Published (Last): 4 July 2007
PDF File Size: 8.6 Mb
ePub File Size: 3.16 Mb
Price: Free (registration required)
This document defines the syntax for the Network Access Identifier (NAI), the user identifier submitted by the client prior to accessing resources. This document is a revised version of an earlier RFC. It addresses issues with international character sets and makes a number of other corrections to that RFC. It represents the consensus of the IETF community.
All rights reserved. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English.
Table of Contents: Requirements Language; NAI Definition; UTF-8 Syntax and Normalization; Formal Syntax; NAI Length Considerations; Support for Username Privacy; International Character Sets; The Normalization Process; Issues with the Normalization Process; Use in Other Protocols; Routing inside of AAA Systems; Compatibility with Email Usernames; Compatibility with DNS; Realm Construction; Historical Practices; Security Considerations; Correlation of Identities over Time and Protocols; Multiple Identifiers; Administration of Names; Normative References; Informative References; Changes from RFC

Introduction

Considerable interest exists for a set of features that fit within the general category of inter-domain authentication, or "roaming capability" for network access, including dialup Internet users, Virtual Private Network (VPN) usage, wireless LAN authentication, and other applications.
By "inter-domain authentication", this document refers to situations where a user has authentication credentials at one "home" domain but is able to present them at a second "visited" domain to access certain services at the visited domain. The two domains generally have a pre-existing relationship, so that the credentials can be passed from the visited domain to the home domain for verification.
That is, the "roaming" scenario involves a user visiting, or "roaming" to, a non-home domain and requesting the use of services at that visited domain. When the NAI was defined for network access, it had the side effect of defining an identifier that could be used in non-AAA systems.
This process simplified the management of credentials, by reusing the same credential in multiple situations. Protocols that reuse the same credential or the same identifier format can benefit from this simplified management.
The alternative is to have protocol-specific credentials or identifier formats, which increases cost to both the user and the administrator. There are privacy implications to using one identifier across multiple protocols. See Sections 2. The goal of this document is to define the format of an identifier that can be used in many protocols.
A protocol may transport an encoded version of the NAI e. However, the definition of the NAI is protocol independent. The goal of this document is to encourage the widespread adoption of the NAI format. This adoption will decrease the work required to leverage identification and authentication in other protocols. It will also decrease the complexity of non-AAA systems for end users and administrators.
This document only suggests that the NAI format be used; it does not require such use. Many protocols already define their own identifier formats. The definition of the NAI in this document has no requirements on protocol specifications, implementations, or deployments. However, this document suggests that using one standard identifier format is preferable to using multiple incompatible identifier formats.
That is, the interpretation of the identifier is context specific, while the format of the identifier remains the same. These issues are discussed in more detail in Section 2. In contrast, this document allows for the use of multiple identifiers and recommends the use of anonymous identifiers where those identifiers are publicly visible.
Differences and enhancements compared to that document are listed in Appendix A.

Terminology

This document frequently uses the following terms: "Local" or "Localized" Text. "Local" or "localized" text is text that is in either non-UTF-8 or non-normalized form.
The character set, encoding, and locale are in general unknown to Authentication, Authorization, and Accounting (AAA) network protocols. The client that "knows" the locale may have a different concept of this text than other AAA entities, which do not know the same locale. The purpose of the NAI is to allow a user to be associated with an account name, as well as to assist in the routing of the authentication request across multiple domains. In IEEE Examples of cases where roaming capability might be required include ISP "confederations" and ISP-provided corporate network access support.
Purpose

As described in [RFC], there are a number of providers offering network access services, and essentially all Internet Service Providers are involved in roaming consortia. It is also expected that NASes will use the NAI as part of the process of opening a new tunnel, in order to determine the tunnel endpoint. Many protocols include authentication capabilities, including defining their own identifier formats. These identifiers can then end up being transported in AAA protocols, so that the originating protocols can leverage AAA for user authentication.
There is therefore a need for a definition of a user identifier that can be used in multiple protocols. While the NAI is defined herein, it should be noted that existing protocols and deployments do not always use it. The process by which that is done is outside of the scope of this document. This specification does not forbid that practice. It only codifies the format and interpretation of the NAI.
This document cannot change existing protocols or practices. It can, however, suggest that using a consistent form for a user identifier is of benefit to the community. This document does not make any protocol-specific definitions for an identifier format, and it does not make changes to any existing protocol. Instead, it defines a protocol-independent form for the NAI. It is hoped that the NAI is a user identifier that can be used in multiple protocols.
Using a common identifier format simplifies protocols requiring authentication, as they no longer need to specify a protocol-specific format for user identifiers. It increases security, as multiple identifier formats allow attackers to make contradictory claims without being detected see Section 4. It simplifies deployments, as a user can have one identifier in multiple contexts, which allows them to be uniquely identified, so long as that identifier is itself protected against unauthorized access.
In short, having a standard is better than having no standard at all. However, some additional discussion is appropriate to motivate those changes. The intent appears to have been to encode, compare, and transport realms with the Punycode [RFC] encoding form as described in [RFC].
With international roaming growing in popularity, it is important for these issues to be corrected in order to provide robust and interoperable network services.
Furthermore, this document was motivated by a desire to codify existing practice related to the use of the NAI format and to encourage widespread use of the format.
NAI Definition

See [RFC] and Section 2. This local version can then be used for local processing. This document does not suggest how that is done. However, existing practice indicates that it is possible.
As internationalized domain names become more widely used, existing practices are likely to become inadequate. This document therefore defines the NAI, which is a user identifier format that can correctly deal with internationalized identifiers. As a result, NAIs processed only by Diameter nodes can be very long.
Each protocol can have its own limitations on maximum NAI length. The above criteria should permit the widest use and widest possible interoperability of the NAI. Therefore, the utf8-username portion SHOULD be treated as opaque data when processed by nodes that are not a part of the home domain for that realm. That is, the only domain that is capable of interpreting the meaning of the utf8-username portion of the NAI is the home domain. Any third-party domains cannot form any conclusions about the utf8-username and cannot decode it into subfields.
For example, it may be used as "firstname. There is simply no way and no reason for any other domain to interpret the utf8-username field as having any meaning whatsoever. In some situations, NAIs are used together with a separate authentication method that can transfer the username part in a more secure manner to increase privacy.
However, current practice is to use the username "anonymous" instead of omitting the username part. This behavior is also permitted.
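The three points above (the username is opaque to every domain except the home domain, AAA routing works on the realm alone, and the "@realm" and "anonymous@realm" forms are both permitted for privacy) can be shown in code. The following is an added example, not code from the page or from any IETF document. It implements the NAI grammar from RFC 7542 (the revision of RFC 4282 whose text this page excerpts: an NAI is utf8-username, "@" realm, or utf8-username "@" realm) and a minimal realm-based proxy lookup. The routing table, the sample identifiers, the 253-octet limit (the RADIUS User-Name attribute's maximum value length) and the case-insensitive realm match are assumptions of this example.

```python
"""Parse, validate and route Network Access Identifiers (NAIs).

Added example; not code from the page or from any IETF document. The grammar
implemented is the ABNF of RFC 7542. The routing table and the sample
identifiers below are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Optional

# RADIUS carries the NAI in User-Name, whose value is at most 253 octets.
MAX_OCTETS = 253

# utf8-rtext: ALPHA / DIGIT / any non-ASCII UTF-8 character (realm labels).
_RTEXT_CHARS = r"A-Za-z0-9\u0080-\U0010FFFF"
# utf8-atext adds the ASCII specials allowed in usernames. "@" and "." are
# deliberately absent: "@" separates username from realm, and "." may only
# join non-empty strings (dot-string).
_ATEXT_CHARS = _RTEXT_CHARS + r"!#$%&'*+\-/=?^_`{|}~"

# utf8-username = dot-string: one or more strings joined by single dots.
_USERNAME_RE = re.compile(rf"^[{_ATEXT_CHARS}]+(?:\.[{_ATEXT_CHARS}]+)*$")
# label = utf8-rtext *(ldh-str); ldh-str = *(utf8-rtext / "-") utf8-rtext,
# i.e. a label starts and ends with rtext and may contain "-" in between.
_LABEL_RE = re.compile(rf"^[{_RTEXT_CHARS}](?:[{_RTEXT_CHARS}-]*[{_RTEXT_CHARS}])?$")


@dataclass(frozen=True)
class NAI:
    username: str          # opaque to every domain except the home realm
    realm: Optional[str]   # None for a bare username (handled locally)


def parse_nai(text: str) -> NAI:
    """Split and validate an NAI; raise ValueError on any syntax violation."""
    if not text:
        raise ValueError("empty NAI")
    if len(text.encode("utf-8")) > MAX_OCTETS:
        raise ValueError(f"NAI longer than {MAX_OCTETS} octets")
    username, sep, realm = text.partition("@")
    if username and not _USERNAME_RE.match(username):
        raise ValueError(f"invalid utf8-username: {username!r}")
    if not sep:
        return NAI(username, None)
    # realm = 1*( label "." ) label: at least two labels, each well formed.
    # A second "@" cannot slip through: it is not a legal label character.
    labels = realm.split(".")
    if len(labels) < 2 or not all(_LABEL_RE.match(lbl) for lbl in labels):
        raise ValueError(f"invalid realm: {realm!r}")
    return NAI(username, realm)


def is_valid_nai(text: str) -> bool:
    """Boolean wrapper around parse_nai, handy for filtering and tests."""
    try:
        parse_nai(text)
        return True
    except ValueError:
        return False


def is_privacy_preserving(nai: NAI) -> bool:
    """True for the "@realm" form (empty username) and legacy "anonymous@realm"."""
    return nai.realm is not None and nai.username in ("", "anonymous")


# Constructed routing table: realm -> home AAA server. A visited domain's
# proxy needs nothing more than this; it never interprets the username.
ROUTES = {
    "example.com": "aaa1.example.com",
    "example.net": "aaa.example.net",
}


def route_to_home(nai: NAI) -> Optional[str]:
    """Choose the next AAA hop from the realm alone.

    Realms are matched case-insensitively via str.lower(); that is an
    assumption of this example, adequate for ASCII realms only.
    """
    if nai.realm is None:
        return None  # no realm: the request is handled locally
    return ROUTES.get(nai.realm.lower())


if __name__ == "__main__":
    samples = [  # constructed identifiers, valid and invalid
        "fred@example.com", "@example.com", "anonymous@example.com", "fred",
        "Fred@Example.COM", "ユーザ@例え.jp", "fred@", "fred@example",
        "fred..smith@example.com", "fred@-example.com", "fred@example.com@evil.example",
    ]
    for s in samples:
        try:
            nai = parse_nai(s)
        except ValueError as err:
            print(f"{s!r:40} rejected: {err}")
            continue
        print(f"{s!r:40} realm={nai.realm!r} privacy={is_privacy_preserving(nai)} "
              f"next_hop={route_to_home(nai)}")
```

Note that a realm with a single label ("fred@example") is rejected because the grammar requires at least one dot-separated label before the final one, and that the proxy lookup in route_to_home never touches nai.username, which is the behaviour the text asks of every node outside the home domain.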
IETF RFC 4282 PDF
Lior (Bridgewater Systems), J. Korhonen (Teliasonera), J. Loughney (Nokia), January. Chargeable User Identity. Status of This Memo: This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited. This attribute can be used by a home network to identify a user for the purpose of roaming transactions that occur outside of the home network.
Network Working Group. B. Arkko (Ericsson), P. Eronen (Nokia), December. The Network Access Identifier. Status of This Memo: This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.