Network Working Group D. Nelson Internet-Draft Elbrys Networks, Inc. Intended status: Standards Track G. Weber Expires: August 27, 2008 February 24, 2008 Remote Authentication Dial-In User Service (RADIUS) Authorization for Network Access Server (NAS) Management draft-ietf-radext-management-authorization-02.txt Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on August 27, 2008. Copyright Notice Copyright (C) The IETF Trust (2008). Abstract This document describes Remote Authentication Dial-In User Service (RADIUS) attributes for the authorization and service provisioning of local and remote management of embedded systems and other managed entities, generally referred to as Network Access Servers (NASes). Specific provisions are made for remote management via framed management protocols, for granular levels of access rights and management privileges, and for specification of a protected transport Nelson & Weber Expires August 27, 2008 [Page 1]
Internet-Draft RADIUS NAS-Management Authorization February 2008 protocol. Table of Contents 1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Introduction and Rationale . . . . . . . . . . . . . . . . . . 3 3. Provisions for Framed Management . . . . . . . . . . . . . . . 3 4. Provisions for Granular Management Access Rights . . . . . . . 4 5. Provisions for Secure Management Access . . . . . . . . . . . 4 6. Current Practice for CLI Management Access . . . . . . . . . . 4 7. New Values for Existing RADIUS Attributes . . . . . . . . . . 5 7.1. Service-Type . . . . . . . . . . . . . . . . . . . . . . . 5 8. New RADIUS Attributes . . . . . . . . . . . . . . . . . . . . 6 8.1. Framed-Management-Protocol . . . . . . . . . . . . . . . . 6 8.2. Management-Transport-Protection . . . . . . . . . . . . . 8 8.3. Management-Policy-Id . . . . . . . . . . . . . . . . . . . 10 8.4. Management-Privilege-Level . . . . . . . . . . . . . . . . 11 9. Examples of attribute groupings . . . . . . . . . . . . . . . 12 10. Diameter Translation Considerations . . . . . . . . . . . . . 14 11. RADIUS Proxy Operation Considerations . . . . . . . . . . . . 15 12. Table of Attributes . . . . . . . . . . . . . . . . . . . . . 16 13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 14. Security Considerations . . . . . . . . . . . . . . . . . . . 16 15. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 17 16. References . . . . . . . . . . . . . . . . . . . . . . . . . . 18 16.1. Normative References . . . . . . . . . . . . . . . . . . . 18 16.2. Informative References . . . . . . . . . . . . . . . . . . 18 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 19 Intellectual Property and Copyright Statements . . . . . . . . . . 20 Nelson & Weber Expires August 27, 2008 [Page 2]
Internet-Draft RADIUS NAS-Management Authorization February 2008 1. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. This document uses terminology from RFC 2865 [RFC2865] and RFC 2866 [RFC2866]. 2. Introduction and Rationale The remote management Service-Types defined in RFC 2865 [RFC2865] include NAS-Prompt and Administrative. Both of these services provide access to the interactive, text-based, Command Line Interface (CLI) of the managed entity. Current deployments of network equipment include in the managed entity non-CLI, framed-protocol forms of management, such as web browser based management, SNMP, and NETCONF. In addition, network devices often support more privilege levels for management access than the two levels supported by NAS- Prompt (non-privileged) and Administrative (privileged). To address these issues, attributes for framed management protocols, management protocol security levels, and management access privilege levels are described. 3. Provisions for Framed Management Framed Management means management of an entity by means of a non- interactive, non-CLI-style method. The management information is typically formatted in a binary or textual encoding, such as HTML, XML or ASN.1/BER. While remote management by interactive CLI sessions is carried over protocols, such as Telnet, Rlogin, and SSH, these protocols are primarily for the delivery of terminal, or pseudo-TTY services. Note that, in this context, "SSH" means the remote terminal service of SSH, not the more general protected transport service of SSH. Command Line Interface, Menu Interface, or other text-based (e.g. ASCII or UTF-8) terminal emulation interfaces are not considered to be Framed Management protocols, as used in this document. Examples of Framed Management protocols include web-based management (HTML over HTTP or HTTPS), NETCONF (XML over HTTP/BEEP/ SOAP) and SNMP (SMI over ASN.1/BER). To support the authorization and provisioning of Framed Management access to managed entities, this document introduces a new value for the Service-Type attribute [RFC2865], and one new attribute. The new value for the Service-Type attribute is Framed-Management. The definition of this service is the provisioning of remote device Nelson & Weber Expires August 27, 2008 [Page 3]
