RADIUS Attributes for Network Management Authorization

Provided by: DBH2
Learn more at: https://www.ietf.org

1
RADIUS Attributes for Network Management
Authorization
  • David Harrington
  • IETF64 RADEXT WG
  • Vancouver, BC

2
ISMS WG Goals
  • Integrated Security Model for SNMP
  • Integrated with existing security solutions
  • A survey of operators showed the following to be
    popular for securing the CLI:
  • 66% local accounts
  • 49% SSH
  • 40% RADIUS
  • 29% TACACS

3
SNMP Authentication
  • SNMPv3 requires authentication of the security
    principal, which is then used for MIB data access
    control (authorization)
  • USM is an SNMPv3 security model using local
    account authentication
  • SSHSM is an SNMPv3 security model using Secure
    Shell Authentication
  • SSH often uses AAA for centralized configuration
    of authentication

4
SNMP Access Control
  • SNMPv3 requires data access control to determine
    who has access to which MIB data objects
  • VACM is view-based access control
  • Views include/exclude access to subtrees in the
    MIB, similar to selecting directories in a backup
    utility GUI
  • Users assigned to Groups
  • Groups have access to assigned views

5
AAA Authorization
  • No current AAA attributes are suitable for
    mapping to SNMP access control
  • It is highly desirable that management attributes
    be able to be specified for similar/different
    management interfaces.
  • For example, routing policy for CLI/SSH or
    Netconf/SSH or SNMPv3, but not SNMPv1
  • draft-nelson-radius-management-authorization is
    very much in line with the needs of the network
    management community

6
AAA Authorization
  • ISMS would like RADEXT WG to define RADIUS
    attributes that name policies for management
    access control
  • The mapping of authenticated entity to named
    policies is done by AAA
  • The mapping of policy names to policy
    implementations should be left to the management
    protocols
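
Added example (not from the presentation or the draft): a simplified sketch of the split described on slides 4 to 6, where AAA maps an authenticated entity to a named policy and the device maps that policy name to a VACM-style view of included and excluded subtrees. User names, interface labels and table contents are constructed assumptions; view masks are omitted and the longest matching subtree decides.

```python
# Added illustration; users, interface labels and tables are constructed.

# AAA side: authenticated entity -> policy name, plus the management
# interfaces the policy applies to (slide 5: SNMPv3 yes, SNMPv1 no).
AAA_GRANTS = {
    "alice": {"policy": "routing",
              "interfaces": {"cli-ssh", "netconf-ssh", "snmpv3"}},
    "bob": {"policy": "monitor", "interfaces": {"snmpv3"}},
}

# Device side: policy name -> view, a list of (subtree, included) pairs.
VIEWS = {
    "routing": [("1.3.6.1.2.1.4", True),       # MIB-II ip group
                ("1.3.6.1.2.1.4.20", False)],  # except ipAddrTable
    "monitor": [("1.3.6.1.2.1.1", True),       # system group
                ("1.3.6.1.2.1.2", True)],      # interfaces group
}


def parse_oid(text):
    """Turn '1.3.6.1' into (1, 3, 6, 1) so prefixes compare per arc."""
    return tuple(int(arc) for arc in text.strip(".").split("."))


def in_view(view, oid):
    """Longest matching subtree decides; no matching subtree means deny."""
    target = parse_oid(oid)
    best_len, allowed = -1, False
    for subtree, included in view:
        prefix = parse_oid(subtree)
        if target[:len(prefix)] == prefix and len(prefix) > best_len:
            best_len, allowed = len(prefix), included
    return allowed


def authorize(user, interface, oid):
    """Fail closed on unknown user, interface or policy name."""
    grant = AAA_GRANTS.get(user)
    if grant is None or interface not in grant["interfaces"]:
        return False
    view = VIEWS.get(grant["policy"])
    return view is not None and in_view(view, oid)
```

Comparing OIDs arc by arc rather than as strings keeps 1.3.6.1.2.1.40 from being treated as part of the 1.3.6.1.2.1.4 subtree.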