 4.4
2 | Service Type (6) | Clause 4.4 | O
3 | Class (25) | Clause 4.4 | O
4 | MS-MPPE-Recv-Key (16) | Clause 4.4 | C.2
5 | MS-MPPE-Send-Key (17) | Clause 4.4 | C.2
6 | Session-Timeout (27) | Clause 4.4 | O
7 | Idle-Timeout (28) | Clause 4.4 | O
8 | Termination Action (29) | Clause 4.4 | C.2
9 | Proxy State (33) | Clause 4.4
10 | Acct-Session-Id (44) | Clause 4.4 | O
11 | EAP Message (79) | Clause 4.4 | C.2
12 | Message Authenticator (80) | Clause 4.4 | C.2
13 | Acct-Interim-Interval (85) | Clause 4.4 | O

C.2: Mandatory if WPA or WPA2 is used.

A:5.11 Intermediary (Interface 2I endpoint H): RADIUS Access-Reject message attributes (send)
Prerequisite: A:1.1/4

1 | Reply Message (18) | Clause 4.4 | O
2 | Proxy-State (33) | Clause 4.4
3 | EAP Message (79) | Clause 4.4 | C.2
4 | Message authenticator (80) | Clause 4.4 | C.2

C.1: Mandatory if UAM access method is supported
C.2: Mandatory if WPA or WPA2 is used.
A:5.12 Intermediary (Interface 2I endpoint H): RADIUS Access-Challenge message attributes (send)
Prerequisite: A:1.1/4

1 | Reply Message (18) | Clause 4.4 | O
2 | State (24) | Clause 4.4
3 | Proxy-State (33) | Clause 4.4
4 | Acct-Session-Id (44) | Clause 4.4 | O
5 | EAP Message (79) | Clause 4.4 | C.2
6 | Message-authenticator (80) | Clause 4.4 | C.2

C.1: Mandatory if UAM access method is supported
C.2: Mandatory if WPA or WPA2 is used

A:5.13 Intermediary (Interface 3I endpoint H): RADIUS Accounting-Start message attributes (receive)
Prerequisite: A:1.1/4

1 | User-name (1) | Clause 5.4
2 | NAS-IP-Address (4) | Clause 5.4
3 | NAS-Port (5) | Clause 5.4
4 | Service-Type (6) | Clause 5.4
5 | Framed-IP-Address (8) | Clause 5.4
6 | Class (25) | Clause 5.4
7 | Called-Station-Id (30) | Clause 5.4
8 | Calling-Station-ID (31) | Clause 5.4
9 | NAS-Identifier (32) | Clause 5.4
10 | Acct-Status-Type (40) | Clause 5.4
11 | Acct-Delay-Time (41) | Clause 5.4
12 | Acct-Session-Id (44) | Clause 5.4
13 | Acct-Multi-Session-ID (50) | Clause 5.4
14 | Event-Timestamp (55) | Clause 5.4
15 | NAS-Port-Type (61) | Clause 5.4
A:5.14 Intermediary (Interface 3I endpoint H): RADIUS Accounting-Stop message attributes (receive)
Prerequisite: A:1.1/3

1 | User-name (1) | Clause 5.4
2 | NAS-IP-Address (4) | Clause 5.4
3 | NAS-Port (5) | Clause 5.4
4 | Service-Type (6) | Clause 5.4
5 | Framed-IP-Address (8) | Clause 5.4
6 | Class (25) | Clause 5.4
7 | Called-Station-Id (30) | Clause 5.4
8 | Calling-Station-Id (31) | Clause 5.4
9 | NAS-Identifier (32) | Clause 5.4
10 | NAS-Port-Type (61) | Clause 5.4
11 | Acct-Status-Type (40) | Clause 5.4
12 | Acct-Delay-Time (41) | Clause 5.4
13 | Acct-Input-Octets (42) | Clause 5.4
14 | Acct-Output-Octets (43) | Clause 5.4
15 | Acct-Session-Id (44) | Clause 5.4
16 | Acct-Session-Time (46) | Clause 5.4
17 | Acct-Input-Packets (47) | Clause 5.4
18 | Acct-Output-Packets (48) | Clause 5.4
19 | Acct-Terminate-Cause (49) | Clause 5.4
20 | Acct-Multi-Session-ID (50) | Clause 5.4
21 | Event-Timestamp (55) | Clause 5.4
A:5.15 Intermediary (Interface 3I endpoint H): RADIUS Accounting-Interim message attributes (receive)
Prerequisite: A:1.1/4

