Network Working Group D. Nelson
Internet-Draft Elbrys Networks, Inc.
Intended status: Standards Track G. Weber
Expires: December 14, 2008 Individual Contributor
June 12, 2008
Remote Authentication Dial-In User Service (RADIUS) Authorization for
Network Access Server (NAS) Management
draft-ietf-radext-management-authorization-03.txt
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on December 14, 2008.
Abstract
This document describes Remote Authentication Dial-In User Service
(RADIUS) attributes for the authorization and service provisioning of
Network Access Servers (NASes). Both local and remote management are
supported, with granular access rights and management privileges.
Specific provisions are made for remote management via framed
management protocols, and for specification of a protected transport
protocol.
Nelson & Weber Expires December 14, 2008 [Page 1]
Internet-Draft RADIUS NAS-Management Authorization June 2008
Table of Contents
1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Introduction and Rationale . . . . . . . . . . . . . . . . . . 3
3. Provisions for Framed Management . . . . . . . . . . . . . . . 3
4. Provisions for Granular Management Access Rights . . . . . . . 4
5. Provisions for Secure Management Access . . . . . . . . . . . 4
6. Current Practice for CLI Management Access . . . . . . . . . . 4
7. New Values for Existing RADIUS Attributes . . . . . . . . . . 5
7.1. Service-Type . . . . . . . . . . . . . . . . . . . . . . . 5
8. New RADIUS Attributes . . . . . . . . . . . . . . . . . . . . 5
8.1. Framed-Management-Protocol . . . . . . . . . . . . . . . . 5
8.2. Management-Transport-Protection . . . . . . . . . . . . . 8
8.3. Management-Policy-Id . . . . . . . . . . . . . . . . . . . 11
8.4. Management-Privilege-Level . . . . . . . . . . . . . . . . 12
9. Examples of attribute groupings . . . . . . . . . . . . . . . 13
10. Diameter Translation Considerations . . . . . . . . . . . . . 15
11. RADIUS Proxy Operation Considerations . . . . . . . . . . . . 16
12. Table of Attributes . . . . . . . . . . . . . . . . . . . . . 17
13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18
14. Security Considerations . . . . . . . . . . . . . . . . . . . 19
15. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 20
16. References . . . . . . . . . . . . . . . . . . . . . . . . . . 20
16.1. Normative References . . . . . . . . . . . . . . . . . . . 20
16.2. Informative References . . . . . . . . . . . . . . . . . . 20
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 22
Intellectual Property and Copyright Statements . . . . . . . . . . 24
Nelson & Weber Expires December 14, 2008 [Page 2]
Internet-Draft RADIUS NAS-Management Authorization June 2008
1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
This document uses terminology from RFC 2865 [RFC2865] and RFC 2866
[RFC2866].
2. Introduction and Rationale
The remote management Service-Types defined in RFC 2865 [RFC2865]
include NAS-Prompt and Administrative. Both of these services
provide access to the interactive, text-based, Command Line Interface
(CLI) of the managed entity. Current deployments of network
equipment include in the managed entity non-CLI, framed-protocol
forms of management, such as web browser based management, SNMP, and
NETCONF. In addition, network devices often support more privilege
levels for management access than the two levels supported by NAS-
Prompt (non-privileged) and Administrative (privileged). To address
these issues, attributes for framed management protocols, management
protocol security levels, and management access privilege levels are
described.
3. Provisions for Framed Management
Framed Management means management of an entity by means of a non-
interactive, non-CLI-style method. The management information is
typically formatted in a binary or textual encoding, such as HTML,
XML or ASN.1/BER. While remote management by interactive CLI
sessions is carried over protocols, such as Telnet, Rlogin, and the
remote terminal service of SSH, these protocols are primarily for the
delivery of terminal, or pseudo-TTY services. Command Line
Interface, Menu Interface, or other text-based (e.g. ASCII or UTF-8)
terminal emulation interfaces are not considered to be Framed
Management protocols, as used in this document. Examples of Framed
Management protocols include web-based management (HTML over HTTP or
HTTPS), NETCONF (XML over SSH/BEEP/SOAP) and SNMP (SMI over ASN.1/
BER).
To support the authorization and provisioning of Framed Management
access to managed entities, this document introduces a new value for
the Service-Type Attribute [RFC2865], and one new attribute. The new
value for the Service-Type Attribute is Framed-Management. The
definition of this service is the provisioning of remote device
management via a Framed Management protocol, as described in this
Nelson & Weber Expires December 14, 2008 [Page 3]
Internet-Draft RADIUS NAS-Management Authorization June 2008
section. The new attribute is Framed-Management-Protocol, the value
of which specifies a particular protocol for use in the remote
management session.
