Network Working Group D. Nelson Internet-Draft Enterasys Networks Expires: December 21, 2006 G. Weber Cisco Systems June 19, 2006 RADIUS NAS-Management Authorization draft-nelson-radius-management-authorization-03.txt Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on December 21, 2006. Copyright Notice Copyright (C) The Internet Society (2006). Abstract This document describes Remote Access Dial-In User Service (RADIUS) attributes for the authorization and service provisioning of local and remote management of embedded systems and other managed entities, generally referred to as Network Access Servers (NASes). Specific provisions are made for remote management via framed management protocols, and for more granular levels of security and command privilege level beyond those included in the base RADIUS Nelson & Weber Expires December 21, 2006 [Page 1] Internet-Draft RADIUS NAS-Management Authorization June 2006 specification. Provisions are also introduced for enhancing auditability of individual management operations. Table of Contents 1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Introduction and Rationale . . . . . . . . . . . . . . . . . . 3 3. Provisions for Framed Management . . . . . . . . . . . . . . . 3 4. Provisions for Granular Management Access Rights . . . . . . . 4 5. Provisions for Secure CLI Management Access . . . . . . . . . 4 6. Provisions to Enhance Auditability . . . . . . . . . . . . . . 5 7. Use of Authorize-Only . . . . . . . . . . . . . . . . . . . . 5 8. New Values for Existing RADIUS Attributes . . . . . . . . . . 5 8.1. Service-Type . . . . . . . . . . . . . . . . . . . . . . . 6 9. New RADIUS Attributes . . . . . . . . . . . . . . . . . . . . 7 9.1. Framed-Management-Protocol . . . . . . . . . . . . . . . . 7 9.2. Non-Framed-Management-Security . . . . . . . . . . . . . . 7 9.3. Management-Policy-Id . . . . . . . . . . . . . . . . . . . 8 9.4. Non-Framed-Management-Command . . . . . . . . . . . . . . 9 9.5. Framed-Management-Operation . . . . . . . . . . . . . . . 10 9.6. Management-Context . . . . . . . . . . . . . . . . . . . . 11 10. Examples of attribute groupings . . . . . . . . . . . . . . . 12 11. Diameter Translation Considerations . . . . . . . . . . . . . 13 12. Proxy Operation Considerations . . . . . . . . . . . . . . . . 15 13. Table of Attributes . . . . . . . . . . . . . . . . . . . . . 15 14. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 15. Security Considerations . . . . . . . . . . . . . . . . . . . 16 16. References . . . . . . . . . . . . . . . . . . . . . . . . . . 17 16.1. Normative References . . . . . . . . . . . . . . . . . . . 17 16.2. Informative References . . . . . . . . . . . . . . . . . . 18 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 18 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 19 Intellectual Property and Copyright Statements . . . . . . . . . . 20 Nelson & Weber Expires December 21, 2006 [Page 2] Internet-Draft RADIUS NAS-Management Authorization June 2006 1. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. This document uses terminology from RFC 2865 [RFC2865] and RFC 2866 [RFC2866]. 2. Introduction and Rationale The remote management Service-Types defined in RFC 2865 [RFC2865] include NAS-Prompt and Admin. Both of these services provide access to the interactive, ASCII-text, Command Line Interface (CLI) of the managed entity. Current deployments of network equipment include in the managed entity non-CLI, framed-protocol forms of management, such as HTTP, HTTPS, and SNMP. In addition, network devices often support more privilege levels for management access than the two levels supported by NAS-Prompt (non-privileged) and Admin (privileged). Some access policies may be so complex or granular that it is more efficient to centralize them by having an AAA server make authorization decisions for individual operations within management sessions. To address these issues, attributes for framed management protocols, management protocol security levels, and management access privilege levels are described. 