[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Review of Management Authorization -00 document

To: "David B. Nelson" <dnelson@elbrysnetworks.com>, <radiusext@ops.ietf.org>
Subject: Re: Review of Management Authorization -00 document
From: <Bernard_Aboba@hotmail.com>
Date: Mon, 19 Nov 2007 16:52:59 -0800
In-reply-to: <BAY117-F27713262C7B703C9D83BD193880@phx.gbl> <000a01c8208a$ebde28c0$091716ac@xpsuperdvd2> <092b01c82a03$f70a1240$6401a8c0@NEWTON603> <BAY117-DS356E6A3236C5C6875271A937D0@phx.gbl> <0ba901c82a68$193ca7b0$6401a8c0@NEWTON603> <BAY117-DS31CD83DC4DB030DBD79D2937E0@phx.gbl> <0c5a01c82a7b$67697e50$6401a8c0@NEWTON603> <BAY117-DS177E9C7237B8D2D71F204937E0@phx.gbl> <107301c82ab8$e8be16e0$6401a8c0@NEWTON603> <BAY117-DS1B3097656FA19E3C3700C937E0@phx.gbl> <00ed01c82ad9$86031d40$5d1216ac@xpsuperdvd2>
References: <BAY117-F27713262C7B703C9D83BD193880@phx.gbl> <000a01c8208a$ebde28c0$091716ac@xpsuperdvd2> <092b01c82a03$f70a1240$6401a8c0@NEWTON603> <BAY117-DS356E6A3236C5C6875271A937D0@phx.gbl> <0ba901c82a68$193ca7b0$6401a8c0@NEWTON603> <BAY117-DS31CD83DC4DB030DBD79D2937E0@phx.gbl> <0c5a01c82a7b$67697e50$6401a8c0@NEWTON603> <BAY117-DS177E9C7237B8D2D71F204937E0@phx.gbl> <107301c82ab8$e8be16e0$6401a8c0@NEWTON603> <BAY117-DS1B3097656FA19E3C3700C937E0@phx.gbl> <00ed01c82ad9$86031d40$5d1216ac@xpsuperdvd2>

That may well be one use case.  There are others.  Password authentication
is commonly used.


What attributes go along with that?  User-Password?  CHAP-Password?

The NAS-Prompt Service-Type has been used to authorize

local console access to the CLI as well as remote console access to theCLI.

Many implementations distinguish the two cases by the value of
NAS-Port-Type, which may be Async (0) for the physical console or Virtual
(5) for any form of remote console (e.g. telnet, shh, rlogin, et. al.).


OK.  My memory is returning...

The Management-Transport-Protocol attribute could certainly be used in
conjunction with the NAS-Port-Type attribute of Virtual (5), as is the
current practice.


OK.  It would make sense to say that in the document;.  Is there a situation
where  NAS-Port-Type = Async (0) would make much sense along with
a Management-Transport-Protocol, attribute?

Yes, that's an important element of this proposal. Just because someoneis
authorized to obtain network service from the NAS doesn't mean they are
authorized to manage the NAS.  If a single RADIUS server (or set of
primary/backup servers) is used to handle all authentication requests, itisimportant for the server to be able to authorize management access onlyfor
those in the system administration group.

In that sense, the usage of the Management-Transport-Protocol attribute
usage as a hint is as important, or more important, than the provisioning
usage.


OK.  It might be useful to have an example or two to make this clear.

Do you think it is important to have an attribute that says "telnet" or
"rlogin" in addition to one that says "over SSH" or "over TLS"?

The scenario here is to provide more info in the case whereNAS-Port-Type=virtual,

and Server-Type=NAS-Prompt, right?  I guess there are scenarios where this
could make a difference to the RADIUS server (e.g. router mistakenly enables
an insecure management protocol and RADIUS server wants to make sure it

that only secure protocols are authorized).


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

Follow-Ups:
- RE: Review of Management Authorization -00 document
  - From: "David B. Nelson" <d.b.nelson@comcast.net>

References:
- Review of Management Authorization -00 document
  - From: "Bernard Aboba" <bernard_aboba@hotmail.com>
- RE: Review of Management Authorization -00 document
  - From: "David B. Nelson" <dnelson@elbrysnetworks.com>
- RE: Review of Management Authorization -00 document
  - From: "David B. Nelson" <d.b.nelson@comcast.net>
- Re: Review of Management Authorization -00 document
  - From: <Bernard_Aboba@hotmail.com>
- RE: Review of Management Authorization -00 document
  - From: "David B. Nelson" <d.b.nelson@comcast.net>
- Re: Review of Management Authorization -00 document
  - From: <Bernard_Aboba@hotmail.com>
- RE: Review of Management Authorization -00 document
  - From: "David B. Nelson" <d.b.nelson@comcast.net>
- Re: Review of Management Authorization -00 document
  - From: <Bernard_Aboba@hotmail.com>
- Re: Review of Management Authorization -00 document
  - From: <Bernard_Aboba@hotmail.com>
- RE: Review of Management Authorization -00 document
  - From: "David B. Nelson" <dnelson@elbrysnetworks.com>

Prev by Date: Re: I-D Action:draft-ietf-radext-management-authorization-01.txt
Next by Date: RE: Review of Management Authorization -00 document
Previous by thread: RE: Review of Management Authorization -00 document
Next by thread: RE: Review of Management Authorization -00 document
Index(es):
- Date
- Thread