Network Working Group D. Nelson Internet Draft Enterasys Networks Expires: January 10, 2005 July 10, 2004 RADIUS Extension for Management Authorization draft-nelson-radius-management-authorization-00.txt Status of this Memo By submitting this Internet-Draft, I certify that any applicable patent or other IPR claims of which I am aware have been disclosed, and any of which I become aware will be disclosed, in accordance with RFC 3668. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet- Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Comments on this document may be directed to the author. This Internet-Draft will expire on January 10, 2005. Copyright Notice Copyright (C) The Internet Society (2004). All Rights Reserved. Abstract This document describes RADIUS Attributes for the authorization and service provisioning of local and remote management of embedded systems and other managed entities. Specific provisions are made for remote management via framed management protocols, and for more granular levels of security and command privilege level beyond those included in RFC 2865 [RFC2865]. 1. Introduction and Rationale The remote management Service-Types defined in RFC 2865 [RFC2865] include NAS-Prompt and Admin. Both of these services provide access D. Nelson Expires January 10, 2005 [Page 1] Internet-Draft RADIUS Extension for Management Authorization July 2004 to the interactive, ASCII-text, Command Line Interface (CLI) of the managed entity. Current deployments of network equipment include in the managed entity non-CLI, framed-protocol forms of management, such as HTTP, HTTPS, and SNMP. In addition, network devices often support more privilege levels for management access than the two levels supported by NAS-Prompt (non-privileged) and Admin (privileged). To address these issues, attributes for framed management protocols, management protocol security levels, and management access privilege levels are described. 2. Specification of Requirements The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119]. These key words mean the same thing whether capitalized or not. 3. Provisions for Framed Management Framed Management means management of an entity by means of a non- interactive, non-CLI-style method. The management information is typically formatted in a binary or textual protocol, such as HTTP or SNMP. While remote management by interactive CLI sessions are carried over protocols, such as Telnet, Rlogin, and SSH, these protocols are primarily for the delivery of terminal, or pseudo-TTY services. Command Line Interface, Menu Interface, or other ASCII (UTF-8) terminal emulation interfaces are not considered to be Framed Management protocols, as used in this document. Examples of Framed Management protocols include HTTP, HTTPS, and SNMP. To support the authorization and provisioning of Framed Management access to managed entities, this document introduces a new value for the Service-Type attribute [RFC2865], and one new attribute. The new value for the Service-Type attribute is Framed-Management. The definition of this service is the provisioning of remote device management via a Framed Management protocol, as described in this section. The new attribute is Framed-Management-Protocol, the value of which specifies a particular protocol for use in the remote management session. 4. Provisions for Granular Management Access Rights One new attribute is introduced in this document in support of granular management access rights or command privilege levels. The Management-Policy-Id attribute is used to contain the name of a management access rights policy of local scope. This attribute functions similarly to Filter-ID. It is a string variable containing policy name of local scope. The provisioning of the rules invoked by application of this management policy is by means outside the scope of this document, such as by MIB objects. D. Nelson Expires January 10, 2005 [Page 2] Internet-Draft RADIUS Extension for Management Authorization July 2004 The local application of the Management-Policy-Id within the managed entity may take the form of (a) one of an enumeration of command privilege levels, (b) a mapping into an SNMP View Based Access Control Method (VACM) table [RFC3415], or (c) some other set of management access policy rules that is mutually understood by the managed entity and the remote management application. Examples are given in Section 8. 5. Provisions for Secure CLI Management Access To provide for the authorization and provisioning of secure Command Line Access management methods, one new attribute is introduced in this document, Non-Framed-Management-Security. The value of this attributes is an enumeration of security methods that may be required for the provisioning of NAS-Prompt or Admin service. 6. New Values for Existing RADIUS Attributes 6.1 Service-Type This document defines one new value for an existing RADIUS attribute. The Service-Type attribute is defined in Section 5.6 of RFC 2865 [RFC2865], as follows: Service-Type Description This Attribute indicates the type of service the user has requested, or the type of service to be provided. It MAY be used in both Access-Request and Access-Accept packets. A NAS is not required to implement all of these service types, and MUST treat unknown or unsupported Service-Types as though an Access- Reject had been received instead. A summary of the Service-Type Attribute format is shown below. The fields are transmitted from left to right. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Value +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Value (cont) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ D. Nelson Expires January 10, 2005 [Page 3] Internet-Draft RADIUS Extension for Management Authorization July 2004 Type 6 for Service-Type. Length 6 Value The Value field is four octets. This document defines one new value for the Service-Type attribute. (TBA) Framed-Management The semantics of the Framed-Management service are as follows: Framed-Management A framed protocol session should be started for a remote management user or application, such as HTTP or SNMP. 7. New RADIUS Attributes This document defines three new RADIUS attributes related to remote management authorization. 7.1 Framed-Management-Protocol The Framed-Management-Protocol attribute indicates the protocol to be used for framed management access. It MAY be used in both Access- Request and Access-Accept packets. A summary of the Framed-Management-Protocol Attribute format is shown below. The fields are transmitted from left to right. