Network Working Group                                      Bernard Aboba
INTERNET-DRAFT                                                 Microsoft

19 November 1997

              Lightweight Directory Access Protocol (v3):
 Dynamic Attributes for the Remote Access Dialin User Service (RADIUS)

1.  Status of this Memo

This document is an Internet-Draft.  Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas, and
its working groups.  Note that other groups may also distribute working
documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time.  It is inappropriate to use Internet-Drafts as reference material
or to cite them other than as ``work in progress.''

To learn the current status of any Internet-Draft, please check the
``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
Directories on ds.internic.net (US East Coast), nic.nordu.net (Europe),
ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific Rim).

The distribution of this memo is unlimited.  It is filed as
<draft-aboba-dynradius-01.txt>, and expires June 1, 1998.  Please send
comments to the authors.

2.  Abstract

This document defines dynamic attributes used by the Remote Access
Dialin User Service (RADIUS).  These attributes are written to a dynamic
directory service by the RADIUS server in order to provide information
about sessions in progress.  This information can then be used in order
to provide for control of simultaneous logins, or for detection or
tracking of security incidents in progress.

3.  Introduction

The RADIUS protocol, described in [6]-[9], supports authentication,
authorization and accounting for dialup users.  To date, RADIUS servers
have retrieved their configuration from user databases and/or flat
configuration files.  In order to consolidate stores of user
information, it is desirable to integrate a RADIUS server with an
LDAP-based directory service.

This document is one of three related specifications which describe how
a RADIUS server may be integrated with an LDAP-based directory service.
Reference [14] specifies how user data utilized by a RADIUS server may
be stored in an LDAP-based directory service.  Reference [15] describes
how user credentials submitted during PPP authentication and sent by the
NAS in the RADIUS Access-Request may be validated by the RADIUS server.

This document describes how a dynamic directory service may be used to
store these and other attributes relating to sessions in progress.  Such
information can be useful for a variety of purposes including security
incident response; simultaneous usage control; or monitoring of
connection quality, login time, packet size or bandwidth usage.  Due to
the frequency of changes to this data, dynamic attributes must be
employed, as described in [5] and [10].

Attributes useful for this purpose include attributes from both the
Access-Request and Access-Reply.  For example, attributes such as
Nas-IP-Address, Nas-Port, Nas-Identifier, Called-Station-Id,
Calling-Station-Id, and Connect-Info are available from the RADIUS
Access-Request packet.  Other attributes such as Framed-IP-Address may
be computed dynamically, and sent in the RADIUS Access-Accept packet.
Attributes relating to a user's resource consumption during a session in
progress are made available via the Interim Accounting Record Extension
described in [9].  These include Acct-Input-Octets, Acct-Output-Octets,
Acct-Session-Id, Acct-Authentic, Acct-Session-Time, Acct-Input-Packets,
Acct-Output-Packets, Acct-Terminate-Cause, Acct-Multi-Session-Id,
Acct-Link-Count, Acct-Tunnel-Client-Endpoint, and
Acct-Tunnel-Connection-Id.

Typically it is expected that the RADIUS server will create an entry in
the dynamic directory service after a successful authentication, and
will delete the entry when the user logs off.  However, some
implementations may find it desirable to allow persistence of entries
relating to failed authentications or logged off users.  In this case, a
refresh interval is typically set (for example, 24 hours) so that the
entries will time out after an appropriate interval.

3.1.  Example

Let us assume that BIGCO wishes to offer dialin access to their domestic
sales force, as well as VPN access to contractors and finance employees
travelling overseas.  In order to consistently manage and account for
the use of their NAS devices and Layer 2 tunnel servers (PPTP/L2F/L2TP),
BIGCO has chosen to adopt the RADIUS protocol.

As part of this service offering, BIGCO may wish to restrict contractors
and finance employees to a single login at a time.  In order to
implement this policy, it is necessary for the BIGCO RADIUS server to be
able to retrieve the number of sessions in progress for a particular
user.

BIGCO may also wish to implement auditing and alarming policies.  For
example, BIGCO may wish to set an alarm when contractors remain
continuously logged on for more than a certain amount of time, attempt
to access the network from more than one location simultaneously, or
transfer more than a threshold number of octets during a given time
period.  It may also be desirable to set a threshold on failed
authentications during a given time period, in order to detect break-ins
in progress.

If an alarm is triggered, it may be desirable to have access to the
Nas-IP-Address, Nas-Port, Called-Station-Id and Calling-Station-Id for
the failed login attempt or session in progress so that the call may be
traced.

4.  Object definitions

The RADIUS dynamic attribute schema includes definition of the following
objects:

   Dynamic RADIUS Person Class

4.1.  Dynamic RADIUS Person Class

   ( DynamicRadiusPersonClass 1
     NAME 'dynamicRadiusPersonClass'
     SUP top
     STRUCTURAL
     MUST (
       userName $ acctSessionId $ connectionStatus
     )
     MAY ( nasIPAddress $ nasPort $ framedIPAddress $
       class $ calledStationId $ callingStationId $
       nasIdentifier $ acctInputOctets $
       acctOutputOctets $ acctAuthentic $
       acctSessionTime $ acctInputPackets $ acctOutputPackets $
       acctTerminateCause $ acctMultiSessionId $ acctLinkCount $
       acctInputGigawords $ acctOutputGigawords $
       nasPortType $ tunnelType $ tunnelMediumType $
       acctTunnelClientEndpoint $ acctTunnelConnection $
       tunnelPrivateGroupId $ connectInfo $ authenticationType $
       eapType $ encryptionType $ sessionLocalStartTime $
       sessionLocalEndTime $ ispId $ connectionStatus $
       serviceClass
     )
   )

5.  Attribute definitions

5.1.  New Attribute Types Used in the Dynamic RADIUS Person Class

   ( radius dynamicRadiusPersonClass 1
     NAME 'userName'
     DESC 'the name of the user'
     EQUALITY caseIgnoreIA5Match
     SYNTAX 'IA5String{128}'
     SINGLE-VALUE
   )

   ( radius dynamicRadiusPersonClass 4
     NAME 'nasIPAddress'
     DESC 'IP address of the NAS'
     EQUALITY caseIgnoreIA5Match
     SYNTAX 'IA5String{128}'
     SINGLE-VALUE
   )

   ( radius dynamicRadiusPersonClass 5
     NAME 'nasPort'
     DESC 'Physical port number of the NAS
           Authenticating the user'
     EQUALITY integerMatch
     SYNTAX 'INTEGER'
     SINGLE-VALUE
   )

   ( radius dynamicRadiusPersonClass 8
     NAME 'framedIPAddress'
     DESC 'IP address to be assigned to the user
           in dotted decimal notation'
     EQUALITY caseIgnoreIA5Match
     SYNTAX 'IA5String{128}'
     SINGLE-VALUE
   )

   ( radius dynamicRadiusPersonClass 25
     NAME 'class'
     DESC 'The service class for the user'
     EQUALITY caseIgnoreIA5Match
     SYNTAX 'IA5String{128}'
   )

   ( radius dynamicRadiusPersonClass 30
     NAME 'calledStationId'
     DESC 'Phone number to which the user placed the call'
     EQUALITY caseIgnoreIA5Match
     SYNTAX 'IA5String{128}'
   )

   ( radius dynamicRadiusPersonClass 31
     NAME 'callingStationId'
     DESC 'Phone number from which the user placed the call'
     EQUALITY caseIgnoreIA5Match
     SYNTAX 'IA5String{128}'
   )

   ( radius dynamicRadiusPersonClass 32
     NAME 'nasIdentifier'
     DESC 'String identifying the NAS'
     EQUALITY caseIgnoreIA5Match
     SYNTAX 'IA5String{128}'
     SINGLE-VALUE
   )

   ( radius dynamicRadiusPersonClass 42
     NAME 'acctInputOctets'
     DESC 'How many octets have been received from the port
           during the session'
     EQUALITY integerMatch
     SYNTAX 'INTEGER'
     SINGLE-VALUE
   )

   ( radius dynamicRadiusPersonClass 43
     NAME 'acctOutputOctets'
     DESC 'How many octets have been sent to the port
           during the session'
     EQUALITY integerMatch
     SYNTAX 'INTEGER'
     SINGLE-VALUE
   )

   ( radius dynamicRadiusPersonClass 44
     NAME 'acctSessionId'
     DESC 'Unique Accounting ID string for the session'
     EQUALITY caseIgnoreIA5Match
     SYNTAX 'IA5String{128}'
     SINGLE-VALUE
   )

   ( radius dynamicRadiusPersonClass 45
     NAME 'acctAuthentic'
     DESC 'Indicates how the user was authenticated. Values
           include RADIUS (1), Local (2), Remote (3)'
     EQUALITY integerMatch
     SYNTAX 'INTEGER'
     SINGLE-VALUE
   )

   ( radius dynamicRadiusPersonClass 46
     NAME 'acctSessionTime'
     DESC 'How many seconds the user has received service for'
     EQUALITY integerMatch
     SYNTAX 'INTEGER'
     SINGLE-VALUE
   )

   ( radius dynamicRadiusPersonClass 47
     NAME 'acctInputPackets'
     DESC 'How many packets have been received from the port
           during the session'
     EQUALITY integerMatch
     SYNTAX 'INTEGER'
     SINGLE-VALUE
   )

   ( radius dynamicRadiusPersonClass 48
     NAME 'acctOutputPackets'
     DESC 'How many packets have been sent to the port
           during the session'
     EQUALITY integerMatch
     SYNTAX 'INTEGER'
     SINGLE-VALUE
   )

   ( radius dynamicRadiusPersonClass 49
     NAME 'acctTerminateCause'
     DESC 'Integer identifying how the session was terminated.'
     EQUALITY integerMatch
     SYNTAX 'INTEGER'
     SINGLE-VALUE
   )

   ( radius dynamicRadiusPersonClass 50
     NAME 'acctMultiSessionId'
     DESC 'Unique string linking together multiple related sessions.'
     EQUALITY caseIgnoreIA5Match
     SYNTAX 'IA5String{128}'
   )

   ( radius dynamicRadiusPersonClass 51
     NAME 'acctLinkCount'
     DESC 'Count of links in a multilink session at time of
           last measurement.'
     EQUALITY integerMatch
     SYNTAX 'INTEGER'
   )

   ( radius dynamicRadiusPersonClass 52
     NAME 'acctInputGigawords'
     DESC 'This is an extended accounting attribute, included
           to allow for keeping track of long or fast sessions. If
           used, it represents bits 32-63 of the number of inbound
           octets during the session.'
     EQUALITY integerMatch
     SYNTAX 'INTEGER'
     SINGLE-VALUE
   )

   ( radius dynamicRadiusPersonClass 53
     NAME 'acctOutputGigawords'
     DESC 'This is an extended accounting attribute, included
           to allow for keeping track of long or fast sessions. If
           used, it represents bits 32-63 of the number of outbound
           octets during the session.'
     EQUALITY integerMatch
     SYNTAX 'INTEGER'
     SINGLE-VALUE
   )

   ( radius dynamicRadiusPersonClass 61
     NAME 'nasPortType'
     DESC 'Port on which the user has logged in. Values include
           Async(1), Sync(2), ISDN Sync(3), V.120(4), V.110(5)
           and Virtual(6).'
     EQUALITY integerMatch
     SYNTAX 'INTEGER'
   )

   ( radius dynamicRadiusPersonClass 64
     NAME 'tunnelType'
     DESC 'Type of tunnel set up. Values include
           PPTP(1), L2F(2), L2TP(3), ATMP(4), VTP(5),
           AH(6), IP-IP(7)'
     EQUALITY integerMatch
     SYNTAX 'INTEGER'
     SINGLE-VALUE
   )

   ( radius dynamicRadiusPersonClass 65
     NAME 'tunnelMediumType'
     DESC 'Medium tunnel runs over. Values include IP(1),
           X.25(2), ATM(3), Frame Relay(4).'
     EQUALITY integerMatch
     SYNTAX 'INTEGER'
     SINGLE-VALUE
   )

   ( radius dynamicRadiusPersonClass 66
     NAME 'acctTunnelClientEndpoint'
     DESC 'This is the address of the Tunnel Client Endpoint.'
     EQUALITY caseIgnoreIA5Match
     SYNTAX 'IA5String{128}'
     SINGLE-VALUE
   )

   ( radius dynamicRadiusPersonClass 67
     NAME 'tunnelServerEndpoint'
     DESC 'The address of the tunnel server. The format
           of the string depends on the tunnelMediumType
           attribute.'
     EQUALITY integerMatch
     SYNTAX 'INTEGER'
     SINGLE-VALUE
   )

   ( radius dynamicRadiusPersonClass 68
     NAME 'acctTunnelConnection'
     DESC 'This is the connection Id assigned to the call; it is
           included in Accounting-Request packets and written to
           ILS. A tag field lives in the first four octets.'
     EQUALITY caseIgnoreIA5Match
     SYNTAX 'IA5String{128}'
     SINGLE-VALUE
   )

   ( radius dynamicRadiusPersonClass 69
     NAME 'tunnelPrivateGroupId'
     DESC 'This is the private group Id assigned to the call.
           A tag field lives in the first four octets.'
     EQUALITY caseIgnoreIA5Match
     SYNTAX 'IA5String{128}'
     SINGLE-VALUE
   )

   ( radius dynamicRadiusPersonClass 77
     NAME 'connectInfo'
     DESC 'This is the connect string returned by the modem in the
           initial connection, or by post-termination diagnostics.'
     EQUALITY caseIgnoreIA5Match
     SYNTAX 'IA5String{128}'
   )

   ( radius dynamicRadiusPersonClass 257
     NAME 'authenticationType'
     DESC 'This attribute indicates the authentication
           type for the user. Values include PAP (1),
           CHAP(2), EAP(3), MS-CHAP(4), and SPAP(5).'
     EQUALITY integerMatch
     SYNTAX 'INTEGER'
     SINGLE-VALUE
   )

   ( radius dynamicRadiusPersonClass 258
     NAME 'eapType'
     DESC 'This attribute indicates the EAP type for this
           user. It should only have a value when EAP is
           enabled for the user.'
     EQUALITY integerMatch
     SYNTAX 'INTEGER'
     SINGLE-VALUE
   )

   ( radius dynamicRadiusPersonClass 259
     NAME 'encryptionType'
     DESC 'Encryption type used (40-bit RC4 (1), 128-bit RC4 (2)).'
     EQUALITY integerMatch
     SYNTAX 'INTEGER'
     SINGLE-VALUE
   )

   ( radius dynamicRadiusPersonClass 260
     NAME 'sessionLocalStartTime'
     DESC 'This is a timestamp giving session start in local time.'
     EQUALITY caseIgnoreIA5Match
     SYNTAX 'IA5String{128}'
     SINGLE-VALUE
   )

   ( radius dynamicRadiusPersonClass 261
     NAME 'sessionLocalEndTime'
     DESC 'This is a timestamp giving session end in local time.'
     EQUALITY caseIgnoreIA5Match
     SYNTAX 'IA5String{128}'
     SINGLE-VALUE
   )

   ( radius dynamicRadiusPersonClass 262
     NAME 'ispId'
     DESC 'String identifying the local ISP to which the user
           is connected'
     EQUALITY caseIgnoreIA5Match
     SYNTAX 'IA5String{128}'
     SINGLE-VALUE
   )

   ( radius dynamicRadiusPersonClass 263
     NAME 'connectionStatus'
     DESC 'Indicates status of the connection. Values include
           Failed Authentication (1), Logged On (2), or
           Logged Off (3).'
     EQUALITY integerMatch
     SYNTAX 'INTEGER'
     SINGLE-VALUE
   )

   ( radius dynamicRadiusPersonClass 264
     NAME 'serviceClass'
     DESC 'String identifying class of service given to user.'
     EQUALITY caseIgnoreIA5Match
     SYNTAX 'IA5String{128}'
     SINGLE-VALUE
   )

6.  Acknowledgments

Thanks to David Eitelbach, Ashwin Palenkar and Gurdeep Singh Pall of
Microsoft for useful discussions of this problem space.

7.  References

[1]  W. Yeong, T. Howes, S. Kille, "Lightweight Directory Access
Protocol."  RFC 1777, March 1995.

[2]  "Information Processing Systems - Open Systems Interconnection -
The Directory: Overview of Concepts, Models and Service."  ISO/IEC JTC
1/SC21, International Standard 9594-1, 1988.

[3]  "Information Processing Systems - Open Systems Interconnection -
The Directory: Selected Object Classes."  Recommendation X.521 ISO/IEC
JTC 1/SC21, International Standard 9594-7, 1993.

[4]  M. Wahl, A. Coulbeck, T. Howes, S. Kille, "Lightweight Directory
Access Protocol (v3): Attribute Syntax Definitions."  Internet Draft
(work in progress), draft-ietf-asid-ldapv3-attributes-08.txt, Critical
Angle, Isode, Netscape, October 1997.

[5]  Y. Yaacovi, M. Wahl, T. Genovese, "Lightweight Directory Access
Protocol (v3): Extensions for Dynamic Directory Services."  Internet
Draft (work in progress), draft-ietf-asid-ldapv3-dynamic-06.txt,
Microsoft, Critical Angle, September 1997.

[6]  C. Rigney, A. Rubens, W. Simpson, S. Willens.  "Remote
Authentication Dial In User Service (RADIUS)."  RFC 2138, Livingston,
Merit, Daydreamer, April 1997.

[7]  C. Rigney.  "RADIUS Accounting."  RFC 2139, Livingston, April 1997.

[8]  C. Rigney, W. Willats.  "RADIUS Extensions."  Work in progress,
draft-ietf-radius-ext-01.txt, Livingston, June 1997.

[9]  P.R. Calhoun, M.A. Beadles, A. Ratcliffe.  "RADIUS Accounting
Interim Accounting Record Extension."  Work in progress,
draft-ietf-radius-acct-interim-00.txt, 3Com, CompuServe, UUNET, July
1997.

[10]  Y. Yaacovi, M. Wahl, T. Genovese, "Lightweight Directory Access
Protocol: Dynamic Attributes."  Internet Draft (work in progress),
draft-ietf-asid-dynatt-00.txt, Microsoft, Critical Angle, July 1997.

[11]  J. Hodges, R.L. Morgan, M. Wahl, "Lightweight Directory Access
Protocol (v3): Extension for Transport Layer Security."  Internet Draft
(work in progress), draft-ietf-asid-ldapv3-tls-01.txt, Stanford,
Critical Angle, June 1997.

[12]  M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access
Protocol (v3)."  Internet Draft (work in progress),
draft-ietf-asid-protocol-08.txt, Critical Angle, Netscape, Isode,
October 1997.

[13]  M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access
Protocol (v3)."  Internet Draft (work in progress),
draft-ietf-asid-protocol-08.txt, Critical Angle, Netscape, Isode,
October 1997.

[14]  B. Aboba, "Lightweight Directory Access Protocol (v3): Schema for
the Remote Access Dialin User Service (RADIUS)."  Internet Draft (work
in progress), draft-aboba-radius-01.txt, Microsoft, November 1997.

[15]  B. Aboba, "Lightweight Directory Access Protocol (v3): Extension
for PPP Authentication."  Internet Draft (work in progress),
draft-aboba-ppp-01.txt, Microsoft, November 1997.

[16]  T. Howes, L. Howard, "A Simple Caching Scheme for LDAP and X.500
Directories."  Internet Draft (work in progress),
draft-ietf-asid-ldap-cache-01.txt, Netscape, October 1997.

8.  Authors' Addresses

Bernard Aboba
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052

Phone: 425-936-6605
EMail: bernarda@microsoft.com
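
Added example (not part of the draft): the Section 3.1 policies, that is
simultaneous-login control and the four alarm conditions, evaluated in
Python over entries shaped like the Section 4.1 dynamicRadiusPersonClass.
The entries are constructed sample data standing in for the result of a
directory search, and the thresholds, serviceClass values and function
names are assumptions.

```python
# Added example (not from the draft): the Section 3.1 policies evaluated over
# dynamicRadiusPersonClass entries. Thresholds and sample entries are assumed.
FAILED_AUTH, LOGGED_ON, LOGGED_OFF = 1, 2, 3      # connectionStatus values
SINGLE_LOGIN_CLASSES = {"contractor", "finance"}  # serviceClass values (assumed)
MAX_SESSION_SECONDS = 8 * 3600                    # hypothetical thresholds
MAX_OCTETS = 5 * 2**30
MAX_FAILED_AUTHS = 3
TRACE_ATTRS = ("nasIPAddress", "nasPort", "calledStationId", "callingStationId")


def total_octets(entry):
    """Octets in both directions; the Gigawords attributes hold bits 32-63."""
    inbound = (entry.get("acctInputGigawords", 0) << 32) | entry.get("acctInputOctets", 0)
    outbound = (entry.get("acctOutputGigawords", 0) << 32) | entry.get("acctOutputOctets", 0)
    return inbound + outbound


def sessions_for(entries, user, status):
    """Entries for one user; userName compares case-insensitively."""
    return [e for e in entries
            if e["userName"].lower() == user.lower() and e["connectionStatus"] == status]


def allow_login(entries, user, service_class):
    """Simultaneous-use check made before the server answers Access-Accept."""
    if service_class not in SINGLE_LOGIN_CLASSES:
        return True
    return not sessions_for(entries, user, LOGGED_ON)


def trace(entry):
    """The attributes Section 3.1 wants on hand so the call can be traced."""
    return {a: entry.get(a) for a in TRACE_ATTRS}


def alarms(entries):
    """Return (userName, reason, [trace, ...]) tuples, ordered by user."""
    found = []
    for user in sorted({e["userName"].lower() for e in entries}):
        live = sessions_for(entries, user, LOGGED_ON)
        failed = sessions_for(entries, user, FAILED_AUTH)
        long_running = [e for e in live if e.get("acctSessionTime", 0) > MAX_SESSION_SECONDS]
        heavy = [e for e in live if total_octets(e) > MAX_OCTETS]
        if long_running:
            found.append((user, "session-too-long", [trace(e) for e in long_running]))
        if len({e.get("callingStationId") for e in live}) > 1:
            found.append((user, "multiple-locations", [trace(e) for e in live]))
        if heavy:
            found.append((user, "octet-threshold", [trace(e) for e in heavy]))
        if len(failed) > MAX_FAILED_AUTHS:
            found.append((user, "failed-auth-threshold", [trace(e) for e in failed]))
    return found


def entry(user, sid, status, caller, **extra):
    """Build one constructed sample entry (MUST attributes plus trace data)."""
    base = {"userName": user, "acctSessionId": sid, "connectionStatus": status,
            "nasIPAddress": "192.0.2.10", "nasPort": int(sid[-2:]),
            "calledStationId": "5550100", "callingStationId": caller}
    base.update(extra)
    return base


# Constructed sample data: what a search of the dynamic directory might return.
SAMPLE = [
    entry("alice", "S01", LOGGED_ON, "5550111", acctSessionTime=40000),
    entry("Alice", "S02", LOGGED_ON, "5550122", acctSessionTime=600),
    entry("bob", "S03", LOGGED_ON, "5550133", acctInputGigawords=1,
          acctInputOctets=100, acctOutputOctets=2**31),
    entry("carol", "S04", LOGGED_ON, "5550144", acctSessionTime=1200),
    entry("carol", "S05", LOGGED_OFF, "5550144", acctSessionTime=900),
] + [entry("mallory", "S1%d" % i, FAILED_AUTH, "5550199") for i in range(4)]

if __name__ == "__main__":
    for user, reason, traces in alarms(SAMPLE):
        print(user, reason, traces)
```

Failed-authentication entries only exist in the directory until their
refresh interval expires, so the count above covers that interval rather
than an arbitrary time window.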