Network Working Group                                          D. Nelson
Request for Comments: 5607                          Elbrys Networks, Inc.
Category: Standards Track                                       G. Weber
                                                  Individual Contributor
                                                               July 2009

Remote Authentication Dial-In User Service (RADIUS) Authorization for
Network Access Server (NAS) Management
Abstract
This document specifies Remote Authentication Dial-In User Service
(RADIUS) attributes for authorizing management access to a Network
Access Server (NAS). Both local and remote management are supported,
with granular access rights and management privileges. Specific
provisions are made for remote management via Framed Management
protocols and for management access over a secure transport protocol.

Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
This document may contain material from IETF Documents or IETF
Contributions published or made publicly available before November
10, 2008. The person(s) controlling the copyright in some of this
material may not have granted the IETF Trust the right to allow
modifications of such material outside the IETF Standards Process.
Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other
than English.

Nelson & Weber               Standards Track                    [Page 1]
Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . .  4
   3.  Overview . . . . . . . . . . . . . . . . . . . . . . . . . .  4
   4.  Domain of Applicability  . . . . . . . . . . . . . . . . . .  5
   5.  New Values for Existing RADIUS Attributes  . . . . . . . . .  6
     5.1.  Service-Type . . . . . . . . . . . . . . . . . . . . . .  6
   6.  New RADIUS Attributes  . . . . . . . . . . . . . . . . . . .  6
     6.1.  Framed-Management-Protocol . . . . . . . . . . . . . . .  6
     6.2.  Management-Transport-Protection  . . . . . . . . . . . .  9
     6.3.  Management-Policy-Id . . . . . . . . . . . . . . . . . . 11
     6.4.  Management-Privilege-Level . . . . . . . . . . . . . . . 13
   7.  Use with Dynamic Authorization . . . . . . . . . . . . . . . 15
   8.  Examples of Attribute Groupings  . . . . . . . . . . . . . . 15
   9.  Diameter Translation Considerations  . . . . . . . . . . . . 17
   10. Table of Attributes  . . . . . . . . . . . . . . . . . . . . 18
   11. IANA Considerations  . . . . . . . . . . . . . . . . . . . . 19
   12. Security Considerations  . . . . . . . . . . . . . . . . . . 20
     12.1. General Considerations . . . . . . . . . . . . . . . . . 20
     12.2. RADIUS Proxy Operation Considerations  . . . . . . . . . 22
   13. Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . 23
   14. References . . . . . . . . . . . . . . . . . . . . . . . . . 23
     14.1. Normative References . . . . . . . . . . . . . . . . . . 23
     14.2. Informative References . . . . . . . . . . . . . . . . . 23
1. Introduction

RFC 2865 [RFC2865] defines the NAS-Prompt (7) and Administrative (6)
values of the Service-Type (6) Attribute. Both of these values
provide access to the interactive, text-based Command Line Interface
(CLI) of the NAS, and were originally developed to control access to
the physical console port of the NAS, most often a serial port.
Remote access to the CLI of the NAS has been available in NAS
implementations for many years, using protocols such as Telnet,
Rlogin, and the remote terminal service of the Secure SHell (SSH).
In order to distinguish local, physical, console access from remote
access, the NAS-Port-Type (61) Attribute is generally included in
Access-Request and Access-Accept messages, along with the Service-
Type (6) Attribute, to indicate the form of access. A NAS-Port-Type
(61) Attribute with a value of Async (0) is used to signify a local
serial port connection, while a value of Virtual (5) is used to
signify a remote connection, via a remote terminal protocol. This
usage provides no selectivity among the various available remote
terminal protocols (e.g., Telnet, Rlogin, SSH, etc.).
Today, it is common for network devices to support more than the two
privilege levels for management access provided by the Service-Type
(6) Attribute with values of NAS-Prompt (7) (non-privileged) and
Administrative (6) (privileged). Also, other management mechanisms
may be used, such as Web-based management, the Simple Network
Management Protocol (SNMP), and the Network Configuration Protocol
(NETCONF). To provide support for these additional features, this
specification defines attributes for Framed Management protocols,
management protocol security, and management access privilege levels.

Remote management via the command line is carried over protocols such
as Telnet, Rlogin, and the remote terminal service of SSH. Since
these protocols are primarily for the delivery of terminal or
terminal emulation services, the term "Framed Management" is used to
describe management protocols supporting techniques other than the
command line. Typically, these mechanisms format management
information in a binary or textual encoding such as HTML, XML, or
ASN.1/BER. Examples include Web-based management (HTML over HTTP or
HTTPS), NETCONF (XML over SSH or BEEP or SOAP), and SNMP (SMI over
ASN.1/BER). Command line interface, menu interface, or other text-
based (e.g., ASCII or UTF-8) terminal emulation services are not
considered to be Framed Management protocols.
2. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].

This document uses terminology from RFC 2865 [RFC2865], RFC 2866
[RFC2866], and RFC 5176 [RFC5176].

The term "integrity protection", as used in this document, is *not*
the same as "authentication", as used in SNMP. Integrity protection
requires the sharing of cryptographic keys, but it does not require
authenticated principals. Integrity protection could be used, for
example, with anonymous Diffie-Hellman key agreement. In SNMP, the
proof of identity of the principals (authentication) is conflated
with tamper-resistance of the protected messages (integrity). In
this document, we assume that integrity protection and authentication
are separate concerns. Authentication is part of the base RADIUS
protocol.

SNMP uses the terms "auth" and "noAuth", as well as "priv" and
"noPriv". There is no analog to auth or noAuth in this document. In
this document, we are assuming that authentication always occurs when
it is required, i.e., as a prerequisite to provisioning of access via
an Access-Accept packet.
3. Overview

To support the authorization and provisioning of Framed Management
access to managed entities, this document introduces a new value for
the Service-Type (6) Attribute [RFC2865] and one new attribute. The
new value for the Service-Type (6) Attribute is Framed-Management
(18), used for remote device management via a Framed Management
protocol. The new attribute is Framed-Management-Protocol (133), the
value of which specifies a particular protocol for use in the remote
management session.

Two new attributes are introduced in this document in support of
granular management access rights or command privilege levels. The
Management-Policy-Id (135) Attribute provides a text string
specifying a policy name of local scope, that is assumed to have been
pre-provisioned on the NAS. This use of an attribute to specify use
of a pre-provisioned policy is similar to the Filter-Id (11)
Attribute defined in [RFC2865] Section 5.11.

The local application of the Management-Policy-Id (135) Attribute
within the managed entity may take the form of (a) one of an
enumeration of command privilege levels, (b) a mapping into an SNMP
Access Control Model, such as the View-Based Access Control Model
(VACM) [RFC3415], or (c) some other set of management access policy
rules that is mutually understood by the managed entity and the
remote management application. Examples are given in Section 8.

The Management-Privilege-Level (136) Attribute contains an integer-
valued management privilege level indication. This attribute serves
to modify or augment the management permissions provided by the NAS-
Prompt (7) value of the Service-Type (6) Attribute, and thus applies
to CLI management.

To enable management security requirements to be specified, the
Management-Transport-Protection (134) Attribute is introduced. The
value of this attribute indicates the minimum level of secure
transport protocol protection required for the provisioning of NAS-
Prompt (7), Administrative (6), or Framed-Management (18) service.
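As an added illustration of how a NAS would consume the attributes this
section introduces (the code is not part of RFC 5607 and is not taken from
any RADIUS implementation), the Python below encodes and parses the
RFC 2865 Type/Length/Value attribute format and then applies the Section 3
semantics on the NAS side: Framed-Management (18) is honoured only when a
Framed-Management-Protocol (133) selector accompanies it, Management-
Privilege-Level (136) is attached only to NAS-Prompt (7) service, and a
session whose transport offers less than the Management-Transport-
Protection (134) minimum is refused. The numeric values for the transport
protection levels and for NETCONF come from Sections 6.2 and 6.1 of the RFC
(beyond this excerpt); the policy name "netconf-readonly", the sample
Access-Accept and all function names are constructed for the example.

```python
import struct

# Attribute type codes: Service-Type from RFC 2865; 133-136 are the four
# attributes this document introduces.
SERVICE_TYPE = 6
FRAMED_MANAGEMENT_PROTOCOL = 133
MANAGEMENT_TRANSPORT_PROTECTION = 134
MANAGEMENT_POLICY_ID = 135
MANAGEMENT_PRIVILEGE_LEVEL = 136

# Service-Type values named in this document.
ADMINISTRATIVE, NAS_PROMPT, FRAMED_MANAGEMENT = 6, 7, 18
# Management-Transport-Protection values (RFC 5607 Section 6.2),
# ordered weakest to strongest so they can be compared numerically.
NO_PROTECTION, INTEGRITY_PROTECTION, INTEGRITY_CONFIDENTIALITY_PROTECTION = 1, 2, 3
# Framed-Management-Protocol value for NETCONF (RFC 5607 Section 6.1).
NETCONF = 3

INTEGER_ATTRS = {SERVICE_TYPE, FRAMED_MANAGEMENT_PROTOCOL,
                 MANAGEMENT_TRANSPORT_PROTECTION, MANAGEMENT_PRIVILEGE_LEVEL}


def encode_attribute(attr_type, value):
    """Encode one attribute as the Type(1) Length(1) Value TLV of RFC 2865."""
    if attr_type in INTEGER_ATTRS:
        payload = struct.pack("!I", value)        # 32-bit big-endian integer
    else:
        payload = value.encode("utf-8")           # text, e.g. Management-Policy-Id
    if not 1 <= len(payload) <= 253:              # Length must fit in one octet
        raise ValueError("attribute value length out of range")
    return struct.pack("!BB", attr_type, 2 + len(payload)) + payload


def decode_attributes(data):
    """Parse a run of TLVs; a truncated or under-length attribute raises
    instead of being skipped, so a zero Length octet cannot cause a loop."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 3 or i + length > len(data):
            raise ValueError("invalid attribute length %d" % length)
        raw = data[i + 2:i + length]
        if attr_type in INTEGER_ATTRS and len(raw) == 4:
            value = struct.unpack("!I", raw)[0]
        else:
            value = raw.decode("utf-8", "replace")
        attrs.append((attr_type, value))
        i += length
    return attrs


def authorize_management(accept_attrs, session_protection):
    """NAS-side reading of an Access-Accept attribute list.

    session_protection is the level the transport the session actually
    arrived on provides; service is refused when it is below the minimum
    the server set in Management-Transport-Protection.
    """
    by_type = {}
    for attr_type, value in accept_attrs:
        by_type.setdefault(attr_type, value)      # first occurrence wins
    service = by_type.get(SERVICE_TYPE)
    if service not in (ADMINISTRATIVE, NAS_PROMPT, FRAMED_MANAGEMENT):
        return {"granted": False, "reason": "not a management Service-Type"}
    required = by_type.get(MANAGEMENT_TRANSPORT_PROTECTION, NO_PROTECTION)
    if session_protection < required:
        return {"granted": False,
                "reason": "transport protection below required minimum"}
    result = {"granted": True, "service": service,
              "policy_id": by_type.get(MANAGEMENT_POLICY_ID)}
    if service == FRAMED_MANAGEMENT:
        # Without the protocol selector the NAS cannot know which Framed
        # Management session to start, so the grant is unusable.
        if FRAMED_MANAGEMENT_PROTOCOL not in by_type:
            return {"granted": False,
                    "reason": "Framed-Management without Framed-Management-Protocol"}
        result["protocol"] = by_type[FRAMED_MANAGEMENT_PROTOCOL]
    elif service == NAS_PROMPT:
        # Management-Privilege-Level modifies NAS-Prompt service only.
        result["privilege_level"] = by_type.get(MANAGEMENT_PRIVILEGE_LEVEL)
    return result


def constructed_accept():
    """Constructed sample: attribute bytes of an Access-Accept granting
    NETCONF over a confidentiality-protected transport under a made-up
    locally provisioned policy name."""
    return b"".join([
        encode_attribute(SERVICE_TYPE, FRAMED_MANAGEMENT),
        encode_attribute(FRAMED_MANAGEMENT_PROTOCOL, NETCONF),
        encode_attribute(MANAGEMENT_TRANSPORT_PROTECTION,
                         INTEGRITY_CONFIDENTIALITY_PROTECTION),
        encode_attribute(MANAGEMENT_POLICY_ID, "netconf-readonly"),
    ])


if __name__ == "__main__":
    attrs = decode_attributes(constructed_accept())
    print(authorize_management(attrs, INTEGRITY_CONFIDENTIALITY_PROTECTION))
    print(authorize_management(attrs, NO_PROTECTION))
```

Running the module shows the same Access-Accept being granted when the
session arrived over a transport providing integrity and confidentiality
protection, and refused when it arrived unprotected; the length checks in
decode_attributes are the part most implementations get wrong, since a
Length octet below 3 or past the end of the buffer must be rejected rather
than tolerated.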
4. Domain of Applicability

Most of the RADIUS attributes defined in this document have broad
applicability for provisioning local and remote management access to
NAS devices. However, those attributes that provision remote access
over Framed Management protocols and over secure transports have
special considerations. This document does not specify the details
of the integration of these protocols with a RADIUS client in the NAS
implementation. However, there are functional requirements for
correct application of Framed Management protocols and/or secure
transport protocols that will limit the selection of such protocols
that can be considered for use with RADIUS. Since the RADIUS user
credentials are typically obtained by the RADIUS client from the
secure transport protocol server or the Framed Management protocol
server, the protocol, and its implementation in the NAS, MUST support
forms of credentials that are compatible with the authentication
methods supported by RADIUS.

RADIUS currently supports the following user authentication methods,
although others may be added in the future:

   o  Password - RFC 2865
   o  CHAP (Challenge Handshake Authentication Protocol) - RFC 2865
   o  ARAP (Apple Remote Access Protocol) - RFC 2869
   o  EAP (Extensible Authentication Protocol) - RFC 2869, RFC 3579
   o  HTTP Digest - RFC 5090
The remote management protocols selected for use with the RADIUS
remote NAS management sessions, for example, those described in
Section 6.1, and the secure transport protocols selected to meet the
protection requirements, as described in Section 6.2, obviously need
to support user authentication methods that are compatible with those
that exist in RADIUS. The RADIUS authentication methods most likely
usable with these protocols are Password, CHAP, and possibly HTTP
Digest, with Password being the distinct common denominator. There
are many secure transports that support other, more robust,
authentication mechanisms, such as public key. RADIUS has no support
for public key authentication, except within the context of an EAP
Method. The applicability statement for EAP indicates that it is not
intended for use as an application-layer authentication mechanism, so
its use with the mechanisms described in this document is NOT
RECOMMENDED. In some cases, Password may be the only compatible
RADIUS authentication method available.
5. New Values for Existing RADIUS Attributes

5.1. Service-Type

The Service-Type (6) Attribute is defined in Section 5.6 of RFC 2865
[RFC2865]. This document defines a new value of the Service-Type
Attribute, as follows:

   18  Framed-Management

The semantics of the Framed-Management service are as follows:

   Framed-Management   A Framed Management protocol session should
                       be started on the NAS.
6. New RADIUS Attributes

This document defines four new RADIUS attributes related to
management authorization.

6.1. Framed-Management-Protocol

The Framed-Management-Protocol (133) Attribute indicates the
application-layer management protocol to be used for Framed
Management access. It MAY be used in both Access-Request and Access-
Accept packets. This attribute is used in conjunction with a
Service-Type (6) Attribute with the value of Framed-Management (18).
It is RECOMMENDED that the NAS include an appropriately valued
Framed-Management-Protocol (133) Attribute in an Access-Request
packet, indicating the type of management access being requested. It