4. Provisions for Granular Management Access Rights
Two new attributes are introduced in this document in support of
granular management access rights or command privilege levels.
The Management-Policy-Id Attribute is used to contain the name of a
management access rights policy of local scope. This attribute
functions similarly to the Filter-ID Attribute. It is a text string
variable containing a policy name of local scope. The provisioning
of the rules invoked by application of this management policy is by
means outside the scope of this document, such as by MIB objects.
The local application of the Management-Policy-Id within the managed
entity may take the form of (a) one of an enumeration of command
privilege levels, (b) a mapping into an SNMP Access Control Model,
such as the View Based Access Control Model (VACM) [RFC3415], or (c)
some other set of management access policy rules that is mutually
understood by the managed entity and the remote management
application. Examples are given in Section 9.
The Management-Privilege-Level Attribute is used to contain an
integer-valued management privilege level indication. This attribute
serves to modify or augment the management permissions bestowed by
the NAS-Prompt Service-Type, and thus applies to CLI management
interfaces.
5. Provisions for Secure Management Access
To provide for the provisioning of secure management methods, via
various secure transport protocols, one new attribute is introduced
in this document, Management-Transport-Protection. The value of this
attribute indicates the minimum level of secure transport protocol
protection that is required for the provisioning of NAS-Prompt,
Administrative or Framed-Management service.
6. Current Practice for CLI Management Access
It is helpful to review current RADIUS implementation practice with
regard to the provisioning of management access to the Command Line
Interface (CLI) of the NAS. The RADIUS Service-Type values of NAS-
Prompt and Administrative originally applied to access via a physical
Nelson & Weber Expires December 14, 2008 [Page 4]
Internet-Draft RADIUS NAS-Management Authorization June 2008
console port of the NAS, most often a serial port. Remote access to
the CLI of the NAS over remote terminal protocols such as Telnet,
Rlogin and the remote terminal service of SSH, has been available in
many NAS implementations for many years. In order to distinguish
local, physical, console access from remote access, the NAS-Port-Type
Attribute is generally included in Access-Request and Access-Accept
messages, along with the Service-Type, to indicate the form of
access. A NAS-Port-Type of Async (0) is used to signify a local
serial port connection, while a value of Virtual (5) is used to
signify a remote connection, via a remote terminal protocol. This
usage provides no selectivity among the various available remote
terminal protocols (e.g. Telnet, Rlogin, SSH, etc.).
It is expected that the additional features of this document with
respect to remote access to the management interfaces of a NAS will
be used in conjunction with the existing practice regarding the NAS-
Port-Type Attribute described in this section.
7. New Values for Existing RADIUS Attributes
7.1. Service-Type
The Service-Type Attribute is defined in Section 5.6 of RFC 2865
[RFC2865]. This document defines a new value of the Service-Type
Attribute, as follows:
(TBA-1) Framed-Management
The semantics of the Framed-Management service are as follows:
Framed-Management A framed management protocol session should
be started on the NAS.
8. New RADIUS Attributes
This document defines four new RADIUS attributes related to remote
management authorization.
8.1. Framed-Management-Protocol
The Framed-Management-Protocol Attribute indicates the application-
layer management protocol to be used for Framed Management access.
It MAY be used in both Access-Request and Access-Accept packets.
This attribute is used in conjunction with a Service-Type of Framed-
Management.
Nelson & Weber Expires December 14, 2008 [Page 5]
Internet-Draft RADIUS NAS-Management Authorization June 2008
It is RECOMMENDED that the NAS include an appropriately valued
Framed-Management-Protocol Attribute in Access-Request packet,
indicating the type of management access being requested. It is
further RECOMMENDED that the NAS include a Service-Type Attribute
with the value Framed-Management (TBA-1) in the same Access-Request
packet. The RADIUS Server MAY use these hint attributes in making
its authorization decision.
The RADIUS Server MAY include a Framed-Management-Protocol Attribute
in an Access-Accept packet that also includes a Service-Type
Attribute with a value of Framed-Management, when the RADIUS Server
chooses to enforce a management access policy for the authenticated
user, that dictates one form of management access in preference to
others.