3. Provisions for Framed Management Framed Management means management of an entity by means of a non- interactive, non-CLI-style method. The management information is typically formatted in a binary or textual protocol, such as HTTP or SNMP. While remote management by interactive CLI sessions are carried over protocols, such as Telnet, Rlogin, and SSH, these protocols are primarily for the delivery of terminal, or pseudo-TTY services. Command Line Interface, Menu Interface, or other ASCII (UTF-8) terminal emulation interfaces are not considered to be Framed Management protocols, as used in this document. Examples of Framed Management protocols include HTTP, HTTPS, and SNMP. To support the authorization and provisioning of Framed Management access to managed entities, this document introduces a new value for the Service-Type attribute [RFC2865], and one new attribute. The new value for the Service-Type attribute is Framed-Management. The definition of this service is the provisioning of remote device management via a Framed Management protocol, as described in this section. The new attribute is Framed-Management-Protocol, the value Nelson & Weber Expires December 21, 2006 [Page 3] Internet-Draft RADIUS NAS-Management Authorization June 2006 of which specifies a particular protocol for use in the remote management session. 4. Provisions for Granular Management Access Rights One new attribute is introduced in this document in support of granular management access rights or command privilege levels. The Management-Policy-Id attribute is used to contain the name of a management access rights policy of local scope. This attribute functions similarly to Filter-ID. It is a string variable containing policy name of local scope. The provisioning of the rules invoked by application of this management policy is by means outside the scope of this document, such as by MIB objects. The local application of the Management-Policy-Id within the managed entity may take the form of (a) one of an enumeration of command privilege levels, (b) a mapping into an SNMP View Based Access Control Method (VACM) table [RFC3415], or (c) some other set of management access policy rules that is mutually understood by the managed entity and the remote management application. Examples are given in Section 10. There is ongoing work to define a mechanism for binding the value of Management-Policy-Id to a view in an SNMPv3 VACM table [sshsm- radius]. See also: [tmsm] and [sshsm]. The set of policy rules controlling access within management sessions may be quite complex, e.g. the administrator, Alice, may only execute potentially disruptive commands during her working shift; otherwise she may execute monitoring commands if no other administrator is using a particular device. At some point in the spectrum of complexity, it becomes more efficient to centralize the control of management access. New attributes are introduced to facilitate such centralization. In particular, individual management operations within a session may be authorized by sending an Access-Request which includes a description of the requested operation and uses the Service-Type of "Authorize Only" defined in RFC 3576 [RFC3576]. 5. Provisions for Secure CLI Management Access To provide for the authorization and provisioning of secure Command Line Access management methods, one new attribute is introduced in this document, Non-Framed-Management-Security. The value of this attributes is an enumeration of security methods that may be required for the provisioning of NAS-Prompt or Admin service. Nelson & Weber Expires December 21, 2006 [Page 4] Internet-Draft RADIUS NAS-Management Authorization June 2006 6. Provisions to Enhance Auditability Device configuration errors are a frequent source of network service outages. In many cases, these configuration errors are caused by human administrators executing manual changes to device configurations. These errors can be difficult to diagnose or locate. To facilitate auditability, all of the attributes introduced in this document may be used in accounting records. In addition, the idea of generating interim accounting records for management sessions which correlate to individual operations is introduced. For non-framed management sessions, these individual operations typically correlate to individual command executions within the device Command Line Interface. 