Network Working Group D. Nelson
Internet-Draft Enterasys Networks
Expires: February 13, 2006 G. Weber
Cisco Systems
August 12, 2005
RADIUS NAS-Management Authorization
draft-nelson-radius-management-authorization-02.txt
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on February 13, 2006.
Copyright Notice
Copyright (C) The Internet Society (2005).
Abstract
This document describes RADIUS attributes for the authorization and
service provisioning of local and remote management of embedded
systems and other managed entities (NASes). Specific provisions are
made for remote management via framed management protocols, and for
more granular levels of security and command privilege level beyond
those included in the base RADIUS specification. Provisions are also
introduced for enhancing auditability of individual management
Nelson & Weber Expires February 13, 2006 [Page 1]
�
Internet-Draft RADIUS NAS-Management Authorization August 2005
operations.
Table of Contents
1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Introduction and Rationale . . . . . . . . . . . . . . . . . 3
3. Provisions for Framed Management . . . . . . . . . . . . . . 3
4. Provisions for Granular Management Access Rights . . . . . . 4
5. Provisions for Secure CLI Management Access . . . . . . . . 4
6. Provisions to Enhance Auditability . . . . . . . . . . . . . 5
7. New Values for Existing RADIUS Attributes . . . . . . . . . 5
7.1 Service-Type . . . . . . . . . . . . . . . . . . . . . . . 5
8. New RADIUS Attributes . . . . . . . . . . . . . . . . . . . 6
8.1 Framed-Management-Protocol . . . . . . . . . . . . . . . . 6
8.2 Non-Framed-Management-Security . . . . . . . . . . . . . . 7
8.3 Management-Policy-Id . . . . . . . . . . . . . . . . . . . 8
8.4 Non-Framed-Management-Command . . . . . . . . . . . . . . 9
8.5 Framed-Management-Operation . . . . . . . . . . . . . . . 10
8.6 Management-Context . . . . . . . . . . . . . . . . . . . . 11
9. Examples of attribute groupings . . . . . . . . . . . . . . 12
10. Diameter Translation Considerations . . . . . . . . . . . . 13
11. Proxy Operation Considerations . . . . . . . . . . . . . . . 13
12. Table of Attributes . . . . . . . . . . . . . . . . . . . . 14
13. IANA Considerations . . . . . . . . . . . . . . . . . . . . 15
14. Security Considerations . . . . . . . . . . . . . . . . . . 15
15. References . . . . . . . . . . . . . . . . . . . . . . . . . 16
15.1 Normative References . . . . . . . . . . . . . . . . . . 16
15.2 Informative References . . . . . . . . . . . . . . . . . 16
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 16
A. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 17
Intellectual Property and Copyright Statements . . . . . . . 18
Nelson & Weber Expires February 13, 2006 [Page 2]
�
Internet-Draft RADIUS NAS-Management Authorization August 2005
1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
This document uses terminology from RFC 2865 [RFC2865] and RFC 2866
[RFC2866].
2. Introduction and Rationale
The remote management Service-Types defined in RFC 2865 [RFC2865]
include NAS-Prompt and Admin. Both of these services provide access
to the interactive, ASCII-text, Command Line Interface (CLI) of the
managed entity. Current deployments of network equipment include in
the managed entity non-CLI, framed-protocol forms of management, such
as HTTP, HTTPS, and SNMP. In addition, network devices often support
more privilege levels for management access than the two levels
supported by NAS-Prompt (non-privileged) and Admin (privileged).
Some access policies may be so complex or granular that it is more
efficient to centralize them by having an AAA server make
authorization decisions for individual operations within management
sessions. To address these issues, attributes for framed management
protocols, management protocol security levels, and management access
privilege levels are described.
3. Provisions for Framed Management
Framed Management means management of an entity by means of a non-
interactive, non-CLI-style method. The management information is
typically formatted in a binary or textual protocol, such as HTTP or
SNMP. While remote management by interactive CLI sessions are
carried over protocols, such as Telnet, Rlogin, and SSH, these
protocols are primarily for the delivery of terminal, or pseudo-TTY
services. Command Line Interface, Menu Interface, or other ASCII
(UTF-8) terminal emulation interfaces are not considered to be Framed
Management protocols, as used in this document. Examples of Framed
Management protocols include HTTP, HTTPS, and SNMP.
To support the authorization and provisioning of Framed Management
access to managed entities, this document introduces a new value for
the Service-Type attribute [RFC2865], and one new attribute. The new
value for the Service-Type attribute is Framed-Management. The
definition of this service is the provisioning of remote device
management via a Framed Management protocol, as described in this
section. The new attribute is Framed-Management-Protocol, the value
of which specifies a particular protocol for use in the remote
management session.
