[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [Isms] RE: Follow up on Authorize Only issue
Bernard Aboba writes...
> Does the Service-Type of "Framed-Management" imply
> authorization-only?
No. It could equally be used when RADIUS is providing both
authentication and authorization.
> Or is it possible for authentication to be requested
> as well?
Yes.
> For example, what attributes are used in existing SSH
> implementations acting as a RADIUS client?
I rather suspect that existing implementations either ignore the
Service-Type (i.e. authenticate only) or expect something like
NAS-Prompt.
There is an issue to be worked out, and that it how does the NAS signal
to the RADIUS Server that it is seeking Authorize Only service
specifically for SSHSM?
The existing Authorize only usage in RFC 3576 suggests that:
The NAS then sends an Access-Request
to the RADIUS server with a Service-Type Attribute with value
"Authorize Only". This Access-Request SHOULD contain the NAS
attributes from the Disconnect or CoA-Request, as well as the session
attributes from the Request legal for inclusion in an Access-Request
as specified in [RFC2865], [RFC2868], [RFC2869] and [RFC3162]. As
noted in [RFC2869] Section 5.19, a Message-Authenticator attribute
SHOULD be included in an Access-Request that does not contain a
User-Password, CHAP-Password, ARAP-Password or EAP-Message Attribute.
So it seems clear that the Access-Request message, in the SSHSM
Authorize Only usage, should contain;
Service-Type = Authorize Only
Message-Authenticator
Plus various forms of ID attributes, such as NAS-IP-Address,
NAS-Identifier, etc.
But what else?
It would be typical to include:
Service-Type = Framed-Management
Framed-Management-Protocol = SNMPv3
as hints, however, the value of Service-Type conflicts.
Perhaps simply including:
Framed-Management-Protocol = SNMPv3
is a sufficient hint to the RADIUS Server, along with Service-Type =
Authorize Only, to indicate the SSHSM Authorize Only use case.
I would fully expect that the Access-Accept message would contain:
Service-Type = Framed-Management
Framed-Management-Protocol = SNMPv3
Message-Authenticator
Plus what ever else might be desired.
There was also a suggestion on the list that the NAS convey the asserted
identity to the RADIUS Server for audit purposes. This could be
accomplished by a (new) Asserted-Identity attribute.
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>