[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [Isms] RE: Follow up on Authorize Only issue
- To: "Jeffrey Hutzelman" <jhutz@cmu.edu>, "Nelson, David" <dnelson@enterasys.com>, <isms@ietf.org>, <radiusext@ops.ietf.org>
- Subject: RE: [Isms] RE: Follow up on Authorize Only issue
- From: "Glen Zorn \(gwz\)" <gwz@cisco.com>
- Date: Tue, 25 Jul 2006 14:20:49 -0700
- Authentication-results: sj-dkim-7.cisco.com; header.From=gwz@cisco.com; dkim=pass ( sig from cisco.com verified; );
- Dkim-signature: a=rsa-sha1; q=dns; l=2842; t=1153862450; x=1154726450; c=relaxed/simple; s=sjdkim7002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=gwz@cisco.com; z=From:=22Glen=20Zorn=20\(gwz\)=22=20<gwz@cisco.com> |Subject:RE=3A=20[Isms]=20RE=3A=20Follow=20up=20on=20Authorize=20Only=20issue; X=v=3Dcisco.com=3B=20h=3Dj5JHVHOkk4k+d3Gjk+Lsn4+lNFg=3D; b=RVnPzzFl5J/oodGIc/kOZ/eYv2Y+Iy1FZW+ZxXYIe4wvUvrdGKjmu0qxTKhICGYnltcczAY/ Ssc41MlAgn9f4VJbylDEnioKlX4Ipj5EmRbN6qEMHZrjZ5K0OI3d0sI8;
Jeffrey Hutzelman <mailto:jhutz@cmu.edu> supposedly scribbled:
> On Tuesday, July 25, 2006 01:10:57 PM -0700 "Glen Zorn (gwz)"
> <gwz@cisco.com> wrote:
>
>> Aside from the fact that "Authorize Only" is hardly an authentication
>> method
>
> It's not an authentication method, but it fills that role in the
> protocol.
> Ordinarily, the RADIUS server must have some means of verifying the
> user's identity, because the NAS is counting on it to do that. The
> authentication method is simply the answer to the question "what is
> that means?". What we're doing is defining a new possible answer,
> which is "there is none; the NAS is not counting on you to verify the
> user's identity, so you don't have to do it".
>
> Now, you've suggested that the way to represent that answer is simply
> by not including the attributes required for some other method. The
> problem with that is that such a request is indistinguishable to the
> RADIUS server from a request using an authentication method it does
> not understand.
Actually, no, at least in current usage an authentication type _always_ has an associated attribute, which can be seen as something that the server doesn't understand.
> A RADIUS server which supports authorize-only will
> probably want to return success for the request using that feature,
> but still must return failure for requests using methods it doesn't
> understand. To make the distinction, you need an affirmative
> indication from the client that it wants authorize-only;
Is that not provided by the Service-Type of Authorize-Only?
> that is,
> that it is not depending on the RADIUS server to verify the user's
> identity.
>
>
>>>> I must note, BTW, that if you are trying to restrict what
>>>> information the RADIUS server gives out because you don't trust the
>>>> NAS, then giving out informaton based on what service the NAS
>>>> claims it is providing, or what port type the NAS claims the user
>>>> came in on, is kind of silly.
>>
>> What's actually silly is talking about untrusted NASen at all: if a
>> RADIUS client that has a valid shared secret has been compromised,
>> life is pretty much over anyway.
>
> Not necessarily. With the kinds of authentication mechanisms which
> make authorize-only RADIUS attractive, a NAS never gains the ability
> to impersonate a user. So, the service that NAS is providing
> probably has big problems, but the users' passwords haven't been
> compromised, and neither have other RADIUS clients. The compromised
> device can be turned off, and the problem is gone.
>
>
> -- Jeff
Hope this helps,
~gwz
Why is it that most of the world's problems can't be solved by simply
listening to John Coltrane? -- Henry Gabriel
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>