[Docs] [txt|pdf] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02 03 04 05 06 07 RFC 5607

Network Working Group                                          D. Nelson
Internet-Draft                                     Elbrys Networks, Inc.
Intended status: Standards Track                                G. Weber
Expires: April 13, 2009                           Individual Contributor
                                                        October 10, 2008


 Remote Authentication Dial-In User Service (RADIUS) Authorization for
                 Network Access Server (NAS) Management
           draft-ietf-radext-management-authorization-06.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on April 13, 2009.

Abstract

   This document specifies Remote Authentication Dial-In User Service
   (RADIUS) attributes for authorizing management access to a Network
   Access Server (NAS).  Both local and remote management are supported,
   with granular access rights and management privileges.  Specific
   provisions are made for remote management via framed management
   protocols, and for management access over a secure transport
   protocol.






Nelson & Weber           Expires April 13, 2009                 [Page 1]

Internet-Draft     RADIUS NAS-Management Authorization      October 2008


Table of Contents

   1.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   3.  Overview . . . . . . . . . . . . . . . . . . . . . . . . . . .  4
   4.  New Values for Existing RADIUS Attributes  . . . . . . . . . .  5
     4.1.  Service-Type . . . . . . . . . . . . . . . . . . . . . . .  5
   5.  New RADIUS Attributes  . . . . . . . . . . . . . . . . . . . .  5
     5.1.  Framed-Management-Protocol . . . . . . . . . . . . . . . .  5
     5.2.  Management-Transport-Protection  . . . . . . . . . . . . .  8
     5.3.  Management-Policy-Id . . . . . . . . . . . . . . . . . . . 11
     5.4.  Management-Privilege-Level . . . . . . . . . . . . . . . . 12
   6.  Use with Dynamic Authorization . . . . . . . . . . . . . . . . 13
   7.  Examples of attribute groupings  . . . . . . . . . . . . . . . 14
   8.  Diameter Translation Considerations  . . . . . . . . . . . . . 16
   9.  Table of Attributes  . . . . . . . . . . . . . . . . . . . . . 17
   10. IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 18
   11. Security Considerations  . . . . . . . . . . . . . . . . . . . 19
     11.1. General Considerations . . . . . . . . . . . . . . . . . . 19
     11.2. RADIUS Proxy Operation Considerations  . . . . . . . . . . 20
   12. Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 21
   13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 21
     13.1. Normative References . . . . . . . . . . . . . . . . . . . 21
     13.2. Informative References . . . . . . . . . . . . . . . . . . 21
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 24
   Intellectual Property and Copyright Statements . . . . . . . . . . 25

























Nelson & Weber           Expires April 13, 2009                 [Page 2]

Internet-Draft     RADIUS NAS-Management Authorization      October 2008


1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

   This document uses terminology from RFC 2865 [RFC2865], RFC 2866
   [RFC2866] and RFC 5176 [RFC5176].

   The term "integrity protection", as used in this document, is *not*
   the same as "authentication", as used in SNMP.  Integrity protection
   requires the sharing of cryptographic keys, but it does not require
   authenticated principals.  Integrity protection could be used, for
   example, with anonymous Diffie-Hellman key agreement.  In SNMP, the
   proof of identity of the principals (authentication) is conflated
   with tamper-resistance of the protected messages (integrity).  In
   this document, we assume that integrity protection and authentication
   are separate concerns.  Authentication is part of the base RADIUS
   protocol.

   SNMP uses the terms "auth" and "noAuth", as well as "priv" and
   "noPriv".  There is no analog to auth or noAuth in this document.  In
   this document, we are assuming that authentication always occurs when
   it is required, i.e. as a prerequisite to provisioning of access via
   an Access-Accept packet.


2.  Introduction

   RFC 2865 [RFC2865] defines the NAS-Prompt (7) and Administrative (6)
   values of the Service-Type (6) Attribute.  Both of these values
   provide access to the interactive, text-based Command Line Interface
   (CLI) of the NAS, and were originally developed to control access to
   the physical console port of the NAS, most often a serial port.

   Remote access to the CLI of the NAS has been available in NAS
   implementations for many years, using protocols such as Telnet,
   Rlogin and the remote terminal service of the Secure SHell (SSH).  In
   order to distinguish local, physical, console access from remote
   access, the NAS-Port-Type (61) Attribute is generally included in
   Access-Request and Access-Accept messages, along with the Service-
   Type (6) Attribute, to indicate the form of access.  A NAS-Port-Type
   (61) Attribute with a value of of Async (0) is used to signify a
   local serial port connection, while a value of Virtual (5) is used to
   signify a remote connection, via a remote terminal protocol.  This
   usage provides no selectivity among the various available remote
   terminal protocols (e.g.  Telnet, Rlogin, SSH, etc.).




Nelson & Weber           Expires April 13, 2009                 [Page 3]

Internet-Draft     RADIUS NAS-Management Authorization      October 2008


   Today, it is common for network devices to support more than the two
   privilege levels for management access provided by the Service-Type
   (6) Attribute with values of NAS-Prompt (7) (non-privileged) and
   Administrative (6) (privileged).  Also, other management mechanisms
   may be used, such as Web-based management, Simple Network Management
   Protocol (SNMP) and NETCONF.  To provide support for these additional
   features, this specification defines attributes for Framed Management
   protocols, management protocol security, and management access
   privilege levels.

