[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Isms] RE: Follow up on Authorize Only issue

To: <isms@ietf.org>, <radiusext@ops.ietf.org>
Subject: RE: [Isms] RE: Follow up on Authorize Only issue
From: "Nelson, David" <dnelson@enterasys.com>
Date: Tue, 25 Jul 2006 14:12:23 -0400

Bernard Aboba writes...

> Does the Service-Type of "Framed-Management" imply 
> authorization-only?

No.  It could equally be used when RADIUS is providing both
authentication and authorization.

> Or is it possible for authentication to be requested 
> as well?

Yes.

> For example, what attributes are used in existing SSH 
> implementations acting as a RADIUS client?

I rather suspect that existing implementations either ignore the
Service-Type (i.e. authenticate only) or expect something like
NAS-Prompt.

There is an issue to be worked out, and that it how does the NAS signal
to the RADIUS Server that it is seeking Authorize Only service
specifically for SSHSM?

The existing Authorize only usage in RFC 3576 suggests that:

   The NAS then sends an Access-Request
   to the RADIUS server with a Service-Type Attribute with value
   "Authorize Only".  This Access-Request SHOULD contain the NAS
   attributes from the Disconnect or CoA-Request, as well as the session
   attributes from the Request legal for inclusion in an Access-Request
   as specified in [RFC2865], [RFC2868], [RFC2869] and [RFC3162].  As
   noted in [RFC2869] Section 5.19, a Message-Authenticator attribute
   SHOULD be included in an Access-Request that does not contain a
   User-Password, CHAP-Password, ARAP-Password or EAP-Message Attribute.


So it seems clear that the Access-Request message, in the SSHSM
Authorize Only usage, should contain;

Service-Type = Authorize Only
Message-Authenticator

Plus various forms of ID attributes, such as NAS-IP-Address,
NAS-Identifier, etc.

But what else?

It would be typical to include:

Service-Type = Framed-Management
Framed-Management-Protocol = SNMPv3

as hints, however, the value of Service-Type conflicts.

Perhaps simply including: 

Framed-Management-Protocol = SNMPv3

is a sufficient hint to the RADIUS Server, along with Service-Type =
Authorize Only, to indicate the SSHSM Authorize Only use case.

I would fully expect that the Access-Accept message would contain:

Service-Type = Framed-Management
Framed-Management-Protocol = SNMPv3
Message-Authenticator

Plus what ever else might be desired.

There was also a suggestion on the list that the NAS convey the asserted
identity to the RADIUS Server for audit purposes.  This could be
accomplished by a (new) Asserted-Identity attribute.


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

Prev by Date: RE: [Isms] RE: Follow up on Authorize Only issue
Next by Date: RE: [Isms] RE: Follow up on Authorize Only issue
Previous by thread: RE: [Isms] RE: Follow up on Authorize Only issue
Next by thread: RE: [Isms] RE: Follow up on Authorize Only issue
Index(es):
- Date
- Thread