When a NAS receives a Framed-Management-Protocol Attribute in an
Access-Accept packet, it MUST deliver that specified form of
management access, or disconnect the session. If the NAS does not
support the provisioned management application-layer protocol, or the
management access protocol requested by the user does not match that
of the Framed-Management-Protocol Attribute in the Access-Accept
packet, the NAS MUST treat the response packet as if it had been an
Access-Reject.
A summary of the Framed-Management-Protocol Attribute format is shown
below. The fields are transmitted from left to right.
Nelson & Weber Expires December 14, 2008 [Page 6]
Internet-Draft RADIUS NAS-Management Authorization June 2008
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Value
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
(TBA-2) for Framed-Management-Protocol.
Length
6
Value
The Value field is four octets.
1 SNMP
2 Web-based
3 NETCONF
4 FTP
5 TFTP
6 SFTP
7 RCP
8 SCP
All other values are reserved for IANA allocation subject to the
provisions of Section 13.
The acronyms used in the above table expand as follows:
o SNMP: Simple Network Management Protocol. [RFC3411], [RFC3412],
[RFC3413], [RFC3414], [RFC3415], [RFC3416], [RFC3417], [RFC3418]
o Web-based: Use of an embedded web server in the NAS for management
via a generic web browser client. The interface presented to the
administrator may be graphical, tabular or textual. The protocol
is HTML over HTTP. The protocol may optionally be HTML over
HTTPS, i.e. using HTTP over TLS. (http://www.w3.org/TR/html),
[RFC2616]
o NETCONF: Management via the NETCONF protocol using XML over
supported transports (e.g. SSH, BEEP, SOAP). As secure transport
profiles are defined for NETCONF, the list of transport options
Nelson & Weber Expires December 14, 2008 [Page 7]
Internet-Draft RADIUS NAS-Management Authorization June 2008
may expand. [RFC4741], [RFC4742], [RFC4743], [RFC4744]
o FTP: File Transfer Protocol, used to transfer configuration files
to and from the NAS. [RFC0959]
o TFTP: Trivial File Transfer Protocol, used to transfer
configuration files to and from the NAS. [RFC1350]
o SFTP: SSH File Transfer Protocol, used to securely transfer
configuration files to and from the NAS. SFTP uses the services
of SSH. (http://tools.ietf.org/html/draft-ietf-secsh-filexfer-13)
o RCP: Remote CoPy file copy utility (Unix-based), used to transfer
configuration files to and from the NAS.
o SCP: Secure CoPy file copy utility (Unix-based), used to transfer
configuration files to and from the NAS.
8.2. Management-Transport-Protection
The Management-Transport-Protection Attribute specifies whether a
secure transport protocol (e.g. SSH, TLS, DTLS, etc.) is required
for use with the associated framed or non-framed management access
session. The value of this attribute specifies the minimum level of
protection that is required from the protected transport. The
protected transport MAY provide a greater level of protection than is
called for by the value of Management-Transport-Protection.
When a secure form of non-framed management access is specified, it
means that the remote terminal session is encapsulated in some form
of protected transport, or tunnel. It may also mean that an explicit
secure mode of operation is required, when the framed management
protocol contains an intrinsic secure mode of operation. The
Management-Transport-Protection Attribute does not apply to CLI
access via a local serial port, or other non-remote connection.
When a secure form of framed management access is specified, it means
that the application-layer management protocol is encapsulated in
some form of protected transport, or tunnel. It may also mean that
an explicit secure mode of operation is required, when the framed
management protocol contains an intrinsic secure mode of operation.
A value of "No Protection (1)" indicates that a secure transport
protocol is not required, and that the NAS SHOULD accept a connection
over any transport associated with the application layer management
protocol. The definitions of management application to transport
bindings are defined in the relevant documents that specify those
Nelson & Weber Expires December 14, 2008 [Page 8]
Internet-Draft RADIUS NAS-Management Authorization June 2008
management application protocols. The same "No Protection" semantics
are conveyed by omitting this attribute from an Access-Accept packet.
Specific protected transport protocols, cipher suites, key agreement
methods, or authentication methods are not specified by this
attribute. Such provisioning is beyond the scope of this document.
It is RECOMMENDED that the NAS include an appropriately valued
Management-Transport-Protection Attribute in Access-Request packet,
indicating the level of transport protection for the management
access being requested, when that information is available to the
RADIUS Client. The RADIUS Server MAY use this hint attribute in
making its authorization decision.