   Remote management via the command line is carried over protocols such
   as Telnet, Rlogin and the remote terminal service of SSH.  Since
   these protocols are primarily for the delivery of terminal or pseudo-
   TTY services, the term "Framed Management" is used to describe
   management protocols supporting techniques other than the command-
   line.  Typically these mechanisms format management information in a
   binary or textual encoding such as HTML, XML or ASN.1/BER.  Examples
   include Web-based management (HTML over HTTP or HTTPS), NETCONF (XML
   over SSH or BEEP or SOAP) and SNMP (SMI over ASN.1/BER).  Command
   line interface, menu interface or other text-based (e.g.  ASCII or
   UTF-8) terminal emulation services are not considered to be Framed
   Management protocols.


3.  Overview

   To support the authorization and provisioning of Framed Management
   access to managed entities, this document introduces a new value for
   the Service-Type (6) Attribute [RFC2865], and one new attribute.  The
   new value for the Service-Type (6) Attribute is Framed-Management
   (TBA-1), used for remote device management via a Framed Management
   protocol.  The new attribute is Framed-Management-Protocol (TBA-2),
   the value of which specifies a particular protocol for use in the
   remote management session.

   Two new attributes are introduced in this document in support of
   granular management access rights or command privilege levels.  The
   Management-Policy-Id (TBA-4) Attribute provides a text string
   specifying a policy name of local scope, that is assumed to have been
   pre-provisioned on the NAS.  This use of an attribute to specify use
   of a pre-provisioned policy is similar to the Filter-Id (11)
   Attribute defined in [RFC2865] Section 5.11.

   The local application of the Management-Policy-Id (TBA-4) Attribute
   within the managed entity may take the form of (a) one of an
   enumeration of command privilege levels, (b) a mapping into an SNMP
   Access Control Model, such as the View Based Access Control Model
   (VACM) [RFC3415], or (c) some other set of management access policy



Nelson & Weber           Expires April 13, 2009                 [Page 4]

Internet-Draft     RADIUS NAS-Management Authorization      October 2008


   rules that is mutually understood by the managed entity and the
   remote management application.  Examples are given in Section 7.

   The Management-Privilege-Level (TBA-5) Attribute contains an integer-
   valued management privilege level indication.  This attribute serves
   to modify or augment the management permissions provided by the NAS-
   Prompt (7) value of the Service-Type (6) Attribute, and thus applies
   to CLI management.

   To enable management security requirements to be specified, the
   Management-Transport-Protection (TBA-3) Attribute is introduced.  The
   value of this attribute indicates the minimum level of secure
   transport protocol protection required for the provisioning of NAS-
   Prompt (7), Administrative (6) or Framed-Management (TBA-1) service.


4.  New Values for Existing RADIUS Attributes

4.1.  Service-Type

   The Service-Type (6) Attribute is defined in Section 5.6 of RFC 2865
   [RFC2865].  This document defines a new value of the Service-Type
   Attribute, as follows:

      (TBA-1)   Framed-Management

      The semantics of the Framed-Management service are as follows:

      Framed-Management   A framed management protocol session should
                          be started on the NAS.


5.  New RADIUS Attributes

   This document defines four new RADIUS attributes related to
   management authorization.

5.1.  Framed-Management-Protocol

   The Framed-Management-Protocol (TBA-2) Attribute indicates the
   application-layer management protocol to be used for Framed
   Management access.  It MAY be used in both Access-Request and Access-
   Accept packets.  This attribute is used in conjunction with a
   Service-Type (6) Attribute with the value of Framed-Management
   (TBA-1).

   It is RECOMMENDED that the NAS include an appropriately valued
   Framed-Management-Protocol (TBA-2) Attribute in an Access-Request



Nelson & Weber           Expires April 13, 2009                 [Page 5]

Internet-Draft     RADIUS NAS-Management Authorization      October 2008


   packet, indicating the type of management access being requested.  It
   is further RECOMMENDED that the NAS include a Service-Type (6)
   Attribute with the value Framed-Management (TBA-1) in the same
   Access-Request packet.  The RADIUS server MAY use these attributes as
   a hint in making its authorization decision.

   The RADIUS server MAY include a Framed-Management-Protocol (TBA-2)
   Attribute in an Access-Accept packet that also includes a Service-
   Type (6) Attribute with a value of Framed-Management (TBA-1), when
   the RADIUS Server chooses to enforce a management access policy for
   the authenticated user that dictates one form of management access in
   preference to others.

   When a NAS receives a Framed-Management-Protocol (TBA-2) Attribute in
   an Access-Accept packet, it MUST deliver that specified form of
   management access or disconnect the session.  If the NAS does not
   support the provisioned management application-layer protocol, or the
   management access protocol requested by the user does not match that
   of the Framed-Management-Protocol (TBA-2) Attribute in the Access-
   Accept packet, the NAS MUST treat the Access-Accept packet as if it
   had been an Access-Reject.

   A summary of the Framed-Management-Protocol (TBA-2) Attribute format
   is shown below.  The fields are transmitted from left to right.



























Nelson & Weber           Expires April 13, 2009                 [Page 6]

Internet-Draft     RADIUS NAS-Management Authorization      October 2008


       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |    Length     |             Value
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                 Value (cont)         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      Type

         (TBA-2) for Framed-Management-Protocol.

      Length

         6

      Value

         The Value field is a four octet enumerated value.

         1      SNMP
         2      Web-based
         3      NETCONF
         4      FTP
         5      TFTP
         6      SFTP
         7      RCP
         8      SCP

   All other values are reserved for IANA allocation subject to the
   provisions of Section 10.

