Re: [Isms] Moving into some design / architecture issues of ExtendedVACM

To: Juergen Schoenwaelder <j.schoenwaelder at jacobs-university.de>, Dave Nelson <d.b.nelson at comcast.net>
Subject: Re: [Isms] Moving into some design / architecture issues of ExtendedVACM
From: kaushik <kaushik at cisco.com>
Date: Mon, 15 Jun 2009 17:33:25 -0700
Authentication-results: sj-dkim-4; header.From=kaushik at cisco.com; dkim=pass ( sig from cisco.com/sjdkim4002 verified; );
Cc: "isms at ietf.org" <isms at ietf.org>
Delivered-to: isms at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; l=1594; t=1245112414; x=1245976414; c=relaxed/simple; s=sjdkim4002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=kaushik at cisco.com; z=From:=20kaushik=20<kaushik at cisco.com> |Subject:=20Re=3A=20[Isms]=20Moving=20into=20some=20design= 20/=20architecture=20issues=20of=0A=20ExtendedVACM |Sender:=20; bh=x5rmNwB4ob/ccuKmE6p16rx7WMdKvY30lPnc/EMwgpI=; b=drw1NiupskKCCmYNt+LHyGu2I31jZV2ReiZp4FHAnr4FRjWEwheI8WpgtR a5dPdiGwexFFUvR6390deKNiMlbaoRMm/Ff9m4SP+E0PIltFCNDHrrrRMWMa OEiDPGdXJA;
In-reply-to: <20090614131231.GD4106 at elstar.local>
List-archive: <http://www.ietf.org/mail-archive/web/isms>
List-help: <mailto:isms-request@ietf.org?subject=help>
List-id: Mailing list for the ISMS working group <isms.ietf.org>
List-post: <mailto:isms@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/isms>, <mailto:isms-request@ietf.org?subject=unsubscribe>
Thread-index: AcnuGg9MJxczCLBev0uf3kKaeOlnYQ==
Thread-topic: [Isms] Moving into some design / architecture issues of ExtendedVACM
User-agent: Microsoft-Entourage/12.12.0.080729

Hi Juergen,

I like the approach you have proposed to have the RADIUS user-to-group
mappings and VACM user-to-group mappings in separate tables and have a
control table to decide precedence.

Regards,
 kaushik


On 6/14/09 6:12 AM, "Juergen Schoenwaelder"
<j.schoenwaelder at jacobs-university.de> wrote:

> On Sat, Jun 13, 2009 at 07:20:12PM +0200, Dave Nelson wrote:
> 
>> Or course, there *are* some models of disparate authentication systems used
>> in a precedence relationship.  For example, consider NIS and /etc/passed as
>> used for UNIX login.  The key is that there *is* a precedence relation, and
>> you won't find NIS populating /etc/passwd with user entries.
> 
> SNMPv3 currently does not have this for authentication and it does not
> have this for authorization. To fix the multiple ACM issue, one would
> have to extend the SNMPv3 infrastructure with a table that controls
> how multiple ACMs each implementing the isAccessAllowed() ASI would
> work together. One option is of course to have priorities. If we would
> have something like this, we could have a RADIUS VACM MIB module which
> provides a security name to group name mapping based on RADIUS policy
> information and otherwise reuse VACM access rules. Then the new ACM
> control table would allow me to specify whether RADIUS takes
> precedence or not and I can have my fallback config in the VACM MIB
> that is being used when RADIUS fails.
> 
> This might be the cleanest solution. But getting this right does
> require some great deal of help of some SNMPv3 seniors...
> 
> /js

References:
- Re: [Isms] Moving into some design / architecture issues of ExtendedVACM
  - From: Juergen Schoenwaelder

Prev by Date: Re: [Isms] Moving into some design / architecture issues of ExtendedVACM
Next by Date: Re: [Isms] Moving into some design/architecture issues ofExtendedVACM
Previous by thread: Re: [Isms] Moving into some design / architecture issues of ExtendedVACM
Next by thread: Re: [Isms] Moving into some design / architecture issuesofExtendedVACM
Index(es):
- Date
- Thread

Re: [Isms] Moving into some design / architecture issues of ExtendedVACM

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.