Re: review of NAS-Management-authorization
> Since this is a common use case, I propose to add and additional attribute
> to explicitly provision integer privilege level. That text would look like:
>
> 7.x. Management-Privilege-Level
>
> The Management-Privilege-Level attribute indicates the integer
> privilege level to be assigned for management access for the
> authenticated user. Many NASes provide the notion of
> differentiated management privilege levels denoted by an integer
> value. The specific access rights conferred by each value are
> implementation dependent. It MAY be used in both Access-Request
> and Access-Accept packets.
>
> A summary of the Management-Privilege-Level attribute format is
> shown below. The fields are transmitted from left to right.
>
>      0                   1                   2                   3
>      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
>     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>     |     Type      |    Length     |             Value
>     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>                Value (cont)         |
>     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>
> Type
>
> (TBA) for Management-Privilege-Level.
>
> Length
>
> 6
>
>
> Value
>
> The Value field is an Integer, denoting a management
> privilege level.
>
> Further thoughts on this proposal?
>
It seems fine to offer this as a separate attribute from Management-Policy-Id.
If we want this to be useful for non-framed management sessions (with
Service-Type values other than Framed-Management), I wonder if we want
to limit this new attribute's use to sessions where Service-Type is
NAS-Prompt (not Administrative). I think typically, NASes treat
NAS-Prompt as minimal privilege and Administrative as full privilege.
If we limit Management-Privilege-Level to Service-Type=NAS-Prompt, it
would only have the effect of increasing privilege level when
understood. But, if Management-Privilege-Level were used with
Service-Type=Administrative to restrict privileges, *and* the
particular NAS did not understand (and ignored) the
Management-Privilege-Level attribute, the effect would be to avoid
privilege restrictions.
An alternative would be to have the server use the
Management-Privilege-Level only when the NAS had hinted that it was
supported (a la Chargeable-User-Identity, if I recall).
Greg
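The following is an added example, not code from the thread or from the draft under review. It encodes and parses the proposed Management-Privilege-Level attribute (Type 1 octet, Length 6, Value a 4-octet integer) and models the fail-open case Greg describes: a server that tries to lower privilege by pairing Service-Type=Administrative with the new attribute, against a NAS that ignores attributes it does not implement. The Type code 200, the NAS's minimum and maximum levels (1 and 15), and the "hint" convention (the NAS includes the attribute in its Access-Request, in the style of Chargeable-User-Identity) are assumptions for this example; the Service-Type values 6 (Administrative), 7 (NAS-Prompt) and 18 (Framed-Management) are from RFC 2865 and RFC 5607.

```python
import struct

# Service-Type (Type 6) values from RFC 2865 and RFC 5607.
SERVICE_TYPE = 6
ADMINISTRATIVE_USER = 6
NAS_PROMPT_USER = 7
FRAMED_MANAGEMENT = 18

# The proposal leaves the Type "TBA"; 200 is a placeholder for this example only.
MGMT_PRIV_LEVEL_TYPE = 200  # assumption, not an IANA assignment

# Assumed NAS behaviour: NAS-Prompt grants the lowest level, Administrative the highest.
NAS_MIN_LEVEL, NAS_MAX_LEVEL = 1, 15


def encode_attr(attr_type, payload):
    """Encode one RADIUS attribute: Type (1 octet), Length (1 octet, includes header), Value."""
    length = 2 + len(payload)
    if not 3 <= length <= 255:
        raise ValueError("attribute payload must be 1..253 octets")
    return struct.pack("!BB", attr_type, length) + payload


def encode_mgmt_priv_level(level):
    """Management-Privilege-Level: Length 6, Value is a 4-octet unsigned integer."""
    if not 0 <= level <= 0xFFFFFFFF:
        raise ValueError("privilege level must fit in 32 bits")
    return encode_attr(MGMT_PRIV_LEVEL_TYPE, struct.pack("!I", level))


def decode_attrs(data):
    """Parse a run of attributes into [(type, value_bytes)], rejecting malformed lengths."""
    attrs, off = [], 0
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError("truncated attribute header at offset %d" % off)
        atype, alen = struct.unpack_from("!BB", data, off)
        if alen < 3 or off + alen > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (alen, off))
        attrs.append((atype, data[off + 2:off + alen]))
        off += alen
    return attrs


def nas_hinted_support(request_attrs):
    """Assumed hint convention: the NAS put Management-Privilege-Level in its Access-Request."""
    return any(t == MGMT_PRIV_LEVEL_TYPE for t, _ in decode_attrs(request_attrs))


def naive_accept_attrs(service_type, level):
    """Server that always attaches the attribute, including with Administrative to restrict."""
    return encode_attr(SERVICE_TYPE, struct.pack("!I", service_type)) + encode_mgmt_priv_level(level)


def guarded_accept_attrs(service_type, level, nas_hinted=False):
    """Server policy from the reply: attach Management-Privilege-Level only where an
    ignoring NAS fails closed (Service-Type=NAS-Prompt) or where the NAS hinted support."""
    out = encode_attr(SERVICE_TYPE, struct.pack("!I", service_type))
    if service_type == NAS_PROMPT_USER or nas_hinted:
        out += encode_mgmt_priv_level(level)
    return out


def nas_effective_level(accept_attrs, understands_mpl):
    """Model the level a NAS grants. A NAS that does not implement the attribute ignores it."""
    attrs = dict(decode_attrs(accept_attrs))
    service_type = struct.unpack("!I", attrs[SERVICE_TYPE])[0]
    base = NAS_MAX_LEVEL if service_type == ADMINISTRATIVE_USER else NAS_MIN_LEVEL
    if understands_mpl and MGMT_PRIV_LEVEL_TYPE in attrs:
        return struct.unpack("!I", attrs[MGMT_PRIV_LEVEL_TYPE])[0]
    return base


if __name__ == "__main__":
    # Server intends level 5. Pairing it with Administrative fails open on an old NAS.
    print("naive, NAS ignores:  ", nas_effective_level(naive_accept_attrs(ADMINISTRATIVE_USER, 5), False))
    print("naive, NAS applies:  ", nas_effective_level(naive_accept_attrs(ADMINISTRATIVE_USER, 5), True))
    # Pairing it with NAS-Prompt fails closed: the old NAS grants the minimum instead.
    print("guarded, NAS ignores:", nas_effective_level(guarded_accept_attrs(NAS_PROMPT_USER, 5), False))
    print("guarded, NAS applies:", nas_effective_level(guarded_accept_attrs(NAS_PROMPT_USER, 5), True))
    # Constructed Access-Request carrying the hint attribute (value 0).
    hinted = nas_hinted_support(encode_mgmt_priv_level(0))
    print("hinted Administrative carries attribute:",
          MGMT_PRIV_LEVEL_TYPE in dict(decode_attrs(guarded_accept_attrs(ADMINISTRATIVE_USER, 5, hinted))))
```

The two runs of `nas_effective_level` make the asymmetry concrete: with Administrative as the base, an ignoring NAS lands on 15 (the restriction is silently lost), whereas with NAS-Prompt as the base it lands on 1 and only a NAS that understands the attribute is lifted to 5. The `nas_hinted` path is the Chargeable-User-Identity-style alternative from the reply.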
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>