
RE: [Isms] RE: Follow up on Authorize Only issue



David Harrington writes...

> Ergo, I believe SSHSM should never use the "authorize-only" 
> feature.

I'm more than a little fuzzy on the architecture, the ASIs, etc., so
please bear with me.

I agree that the Access Control Subsystem will be the ultimate consumer
of the "fine granularity" authorization, such as that provided by
Management-Policy-ID, or a similar attribute.

It is my understanding, and please correct me if I miss some details,
that the Transport Mapping Subsystem (e.g. the SSH server) has the
responsibility of enforcing "coarse granularity" authorization, i.e.
whether an SNMP subsystem may be spawned by the SSH server.  It also has
the responsibility to pass along the securityName to the Access Control
Subsystem.  Given that any additional authorization information that
comes during an integrated RADIUS authentication and authorization also
needs to be passed along with the securityName, that implies some
participation by the Transport Mapping Subsystem.

In the case where RADIUS is only used for authorization, it could be
argued that it is the responsibility of the Access Control subsystem to
obtain that information.  I suppose the interface would be
implementation dependent.

This needs to be described somewhere.  If not in the RADIUS Usage for
SSHSM document, then where?


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>