[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Follow up on Authorize Only issue (was RE: [Isms] ISMS session summary)
On Thu, Jul 13, 2006 at 04:59:18PM -0400, Nelson, David wrote:
>
> In an Access-Accept message, the NAS is trusted to have authorization
> information for the user because (a) the NAS is trusted and (b) the user
> is present at the NAS, so the NAS has a "need to know". The concerns
> with Authorize Only operations, that do not have a previous successful
> RADIUS authentication as a prerequisite, is that when the user is not
> present at the NAS, the NAS does not have a "need to know" the user's
> authorization status. Information might be leaked to a NAS about users,
> that the NAS would not otherwise be entitled to have.
Thanks, I think I understand this. Now I wonder how other AAA systems
which I have been told to support authorize only deal with this issue.
Can someone please explain?
> IN RFC 3576, the requirement for a previous RADIUS authentication is met
> by requiring a server State attribute t be in the Access-Request
> message, which provides that binding for Authorize Only operation.
If I understand this correctly, then you have (a) the NAS is trusted
and (b) the user was previously present at the NAS here. Correct?
> The only form of RADIUS operation that currently provides authorization
> information on a "user" without user credentials is the call check
> operation. In these cases the actual user is not identified, but rather
> the user's phone number (or similar network address information).
>
> For the SSHSM usage case, the question is whether it is an unacceptable
> security risk for a trusted NAS to be able to obtain authorization
> information about a user that is not actually "present" at the NAS?
This probably needs more thought and discussion.
Thanks for discussing this issue and writing things up in a way that I
seem to understand.
/js
--
Juergen Schoenwaelder International University Bremen
<http://www.eecs.iu-bremen.de/> P.O. Box 750 561, 28725 Bremen, Germany
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>