RE: REMINDER: RADEXT WG review of draft-nelson-radius-management-authorization
"David B. Nelson" <dnelson@elbrysnetworks.com> Tue, 14 August 2007 15:25 UTC
From: "David B. Nelson" <dnelson@elbrysnetworks.com>
To: radiusext@ops.ietf.org
Subject: RE: REMINDER: RADEXT WG review of draft-nelson-radius-management-authorization
Date: Tue, 14 Aug 2007 11:25:53 -0400
Organization: Elbrys Networks, Inc.

Bernard Aboba writes...

> The WG review request ends on August 16, 2007.

Thanks for issuing the reminder. I didn't previously see this post, as
it went to my previous employment address, and apparently not to the
RADEXT list. I'll comment in-line, below.

Bert Wijnen writes...

> >Sect 4
> >
> >   The local application of the Management-Policy-Id within the managed
> >   entity may take the form of (a) one of an enumeration of command
> >   privilege levels, (b) a mapping into an SNMP View Based Access
> >   Control Method (VACM) table [RFC3415], or (c) some other set of
> >
> >Did you intend to write "Method", or do you mean "Model"?
> >VACM stands for View Based Access Control Model in the SNMP context.

Yes, "Model" was the intended word. Thanks, we'll fix that.

> >Sect 7.3
> >   The Text field is one or more octets, and its contents are
> >   implementation dependent. It is intended to be human readable and
> >   MUST NOT affect operation of the protocol. It is recommended that
> >   the message contain UTF-8 encoded 10646 [RFC2279] characters.
> >
> >The latest RFC for UTF-8 is RFC3629.
> >I guess it is better reference that one.

Good catch. We'll fix that one, too.

> >I can support this work item as a topic for the RADEXT WG.
> >Not sure how much I can contribute though, but I will try to
> >review revisions of the document

Thanks.

Obviously, as an author, I support this work being adopted as a RADEXT
WG work item, for what little that opinion may be worth.

For those who may not yet have reviewed this draft, or those who have
not reviewed a recent version, let me recap its purpose.

This draft adds a couple of new attributes and a new value for an
existing attribute to allow provisioning of management access
authorization beyond the existing two-level authorization for access to
the CLI of the NAS. The type of additional authorization supported
includes specific authorization for management access methods and
protocols other than CLI, such as SNMP, or HTTP. It also provides for
more granular access levels than privileged and non-privileged. Many
NASes in wide use today have multiple levels of management access
permissions. This draft provides a standardized way to provision such
access.

Much of the body of RADIUS work is about provisioning securely
authorized access to network resources, through the services of a NAS.
This work is about provisioning securely authorized access to the
management interfaces of the NAS itself, as part of an overall network
infrastructure security solution.

All of the attributes and value introduced in this draft can be
implemented as new entries in the attribute dictionary of a dictionary
driven RADIUS server implementation.