7. Use of Authorize-Only Dynamic RADIUS [RFC3576] provides for re-authorization via a Change of Authorization (CoA) message. Re-authorization of an existing session requires a previous RADIUS authentication. Some other authentication and authorization protocols, such as TACACS+, separate out the authorization phase from the authentication phase. When RADIUS is used to provide "Authorize Only" types of provisioning, such as with RFC 3576, there is an expectation that the original authentication for the NAS session was provided by RADIUS, and in fact provided by the RADIUS Server that initiates the CoA request. RFC 3576 requires that any RADIUS Access-Request with a Service-Type of "Authorize Only" contain the State attribute that was obtained from the RADIUS Server during the initial authentication. This State attribute serves as a form of "cookie" between the server and client. An additional mode of RADIUS re-authorization operation is useful with granular authorization, such as the per command authorization described in Section 9.4. In this case, the RADIUS Access-Request message, containing a Service-Type of "Authorize Only", and a State attribute from the original Access-Accept, is generated autonomously by the NAS, and not in response to a CoA message, as it is in [RFC3576]. Since the State attribute provides the session context to the RADIUS server, the User-Name and User-Password attributes are generally not required in the Access-Request message. 8. New Values for Existing RADIUS Attributes Nelson & Weber Expires December 21, 2006 [Page 5] Internet-Draft RADIUS NAS-Management Authorization June 2006 8.1. Service-Type This document defines one new value for an existing RADIUS attribute. The Service-Type attribute is defined in Section 5.6 of RFC 2865 [RFC2865], as follows: This Attribute indicates the type of service the user has requested, or the type of service to be provided. It MAY be used in both Access-Request and Access-Accept packets. A NAS is not required to implement all of these service types, and MUST treat unknown or unsupported Service-Types as though an Access- Reject had been received instead. A summary of the Service-Type Attribute format is shown below. The fields are transmitted from left to right. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Value +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Value (cont) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type 6 for Service-Type. Length 6 Value The Value field is four octets. This document defines one new value for the Service-Type attribute. (TBA) Framed-Management The semantics of the Framed-Management service are as follows: Framed-Management A framed protocol session should be started for a remote management user or application, such as HTTP or SNMP. Nelson & Weber Expires December 21, 2006 [Page 6] Internet-Draft RADIUS NAS-Management Authorization June 2006 9. New RADIUS Attributes This document defines six new RADIUS attributes related to remote management authorization. 9.1. Framed-Management-Protocol The Framed-Management-Protocol attribute indicates the protocol to be used for framed management access. It MAY be used in both Access- Request and Access-Accept packets. A summary of the Framed-Management-Protocol Attribute format is shown below. The fields are transmitted from left to right. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Value +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Value (cont) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type (TBA) for Framed-Management-Protocol. Length 6 Value The Value field is four octets. 1 SNMP v3 2 HTTP 3 HTTPS/TLS 4 SFTP (via SSH) 5 SCP (via SSH) 9.2. Non-Framed-Management-Security The Non-Framed-Management-Security attribute indicates the mandated security parameters of non-framed management access sessions. It MAY be used in both Access-Request and Access-Accept packets. This attribute is used in conjunction with, and further specifies the standard RADIUS Service-Type attributes of NAS-Prompt and Admin. Nelson & Weber Expires December 21, 2006 [Page 7] Internet-Draft RADIUS NAS-Management Authorization June 2006 When a secure form of Non-Framed management access is specified, for example Telnet carried within Secure Shell (SSH), for access to the interactive CLI prompt of the NAS, it generally means that the terminal emulation session is encapsulated in some form of protected application transport, or tunnel. It may also mean that an explicit secure mode of operation is required, when the terminal emulation access protocol contains an intrinsic secure mode of operation. A summary of the Non-Framed-Management-Security Attribute format is shown below. The fields are transmitted from left to right. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Value +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Value (cont) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type (TBA) for Non-Framed-Management-Security. Length 6 Value The Value field is four octets. 