Diff of draft-ietf-isms-radius-usage-03.txt against draft-ietf-isms-radius-usage-04.txt
(unchanged text is shown once; where the two versions differ, both readings are given, labelled (-03) and (-04))

Network Working Group                                          K. Narayan
Internet-Draft                                        Cisco Systems, Inc.
Intended status: Standards Track                                D. Nelson
Expires: December 16, 2008 (-03) / April 15, 2009 (-04)
                                                     Elbrys Networks, Inc.
                                                      June 14, 2008 (-03)
                                                   October 12, 2008 (-04)

   Remote Authentication Dial-In User Service (RADIUS) Usage for Simple
            Network Management Protocol (SNMP) Transport Models
                 draft-ietf-isms-radius-usage-03.txt (-03)
                 draft-ietf-isms-radius-usage-04.txt (-04)

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that

   [skipping to change at page 1, line 36]

   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on December 16, 2008 (-03) /
   April 15, 2009 (-04).

Abstract

   This memo describes the use of a Remote Authentication Dial-In User
   Service (RADIUS) authentication and authorization service by Simple
   Network Management Protocol (SNMP) secure Transport Models to
   authenticate users and authorize creation of secure transport
   sessions.  While the recommendations of this memo are generally
   applicable to a broad class of SNMP Transport Models, the examples
   focus on the Secure Shell Transport Model.
   [skipping to change at page 7, line 7]

   authorization information will need to be obtained by the relevant
   SNMP modules from the SSH module.

   One reason that RADIUS-provisioned service authorization is important
   is that in many deployments the RADIUS server's back-end
   authentication database contains credentials for many classes of
   users, only a small portion of which may be authorized to access the
   management interfaces of managed entities (NASes) via SNMP.  This is
   in contrast to the way USM for SNMP works, in which all principals
   entered to the local configuration data-store are authorized for
   access to the managed entity.

   (-03) RADIUS-provisioned service authorization is a coarse granular
   mechanism to limit SNMP access only to operators/admins and deny
   access to a large population of users that may be authenticated by
   the RADIUS server.  In the absence of RADIUS-provisioned service
   authorization, operators would need to setup the SNMPv3 View-based
   Access Control Model (VACM) to alleviate the risk of unauthorized
   access.

   (-04) In the absence of RADIUS-provisioned service authorization,
   network management access may be granted to unauthorized, but
   properly authenticated, users.  With SNMPv3, an appropriately
   configured Access Control Model would serve to alleviate the risk of
   unauthorized access.

   Data object access control authorization in SNMP is handled by the
   Access Control Subsystem (ACS), instantiated as various Access
   Control Models.  The SNMP architecture, as described in RFC 3411
   [RFC3411], explicitly mandates the separation of authentication and
   authorization operations in order to retain modularity of the SNMP
   system.  The Abstract Service Interface (ASI) of the ACS uses method-
   independent parameters, including securityName, to determine access
   control rights.  A detailed description of how an Access Control
   Model (ACM) might utilize the services of a RADIUS client to obtain
   [skipping to change at page 11, line 16]

   Request Accept Reject Challenge  #     Attribute
   ---------------------------------------------------------------------
   0-1     0      0      0          1     User-Name             [RFC2865]
   0-1     0      0      0          2     User-Password         [RFC2865]
   0-1     0      0      0          4     NAS-IP-Address        [RFC2865]
   0-1     0-1    0      0          6     Service-Type          [RFC2865]
   0-1     0-1    0      0-1        24    State                 [RFC2865]
   0       0-1    0      0          27    Session-Timeout       [RFC2865]
   0       0-1    0      0          28    Idle-Timeout          [RFC2865]
   0-1     0-1    0-1    0-1        80    Message-Authenticator [RFC3579]
   0-1     0-1    0      0          TBA-2 Framed-Management-Protection (-03) /
                                          Framed-Management-Protocol (-04)
                                          [I-D.ietf-radext-management-authorization]
   0-1     0-1    0      0          TBA-3 Management-Transport-Protection
                                          [I-D.ietf-radext-management-authorization]
   0       0+     0      0          TBA-4 Management-Policy-Id
                                          [I-D.ietf-radext-management-authorization]

   The following table defines the meaning of the above table entries.

   0   This attribute MUST NOT be present in a packet.
   0+  Zero or more instances of this attribute MAY be present in
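As an added example (not text or code from the draft), the occurrence table above can be enforced on the NAS side before an Access-Accept is treated as a service authorization, so that a malformed or unexpected response fails closed rather than granting management access. The Python below encodes the table as printed in -04 (the Framed-Management-Protocol spelling), reads "0-1" as "at most one instance" following the usual RADIUS attribute-table convention, keys attributes by name because the TBA type codes are not yet assigned, and carries attribute values symbolically. The rule that an SNMP session is authorized only when the Accept carries Framed-Management-Protocol with the value SNMP, and the sample packets, are assumptions made for illustration.

```python
"""NAS-side check of RADIUS attribute occurrence for SNMP transport models.

Added example; the table data is copied from the draft, the decision
rule and the sample packets are constructed for illustration.
"""
from collections import Counter

# Occurrence rules per packet type, copied from the draft's table.
# Columns: Access-Request, Access-Accept, Access-Reject, Access-Challenge.
# "0"   = MUST NOT be present
# "0-1" = at most one instance (standard RADIUS table convention, assumed)
# "0+"  = zero or more instances MAY be present
ATTRIBUTE_TABLE = {
    "User-Name":                       ("0-1", "0",   "0",   "0"),
    "User-Password":                   ("0-1", "0",   "0",   "0"),
    "NAS-IP-Address":                  ("0-1", "0",   "0",   "0"),
    "Service-Type":                    ("0-1", "0-1", "0",   "0"),
    "State":                           ("0-1", "0-1", "0",   "0-1"),
    "Session-Timeout":                 ("0",   "0-1", "0",   "0"),
    "Idle-Timeout":                    ("0",   "0-1", "0",   "0"),
    "Message-Authenticator":           ("0-1", "0-1", "0-1", "0-1"),
    "Framed-Management-Protocol":      ("0-1", "0-1", "0",   "0"),
    "Management-Transport-Protection": ("0-1", "0-1", "0",   "0"),
    "Management-Policy-Id":            ("0",   "0+",  "0",   "0"),
}
PACKET_COLUMNS = {"Access-Request": 0, "Access-Accept": 1,
                  "Access-Reject": 2, "Access-Challenge": 3}


def _allowed(rule, count):
    """Return True if `count` instances satisfy the occurrence rule."""
    if rule == "0":
        return count == 0
    if rule == "0-1":
        return count <= 1
    if rule == "0+":
        return True
    raise ValueError(f"unknown occurrence rule {rule!r}")


def check_attribute_counts(packet_type, attributes):
    """Return a sorted list of violations; empty means the packet conforms.

    `attributes` is a list of (name, value) pairs as decoded from the
    packet.  Attributes the table does not mention are reported as well,
    since the table is the complete set the transport model expects.
    """
    column = PACKET_COLUMNS[packet_type]
    counts = Counter(name for name, _ in attributes)
    violations = []
    for name, count in counts.items():
        rules = ATTRIBUTE_TABLE.get(name)
        if rules is None:
            violations.append(f"{name}: not listed for SNMP transport model use")
        elif not _allowed(rules[column], count):
            violations.append(f"{name}: {count} instance(s) in {packet_type}, "
                              f"table allows {rules[column]}")
    return sorted(violations)


def snmp_session_authorized(accept_attributes):
    """Decide whether an Access-Accept authorizes an SNMP transport session.

    Successful authentication is not by itself an authorization: the NAS
    requires a well-formed, explicit service authorization.  The concrete
    rule used here (exactly one Framed-Management-Protocol attribute with
    the value SNMP) is an assumption for this example.
    """
    if check_attribute_counts("Access-Accept", accept_attributes):
        return False  # malformed authorization data: fail closed
    protocols = [v for n, v in accept_attributes
                 if n == "Framed-Management-Protocol"]
    return protocols == ["SNMP"]


# Constructed sample packets (attribute values are symbolic placeholders).
SAMPLE_ACCEPT_AUTHORIZED = [
    ("Service-Type", "Framed-Management"),
    ("Framed-Management-Protocol", "SNMP"),
    ("Management-Transport-Protection", "Integrity-Confidentiality-Protection"),
    ("Management-Policy-Id", "netops"),
    ("Management-Policy-Id", "readonly"),
    ("Message-Authenticator", b"\x00" * 16),
]
# Authenticated user with no SNMP service authorization at all.
SAMPLE_ACCEPT_AUTHENTICATED_ONLY = [
    ("Session-Timeout", 3600),
    ("Message-Authenticator", b"\x00" * 16),
]
# Violates the table: User-Password in an Accept, protocol attribute twice.
SAMPLE_ACCEPT_MALFORMED = [
    ("User-Password", "secret"),
    ("Framed-Management-Protocol", "SNMP"),
    ("Framed-Management-Protocol", "SNMP"),
]

if __name__ == "__main__":
    for label, pkt in (("authorized", SAMPLE_ACCEPT_AUTHORIZED),
                       ("authenticated only", SAMPLE_ACCEPT_AUTHENTICATED_ONLY),
                       ("malformed", SAMPLE_ACCEPT_MALFORMED)):
        print(label, check_attribute_counts("Access-Accept", pkt),
              snmp_session_authorized(pkt))
```

The second sample is the case the draft's paragraph on page 7 warns about: the RADIUS server authenticated the user and returned a valid Accept, yet nothing in it authorizes SNMP management, so the transport model must not open the session on the strength of authentication alone.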
   [skipping to change at page 13, line 11]

   The authors would like to acknowledge the contributions of David
   Harrington and Juergen Schoenwaelder for numerous helpful discussions
   in this space, and Wes Hardaker for his thoughtful review comments.

7.  References

7.1.  Normative References

   [I-D.ietf-isms-secshell]
              (-03) Harrington, D. and J. Salowey, "Secure Shell Transport
              Model for SNMP", draft-ietf-isms-secshell-10 (work in
              progress), February 2008.
              (-04) Harrington, D., Salowey, J., and W. Hardaker, "Secure
              Shell Transport Model for SNMP",
              draft-ietf-isms-secshell-12 (work in progress),
              October 2008.

   [I-D.ietf-isms-tmsm]
              Harrington, D. and J. Schoenwaelder, "Transport Subsystem
              for the Simple Network Management Protocol (SNMP)",
              (-03) draft-ietf-isms-tmsm-12 (work in progress), February 2008.
              (-04) draft-ietf-isms-tmsm-13 (work in progress), August 2008.

   [I-D.ietf-isms-transport-security-model]
              (-03) Harrington, D., "Transport Security Model for SNMP",
              draft-ietf-isms-transport-security-model-07 (work in
              progress), November 2007.
              (-04) Harrington, D. and W. Hardaker, "Transport Security Model
              for SNMP", draft-ietf-isms-transport-security-model-09
              (work in progress), October 2008.

   [I-D.ietf-radext-management-authorization]
              Nelson, D. and G. Weber, "Remote Authentication Dial-In
              User Service (RADIUS) Authorization for Network Access
              Server (NAS) Management",
              (-03) draft-ietf-radext-management-authorization-03 (work in
              progress), June 2008.
              (-04) draft-ietf-radext-management-authorization-06 (work in
              progress), October 2008.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, June 2000.

   [RFC4252]  Ylonen, T. and C. Lonvick, "The Secure Shell (SSH)
              Authentication Protocol", RFC 4252, January 2006.
End of changes.  9 change blocks.  21 lines changed or deleted, 20 lines changed or added.

This html diff was produced by rfcdiff 1.35.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/