draft-ietf-isms-radius-usage-05.txt   draft-ietf-isms-radius-usage-06.txt 
Network Working Group K. Narayan Network Working Group K. Narayan
Internet-Draft Cisco Systems, Inc. Internet-Draft Cisco Systems, Inc.
Intended status: Standards Track D. Nelson Intended status: Standards Track D. Nelson
Expires: September 9, 2009 Elbrys Networks, Inc. Expires: October 31, 2009 Elbrys Networks, Inc.
March 8, 2009 April 29, 2009
Remote Authentication Dial-In User Service (RADIUS) Usage for Simple Remote Authentication Dial-In User Service (RADIUS) Usage for Simple
Network Management Protocol (SNMP) Transport Models Network Management Protocol (SNMP) Transport Models
draft-ietf-isms-radius-usage-05.txt draft-ietf-isms-radius-usage-06.txt
Status of this Memo Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79. This document may contain material
from IETF Documents or IETF Contributions published or made publicly
available before November 10, 2008. The person(s) controlling the
copyright in some of this material may not have granted the IETF
Trust the right to allow modifications of such material outside the
IETF Standards Process. Without obtaining an adequate license from
the person(s) controlling the copyright in such materials, this
document may not be modified outside the IETF Standards Process, and
derivative works of it may not be created outside the IETF Standards
Process, except to format it for publication as an RFC or to
translate it into languages other than English.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on September 9, 2009. This Internet-Draft will expire on October 31, 2009.
Copyright Notice Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info). publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
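Review bot: the paragraph added to "Status of this Memo" in -06 ("This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008 ...") restricts the IETF Trust's right to modify the document and should only be carried if the draft really includes such pre-5378 material; -05 did not have it and nothing else in the diff explains which text it covers, so either identify that material or drop the paragraph before publication.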
skipping to change at page 2, line 19 skipping to change at page 3, line 7
focus on the Secure Shell Transport Model. focus on the Secure Shell Transport Model.
Requirements Language Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.2. RADIUS Operational Model . . . . . . . . . . . . . . . . . 3 1.2. RADIUS Operational Model . . . . . . . . . . . . . . . . . 4
1.3. RADIUS Usage With Secure Transports . . . . . . . . . . . 4 1.3. RADIUS Usage With Secure Transports . . . . . . . . . . . 5
1.4. SNMP Transport Models . . . . . . . . . . . . . . . . . . 5 1.4. SNMP Transport Models . . . . . . . . . . . . . . . . . . 6
2. RADIUS Usage for SNMP Transport Models . . . . . . . . . . . . 5 2. RADIUS Usage for SNMP Transport Models . . . . . . . . . . . . 6
2.1. RADIUS Authentication for Transport Protocols . . . . . . 7 2.1. RADIUS Authentication for Transport Protocols . . . . . . 8
2.2. RADIUS Authorization for Transport Protocols . . . . . . . 7 2.2. RADIUS Authorization for Transport Protocols . . . . . . . 8
2.3. SNMP Service Authorization . . . . . . . . . . . . . . . . 8 2.3. SNMP Service Authorization . . . . . . . . . . . . . . . . 9
3. Table of Attributes . . . . . . . . . . . . . . . . . . . . . 9 3. Table of Attributes . . . . . . . . . . . . . . . . . . . . . 10
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
5. Security Considerations . . . . . . . . . . . . . . . . . . . 11 5. Security Considerations . . . . . . . . . . . . . . . . . . . 12
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 11 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 12
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13
7.1. Normative References . . . . . . . . . . . . . . . . . . . 12 7.1. Normative References . . . . . . . . . . . . . . . . . . . 13
7.2. Informative References . . . . . . . . . . . . . . . . . . 12 7.2. Informative References . . . . . . . . . . . . . . . . . . 13
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 13 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 14
1. Introduction 1. Introduction
1.1. General 1.1. General
This memo describes the use of a Remote Authentication Dial-In User This memo describes the use of a Remote Authentication Dial-In User
Service (RADIUS) authentication and authorization service by Simple Service (RADIUS) authentication and authorization service by Simple
Network Management Protocol (SNMP) secure Transport Models to Network Management Protocol (SNMP) secure Transport Models to
authenticate users and authorize creation of secure transport authenticate users and authorize creation of secure transport
sessions. While the recommendations of this memo are generally sessions. While the recommendations of this memo are generally
skipping to change at page 8, line 43 skipping to change at page 9, line 43
The following RADIUS attributes SHOULD be used, as hint attributes The following RADIUS attributes SHOULD be used, as hint attributes
included in the Access-Request message to signal use of SNMP over a included in the Access-Request message to signal use of SNMP over a
secure transport (i.e. authPriv) to the RADIUS server: secure transport (i.e. authPriv) to the RADIUS server:
1. Service-Type with a value of Framed-Management. 1. Service-Type with a value of Framed-Management.
2. Framed-Management-Protocol with a value of SNMP. 2. Framed-Management-Protocol with a value of SNMP.
3. Management-Transport-Protection with a value of Integrity- 3. Management-Transport-Protection with a value of Integrity-
Confidentiality-Protection. Confidentiality-Protection.
The following RADIUS attributes are used in an Access-Accept message The following RADIUS attributes are used in an Access-Accept message
to provision SNMP over a secure transport (i.e. authPriv): to provision SNMP over a secure transport which provides both
integrity and confidentiality (i.e. authPriv):
1. Service-Type with a value of Framed-Management. 1. Service-Type with a value of Framed-Management.
2. Framed-Management-Protocol with a value of SNMP. 2. Framed-Management-Protocol with a value of SNMP.
3. Management-Transport-Protection with a value of Integrity- 3. Management-Transport-Protection with a value of Integrity-
Confidentiality-Protection. Confidentiality-Protection.
The following RADIUS attributes MAY be optionally used, to authorize The following RADIUS attributes MAY be optionally used, to authorize
use of SNMP without protection (i.e. authNoPriv): use of SNMP without protection (i.e. authNoPriv):
1. Service-Type with a value of Framed-Management. 1. Service-Type with a value of Framed-Management.
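Review bot: the requirement language across the three attribute lists in this region is inconsistent: the Access-Request hints "SHOULD be used", the Access-Accept attributes merely "are used" with no RFC 2119 keyword, and the authNoPriv attributes "MAY be optionally used", where "optionally" duplicates MAY. The Access-Accept list is the one the NAS enforces, so say explicitly whether those three attributes MUST be present to provision authPriv, and what the NAS does when the Access-Accept carries no Management-Transport-Protection at all or a weaker value than the hint it sent in the Access-Request (reject the session, or fall back to the hinted level). The -06 wording "a secure transport which provides both integrity and confidentiality (i.e. authPriv)" is clearer than -05; in this restrictive use "which" should be "that".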
skipping to change at page 9, line 34 skipping to change at page 10, line 35
Refer to [RFC2865] for a detailed description of these attributes. Refer to [RFC2865] for a detailed description of these attributes.
The Session-Timeout Attribute indicates the maximum number of seconds The Session-Timeout Attribute indicates the maximum number of seconds
that a session may exist before it is unconditionally disconnected. that a session may exist before it is unconditionally disconnected.
The Inactivity-Timeout Attribute indicates the maximum number of The Inactivity-Timeout Attribute indicates the maximum number of
seconds that a transport session may exist without any protocol seconds that a transport session may exist without any protocol
activity (messages sent or received) before the session is activity (messages sent or received) before the session is
disconnected. These timeouts are enforced by the NAS. disconnected. These timeouts are enforced by the NAS.
3. Table of Attributes 3. Table of Attributes
The following table provides a guide to which attributes may be found Table 1 provides a guide to which attributes may be found in which
in which kinds of packets, and in what quantity. kinds of packets, and in what quantity.
Access- Access-
Request Accept Reject Challenge # Attribute Request Accept Reject Challenge # Attribute
--------------------------------------------------------------------- ---------------------------------------------------------------------
0-1 0 0 0 1 User-Name [RFC2865] 0-1 0 0 0 1 User-Name [RFC2865]
0-1 0 0 0 2 User-Password [RFC2865] 0-1 0 0 0 2 User-Password [RFC2865]
0-1 0 0 0 4 NAS-IP-Address [RFC2865] 0-1 * 0 0 0 4 NAS-IP-Address [RFC2865]
0-1 * 0 0 0 95 NAS-IPv6-Address {RFC3162]
0-1 * 0 0 0 32 NAS-Identifier [RFC2865]
0-1 0-1 0 0 6 Service-Type [RFC2865] 0-1 0-1 0 0 6 Service-Type [RFC2865]
0-1 0-1 0 0-1 24 State [RFC2865] 0-1 0-1 0 0-1 24 State [RFC2865]
0 0-1 0 0 27 Session-Timeout [RFC2865] 0 0-1 0 0 27 Session-Timeout [RFC2865]
0 0-1 0 0 28 Idle-Timeout [RFC2865] 0 0-1 0 0 28 Idle-Timeout [RFC2865]
0-1 0-1 0-1 0-1 80 Message-Authenticator [RFC3579] 0-1 0-1 0-1 0-1 80 Message-Authenticator [RFC3579]
0-1 0-1 0 0 TBA-2 Framed-Management-Protocol 0-1 0-1 0 0 TBA-2 Framed-Management-Protocol
[I-D.ietf-radext-management-authorization] [I-D.ietf-radext-management-authorization]
0-1 0-1 0 0 TBA-3 Management-Transport-Protection 0-1 0-1 0 0 TBA-3 Management-Transport-Protection
[I-D.ietf-radext-management-authorization] [I-D.ietf-radext-management-authorization]
0 0+ 0 0 TBA-4 Management-Policy-Id
[I-D.ietf-radext-management-authorization]
The following table defines the meaning of the above table entries. Table 1
Table 2 defines the meaning of the entries in Table 1.
0 This attribute MUST NOT be present in a packet. 0 This attribute MUST NOT be present in a packet.
0+ Zero or more instances of this attribute MAY be present in 0+ Zero or more instances of this attribute MAY be present in
a packet. a packet.
0-1 Zero or one instance of this attribute MAY be present in 0-1 Zero or one instance of this attribute MAY be present in
a packet. a packet.
1 Exactly one instance of this attribute MUST be present in 1 Exactly one instance of this attribute MUST be present in
a packet. a packet.
* Only one of these atribute options SHOULD be included.
Note that this document does not describe the usage of RADIUS Table 2
Accounting, nor Dynamic RADIUS Re-Authorization. Such RADIUS usages
are not currently envisioned for SNMP, and are beyond the scope of SSH integration with RADIUS traditionally uses usernames and
this document. passwords (with the User-Password Attribute), but other secure
transports could use other authentication mechanisms, and would
include RADIUS authentication attributes appropriate for that
mechanism instead of User-Password.
This document does not describe the usage of RADIUS Accounting, nor
Dynamic RADIUS Re-Authorization. Such RADIUS usages are not
currently envisioned for SNMP, and are beyond the scope of this
document.
4. IANA Considerations 4. IANA Considerations
This document makes no requests of IANA for new allocations, however This document makes no requests of IANA for new allocations, however
there are placeholder values ("TBA-n") in Section 3, that refer to there are placeholder values ("TBA-n") in Section 3, that refer to
IANA assignments to be made in IANA assignments to be made in
[I-D.ietf-radext-management-authorization], which should be replaced [I-D.ietf-radext-management-authorization], which should be replaced
with actual values in this document, based on the corresponding IANA with actual values in this document, based on the corresponding IANA
assignments for [I-D.ietf-radext-management-authorization]. assignments for [I-D.ietf-radext-management-authorization].
Note to RFC Editor: This section should be removed upon publication
of this document as an RFC.
5. Security Considerations 5. Security Considerations
This specification describes the use of RADIUS for purposes of This specification describes the use of RADIUS for purposes of
authentication and authorization. Threats and security issues for authentication and authorization. Threats and security issues for
this application are described in [RFC3579] and [RFC3580]; security this application are described in [RFC3579] and [RFC3580]; security
issues encountered in roaming are described in [RFC2607]. issues encountered in roaming are described in [RFC2607].
Additional security considerations for use of SNMP with secure Additional security considerations for use of SNMP with secure
Transport Models [I-D.ietf-isms-tmsm] and the Transport Security Transport Models [I-D.ietf-isms-tmsm] and the Transport Security
Model [I-D.ietf-isms-transport-security-model] are found in the Model [I-D.ietf-isms-transport-security-model] are found in the
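Review bot: the timeout prose just before Section 3 names the "Inactivity-Timeout Attribute", while Table 1 lists attribute 28 as Idle-Timeout [RFC2865]; the text should use the attribute's registered name so implementers do not look for an attribute that does not exist. In Table 1 the new NAS-IPv6-Address row has a mismatched bracket ("{RFC3162]") and the new legend entry reads "atribute" for "attribute". The "*" legend says only one of NAS-IP-Address, NAS-IPv6-Address and NAS-Identifier SHOULD be included, but all three rows are 0-1 in Access-Request, so the table as written also permits none of them; if one is required in an Access-Request, as RFC 2865 Section 5.4 does for NAS-IP-Address or NAS-Identifier, the legend should read "exactly one of these attributes MUST be included". The new Management-Policy-Id (TBA-4) row is 0+ in Access-Accept, yet none of the changed text in this draft says how the NAS interprets several instances; confirm that Section 2.3 covers it.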
skipping to change at page 11, line 29 skipping to change at page 12, line 34
Security Model is selected, then securityName is determined using Security Model is selected, then securityName is determined using
USM. This may not be what is expected when using an SNMP secure USM. This may not be what is expected when using an SNMP secure
Transport Model with an external authentication service, such as Transport Model with an external authentication service, such as
RADIUS. RADIUS.
Simultaneously using a secure transport with RADIUS authentication Simultaneously using a secure transport with RADIUS authentication
and authorization, and the SNMPv1 or SNMPv2c or USM security models and authorization, and the SNMPv1 or SNMPv2c or USM security models
is NOT RECOMMENDED. See the coexistence section of is NOT RECOMMENDED. See the coexistence section of
[I-D.ietf-isms-tmsm]. [I-D.ietf-isms-tmsm].
There are good reasons to provision USM access so supplement with There are good reasons to provision USM access to supplement with
AAA-based access, however. When the network is under duress, or the AAA-based access, however. When the network is under duress, or the
AAA-service is unreachable, for any reason, it is important to have AAA-service is unreachable, for any reason, it is important to have
access credentials stored in the local configuration data-store of access credentials stored in the local configuration data-store of
the managed entity. USM credentials are a likely way to fulfill this the managed entity. USM credentials are a likely way to fulfill this
requirement. This is analogous to configuring a local "root" requirement. This is analogous to configuring a local "root"
password in the "/etc/passwd" file of a UNIX workstation, to be used password in the "/etc/passwd" file of a UNIX workstation, to be used
as a backup means of login, for times when the Network Information as a backup means of login, for times when the Network Information
Service (NIS) authentication service is unreachable. Service (NIS) authentication service is unreachable.
The Message-Authenticator (80) attribute [RFC3579] SHOULD be used The Message-Authenticator (80) attribute [RFC3579] SHOULD be used
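Review bot: the corrected sentence still does not parse: "provision USM access to supplement with AAA-based access" should be "provision USM access to supplement AAA-based access" (or "as a supplement to AAA-based access"), since the paragraph's point is that locally stored USM credentials are the fallback when the AAA service is unreachable. It would also help to state how this squares with the preceding paragraph's NOT RECOMMENDED on using USM together with a RADIUS-authenticated secure transport, for instance that the local USM credentials are for emergency access only and should be subject to the same access control as the RADIUS-provisioned sessions.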
skipping to change at page 12, line 10 skipping to change at page 13, line 14
Harrington and Juergen Schoenwaelder for numerous helpful discussions Harrington and Juergen Schoenwaelder for numerous helpful discussions
in this space, and Wes Hardaker for his thoughtful review comments. in this space, and Wes Hardaker for his thoughtful review comments.
7. References 7. References
7.1. Normative References 7.1. Normative References
[I-D.ietf-isms-tmsm] [I-D.ietf-isms-tmsm]
Harrington, D. and J. Schoenwaelder, "Transport Subsystem Harrington, D. and J. Schoenwaelder, "Transport Subsystem
for the Simple Network Management Protocol (SNMP)", for the Simple Network Management Protocol (SNMP)",
draft-ietf-isms-tmsm-13 (work in progress), August 2008. draft-ietf-isms-tmsm-17 (work in progress), April 2009.
[I-D.ietf-isms-transport-security-model] [I-D.ietf-isms-transport-security-model]
Harrington, D. and W. Hardaker, "Transport Security Model Harrington, D. and W. Hardaker, "Transport Security Model
for SNMP", draft-ietf-isms-transport-security-model-09 for SNMP", draft-ietf-isms-transport-security-model-13
(work in progress), October 2008. (work in progress), April 2009.
[I-D.ietf-radext-management-authorization] [I-D.ietf-radext-management-authorization]
Nelson, D. and G. Weber, "Remote Authentication Dial-In Nelson, D. and G. Weber, "Remote Authentication Dial-In
User Service (RADIUS) Authorization for Network Access User Service (RADIUS) Authorization for Network Access
Server (NAS) Management", Server (NAS) Management",
draft-ietf-radext-management-authorization-05 (work in draft-ietf-radext-management-authorization-06 (work in
progress), July 2008. progress), October 2008.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
"Remote Authentication Dial In User Service (RADIUS)", "Remote Authentication Dial In User Service (RADIUS)",
RFC 2865, June 2000. RFC 2865, June 2000.
[RFC5080] Nelson, D. and A. DeKok, "Common Remote Authentication [RFC5080] Nelson, D. and A. DeKok, "Common Remote Authentication
Dial In User Service (RADIUS) Implementation Issues and Dial In User Service (RADIUS) Implementation Issues and
Suggested Fixes", RFC 5080, December 2007. Suggested Fixes", RFC 5080, December 2007.
7.2. Informative References 7.2. Informative References
[I-D.ietf-isms-secshell] [I-D.ietf-isms-secshell]
Harrington, D., Salowey, J., and W. Hardaker, "Secure Harrington, D., Salowey, J., and W. Hardaker, "Secure
Shell Transport Model for SNMP", Shell Transport Model for SNMP",
draft-ietf-isms-secshell-12 (work in progress), draft-ietf-isms-secshell-16 (work in progress),
October 2008. April 2009.
[RFC2607] Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy [RFC2607] Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy
Implementation in Roaming", RFC 2607, June 1999. Implementation in Roaming", RFC 2607, June 1999.
[RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An
Architecture for Describing Simple Network Management Architecture for Describing Simple Network Management
Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
December 2002. December 2002.
[RFC3415] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
Access Control Model (VACM) for the Simple Network
Management Protocol (SNMP)", STD 62, RFC 3415,
December 2002.
[RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication [RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication
Dial In User Service) Support For Extensible Dial In User Service) Support For Extensible
Authentication Protocol (EAP)", RFC 3579, September 2003. Authentication Protocol (EAP)", RFC 3579, September 2003.
[RFC3580] Congdon, P., Aboba, B., Smith, A., Zorn, G., and J. Roese, [RFC3580] Congdon, P., Aboba, B., Smith, A., Zorn, G., and J. Roese,
"IEEE 802.1X Remote Authentication Dial In User Service "IEEE 802.1X Remote Authentication Dial In User Service
(RADIUS) Usage Guidelines", RFC 3580, September 2003. (RADIUS) Usage Guidelines", RFC 3580, September 2003.
[RFC4252] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH) [RFC4252] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH)
Authentication Protocol", RFC 4252, January 2006. Authentication Protocol", RFC 4252, January 2006.
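Review bot: Table 1 cites [RFC3162] for NAS-IPv6-Address, but neither the Normative nor the Informative list contains an entry for RFC 3162; add one, in the normative list since the table depends on it. Conversely, [RFC3415] (VACM) is newly added to the Informative References in -06, and none of the changed text shown cites it; check that the body references it or remove the entry. The refreshed draft versions (isms-tmsm-17, transport-security-model-13, secshell-16, management-authorization-06) are consistent with the April 2009 date of this revision.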
 End of changes. 19 change blocks. 
49 lines changed or deleted 63 lines changed or added

This html diff was produced by rfcdiff 1.35. The latest version is available from http://tools.ietf.org/tools/rfcdiff/