RE: REMINDER: RADEXT WG review of draft-nelson-radius-management-authorization

"David B. Nelson" <dnelson@elbrysnetworks.com> Tue, 14 August 2007 15:25 UTC

Envelope-to: radiusext-data@psg.com
Delivery-date: Tue, 14 Aug 2007 15:25:51 +0000
From: "David B. Nelson" <dnelson@elbrysnetworks.com>
To: radiusext@ops.ietf.org
Subject: RE: REMINDER: RADEXT WG review of draft-nelson-radius-management-authorization
Date: Tue, 14 Aug 2007 11:25:53 -0400
Organization: Elbrys Networks, Inc.
Message-ID: <007501c7de87$67440250$5d1216ac@xpsuperdvd2>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Thread-Index: AcfegG7VasSLTHGJRty1ameu2f9k/AABG4VQ

Bernard Aboba writes...

> The WG review request ends on August 16, 2007.

Thanks for issuing the reminder.

I didn't previously see this post, as it went to my previous employment
address, and apparently not to the RADEXT list.  I'll comment in-line,
below.

Bert Wijnen writes...

> >Sect 4
> >
> >    The local application of the Management-Policy-Id within the managed
> >    entity may take the form of (a) one of an enumeration of command
> >    privilege levels, (b) a mapping into an SNMP View Based Access
> >    Control Method (VACM) table [RFC3415], or (c) some other set of
> >
> >Did you intend to write "Method", or do you mean "Model"?
> >VACM stands for View Based Access Control Model in the SNMP context.

Yes, "Model" was the intended word.  Thanks, we'll fix that.

> >Sect 7.3
> >    The Text field is one or more octets, and its contents are
> >    implementation dependent.  It is intended to be human readable and
> >    MUST NOT affect operation of the protocol.  It is recommended that
> >    the message contain UTF-8 encoded 10646 [RFC2279] characters.
> >
> >The latest RFC for UTF-8 is RFC 3629.
> >I guess it is better to reference that one.

Good catch.  We'll fix that one, too.

> >I can support this work item as a topic for the RADEXT WG.
> >Not sure how much I can contribute, though, but I will try to
> >review revisions of the document.

Thanks.

Obviously, as an author, I support this work being adopted as a RADEXT WG
work item, for what little that opinion may be worth.

For those who may not yet have reviewed this draft, or those who have not
reviewed a recent version, let me recap its purpose.

This draft adds a couple of new attributes and a new value for an existing
attribute to allow provisioning of management access authorization beyond
the existing two-level authorization for access to the CLI of the NAS.  The
type of additional authorization supported includes specific authorization
for management access methods and protocols other than CLI, such as SNMP, or
HTTP.  It also provides for more granular access levels than privileged and
non-privileged.  Many NASes in wide use today have multiple levels of
management access permissions.  This draft provides a standardized way to
provision such access.

Much of the body of RADIUS work is about provisioning securely authorized
access to network resources, through the services of a NAS.  This work is
about provisioning securely authorized access to the management interfaces
of the NAS itself, as part of an overall network infrastructure security
solution.

All of the attributes and value introduced in this draft can be implemented
as new entries in the attribute dictionary of a dictionary driven RADIUS
server implementation.
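To illustrate the last two points (an opaque text attribute such as Management-Policy-Id that the managed entity maps locally to a command privilege level or a VACM view, and attributes that a dictionary-driven server can add as pure dictionary entries), here is a small added example. It is not code from the draft, from the author, or from any RADIUS implementation; the attribute type codes, the dictionary layout, the policy-id strings and the local policy table are all constructed for this illustration and are not IANA assignments.

```python
import struct

# Constructed attribute dictionary for a dictionary-driven server.
# Type codes marked PLACEHOLDER are invented for this example; the draft's
# real codes are assigned by IANA and are not reproduced here.
DICTIONARY = {
    "User-Name": (1, "string"),
    "Service-Type": (6, "integer"),
    "Reply-Message": (18, "string"),
    "Management-Policy-Id": (200, "string"),          # PLACEHOLDER code
    "Management-Privilege-Level": (201, "integer"),   # PLACEHOLDER code
}
BY_TYPE = {code: (name, kind) for name, (code, kind) in DICTIONARY.items()}


def encode_attr(name, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value(...)."""
    code, kind = DICTIONARY[name]
    if kind == "integer":
        data = struct.pack("!I", value)       # 32-bit unsigned, network order
    else:
        data = value.encode("utf-8")          # text attributes are UTF-8
    if not 1 <= len(data) <= 253:             # Length field is one octet (max 255)
        raise ValueError("attribute value length out of range")
    return struct.pack("!BB", code, len(data) + 2) + data


def decode_attrs(blob):
    """Decode a sequence of TLV attributes, validating every Length field
    against the buffer before slicing so a truncated or malformed packet
    raises instead of reading past the end."""
    out = []
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        code, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("attribute length inconsistent with buffer")
        data = blob[i + 2:i + length]
        name, kind = BY_TYPE.get(code, (f"Unknown-{code}", "octets"))
        if kind == "integer":
            if len(data) != 4:
                raise ValueError(f"{name}: integer attribute must be 4 octets")
            value = struct.unpack("!I", data)[0]
        elif kind == "string":
            value = data.decode("utf-8")
        else:
            value = data                      # unknown attribute: keep raw octets
        out.append((name, value))
        i += length
    return out


# Constructed local policy table: the NAS maps the opaque policy id chosen by
# the operator to (a) a CLI privilege level or (b) an SNMP VACM view name.
LOCAL_POLICY = {
    "netops-readonly": {"cli_level": 1, "vacm_view": "restricted"},
    "netops-admin": {"cli_level": 15, "vacm_view": "internet"},
}


def authorize_management(attrs):
    """Return the local management authorization derived from the decoded
    Access-Accept attributes, or None when no Management-Policy-Id is present
    or it is not in the local table. Unknown ids fail closed (no access),
    a design choice made here rather than something the draft text above states."""
    policy_id = dict(attrs).get("Management-Policy-Id")
    if policy_id is None:
        return None
    return LOCAL_POLICY.get(policy_id)


if __name__ == "__main__":
    packet = (encode_attr("Management-Policy-Id", "netops-readonly")
              + encode_attr("Management-Privilege-Level", 7))
    decoded = decode_attrs(packet)
    print(decoded)
    print(authorize_management(decoded))
```

Adding a new attribute here means adding one line to DICTIONARY; the encoder and decoder need no change, which is the property the message describes for dictionary-driven servers. The local mapping is where a NAS turns the server's opaque policy id into either an enumerated privilege level or a VACM view, and keeping unknown ids unmapped means a typo in server configuration denies access rather than granting an unintended level.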



--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>