RE: [Isms] #19: should RADIUS be exposed outside of SSH?




Salowey, Joe writes...

> Something to also consider when looking at management extensions for
> RADIUS is that the exact type of management may not be known at
> authentication time.

Yes.

>  For example if the same SSH service is used for
> SNMP, CLI and NETCONF you probably won't know what the SSH client wants
> until it invokes the appropriate subsystem.  The same is true for more
> fine grained services.

There are three ways that AAA systems that provision specific services
typically deal with this issue:

1. the user identity presented for authentication is unique to the
specific service,

2. the AAA client identity is unique to the specific service, or

3. the AAA client provides hints to the AAA server in the authentication
request as to what service is being requested.

The third approach is most common.  In the case of an SSH connection
where the application protocol is not known at authentication time, this
presents a problem.  Either the AAA system provides authentication
without authorization, or some other method needs to be found.

It seems like this is an AAA/SSH issue, and requires some further
investigation.


_______________________________________________
Isms mailing list
Isms at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/isms
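
Added example, not part of the original message: a small model of an AAA server resolving the requested service by each of the three approaches listed above, and of the SSH case where none applies at authentication time. The user names, client identities, policy table and `service_hint` field are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy: services each user identity may be provisioned for.
USER_SERVICES = {
    "alice": {"cli", "netconf"},
    "alice-snmp": {"snmp"},      # approach 1: identity unique to one service
}
# Approach 2: the AAA client identity is unique to one service.
CLIENT_SERVICE = {"netconf-gw.example": "netconf"}


@dataclass
class AuthRequest:
    user: str
    client_id: str
    service_hint: Optional[str] = None   # approach 3: hint from the AAA client


def resolve_service(req: AuthRequest) -> Optional[str]:
    """Return the service being requested, or None if it cannot be determined."""
    if req.service_hint:                     # approach 3: explicit hint
        return req.service_hint
    if req.client_id in CLIENT_SERVICE:      # approach 2: per-service client
        return CLIENT_SERVICE[req.client_id]
    allowed = USER_SERVICES.get(req.user, set())
    if len(allowed) == 1:                    # approach 1: per-service identity
        return next(iter(allowed))
    return None


def decide(req: AuthRequest, credentials_ok: bool) -> str:
    """Authentication plus, where the service is known, authorization."""
    if not credentials_ok or req.user not in USER_SERVICES:
        return "reject"
    service = resolve_service(req)
    if service is None:
        # The SSH case: SNMP, CLI and NETCONF share one service and the
        # subsystem has not been invoked yet, so only identity is established.
        return "authenticate-only"
    return "accept:" + service if service in USER_SERVICES[req.user] else "reject"


if __name__ == "__main__":
    shared_ssh = AuthRequest("alice", "ssh-server.example")
    print(decide(shared_ssh, credentials_ok=True))
```
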



