AAA Certificate Provisioning - PowerPoint PPT Presentation

Slides: 6
Provided by: Bernar138
1
AAA Certificate Provisioning
  • IETF 55
  • Bernard Aboba
  • bernarda_at_microsoft.com

2
The Way It Is Today
  • Manual NAS provisioning
    • Buy a NAS/AP
    • On NAS, enter secret for use with RADIUS server IP address
    • On RADIUS server, enter secret for use with NAS IP address
    • Repeat for secondary servers
  • What's wrong with it?
    • Too hard for the average person
    • Secrets bound to IP addresses, not names
    • Using the same shared secret on all NASes is common
    • Provisioning can be scripted but is not automatic
  • We can do better
    • Automated provisioning of RADIUS shared secrets (Bob M.)
    • NAS certificate provisioning

3
AAA Certificate Usage
  • RADIUS
    • RADIUS over IPsec (RFC 3162)
  • Diameter (draft-ietf-aaa-diameter-15.txt)
    • Diameter over TLS
    • Diameter over IPsec

4
Scenarios
  • Intra-domain AAA
    • NAS/AP talks to AAA server(s) in the same administrative domain
    • NAS/AP & AAA server(s) need a common trusted root
  • Inter-domain AAA
    • AAA agent = Proxy (RADIUS & Diameter), Relay (Diameter), Redirect (Diameter)
    • NAS/AP talks to AAA agent; agent talks to AAA server(s) in other administrative domains
    • NAS/AP & AAA agent need a common trusted root
    • AAA agent and server need a common trusted root

5
Authorization Issues
  • Are all devices and servers able to complete mutual TLS or IKE authentication authorized for their roles?
    • Answer: No.
    • AAA server needs to know authorized NAS/AP devices
    • NAS needs to know authorized AAA servers
  • Why this is hard
    • Can't assume that automated discovery is secure! (SLP, DNS, etc.)
    • IPsec or TLS certs may not contain info for authorization
    • No AAA OIDs
    • May not want to use a special AAA server or NAS CA
    • No separate auth for IKE Phase 2, makes per-app IKE cert policies difficult
  • So what do we do?
    • Manual configuration (directory, AAA server, NAS)
    • Benefits over RADIUS config: can use FQDNs instead of IP addresses
    • Wouldn't it be nice if authorization were automated?
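The role check the last slide calls for, as an added example that is not part of the presentation: once mutual TLS has proven that a peer chains to the common trusted root, a separate, manually provisioned table keyed by FQDN decides whether that peer is authorized as a NAS or as an AAA server. `AUTHZ_TABLE`, the `example.net` names and `authorize_peer` are hypothetical; the certificate dicts are constructed in the shape Python's `ssl.SSLSocket.getpeercert()` returns.

```python
# Added example, not from the slides: after mutual TLS (e.g. Diameter over TLS)
# the peer certificate only proves a chain to the common trusted root.  Whether
# that peer may act as a NAS or as an AAA server is decided here against a
# manually provisioned table keyed by FQDN, not IP address (slide 5).  The cert
# dicts are constructed in the shape ssl.SSLSocket.getpeercert() returns.

# Hypothetical, manually provisioned authorization table: FQDN -> allowed roles.
AUTHZ_TABLE = {
    "nas1.example.net": {"nas"},
    "aaa1.example.net": {"aaa-server"},
    "proxy.example.net": {"aaa-agent", "aaa-server"},
}


def peer_dns_names(peercert):
    """Return the dNSName SANs of a getpeercert()-style dict, normalised.

    IP-address SANs are deliberately ignored: the binding is to names, not
    addresses, which is the improvement over RADIUS shared-secret config."""
    names = []
    for kind, value in peercert.get("subjectAltName", ()):
        if kind == "DNS":
            names.append(value.lower().rstrip("."))
    return names


def authorize_peer(peercert, required_role, table=AUTHZ_TABLE):
    """Return (allowed, reason) for a peer that already passed authentication.

    A certificate with no dNSName cannot be matched to a provisioned entry and
    is denied, rather than falling back to the subject CN or an IP SAN."""
    names = peer_dns_names(peercert)
    if not names:
        return False, "no dNSName SAN; certificate cannot be bound to a provisioned name"
    for name in names:
        if required_role in table.get(name, set()):
            return True, f"{name} is provisioned as {required_role}"
    return False, f"none of {names} is provisioned as {required_role}"


if __name__ == "__main__":
    # Constructed sample certificates; chain validation is assumed to have passed.
    nas_cert = {"subjectAltName": (("DNS", "NAS1.example.net"), ("IP Address", "192.0.2.10"))}
    unnamed_cert = {"subjectAltName": (("IP Address", "192.0.2.99"),)}
    print(authorize_peer(nas_cert, "nas"))             # allowed: listed NAS
    print(authorize_peer(nas_cert, "aaa-server"))      # denied: same root, wrong role
    print(authorize_peer(unnamed_cert, "aaa-server"))  # denied: no name to bind
```

On a live connection the dict comes from `sock.getpeercert()` after the handshake with `ssl.CERT_REQUIRED`; the authorization table stays a local, administrator-controlled input rather than something learned from SLP or DNS.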