RADIUS Extended Attributes for Management Authorization - PowerPoint PPT Presentation

About This Presentation
Title:

RADIUS Extended Attributes for Management Authorization

Description:

Split horizon views. Layer 2 management view. Layer 3 management view. Etc. ... vendor applicability, it would be better to define them as standard attributes ... – PowerPoint PPT presentation

Number of Views:68
Avg rating:3.0/5.0
Slides: 13
Provided by: davidb198
Learn more at: https://www.ietf.org
Category:

less

Transcript and Presenter's Notes

Title: RADIUS Extended Attributes for Management Authorization


1
RADIUS Extended Attributes for Management
Authorization
  • David B. Nelson
  • IETF 62, RADEXT WG
  • March 9, 2005

2
Need for Management Attributes
  • RADUIS currently defines two attributes for
    management
  • Both are for CLI style interface
  • Service-Type Admin
  • Service-Type NAS-Prompt
  • No attributes for provisioning other forms of
    management interfaces

3
Need for Management Attributes
  • Need for attributes that describe non-CLI
    management interfaces
  • SNMP
  • HTTP

4
Need for Management Attributes
  • Need for attributes to specify secure vs.
    non-secure management interfaces
  • SSH
  • SNMP v3
  • HTTPS / TLS

5
Need for Management Attributes
  • Need for attributes to specify roles or privilege
    levels
  • SNMPv3 VACM entries
  • Like the Filter-ID attribute, but for management
  • Split horizon views
  • Layer 2 management view
  • Layer 3 management view
  • Etc.

6
Need for Management Attributes
  • Need attributes to authorize management commands
    on a per-command or per-operation granularity
  • Need attributes to provide an audit trail, on a
    per-command basis, via accounting for
    configuration changes to facilitate problem
    resolution
  • Provides feature-parity with TACACS

7
Possible solution approach
  • Internet-Draft draft-nelson-radius-management-aut
    horization-01.txt
  • Service-Type Framed-Management
  • Management-Access-ID
  • A named access policy, similar to Filter-ID
  • Name is of local scope
  • Could be a privilege level
  • Could be a VACM table entry

8
Possible solution approach
  • Management-Protocol
  • Used in conjunction with a Service-Type of
    Framed-Management
  • Values might be
  • SNMP-V3
  • HTTP
  • HTTPS-TLS

9
Possible solution approach
  • Non-Framed-Management-CommandA command line
    interface (CLI) interaction
  • Framed-Management-OperationA SNMP/HTTP operation
  • Management-ContextContextual information for
    above two.For example, a CLI sub-mode, menu
    name, virtual router instance, administrative role

10
Changes since -00
  • For use in ISP, roaming consortia, public access,
    and similar environments, split-horizon AAA
    should be used for management access. Text added
    in Proxy Operations section.
  • SNMPv1 and SNMPv2c values of Framed-Management-Pro
    tocol removed.
  • Attributes related to granular authorization/accou
    nting of CLI commands added.

11
Is there an interest?
  • Enterasys Networks is working in this area using
    Vendor-Specific attributes
  • If the management access services that these
    attributes specify are of multi-vendor
    applicability, it would be better to define them
    as standard attributes
  • Is there interest in working on defining such
    attributes, and creating implementations?

12
  • Questions?
  • Feedback?
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "RADIUS Extended Attributes for Management Authorization" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!