< draft-ietf-isms-radius-vacm-10.txt   draft-ietf-isms-radius-vacm-11.txt >
Network Working Group K. Narayan Network Working Group K. Narayan
Internet-Draft Cisco Systems, Inc. Internet-Draft Cisco Systems, Inc.
Intended status: Standards Track D. Nelson Intended status: Standards Track D. Nelson
Expires: March 4, 2011 Elbrys Networks, Inc. Expires: March 18, 2011 Elbrys Networks, Inc.
R. Presuhn, Ed. R. Presuhn, Ed.
None None
August 31, 2010 September 14, 2010
Using Authentication, Authorization, and Accounting services to Using Authentication, Authorization, and Accounting services to
Dynamically Provision View-based Access Control Model User-to-Group Dynamically Provision View-based Access Control Model User-to-Group
Mappings Mappings
draft-ietf-isms-radius-vacm-10.txt draft-ietf-isms-radius-vacm-11.txt
Abstract Abstract
This memo defines a portion of the Management Information Base (MIB) This memo defines a portion of the Management Information Base (MIB)
for use with network management protocols. It describes the use of for use with network management protocols. It describes the use of
information provided by Authentication, Authorization, and Accounting information provided by Authentication, Authorization, and Accounting
(AAA) services, such as the Remote Authentication Dial-In User (AAA) services, such as the Remote Authentication Dial-In User
Service (RADIUS), to dynamically update user-to-group mappings in the Service (RADIUS), to dynamically update user-to-group mappings in the
View-Based Access Control Model (VACM). View-Based Access Control Model (VACM).
skipping to change at page 1, line 40 skipping to change at page 1, line 40
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 4, 2011. This Internet-Draft will expire on March 18, 2011.
Copyright Notice Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 5, line 18 skipping to change at page 5, line 18
1. a communications channel 1. a communications channel
2. an authenticated principal 2. an authenticated principal
3. service authorization 3. service authorization
4. an access control policy name 4. an access control policy name
Some of the binding is done via other specifications. A transport Some of the binding is done via other specifications. A transport
model, such as the Secure Shell Transport Model [RFC5592], provides a model, such as the Secure Shell Transport Model [RFC5592], provides a
binding between 1) and 2) and 3), providing a SecurityName. In turn, binding between 1) and 2) and 3), providing a securityName. In turn,
[RFC5607] provides a binding between (1+2+3) and 4). This document [RFC5607] provides a binding between (1+2+3) and 4). This document
extends that further, to create a binding between (1+2+3+4) and the extends that further, to create a binding between (1+2+3+4) and the
local (VACM MIB) definition of the named policy, called a group in local (VACM MIB) definition of the named policy, called a group in
VACM. VACM.
4.2. Applicability 4.2. Applicability
Though this memo was motivated to support the use of specific Though this memo was motivated to support the use of specific
Transport Models, such as the Secure Shell Transport Model [RFC5592], Transport Models, such as the Secure Shell Transport Model [RFC5592],
it MAY be used with other implementation environments satisfying it MAY be used with other implementation environments satisfying
skipping to change at page 6, line 48 skipping to change at page 6, line 48
this MIB module. this MIB module.
6.2. MIB modules required for IMPORTS 6.2. MIB modules required for IMPORTS
This MIB module employs definitions from [RFC2578], [RFC2579] and This MIB module employs definitions from [RFC2578], [RFC2579] and
[RFC3411]. [RFC3411].
6.3. Documents required for REFERENCE clauses 6.3. Documents required for REFERENCE clauses
This MIB module contains REFERENCE clauses making reference to This MIB module contains REFERENCE clauses making reference to
[RFC2865], [RFC3411], [RFC5590], and [RFC5592], [RFC2865], [RFC3411], and [RFC5590].
7. Elements of Procedure 7. Elements of Procedure
The following elements of procedure are formulated in terms of two The following elements of procedure are formulated in terms of two
types of events: an indication of the establishment of a session, and types of events: an indication of the establishment of a session, and
an indication that one has ended. These can result in the creation an indication that one has ended. These can result in the creation
of entries in the vacmAaaSecurityToGroupTable, which can in turn of entries in the vacmAaaSecurityToGroupTable, which can in turn
trigger creation, update, or deletion of entries in the trigger creation, update, or deletion of entries in the
vacmSecurityToGroupTable. vacmSecurityToGroupTable.
skipping to change at page 7, line 34 skipping to change at page 7, line 34
coordinates session establishment with AAA authentication and coordinates session establishment with AAA authentication and
authorization. They rely on the receipt by the AAA client of the authorization. They rely on the receipt by the AAA client of the
RADIUS Management-Policy-Id [RFC5607] Attribute (or its equivalent) RADIUS Management-Policy-Id [RFC5607] Attribute (or its equivalent)
from the RADIUS Access-Accept message (or equivalent). They also from the RADIUS Access-Accept message (or equivalent). They also
assume that the User-Name [RFC2865] from the RADIUS Access-Request assume that the User-Name [RFC2865] from the RADIUS Access-Request
message (or equivalent) corresponds to a securityName [RFC3411]. message (or equivalent) corresponds to a securityName [RFC3411].
To ensure correct processing of SNMP PDUs, the handling of the To ensure correct processing of SNMP PDUs, the handling of the
indication of the establishment of a session in accordance with the indication of the establishment of a session in accordance with the
elements of procedure below MUST be completed before the elements of procedure below MUST be completed before the
IsAccessAllowed() abstract service interface [RFC3415] is invoked for isAccessAllowed() abstract service interface [RFC3415] is invoked for
any SNMP PDUs from that session. any SNMP PDUs from that session.
If a session termination indication occurs before all invocations of If a session termination indication occurs before all invocations of
the IsAccessAllowed() abstract service interface [RFC3415] have the isAccessAllowed() abstract service interface [RFC3415] have
completed for all SNMP PDUs from that session, those remaining completed for all SNMP PDUs from that session, those remaining
invocations MAY result in denial of access. invocations MAY result in denial of access.
7.2. Actions Upon Session Establishment Indication 7.2. Actions Upon Session Establishment Indication
7.2.1. Required Information 7.2.1. Required Information
Four pieces of information are needed to process the session Four pieces of information are needed to process the session
establishment indication: establishment indication:
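Review bot: the case change to isAccessAllowed() in both paragraphs is correct and worth keeping; RFC 3415 section 3.1 defines the abstract service interface with that lowercase spelling, and since the MUST in the first paragraph (session-establishment processing completes before any isAccessAllowed() call for that session) is the ordering guarantee that makes the dynamic mapping safe, the identifier should match what implementers will look up in RFC 3415. No further change needed.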
skipping to change at page 9, line 18 skipping to change at page 9, line 18
7.2.4. Update of vacmGroupName 7.2.4. Update of vacmGroupName
Whenever the value of an instance of vacmAaaGroupName is updated, if Whenever the value of an instance of vacmAaaGroupName is updated, if
a corresponding entry exists in the vacmSecurityToGroupTable, and a corresponding entry exists in the vacmSecurityToGroupTable, and
that entry's StorageType is "volatile" and its RowStatus is "active", that entry's StorageType is "volatile" and its RowStatus is "active",
update the value of vacmGroupName with the value from update the value of vacmGroupName with the value from
vacmAaaGroupName. vacmAaaGroupName.
If a corresponding entry already exists in the If a corresponding entry already exists in the
vacmSecurityToGroupTable, and the row's StorageType is anything other vacmSecurityToGroupTable, and that row's StorageType is anything
than "volatile", or the RowStatus is anything other than "active", other than "volatile", or its RowStatus is anything other than
then a role (group) mapping for this user (principal) has already "active", then that instance of vacmGroupName MUST NOT be modified.
been put in place on this system, and will not be overridden.
The operational assumption here is that if the row's StorageType is The operational assumption here is that if the row's StorageType is
"volatile", then this entry was probably dynamically created; an "volatile", then this entry was probably dynamically created; an
entry created by a security administrator would not normally be given entry created by a security administrator would not normally be given
a StorageType of "volatile". If value being provided by RADIUS (or a StorageType of "volatile". If value being provided by RADIUS (or
other AAA service) is the same as what is already there, this is a other AAA service) is the same as what is already there, this is a
no-op. If the value is different, the new information is understood no-op. If the value is different, the new information is understood
as a more recent role (group) assignment for the user, which should as a more recent role (group) assignment for the user, which should
supersede the one currently held there. The structure of the supersede the one currently held there. The structure of the
vacmSecurityToGroupTable makes it impossible for a vacmSecurityToGroupTable makes it impossible for a
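Review bot: replacing the descriptive sentence with "that instance of vacmGroupName MUST NOT be modified" turns the non-override behaviour into a testable requirement, which is the right call: it is the guard that stops an AAA-supplied Management-Policy-Id from rewriting a non-volatile or non-active row that an administrator configured. Two points on the surrounding context: the unchanged sentence "If value being provided by RADIUS (or other AAA service) is the same as what is already there" is missing "the" before "value", and the rationale paragraph that follows still explains why volatile rows are treated as dynamically created, so it reads correctly after the new normative sentence.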
skipping to change at page 10, line 20 skipping to change at page 10, line 19
Whenever the last remaining row bearing a particular Whenever the last remaining row bearing a particular
(vacmAaaSecurityModel, vacmAaaSecurityName) pair is deleted from the (vacmAaaSecurityModel, vacmAaaSecurityName) pair is deleted from the
vacmAaaSecurityToGroupTable, the vacmSecurityToGroupTable is examined vacmAaaSecurityToGroupTable, the vacmSecurityToGroupTable is examined
for a corresponding row. If one exists, and if its StorageType is for a corresponding row. If one exists, and if its StorageType is
"volatile" and its RowStatus is "active", that row MUST be deleted as "volatile" and its RowStatus is "active", that row MUST be deleted as
well. The mechanism to accomplish this task is implementation- well. The mechanism to accomplish this task is implementation-
dependent. dependent.
8. Definitions 8. Definitions
VACM-AAA-MIB DEFINITIONS ::= BEGIN SNMP-VACM-AAA-MIB DEFINITIONS ::= BEGIN
IMPORTS IMPORTS
MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF MODULE-COMPLIANCE, OBJECT-GROUP FROM SNMPv2-CONF
MODULE-IDENTITY, OBJECT-TYPE, MODULE-IDENTITY, OBJECT-TYPE,
mib-2, mib-2,
Unsigned32 FROM SNMPv2-SMI Unsigned32 FROM SNMPv2-SMI
SnmpAdminString, SnmpAdminString,
SnmpSecurityModel FROM SNMP-FRAMEWORK-MIB; SnmpSecurityModel FROM SNMP-FRAMEWORK-MIB;
vacmAaaMIB MODULE-IDENTITY vacmAaaMIB MODULE-IDENTITY
LAST-UPDATED "201008300000Z" -- 30 August, 2010 LAST-UPDATED "201009010000Z" -- 1 September, 2010
ORGANIZATION "ISMS Working Group" ORGANIZATION "ISMS Working Group"
CONTACT-INFO "WG-email: isms@ietf.org" CONTACT-INFO "WG-email: isms@ietf.org"
DESCRIPTION "The management and local datastore information DESCRIPTION "The management and local datastore information
definitions for the AAA-Enabled View-based Access definitions for the AAA-Enabled View-based Access
Control Model for SNMP. Control Model for SNMP.
Copyright (c) 2010 IETF Trust and the persons Copyright (c) 2010 IETF Trust and the persons
identified as the document authors. All rights identified as the document authors. All rights
reserved. reserved.
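Review bot: renaming the module to SNMP-VACM-AAA-MIB must be carried through wherever the module name appears outside this hunk (the IANA considerations registration and any prose in Section 6 that names the module), since the diff only shows the DEFINITIONS line changing; within the hunk, the updated LAST-UPDATED value 201009010000Z agrees with the REVISION clause that follows, as RFC 2578 requires for the most recent revision.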
skipping to change at page 11, line 5 skipping to change at page 11, line 4
identified as the document authors. All rights identified as the document authors. All rights
reserved. reserved.
Redistribution and use in source and binary forms, Redistribution and use in source and binary forms,
with or without modification, is permitted pursuant with or without modification, is permitted pursuant
to, and subject to the license terms contained in, to, and subject to the license terms contained in,
the Simplified BSD License set forth in Section the Simplified BSD License set forth in Section
4.c of the IETF Trust's Legal Provisions Relating 4.c of the IETF Trust's Legal Provisions Relating
to IETF Documents to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this MIB module is part of RFC XXXX; This version of this MIB module is part of RFC XXXX;
see the RFC itself for full legal notices." see the RFC itself for full legal notices."
REVISION "201008300000Z" REVISION "201009010000Z"
DESCRIPTION "Initial version, published as RFC XXXX." DESCRIPTION "Initial version, published as RFC XXXX."
::= { mib-2 XXX } ::= { mib-2 XXX }
-- RFC Ed.: replace XXX with IANA-assigned number & remove this note -- RFC Ed.: replace XXX with IANA-assigned number & remove this note
-- RFC Ed.: replace XXXX with the RFC number & remove this note -- RFC Ed.: replace XXXX with the RFC number & remove this note
vacmAaaMIBObjects OBJECT IDENTIFIER ::= { vacmAaaMIB 1 } vacmAaaMIBObjects OBJECT IDENTIFIER ::= { vacmAaaMIB 1 }
vacmAaaMIBConformance OBJECT IDENTIFIER ::= { vacmAaaMIB 2 } vacmAaaMIBConformance OBJECT IDENTIFIER ::= { vacmAaaMIB 2 }
vacmAaaSecurityToGroupTable OBJECT-TYPE vacmAaaSecurityToGroupTable OBJECT-TYPE
SYNTAX SEQUENCE OF VacmAaaSecurityToGroupEntry SYNTAX SEQUENCE OF VacmAaaSecurityToGroupEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION "This table provides a listing of all currently active DESCRIPTION "This table provides a listing of all currently active
sessions for which a mapping of the combination of sessions for which a mapping of the combination of
SnmpSecurityModel and securityName into a the name of SnmpSecurityModel and securityName into the name of
a VACM group which has been provided by an AAA service. a VACM group which has been provided by an AAA service.
The group name (in VACM) in turn identifies an access The group name (in VACM) in turn identifies an access
control policy to be used for the corresponding control policy to be used for the corresponding
principals." principals."
REFERENCE "RFC 3411 section 3.2.2 defines securityName" REFERENCE "RFC 3411 section 3.2.2 defines securityName"
::= { vacmAaaMIBObjects 1 } ::= { vacmAaaMIBObjects 1 }
vacmAaaSecurityToGroupEntry OBJECT-TYPE vacmAaaSecurityToGroupEntry OBJECT-TYPE
SYNTAX VacmAaaSecurityToGroupEntry SYNTAX VacmAaaSecurityToGroupEntry
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION "An entry in this table maps the combination of a DESCRIPTION "An entry in this table maps the combination of a
SnmpSecurityModel and securityName into a the name SnmpSecurityModel and securityName into the name
of a VACM group defining the access control policy of a VACM group defining the access control policy
which is to govern a particular session. which is to govern a particular session.
Each entry corresponds to a session. Each entry corresponds to a session.
Entries do not persist across reboots. Entries do not persist across reboots.
An entry is created whenever an indication occurs An entry is created whenever an indication occurs
that a new session has been established that would that a new session has been established that would
not have the same index values as an existing entry. not have the same index values as an existing entry.
When a session is torn down, disconnected, timed out When a session is torn down, disconnected, timed out
(e.g., following the RADIUS Session-Timeout Attribute), (e.g., following the RADIUS Session-Timeout Attribute),
or otherwise terminated for any reason, the or otherwise terminated for any reason, the
corresponding vacmAaaSecurityToGroupEntry is deleted." corresponding vacmAaaSecurityToGroupEntry is deleted."
REFERENCE "RFC 3411 section 3.2.2 defines securityName"
INDEX { INDEX {
vacmAaaSecurityModel, vacmAaaSecurityModel,
vacmAaaSecurityName, vacmAaaSecurityName,
vacmAaaSessionID vacmAaaSessionID
} }
REFERENCE "RFC 3411 section 3.2.2 defines securityName"
::= { vacmAaaSecurityToGroupTable 1 } ::= { vacmAaaSecurityToGroupTable 1 }
VacmAaaSecurityToGroupEntry ::= SEQUENCE VacmAaaSecurityToGroupEntry ::= SEQUENCE
{ {
vacmAaaSecurityModel SnmpSecurityModel, vacmAaaSecurityModel SnmpSecurityModel,
vacmAaaSecurityName SnmpAdminString, vacmAaaSecurityName SnmpAdminString,
vacmAaaSessionID Unsigned32, vacmAaaSessionID Unsigned32,
vacmAaaGroupName SnmpAdminString vacmAaaGroupName SnmpAdminString
} }
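Review bot: moving the REFERENCE clause ahead of INDEX in vacmAaaSecurityToGroupEntry is a necessary fix rather than a cosmetic one; the OBJECT-TYPE macro in RFC 2578 orders DESCRIPTION, then REFERENCE, then INDEX, so the previous placement after INDEX would be rejected by a strict SMIv2 compiler. The "into a the name" correction in both DESCRIPTION clauses is fine as well.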
skipping to change at page 13, line 4 skipping to change at page 12, line 51
::= { vacmAaaSecurityToGroupEntry 2 } ::= { vacmAaaSecurityToGroupEntry 2 }
vacmAaaSessionID OBJECT-TYPE vacmAaaSessionID OBJECT-TYPE
SYNTAX Unsigned32 SYNTAX Unsigned32
MAX-ACCESS not-accessible MAX-ACCESS not-accessible
STATUS current STATUS current
DESCRIPTION "An implementation-dependent identifier of the session. DESCRIPTION "An implementation-dependent identifier of the session.
This value MUST be unique among all currently open This value MUST be unique among all currently open
sessions of all of this SNMP engine's transport models. sessions of all of this SNMP engine's transport models.
The value has no particular significance other than to The value has no particular significance other than to
distinguish sessions. distinguish sessions.
Implementations in which tmSessionID has a compatible Implementations in which tmSessionID has a compatible
syntax and is unique across all transport models MAY syntax and is unique across all transport models MAY
use that value." use that value."
REFERENCE "The abstract service interface parameter tmSessionID REFERENCE "The abstract service interface parameter tmSessionID
is defined in RFC 5590 section 5.2.4 and RFC 5592 is defined in RFC 5590 section 5.2.4."
section 4.1.2"
::= { vacmAaaSecurityToGroupEntry 3 } ::= { vacmAaaSecurityToGroupEntry 3 }
vacmAaaGroupName OBJECT-TYPE vacmAaaGroupName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE(1..32)) SYNTAX SnmpAdminString (SIZE(1..32))
MAX-ACCESS read-only MAX-ACCESS read-only
STATUS current STATUS current
DESCRIPTION "The name of the group to which this entry is to belong. DESCRIPTION "The name of the group to which this entry is to belong.
In RADIUS environments this comes from the RADIUS In RADIUS environments this comes from the RADIUS
Management-Policy-Id Attribute. Management-Policy-Id Attribute.
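Review bot: dropping the RFC 5592 section 4.1.2 citation from the tmSessionID REFERENCE clause is consistent with Section 6.3 no longer listing RFC 5592 among the documents required for REFERENCE clauses; RFC 5590 section 5.2.4 is where the tmSessionID parameter is defined, so the remaining pointer is sufficient for the MAY in the DESCRIPTION that lets implementations reuse that value, provided it stays unique across all transport models as the text requires.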
skipping to change at page 17, line 44 skipping to change at page 17, line 44
o Glenn Keeni o Glenn Keeni
o Jari Arkko o Jari Arkko
o Joel Jaeggli o Joel Jaeggli
o Magnus Nystroem o Magnus Nystroem
o Mike Heard o Mike Heard
o Robert Story
o Russ Housley o Russ Housley
o Sean Turner o Sean Turner
o Tim Polk o Tim Polk
12. References 12. References
12.1. Normative References 12.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J. [RFC2578] McCloghrie, K., Ed., Perkins, D., Ed., and J.
Schoenwaelder, Ed., "Structure of Management Information Schoenwaelder, Ed., "Structure of Management Information
Version 2 (SMIv2)", STD 58, RFC 2578, April 1999. Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.
[RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J. [RFC2579] McCloghrie, K., Ed., Perkins, D., Ed., and J.
skipping to change at page 18, line 39 skipping to change at page 18, line 42
[RFC3415] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based [RFC3415] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
Access Control Model (VACM) for the Simple Network Access Control Model (VACM) for the Simple Network
Management Protocol (SNMP)", STD 62, RFC 3415, Management Protocol (SNMP)", STD 62, RFC 3415,
December 2002. December 2002.
[RFC5590] Harrington, D. and J. Schoenwaelder, "Transport Subsystem [RFC5590] Harrington, D. and J. Schoenwaelder, "Transport Subsystem
for the Simple Network Management Protocol (SNMP)", for the Simple Network Management Protocol (SNMP)",
RFC 5590, June 2009. RFC 5590, June 2009.
[RFC5592] Harrington, D., Salowey, J., and W. Hardaker, "Secure
Shell Transport Model for the Simple Network Management
Protocol (SNMP)", RFC 5592, June 2009.
[RFC5607] Nelson, D. and G. Weber, "Remote Authentication Dial-In [RFC5607] Nelson, D. and G. Weber, "Remote Authentication Dial-In
User Service (RADIUS) Authorization for Network Access User Service (RADIUS) Authorization for Network Access
Server (NAS) Management", RFC 5607, July 2009. Server (NAS) Management", RFC 5607, July 2009.
[RFC5608] Narayan, K. and D. Nelson, "Remote Authentication Dial-In [RFC5608] Narayan, K. and D. Nelson, "Remote Authentication Dial-In
User Service (RADIUS) Usage for Simple Network Management User Service (RADIUS) Usage for Simple Network Management
Protocol (SNMP) Transport Models", RFC 5608, August 2009. Protocol (SNMP) Transport Models", RFC 5608, August 2009.
12.2. Informative References 12.2. Informative References
[RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart, [RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
"Introduction and Applicability Statements for Internet- "Introduction and Applicability Statements for Internet-
Standard Management Framework", RFC 3410, December 2002. Standard Management Framework", RFC 3410, December 2002.
[RFC5592] Harrington, D., Salowey, J., and W. Hardaker, "Secure
Shell Transport Model for the Simple Network Management
Protocol (SNMP)", RFC 5592, June 2009.
Authors' Addresses Authors' Addresses
Kaushik Narayan Kaushik Narayan
Cisco Systems, Inc. Cisco Systems, Inc.
10 West Tasman Drive 10 West Tasman Drive
San Jose, CA 95134 San Jose, CA 95134
USA USA
Phone: +1 408-526-8168 Phone: +1 408-526-8168
Email: kaushik_narayan@yahoo.com Email: kaushik_narayan@yahoo.com
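Review bot: moving [RFC5592] from Normative to Informative References is consistent with its removal from the Section 6.3 list and from the vacmAaaSessionID REFERENCE clause; the remaining uses in Sections 4.1 and 4.2 cite the Secure Shell Transport Model only as an example of a transport model, so no normative dependency on RFC 5592 remains and the reclassification is correct.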
 End of changes. 23 change blocks. 
26 lines changed or deleted 26 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/