1 None 2 Secure remote console using Secure Shell (SSH) 9.3. Management-Policy-Id The Management-Policy-Id attribute indicates the name of the management access policy for this user. Zero or more Management- Policy-Id attributes MAY be sent in an Access-Accept packet. Identifying a policy by name allows the policy to be used on different NASes without regard to implementation details. Multiple forms of management access rules may be expressed by the underlying named policy, the definition of which is beyond the scope of this document. The management access policy MAY be applied contextually, based on the nature of the management access method. For example, some named policies may only be valid for application to NAS-Prompt services and some other policies may only be valid for Nelson & Weber Expires December 21, 2006 [Page 8] Internet-Draft RADIUS NAS-Management Authorization June 2006 application to SMNPv3 services. The management access policy named in this attribute, received in an Access-Accept packet, MUST be applied to the session authorized by the Access-Accept. If the policy name is unknown, or the policy rules are incorrectly formatted, the NAS SHOULD treat the packet as if it had been an Access-Reject. A summary of the Management-Policy-Id Attribute format is shown below. The fields are transmitted from left to right. 0 1 2 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- | Type | Length | Text ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- Type (TBA) for Management-Policy-Id. Length >= 3 Text The Text field is one or more octets, and its contents are implementation dependent. It is intended to be human readable and MUST NOT affect operation of the protocol. It is recommended that the message contain UTF-8 encoded 10646 [RFC2279] characters. 9.4. Non-Framed-Management-Command The Non-Framed-Management-Command attribute indicates a specific management operation within a NAS-Prompt or Admin session. It MAY be used in Access-Request or Accounting-Request packets. This attribute MUST NOT be included in packets which also include the Framed- Management-Operation attribute. When used within an Access-Request with a Service-Type value of "Authorize Only" (17), the NAS is requesting authorization for this specific management operation within an existing NAS-Prompt or Admin session. When used within an Accounting-Request with an Acct-Status- Type value of Interim-Update (3), the NAS is reporting that the specific management operation has been performed. Typically, the text value of this attribute would equate to a single Nelson & Weber Expires December 21, 2006 [Page 9] Internet-Draft RADIUS NAS-Management Authorization June 2006 command issued to the embedded device's Command Line Interface. If the management session is using a menu or other ASCII interface, the value of this attribute would contain a textual representation of the specific operation. A summary of the Non-Framed-Management-Command Attribute format is shown below. The fields are transmitted from left to right. 0 1 2 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- | Type | Length | Text ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- Type (TBA) for Non-Framed-Management-Command. Length >= 3 Text The Text field is one or more octets, and its contents are implementation dependent. It is intended to be human readable and MUST NOT affect operation of the protocol. It is recommended that the message contain UTF-8 encoded 10646 [RFC2279] characters. 9.5. Framed-Management-Operation The Framed-Management-Operation attribute indicates a specific management operation within a Framed-Management session. It MAY be used in Access-Request or Accounting-Request packets. This attribute MUST NOT be included in packets which also include the Non-Framed- Management-Command attribute. When used within an Access-Request with a Service-Type value of "Authorize Only" (17), the NAS is requesting authorization for this specific management operation within an existing Framed-Management session. When used within an Accounting-Request with an Acct-Status- Type value of Interim-Update (3), the NAS is reporting that the specific management operation has been performed. The value of this attribute is a textual rendering of the specific management operation being performed, e.g. "SNMP GET OID 0.1.2.3...". Nelson & Weber Expires December 21, 2006 [Page 10] Internet-Draft RADIUS NAS-Management Authorization June 2006 A summary of the Framed-Management Operation Attribute format is shown below. The fields are transmitted from left to right. 