Nelson & Weber Expires February 13, 2006 [Page 3]
�
Internet-Draft RADIUS NAS-Management Authorization August 2005
4. Provisions for Granular Management Access Rights
One new attribute is introduced in this document in support of
granular management access rights or command privilege levels. The
Management-Policy-Id attribute is used to contain the name of a
management access rights policy of local scope. This attribute
functions similarly to Filter-ID. It is a string variable containing
policy name of local scope. The provisioning of the rules invoked by
application of this management policy is by means outside the scope
of this document, such as by MIB objects.
The local application of the Management-Policy-Id within the managed
entity may take the form of (a) one of an enumeration of command
privilege levels, (b) a mapping into an SNMP View Based Access
Control Method (VACM) table [RFC3415], or (c) some other set of
management access policy rules that is mutually understood by the
managed entity and the remote management application. Examples are
given in Section 9.
There are currently no standards that define the mechanism for
binding the value of Management-Policy-Id to a view in an SNMPv3 VACM
table. The desire for such a standardized mechanism as been
discussed in the IETF Integrated Security Model for SNMP (ISMS)
Working Group, but that work may be out-of-scope of the current ISMS
charter. As such, the definition of this binding mechanism is a
topic for current research.
The set of policy rules controlling access within management sessions
may be quite complex, e.g. the administrator, Alice, may only execute
potentially disruptive commands during her working shift; otherwise
she may execute monitoring commands if no other administrator is
using a particular device. At some point in the spectrum of
complexity, it becomes more effecient to centralize the control of
management access. New attributes are introduced to facilitate such
centralization. In particular, individual management operations
within a session may be authorized by sending an Access-Request which
includes a description of the requested operation and uses the
Service-Type of "Authorize Only" defined in RFC 3576 [RFC3576].
5. Provisions for Secure CLI Management Access
To provide for the authorization and provisioning of secure Command
Line Access management methods, one new attribute is introduced in
this document, Non-Framed-Management-Security. The value of this
attributes is an enumeration of security methods that may be required
for the provisioning of NAS-Prompt or Admin service.
Nelson & Weber Expires February 13, 2006 [Page 4]
�
Internet-Draft RADIUS NAS-Management Authorization August 2005
6. Provisions to Enhance Auditability
Device configuration errors are a frequent source of network service
outages. In many cases, these configuration errors are caused by
human administrators executing manual changes to device
configurations. These errors can be difficult to diagnose or locate.
To facilitate auditability, all of the attributes introduced in this
document may be used in accounting records. In addition, the idea of
generating interim accounting records for management sessions which
correlate to individual operations is introduced. For non-framed
management sessions, these individual operations typically correlate
to individual command executions within the device Command Line
Interface.
7. New Values for Existing RADIUS Attributes
7.1 Service-Type
This document defines one new value for an existing RADIUS attribute.
The Service-Type attribute is defined in Section 5.6 of RFC 2865
[RFC2865], as follows:
This Attribute indicates the type of service the user has requested,
or the type of service to be provided. It MAY be used in both
Access-Request and Access-Accept packets.
A NAS is not required to implement all of these service types, and
MUST treat unknown or unsupported Service-Types as though an Access-
Reject had been received instead.
A summary of the Service-Type Attribute format is shown below.
The fields are transmitted from left to right.
Nelson & Weber Expires February 13, 2006 [Page 5]
�
Internet-Draft RADIUS NAS-Management Authorization August 2005
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Value
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
6 for Service-Type.
Length
6 Value
The Value field is four octets.
This document defines one new value for the Service-Type
attribute.
(TBA) Framed-Management
The semantics of the Framed-Management service are as follows:
Framed-Management A framed protocol session should be started
for a remote management user or application,
such as HTTP or SNMP.
8. New RADIUS Attributes
This document defines six new RADIUS attributes related to remote
management authorization.
8.1 Framed-Management-Protocol
The Framed-Management-Protocol attribute indicates the protocol to be
used for framed management access. It MAY be used in both Access-
Request and Access-Accept packets.
A summary of the Framed-Management-Protocol Attribute format is shown
below. The fields are transmitted from left to right.
Nelson & Weber Expires February 13, 2006 [Page 6]
�
Internet-Draft RADIUS NAS-Management Authorization August 2005
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Value
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
(TBA) for Framed-Management-Protocol.
Length
6
Value
The Value field is four octets.
