Re: [Isms] Summary of Authorize Only issue
On Wed, Jul 26, 2006 at 03:56:04PM -0400, Nelson, David wrote:
> (2) There are two extended SNMP over SSH use cases:
>
>     (a) RADIUS provides initial authentication and
>         authorization of SNMPv3 over SSH, base-service
>         authorization, and (optionally) granular access
>         control authorization.
>
>     (b) Some other authentication mechanism/service
>         provides initial authentication (and no
>         authorization) of SNMPv3 over SSH. RADIUS
>         provides base-service authorization and
>         (optionally) granular access control
>
> Note that "granular access control" means a mapping to the VACM or some
> other Access Control Subsystem.
>
> These use cases are currently out of scope for the ISMS WG charter, but
> might be added at a later date.

Note that the reference "these use cases" is somewhat ambiguous. I
assume you refer to (2a) and (2b). But even with this interpretation,
it is only the optional part which is out of scope for the ISMS WG.

Personally, I consider provisioning of SNMP access control mappings
via RADIUS authorization a functionality which is totally independent
of authentication and base-service authorization. So perhaps (2a) and
(2b) should be combined into an SNMP access control provisioning use

(2) There is an SNMP access control provisioning use case:

    RADIUS provides authorization information to be used by SNMP
    access control models, for example by providing a mapping of
    securityName to securityGroup, for use with the VACM. An example
    of such an attribute is Management-Policy-ID, conceptually similar
    to Filter-ID. Due to the strict separation of access control from
    authentication in the SNMP architecture, this requires that RADIUS
    provides an Authorize Only service for SNMP usage.

Juergen Schoenwaelder International University Bremen
<http://www.eecs.iu-bremen.de/> P.O. Box 750 561, 28725 Bremen, Germany