1 | User-name (1) | Clause 5.4
2 | NAS-IP-Address (4) | Clause 5.4
3 | NAS-Port (5) | Clause 5.4
4 | NAS-Port-Type (61) | Clause 5.4
5 | Service-Type (6) | Clause 5.4
6 | Framed-IP-Address (8) | Clause 5.4
7 | Class (25) | Clause 5.4
8 | Called-Station-Id (30) | Clause 5.4
9 | Calling-Station-Id (31) | Clause 5.4
10 | NAS-Identifier (32) | Clause 5.4
11 | Acct-Status-Type (40) | Clause 5.4
12 | Acct-Delay-Time (41) | Clause 5.4
13 | Acct-Input-Octets (42) | Clause 5.4
14 | Acct-Output-Octets (43) | Clause 5.4
15 | Acct-Session-Id (44) | Clause 5.4
16 | Acct-Session-Time (46) | Clause 5.4
17 | Acct-Input-Packets (47) | Clause 5.4
18 | Acct-Output-Packets (48) | Clause 5.4
19 | Acct-Multi-Session-ID (50) | Clause 5.4
20 | Event-Timestamp (55) | Clause 5.4
A:5.16 Intermediary (Interface 2I endpoint A): RADIUS Access-Request message attributes (Send)
Prerequisite: A:1.1/4

1 | User-name (1) | Clause 4.4
2 | User Password (2) | Clause 4.4 | C.3
3 | NAS-IP-Address (4) | Clause 4.4
4 | NAS-Port (5) | Clause 4.4
5 | Service-Type (6) | Clause 4.4 | O
6 | State (24) | Clause 4.4 | O
7 | Called-Station-ID (30) | Clause 4.4
8 | Calling-Station-ID (31) | Clause 4.4
9 | NAS-Identifier (32) | Clause 4.4
10 | Proxy-State (33) | Clause 4.4
11 | Acct-Session-Id (44) | Clause 4.4 | O
12 | NAS-Port-Type (61) | Clause 4.4
13 | EAP-Message (79) | Clause 4.4 | C.2
14 | Message-authenticator (80) | Clause 4.4 | C.2

C.2: Mandatory if WPA or WPA2 is used.
C.3: Mandatory to send if Intermediary receives Access Request with this attribute
A:5.17 Intermediary (Interface 2I endpoint A): RADIUS Access-Accept message attributes (Receive)
Prerequisite: A:1.1/4

1 | User-name (1) | Clause 4.4
2 | Service Type (6) | Clause 4.4
3 | Class (25) | Clause 4.4
4 | MS-MPPE-Recv-Key (26) | Clause 4.4 | C.2
5 | MS-MPPE-Send-Key (26) | Clause 4.4 | C.2
6 | Session-Timeout (27) | Clause 4.4
7 | Idle-Timeout (28) | Clause 4.4
8 | Termination Action (29) | Clause 4.4 | C.2
9 | Proxy State (33) | Clause 4.4
10 | Acct-Session-Id (44) | Clause 4.4
11 | EAP Message (79) | Clause 4.4 | C.2
12 | Message Authenticator (80) | Clause 4.4 | C.2
13 | Acct-Interim-Interval (85) | Clause 4.4

C.2: Mandatory if WPA or WPA2 is used.

A:5.18 Intermediary (Interface 2I endpoint A): RADIUS Access-Reject message attributes (Receive)
Prerequisite: A:1.1/4

1 | Reply Message (18) | Clause 4.4 | C.1
2 | Proxy-State (33) | Clause 4.4
3 | EAP Message (79) | Clause 4.4 | C.2
4 | Message authenticator (80) | Clause 4.4 | C.2

C.1: Mandatory if UAM access method is used.
C.2: Mandatory if WPA or WPA2 is used.
A:5.19 Intermediary (Interface 2I endpoint A): RADIUS Access-Challenge message attributes (Receive)
Prerequisite: A:1.1/4