The RADIUS Server MAY include a Management-Transport-Protection
Attribute in an Access-Accept packet that also includes a Service-
Type Attribute with a value of Framed-Management, when the RADIUS
Server chooses to enforce an management access security policy for
the authenticated user, that dictates a minimum level of transport
security.
When a NAS receives a Management-Transport-Protection Attribute in an
Access-Accept packet, it MUST deliver the management access over a
transport with equal or better protection characteristics, or
disconnect the session. If the NAS does not support protected
management transport protocols, or the level of protection available
does not match that of the Management-Transport-Protection Attribute
in the Access-Accept packet, the NAS MUST treat the response packet
as if it had been an Access-Reject.
A summary of the Management-Transport-Protection Attribute format is
shown below. The fields are transmitted from left to right.
Nelson & Weber Expires December 14, 2008 [Page 9]
Internet-Draft RADIUS NAS-Management Authorization June 2008
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Value
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
(TBA-3) for Management-Transport-Protection.
Length
6
Value
The Value field is four octets.
1 No-Protection
2 Integrity-Protection
3 Integrity-Confidentiality-Protection
All other values are reserved for IANA allocation subject to the
provisions of Section 13.
The names used in the above table are elaborated as follows:
o No-Protection: No transport protection is required. Accept
connections via any supported transport.
o Integrity-Protection: The management transport MUST provide
Integrity Protection, i.e. protection from unauthorized
modification, using a cryptographic checksum.
o Integrity-Confidentiality-Protection: The management transport
MUST provide both Integrity Protection and Confidentiality
Protection, i.e. protection from unauthorized modification, using
a cryptographic checksum, and protection from unauthorized
disclosure, using encryption.
The configuration or negotiation of acceptable algorithms, modes and
credentials for the cryptographic protection mechanisms used in
implementing protected management transports is outside the scope of
this document. Many such mechanisms have standardized methods of
configuration and key management.
Nelson & Weber Expires December 14, 2008 [Page 10]
Internet-Draft RADIUS NAS-Management Authorization June 2008
8.3. Management-Policy-Id
The Management-Policy-Id Attribute indicates the name of the
management access policy for this user. Zero or one Management-
Policy-Id Attributes MAY be sent in an Access-Accept packet.
Identifying a policy by name allows the policy to be used on
different NASes without regard to implementation details.
Multiple forms of management access rules may be expressed by the
underlying named policy, the definition of which is beyond the scope
of this document. The management access policy MAY be applied
contextually, based on the nature of the management access method.
For example, some named policies may only be valid for application to
NAS-Prompt services and some other policies may only be valid for
application to SMNP services.
The management access policy named in this attribute, received in an
Access-Accept packet, MUST be applied to the session authorized by
the Access-Accept. If the NAS supports this attribute, but the
policy name is unknown, or the policy rules are incorrectly
formatted, the NAS MUST treat the response packet as if it had been
an Access-Reject.
No precedence relationship is defined for multiple occurrences of the
Management-Policy-Id Attribute. NAS behavior in such cases is not
predictable. Therefore, two or more occurrences of this attribute
SHOULD NOT be included in a single service provisioning message, such
as Access-Accept or CoA-Request.
The content of the Management-Policy-Id Attribute is expected to be
the name of a management access policy of local significance to the
NAS, within a flat namespace of significance to the NAS. In this
regard, the behavior is similar to that for the Filter-Id Attribute.
The policy names and rules are committed to the local configuration
data-store of the NAS, and are provisioned by means beyond the scope
of this document, such as via SNMP, NETCONF or CLI.
Overloading or subdividing this flat name with multi-part specifiers
(e.g. Access=remote, Level=7) is likely to lead to poor multi-vendor
interoperability and SHOULD NOT be utilized. If a simple flat policy
name is not sufficient to the anticipated use case, it is RECOMMENDED
that a Vendor Specific Attribute be used instead, rather than
overloading the semantics of Management-Policy-Id.
A summary of the Management-Policy-Id Attribute format is shown
below. The fields are transmitted from left to right.
Nelson & Weber Expires December 14, 2008 [Page 11]
Internet-Draft RADIUS NAS-Management Authorization June 2008
0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
| Type | Length | Text ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Type
(TBA-4) for Management-Policy-Id.
Length
>= 3
Text
The Text field is one or more octets, and its contents are
implementation dependent. It is intended to be human readable and
MUST NOT affect operation of the protocol. It is recommended that
the message contain UTF-8 encoded 10646 [RFC3629] characters.
