draft-ietf-radext-management-authorization-06.txt  vs.  draft-ietf-radext-management-authorization-07.txt

Network Working Group                                          D. Nelson
Internet-Draft                                      Elbrys Networks, Inc.
Intended status: Standards Track                                G. Weber
Expires: December 2, 2009                         Individual Contributor
                                                            May 31, 2009
(previous version -06: October 10, 2008; expires April 13, 2009)

   Remote Authentication Dial-In User Service (RADIUS) Authorization for
                  Network Access Server (NAS) Management
           draft-ietf-radext-management-authorization-07.txt
Status of this Memo

This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. This document may contain material
from IETF Documents or IETF Contributions published or made publicly
available before November 10, 2008. The person(s) controlling the
copyright in some of this material may not have granted the IETF
Trust the right to allow modifications of such material outside the
IETF Standards Process. Without obtaining an adequate license from
the person(s) controlling the copyright in such materials, this
document may not be modified outside the IETF Standards Process, and
derivative works of it may not be created outside the IETF Standards
Process, except to format it for publication as an RFC or to
translate it into languages other than English.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

This Internet-Draft will expire on December 2, 2009.
Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
Abstract

This document specifies Remote Authentication Dial-In User Service
(RADIUS) attributes for authorizing management access to a Network
Access Server (NAS). Both local and remote management are supported,
with granular access rights and management privileges. Specific
provisions are made for remote management via framed management
protocols, and for management access over a secure transport
protocol.
Table of Contents

1. Terminology
2. Introduction
3. Overview
4. Domain of Applicability
5. New Values for Existing RADIUS Attributes
   5.1. Service-Type
6. New RADIUS Attributes
   6.1. Framed-Management-Protocol
   6.2. Management-Transport-Protection
   6.3. Management-Policy-Id
   6.4. Management-Privilege-Level
7. Use with Dynamic Authorization
8. Examples of attribute groupings
9. Diameter Translation Considerations
10. Table of Attributes
11. IANA Considerations
12. Security Considerations
   12.1. General Considerations
   12.2. RADIUS Proxy Operation Considerations
13. Acknowledgments
14. References
   14.1. Normative References
   14.2. Informative References
Authors' Addresses
1. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].

This document uses terminology from RFC 2865 [RFC2865], RFC 2866
[RFC2866] and RFC 5176 [RFC5176].
[skipping to change at page 5, line 5 (-06) / page 5, line 5 (-07)]
pre-provisioned on the NAS. This use of an attribute to specify use
of a pre-provisioned policy is similar to the Filter-Id (11)
Attribute defined in [RFC2865] Section 5.11.

The local application of the Management-Policy-Id (TBA-4) Attribute
within the managed entity may take the form of (a) one of an
enumeration of command privilege levels, (b) a mapping into an SNMP
Access Control Model, such as the View Based Access Control Model
(VACM) [RFC3415], or (c) some other set of management access policy
rules that is mutually understood by the managed entity and the
remote management application. Examples are given in Section 8.

The Management-Privilege-Level (TBA-5) Attribute contains an integer-
valued management privilege level indication. This attribute serves
to modify or augment the management permissions provided by the NAS-
Prompt (7) value of the Service-Type (6) Attribute, and thus applies
to CLI management.

To enable management security requirements to be specified, the
Management-Transport-Protection (TBA-3) Attribute is introduced. The
value of this attribute indicates the minimum level of secure
transport protocol protection required for the provisioning of NAS-
Prompt (7), Administrative (6) or Framed-Management (TBA-1) service.

4. Domain of Applicability

Most of the RADIUS Attributes defined in this document have broad
applicability for provisioning local and remote management access to
NAS devices. However, those attributes that provision remote access
over framed management protocols and over secure transports have
special considerations. This document does not specify details of
the integration of these protocols with a RADIUS client in the NAS
implementation. However, there are functional requirements for
correct application of framed management protocols and/or secure
transport protocols that will limit the selection of such protocols
that can be considered for use with RADIUS. Since the RADIUS user
credentials are typically obtained by the RADIUS client from the
secure transport protocol server or the framed management protocol
server, the protocol, and its implementation in the NAS, MUST support
forms of credentials that are compatible with the authentication
methods supported by RADIUS.
RADIUS currently supports the following user authentication methods,
although others may be added in the future:
o Password (RFC 2865)
o CHAP (RFC 2865)
o ARAP (RFC 2869)
o EAP (RFC 2869, RFC 3579)
o HTTP Digest (RFC 5090)
The remote management protocols selected for use in the RADIUS remote
NAS management sessions, for example those described in Section 6.1,
and the secure transport protocols selected to meet the protection
requirements, as described in Section 6.2, obviously need to support
user authentication methods that are compatible with those that exist
in RADIUS. The RADIUS authentication methods most likely usable with
these protocols are Password, CHAP and possibly HTTP Digest, with
Password being the distinct common denominator. There are many
secure transports that support other, more robust, authentication
mechanisms, such as public key. RADIUS has no support for public key
authentication, except within the context of an EAP Method. The
applicability statement for EAP indicates that it is not intended for
use as an application-layer authentication mechanism, so its use with
the mechanisms described in this document is NOT RECOMMENDED. In
some cases, Password may be the only compatible RADIUS authentication
method available.
5. New Values for Existing RADIUS Attributes
5.1. Service-Type
The Service-Type (6) Attribute is defined in Section 5.6 of RFC 2865
[RFC2865]. This document defines a new value of the Service-Type
Attribute, as follows:

   (TBA-1) Framed-Management

The semantics of the Framed-Management service are as follows:

   Framed-Management   A framed management protocol session should
                       be started on the NAS.

6. New RADIUS Attributes

This document defines four new RADIUS attributes related to
management authorization.

6.1. Framed-Management-Protocol

The Framed-Management-Protocol (TBA-2) Attribute indicates the
application-layer management protocol to be used for Framed
Management access. It MAY be used in both Access-Request and Access-
Accept packets. This attribute is used in conjunction with a
Service-Type (6) Attribute with the value of Framed-Management
(TBA-1).

It is RECOMMENDED that the NAS include an appropriately valued
Framed-Management-Protocol (TBA-2) Attribute in an Access-Request
[skipping to change at page 7, line 35 (-06) / page 8, line 35 (-07)]
      1  SNMP
      2  Web-based
      3  NETCONF
      4  FTP
      5  TFTP
      6  SFTP
      7  RCP
      8  SCP

All other values are reserved for IANA allocation subject to the
provisions of Section 11.

The acronyms used in the above table expand as follows:

o  SNMP: Simple Network Management Protocol. [RFC3411], [RFC3412],
   [RFC3413], [RFC3414], [RFC3415], [RFC3416], [RFC3417], [RFC3418]

o  Web-based: Use of an embedded web server in the NAS for management
   via a generic web browser client. The interface presented to the
   administrator may be graphical, tabular or textual. The protocol
   is HTML over HTTP. The protocol may optionally be HTML over
[skipping to change at page 8, line 32 (-06) / page 9, line 32 (-07)]
   pages) of Unix systems.

o  SCP: Secure CoPy file copy utility (Unix-based), used to transfer
   configuration files to and from the NAS. The "scp" program is a
   simple wrapper around SSH. It's basically a patched BSD Unix
   "rcp" which uses ssh to do the data transfer (instead of using
   "rcmd"). See Section 3.7, "SSH and File Transfers" of [SSH].
   Additional information on the "scp" program may typically be found
   in the online documentation ("man" pages) of Unix systems.

6.2. Management-Transport-Protection

The Management-Transport-Protection (TBA-3) Attribute specifies the
minimum level of protection that is required for a protected
transport used with the framed or non-framed management access
session. The protected transport used by the NAS MAY provide a
greater level of protection, but MUST NOT provide a lower level of
protection.

When a secure form of non-framed management access is specified, it
means that the remote terminal session is encapsulated in some form
[skipping to change at page 10, line 30 (-06) / page 11, line 30 (-07)]
Value

   The Value field is a four octet enumerated value.

      1  No-Protection
      2  Integrity-Protection
      3  Integrity-Confidentiality-Protection

All other values are reserved for IANA allocation subject to the
provisions of Section 11.

The names used in the above table are elaborated as follows:

o  No-Protection: No transport protection is required. Accept
   connections via any supported transport.

o  Integrity-Protection: The management transport MUST provide
   Integrity Protection, i.e. protection from unauthorized
   modification, using a cryptographic checksum.
[skipping to change at page 11, line 5 (-06) / page 12, line 5 (-07)]
   Protection, i.e. protection from unauthorized modification, using
   a cryptographic checksum, and protection from unauthorized
   disclosure, using encryption.

The configuration or negotiation of acceptable algorithms, modes and
credentials for the cryptographic protection mechanisms used in
implementing protected management transports is outside the scope of
this document. Many such mechanisms have standardized methods of
configuration and key management.

6.3. Management-Policy-Id

The Management-Policy-Id (TBA-4) Attribute indicates the name of the
management access policy for this user. Zero or one Management-
Policy-Id (TBA-4) Attributes MAY be sent in an Access-Accept packet.
Identifying a policy by name allows the policy to be used on
different NASes without regard to implementation details.

Multiple forms of management access rules may be expressed by the
underlying named policy, the definition of which is beyond the scope
of this document. The management access policy MAY be applied
[skipping to change at page 12, line 31 (-06) / page 13, line 31 (-07)]
   (TBA-4) for Management-Policy-Id.

Length

   >= 3

Text

   The Text field is one or more octets, and its contents are
   implementation dependent. It is intended to be human readable and
   the contents MUST NOT be parsed by the receiver; the contents can
   only be used to look up locally defined policies. It is RECOMMENDED
   that the message contain UTF-8 encoded 10646 [RFC3629] characters.

6.4. Management-Privilege-Level

The Management-Privilege-Level (TBA-5) Attribute indicates the
integer-valued privilege level to be assigned for management access
for the authenticated user. Many NASes provide the notion of
differentiated management privilege levels denoted by an integer
value. The specific access rights conferred by each value are
implementation dependent. It MAY be used in both Access-Request and
Access-Accept packets.
The mapping of integer values for this attribute to specific
collections of management access rights or permissions on the NAS is
vendor and implementation specific. Such mapping is often a user
configurable feature. It's RECOMMENDED that greater numeric values
imply greater privilege. However, it would be a mistake to assume
that this recommendation always holds.
The management access level indicated in this attribute, received in
an Access-Accept packet, MUST be applied to the session authorized by
the Access-Accept. If the NAS supports this attribute, but the
privilege level is unknown, the NAS MUST treat the Access-Accept
packet as if it had been an Access-Reject.

A summary of the Management-Privilege-Level (TBA-5) Attribute format
is shown below. The fields are transmitted from left to right.

    0                   1                   2                   3
[skipping to change at page 13, line 46 (-06) / page 15, line 8 (-07)]
privilege level.

It is NOT RECOMMENDED to use the Management-Privilege-Level (TBA-5)
Attribute in combination with a Management-Policy-Id (TBA-4)
Attribute or for management access methods other than interactive
CLI. The behavior resulting from such an overlay of management
access control provisioning is not defined by this document, and in
the absence of further specification is likely to lead to unexpected
behaviors, especially in multi-vendor environments.

7. Use with Dynamic Authorization

It is entirely OPTIONAL for the NAS management authorization
attributes specified in this document to be used in conjunction with
Dynamic Authorization extensions to RADIUS [RFC5176]. When such
usage occurs, those attributes MAY be used as listed in the Table of
Attributes in Section 10.

Some guidance on how to identify existing management sessions on a
NAS for the purposes of Dynamic Authorization is useful. The primary
session identifiers SHOULD be User-Name (1) and Service-Type (6). To
accommodate instances when that information alone does not uniquely
identify a session, a NAS supporting Dynamic Authorization SHOULD
maintain one or more internal session identifiers that can be
represented as RADIUS Attributes. Examples of such attributes
include Acct-Session-Id (44), Acct-Multi-Session-Id (50), NAS-Port
(5) or NAS-Port-Id (87). In the case of a remote management session,
[skipping to change at page 14, line 29 (-06) / page 15, line 38 (-07)]
in nature, and implementations SHOULD take care to avoid and/or
properly handle duplicate or stale values.

In order for the session identification attributes to be available to
the Dynamic Authorization Client, a NAS supporting Dynamic
Authorization for management sessions SHOULD include those session
identification attributes in the Access-Request message for each such
session. Additional discussion of session identification attribute
usage may be found in Section 3 of [RFC5176].

8. Examples of attribute groupings

1. Unprotected CLI access, via the local console, to the "super-
   user" access level:

   *  Service-Type (6) = Administrative (6)
   *  NAS-Port-Type (61) = Async (0)
   *  Management-Transport-Protection (TBA-3) = No-Protection (1)

2. Unprotected CLI access, via a remote console, to the "super-user"
   access level:
[skipping to change at page 16, line 17 (-06) / page 17, line 25 (-07)]
9. Secure web access, using a custom management access level,
   defined by a policy:

   *  Service-Type (6) = Framed-Management (TBA-1)
   *  NAS-Port-Type (61) = Virtual (5)
   *  Framed-Management-Protocol (TBA-2) = Web-based (2)
   *  Management-Transport-Protection (TBA-3) = Integrity-
      Confidentiality-Protection (3)
   *  Management-Policy-Id (TBA-4) = "Read-only web access"
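As an added illustration (not text or code from the draft), the following Python encodes grouping 9 above as RADIUS attribute TLVs and applies the NAS-side rules of Sections 6.2, 6.3 and 6.4 to it: a transport offering less than the required protection, an unknown privilege level, or an unprovisioned policy name each turn the Access-Accept into a denial, and the Management-Policy-Id text is used only as an opaque lookup key. The draft leaves the new type codes TBA, so the TBA_* and FRAMED_MANAGEMENT constants are placeholders chosen here, and the fail-closed handling of an unknown policy name is this example's choice.

```python
"""Added example (not from the draft): RADIUS TLV encoding of the management
authorization attributes and the NAS-side rules of Sections 6.2-6.4, applied
to grouping 9 of Section 8. TBA_* and FRAMED_MANAGEMENT are placeholders."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

SERVICE_TYPE, NAS_PORT_TYPE = 6, 61     # RFC 2865 attribute types
ADMINISTRATIVE, NAS_PROMPT = 6, 7       # existing Service-Type values
FRAMED_MANAGEMENT = 100                 # TBA-1 placeholder (Service-Type value)
TBA_FRAMED_MGMT_PROTOCOL = 200          # TBA-2 placeholder (attribute type)
TBA_TRANSPORT_PROTECTION = 201          # TBA-3 placeholder
TBA_POLICY_ID = 202                     # TBA-4 placeholder
TBA_PRIVILEGE_LEVEL = 203               # TBA-5 placeholder
FRAMED_PROTOCOLS = {1: "SNMP", 2: "Web-based", 3: "NETCONF", 4: "FTP",
                    5: "TFTP", 6: "SFTP", 7: "RCP", 8: "SCP"}   # Section 6.1
NO_PROTECTION, INTEGRITY, INTEGRITY_CONFIDENTIALITY = 1, 2, 3   # Section 6.2


def encode_attr(attr_type: int, value: Union[int, str]) -> bytes:
    """TLV: Type, Length (header included), Value; ints are 4 octets, Text UTF-8."""
    payload = (struct.pack("!I", value) if isinstance(value, int)
               else value.encode("utf-8"))
    if not 1 <= len(payload) <= 253:    # Length >= 3 and fits one octet
        raise ValueError("attribute value length out of range")
    return struct.pack("!BB", attr_type, len(payload) + 2) + payload


def parse_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    """Split a run of TLVs, rejecting truncated or undersized attributes."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 3 or i + length > len(data):
            raise ValueError(f"bad length {length} for type {attr_type}")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(accept_attrs: bytes, offered_protection: int,
              local_policies: Dict[str, str], known_levels: range) -> Decision:
    """Apply an Access-Accept to a management session on the NAS.
    offered_protection: level (1..3) the transport really provides, known to
    the NAS, not the server; known_levels: privilege levels the NAS implements."""
    found = dict(parse_attrs(accept_attrs))

    def as_int(attr_type: int) -> Optional[int]:
        raw = found.get(attr_type)
        if raw is None:
            return None
        if len(raw) != 4:
            raise ValueError(f"type {attr_type}: value must be 4 octets")
        return struct.unpack("!I", raw)[0]

    # 6.2: the transport MAY exceed, but MUST NOT fall below, the minimum.
    required = as_int(TBA_TRANSPORT_PROTECTION)
    if required is not None and offered_protection < required:
        return Decision(False, f"transport protection {offered_protection} "
                               f"is below the required minimum {required}")
    # 6.4: a supported but unknown level turns the Accept into a Reject.
    level = as_int(TBA_PRIVILEGE_LEVEL)
    if level is not None and level not in known_levels:
        return Decision(False, f"unknown Management-Privilege-Level {level}")
    # 6.3: Text is opaque, only a key into local policies; an unprovisioned
    # name fails closed (this example's choice, not stated by the draft).
    raw_policy = found.get(TBA_POLICY_ID)
    policy = raw_policy.decode("utf-8", "replace") if raw_policy else None
    if policy is not None and policy not in local_policies:
        return Decision(False, f"no local policy named {policy!r}")
    service = as_int(SERVICE_TYPE)
    if service == FRAMED_MANAGEMENT:
        proto = as_int(TBA_FRAMED_MGMT_PROTOCOL)
        if proto not in FRAMED_PROTOCOLS:
            return Decision(False, f"unknown Framed-Management-Protocol {proto}")
        what = FRAMED_PROTOCOLS[proto] + " session"
    elif service in (ADMINISTRATIVE, NAS_PROMPT):
        what = f"CLI session, privilege level {level}"
    else:
        return Decision(False, f"Service-Type {service} is not management")
    if policy is not None:
        what += f" under local policy {local_policies[policy]!r}"
    return Decision(True, what)


def example_9_accept() -> bytes:
    """Attribute grouping 9 from Section 8 of the draft, encoded as TLVs."""
    return b"".join([
        encode_attr(SERVICE_TYPE, FRAMED_MANAGEMENT),
        encode_attr(NAS_PORT_TYPE, 5),                  # Virtual (5)
        encode_attr(TBA_FRAMED_MGMT_PROTOCOL, 2),       # Web-based (2)
        encode_attr(TBA_TRANSPORT_PROTECTION, INTEGRITY_CONFIDENTIALITY),
        encode_attr(TBA_POLICY_ID, "Read-only web access"),
    ])
```

Running `authorize(example_9_accept(), INTEGRITY, {"Read-only web access": "web-ro"}, range(16))` denies the session because an integrity-only transport is below the required Integrity-Confidentiality-Protection, while the same Accept over a level-3 transport is granted.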
9. Diameter Translation Considerations

When used in Diameter, the attributes defined in this specification
can be used as Diameter AVPs from the Code space 1-255 (RADIUS
attribute compatibility space). No additional Diameter Code values
are therefore allocated. The data types and flag rules for the
attributes are as follows:
                                   +------------------------------+
                                   |        AVP Flag rules        |
                                   |----+-----+--------+-----+----|
                                   |    |     | SHOULD | MUST|    |
Attribute Name          Value Type |MUST| MAY |  NOT   | NOT |Encr|
-----------------------------------|----+-----+--------+-----+----|
Service-Type (new value)           |    |     |        |     |    |
                        Enumerated | M  |  P  |        |  V  | Y  |
Framed-Management-Protocol         |    |     |        |     |    |
                        Enumerated | M  |  P  |        |  V  | Y  |
Management-Transport-Protection    |    |     |        |     |    |
                        Enumerated | M  |  P  |        |  V  | Y  |
Management-Policy-Id               |    |     |        |     |    |
                        UTF8String | M  |  P  |        |  V  | Y  |
Management-Privilege-Level         |    |     |        |     |    |
                        Integer    | M  |  P  |        |  V  | Y  |
-----------------------------------|----+-----+--------+-----+----|
The attributes in this specification have no special translation The attributes in this specification have no special translation
requirements for Diameter to RADIUS or RADIUS to Diameter gateways; requirements for Diameter to RADIUS or RADIUS to Diameter gateways;
they are copied as is, except for changes relating to headers, they are copied as is, except for changes relating to headers,
alignment, and padding. See also [RFC3588] Section 4.1 and [RFC4005] alignment, and padding. See also [RFC3588] Section 4.1 and [RFC4005]
Section 9. Section 9.
What this specification says about the applicability of the What this specification says about the applicability of the
attributes for RADIUS Access-Request packets applies in Diameter to attributes for RADIUS Access-Request packets applies in Diameter to
AA-Request [RFC4005]. AA-Request [RFC4005].
What is said about Access-Accept applies in Diameter to AA-Answer What is said about Access-Accept applies in Diameter to AA-Answer
messages that indicate success. messages that indicate success.
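   As an added illustration, not part of the draft, the following Python
   wraps a RADIUS attribute value in a Diameter AVP under the flag rules
   in the table above (M set, P optional, V clear, so no Vendor-Id field)
   and strips the header and padding again in the other direction.  The
   flag bit positions are those of RFC 3588; Service-Type (attribute 6)
   and its Administrative value (6) are from RFC 2865; the attribute type
   number used for Management-Policy-Id is an arbitrary stand-in chosen
   for this example, since the draft leaves the real type as TBA-4.

```python
"""
RADIUS attribute <-> Diameter AVP translation for the attributes in this
specification (AVP Code space 1-255, the RADIUS compatibility space).

Added example of the flag rules in the table: M MUST be set, P MAY be set,
V MUST NOT be set (so there is no Vendor-Id field).  Only the header,
32-bit alignment and padding change; the value octets are copied as-is.
"""
import struct

# AVP header flag bits (RFC 3588, Section 4.1).
FLAG_V = 0x80   # Vendor-Specific: MUST NOT be set for these AVPs
FLAG_M = 0x40   # Mandatory:       MUST be set
FLAG_P = 0x20   # Protected:       MAY be set

# Service-Type is RADIUS attribute 6 and Administrative is value 6 (RFC 2865).
SERVICE_TYPE = 6
ADMINISTRATIVE = 6
# The draft leaves Management-Policy-Id as TBA-4; this example uses an
# arbitrary number from the RFC 2865 experimental range as a stand-in.
EXAMPLE_POLICY_ID_CODE = 200


def radius_attr_to_avp(code: int, data: bytes, proxy_protected: bool = False) -> bytes:
    """Wrap RADIUS attribute value octets in a Diameter AVP.

    code: the RADIUS attribute type, reused unchanged as the AVP Code.
    data: the value octets only (no RADIUS Type/Length prefix).
    """
    if not 1 <= code <= 255:
        raise ValueError("only the RADIUS compatibility space 1-255 is allowed")
    if len(data) > 253:
        raise ValueError("value does not fit a RADIUS attribute (Length is one octet)")
    flags = FLAG_M | (FLAG_P if proxy_protected else 0)
    length = 8 + len(data)            # AVP Length excludes the padding
    header = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    return header + data + b"\x00" * ((-len(data)) % 4)


def avp_to_radius_attr(avp: bytes) -> tuple:
    """Strip the AVP header and padding; returns (code, data).

    Rejects AVPs that break the flag rules for these attributes.
    """
    if len(avp) < 8:
        raise ValueError("truncated AVP header")
    code, flags = struct.unpack("!IB", avp[:5])
    length = int.from_bytes(avp[5:8], "big")
    if flags & FLAG_V:
        raise ValueError("V flag set: these AVPs MUST NOT be vendor-specific")
    if not flags & FLAG_M:
        raise ValueError("M flag clear: these AVPs MUST be mandatory")
    if not 1 <= code <= 255:
        raise ValueError("AVP Code outside the RADIUS compatibility space")
    if length < 8 or length > len(avp):
        raise ValueError("bad AVP Length")
    data = avp[8:length]
    if len(data) > 253:
        raise ValueError("value too long for a RADIUS attribute")
    return code, data


def radius_tlv(code: int, data: bytes) -> bytes:
    """RADIUS Type/Length/Value encoding (RFC 2865, Section 5)."""
    return bytes([code, 2 + len(data)]) + data


def enum_value(v: int) -> bytes:
    """Enumerated and Integer values travel as 32-bit big-endian."""
    return v.to_bytes(4, "big")
```

   A gateway that accepts an AVP with the V bit set, or with M clear, is
   accepting something this specification forbids; rejecting it at the
   boundary is cheaper than letting the peer discover the mismatch later.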
10.  Table of Attributes

   The following table provides a guide to which attributes may be found
   in which kinds of packets, and in what quantity.

   Access Messages
   Request  Accept  Reject  Challenge  #      Attribute
   ---------------------------------------------------------------------
   0-1      0-1     0       0          TBA-2  Framed-Management-Protocol
   0-1      0-1     0       0          TBA-3  Management-Transport-Protection
   0        0-1     0       0          TBA-4  Management-Policy-Id

   [...]

   The following table defines the meaning of the above table entries.

   0     This attribute MUST NOT be present in a packet.
   0+    Zero or more instances of this attribute MAY be present in
         a packet.
   0-1   Zero or one instance of this attribute MAY be present in
         a packet.
   1     Exactly one instance of this attribute MUST be present in
         a packet.

11.  IANA Considerations
   This document contains placeholders ("TBA-n") for assigned numbers
   within the RADIUS Attributes Types registry
   (http://www.iana.org/assignments/radius-types), to be assigned by
   IANA at the time this document should be published as an RFC.

   o  New enumerated value for the existing Service-Type Attribute:

      *  Framed-Management (TBA-1)

   o  New RADIUS Attribute Types:

      *  Framed-Management-Protocol (TBA-2)

      *  Management-Transport-Protection (TBA-3)

   [...]

         6   SFTP
         7   RCP
         8   SCP

      For the Management-Transport-Protection Attribute:

         1   No-Protection
         2   Integrity-Protection
         3   Integrity-Confidentiality-Protection
   Assignments of additional enumerated values for the RADIUS attributes
   defined in this document are to be processed as described in
   [RFC3575], subject to the additional requirement of a published
   specification.

12.  Security Considerations

12.1.  General Considerations

   This specification describes the use of RADIUS and Diameter for
   purposes of authentication, authorization and accounting for
   management access to devices within networks.  RADIUS threats and
   security issues for this application are described in [RFC3579] and
   [RFC3580]; security issues encountered in roaming are described in
   [RFC2607].  For Diameter, the security issues relating to this
   application are described in [RFC4005] and [RFC4072].

   This document specifies new attributes that can be included in

   [...]

   determine the protection state of the remote management connection
   MUST treat an Access-Accept message containing a
   Management-Transport-Protection Attribute containing a value other
   than No-Protection (1) as if it were an Access-Reject message, unless
   specifically overridden by local policy configuration.

   Use of the No-Protection (1) option for the
   Management-Transport-Protection (TBA-3) Attribute is NOT RECOMMENDED
   in any deployment where secure management or configuration is
   required.
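   The occurrence limits from the Table of Attributes (Section 10) and
   the MUST above are both decisions the NAS has to take before it opens
   a management session, so they can be checked together.  The following
   Python is an added example, not code from the draft.  It assumes the
   Access-Accept has already been decoded into (name, value) pairs; only
   the three table rows visible in this excerpt are encoded; and it reads
   the enumerated protection values as an ordered minimum (No-Protection
   weakest, Integrity-Confidentiality-Protection strongest), which is an
   assumption made for the example rather than wording from the draft.

```python
"""
NAS-side handling of an Access-Accept that provisions management access.

Added example: (1) enforce the occurrence limits from the Table of
Attributes, then (2) apply the Management-Transport-Protection rule: a NAS
that cannot determine the protection state of the management connection
MUST treat an Access-Accept carrying any value other than No-Protection (1)
as an Access-Reject, unless local policy configuration overrides that.
"""
from collections import Counter
from dataclasses import dataclass

PACKET_TYPES = ("Access-Request", "Access-Accept", "Access-Reject", "Access-Challenge")

# Occurrence limits, one row per attribute, columns in PACKET_TYPES order.
# Only the rows visible in this excerpt of the table are encoded.
OCCURRENCE = {
    "Framed-Management-Protocol":      ("0-1", "0-1", "0", "0"),
    "Management-Transport-Protection": ("0-1", "0-1", "0", "0"),
    "Management-Policy-Id":            ("0",   "0-1", "0", "0"),
}


def _within(limit: str, n: int) -> bool:
    """Interpret a table entry: 0, 0+, 0-1 or 1."""
    return {"0": n == 0, "0+": True, "0-1": n <= 1, "1": n == 1}[limit]


def check_occurrence(packet_type: str, attributes) -> list:
    """Return the occurrence-table violations for a decoded packet (empty if OK)."""
    col = PACKET_TYPES.index(packet_type)
    counts = Counter(name for name, _ in attributes)
    problems = []
    for name, limits in OCCURRENCE.items():
        n = counts.get(name, 0)
        if not _within(limits[col], n):
            problems.append(f"{name}: {n} instance(s) in {packet_type}, "
                            f"table allows {limits[col]}")
    return problems


# Enumerated values of Management-Transport-Protection (IANA Considerations).
NO_PROTECTION = 1
INTEGRITY_PROTECTION = 2
INTEGRITY_CONFIDENTIALITY_PROTECTION = 3
KNOWN_PROTECTION_VALUES = (NO_PROTECTION, INTEGRITY_PROTECTION,
                           INTEGRITY_CONFIDENTIALITY_PROTECTION)


@dataclass
class Decision:
    accept: bool
    reason: str


def nas_decision(attributes, observed_protection, local_policy_allows_unknown=False) -> Decision:
    """Decide whether the NAS honours an Access-Accept for a management session.

    attributes:          decoded (name, value) pairs from the Access-Accept.
    observed_protection: the protection the NAS knows the transport actually
                         has (one of the three values), or None when the NAS
                         cannot determine it.
    local_policy_allows_unknown: the "unless specifically overridden by local
                         policy configuration" escape hatch.
    """
    problems = check_occurrence("Access-Accept", attributes)
    if problems:
        return Decision(False, "malformed Access-Accept: " + "; ".join(problems))

    required = next((v for n, v in attributes
                     if n == "Management-Transport-Protection"), None)
    if required is None:
        return Decision(True, "no Management-Transport-Protection requirement")
    if required not in KNOWN_PROTECTION_VALUES:
        # Assumption for the example: an unassigned value is not silently
        # accepted, since the NAS cannot know what protection it demands.
        return Decision(False, f"unknown Management-Transport-Protection value {required}")

    if observed_protection is None:
        if required != NO_PROTECTION and not local_policy_allows_unknown:
            return Decision(False, "protection state unknown; treating Access-Accept as Access-Reject")
        return Decision(True, "No-Protection requested" if required == NO_PROTECTION
                        else "protection state unknown; accepted by local policy")

    # Assumption for the example: the value is the minimum acceptable level and
    # the numbering orders the levels from weakest (1) to strongest (3).
    if observed_protection < required:
        return Decision(False, f"transport protection {observed_protection} "
                               f"is below required {required}")
    return Decision(True, "transport protection requirement met")
```

   The local-policy override is deliberately a separate argument rather
   than a default, so that a build which cannot determine the transport
   state fails closed unless an operator has explicitly opened it.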
12.2.  RADIUS Proxy Operation Considerations

   The device management access authorization attributes presented in
   this document present certain considerations when used in RADIUS
   proxy environments.  These considerations are not different from
   those that exist in RFC 2865 [RFC2865] with respect to the
   Service-Type Attribute values of Administrative and NAS-Prompt.

   Most RADIUS proxy environments are also multi-party environments.  In
   multi-party proxy environments it is important to distinguish which
   entities have the authority to provision management access to the

   [...]

   servers for management AAA use and for non-management AAA use.

   An alternate method of enforcing this requirement would be for the
   first-hop RADIUS proxy server, operated by the owner of the NAS, to
   filter out any RADIUS attributes that provision management access
   rights that originate from "up-stream" proxy servers not operated by
   the NAS owner.  Access-Accept messages that provision such locally
   un-authorized management access MAY be treated as if they were an
   Access-Reject by the first-hop proxy server.
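   One way the first-hop proxy could implement that filter, as an added
   example that is not part of the draft: attributes are assumed to be
   decoded into (name, value) pairs with Service-Type values written by
   name, and the `from_nas_owner_server` flag stands in for whatever
   realm-routing state the proxy already keeps in order to know which
   server answered a given request.

```python
"""
First-hop RADIUS proxy filter, run by the NAS owner.

Added example: an Access-Accept returned by an up-stream server that the NAS
owner does not operate may not provision management access to the NAS.  The
proxy either strips the offending attributes ("strip") or turns the reply
into an Access-Reject ("reject"), and reports what it removed so the event
can be logged and alerted on.
"""
from dataclasses import dataclass, field

# Service-Type values that grant management access: Administrative and
# NAS-Prompt from RFC 2865, Framed-Management (TBA-1) from this draft.
MANAGEMENT_SERVICE_TYPES = {"Administrative", "NAS-Prompt", "Framed-Management"}

# Attributes defined in this draft; every one of them shapes a management
# session and so must only come from a server the NAS owner controls.
MANAGEMENT_ATTRIBUTES = {
    "Framed-Management-Protocol",
    "Management-Transport-Protection",
    "Management-Policy-Id",
    "Management-Privilege-Level",
}


@dataclass
class Packet:
    code: str                                        # "Access-Accept", "Access-Reject", ...
    attributes: list = field(default_factory=list)   # decoded (name, value) pairs


def _provisions_management(name, value) -> bool:
    """True if this attribute grants or shapes management access."""
    if name == "Service-Type":
        return value in MANAGEMENT_SERVICE_TYPES
    return name in MANAGEMENT_ATTRIBUTES


def filter_upstream_reply(reply: Packet, from_nas_owner_server: bool, mode: str = "strip"):
    """Return (packet_to_send_to_the_NAS, removed_attributes).

    from_nas_owner_server: True when the server that produced `reply` is under
        the NAS owner's administrative control; such replies pass untouched.
    mode: "strip" removes the provisioning attributes; "reject" replaces the
        whole Access-Accept with an Access-Reject (the MAY in the text).
    """
    if from_nas_owner_server or reply.code != "Access-Accept":
        return reply, []
    removed = [(n, v) for n, v in reply.attributes if _provisions_management(n, v)]
    if not removed:
        return reply, []
    if mode == "reject":
        return Packet("Access-Reject"), removed
    if mode != "strip":
        raise ValueError(f"unknown mode {mode!r}")
    kept = [(n, v) for n, v in reply.attributes if not _provisions_management(n, v)]
    return Packet("Access-Accept", kept), removed
```

   "strip" leaves an Access-Accept with no Service-Type, and RFC 2865
   does not mandate what service a NAS applies in that case, so for a
   management port "reject" is the conservative setting; in either mode
   the returned `removed` list is worth logging, because an up-stream
   server sending these attributes at all is a policy violation.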
   An additional exposure present in proxy deployments is that sensitive
   user credentials, e.g., passwords, are likely to be available in
   cleartext form at each of the proxy servers.  Encrypted or hashed
   credentials are not subject to this risk, but password authentication
   is a very commonly used mechanism for management access
   authentication, and in RADIUS passwords are only protected on a
   hop-by-hop basis.  Malicious proxy servers could misuse this sensitive
   information.
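   To make the hop-by-hop point concrete, this added example (not from
   the draft) implements the User-Password hiding of RFC 2865,
   Section 5.2, and the decrypt-and-re-encrypt step a proxy has to
   perform when forwarding an Access-Request, because the hiding key
   stream is derived from the shared secret of each individual hop.  The
   cleartext returned by `proxy_forward` is exactly what a malicious or
   compromised proxy obtains.  The proxy here generates a fresh Request
   Authenticator for the up-stream request; that is a choice made for
   the example.

```python
"""
Hop-by-hop protection of User-Password (RFC 2865, Section 5.2).

Added example: each 16-octet block is XORed with MD5(secret || previous
cipher block), seeded with the Request Authenticator.  A hop that forwards
the request must therefore recover the cleartext with the in-bound secret
and hide it again with the out-bound secret; proxy_forward returns that
cleartext, which is what a malicious proxy sees.
"""
import hashlib
import os


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad with nulls to 16-octet blocks, c_i = p_i XOR MD5(S || c_{i-1})."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator is 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = _xor16(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block            # chaining: next key block depends on this cipher block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_password; strips the null padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor16(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def proxy_forward(hidden: bytes, inbound_secret: bytes, inbound_authenticator: bytes,
                  outbound_secret: bytes):
    """What a proxy does with User-Password before forwarding up-stream.

    Returns (cleartext seen by the proxy, re-hidden password, new authenticator).
    Generating a fresh Request Authenticator here is a choice for this example.
    """
    cleartext = reveal_password(hidden, inbound_secret, inbound_authenticator)
    outbound_authenticator = os.urandom(16)
    return (cleartext,
            hide_password(cleartext, outbound_secret, outbound_authenticator),
            outbound_authenticator)
```

   Nothing in the construction lets a proxy forward the hidden value
   without first recovering it, which is the exposure the paragraph
   above describes; the only remedies are to keep every hop under the
   NAS owner's control or to use a credential that is not a reusable
   password.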
   These issues are not of concern when all the RADIUS servers, local
   and proxy, used by the NAS are under the sole administrative control
   of the NAS owner.

13.  Acknowledgments

   Many thanks to all reviewers, including Bernard Aboba, Alan DeKok,
   David Harrington, Mauricio Sanchez, Juergen Schoenwaelder, Hannes
   Tschofenig, Barney Wolff and Glen Zorn.

14.  References

14.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, June 2000.

   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
              10646", STD 63, RFC 3629, November 2003.

14.2.  Informative References

   [HTML]     Raggett, D., Le Hors, A., and I. Jacobs, "The HTML 4.01
              Specification, W3C", December 1999.

   [RFC0959]  Postel, J. and J. Reynolds, "File Transfer Protocol",
              STD 9, RFC 959, October 1985.

   [RFC1350]  Sollins, K., "The TFTP Protocol (Revision 2)", STD 33,
              RFC 1350, July 1992.

   [...]

   USA

   Email: d.b.nelson@comcast.net


   Greg Weber
   Individual Contributor
   Knoxville, TN  37932
   USA

   Email: gdweber@gmail.com