RADIUS Extended Attributes for Management Authorization

Slides: 13
Provided by: davidb198
Learn more at: https://www.ietf.org

Transcript and Presenter's Notes


1
RADIUS Extended Attributes for Management
Authorization
  • David B. Nelson
  • IETF 62, RADEXT WG
  • March 9, 2005

2
Need for Management Attributes
  • RADIUS currently defines two attributes for
    management
  • Both are for CLI style interface
  • Service-Type Admin
  • Service-Type NAS-Prompt
  • No attributes for provisioning other forms of
    management interfaces

3
Need for Management Attributes
  • Need for attributes that describe non-CLI
    management interfaces
  • SNMP
  • HTTP

4
Need for Management Attributes
  • Need for attributes to specify secure vs.
    non-secure management interfaces
  • SSH
  • SNMP v3
  • HTTPS / TLS

5
Need for Management Attributes
  • Need for attributes to specify roles or privilege
    levels
  • SNMPv3 VACM entries
  • Like the Filter-ID attribute, but for management
  • Split horizon views
  • Layer 2 management view
  • Layer 3 management view
  • Etc.

6
Need for Management Attributes
  • Need attributes to authorize management commands
    on a per-command or per-operation granularity
  • Need attributes to provide an audit trail, on a
    per-command basis, via accounting for
    configuration changes to facilitate problem
    resolution
  • Provides feature-parity with TACACS

7
Possible solution approach
  • Internet-Draft
    draft-nelson-radius-management-authorization-01.txt
  • Service-Type Framed-Management
  • Management-Access-ID
  • A named access policy, similar to Filter-ID
  • Name is of local scope
  • Could be a privilege level
  • Could be a VACM table entry

8
Possible solution approach
  • Management-Protocol
  • Used in conjunction with a Service-Type of
    Framed-Management
  • Values might be
  • SNMP-V3
  • HTTP
  • HTTPS-TLS
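
As an added illustration (not part of the presentation or the Internet-Draft), the sketch below shows how a NAS might evaluate the attributes proposed on slides 7 and 8 and fail closed when any of them is missing or unrecognized. The attribute names and Management-Protocol values are the ones on the slides; the dictionary form of the Access-Accept, the `LOCAL_POLICIES` table and its policy names are assumptions.

```python
# Added illustration: NAS-side handling of the attributes proposed on slides 7-8.
# Attribute names and Management-Protocol values come from the slides; the
# dict-based Access-Accept, LOCAL_POLICIES and its policy names are assumptions.

# Locally scoped named policies (hypothetical), as Management-Access-ID suggests.
LOCAL_POLICIES = {
    "l2-view": {"protocols": {"SNMP-V3", "HTTPS-TLS"}, "scope": "layer2"},
    "l3-view": {"protocols": {"SNMP-V3"}, "scope": "layer3"},
}
KNOWN_PROTOCOLS = {"SNMP-V3", "HTTP", "HTTPS-TLS"}  # values listed on slide 8
SECURE_PROTOCOLS = {"SNMP-V3", "HTTPS-TLS"}         # secure interfaces per slide 4


def authorize_management(accept, session_protocol, require_secure=True):
    """Return (allowed, detail) for a management session on the NAS.

    Fails closed: any missing, unknown or mismatched attribute denies access.
    On success, detail is the scope of the named local policy.
    """
    if accept.get("Service-Type") != "Framed-Management":
        return False, "Service-Type is not Framed-Management"
    proto = accept.get("Management-Protocol")
    if proto not in KNOWN_PROTOCOLS:
        return False, "Management-Protocol missing or unknown"
    if proto != session_protocol:
        return False, "session protocol differs from authorized protocol"
    if require_secure and proto not in SECURE_PROTOCOLS:
        return False, "non-secure management protocol refused locally"
    policy = LOCAL_POLICIES.get(accept.get("Management-Access-ID"))
    if policy is None:
        return False, "Management-Access-ID does not name a local policy"
    if proto not in policy["protocols"]:
        return False, "named policy does not permit this protocol"
    return True, policy["scope"]


if __name__ == "__main__":
    # Constructed sample Access-Accept attributes, not captured traffic.
    sample = {
        "Service-Type": "Framed-Management",
        "Management-Protocol": "HTTPS-TLS",
        "Management-Access-ID": "l2-view",
    }
    print(authorize_management(sample, "HTTPS-TLS"))
```

Because the policy name is of local scope, a name the NAS does not recognize is treated as a denial rather than as a default level of access.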

9
Possible solution approach
  • Non-Framed-Management-Command: A command line
    interface (CLI) interaction
  • Framed-Management-Operation: An SNMP/HTTP operation
  • Management-Context: Contextual information for
    above two. For example, a CLI sub-mode, menu
    name, virtual router instance, administrative role

10
Changes since -00
  • For use in ISP, roaming consortia, public access,
    and similar environments, split-horizon AAA
    should be used for management access. Text added
    in Proxy Operations section.
  • SNMPv1 and SNMPv2c values of
    Framed-Management-Protocol removed.
  • Attributes related to granular
    authorization/accounting of CLI commands added.

11
Is there an interest?
  • Enterasys Networks is working in this area using
    Vendor-Specific attributes
  • If the management access services that these
    attributes specify are of multi-vendor
    applicability, it would be better to define them
    as standard attributes
  • Is there interest in working on defining such
    attributes, and creating implementations?

12
  • Questions?
  • Feedback?