0 1 2 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- | Type | Length | Text ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- Type (TBA) for Framed-Management-Operation. Length >= 3 Text The Text field is one or more octets, and its contents are implementation dependent. It is intended to be human readable and MUST NOT affect operation of the protocol. It is recommended that the message contain UTF-8 encoded 10646 [RFC2279] characters. 9.6. Management-Context The Management-Context attribute indicates additional contextual information in conjunction with the specific management operation indicated by either the Non-Framed-Management-Command or the Framed- Management-Operation attributes. It MAY be used in Access-Request or Accounting-Request packets. When used with the Non-Framed-Management-Command attribute, the Management-Context attribute may be used to indicate a Command Line Interface mode or sub-mode, a role associated with the management session, or other contextual information related to the specific operation being performed. A summary of the Management-Context Attribute format is shown below. The fields are transmitted from left to right. Nelson & Weber Expires December 21, 2006 [Page 11] Internet-Draft RADIUS NAS-Management Authorization June 2006 0 1 2 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- | Type | Length | Text ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- Type (TBA) for Management-Context. Length >= 3 Text The Text field is one or more octets, and its contents are implementation dependent. It is intended to be human readable and MUST NOT affect operation of the protocol. It is recommended that the message contain UTF-8 encoded 10646 [RFC2279] characters. 10. Examples of attribute groupings 1. CLI access, via local console or telnet, to the "super-user" access level: * Service-Type (6) = Admin (6) * Non-Framed-Management-Security (xx) = None (1) 2. CLI access, via SSH/telnet, to the non-privileged user access level: * Service-Type (6) = NAS-Prompt (7) * Non-Framed-Management-Security (xx) = SSH (2) 3. CLI access, via SSH/telnet, to a custom management access level, defined by a policy: * Service-Type (6) = NAS-Prompt (7) * Non-Framed-Management-Security (xx) = SSH (2) * Management-Policy-Id (xx) = "Network Administrator" 4. Authorization for individual operation within above session: * Service-Type (6) = Authorize Only (17) Nelson & Weber Expires December 21, 2006 [Page 12] Internet-Draft RADIUS NAS-Management Authorization June 2006 * Non-Framed-Management-Command (xx) = "shutdown interface 18" * Management-Context (xx) = "operational CLI mode" 5. Accounting record for the individual operation above: * Acct-Status-Type (40) = Interim-Update (3) * Non-Framed-Management-Command (xx) = "shutdown interface 18" * Management-Context (xx) = "operational CLI mode" 6. SNMPv3 access, using a custom VACM View, defined by a policy: * Service-Type (6) = Framed-Management (xx) * Framed-Management-Protocol (xx) = SNMPv3 (3) * Management-Policy-Id (xx) = "SNMP Network Administrator View" 7. Web (HTTP) access: * Service-Type (6) = Framed-Management (xx) * Framed-Management-Protocol (xx) = HTTP (4) 8. Secure web access, using a custom management access level, defined by a policy: * Service-Type (6) = Framed-Management (xx) * Framed-Management-Protocol (xx) = HTTPS/TLS (5) * Management-Policy-Id (xx) = "Read-only web access" 11. Diameter Translation Considerations When used in Diameter, the attributes defined in this specification can be used as Diameter AVPs from the Code space 1-255 (RADIUS attribute compatibility space). No additional Diameter Code values are therefore allocated. The data types and flag rules for the attributes are as follows: Nelson & Weber Expires December 21, 2006 [Page 13] Internet-Draft RADIUS NAS-Management Authorization June 2006 +---------------------+ | AVP Flag rules | |----+-----+----+-----|----+ | | |SHLD| MUST| | Attribute Name Value Type |MUST| MAY | NOT| NOT|Encr| ---------------------------------|----+-----+----+-----|----| Service-Type (new value) | | | | | | Enumerated | M | P | | V | Y | Framed-Management-Protocol | | | | | | Enumerated | M | P | | V | Y | Non-Framed-Management-Security | | | | | | Enumerated | M | P | | V | Y | Non-Framed-Management-Command | | | | | | Enumerated | M | P | | V | Y | Management-Policy-Id | | | | | | UTF8String | M | P | | V | Y | Management-Operation | | | | | | UTF8String | M | P | | V | Y | Management-Context | | | | | | UTF8String | M | P | | V | Y | ---------------------------------|----+-----+----+-----|----| The attributes in this