   The acronyms used in the above table expand as follows:

   o  SNMP: Simple Network Management Protocol.  [RFC3411], [RFC3412],
      [RFC3413], [RFC3414], [RFC3415], [RFC3416], [RFC3417], [RFC3418]

   o  Web-based: Use of an embedded web server in the NAS for management
      via a generic web browser client.  The interface presented to the
      administrator may be graphical, tabular or textual.  The protocol
      is HTML over HTTP.  The protocol may optionally be HTML over
      HTTPS, i.e. using HTTP over TLS.  [HTML] [RFC2616]

   o  NETCONF: Management via the NETCONF protocol using XML over
      supported transports (e.g.  SSH, BEEP, SOAP).  As secure transport
      profiles are defined for NETCONF, the list of transport options
      may expand.  [RFC4741], [RFC4742], [RFC4743], [RFC4744]




Nelson & Weber           Expires April 13, 2009                 [Page 7]

Internet-Draft     RADIUS NAS-Management Authorization      October 2008


   o  FTP: File Transfer Protocol, used to transfer configuration files
      to and from the NAS.  [RFC0959]

   o  TFTP: Trivial File Transfer Protocol, used to transfer
      configuration files to and from the NAS.  [RFC1350]

   o  SFTP: SSH File Transfer Protocol, used to securely transfer
      configuration files to and from the NAS.  SFTP uses the services
      of SSH.  [SFTP] See also Section 3.7, "SSH and File Transfers" of
      [SSH].  Additional information on the "sftp" program may typically
      be found in the online documentation ("man" pages) of Unix
      systems.

   o  RCP: Remote CoPy file copy utility (Unix-based), used to transfer
      configuration files to and from the NAS.  See Section 3.7, "SSH
      and File Transfers" of [SSH].  Additional information on the "rcp"
      program may typically be found in the online documentation ("man"
      pages) of Unix systems.

   o  SCP: Secure CoPy file copy utility (Unix-based), used to transfer
      configuration files to and from the NAS.  The "scp" program is a
      simple wrapper around SSH.  It's basically a patched BSD Unix
      "rcp" which uses ssh to do the data transfer (instead of using
      "rcmd").  See Section 3.7, "SSH and File Transfers" of [SSH].
      Additional information on the "scp" program may typically be found
      in the online documentation ("man" pages) of Unix systems.


5.2.  Management-Transport-Protection

   The Management-Transport-Protection (TBA-3) Attribute specifies the
   minimum level of protection that is required for a protected
   transport used with the framed or non-framed management access
   session.  The protected transport used by the NAS MAY provide a
   greater level of protection, but MUST NOT provide a lower level of
   protection.

   When a secure form of non-framed management access is specified, it
   means that the remote terminal session is encapsulated in some form
   of protected transport, or tunnel.  It may also mean that an explicit
   secure mode of operation is required, when the framed management
   protocol contains an intrinsic secure mode of operation.  The
   Management-Transport-Protection (TBA-3) Attribute does not apply to
   CLI access via a local serial port, or other non-remote connection.

   When a secure form of Framed Management access is specified, it means
   that the application-layer management protocol is encapsulated in
   some form of protected transport, or tunnel.  It may also mean that



Nelson & Weber           Expires April 13, 2009                 [Page 8]

Internet-Draft     RADIUS NAS-Management Authorization      October 2008


   an explicit secure mode of operation is required, when the Framed
   Management protocol contains an intrinsic secure mode of operation.

   A value of "No Protection (1)" indicates that a secure transport
   protocol is not required, and that the NAS SHOULD accept a connection
   over any transport associated with the application-layer management
   protocol.  The definitions of management application to transport
   bindings are defined in the relevant documents that specify those
   management application protocols.  The same "No Protection" semantics
   are conveyed by omitting this attribute from an Access-Accept packet.

   Specific protected transport protocols, cipher suites, key agreement
   methods, or authentication methods are not specified by this
   attribute.  Such provisioning is beyond the scope of this document.

   It is RECOMMENDED that the NAS include an appropriately valued
   Management-Transport-Protection (TBA-3) Attribute in an Access-
   Request packet, indicating the level of transport protection for the
   management access being requested, when that information is available
   to the RADIUS client.  The RADIUS server MAY use this attribute as a
   hint in making its authorization decision.

   The RADIUS server MAY include a Management-Transport-Protection
   (TBA-3) Attribute in an Access-Accept packet that also includes a
   Service-Type (6) Attribute with a value of Framed-Management (TBA-1),
   when the RADIUS Server chooses to enforce an management access
   security policy for the authenticated user that dictates a minimum
   level of transport security.

   When a NAS receives a Management-Transport-Protection (TBA-3)
   Attribute in an Access-Accept packet, it MUST deliver the management
   access over a transport with equal or better protection
   characteristics or disconnect the session.  If the NAS does not
   support protected management transport protocols, or the level of
   protection available does not match that of the Management-Transport-
   Protection (TBA-3) Attribute in the Access-Accept packet, the NAS
   MUST treat the response packet as if it had been an Access-Reject.

   A summary of the Management-Transport-Protection (TBA-3) Attribute
   format is shown below.  The fields are transmitted from left to
   right.










Nelson & Weber           Expires April 13, 2009                 [Page 9]

Internet-Draft     RADIUS NAS-Management Authorization      October 2008


       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |     Type      |    Length     |             Value
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                 Value (cont)         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      Type

         (TBA-3) for Management-Transport-Protection.

