
RE: [Isms] RE: Follow up on Authorize Only issue



> OK. If RADIUS supports this, we can probably ask for specific
> attributes or attribute sets.

Typically this is handled by utilization of a unique Service-Type or NAS-Port-Type value. The RADIUS policy engine then selects the attribute set to be returned based on these values.

> There are multiple possible proposals on the ISMS table, and we are
> trying to determine what RADIUS can or cannot provide for us.

> We know that RADIUS can provide SSH-related attributes when the user
> connects to the NAS using an SSH session and RADIUS provides the
> authentication.

As far as I know there is no specification for SSH authentication support within RADIUS so I'm not sure if this is true or not. For example, as I understand it SSH can support authentication mechanisms such as Kerberos which are not supported in RADIUS.

> We know that the RADIUS server might be able to provide SNMP-related
> attributes when the user connects to the NAS using an SSH transport
> and RADIUS provides the authentication.

In this case it sounds like the NAS-Port-Type might be "SSH" but the Service-Type might be "SNMP".

> We do not need "authorize-only" support for those situations, since
> RADIUS would be doing the authentication.

I think this depends on whether RADIUS can support all the required authentication methods. If not, then either that support needs to be added to RADIUS or only authorization will be available.

> The authentication might have been provided via Kerberos
> or TLS or SNMPv3's USM, but RADIUS is not involved in the
> authentication, only the (later) authorization.

In this case you might have a Service-Type of "SNMP" and a NAS-Port-Type of "SNMP".

> The attributes we want to see are
> specific to SNMP, or to Network Management via SNMP/Netconf/CLI, etc.

> If RADIUS supports it, the RADIUS client may be able to identify that
> the request is associated with an SNMP engine, so the server can return
> only SNMP-related attributes.

A Service-Type of "SNMP" with a NAS-Port-Type of "SNMP" could be used to indicate this.

Question: In the case where SSH is used, do you just need SSH attributes, or are SNMP attributes required there as well? In other words, how is SSH for SNMP distinguished from plain old SSH?
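As an added illustration of the mechanism discussed above (the server picking an attribute set from the Service-Type and NAS-Port-Type pair, and the integrity check an authorize-only request needs because it carries no User-Password), not code from this thread or from any RADIUS implementation: the "SNMP" NAS-Port-Type value is a labelled placeholder, and the policy table, shared secret and packet contents are constructed.

```python
import hashlib
import hmac
import os
import struct

# Attribute numbers and enumerated values from RFC 2865, RFC 2869 and RFC 5080.
ATTR_USER_NAME, ATTR_SERVICE_TYPE, ATTR_NAS_PORT_TYPE, ATTR_MSG_AUTH = 1, 6, 61, 80
SERVICE_TYPE_LOGIN, SERVICE_TYPE_AUTHORIZE_ONLY, NAS_PORT_TYPE_VIRTUAL = 1, 17, 5
# Assumption: the "SNMP" NAS-Port-Type discussed in the thread has no assigned value.
NAS_PORT_TYPE_SNMP_PLACEHOLDER = 0xFFFF
# Constructed policy table: attribute set returned per (Service-Type, NAS-Port-Type).
POLICY = {
    (SERVICE_TYPE_AUTHORIZE_ONLY, NAS_PORT_TYPE_SNMP_PLACEHOLDER): "snmp-management-attributes",
    (SERVICE_TYPE_LOGIN, NAS_PORT_TYPE_VIRTUAL): "ssh-cli-attributes",
}
def encode_attrs(attrs):
    # Each attribute is a TLV: type (1 byte), total length (1 byte), value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
def parse_attrs(data):
    # Walk the attribute area, refusing lengths that would run past the buffer.
    out, i = [], 0
    while i < len(data):
        length = data[i + 1] if i + 1 < len(data) else 0
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        out.append((data[i], data[i + 2:i + length]))
        i += length
    return out
def build_access_request(secret, ident, attrs):
    # Client side: Access-Request (code 1) sealed with Message-Authenticator, an HMAC-MD5
    # keyed by the shared secret over the packet with the 16-byte HMAC field zeroed.
    req_auth = os.urandom(16)
    body = encode_attrs(attrs + [(ATTR_MSG_AUTH, bytes(16))])  # zero placeholder is last
    header = struct.pack("!BBH", 1, ident, 20 + len(body))
    mac = hmac.new(secret, header + req_auth + body, hashlib.md5).digest()
    return header + req_auth + body[:-16] + mac
def authorize(secret, packet):
    # Server side: verify the HMAC first, then select by (Service-Type, NAS-Port-Type).
    header, req_auth, body = packet[:4], packet[4:20], packet[20:]
    attrs = parse_attrs(body)
    macs = [v for t, v in attrs if t == ATTR_MSG_AUTH]
    # No User-Password here, so this HMAC is all that binds the attributes to the secret.
    if len(macs) != 1 or len(macs[0]) != 16:
        return "discard"  # RFC 2869: silently discard on a missing or bad authenticator
    zeroed = encode_attrs([(t, bytes(16) if t == ATTR_MSG_AUTH else v) for t, v in attrs])
    if not hmac.compare_digest(macs[0], hmac.new(secret, header + req_auth + zeroed, hashlib.md5).digest()):
        return "discard"
    values = dict(attrs)  # a missing Service-Type / NAS-Port-Type decodes as 0 and matches nothing
    key = tuple(int.from_bytes(values.get(a, b""), "big") for a in (ATTR_SERVICE_TYPE, ATTR_NAS_PORT_TYPE))
    return POLICY.get(key, "reject")
```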



--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>