
Re: [Isms] Summary of Authorize Only issue



On Wed, Jul 26, 2006 at 03:56:04PM -0400, Nelson, David wrote:
> (2) There are two extended SNMP over SSH use cases:
> 
>       (a) RADIUS provides initial authentication and 
>           authorization of SNMPv3 over SSH, base-service
>           authorization, and (optionally) granular access
>           control authorization.
> 
>       (b) Some other authentication mechanism/service 
>           provides initial authentication (and no
>           authorization) of SNMPv3 over SSH.  RADIUS
>           provides base-service authorization and 
>           (optionally) granular access control
>           authorization.
> 
> Note that "granular access control" means a mapping to the VACM or some
> other Access Control Subsystem.
> 
> These use cases are currently out of scope for the ISMS WG charter, but
> might be added at a later date.

Note that the reference "these use cases" is somewhat ambiguous. I
assume you refer to (2a) and (2b). But even with this interpretation,
it is only the optional part which is out of scope for the ISMS WG.

Personally, I consider provisioning of SNMP access control mappings
via RADIUS authorization a functionality which is totally independent
of authentication and base-service authorization. So perhaps (2a) and
(2b) should be combined into an SNMP access control provisioning use
case:

(2) There is an SNMP access control provisioning use case:

    RADIUS provides authorization information to be used by SNMP
    access control models, for example by providing a mapping of
    securityName to securityGroup, for use with the VACM. An example
    of such an attribute is Management-Policy-ID, conceptually similar
    to Filter-ID. Due to the strict separation of access control from
    authentication in the SNMP architecture, this requires that RADIUS
    provides an Authorize Only service for SNMP usage.

/js

-- 
Juergen Schoenwaelder		    International University Bremen
<http://www.eecs.iu-bremen.de/>	    P.O. Box 750 561, 28725 Bremen, Germany

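Added example, not code from this thread or from any IETF document: a small Python model of the provisioning use case in the reply above. SSH has already authenticated the user; RADIUS is consulted only for authorization (the Authorize Only service) and returns a Management-Policy-ID, which the agent turns into a VACM securityName-to-group mapping. The policy names, the RADIUS user table and the OID views are constructed sample data, and the function names are this example's own.

```python
from typing import Dict, Optional

# Constructed stand-in for the RADIUS server's user database: securityName -> policy.
RADIUS_POLICIES = {"alice": "readonly", "bob": "admin"}

def radius_authorize_only(security_name: str) -> Optional[dict]:
    """Simulate an Access-Request with Service-Type Authorize Only.
    Returns the Access-Accept attributes, or None for an Access-Reject.
    No credentials are carried: authentication already happened over SSH."""
    policy = RADIUS_POLICIES.get(security_name)
    if policy is None:
        return None
    return {"Management-Policy-ID": policy}

# VACM-like vacmAccessTable: group -> (read view, write view). A view is a tuple
# of OID prefixes; an empty write view means no write access at all.
VACM_ACCESS = {
    "readonly": (("1.3.6.1.2.1.1",), ()),
    "admin":    (("1.3.6.1",), ("1.3.6.1",)),
}
# vacmSecurityToGroupTable, populated only from RADIUS authorization data.
vacm_security_to_group: Dict[str, str] = {}

def provision_from_radius(security_name: str) -> bool:
    """Install the securityName -> group mapping from an Authorize Only exchange."""
    attrs = radius_authorize_only(security_name)
    if attrs is None or attrs.get("Management-Policy-ID") not in VACM_ACCESS:
        vacm_security_to_group.pop(security_name, None)  # fail closed: no group
        return False
    vacm_security_to_group[security_name] = attrs["Management-Policy-ID"]
    return True

def _in_view(oid: str, view: tuple) -> bool:
    # An OID is in a view if it equals, or lies below, one of the view's prefixes.
    return any(oid == p or oid.startswith(p + ".") for p in view)

def is_access_allowed(security_name: str, oid: str, write: bool = False) -> bool:
    """VACM-style check: an SSH-authenticated user with no group mapping is denied,
    which is the separation of authentication from access control the reply describes."""
    group = vacm_security_to_group.get(security_name)
    if group is None:
        return False
    read_view, write_view = VACM_ACCESS[group]
    return _in_view(oid, write_view if write else read_view)
```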