1 SNMP v3
2 HTTP
3 HTTPS/TLS
4 SFTP (via SSH)
5 SCP (via SSH)
8.2 Non-Framed-Management-Security
The Non-Framed-Management-Security attribute indicates the mandated
security parameters of non-framed management access sessions. It MAY
be used in both Access-Request and Access-Accept packets. This
attribute is used in conjunction with, and further specifies the
standard RADIUS Service-Type attributes of NAS-Prompt and Admin.
When a secure form of Non-Framed managment access is specified, for
example Telnet carried within Secure Shell (SSH), for access to the
interactive CLI prompt of the NAS, it generally means that the
terminal emulation session is encapsulated in some form of protected
application transport, or tunnel. It may also mean that an explicit
secure mode of operation is required, when the terminal emulation
access protocol contains an intrinsic secure mode of operation.
A summary of the Non-Framed-Management-Security Attribute format is
shown below. The fields are transmitted from left to right.
Nelson & Weber Expires February 13, 2006 [Page 7]
�
Internet-Draft RADIUS NAS-Management Authorization August 2005
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Value
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Value (cont) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
(TBA) for Non-Framed-Management-Security.
Length
6
Value
The Value field is four octets.
1 None
2 Secure remote console using Secure Shell (SSH)
8.3 Management-Policy-Id
The Management-Policy-Id attribute indicates the name of the
management access policy for this user. Zero or more Management-
Policy-Id attributes MAY be sent in an Access-Accept packet.
Identifying a policy by name allows the policy to be used on
different NASes without regard to implementation details.
Multiple forms of management access rules may be expressed by the
underlying named policy, the definition of which is beyond the scope
of this document. The management access policy MAY be applied
contextually, based on the nature of the management access method.
For example, some named policies may only be valid for application to
NAS-Prompt services and some other policies may only be valid for
application to SMNPv3 services.
The management access policy named in this attribute, received in an
Access-Accept packet, MUST be applied to the session authorized by
the Access-Accept. If the policy name is unknown, or the policy
rules are incorrectly formatted, the NAS SHOULD treat the packet as
if it had been an Access-Reject.
A summary of the Management-Policy-Id Attribute format is shown
below. The fields are transmitted from left to right.
Nelson & Weber Expires February 13, 2006 [Page 8]
�
Internet-Draft RADIUS NAS-Management Authorization August 2005
0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
| Type | Length | Text ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Type
(TBA) for Management-Policy-Id.
Length
>= 3
Text
The Text field is one or more octets, and its contents are
implementation dependent. It is intended to be human readable and
MUST NOT affect operation of the protocol. It is recommended that
the message contain UTF-8 encoded 10646 [RFC2279] characters.
8.4 Non-Framed-Management-Command
The Non-Framed-Management-Command attribute indicates a specific
management operation within a NAS-Prompt or Admin session. It MAY be
used in Access-Request or Accounting-Request packets. This attribute
MUST NOT be included in packets which also include the Framed-
Management-Operation attribute.
When used within an Access-Request with a Service-Type value of
"Authorize Only" (17), the NAS is requesting authorization for this
specific management operation within an existing NAS-Prompt or Admin
session. When used within an Accounting-Request with an Acct-Status-
Type value of Interim-Update (3), the NAS is reporting that the
specific management operation has been performed.
Typically, the text value of this attribute would equate to a single
command issued to the embedded device's Command Line Interface. If
the management session is using a menu or other ASCII interface, the
value of this attribute would contain a textual representation of the
specific operation.
A summary of the Non-Framed-Management-Command Attribute format is
shown below. The fields are transmitted from left to right.
Nelson & Weber Expires February 13, 2006 [Page 9]
�
Internet-Draft RADIUS NAS-Management Authorization August 2005
0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
| Type | Length | Text ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Type
(TBA) for Non-Framed-Management-Command.
Length
>= 3
Text
The Text field is one or more octets, and its contents are
implementation dependent. It is intended to be human readable and
MUST NOT affect operation of the protocol. It is recommended that
the message contain UTF-8 encoded 10646 [RFC2279] characters.
8.5 Framed-Management-Operation
The Framed-Management-Operation attribute indicates a specific
management operation within a Framed-Management session. It MAY be
used in Access-Request or Accounting-Request packets. This attribute
MUST NOT be included in packets which also include the Non-Framed-
Management-Command attribute.
When used within an Access-Request with a Service-Type value of
"Authorize Only" (17), the NAS is requesting authorization for this
specific management operation within an existing Framed-Management
session. When used within an Accounting-Request with an Acct-Status-
Type value of Interim-Update (3), the NAS is reporting that the
specific management operation has been performed.