Internet-Draft RADIUS NAS-Management Authorization February 2008 management via a Framed Management protocol, as described in this section. The new attribute is Framed-Management-Protocol, the value of which specifies a particular protocol for use in the remote management session. 4. Provisions for Granular Management Access Rights Two new attributes are introduced in this document in support of granular management access rights or command privilege levels. The Management-Policy-Id attribute is used to contain the name of a management access rights policy of local scope. This attribute functions similarly to Filter-ID. It is a string variable containing a policy name of local scope. The provisioning of the rules invoked by application of this management policy is by means outside the scope of this document, such as by MIB objects. The local application of the Management-Policy-Id within the managed entity may take the form of (a) one of an enumeration of command privilege levels, (b) a mapping into an SNMP Access Control Model, such as the View Based Access Control Model (VACM) table [RFC3415], or (c) some other set of management access policy rules that is mutually understood by the managed entity and the remote management application. Examples are given in Section 9. The Management-Privilege-Level attribute is used to contain an Integer-valued management privilege level indication. This attribute serves to modify or augment the management permissions bestowed by the NAS-Prompt Service-Type, and thus applies to CLI management interfaces. 5. Provisions for Secure Management Access To provide for the provisioning of secure management methods, via various secure transport protocols, one new attribute is introduced in this document, Management-Transport-Protection. The value of this attribute indicates the level of secure transport protocol protection that is required for the provisioning of NAS-Prompt, Administrative or Framed-Management service. 6. Current Practice for CLI Management Access To aid in understanding of this document, it is helpful to review current RADIUS implementation practice with regard to the provisioning of management access to the Command Line Interface (CLI) Nelson & Weber Expires August 27, 2008 [Page 4]
Internet-Draft RADIUS NAS-Management Authorization February 2008 of the NAS. The RADIUS Service-Type values of NAS-Prompt and Administrative originally applied to access via a physical console port of the NAS, most often a serial port. Remote access to the CLI of the NAS over remote terminal protocols such as Telnet, Rlogin and SSH, has been available in many NAS implementations for many years. In order to distinguish local, physical console, access from remote access, the NAS-Port-Type attribute is generally included in Access- Request and Access-Accept messages, along with the Service-Type, to indicate the form of access. A NAS-Port-Type of Async (0) is used to signify a local serial port connection, while a value of Virtual (5) is used to signify a remote connection, via a remote terminal protocol. This usage provides no selectivity among the various available remote terminal protocols (e.g. Telnet, Rlogin, SSH, etc.). It is expected that the additional features of this document with respect to remote access to the CLI of a NAS will be used in conjunction with the existing practice regarding the NAS-Port-Type attribute described in this section. 7. New Values for Existing RADIUS Attributes 7.1. Service-Type This document defines one new value for an existing RADIUS attribute. The Service-Type attribute is defined in Section 5.6 of RFC 2865 [RFC2865], as follows: This Attribute indicates the type of service the user has requested, or the type of service to be provided. It MAY be used in both Access-Request and Access-Accept packets. A NAS is not required to implement all of these service types, and MUST treat unknown or unsupported Service-Types as though an Access- Reject had been received instead. A summary of the Service-Type Attribute format is shown below. The fields are transmitted from left to right. Nelson & Weber Expires August 27, 2008 [Page 5]
