
Re: Follow up on Authorize Only issue (was RE: [Isms] ISMS session summary)



"Nelson, David" <dnelson@enterasys.com> wrote:
> For the SSHSM usage case, the question is whether it is an unacceptable
> security risk for a trusted NAS to be able to obtain authorization
> information about a user that is not actually "present" at the NAS?

  i.e. "present" as in "the RADIUS server performed the
authentication, and verified that the user is present".

  Are there any *other* authentication credentials that can be sent to
the RADIUS server, to mitigate the issue?  e.g. a Kerberos ticket?

  The RADIUS server could either validate the Kerberos ticket itself,
or log the ticket for later auditing.  If it's too hard to send the
ticket, maybe a hash of the ticket, or ticket ID (I'm not sure if this
is available or useful in Kerberos...)

  If the server had some auditing capability for Authorize-Only
requests, an admin could correlate that information with
authentication performed by non-RADIUS servers.  That would mitigate
the concerns over the RADIUS server not performing the authorization.

  Alan DeKok.
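One way an admin could do the correlation suggested above: check each Authorize-Only request the RADIUS server logged against the authentication log of a non-RADIUS system (here a Kerberos KDC), flagging requests with no recent authentication or with a ticket hash that does not match. This is an added example, not code from the thread or from any RADIUS implementation; the log formats, the ticket_hash field and the five-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample logs (hypothetical formats, not from any real server).
# Authorize-Only requests as a RADIUS server might record them.
AUTHZ_ONLY_LOG = """\
2004-03-02T10:00:05 nas=nas1.example.net user=alice ticket_hash=ab12
2004-03-02T10:00:30 nas=nas1.example.net user=bob ticket_hash=cd34
2004-03-02T10:45:00 nas=nas2.example.net user=carol ticket_hash=ef56
"""
# Authentication events recorded by the non-RADIUS authenticator (a KDC).
KDC_LOG = """\
2004-03-02T09:59:50 user=alice ticket_hash=ab12
2004-03-02T10:00:10 user=bob ticket_hash=zz99
"""


def parse(log):
    """Turn 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    rows = []
    for line in log.splitlines():
        ts, *kv = line.split()
        rec = dict(p.split("=", 1) for p in kv)
        rec["ts"] = datetime.fromisoformat(ts)
        rows.append(rec)
    return rows


def correlate(authz_log, kdc_log, window=timedelta(minutes=5)):
    """Return (user, nas, reason) for each Authorize-Only request that cannot
    be tied to an authentication of that user within `window` before it."""
    auths = parse(kdc_log)
    findings = []
    for req in parse(authz_log):
        recent = [a for a in auths if a["user"] == req["user"]
                  and timedelta(0) <= req["ts"] - a["ts"] <= window]
        if not recent:
            findings.append((req["user"], req["nas"], "no recent authentication"))
        elif not any(a["ticket_hash"] == req["ticket_hash"] for a in recent):
            # The user did authenticate, but the NAS presented a different ticket.
            findings.append((req["user"], req["nas"], "ticket hash mismatch"))
    return findings


if __name__ == "__main__":
    for finding in correlate(AUTHZ_ONLY_LOG, KDC_LOG):
        print(finding)
```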

archive: <http://psg.com/lists/radiusext/>