RE: ssh authentication and service authorization questions
RFC 5607 uses Service-Type=Framed-Management. Presumably that would be used
in exchanges 1,2.
Section 6.1 states that the Framed-Management-Protocol attribute is used
with Service-Type=Framed-Management. However, this isn't known until exchange
3, which will need to use Service-Type=Authorize-Only.
Maybe the solution is just to clarify the Section 6.1 text? I see no
inherent reason why a Framed-Management-Protocol attribute couldn't be
included in an Access-Request with Service-Type=Authorize-Only.
-----Original Message-----
From: owner-radiusext@ops.ietf.org [mailto:owner-radiusext@ops.ietf.org] On
Behalf Of Alan DeKok
Sent: Tuesday, November 30, 2010 11:59 AM
To: Bernard Aboba
Cc: radiusext@ops.ietf.org; j.schoenwaelder@jacobs-university.de
Subject: Re: ssh authentication and service authorization questions
Bernard Aboba wrote:
> Several ideas come to mind:
Or use Service-Type = Authorize-Only?
It's intended for CoA, but there's no technical reason it couldn't be
used here.
i.e.
1,2) Access-Request for initial session (user + password)
Access-Accept contains State
3) For each service:
Access-Request + User-Name + State + Authorize-Only + ...
...
The State attribute ties the later Access-Requests to the first one.
The RADIUS server can authorize individual services, based on their
connection with the initial Access-Request.
IIRC, this is already being done for WiMAX, for authorizing individual
TCP connections.
Alan DeKok.
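Alan's three-exchange flow, together with Bernard's point that Framed-Management-Protocol can ride in the Authorize-Only request, as an added Python model of the server-side logic (not code from the thread or any RADIUS implementation). Attribute and value numbers are from RFC 2865 and RFC 5607; the user database and per-user protocol policy are constructed, and the RFC 2865 User-Password hiding is left out for brevity.

```python
import os
import hmac

# Attribute types and values from RFC 2865 and RFC 5607.
USER_NAME, USER_PASSWORD, SERVICE_TYPE, STATE = 1, 2, 6, 24
FRAMED_MANAGEMENT_PROTOCOL = 235            # RFC 5607
SVC_AUTHORIZE_ONLY, SVC_FRAMED_MANAGEMENT = 17, 18
FMP_NETCONF, FMP_SFTP = 3, 6                # Framed-Management-Protocol values
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3

def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs; ints become 4-byte integers."""
    out = b""
    for t, v in attrs:
        v = v.to_bytes(4, "big") if isinstance(v, int) else v
        out += bytes([t, 2 + len(v)]) + v
    return out

def decode_attrs(data):
    """Parse the attribute section; reject malformed lengths instead of looping."""
    attrs = {}
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[0]] = data[2:data[1]]
        data = data[data[1]:]
    return attrs

class RadiusServer:
    """Constructed server: exchanges 1,2 authenticate and issue State; exchange 3
    (Authorize-Only) authorizes one service only when State ties it to exchange 1."""
    def __init__(self, users, policy):
        self.users, self.policy = users, policy   # user -> password, user -> allowed protocols
        self.sessions = {}                        # State value -> authenticated user

    def handle(self, raw):
        a = decode_attrs(raw)
        user = a.get(USER_NAME, b"").decode()
        svc = int.from_bytes(a.get(SERVICE_TYPE, b"\0\0\0\0"), "big")
        if svc == SVC_AUTHORIZE_ONLY:
            if self.sessions.get(a.get(STATE)) != user:    # no/unknown State: reject
                return ACCESS_REJECT, None
            proto = int.from_bytes(a.get(FRAMED_MANAGEMENT_PROTOCOL, b"\0\0\0\0"), "big")
            return (ACCESS_ACCEPT if proto in self.policy.get(user, ()) else ACCESS_REJECT), None
        if user not in self.users or not hmac.compare_digest(a.get(USER_PASSWORD, b""), self.users[user]):
            return ACCESS_REJECT, None
        state = os.urandom(16)                    # unpredictable State = session handle
        self.sessions[state] = user
        return ACCESS_ACCEPT, state

def run_exchange(server, user, password, protocol):
    """Client side: exchanges 1,2 (password), then exchange 3 for one service."""
    code, state = server.handle(encode_attrs([(USER_NAME, user.encode()),
        (USER_PASSWORD, password), (SERVICE_TYPE, SVC_FRAMED_MANAGEMENT)]))
    if code != ACCESS_ACCEPT:
        return code, None
    code3, _ = server.handle(encode_attrs([(USER_NAME, user.encode()), (STATE, state),
        (SERVICE_TYPE, SVC_AUTHORIZE_ONLY), (FRAMED_MANAGEMENT_PROTOCOL, protocol)]))
    return code, code3
```

The State value is the only thing linking exchange 3 to the credentials presented in exchange 1, so the server must treat it as an unguessable per-session secret and refuse Authorize-Only requests that lack it.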
--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>