
RE: RADIUS Extension for Management Authorization Draft



A follow-up thought...

> > Suppose we're in a proxy situation and the user's home 
> > RADIUS server decides to grant administrative access to
> > a provider's NAS?
> 
> There may be additional text required in the Proxy Considerations
> portion of the draft. However, today we have the Admin Service-Type that
> grants "super-user" or privileged access to the management CLI of the
> NAS.  How would the issues you raise be different for that attribute?

There's another way to think about this problem.  That is the concept of
"split-horizon" RADIUS authentication, wherein one RADIUS server [farm]
is used to provision network access through a NAS and a second RADIUS
server [farm] is used to provision management access into the NAS.  The
issue you raise is certainly valid in various Proxy RADIUS, multi-party
environments.  It would likely not be an issue in most enterprise
environments.  I do think the issue exists today with the NAS-Prompt and
Admin Service-Types.

Regards,

Dave