specification have no special translation requirements for Diameter to RADIUS or RADIUS to Diameter gateways; they are copied as is, except for changes relating to headers, alignment, and padding. See also [RFC3588] Section 4.1 and [RFC4005] Section 9. What this specification says about the applicability of the attributes for RADIUS Access-Request packets applies in Diameter to AA-Request [RFC4005] or Diameter-EAP-Request [RFC4072]. What is said about Access-Challenge applies in Diameter to AA-Answer [RFC4005] or Diameter-EAP-Answer [RFC4072] with Result-Code AVP set to DIAMETER_MULTI_ROUND_AUTH. What is said about Access-Accept applies in Diameter to AA-Answer or Diameter-EAP-Answer messages that indicate success. Similarly, what is said about RADIUS Access-Reject packets applies in Diameter to AA- Answer or Diameter-EAP-Answer messages that indicate failure. What is said about COA-Request applies in Diameter to Re-Auth-Request [RFC4005]. What is said about Accounting-Request applies to Diameter Accounting- Request [RFC4005] as well. Nelson & Weber Expires December 21, 2006 [Page 14] Internet-Draft RADIUS NAS-Management Authorization June 2006 12. Proxy Operation Considerations The device management access authorization attributes presented in this document present certain considerations when used in proxy environments. These considerations are not different from those that exist in RFC 2865 [RFC2865] with respect to the Service-Type attribute values of Admin and NAS-Prompt. Most proxy environments are also multi-party environments. In multi- party proxy environments it is important to distinguish which entities have the authority to provision management access to the edge devices, i.e. NASes, and which entities only have authority to provision network access services of various sorts. It may be important that operators of the NAS are able to ensure that access to the CLI, or other management interfaces, of the NAS are only provisioned to their own employees or contractors. One way for the NAS to enforce this requirement is to use only local, non-proxy RADIUS servers for management access requests. Proxy RADIUS servers could be used for non-management access requests, based on local policy. This "bifurcation" of RADIUS authentication and authorization is a simple case of separate administrative realms. The NAS may be designed so as to maintain separate lists of RADIUS servers for management AAA use and for non-management AAA use. An alternate method of enforcing this requirement would be for the first-hop proxy server, operated by the owner of the NAS, to filter out any RADIUS attributes that provision management access rights that originate from "up-stream" proxy servers not operated by the NAS owner. Access-Accept messages that provision such locally un- authorized management access MAY be treated as if they were an Access-Reject by the first-hop proxy server. These issues are not of concern when all the RADIUS servers, local and proxy, used by the NAS are under the sole administrative control of the NAS owner. 13. Table of Attributes The following table provides a guide to which attributes may be found in which kinds of packets, and in what quantity. Nelson & Weber Expires December 21, 2006 [Page 15] Internet-Draft RADIUS NAS-Management Authorization June 2006 Access- Request Accept Reject Challenge # Attribute --------------------------------------------------------------------- 0-1 0-1 0 0 TBA Framed-Management-Protocol 0-1 0-1 0 0 TBA Non-Framed-Management-Security 0 0+ 0 0 TBA Management-Policy-Id 0-1 0 0 0 TBA Non-Framed-Management-Command 0-1 0 0 0 TBA Framed-Management-Operation 0+ 0 0 0 TBA Management-Context Accounting- Request Response # Attribute --------------------------------------------------------------------- 0-1 0 TBA Framed-Management-Protocol 0-1 0 TBA Non-Framed-Management-Security 0+ 0 TBA Management-Policy-Id 0-1 0 TBA Non-Framed-Management-Command 0-1 0 TBA Framed-Management-Operation 0+ 0 TBA Management-Context The following table defines the meaning of the above table entries. 0 This attribute MUST NOT be present in a packet. 0+ Zero or more instances of this attribute MAY be present in a packet. 0-1 Zero or one instance of this attribute MAY be present in a packet. 1 Exactly one instance of this attribute MUST be present in a packet. 