Presentation is loading. Please wait.

Presentation is loading. Please wait.

RADIUS Extended Attributes for Management Authorization David B. Nelson IETF 62, RADEXT WG March 9, 2005.

Published byBetty Pearson Modified over 9 years ago

Similar presentations

Presentation on theme: "RADIUS Extended Attributes for Management Authorization David B. Nelson IETF 62, RADEXT WG March 9, 2005."— Presentation transcript:

1 RADIUS Extended Attributes for Management Authorization David B. Nelson IETF 62, RADEXT WG March 9, 2005

2 Need for Management Attributes RADUIS currently defines two attributes for management Both are for “CLI” style interface –Service-Type = Admin –Service-Type = NAS-Prompt No attributes for provisioning other forms of management interfaces

3 Need for Management Attributes Need for attributes that describe non-CLI management interfaces –SNMP –HTTP

4 Need for Management Attributes Need for attributes to specify secure vs. non-secure management interfaces –SSH –SNMP v3 –HTTPS / TLS

5 Need for Management Attributes Need for attributes to specify roles or privilege levels –SNMPv3 VACM entries Like the Filter-ID attribute, but for management –Split horizon views Layer 2 management view Layer 3 management view Etc.

6 Need for Management Attributes Need attributes to authorize management commands on a per-command or per- operation granularity Need attributes to provide an audit trail, on a per-command basis, via accounting for configuration changes to facilitate problem resolution Provides feature-parity with TACACS+

7 Possible solution approach Internet-Draft: draft-nelson-radius- management-authorization-01.txt Service-Type = Framed-Management Management-Access-ID –A named access policy, similar to Filter-ID –Name is of local scope –Could be a privilege level –Could be a VACM table entry

8 Possible solution approach Management-Protocol –Used in conjunction with a Service-Type of Framed-Management –Values might be: SNMP-V3 HTTP HTTPS-TLS

9 Possible solution approach Non-Framed-Management-Command A command line interface (CLI) interaction Framed-Management-Operation A SNMP/HTTP operation Management-Context Contextual information for above two. For example, a CLI sub-mode, menu name, virtual router instance, administrative role

10 Changes since -00 For use in ISP, roaming consortia, public access, and similar environments, “split-horizon” AAA should be used for management access. Text added in Proxy Operations section. SNMPv1 and SNMPv2c values of Framed- Management-Protocol removed. Attributes related to granular authorization/accounting of CLI commands added.

11 Is there an interest? Enterasys Networks is working in this area using Vendor-Specific attributes If the management access services that these attributes specify are of multi-vendor applicability, it would be better to define them as standard attributes Is there interest in working on defining such attributes, and creating implementations?

12 Questions? Feedback?

Download ppt "RADIUS Extended Attributes for Management Authorization David B. Nelson IETF 62, RADEXT WG March 9, 2005."

Similar presentations

Point Protection 111. Check List AAA to the Network Devices Controlling Packets Destined to the Network Devices Config Audits.

Point Protection 111. Check List AAA to the Network Devices Controlling Packets Destined to the Network Devices Config Audits.
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
Securing the Router Chris Cunningham.

Securing the Router Chris Cunningham.
EAP Channel Bindings Charles Clancy Katrin Hoeper IETF 76 Hiroshima, Japan November 08-13, 2009.

EAP Channel Bindings Charles Clancy Katrin Hoeper IETF 76 Hiroshima, Japan November 08-13, 2009.
© 2007 Cisco Systems, Inc. All rights reserved.ICND1 v1.0—4-1 LAN Connections Using the Cisco SDM.

© 2007 Cisco Systems, Inc. All rights reserved.ICND1 v1.0—4-1 LAN Connections Using the Cisco SDM.
History Since created in 1995, RADIUS has been used to provide authentication, authorization and generate accounting information for dial-in users. However,

History Since created in 1995, RADIUS has been used to provide authentication, authorization and generate accounting information for dial-in users. However,
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
AAA-ARCH IRTF-RG Authentication Authorisation and Accounting ARCHitecture Research Group chairs: C. de Laat J. Vollbrecht Content of this talk has contributions.

AAA-ARCH IRTF-RG Authentication Authorisation and Accounting ARCHitecture Research Group chairs: C. de Laat J. Vollbrecht Content of this talk has contributions.
VLANs Semester 3, Chapter 3 Allan Johnson Website:

VLANs Semester 3, Chapter 3 Allan Johnson Website:
Chapter 16 AAA. AAA Components  AAA server –Authenticates users accessing a device or network –Authorizes user to perform specific activities –Performs.

Chapter 16 AAA. AAA Components  AAA server –Authenticates users accessing a device or network –Authorizes user to perform specific activities –Performs.
RBAC Defense in Depth Authors: Brad Ruppert & Russell Meyer.

RBAC Defense in Depth Authors: Brad Ruppert & Russell Meyer.
Integrated Security Model for SNMPv3 (ISMS) pronounced is miss David T. Perkins & Wes Hardaker 60 th IETF August 6, 2004.

Integrated Security Model for SNMPv3 (ISMS) pronounced "is" "miss" David T. Perkins & Wes Hardaker 60 th IETF August 6, 2004.
Session-based Security Model for SNMPv3 (SNMPv3/SBSM) David T. Perkins Wes Hardaker IETF November 12, 2003.

Session-based Security Model for SNMPv3 (SNMPv3/SBSM) David T. Perkins Wes Hardaker IETF November 12, 2003.
S6C12 - AAA AAA Facts. AAA Defined Authentication, Authorization, and Accounting Central Management of AAA –Information in a single, centralized, secure.

S6C12 - AAA AAA Facts. AAA Defined Authentication, Authorization, and Accounting Central Management of AAA –Information in a single, centralized, secure.
Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.

Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.
Privilege Levels Cisco IOS provides for 16 different privilege levels ranging from 0 to 15. Cisco IOS comes with 2 predefined user levels. User mode.

Privilege Levels Cisco IOS provides for 16 different privilege levels ranging from 0 to 15. Cisco IOS comes with 2 predefined user levels. User mode.
Exterior Gateway Protocol Border Gateway Protocol (BGP) Interior Gateway Protocol Routing Information Protocol (RIP) Enhanced Interior Gateway Protocol.

Exterior Gateway Protocol Border Gateway Protocol (BGP) Interior Gateway Protocol Routing Information Protocol (RIP) Enhanced Interior Gateway Protocol.
© 2007 Cisco Systems, Inc. All rights reserved.ICND2 v1.0—1-1 Small Network Implementation Introducing the Review Lab.

© 2007 Cisco Systems, Inc. All rights reserved.ICND2 v1.0—1-1 Small Network Implementation Introducing the Review Lab.
Basic tasks that fall under this category are: What is Network Management? Fault Management Dealing with problems and emergencies in the network (router.

Basic tasks that fall under this category are: What is Network Management? Fault Management Dealing with problems and emergencies in the network (router.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

Similar presentations

Ads by Google