RE: [Isms] #19: should RADIUS be exposed outside of SSH?
There are two options.
The AAA server sends down all the management authorization information
specific to that particular user. We can have service names that are
qualified, i.e. mgmt-snmp, mgmt-netconf, and an SSH authentication request
can send mgmt*, which would result in all management authorization
information being returned. The appropriate management protocol can then
use this information based on what requests arrive on the authenticated
SSH channel.
The other option is to allow for authorization when requests are sent on
top of the SSH channel; this will, however, require changes to protocols
such as RADIUS and Diameter to support explicit authorization from the NAS
to the AAA server.
-----Original Message-----
From: isms-bounces at lists.ietf.org [mailto:isms-bounces at lists.ietf.org]
On Behalf Of Nelson, David
Sent: Friday, October 14, 2005 2:40 PM
To: isms at ietf.org
Subject: RE: [Isms] #19: should RADIUS be exposed outside of SSH?
Salowey, Joe writes...
> Something to also consider when looking at management extensions for
> RADIUS is that the exact type of management may not be known at
> authentication time.
Yes.
> For example if the same SSH service is used for SNMP, CLI and NETCONF
> you probably won't know what the SSH client wants
> until it invokes the appropriate subsystem. The same is true for more
> fine grained services.
There are three ways that AAA systems that provision specific services
typically deal with this issue:
1. the user identity presented for authentication is unique to the
specific service,
2. the AAA client identity is unique to the specific service, or
3. the AAA client provides hints to the AAA server in the authentication
request as to what service is being requested.
The third approach is most common. In the case of an SSH connection
where the application protocol is not known at authentication time, this
presents a problem. Either the AAA system provides authentication
without authorization, or some other method needs to be found.
It seems like this is an AAA/SSH issue, and requires some further
investigation.
_______________________________________________
Isms mailing list
Isms at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/isms
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
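A small model of the first option described in the reply above (the NAS asks the AAA server for all management authorization at SSH authentication time using a mgmt* service hint, caches the qualified entries, and enforces them only when the SSH client invokes a subsystem), which is also an instance of the third of Nelson's three approaches (the AAA client supplies a service hint). This is an added illustration, not code from the thread, from the ISMS working group, or from any RADIUS or Diameter implementation: the user records, passwords, qualified service names, attribute values and function names are constructed for the example, and the AAA exchange is modelled as a function call rather than as real RADIUS packets.

```python
"""Model of "authorize everything management-related at SSH login, enforce
per subsystem later". All names and data below are constructed for this
illustration; nothing here is an actual RADIUS attribute or packet."""

import hmac
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Constructed AAA database. Authorization is keyed by a qualified service
# name, so management services share the "mgmt-" prefix while unrelated
# services (here a PPP profile) do not.
AAA_DB = {
    "alice": {
        "password": "correct horse",
        "services": {
            "mgmt-snmp": {"view": "read-only"},
            "mgmt-netconf": {"access": "rw"},
            "mgmt-cli": {"privilege": 15},
            "ppp": {"framed-ip": "10.0.0.5"},
        },
    },
    "bob": {
        "password": "battery staple",
        "services": {
            "mgmt-snmp": {"view": "read-only"},
        },
    },
}


@dataclass
class AccessResponse:
    accepted: bool
    # qualified service name -> authorization attributes for that service
    authorization: dict = field(default_factory=dict)


def aaa_access_request(user, password, service_hint):
    """AAA server side (hypothetical). The hint is a glob over qualified
    service names: 'mgmt-snmp' selects one service, 'mgmt*' selects every
    management service. Non-matching services are never sent to the NAS."""
    record = AAA_DB.get(user)
    if record is None or not hmac.compare_digest(record["password"], password):
        return AccessResponse(False)
    authz = {
        name: attrs
        for name, attrs in record["services"].items()
        if fnmatchcase(name, service_hint)
    }
    return AccessResponse(True, authz)


class SshManagementSession:
    """NAS side: one authenticated SSH session that may later carry the
    SNMP, NETCONF or CLI subsystem."""

    def __init__(self, user):
        self.user = user
        self.authorization = None  # filled in by a successful authenticate()

    def authenticate(self, password):
        # The subsystem is unknown at this point, so ask for all of mgmt*.
        resp = aaa_access_request(self.user, password, "mgmt*")
        if resp.accepted:
            self.authorization = resp.authorization
        return resp.accepted

    def invoke_subsystem(self, subsystem):
        """Called when the SSH client requests a subsystem. Returns the
        cached attributes for it, or None when the AAA server returned no
        authorization for that service (the NAS should then refuse it)."""
        if self.authorization is None:
            raise PermissionError("subsystem requested before authentication")
        return self.authorization.get("mgmt-" + subsystem)


if __name__ == "__main__":
    session = SshManagementSession("alice")
    print("authenticated:", session.authenticate("correct horse"))
    print("snmp:", session.invoke_subsystem("snmp"))
    print("netconf:", session.invoke_subsystem("netconf"))
    print("cached services:", sorted(session.authorization))
```

The point of the model is the second half: authorization for every management service is fetched and cached in one round trip, and the enforcement decision is deferred to the moment the client names a subsystem. The wildcard hint keeps non-management authorization (the constructed ppp entry) out of the response, and a user whose record lacks a service simply gets no entry for it, so the NAS has nothing to grant.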