Re: [Isms] #19: should RADIUS be exposed outside of SSH?


Nelson, David wrote:
Subject: [Isms] #19: should RADIUS be exposed outside of SSH?
One point that hasn't had much [any] discussion is that AAA services
such as RADIUS and Diameter are designed to provision a specific
service, such as packet forwarding or telnet terminal services.  I
believe that AAA should provision SNMP management access as a specific
service, and therefore a RADIUS authorization for SNMP access should not
be capable of being used for packet forwarding services (or vice versa).
This is another level of authorization that would need to be exposed
beyond SSH.

We should be very careful how we do this. We do not want to tie SSHSM to RADIUS or Diameter. In order to even determine this prior to authentication (the specific SNMP subsystem request is made *after* authentication) it seems to me that a separate port is required.


Eliot

_______________________________________________
Isms mailing list
Isms at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/isms




Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.