Re: Follow up on Authorize Only issue (was RE: [Isms] ISMS session summary)
"Nelson, David" <email@example.com> wrote:
> For the SSHSM usage case, the question is whether it is an unacceptable
> security risk for a trusted NAS to be able to obtain authorization
> information about a user that is not actually "present" at the NAS?
i.e. "present" as in "the RADIUS server performed the
authentication, and verified that the user is present".
Are there any *other* authentication credentials that can be sent to
the RADIUS server, to mitigate the issue? e.g., a Kerberos ticket?
The RADIUS server could either validate the Kerberos ticket itself,
or log the ticket for later auditing. If it's too hard to send the
ticket, maybe a hash of the ticket, or ticket ID (I'm not sure if this
is available or useful in Kerberos.)
If the server had some auditing capability for Authorize-Only
requests, an admin could correlate that information with
authentication performed by non-RADIUS servers. That would mitigate
the concerns over the RADIUS server not performing the authorization.
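The auditing idea above, as an added example that is not part of this thread or of any RADIUS implementation: Authorize-Only requests are logged with a hash of the credential the NAS presents, and an admin-side routine correlates them against authentications recorded by a non-RADIUS server. Record layouts, field names, the hash choice and the time window are all assumptions.

```python
import hashlib
from datetime import datetime, timedelta

def ticket_fingerprint(ticket_bytes: bytes) -> str:
    """Hash of an opaque ticket blob, so the audit log carries a fingerprint
    rather than the ticket itself (constructed; not a real RADIUS attribute)."""
    return hashlib.sha256(ticket_bytes).hexdigest()

# Constructed sample audit records. "fp" is the credential fingerprint the
# NAS supplied with its Authorize-Only request; None means it sent nothing.
AUTHORIZE_ONLY_LOG = [
    {"ts": "2005-03-01T10:00:05", "nas": "nas1", "user": "alice",
     "fp": ticket_fingerprint(b"ticket-alice-1")},
    {"ts": "2005-03-01T10:02:00", "nas": "nas1", "user": "bob",
     "fp": ticket_fingerprint(b"ticket-bob-unknown")},
    {"ts": "2005-03-01T10:05:00", "nas": "nas2", "user": "carol", "fp": None},
]
# Constructed log from the non-RADIUS server that actually authenticated users.
EXTERNAL_AUTH_LOG = [
    {"ts": "2005-03-01T10:00:01", "user": "alice",
     "fp": ticket_fingerprint(b"ticket-alice-1")},
    {"ts": "2005-03-01T09:30:00", "user": "bob",
     "fp": ticket_fingerprint(b"ticket-bob-1")},
]

def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)

def correlate(authz_requests, external_auths, window=timedelta(minutes=5)):
    """Return {user: verdict} for each Authorize-Only request.
    corroborated: same user and fingerprint seen by the external server
                  shortly before the request (within `window`, an assumption)
    unverified:   a fingerprint was supplied but nothing matches it
    no-credential: the NAS sent no credential at all"""
    verdicts = {}
    for req in authz_requests:
        if req["fp"] is None:
            verdicts[req["user"]] = "no-credential"
            continue
        matched = any(
            a["user"] == req["user"] and a["fp"] == req["fp"]
            and timedelta(0) <= _parse(req["ts"]) - _parse(a["ts"]) <= window
            for a in external_auths)
        verdicts[req["user"]] = "corroborated" if matched else "unverified"
    return verdicts

def flagged(verdicts):
    """Users whose Authorize-Only requests an admin should look at."""
    return sorted(u for u, v in verdicts.items() if v != "corroborated")
```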