8.4. Management-Privilege-Level
The Management-Privilege-Level Attribute indicates the integer-valued
privilege level to be assigned for management access for the
authenticated user. Many NASes provide the notion of differentiated
management privilege levels denoted by an integer value. The
specific access rights conferred by each value are implementation
dependent. It MAY be used in both Access-Request and Access-Accept
packets.
The management access level indicated in this attribute, received in
an Access-Accept packet, MUST be applied to the session authorized by
the Access-Accept. If the NAS supports this attribute, but the
privilege level is unknown, the NAS MUST treat the response packet as
if it had been an Access-Reject.
A summary of the Management-Privilege-Level Attribute format is show
below. The fields are transmitted from left to right.
Nelson & Weber Expires December 14, 2008 [Page 12]
Internet-Draft RADIUS NAS-Management Authorization June 2008
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Value
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
(TBA-5) for Management-Privilege-Level.
Length
6
Value
The Value field is an Integer, denoting a management
privilege level.
It is RECOMMENDED to limit use of the Management-Privilege-Level
Attribute to sessions where the Service-Type Attribute has a value of
NAS-Prompt (not Administrative). Typically, NASes treat NAS-Prompt
as the minimal privilege CLI service and Administrative as full
privilege. Using the Management-Privilege-Level Attribute with a
Service-Type Attribute having a value of NAS-Prompt will have the
effect of increasing the minimum privilege level. Conversely, it is
NOT RECOMMENDED to use this attribute with a Service-Type of
Administrative, which may require decreasing the maximum privilege
level.
It is NOT RECOMMENDED to use the Management-Privilege-Level Attribute
in combination with a Management-Policy-Id Attribute or for
management access methods other than interactive CLI. The behavior
resulting from such an overlay of management access control
provisioning is not defined by this document, and in the absence of
further specification is likely to lead to unexpected behaviors,
especially in multi-vendor environments.
9. Examples of attribute groupings
1. Unprotected CLI access, via the local console, to the "super-
user" access level:
Nelson & Weber Expires December 14, 2008 [Page 13]
Internet-Draft RADIUS NAS-Management Authorization June 2008
* Service-Type (6) = Administrative (6)
* NAS-Port-Type (61) = Async (0)
* Management-Transport-Protection (TBA-3) = No-Protection (1)
2. Unprotected CLI access, via a remote console, to the "super-user"
access level:
* Service-Type (6) = Administrative (6)
* NAS-Port-Type (61) = Virtual (5)
* Management-Transport-Protection (TBA-3) = No-Protection (1)
3. CLI access, via a fully-protected secure remote terminal service
to the non-privileged user access level:
* Service-Type (6) = NAS-Prompt (7)
* NAS-Port-Type (61) = Virtual (5)
* Management-Transport-Protection (TBA-3) = Integrity-
Confidentiality-Protection (3)
4. CLI access, via a fully-protected secure remote terminal service,
to a custom management access level, defined by a policy:
* Service-Type (6) = NAS-Prompt (7)
* NAS-Port-Type (61) = Virtual (5)
* Management-Transport-Protection (TBA-3) = Integrity-
Confidentiality-Protection (3)
* Management-Policy-Id (TBA-4) = "Network Administrator"
5. CLI access, via a fully-protected secure remote terminal service
of SSH, with a management privilege level of 15:
* Service-Type (6) = NAS-Prompt (7)
* NAS-Port-Type (61) = Virtual (5)
* Management-Transport-Protection (TBA-3) = Integrity-
Confidentiality-Protection (3)
* Management-Privilege-Level (TBA-5) = 15
6. SNMP access, using an Access Control Model specifier, such as a
custom VACM View, defined by a policy:
* Service-Type (6) = Framed-Management (TBA-1)
* NAS-Port-Type (61) = Virtual (5)
* Framed-Management-Protocol (TBA-2) = SNMP (1)
* Management-Policy-Id (TBA-4) = "SNMP Network Administrator
View"
There is currently no standardized way of implementing this
management policy mapping within SNMP. Such mechanisms are the
Nelson & Weber Expires December 14, 2008 [Page 14]
Internet-Draft RADIUS NAS-Management Authorization June 2008
topic of current research.
