
Reply: a question about Management Authorization -01 document



> Li Chunxiu writes...
> > In the RADIUS NAS Management Authorization Draft, the added attribute
> > Management-Privilege-Level is an integer-valued attribute for use with
> > CLI access methods, I have a question about it, does it apply to the
> > Framed-Management-Protocol?
> The Management-Privilege-Level attribute was added to address a review
> comment and a long standing use case.
> In the -01 draft, we made it clear that the Management-Policy-Id attribute
> was to be a flat, simple name of local scope, and that the field was not to
> be overloaded with other kinds of elements, all in the name of good
> interoperability.  To address a need that might have tempted vendors to
> overload the Management-Policy-Id attribute and to provide a way to
> provision a long standing CLI management parameter, we added the new
> attribute.
> The use case is that of an integer-valued privilege level for CLI usages, as
> exemplified by the "enable" levels in Cisco's IOS.  This use is common in
> other vendors' products, as well.
> I don't see any reason that the Management-Privilege-Level attribute could
> not be made applicable to Framed-Management sessions, but I don't see any
> compelling reason for doing so.  Having it available as a matter of protocol
> symmetry might be nice, but is there actually a use case that it would
> support?
> 
> > For example, in access control of SNMP protocol or Netconf protocol, is
> > it necessary to use the Management-Privilege-Level attribute?
> 
> It seems to me that the named policy of Management-Policy-Id would be
> sufficient for uses such as SNMP or Netconf.  Can you suggest a situation
> where it would be desirable to have an integer-valued parameter for
> provisioning access control via either of these methods?
> 
Here is a situation:
1. NETCONF access, defined by a policy:
      *  Service-Type (6) = Framed-Management (xx)
      *  Framed-Management-Protocol (xx) = NETCONF(3)
      *  Management-Policy-Id (xx) = " Read-only group1"
2. NETCONF access, defined by a policy:
      *  Service-Type (6) = Framed-Management (xx)
      *  Framed-Management-Protocol (xx) = NETCONF(3)
      *  Management-Policy-Id (xx) = "group1 Read-only"
3. NETCONF access, defined by a policy, with the Management-Privilege-Level
attribute:
      *  Service-Type (6) = Framed-Management (xx)
      *  Framed-Management-Protocol (xx) = NETCONF(3)
      *  Management-Policy-Id (xx) = "group1 "
      *  Management-Privilege-Level (xx) = 15
Comment: 15 denotes Read-only
         16 denotes create ... ...
I think the 3rd example, using the Management-Privilege-Level attribute,
clarifies the usage of the Management-Privilege-Level attribute.
What is your opinion?

Regards,
Li Chunxiu
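
As an added illustration (not code from the draft or from either author), the following NAS-side routine shows how the three attribute sets above would be evaluated: the policy name is a flat key that is looked up, never parsed, so the overloaded forms in examples 1 and 2 are unknown names and are denied, while example 3 combines a known policy name with the integer level. The policy table, the level-to-rights mapping (15 = read-only, 16 = create, as in the message), the NETCONF operation names and the whitespace tolerance are assumptions; numeric attribute type codes are left out because the draft still shows them as "xx".

```python
from typing import Optional

# Locally scoped policy names (Management-Policy-Id).  Per the -01 draft the
# name is a flat string that is looked up, never parsed for embedded
# qualifiers.  Assumed table for illustration.
POLICY_TABLE = {
    "group1": {"datastores": ["running"], "default_rights": {"read"}},
}

# Integer privilege level -> rights, following the numbering in the message
# (15 = read-only, 16 = create).  Assumed mapping, not from the draft.
PRIVILEGE_RIGHTS = {15: {"read"}, 16: {"read", "create"}}

# Right required for each NETCONF operation (assumed, simplified).
NETCONF_OP_RIGHT = {"get": "read", "get-config": "read", "edit-config": "create"}


def authorize_netconf(attrs: dict) -> Optional[dict]:
    """Derive a NETCONF authorization from Access-Accept attributes.

    Returns None (deny) unless Service-Type and Framed-Management-Protocol
    select NETCONF, the policy name is known, and any privilege level is valid.
    """
    if attrs.get("Service-Type") != "Framed-Management":
        return None
    if attrs.get("Framed-Management-Protocol") != "NETCONF":
        return None
    # Tolerate surrounding whitespace (as in "group1 "), nothing else: an
    # overloaded value such as "Read-only group1" is simply an unknown name.
    policy_id = attrs.get("Management-Policy-Id", "").strip()
    policy = POLICY_TABLE.get(policy_id)
    if policy is None:
        return None
    level = attrs.get("Management-Privilege-Level")
    if level is None:
        rights = policy["default_rights"]
    else:
        rights = PRIVILEGE_RIGHTS.get(level)
        if rights is None:  # unknown level: fail closed
            return None
    return {"policy": policy_id, "datastores": list(policy["datastores"]),
            "rights": sorted(rights)}


def netconf_operation_allowed(authz: Optional[dict], operation: str) -> bool:
    """Check one NETCONF operation against a derived authorization."""
    if authz is None:
        return False
    needed = NETCONF_OP_RIGHT.get(operation)
    return needed is not None and needed in authz["rights"]
```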



archive: <http://psg.com/lists/radiusext/>