Presentation is loading. Please wait.

Presentation is loading. Please wait.

RADIUS Attributes for Management Authorization David B. Nelson IETF 66, RADEXT WG July 10, 2006.

Published byMarjory Cox Modified over 8 years ago

Similar presentations

Presentation on theme: "RADIUS Attributes for Management Authorization David B. Nelson IETF 66, RADEXT WG July 10, 2006."— Presentation transcript:

1 RADIUS Attributes for Management Authorization David B. Nelson IETF 66, RADEXT WG July 10, 2006

2 Need for Management Attributes RADUIS currently defines two attributes for management Both are for “CLI” style interface –Service-Type = Administrative –Service-Type = NAS-Prompt No attributes for provisioning other forms of management interfaces

3 Need for Management Attributes Need for attributes that describe non-CLI management interfaces –SNMP –HTTP –SFTP –SCP Potential consideration for NETCONF?

4 Need for Management Attributes Need for attributes to specify secure vs. non-secure management interfaces –SSH –SNMP v3 –HTTPS / TLS

5 Need for Management Attributes Need for attributes to specify roles or privilege levels –SNMPv3 VACM entries Like the Filter-ID attribute, but for management –Split horizon views Layer 2 management view Layer 3 management view Etc.

6 Need for Management Attributes Need attributes to authorize management commands on a per-command or per- operation granularity Need attributes to provide an audit trail, on a per-command basis, via accounting for configuration changes to facilitate problem resolution Provides feature-parity with TACACS+

7 Possible solution approach Internet-Draft: draft-nelson-radius- management-authorization-03.txt Service-Type = Framed-Management Management-Access-ID –A named access policy, similar to Filter-ID –Name is of local scope –Could be a privilege level –Could be a group name that maps to a VACM table entry

8 Possible solution approach Management-Protocol –Used in conjunction with a Service-Type of Framed-Management –Values might be: SNMP-V3 (SSHSM) HTTP HTTPS-TLS

9 Possible solution approach Non-Framed-Management-Command A command line interface (CLI) interaction Framed-Management-Operation A SNMP/HTTP operation Management-Context Contextual information for above two. For example, a CLI sub-mode, menu name, virtual router instance, administrative role

10 Changes since -01 Added a section on the use of “Authorize Only” Diameter Translation section revised. Security Consideration section revised. References section revised.

11 Is there an interest? Meets some of the requirements for authorization of SNMPv3 in the ISMS WG If the management access services that these attributes specify are of multi-vendor applicability, it would be better to define them as standard attributes Is there interest in working on defining such attributes, and creating implementations? Ready for adoption as a WG work item?

Download ppt "RADIUS Attributes for Management Authorization David B. Nelson IETF 66, RADEXT WG July 10, 2006."

Similar presentations

Point Protection 111. Check List AAA to the Network Devices Controlling Packets Destined to the Network Devices Config Audits.

Point Protection 111. Check List AAA to the Network Devices Controlling Packets Destined to the Network Devices Config Audits.
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
SNMP v3.

SNMP v3.
Presentation to DIME WG on draft-ietf-radext-filter-rules-00-txt IETF 65 – Dallas,TX Mauricio Sanchez.

Presentation to DIME WG on draft-ietf-radext-filter-rules-00-txt IETF 65 – Dallas,TX Mauricio Sanchez.
© 2007 Cisco Systems, Inc. All rights reserved.ICND1 v1.0—4-1 LAN Connections Using the Cisco SDM.

© 2007 Cisco Systems, Inc. All rights reserved.ICND1 v1.0—4-1 LAN Connections Using the Cisco SDM.
RADEXT WG draft-ietf-radext-ieee802ext-03 Bernard Aboba November 6, 2012 IETF 85 Please join the Jabber room:

RADEXT WG draft-ietf-radext-ieee802ext-03 Bernard Aboba November 6, 2012 IETF 85 Please join the Jabber room:
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 5 Database Application Security Models.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 5 Database Application Security Models.
1 ITC242 – Introduction to Data Communications Week 12 Topic 18 Chapter 19 Network Management.

1 ITC242 – Introduction to Data Communications Week 12 Topic 18 Chapter 19 Network Management.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Chapter 5 Database Application Security Models

Chapter 5 Database Application Security Models
Integrated Security Model for SNMPv3 (ISMS) pronounced is miss David T. Perkins & Wes Hardaker 60 th IETF August 6, 2004.

Integrated Security Model for SNMPv3 (ISMS) pronounced "is" "miss" David T. Perkins & Wes Hardaker 60 th IETF August 6, 2004.
Session-based Security Model for SNMPv3 (SNMPv3/SBSM) David T. Perkins Wes Hardaker IETF November 12, 2003.

Session-based Security Model for SNMPv3 (SNMPv3/SBSM) David T. Perkins Wes Hardaker IETF November 12, 2003.
55 th IETF 1 55 th IETF Network Management for GSMP Interface draft-cha-gsmp-management-01.txt YoungWook Cha Andong National.

55 th IETF 1 55 th IETF Network Management for GSMP Interface draft-cha-gsmp-management-01.txt YoungWook Cha Andong National.
McGraw-Hill The McGraw-Hill Companies, Inc., 2000 SNMP Simple Network Management Protocol.

McGraw-Hill The McGraw-Hill Companies, Inc., 2000 SNMP Simple Network Management Protocol.
Privilege Levels Cisco IOS provides for 16 different privilege levels ranging from 0 to 15. Cisco IOS comes with 2 predefined user levels. User mode.

Privilege Levels Cisco IOS provides for 16 different privilege levels ranging from 0 to 15. Cisco IOS comes with 2 predefined user levels. User mode.
Aug 3, 2004AAA WG, IETF 60 San Diego1 Diameter NASReq Application Status David Mitton, Document Editor.

Aug 3, 2004AAA WG, IETF 60 San Diego1 Diameter NASReq Application Status David Mitton, Document Editor.
Service Function Chaining Use Cases draft-liu-service-chaining-use-cases IETF 89 London, March 3, 2014 Will Liu, Hongyu Li, Oliver Huang, Huawei Technologies.

Service Function Chaining Use Cases draft-liu-service-chaining-use-cases IETF 89 London, March 3, 2014 Will Liu, Hongyu Li, Oliver Huang, Huawei Technologies.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
Doc: 11-03-0763-00-0000 Submission September 2003 Dorothy Stanley (Agere Systems) IETF Liaison Report September 2003 Dorothy Stanley – Agere Systems IEEE.

Doc: Submission September 2003 Dorothy Stanley (Agere Systems) IETF Liaison Report September 2003 Dorothy Stanley – Agere Systems IEEE.
1 © 2004 Cisco Systems, Inc. All rights reserved. L2VPN RADIUS - IETF 62 L2VPN RADIUS Auto-discovery and provisioning draft-ietf-l2vpn-radius-pe-discovery-01.

1 © 2004 Cisco Systems, Inc. All rights reserved. L2VPN RADIUS - IETF 62 L2VPN RADIUS Auto-discovery and provisioning draft-ietf-l2vpn-radius-pe-discovery-01.

Similar presentations

Ads by Google