Internet-Draft RADIUS NAS-Management Authorization February 2008 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Value +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Value (cont) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type 6 for Service-Type. Length 6 Value The Value field is four octets. This document defines one new value for the Service-Type attribute. (TBA) Framed-Management The semantics of the Framed-Management service are as follows: Framed-Management A framed management protocol session should be started on the NAS. 8. New RADIUS Attributes This document defines four new RADIUS attributes related to remote management authorization. 8.1. Framed-Management-Protocol The Framed-Management-Protocol attribute indicates the application- layer management protocol to be used for framed management access. It MAY be used in both Access-Request and Access-Accept packets. This attribute is used in conjunction with a Service-Type of Framed- Management. A summary of the Framed-Management-Protocol attribute format is shown below. The fields are transmitted from left to right. Nelson & Weber Expires August 27, 2008 [Page 6]
Internet-Draft RADIUS NAS-Management Authorization February 2008 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Value +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Value (cont) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type (TBA) for Framed-Management-Protocol. Length 6 Value The Value field is four octets. 1 SNMP 2 Web-based 3 NETCONF 4 FTP 5 TFTP 6 CP The acronyms used in the above table expand as follows: o SNMP: Simple Network Management Protocol. o Web-based: Use of an embedded web server in the NAS for management via a generic web browser client. The interface presented to the administrator may be graphical, tabular or textual. The protocol is HTML over HTTP. The protocol may optionally be HTML over HTTPS, i.e. using HTTP over TLS. o NETCONF: Management via the NETCONF protocol using XML over supported transports (e.g. HTTP, BEEP, SOAP). As secure transport profiles are defined for NETCONF, the list of transport options may expand. o FTP: File Transfer Protocol, used to transfer configuration files to and from the NAS. Nelson & Weber Expires August 27, 2008 [Page 7]
Internet-Draft RADIUS NAS-Management Authorization February 2008 o TFTP: Trivial File Transfer Protocol, used to transfer configuration files to and from the NAS. o CP: CP (file copy) protocol, used to transfer configuration files to and from the NAS. 8.2. Management-Transport-Protection The Management-Transport-Protection attribute specifies whether a secure transport protocol (e.g. SSH, TLS, DTLS, etc.) is required for use with the associated framed or non-framed management access session. The value of this attribute specifies the minimum level of protection that is required from the protected transport. The protected transport MAY provide a greater level of protection than is called for by the value of Management-Transport-Protection. When a secure form of non-framed management access is specified, it means that the remote terminal session is encapsulated in some form of protected transport, or tunnel. It may also mean that an explicit secure mode of operation is required, when the framed management protocol contains an intrinsic secure mode of operation. The Management-Transport-Protocol attribute does not apply to CLI access via a local serial port, or other non-remote connection. When a secure form of framed management access is specified, it means that the application-layer management protocol is encapsulated in some form of protected transport, or tunnel. It may also mean that an explicit secure mode of operation is required, when the framed management protocol contains an intrinsic secure mode of operation. A value of "No Protection (1)" indicates that a secure transport protocol is not required, and that the NAS SHOULD accept a connection over any transport associated with the application layer management protocol. Note that the definitions of management application to transport bindings are defined in the relevant documents that specify those management application protocols. The same "No Protection" semantics are conveyed by omitting this attribute from an Access- Accept packet. Note that specific protected transport protocols, cipher suites, key agreement methods, or authentication methods are not specified by this attribute. Such provisioning is beyond the scope of this document. A summary of the Management-Transport-Protection Attribute format is shown below. The fields are transmitted from left to right. Nelson & Weber Expires August 27, 2008 [Page 8]