      Length

         6

      Value

         The Value field is a four octet enumerated value.

         1      No-Protection
         2      Integrity-Protection
         3      Integrity-Confidentiality-Protection

   All other values are reserved for IANA allocation subject to the
   provisions of Section 10.

   The names used in the above table are elaborated as follows:

   o  No-Protection: No transport protection is required.  Accept
      connections via any supported transport.

   o  Integrity-Protection: The management transport MUST provide
      Integrity Protection, i.e. protection from unauthorized
      modification, using a cryptographic checksum.

   o  Integrity-Confidentiality-Protection: The management transport
      MUST provide both Integrity Protection and Confidentiality
      Protection, i.e. protection from unauthorized modification, using
      a cryptographic checksum, and protection from unauthorized
      disclosure, using encryption.

   The configuration or negotiation of acceptable algorithms, modes and
   credentials for the cryptographic protection mechanisms used in
   implementing protected management transports is outside the scope of
   this document.  Many such mechanisms have standardized methods of
   configuration and key management.




Nelson & Weber           Expires April 13, 2009                [Page 10]

Internet-Draft     RADIUS NAS-Management Authorization      October 2008


5.3.  Management-Policy-Id

   The Management-Policy-Id (TBA-4) Attribute indicates the name of the
   management access policy for this user.  Zero or one Management-
   Policy-Id (TBA-4) Attributes MAY be sent in an Access-Accept packet.
   Identifying a policy by name allows the policy to be used on
   different NASes without regard to implementation details.

   Multiple forms of management access rules may be expressed by the
   underlying named policy, the definition of which is beyond the scope
   of this document.  The management access policy MAY be applied
   contextually, based on the nature of the management access method.
   For example, some named policies may only be valid for application to
   NAS-Prompt (7) services and some other policies may only be valid for
   SNMP.

   The management access policy named in this attribute, received in an
   Access-Accept packet, MUST be applied to the session authorized by
   the Access-Accept.  If the NAS supports this attribute, but the
   policy name is unknown, or if the RADIUS client is able to determine
   that the policy rules are incorrectly formatted, the NAS MUST treat
   the Access-Accept packet as if it had been an Access-Reject.

   No precedence relationship is defined for multiple occurrences of the
   Management-Policy-Id (TBA-4) Attribute.  NAS behavior in such cases
   is undefined.  Therefore, two or more occurrences of this attribute
   SHOULD NOT be included in an Access-Accept or CoA-Request.  In the
   absence of further specification defining some sort of precedence
   relationship, it is not possible to guarantee multi-vendor
   interoperability when using multiple instances of this attribute in a
   single Access-Accept or CoA-Request packet.

   The content of the Management-Policy-Id (TBA-4) Attribute is expected
   to be the name of a management access policy of local significance to
   the NAS, within a namespace of significance to the NAS.  In this
   regard, the behavior is similar to that for the Filter-Id (11)
   Attribute.  The policy names and rules are committed to the local
   configuration data-store of the NAS, and are provisioned by means
   beyond the scope of this document, such as via SNMP, NETCONF or CLI.

   The namespace used in the Management-Policy-Id (TBA-4) Attribute is
   simple and monolithic.  There is no explicit or implicit structure or
   hierarchy .  For example, in the text string "example.com", the "."
   (period or dot) is just another character.  It is expected that text
   string matching will be performed without parsing the text string
   into any sub-fields.

   Overloading or subdividing this simple name with multi-part



Nelson & Weber           Expires April 13, 2009                [Page 11]

Internet-Draft     RADIUS NAS-Management Authorization      October 2008


   specifiers (e.g.  Access=remote, Level=7) is likely to lead to poor
   multi-vendor interoperability and SHOULD NOT be utilized.  If a
   simple, unstructured policy name is not sufficient, it is RECOMMENDED
   that a Vendor Specific (26) Attribute be used instead, rather than
   overloading the semantics of Management-Policy-Id.

   A summary of the Management-Policy-Id (TBA-4) Attribute format is
   shown below.  The fields are transmitted from left to right.

       0                   1                   2
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
      |     Type      |    Length     |  Text ...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

      Type

         (TBA-4) for Management-Policy-Id.

      Length

         >= 3

      Text

   The Text field is one or more octets, and its contents are
   implementation dependent.  It is intended to be human readable and
   MUST NOT affect operation of the protocol.  It is RECOMMENDED that
   the message contain UTF-8 encoded 10646 [RFC3629] characters.

5.4.  Management-Privilege-Level

   The Management-Privilege-Level (TBA-5) Attribute indicates the
   integer-valued privilege level to be assigned for management access
   for the authenticated user.  Many NASes provide the notion of
   differentiated management privilege levels denoted by an integer
   value.  The specific access rights conferred by each value are
   implementation dependent.  It MAY be used in both Access-Request and
   Access-Accept packets.

   The management access level indicated in this attribute, received in
   an Access-Accept packet, MUST be applied to the session authorized by
   the Access-Accept.  If the NAS supports this attribute, but the
   privilege level is unknown, the NAS MUST treat the Access-Accept
   packet as if it had been an Access-Reject.

   A summary of the Management-Privilege-Level (TBA-5) Attribute format
   is show below.  The fields are transmitted from left to right.



Nelson & Weber           Expires April 13, 2009                [Page 12]

Internet-Draft     RADIUS NAS-Management Authorization      October 2008


        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |     Type      |    Length     |             Value
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                  Value (cont)         |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

       Type

          (TBA-5) for Management-Privilege-Level.