7. SNMP fully-protected access:
* Service-Type (6) = Framed-Management (TBA-1)
* NAS-Port-Type (61) = Virtual (5)
* Framed-Management-Protocol (TBA-2) = SNMP (1)
* Management-Transport-Protection (TBA-3) = Integrity-
Confidentiality-Protection (3)
8. Web (HTTP/HTML) access:
* Service-Type (6) = Framed-Management (TBA-1)
* NAS-Port-Type (61) = Virtual (5)
* Framed-Management-Protocol (TBA-2) = Web-based (2)
9. Secure web access, using a custom management access level,
defined by a policy:
* Service-Type (6) = Framed-Management (TBA-1)
* NAS-Port-Type (61) = Virtual (5)
* Framed-Management-Protocol (TBA-2) = Web-based (2)
* Management-Transport-Protection (TBA-3) = Integrity-
Confidentiality-Protection (3)
* Management-Policy-Id (TBA-4) = "Read-only web access"
10. Diameter Translation Considerations
When used in Diameter, the attributes defined in this specification
can be used as Diameter AVPs from the Code space 1-255 (RADIUS
attribute compatibility space). No additional Diameter Code values
are therefore allocated. The data types and flag rules for the
attributes are as follows:
Nelson & Weber Expires December 14, 2008 [Page 15]
Internet-Draft RADIUS NAS-Management Authorization June 2008
+---------------------+
| AVP Flag rules |
|----+-----+----+-----|----+
| | |SHLD| MUST| |
Attribute Name Value Type |MUST| MAY | NOT| NOT|Encr|
---------------------------------|----+-----+----+-----|----|
Service-Type (new value) | | | | | |
Enumerated | M | P | | V | Y |
Framed-Management-Protocol | | | | | |
Enumerated | M | P | | V | Y |
Management-Transport-Protection | | | | | |
Enumerated | M | P | | V | Y |
Management-Policy-Id | | | | | |
UTF8String | M | P | | V | Y |
Management-Privilege-Level | | | | | |
Integer | M | P | | V | Y |
---------------------------------|----+-----+----+-----|----|
The attributes in this specification have no special translation
requirements for Diameter to RADIUS or RADIUS to Diameter gateways;
they are copied as is, except for changes relating to headers,
alignment, and padding. See also [RFC3588] Section 4.1 and [RFC4005]
Section 9.
What this specification says about the applicability of the
attributes for RADIUS Access-Request packets applies in Diameter to
AA-Request [RFC4005].
What is said about Access-Accept applies in Diameter to AA-Answer
messages that indicate success.
11. RADIUS Proxy Operation Considerations
The device management access authorization attributes presented in
this document present certain considerations when used in RADIUS
proxy environments. These considerations are not different from
those that exist in RFC 2865 [RFC2865] with respect to the Service-
Type Attribute values of Administrative and NAS-Prompt.
Most RADIUS proxy environments are also multi-party environments. In
multi-party proxy environments it is important to distinguish which
entities have the authority to provision management access to the
edge devices, i.e. NASes, and which entities only have authority to
provision network access services of various sorts.
It may be important that operators of the NAS are able to ensure that
Nelson & Weber Expires December 14, 2008 [Page 16]
Internet-Draft RADIUS NAS-Management Authorization June 2008
access to the CLI, or other management interfaces of the NAS, is only
provisioned to their own employees or contractors. One way for the
NAS to enforce this requirement is to use only local, non-proxy
RADIUS servers for management access requests. Proxy RADIUS servers
could be used for non-management access requests, based on local
policy. This "bifurcation" of RADIUS authentication and
authorization is a simple case of separate administrative realms.
The NAS may be designed so as to maintain separate lists of RADIUS
servers for management AAA use and for non-management AAA use.
An alternate method of enforcing this requirement would be for the
first-hop RADIUS proxy server, operated by the owner of the NAS, to
filter out any RADIUS attributes that provision management access
rights that originate from "up-stream" proxy servers not operated by
the NAS owner. Access-Accept messages that provision such locally
un-authorized management access MAY be treated as if they were an
Access-Reject by the first-hop proxy server.
These issues are not of concern when all the RADIUS servers, local
and proxy, used by the NAS are under the sole administrative control
of the NAS owner.
12. Table of Attributes
The following table provides a guide to which attributes may be found
in which kinds of packets, and in what quantity.
Nelson & Weber Expires December 14, 2008 [Page 17]
Internet-Draft RADIUS NAS-Management Authorization June 2008
Access-
Request Accept Reject Challenge # Attribute
---------------------------------------------------------------------
0-1 0-1 0 0 TBA-2 Framed-Management-Protocol
0-1 0-1 0 0 TBA-3 Management-Transport-Protection
0 0-1 0 0 TBA-4 Management-Policy-Id
0 0-1 0 0 TBA-5 Management-Privilege-Level
Accounting-
Request Response # Attribute
---------------------------------------------------------------------
0-1 0 TBA-2 Framed-Management-Protocol
0-1 0 TBA-3 Management-Transport-Protection
0-1 0 TBA-4 Management-Policy-Id
0-1 0 TBA-5 Management-Privilege-Level
The following table defines the meaning of the above table entries.