Internet-Draft RADIUS NAS-Management Authorization February 2008 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Value +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Value (cont) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type (TBA) for Management-Transport-Protection. Length 6 Value The Value field is four octets. 1 No-Protection 2 Integrity-Protection 3 Confidentiality-Protection 4 Integrity-Confidentiality-Protection The acronyms used in the above table expand as follows: o No-Protection: No transport protection is required. Accept connections via any supported transport. o Integrity-Protection: The management session requires protection in a secure or protected transport, that is supported by the management access protocol and implementation. The secure transport MUST provide Integrity Protection. o Confidentiality-Protection: The management session requires protection in a secure or protected transport, that is supported by the management access protocol and implementation. The secure transport MUST provide Confidentiality Protection. o Integrity-Confidentiality-Protection: The management session requires protection in a secure or protected transport, that is supported by the management access protocol and implementation. The secure transport MUST provide both Integrity Protection and Confidentiality Protection. Nelson & Weber Expires August 27, 2008 [Page 9]
Internet-Draft RADIUS NAS-Management Authorization February 2008 8.3. Management-Policy-Id The Management-Policy-Id attribute indicates the name of the management access policy for this user. Zero or more Management- Policy-Id attributes MAY be sent in an Access-Accept packet. Identifying a policy by name allows the policy to be used on different NASes without regard to implementation details. Multiple forms of management access rules may be expressed by the underlying named policy, the definition of which is beyond the scope of this document. The management access policy MAY be applied contextually, based on the nature of the management access method. For example, some named policies may only be valid for application to NAS-Prompt services and some other policies may only be valid for application to SMNPv3 services. The management access policy named in this attribute, received in an Access-Accept packet, MUST be applied to the session authorized by the Access-Accept. If the NAS supports this attribute, but the policy name is unknown, or the policy rules are incorrectly formatted, the NAS MUST treat the packet as if it had been an Access- Reject. No precedence relationship is defined for multiple occurrences of the Management-Policy-Id attribute. NAS behavior in such cases is not predictable. Therefore, two or more occurrences of this attribute SHOULD NOT be included in a single service provisioning message, such as Access-Accept or CoA. The content of the Management-Policy-Id attribute is expected to be the name of a management access policy of local significance to the NAS, within a flat namespace of significance to the NAS. In this regard, the behavior is similar to that for the Filter-Id attribute. The policy names and rules are committed to the local configuration store of the NAS, and are provisioned by means beyond the scope of this document, such as via SNMP, NETCONF or CLI. Overloading or subdividing this flat name with multi-part specifiers (e.g. Access=remote, Level=7) is likely to lead to poor multi-vendor interoperability and SHOULD NOT be utilized. If a simple flat policy name is not sufficient to the anticipated use case, it is RECOMMEDNED that a Vendor Specific Attribute be used instead, rather than overloading the semantics of Management-Policy-Id. A summary of the Management-Policy-Id Attribute format is shown below. The fields are transmitted from left to right. Nelson & Weber Expires August 27, 2008 [Page 10]
Internet-Draft RADIUS NAS-Management Authorization February 2008 0 1 2 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- | Type | Length | Text ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- Type (TBA) for Management-Policy-Id. Length >= 3 Text The Text field is one or more octets, and its contents are implementation dependent. It is intended to be human readable and MUST NOT affect operation of the protocol. It is recommended that the message contain UTF-8 encoded 10646 [RFC3629] characters. 8.4. Management-Privilege-Level The Management-Privilege-Level attribute indicates the integer Privilege level to be assigned for management access for the authenticated user. Many NASes provide the notion of differentiated management privilege levels denoted by an integer value. The specific access rights conferred by each value are implementation dependent. It MAY be used in both Access-Request and Access-Accept packets. The management access level indicated in this attribute, received in an Access-Accept packet, MUST be applied to the session authorized by the Access-Accept. If the NAS supports this attribute, but the privilege level is unknown, the NAS MUST treat the packet as if it had been an Access-Reject. A summary of the Management-Privilege-Level attribute format is show below. The fields are transmitted from left to right. Nelson & Weber Expires August 27, 2008 [Page 11]