       Length

          6

       Value

          The Value field is a four octet Integer, denoting a management
          privilege level.


   It is RECOMMENDED to limit use of the Management-Privilege-Level
   (TBA-5) Attribute to sessions where the Service-Type (6) Attribute
   has a value of NAS-Prompt (7) (not Administrative).  Typically, NASes
   treat NAS-Prompt as the minimal privilege CLI service and
   Administrative as full privilege.  Using the Management-Privilege-
   Level (TBA-5) Attribute with a Service-Type (6) Attribute having a
   value of NAS-Prompt (7) will have the effect of increasing the
   minimum privilege level.  Conversely, it is NOT RECOMMENDED to use
   this attribute with a Service-Type (6) Attribute with a value of of
   Administrative (6), which may require decreasing the maximum
   privilege level.

   It is NOT RECOMMENDED to use the Management-Privilege-Level (TBA-5)
   Attribute in combination with a Management-Policy-Id (TBA-4)
   Attribute or for management access methods other than interactive
   CLI.  The behavior resulting from such an overlay of management
   access control provisioning is not defined by this document, and in
   the absence of further specification is likely to lead to unexpected
   behaviors, especially in multi-vendor environments.


6.  Use with Dynamic Authorization

   It is entirely OPTIONAL for the NAS management authorization
   attributes specified in this document to be used in conjunction with
   Dynamic Authorization extensions to RADIUS [RFC5176].  When such



Nelson & Weber           Expires April 13, 2009                [Page 13]

Internet-Draft     RADIUS NAS-Management Authorization      October 2008


   usage occurs, those attributes MAY be used as listed in the Table of
   Attributes in Section 9.

   Some guidance on how to identify existing management sessions on a
   NAS for the purposes of Dynamic Authorization is useful.  The primary
   session identifiers SHOULD be User-Name (1) and Service-Type (6).  To
   accommodate instances when that information alone does not uniquely
   identify a session, a NAS supporting Dynamic Authorization SHOULD
   maintain one or more internal session identifiers that can be
   represented as RADIUS Attributes.  Examples of such attributes
   include Acct-Session-Id (44), Acct-Multi-Session-Id (50), NAS-Port
   (5) or NAS-Port-Id (87).  In the case of a remote management session,
   common identifier values might include things such as the remote IP
   address and remote TCP port number, or the file descriptor value for
   use with the open socket.  Any such identifier is obviously transient
   in nature, and implementations SHOULD take care to avoid and/or
   properly handle duplicate or stale values.

   In order for the session identification attributes to be available to
   the Dynamic Authorization Client, a NAS supporting Dynamic
   Authorization for management sessions SHOULD include those session
   identification attributes in the Access-Request message for each such
   session.  Additional discussion of session identification attribute
   usage may be found in Section 3 of [RFC5176].


7.  Examples of attribute groupings

   1.  Unprotected CLI access, via the local console, to the "super-
       user" access level:

       *  Service-Type (6) = Administrative (6)
       *  NAS-Port-Type (61) = Async (0)
       *  Management-Transport-Protection (TBA-3) = No-Protection (1)

   2.  Unprotected CLI access, via a remote console, to the "super-user"
       access level:

       *  Service-Type (6) = Administrative (6)
       *  NAS-Port-Type (61) = Virtual (5)
       *  Management-Transport-Protection (TBA-3) = No-Protection (1)

   3.  CLI access, via a fully-protected secure remote terminal service
       to the non-privileged user access level:

       *  Service-Type (6) = NAS-Prompt (7)





Nelson & Weber           Expires April 13, 2009                [Page 14]

Internet-Draft     RADIUS NAS-Management Authorization      October 2008


       *  NAS-Port-Type (61) = Virtual (5)
       *  Management-Transport-Protection (TBA-3) = Integrity-
          Confidentiality-Protection (3)

   4.  CLI access, via a fully-protected secure remote terminal service,
       to a custom management access level, defined by a policy:

       *  Service-Type (6) = NAS-Prompt (7)
       *  NAS-Port-Type (61) = Virtual (5)
       *  Management-Transport-Protection (TBA-3) = Integrity-
          Confidentiality-Protection (3)
       *  Management-Policy-Id (TBA-4) = "Network Administrator"

   5.  CLI access, via a fully-protected secure remote terminal service,
       with a management privilege level of 15:

       *  Service-Type (6) = NAS-Prompt (7)
       *  NAS-Port-Type (61) = Virtual (5)
       *  Management-Transport-Protection (TBA-3) = Integrity-
          Confidentiality-Protection (3)
       *  Management-Privilege-Level (TBA-5) = 15

   6.  SNMP access, using an Access Control Model specifier, such as a
       custom VACM View, defined by a policy:

       *  Service-Type (6) = Framed-Management (TBA-1)
       *  NAS-Port-Type (61) = Virtual (5)
       *  Framed-Management-Protocol (TBA-2) = SNMP (1)
       *  Management-Policy-Id (TBA-4) = "SNMP Network Administrator
          View"

       There is currently no standardized way of implementing this
       management policy mapping within SNMP.  Such mechanisms are the
       topic of current research.

