
Re: Follow up on Authorize Only issue (was RE: [Isms] ISMS session summary)



On Thu, Jul 13, 2006 at 04:59:18PM -0400, Nelson, David wrote:
> 
> In an Access-Accept message, the NAS is trusted to have authorization
> information for the user because (a) the NAS is trusted and (b) the user
> is present at the NAS, so the NAS has a "need to know".  The concern
> with Authorize Only operations that do not have a previous successful
> RADIUS authentication as a prerequisite is that when the user is not
> present at the NAS, the NAS does not have a "need to know" the user's
> authorization status.  Information might be leaked to a NAS about users
> that the NAS would not otherwise be entitled to have.

Thanks, I think I understand this. Now I wonder how other AAA systems
which I have been told to support authorize only deal with this issue.
Can someone please explain?
 
> In RFC 3576, the requirement for a previous RADIUS authentication is met
> by requiring a server State attribute to be in the Access-Request
> message, which provides that binding for Authorize Only operation.

If I understand this correctly, then you have (a) the NAS is trusted
and (b) the user was previously present at the NAS here. Correct?

> The only form of RADIUS operation that currently provides authorization
> information on a "user" without user credentials is the call check
> operation.  In these cases the actual user is not identified, but rather
> the user's phone number (or similar network address information).
> 
> For the SSHSM usage case, the question is whether it is an unacceptable
> security risk for a trusted NAS to be able to obtain authorization
> information about a user that is not actually "present" at the NAS?

This probably needs more thought and discussion.

Thanks for discussing this issue and writing things up in a way that I
seem to understand.

/js

-- 
Juergen Schoenwaelder		    International University Bremen
<http://www.eecs.iu-bremen.de/>	    P.O. Box 750 561, 28725 Bremen, Germany
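As an added illustration of the binding discussed above (not code from the thread or from any RADIUS implementation), the following models the server-side policy: a State value is issued only after a successful authentication at a given NAS, and an Authorize-Only Access-Request is accepted only if it carries a valid, unexpired State issued to that same NAS. The State layout, the HMAC key and the NAS-Identifier check are constructed assumptions; RFC 3576 treats State as opaque and does not prescribe a format.

```python
import hmac
import hashlib
import secrets

# Constructed server key for this example; a real server would load it from config.
SERVER_KEY = b"example-server-secret-placeholder"


def issue_state(user: str, nas_id: str, now: float, ttl: int = 600) -> bytes:
    """Build an opaque State value after `user` authenticated successfully at `nas_id`.

    Layout (assumed, not from the RFC): user|nas|expiry|nonce|hmac-tag.
    """
    body = f"{user}|{nas_id}|{int(now) + ttl}|{secrets.token_hex(4)}".encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()[:16]
    return body + b"|" + tag.hex().encode()


def check_authorize_only(request: dict, now: float):
    """Decide an Authorize-Only request; `request` models Access-Request attributes.

    Returns (accepted, reason). Rejects when there is no State (no prior
    authentication binding), when the State is forged, expired, or was issued
    to a different NAS, i.e. the user is not "present" at the requesting NAS.
    """
    if request.get("Service-Type") != "Authorize-Only":
        return False, "not an Authorize-Only request"
    state = request.get("State")
    if state is None:
        return False, "State missing: no prior authentication binding"
    try:
        user, nas_id, exp, nonce, tag_hex = state.split(b"|")
    except ValueError:
        return False, "State malformed"
    body = b"|".join([user, nas_id, exp, nonce])
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expected.hex().encode(), tag_hex):
        return False, "State forged or tampered"
    if int(exp) < now:
        return False, "State expired"
    if nas_id.decode() != request.get("NAS-Identifier"):
        return False, "State issued to a different NAS: user not present here"
    return True, f"authorized {user.decode()} at {nas_id.decode()}"
```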

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>