Internet-Draft RADIUS NAS-Management Authorization February 2008 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Value +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Value (cont) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type (TBA) for Management-Privilege-Level. Length 6 Value The Value field is an Integer, denoting a management privilege level. It is RECOMMENDED to limit use of Management-Privilege-Level to sessions where Service-Type is NAS-Prompt (not Administrative). Typically, NASes treat NAS-Prompt as the minimal privilege CLI service and Administrative as full privilege. Using the Management- Privilege-Level attribute with a Service-Type attribute with a value of NAS-Prompt will have the effect of increasing the minimum privilege level. Conversely, it is NOT RECOMMENDED to use this attribute with a Service-Type of Administrative, which may require decreasing the maximum privilege level. It is NOT RECOMMENDED to use Management-Privilege-Level in combination with Management-Policy-Id or for management access methods other than interactive CLI. The behavior resulting from such an overlay of management access control provisioning is not defined by this document, and in the absence of further specification is likely to lead to unexpected behaviors, especially in multi-vendor environments. 9. Examples of attribute groupings 1. Unprotected CLI access, via local console or remote terminal access, to the "super-user" access level: Nelson & Weber Expires August 27, 2008 [Page 12]
Internet-Draft RADIUS NAS-Management Authorization February 2008 * Service-Type (6) = Administrative (6) * Management-Transport-Protection (xx) = No-Protection (1) 2. CLI access, via a fully-protected secure remote terminal service to the non-privileged user access level: * Service-Type (6) = NAS-Prompt (7) * Management-Transport-Protection (xx) = Integrity- Confidentiality-Protection (4) 3. CLI access, via a confidentiality protected secure remote terminal service of SSH, to a custom management access level, defined by a policy: * Service-Type (6) = NAS-Prompt (7) * Transport-Protocol (xx) = SSH (2) * Management-Transport-Protection (xx) = Confidentiality- Protection (3) * Management-Policy-Id (xx) = "Network Administrator" 4. CLI access, via a fully-protected secure remote terminal service of SSH, with a management privilege level of 15: * Service-Type (6) = NAS-Prompt (7) * Management-Transport-Protection (xx) = SSH (2) * Management-Transport-Protection (xx) = Integrity- Confidentiality-Protection (4) * Management-Privilege-Level (xx) = 15 5. SNMPv3 access, using an Access Control Model specifier, such as a custom VACM View, defined by a policy: * Service-Type (6) = Framed-Management (xx) * Framed-Management-Protocol (xx) = SNMP (1) * Management-Policy-Id (xx) = "SNMP Network Administrator View" Note that there is currently no standardized way of implementing this management policy mapping within SNMPv3. Such mechanisms are implementation specific. 6. SNMP secure Transport Model access, using the Secure Shell Transport Model: * Service-Type (6) = Framed-Management (xx) * Framed-Management-Protocol (xx) = SNMP (1) * Transport-Protocol (xx) = SSH (2) Nelson & Weber Expires August 27, 2008 [Page 13]
Internet-Draft RADIUS NAS-Management Authorization February 2008 * Management-Transport-Protection (xx) = Integrity- Confidentiality-Protection (4) 7. Web (HTTP) access: * Service-Type (6) = Framed-Management (xx) * Framed-Management-Protocol (xx) = Web-based (2) 8. Secure web access, using a custom management access level, defined by a policy: * Service-Type (6) = Framed-Management (xx) * Framed-Management-Protocol (xx) = Web-based (2) * Management-Transport-Protection (xx) = Confidentiality- Protection (3) * Management-Policy-Id (xx) = "Read-only web access" 10. Diameter Translation Considerations When used in Diameter, the attributes defined in this specification can be used as Diameter AVPs from the Code space 1-255 (RADIUS attribute compatibility space). No additional Diameter Code values are therefore allocated. The data types and flag rules for the attributes are as follows: +---------------------+ | AVP Flag rules | |----+-----+----+-----|----+ | | |SHLD| MUST| | Attribute Name Value Type |MUST| MAY | NOT| NOT|Encr| ---------------------------------|----+-----+----+-----|----| Service-Type (new value) | | | | | | Enumerated | M | P | | V | Y | Framed-Management-Protocol | | | | | | Enumerated | M | P | | V | Y | Management-Transport-Protection | | | | | | Enumerated | M | P | | V | Y | Management-Policy-Id | | | | | | UTF8String | M | P | | V | Y | Management-Privilege-Level | | | | | | Integer | M | P | | V | Y | ---------------------------------|----+-----+----+-----|----| The attributes in this specification have no special translation requirements for Diameter to RADIUS or RADIUS to Diameter gateways; Nelson & Weber Expires August 27, 2008 [Page 14]
