Re: [Isms] WGLC: draft-ietf-isms-radius-usage-02
--On Tuesday, April 01, 2008 03:44:15 PM -0400 "David B. Nelson"
<dnelson at elbrysnetworks.com> wrote:
>> section 2 discusses PAM; how do RADIUS servers in a Windows
>> environment do this?
>
> PAM is an interface between an end-user data service (e.g. SSH) and an
> authentication service (e.g. RADIUS Client). RADIUS Servers do not come
> into the picture. PAM is common in Unix environments. I don't know what
> the equivalent is in a Windows environment.
To be fair, it is also reasonable for a RADIUS server to use PAM for
password verification, allowing any of a variety of backends to be plugged
in. But as far as the protocol is concerned, that's an implementation
detail. For that matter, the use of PAM between an SSH server and RADIUS
client is also an implementation detail. It's possible that an SSH server
uses PAM to support the password or keyboard-interactive auth methods, and
if so, it's possible that the PAM stack is configured to use RADIUS. The
fact that we mention this possibility in a couple of places does not mean
we are obligated to describe every way in which an SSH server might end up
being a RADIUS client.
I don't think any change is needed here.
>> section 2.1
>> "Specific attributes for use with SNMP Transport Models are
>> recommended in this document." I don't think this document should be
>> used to make recommendations of specific RADIUS attributes. This
>> document should simply be about how to use the management-related
>> attributes that are defined, in an SNMP environment.
>
> Huh? You want this document to describe how to use RADIUS for
> authentication and authorization of SNMP access without mentioning
> specific RADIUS attributes? I know that SNMP documentation and
> architecture is big on abstraction, models, and such. RADIUS
> documentation doesn't go in for that sort of thing, for better or worse.
> I wouldn't know where to begin...
I think I have to agree with David here. :-)
The point of this document is to describe how to use RADIUS to authorize
SNMP access. I don't see how we can do that without indicating which
RADIUS attributes are used for that purpose and what they mean. We could
write a document which describes some abstraction for allowing SNMP
applications to see whatever attributes happened to be provided by the
RADIUS server, but I don't think that would accomplish our goal for this
document.
>> I don't think SNMP has anything to do with this, and there is no
>> place in the ISMS architecture to specify these values.
>
> There may not be a place in the ISMS architecture. However, RADIUS has a
> long history of provisioning limits on the services that it authorizes, so
> it seemed natural to continue this practice with SNMP.
I agree. Note that the SNMP architecture doesn't necessarily need to have
any place to specify these limits. This can be handled entirely at the SSH
layer. And yes, I do think this document is the right place to discuss
such things.
-- Jeff
Isms mailing list
Isms at ietf.org
https://www.ietf.org/mailman/listinfo/isms