   7.  SNMP fully-protected access:

       *  Service-Type (6) = Framed-Management (TBA-1)
       *  NAS-Port-Type (61) = Virtual (5)
       *  Framed-Management-Protocol (TBA-2) = SNMP (1)
       *  Management-Transport-Protection (TBA-3) = Integrity-
          Confidentiality-Protection (3)

   8.  Web (HTTP/HTML) access:

       *  Service-Type (6) = Framed-Management (TBA-1)





Nelson & Weber           Expires April 13, 2009                [Page 15]

Internet-Draft     RADIUS NAS-Management Authorization      October 2008


       *  NAS-Port-Type (61) = Virtual (5)
       *  Framed-Management-Protocol (TBA-2) = Web-based (2)

   9.  Secure web access, using a custom management access level,
       defined by a policy:

       *  Service-Type (6) = Framed-Management (TBA-1)
       *  NAS-Port-Type (61) = Virtual (5)
       *  Framed-Management-Protocol (TBA-2) = Web-based (2)
       *  Management-Transport-Protection (TBA-3) = Integrity-
          Confidentiality-Protection (3)
       *  Management-Policy-Id (TBA-4) = "Read-only web access"


8.  Diameter Translation Considerations

   When used in Diameter, the attributes defined in this specification
   can be used as Diameter AVPs from the Code space 1-255 (RADIUS
   attribute compatibility space).  No additional Diameter Code values
   are therefore allocated.  The data types and flag rules for the
   attributes are as follows:


                                    +---------------------+
                                    |    AVP Flag rules   |
                                    |----+-----+----+-----|----+
                                    |    |     |SHLD| MUST|    |
   Attribute Name        Value Type |MUST| MAY | NOT|  NOT|Encr|
   ---------------------------------|----+-----+----+-----|----|
   Service-Type (new value)         |    |     |    |     |    |
                         Enumerated | M  |  P  |    |  V  | Y  |
   Framed-Management-Protocol       |    |     |    |     |    |
                         Enumerated | M  |  P  |    |  V  | Y  |
   Management-Transport-Protection  |    |     |    |     |    |
                         Enumerated | M  |  P  |    |  V  | Y  |
   Management-Policy-Id             |    |     |    |     |    |
                         UTF8String | M  |  P  |    |  V  | Y  |
   Management-Privilege-Level       |    |     |    |     |    |
                         Integer    | M  |  P  |    |  V  | Y  |
   ---------------------------------|----+-----+----+-----|----|


   The attributes in this specification have no special translation
   requirements for Diameter to RADIUS or RADIUS to Diameter gateways;
   they are copied as is, except for changes relating to headers,
   alignment, and padding.  See also [RFC3588] Section 4.1 and [RFC4005]
   Section 9.




Nelson & Weber           Expires April 13, 2009                [Page 16]

Internet-Draft     RADIUS NAS-Management Authorization      October 2008


   What this specification says about the applicability of the
   attributes for RADIUS Access-Request packets applies in Diameter to
   AA-Request [RFC4005].

   What is said about Access-Accept applies in Diameter to AA-Answer
   messages that indicate success.


9.  Table of Attributes

   The following table provides a guide to which attributes may be found
   in which kinds of packets, and in what quantity.

 Access Messages
 Request Accept Reject Challenge  #      Attribute
 ---------------------------------------------------------------------
 0-1     0-1      0        0     TBA-2   Framed-Management-Protocol
 0-1     0-1      0        0     TBA-3   Management-Transport-Protection
 0       0-1      0        0     TBA-4   Management-Policy-Id
 0       0-1      0        0     TBA-5   Management-Privilege-Level


   Accounting Messages
   Request Response   #     Attribute
   ---------------------------------------------------------------------
   0-1     0        TBA-2   Framed-Management-Protocol
   0-1     0        TBA-3   Management-Transport-Protection
   0-1     0        TBA-4   Management-Policy-Id
   0-1     0        TBA-5   Management-Privilege-Level



   Change-of-Authorization Messages
   Request  ACK   NAK   #     Attribute
   --------------------------------------------------------------------
   0       0     0   TBA-2   Framed-Management-Protocol
   0       0     0   TBA-3   Management-Transport-Protection
   0-1     0     0   TBA-4   Management-Policy-Id (Note 1)
   0-1     0     0   TBA-5   Management-Privilege-Level (Note 1)












Nelson & Weber           Expires April 13, 2009                [Page 17]

Internet-Draft     RADIUS NAS-Management Authorization      October 2008


  Disconnect Messages
  Request  ACK   NAK   #     Attribute
  ----------------------------------------------------------------------
  0        0     0   TBA-2   Framed-Management-Protocol
  0        0     0   TBA-3   Management-Transport-Protection
  0        0     0   TBA-4   Management-Policy-Id
  0        0     0   TBA-5   Management-Privilege-Level

  (Note 1) When included within a CoA-Request, these attributes
    represent an authorization change request.  When one of these
    attributes is omitted from a CoA-Request, the NAS assumes that the
    attribute value is to remain unchanged.  Attributes included in a
    CoA-Request replace all existing values of the same attribute(s).

  The following table defines the meaning of the above table entries.

      0    This attribute MUST NOT be present in a packet.
      0+   Zero or more instances of this attribute MAY be present in
           a packet.
      0-1  Zero or one instance of this attribute MAY be present in
           a packet.
      1    Exactly one instance of this attribute MUST be present in
           a packet.


10.  IANA Considerations

   Note to RFC Editor: Remove the following paragraphs (to "End Note")
   upon publication of this document as an RFC.