Internet-Draft RADIUS NAS-Management Authorization February 2008 they are copied as is, except for changes relating to headers, alignment, and padding. See also [RFC3588] Section 4.1 and [RFC4005] Section 9. What this specification says about the applicability of the attributes for RADIUS Access-Request packets applies in Diameter to AA-Request [RFC4005]. What is said about Access-Accept applies in Diameter to AA-Answer messages that indicate success. 11. RADIUS Proxy Operation Considerations The device management access authorization attributes presented in this document present certain considerations when used in RADIUS proxy environments. These considerations are not different from those that exist in RFC 2865 [RFC2865] with respect to the Service- Type attribute values of Administrative and NAS-Prompt. Most RADIUS proxy environments are also multi-party environments. In multi-party proxy environments it is important to distinguish which entities have the authority to provision management access to the edge devices, i.e. NASes, and which entities only have authority to provision network access services of various sorts. It may be important that operators of the NAS are able to ensure that access to the CLI, or other management interfaces, of the NAS are only provisioned to their own employees or contractors. One way for the NAS to enforce this requirement is to use only local, non-proxy RADIUS servers for management access requests. Proxy RADIUS servers could be used for non-management access requests, based on local policy. This "bifurcation" of RADIUS authentication and authorization is a simple case of separate administrative realms. The NAS may be designed so as to maintain separate lists of RADIUS servers for management AAA use and for non-management AAA use. An alternate method of enforcing this requirement would be for the first-hop RADIUS proxy server, operated by the owner of the NAS, to filter out any RADIUS attributes that provision management access rights that originate from "up-stream" proxy servers not operated by the NAS owner. Access-Accept messages that provision such locally un-authorized management access MAY be treated as if they were an Access-Reject by the first-hop proxy server. These issues are not of concern when all the RADIUS servers, local and proxy, used by the NAS are under the sole administrative control of the NAS owner. Nelson & Weber Expires August 27, 2008 [Page 15]
Internet-Draft RADIUS NAS-Management Authorization February 2008 12. Table of Attributes The following table provides a guide to which attributes may be found in which kinds of packets, and in what quantity. Access- Request Accept Reject Challenge # Attribute --------------------------------------------------------------------- 0-1 0-1 0 0 TBA Framed-Management-Protocol 0-1 0-1 0 0 TBA Management-Transport-Protection 0 0-1 0 0 TBA Management-Policy-Id 0 0-1 0 0 TBA Management-Privilege-Level Accounting- Request Response # Attribute --------------------------------------------------------------------- 0-1 0 TBA Framed-Management-Protocol 0-1 0 TBA Management-Transport-Protection 0-1 0 TBA Management-Policy-Id 0-1 0 TBA Management-Privilege-Level The following table defines the meaning of the above table entries. 0 This attribute MUST NOT be present in a packet. 0+ Zero or more instances of this attribute MAY be present in a packet. 0-1 Zero or one instance of this attribute MAY be present in a packet. 1 Exactly one instance of this attribute MUST be present in a packet. 13. IANA Considerations Note to RFC Editor: Remove this paragraph upon publication as an RFC. This document contains placeholders ("TBA") for assigned numbers within the RADIUS Attributes registry, to be assigned by IANA at the time this document should be published as an RFC. Assignment of additional enumerated values for RADIUS attributes defined in this document are to be processed as described in [RFC3575], subject to the additional minimum requirement that a published specification is always required. 14. Security Considerations This specification describes the use of RADIUS and Diameter for Nelson & Weber Expires August 27, 2008 [Page 16]