The value of this attribute is a textual rendering of the specific
management operation being performed, e.g. "SNMP GET OID
0.1.2.3...".
A summary of the Framed-Management Operation Attribute format is
shown below. The fields are transmitted from left to right.
Nelson & Weber Expires February 13, 2006 [Page 10]
�
Internet-Draft RADIUS NAS-Management Authorization August 2005
0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
| Type | Length | Text ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Type
(TBA) for Framed-Management-Operation.
Length
>= 3
Text
The Text field is one or more octets, and its contents are
implementation dependent. It is intended to be human readable and
MUST NOT affect operation of the protocol. It is recommended that
the message contain UTF-8 encoded 10646 [RFC2279] characters.
8.6 Management-Context
The Management-Context attribute indicates additional contextual
information in conjunction with the specific management operation
indicated by either the Non-Framed-Management-Command or the Framed-
Management-Operation attributes. It MAY be used in Access-Request or
Accounting-Request packets.
When used with the Non-Framed-Management-Command attribute, the
Management-Context attribute may be used to indicate a Command Line
Interface mode or sub-mode, a role associated with the management
session, or other contextual information related to the specific
operation being performed.
A summary of the Management-Context Attribute format is shown below.
The fields are transmitted from left to right.
Nelson & Weber Expires February 13, 2006 [Page 11]
�
Internet-Draft RADIUS NAS-Management Authorization August 2005
0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
| Type | Length | Text ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Type
(TBA) for Management-Context.
Length
>= 3
Text
The Text field is one or more octets, and its contents are
implementation dependent. It is intended to be human readable and
MUST NOT affect operation of the protocol. It is recommended that
the message contain UTF-8 encoded 10646 [RFC2279] characters.
9. Examples of attribute groupings
1. CLI access, via local console or telnet, to the "super-user"
access level:
* Service-Type (6) = Admin (6)
* Non-Framed-Management-Security (xx) = None (1)
2. CLI access, via SSH/telnet, to the non-privileged user access
level:
* Service-Type (6) = NAS-Prompt (7)
* Non-Framed-Management-Security (xx) = SSH (2)
3. CLI access, via SSH/telnet, to a custom management access level,
defined by a policy:
* Service-Type (6) = NAS-Prompt (7)
* Non-Framed-Management-Security (xx) = SSH (2)
* Management-Policy-Id (xx) = "Network Administrator"
4. Authorization for individual operation within above session:
* Service-Type (6) = Authorize Only (17)
* Non-Framed-Management-Command (xx) = "shutdown interface 18"
Nelson & Weber Expires February 13, 2006 [Page 12]
�
Internet-Draft RADIUS NAS-Management Authorization August 2005
* Management-Context (xx) = "operational CLI mode"
5. Accounting record for the individual operation above:
* Acct-Status-Type (40) = Interim-Update (3)
* Non-Framed-Management-Command (xx) = "shutdown interface 18"
* Management-Context (xx) = "operational CLI mode"
6. SNMPv3 access, using a custom VACM View, defined by a policy:
* Service-Type (6) = Framed-Management (xx)
* Framed-Management-Protocol (xx) = SNMPv3 (3)
* Management-Policy-Id (xx) = "SNMP Network Administrator View"
7. Web (HTTP) access:
* Service-Type (6) = Framed-Management (xx)
* Framed-Management-Protocol (xx) = HTTP (4)
8. Secure web access, using a custom management access level,
defined by a policy:
* Service-Type (6) = Framed-Management (xx)
* Framed-Management-Protocol (xx) = HTTPS/TLS (5)
* Management-Policy-Id (xx) = "Read-only web access"
10. Diameter Translation Considerations
The attributes defined in this document are compatible with the
standard Diameter translation process as defined in Section 9 of
Diameter Network Access Server Application [I-D.ietf-aaa-diameter-
nasreq].
11. Proxy Operation Considerations
The device management access authorization attributes presented in
this document present certain considerations when used in proxy
environments. These considerations are not different from those that
exist in RFC 2865 [RFC2865] with respect to the Service-Type
attribute values of Admin and NAS-Prompt.
Most proxy environments are also multi-party environments. In multi-
party proxy environments it is important to distinguish which
entities have the authority to provision management access to the
edge devices, i.e. NASes, and which entities only have authority to
provision network access services of various sorts.
