On Nov 18, 2004, at 10:15 AM, Shashi Kiran wrote:
> Does anyone have examples of large nets where more than a few local users are maintained across all devices?
Another instance of a network-level issue is the case where a provider has managed VPNs with a centralized shared RADIUS between enterprises,
Seems like more of a service to customers than something used to manage admin access to the provider's core.
You're right. It's for a situation involving managed enterprise VPNs involving dynamic subscribers. The provider owns the termination device and authentication infrastructure. Would you want to include such scenarios as well, or focus on admin access to the provider's core only?
and there was a possibility for subscribers belonging to one VPN to switch between VPNs or access a different service profile, by introducing certain VSAs or source-spoofing, and cause security breaches. In this case access control checks need to be tightened on the router nodes or PEs where subscribers are terminating, since the RADIUS by itself cannot handle it. Not sure if you want to cover such scenarios here.
Seems a bit convoluted, to me anyhow. Do you know of an example of a core being managed in this way?
Actually, this is more applicable at the edge. And it can happen very easily, even by accident without deliberate malicious intent, if there's no security check in place, for instance, to ensure that two enterprises cannot assign the same VSAs (for instance the name of a VPN), or if they do, there are additional attributes in place which make the authentication unique. I've seen these in a few provider networks. If I'm deviating from the purpose, let me know.
---George