Internet-Draft RADIUS NAS-Management Authorization February 2008 purposes of authentication, authorization and accounting for management access to devices within networks. RADIUS threats and security issues for this application are described in [RFC3579] and [RFC3580]; security issues encountered in roaming are described in [RFC2607]. For Diameter, the security issues relating to this application are described in [RFC4005] and [RFC4072]. This document specifies new attributes that can be included in existing RADIUS packets, which may be protected as described in [RFC3579] and [RFC3576]. In Diameter, the attributes are protected as specified in [RFC3588]. See those documents for a more detailed description. The security mechanisms supported in RADIUS and Diameter are focused on preventing an attacker from spoofing packets or modifying packets in transit. They do not prevent an authorized RADIUS/Diameter server or proxy from inserting attributes with malicious intent. Any of the attributes described in this memo, with the exception of Service-Type, may not be understood by the NAS which receives it. A legacy NAS not compliant with this specification may silently discard these attributes while permitting the user to access the management interface(s) of the NAS. This can lead to users improperly receiving unauthorized management access to the NAS, or access with greater levels of access rights than were intended. RADIUS servers SHOULD attempt to ascertain whether or not the NAS supports these attributes before sending them in an Access-Accept. It is possible that certain NAS implementations may not be able to determine the protection properties of the underlying transport protocol as specified by the Management-Transport-Protection attribute. This may be a limitation of the standard application programming interface of the underlying transport implementation or of the integration of the transport into the NAS implementation. In either event, NASes conforming to this specification, which cannot determine the protection state of the remote management connection SHOULD treat an Access-Accept message containing a Management- Transport-Protocol attribute containing a value other than No- Protection (1) as if it were an Access-Reject message, unless specifically overridden by local policy configuration. 15. Acknowledgments Many thanks to all reviewers, including Barney Wolff, Mauricio Sanchez, David Harrington, Juergen Schoenwaelder, Bernard Aboba. Nelson & Weber Expires August 27, 2008 [Page 17]
Internet-Draft RADIUS NAS-Management Authorization February 2008 16. References 16.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000. [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO 10646", STD 63, RFC 3629, November 2003. 16.2. Informative References [RFC2607] Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy Implementation in Roaming", RFC 2607, June 1999. [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000. [RFC3415] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)", STD 62, RFC 3415, December 2002. [RFC3575] Aboba, B., "IANA Considerations for RADIUS (Remote Authentication Dial In User Service)", RFC 3575, July 2003. [RFC3576] Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B. Aboba, "Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)", RFC 3576, July 2003. [RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)", RFC 3579, September 2003. [RFC3580] Congdon, P., Aboba, B., Smith, A., Zorn, G., and J. Roese, "IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines", RFC 3580, September 2003. [RFC3588] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J. Arkko, "Diameter Base Protocol", RFC 3588, September 2003. [RFC4005] Calhoun, P., Zorn, G., Spence, D., and D. Mitton, "Diameter Network Access Server Application", RFC 4005, Nelson & Weber Expires August 27, 2008 [Page 18]
Internet-Draft RADIUS NAS-Management Authorization February 2008 August 2005. [RFC4072] Eronen, P., Hiller, T., and G. Zorn, "Diameter Extensible Authentication Protocol (EAP) Application", RFC 4072, August 2005. Authors' Addresses David B. Nelson Elbrys Networks, Inc. 75 Rochester Avenue, Unit 3 Portsmouth, NH 03801 USA Email: d.b.nelson@comcast.net Greg Weber Email: gdweber@gmail.com Nelson & Weber Expires August 27, 2008 [Page 19]
Internet-Draft RADIUS NAS-Management Authorization February 2008 Full Copyright Statement Copyright (C) The IETF Trust (2008). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Acknowledgment Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA). Nelson & Weber Expires August 27, 2008 [Page 20]
