Re: [Isms] Moving into some design/architecture issues of Extended VACM
On Tue, Jun 16, 2009 at 07:34:27AM +0200, Randy Presuhn wrote:
> As a matter of sanity, we have to assume that what the security
> administrator tells RADIUS to do is the same as what he wants the
> SNMP-alone policy to be. If they're at odds, he's got a bigger
> problem than we can solve here.
If we make this assumption, why then have RADIUS at all?

I am familiar with environments where the SNMP configuration is rather
static and never changed unless really really really necessary. In
particular, nobody wants to configure a number of SNMP agents just
because a single user needs to be added/removed. But people are much
more happy to do this via a centralized (RADIUS) mechanism. In other
words, in such environments, the SNMP static access policy is by
definition different from the RADIUS access policy. For these
environments, making the assumption that the RADIUS and static SNMP
access policy are essentially the same except during transitional
update periods is a non starter since I still have to update a number
of SNMP agents - so there is really no win in having RADIUS involved.
/js
--
Juergen Schoenwaelder Jacobs University Bremen gGmbH
Phone: +49 421 200 3587 Campus Ring 1, 28759 Bremen, Germany
Fax: +49 421 200 3103 <http://www.jacobs-university.de/>
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.