
RE: a question about Management Authorization -01 document



Li Chunxiu writes...

> In the RADIUS NAS Management Authorization Draft, the added attribute
> Management-Privilege-Level is an integer-valued attribute for use with
> CLI access methods. I have a question about it: does it apply to the
> Framed-Management-Protocol?

The Management-Privilege-Level attribute was added to address a review
comment and a long-standing use case.

In the -01 draft, we made it clear that the Management-Policy-Id attribute
was to be a flat, simple name of local scope, and that the field was not to
be overloaded with other kinds of elements, all in the name of good
interoperability.  To address a need that might have tempted vendors to
overload the Management-Policy-Id attribute and to provide a way to
provision a long-standing CLI management parameter, we added the new
attribute.

The use case is that of an integer-valued privilege level for CLI usages, as
exemplified by the "enable" levels in Cisco's IOS.  This use is common in
other vendors' products, as well.

I don't see any reason that the Management-Privilege-Level attribute could
not be made applicable to Framed-Management sessions, but I don't see any
compelling reason for doing so.  Having it available as a matter of protocol
symmetry might be nice, but is there actually a use case that it would
support?  

> For example, in access control of SNMP protocol or Netconf protocol, is
> it necessary to use the Management-Privilege-Level attribute?

It seems to me that the named policy of Management-Policy-Id would be
sufficient for uses such as SNMP or Netconf.  Can you suggest a situation
where it would be desirable to have an integer-valued parameter for
provisioning access control via either of these methods?

Regards,

Dave