It may be important that operators of the NAS are able to ensure that
Nelson & Weber Expires February 13, 2006 [Page 13]
�
Internet-Draft RADIUS NAS-Management Authorization August 2005
access to the CLI, or other management interfaces, of the NAS are
only provisioned to their own employees or contractors. One way for
the NAS to enforce this requirement is to use only local, non-proxy
RADIUS servers for management access requests. Proxy RADIUS servers
could be used for non-management access requests, based on local
policy. This "bi-furcation" of RADIUS authentication and
authorization is a simple case of separate administrative realms.
The NAS may be designed so as to maintain separate lists of RADIUS
servers for management AAA use and for non-management AAA use.
An alternate method of enforcing this requirement would be for the
first-hop proxy server, operated by the owner of the NAS, to filter
out any RADIUS attributes that provision management access rights
that originate from "up-stream" proxy servers not operated by the NAS
owner. Access-Accept messages that provision such locally un-
authorized management access MAY be treated as if they were an
Access-Reject by the first-hop proxy server.
These issues are not of concern when all the RADIUS servers, local
and proxy, used by the NAS are under the sole administrative control
of the NAS owner.
12. Table of Attributes
The following table provides a guide to which attributes may be found
in which kinds of packets, and in what quantity.
Nelson & Weber Expires February 13, 2006 [Page 14]
�
Internet-Draft RADIUS NAS-Management Authorization August 2005
Access-
Request Accept Reject Challenge # Attribute
---------------------------------------------------------------------
0-1 0-1 0 0 TBA Framed-Management-Protocol
0-1 0-1 0 0 TBA Non-Framed-Management-Security
0 0+ 0 0 TBA Management-Policy-Id
0-1 0 0 0 TBA Non-Framed-Management-Command
0-1 0 0 0 TBA Framed-Management-Operation
0+ 0 0 0 TBA Management-Context
Accounting-
Request Response # Attribute
---------------------------------------------------------------------
0-1 0 TBA Framed-Management-Protocol
0-1 0 TBA Non-Framed-Management-Security
0+ 0 TBA Management-Policy-Id
0-1 0 TBA Non-Framed-Management-Command
0-1 0 TBA Framed-Management-Operation
0+ 0 TBA Management-Context
The following table defines the meaning of the above table entries.
0 This attribute MUST NOT be present in a packet.
0+ Zero or more instances of this attribute MAY be present in
a packet.
0-1 Zero or one instance of this attribute MAY be present in
a packet.
1 Exactly one instance of this attribute MUST be present in
a packet.
13. IANA Considerations
This document contains placeholders ("TBA") for assigned numbers
within the RADIUS Attributes registry, to be assigned by IANA at the
time this document should be published as an RFC.
14. Security Considerations
The RADIUS attributes and attribute values described in this document
do not impose any additional security considerations beyond those
documented in the existing RADIUS specification [RFC2865].
15. References
Nelson & Weber Expires February 13, 2006 [Page 15]
�
Internet-Draft RADIUS NAS-Management Authorization August 2005
15.1 Normative References
[I-D.ietf-aaa-diameter-nasreq]
Calhoun, P., Zorn, G., Spence, D., and D. Mitton,
"Diameter Network Access Server Application",
draft-ietf-aaa-diameter-nasreq-17 (work in progress),
July 2004.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2279] Yergeau, F., "UTF-8, a transformation format of ISO
10646", RFC 2279, January 1998.
[RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
"Remote Authentication Dial In User Service (RADIUS)",
RFC 2865, June 2000.
[RFC3415] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
Access Control Model (VACM) for the Simple Network
Management Protocol (SNMP)", STD 62, RFC 3415,
December 2002.
15.2 Informative References
[RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000.
[RFC3576] Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B.
Aboba, "Dynamic Authorization Extensions to Remote
Authentication Dial In User Service (RADIUS)", RFC 3576,
July 2003.
Authors' Addresses
David B. Nelson
Enterasys Networks
50 Minuteman Road
Andover, MA 01810
USA
Email: dnelson@enterasys.com
Nelson & Weber Expires February 13, 2006 [Page 16]
�
Internet-Draft RADIUS NAS-Management Authorization August 2005
Greg Weber
Cisco Systems
10850 Murdock Road
Knoxville, TN 37932
USA
Email: gdweber@cisco.com
Appendix A. Acknowledgments
Many thanks to all reviewers, including Barney Wolff and Mauricio
Sanchez.
Nelson & Weber Expires February 13, 2006 [Page 17]
�
Internet-Draft RADIUS NAS-Management Authorization August 2005
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Disclaimer of Validity
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement
Copyright (C) The Internet Society (2005). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
Acknowledgment
Funding for the RFC Editor function is currently provided by the
Internet Society.
Nelson & Weber Expires February 13, 2006 [Page 18]
