Editorial review of draft-ietf-radext-management-authorization-03.txt
Abstract
This document describes Remote Authentication Dial-In User Service
(RADIUS) attributes for the authorization and service provisioning of
Network Access Servers (NASes). Both local and remote management are
supported, with granular access rights and management privileges.
Specific provisions are made for remote management via framed
management protocols, and for specification of a protected transport
protocol.
[BA] This document is about NAS management authorization, not
authorization of NASes. Suggest the following:
This document specifies Remote Authentication Dial-In User Service
(RADIUS) attributes for Network Access Server (NAS) management.
Both local and remote management are
supported, with granular access rights and management privileges.
Specific provisions are made for remote management via framed
management protocols, which may run over a secure transport
protocol.
2. Introduction and Rationale
[BA] How about combining Sections 2, part of 3 and 6 into a Section 1 that
reads as follows? The Terminology section can then be Section 1.1.
1. Introduction
RFC 2865 [RFC2865] defines the NAS-Prompt and Administrative values of
the Service-Type Attribute. Both of these values provide access to
the interactive, text-based Command Line Interface (CLI) of the NAS,
and were originally developed to control access to the physical
console port of the NAS, most often a serial port.
Remote access to the CLI of the NAS has been available in NAS
implementations for many years, using protocols such as Telnet,
Rlogin and the remote terminal service of SSH. In order to distinguish
local, physical, console access from remote access, the NAS-Port-Type
Attribute is generally included in Access-Request and Access-Accept
messages, along with the Service-Type Attribute, to indicate the form
of access. A NAS-Port-Type of Async (0) is used to signify a local
serial port connection, while a value of Virtual (5) is used to
signify a remote connection, via a remote terminal protocol. This
usage provides no selectivity among the various available remote
terminal protocols (e.g. Telnet, Rlogin, SSH, etc.).
Today, it is common for network devices to support more privilege
levels for management access than just NAS-Prompt
(non-privileged) and Administrative (privileged). Also, other
management mechanisms may be used, such as Web-based management,
Simple Network Management Protocol (SNMP) and NETCONF.
To provide support for these additional features, this specification
defines attributes for framed management protocols, management protocol
security, and management access privilege levels.
Remote management via the command line is carried over protocols
such as Telnet, Rlogin and the remote terminal service of SSH. Since
these protocols are primarily for the delivery of terminal or
pseudo-TTY services, the term "Framed Management" is used to describe
management protocols supporting techniques other than the command-line.
Typically these mechanisms format management information in a binary or
textual encoding such as HTML, XML or ASN.1/BER. Examples include
web-based management (HTML over HTTP or HTTPS), NETCONF (XML over
SSH/BEEP/SOAP) and SNMP (SMI over ASN.1/BER). Command line
interface, menu interface or other text-based (e.g. ASCII or UTF-8)
terminal emulation services are not considered to be Framed Management
protocols.
[BA] How about combining part of Section 3, as well as 4, 5 and 6 into
a Section 2 that reads as follows?
2. Overview
To support the authorization and provisioning of Framed Management
access to managed entities, this document introduces a new value for
the Service-Type Attribute [RFC2865], and one new attribute. The new
value for the Service-Type Attribute is Framed-Management, used for
remote device management via a Framed Management Protocol. The new
attribute is Framed-Management-Protocol, the value of which specifies a
particular protocol for use in the remote management session.
Two new attributes are introduced in this document in support of
granular management access rights or command privilege levels.
The Management-Policy-Id Attribute provides a text string
specifying a policy name of local scope, that is assumed to have
been pre-provisioned on the NAS. This use of an attribute to
specify use of a pre-provisioned policy is similar to
the Filter-Id Attribute defined in [RFC2865] Section 5.11.
The local application of the Management-Policy-Id within the managed
entity may take the form of (a) one of an enumeration of command
privilege levels, (b) a mapping into an SNMP Access Control Model,
such as the View Based Access Control Model (VACM) [RFC3415], or (c)
some other set of management access policy rules that is mutually
understood by the managed entity and the remote management
application. Examples are given in Section X.
The Management-Privilege-Level Attribute contains an
integer-valued management privilege level indication. This attribute
serves to modify or augment the management permissions provided by
the NAS-Prompt value of the Service-Type Attribute, and thus applies to
CLI management.
To enable management security requirements to be specified, the
Management-Transport-Protection Attribute is introduced. The value
of this attribute indicates the minimum level of secure transport
protocol protection required for the provisioning of NAS-Prompt,
Administrative or Framed-Management service.
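As an added example (not part of the draft or of this review), the following Python sketches how a NAS would apply the attributes described in the Overview above to an incoming management session: the transport-protection minimum is checked first, then Service-Type selects CLI or framed management, with Framed-Management-Protocol, Management-Policy-Id and Management-Privilege-Level applied as the text describes. The Service-Type codes Administrative (6) and NAS-Prompt (7) and NAS-Port-Type Async (0) / Virtual (5) are from RFC 2865; the Framed-Management code, the protection-level names, the transport table and the top privilege level 15 are placeholders and constructed values.

```python
from dataclasses import dataclass
from typing import Optional

# Service-Type values from RFC 2865; the draft's Framed-Management value is
# not given on this page, so it is represented by a labelled placeholder.
ADMINISTRATIVE, NAS_PROMPT = 6, 7
FRAMED_MANAGEMENT = "Framed-Management(placeholder)"
ASYNC, VIRTUAL = 0, 5  # NAS-Port-Type: local serial console vs. remote terminal

# Constructed ordering of Management-Transport-Protection levels (the draft
# says only "minimum level"; these names are assumptions for this example).
PROTECTION = {"None": 0, "Integrity": 1, "Integrity+Confidentiality": 2}
# Constructed table of what each session transport actually provides on this NAS.
TRANSPORT = {"console": 0, "telnet": 0, "rlogin": 0, "http": 0, "ssh": 2, "https": 2}

@dataclass
class Session:
    nas_port_type: int                      # ASYNC or VIRTUAL
    transport: str                          # key into TRANSPORT
    framed_protocol: Optional[str] = None   # e.g. "NETCONF"; None for a CLI session

@dataclass
class Decision:
    granted: bool
    reason: str
    privilege: Optional[int] = None   # CLI privilege level, if granted
    policy: Optional[str] = None      # Management-Policy-Id handed to local policy

def authorize(accept: dict, session: Session) -> Decision:
    """Apply the management attributes of an Access-Accept to one session."""
    svc = accept.get("Service-Type")
    # The transport minimum applies to NAS-Prompt, Administrative and Framed-Management.
    need = PROTECTION[accept.get("Management-Transport-Protection", "None")]
    have = TRANSPORT[session.transport]
    if have < need:
        return Decision(False, f"{session.transport} is below required protection {need}")
    if svc == FRAMED_MANAGEMENT:
        if session.nas_port_type != VIRTUAL or session.framed_protocol is None:
            return Decision(False, "Framed-Management needs a remote framed session")
        want = accept.get("Framed-Management-Protocol")
        if want is not None and want != session.framed_protocol:
            return Decision(False, f"session is {session.framed_protocol}, not {want}")
        return Decision(True, "framed management", policy=accept.get("Management-Policy-Id"))
    if svc in (NAS_PROMPT, ADMINISTRATIVE):
        if session.framed_protocol is not None:
            return Decision(False, "CLI Service-Type does not authorize a framed protocol")
        # Management-Privilege-Level modifies NAS-Prompt only; Administrative is fully
        # privileged (15 is an assumed top level, not from the draft).
        level = 15 if svc == ADMINISTRATIVE else accept.get("Management-Privilege-Level", 0)
        return Decision(True, "cli", privilege=level, policy=accept.get("Management-Policy-Id"))
    return Decision(False, f"Service-Type {svc!r} is not a management service")
```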