RE: review of NAS-Management-authorization
Greg Weber writes...
> It seems fine to offer this as a separate attribute from Management-
> Policy-Id.
>
> If we want this to be useful for non-framed management sessions
> (with Service-Type values other than Framed-Management), I wonder
> if we want to limit this new attribute's use to sessions where
> Service-Type is NAS-Prompt (not Administrative).
That would certainly support the use case this attribute is intended to
address. There may be value in limiting the applicability of
Management-Privilege-Level to CLI interfaces, since it is not clear how one
would apply both Management-Policy-Id and Management-Privilege-Level to a
framed management session. The only question in my mind is whether this
should be a SHOULD NOT or MUST NOT.
> If we limit Management-Privilege-Level to Service-Type=NAS-Prompt,
> it would only have the effect of increasing privilege level when
> understood. But, if Management-Privilege-Level were used with
> Service-Type=Administrative to restrict privileges, *and* the
> particular did not understand (and ignored) the
> Management-Privilege-Level attribute, the effect would be to avoid
> privilege restrictions.
Sounds good to me.
> An alternative would be to have the server use the
> Management-Privilege-Level only when the NAS had hinted that it
> was supported (a la Chargeable-User-Identity, if I recall).
The proposed text already indicates that it may appear in an Access-Request
message, as a hint to the RADIUS server that the NAS supports this
attribute.
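The fail-open concern raised above, worked through as an added simulation (not part of this thread or the draft): a NAS that does not implement Management-Privilege-Level ignores it, so a restriction sent with Service-Type=Administrative is silently lost, while the same attribute sent with Service-Type=NAS-Prompt can only raise privilege from the minimal baseline. The numeric levels (1 = minimal, 15 = full), the hint encoding in the Access-Request and the helper names are assumptions made for this illustration.

```python
# Added example: models the NAS-side and server-side behaviour discussed in
# the thread. Levels 1..15 and the hint encoding are assumptions, not the draft's.

ADMINISTRATIVE = "Administrative"
NAS_PROMPT = "NAS-Prompt"
MPL = "Management-Privilege-Level"

# Assumed baseline a NAS grants per Service-Type when no MPL is applied:
# Administrative = full privilege, NAS-Prompt = minimal CLI access.
BASELINE = {ADMINISTRATIVE: 15, NAS_PROMPT: 1}


def nas_effective_level(access_accept, understands_mpl):
    """Privilege level the NAS ends up with after an Access-Accept.

    A NAS that does not implement Management-Privilege-Level ignores the
    attribute and stays at the Service-Type baseline, which is exactly the
    fail-open case when the baseline is Administrative."""
    level = BASELINE[access_accept["Service-Type"]]
    if understands_mpl and MPL in access_accept:
        level = access_accept[MPL]
    return level


def build_access_accept(access_request, wanted_level, require_hint=True):
    """Server-side policy: only ever pair Management-Privilege-Level with
    Service-Type=NAS-Prompt, and (if require_hint) only when the NAS hinted
    support by including the attribute in its Access-Request."""
    accept = {"Service-Type": NAS_PROMPT}
    if require_hint and MPL not in access_request:
        # No hint: fall back to minimal CLI access rather than send an
        # attribute the NAS might ignore.
        return accept
    accept[MPL] = wanted_level
    return accept


def compare_restriction_outcomes(wanted_level=5):
    """Same intended privilege (wanted_level) under both baselines, on a NAS
    that does not understand the attribute. Returns (admin, nas_prompt)."""
    admin = nas_effective_level(
        {"Service-Type": ADMINISTRATIVE, MPL: wanted_level}, understands_mpl=False)
    prompt = nas_effective_level(
        build_access_accept({MPL: 0}, wanted_level), understands_mpl=False)
    return admin, prompt  # (15, 1): restriction lost vs. privilege not raised
```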
archive: <http://psg.com/lists/radiusext/>