Re: [Isms] Moving into some design/architecture issues of Extended VACM

Juergen Schoenwaelder writes...
 
> I am familiar with environments where the SNMP configuration
> is rather static and never changed unless really really really
> necessary.

I suspect that this broadly applies to the access control rules and the
"roles" that are defined by the collections of rules, i.e. the "groups".  I
think that "roles" change very infrequently, once initially debugged and
tuned, unless something in the organization changes, such as a different
division of responsibilities or some new type of equipment with new
management challenges is introduced.

I think it's fair to say that the group definitions are semi-static, and
managed by traditional SNMP access.  These definitions are certainly *not*
managed by RADIUS.

I also think it's fair to say that most organizations have only a handful of
roles / groups.  What changes most frequently is the assignment of people to
roles.  From all the postings to date, I believe we have rough consensus on
that much.

What seems to be in contention is *how* the dynamic information from RADIUS
is applied.

The issue that seems to be most contentious is whether the securityName to
groupName binding provided by RADIUS is persistent in the NAS after the
session has ended.  While this is the way SNMP works it is not the way
RADIUS works.  This is the root of the disagreement -- very different
persistence models between RADIUS provisioning and SNMP provisioning.  Each
camp naturally views the issues from their own experience base and comfort
zone.

How do we resolve this?
