Minutes of the Terminal Server Accounting and Authentication BOF (TERMACCT)
23rd IETF, San Diego, CA
Reported by Larry J. Blunk

Discussion began with the distinguishing features of a Network Access Server (NAS). The concept of a NAS is considered to be an abstraction. For example, a Unix host with async ports could very well be considered a NAS. The difference between a NAS and a router is the notion of session-based services which can be authenticated and authorized.

It was questioned whether the Authentication, Authorization, and Accounting (AAA) servers would be running as separate servers or perhaps in the NAS itself. Again, the concept of AAA servers was viewed as a logical abstraction. The AAA servers could indeed be separate or in fact all run on the same machine.

Mention was made of the possibility of providing for interdomain AAA services. Some thought that this should be of primary concern in the design process. The DNS was used as an example of a hierarchical domain of servers.

Propagation of authentication information was discussed. It would be desirable not to have to re-authenticate the user for each service requested.

There were questions asked concerning how Kerberos could be used as the authentication mechanism. While it would work fine for dumb terminals and PPP's PAP protocol, PPP's CHAP protocol presents difficulties.

There was discussion of authorization and how configuration parameters are retrieved. Authorization needs to be kept distinct from configuration. Authorization information could be retrieved using a query and response mechanism or all at once. This is an implementation issue.

The purpose of a NAS Working Group was discussed. Should it define the necessary standards, or use a liaison structure (similar to the Security Working Group)? While authentication and accounting are currently being addressed, there are no groups currently working on authorization. This is a big issue. A NAS Working Group could specify NAS-specific authorization, but it would be desirable to make it extensible rather than limit it to NAS use only.

Some discussion was given to providing a mechanism for a common user interface. It was generally agreed that this would be outside the scope of the group.

There was some speculation that the requirements for dumb terminal access and framed serial line services differed substantially enough to warrant independent sub-groups. However, there were many who thought that there was enough common overlap to require a single group. The name NAAAG was suggested as a possible acronym for the group.

The consensus of the BOF was that a NAS Working Group is needed and that the requirements document needs to be further refined. It was also mentioned that those areas outside the scope of the Working Group should be defined. There is also a need for communication and coordination with existing Working Groups.
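The PAP-versus-CHAP difficulty noted in the Kerberos discussion above comes down to what the NAS receives from the peer. Under PAP the NAS is handed the user's password, which it can forward to whatever backend (Kerberos or otherwise) it likes. Under CHAP (RFC 1994, MD5 variant) the NAS only receives MD5(Identifier || secret || Challenge), so the verifier must itself hold the peer's cleartext secret to recompute the expected value; a backend that checks a password without ever disclosing it cannot do that. The following Python is an added illustration, not part of the minutes or of any NAS implementation; the usernames, secrets and challenge bytes are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample values (not from the minutes).
CHAP_IDENTIFIER = 0x2A
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")

# Cleartext secret store: what a CHAP authenticator needs to hold.
CLEARTEXT_SECRETS = {"alice": b"alice-example-secret"}

# Password-checking backend that never reveals the password (a stand-in
# for a Kerberos-style authentication service). It can answer "is this
# password right?" but cannot hand the cleartext back to the NAS.
_BACKEND_VERIFIERS = {"alice": hashlib.sha256(b"alice-example-secret").digest()}


def backend_check_password(username: str, password: bytes) -> bool:
    """Yes/no password check; the backend exposes no secret material."""
    digest = _BACKEND_VERIFIERS.get(username)
    if digest is None:
        return False
    return hmac.compare_digest(digest, hashlib.sha256(password).digest())


def pap_authenticate(username: str, password: bytes) -> bool:
    """PAP: the NAS receives the password itself and can delegate the check."""
    return backend_check_password(username, password)


def chap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_authenticate(username: str, identifier: int, challenge: bytes,
                      response: bytes) -> bool:
    """CHAP authenticator: recompute the response from the stored cleartext secret."""
    secret = CLEARTEXT_SECRETS.get(username)
    if secret is None:
        return False
    expected = chap_md5_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_can_delegate_to_backend(username: str, identifier: int,
                                 challenge: bytes, response: bytes) -> bool:
    """Show why CHAP cannot be delegated to a password-only backend.

    The NAS holds only the 16-byte response, not a password, so there is
    nothing it can submit to backend_check_password(). Without the
    cleartext secret on the NAS side, verification is impossible.
    """
    # The response is not the password; feeding it to the backend fails.
    return backend_check_password(username, response)


def new_challenge(length: int = 16) -> bytes:
    """Fresh unpredictable challenge per session, as CHAP requires."""
    return os.urandom(length)


if __name__ == "__main__":
    peer_response = chap_md5_response(CHAP_IDENTIFIER, b"alice-example-secret", CHALLENGE)
    print("PAP via backend:", pap_authenticate("alice", b"alice-example-secret"))
    print("CHAP via local secret:", chap_authenticate("alice", CHAP_IDENTIFIER, CHALLENGE, peer_response))
    print("CHAP via backend:", chap_can_delegate_to_backend("alice", CHAP_IDENTIFIER, CHALLENGE, peer_response))
```

The per-challenge response is what buys CHAP its replay resistance over PAP; the price is that the authenticator, or something it can query for the cleartext secret, must exist on the NAS side of the design.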