14. IANA Considerations This document contains placeholders ("TBA") for assigned numbers within the RADIUS Attributes registry, to be assigned by IANA at the time this document should be published as an RFC. 15. Security Considerations This specification describes the use of RADIUS and Diameter for purposes of authentication, authorization and accounting for management access to devices within local area networks. RADIUS threats and security issues for this application are described in [RFC3579] and [RFC3580]; security issues encountered in roaming are described in [RFC2607]. For Diameter, the security issues relating to this application are described in [RFC4005] and [RFC4072]. Nelson & Weber Expires December 21, 2006 [Page 16] Internet-Draft RADIUS NAS-Management Authorization June 2006 This document specifies new attributes that can be included in existing RADIUS packets, which are protected as described in [RFC3579] and [RFC3576]. In Diameter, the attributes are protected as specified in [RFC3588]. See those documents for a more detailed description. The security mechanisms supported in RADIUS and Diameter are focused on preventing an attacker from spoofing packets or modifying packets in transit. They do not prevent an authorized RADIUS/Diameter server or proxy from inserting attributes with malicious intent. Any of the attributes described in this memo, with the exception of Service-Type, may not be understood by the NAS which receives it. A legacy NAS not compliant with this specification may silently discard these attributes while permitting the user to access the management interface(s) of the NAS. This can lead to users improperly receiving unauthorized management access to the NAS, or access with greater levels of access rights than were intended. RADIUS servers SHOULD attempt to ascertain whether or not the NAS supports these attributes before sending them in an Access-Accept. 16. References 16.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2279] Yergeau, F., "UTF-8, a transformation format of ISO 10646", RFC 2279, January 1998. [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000. [RFC3415] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)", STD 62, RFC 3415, December 2002. [RFC4005] Calhoun, P., Zorn, G., Spence, D., and D. Mitton, "Diameter Network Access Server Application", RFC 4005, August 2005. Nelson & Weber Expires December 21, 2006 [Page 17] Internet-Draft RADIUS NAS-Management Authorization June 2006 16.2. Informative References [RFC2607] Aboba, B. and J. Vollbrecht, "Proxy Chaining and Policy Implementation in Roaming", RFC 2607, June 1999. [RFC2866] Rigney, C., "RADIUS Accounting", RFC 2866, June 2000. [RFC3576] Chiba, M., Dommety, G., Eklund, M., Mitton, D., and B. Aboba, "Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)", RFC 3576, July 2003. [RFC3579] Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)", RFC 3579, September 2003. [RFC3580] Congdon, P., Aboba, B., Smith, A., Zorn, G., and J. Roese, "IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines", RFC 3580, September 2003. [RFC3588] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J. Arkko, "Diameter Base Protocol", RFC 3588, September 2003. [RFC4072] Eronen, P., Hiller, T., and G. Zorn, "Diameter Extensible Authentication Protocol (EAP) Application", RFC 4072, August 2005. [sshsm] Harrington, D. and J. Salowey, "Secure Shell Security Model for SNMP", draft-ietf-isms-secshell-03.txt (work in progress), May 2006. [sshsm-radius] Narayan, K. and D. Nelson, "RADIUS Usage for SNMP SSH Security Model", draft-narayan-isms-sshsm-radius-00.txt (work in progress), June 2006. [tmsm] Harrington, D. and J. Schoenwaelder, "Transport Mapping Security Model (TMSM) Architectural Extension for the Simple Network Management Protocol (SNMP)", draft-ietf-isms-tmsm-02.txt (work in progress), May 2006. Appendix A. Acknowledgments Many thanks to all reviewers, including Barney Wolff and Mauricio Sanchez. Nelson & Weber Expires December 21, 2006 [Page 18] Internet-Draft RADIUS NAS-Management Authorization June 2006 Authors' Addresses David B. Nelson Enterasys Networks 50 Minuteman Road Andover, MA 01810 USA Email: dnelson@enterasys.com Greg Weber Cisco Systems 10850 Murdock Road Knoxville, TN 37932 USA Email: gdweber@cisco.com Nelson & Weber Expires December 21, 2006 [Page 19] Internet-Draft RADIUS NAS-Management Authorization June 2006 Intellectual Property Statement The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Disclaimer of Validity This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Copyright Statement Copyright (C) The Internet Society (2006). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society. Nelson & Weber Expires December 21, 2006 [Page 20]