1 | Reply Message (18) | Clause 4.4 | C.1
2 | State (24) | Clause 4.4
3 | Proxy-State (33) | Clause 4.4
4 | Acct-Session-Id (44) | Clause 4.4
5 | EAP Message (79) | Clause 4.4 | C.2
6 | Message-authenticator (80) | Clause 4.4 | C.2

C.1: Mandatory if UAM access method is supported
C.2: Mandatory if WPA or WPA2 is used

A:5.20 Intermediary (Interface 3I endpoint A): RADIUS Accounting-Start message attributes (Send)
Prerequisite: A:1.1/4

1 | User-name (1) | Clause 5.4
2 | NAS-IP-Address (4) | Clause 5.4
3 | NAS-Port (5) | Clause 5.4
4 | Service-Type (6) | Clause 5.4 | O
5 | Framed-IP-Address (8) | Clause 5.4
6 | Class (25) | Clause 5.4 | O
7 | Called-Station-Id (30) | Clause 5.4
8 | Calling-Station-Id (31) | Clause 5.4
9 | NAS-Identifier (32) | Clause 5.4
10 | Acct-Status-Type (40) | Clause 5.4
11 | Acct-Delay-Time (41) | Clause 5.4
12 | Acct-Session-Id (44) | Clause 5.4
13 | Acct-Multi-Session-ID (50) | Clause 5.4 | O
14 | Event-Timestamp (55) | Clause 5.4 | O
15 | NAS-Port-Type (61) | Clause 5.4
A:5.21 Intermediary (Interface 3I endpoint A): RADIUS Accounting-Stop message attributes (Send)
Prerequisite: A:1.1/4

1 | User-name (1) | Clause 5.4
2 | NAS-IP-Address (4) | Clause 5.4
3 | NAS-Port (5) | Clause 5.4
4 | Service-Type (6) | Clause 5.4 | O
5 | Framed-IP-Address (8) | Clause 5.4
6 | Class (25) | Clause 5.4 | O
7 | Called-Station-Id (30) | Clause 5.4
8 | Calling-Station-Id (31) | Clause 5.4
9 | NAS-Identifier (32) | Clause 5.4
10 | NAS-Port-Type (61) | Clause 5.4
11 | Acct-Status-Type (40) | Clause 5.4
12 | Acct-Delay-Time (41) | Clause 5.4
13 | Acct-Input-Octets (42) | Clause 5.4
14 | Acct-Output-Octets (43) | Clause 5.4
15 | Acct-Session-Id (44) | Clause 5.4
16 | Acct-Session-Time (46) | Clause 5.4
17 | Acct-Input-Packets (47) | Clause 5.4
18 | Acct-Output-Packets (48) | Clause 5.4
19 | Acct-Terminate-Cause (49) | Clause 5.4
20 | Acct-Multi-Session-ID (50) | Clause 5.4 | O
21 | Event-Timestamp (55) | Clause 5.4 | O
A:5.22 Intermediary (Interface 3I endpoint A): RADIUS Accounting-Interim message attributes (send)
Prerequisite: A:1.1/4

1 | User-name (1) | Clause 5.4
2 | NAS-IP-Address (4) | Clause 5.4
3 | NAS-Port (5) | Clause 5.4
4 | Service-Type (6) | Clause 5.4 | O
5 | Framed-IP-Address (8) | Clause 5.4
6 | Class (25) | Clause 5.4 | O
7 | Called-Station-Id (30) | Clause 5.4
8 | Calling-Station-Id (31) | Clause 5.4
9 | NAS-Identifier (32) | Clause 5.4
10 | Acct-Status-Type (40) | Clause 5.4
11 | Acct-Delay-Time (41) | Clause 5.4
12 | Acct-Input-Octets (42) | Clause 5.4
13 | Acct-Output-Octets (43) | Clause 5.4
14 | Acct-Session-Id (44) | Clause 5.4
15 | Acct-Session-Time (46) | Clause 5.4
16 | Acct-Input-Packets (47) | Clause 5.4
17 | Acct-Output-Packets (48) | Clause 5.4
18 | Acct-Multi-Session-ID (50) | Clause 5.4 | O
19 | Event-Timestamp (55) | Clause 5.4 | O
20 | NAS-Port-Type (61) | Clause 5.4