   This document contains placeholders ("TBA-n") for assigned numbers
   within the RADIUS Attributes Types registry
   (http://www.iana.org/assignments/radius-types), to be assigned by
   IANA at the time this document should be published as an RFC.
   o  New enumerated value for the existing Service-Type Attribute:
      *  Framed-Management (TBA-1)
   o  New RADIUS Attribute Types:
      *  Framed-Management-Protocol (TBA-2)
      *  Management-Transport-Protection (TBA-3)
      *  Management-Policy-Id (TBA-4)
      *  Management-Privilege-Level (TBA-5)

   The enumerated values of the newly assigned RADIUS Attribute Types as
   defined in this document are to be assigned at the same time as the
   new Attribute Types.

   For the Framed-Management-Protocol Attribute:




Nelson & Weber           Expires April 13, 2009                [Page 18]

Internet-Draft     RADIUS NAS-Management Authorization      October 2008


         1      SNMP
         2      Web-based
         3      NETCONF
         4      FTP
         5      TFTP
         6      SFTP
         7      RCP
         8      SCP

   For the Management-Transport-Protection Attribute:

         1      No-Protection
         2      Integrity-Protection
         3      Integrity-Confidentiality-Protection

   End Note.

   Note to RFC Editor: Retain the following paragraph (to "End Note")
   upon publication of this document as an RFC.

   Assignments of additional enumerated values for the RADIUS attributes
   defined in this document are to be processed as described in
   [RFC3575], subject to the additional requirement of a published
   specification.

   End Note.


11.  Security Considerations

11.1.  General Considerations

   This specification describes the use of RADIUS and Diameter for
   purposes of authentication, authorization and accounting for
   management access to devices within networks.  RADIUS threats and
   security issues for this application are described in [RFC3579] and
   [RFC3580]; security issues encountered in roaming are described in
   [RFC2607].  For Diameter, the security issues relating to this
   application are described in [RFC4005] and [RFC4072].

   This document specifies new attributes that can be included in
   existing RADIUS packets, which may be protected as described in
   [RFC3579] and [RFC5176].  In Diameter, the attributes are protected
   as specified in [RFC3588].  See those documents for a more detailed
   description.

   The security mechanisms supported in RADIUS and Diameter are focused
   on preventing an attacker from spoofing packets or modifying packets



Nelson & Weber           Expires April 13, 2009                [Page 19]

Internet-Draft     RADIUS NAS-Management Authorization      October 2008


   in transit.  They do not prevent an authorized RADIUS/Diameter server
   or proxy from inserting attributes with malicious intent.

   A legacy NAS may not recognize the attributes in this document that
   supplement the provisioning of CLI management access.  If the value
   of the Service-Type Attribute is NAS-Prompt or Administrative, the
   legacy NAS may silently discard such attributes, while permitting the
   user to access the CLI management interface(s) of the NAS.  This can
   lead to users improperly receiving authorized management access to
   the NAS, or access with greater levels of access rights than were
   intended.  RADIUS servers SHOULD attempt to ascertain whether or not
   the NAS supports these attributes before sending them in an Access-
   Accept provisioning CLI access.

   It is possible that certain NAS implementations may not be able to
   determine the protection properties of the underlying transport
   protocol as specified by the Management-Transport-Protection
   Attribute.  This may be a limitation of the standard application
   programming interface of the underlying transport implementation or
   of the integration of the transport into the NAS implementation.  In
   either event, NASes conforming to this specification, which cannot
   determine the protection state of the remote management connection
   MUST treat an Access-Accept message containing a Management-
   Transport-Protection Attribute containing a value other than No-
   Protection (1) as if it were an Access-Reject message, unless
   specifically overridden by local policy configuration.

   Use of the No-Protection (1) option for the Management-Transport-
   Protection (TBA-3) Attribute is NOT RECOMMENDED in any deployment
   where secure management or configuration is required.

11.2.  RADIUS Proxy Operation Considerations

   The device management access authorization attributes presented in
   this document present certain considerations when used in RADIUS
   proxy environments.  These considerations are not different from
   those that exist in RFC 2865 [RFC2865] with respect to the Service-
   Type Attribute values of Administrative and NAS-Prompt.

   Most RADIUS proxy environments are also multi-party environments.  In
   multi-party proxy environments it is important to distinguish which
   entities have the authority to provision management access to the
   edge devices, i.e.  NASes, and which entities only have authority to
   provision network access services of various sorts.

   It may be important that operators of the NAS are able to ensure that
   access to the CLI, or other management interfaces of the NAS, is only
   provisioned to their own employees or contractors.  One way for the



Nelson & Weber           Expires April 13, 2009                [Page 20]

Internet-Draft     RADIUS NAS-Management Authorization      October 2008


   NAS to enforce this requirement is to use only local, non-proxy
   RADIUS servers for management access requests.  Proxy RADIUS servers
   could be used for non-management access requests, based on local
   policy.  This "bifurcation" of RADIUS authentication and
   authorization is a simple case of separate administrative realms.
   The NAS may be designed so as to maintain separate lists of RADIUS
   servers for management AAA use and for non-management AAA use.

   An alternate method of enforcing this requirement would be for the
   first-hop RADIUS proxy server, operated by the owner of the NAS, to
   filter out any RADIUS attributes that provision management access
   rights that originate from "up-stream" proxy servers not operated by
   the NAS owner.  Access-Accept messages that provision such locally
   un-authorized management access MAY be treated as if they were an
   Access-Reject by the first-hop proxy server.

   These issues are not of concern when all the RADIUS servers, local
   and proxy, used by the NAS are under the sole administrative control
   of the NAS owner.