0 This attribute MUST NOT be present in a packet.
0+ Zero or more instances of this attribute MAY be present in
a packet.
0-1 Zero or one instance of this attribute MAY be present in
a packet.
1 Exactly one instance of this attribute MUST be present in
a packet.
13. IANA Considerations
Note to RFC Editor: Remove the following paragraphs upon publication
of this document as an RFC.
This document contains placeholders ("TBA-n") for assigned numbers
within the RADIUS Attributes Types registry
(http://www.iana.org/assignments/radius-types), to be assigned by
IANA at the time this document should be published as an RFC.
o New enumerated value for the existing Service-Type Attribute:
* Framed-Management (TBA-1)
o New RADIUS Attribute Types:
* Framed-Management-Protocol (TBA-2)
* Management-Transport-Protection (TBA-3)
* Management-Policy-Id (TBA-4)
* Management-Privilege-Level (TBA-5)
The enumerated values of the newly assigned RADIUS Attribute Types as
defined in this document are to be assigned at the same time as the
new Attribute Types.
Nelson & Weber Expires December 14, 2008 [Page 18]
Internet-Draft RADIUS NAS-Management Authorization June 2008
For the Framed-Management-Protocol Attribute:
1 SNMP
2 Web-based
3 NETCONF
4 FTP
5 TFTP
6 SFTP
7 RCP
8 SCP
For the Management-Transport-Protection Attribute:
1 No-Protection
2 Integrity-Protection
3 Integrity-Confidentiality-Protection
Note to RFC Editor: Retain the following paragraph upon publication
of this document as an RFC.
Assignments of additional enumerated values for the RADIUS attributes
defined in this document are to be processed as described in
[RFC3575], subject to the additional requirement of a published
specification.
14. Security Considerations
This specification describes the use of RADIUS and Diameter for
purposes of authentication, authorization and accounting for
management access to devices within networks. RADIUS threats and
security issues for this application are described in [RFC3579] and
[RFC3580]; security issues encountered in roaming are described in
[RFC2607]. For Diameter, the security issues relating to this
application are described in [RFC4005] and [RFC4072].
This document specifies new attributes that can be included in
existing RADIUS packets, which may be protected as described in
[RFC3579] and [RFC5176]. In Diameter, the attributes are protected
as specified in [RFC3588]. See those documents for a more detailed
description.
The security mechanisms supported in RADIUS and Diameter are focused
on preventing an attacker from spoofing packets or modifying packets
in transit. They do not prevent an authorized RADIUS/Diameter server
or proxy from inserting attributes with malicious intent.
Any of the attributes described in this memo, with the exception of
Nelson & Weber Expires December 14, 2008 [Page 19]
Internet-Draft RADIUS NAS-Management Authorization June 2008
Service-Type, may not be understood by the NAS which receives it. A
legacy NAS not compliant with this specification may silently discard
these attributes while permitting the user to access the management
interface(s) of the NAS. This can lead to users improperly receiving
unauthorized management access to the NAS, or access with greater
levels of access rights than were intended. RADIUS servers SHOULD
attempt to ascertain whether or not the NAS supports these attributes
before sending them in an Access-Accept.
It is possible that certain NAS implementations may not be able to
determine the protection properties of the underlying transport
protocol as specified by the Management-Transport-Protection
Attribute. This may be a limitation of the standard application
programming interface of the underlying transport implementation or
of the integration of the transport into the NAS implementation. In
either event, NASes conforming to this specification, which cannot
determine the protection state of the remote management connection
MUST treat an Access-Accept message containing a Management-
Transport-Protection Attribute containing a value other than No-
Protection (1) as if it were an Access-Reject message, unless
specifically overridden by local policy configuration.
15. Acknowledgments
Many thanks to all reviewers, including Bernard Aboba, Alan DeKok,
David Harrington, Mauricio Sanchez, Juergen Schoenwaelder, Barney
Wolff and Glen Zorn.
16. References
16.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
"Remote Authentication Dial In User Service (RADIUS)",
RFC 2865, June 2000.
