
Re: a question about Management Authorization -01 document



On Thu, Dec 20, 2007 at 11:08:03AM +0800, li chunxiu wrote:

> I agree with the point of view of a local policy named "read-only-group1"
> and another named "read-write-group1". 
> If the Access Control is mainly done in NAS, the Access Control policy in
> Radius may be very simple, and the pattern of "read-only-group1" is ok.
> If the Radius needs to participate in the Access Control, there may be some
> complicated policies. If the policies are too complicated to be expressed in
> one Management-Policy-Id, which expression is better? Will the policies be
> separated to several parts in each Management-Policy-Id within each
> Access-Accept? And these parts will be composed to be whole policies in the
> NAS to accomplish the Access Control, right? 

Section 4 defines the purpose and scope of the access control policy
attributes. In particular, note that the Management-Policy-Id and
Management-Privilege-Level attributes are not meant to carry access
control rules; they merely identify which locally known access control
rules to apply.

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>