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Value +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Value (cont) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type (TBA) for Framed-Management-Protocol. Length 6 D. Nelson Expires January 10, 2005 [Page 4] Internet-Draft RADIUS Extension for Management Authorization July 2004 Value The Value field is four octets. 1 SNMP v1 2 SNMP v2c 3 SNMP v3 4 HTTP 5 HTTPS / TLS 7.2 Non-Framed-Management-Security The Non-Framed-Management-Security attribute indicates the mandated security parameters of non-framed management access sessions. It MAY be used in both Access-Request and Access-Accept packets. This attribute is used in conjunction with, and further specifies the standard RADIUS Service-Type attributes of NAS-Prompt and Admin. A summary of the Non-Framed-Management-Security Attribute format is shown below. The fields are transmitted from left to right. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Value +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Value (cont) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type (TBA) for Non-Framed-Management-Security. Length 6 Value The Value field is four octets. 1 None 2 Secure remote console using Secure Shell (SSH) 7.3 Management-Policy-Id The Management-Policy-Id attribute indicates the name of the management access policy for this user. Zero or more Management- D. Nelson Expires January 10, 2005 [Page 5] Internet-Draft RADIUS Extension for Management Authorization July 2004 Policy-Id attributes MAY be sent in an Access-Accept packet. Identifying a policy by name allows the policy to be used on different NASes without regard to implementation details. Multiple forms of management access rules may be expressed by the underlying named policy, the definition of which is beyond the scope of this document. The management access policy MAY be applied contextually, based on the nature of the management access method. For example, some named policies may only be valid for application to NAS-Prompt services and some other policies may only be valid for application to SMNPv3 services. The management access policy named in this attribute, received in an Access-Accept packet, MUST be applied to the session authorized by the Access-Accept. If the policy name is unknown, or the policy rules incorrectly formatted, the NAS SHOULD treat the packet as if it had been an Access-Reject. A summary of the Management-Policy-Id Attribute format is shown below. The fields are transmitted from left to right. 0 1 2 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- | Type | Length | Text ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- Type (TBA) for Management-Policy-Id. Length >= 3 Text The Text field is one or more octets, and its contents are implementation dependent. It is intended to be human readable and MUST NOT affect operation of the protocol. It is recommended that the message contain UTF-8 encoded 10646 [RFC2279] characters. 8. Examples of attribute groupings: (1.) CLI access, via local console or telnet, to the "super-user" access level: Service-Type (6) = Admin (6) Non-Framed-Management-Security (xx) = None (1) D. Nelson Expires January 10, 2005 [Page 6] Internet-Draft RADIUS Extension for Management Authorization July 2004 (2.) CLI access, via SSH/telnet, to the non-privileged user access level: Service-Type (6) = NAS-Prompt (7) Non-Framed-Management-Security (xx) = SSH (2) (3.) CLI access, via SSH/telnet, to a custom management access level, defined by a policy: Service-Type (6) = NAS-Prompt (7) Non-Framed-Management-Security (xx) = SSH (2) Management-Policy-Id (xx) = "Network Administrator" (4.) SNMPv3 access, using a custom VACM View, defined by a policy: Service-Type (6) = Framed-Management (xx) Framed-Management-Protocol (xx) = SNMPv3 (3) Management-Policy-Id (xx) = "SNMP Network Administrator View" (5.) Web (HTTP) access: Service-Type (6) = Framed-Management (xx) Framed-Management-Protocol (xx) = HTTP (4) (6.) Secure web access, using a custom management access level, defined by a policy: Service-Type (6) = Framed-Management (xx) Framed-Management-Protocol (xx) = HTTPS/TLS (5) Management-Policy-Id (xx) = "Read-only web access" 9. Diameter Translation Considerations The attributes defined in this document are compatible with the standard Diameter translation process as defined in Section 9 of Diameter Network Access Server Application [NASREQ]. 10. Proxy Operation Considerations No unique RADIUS or Diameter proxy operation considerations are incurred by the attributes described within this document. 11. Security Considerations The RADIUS attributes and attribute values described in this document do not impose any additional security considerations beyond those documented in the existing RADIUS specification, RFC 2865 [RFC2685]. D. Nelson Expires January 10, 2005 [Page 7] Internet-Draft RADIUS Extension for Management Authorization July 2004 12. IANA Considerations This document contains placeholders ("TBA") for assigned numbers within the RADIUS Attributes registry, to be assigned by IANA at the time this document should be published as an RFC. 13. References 13.1 Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2865] Rigney, C., Willens, S., Rubens, A. and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000. [NASREQ] Calhoun, P., Zorn, G., Spence, D., Mitton, D., "Diameter Network Access Server Application", draft-ietf-aaa- diameter-nasreq-16.txt (work in progress), June 2004. [RFC2279] Yergeau, F., "UTF-8, a transformation format of ISO 10646", RFC 2279, January 1998. 13.2 Informative References [RFC3588] Calhoun, P., Loughney, J., Guttman, E., Zorn, G. and J. Arkko, "Diameter Base Protocol", RFC 3588, September 2003. [RFC3415] Wijnen, B., Presuhn, R., McCloghrie, K. "View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)", RFC 3415, December 2002. Author's Address David B. Nelson Enterasys Networks, Inc. 50 Minuteman Road Andover, MA 01801-1008 USA EMail: dnelson@enterasys.com D. Nelson Expires January 10, 2005 [Page 8] Internet-Draft RADIUS Extension for Management Authorization July 2004 Intellectual Property Statement The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Disclaimer of Validity This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Full Copyright Statement Copyright (C) The Internet Society (2004). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society. D. Nelson Expires January 10, 2005 [Page 9]