Re: a question about Management Authorization -01 document
On Thu, Dec 20, 2007 at 11:08:03AM +0800, li chunxiu wrote:
> I agree with the point of view of a local policy named "read-only-group1"
> and another named "read-write-group1".
> If the Access Control is mainly done in NAS, the Access Control policy in
> Radius may be very simple, and the pattern of "read-only-group1" is ok.
> If the Radius needs to participate in the Access Control, there may be some
> complicated policies. If the policies are too complicated to be expressed in
> one Management-Policy-Id, which expression is better? Will the policies be
> separated to several parts in each Management-Policy-Id within each
> Access-Accept? And these parts will be composed to be whole policies in the
> NAS to accomplish the Access Control, right?
Section 4 defines the purpose and scope of the access control policy
attributes. In particular, note that the Management-Policy-Id and
Management-Privilege-Level attributes are not meant to carry access
control rules; they merely identify which locally known access control
rules to apply.
Juergen Schoenwaelder Jacobs University Bremen gGmbH
Phone: +49 421 200 3587 Campus Ring 1, 28759 Bremen, Germany
Fax: +49 421 200 3103 <http://www.jacobs-university.de/>