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD 63, RFC 3629, November 2003.
16.2. Informative References
[RFC0959] Postel, J. and J. Reynolds, "File Transfer Protocol",
STD 9, RFC 959, October 1985.
Nelson & Weber Expires December 14, 2008 [Page 20]
Internet-Draft RADIUS NAS-Management Authorization June 2008
[RFC1350] Sollins, K., "The TFTP Protocol (Revision 2)", STD 33,
RFC 1350, July 1992.
[RFC2607] Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy
Implementation in Roaming", RFC 2607, June 1999.
[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
[RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
[RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An
Architecture for Describing Simple Network Management
Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
December 2002.
[RFC3412] Case, J., Harrington, D., Presuhn, R., and B. Wijnen,
"Message Processing and Dispatching for the Simple Network
Management Protocol (SNMP)", STD 62, RFC 3412,
December 2002.
[RFC3413] Levi, D., Meyer, P., and B. Stewart, "Simple Network
Management Protocol (SNMP) Applications", STD 62,
RFC 3413, December 2002.
[RFC3414] Blumenthal, U. and B. Wijnen, "User-based Security Model
(USM) for version 3 of the Simple Network Management
Protocol (SNMPv3)", STD 62, RFC 3414, December 2002.
[RFC3415] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
Access Control Model (VACM) for the Simple Network
Management Protocol (SNMP)", STD 62, RFC 3415,
December 2002.
[RFC3416] Presuhn, R., "Version 2 of the Protocol Operations for the
Simple Network Management Protocol (SNMP)", STD 62,
RFC 3416, December 2002.
[RFC3417] Presuhn, R., "Transport Mappings for the Simple Network
Management Protocol (SNMP)", STD 62, RFC 3417,
December 2002.
[RFC3418] Presuhn, R., "Management Information Base (MIB) for the
Simple Network Management Protocol (SNMP)", STD 62,
RFC 3418, December 2002.
[RFC3575] Aboba, B., "IANA Considerations for RADIUS (Remote
Nelson & Weber Expires December 14, 2008 [Page 21]
Internet-Draft RADIUS NAS-Management Authorization June 2008
Authentication Dial In User Service)", RFC 3575,
July 2003.
[RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication
Dial In User Service) Support For Extensible
Authentication Protocol (EAP)", RFC 3579, September 2003.
[RFC3580] Congdon, P., Aboba, B., Smith, A., Zorn, G., and J. Roese,
"IEEE 802.1X Remote Authentication Dial In User Service
(RADIUS) Usage Guidelines", RFC 3580, September 2003.
[RFC3588] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J.
Arkko, "Diameter Base Protocol", RFC 3588, September 2003.
[RFC4005] Calhoun, P., Zorn, G., Spence, D., and D. Mitton,
"Diameter Network Access Server Application", RFC 4005,
August 2005.
[RFC4072] Eronen, P., Hiller, T., and G. Zorn, "Diameter Extensible
Authentication Protocol (EAP) Application", RFC 4072,
August 2005.
[RFC4741] Enns, R., "NETCONF Configuration Protocol", RFC 4741,
December 2006.
[RFC4742] Wasserman, M. and T. Goddard, "Using the NETCONF
Configuration Protocol over Secure SHell (SSH)", RFC 4742,
December 2006.
[RFC4743] Goddard, T., "Using NETCONF over the Simple Object Access
Protocol (SOAP)", RFC 4743, December 2006.
[RFC4744] Lear, E. and K. Crozier, "Using the NETCONF Protocol over
the Blocks Extensible Exchange Protocol (BEEP)", RFC 4744,
December 2006.
[RFC5176] Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
Aboba, "Dynamic Authorization Extensions to Remote
Authentication Dial In User Service (RADIUS)", RFC 5176,
January 2008.
Nelson & Weber Expires December 14, 2008 [Page 22]
Internet-Draft RADIUS NAS-Management Authorization June 2008
Authors' Addresses
David B. Nelson
Elbrys Networks, Inc.
75 Rochester Avenue, Unit 3
Portsmouth, NH 03801
USA
Email: d.b.nelson@comcast.net
Greg Weber
Individual Contributor
Knoxville, TN 37932
USA
Email: gdweber@gmail.com
Nelson & Weber Expires December 14, 2008 [Page 23]
Internet-Draft RADIUS NAS-Management Authorization June 2008
Full Copyright Statement
Copyright (C) The IETF Trust (2008).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Nelson & Weber Expires December 14, 2008 [Page 24]
