
Re: RADIUS Extension for Management Authorization Draft
On Wed, Jul 14, 2004 at 05:20:45PM -0400, Nelson, David wrote:
> I have submitted an Internet-Draft entitled "RADIUS Extension for Management Authorization", located at the following URL:
> 
> http://www.ietf.org/internet-drafts/draft-nelson-radius-management-authorization-00.txt
> 
> This is based on work that I presented at the RADEXT BOF at IETF 58.  Interest in this area of work was expressed at the BOF.  I'd like to solicit comment on this initial draft on the list, and get an idea of the potential interest in making this a WG work item, and of others who may have an interest in contributing to the document.

I was not at the BOF, so perhaps am misjudging the intent of the draft.

It seems to in effect provide single-sign-on for NAS administration.
That is, based on RADIUS authentication, the user will be authorized
to administer the NAS without further authentication steps.  I infer
this, because if there were further authentication steps intended after
the user was communicating with the NAS, that could be accomplished
simply with an appropriate Filter-Id which allowed the necessary packets
to pass - on the assumption, which I consider the only sane one, that
ordinary users are prevented from sending any packets whatsoever to
the NAS itself.

But SSO for NAS administration strikes me as a bad idea.  The NAS already
has authentication and authorization procedures in place to enable and
control administration from within the network.  Why should these be
bypassed simply because the user has "dialed" in?  Do we really trust
RADIUS authentication as much as the NAS's native procedures?  Suppose
we're in a proxy situation and the user's home RADIUS server decides to
grant administrative access to a provider's NAS?

Is dialup administration so common that it's important to allow SSO?

Regards,
Barney

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
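As an added illustration of the two points Barney raises (a Filter-Id that keeps ordinary users from sending anything to the NAS itself, and a NAS that refuses to honour administrative authorization arriving from a proxied, foreign home server), here is a small Python example; it is not code from the draft or from anyone on the thread. The attribute numbers and the Service-Type value 6 (Administrative-User) are from RFC 2865; the filter names, the sample packet and the `proxied_from_foreign_realm` flag are assumptions made for the example.

```python
import struct

# RFC 2865 attribute types and Service-Type values
SERVICE_TYPE = 6
FILTER_ID = 11
SERVICE_FRAMED_USER = 2
SERVICE_ADMINISTRATIVE_USER = 6
# Assumed NAS-local filter name: lets user traffic through, drops packets addressed to the NAS.
DEFAULT_USER_FILTER = "users-no-nas-access"

def parse_avps(payload: bytes) -> list:
    """Parse RFC 2865 AVPs: Type(1) Length(1) Value(Length-2), rejecting malformed lengths."""
    avps, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        t, ln = payload[i], payload[i + 1]
        if ln < 2 or i + ln > len(payload):
            raise ValueError(f"bad attribute length {ln} at offset {i}")
        avps.append((t, payload[i + 2:i + ln]))
        i += ln
    return avps

def build_avp(t: int, value: bytes) -> bytes:
    return bytes([t, 2 + len(value)]) + value

def build_access_accept(avps: bytes, ident: int = 1) -> bytes:
    # Code 2 = Access-Accept. The 16-byte Response Authenticator is zeroed: this example
    # does not verify it (that needs the shared secret), it only exercises the policy.
    return struct.pack("!BBH", 2, ident, 20 + len(avps)) + b"\x00" * 16 + avps

def sample_admin_accept() -> bytes:
    """Constructed Access-Accept granting Service-Type Administrative-User (not real traffic)."""
    return build_access_accept(build_avp(SERVICE_TYPE, struct.pack("!I", SERVICE_ADMINISTRATIVE_USER))
                               + build_avp(FILTER_ID, b"nas-admin"))

def authorize(packet: bytes, proxied_from_foreign_realm: bool) -> dict:
    """NAS-side decision: admin access only from the local home server, never via a proxy."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 2 or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    decision = {"service_type": SERVICE_FRAMED_USER, "filter_id": DEFAULT_USER_FILTER, "admin": False}
    for t, v in parse_avps(packet[20:]):
        if t == SERVICE_TYPE and len(v) == 4:
            decision["service_type"] = struct.unpack("!I", v)[0]
        elif t == FILTER_ID:
            decision["filter_id"] = v.decode("ascii", "replace")
    if decision["service_type"] == SERVICE_ADMINISTRATIVE_USER:
        if proxied_from_foreign_realm:  # a foreign home server may not grant admin on our NAS
            decision.update(service_type=SERVICE_FRAMED_USER, filter_id=DEFAULT_USER_FILTER,
                            reason="administrative Service-Type ignored: response was proxied")
        else:
            decision["admin"] = True
    return decision
```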

archive: <http://psg.com/lists/radiusext/>