12.  Acknowledgments

   Many thanks to all reviewers, including Bernard Aboba, Alan DeKok,
   David Harrington, Mauricio Sanchez, Juergen Schoenwaelder, Barney
   Wolff and Glen Zorn.


13.  References

13.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, June 2000.

   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
              10646", STD 63, RFC 3629, November 2003.

13.2.  Informative References

   [HTML]     Raggett, D., Le Hors, A., and I. Jacobs, "The HTML 4.01
              Specification, W3C", December 1999.

   [RFC0959]  Postel, J. and J. Reynolds, "File Transfer Protocol",



Nelson & Weber           Expires April 13, 2009                [Page 21]

Internet-Draft     RADIUS NAS-Management Authorization      October 2008


              STD 9, RFC 959, October 1985.

   [RFC1350]  Sollins, K., "The TFTP Protocol (Revision 2)", STD 33,
              RFC 1350, July 1992.

   [RFC2607]  Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy
              Implementation in Roaming", RFC 2607, June 1999.

   [RFC2616]  Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
              Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
              Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.

   [RFC2866]  Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.

   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              December 2002.

   [RFC3412]  Case, J., Harrington, D., Presuhn, R., and B. Wijnen,
              "Message Processing and Dispatching for the Simple Network
              Management Protocol (SNMP)", STD 62, RFC 3412,
              December 2002.

   [RFC3413]  Levi, D., Meyer, P., and B. Stewart, "Simple Network
              Management Protocol (SNMP) Applications", STD 62,
              RFC 3413, December 2002.

   [RFC3414]  Blumenthal, U. and B. Wijnen, "User-based Security Model
              (USM) for version 3 of the Simple Network Management
              Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.

   [RFC3415]  Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
              Access Control Model (VACM) for the Simple Network
              Management Protocol (SNMP)", STD 62, RFC 3415,
              December 2002.

   [RFC3416]  Presuhn, R., "Version 2 of the Protocol Operations for the
              Simple Network Management Protocol (SNMP)", STD 62,
              RFC 3416, December 2002.

   [RFC3417]  Presuhn, R., "Transport Mappings for the Simple Network
              Management Protocol (SNMP)", STD 62, RFC 3417,
              December 2002.

   [RFC3418]  Presuhn, R., "Management Information Base (MIB) for the
              Simple Network Management Protocol (SNMP)", STD 62,
              RFC 3418, December 2002.



Nelson & Weber           Expires April 13, 2009                [Page 22]

Internet-Draft     RADIUS NAS-Management Authorization      October 2008


   [RFC3575]  Aboba, B., "IANA Considerations for RADIUS (Remote
              Authentication Dial In User Service)", RFC 3575,
              July 2003.

   [RFC3579]  Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication
              Dial In User Service) Support For Extensible
              Authentication Protocol (EAP)", RFC 3579, September 2003.

   [RFC3580]  Congdon, P., Aboba, B., Smith, A., Zorn, G., and J. Roese,
              "IEEE 802.1X Remote Authentication Dial In User Service
              (RADIUS) Usage Guidelines", RFC 3580, September 2003.

   [RFC3588]  Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J.
              Arkko, "Diameter Base Protocol", RFC 3588, September 2003.

   [RFC4005]  Calhoun, P., Zorn, G., Spence, D., and D. Mitton,
              "Diameter Network Access Server Application", RFC 4005,
              August 2005.

   [RFC4072]  Eronen, P., Hiller, T., and G. Zorn, "Diameter Extensible
              Authentication Protocol (EAP) Application", RFC 4072,
              August 2005.

   [RFC4741]  Enns, R., "NETCONF Configuration Protocol", RFC 4741,
              December 2006.

   [RFC4742]  Wasserman, M. and T. Goddard, "Using the NETCONF
              Configuration Protocol over Secure SHell (SSH)", RFC 4742,
              December 2006.

   [RFC4743]  Goddard, T., "Using NETCONF over the Simple Object Access
              Protocol (SOAP)", RFC 4743, December 2006.

   [RFC4744]  Lear, E. and K. Crozier, "Using the NETCONF Protocol over
              the Blocks Extensible Exchange Protocol (BEEP)", RFC 4744,
              December 2006.

   [RFC5176]  Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
              Aboba, "Dynamic Authorization Extensions to Remote
              Authentication Dial In User Service (RADIUS)", RFC 5176,
              January 2008.

   [SFTP]     Galbraith, J. and O. Saarenmaa, "SSH File Transfer
              Protocol", July 2006.

   [SSH]      Barrett, D., Silverman, R., and R. Byrnes, "SSH, the
              Secure Shell: The Definitive Guide, Second Edition,
              O'Reilly and Associates", May 2005.



Nelson & Weber           Expires April 13, 2009                [Page 23]

Internet-Draft     RADIUS NAS-Management Authorization      October 2008


Authors' Addresses

   David B. Nelson
   Elbrys Networks, Inc.
   75 Rochester Avenue, Unit 3
   Portsmouth, NH  03801
   USA

   Email: d.b.nelson@comcast.net


   Greg Weber
   Individual Contributor
   Knoxville, TN  37932
   USA

   Email: gdweber@gmail.com


































Nelson & Weber           Expires April 13, 2009                [Page 24]

Internet-Draft     RADIUS NAS-Management Authorization      October 2008


Full Copyright Statement

   Copyright (C) The IETF Trust (2008).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.











Nelson & Weber           Expires April 13, 2009                [Page 25]


Html markup produced by rfcmarkup 1.108, available from http://tools.ietf.org/tools/rfcmarkup/