Re: RADIUS Extension for Management Authorization Draft



On Thu, Jul 15, 2004 at 10:48:41AM -0400, Nelson, David wrote:
> A follow-up thought...
> 
> > > Suppose we're in a proxy situation and the user's home 
> > > RADIUS server decides to grant administrative access to
> > > a provider's NAS?
> > 
> > There may be additional text required in the Proxy Considerations
> > portion of the draft. However, today we have the Admin Service-Type that
> > grants "super-user" or privileged access to the management CLI of the
> > NAS.  How would the issues you raise be different for that attribute?
> 
> There's another way to think about this problem.  That is the concept of
> "split-horizon" RADIUS authentication, wherein one RADIUS server [farm]
> is used to provision network access through a NAS and a second RADIUS
> server [farm] is used to provision management access into the NAS.  The
> issue you raise is certainly valid in various Proxy RADIUS, multi-party
> environments.  It would likely not be an issue in most enterprise
> environments.  I do think the issue exists today with the NAS-Prompt and
> Admin Service-Types.

I agree completely with split-horizon.  That's why I'm uncomfortable with
SSO.  I'd be much happier if the outside user had to go through two
stages, one to get "inside" and the next to do things on the NAS.

Regards,
Barney

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>